Fixing the "Google redirect" Trojan horse

By Rick Jelliffe
April 17, 2009 | Comments: 7

My laptop started acting strange this week.

Web pages would get redirected to odd locations. My favorite page at Electro-music.com would not load at all. Firefox crashed on some pages. As did Opera. As did IE. And trying to diagnose things, I found that I could not run cmd.exe or even regedit. And the system was painfully slow sometimes.

Looking on the web, I found this was a recent Trojan horse often called the Google Redirect.

Here is what I did to fix it. The laptop is running XP. (Disclaimer: do this at your own responsibility!)

1) I downloaded the Malwarebytes Anti-Malware utility, which identified a Trojan horse and removed it.

2) I went to c:\WINDOWS\SYSTEM32 and copied regedit.exe to a made-up name such as rzezdziztz.exe. The Trojan horse blocks regedit.exe by its name, so a copy under a different name is allowed to run.

3) Running this renamed regedit, I went to
HKEY_LOCAL_MACHINE>SOFTWARE>MICROSOFT>Windows NT>Drivers32
and looked through all the entries called aux, aux1, aux2, etc.
I found the one that had a strange filename, like C:\Windows\System32\..\abcdef.gih (the name is supposed to be random). I replaced that value with wdmaud.drv.

4) I deleted the file with that strange name, and rebooted.

(After this, I also ran another malware scanning program.)

Result: seems to be OK now. The information on the web was pretty good.



7 Comments

This may not work if you already have a virus and spyware/malware protector installed. So you may have to download another one that is not already installed.

I've never used regedit.exe and am a little bit confused. Will I be able to recognize the entry with a random name? Are the aux names the ones we keep?

Andy: Have a look first, and only do something if you are reasonably confident you know what you are doing. Just opening up regedit and having a look around won't do any harm.

On some machines, the path may be
HKEY_LOCAL_MACHINE>SOFTWARE>MICROSOFT>Windows NT>CurrentVersion>Drivers32 by the way.

Again, in the left hand column, you are looking for names starting with "aux".

For these aux files, in the right-hand column, you are looking for suspicious files. They are suspicious if

1) They have full paths (e.g. C:\X\y.z) rather than being in the drivers directory (e.g. rather than just plain y.drv)

2) They have strange obfuscated paths (e.g. c:\X\Y\..\Z has the ..)

3) They don't have an extension like .dll, .drv or .acm

4) The name seems to be a random collection of letters.

The more of these that are true, the more that you can be suspicious. If nothing fits the bill, this blog entry is probably about a different problem.

(If you want to be very careful, you could write down that entry before you change it. And save the driver file to some other name somewhere else rather than deleting it. That way you can restore it if you want to.)

Again the disclaimer: that is what I did that worked. Do this at your own responsibility!
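A way to apply those four signs to the Drivers32 values mechanically, as an added example that is not part of the post or its comments: it parses a constructed .reg export of the key (the values below are made up for the example, shaped after the ones described on this page) and, on Windows, can read the live key through the standard winreg module instead. The per-entry reason list, the consonant-run proxy for "a random collection of letters", and the .dll/.drv/.acm extension list are assumptions of the example, and the script only reports; it changes nothing, so the decision about each entry stays with the person at the keyboard.

```python
import re
from typing import Dict, List

DRIVERS32_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32"

# Constructed sample of what "reg export" of the Drivers32 key looks like.
# The values are made up for this example; only wdmaud.drv and the shapes
# of the suspicious entries (full path, "..", odd extension) follow the page.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"aux"="wdmaud.drv"
"aux1"="C:\\Windows\\System32\\..\\abcdef.gih"
"midi"="wdmaud.drv"
"msacm.imaadpcm"="imaadp32.acm"
"msacm.ctmp3"="C:\\windows\\system32\\ctmp3.acm"
"wave"="wdmaud.drv"
'''

EXPECTED_EXTENSIONS = {".dll", ".drv", ".acm"}  # the extensions the comment calls normal
_VALUE_LINE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text: str) -> Dict[str, str]:
    """Collect the "name"="value" lines of a .reg export, undoing the doubled backslashes."""
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        m = _VALUE_LINE.match(line.strip())
        if m:
            entries[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return entries


def looks_random(stem: str) -> bool:
    """Crude proxy for 'a random collection of letters' (assumption of this example):
    no vowels at all, or a run of five or more consonants."""
    letters = re.sub(r"[^a-z]", "", stem.lower())
    if not letters:
        return False
    vowels = sum(ch in "aeiouy" for ch in letters)
    return vowels == 0 or re.search(r"[^aeiouy]{5,}", letters) is not None


def suspicion_reasons(value: str) -> List[str]:
    """Apply the four signs listed in the comment to one Drivers32 value."""
    reasons: List[str] = []
    if "\\" in value or ":" in value:
        reasons.append("full path instead of a bare driver filename")
    if "\\..\\" in value or value.endswith("\\.."):
        reasons.append("path contains '..' (obfuscated)")
    filename = value.rsplit("\\", 1)[-1]
    stem, dot, ext = filename.rpartition(".")
    if not dot or ("." + ext).lower() not in EXPECTED_EXTENSIONS:
        reasons.append("unexpected extension " + ("." + ext if dot else "(none)"))
    if looks_random(stem if dot else filename):
        reasons.append("filename looks like random letters")
    return reasons


def triage(entries: Dict[str, str]) -> Dict[str, List[str]]:
    """Return only the entries that match at least one sign, with the matching signs.
    The more signs an entry matches, the more suspicious it is."""
    return {name: r for name, value in entries.items() if (r := suspicion_reasons(value))}


def read_live_drivers32() -> Dict[str, str]:
    """On Windows, read the live key (read-only) with the standard winreg module;
    on other platforms, or if the key is missing or hidden, return {}."""
    try:
        import winreg
    except ImportError:
        return {}
    entries: Dict[str, str] = {}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, DRIVERS32_KEY) as key:
            index = 0
            while True:
                try:
                    name, data, _kind = winreg.EnumValue(key, index)
                except OSError:
                    break
                if isinstance(data, str):
                    entries[name] = data
                index += 1
    except OSError:
        return {}
    return entries


if __name__ == "__main__":
    source = read_live_drivers32() or parse_reg_export(SAMPLE_REG_EXPORT)
    for name, reasons in triage(source).items():
        print(f"{name}: {source[name]}")
        for reason in reasons:
            print(f"    - {reason}")
```

Run on the constructed sample, it flags aux1 on three signs (full path, "..", extension .gih) and msacm.ctmp3 on two (full path, vowel-less name), while the plain wdmaud.drv and imaadp32.acm entries pass; on a Windows machine it reads the real key instead, which also gives a quick answer to the question above about whether the key is visible at all.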

OK, I don't seem to have a HKEY_LOCAL_MACHINE>SOFTWARE>MICROSOFT>Windows NT>CurrentVersion>Drivers32. I can't find a Drivers or Drivers32 entry anywhere. I'm running XP, with all SPs applied, so where should I be looking?

Pete: First, you were looking in the registry, right? Not the file system, not the menu system?

OK, the best I can suggest is this thread:

http://www.bleepingcomputer.com/forums/topic224017.html

Some viruses change the registry permissions so that you cannot see entries, it seems. Try that option first.

And did you run the anti-malware?

This worked. While looking in the Registry I found two entries that had suspicious locations:
msacm.ctmp3 was C:windows\system32\ctmp3.acm
msacm.iac2 was C:\windows\system32\iac25_32.ax
I changed both of them to wdmaud.drv
Saved my registry and rebooted. No more redirecting problems. I also updated my software to the latest version of Java, since I read someplace else that the virus might have come through Java.
Thanks for the advice. I have been reviewing other websites with suggestions for solutions and this was the easiest for me to implement.

Thanks again
Gary

Gary: Good, I am glad it was some help!

Caveat for readers: Please don't just assume these same files are necessarily bad on your system and delete them willy nilly. Go through the kinds of steps I mentioned above, so that you have some positive reason to suspect them. Gary and I mentioning what worked for us as non-experts does not mean we are advising you to do the same thing without regard to backups etc.
