Search engine result hijack

After many years of computer use, I encountered some malware that I couldn't fix with Spybot S&D or Ad-Aware.

The malware file was 'sysaudio.sys', and it was detected by Malwarebytes.

http://www.malwarebytes.org/

It appears that the malware hijacks search engine results, but thankfully I don't think it does 'other stuff' like keystroke logging.

Useful article on Sysaudio:

http://miekiemoes.blogspot.com/2008/10/fake-sysaudiosys-causes-searchengine.html

Do NOT confuse this one with the legitimate sysaudio.sys file, which is present in the %sysdir%\drivers folder!!! So don't delete the legitimate %sysdir%\drivers\sysaudio.sys file!

For what it's worth, I also had Zone Alarm detect WJQS.exe in real-time.

At this stage I am unsure if it's related.

Before I removed the sysaudio malware, Google was going to 1.2.3.0 instead of my usual 127.0.0.1 hosts file.
 
Some further useful links:

http://www.google.com.au/search?hl=en&q="yahoo+counter+starts+here"+malware&btnG=Search&meta=

http://www.bleepingcomputer.com/forums/topic175838.html

The Bleepingcomputer forum mentions that 'Combofix' solves the problem.

I didn't try this because Malwarebytes was sufficient.

* * * *

EDIT:

One way to prevent future infections is to install the Noscript addon for Firefox:

https://addons.mozilla.org/en-US/firefox/addon/722

http://en.wikipedia.org/wiki/NoScript

https://addons.mozilla.org/en-US/firefox/browse/type:1/cat:all?show=20&sort=popular
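As an added illustration of the symptom m22au describes (a search engine resolving to 1.2.3.0 via the hosts file), and not code from this thread, here is a small Python check that parses hosts-file text and flags any entry mapping a search-engine domain to something other than a loopback or unspecified (block-only) address. The sample hosts content, the watched-domain list and the 1.2.3.0 mapping are constructed for the example.

```python
import ipaddress

# Constructed sample hosts file modelled on the post: the owner blocks
# ad hosts with 127.0.0.1, but malware has pointed search engines at 1.2.3.0.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       ads.example.net   # deliberate block entry
1.2.3.0         www.google.com google.com
1.2.3.0         search.yahoo.com
0.0.0.0         tracker.example.org
"""

# Domains that should never be answered by the hosts file (assumed list).
WATCHED_DOMAINS = {"google.com", "yahoo.com", "bing.com", "live.com", "ask.com"}

def _is_sinkhole(ip):
    """True for addresses that merely block a name (loopback or 0.0.0.0/::)."""
    return ip.is_loopback or ip.is_unspecified

def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments and blanks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not a valid IPv4/IPv6 address; ignore line
        for name in fields[1:]:
            yield ip, name.lower().rstrip(".")

def _watched(hostname):
    """Return the watched base domain that hostname equals or falls under, else None."""
    for dom in WATCHED_DOMAINS:
        if hostname == dom or hostname.endswith("." + dom):
            return dom
    return None

def find_hijacked(text):
    """Return [(hostname, ip)] for watched domains mapped to a real (non-sinkhole) address."""
    hits = []
    for ip, name in parse_hosts(text):
        if _watched(name) and not _is_sinkhole(ip):
            hits.append((name, str(ip)))
    return hits

if __name__ == "__main__":
    for name, ip in find_hijacked(SAMPLE_HOSTS):
        print(f"suspicious hosts entry: {name} -> {ip}")
```

To check a live Windows machine, read %SystemRoot%\System32\drivers\etc\hosts and pass its contents to find_hijacked instead of SAMPLE_HOSTS.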
 
Quote from m22au:

After many years of computer use, I encountered some malware that I couldn't fix with Spybot S&D or Ad-Aware.

The malware file was 'sysaudio.sys', and it was detected by Malwarebytes.

http://www.malwarebytes.org/

It appears that the malware hijacks search engine results, but thankfully I don't think it does 'other stuff' like keystroke logging.

Useful article on Sysaudio:

http://miekiemoes.blogspot.com/2008/10/fake-sysaudiosys-causes-searchengine.html

Do NOT confuse this one with the legitimate sysaudio.sys file, which is present in the %sysdir%\drivers folder!!! So don't delete the legitimate %sysdir%\drivers\sysaudio.sys file!

For what it's worth, I also had Zone Alarm detect WJQS.exe in real-time.

At this stage I am unsure if it's related.

Before I removed the sysaudio malware, Google was going to 1.2.3.0 instead of my usual 127.0.0.1 hosts file.

Thanks for the info. I installed Malwarebytes and it seems to work fine. I will also upgrade to RT.
 