Shortcut Virus

A virus that floods your computer with shortcuts

Amid the onslaught of the Conficker worm hitting networks around the world, a local virus has appeared that refuses to be outdone. The writer came across this virus by accident while visiting a close friend's workplace, where the friend complained about how many shortcuts there were on his computer.

On inspection it was true: a lot of shortcut files were scattered across every folder on the computer, such as Microsoft.lnk, along with shortcut files named after the existing folders. With the instinct of a vaccine writer who cannot ignore a new virus that antivirus does not detect, the complaint was immediately analyzed further and a remedy prepared.


The characteristics of the virus are:

   1. The My Documents folder contains a file called database.mdb, which turns out to be the parent file.

   2. Autorun.inf, Thumb.db and Microsoft.lnk files appear in every drive, folder and flash disk, down to the second level of subfolders.

   3. It creates duplicate files with the .lnk extension named after folders, for at most the first 5 folder names; for example, if C:\Windows contains many folders, only the first 5 names are taken. This applies down to the second level of subfolders (see Figure 2).

   4. It turns off the Registry tools (see Figure 3):

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistrytools"=dword:00000001
   5. It adds values to the registry:
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "Explorer"="Wscript.exe //e:VBScript \"C:\Documents and Settings\Administrator\My Documents\database.mdb\""
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "WinUpdate"="Wscript.exe /e:VBScript \"C:\WINDOWS\:Microsoft Office Update for Windows XP.sys\""
The last entry is probably only a decoy script, but in practice we must still delete it. When we log on to the computer, we will get an error message like the one below.

What is infuriating is the large number of shortcuts the virus creates. Worse, if it is not handled the right way, the virus comes back again and again. So here are the steps to take to combat this annoying virus:

    
Kill the WSCRIPT process, whose file is located in C:\Windows\System32, using tools such as CProcess or HijackThis, or the Windows Task Manager.

    
Before doing so, turn off System Restore.

    
Once the Wscript process has been killed, we must delete or rename the file so that the virus cannot use it again (temporarily). Note that if we rename wscript.exe, it is automatically copied back into the folder, so we must also find the other copies of wscript.exe, usually in C:\Windows\$NtServicePackUninstall$ and C:\Windows\ServicePackFiles\i386. With other VBS viruses we can change the Open With association of .vbs files to Notepad, but the problem here is that the virus file has the MDB extension of a Microsoft Access file. Wscript runs the DATABASE.MDB file as if it were a VBS file. (A smart virus, right?)
Wscript.exe //e:VBScript \"C:\Documents and Settings\Administrator\My Documents\database.mdb\"

    
Delete the parent file at C:\Documents and Settings\<user>\My Documents\database.mdb so that it is no longer loaded each time the computer boots. Also do not forget to open MSCONFIG and disable the run command there.

    
Now we delete the autorun.inf, Microsoft.INF and Thumb.db files. To do this, click the START button, type CMD, and switch to the drive to be cleaned, for example drive C:\. Then do the following:
Type C:\>del Microsoft.inf /s = this command deletes every Microsoft.inf file in all folders on drive C:. To clean another drive, just change the drive letter, for example: D:\>del Microsoft.inf /s
For the autorun.inf file, type C:\>del autorun.inf /s /ah /f = this command deletes the autorun.inf files (the /ah /f switches are needed because the file carries the RSHA attributes). Do the same for the Thumb.db file.
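
The Run-key values listed earlier start Wscript with an explicit VBScript engine switch on a file that has no script extension. As an added example (not part of the original post), this Python script flags that pattern and the DisableRegistrytools policy in the text of a registry export; the function name, the extension list and the two benign sample entries are assumptions made for the illustration.

```python
import ntpath
import re

# Extensions Windows Script Host runs without an engine override (assumed list).
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
# wscript/cscript, then /e:<engine> or //e:<engine>, then the file to run
WSH_RE = re.compile(r'(?i)\b[wc]script(?:\.exe)?\s+/{1,2}e:(\w+)\s+"?([^"]+)')

# DisableRegistrytools, Explorer and WinUpdate are the values quoted in the post
# (backslashes as printed there); Backup and ctfmon are constructed benign entries.
SAMPLE = r'''
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistrytools"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Explorer"="Wscript.exe //e:VBScript \"C:\Documents and Settings\Administrator\My Documents\database.mdb\""
"Backup"="wscript.exe //e:VBScript \"C:\Scripts\backup.vbs\""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"WinUpdate"="Wscript.exe /e:VBScript \"C:\WINDOWS\:Microsoft Office Update for Windows XP.sys\""
"ctfmon"="C:\WINDOWS\system32\ctfmon.exe"
'''


def audit_reg_export(text):
    """Return (key, value_name, reason) for each suspicious value in the export."""
    findings, key = [], ""
    for line in map(str.strip, text.splitlines()):
        k, m = KEY_RE.match(line), VALUE_RE.match(line)
        if k:
            key = k.group(1).lower()
        if not m:
            continue
        name, data = m.groups()
        if name.lower() == "disableregistrytools" and data.lower() == "dword:00000001":
            findings.append((key, name, "registry editing tools disabled"))
        elif key.endswith(r"\currentversion\run") and data.startswith('"'):
            # Undo .reg escaping (\" and \\) to recover the real command line.
            cmd = re.sub(r'\\(["\\])', r"\1", data[1:-1])
            hit = WSH_RE.search(cmd)
            ext = ntpath.splitext(hit.group(2).strip())[1].lower() if hit else ""
            if hit and ext not in SCRIPT_EXTS:
                findings.append((key, name, f"{hit.group(1)} engine forced on '{ext}' file"))
    return findings


if __name__ == "__main__":
    for finding in audit_reg_export(SAMPLE):
        print(*finding, sep=" | ")
```

A real export from reg.exe doubles the backslashes inside string data, which the unescaping step also accepts.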
