

7.7.7.0 Browser Hijack Virus


Nod5:
@app: I didn't know that Foxit had JS activated by default. Deactivated now. Thanks!

edit:
Edvard's first post states that a symptom of the problem is if sysaudio.sys or wdmaud.sys exists in C:\WINDOWS\system32\

It is then best to add that files with those names also exist in C:\WINDOWS\system32\drivers\, at least on my (supposedly clean) Win XP Pro system. The files with the MD5 values below passed the test at http://virusscan.jotti.org/ a minute ago:

C:\WINDOWS\system32\drivers\sysaudio.sys
8b83f3ed0f1688b4958f77cd6d2bf290

C:\WINDOWS\system32\drivers\wdmaud.sys
6768acf64b18196494413695f0c3a00f

I also have a registry entry very similar to the one Edvard talks about at HKLM\Software\Microsoft\Windows NT\Current Version\drivers32
But the difference is that my (again supposedly clean) computer has an "aux" key with the value "wdmaud.drv" (NOT "wdmaud.sys").

I guess it is yet another example of the common practice for malware to have deceptively similar names and locations to legit Windows files. A good way to counter that is to post and check file hashes.

Edvard:
The ones in C:\WINDOWS\system32\drivers\ are fine. It's always bad if they are found in C:\WINDOWS or system32.
If your registry says wdmaud.drv it should be fine as well.

Edvard:
OK, some instructions for removing this thing have been posted at http://www.myantispyware.com/2007/11/06/how-to-remove-trojan-dnschanger/

The best thing is to NOT get infected in the first place, but if you do, there's some sound advice.

I've also seen a lot of reports that it prevents Malwarebytes' Anti-Malware program from running. I'd say that's as good as an advertisement of MBAM's effectiveness in removing malware.
Apparently it is freeware as a scanning tool but a paid registration gives you "Realtime Protection".
Has anybody had any experience with this tool?

@Nod5: Here is the MD5 for the "bad" wdmaud.sys.
63453ec7d65a333a0a645cc50195990a

Also, the bad one is only about 17K, whereas the real one is 74 or 82K.

Stoic Joker:
Malwarebytes' Anti-Malware = Yes

When dealing with end user/client machines, 90% of the time Spybot Search and Destroy works for me; the other 10% requires Malwarebytes.

...Okay, 5% of the time I just flatten the box... But Malwarebytes is an excellent utility which is also (highly) MS MVP recommended.

Zedar:
Just a quick note I'll add to the discussion after dealing with this today. I run Win XP 64-bit edition, and the wdmaud.sys file can be found in the C:\windows\syswow64 folder.

After doing a search for the file, the infected version has a description of "Meikiemos Rules" in the tooltip description.
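The posts above boil down to a triage routine: look for sysaudio.sys and wdmaud.sys in the locations named as suspicious (C:\WINDOWS, system32, and on XP x64 SysWOW64) as well as in the legitimate drivers\ folder, compute the MD5 of each copy, compare it with the hashes posted in the thread, and confirm that the Drivers32 "aux" registry value still reads wdmaud.drv. The following PowerShell script is an added example, not code from anyone in this thread; the MD5 values and the 17K-versus-74/82K size observation are taken from the posts, while the directory list, the 30 KB size threshold, the .NET MD5 call and the output format are my own assumptions.

```powershell
# Added example (not from the thread): triage check for the file names and
# registry value discussed above. Hashes and sizes come from the posts;
# the path list, size threshold and output format are assumptions.

$names = @('sysaudio.sys', 'wdmaud.sys')

# Directories the thread calls suspicious for these names, plus the legitimate
# drivers folder for comparison. SysWOW64 comes from Zedar's XP x64 note.
$dirs = @(
    "$env:SystemRoot",
    "$env:SystemRoot\system32",
    "$env:SystemRoot\SysWOW64",
    "$env:SystemRoot\system32\drivers"
)

# MD5 values posted in the thread (lower-case hex).
$knownGood = @{
    '8b83f3ed0f1688b4958f77cd6d2bf290' = 'sysaudio.sys (drivers folder, scanned clean per Nod5)'
    '6768acf64b18196494413695f0c3a00f' = 'wdmaud.sys (drivers folder, scanned clean per Nod5)'
}
$knownBad = @{
    '63453ec7d65a333a0a645cc50195990a' = 'wdmaud.sys (malicious copy per Edvard)'
}

# MD5 via .NET so the script also works on PowerShell versions without Get-FileHash.
function Get-Md5Hex([string]$path) {
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $stream = [System.IO.File]::OpenRead($path)
    try {
        $bytes = $md5.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '').ToLower()
}

foreach ($dir in $dirs) {
    foreach ($name in $names) {
        $path = Join-Path $dir $name
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $item = Get-Item -LiteralPath $path
        $hash = Get-Md5Hex $path
        $inDrivers = $dir -like '*\drivers'

        $verdict = 'UNKNOWN - submit to a scanner and compare with a known-good copy'
        if ($knownBad.ContainsKey($hash))      { $verdict = 'MATCHES KNOWN-BAD HASH' }
        elseif ($knownGood.ContainsKey($hash)) { $verdict = 'matches hash posted as clean' }
        elseif (-not $inDrivers)               { $verdict = 'SUSPICIOUS LOCATION (outside drivers\)' }

        # The thread reports the bad wdmaud.sys at roughly 17 KB versus 74-82 KB for the real one.
        $sizeNote = ''
        if ($name -eq 'wdmaud.sys' -and $item.Length -lt 30KB) {
            $sizeNote = ' (small file, consistent with the reported bad copy)'
        }

        '{0,-45} {1,8} bytes  {2}  {3}{4}' -f $path, $item.Length, $hash, $verdict, $sizeNote
    }
}

# Registry value Edvard and Nod5 discussed: a clean system shows "wdmaud.drv" here.
$regPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32'
$aux = (Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue).aux
if ($null -eq $aux) {
    "Drivers32\aux: not present"
} elseif ($aux -ieq 'wdmaud.drv') {
    "Drivers32\aux = $aux (expected value)"
} else {
    "Drivers32\aux = $aux  <-- differs from expected wdmaud.drv, investigate"
}
```

Run it from an elevated PowerShell prompt so every directory and the HKLM key are readable. A hash that matches neither list is not proof of anything either way; as Nod5 did, submit the file to a scanner and compare it with a copy from a known-clean install of the same Windows version.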
