IE browser hijack / cmd.exe and regedit don't work

SKSysAdmin (TechnicalUser) (OP)
31 Mar 09 16:57
Hi, I was wondering if anyone has come across malware that is so invasive none of the anti-viral / anti-spyware tools can detect or remove it. Recently we had one workstation that for whatever reason had its IE browser hijacked while doing Google searches. The hijack appears to happen some of the time but not on all searches. The other thing that happens is that I can't open a cmd window on the machine or run regedit. I have run Symantec Endpoint Security, Kaspersky 5.x and several tools out on the internet to try to identify and stop this behaviour. The only thing I can think of left is that it's a registry virus or that the file is either JavaScript or ActiveX based and it's hiding out somewhere (otherwise regular scans would have caught it).

I've looked at removal tools for Conficker, 7.7.7.0 hijack, etc... Removed System Restore data, cleaned up all Temp directory locations as best I can.

Any un-conventional ideas would be appreciated.

thanks.
 
SKSysAdmin (TechnicalUser) (OP)
1 Apr 09 16:32
Hi,

I found a solution that was posted in another forum. The solution was that this particular malware should be removed by renaming the regedit.exe to reg3dit.exe in order to run.

Then go to HKLM\software\microsoft\windows nt\currentversion\drivers32

check to see what entry exists for the aux key (if present).
The path may point you to some randomly generated file. This file is what is causing the browser redirects as well as the cmd.exe failures.

Download the HijackThis tool and use the delete-on-next-reboot tool. Point it to where this file is located and continue.

Symptoms of this problem include redirecting your webpage to places like elle.com, etc. Plus not being able to run any command prompt files or regedit or regedt32.

Also, this malware is currently not detected by Kaspersky 5.0, Symantec Endpoint security 11, SuperAntispyware or Malware bytes (as of today).

Hopefully this information will assist someone else as it has taken days and weeks of searching for a fix.
 
PCAnswerGuy (TechnicalUser)
3 Apr 09 1:02
Thanks for this SKSysAdmin!
I've come across this exact same problem on 2 different PCs, both in the last day. I think this is something new we'll be seeing more of. In both cases, the problem would persist, even after running several malware scans that came up clean.

I ended up doing a clean install on the first system I worked on, as I couldn't find any other solution. I guess I did a better job researching the issue for the 2nd PC, because I was lucky enough to find your post. The solution you provided definitely fixes the issue. One thing to note, though, was that the aux value under the Drivers32 key was set to wdmaud.drv. I compared that to a couple of other systems that aren't having the problem, and they were set to the same value. However, there was an aux2 value that was set to a randomly generated file. After using HJT to delete the file on next reboot, the system was running normally again. I wish I had found your post before doing a clean install of Windows on the 1st system.

Thanks again!
SKSysAdmin (TechnicalUser) (OP)
3 Apr 09 8:58
PCAnswerGuy,

Yes, this problem was definitely one of the harder ones to solve. In my case the entry was just aux, not aux2. The other thing might be that the malware I had replaced the wdmaud.drv path for the aux value. My one user did complain about not having any audio afterwards, but it could have been because of another fix we were investigating, where we deleted that wdmaud.drv file suspecting it was a virus. However, it could be the difference in the variation of whatever malware this is. I'd seriously like to know what the name of this malware is but, like you said, definitely something new considering the anti-virus products can't see it.

Anyways, glad I could be of help.
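The check SKSysAdmin describes (inspect the aux value under Drivers32, find the randomly named file it points at, delete that file on next reboot) and PCAnswerGuy's refinement (on his machines aux was the normal wdmaud.drv and the bad entry was aux2) can be scripted so every value under that key is compared against what a clean machine looks like, instead of eyeballing one value. The following is an added example written for this page; it is not code from the thread or from any of the posters, and it was not part of the original fix. Only "aux = wdmaud.drv on a clean system" comes from the thread. The function names Get-Drivers32Audit and Remove-Drivers32Entry, the $KnownGood baseline list, and the aux/wave/midi/mixer value-name pattern are assumptions made for illustration. Run it from an elevated Windows PowerShell prompt on the affected machine; the audit is read-only, and the removal step does nothing unless you call it.

```powershell
# Added example; not code from the thread or its posters. Audits the Drivers32 key the
# posts above point at, then optionally removes one value and schedules its file for
# deletion at next reboot (the step the thread performs with HijackThis). Only
# "aux = wdmaud.drv on a clean system" comes from the thread; the $KnownGood baseline
# and the value-name pattern in Rule 1 are assumptions for illustration. Run elevated.

$Drivers32 = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32'
$System32  = Join-Path $env:SystemRoot 'System32'

# Assumed baseline of stock data values seen under Drivers32 on Windows XP/2003 (not
# from the page). Anything else is reported for a human to judge, never auto-deleted.
$KnownGood = @('wdmaud.drv', 'msacm32.drv', 'midimap.dll', 'msacm32.dll',
               'msrle32.dll', 'msvidc32.dll', 'iyuv_32.dll', 'tsbyuv.dll', 'msyuv.dll',
               'msh263.drv', 'msh261.drv', 'msg711.acm', 'msgsm32.acm', 'msadp32.acm',
               'imaadp32.acm', 'msg723.acm', 'l3codeca.acm')

function Get-Drivers32Audit {
    # Returns one object per value under Drivers32; Suspicious is $true if any rule fires.
    $key = Get-Item -Path $Drivers32
    foreach ($name in $key.GetValueNames()) {
        if ($name -eq '') { continue }              # skip the (Default) value if present
        $data    = [string]$key.GetValue($name)
        $reasons = @()

        # Rule 1 (from the thread): aux, aux2 and their siblings should read wdmaud.drv.
        if ($name -match '^(aux|wave|midi|mixer)\d*$' -and $data -ine 'wdmaud.drv') {
            $reasons += "$name is not wdmaud.drv"
        }
        # Rule 2 (assumed baseline): an unfamiliar driver name, e.g. a random filename.
        if ($KnownGood -notcontains $data) { $reasons += 'not in baseline' }

        # Rule 3: resolve the file the way the loader would (bare name => System32)
        # and flag it if it is missing or lives outside System32.
        $expanded = [Environment]::ExpandEnvironmentVariables($data)
        if ([IO.Path]::IsPathRooted($expanded)) { $path = $expanded }
        else { $path = Join-Path $System32 $expanded }
        if (-not (Test-Path -LiteralPath $path)) {
            $reasons += 'file missing'
        } elseif (-not $path.StartsWith("$System32\", [StringComparison]::OrdinalIgnoreCase)) {
            $reasons += 'outside System32'
        }

        New-Object PSObject -Property @{
            Name       = $name
            Data       = $data
            Path       = $path
            Suspicious = ($reasons.Count -gt 0)
            Reason     = ($reasons -join '; ')
        }
    }
}

# MoveFileEx with a null target and MOVEFILE_DELAY_UNTIL_REBOOT (4) deletes the file at
# next boot: the standard way to get rid of a DLL that is currently loaded and locked.
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@

function Remove-Drivers32Entry {
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [switch]$DeleteFileOnReboot,
        [switch]$Force
    )
    $entry = Get-Drivers32Audit | Where-Object { $_.Name -eq $Name }
    if (-not $entry) { throw "No value named '$Name' under $Drivers32" }
    # Refuse to touch a value the audit did not flag unless -Force is given; the thread's
    # wdmaud.drv mix-up shows what happens when the real driver is deleted by mistake.
    if (-not $entry.Suspicious -and -not $Force) {
        throw "'$Name' = '$($entry.Data)' was not flagged; use -Force if you are sure"
    }

    Write-Host "Removing $Drivers32\$Name (was '$($entry.Data)')"
    Remove-ItemProperty -Path $Drivers32 -Name $Name

    if ($DeleteFileOnReboot -and (Test-Path -LiteralPath $entry.Path)) {
        if ([Win32.Native]::MoveFileEx($entry.Path, $null, 4)) {
            Write-Host "Scheduled $($entry.Path) for deletion at next reboot"
        } else {
            $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
            throw "MoveFileEx failed with Win32 error $err"
        }
    }
}

# Read-only pass first; compare the output with a known-clean machine as PCAnswerGuy did.
Get-Drivers32Audit | Where-Object { $_.Suspicious } | Format-Table Name, Data, Reason -AutoSize

# Then, for a confirmed bad value (the thread's aux or aux2 case), for example:
# Remove-Drivers32Entry -Name 'aux2' -DeleteFileOnReboot
```

Two caveats a practitioner would want. On 64-bit Windows there is a second copy of this key at HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32 that 32-bit processes (including 32-bit IE) read; point $Drivers32 at it and run the audit again. And the thread does not say whether powershell.exe was blocked the same way cmd.exe and regedit.exe were; if it is, copying the executable under a different name, as SKSysAdmin did with regedit.exe, is the obvious thing to try before anything more elaborate. If the audit reports aux as "file missing" with wdmaud.drv as its data, that matches SKSysAdmin's audio symptom: the driver itself was deleted and needs restoring, not the registry value.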
 
