Web Browser Hijack by this same trojan

2008-12-26T04:59:00.000-08:00

The previous post deals with the Yahoo! Counter Starts trojan in your forum database files. This post is about associated malware that the trojan drops into your local computer.

The trojan drops a file called:


sysaudio.sys

into your WINDOWS/system32 folder.

This causes the malware to hijack your web browser.
So when you do a search in Google, you do not see
the normal Google results, but a set of search engines
and other sites, such as:
moxiesearch.com
findstuff.com
and similar sites.

Create a new folder,
then move the sysaudio.sys file
from the system32 folder to the new folder,
and rename the file.
Next, reboot your computer.
This should solve the problem of the web browser
redirection (hijacking).

HOWEVER, there is a normal sysaudio.sys file
that you should NOT delete, move, or rename
in the WINDOWS/system32/drivers folder
Do NOT mess with that file; it is a normal file
on Windows computers.

Yahoo! Counter starts trojan

2008-12-23T18:08:00.000-08:00

I found a relatively simple fix for the 'Yahoo! Counter starts' trojan that affects VBulletin and other forum software. Here's what I did:

I did a backup of the SQL database in VBulletin:
I went into the Admin Panel; clicked Maintenance, database backup.
At the bottom of that page, I went to the section that says
Backup database to a file on the server. Then I did the following:

1. made new directory within the /forum/ folder called /backup
2. made new directory worldwritable
chmod 777 backup
3. entered location for backupfile in Admin panel:
./backup/forumbackup-year-month-day.sql
4. Clicked save

Then I went into site by FTP and downloaded the SQL backup file,
and deleted the file from the site, and deleted the folder.

Then I searched the backed up SQL file for 'Yahoo! Counter' and found
two sections of code that had been inserted into the database by the trojan.

I found the code by doing a backup of the entire database with vBulletin,
then searching the SQL file generated by that back up.
Both sections of code have 'Yahoo! Counter' in them.

Then I logged into my website hosting company's control panel, and used
PHPmyadmin to go into the mySQL database (I have IXwebhosting), and
I edited the affected tables (the names of the tables were found from the
previous search of the backed up SQL file).

datastore options
[datastore is the name of a table in the database,
and options is a section within that table]

and likewise with:

setting description

The section of bad code in datastore begins with:


1108:\"\" />

and then continues on to include:


Yahoo! Counter starts

and then continues on to end with:


name=\"yahoo\" content=\"count\"

and the repaired code in 'datastore options' should include:


;s:11:\"description\";s:0:\"\";s:12:\"useforumjump\";i:1

The bad code had changed
;s:0:
to
;s:1108:
and then added the malicious code after the 1108. So after deleting the bad section of code, I made sure the repaired code had the zero and not the 1108

The section of bad code in 'setting description' was easier to fix.
This good code:


INSERT INTO setting VALUES('description', 'general', '', 
'This is a discussion forum powered by vBulletin. To find out about vBulletin, go to http://www.vbulletin.com/ .',
 '', '20', '0', '1', 'free', 'vbulletin', '', '0');

had been replaced by a long section of code that included the text:
Yahoo! Counter starts

I replaced that long section of code with the text:


This is a discussion forum powered by vBulletin. To find out about vBulletin, go to http://www.vbulletin.com/ .

This worked for me. I don't know if it will work for anyone else.
Proceed similarly at your own risk.
Good luck!

Yahoo! Counter Starts Trojan Advice

Web Browser Hijack by this same trojan

Yahoo! Counter starts trojan