How to remove the DESTRUKTO or autoplay virus



If you've encountered this kind of virus... this is one way to remove it from your computer.

If you are getting an Internet Explorer window with the message "DESTRUKTO 10 uToS nG mAnGinGiNoM" and a page telling you to email destrukto_ako @yahoo.com, I have found how the virus works.

Basically, the virus is downloaded and comes in the form of an EXE called SETUP.EXE. As soon as the user clicks on this file, it installs itself.

The virus adds a Run entry to the registry that launches explorar.vbs at startup. It then modifies the registry to disable Task Manager, msconfig, System Restore, etc.

The VBS (Windows Script file) then stays resident in memory, looping so that it keeps popping up the Internet Explorer window with the HTML message.

To manually remove this virus, do the following:

1. Download a replacement for Task Manager, such as Process Manager by Sysinternals, from http://www.networkworld.com/community/?q=node/4241.

2. Open a command prompt window, change to windows\system32, and get ready to rename WSCRIPT.EXE by typing rename WSCRIPT.EXE WSCRIPT.TMP (or delete it). Do not run the command yet; the script is still running inside WSCRIPT.EXE.

3. Run Process Manager, kill the WSCRIPT process, and then run the rename or delete command on WSCRIPT.EXE.

4. Once WSCRIPT.EXE is renamed or deleted, you will most likely get a Windows message that system files have been changed or deleted. Cancel the dialog box when prompted so the file is not put back. The script will no longer be able to pop up the DESTRUKTO Internet Explorer page.

5. Download a registry editor such as mpam4_regedit_xp from http://www.patheticcockroach.com/mpam4/index.php?p=61&id=14.

6. Run the registry editor and reverse the registry changes the virus made. The writes it performs are listed below (ran.regwrite is the script's call to the WScript.Shell RegWrite method). Each policy value it sets to 1 disables a feature, so set those back to 0 (or delete them); ShowSuperHidden goes back to 1, NoDriveTypeAutoRun is put back from the 0 the script wrote, and the Run entry for explorar.vbs is removed, so that everything is enabled again:

ran.regwrite "HKCU\Software\Microsoft\Internet Explorer\Main\Window Title","DESTRUKTO!!!!!"

ran.regwrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Explorer",wendows&"\system32\explorar.vbs"

ran.regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind",1,"REG_DWORD"

ran.regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun",1,"REG_DWORD"

ran.regwrite "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools",1,"REG_DWORD"

ran.regwrite "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr",1,"REG_DWORD"

ran.regwrite "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden",0,"REG_DWORD"

ran.regwrite "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoFolderOptions",1,"REG_DWORD"

ran.regwrite "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableConfig",1,"REG_DWORD"

ran.regwrite "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableSR",1,"REG_DWORD"

ran.regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun",0,"REG_DWORD"

7. Reboot after the registry changes and then run MSCONFIG and remove the line referencing a RUN command for EXPLORAR.VBS.
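As an added example (not from the original post), the following PowerShell script reverts every registry value listed above in one pass. It assumes PowerShell is available on the machine and is run from an elevated prompt after the WSCRIPT process has been killed; deleting a policy value restores the default (policy not enforced), ShowSuperHidden goes back to 1, and NoDriveTypeAutoRun is set to 0xFF, which disables AutoRun on every drive type.

```powershell
# Added example, not from the original post: remove the registry values the
# DESTRUKTO script writes. Run from an elevated PowerShell prompt after the
# WSCRIPT process has been killed, or the script's loop may re-apply them.

# Values the script creates. Deleting a policy value restores the default
# (policy not enforced); deleting the Run entry removes the explorar.vbs
# startup, and deleting Window Title restores IE's normal title bar.
$valuesToRemove = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFind' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoRun' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr' },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions' },
    @{ Path = 'HKLM:\Software\Policies\Microsoft\Windows NT\SystemRestore';        Name = 'DisableConfig' },
    @{ Path = 'HKLM:\Software\Policies\Microsoft\Windows NT\SystemRestore';        Name = 'DisableSR' },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run';               Name = 'Explorer' },
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Main';                   Name = 'Window Title' }
)

# Values the script set to 0 that must be written back rather than removed.
# ShowSuperHidden = 1 shows protected OS files again; NoDriveTypeAutoRun = 0xFF
# disables AutoRun on every drive type (the script set it to 0, enabling it).
$valuesToSet = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'ShowSuperHidden';    Value = 1 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoDriveTypeAutoRun'; Value = 0xFF }
)

foreach ($v in $valuesToRemove) {
    # Get-ItemProperty returns $null (no error) when the key or value is absent.
    $item = Get-ItemProperty -Path $v.Path -Name $v.Name -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        Write-Host "Removing $($v.Path)\$($v.Name) (was: $($item.($v.Name)))"
        Remove-ItemProperty -Path $v.Path -Name $v.Name -Force
    }
}

foreach ($v in $valuesToSet) {
    # Create the key if it is missing so Set-ItemProperty does not fail.
    if (-not (Test-Path -Path $v.Path)) { New-Item -Path $v.Path -Force | Out-Null }
    Write-Host "Setting $($v.Path)\$($v.Name) = $($v.Value)"
    Set-ItemProperty -Path $v.Path -Name $v.Name -Value $v.Value -Type DWord
}
```

Removing the Run value here does what step 7 does through MSCONFIG, so the reboot can follow directly.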

That's it. You should be good to go.

~MmixX~