
Thursday, July 21, 2011

How To Remove the Shortcut Virus

The shortcut virus is enough to leave us confused and distracted, so it must be eradicated from our computers.
 
Want to know how? Follow these steps:
 
1. First, turn off System Restore.
2. Stop the Wscript process, whose file is located in C:\Windows\System32, using a tool such as CProcess or HijackThis, or the Windows Task Manager.
3. Once the Wscript process is stopped, we need to delete or rename the file so that the virus cannot use it for the time being. Note that if we rename Wscript.exe, it will automatically be copied back into the folder. Therefore, we must find the other copies of Wscript.exe, usually in C:\Windows\$NtServicePackUninstall$ and C:\Windows\ServicePackFiles\i386.
With other VBS viruses, we can change the Open With association of vbs files to Notepad. This virus, however, uses the MDB extension, which is normally a Microsoft Access file, so Wscript will run database.mdb as if it were a vbs file.
4. Delete the parent file in C:\Documents and Settings\ \My Documents\database.mdb, so that the file is no longer loaded every time the computer starts up. Also, do not forget to open MSCONFIG and disable the run command.
5. Now we will delete the files autorun.inf, Microsoft.inf and Thumb.db. To do so, click the START button, type CMD, and switch to the drive to be cleaned, such as drive C:\. Then do the following:
Type C:\>del Microsoft.inf /s. This command deletes all Microsoft.inf files in all folders on drive C:. To clean another drive, just change the drive name, for example: D:\>del Microsoft.inf /s.
For the autorun.inf file, type C:\>del autorun.inf /s /ah /f. This command deletes the autorun.inf file (the /ah /f switches are used because the file carries the RSHA attributes). Do the same for the Thumb.db file.
6. To delete the remaining files besides the four previous files, we use file search to find files with the .lnk extension and a size of 1 KB. Under 'More advanced options', make sure the options 'Search system folders' and 'Search hidden files and folders' are both checked.
Please be careful: not every shortcut / LNK file with a size of 1 KB is a virus. We can tell them apart by icon, size and type. A shortcut created by the virus always uses the 'folder' icon, has a size of 1 KB and the type 'Shortcut', while a genuine folder shows no 'size' and its type is 'File Folder'.
7. Fix the registry entries that have been altered by the virus. To speed up the registry repair, copy the script below into Notepad and save it with the name 'repair.inf'. Run it as follows:
- Right-click repair.inf
- Click Install

[Version]
Signature="$Chicago$"
Provider=Vaksincom Oyee

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

; Restore the default open commands for executable file types
[UnhookRegKey]
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
; Restore the default logon shell and the Safe Mode alternate shell
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"
HKLM, SYSTEM\ControlSet001\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SYSTEM\ControlSet002\Control\SafeBoot, AlternateShell,0, "cmd.exe"

; Remove the Run entries listed below
[Del]
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Winupdate
HKCU, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, explorer
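
Before deleting anything in steps 4 to 6, it helps to list what would be affected. The following read-only scan is an added example, not part of the original post: it reports the file names from steps 4 and 5 and the .lnk files of at most 1 KB from step 6. The hint strings it looks for inside a shortcut, the finding labels and the sample files are assumptions made for this sketch.

```python
import os
import tempfile

# File names the post says to delete (steps 4 and 5), compared case-insensitively.
DROPPED_NAMES = {"autorun.inf", "microsoft.inf", "thumb.db", "database.mdb"}
# Assumption (not from the post): a malicious shortcut mentions one of these
# strings in its target, stored as ASCII or UTF-16LE inside the .lnk file.
HINTS = ("wscript", "database.mdb")
MAX_LNK_SIZE = 1024  # the post's "size 1 kb" criterion


def lnk_mentions_hint(path):
    """Return True if the raw shortcut bytes contain one of the hint strings."""
    with open(path, "rb") as fh:
        data = fh.read(MAX_LNK_SIZE).lower()
    return any(h.encode("ascii") in data or h.encode("utf-16-le") in data
               for h in HINTS)


def scan(root):
    """Walk root and return sorted (kind, path) findings; nothing is deleted."""
    findings = []
    for folder, _dirs, files in os.walk(root):  # includes hidden/system files
        for name in files:
            path = os.path.join(folder, name)
            lower = name.lower()
            if lower in DROPPED_NAMES:
                findings.append(("dropped-file", path))
            elif lower.endswith(".lnk") and os.path.getsize(path) <= MAX_LNK_SIZE:
                # Small shortcuts are only candidates: the post warns that not
                # every 1 KB .lnk is malicious, so unhinted ones need review.
                kind = "lnk-suspicious" if lnk_mentions_hint(path) else "lnk-review"
                findings.append((kind, path))
    return sorted(findings)


def demo():
    """Scan a constructed sample tree (made-up files, not real samples)."""
    samples = {
        "autorun.inf": b"[autorun]\n",
        "Photos.lnk": b"L\x00\x00\x00" + "wscript.exe database.mdb".encode("utf-16-le"),
        "Editor.lnk": b"L\x00\x00\x00" + b"C:\\Program Files\\editor.exe",
        "Big.lnk": b"\x00" * 4096,  # larger than 1 KB, so it is ignored
        "notes.txt": b"hello",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, content in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(content)
        return [(kind, os.path.basename(p)) for kind, p in scan(root)]
```

Call scan() with a drive root such as "D:\\" to list candidates; entries marked lnk-review still need the icon and type check described in step 6 before they are deleted.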
