Stuxnet – Winsta, the malware that fills your disk and causes "Low Disk Space"

If you use the internet, be careful when visiting websites flagged as having pornographic content, or cracking sites where you download software cracks. Without your realizing it, the crack you run may turn out to be a file that actually contains the trojan "Stuxnet", also called "Winsta".

Once you have run the file, "Stuxnet" infects the computer and creates the following files:
-    C:\WINDOWS\system32\winsta.exe
-    C:\WINDOWS\system32\drivers\mrxcls.sys
-    C:\WINDOWS\system32\drivers\mrxnet.sys

The file "winsta.exe" keeps growing until it has consumed the remaining hard disk space, so the drive (usually C:, the OS system drive) becomes full. The files mrxnet.sys and mrxcls.sys are actively used to infect other computers and connected devices (such as USB flash drives or removable drives).

winsta.exe is actually the name of a genuine Windows file, WinStation Monitor, a Microsoft tool used in Windows 2000 to monitor Terminal Services client sessions. The genuine file should be located at C:\ProgramFiles\Resources\winsta.exe. For further information, see the article at http://support.microsoft.com/kb/320190

The symptoms and effects of an infection with the "Stuxnet" trojan are as follows:

- The hard disks of computers on the network suddenly become full and you get a "Low Disk Space" warning. winsta.exe keeps growing to fill whatever disk space remains (on the C drive or OS system drive).

- A Windows notification appears, informing you that you have run out of disk space.

- Because no disk space is left, you can no longer store data or run programs that need hard drive space or a cache.

- The computer seems to hang or run slowly, and if you are connected to a network you will be disconnected from it, because several Windows system files become victims of the infection:

  1. Svchost: handles network connections; when this file is infected, the network is disconnected.
  2. Lsass: when this file is infected, the computer becomes slow, hangs and restarts itself.
  3. Spoolsv: when this file is infected, data cannot be printed via a printer.

The "Stuxnet" trojan spreads by exploiting USB storage or network shares with full access. An infected computer does this automatically, by creating executable files named:

~WTR[random_numbers].tmp

The steps to clean the virus are as follows:

-          Clean the virus with the removal tool Dr.Web CureIt. You can download it from the following link:
http://www.freedrweb.com/download+cureit/

-          Repair the Windows registry entries that the virus has modified, with the following steps:

Copy this script into WordPad or Notepad:

[Version]
Signature="$Chicago$"
Provider=Project-880.com
[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del
; Restore Explorer view settings and the default file-type open commands
[UnhookRegKey]
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, ShowSuperHidden,0x00010001,1
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, SuperHidden,0x00010001,1
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, HideFileExt,0x00010001,0
HKLM, SOFTWARE\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"
; Remove the service keys registered for the mrxcls.sys and mrxnet.sys drivers
[del]
HKLM, SYSTEM\CurrentControlSet\Services\MRxCls
HKLM, SYSTEM\CurrentControlSet\Services\MRxNet
HKLM, SYSTEM\ControlSet001\Services\MRxCls
HKLM, SYSTEM\ControlSet002\Services\MRxNet
HKLM, SYSTEM\CurrentControlSet\Services\Enum\Root\LEGACY_MRXClS
HKLM, SYSTEM\CurrentControlSet\Services\Enum\Root\LEGACY_MRXNET
HKLM, SYSTEM\ControlSet001\Services\Enum\Root\LEGACY_MRXClS
HKLM, SYSTEM\ControlSet002\Services\Enum\Root\LEGACY_MRXNET

Save the file with the name "repair.inf". Set the Save as type option to Text Document in order to avoid mistakes. Right-click the file "repair.inf", select "Install", then restart your computer. Clean out temporary files to prevent any remnants of the trojan from becoming active again. Use a tool like "ATF Cleaner" or the Windows "Disk Clean-Up" feature.

Next, use the following script to prevent the virus from infecting your computer again:

@echo off
rem Delete each dropped file, then create a directory with the same name
rem so that a file with that name cannot be created again.
del /f c:\windows\system32\winsta.exe
rem rd c:\windows\system32\winsta.exe
md c:\windows\system32\winsta.exe
del /f c:\windows\system32\drivers\mrxnet.sys
rem rd c:\windows\system32\drivers\mrxnet.sys
md c:\windows\system32\drivers\mrxnet.sys
del /f c:\windows\system32\drivers\mrxcls.sys
rem rd c:\windows\system32\drivers\mrxcls.sys
md c:\windows\system32\drivers\mrxcls.sys
rem Mark the placeholder directories read-only, hidden and system.
attrib +r +h +s c:\windows\system32\winsta.exe
attrib +r +h +s c:\windows\system32\drivers\mrxnet.sys
attrib +r +h +s c:\windows\system32\drivers\mrxcls.sys

Save the file with the name "winsta.bat". Set the Save as type option to Text Document in order to avoid mistakes. Then run the file by double-clicking it.
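To verify the result of the steps above, the following added example (not part of the original article) checks a Windows directory for the three paths listed earlier and tells a real file apart from the placeholder directory that winsta.bat creates, and lists ~WTR[random_numbers].tmp files in a drive's root. The function names, the sample tree and looking only in the root folder of the drive are assumptions made for this illustration.

```python
import re
import tempfile
from pathlib import Path

# Paths the article lists, relative to the Windows directory.
DROPPED = ["system32/winsta.exe",
           "system32/drivers/mrxcls.sys",
           "system32/drivers/mrxnet.sys"]
# Name pattern the article gives for the files used for spreading.
WTR = re.compile(r"^~WTR\d+\.tmp$", re.IGNORECASE)


def check_windows_dir(windir):
    """Map each listed path to 'absent', 'file' or 'placeholder'."""
    result = {}
    for rel in DROPPED:
        p = Path(windir) / rel
        if p.is_dir():
            result[rel] = "placeholder"   # directory made by winsta.bat
        elif p.is_file():
            result[rel] = "file"          # a real file: investigate
        else:
            result[rel] = "absent"
    return result


def find_wtr_files(drive_root):
    """Return sorted names of ~WTR<digits>.tmp files in a drive's root."""
    return sorted(e.name for e in Path(drive_root).iterdir()
                  if e.is_file() and WTR.match(e.name))


def demo():
    """Build a constructed sample tree (not real data) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        win = Path(tmp) / "WINDOWS"
        (win / "system32" / "drivers" / "mrxnet.sys").mkdir(parents=True)
        (win / "system32" / "winsta.exe").write_bytes(b"\0" * 16)
        usb = Path(tmp) / "usb"
        usb.mkdir()
        for name in ("~WTR4132.tmp", "notes.tmp", "~WTRx.tmp"):
            (usb / name).write_bytes(b"")
        return check_windows_dir(win), find_wtr_files(usb)


if __name__ == "__main__":
    status, wtr = demo()
    for rel, state in status.items():
        print(f"{state:12} {rel}")
    print("removable-drive hits:", wtr)
```

On a real machine, call check_windows_dir(r"C:\WINDOWS") and find_wtr_files on the root of each removable drive instead of running demo().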

– reference : vaksin.com