Windows XP and trojan.vundo
Most PCs (equipped with internet facility) usually get infected with trojan.vundo (a trojan that disables and hides different options of your operating system).
As this trojan infection is spreading fast throughout the world and still most of the anti-virus/anti-spyware/anti-rootkit software are unable to detect it because this trojan **hides** itself in system process known as winlogon.exe
So, I decided to share some easy steps to remove this threat manually, so that your computer may work properly.
Error #1- Registry editor (regedit.exe) has been disabled by your administrator.
Here are two ways to enable the registry editing in Windows.
1- From Group Policy Editor
Go to Run –> gpedit.msc
In the left hand menu, go to User Config –> Administrative Templates –> System.
Now In the right hand pane, select “Prevent access to registry editing tools”. It will probably be not configured or enabled. If it’s enabled, disable it and if it’s not configured, first enable it, apply settings and then disable it. Most probably the settings have been applied instantly. If not, then run gpupdate in command prompt to apply the group policies.
2- From the Run Menu
I got this tweak while surfing the internet. Go to Start –> Run, copy and paste the following in the Run box and press OK.
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f
The effects are usually instant. If not then you should see the results after restarting your computer.
*Please tell me your experiences on this tweak.
Error #2- Task Manager has been disabled by your administrator
This problem is also caused by a variant of trojan.vundo, known as trojan.vundo.B
Click here to download a small tool (76KB) to fix this problem
Guest- Guest
Re: Windows XP and trojan.vundo
abid861 wrote:2- From the Run Menu
I got this tweak while surfing the internet. Go to Start –> Run, copy and paste the following in the Run box and press OK.
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f
The effects are usually instant. If not then you should see the results after restarting your computer.
Wrong !
We can't run the registry editor in this case..It will give us the following error..
This method will not work until you load your machine in SAFE MODE..
Try this:
Start your computer in safe mode with command prompt and type the following command to enable registry editor:-
reg delete HKCU\software\microsoft\windows\currentversion\policies\system /v "DisableRegistryTools"
and run
reg delete HKLM\software\microsoft\windows\currentversion\policies\system /v "DisableRegistryTools"
Or try this VBscript..
- Code:
'Enable/Disable Registry Editing tools
' Vinay - www.mig33friends.com
Option Explicit
'Declare variables
Dim WSHShell, n, MyBox, p, t, mustboot, errnum, vers
Dim enab, disab, jobfunc, itemtype
Set WSHShell = Wscript.CreateObject("Wscript.Shell")
p = "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\"
p = p & "DisableRegistryTools"
itemtype = "REG_DWORD"
mustboot = "Log off and back on, or restart your pc to" & vbCR & "effect the changes"
enab = "ENABLED"
disab = "DISABLED"
jobfunc = "Registry Editing Tools are now "
'This section tries to read the registry key value. If not present an
'error is generated. Normal error return should be 0 if value is
'present
t = "Confirmation"
Err.Clear
On Error Resume Next
n = WSHShell.RegRead (p)
'Save the error number first: On Error Goto 0 resets the Err object
errnum = Err.Number
On Error Goto 0
If errnum <> 0 Then
    'Create the registry key value for DisableRegistryTools with value 0
    WSHShell.RegWrite p, 0, itemtype
    'The failed read left n Empty; use the value that was just written
    n = 0
End If
'If the key is present, or was created, it is toggled
'Confirmations can be disabled by commenting out
'the two MyBox lines below
If n = 0 Then
    n = 1
    WSHShell.RegWrite p, n, itemtype
    Mybox = MsgBox(jobfunc & disab & vbCR & mustboot, 4096, t)
ElseIf n = 1 Then
    n = 0
    WSHShell.RegWrite p, n, itemtype
    Mybox = MsgBox(jobfunc & enab & vbCR & mustboot, 4096, t)
End If
*Copy the coded text and paste it in a Notepad file..
*Save it as regedit.vbs
Click twice on the regedit.vbs your registry editor will be enabled
Download: > RegEdit.vbs (2 KB)
Task Manager has been disabled by your administrator
Method 1: Using Group Policy Editor (gpedit.msc)
* Click Start, Run, type gpedit.msc and click OK.
* Navigate here:
- Code:
User Configuration / Administrative Templates / System / Ctrl+Alt+Delete Options / Remove Task Manager
* Double-click the Remove Task Manager option.
* Set the policy to Not Configured.
Method 2:
* Click Start, Run and type Regedit
* Navigate here:
- Code:
HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \ Policies\ System
* In the right-pane, delete the value named DisableTaskMgr
* Close Regedit !
Method 3:
Download: EnableTM.reg and click twice on it.
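As an added example (not part of the original posts), this Python script audits a .reg export for the two policy values named in this thread, DisableRegistryTools and DisableTaskMgr, under the Policies\System key in both HKCU and HKLM, and builds the matching reg delete commands. The sample export, the function names and the use of /f on reg delete are assumptions of this example.

```python
import re

# Key and value names are the ones quoted in the thread; any non-zero DWORD blocks the tool.
POLICY_KEY = r"software\microsoft\windows\currentversion\policies\system"
POLICY_VALUES = {"disableregistrytools": "Registry Editor",
                 "disabletaskmgr": "Task Manager"}
HIVES = {"hkey_current_user": "HKCU", "hkey_local_machine": "HKLM"}
HEADER = re.compile(r"^\[(-?)([^\\\]]+)\\(.+)\]$")
DWORD = re.compile(r'^"([^"]+)"\s*=\s*dword:([0-9a-fA-F]{1,8})$')

def audit_reg_export(text):
    """Return (hive, value name, data, blocked tool) for each blocking policy value."""
    findings, hive = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            # New key section: track it only if it is the policy key in HKCU or HKLM.
            m = HEADER.match(line)
            hive = None
            if m and not m.group(1) and m.group(3).lower() == POLICY_KEY:
                hive = HIVES.get(m.group(2).lower())
            continue
        m = DWORD.match(line) if hive else None
        if m and m.group(1).lower() in POLICY_VALUES:
            data = int(m.group(2), 16)
            if data != 0:
                findings.append((hive, m.group(1), data, POLICY_VALUES[m.group(1).lower()]))
    return findings

def cleanup_commands(findings):
    """Build the reg delete command for each finding (HKLM needs an administrator account)."""
    return ["reg delete {}\\{} /v {} /f".format(h, POLICY_KEY, name) for h, name, _, _ in findings]

# Constructed sample export, not taken from an infected machine.
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableTaskMgr"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000
"DisableTaskMgr"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"DisableTaskMgr"=dword:00000001
"""

if __name__ == "__main__":
    for cmd in cleanup_commands(audit_reg_export(SAMPLE)):
        print(cmd)
```

Exports in the "Version 5.00" format are saved as UTF-16, so decode the file with that encoding before passing its text to audit_reg_export.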
Re: Windows XP and trojan.vundo
dats nice .... vinay bro u always help us alot ... thx alot for ur support bro u rock .. !
best regards
luv.inspecta
luv.inspecta- Legendary Member
-
Number of posts : 1642
Age : 38
Location : saudi arabia
mig33 username : luv.inspecta
Registration date : 2008-05-19
Re: Windows XP and trojan.vundo
vinay wrote:
Wrong !
We can't run the registry editor in this case..It will give us the following error..
This method will not work until you load your machine in SAFE MODE..
I guess u better read carefully.. and try it then. its a two step procedure, first to run the group policies configuration after that perform the second step.
EDITED..plz dont use red color.
Guest- Guest
Re: Windows XP and trojan.vundo
abid861 wrote:vinay wrote:
Wrong !
We can't run the registry editor in this case..It will give us the following error..
This method will not work until you load your machine in SAFE MODE..
I guess u better read carefully.. and try it then. its a two step procedure, first to run the group policies configuration after that perform the second step. MR. TECHNICIAN
Hi Bro abid, Don't get RED...
abid861 wrote:Here are two ways to enable the registry editing in Windows.
You wrote yourself that there are two ways to enable the regeditor in windows.. It means there are two different ways.. and you've posted those two ways as 1- From Group Policy Editor and 2- From the Run Menu
abid861 wrote:plus you don't need SAFE MODE in those steps
If you try to run REGEDIT in normal mode it will give you the Error..
The first way you have posted is a different way..
One more thing.. Express yourself in one reply instead of double posting..
Peace !
Re: Windows XP and trojan.vundo
yea vinay thx for clearing it ...... i might be able to understand fully now
luv.inspecta- Legendary Member
Re: Windows XP and trojan.vundo
its the way how you perceived "two ways" ...
+ i think you have a Windows XP special Edition that gives error in normal mode. my windows XP and of my 32 friends doesn't give error in normal mode
Guest- Guest
Re: Windows XP and trojan.vundo
abid861 wrote:its the way how you perceived "two ways"...
Bro! two ways means two different ways and two steps means two different steps of a particular method.
Anyways.. I gave full clarification so I am not going to argue with you.
abid861 wrote:i think you have a Windows XP special Edition that gives error in normal mode. my windows XP and of my 32 friends doesn't give error in normal mode
Special version ? What is that ?
Well I am using windows xp professional with service pack 2
Bro, Tell me, What is wrong with our registry editor if it is working fine in normal MODE ?
I think you are not getting me..
PEACE
Re: Windows XP and trojan.vundo
vinay wrote:, Tell me, What is wrong with our registry editor if it is working fine in normal MODE ?
I think you are not getting me..
because you are taking TWO steps as TWO WAYS... go on and try... perform the 1st WAY then perform the 2nd WAY... then tell me if YOUR WINDOWS's regedit gives ERROR in NORMAL MODE or NOT
Guest- Guest
Re: Windows XP and trojan.vundo
vinay wrote:I gave full clarification so I am not going to argue with you.
ya u clarified... u da master of universe, as you know everything CLEARLY...
Guest- Guest
Re: Windows XP and trojan.vundo
abid861 wrote:because you are taking TWO steps as TWO WAYS..
You wrote two ways yourself man.. so don't try to escape.. I told you I am not going to argue with you because its useless..
abid861 wrote:go on and try... perform the 1st WAY then perform the 2nd WAY... then tell me if YOUR WINDOWS's regedit gives ERROR in NORMAL MODE or NOT
I tried it several times before, this is what we do in REMOVAL of BRONTOK virus..
No double posting please..
Don't get angry yaar
Peace
Re: Windows XP and trojan.vundo
kool!.. then it means u tried the "CORRECT" way duh!!!
n angry? who?
Guest- Guest
Re: Windows XP and trojan.vundo
abid and vinay guess u both got into long discussion here lol...atleast we have the right way .. ! thx to both of u !!! cheerzzz
luv.inspecta- Legendary Member
Re: Windows XP and trojan.vundo
abid861 wrote:kool!.. then it means u tried the "CORRECT" way duh!!!
n angry? who?
abid861 wrote:ya u clarified... u da master of universe, as you know everything CLEARLY
Anger ? Isn't it ?
Peace
Re: Windows XP and trojan.vundo
abid dude i read the whole discussion . my introduction i am gym i am the ex technician of this forum dude
ur methods are basic methods u may have seen in some websites but dude ok u opened ur registry . good but now tell me how will u remove the virus
registry can be opened by more than 50 commands u mention two
even software like tuneup ftp cleaners can work on registry
but main thing is u should have idea
nothing will be gained by u removing it from registry unless u close the process and remove from c windows
any way i want to know what kind of virus it is
from the discussion its clear tht the signatures affects the registry and system
tell me the mode of spread
affects on pc
any open discussion and criticism is welcomed
gym
Re: Windows XP and trojan.vundo
Welcome back GYM
Hi abid bro, Just see the following method
Enable/Disable Regeditor using the Group Policy Editor
Click Start, Run and type gpedit.msc and press ENTER
Go to the following location:
- Code:
User Configuration | Administrative Templates | System
Exit the Group Policy Editor..
PROBLEM SOLVED !!!
Oops! I think this method is same with your first way i mean first step
check this out:
abid861 wrote:1- From Group Policy Editor
Go to Run –> gpedit.msc
In the left hand menu, go to User Config –> Administrative Templates –> System.
Now In the right hand pane, select “Prevent access to registry editing tools”. It will probably be not configured or enabled. If it’s enabled, disable it and if it’s not configured, first enable it, apply settings and then disable it.
This error occurs if the DisableRegistryTools Policy is enabled.
If the problem has been solved in the 1st step then what the next step you gonna apply ? Hm ?
Peace
Re: Windows XP and trojan.vundo
the question is how to remove the trojan
opening registry is never a problem
Re: Windows XP and trojan.vundo
gym wrote:the question is how to remove the trojan
opening registry is never a problem
Gym Bro, Check my reply carefully! I replied to Abid not to you..
Re: Windows XP and trojan.vundo
dude i also was telling him that why are we making big issue opening registry without removing virus
Re: Windows XP and trojan.vundo
this trojan is usually present in C:\Windows\ or in C:\Windows\System32 or in C:\Windows\Temp .. directories... as a folder icon (without any name, 300KB or so in size)
How to remove...!
its v.easy to remove. when you enable your task manager and/or registry editor... bring up the task manager and end the trojan's process...
trojan processes
.exe
winlogon.exe
*these processes are under processes tab in task manager with your **username
**username is the account name through which you log in to the windows.
Guest- Guest
Re: Windows XP and trojan.vundo
abid bro you are acting a bit stubborn.nobody on our forum tries to
prove himself superior,rather we work as a team n work out all the problems together.A healthy discussion is always welcome on here but after reading
all the discussion on trojans it seems as if ur trying to say that you can never be wrong.I had to edit your post where u used red font and pointed out vinay as "MR Technician."..and plz do use the search button before posting bro..
enigma_1- super moderator
-
Number of posts : 1240
Age : 114
Location : India
mig33 username : enigma_1
Registration date : 2007-09-22
Re: Windows XP and trojan.vundo
enigma_1 wrote:abid bro you are acting a bit stubborn. nobody on our forum tries to
prove himself superior,rather we work as a team n work out all the problems together.
when a TEAM member tries to show some attitude or efficiency, then I have right to act stubborn.
Guest- Guest
Re: Windows XP and trojan.vundo
abid bro relax we are to discuss not to argue bro .... plz guys lets get bck to the topic here n share knowledge be happy happy
luv.inspecta- Legendary Member