
Registry editing disabled by Administrator


Post subject: Registry editing disabled by Administrator   Mon Nov 12, 2007 4:09 pm

Solution for Folder Options missing, Registry editing disabled by Administrator

Infected by the virus named Rontokbro@mm

W32.Rontokbro@mm is a mass-mailing worm that causes system instability.

Details of this Virus :

When W32.Rontokbro@mm is executed, it performs the following actions:
1. Copies itself as the following files:
•%System%\3D Animation.scr

•%System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
•%UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).
2.Creates the folder:

%UserProfile%\Local Settings\Application Data\Bron.tok-24
3.Overwrites C:\Autoexec.bat with the following text:

4.Adds the value:

"Tok-Cirrhatus" = "%UserProfile%\APPDATA\IDTemplate.exe"

to the registry subkey:


so that it runs every time Windows starts.
5.Adds the value:

"Bron-Spizaetus" = "C:\WINDOWS\PIF\CVT.exe"

to the registry subkey:


so that it runs every time Windows starts.
6.Modifies the value:

"DisableRegistryTools" = "1"
"DisableCMD" = "2"

in the registry subkey:

7.Modifies the value:

"NoFolderOptions" = "1"

in the registry subkey:

8.Adds a task to the Windows scheduler to execute the following file at 5:08 PM every day:

9.Reboots the computer when it detects a window whose title contains one of the following strings:
10.May also launch a ping flood attack on the following sites:
11.Gathers email addresses from files with the following extensions on all local drives from C to Y:
12.Avoids sending itself to email addresses that contain any of the following strings in the domain name:
13.May append the following prefixes to domain names in an attempt to find Simple Mail Transfer Protocol (SMTP) servers:
14.Uses its own SMTP engine to send itself to the email addresses that it finds. The email has the following characteristics:


Subject: [BLANK]

BRONTOK.A [ By: H[REMOVED]Community ]
-- Hentikan kebobrokan di negeri ini --
1. Adili Koruptor, Penyelundup, Tukang Suap, Penjudi, & Bandar NARKOBA
2. Stop Free Sex, Absorsi, & Prostitusi
3. Stop (pencemaran laut & sungai), pembakaran hutan & perburuan liar.
Terinspirasi oleh: Elang Brontok (Spizaetus Cirrhatus) yang hampir punah[ By: H[REMOVED]unity --



1.Disable System Restore (Windows Me/XP).
2.Update the virus definitions if you have any anti-virus program.
3.Run a full system scan and delete all the files detected.
4.Use the Security Response "Tool to reset shell\open\command registry subkeys."
5.Delete any values added to the registry.
6.Delete the scheduled task.

1. To disable System Restore (Windows Me/XP)

If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.

Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.

How to disable or enable Windows Me System Restore

Turning off System Restore deletes all previous restore points. You must create new restore points once you turn System Restore back on.
1 Click Start > Settings > Control Panel.
2 Double-click System.
If the System icon is not visible, click View all Control Panel options.
3 On the Performance tab, click File System.
4 On the Troubleshooting tab, check Disable System Restore.
5 Click OK.
6 When you are asked to restart Windows, click Yes.

How to turn off or turn on Windows XP System Restore
•Click Start.
•Right-click My Computer, and then click Properties.
•On the System Restore tab, check Turn off System Restore or Turn off System Restore on all drives. If you do not see the System Restore tab, you are not logged on to Windows as an Administrator.
•Click Apply.
•When you see the confirmation message, click Yes.
•Click OK.

2.To update the virus definitions

Update your definitions with any anti-virus program you have.

3.To scan for and delete the infected files
a.Run a full system scan.
b.If any files are detected, click Delete.

4.Using the Security Response "Tool to reset shell\open\command registry subkeys."
This risk makes changes to the Windows registry that may prevent you from running executable files. Security Response has developed a tool to reset these values to the default settings. This tool is the easiest way to fix this.

As part of their routine, many worms and Trojans make changes to the registry. Some of them change one or more of the shell\open\command keys. If these keys are changed, the worm or Trojan will run each time that you run certain files.

For example, if the \exefile\shell\open\command key is changed, the threat will run each time that you run any .exe file. This may also stop you from running the Registry Editor to try to fix this.

They may also change a registry value so that you cannot run the Registry Editor at all.


1. Download the file UnHookExec.inf and save it to your Windows desktop.

(If you cannot connect to the Internet from the infected computer, download to an uninfected computer then save it to a floppy disk. Then take the floppy disk and insert it in the floppy disk drive of the infected computer.)

Note: The tool has a .inf file extension.

2. Locate the download file, either on the Windows desktop or the floppy disk.

3. Right-click the UnHookExec.inf file and click Install. (This is a small file. It does not display any notice or boxes when you run it.)

4. Follow any other instructions for the threat that you are trying to remove.

5. To delete the value from the registry

Important: We strongly recommend that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files.

Manual steps to export registry subkeys
You can follow these steps to export a registry subkey before you edit it.

Note: Do not follow these steps to export a whole registry subtree. (HKEY_CURRENT_USER is an example of such a subtree.) If you must back up whole registry subtrees, back up the whole registry instead.
1.Click Start, and then click Run.
2.In the Open box, type regedit, and then click OK.
3.Locate and then click the subkey that contains the value that you want to edit.
4.On the File menu, click Export.
5.In the Save in box, select a location where you want to save the Registration Entries (.reg) file, type a file name in the File name box, and then click Save.

Modify the specified subkeys only.
a.Click Start > Run.
b.Type regedit
c.Click OK.

Note: If the Registry Editor fails to open, the threat may have modified the registry to prevent access to the Registry Editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.
d.Navigate to the subkey:

e.In the right pane, delete the value:

"Bron-Spizaetus" = "C:\WINDOWS\PIF\CVT.exe"
f.Exit the Registry Editor.

6. To delete the scheduled tasks added by the worm
Click Start, and then click Control Panel. (In Windows XP, switch to Classic View.)
In the Control Panel window, double click Scheduled Tasks.
Right click the task icon and select Properties from pop-up menu.
The properties of the task are displayed.
Delete the task if the contents of the Run text box in the task pane match the following:
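
Added example, not part of the original post: a Python check that scans a Registry Editor export (a .reg file, as produced by the export steps in section 5) for the value names and data listed in the worm description. The post does not give the registry subkeys, so the scan matches on value names under any subkey; the sample export, its placeholder key names, the user name and the benign ExampleApp entry are constructed.

```python
import re

# Value names and data taken from the worm description in the post.
AUTORUN_NAMES = {"Tok-Cirrhatus", "Bron-Spizaetus"}
POLICY_VALUES = {"DisableRegistryTools": 1, "DisableCMD": 2, "NoFolderOptions": 1}
KEY_RE = re.compile(r"^\[.+\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

# Constructed sample export; key names are placeholders (the post omits the subkeys).
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_PLACEHOLDER\AUTORUN_SUBKEY]
"Bron-Spizaetus"="C:\\WINDOWS\\PIF\\CVT.exe"
"Tok-Cirrhatus"="C:\\Documents and Settings\\user\\APPDATA\\IDTemplate.exe"
"ExampleApp"="C:\\Program Files\\Example\\app.exe"

[HKEY_PLACEHOLDER\POLICY_SUBKEY]
"DisableRegistryTools"=dword:00000001
"DisableCMD"=dword:00000000
"NoFolderOptions"=dword:00000001
'''

def parse_data(raw):
    """Decode the two data forms this check needs: dword and quoted string."""
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])  # undo .reg backslash escaping
    return raw  # hex(...) and other types are left undecoded

def scan_reg_export(text):
    """Return (subkey, name, data, reason) for each value matching the post."""
    findings, key = [], None
    for line in map(str.strip, text.splitlines()):
        if KEY_RE.match(line):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, data = m.group(1), parse_data(m.group(2))
        if name in AUTORUN_NAMES:
            findings.append((key, name, data, "autorun value added by the worm"))
        elif name in POLICY_VALUES and str(data) == str(POLICY_VALUES[name]):
            findings.append((key, name, data, "policy lock set by the worm"))
    return findings

if __name__ == "__main__":
    for key, name, data, reason in scan_reg_export(SAMPLE):
        print(f"[{key}] {name} = {data!r}: {reason}")
```

Exports saved in the "Windows Registry Editor Version 5.00" format are UTF-16 text, so open the file with `encoding="utf-16"` before passing its contents to `scan_reg_export`.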
