Solved

IE Hijacked, Registry shuts down after 15 seconds

Posted on 2009-03-31
Last Modified: 2013-12-06
Hello,

I have a user who was experiencing a Google Redirect due to a Lando trojan (according to McAfee).  McAfee would find the virus each time she went to Google's homepage, but then it would close and IE would close as well.

I ran scans with MalwareBytes and Spybot-S&D, as well as the McAfee Enterprise AV 8.7 (in safe and normal modes).  None of them reported finding the file, so on the advice of the avertlabs blog, I deleted wdmaud.drv from the system32 folder.  

This seems to have solved the Google issue, but I suspect there is still another virus, as online antivirus scans are blocked and when I go to Windows Update the scan hangs almost immediately.

I've got a HijackThis log that I just created that I'll upload as part of the question.

Thanks,
BenderBender
hijackthis.log
Question by:BenderBender
7 Comments
 
LVL 40

Accepted Solution

by:
Kyle Abrahams earned 100 total points
ID: 24029552
You can actually upload that log right to HijackThis and get feedback based on what other people say.

I would take out the nameservers and any tcp params.

Also good tools are ComboFix and SmitfraudFix. Google them now that you've got that running, and they'll take care of any further hijacks.
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 200 total points
ID: 24036008
Check if security sites are blocked in your Hosts file.
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\Hosts
Or run combofix.
Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

You must download it to, and run it from, your Desktop.
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.



If needed, here's the Combofix tutorial which includes the installation of the Recovery Console:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
 
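A way to do the hosts-file check suggested above without trusting Notepad's view of the file, as an added example that is not part of this thread or any poster's code. It is Python rather than something run on the infected box: copy the hosts file off the machine (or paste its contents) and run the audit from a clean system. The list of protected vendor domains is my own choice, the sample hosts text is constructed, and the `localhost` exemption assumes the XP default file, which carries only that one entry.

```python
r"""Audit a Windows hosts file for entries that hijack security or update sites.

Added example, not code from the thread. Takes the text of
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts and reports entries that pin a
security-vendor or Windows Update hostname to any address (127.0.0.1 is the
usual choice: the online scanner or update site simply fails to load), plus
any other name black-holed to loopback or 0.0.0.0.
"""
import ipaddress
import re

# Assumption: a clean workstation has no hosts entries for these at all.
# The list is my own; extend it with whatever vendors you rely on.
PROTECTED_SUFFIXES = (
    "microsoft.com", "windowsupdate.com",
    "mcafee.com", "symantec.com", "kaspersky.com", "malwarebytes.org",
    "bleepingcomputer.com", "avg.com", "pandasecurity.com", "trendmicro.com",
)


def _is_protected(hostname):
    h = hostname.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in PROTECTED_SUFFIXES)


def parse_hosts(text):
    """Yield (line_no, ip, [hostnames]) for every active entry.

    Handles tabs, several hostnames on one line, trailing comments, and the
    padding trick of pushing hijack entries far below the visible
    'localhost' line with a run of blank lines.
    """
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s+", line)
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not something the resolver would use as an address
        yield n, str(ip), parts[1:]


def audit_hosts(text):
    """Return a list of findings as (line_no, ip, hostname, reason)."""
    findings = []
    for n, ip, names in parse_hosts(text):
        for name in names:
            if name.lower() == "localhost" and ip in ("127.0.0.1", "::1"):
                continue  # the one entry a default XP hosts file carries
            if _is_protected(name):
                findings.append((n, ip, name, "security/update site pinned in hosts"))
            elif ip.startswith("127.") or ip == "0.0.0.0":
                findings.append((n, ip, name, "non-localhost name black-holed"))
    return findings


# Constructed sample: a hijacked hosts file whose extra entries sit below
# forty blank lines so they are off-screen in a casual Notepad view.
SAMPLE_HOSTS = (
    "# Copyright (c) 1993-1999 Microsoft Corp.\n"
    "127.0.0.1       localhost\n"
    + "\n" * 40 +
    "127.0.0.1\twww.mcafee.com  mcafee.com\n"
    "127.0.0.1\tupdate.microsoft.com\n"
    "127.0.0.1 housecall.trendmicro.com # blocked\n"
    "127.0.0.1 www.example.org\n"
)

if __name__ == "__main__":
    for line_no, ip, name, why in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {ip} -> {name}: {why}")
```

To audit a real file, pass `open(r"C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts").read()` (the file has no extension). It is also worth looking at the file's attributes with `attrib`, since a hijacker has every reason to make its copy hard to edit.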
LVL 14

Assisted Solution

by:Dhiraj Mutha
Dhiraj Mutha earned 100 total points
ID: 24036028
Have you tried MalwareBytes? If you haven't then try it.
Download Malwarebytes' Anti-Malware to your desktop, check for the tool's Updates before running a scan.
http://www.malwarebytes.org/mbam.php 

If you can't access the above link then use this link:
http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?part=dl-10804572&subj=dl&tag=button 



If problem persists, use combofix and show us the log.
Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe 

You must download it to, and run it from, your Desktop.
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.


Best Solution: Format and Reinstall the OS. This is always better to do once your system gets affected with a Trojan/Virus/Spyware.
 
LVL 27

Assisted Solution

by:David-Howard
David-Howard earned 100 total points
ID: 24061743
Good suggestions from above. If you don't have any success with them though you might try using a System Restore point.
http://www.microsoft.com/windowsxp/using/helpandsupport/getstarted/ballew_03may19.mspx
 
LVL 1

Author Comment

by:BenderBender
ID: 24064966
I attempted to use ComboFix on the machine and it shows a loading status bar, then closes that window and does nothing.  Also, now the cmd window will not open even in Safe Mode.  Neither will Regedit.

I've run every commercial antivirus I could find, Kaspersky, McAfee, Panda, etc...  AVG won't install because it says it can't find an internet connection.  

Any suggestions?
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 200 total points
ID: 24065474
BenderBender,
If you get an alert to the PD thread, try and use the link there and the method to run Combofix and see if it works..

You can skip the installation of the Recovery Console if you wish, though it is very much recommended to have it installed.

Delete the Combofix that you already have and use the link in the PD thread to download a new one and run it as per the instructions given there.
 
LVL 1

Author Comment

by:BenderBender
ID: 24088882
I was able to get this solved by running DaonolFix, which showed that I had a bogus registry item for my aux driver as well as a file under my Documents and Settings that was the cause.  

After I used XP Emergency Utilities (http://www.dougknox.com/xp/utils/xp_emerutils.htm) to regain access to the registry I was able to delete the entry and the file.  I then restarted and was able to run all of the online virus scan tools and combo fix, as well as access the Registry, MSConfig and the command line.

Unfortunately, the Daonol trojan doesn't show up anywhere on McAfee's site, so there's no help to be found there.  I was just lucky and got a suggestion from another forum.

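The "bogus registry item for my aux driver" the author found lives under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32, and the same check can be scripted against a registry export rather than eyeballed in regedit (which, as the author reports, may not even open). This is an added example, not DaonolFix, McAfee's advice or code from the thread. It assumes the Windows XP default where aux, midi, mixer and wave all map to wdmaud.drv, and the .reg sample and the DLL name in it (ksbpgc.dll, in a Temp folder) are constructed to mimic a hijacked entry.

```python
r"""Audit an exported Drivers32 key for a hijacked multimedia driver entry.

Added example, not code from the thread. The values under
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 name the
user-mode multimedia drivers that winmm loads into any process that touches
audio, so a DLL planted there runs inside IE, cmd.exe and regedit alike.
Dump the key from the machine (or from an offline SYSTEM hive) with

    reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32" drivers32.reg

and feed the decoded file to audit_drivers32().
"""
import re

DRIVERS32_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32"

# Assumption: defaults of a clean Windows XP install. Verify against a known
# good machine before relying on this table elsewhere.
EXPECTED = {
    "aux": "wdmaud.drv",
    "midi": "wdmaud.drv",
    "mixer": "wdmaud.drv",
    "wave": "wdmaud.drv",
}


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} from regedit .reg text.

    Only REG_SZ values are decoded (the type Drivers32 uses); other types
    keep their raw right-hand side. `reg export` writes UTF-16, so open the
    file with encoding="utf-16" before passing its contents here.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            if data.startswith('"') and data.endswith('"'):
                # .reg files double backslashes and escape quotes inside strings
                data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            keys[current][name] = data
    return keys


def audit_drivers32(reg_text, system32=r"C:\WINDOWS\system32"):
    """Return (value_name, data, reason) for each suspicious Drivers32 entry."""
    values = parse_reg_export(reg_text).get(DRIVERS32_KEY, {})
    findings = []
    for name, data in values.items():
        basename = data.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        has_path = "\\" in data or "/" in data
        if name.lower() in EXPECTED and basename != EXPECTED[name.lower()]:
            reason = f"expected {EXPECTED[name.lower()]}"
        elif has_path and not data.lower().startswith(system32.lower() + "\\"):
            reason = "driver loaded from outside system32"
        else:
            continue
        findings.append((name, data, reason))
    return findings


# Constructed sample of a hijacked export: 'aux' points into a user profile
# instead of the stock driver. The DLL name is made up for the demo.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"midimapper"="midimap.dll"
"msacm.imaadpcm"="imaadp32.acm"
"wave"="wdmaud.drv"
"midi"="wdmaud.drv"
"mixer"="wdmaud.drv"
"aux"="C:\\Documents and Settings\\user\\Local Settings\\Temp\\ksbpgc.dll"
"wavemapper"="msacm32.drv"
"""

if __name__ == "__main__":
    for name, data, why in audit_drivers32(SAMPLE_REG):
        print(f"{name} = {data}: {why}")
```

An entry that still reads wdmaud.drv but whose file in system32 has been replaced will not show up here; that case needs a hash or signature check of the file itself, and the other Drivers32 names (midimapper, wavemapper and so on) deserve the same comparison against a clean machine.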
Question has a verified solution.