IE Hijacked, Registry shuts down after 15 seconds

Posted on 2009-03-31
Last Modified: 2013-12-06
Hello,

I have a user who was experiencing a Google Redirect due to a Lando trojan (according to McAfee).  McAfee would find the virus each time she went to Google's homepage, but then it would close and IE would close as well.

I ran scans with MalwareBytes and Spybot-S&D, as well as the McAfee Enterprise AV 8.7 (in safe and normal modes).  None of them reported finding the file, so on the advice of the avertlabs blog, I deleted wdmaud.drv from the system32 folder.  

This seems to have solved the Google issue, but I suspect there is still another virus, as online antivirus scans are blocked and when I go to Windows Update the scan hangs almost immediately.

I've got a HiJack this log that I just created that I'll upload as part of the question.

Thanks,
BenderBender
hijackthis.log
Question by:BenderBender
7 Comments
LVL 39

Accepted Solution

by:
Kyle Abrahams earned 100 total points
You can actually upload that log right to hijack this and get feedback based on what other people say.

I would take out the nameservers and any tcp params.

Also a good tool is combofix and the smitfraud fix . . . google them now that you got that running and they'll take care of any further hijacks.
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 200 total points
Check if security sites are blocked in your Hosts file.
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\Hosts
Or run combofix.
Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.



If needed, here's the Combofix tutorial which includes the installation of the Recovery Console:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
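One way to carry out the Hosts-file check rpggamergirl recommends, as an added example that is not from this thread: it parses a Windows hosts file and flags any mapping that pins a security or update domain to an address other than the stock localhost entry. The sample hosts content and the watched-domain list are constructed for the example.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample of a Windows hosts file (not the asker's real file).
SAMPLE_HOSTS = """# Sample HOSTS file used by Microsoft TCP/IP for Windows.
# Lines starting with '#' are comments.
127.0.0.1       localhost
# Entries below are the kind a hijacker adds to keep the user off security sites.
127.0.0.1       www.malwarebytes.org
0.0.0.0         update.microsoft.com
10.99.99.99     www.mcafee.com   # redirected to some non-loopback host
"""

# Domains a defender expects the hosts file never to override (assumed list).
WATCHED_DOMAINS = (
    "malwarebytes.org", "microsoft.com", "mcafee.com", "kaspersky.com",
    "symantec.com", "bleepingcomputer.com", "google.com",
)

def parse_hosts(text: str) -> List[Tuple[str, str, int]]:
    """Return (ip, hostname, line_no) for every mapping, ignoring comments."""
    entries = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])    # first field must be an IP
        except ValueError:
            continue                          # malformed line, not a mapping
        for host in parts[1:]:
            entries.append((parts[0], host.lower(), n))
    return entries

def suspicious_entries(text: str) -> List[Tuple[str, str, int]]:
    """Flag mappings that override a watched domain; 'localhost' is expected."""
    flagged = []
    for ip, host, n in parse_hosts(text):
        if host == "localhost":
            continue   # the one entry a stock hosts file legitimately carries
        if any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS):
            flagged.append((ip, host, n))
    return flagged

if __name__ == "__main__":
    for ip, host, n in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {n}: {host} -> {ip}")
```

On a real machine, read C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts into the function instead of the constructed sample; any flagged line is one to remove before retrying the online scanners.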
LVL 14

Assisted Solution

by:Dhiraj Mutha
Dhiraj Mutha earned 100 total points
Have you tried MalwareBytes? If you haven't then try it.
Download Malwarebytes' Anti-Malware to your desktop, check for the tool's Updates before running a scan.
http://www.malwarebytes.org/mbam.php

If you can't access the above link then use this link:
http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?part=dl-10804572&subj=dl&tag=button



If problem persists, use combofix and show us the log.
Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.


Best Solution: Format and Reinstall the OS. This is always better to do once your system gets affected with a Trojan/Virus/Spyware.
LVL 27

Assisted Solution

by:David-Howard
David-Howard earned 100 total points
Good suggestions from above. If you don't have any success with them though you might try using a System Restore point.
http://www.microsoft.com/windowsxp/using/helpandsupport/getstarted/ballew_03may19.mspx
LVL 1

Author Comment

by:BenderBender
I attempted to use ComboFix on the machine and it shows a loading status bar, then closes that window and does nothing.  Also, now the cmd window will not open even in Safe Mode.  Neither will Regedit.

I've run every commercial antivirus I could find, Kaspersky, McAfee, Panda, etc...  AVG won't install because it says it can't find an internet connection.  

Any suggestions?
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 200 total points
BenderBender,
If you get an alert to the PD thread, try and use the link there and the method to run Combofix and see if it works.

You can skip the installation of Recovery Console if you wish, though it is very much recommended to have it installed.

Delete the Combofix that you already have and use the link in the PD thread to download a new one and run it as per the instructions given there.
LVL 1

Author Comment

by:BenderBender
I was able to get this solved by running DaonolFix, which showed that I had a bogus registry item for my aux driver as well as a file under my Documents and Settings that was the cause.  

After I used XP Emergency Utilities (http://www.dougknox.com/xp/utils/xp_emerutils.htm) to regain access to the registry I was able to delete the entry and the file.  I then restarted and was able to run all of the online virus scan tools and combo fix, as well as access the Registry, MSConfig and the command line.

Unfortunately, the Daonol trojan doesn't show up anywhere on McAfee's site, so there's no help to be found there.  I was just lucky and got a suggestion from another forum.