
How to Remove the .LNK Virus

This document provides instructions to remove an LNK virus from an infected computer. The virus spreads by creating shortcut (.lnk) files that execute a file called "database.mdb" located in the user's documents folder. It also changes the registry so that the virus runs at each startup. To remove the virus, the document outlines disabling System Restore, killing the wscript process, deleting files used by the virus such as "database.mdb", removing the registry keys and shortcut files added by the virus, and scanning with antivirus software.

Uploaded by

rohit9587
Copyright
© Attribution Non-Commercial (BY-NC)

Procedure to remove LNK Virus

In your “My Documents” folder there is a file named “database.mdb”.

There are clone folders with the extension .lnk, for at most the first 5 folders ordered by name; this rule applies down to the second level of subfolders.
There are files Autorun.inf, Thumb.db and Microsoft.lnk in each root drive and folder, again down to the second level of subfolders. (You might not see them because they are set as hidden.)
Your Registry Editor is disabled.
The virus master is the file named “database.mdb” in the “My Documents” folder; why it is called the virus master will become clear below. The virus creates the clone shortcuts for folders by executing through “wscript.exe”, the Microsoft Windows-based script host program.

The virus will change your registry:

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Explorer"="Wscript.exe //e:VBScript \"C:\Documents and Settings\Administrator\My Documents\database.mdb\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"WinUpdate"="Wscript.exe /e:VBScript \"C:\WINDOWS\:Microsoft Office Update for Windows XP.sys\""

I think you all know how this registry change will affect your computer each time it reboots, so there is no need to explain this, right? A really simple social technique.
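The two Run values above share traits that can be checked mechanically: a script host as the launcher, an engine forced with /e: or //e: so the file extension no longer matters, a target that is not a script file, and in the second value a colon after the drive prefix. The following sketch is an added example, not part of the original document; the function names, the list of script extensions and the two benign entries are assumptions made for illustration.

```python
import ntpath
import re

# Constructed input: the two values shown above plus two benign entries
# made up for contrast (value name -> command line).
RUN_VALUES = {
    "Explorer": r'Wscript.exe //e:VBScript "C:\Documents and Settings'
                r'\Administrator\My Documents\database.mdb"',
    "WinUpdate": r'Wscript.exe /e:VBScript "C:\WINDOWS\:Microsoft Office'
                 r' Update for Windows XP.sys"',
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "LogonScript": r'wscript.exe "C:\Scripts\logon.vbs"',
}

HOST = re.compile(r'(?i)^\s*"?(?:[^"]*?\\)?[wc]script(?:\.exe)?"?(?=\s|$)')
ENGINE = re.compile(r"(?i)(?:^|\s)/{1,2}e:(\S+)")
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}  # assumed list


def audit_command(command):
    """Return the reasons a Run-key command line matches this infection."""
    host = HOST.match(command)
    if not host:
        return []                      # not launched through a script host
    rest = command[host.end():]
    quoted = re.search(r'"([^"]+)"', rest)
    target = quoted.group(1) if quoted else " ".join(
        tok for tok in rest.split() if not tok.startswith("/"))
    reasons = []
    engine = ENGINE.search(rest)
    if engine:
        reasons.append("engine forced to " + engine.group(1))
    ext = ntpath.splitext(target)[1].lower()
    if ext not in SCRIPT_EXTS:
        reasons.append("target extension %s is not a script type" % (ext or "(none)"))
    if ":" in ntpath.splitdrive(target)[1]:
        reasons.append("colon after the drive prefix (alternate data stream syntax)")
    return reasons


def audit_run_values(values):
    """Map each suspicious value name to its list of reasons."""
    hits = {name: audit_command(cmd) for name, cmd in values.items()}
    return {name: why for name, why in hits.items() if why}


if __name__ == "__main__":
    for name, why in audit_run_values(RUN_VALUES).items():
        print(name, "->", "; ".join(why))
```
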

Remove Virus Manually


1. Disable “System Restore” during the cleaning process.

2. Kill the wscript.exe process among your computer's background programs.

3. During the cleaning process, rename the file wscript.exe to any other name, e.g. blabla (temporarily, only for the cleaning process), and don't forget to rename it back to wscript.exe once your computer is clean.

4. Delete the file “database.mdb” from the “My Documents” folder.

5. Disable any startup entry that is linked to “database.mdb”; you can use msconfig or HijackThis.

6. Delete the files autorun.inf, microsoft.inf and thumb.db. Use the command prompt and type “del Microsoft.inf /s” (run it from the root of the drive so that it deletes every copy on the drive). Because autorun.inf and thumb.db are set with the attributes RSHA, type “del autorun.inf /s /ah /f” for them (again from the root of the drive; replace autorun.inf with thumb.db to delete every thumb.db).

7. Delete all .lnk files with a size of 1 KB; you can use the advanced search function. Be careful about what you delete; look at this sample:

Delete only shortcuts that are 1 KB in size and use the folder icon. This is a social spreading technique that mostly tricks newcomers.

8. Repair your registry with the following .inf script:

[Version]
Signature="$Chicago$"
Provider=Nobody

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

[UnhookRegKey]
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"
HKLM, SYSTEM\ControlSet001\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SYSTEM\ControlSet002\Control\SafeBoot, AlternateShell,0, "cmd.exe"

[del]
HKLM,SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Winupdate
HKCU,SOFTWARE\Microsoft\Windows\CurrentVersion\Run, explorer

9. Scan with your best antivirus program to make sure your system is clean, then restart your computer.
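Step 7 warns against deleting legitimate shortcuts along with the clones. The sketch below is an added example, not part of the original document: it only lists candidates for review, narrowing the search to .lnk files of at most 1 KB that share a name with a folder beside them, down to the second subfolder level. The name-match rule is an assumption drawn from the "clone folder" description, and the sample tree in demo() is constructed.

```python
import os
import tempfile

MAX_LNK_BYTES = 1024   # the "size 1kb" criterion from step 7
MAX_DEPTH = 2          # root = 0; the page says "until second sub folders"


def find_clone_shortcuts(root, max_depth=MAX_DEPTH):
    """List .lnk files <= 1 KB named after a folder in the same directory."""
    root = os.path.abspath(root)
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        depth = 0 if dirpath == root else (
            os.path.relpath(dirpath, root).count(os.sep) + 1)
        folders = {d.lower() for d in dirnames}   # siblings at this level
        if depth >= max_depth:
            dirnames[:] = []                      # do not descend any further
        for name in filenames:
            stem, ext = os.path.splitext(name)
            path = os.path.join(dirpath, name)
            if (ext.lower() == ".lnk" and stem.lower() in folders
                    and os.path.getsize(path) <= MAX_LNK_BYTES):
                hits.append(path)
    return sorted(hits)


def demo():
    """Build a constructed tree in a temp dir; return hits relative to it."""
    with tempfile.TemporaryDirectory() as base:
        for folder in ("Music/Albums/2009/Live", "Photos"):
            os.makedirs(os.path.join(base, *folder.split("/")))
        samples = {                        # relative path -> size in bytes
            "Music.lnk": 300,              # clone of folder Music
            "Photos.lnk": 4096,            # too large, left alone
            "Notepad.lnk": 300,            # no folder of that name, left alone
            "Music/Albums.lnk": 300,       # clone one level down
            "Music/Albums/2009/Live.lnk": 300,   # below the depth limit
        }
        for rel, size in samples.items():
            with open(os.path.join(base, *rel.split("/")), "wb") as fh:
                fh.write(b"\0" * size)
        return [os.path.relpath(p, base).replace(os.sep, "/")
                for p in find_clone_shortcuts(base)]


if __name__ == "__main__":
    print("\n".join(demo()))
```
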
