Browser ads redirect, cmd not working


11 replies to this topic

#1 internetmike

internetmike

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:21 PM

Posted 01 March 2009 - 04:11 AM

I have a friend's infected computer that is redirecting the browser to ad sites on selective addresses. When I try to run cmd or regedit, the computer returns back to the desktop like when you reload explorer. I have copied cmd to cmd! and can now open it.

It will not allow me to run sdfix or smitfraudfix in safe mode as it pauses half way through it.

I have scanned with the latest signatures of AVG, Malwarebytes, CWShredder, SuperAntiSpyware, Spyware Doctor and all report clean.

Please see attached my hijackthis log.

Thanks for your help,
Mike Bollinger



#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:08:21 PM

Posted 01 March 2009 - 09:58 AM

Hi,

This smells like you're dealing with the new Win32:Danaol variant. This one is responsible for "locking" a lot of (command-line) tools such as Combofix, DDS, plus cmd, regedit etc.
Could be by design, or could be because it's buggy... this since it's loaded under processes like explorer, winlogon, your browsers etc.
I've blogged about the previous variant here and updated it with the latest info. However, this one is more advanced to deal with manually imho, so please do the following.

Open HijackThis and click Config below > Misc Tools button on top (or "Open the Misc Tools section" via the main screen).
There, click the "Open Process Manager" button.
On top, on the right, select "Show DLLs".
Then highlight the process winlogon.exe.
Then click the "copy list to clipboard" button or "save list to file" button on top.


This will create a log with the Winlogon.exe handles below. Please copy and paste the contents of this log in your next reply. I actually only need the part under: "DLLs loaded by process C:\WINDOWS\system32\winlogon.exe:"
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 miekiemoes


Posted 01 March 2009 - 01:10 PM

Hi,

It probably won't show under the winlogon.exe process (just tried it in another thread). I assumed it was since wdmaud.drv is launched under it (legitimate handle), but it may be another reference in the registry.

So select another process instead. Best is iexplore.exe (IE should be launched) or firefox.exe (FF should be launched) and generate a logfile from it instead.

Edited by miekiemoes, 01 March 2009 - 01:11 PM.


#4 internetmike


Posted 01 March 2009 - 01:19 PM

Thanks for your quick response!

Attached are the results for both the netlogon and iexplore loaded DLLs.

Again, thanks!
Mike


#5 miekiemoes


Posted 01 March 2009 - 01:24 PM

Thanks.

I see it won't show in the above logs anyway, could be because of the .. in the filepath.
Do the following please.

Since you can't run regedit either, as this variant crashes it, do the following instead.
Download Registrar Manager:
http://www.resplendence.com/download/rrtri.exe
Install it and launch it.
In the address field on top in Registrar Manager, enter:

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32

This will highlight/select the key "Drivers32" on the left.
Right-click that key and select "Export".
See the image below for how it should look.
Save the export to your desktop. Registrar Manager saves it by default as regfile.reg, so that file should be on your desktop now.
Right-click that file (regfile.reg) and select to edit it. This will open it in Notepad.
Copy and paste the contents of it in your next reply.

#6 internetmike


Posted 01 March 2009 - 01:29 PM

I was able to use one of my renamed Regedit files:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"midimapper"="midimap.dll"
"msacm.imaadpcm"="imaadp32.acm"
"msacm.msadpcm"="msadp32.acm"
"msacm.msg711"="msg711.acm"
"msacm.msgsm610"="msgsm32.acm"
"msacm.trspch"="tssoft32.acm"
"vidc.cvid"="iccvid.dll"
"VIDC.I420"="msh263.drv"
"vidc.iv31"="ir32_32.dll"
"vidc.iv32"="ir32_32.dll"
"vidc.iv41"="ir41_32.ax"
"VIDC.IYUV"="iyuv_32.dll"
"vidc.mrle"="msrle32.dll"
"vidc.msvc"="msvidc32.dll"
"VIDC.UYVY"="msyuv.dll"
"VIDC.YUY2"="msyuv.dll"
"VIDC.YVU9"="tsbyuv.dll"
"VIDC.YVYU"="msyuv.dll"
"wavemapper"="msacm32.drv"
"msacm.msg723"="msg723.acm"
"vidc.M263"="msh263.drv"
"vidc.M261"="msh261.drv"
"msacm.msaudio1"="msaud32.acm"
"msacm.sl_anet"="sl_anet.acm"
"msacm.iac2"="C:\\WINDOWS\\system32\\iac25_32.ax"
"vidc.iv50"="ir50_32.dll"
"msacm.l3acm"="C:\\WINDOWS\\system32\\l3codeca.acm"
"wave"="wdmaud.drv"
"midi"="wdmaud.drv"
"mixer"="wdmaud.drv"
"MSVideo8"="VfWWDM32.dll"
"msacm.siren"="sirenacm.dll"
"wave1"="wdmaud.drv"
"mixer1"="wdmaud.drv"
"wave2"="wdmaud.drv"
"mixer2"="wdmaud.drv"
"VIDC.ACDV"="ACDV.dll"
"aux"="C:\\WINDOWS\\system32\\..\\jjmviih.nkt"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server\RDP]
"wave"="rdpsnd.dll"
"mixer"="rdpsnd.dll"
"MaxBandwidth"=dword:000056b9
"wavemapper"="msacm32.drv"
"EnableMP3Codec"=dword:00000001
"midimapper"="midimap.dll"

#7 miekiemoes


Posted 01 March 2009 - 01:39 PM

Hi,

I was able to use one of my renamed Regedit files:

So you renamed regedit.exe?
As what was it renamed? Still the .exe extension or a .com extension? Anyway, let me know. :thumbup2:

This is the cause:

"aux"="C:\\WINDOWS\\system32\\..\\jjmviih.nkt"

Note the ".." reference in the filepath.
Don't bother to search for the .. folder as it doesn't exist. In this case, the jjmviih.nkt file is present in the C:\Windows folder.

You will need to use HijackThis's delete-on-reboot option to delete it, since deleting it manually will just recreate the file immediately.

So, open HijackThis, click 'Config' (bottom right).
Choose the tab 'Misc Tools' on top.
Choose 'Delete a file on reboot'.
In the field, copy and paste next:

C:\WINDOWS\jjmviih.nkt

Click open.
HijackThis will tell you that this file will be deleted on next reboot and ask if you want to reboot now. Click Yes/OK.
Your system should reboot now.

Verify that C:\WINDOWS\jjmviih.nkt is gone after the reboot.

Then open Notepad and copy and paste the text below into it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"aux"="wdmaud.drv"

Save this as fix.reg (choose to save as 'All files') and place it on your desktop.
Double-click on it and when it asks you if you want to merge the contents into the registry, click Yes/OK.

Let me know if that fixed your problem

Edited by miekiemoes, 01 March 2009 - 01:41 PM.

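A defender-side checker for this class of persistence, added here as an example (not code from the thread, from HijackThis or from Registrar Manager): it parses a regedit export like the one posted above, flags Drivers32 values that escape system32 through '..' or use an extension no multimedia driver would, and produces the same REGEDIT4 restore text used in the fix. The sample export is constructed and abridged; the expected-extension list is an assumption.

```python
import ntpath
import re
# Constructed sample in regedit's export format (backslashes doubled), abridged from the thread's export.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"midimapper"="midimap.dll"
"wave"="wdmaud.drv"
"msacm.l3acm"="C:\\WINDOWS\\system32\\l3codeca.acm"
"aux"="C:\\WINDOWS\\system32\\..\\jjmviih.nkt"
'''
DRIVERS32 = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32"
EXPECTED_EXT = {".dll", ".drv", ".acm", ".ax"}  # assumed: what multimedia drivers normally use

def parse_reg(text):
    """Return {key: {value_name: string_data}} from a regedit export; dword lines are skipped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:  # regedit doubles backslashes inside string data; undo that
                keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys

def suspicious_entries(text):
    """Flag Drivers32 values that climb out of system32 with '..' or use an odd extension."""
    findings = []
    for name, target in parse_reg(text).get(DRIVERS32, {}).items():
        reasons = []
        if ".." in target.split("\\"):
            reasons.append("'..' in path, actually loads " + ntpath.normpath(target))
        if ntpath.splitext(target)[1].lower() not in EXPECTED_EXT:
            reasons.append("unexpected extension " + ntpath.splitext(target)[1])
        if reasons:
            findings.append((name, target, reasons))
    return findings

def fix_reg(name, default):
    """Build the REGEDIT4 text that restores one Drivers32 value, as the fix above does for 'aux'."""
    return 'REGEDIT4\n\n[%s]\n"%s"="%s"\n' % (DRIVERS32, name, default)

if __name__ == "__main__":
    for name, target, reasons in suspicious_entries(SAMPLE_REG):
        print("%s = %s -> %s" % (name, target, "; ".join(reasons)))
    print(fix_reg("aux", "wdmaud.drv"))
```

Run it against the regfile.reg export from Registrar Manager instead of SAMPLE_REG to check a live machine; a value whose normalised path lands outside system32 is the one to look at.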

#8 internetmike


Posted 01 March 2009 - 01:51 PM

That did it! Excellent!

I keep emergency files in my technical folder with copies of regedit, msconfig and taskmgr. I rename them as follows (keeping them as EXEs):

Reg!dit
MSConfig1
Taskmgr1

Thanks again!
Mike

#9 miekiemoes


Posted 01 March 2009 - 01:53 PM

Thank you for the feedback and good to hear your problem is resolved :thumbup2:

#10 internetmike


Posted 05 March 2009 - 08:09 AM

Hi miekiemoes,

As is usually the case, I have another person with the same symptoms on their computer (cmd and regedit not working). This time, though, it will not allow me to run HijackThis, though I can run SuperAntiSpyware.

Do you have any suggestions about how I can get HijackThis to run? The install just flashes on the screen. The EXE doesn't load. Renaming doesn't help. I have renamed my regedit, so I have looked for any unusual HKLM and HKCU running apps. It also won't work in safe mode.

Is there a way to access those loaded DLLs for iexplore from the registry, particularly the DLL for AUX, if it is indeed a similar virus?

Thanks for your help in advance!
Mike

#11 miekiemoes


Posted 05 March 2009 - 08:20 AM

Hi,

This appears to be a different infection.
If it's for someone else, I suggest you start a new thread for it, to avoid confusion.
What if you rename it to a .com extension?
Also, have you tried Combofix already? Anyway, in case more exe files are starting to "fail" or nothing works, then it means that the other person is most probably dealing with Virut. This is a common virus nowadays that infects legitimate files.
In that case, it's unfortunately a lost case, a game-over situation, and a format and reinstall is the fastest and especially the safest solution.

You may want to read why here:
Virut and other File infectors - Throwing in the Towel?

So, if that's the case, I suggest you start backing up all of your valuable data/documents/pictures/movies/songs/etc. Do NOT back up any applications/installers and do NOT back up any .exe/.scr/.htm/.html/.xml/.zip/.rar files...
This is because these files may be infected as well. If you back them up and replace them afterwards, it will infect your computer again.


Read here for instructions how to format and reinstall Windows: http://web.mit.edu/ist/products/winxp/adva...all-format.html

Edited by miekiemoes, 05 March 2009 - 08:20 AM.


#12 miekiemoes


Posted 06 March 2009 - 07:51 AM

Since the main issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



