7.7.7.0 Browser Hijack Virus
Nod5:
@app: I didn't know that Foxit had JS activated by default. Deactivated now. Thanks!
edit:
Edvard's first post states that a symptom of the problem is if sysaudio.sys or wdmaud.sys exists in C:\WINDOWS\system32\
It is then best to add that files with those names exist in C:\WINDOWS\system32\drivers\, at least on my (supposedly clean) Win XP Pro system. The files with the MD5 values below passed the test at http://virusscan.jotti.org/ a minute ago:
C:\WINDOWS\system32\drivers\sysaudio.sys
8b83f3ed0f1688b4958f77cd6d2bf290
C:\WINDOWS\system32\drivers\wdmaud.sys
6768acf64b18196494413695f0c3a00f
I also have a registry entry very similar to the one Edvard talks about at HKLM\Software\Microsoft\Windows NT\Current Version\drivers32
But the difference is that my (again supposedly clean) computer has an "aux" key with the value "wdmaud.drv" (NOT "wdmaud.sys").
I guess it is yet another example of the common practice for malware to have deceptively similar names and locations to legitimate Windows files. A good way to counter that is to post and check file hashes.
Edvard:
The ones in C:\WINDOWS\system32\drivers\ are fine. It's always if they are found in the c:\WINDOWS or system32.
If your registry says wdmaud.drv it should be fine as well.
Edvard:
OK, some instructions for removing this thing have been posted at http://www.myantispyware.com/2007/11/06/how-to-remove-trojan-dnschanger/
The best thing is to NOT get infected in the first place, but if you do, there's some sound advice.
I've also seen a lot of reports that it prevents Malwarebytes' Anti-Malware program from running. I'd say that's as good as an advertisement of MBAM's effectiveness in removing malware.
Apparently it is freeware as a scanning tool but a paid registration gives you "Realtime Protection".
Has anybody had any experience with this tool?
@Nod5: Here is the MD5 for the "bad" wdmaud.sys.
63453ec7d65a333a0a645cc50195990a
Also, the bad one is only about 17K, where the real one is 74 or 82K.
Stoic Joker:
Malwarebytes' Anti-Malware = Yes
When dealing with end user/client machines 90% of the time Spybot Search and Destroy works for me, the other 10% requires Malwarebytes.
...Okay, 5% of the time I just flatten the box... But Malwarebytes is an excellent utility which is also (highly) MS MVP recommended.
Zedar:
Just a quick note I'll add to the discussion after dealing with this today. I run Win XP 64 bit edition - and the wdmaud.sys file can be found in the C:\windows\syswow64 folder.
After doing a search for the file, the infected version has a description of "Meikiemos Rules" in the tooltip description.
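The checks the thread describes (the two driver names in the wrong directory, and the MD5 values Nod5 and Edvard posted), put together as an added example that is not from any poster; the Windows directory is a parameter so the constructed demo tree runs anywhere, and the known-good and known-bad hashes are only the ones quoted above:

```python
import hashlib
import os
import tempfile

# Reference MD5 values quoted in the thread.
KNOWN_GOOD_MD5 = {
    "sysaudio.sys": {"8b83f3ed0f1688b4958f77cd6d2bf290"},
    "wdmaud.sys": {"6768acf64b18196494413695f0c3a00f"},
}
KNOWN_BAD_MD5 = {"63453ec7d65a333a0a645cc50195990a"}  # Edvard's "bad" wdmaud.sys
# Legitimate location vs. the locations named as a symptom, relative to
# the Windows directory (syswow64 added per Zedar's XP x64 note).
LEGIT_SUBDIRS = {os.path.join("system32", "drivers")}
SUSPICIOUS_SUBDIRS = {"", "system32", "syswow64"}

def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as f:  # stream so large binaries are not read at once
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def scan(windows_dir):
    """Return {relative path: verdict} for every copy of the two names found."""
    verdicts = {}
    for subdir in sorted(LEGIT_SUBDIRS | SUSPICIOUS_SUBDIRS):
        for name in KNOWN_GOOD_MD5:
            rel = os.path.join(subdir, name)  # join("", name) is just name
            path = os.path.join(windows_dir, rel)
            if not os.path.isfile(path):
                continue
            digest = md5_of(path)
            if digest in KNOWN_BAD_MD5:
                verdicts[rel] = "known-bad hash"
            elif subdir in SUSPICIOUS_SUBDIRS:
                verdicts[rel] = "unexpected location"
            elif digest in KNOWN_GOOD_MD5[name]:
                verdicts[rel] = "known-good"
            else:
                verdicts[rel] = "unknown hash, verify with a scanner"
    return verdicts

def demo():
    """Constructed tree: one copy in the driver dir plus a stray copy in system32."""
    with tempfile.TemporaryDirectory() as win:
        os.makedirs(os.path.join(win, "system32", "drivers"))
        for rel in ("system32/drivers/wdmaud.sys", "system32/wdmaud.sys"):
            with open(os.path.join(win, rel), "wb") as f:
                f.write(b"placeholder bytes, not a real driver")  # constructed
        return scan(win)
```

Run `scan(r"C:\WINDOWS")` on a real machine; `demo()` shows the two verdicts a stray system32 copy and an unrecognised driver-directory copy produce.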