How to get rid of Worm Pif Starter.A, the Microsoft Shortcut.lnk link virus.
To know whether your computer is infected with the Microsoft.lnk shortcut link virus, look for these symptoms:
Go to the “My Documents” folder and look for a file named “database.mdb”.
Folders have a clone with the extension .lnk: at most the first 5 folders, sorted by name, and this applies down to the second level of subfolders.
The files Autorun.inf, Thumb.db and Microsoft.lnk are present in the root of each drive and in folders, down to the second level of subfolders. (These files are hidden by default; to see them, enable the SHOW HIDDEN FILES AND FOLDERS option along with the SHOW HIDDEN SYSTEM FILES option.)
Registry Editor is disabled: the Microsoft Shortcut virus will not let you access your registry editor.
The virus itself is the file named “database.mdb” in the “My Documents” folder. It creates the folder clones by running under “wscript.exe”, the Microsoft Windows Based Script Host program.
The worm pif.starter.A will modify the following registry values:
“Explorer”=”Wscript.exe //e:VBScript \”C:\Documents and Settings\Administrator\My Documents\database.mdb\””
“WinUpdate”=”Wscript.exe /e:VBScript \”C:\WINDOWS\:Microsoft Office Update for Windows XP.sys\””
We all know how these registry changes will affect the computer each time it reboots, so we must fix them.
Remove Worm Pif Starter.A Shortcut Virus Manually
First of all, disable the Windows utility “System Restore”.
Now kill the wscript.exe process using Task Manager.
Rename the file wscript.exe to anything, e.g. abcd (this rename should be temporary, only for the cleaning process), and don’t forget to rename it back to wscript.exe once your PC is clean.
Go to the My Documents folder and delete the file "database.mdb".
Disable any startup entry that is linked to “database.mdb”; you can use msconfig or the HijackThis log tool for this purpose.
Delete the files autorun.inf, microsoft.inf and thumb.db. Open a command prompt and type “del Microsoft.inf /s” (run it from the root of the drive so that it deletes the file everywhere on that drive). Because autorun.inf and thumb.db are set with the attributes RSHA, type “del autorun.inf /s /ah /f” for them (again from the root of the drive; replace autorun.inf with thumb.db to delete all thumb.db files).
Delete all .lnk files with a size of 1 KB; you can use the advanced search function. Be careful about what you delete; look at this sample:
Delete only shortcuts that are 1 KB in size and use a folder icon; this is a social spreading technique of the virus that mostly tricks newbies.
Repair your registry
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"
HKLM, SYSTEM\ControlSet001\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SYSTEM\ControlSet002\Control\SafeBoot, AlternateShell,0, "cmd.exe"
Now scan with your best antivirus program to make sure your system is clean, then reboot your computer.
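
Before deleting the 1 KB shortcuts and the dropped files in the steps above, it helps to list the candidates for review. The following Python script is an added example, not part of the original article: it assumes a clone is a .lnk of at most 1024 bytes named after a folder beside it (the icon is not inspected), it deletes nothing, and it runs on a constructed sample tree; scan, build_sample, DROPPED and MAX_LNK_BYTES are names chosen here.

```python
import os
import tempfile

# Names the page lists as dropped by the worm (matched case-insensitively).
DROPPED = {"autorun.inf", "thumb.db", "microsoft.lnk", "microsoft.inf", "database.mdb"}
MAX_LNK_BYTES = 1024  # assumption: the page's "1kb" is read as <= 1024 bytes


def scan(root, max_depth=2):
    """List suspect files under root without deleting anything.

    Returns (clones, dropped): clones are .lnk files of at most 1 KB named
    after a folder beside them; dropped are files whose name is in DROPPED.
    """
    clones, dropped = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        depth = 0 if rel == "." else rel.count(os.sep) + 1
        folders = {d.lower() for d in dirnames}
        if depth >= max_depth:
            dirnames[:] = []  # the page says the worm stops at the second subfolder level
        for name in filenames:
            path = os.path.join(dirpath, name)
            stem, ext = os.path.splitext(name.lower())
            if name.lower() in DROPPED:
                dropped.append(path)
            elif (ext == ".lnk" and stem in folders
                  and os.path.getsize(path) <= MAX_LNK_BYTES):
                clones.append(path)
    return sorted(clones), sorted(dropped)


def build_sample(root):
    """Create a constructed sample tree: two clone shortcuts, one real shortcut."""
    os.makedirs(os.path.join(root, "Photos", "2009"))
    files = {
        "Photos.lnk": 700,                        # clone of the Photos folder
        "Notepad.lnk": 700,                       # ordinary shortcut, no matching folder
        "autorun.inf": 50,
        os.path.join("Photos", "2009.lnk"): 700,  # clone one level down
        os.path.join("Photos", "Thumb.db"): 50,
    }
    for rel, size in files.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(b"\0" * size)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for label, hits in zip(("clone shortcut", "dropped file"), scan(tmp)):
            for hit in hits:
                print(label + ":", hit)
```

Point scan at the root of each drive in turn and check every listed path by hand before removing it.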