IE Hijacked, Registry shuts down after 15 seconds

Hello,

I have a user who was experiencing a Google Redirect due to a Lando trojan (according to McAfee).  McAfee would find the virus each time she went to Google's homepage, but then it would close and IE would close as well.

I ran scans with MalwareBytes and Spybot-S&D, as well as the McAfee Enterprise AV 8.7 (in safe and normal modes).  None of them reported finding the file, so on the advice of the avertlabs blog, I deleted wdmaud.drv from the system32 folder.

This seems to have solved the Google issue, but I suspect there is still another virus, as online antivirus scans are blocked and when I go to Windows Update the scan hangs almost immediately.

I've got a HijackThis log that I just created that I'll upload as part of the question.

Thanks,
BenderBender
Attachment: hijackthis.log
Kyle Abrahams (Senior .Net Developer) commented:
You can actually upload that log right to hijack this and get feedback based on what other people say.

I would take out the nameservers and any tcp params.

Also a good tool is combofix and the smitfraud fix . . . google them now that you got that running and they'll take care of any further hijacks.
rpggamergirl commented:
Check if security sites are blocked in your Hosts file.
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\Hosts
Or run combofix.
Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
If needed, here's the Combofix tutorial which includes the installation of the Recovery Console:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
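The Hosts-file check rpggamergirl suggests above is worth automating, because a hijacked Hosts file is one of the most common reasons online antivirus scans and Windows Update "just hang" on an infected machine. The following is an added example, not code from this thread or from any of the tools mentioned in it: it parses a Hosts file in the Windows format (constructed sample text embedded inline), and flags any entry that maps a security-vendor or update domain anywhere at all, reporting whether the entry sinkholes the name (loopback or 0.0.0.0) or redirects it to another address. The watchlist of domains is my own illustrative choice and is an assumption; on a real machine you would read C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts instead of the sample string.

```python
import ipaddress
from typing import List, Dict, Tuple

# Constructed sample Hosts file for this example. The first two lines look
# like a clean Windows XP hosts file; the entries after the comment mimic what
# a hijacked machine might contain (chosen for illustration, not taken from
# the thread's log).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# --- constructed suspicious entries below ---
127.0.0.1       www.malwarebytes.org
0.0.0.0         download.bleepingcomputer.com   # sinkholed
10.99.99.99     update.microsoft.com
192.168.1.20    intranet.example   # a legitimate local override
"""

# Assumption: domains a defender would expect never to appear in a Hosts file.
SECURITY_DOMAINS = (
    "malwarebytes.org",
    "bleepingcomputer.com",
    "microsoft.com",
    "windowsupdate.com",
    "mcafee.com",
    "kaspersky.com",
)


def parse_hosts(text: str) -> List[Tuple[int, ipaddress._BaseAddress, str]]:
    """Return (line_number, address, hostname) for every mapping in a hosts file.

    Handles '#' comments (full-line and trailing), blank lines, multiple
    hostnames per line, and skips lines whose first field is not an IP address.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address; not a usable mapping
        for host in fields[1:]:
            entries.append((lineno, addr, host.lower().rstrip(".")))
    return entries


def matches_watchlist(host: str, watchlist=SECURITY_DOMAINS) -> bool:
    """True if host equals a watchlisted domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in watchlist)


def suspicious_entries(text: str, watchlist=SECURITY_DOMAINS) -> List[Dict[str, str]]:
    """Flag every mapping of a watchlisted domain, with the kind of tampering."""
    findings = []
    for lineno, addr, host in parse_hosts(text):
        if host == "localhost" or not matches_watchlist(host, watchlist):
            continue
        if addr.is_loopback or addr.is_unspecified:
            reason = "sinkholed to %s (site made unreachable)" % addr
        else:
            reason = "redirected to %s (possible fake site)" % addr
        findings.append({"line": lineno, "host": host,
                         "address": str(addr), "reason": reason})
    return findings


if __name__ == "__main__":
    for f in suspicious_entries(SAMPLE_HOSTS):
        print("line %(line)d: %(host)s %(reason)s" % f)
```

Any hit is a reason to restore the stock Hosts file (on XP it should contain only the `127.0.0.1 localhost` line plus comments) and then retry the online scanners; a redirect to a routable address deserves more attention than a sinkhole, since it means the user may have been handed a fake update or vendor page.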
Dhiraj Mutha commented:
Have you tried MalwareBytes? If you haven't then try it.
Download Malwarebytes' Anti-Malware to your desktop, check for the tool's Updates before running a scan.
http://www.malwarebytes.org/mbam.php

If you can't access the above link then use this link:
http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?part=dl-10804572&subj=dl&tag=button

If problem persists, use combofix and show us the log.
Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Best Solution: Format and Reinstall the OS. This is always better to do once your system gets affected with a Trojan/Virus/Spyware.
David-Howard commented:
Good suggestions from above. If you don't have any success with them though you might try using a System Restore point.
http://www.microsoft.com/windowsxp/using/helpandsupport/getstarted/ballew_03may19.mspx
BenderBender (Author) commented:
I attempted to use ComboFix on the machine and it shows a loading status bar, then closes that window and does nothing.  Also, now the cmd window will not open even in Safe Mode.  Neither will Regedit.

I've run every commercial antivirus I could find, Kaspersky, McAfee, Panda, etc...  AVG won't install because it says it can't find an internet connection.

Any suggestions?
rpggamergirl commented:
BenderBender,
If you get an alert to the PD thread, try and use the link there and the method to run Combofix and see if it works.

You can skip the installation of Recovery Console if you wish, though it is very much recommended to have it installed.

Delete the Combofix that you already have and use the link in the PD thread to download a new one and run it as per the instructions given there.
BenderBender (Author) commented:
I was able to get this solved by running DaonolFix, which showed that I had a bogus registry item for my aux driver as well as a file under my Documents and Settings that was the cause.

After I used XP Emergency Utilities (http://www.dougknox.com/xp/utils/xp_emerutils.htm) to regain access to the registry I was able to delete the entry and the file.  I then restarted and was able to run all of the online virus scan tools and combo fix, as well as access the Registry, MSConfig and the command line.

Unfortunately, the Daonol trojan doesn't show up anywhere on McAfee's site, so there's no help to be found there.  I was just lucky and got a suggestion from another forum.