Characteristic feature :
1. Make file database.mdb in My Documents.
2. Make autorun.inf file in every drive, flash disk, and folder.
3. Make file Thumb.db in every folder
4. Make file Microsoft.lnk in every folder
5. Make file New Harry Potter in every folder
6. Duplicate every folder with .lnk extension
7. At Task Manager there is wscript.exe services.
Step by step to restore / remove / clean :
1. Turn off System Restore
2. Kill / turn off wscript.exe service / process
3. Remove / delete file database.mdb on My Documents
4. Delete duplicate file ->
Use search on Windows, klik "More Advanced Option",
make sure "Search system folders" and "Search hidden files and folders" choose (ticked)
Search file autorun.inf with size 8KB
Search file Thumb.db size 8KB
Search file *.lnk (all file with extension are .lnk) , size 1KB
after search, delete / remove all founded file.
5. Delete / remove registry that contain database.mdb
Tidak ada komentar:
Posting Komentar