Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

IE browser hijack / cmd.exe and regedit doesn't work. 1

Status
Not open for further replies.

SKSysAdmin

Technical User
Mar 20, 2008
17
CA
Hi I was wondering if anyone has come across malware that is so invasive non of the anti-viral / anti-spyware tools can detect or remove it. Recently we had one workstation that for whatever reason had its IE browser hijacked while doing google searches. The hijack appears to happen some of the time but not on all searches. The other thing that happens is that I can't open a cmd window on the machine or run regedit. I have run Symantec Endpoint Security, Kaspersky 5.x and several tools out on the internet to try to identify and stop this behaviour. The only thin I think of left is that its a registry virus or that the file is either JAvascript or ActiveX based and its hiding out somewhere (otherwise regular scans would have caught it).

I've looked at removal tools for Conficker, 7.7.7.0 hijack, etc... Removed System Restore data, cleaned up all Temp directory locations as best I can.

Any un-conventional ideas would be appreciated.

thanks.
 
Hi,

I found a solution that was posted in another forum. The solution was that this particular malware should be removed by renaming the regedit.exe to reg3dit.exe in order to run.

Then go to HKLM\software\microsoft\windows nt\currentversion\drivers32

check to see what entry exists for the aux key (if present).
The path may point you to some randomly generated file. This file is what is causing the browser redirects as well as the cmd.exe failures.

Download the "hijack this" tool and use the delete on next reboot tool. Point it to where this file is located and continue.

Symptoms of this problem include redirecting your webpage to places like elle.com ,etc. Plus not being able to run any command prompt files or regedit or regedt32.

Also, this malware is currently not detected by Kaspersky 5.0, Symantec Endpoint security 11, SuperAntispyware or Malware bytes (as of today).

Hopefully this information will assist someone else as it has taken days and weeks of searching for a fix.
 
Thanks for this SKSysAdmin!
I've come across this exact same problem on 2 different PC's - both in the last day. I think this is something new we'll be seeing more of. In both cases, the problem would persist, even after running several malware scans that came up clean.

I ended up doing a clean install on the first system I worked on, as I couldn't find any other solution. I guess I did a better job researching the issue for the 2nd PC, because I was lucky enough to find your post. The solution you provided definitely fixes the issue. One thing to note, though, was that the aux value under the Drivers32 key was set to wdmaud.drv. I compared that to a couple of other systems that aren't having the problem, and they were set to the same value. However, there was an aux2 value that was set to a randomly generated file. After using HJT to delete the file on next reboot, the system was running normally again. I wish I found your post before doing a clean install of Windows on the 1st system.

Thanks again!
 
PCAnswerGuy,

Yes this problem was definitely one of the harder ones to solve. In my case the entry was just aux not aux2. The otherthing might be that the malware that I had replaced the wdmaud.drv path for the aux value. My one user did complain not having any audio afterwards but it could have been because another fix we were investigating, we deleted that wdmaud.drv file suspecting it was a virus. However, It could be the difference in the variation of whatever malware this is. I'd seriously like to know what the name of this malware is but like you said definitely something new considering the anti-virus products can't see it.

Anyways, Glad I could be of help.
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top