New Trojan stops cmd, regedit, and redirects Google

jtr1962

Flashaholic
Joined
Nov 22, 2003
Messages
7,506
Location
Flushing, NY
On March 18 my machine suddenly refused to run cmd or regedit from the run window. Cmd worked by renaming the .exe to something else but regedit didn't work no matter what. I also noticed that my Google searches were being redirected to various ad sites. I ignored this at first, attributing it to some new campaign by Google to link to ads related to your search terms. Recently however I started doing Google searchs using the term "Regedit, cmd not working, google searches being redirected". Boom-I was getting loads of hits of people experiencing the same problems. Moreover, all their antimalware scans using various softwares were coming up negative, just like mine. I figured somewhere down the road some vital part of my O/S perhaps got trashed, maybe from the hard shutdown I had to do immediately before the problem started. After all, my system was clean, wasn't it? Or at least that's what about 10 different trusted antimalware programs said.

Well, turns out no. This is a new Trojan, termed "Trojan.Win32.Agent.byab", which no antimalware software was aware of until recently. My fix was actually beautifully simple. I downloaded a program called Regalyzer as Regedit wasn't working. Then I went to the key HKLM/SOFTWARE/Microsoft/WindowsNT/CurrentVersion/Drivers32/aux. Sure enough, the data referred to some junk filename. I changed it to wdmaud.drv as it's supposed to be. I restarted the system (for some reason it didn't want to shut down so I ended doing another hard reboot). Problem solved. :clap:

Now all I need is to find the person(s) responsible so I can test my late Dad's Louisville Slugger on them. :devil:

Hope this helps anyone who may be experiencing a similar problem. I'd guess the major symptom for most people would be the Google redirects as not too many use regedit or cmd on a regular basis.
 

mechBgon

Enlightened
Joined
Nov 3, 2007
Messages
567
On March 18 my machine suddenly refused to run cmd or regedit from the run window. Cmd worked by renaming the .exe to something else but regedit didn't work no matter what. I also noticed that my Google searches were being redirected to various ad sites. I ignored this at first, attributing it to some new campaign by Google to link to ads related to your search terms. Recently however I started doing Google searchs using the term "Regedit, cmd not working, google searches being redirected". Boom-I was getting loads of hits of people experiencing the same problems. Moreover, all their antimalware scans using various softwares were coming up negative, just like mine. I figured somewhere down the road some vital part of my O/S perhaps got trashed, maybe from the hard shutdown I had to do immediately before the problem started. After all, my system was clean, wasn't it? Or at least that's what about 10 different trusted antimalware programs said.

Well, turns out no. This is a new Trojan, termed "Trojan.Win32.Agent.byab", which no antimalware software was aware of until recently. My fix was actually beautifully simple. I downloaded a program called Regalyzer as Regedit wasn't working. Then I went to the key HKLM/SOFTWARE/Microsoft/WindowsNT/CurrentVersion/Drivers32/aux. Sure enough, the data referred to some junk filename. I changed it to wdmaud.drv as it's supposed to be. I restarted the system (for some reason it didn't want to shut down so I ended doing another hard reboot). Problem solved. :clap:

Now all I need is to find the person(s) responsible so I can test my late Dad's Louisville Slugger on them. :devil:

Hope this helps anyone who may be experiencing a similar problem. I'd guess the major symptom for most people would be the Google redirects as not too many use regedit or cmd on a regular basis.

Note the suffix on the name of the malware (.byab). That means there are upwards of 40,000 variants of that malware family, if I'm multiplying stuff correctly, and probably more every hour or two.

In light of that, and your observation that it wasn't detected by a whole bunch of antimalware software, consider setting yourself up a non-Administrator user account and look at the other proactive defenses also listed on this page. You know how to "lock out" a flashlight so it doesn't accidentally turn on when it's not supposed to... now try "locking out" your system's Admin powers so they can't be misused against you :tinfoil:
 

LuxLuthor

Flashaholic
Joined
Nov 5, 2005
Messages
10,653
Location
MS
Note the suffix on the name of the malware (.byab). That means there are upwards of 40,000 variants of that malware family, if I'm multiplying stuff correctly, and probably more every hour or two.

In light of that, and your observation that it wasn't detected by a whole bunch of antimalware software, consider setting yourself up a non-Administrator user account and look at the other proactive defenses also listed on this page. You know how to "lock out" a flashlight so it doesn't accidentally turn on when it's not supposed to... now try "locking out" your system's Admin powers so they can't be misused against you :tinfoil:

OK, you've convinced me to finally change my main online account to a limited one, and use the software restriction policy. For some reason, I thought it was going to mostly damage my main user (admin) account, and I have relied on multiple Ghost disc images (to external 750GB HD & occasional set of DVD Ghost optical backup) as my ultimate safety net.

