
PIF Virus / Starter, also known as the shortcut virus, makes a mess of the victim's machine with the many shortcuts it creates. The difficulty is that if the virus is not handled correctly it will come back again and again.
So follow these 7 steps from Vaksincom virus analyst MG Lat to stop the flood of shortcuts caused by this virus:

1. First, turn off System Restore.
2. Kill the Wscript process (the file is located in C:\Windows\System32) using a tool such as CProcess or HijackThis, or the Windows Task Manager.

3. Once the Wscript process is stopped, delete or rename the file so that the virus can no longer use it.
Note: if we rename Wscript.exe, it is automatically copied back into the folder. So we must find the other copies of Wscript.exe, usually in C:\Windows\$NtServicePackUninstall$ and C:\Windows\ServicePackFiles\i386.
Unlike other VBS viruses, where we can change the 'Open With' of .vbs files to Notepad, this virus's file extension is 'mdb', which means a Microsoft Access file. So Wscript runs the file DATABASE.MDB as though it were a .vbs file.

4. Delete the parent file C:\Documents and Settings\\My Documents\database.mdb, so that the computer no longer loads it at every start. Also don't forget to open msconfig and disable its run entry.

5. Now delete the files Autorun.inf, Microsoft.inf and Thumb.db. Click the START button, type CMD, change to the drive to be cleaned, for example drive C:\, then do the following:

At the prompt type C:\>del Microsoft.inf /s. This command deletes every microsoft.inf in all folders on drive C:. For another drive just switch to it and use the same command, for example D:\>del Microsoft.inf /s.
For the autorun.inf file type C:\>del autorun.inf /s /ah /f. The /ah /f switches are needed because the file carries the RSHA attributes (read-only, system, hidden, archive). Do the same for Thumb.db.

6. To delete the shortcut files the virus created, search for files with the extension .lnk and a size of 1 KB. Under 'More advanced options' make sure that both 'Search system folders' and 'Search hidden files and folders' are checked.
Be careful: not every 1 KB shortcut /LNK file is the virus. We can tell them apart by icon, size and type. The virus's shortcuts use the 'folder' icon, have a size of 1 KB and the type 'shortcut', while a real folder has no 'size' and its type is 'File Folder'.

7. Fix the registry entries modified by the virus. To speed up the registry repair, copy the script below into Notepad and save it as 'Repair.inf'. Run the file as follows:
Right-click repair.inf and click Install.

[Version]
Signature="$Chicago$"
Provider=Vaksincom Oyee

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

[UnhookRegKey]
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"
HKLM, SYSTEM\ControlSet001\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SYSTEM\ControlSet002\Control\SafeBoot, AlternateShell,0, "cmd.exe"

[del]
HKLM,SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Winupdate
HKCU,SOFTWARE\Microsoft\Windows\CurrentVersion\Run, explorer
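To see which of these entries are actually still tampered with on a machine before (or after) installing the script, here is an added Python example, not from the post or from Vaksincom, that parses the Repair.inf above and diffs its AddReg/DelReg entries against a registry snapshot. The snapshot used here is constructed with placeholder values; on a live Windows host it would be read with the winreg module instead.

```python
import csv
# Repair.inf from step 7; the regfile value follows the INF doubled-quote rule: regedit.exe "%1"
REPAIR_INF = r'''[Version]
Signature="$Chicago$"
Provider=Vaksincom Oyee
[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del
[UnhookRegKey]
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"
HKLM, SYSTEM\ControlSet001\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SYSTEM\ControlSet002\Control\SafeBoot, AlternateShell,0, "cmd.exe"
[del]
HKLM,SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Winupdate
HKCU,SOFTWARE\Microsoft\Windows\CurrentVersion\Run, explorer
'''

def parse_repair_inf(text):
    """Return the AddReg section as {(root, key, name): value} and DelReg as a set of keys."""
    sections, cur = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("["):
            cur = sections.setdefault(line.strip("[]"), [])
        elif line and cur is not None:
            cur.append(line)
    install = dict(l.split("=", 1) for l in sections["DefaultInstall"])
    rows = lambda sec: csv.reader(sections[install[sec]], skipinitialspace=True)
    add = {tuple(r[:3]): r[4] for r in rows("AddReg")}      # root, subkey, value name -> data
    delete = {tuple(r[:3]) for r in rows("DelReg")}
    return add, delete

def registry_drift(snapshot, inf_text=REPAIR_INF):
    """What the script would change on a host whose registry is `snapshot`: entries to set, entries to delete."""
    add, delete = parse_repair_inf(inf_text)
    to_set = {k: v for k, v in add.items() if snapshot.get(k) != v}   # wrong or missing value
    to_delete = sorted(k for k in delete if k in snapshot)            # virus autostart still present
    return to_set, to_delete

INFECTED = {  # constructed snapshot of a tampered host; placeholder values, not taken from the post
    ("HKLM", r"Software\CLASSES\exefile\shell\open\command", ""): '"%1" %*',
    ("HKLM", r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell"): "Explorer.exe CONSTRUCTED_EXTRA",
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Winupdate"): "CONSTRUCTED_PATH",
    ("HKCU", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "explorer"): "CONSTRUCTED_PATH",
}
```

Running registry_drift(INFECTED) reports the Winlogon Shell value and the missing shell\open\command defaults as entries to set, and the two Run entries as the ones the script would delete.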

Collected @abrar2009
