A virus named "My name is Yuyun" has appeared


A new virus named "My name is Yuyun" has appeared. The virus does not try to break the computer outright. Instead, besides the original files on the computer, it creates fake files and builds extra files, which makes the computer increasingly sluggish.

To clean up this virus:

1. First, turn off System Restore. (Right-click My Computer > Properties > System Restore > check "Turn off System Restore on all drives".)

2. End the Wscript process, whose file is located in C:\Windows\System32, using a tool such as CProcess or HijackThis, or with the Windows Task Manager.

3. Once the Wscript process has been stopped, delete or rename the file so that the virus cannot use it for the time being.

Note that if we only rename Wscript.exe, it is automatically copied back into the folder. We must therefore also find the other copies of Wscript.exe, usually in C:\Windows\$NtServicePackUninstall$ and C:\Windows\ServicePackFiles\i386.

With other VBS viruses we can change the Open With setting for .vbs files to Notepad. This virus is different: it has the .mdb extension, which means it looks like a Microsoft Access file. Wscript therefore runs database.mdb as if it were a VBS file.

To see super-hidden files, use the Tools menu > Folder Options > View tab.

4. Delete the parent file in C:\Documents and Settings\ \My Documents\database.mdb so that it is no longer loaded every time the computer starts. Also open MSCONFIG and disable the run command.

5. Now delete the files autorun.inf, Microsoft.inf and Thumb.db. To do so, click the START button, type CMD, and move to the drive to be cleaned, for example drive C:\. Then do the following:

Type cd C:\ to go to the root directory of drive C:, then type del Microsoft.inf /s. This command deletes every Microsoft.inf file in all folders on drive C:. To clean another drive, just change the drive name, for example: cd /d D:\ and then del Microsoft.inf /s.

For autorun.inf, type del autorun.inf /s /ah /f. This deletes the autorun.inf files; the /ah /f switches are needed because the file carries the R, S, H and A attributes. Do the same for Thumb.db (del Thumb.db /s /ah /f).

So the commands needed to delete the files in this step are:
del autorun.inf /s /ah /f
del Thumb.db /s /ah /f
del desktop.ini /s /ah /f
del Microsoft.inf /s

6. Besides the four files above, we must also search for files with the .lnk (LNK) extension and a size of 1 KB. Under 'More advanced options', make sure that 'Search system folders' and 'Search hidden files and folders' are both checked. (Use Shift + Del so that deleted files do not go to the Recycle Bin.)

Please be careful: not every shortcut/LNK file of 1 KB is a virus. We can tell them apart by icon, size and type. A shortcut created by the virus always uses the 'folder' icon, has a size of 1 KB and is of type 'Shortcut', whereas a real folder has no 'size' and its type is 'File Folder'.

7. Repair the registry entries that the virus has altered. To speed up the repair, copy the script below into Notepad and save it with the name 'Repair Yuyun Shortcut.inf'. Run it as follows:

- Right-click repair.inf
- Click Install

[Version]
Signature="$Chicago$"
Provider=Vaksincom Oyee

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

; Restore the default open commands for executable file types
[UnhookRegKey]
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
; Restore the default shell and the Safe Mode alternate shell
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"
HKLM, SYSTEM\ControlSet001\Control\safeboot, AlternateShell,0, "cmd.exe"
HKLM, SYSTEM\ControlSet002\Control\safeboot, AlternateShell,0, "cmd.exe"

; Delete the Run values Winupdate and explorer
[del]
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Winupdate
HKCU, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, explorer

Or, if you do not want to go to the trouble of creating Repair Yuyun Shortcut.inf yourself, you can download it directly here.

Just some additional characteristics from my analysis of Yuyun:

thumb.db => virus activation checker
autorun.inf => startup script
xxxxxx.lnk => leads to the parent file, and is what executes thumb.db
database.mdb, Microsoft Office Update for Windows XP.sys => parent file
xxxxxxx.pif => labeler (pembandrol) and carrier
v.doc => the message delivered by the virus carrier
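
A read-only way to list candidates before running the del commands and the LNK search above, as an added example that is not part of the original post: it flags only the file names, the .pif extension and the 1 KB .lnk size rule given on this page, and deletes nothing. The function names and the sample tree are constructed for illustration.

```python
import os
import tempfile

# Names from steps 4 and 5, compared case-insensitively. "thumb.db" is the
# file named on this page; the normal Windows thumbnail cache is "Thumbs.db".
NAMED = {"autorun.inf", "microsoft.inf", "thumb.db", "database.mdb"}
LNK_MAX_BYTES = 1024  # Explorer shows anything from 1 to 1024 bytes as "1 KB"

def classify(name, size):
    """Return why a file matches the page's criteria, or None."""
    lower = name.lower()
    if lower in NAMED:
        return "named file from steps 4-5"
    if lower.endswith(".lnk") and 0 < size <= LNK_MAX_BYTES:
        return "1 KB shortcut: confirm icon and type by hand"
    if lower.endswith(".pif"):
        return "PIF file: listed on the page as the carrier"
    return None

def scan(root):
    """List candidates under root as (relative path, size, reason)."""
    hits = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            try:
                size = os.path.getsize(path)
            except OSError:
                continue  # unreadable or vanished file: skip it, keep scanning
            reason = classify(name, size)
            if reason:
                hits.append((os.path.relpath(path, root), size, reason))
    return sorted(hits)

def build_sample_tree(root):
    """Constructed sample: harmless zero-filled files that mimic names and sizes."""
    samples = {"autorun.inf": 40, "Thumb.db": 300, "Thumbs.db": 9000,
               "docs/Photos.lnk": 700, "docs/Big.lnk": 2500,
               "docs/report.pif": 120, "docs/notes.txt": 50}
    for rel, size in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(b"\0" * size)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, size, reason in scan(tmp):
            print(f"{rel:24} {size:6} bytes  {reason}")
```

Point scan() at a drive root to get the list for review; every .lnk hit still needs the icon and type check from step 6 before it is deleted.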

Wishing everyone well.

Copyright 2011 Myanmar Collection News All rights reserved Designed by KOHTUN