MemeStreams Discussion

This page contains all of the posts and discussion on MemeStreams referencing the following web page: Vundo/VirtuMonde removal tool.

Vundo/VirtuMonde removal tool
by Dagmar at 9:27 am EST, Dec 24, 2007

In case any of you have loved ones or whatever running Windows, this is something you may need soon. Normally this wouldn't be such a pain in the ass, but this is now one of those "landscape changes" resulting from people like the Russian Business Network (also known as "criminals"--there is no mincing words on this) really bearing down on the subject of installing malware onto people's computers.

I'm going to say something that will upset some of you now. Pregnant women and those prone to fainting may wish to stop reading now.

* * *

This fscker will get you through Firefox if you're not careful.

* * *

It's not Firefox that's being exploited, but any one of three plugins (and probably more than that) that are installed if you have not been keeping them up to date. High on the list of possibilities are Quicktime and Adobe Reader plugins for one very specific reason.

Those two things have their automated update checkers tied up in exceptionally ponderous system tray apps that most people disable because they're a big waste and slow down booting. ...so if you don't have these doing their thing through the system tray, the first time you may find out there's a necessary update is when the plugin is triggered by the browser--at which point it's too late, you've been compromised.

The machine I just cleaned up was infected while a person was browsing MySpace (and this isn't MySpace-specific, I'll explain at the bottom) using Firefox and it was infected through the Quicktime plugin. All the user initially saw was that Quicktime was informing them of an update being available... and then they started getting the popups advertising for what are essentially phony anti-spyware programs.

This particular variant did the following things above and beyond "the usual". It blew AVG right off the drive. It damaged the Quicktime installation so that it could not be updated without going and manually getting the update, although Quicktime itself still worked properly. After a partial removal in safe mode was attempted, it locked out all accounts, including the administrator account. Very not cool, that. (It of course disabled all the internet security settings in XP, and riddled the registry with itself, and installed "partner" software as the usual.)

Why this is not specific to MySpace

The problem that's coming up now is that the criminals are using front companies to buy ad space from legitimate/normal ad companies, and serving the ads from their own machines, which every so often will instead return a 404 document which invokes a vulnerable plugin. I've seen multiple perfectly reasonable sites go into a panic lately (CuteOverload got so freaked out they wiped their site and restored it from a scoured backup) because their users were reporting that their antivirus solutions were hollering about viruses on their site--which turned out to be coming from major ad banner companies that would otherwise be considered "safe".


 
RE: Vundo/VirtuMonde removal tool
by DrArkaneX at 2:35 pm EST, Dec 26, 2007

Just added this up today, it's been on my skull the last few months and just decided to put it up. Bleeping computers removal is not as effective so I had to go old school on this one...

http://www.mainsteam.net/fixingvundotrojan


  
RE: Vundo/VirtuMonde removal tool
by Dagmar at 10:47 pm EST, Dec 28, 2007

DrArkaneX wrote:
Just added this up today, it's been on my skull the last few months and just decided to put it up. Bleeping computers removal is not as effective so I had to go old school on this one...

http://www.mainsteam.net/fixingvundotrojan

You really need to double-check your stuff on that page. ...so let me make something clear.

Javascript isn't the mechanism for this. Javascript (at least with Firefox) can't go altering host OS files. If you find a way to do this with JavaScript and can prove it, there's people reading this site who would really like to know about it (and that's putting it mildly).

Third party browser plugins containing vulnerable code can be used, and are being used, as an avenue for infection of vulnerable PCs.

...and for that matter, Bleepingcomputer's fix worked fine here. Perhaps you downloaded an older version of it and haven't revisited the issue since it's been updated, I dunno.

If you prevent the bloody thing from loading by removing its hooks from the registry, you'll find you don't actually have to use any special tool to bypass the file locking mechanism... It can be ripped out in Safe Mode in just one pass by running the two tools at Bleeping Computer one after the other, just like they say.

Crap Cleaner is not necessary for this, and that's not its job anyway. People should scan with a working virus scanner of their choosing to try to be sure the system's clean.

...and changing the administrator password to blank is not a useful method for re-enabling the use of regedit. However, if a user boots to safe mode so they can login as Administrator, they can just go hunting for the 'DisableRegistryTools' value. If Administrator has somehow been explicitly disallowed the use of regedit due to acts of whatever, there's live CDs around that can be used to modify the registry anyway, as well as a few free third-party tools that will just kick that value out of the registry, as the policy only prevents regedit and regedit32 from being run--it doesn't actually make the registry read-only.
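As an added example (not code from either poster, and not one of the third-party tools mentioned), here is the 'DisableRegistryTools' hunt Dagmar describes done in PowerShell from an Administrator session, Safe Mode included. It checks the current user's policy key, the machine-wide one, and every other loaded user hive, since the value is usually set for the infected account rather than the one you logged in as. The registry paths are the standard Windows policy locations; everything else in the script is my addition.

```powershell
# Added example (not from the original thread): find and clear the
# DisableRegistryTools policy value. The policy only stops regedit.exe from
# starting; the registry itself stays writable, so an Administrator (Safe
# Mode is fine) can remove it with the registry provider. Run with -WhatIf
# first to see what would be removed.
[CmdletBinding(SupportsShouldProcess=$true)]
param()

$policySubKey = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'

# Current user, machine-wide policy, and every other loaded user hive
# (the infected account is usually not the one you are logged in as now).
$paths = @("HKCU:\$policySubKey", "HKLM:\$policySubKey")
$paths += Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -notmatch '_Classes$' } |
    ForEach-Object { "Registry::$($_.Name)\$policySubKey" }

foreach ($path in $paths) {
    if (-not (Test-Path -Path $path)) { continue }
    $key = Get-Item -Path $path
    if ($key.GetValueNames() -notcontains 'DisableRegistryTools') { continue }

    $value = $key.GetValue('DisableRegistryTools')
    Write-Output "$path\DisableRegistryTools = $value"
    if ($value -ne 0) {
        # Honors -WhatIf / -Confirm through SupportsShouldProcess above.
        Remove-ItemProperty -Path $path -Name 'DisableRegistryTools'
    }
}
```

Run it as Administrator; the HKLM copy of the value applies to every account on the machine, the per-hive copies only to that user, so the script clears both. Once it is gone, regedit starts normally and the rest of the cleanup can continue.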


   
RE: Vundo/VirtuMonde removal tool
by DrArkaneX at 12:08 pm EST, Jan 15, 2008

Welp, I've done a LOT of research on this. Stripping the hook out of LSASS really does the trick more than anything, but I have updated my Vundo fix page as well. Only thing about your last reply on this is that Safe Mode does not work. The file is still considered a "Windows Safe File" and will still get used by LSASS even in safe mode. BleepingComputer's fix is not necessarily the right way to go. I have used the most recent version of their fix and this trojan still lay dormant. This prompted me to write my Vundo fix page because Bleeping's wasn't working for me and plus I really wanted to find out how this ticked.

But anyways, Wendy's laptop got hit with it a few days ago and the only caveat, which I have hence updated my page with, is that you MUST boot to a BartPE or ERD Commander (Ultimate Boot Disc) to delete the .DLL or .EXE and then in notepad, create the same filename as a text file and then make them Read Only. Also, it borked with her startup items like loading "googletalk .exe" (notice the space before the .exe) so I had to recreate a new account and copy her stuff over. Best fix I've seen for Vundo yet. Do me a favor and on the computer you fixed, check that Lsa reg entry and see if anything is there.

One of the problems I had with Bleeping's fix was that the damn thing lay dormant and you'd think you got rid of it only to find out later you were wrong. (happened to me a few times)

There are actually several ways Vundo gets on your computer. Java and Quicktime. Firefox does use the same Java as IE and by default will allow Vundo to get in. Check to make sure Java is updated to Update 3. That will fix it.

Crap Cleaner is an excellent tool for removing registry entries that are invalid or non-existent. Perhaps you should read my fix on Vundo a little better as I think you just skimmed through it.. :) Crap Cleaner does not get rid of viruses nor did I claim it to. Crap Cleaner is an excellent tool and should be on everyone's Windows PC, next to the Anti Virus of their choosing.

Bear in mind that the only thing that Wendy does on her laptop is check email, Craigslist and MySpace. Nothing else and it was a fresh reload of the OS as well. I checked her Java version before cleanup and it was Java build 1.6.0_02.

Here are some links in reference:

Link 1
Link 2
Link 3

As much as I want to blame Microsoft for this, it's not through an IE exploit that Vundo gets in, nor a Firefox exploit. Simply it's either Java or Quicktime that hasn't been updated. Very simple really.. :)

Also, about the RegEdit denied workaround in there. I think you are taking my page out of context and I really think you skimmed it. The question was posed to me by a reader who wanted to get into RegEdit. The link noted is a workaround by Microsoft to allow the user to get into RegEdit. Of course you and I both know we can boot up to Ultimate Boot CD or whatever and work around this issue, but sometimes we're dealing with people that don't know too much about computers or have never seen a C64 boot screen.. :)

And my method on that page has been double-checked, triple-checked. I use this method for every Vundo removal I run into. I have hence removed the Unlocker, because it's not needed, but it's still a very good tool. I have over the last 2 weeks simplified my methods and with Wendy's laptop just solidified it. As I stated before, I used Bleeping's programs and while they worked (or so I thought), it came back. My method is a sure-fire, multiple tested way to get rid of Vundo. Next time you run into it again, try my method.
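As an added example (not DrArkaneX's fix page, nor any tool from the thread), here is a PowerShell check for the "Lsa reg entry" he asks Dagmar to look at. The thread does not say which value under the Lsa key Vundo hooks, so this script reads all three REG_MULTI_SZ values that LSASS loads DLLs from at boot and compares them with a baseline of what a stock, stand-alone Windows XP client carries. The baseline and the choice of values are my assumptions; the script only reports and changes nothing.

```powershell
# Added example (not from the original thread): inspect the Lsa registry key
# for DLLs that LSASS will load at boot, which is why a hook there survives
# Safe Mode. Read-only: it reports, it does not remove anything.
$lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$lsa = Get-Item -Path $lsaPath

# REG_MULTI_SZ values under Lsa whose entries LSASS loads as DLLs from
# %SystemRoot%\system32 (names are stored without the .dll suffix).
# Baseline = stock Windows XP stand-alone client (assumption: a domain
# controller or a box with extra security providers differs legitimately,
# so treat an unknown entry as "go look at that file", not "delete it").
$baseline = @{
    'Notification Packages'   = @('scecli')
    'Authentication Packages' = @('msv1_0')
    'Security Packages'       = @('kerberos', 'msv1_0', 'schannel', 'wdigest')
}

$findings = foreach ($valueName in $baseline.Keys) {
    $entries = @($lsa.GetValue($valueName)) | Where-Object { $_ }
    foreach ($entry in $entries) {
        $file = Join-Path $env:SystemRoot "system32\$entry.dll"
        New-Object PSObject -Property @{
            Value  = $valueName
            Entry  = $entry
            Known  = ($baseline[$valueName] -contains $entry)
            File   = $file
            Exists = (Test-Path -LiteralPath $file)
        }
    }
}

$findings | Format-Table Value, Entry, Known, Exists, File -AutoSize

$suspect = @($findings | Where-Object { -not $_.Known })
foreach ($s in $suspect) {
    Write-Warning ("Unexpected LSASS DLL '{0}' in '{1}' ({2})" -f $s.Entry, $s.Value, $s.File)
}
if ($suspect.Count -eq 0) { Write-Output 'Lsa load lists match the baseline.' }
```

Run it as Administrator on the live system; the warning lines give you the file path to deal with. As DrArkaneX describes, the deletion and read-only placeholder step still has to happen from an offline boot, because LSASS keeps the DLL loaded even in Safe Mode.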


 
 