So far, I have never had a viral/malware infection...but your steps are really easy, and being able to temporarily change it back to admin account sold me.

One question I wondered about, why does the "administrator" user account show up and also have its own folder in C:\Documents and Settings? I understand it is a group, but it shows up also as a user.

What percent of the forum using WinXP do you guess will take up your advice on these two changes? LOL!

Thanks again!
 

LuxLuthor

Flashaholic
Joined
Nov 5, 2005
Messages
10,653
Location
MS
Couple other questions if you don't mind...in your SRP guide, Step 5 is ignored with my XP Pro 32bit? Does that present a significant set of problems?

When running compmgmt.msc, if I wanted to see the impact of SRP, which category under Event Viewer logs should I look for (ACEEventlog, Application, Security, System)?

I use iTunes for IPoD, which always wants to install QT if you update. Still uninstall it every time, even if iTunes used? So many websites use JAVA (including Jotti.org) seems like that would be a hard one to uninstall.
 
Last edited:

mechBgon

Enlightened
Joined
Nov 3, 2007
Messages
567
OK, you've convinced me to finally change my main online account to a limited one, and use the software restriction policy. For some reason, I thought it was going to mostly damage my main user (admin) account, and I have relied on multiple Ghost disc images (to external 750GB HD & occasional set of DVD Ghost optical backup) as my ultimate safety net.

So far, I have never had a viral/malware infection...but your steps are really easy, and being able to temporarily change it back to admin account sold me.

One question I wondered about, why does the "administrator" user account show up and also have its own folder in C:\Documents and Settings? I understand it is a group, but it shows up also as a user.

A very logical question :) On WinXP, the account that's actually named Administrator is what I call the "One True Administrator" account. Windows Setup creates it, and it normally doesn't show up. But if you start the system in Safe Mode, then you should see it at the log-on screen. Its password is blank by default, which sounds like a security issue, but to make a long story short, on Windows XP this would only matter if someone can walk right up to the computer and start it in Safe Mode.

Anyway, that account has a folder in C:\Documents and Settings like the others do. In rare instances, people do end up using that account if they do certain unusual steps during Windows XP Setup.

What percent of the forum using WinXP do you guess will take up your advice on these two changes? LOL!

I'll take a guess and say 5%, because it's a significant change in how a person does stuff, and people are generally cautious about changing their routines. In this case, they'd be changing a habit they started back in Win95 days, or heck, Apple IIc days in my case.

Couple other questions if you don't mind...in your SRP guide, Step 5 is ignored with my XP Pro 32bit? Does that present a significant set of problems?

No, 32-bit XP should be fine in that regard. 64-bit Windows has that second Program Files folder and for some unknown reason, the default SRP rules don't include it! Good job, Microsoft! :shakehead I did pester them about it when giving them Windows 7 beta feedback, maybe they'll fix it :poke:

When running compmgmt.msc, if I wanted to see the impact of SRP, which category under Event Viewer logs should I look for (ACEEventlog, Application, Security, System)?

They'll show up under the Event Viewer > Windows Logs > Application log. Here's an example, I went to C:\Windows\System32 and copied & pasted the actual notepad.exe file onto the Desktop screen, and then tried to run notepad.exe from the Desktop screen. Windows was all, like,

LOLno.jpg


...and here's the corresponding event in Event Viewer:

SRP_log.png


Note that it gives the time, the user account responsible, and the name of the executable file that tripped the defenses. So it can be handy for sorting out what the heck happened.

I use iTunes for IPoD, which always wants to install QT if you update. Still uninstall it every time, even if iTunes used? So many websites use JAVA (including Jotti.org) seems like that would be a hard one to uninstall.

I see your point. With a non-Admin account and SRP, the bottom-line risk level is very low even if you do have an exploitable item installed, so I wouldn't give up stuff I have a real use for, I'd just keep it up-to-date.
 
Last edited:

LuxLuthor

Flashaholic
Joined
Nov 5, 2005
Messages
10,653
Location
MS
OK, great feedback. So in your example, if you had some .exe you needed launched in XP Pro 32bit, you would just move its file/folder into Program Files, right click on the exe to make a shortcut and launch it OK from there?

I had this exact thing...have been using an age old program going back at least to Win95....prob not Win 3.11 that is a very DOS like proggie that dials into various Atomic clock and resets your PC time. You may have actually heard of it...anyway I moved folder from

C:\Colorado Cesium Clock\CCC.exe to

C:\Program Files\Colorado Cesium Clock\CCC.exe
made shortcut for taskbar, and it works fine again. No need to make a exception rule.
 

mechBgon

Enlightened
Joined
Nov 3, 2007
Messages
567
OK, great feedback. So in your example, if you had some .exe you needed launched in XP Pro 32bit, you would just move its file/folder into Program Files, right click on the exe to make a shortcut and launch it OK from there?

I had this exact thing...have been using an age old program going back at least to Win95....prob not Win 3.11 that is a very DOS like proggie that dials into various Atomic clock and resets your PC time. You may have actually heard of it...anyway I moved folder from
C:\Colorado Cesium Clock\CCC.exe to

C:\Program Files\Colorado Cesium Clock\CCC.exe made shortcut for taskbar, and it works fine again. No need to make a exception rule.

Yeah, perfect example. Another option is to make a new Path Rule that allows the C:\Colorado Cesium Clock\ folder and its contents to be Unrestricted. If you had software that freaked out at being transplanted, and you didn't want to go through the hassle of uninstalling it and then reinstalling it inside of C:\Program Files, then adding a Path Rule would get it handled.

BTW, if you'd like to run a program at Admin-level power in WinXP without having to log out of your non-Admin account, it can be done. There's a couple options. Both of them require that your Admin-level account has a password.

Method 1, the one-time method: right-click the thing you want to "elevate," while holding the Shift key down. On the right-click menu, there should be a Run as... option, and then you can pick the name of your Admin-level account, provide the password, and off it goes. This is handy if you've just downloaded an installer or something. It also works on some Control Panel items.

Method 2, a shortcut that'll always elevate the program: This option requires Windows XP Pro or Windows XP MCE. Make a shortcut to a program on your desktop. Now right-click the shortcut and choose Properties, and its panel opens. Alter its Target line to begin with runas /user:<name of Admin account> /savecred and alter the Start in line to your Limited account's profile folder as shown, substituting the names of your own Admin and non-Admin accounts in place of mine:

RUNAS-1.gif


Once this modified shortcut is created, it'll prompt for the password just the first time. So let's say I'm on WinXP and my Mechwarrior4 games absolutely won't work while I'm logged onto my Limited account... I can create custom shortcuts for them, and they'll run as Admin while everything else runs as Limited. But only when I use the doctored shortcuts.

A side effect of an elevated program: it sees the file system from the Admin's point of view. So for example, if you browse to My Pictures from within the elevated program, it sees the Admin's My Pictures, not the Limited account's My Pictures.
 
Last edited:

bretti_kivi

Enlightened
Joined
Jan 5, 2009
Messages
230
Location
Lahti, Finland
If you don't want to run Java, use Firefox and NoScript.

That with AdBlockplus means pretty much 0 popups, flash, annoying animations and other niceties that eat bandwidth but you don't need.

Bret
 

kramer5150

Flashaholic
Joined
Sep 6, 2005
Messages
6,328
Location
Palo Alto, CA
Noob question... most of what you have been discussing is over my head.
What www browser were you using? Would it have mattered?

Could using firefox with adblocker and popup blocker in addition to your virus shield prevented it in the first place?

:eek::thinking:
 

jtr1962

Flashaholic
Joined
Nov 22, 2003
Messages
7,506
Location
Flushing, NY
Noob question... most of what you have been discussing is over my head.
What www browser were you using? Would it have mattered?
Usually Opera but prior to the problem occurring I needed to use IE7 to do a few things Opera couldn't do (eBay didn't work 100% correctly under Opera). However, I've since upgraded Opera to fix the incompabilities with certain sites and don't plan to use IE any more. Firefox is a good alternative browser also.

Could using firefox with adblocker and popup blocker in addition to your virus shield prevented it in the first place?

:eek::thinking:
Maybe. Then again maybe not. Malware programs can only protect against threats which they are aware of. That being said, better to have protection than not have it. I regularly scan my system with Spybot Search & Destroy, SpywareBlaster, Adwatch, Malwarebyte's Antimalware, HijackThis, and Avast Antivirus. Of course, you need to regularly update the definition files of these programs or you might as well not be using them.

