Saturday, December 15, 2007

Destrukto Virus Removal

To manually remove this virus, do the following:

1. Download a replacement to task manager such as Process Manager by Sysinternals at http://www.networkworld.com/community/?q=node/4241.

2. Open a command prompt window and go to windows\system32 and get ready to rename WSCRIPT.EXE by typing rename WSCRIPT.EXE WSCRIPT.TMP (or delete it).

3. Run Process Manager and kill the WSCRIPT process and then run the rename or delete command on the WSCRIPT.EXE.

4. Once WSCRIPT.EXE is renamed or deleted, you will most likely get a Windows message that system files are changed or deleted. Cancel the dialog box when prompted. The script will no longer be able to pop up the DESTRUKTO Internet Explorer page.

5. Download a registry editor such as mpam4_regedit_xp from http://www.patheticcockroach.com/mpam4/ind...?p=61&id=14.

6. Run the registry editor and reverse the key changes the virus made. Change them back so everything is enabled:

ran.regwrite "HKCU\Software\Microsoft\Internet Explorer\Main\Window Title","DESTRUKTO!!!!!"

ran.regwrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Explorer",wendows&"\system32\explorar.vbs"

ran.regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind",1,"REG_DWORD"

ran.regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun",1,"REG_DWORD"

ran.regwrite "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools",1,"REG_DWORD"

ran.regwrite "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr",1,"REG_DWORD"

ran.regwrite "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden",0,"REG_DWORD"

ran.regwrite "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoFolderOptions",1,"REG_DWORD"

ran.regwrite "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableConfig",1,"REG_DWORD"

ran.regwrite "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableSR",1,"REG_DWORD"

ran.regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun",0,"REG_DWORD"

7. Reboot after the registry changes and then run MSCONFIG and remove the line referencing a RUN command for EXPLORAR.VBS.

That's it. You should be good to go. Below is a copy of the Windows Script that runs when the machine is infected. You can see how the script works.

I am hoping Spyware and Virus companies will contact Eugene Young or I to create definitions so that there is an automatic removal for non technical users.

Source: Here

Any suggestion, question or violent reaction? Feel free to leave a comment.

View Random Post

2 comments:

Leerz said...

Noob.Killer Update
# Added Destrukto (Destrukto.vbs/Explorar.vbs)
# ImgKulot :)

Cheers
Viva Las Filipinas!
-Leerz

Online Malware Removal said...

Great application to remove virus on your computer, but remember to consult first experts before using such tool to avoid total breakage of your computer ;)