New Malware Threat... SOLVED!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Kyellan, Apr 19, 2009.

  1. Kyellan

    Kyellan Private E-2

    Okay, so, here's the story.

    Two nights ago, my fiancee began complaining that her startup programs (Google Talk, eTrust Anti-Virus, etc) were not loading when she restarted her computer.

    I was able to take a look at this today, and after much research and banging my head against the wall, I discovered several other symptoms as well.

    Regedit will not run either from Explorer or CMD
    BleepingComputer.com is redirected to a blank page
    Event logs after trying to launch regedit say ("The shell stopped unexpectedly and Explorer.exe was restarted.") It is only an INFORMATION event, NOT an error (as I was expecting).
    Neither MalwareBytes Anti-Malware nor eTrust Anti-Virus were able to execute any updates

    Other places that I have seen similar things state that ComboFix will not run and that browser search results are redirected, but we did not experience either of these in the process.

    Here comes the good news! I have found a solution.

    Combining information from this link: http://forums.majorgeeks.com/showthread.php?t=187212 and this one (yes, I know it is the World of Warcraft forum, but it really did help me out a lot)
    http://forums.worldofwarcraft.com/thread.html?topicId=16019572612&sid=1&pageNo=17

    The problem seems to be an infected file that inserts itself into the registry. I used Registry Workshop (a free trial version) to access the registry even though it was blocked, and it worked like a charm. I navigated to:

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 and when looking at the values, one of the "aux" values had data that included a path and a random filename. THIS IS THE OFFENDING VALUE. By editing the value data and renaming it to wdmaud.drv, all of our problems magically disappeared! A restart of the computer resulted in everything starting as normal, bleepingcomputer.com is now accessible, and MalwareBytes was able to start and update successfully. Regedit now opens normally.

    We are in the process of running a full scan with MBAM as I type this.

    This seems to be the "hot new thing" because I'm seeing posts like this all over the web. Hopefully this information will help keep somebody else from bloodying their forehead on the nearest hard surface.

    Thanks!
     
  2. Kyellan

    Kyellan Private E-2

    Update: After completing the MalwareBytes Anti-Malware scan with new definitions (4/16/2009), the computer found and removed Trojan.Daonol successfully. This appears to have been the culprit as it shared the same random name as the registry value data.
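The manual check described in the posts above (open Drivers32, look for an aux/wave/midi entry whose data is a full path to a randomly named file, put wdmaud.drv back) is easy to script. The following PowerShell is an added example written for this page; it is not code from the thread or from any tool mentioned in it. It assumes, as the first post states, that the legitimate data for the aux/wave/midi/mixer entries is wdmaud.drv, and it treats any entry carrying a directory path as suspicious, since Drivers32 entries are normally bare module names that winmm resolves through the loader's search path, which is exactly why a full path into a profile or temp directory stands out. The extension check is a heuristic; the Wow6432Node key only exists on 64-bit Windows.

```powershell
# Added example, not from the original thread: audit the Drivers32 key for
# hijacked multimedia driver entries and optionally reset them.
# Assumptions (labelled): aux/wave/midi/mixer should read wdmaud.drv;
# any value whose data contains a directory separator is suspicious.
[CmdletBinding()]
param(
    # Rewrite suspicious aux/wave/midi/mixer entries back to wdmaud.drv.
    # Needs an elevated prompt; run without -Fix first to see what would change.
    [switch]$Fix
)

$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32',
    # 32-bit registry view on 64-bit Windows (absent on 32-bit systems)
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32'
)
$coreEntries = '^(aux|wave|midi|mixer)\d*$'   # aux, aux1, wave, midi2, ...
$legit       = 'wdmaud.drv'

function Test-Drivers32Value {
    param([string]$Name, [string]$Data)
    # Returns a reason string if the entry looks hijacked, otherwise $null.
    if ($Data -match '[\\/]') {
        return 'data contains a directory path'
    }
    if ($Name -match $coreEntries -and $Data -ne $legit) {
        return "expected $legit"
    }
    if ($Data -notmatch '\.(drv|dll|acm|ax)$') {
        return 'unexpected file extension (heuristic)'
    }
    return $null
}

foreach ($key in $keys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        if ($name -eq '') { continue }              # skip the (Default) value
        $data = [string]$item.GetValue($name)
        $why  = Test-Drivers32Value -Name $name -Data $data
        if (-not $why) { continue }

        Write-Warning ("{0}\{1} = '{2}'  <- {3}" -f $key, $name, $data, $why)

        if ($Fix -and $name -match $coreEntries) {
            # Keep the original data on record (and the file it names, if you
            # want a sample to scan) before overwriting it.
            Set-ItemProperty -Path $key -Name $name -Value $legit
            Write-Output ("Reset {0}\{1} to {2}" -f $key, $name, $legit)
        }
    }
}
```

Run it once without -Fix to see what is flagged, note the full path of any file it reports so the file itself can be scanned or submitted before it is deleted, then run with -Fix from an elevated prompt and reboot, as the first post did. If regedit and the PowerShell registry provider are both blocked, the same edit can still be made from a tool that reads the hive directly, which is what the post used Registry Workshop for.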
     
  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Good to know....if you need further assistance, please attach the requested logs.
     