

Krotten is a ransomware of Russian origin. It is known for being unusual in what it does, as well as for being the most destructive ransomware, since it is near impossible to remove completely without reinstalling Windows.

Payloads

When the virus is first executed, it brings up a dialog box with Russian text. The title translates roughly to "All is ready", and the message says "Restart your computer, and read what needs to be done. Email the program developers at wordsia@notrix.de". At the same time, the virus disables Task Manager, regedit, My Computer, Control Panel, the ability to see the C drive, the ability to shut down properly, the Run dialog, and many more functions. Upon restart, the desktop background is shifted to the bottom right corner, and the user can't do much anymore. The clock is changed to say "хуй" (the word "dick" in Russian). All the user can really do is run Command Prompt.

It should be noted that in Windows Vista and above, the user must grant the virus administrative privileges in order for all of these payloads to work. If no administrative access is granted, only the background shifting and the changing of the clock will be functional.

Removal

This virus is notorious because of how destructive it is. It is near impossible to remove without reinstalling Windows, so if you have found yourself to be an unlucky victim of this ransomware, it is probably best to back your data up and reinstall Windows. However, for those interested, most of this virus can be removed. The procedure differs depending on whether you are using Windows XP and below, or Windows Vista and above.

Windows XP and below

Open command prompt, and type the following command: reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /f

After that, type: reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /f

Running these commands deletes the keys that block regedit and Task Manager, so you will now be able to run regedit without getting the infamous "Registry editing has been disabled by your administrator" error message. Now navigate to 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies' and delete every subkey in this key. Next, navigate to 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run' and delete any values that look suspicious. Then navigate to 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies' and delete every subkey from there. Finally, navigate to 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' and delete any suspicious-looking values from here.

This will mostly restore full functionality, but to remove everything, first save your personal files to a folder on the C drive. Then open a Command Prompt and type: 'net user administrator /active:yes'

Now log out of your account and log on to the administrator account. Navigate to Start > Control Panel > User Accounts. Find your account and click "Delete This Account". Once this account is deleted, make a new user account with whatever name you want. Now log out of the administrator account and log in with the newly made account. If you want to hide the administrator account again, run this command in Command Prompt: 'net user administrator /active:no'

Windows Vista and above

Due to the new User Account Control and stronger file protection, removing this virus on Windows Vista onwards is more difficult. First, boot from the OS install disk and click "Repair your computer" in the bottom right. On Windows Vista and Windows 7, this brings you to a screen that scans for Windows installations; once it finds one, select your Windows install and click Next, which brings you to the advanced options screen. On Windows 8 and Windows 10, clicking "Repair your computer" brings you to a screen with several options; click the button that says "Advanced options". Now, for all versions, click the "Command Prompt" button. In this window, type 'rename sethc.exe oldsethc.exe', then 'copy cmd.exe sethc.exe'. Now exit the installer and boot back into Windows.

Once you are logged in, press Shift five times and a command prompt will open. Don't run the removal commands yet, because they will give you a series of "access denied" errors: Windows Vista onwards needs administrative privileges to run them. Type "explorer.exe C:\Windows\System32". This will open an Explorer window. Scroll down until you find "cmd.exe", right-click it, and click "Run as Administrator". Click "Yes" or "Continue" at the UAC prompt. Once this window opens, type: reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /f

After that, type: reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /f

Running these commands deletes the keys that block regedit and Task Manager, so you will now be able to run regedit without getting the infamous "Registry editing has been disabled by your administrator" error message. Now navigate to 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies' and delete every subkey in this key. Next, navigate to 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run' and delete any values that look suspicious. Then navigate to 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies' and delete every subkey from there. Finally, navigate to 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' and delete any suspicious-looking values from here.

This will mostly restore full functionality, but to remove everything, first save your personal files to a folder on the C drive. Then open an Administrator Command Prompt and type: 'net user administrator /active:yes'

Now log out of your account and log on to the administrator account. Navigate to Start > Control Panel > User Accounts. Find your account and click "Delete This Account". Once this account is deleted, make a new user account with whatever name you want. Now log out of the administrator account and log in with the newly made account. If you want to hide the administrator account again, run this command in an Administrator Command Prompt: 'net user administrator /active:no'
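The registry clean-up is the same in the Windows XP and the Windows Vista-and-above procedures above, so here is one added example that covers both. It is not from this article or from any tool the article describes: it is a PowerShell script, written for this page, that audits the Policies and Run keys the article names, lists the lockdown policy values that match the symptoms described (Task Manager, regedit, Control Panel, the Run dialog, drive hiding, shutdown), lists every autorun entry for manual review, and removes the matched policy values only when run with -Remove. The value names (DisableTaskMgr, DisableRegistryTools, NoControlPanel, NoRun, NoDrives, NoViewOnDrive, NoClose, NoDesktop, NoLogoff) are real Windows policy values; which of them this particular sample sets is an assumption, so the script reports before it deletes. It is deliberately more conservative than the article's "delete every subkey": it touches only the named values and never deletes Run entries for you.

```powershell
# Added example (not from the Krotten article or its author): audit-and-repair script for the
# registry lockdown described above. Run from an elevated PowerShell prompt. Policy values are
# only removed when -Remove is given; -WhatIf shows what would be removed without touching anything.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove
)

# Keys the article tells the victim to clean. Policy subkeys (System, Explorer, ...) hold the
# lockdown values; Run keys hold persistence entries.
$PolicyRoots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies'
)
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

# Well-known policy values that produce the symptoms the article describes. Assumption: the
# sample sets some subset of these. A domain-managed machine may set some of them on purpose,
# so confirm with the administrator before removing anything.
$LockdownValues = @(
    'DisableTaskMgr', 'DisableRegistryTools', 'NoControlPanel', 'NoRun',
    'NoDrives', 'NoViewOnDrive', 'NoClose', 'NoDesktop', 'NoLogoff'
)

function Get-LockdownPolicies {
    # Walk each Policies root and all of its subkeys and return every value whose name is
    # in the lockdown list, with a provider path usable by Remove-ItemProperty.
    foreach ($root in $PolicyRoots) {
        if (-not (Test-Path $root)) { continue }
        $keys = @(Get-Item $root) + @(Get-ChildItem $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                if ($LockdownValues -contains $name) {
                    [pscustomobject]@{
                        Key   = "Registry::$($key.Name)"
                        Name  = $name
                        Value = $key.GetValue($name)
                    }
                }
            }
        }
    }
}

function Get-RunEntries {
    # List every autorun value so the operator can spot the ransomware's own entry.
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{ Key = $key; Name = $name; Command = $item.GetValue($name) }
        }
    }
}

Write-Host "== Lockdown policy values found =="
$found = @(Get-LockdownPolicies)
$found | Format-Table -AutoSize

Write-Host "== Autorun entries (review manually, nothing is deleted here) =="
Get-RunEntries | Format-Table -AutoSize

if ($Remove) {
    foreach ($entry in $found) {
        if ($PSCmdlet.ShouldProcess("$($entry.Key) -> $($entry.Name)", 'Remove policy value')) {
            Remove-ItemProperty -Path $entry.Key -Name $entry.Name -ErrorAction Stop
        }
    }
    Write-Host "Policy values removed; log off and back on for Explorer to pick up the change."
}
```

Run it once without switches to see the report, then with -Remove -WhatIf to preview the deletions, and finally with -Remove. Because HKLM policy values are enforced for every user, the HKLM pass needs an elevated prompt, which is exactly the "access denied" situation the Vista section above describes.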

For all versions, it is of course always best to run a proper anti-virus scan afterwards, in case any remnants of the virus are left over.
