Saturday, December 15, 2007

Destrukto Virus Removal

To manually remove this virus, do the following:

1. Download a replacement to task manager such as Process Manager by Sysinternals at

2. Open a command prompt window and go to windows\system32 and get ready to rename WSCRIPT.EXE by typing rename WSCRIPT.EXE WSCRIPT.TMP (or delete it).

3. Run Process Manager and kill the WSCRIPT process and then run the rename or delete command on the WSCRIPT.EXE.

4. Once WSCRIPT.EXE is renamed or deleted, you will most likely get a Windows message that system files are changed or deleted. Cancel the dialog box when prompted. The script will no longer be able to pop up the DESTRUKTO Internet Explorer page.

5. Download a registry editor such as mpam4_regedit_xp from

6. Run the registry editor and reverse the key changes the virus made. Its own regwrite calls, quoted from the script, are listed below; change the values back so everything is enabled again:

ran.regwrite "HKCU\Software\Microsoft\Internet Explorer\Main\Window Title","DESTRUKTO!!!!!"

ran.regwrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Explorer",wendows&"\system32\explorar.vbs"

ran.regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind",1,"REG_DWORD"

ran.regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun",1,"REG_DWORD"

ran.regwrite "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools",1,"REG_DWORD"

ran.regwrite "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr",1,"REG_DWORD"

ran.regwrite "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden",0,"REG_DWORD"

ran.regwrite "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoFolderOptions",1,"REG_DWORD"

ran.regwrite "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableConfig",1,"REG_DWORD"

ran.regwrite "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableSR",1,"REG_DWORD"

ran.regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun",0,"REG_DWORD"

7. Reboot after the registry changes and then run MSCONFIG and remove the line referencing a RUN command for EXPLORAR.VBS.
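The same clean-up as a single batch file, added here as an example and not part of the original post or of any vendor tool. It covers step 3 (stopping the script host), step 6 (reverting the values listed above) and step 7 (removing the Run entry and the script file), then verifies that every restriction value is gone. It uses reg.exe, taskkill.exe and attrib.exe as shipped with Windows XP Professional and later; reg.exe is not blocked by the DisableRegistryTools policy, so it works even before step 5. Key and value names come from the post; the path to explorar.vbs and the 0x91 autorun default are assumptions. Run it from an administrator command prompt after steps 2 to 4 above.

```batch
@echo off
REM Added example, not from the original post: revert the registry changes
REM listed in step 6, remove the Run entry for explorar.vbs (step 7) and
REM verify the result. Assumes Windows XP Professional or later (reg.exe,
REM taskkill.exe, attrib.exe). Key and value names are taken from the post;
REM the script path and the autorun default value are assumptions.
setlocal

REM Step 3: stop the script host so it cannot rewrite the keys while we work.
taskkill /F /IM wscript.exe >nul 2>&1

REM Step 7: remove the logon entry that relaunches the script, then the script
REM itself (path assumed from the post's "\system32\explorar.vbs").
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v Explorer /f >nul 2>&1
if exist "%windir%\system32\explorar.vbs" (
    attrib -r -h -s "%windir%\system32\explorar.vbs"
    del /f "%windir%\system32\explorar.vbs"
)

REM Step 6: a policy value that is absent means "restriction off", so deleting
REM each value restores the Windows default rather than writing a 0.
set "P_EXP=HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
set "P_SYS=HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"
set "M_EXP=HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
set "M_SR=HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore"

for %%V in (NoFind NoRun) do reg delete "%P_EXP%" /v %%V /f >nul 2>&1
for %%V in (DisableRegistryTools DisableTaskMgr) do reg delete "%P_SYS%" /v %%V /f >nul 2>&1
reg delete "%M_EXP%" /v NoFolderOptions /f >nul 2>&1
for %%V in (DisableConfig DisableSR) do reg delete "%M_SR%" /v %%V /f >nul 2>&1

REM The virus set ShowSuperHidden=0 to hide its files; 1 shows protected files.
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 1 /f >nul

REM The virus set NoDriveTypeAutoRun=0 (autorun allowed on every drive type).
REM 0x91 (145) is the Windows XP default; use your own baseline if it differs.
reg add "%P_EXP%" /v NoDriveTypeAutoRun /t REG_DWORD /d 145 /f >nul

REM Remove the custom IE window title; an absent value means the default title.
reg delete "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Window Title" /f >nul 2>&1

REM Verify: every restriction value and the Run entry must now be gone.
echo Checking that the restrictions are gone...
call :gone "%P_EXP%" NoFind
call :gone "%P_EXP%" NoRun
call :gone "%P_SYS%" DisableRegistryTools
call :gone "%P_SYS%" DisableTaskMgr
call :gone "%M_EXP%" NoFolderOptions
call :gone "%M_SR%" DisableConfig
call :gone "%M_SR%" DisableSR
call :gone "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" Explorer
echo Reboot when done, then confirm that Task Manager and regedit open normally.
endlocal
goto :eof

:gone
REM Prints [OK] if value %2 is absent from key %1, [STILL SET] otherwise.
reg query "%~1" /v "%~2" >nul 2>&1 && (echo [STILL SET] %~1 \ %~2) || (echo [OK] %~1 \ %~2)
goto :eof
```

The verification subroutine is the part worth keeping around on its own: if any value reports STILL SET after a reboot, the script host was not actually stopped before the keys were reverted and is rewriting them, so repeat from step 3.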

That's it. You should be good to go. Below is a copy of the Windows Script that runs when the machine is infected. You can see how the script works.

I am hoping spyware and virus companies will contact Eugene Young or me to create definitions so that there is an automatic removal for non-technical users.

Source: Here

Wednesday, December 5, 2007

TestDisk - Best FREE Tool for Partition Recovery

Nothing beats free software that can do what commercial software can't. If you are looking for partition recovery software, this one is for you. This open-source program saved me today from a possible one- to three-hour job recovering partitions that had suddenly disappeared. It took less than five minutes to recover the missing partitions.

You can run this program from Windows or from the TestDisk Live Rescue CD. The only downside is that it still uses a DOS-style text interface even when you run it in Windows, instead of a more user-friendly GUI, so you might need to read the documentation first. As for me, I don't care as long as it gets the job done.

From their website:

TestDisk is a powerful free data recovery software! It was primarily designed to help recover lost partitions and/or make non-booting disks bootable again when these symptoms are caused by faulty software, certain types of viruses or human error (such as accidentally deleting a Partition Table). Partition table recovery using TestDisk is really easy.

TestDisk can

* Fix partition table, recover deleted partition
* Recover FAT32 boot sector from its backup
* Rebuild FAT12/FAT16/FAT32 boot sector
* Fix FAT tables
* Rebuild NTFS boot sector
* Recover NTFS boot sector from its backup
* Fix MFT using MFT mirror
* Locate ext2/ext3 Backup SuperBlock

TestDisk has features for both novices and experts. For those who know little or nothing about data recovery techniques, TestDisk can be used to collect detailed information about a non-booting drive which can then be sent to a tech for further analysis. Those more familiar with such procedures should find TestDisk a handy tool in performing onsite recovery.

TestDisk can run under

* DOS (either real or in a Windows 9x DOS-box),
* Windows (NT4, 2000, XP, 2003),
* Linux,
* FreeBSD, NetBSD, OpenBSD,
* SunOS and
* MacOS

You can download it here
Documentation and how-to can be found here

Monday, December 3, 2007

"Incompatible modem codec detected, please check your modem card" error

Somebody brought in an HP Pavilion ze4900 laptop yesterday (the exact model is ze4938ea according to the sticker); the owner said that she could not connect to the internet, neither via dial-up nor via her broadband connection. The laptop came from abroad (the Middle East) and she had just started using it this week to replace her desktop.

So I powered it up, and whenever I started the default dial-up connection, this error showed up:

Motorola SM56 Modem Helper
Incompatible modem codec detected, please check your modem card.

Whenever you receive an error while trying to start a dial-up connection, the first thing to do is check whether the correct driver for the modem is installed. I went to the HP support website, fired up the Automatic Detection option to find the exact model of this laptop, and checked for the appropriate driver.

My suspicion was right. According to the driver download page for the HP Pavilion ZE4938ea, this laptop uses a CONEXANT modem, while the error shown above comes from the MOTOROLA SM56 modem driver. So the former owner of this laptop had installed the wrong driver. I downloaded the right one, installed it, and the dial-up connection now works.

Problem 1 solved.

Next to solve was the internet connection via the LAN card. I hooked the laptop up to my switch and it was automatically assigned an IP address, so that part seemed to be working. I fired up Internet Explorer (yes, it is the only available browser; no Firefox installed) and the dreaded "Server not found" appeared.

I quickly fired up the command prompt, ran ipconfig, and pinged my router: there was a reply. I also pinged yahoo and google, and there was a reply too. Odd.

So I checked the LAN settings (Control Panel > Internet Options > Connections > LAN settings) and eureka! I found the culprit.

As you can see, the laptop was set to use a proxy server; all you need to do is clear the check mark under "Proxy server".

Problem 2 solved.
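The same diagnosis from the command prompt, added here as an example and not part of the original post: it reproduces the "ping works but the browser doesn't" check (gateway, then a public host name), and then reads the per-user Internet Explorer proxy setting that the post clears through the Control Panel dialog. ProxyEnable and ProxyServer under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings are the registry values behind that check box. It assumes Windows XP or later with English, IPv4 ipconfig output; the test host name is a constructed placeholder.

```batch
@echo off
REM Added example, not from the original post: the gateway/name-resolution
REM pings described above, followed by a read of the IE proxy setting that
REM the post clears by hand. Assumes Windows XP or later, English IPv4
REM ipconfig output; the test host name below is a constructed placeholder.
setlocal
set "TESTHOST=www.example.com"
set "IS=HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"

REM 1. Default gateway from ipconfig (first match only; English text).
set "GW="
for /f "tokens=2 delims=:" %%A in ('ipconfig ^| find "Default Gateway"') do if not defined GW set "GW=%%A"
if defined GW set "GW=%GW: =%"
if not defined GW (echo [FAIL] no default gateway; check the IP address assignment & goto :done)

REM ping exits 0 even on "Destination host unreachable", so test for TTL=.
call :reach "%GW%" "router"
call :reach "%TESTHOST%" "name resolution and internet"

REM 2. The proxy check box in Internet Options lives in the registry.
set "PE=0x0"
for /f "tokens=3" %%A in ('reg query "%IS%" /v ProxyEnable 2^>nul ^| find "ProxyEnable"') do set "PE=%%A"
set "PS="
for /f "tokens=3" %%A in ('reg query "%IS%" /v ProxyServer 2^>nul ^| find "ProxyServer"') do set "PS=%%A"

if "%PE%"=="0x1" (
    echo [CULPRIT] "Use a proxy server" is checked: %PS%
    echo           Clear it in Internet Options ^> Connections ^> LAN settings, or run:
    echo           reg add "%IS%" /v ProxyEnable /t REG_DWORD /d 0 /f
) else (
    echo [OK] no proxy configured for this user
)
goto :done

:reach
REM %1 = host or address, %2 = label. One echo request, two-second timeout.
ping -n 1 -w 2000 %~1 | find "TTL=" >nul && (echo [OK] %~2: %~1 replies) || (echo [FAIL] %~2: no reply from %~1)
goto :eof

:done
endlocal
```

When the two pings succeed and the proxy line reports CULPRIT, the symptom matches the post exactly: the network stack is fine and only HTTP traffic is being sent to a proxy that is not reachable from this network. If both pings succeed and no proxy is set, look elsewhere (DNS suffix, firewall, or the browser itself) before touching the LAN settings.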

Reference No.: 070001

