
cmd and regedit crash explorer


This topic is locked
8 replies to this topic

#1 louie330


  • Members
  • 4 posts

Posted 13 May 2009 - 08:19 AM

I'm new, but I've read the posts on how to get help here. I downloaded and tried to run DDS, but it pops up and disappears immediately.

I noticed my machine acting up last week. Typing into google search was transposing what I typed, and clicking results was redirecting me.
That went away after a reboot, but then yesterday is when my cmd.exe started crashing explorer.

I've run the Windows online scan for 12 hours and got 50% complete before cancelling it. It found 1 issue, but didn't tell me what.
Last night I ran a full symantec scan that found nothing.

How can I get you more info, or the log file that's suggested I post?

Thx!!


#2 miekiemoes


    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 13 May 2009 - 08:51 AM

Hi,

Are you accessing BleepingComputer with the infected computer? This is because the malware you are dealing with normally blocks this forum/site as well.

Do next please..

Navigate to your C:\Windows folder and search for the file regedit.exe.
Right-click it and select to rename the file. Rename it to reg3dit.exe.
Then launch reg3dit.exe in order to open your Registry Editor.

There, browse to the following key:

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32

You'll see on the left that you can expand the keys (they will look like folders). So expand them until you get to drivers32.
Right-click the drivers32 key (folder) and select to export.


Give it a name and export it as a txt file on your desktop.


Then copy and paste the contents of it in your next reply.

If confused, please ask first.

Extra note.. after you have used the renamed regedit.exe (reg3dit.exe), check in your Windows folder whether Windows File Protection placed a new regedit.exe there again (it should). If not, then rename reg3dit.exe back to regedit.exe.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 louie330

  • Topic Starter

  • Members
  • 4 posts

Posted 13 May 2009 - 09:03 AM

Here's the info from the registry, and yes, Windows created a new regedit.exe after I renamed the original one.

I'm on the infected computer now, but heading to the office where I'll have access to other computers and can post from those.

Thx!

Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
Class Name: <NO CLASS>
Last Write Time: 5/6/2009 - 8:59 PM
Value 0
Name: midimapper
Type: REG_SZ
Data: midimap.dll

Value 1
Name: msacm.imaadpcm
Type: REG_SZ
Data: imaadp32.acm

Value 2
Name: msacm.msadpcm
Type: REG_SZ
Data: msadp32.acm

Value 3
Name: msacm.msg711
Type: REG_SZ
Data: msg711.acm

Value 4
Name: msacm.msgsm610
Type: REG_SZ
Data: msgsm32.acm

Value 5
Name: msacm.trspch
Type: REG_SZ
Data: tssoft32.acm

Value 6
Name: vidc.cvid
Type: REG_SZ
Data: iccvid.dll

Value 7
Name: vidc.I420
Type: REG_SZ
Data: msh263.drv

Value 8
Name: vidc.iv31
Type: REG_SZ
Data: ir32_32.dll

Value 9
Name: vidc.iv32
Type: REG_SZ
Data: ir32_32.dll

Value 10
Name: vidc.iv41
Type: REG_SZ
Data: ir41_32.ax

Value 11
Name: vidc.iyuv
Type: REG_SZ
Data: iyuv_32.dll

Value 12
Name: vidc.mrle
Type: REG_SZ
Data: msrle32.dll

Value 13
Name: vidc.msvc
Type: REG_SZ
Data: msvidc32.dll

Value 14
Name: vidc.uyvy
Type: REG_SZ
Data: msyuv.dll

Value 15
Name: vidc.yuy2
Type: REG_SZ
Data: msyuv.dll

Value 16
Name: vidc.yvu9
Type: REG_SZ
Data: tsbyuv.dll

Value 17
Name: vidc.yvyu
Type: REG_SZ
Data: msyuv.dll

Value 18
Name: wavemapper
Type: REG_SZ
Data: msacm32.drv

Value 19
Name: msacm.msg723
Type: REG_SZ
Data: msg723.acm

Value 20
Name: vidc.M263
Type: REG_SZ
Data: msh263.drv

Value 21
Name: vidc.M261
Type: REG_SZ
Data: msh261.drv

Value 22
Name: msacm.msaudio1
Type: REG_SZ
Data: msaud32.acm

Value 23
Name: msacm.sl_anet
Type: REG_SZ
Data: sl_anet.acm

Value 24
Name: msacm.iac2
Type: REG_SZ
Data: C:\WINDOWS\system32\iac25_32.ax

Value 25
Name: vidc.iv50
Type: REG_SZ
Data: ir50_32.dll

Value 26
Name: msacm.l3acm
Type: REG_SZ
Data: C:\WINDOWS\system32\l3codeca.acm

Value 27
Name: wave
Type: REG_SZ
Data: wdmaud.drv

Value 28
Name: midi
Type: REG_SZ
Data: wdmaud.drv

Value 29
Name: mixer
Type: REG_SZ
Data: wdmaud.drv

Value 30
Name: aux
Type: REG_SZ
Data: wdmaud.drv

Value 31
Name: wave1
Type: REG_SZ
Data: wdmaud.drv

Value 32
Name: midi1
Type: REG_SZ
Data: wdmaud.drv

Value 33
Name: mixer1
Type: REG_SZ
Data: wdmaud.drv

Value 34
Name: wave2
Type: REG_SZ
Data: wdmaud.drv

Value 35
Name: midi2
Type: REG_SZ
Data: wdmaud.drv

Value 36
Name: mixer2
Type: REG_SZ
Data: wdmaud.drv

Value 37
Name: aux2
Type: REG_SZ
Data: C:\DOCUME~1\jallen\LOCALS~1\Temp\..\vcto.rkp


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server
Class Name: <NO CLASS>
Last Write Time: 4/30/2006 - 2:09 AM

Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server\RDP
Class Name: <NO CLASS>
Last Write Time: 4/30/2006 - 2:09 AM
Value 0
Name: wave
Type: REG_SZ
Data: rdpsnd.dll

Value 1
Name: mixer
Type: REG_SZ
Data: rdpsnd.dll

Value 2
Name: MaxBandwidth
Type: REG_DWORD
Data: 0x56b9

Value 3
Name: wavemapper
Type: REG_SZ
Data: msacm32.drv

Value 4
Name: EnableMP3Codec
Type: REG_DWORD
Data: 0x1

Value 5
Name: midimapper
Type: REG_SZ
Data: midimap.dll
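The dump above is in the plain-text format regedit writes when a key is exported as a .txt file, and the tell-tale entry is the aux2 value: every other REG_SZ value names a codec module (.dll, .drv, .acm, .ax) by bare file name or under the Windows system directory, while aux2 points at a file with an unusual extension inside a user's Temp folder, via a ".." component. Below is an added example, not code from the thread or from BleepingComputer, that parses this export format and flags such out-of-place Drivers32 modules so a responder can triage a dump like this without eyeballing forty values. The sample text is a constructed, shortened copy of the dump in this post; the allow-list of extensions, the list of system directories and the profile/Temp path markers are my own heuristics, not anything the thread states.

```python
import ntpath
import re
from typing import Dict, List, Tuple

# Constructed sample (a trimmed copy of the dump posted above) in the
# "export as txt" format that regedit writes, including the hijacked aux2 value.
SAMPLE_EXPORT = r"""Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
Class Name: <NO CLASS>
Last Write Time: 5/6/2009 - 8:59 PM
Value 0
Name: midimapper
Type: REG_SZ
Data: midimap.dll

Value 1
Name: msacm.iac2
Type: REG_SZ
Data: C:\WINDOWS\system32\iac25_32.ax

Value 2
Name: aux2
Type: REG_SZ
Data: C:\DOCUME~1\jallen\LOCALS~1\Temp\..\vcto.rkp

Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server\RDP
Class Name: <NO CLASS>
Last Write Time: 4/30/2006 - 2:09 AM
Value 0
Name: MaxBandwidth
Type: REG_DWORD
Data: 0x56b9
"""

# Assumed allow-list: file types that legitimately appear as Drivers32 modules
# (codec DLLs, .drv drivers, .acm audio codecs, .ax DirectShow filters).
KNOWN_EXTENSIONS = {".dll", ".drv", ".acm", ".ax"}
# Assumed directories an absolute Drivers32 path is expected to point into (Windows XP era).
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\system", "c:\\winnt\\system32")
# Assumed markers of user-writable locations where a system codec has no business living.
PROFILE_MARKERS = ("\\temp\\", "\\locals~1\\", "\\docume~1\\",
                   "\\documents and settings\\", "\\users\\", "\\appdata\\")

Entry = Dict[str, str]


def parse_export(text: str) -> List[Entry]:
    """Parse regedit's plain-text export into one dict per value (key, name, type, data)."""
    entries: List[Entry] = []
    key = ""
    current: Entry = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Key Name:"):
            key = line.partition(":")[2].strip()
        elif re.fullmatch(r"Value \d+", line):
            current = {"key": key}          # a new value record starts here
        elif current and line.startswith(("Name:", "Type:", "Data:")):
            field, _, value = line.partition(":")
            current[field.lower()] = value.strip()
            if field == "Data":             # Data is always the last line of a record
                entries.append(current)
                current = {}
    return entries


def audit_entry(entry: Entry) -> List[str]:
    """Return the reasons (possibly none) why a Drivers32 value looks out of place."""
    reasons: List[str] = []
    if entry.get("type") != "REG_SZ":
        return reasons                      # DWORDs such as MaxBandwidth are not loadable modules
    low = entry["data"].lower()
    ext = ntpath.splitext(low)[1]
    if ext not in KNOWN_EXTENSIONS:
        reasons.append(f"unexpected extension {ext or '(none)'}")
    if "\\" in low:                         # only absolute paths get the location checks
        if ".." in low:
            reasons.append("'..' component in module path")
        if not low.startswith(SYSTEM_DIRS):
            reasons.append("absolute path outside the Windows system directory")
        if any(marker in low for marker in PROFILE_MARKERS):
            reasons.append("module lives under a user profile or Temp directory")
    return reasons


def audit_export(text: str) -> List[Tuple[str, str, List[str]]]:
    """Parse an export and return (value name, data, reasons) for every suspicious value."""
    findings = []
    for entry in parse_export(text):
        reasons = audit_entry(entry)
        if reasons:
            findings.append((entry["name"], entry["data"], reasons))
    return findings


if __name__ == "__main__":
    for name, data, reasons in audit_export(SAMPLE_EXPORT):
        print(f"{name} -> {data}")
        for reason in reasons:
            print(f"    {reason}")
```

On the sample, only aux2 is reported, with four reasons (the .rkp extension, the ".." component, a path outside the system directory, and a location under the user's Temp folder); midimap.dll and the iac25_32.ax entry under system32 pass, and the REG_DWORD is skipped. The same parser accepts a full export produced with regedit's "Export" dialog in text format, so the triage step is simply to export the key as the helper asked for above and feed the file to audit_export.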

#4 miekiemoes


    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 13 May 2009 - 09:37 AM

Hi,

That's what I thought, because with this infection present, you cannot access this forum or my blog where I posted about the infection: http://miekiemoes.blogspot.com/2008/10/fak...archengine.html

Anyway, open HijackThis, click 'Config' (bottom right).
Choose the tab 'Misc Tools' on top.
Choose 'Delete a file on reboot'.
In the field, copy and paste the following:

C:\DOCUME~1\jallen\LOCALS~1\vcto.rkp

Click Open.
HijackThis will tell you that this file will be deleted on the next reboot and ask if you want to reboot now. Click Yes/OK.
Your system should reboot now.

After the reboot, open Notepad and copy and paste the text in the quotebox below into it
(don't forget to copy and paste REGEDIT4):

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"aux2"="wdmaud.drv"

Save this as fix.reg. Choose to save as *all files* and place it on your desktop.
It should look like this: [image]
Double-click on it and when it asks you if you want to merge the contents into the registry, click Yes/OK.

Let me know if that solved your issue.

#5 louie330

  • Topic Starter

  • Members
  • 4 posts

Posted 13 May 2009 - 10:36 AM

Yes, that seemed to fix everything.
Thx so much!! Love the dog pic by the way :thumbup2:

#6 miekiemoes


    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 13 May 2009 - 10:38 AM

Glad I could help. :thumbup2:

Any idea how you got infected? Because this infection spreads via legitimate sites. In 80% of the cases it's via an infected PDF file now, so make sure your PDF reader is up to date.

#7 louie330

  • Topic Starter

  • Members
  • 4 posts

Posted 13 May 2009 - 10:50 AM

I wish I could pinpoint it, but I'm not sure. The PDF theory doesn't seem that far off. Recently I've been downloading PDFs of installation manuals for a car hitch I'm looking at buying, and also some PDFs from my company's benefits site on mail-order pharmacy and life insurance. Probably not fair to call anybody out by name without proof.

Thx again :thumbup2:

#8 miekiemoes


    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 13 May 2009 - 10:54 AM

Well, just make sure you update your PDF reader, to avoid this in the future :thumbup2:

#9 miekiemoes


    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 16 May 2009 - 05:16 PM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuation of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.