Thursday, October 30, 2008

DESTRUKTO or Explorar.vbs Virus

This is a very annoying virus. I got it from my flash drive. It spreads through portable media drives, so be very careful. My ultimate tip: before you open your flash drive, scan it first with your antivirus software, or right-click the removable drive icon and click "Explore" rather than "Open" or "AutoPlay". I have searched the internet and I haven't found newbie directions for removing this virus, so I have made my own user-friendly instructions so that people will not have to think for hours just to remove it.

Description:
1. Pops up an Internet browser window with the message:
"DESTRUKTO 10 uToS nG mAnGinGiNoM"

2. Disables Folder Options, Task Manager, Registry Editor, System Restore and Run.
3. Presence of the following files:

New Folder.bat\Start Explorar.Vbs

How to remove:
1. Download & install a replacement for Task Manager (since it is disabled), such as Process Explorer.

2. Download & install an alternative to Registry Editor (it is also disabled by the DESTRUKTO virus), such as mpam4_regedit_xp.

3. Reboot the computer in Safe Mode.
How to reboot in Safe Mode:
a) During boot-up, press F8 repeatedly until the selection menu appears.
b) Use the Up/Down arrow keys to select Safe Mode on the menu.
c) Hit Enter to proceed.

4. Run the downloaded Process Explorer and kill the wscript.exe process (right-click it and choose Kill Process). wscript.exe is the Windows Script Host interpreter that runs the .vbs file, so nothing else should be using it on a home machine.

5. Using Command Prompt or a file manager, go to C:\Windows\system32 and rename WSCRIPT.EXE to WSCRIPT.TMP. Be aware that Windows File Protection may silently put wscript.exe back from its cache; if it reappears, repeat the rename, or disable Windows Script Host instead by setting the DWORD value Enabled to 0 under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings (set it back to 1 when the clean-up is done, or no .vbs script will run on the machine).

6. Run the downloaded mpam4_regedit_xp and do as follows:

Navigate to the Run key and delete the entry that launches the script:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Exlorer\wendows&\system32\explorar.vbs
(that is, the value named Exlorer under the Run key, whose data points to wendows&\system32\explorar.vbs; leave the Run key itself and any legitimate values in place).

As you run the program, the registry keys appear as folders on the left side of the window. Follow each registry path below and set the value back to what it was before DESTRUKTO changed it. For the policy values, 0 means the restriction is off; deleting the value has the same effect.

Navigate to each subkey and modify the value:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind
Data Value from 1 to 0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun
Data Value from 1 to 0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools
Data Value from 1 to 0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
Data Value from 1 to 0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
Data Value from 0 to 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoFolderOptions
Data Value from 1 to 0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows NT\SystemRestore\DisableConfig
Data Value from 1 to 0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows NT\SystemRestore\DisableSR
Data Value from 1 to 0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun
Data Value from 0 to 91 or 95 (these are hexadecimal: 0x91, the Windows XP default, disables AutoRun on unknown and network drives; 0x95 also disables it on removable drives, which is how this virus spreads; 0xFF disables it on every drive type)

7. Exit the registry editor and restart the computer. After the restart, delete the files listed under Description from the hard disk and from every flash drive that was plugged into the infected machine, otherwise the next flash drive you open will bring the script back.

8. By this time you have successfully removed the DESTRUKTO virus.
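The registry edits in steps 5 and 6 can be scripted with reg.exe, which ships with Windows XP and is not blocked by the DisableRegistryTools policy that shuts regedit.exe out. The batch file below is an added example, not part of the original post: it assumes Windows XP, an administrator command prompt in Safe Mode (step 3), and that the value name Exlorer is the Run entry as listed in step 6 (confirm it in the reg query output before the delete runs). Instead of renaming wscript.exe it turns Windows Script Host off through its own Settings key, which Windows File Protection will not undo.

```batch
@echo off
rem Added example (not from the original post): undo the DESTRUKTO registry changes
rem from step 6 with reg.exe. Assumes Windows XP, run as administrator in Safe Mode.
setlocal
set HKCU_EXP=HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
set HKCU_SYS=HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
set HKLM_EXP=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
set HKLM_SR=HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
set RUNKEY=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
set WSH=HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings
set SUFFIX=%RANDOM%

rem 1. Back up the keys about to be changed so a mistake can be reverted with
rem    "reg import <file>".
reg export "%HKCU_EXP%" "%TEMP%\destrukto_hkcu_explorer_%SUFFIX%.reg"
reg export "%HKCU_SYS%" "%TEMP%\destrukto_hkcu_system_%SUFFIX%.reg"
reg export "%RUNKEY%"   "%TEMP%\destrukto_hklm_run_%SUFFIX%.reg"

rem 2. Remove the autostart entry that launches explorar.vbs. The value name
rem    "Exlorer" is an assumption taken from step 6; the query shows every value
rem    under Run so you can confirm which one points at explorar.vbs.
reg query "%RUNKEY%"
reg delete "%RUNKEY%" /v Exlorer /f

rem 3. Lift the restrictions on Search, Run, Folder Options, Task Manager and
rem    Registry Editor. A policy value of 0 means "not restricted".
reg add "%HKCU_EXP%" /v NoFind /t REG_DWORD /d 0 /f
reg add "%HKCU_EXP%" /v NoRun /t REG_DWORD /d 0 /f
reg add "%HKLM_EXP%" /v NoFolderOptions /t REG_DWORD /d 0 /f
reg add "%HKCU_SYS%" /v DisableTaskMgr /t REG_DWORD /d 0 /f
reg add "%HKCU_SYS%" /v DisableRegistryTools /t REG_DWORD /d 0 /f

rem 4. Re-enable System Restore and its configuration tab.
reg add "%HKLM_SR%" /v DisableConfig /t REG_DWORD /d 0 /f
reg add "%HKLM_SR%" /v DisableSR /t REG_DWORD /d 0 /f

rem 5. Show protected operating-system files again so the dropped files are visible.
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 1 /f

rem 6. Disable AutoRun. The post's 91/95 are hex: 0x91 skips unknown and network
rem    drives, 0x95 adds removable drives; 0xFF covers every drive type, which is
rem    the safe choice for a machine infected through a flash drive.
reg add "%HKCU_EXP%" /v NoDriveTypeAutoRun /t REG_DWORD /d 0xFF /f

rem 7. Alternative to renaming wscript.exe (step 5): switch Windows Script Host
rem    off machine-wide. Set Enabled back to 1 once explorar.vbs is gone if you
rem    need .vbs logon scripts to run again.
reg add "%WSH%" /v Enabled /t REG_DWORD /d 0 /f

rem 8. Verify: each line should now print the restored value.
reg query "%HKCU_SYS%" /v DisableTaskMgr
reg query "%HKCU_SYS%" /v DisableRegistryTools
reg query "%HKCU_EXP%" /v NoDriveTypeAutoRun
reg query "%WSH%" /v Enabled
endlocal
```

Save it as destrukto_fix.bat and run it from the Safe Mode command prompt; the reg query lines at the end are the check that the script actually took effect before you reboot.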

Baca Bro Virus

I would like to share this with anyone who has this virus.

Symptoms
Not able to launch Task Manager, as it auto-closes (not "disabled by administrator")
Not able to launch regedit.exe, as it is disabled by administrator
You'll find a text file at C:\Baca Bro !!!.txt
Unable to install any application or run a setup, because it auto-closes

P.S.: Don't count on googling "antivirus" or similar keywords in your browser, because the virus will auto-close your browser.

1st: We need an alternative third-party task manager; I recommend Starter
http://www.snapfiles.com/opinions/Starter/Starter.html

2nd: Replace your Task Manager with Process Explorer, which gives more detail than taskmgr.exe
http://www.microsoft.com/technet/sysintern...ssExplorer.mspx

3rd: To be able to view super-hidden folders, please download RegTick
http://www.snapfiles.com/get/regtick.html

4th: Disable System Restore by following these steps:
- Right-click "My Computer", choose Properties, select the System Restore tab and check the box "Turn off System Restore".

Let's start....

Run Starter and kill these processes if they are running. KILL THESE PROCESSES ONLY IF THEY RUN UNDER "YOUR USERNAME", NOT UNDER "SYSTEM": the genuine csrss.exe, lsass.exe, services.exe, smss.exe and winlogon.exe run as SYSTEM, and the virus drops copies with the same names that run under your own account. If you accidentally kill a SYSTEM process, no worry: either your PC will auto-restart or you just need to reboot it.

j.exe
o.exe
b.exe
csrss.exe
lsass.exe
services.exe
smss.exe
sv.exe
winlogon.exe

Done; now you should be able to run your Task Manager. Please use Process Explorer. Double-check whether any of the processes listed above are still running; if so, kill them. Once that is complete, we'll remove the files used by this virus. Go to these locations and remove all the files:

IMPORTANT: PLEASE USE "SHIFT+DELETE" (so the files bypass the Recycle Bin instead of sitting there)

<User>\Local Settings\Application Data\dv[random]\yesbron.com
<User>\Local Settings\Application Data\jalak[random].com
<Windows>\_default[random].pif
<Windows>\j[random].exe
<Windows>\o[random].exe
<Windows>\sa[random]\ib[random].exe
<System>\c[random].com
<System>\n\b[random].exe
<System>\n[random]\csrss.exe
<System>\n[random]\lsass.exe
<System>\n[random]\services.exe
<System>\n[random]\smss.exe
<System>\n[random]\sv.exe
<System>\n[random]\winlogon.exe
<Windows>\Tasks\At1.job
<Windows>\Tasks\At2.job
<System>\n5817\c.bron.tok.txt
C:\Baca Bro !!!.txt <----- if Windows is installed on the C: drive;
if on D:, it would be D:\Baca Bro !!!.txt, and so on.

Here <User> is your profile folder (C:\Documents and Settings\<your username> on a default XP install), <Windows> is C:\Windows, <System> is C:\Windows\system32, and [random] stands for a random string that differs from machine to machine. Delete only the copies of csrss.exe, lsass.exe, services.exe, smss.exe and winlogon.exe under the <System>\n[random] folder, never the real ones in <System> itself.



Once done, proceed to remove the registry entries.

Use RegTick to re-enable regedit.exe, then proceed to remove the registry entries.

The following registry entries are created to run yesbron.com, _default[random].pif, j[random].exe and sv[random].exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run
[random characters]
<User>\Local Settings\Application Data\dv[random]\yesbron.com

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run
[random characters]
<Windows>\_default.pif

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
[random characters]
<System>\n\sv[random].exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[random characters]
<Windows>\j[random].exe

The following registry entries are changed to run j[random].exe and o[random].exe on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe "<Windows>\o[random].exe"

(the default value for this registry entry is "Explorer.exe", which causes the Microsoft file <Windows>\Explorer.exe to be run on startup).

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System>\userinit.exe,<Windows>\j[random].exe

(the default value for this registry entry is "<Windows>\System32\userinit.exe," with the trailing comma).

The following registry entry is set, disabling the registry editor (regedit):

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1

Registry entries are set as follows:

HKCU\Software\Brontok
Message
Look @ "C:\Baca Bro !!!.txt"

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0

Registry entries are created under:
HKCU\Software\Brontok\
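The autostart repairs above can be done from a command prompt with reg.exe, taskkill and del. The batch file below is an added example, not part of the original post or MOFO's write-up. It assumes Windows XP Professional (tasklist/taskkill are missing from XP Home), an administrator command prompt, System Restore already turned off, and that the dropped process names are the ones in the kill list above. The Run-key value names are random, so the script prints those keys for you to delete by hand rather than guessing; it does restore the two Winlogon values automatically, because a typo in Shell or Userinit is what leaves a machine unable to reach the desktop after reboot.

```batch
@echo off
rem Added example (not from the original post): clean the Brontok autostart
rem entries listed above. Assumes Windows XP Professional, run as administrator.
setlocal
set WINLOGON=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
set ADV=HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
set ME=%USERDOMAIN%\%USERNAME%

rem 1. Kill the impostor copies of system process names, but only the ones
rem    running under the logged-on user. The genuine csrss, lsass, services,
rem    smss and winlogon run as SYSTEM and are excluded by the USERNAME filter,
rem    so the loop cannot take down the real ones.
for %%p in (j.exe o.exe b.exe sv.exe csrss.exe lsass.exe services.exe smss.exe winlogon.exe) do (
    taskkill /f /fi "USERNAME eq %ME%" /im %%p
)

rem 2. Put the Winlogon values back to their documented defaults quoted above.
rem    Userinit keeps its trailing comma; %SystemRoot% expands to C:\WINDOWS
rem    on a default install.
reg add "%WINLOGON%" /v Shell /t REG_SZ /d "Explorer.exe" /f
reg add "%WINLOGON%" /v Userinit /t REG_SZ /d "%SystemRoot%\system32\userinit.exe," /f

rem 3. List the four Run locations. The Brontok values have random names, so
rem    look for data ending in yesbron.com, _default.pif, j[random].exe or
rem    sv[random].exe and remove each one by name, e.g.
rem      reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v <name> /f
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run"
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run"
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

rem 4. Remove the Brontok key, the scheduled tasks and the calling-card file.
rem    del never uses the Recycle Bin, so this matches the Shift+Delete advice.
reg delete "HKCU\Software\Brontok" /f
del /f /q "%SystemRoot%\Tasks\At1.job" "%SystemRoot%\Tasks\At2.job"
del /f /q "%SystemDrive%\Baca Bro !!!.txt"

rem 5. Restore the Explorer view settings the virus changed (Hidden=1 shows
rem    hidden files, HideFileExt=0 shows extensions, ShowSuperHidden=1 shows
rem    protected OS files) and re-enable the registry editor.
reg add "%ADV%" /v Hidden /t REG_DWORD /d 1 /f
reg add "%ADV%" /v HideFileExt /t REG_DWORD /d 0 /f
reg add "%ADV%" /v ShowSuperHidden /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 0 /f

rem 6. Verify the two values that decide whether the next logon works.
reg query "%WINLOGON%" /v Shell
reg query "%WINLOGON%" /v Userinit
endlocal
```

Run it after the file deletions in the list above, then check the two reg query lines at the end: Shell must read exactly Explorer.exe and Userinit must end in userinit.exe, before you reboot, otherwise you will log on to a blank desktop.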

That's all. Thanks

Credits to: MOFO