W32.Linkfars
W32.Linkfars propagates by copying itself to removable media drives, unsecured shared folders, and file-sharing applications. It deletes the original files so that users execute the infected copies instead. It then displays a Persian message that contains the title “SALAM-DOSTE-MAN.”
Alias: W32/Malas-M
Damage Level: Medium
Systems Affected: Windows 9x, 2000, XP, Vista
How to Remove W32.Linkfars:
FIRST AID TO STOP W32.Linkfars:
When the W32.Linkfars virus infects a computer, it modifies system settings and injects itself into legitimate Windows files. System Restore is the go-to tool for bringing back clean files and restoring an earlier configuration. If you have saved a previous restore point, please restore Windows to an earlier date.
MANUAL REMOVAL OF W32.Linkfars:
1. If an anti-virus program is present, update the definition file.
2. Reboot Windows in Safe Mode.
- After turning on the power, press F8 on the keyboard.
- From the menu, select Safe Mode.
3. Run a full system scan and clean/delete all infected file(s).
4. Delete/Modify any values added to the registry if present.
- To edit the registry, click on Start. Search or Run regedit.exe.
Note: For a complete guide on Safe Mode and Registry Editor, please see tutorial links on the sidebar.
5. Exit registry editor and restart Windows.
ADDITIONAL TOOLS AND PROGRAMS:
Scan with Norton Power Eraser:
Norton Power Eraser is a free removal tool from Norton Antivirus, developed to remove viruses and unfamiliar threats without using traditional AV signatures. Download the tool and start scanning with Norton Power Eraser.
Technical Details and Additional Information:
Other functionalities of this Worm:
- The worm creates a copy of itself named autoplay.exe on all removable and fixed drives in an attempt to propagate.
- W32.Linkfars also drops an autorun.inf file on each drive so that it runs automatically when the drive is accessed.
- It searches for folders that are associated with file-sharing networks.
Malicious Files Added by W32.Linkfars:
%Temp%\svchost.exe
%ProgramFiles%\Common Files\Microsoft Shared\MSshare.exe
%ProgramFiles%\Sound Utility\Soundmax.exe
%Windir%\Web\OfficeUpdate.exe
%ProgramFiles%\XPCode\SexGame.exe
%ProgramFiles%\XPCode\SexScreenSaver.scr
%ProgramFiles%\XPCode\SexGameList.pif
File Location for Windows Versions:
- %Windir% refers to the installation folder of the operating system.
- %Temp% refers to C:\Windows\Temp\.
Associated Windows Registry Entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Soundmax" = "%ProgramFiles%\Sound Utility\Soundmax.exe"
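A read-only check for the dropped files, the drive-root copies and the Run value listed above, written here as an added PowerShell example (it is not part of the original write-up or of any vendor tool). The function name `Find-LinkfarsArtifact`, the extra `Program Files (x86)`, `WOW6432Node` and per-user `%TEMP%` locations, and the assumption that the dropped autorun.inf mentions autoplay.exe are additions of this example.

```powershell
# Added example: read-only sweep for the W32.Linkfars artifacts listed on this page.
# Find-LinkfarsArtifact is a hypothetical name; nothing is deleted or changed.
function Find-LinkfarsArtifact {
    $hits = @()
    # Paths from the page that hang off %ProgramFiles%.
    $underProgramFiles = 'Common Files\Microsoft Shared\MSshare.exe',
                         'Sound Utility\Soundmax.exe',
                         'XPCode\SexGame.exe',
                         'XPCode\SexScreenSaver.scr',
                         'XPCode\SexGameList.pif'
    # Assumption: on 64-bit Windows a 32-bit program lands under "Program Files (x86)".
    $pfRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ } | Select-Object -Unique
    $candidates = @()
    foreach ($root in $pfRoots) {
        foreach ($rel in $underProgramFiles) { $candidates += Join-Path $root $rel }
    }
    $candidates += Join-Path $env:windir 'Web\OfficeUpdate.exe'
    # The page maps %Temp% to C:\Windows\Temp; the user's own TEMP is checked too (assumption).
    $candidates += Join-Path $env:windir 'Temp\svchost.exe'
    $candidates += Join-Path $env:TEMP 'svchost.exe'
    foreach ($path in ($candidates | Select-Object -Unique)) {
        # File.Exists also sees hidden and system files.
        if ([System.IO.File]::Exists($path)) {
            $hits += New-Object PSObject -Property @{ Type = 'File'; Detail = $path }
        }
    }
    # Run value from the page; the WOW6432Node view is an added assumption for 64-bit systems.
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                     'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run') {
        $value = (Get-ItemProperty -Path $key -Name 'Soundmax' -ErrorAction SilentlyContinue).Soundmax
        if ($value) { $hits += New-Object PSObject -Property @{ Type = 'RunValue'; Detail = "$key : Soundmax = $value" } }
    }
    # Drive roots: the autoplay.exe copy and the autorun.inf that launches it.
    foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
        $exe = Join-Path $drive.Root 'autoplay.exe'
        $inf = Join-Path $drive.Root 'autorun.inf'
        if ([System.IO.File]::Exists($exe)) {
            $hits += New-Object PSObject -Property @{ Type = 'DriveCopy'; Detail = $exe }
        }
        # Assumption: the dropped autorun.inf names autoplay.exe; the page does not show its contents.
        if ([System.IO.File]::Exists($inf)) {
            try { $text = [System.IO.File]::ReadAllText($inf) } catch { $text = '' }
            if ($text -match 'autoplay\.exe') { $hits += New-Object PSObject -Property @{ Type = 'Autorun'; Detail = $inf } }
        }
    }
    $hits
}
Find-LinkfarsArtifact | Format-Table Type, Detail -AutoSize
```

An empty result means none of the listed artifacts were found at these locations; it does not replace the full scan in step 3.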
arian
Jan 01, 2008 @ 11:08:31
I delete/modify any values added to the registry on my computer. I want a removal tool to delete this virus. Thank you.
kevin
Nov 23, 2008 @ 04:37:02
Many of these registry entries do not seem to apply to Windows Vista. Symantec will delete or quarantine the linkfars files whenever they’re found, but can’t get the source cleaned. Any ideas?
Bart
Mar 20, 2009 @ 22:47:34
Obviously this removal will NOT work.
Step 1 cannot be executed as the virus has disabled the possibility to disable System Restore by removing the System Restore Tab.