Cleaning Virus Copy of Shortcut to (1), (2), (3), (4)

Shorcut virus is very famous virus from indonesia, this virus could make change the folder and file become .ink and our file will be can not to open and disappear. Actualy this virus is not really dangerous for us, cause there is a two ways how to clean or delete that virus from our windows operating system.

First way you must read below here, there is 8 steps what we must to do:

1. Turn off ‘System Restore’ during the cleaning process.
2. Disconnect your computer from the network.
3. Deactivate the virus by using “Ice Sword”. After it program has been already installed into your computer, choose the file which look a like ” Microsoft Viasual Basic Project” icon then click “Terminate Process”. You can download that tools from HERE
4. Clean the registry that already created by virus in this way:
-. Click the menu [Start]
-. Click [Run]
-. Type REGEDIT.exe, Then click [OK] button
-. At the Registry Editor, follow the key [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
-. Then delete the key which is have data file [C:\Document and Settings\%user%].
5. Disable autoplay/autorun Windows. Copy script below here at the Notepad then save it file REPAIR.INF, then you right click on that file and click INSTALL.
HKLM, Software\CLASSES\batfile\shell\open\command,,,”””%1″” %*”
HKLM, Software\CLASSES\comfile\shell\open\command,,,”””%1″” %*”
HKLM, Software\CLASSES\exefile\shell\open\command,,,”””%1″” %*”
HKLM, Software\CLASSES\piffile\shell\open\command,,,”””%1″” %*”
HKLM, Software\CLASSES\regfile\shell\open\command,,,”regedit.exe “%1″”
HKLM, Software\CLASSES\scrfile\shell\open\command,,,”””%1″” %*”
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoDriveTypeAutoRun,0x000000ff,255
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer, NoDriveTypeAutoRun,0x000000ff,255
6. Delete parent file and duplicate file that created by virus include in your flashdisk. To making fast searching process you can use Search. Before you do searching, will be better if you show the hidden file in the Folder Options. Be carefull to delete the parent file and duplicate file from the virus. The parent file have look like this:
-. Icon ‘Microsoft Visual Basic Project’.
-. Size the File is 128 KB (for the other variant maybe will be different size).
-. File extension ‘.EXE’ or ‘.SCR’.
-. Type file ‘Application’ or ‘Screen Saver’.
next delete the duplicate file shortcut which is look like this:
>. Icon Folder or icon
>. Extension .LNK
>. Type File ‘Shortcut’
>. Size the file 1 KB
Delete the file wich is have extension .DLL (e.g ert.dll) and Autorun.inf in your flashdisk or shared folder for a while to avoid the virus activating again, delete the parent file that have the extension .EXE or .SCR first then delete the shortcut file (.LNK)
7. Show the hidden file that was made by virus. To make it fast you should download the UnHide file and Folder Tools in After get installed choose the directory [C:\Documents and settings] and your flashdisk. At the menu [Attributes] make empty the options then click button [Change Attributes].
8. Install the security patch ‘Microsoft Windows Shell shortcut handling remote code execution vulnerability-MS10-046′. Please to download the security patch at
Like ussual, to make optimal cleaning and prevent reinfection, you should install and scan at the first with updated antivirus. If still can not detect this kind of virus you must make sure your antivirus update.

Then the second way to delete VIRUS SHORTCUT:
The shortcut virus seems look like this :
First that you should know, after get infection to the computer, it will make parent file database.mdb in My Documents.
Then the second is that virus will be make Autorun.inf file in every disk drive also your folder without the exception.
The third is the virus will be create Thumb.db file ( look carefully if this file without s letter, the original thumbnail chache is have the letter s (e.g Thumbs.db) in every folder. To hook the victims, the virus will create file and New Harry Potter and …ink in every folder to execute it and directly that virus will be activated.
Like the others, they will be make the duplicate file in every folder but this time not anymore with .EXE extension but with .INK extension or you can call it Shorcut extension.

At the task manager there is services process wscript.exe still running. At the normally condition, there is no process like this. So the second ways to delete that virus shortcut is:
1. Turn off the System Restore. I always turn off the System Restore after windows installation process to back up and imaging system. I prefer to use third party like acronis or Norton Ghost (2010) Full Serial Crack.
2. End virus wscript.exe process (C:\WINDOWS\System32\wscript.exe)
You can use Process Explorer or misc. tool at HijackThis. You should have HijackThis 2.0.2
3. Delete the virus database.mdb file in My Documents
4. Delete the duplicate virus. In process delete file. You can use Search feature from windows. “at more advanced options” make sure you check options Search system folders and Search hidden files and folders
Search file autorun.inf size 8 KB
Search file Thumb.db size 8 KB
Search file ekstensi .lnk.lnk size 1 KB
Then delete all the file founded.
To make easy searching process also deleting founded file. maybe you should use UTool, a freeware that allowed to download for free. This software automatically find and deleting the file we wanted.
5. Delete the registry Autorun that created by virus by using HijackThis.
Look for at the HKCU\..\Run part which is related with database.mdb file regedit_run
Here is my suggestions to you to prevent or make your computer more safe.

Here is we can do:
1. After Windows Instalation process over, Turn off the System Restore
2. Install third party software like Tweak UI or Magic Tweak to disable Autorun and prevent from activating .ink file themselves. Maybe at the Windows XP Professional version, to deactivate process can be easily to do. But for Windows Xp Home version you will need this software. This will help us so much cause we can making mistake everytime although we has been make disable activating the file for all drive also removable disk (flashdisk).
3. After all instalation process over, back up your image system by using Acronis True Image or Norton Ghost, So if the next time we got problem with our computer, you just restore the image file.
4. If needed, you should install deep freeze if your computer more than 1 user. So your setting won’t be changed.
5. Update info: if your removable disk got infection by shortcut virus. The icon drive will be change to icon folder. If you see this icon, use the explorer and open the removabledisk ( don’t double click from My Computer) then delete Autorun file and the others manually by pressing shift + Del. Mostly the local virus could be prevent with disable Autorun at the windows or Magictweak has been activate and also disable .INF at the Magictweak.

Ok,, Good Luck XD


Posted on 29 December 2011, in Tips N Trick and tagged . Bookmark the permalink. 3 Comments.

  1. It is powered by fast, interactive business communication that is cost-effective, your business needs are supplemental it now met with more rapid response
    system put in place. But we at iYogi provide
    you with a far deeper level of understanding of your subject,
    which supplemental it you’ll come to realise is a Godsend in the working environment.

    For some, this is not a new concept.

  2. Can you Make A video of this ?? I have a memory card That has this problem Copy of Shortcut to (1) (2) (3) (4) …….. They Don’t go with any thing Antivirus,CMD ……. So, please help me !!!

  3. use windows defender.
    i try it and splved problem.


Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: