Run, cmd not working

IanC_UK

I cannot open a command prompt window from the Run dialogue box.

Also cannot get auto updates for my AVG 8.5 AV and Malwarebytes Anti-Malware
programmes. IE7 works fine though.

Need some new angle of attack if it's a virus/trojan as I can't find one.
Tried scans in safe mode and with HiJack This I can't see anything obviously
bad.
Intel Core 2 Duo PC with XP Home SP3

Any help/suggestions greatly appreciated. Regards, IanC
 
Jose

Has CMD ever worked?
What do you see when you run CMD?
Does COMMAND work? (not the same program)
Does regedit work?
Does Task Manager work?

If you run Malwarebytes (and I wish you would) are you saying you
can't do an update? What happens when you try to do an update? Does
it run at all?
 
IanC_UK

Hi

Cmd.exe window does not appear at all. It has done before.
Task Manager works.
Msconfig works
Anti-Malware runs and scans but finds nothing on a quick scan (Ver 1.36
Db2060)
AVG 8.5 scans but finds nothing now. Previously has removed PUP Tool.AX and
virus Win32/Heur.
I get a command prompt window if I run "command" (that is something new to
me)

regards IanC
 
Jose

Hi

Learn something new everyday!

Does regedit work?

My Malwarebytes DB is 2079 and I updated today.

Try to update your MBAM and do a FULL scan.
 
IanC_UK

Hi Thanks

Regedit doesn't work
I'll update AntiMalware manually and try a full scan.

Thanks for now

IanC
 
Jose

See, regedit is an important clue, hence my question :)

Yes - Malwarebytes is the thing to run.
 
IanC_UK

Despite full scanning with Malwarebytes' Anti-Malware Version 1.36 I have not
found any problems. Using DB version 2060 as I am still unable to get a later
version because the update feature fails (as it does with AVG 8.5). I have
manually updated AVG and done a full scan but nothing has been detected.

Thanks for all suggestions and help.

As it is after midnight in the UK I will retry on Thursday to diagnose/rectify
the problem.

regards IanC
 
Jose

You can try hatsoff's suggestion first if you want; it might work, though
I don't think it will do anything for your regedit problem, but you
certainly can try it.

Okay - I believe part of the effect of this problem is that regedit
and cmd won't run merely by their name alone. This is why COMMAND
works. Tricky malware.

I think that regedt32 might work, so try that just to see. Regedt32
uses regedit so it might not run but your result will be a clue. If
regedt32 works exit out of any registry edit program when you are done
testing. We'll stick with regedit.

Get into your c:\windows folder and make a copy of regedit.exe - call
it copy.exe or something you can remember. You can do all this file
manipulation through Windows Explorer or your newfound COMMAND window.

Using Start, Run, your copy.exe may not work just because regedit.exe
still exists, so if copy.exe doesn't work and behaves like regedit,
get rid of copy.exe and RENAME regedit.exe to copy.exe. Now,
regedit.exe does not exist, but copy.exe does. You will want to
replace your regedit.exe later, so make a note. The thing is we must
get into the registry somehow.

You should now be able to either run copy.exe or regedt32.exe to get
into the registry, but try copy.exe first since you are more familiar
with that look.

When you get into the registry, go here:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
\Drivers32

Highlight the Drivers32 sub-key and under File menu choose Export.

Name the file something like drivers32 and save the file to the
desktop or someplace you can find it. It will have the default .reg
extension for registry files. You will get drivers32.reg in the place
you saved it.

I want to see the contents of that file which has your exported key.
If you double click it, it will just import it back into the registry
(like it should with the .reg extension). It won't make any
duplicates, it will just overwrite what is there already. Even if you
call it drivers32.txt, if you double click it to open the .txt file,
it will import it into the registry just because its contents look
like registry stuff.

So, right click the file, choose Open With and use notepad or wordpad
to open the file.

In the editor, type Ctrl A to select all, Ctrl C to copy and then post
back here and type Ctrl V to paste the results here in a reply.
 
IanC_UK

Hi

Found a trojan virus using a file named "taw.hbe" in User/Local Settings
which was being loaded in registry
HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Drivers32

Deleted the key with "taw.hbe" in

Now can run cmd.exe and update MBAM to latest DB

AVG 8.5 did recognise the trojan and remove it but I had to manually finish
the removal by editing the registry using ERD5.0

Thanks for your input - IanC
 
Jose

Well, there you go! That's where I was heading.

Did you use regedt32 or a renamed regedit.exe to get into the
registry?

Sometimes, an existing key will be modified with some trojan value and
just needs to be modified. Sometimes a new bogus entry is added. I
also know about others besides your taw.hbe.

If you had a new key added, I would like to know what it all looked
like before you deleted if you can tell me. What did your bad key say
if you remember or have the export before hand? Was it some entry
with a path to taw.hbe? If yes, you will want to try to find that
taw.hbe (it might not exist anymore) and terminate it with extreme
prejudice.

This will help me later with other folks.
 
trish

Hi, I am having the same issue only I don't see a file called taw.hbe. I got
as far as opening the drivers32 in notepad. Can you help me figure out
what other trojans may be affecting my regedit / cmd prompts?

Thanks,
Trish
 
gmahesh99

Maybe.  I wish that as you go through this procedure you will tell me
what happens so I can refine it down to make it more clear or fix any
problems.  I would love to get this down to 1 or 2 messages back and
forth instead of the usual 35...

I am not surprised you did not find that file.  There are several
malwares that will cause this and I am making a list.

Here you go:

First download, install, update and do a full scan with Malwarebytes
software.  No matter what else you are using for AV protection do this.
This will hopefully remove the malware, but not all traces of it.  That
is next.

See if Start, Run, Command works - it probably will.  CMD and COMMAND
are not the same program.  Your malware probably forgot about COMMAND.
(let me know if this works)

I believe part of the effect of this problem is that regedit
and cmd won't run merely by their name alone.  This is why COMMAND
works.  Tricky malware.

I think that regedt32 might work, so try that just to see.  Regedt32
uses regedit so it might not run but your result will be a clue.
(let me know if regedt32 works)
If regedt32 works exit out of any registry edit program when you are done
testing.  We'll stick with regedit.

Get into your c:\windows folder and make a copy of regedit.exe - call
it copy.exe or something you can remember.  You can do all this file
manipulation through Windows Explorer or your new found COMMAND
window.

Using Start, Run, your copy.exe may not work just because regedit.exe
still exists, so if copy.exe doesn't work and behaves like regedit,
get rid of copy.exe and RENAME regedit.exe to copy.exe.  Now,
regedit.exe does not exist, but copy.exe does.  You will want to
replace your regedit.exe later, so make a note.  The thing is we must
get into the registry somehow.

You will need to put regedit.exe back when you are done - make a note.

You should now be able to either run copy.exe or regedt32.exe to get
into the registry, but try copy.exe first since you are more familiar
with that look.

When you get into the registry, navigate to here:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
\Drivers32

Highlight the Drivers32 sub-key and under File menu choose Export.

Name the file something like drivers32 and save the file to the
desktop or someplace you can find it. It will have the default .reg
extension for registry files.  You will get drivers32.reg in the place
you saved it.

Depending on your expertise, you may be able to spot the problem
here right away and fix it.  Even if you
...


Hi,

I also have the same issue with my computer (cmd and regedit are not
working but command is working).
As per the above procedure I was able to copy regedit32.exe to
copy.exe and was able to export; here is the log

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"midimapper"="midimap.dll"
"msacm.imaadpcm"="imaadp32.acm"
"msacm.msadpcm"="msadp32.acm"
"msacm.msg711"="msg711.acm"
"msacm.msgsm610"="msgsm32.acm"
"msacm.trspch"="tssoft32.acm"
"vidc.cvid"="iccvid.dll"
"vidc.I420"="msh263.drv"
"vidc.iv31"="ir32_32.dll"
"vidc.iv32"="ir32_32.dll"
"vidc.iv41"="ir41_32.ax"
"vidc.iyuv"="iyuv_32.dll"
"vidc.mrle"="msrle32.dll"
"vidc.msvc"="msvidc32.dll"
"vidc.uyvy"="msyuv.dll"
"vidc.yuy2"="msyuv.dll"
"vidc.yvu9"="tsbyuv.dll"
"vidc.yvyu"="msyuv.dll"
"wavemapper"="msacm32.drv"
"msacm.msg723"="msg723.acm"
"vidc.M263"="msh263.drv"
"vidc.M261"="msh261.drv"
"msacm.msaudio1"="msaud32.acm"
"msacm.sl_anet"="sl_anet.acm"
"msacm.iac2"="C:\\WINDOWS\\system32\\iac25_32.ax"
"vidc.iv50"="ir50_32.dll"
"msacm.l3acm"="C:\\WINDOWS\\system32\\l3codeca.acm"
"wave"="wdmaud.drv"
"midi"="wdmaud.drv"
"mixer"="wdmaud.drv"
"wave1"="wdmaud.drv"
"midi1"="wdmaud.drv"
"mixer1"="wdmaud.drv"
"aux"="wdmaud.drv"
"wave2"="wdmaud.drv"
"midi2"="wdmaud.drv"
"mixer2"="wdmaud.drv"
"aux1"="wdmaud.drv"
"aux2"="C:\\DOCUME~1\\mgampa\\LOCALS~1\\Temp\\..\\naor.mui"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server\RDP]
"wave"="rdpsnd.dll"
"mixer"="rdpsnd.dll"
"MaxBandwidth"=dword:000056b9
"wavemapper"="msacm32.drv"
"EnableMP3Codec"=dword:00000001
"midimapper"="midimap.dll"

Appreciate your help on this.
Thanks
Mahesh G
 
Jose

Very good.

The problem is the aux2 setting:

"aux2"="C:\\DOCUME~1\\mgampa\\LOCALS~1\\Temp\\..\\naor.mui"

That path is the symptom of the infection. Your scan has probably
already deleted the naor.mui file, but it would be interesting to see
if it is still on your system. If the file still exists, the scan
failed, so we should figure that out first. Please let me know if the
file exists or not.

On my system, I don't have an aux or an aux2 setting but have seen
them. This depends on the devices installed in your computer. Your
aux2 setting is very wrong and needs to be fixed.

Double click the aux2 setting on the right and change the Value data
box to match aux: wdmaud.drv, then click OK. The aux and aux2 should
not be the same.

Exit the registry editor by clicking File, Exit.

I don't think a reboot is required, so see if cmd and regedit work now.
If you have to do a reboot, let me know that so I can update my now
simpler and easier instructions.

Jose
 
Jose

NOW be the same!

I said "The aux and aux2 should not be the same" but it came out
"not".

Aux and aux2 should be both set to wdmaud.drv.
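The export Mahesh pasted and Jose's reading of the aux2 value, as an added example that is not code from anyone in this thread: a Python script that parses the "Windows Registry Editor Version 5.00" text that File > Export produces, flags Drivers32 values that do not look like a stock codec or driver module, and writes a .reg fragment that deletes the flagged values (Regedit's own `"name"=-` syntax). It goes a little beyond the aux2 case: it also flags a value that points into a user profile or has a non-driver extension, which is the shape of Ian's taw.hbe entry. The sample export is a trimmed copy of the one in the thread, and the rule for what counts as stock (a bare module name ending in .dll/.drv/.acm/.ax, or a full path under C:\WINDOWS\system32) is an assumption of the example, not something the thread states.

```python
"""Triage a Regedit export of the Drivers32 key (added example, not from the thread)."""
import ntpath
import re

# Assumption of this example: a stock Drivers32 value is either a bare module
# name with a codec/driver extension, or a full path under the Windows system
# directory.  Anything else (a user profile, Temp, a ".." hop, an extension
# such as .mui or .hbe) deserves a look.
DRIVER_EXTENSIONS = {".dll", ".drv", ".acm", ".ax"}
SYSTEM_DIR_PREFIXES = ("c:\\windows\\system32\\", "c:\\winnt\\system32\\")

DRIVERS32_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32"

# Constructed sample: a trimmed copy of the export pasted in the thread.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"midimapper"="midimap.dll"
"msacm.l3acm"="C:\\WINDOWS\\system32\\l3codeca.acm"
"wave"="wdmaud.drv"
"aux"="wdmaud.drv"
"aux1"="wdmaud.drv"
"aux2"="C:\\DOCUME~1\\mgampa\\LOCALS~1\\Temp\\..\\naor.mui"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server\RDP]
"wave"="rdpsnd.dll"
"MaxBandwidth"=dword:000056b9
'''

# A "name"=data line; the name may itself contain escaped quotes or backslashes.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    """Undo the backslash escaping Regedit applies inside quoted strings."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for a .reg export.

    String data is unescaped; other data (dword:, hex:) is kept verbatim.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, data = _unescape(m.group(1)), m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


def suspicious_reason(data):
    """Explain why a Drivers32 value looks wrong, or return None if it looks stock."""
    if data.startswith(("dword:", "hex")):
        return None  # numeric settings such as MaxBandwidth are not module paths
    lowered = data.lower().replace("/", "\\")
    if "\\..\\" in lowered or lowered.startswith("..\\"):
        return "path traversal (..) in module path"
    if "\\" in lowered and not lowered.startswith(SYSTEM_DIR_PREFIXES):
        return "module outside the system directory"
    ext = ntpath.splitext(ntpath.basename(lowered))[1]
    if ext not in DRIVER_EXTENSIONS:
        return "extension %r is not a codec/driver module" % ext
    return None


def triage_drivers32(text):
    """Parse an export and list (value_name, data, reason) for suspect entries."""
    values = parse_reg_export(text).get(DRIVERS32_KEY, {})
    findings = []
    for name, data in values.items():
        reason = suspicious_reason(data)
        if reason:
            findings.append((name, data, reason))
    return findings


def removal_reg(findings):
    """Build a .reg file that deletes each flagged value ("name"=- is Regedit's delete syntax)."""
    lines = ["Windows Registry Editor Version 5.00", "", "[%s]" % DRIVERS32_KEY]
    for name, _data, _reason in findings:
        lines.append('"%s"=-' % name.replace('\\', '\\\\').replace('"', '\\"'))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = triage_drivers32(SAMPLE_EXPORT)
    for name, data, reason in found:
        print("%-12s %-48s %s" % (name, data, reason))
    print(removal_reg(found))
```

To use it on your own machine, export Drivers32 as Jose describes, read drivers32.reg into a string and pass it to triage_drivers32; the generated removal file does what Mahesh did (deletes the value), while Jose's alternative of setting aux2 back to wdmaud.drv is a one-line edit by hand. Importing the fix needs a working registry editor, so run it through the renamed copy (regedit.exe, renamed or not, accepts `/s file.reg` for a silent import). Two cautions a practitioner would add: a module listed in Drivers32 is loaded by winmm.dll into any process that touches the multimedia API, which is how one value can interfere with cmd.exe and regedit.exe, and a process that has already loaded it keeps it until it exits, so log off or reboot before trusting that everything is clean; and the flagged file (naor.mui, taw.hbe) should be located and removed, not just unlinked from the registry.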
 
gmahesh99

Hi Jose,

The Malwarebytes scan didn't remove the naor.mui file from my PC. I have
deleted Aux2 from the registry and now I can execute the cmd and regedit
commands.
Thanks again for the help.

Thanks
Mahesh G
 
J

Jose

On May 13, 6:28 pm, (e-mail address removed) wrote:
Hi, I am having the same issue only I don't see a file called taw.hbe.  I got
as far as opening the drivers32 in notepad.  Can you help me me figure out
what other trojans may be affecting my regedit / cmd prompts?
Thanks,
Trish
:
Hi
Found a trojan virus using a file named "taw.hbe" in User/Local Settings
which was being loaded in registry
HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Drivers32
Deleted the key with "taw.hbe" in
Now can run cmd.exe and update MBAM to latest DB
AVG 8.5 did recognise the trojan and remove it but I had tomanually finish
the removal by editing the registry using ERD5.0
Thanks for your input - IanC
:
Despite full scanning with Malwarebytes' Anti-Malware Version 1.36 I have not
found any problems. Using DB version 2060 as I am still unable to get a later
version because the update feature fails (as it does with AVG 8.5). I have
manually updated AVG and done a full scan but nothing has been detected.
Thanks for all suggestions and help.
As it is after midnight in the UK I will retry on Thursday to diagnose/rectify the
problem.
regards IanC
:
Hi Thanks
Regedit doesn't work
I'll update AntiMalware manually and try a full scan.
Thanks for now
IanC
:
Hi
Cmd.exe window does not appear at all. It has done before.
Task Manager works.
Msconfig works
Anti-Malware runs and scans but finds nothing on a quick scan (Ver 1.36
Db2060)
AVG 8.5 scans but finds nothing now. Previously has removed PUP Tool.AX and
virus Win32/Heur.
I get a command prompt window if I run "command"  (that is something new to
me)
regards IanC
:
I cannot open a command prompt window from the Run dialogue box.
Also cannot get auto updates for my AVG 8.5 AV and Anti-Malwarebytes
programmes. IE7 works fine though.
Need some new angle of attack if it's a virus/trojan as I can't find one.
Tried scans in safe mode and with HiJack This I can't see anything obviously
bad.
Intel Core 2 Duo PC with XP Home SP3
any help suggestions greatly appreciated regards IanC
Has CMD ever worked?
What do you see when you run CMD?
Does COMMAND work?  (not the same program)
Does regedit work?
Does Task Manager work?
If you run Malwarebytes (and I wish you would) are you saying you
can't do an update?  What happens when you try to do an update?  Does
it run at all?
Learn something new everyday!
Does regedit work?
My Malwarebytes DB is 2079 and I updated today.
Try to update your MBAM and do a FULL scan.
See, regedit is an important clue, hence my question :)
Yes - Malwarebytes is the thing to run.
You can try hatsoff suggestion that might work, first if you want,
which I don't think will do anything for your regedit problem, but you
certainly can try it.
Okay - I believe part of the effect of this problem is that regedit
and cmd won't run merely by their name alone.  This is why COMMAND
works.  Tricky malware.
I think that regedt32 might work, so try that just to see.  Regedt32
uses regedit so it might not run but your result will be a clue.  If
regedt32 works exit out of any registry edit program when you are done
testing.  We'll stick with regedit.
Get into your c:\windows folder and make a copy of regedit.exe - call
it copy.exe or something you can remember.  You can do all this file
manipulation through Windows Explorer or your newfound COMMAND window.
Using Start, Run, your copy.exe may not work just because regedit.exe
still exists, so if copy.exe doesn't work and behaves like regedit,
get rid of copy.exe and RENAME regedit.exe to copy.exe.  Now,
regedit.exe does not exist, but copy.exe does.  You will want to
replace your regedit.exe later, so make a note.  The thing is we must
get into the registry somehow.
You should now be able to either run copy.exe or regedt32.exe to get
into the registry, but try copy.exe first since you are more familiar
with that look.
When you get into the registry, go here:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
\Drivers32
Highlight the Drivers32 sub-key and under File menu choose Export.
Name the file something like drivers32 and save the file to the
desktop or someplace you can find it. It will have the default .reg
extension for registry files.  You will get drivers32.reg in the place
you saved it.
I want to see the contents of that file which has your exported key.
If you double click it, it will just import it back into the registry
(like it should with the .reg extension).  It won't make any
duplicates, it will just overwrite what is there already. Even if you
call it drivers32.txt, if you double click it to open the .txt file,
it will import it into the registry just because its contents look
like registry stuff.
So, right click the file, choose Open With and use notepad or wordpad
to open the file.
In the editor, type Ctrl A to select all, Ctrl C to copy and then post
back here and type Ctrl V to paste the results here in a reply.
Well, there you go!  That's where I was heading.
Did you use regedt32 or a renamed regedit.exe to get into the
registry?
Sometimes, an existing key will be modified with some trojan value and
just needs to be modified.  Sometimes a new bogus entry is added.  I
also know about others besides your taw.hbe.
If you had a new key added, I would like to know what it all looked
like before you deleted if you can tell me.  What did your bad key say
if you remember or have the export before hand?  Was it some entry
with a path to taw.hbe?  If yes, you will want to try to find that
taw.hbe (it might not exist anymore) and terminate it with extreme
prejudice.
This will help me later with other folks.
Maybe.  I wish that as you go through this procedure you will tell me
what happens so I can refine
it down to make it more clear or fix any problems.  I would love to
get this down to 1 or 2 messages
back and forth instead of the usual 35...
I am not surprised you did not find that file.  There are several
malwares that will cause this and I
am making a list.
Here you go:
First download, install, update and do a full scan with Malwarebytes
software.  No matter what else
you are using for AV protection do this.  This will hopefully remove
the malware, but not all traces of it.
That is next.
See if Start, Run, Command works - it probably will.  CMD and COMMAND
are not the same program.  Your malware probably forgot about COMMAND.
(let me know if this works)
I believe part of the effect of this problem is that regedit
and cmd won't run merely by their name alone.  This is why COMMAND
works.  Tricky malware.
I think that regedt32 might work, so try that just to see.  Regedt32
uses regedit so it might not run but your result will be a clue.
(let me know if regedt32 works)
If regedt32 works exit out of any registry edit program when you are done
testing.  We'll stick with regedit.
Get into your c:\windows folder and make a copy of regedit.exe - call
it copy.exe or something you can remember.  You can do all this file
manipulation through Windows Explorer or your new found COMMAND
window.
Using Start, Run, your copy.exe may not work just because regedit.exe
still exists, so if copy.exe doesn't work and behaves like regedit,
get rid of copy.exe and RENAME regedit.exe to copy.exe.  Now,
regedit.exe does not exist, but copy.exe does.  You will want to
replace your regedit.exe later, so make a note.  The thing is we must
get into the registry somehow.
You will need to put regedit.exe back when you are done - make a note.
You should now be able to either run copy.exe or regedt32.exe to get
into the registry, but try copy.exe first since you are more familiar
with that look.
When you get into the registry, navigate to here:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
\Drivers32
Highlight the Drivers32 sub-key and under File menu choose Export.
Name the file something like drivers32 and save the file to the
desktop or someplace you can find it. It will have the default .reg
extension for registry files.  You will get drivers32.reg in the place
you saved it.
Depending on your expertise, you may be able to spot the problem
here right away and fix it.  Even if you
...
Hi,
I also have the same issue with my computer (Cmd and regedit are not
working but command is working).
As per the above procedure I was able to copy regedit32.exe to
copy.exe and was able to export; here is the log:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
\Drivers32]
"midimapper"="midimap.dll"
"msacm.imaadpcm"="imaadp32.acm"
"msacm.msadpcm"="msadp32.acm"
"msacm.msg711"="msg711.acm"
"msacm.msgsm610"="msgsm32.acm"
"msacm.trspch"="tssoft32.acm"
"vidc.cvid"="iccvid.dll"
"vidc.I420"="msh263.drv"
"vidc.iv31"="ir32_32.dll"
"vidc.iv32"="ir32_32.dll"
"vidc.iv41"="ir41_32.ax"
"vidc.iyuv"="iyuv_32.dll"
"vidc.mrle"="msrle32.dll"
"vidc.msvc"="msvidc32.dll"
"vidc.uyvy"="msyuv.dll"
"vidc.yuy2"="msyuv.dll"
"vidc.yvu9"="tsbyuv.dll"
"vidc.yvyu"="msyuv.dll"
"wavemapper"="msacm32.drv"
"msacm.msg723"="msg723.acm"
"vidc.M263"="msh263.drv"
"vidc.M261"="msh261.drv"
"msacm.msaudio1"="msaud32.acm"
"msacm.sl_anet"="sl_anet.acm"
"msacm.iac2"="C:\\WINDOWS\\system32\\iac25_32.ax"
"vidc.iv50"="ir50_32.dll"
"msacm.l3acm"="C:\\WINDOWS\\system32\\l3codeca.acm"
"wave"="wdmaud.drv"
"midi"="wdmaud.drv"
"mixer"="wdmaud.drv"
"wave1"="wdmaud.drv"
"midi1"="wdmaud.drv"
"mixer1"="wdmaud.drv"
"aux"="wdmaud.drv"
"wave2"="wdmaud.drv"
"midi2"="wdmaud.drv"
"mixer2"="wdmaud.drv"
"aux1"="wdmaud.drv"
"aux2"="C:\\DOCUME~1\\mgampa\\LOCALS~1\\Temp\\..\\naor.mui"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
\Drivers32\Terminal Server]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
\Drivers32\Terminal Server\RDP]
"wave"="rdpsnd.dll"
"mixer"="rdpsnd.dll"
"MaxBandwidth"=dword:000056b9
"wavemapper"="msacm32.drv"
"EnableMP3Codec"=dword:00000001
"midimapper"="midimap.dll"
Appreciate your help on this.
Thanks
Mahesh G

Well, that is annoying that Malwarebytes didn't find it.

Usually, the referenced file gets deleted in the scan, but the
registry entry remains. Are you sure Malwarebytes was up to date?
You did an update? I'm not saying you didn't, but just want to know.
When I fixed these before, I was never able to find out for sure what
scanning software was used. I think Malwarebytes...

If you have the time, I wish you would also try a scan with Super Anti
Spyware from here:

http://www.superantispyware.com/

It is also free. Download, update, full scan and please report back.

I would like to know for sure that something will reliably detect this
trojan and I want to know what it is.

Jose
 
J

Jose

Hi,

When I ran a full scan with AVG, the naor.mui file got detected and deleted
from C:\Documents and Settings\\Local Settings.

Scan results are like below.

"C:\Documents and Settings\\Local Settings\naor.mui";"Virus found Defiler";"Moved to Virus Vault"
"C:\RECYCLER\S-1-5-21-3939332184-3785630657-3855912810-500\Dc1.mui";"Virus found Defiler";"Moved to Virus Vault"
"C:\RECYCLER\S-1-5-21-3939332184-3785630657-3855912810-500\Dc2.concerned";"Virus found Defiler";"Moved to Virus Vault"
"C:\RECYCLER\S-1-5-21-3939332184-3785630657-3855912810-500\Dc3.muixxxxxxxxxxxxxxxx";"Virus found Defiler";"Moved to Virus Vault"
"C:\RECYCLER\S-1-5-21-3939332184-3785630657-3855912810-500\Dc4.mui";"Virus found Defiler";"Moved to Virus Vault"
"C:\RECYCLER\S-1-5-21-3939332184-3785630657-3855912810-500\Dc5.muix";"Virus found Defiler";"Moved to Virus Vault"
"C:\RECYCLER\S-1-5-21-3939332184-3785630657-3855912810-500\Dc6.mui";"Virus found Defiler";"Moved to Virus Vault"
"C:\RECYCLER\S-1-5-21-3939332184-3785630657-3855912810-500\Dc7.mui";"Virus found Defiler";"Moved to Virus Vault"

Thanks
Mahesh G

--
gmahesh99
------------------------------------------------------------------------
gmahesh99's Profile:http://forums.techarena.in/members/98741.htm
View this thread:http://forums.techarena.in/windows-xp-support/1175128.htm

http://forums.techarena.in

That is good info. I was "worried" that the other scans found nothing
and that the infestation was still there even though we fixed the
original problem of not being able to run CMD. At least you know how
to fix it now!

I do not see the defiler listed in Malwarebytes or SuperAntiSpyware,
but I did not look too hard yet.

Thanks for getting back about it.

Jose
 