Ironically, this is the first time I caught anything besides tracking cookies in over 8 years on the web. And the scary part is I still don't know where I picked this up. I just don't engage in what's considered risky activity. I don't look at porn from questionable sites (frankly I consider most porn a waste of bandwidth), don't download from wares sites, block pop-ups all the time, turn off instant messaging, and generally keep keenly aware of anything funny, even on trusted sites. Yet I picked something up anyway. Only one other time I even came close. A smitfraud malware started giving me popups about my PC acting slow and needing to go to some bogus site to "fix" it. Of course, the "fix" involved paying them money and installing more crap. However, I saw how the smitfraud was making my pc slow (via starting up some junk exe file). I removed the reference to the .exe file in the registry, restarted my PC, and removed the junk file. End of story. Speaking of these smitfraud schemes, they generally involve a pop-up when you're surfing which says something scary about a virus being detected. DO NOT close the window or otherwise click on any buttons. Instead, shut down your browser via the task manager (hit CNTL-ALT-DEL, then select your browser in the list of running processes, and terminate it). From what I know of smitfraud schemes, clicking any button on the pop-up, whether it's OK or Cancel, or even clicking on the x to make the window go away, will install crap on your PC to make it slow. That's how I got caught the first time, but I promptly removed the crap once I realized its only purpose was to slow down my PC so these jerks could extort money from me to fix it.

Bottom line is no matter how safe you think you are, you can never do too much to secure your PC these days.

And while we're discussing this, why do so many people spend their time writing malware just to screw up people's computers? Don't these people have anything better to do with their time? If I ever caught one, I'd break their fingers so they could never type another line of code again.
 

mechBgon

Enlightened
Joined
Nov 3, 2007
Messages
567
And while we're discussing this, why do so many people spend their time writing malware just to screw up people's computers? Don't these people have anything better to do with their time?

The answer is "money." Computer malware is bigger business than the entire world's illicit-drug trade combined.

Last year there was a nifty exploit that worked on Opera, FireFox, Mozilla proper, Internet Explorer, and it worked in Linux, Mac OS X, and Windows. All it needed was Flash Player, even the very latest version of Flash Player. So people who want to secure their systems against these criminals, consider starting at the foundation: change your user account to a non-Administrator user account first, before you worry about which browser, which antivirus, which antispyware, etc. If you run into difficulties using a non-Admin account, you can always change back.

Naturally, it's also smart to avoid obvious risks. But the bad guys have ways of bringing the risks to you, such as hacking normally-safe, legit websites.
 
Last edited:

greenlight

Flashlight Enthusiast
Joined
Aug 18, 2004
Messages
4,298
Location
chill valley
OK, I followed your advice and created a standard user account, but it doesn't have any of the prefs that I've already set up like my links and desktop layout. Is there a way to clone the acct that I'm using now and make it the standard acct?
 

mechBgon

Enlightened
Joined
Nov 3, 2007
Messages
567
OK, I followed your advice and created a standard user account, but it doesn't have any of the prefs that I've already set up like my links and desktop layout. Is there a way to clone the acct that I'm using now and make it the standard acct?

Yeah, a couple ways. The easy one is the one described on my page: create a new account, and make the new account the Admin account that you only use when Admin powers are required. Then you can switch your established account from Admin to non-Admin. That way, there's no changes to your preferences, files, and other customizations... just keep using your usual account after switching it to non-Admin mode. You can always boost your established account back up to Admin level if needed.

Another option is to run the Files And Settings Transfer Wizard (in WinXP), or the Easy Transfer (in Vista), and it creates an archive file containing your setup, customizations and whatever files are in your user profile (like what's on your personal Desktop screen, in your My Documents and My Pictures folders, and so forth). After making this backup file, then you can create the new user account, run the wizard again, and have it import your setup from that archive, and it should be pretty close (you might lose your wallpaper image).
 
Last edited:

baterija

Flashlight Enthusiast
Joined
Feb 7, 2008
Messages
1,053
What www browser were you using? Would it have mattered?

Could using firefox with adblocker and popup blocker in addition to your virus shield prevented it in the first place?

Mech already covered a big chunk of why it might not matter. The other thing to remember is that the browser isn't the only vector into your system. Maybe you use an email program instead of a web based email. USB drives are a vector (whether they get plugged into an infected system and then used in yours or come from the factory infected.) The bad guys may use social engineering to convince you to let malware through. Just being connected to the internet, even while you are off sleeping, allows worms to query your system for security issues that can be exploited.

Think of browser security as the front door to your home. No matter how strong the door is and how many locks you have on it your home isn't safe if you leave all the other doors and windows open and unlocked.
 
Top