Malware that uses a modified OMSMAIN.DLL file

I just cleaned a computer that had Internet Explorer 8 hijacked and redirecting when you would click on a Google result. The file was called QFFAKLK.DLL (probably random) and was in c:\users\username\appdata\local\updater21804\coupon companion plugin folder. In the Details tab of the file, it shows version 12.0.6550.5000 of OMSMAIN.DLL, file description is “Microsoft Outlook Mobile Service.”

It was in the registry about five times in various Run locations and was hooked into about 14 processes.

The computer is protected by Symantec Endpoint Protection and I double-checked with Malwarebytes Anti-Malware, HitmanPro and even VirusTotal. NONE of them saw any problem with the file. (VirusTotal actually saw the file as OMSMAIN.DLL and not QFFAKLK.DLL.)

I removed all references in the registry to the file, restarted and was able to delete the folder and file. There were no more redirect problems. Thankfully it didn't have very good countermeasures.
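The tell-tale signs in this case were a DLL under a user's AppData folder, launched from Run keys, whose version resource claims to be a Microsoft component (and still names OMSMAIN.DLL as the original file) while the file itself is not signed. The following PowerShell script is an added example, not part of the original post, that walks the common HKLM/HKCU Run and RunOnce keys and reports any target file showing that combination; the list of keys, the path regex and the "trusted directory" set are my assumptions, not something the post specifies.

```powershell
# Added example: flag Run/RunOnce targets that carry Microsoft version metadata
# but live outside Windows/Program Files, are unsigned, or have been renamed.
$runKeys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Directories where a Microsoft-described binary would normally live (assumption).
$trusted = @($env:windir, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

function Get-TargetPath([string]$cmd) {
  # Pull the first drive-letter path ending in .dll/.exe out of the Run value,
  # which also covers rundll32 "C:\...\x.dll",EntryPoint style entries.
  $m = [regex]::Match($cmd, '(?i)[a-z]:\\[^",]+\.(dll|exe)')
  if ($m.Success) { return $m.Value } else { return $null }
}

function Find-SuspiciousRunEntry {
  foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
      if ($p.Name -like 'PS*') { continue }   # skip the provider's own PSPath etc.
      $path = Get-TargetPath ([string]$p.Value)
      if (-not $path -or -not (Test-Path -LiteralPath $path)) { continue }
      $vi  = (Get-Item -LiteralPath $path).VersionInfo
      $sig = Get-AuthenticodeSignature -FilePath $path
      $inTrusted = $false
      foreach ($t in $trusted) { if ($path -like "$t\*") { $inTrusted = $true } }
      $claimsMs = ($vi.CompanyName -match 'Microsoft') -or ($vi.FileDescription -match 'Microsoft')
      # Version resource naming a different file than the one on disk (OMSMAIN.DLL vs QFFAKLK.DLL).
      $renamed = $vi.OriginalFilename -and ($vi.OriginalFilename -ne (Split-Path $path -Leaf))
      if ($claimsMs -and (-not $inTrusted -or $sig.Status -ne 'Valid' -or $renamed)) {
        [pscustomobject]@{
          Key = $key; Value = $p.Name; Path = $path
          Description = $vi.FileDescription; OriginalName = $vi.OriginalFilename
          Signature = $sig.Status; InTrustedDir = $inTrusted
        }
      }
    }
  }
}

Find-SuspiciousRunEntry | Format-Table -AutoSize
```

Run it in an elevated session so the HKLM keys are readable; a hit is a lead to confirm by hand (hash, signer, location), not proof of infection on its own.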
