Thursday, October 30, 2008

DESTRUKTO or Explorar.vbs Virus

This is a very annoying virus. Got it from my flash drive. It spreads through portable media drives, so be very careful. My ultimate tip is: before you open your flash drive, scan it first with your antivirus software, or right-click the removable drive icon and click "Explore" rather than "Open" or "AutoPlay". I have searched the internet and I haven't found newbie directions for removing this virus, so I have made my own user-friendly instructions so that people will not have to think for hours just to remove this virus.

Description:
1. Pops up an Internet browser window with the message:
"DESTRUKTO 10 uToS nG mAnGinGiNoM"

2. Disables Folder Options, Task Manager, Registry Editor, System Restore and Run.
3. Presence of the following files:

New Folder.bat\Start Explorar.Vbs

How to remove:
1. Download & install replacement software for Task Manager (since it is disabled), such as Process Explorer

2. Download & install alternative software for Registry Editor (it is also disabled by the destrukto virus), such as mpam4_regedit_xp

3. Reboot the computer in Safe Mode
How to reboot in Safe Mode:
a) During the boot-up process, press F8 repeatedly until the selection menu appears.
b) Use the Up/Down arrow keys to select Safe Mode from the menu.
c) Hit Enter to proceed.

4. Run the process manager downloaded in step 1 and disable the WSCRIPT process. You may disable a process by right-clicking it and choosing disable.

5. Using Command Prompt or a file manager, go to C:\Windows\system32 and rename WSCRIPT.EXE to WSCRIPT.TMP

6. Run the downloaded mpam4_regedit_xp and do as follows:

Navigate to and delete the subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Exlorer\wendows&\system32\explorar.vbs

As you run the program, the registry keys are shown as folders on the left side of the dialog box. Follow each registry path below and set the value back to what it was before destrukto changed it.

Navigate to each subkey and modify the value:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind
Data Value from 1 to 0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun
Data Value from 1 to 0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools
Data Value from 1 to 0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
Data Value from 1 to 0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
Data Value from 0 to 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoFolderOptions
Data Value from 1 to 0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows NT\SystemRestore\DisableConfig
Data Value from 1 to 0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows NT\SystemRestore\DisableSR
Data Value from 1 to 0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun
Data Value from 0 to 91 or 95
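The same step 6 check and restore can be scripted instead of edited by hand. The following PowerShell script is an added example, not part of the original post or of any tool it mentions: run from an elevated prompt it reports whether each policy value listed above still holds its clean value, and with -Fix it writes the clean value back and removes any HKLM Run entry that launches explorar.vbs (the Run value name in the post is garbled, so the script matches on the command data rather than on a hardcoded name). Two assumptions are mine: the "91 or 95" for NoDriveTypeAutoRun is read as the hex DWORD 0x91 (the usual form of that value), and the System Restore policy key is written as HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore, which is the path Windows actually uses.

```powershell
# Added example (not from the original post): audit, and optionally restore,
# the policy values that the DESTRUKTO removal steps tell you to edit by hand.
# Run from an elevated PowerShell prompt. Without -Fix it only reports.
[CmdletBinding()]
param([switch]$Fix)

# Clean values for each entry listed in step 6 of the post (assumption: the
# NoDriveTypeAutoRun "91" is the hex DWORD 0x91).
$expected = @(
    @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name='NoFind';               Value=0 },
    @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name='NoRun';                Value=0 },
    @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name='DisableRegistryTools'; Value=0 },
    @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name='DisableTaskMgr';       Value=0 },
    @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name='ShowSuperHidden';      Value=1 },
    @{ Path='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name='NoFolderOptions';      Value=0 },
    @{ Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore';        Name='DisableConfig';        Value=0 },
    @{ Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore';        Name='DisableSR';            Value=0 },
    @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name='NoDriveTypeAutoRun';   Value=0x91 }
)

foreach ($e in $expected) {
    # Read the current value; $null means the key or value does not exist.
    $current = $null
    if (Test-Path $e.Path) {
        $current = (Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
    }
    $state = if ($null -eq $current) { 'absent' }
             elseif ($current -eq $e.Value) { 'ok' }
             else { "tampered=$current" }
    Write-Output ("{0,-14} {1}\{2}" -f $state, $e.Path, $e.Name)

    # Restore the clean value, creating the key first if the worm's tampering
    # left it in a state where it has to be recreated.
    if ($Fix -and $state -ne 'ok') {
        if (-not (Test-Path $e.Path)) { New-Item -Path $e.Path -Force | Out-Null }
        Set-ItemProperty -Path $e.Path -Name $e.Name -Value $e.Value -Type DWord
    }
}

# The post's step 6 also deletes the worm's autostart entry under the HKLM Run
# key. Its value name is garbled in the post, so match on the command data.
$runKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$metaProps = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'  # provider bookkeeping, not Run entries
$run = Get-ItemProperty -Path $runKey
foreach ($p in $run.PSObject.Properties) {
    if ($p.Name -in $metaProps) { continue }
    if ("$($p.Value)" -match '(?i)explorar\.vbs') {
        Write-Output ("autostart      {0}\{1} = {2}" -f $runKey, $p.Name, $p.Value)
        if ($Fix) { Remove-ItemProperty -Path $runKey -Name $p.Name }
    }
}
```

Run it once without -Fix to see which values are still "tampered" after the manual steps, then with -Fix. The HKCU entries are per user, so a machine with several accounts needs the script run under each one that logged in while the worm was active.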

7. Exit registry editor and restart the computer.

8. By this time you have successfully removed the destrukto virus.
