Google, MSN, Yahoo Search 7.7.7.0 Redirector Malware HiJack
Google 7.7.7.0 Redirect Malware, Virus, Spyware…
UPDATE (11/27/2009 12:23PM EST)
I have removed the 7770finder.zip file from downloads. Malwarebytes’s Anti-Malware picks up this infection and cleans it successfully. Please visit http://www.malwarebytes.org/mbam.php and grab a copy of the free version. If you like their software, consider purchasing the full version for real-time protection!
UPDATE (3/07/2009 10:23AM EST)
I see that people are still having trouble with this and that there is a possible variant out there. I recommend you download MalwareBytes’ Anti-Malware and scan your computer using ‘Quick Scan’. If you want to schedule the scanner to scan at a certain time, please see my post http://www.techish.net/2009/01/24/malwarebytes-scheduled-scanning-updating-using-windows/ for further information on how to do this.
UPDATE (1/29/2009 9:18PM EST)
Uploaded a new version of 7770FINDER. This version includes directory recursion, and allows you to specify whether or not to use it along with a path argument. Read the README.txt in the ZIP for more information on how to use the commands if you are unfamiliar.
UPDATE (1/19/2009 6:30PM EST)
I’ve been getting a lot of email questioning why my tool did not remove found infected files. This tool does NOT remove any infected files. It is up to you to remove them. This tool also does not support directory recursion; e.g., it ONLY scans %SystemDir% files, no subfolders. Sorry.
UPDATE (1/15/2009 12:51PM EST)
I have been able to successfully re-infect myself and I can confirm this is being distributed via PDF JavaScript as I was monitoring processes and my system32\ directory as I visited a known vulnerable site. I also saw ~.exe process start up during my monitoring after I saw Acrobat.exe and acrotray.exe start up. Once infected, the processes (Acrobat, Acrotray) terminated.
To help prevent infection take the following actions:
Adobe Reader: Disable Adobe JavaScript functionality (Edit -> Preferences, go to the JavaScript entry and untick “Enable Acrobat JavaScript”)
Foxit Reader: Edit -> Preferences -> JavaScript (Uncheck the box)
Use NoScript Firefox Plugin
Tips thanks to Edvard and app103 over at DonationCoder
UPDATE (1/14/2009 11:17PM EST)
Update your PDF application and disable JavaScript.
UPDATE (1/14/2009)
Malwarebytes is able to detect the malware. Interestingly enough, it only detects it if it’s in the c:\windows\system32\drivers\ folder. I’m not sure what’s up with that. Update the applications to ensure you’re using the latest definitions. If you know of any other Spyware/Malware/AV software that is detecting this, leave a comment. AVG supposedly detects this threat (posted by: Peter Liu)
Please let me know of any other software that detects this.
Removal Instructions
Detection Tool
Here’s what I know about this lovely little malware that hijacks Google, MSN Live, and I’m sure a few other popular search engines by injecting JavaScript in the page header:
1) Redirects searches to 7.7.7.0
2) Displays what appear to be normal results, but in fact are linked to many other malware centric sites
3) Kaspersky (as of this writing) is the only application to detect the presence of this malware on your PC (and yes I’ve tried Malware Bytes, Spybot S&D, AntiVir, SuperSpyware)
4) The culprit file resides in c:\windows\system32\wdmaud.sys and should be removed, or renamed. Don’t remove the file from c:\windows\system32\drivers\wdmaud.sys.
5) After deleting/renaming the file, restart your browser(s) and you’ll be OK. Note: This affects IE and FF, I have not tested Opera, Netscape or Safari.
Here’s an example screenshot of what Google results look like when you are infected. Notice the Google links (green links) on the results page.
What I’d like to know is what that file has to do with the browser. The WDMAUD.sys file (the real one) deals with Windows High Definition Audio. Could this file have been placed there via Flash vulnerability? I know I was on YouTube the night prior to me being invaded.
I ran Process Monitor (ProcMon) from Sysinternals and saw that Firefox and IE both called for wdmaud.sys but in the c:\windows\system32\ directory, not in the drivers subfolder. Here’s a screenshot of that. If I move the file (the infected file) out of system32\ the redirection stops. If I put it back in the infection is back. My question that is burning me is HOW did it get there? What put it there?
So far, the infection is in c:\windows\system32\wdmaud.sys (or c:\winnt\system32\wdmaud.sys). Simply delete the file and restart any open web browsers.
If you do not find the wdmaud.sys file, or are unsure what to even look for, you may download a tool that we created that inspects every file in the Windows system directory. It doesn’t look specifically for the wdmaud.sys file; it looks for the malware’s signature in every file within that directory.
Compatible with: Windows XP (all SPs), Server 2000/2003/2008, and Vista.
Your use of this software indicates that you agree to the included disclaimer.
Download Tool Here (ZIP) (md5: F095664C7148A03878D545D9D6F2502E)
Tool Update (1/29/2009)
* Added 2 parameters: /r (recursion) /p (specify alternative path to scan)
Tool Update (1/16/2009)
* Prints path of file that is infected
If you download the tool and find it useful, or don’t find it useful, I’d appreciate any feedback. You can leave a comment or send any questions/comments to rich@techish.net.
about 11 months ago
@Chris,
I’m sure this thing has mutated and you’re the [un]lucky victim. First thing’s first, have you downloaded and scanned your system (Quick Scan) using MalwareBytes’ AntiMalware scanner?
Second, make sure you disable JavaScript/Web Content from your PDF readers (Adobe/Foxit) if you haven’t already to help ensure safety.
It may have not even been spread by a PDF as variants usually find other methods of deployment. I do know that Adobe Reader has a major vulnerability at this time that is still not patched (Adobe Reader 9) which I have a brief write up of it here: http://www.techish.net/2009/02/21/adobe-reader-9-critical-security-flaw/
Regardless, get MalwareBytes’ AntiMalware and scan your system (making sure Malwarebytes is up-to-date (as it’s not automatically updated if you use the free version). Another option would be to use Super AntiSpyware and see if that turns anything up.
NOTE: I haven’t updated my original scanner with any variants of the hijacker. If people want, they can send me the suspected files and I will include the signatures in my scanner base code. You can upload the variants to: http://www.techish.net/upload/
Thanks,
Rich
about 11 months ago
Hi Richard, Great info on the thread -the 7770 tool worked for me thanks.
The tool located 1 infection for me:
I had to scan the full C Drive using: 7770FINDER.exe /r /p c:\
I wanted to share some slightly different symptoms for anyone listening:
First, my infected file was:
C:\Documents and Settings\Admin\Local Settings\hkurkf.qfa
This file could not be renamed\deleted directly even after booting
in Safe Mode and with System Restore switched off.
(it just popped up in the directory again)
In the end, I edited the file in notepad, removed everything, typed in
some random characters and saved. Then set the file to be read-only.
So far (rebooted a couple of times) this appears to have worked.
I then searched in the Registry for hkurkf.qfa and found this:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\aux2
Value: C:\DOCUME~1\Admin\LOCALS~1\Temp\..\hkurkf.qfa
Interestingly the entry above that was:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\aux
Value: wdmaud.drv
Some other symptoms:
With the hkurkf.qfa in place I couldn’t edit the Registry(?)
and a couple of minor changes to my explorer settings didn’t take.
I hope that adds something to the discussion.
Thanks again for the work you’ve done in researching this and
developing the 7770 tool.
Steve
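The Drivers32 entries Steve found are the mechanism behind the browser loading a rogue file: a multimedia driver mapping pointing at an arbitrary file, with a `\..\` component hiding where it really resolves. As an added Python example (not from the original post and not Rich’s 7770 tool), this audits a `regedit /e` export of that key, flags values that are absolute paths, contain `..`, live under Temp, or have an unexpected extension, and resolves the `..` trick to the real location. The sample export, the `wave1` value name carrying the second rogue path, and the extension whitelist are assumptions.

```python
import ntpath
import re
from typing import Dict, List, NamedTuple

# Constructed sample of a "regedit /e" export of the Drivers32 key.  The "aux2"
# value copies what Steve reported; the "wave1" value name is an assumption used
# to carry the c:\windows\drivers32\..\oqxjss.ttr path reported later in the
# thread.  The remaining values are ordinary Windows XP multimedia mappings.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"midimapper"="midimap.dll"
"wavemapper"="msacm32.drv"
"msacm.imaadpcm"="imaadp32.acm"
"aux"="wdmaud.drv"
"aux2"="C:\\DOCUME~1\\Admin\\LOCALS~1\\Temp\\..\\hkurkf.qfa"
"wave1"="c:\\windows\\drivers32\\..\\oqxjss.ttr"
'''

DRIVERS32_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32"
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

# Assumption: legitimate Drivers32 data is a bare file name resolved from
# system32 and uses one of these extensions (codec .acm, driver .drv, or .dll).
EXPECTED_EXTENSIONS = {".acm", ".drv", ".dll"}


class Finding(NamedTuple):
    name: str
    data: str
    resolved: str        # data with ".." components collapsed
    reasons: List[str]


def parse_drivers32(reg_text: str) -> Dict[str, str]:
    """Return the string values under the Drivers32 key of a .reg export."""
    values: Dict[str, str] = {}
    in_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == DRIVERS32_KEY.lower()
            continue
        if not in_key:
            continue
        m = VALUE_RE.match(line)
        if m:
            # .reg exports double every backslash; undo that.
            values[m.group("name")] = m.group("data").replace("\\\\", "\\")
    return values


def resolve(data: str) -> str:
    """Collapse '..' the way the loader would; ntpath works on any host OS."""
    return ntpath.normpath(data)


def suspicious_reasons(data: str) -> List[str]:
    """Heuristics for a Drivers32 value that does not look like a stock mapping."""
    reasons: List[str] = []
    low = data.lower()
    components = re.split(r"[\\/]", low)
    if ".." in components:
        reasons.append("contains a '..' component that hides the real location")
    if re.match(r"^[a-z]:[\\/]", low) or low.startswith("\\\\"):
        reasons.append("absolute path instead of a bare system32 file name")
    if "\\temp\\" in low:
        reasons.append("refers to a Temp directory")
    ext = ntpath.splitext(components[-1])[1]
    if ext not in EXPECTED_EXTENSIONS:
        reasons.append(f"unexpected extension '{ext}'")
    return reasons


def audit_drivers32(values: Dict[str, str]) -> List[Finding]:
    """Return one Finding per value that trips at least one heuristic."""
    findings: List[Finding] = []
    for name, data in values.items():
        reasons = suspicious_reasons(data)
        if reasons:
            findings.append(Finding(name, data, resolve(data), reasons))
    return findings


if __name__ == "__main__":
    for f in audit_drivers32(parse_drivers32(SAMPLE_REG_EXPORT)):
        print(f"{f.name} = {f.data}")
        print(f"    really loads: {f.resolved}")
        print("    " + "; ".join(f.reasons))
```

On a live machine the same audit applies to an export taken with `regedit /e`; the stock `aux`/`wave`/`midi` mappings to wdmaud.drv pass untouched.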
about 11 months ago
I’m not sure exactly how to get the detection tool to recursively scan another location…I downloaded 7770FINDER.exe to my desktop, when I double-click on it there is not a place for me to change the path. I tried Run but can’t get the path to work, either. I need 7770 For Dummies help.
about 11 months ago
Oh, I figured it out! Woohoo, I am scanning c:\windows and so far two infected files have already popped up: jum.ysk and KB833680.log
about 11 months ago
@Niki Maas,
Can you upload KB833680.log to me so I can review that? http://www.techish.net/upload/
Thank you,
Rich
about 11 months ago
I found 1 infected file “csfici.lgy”. But no matter how many times I removed it, whether in safe mode or in regular mode, it always comes back. I also tried renaming it! It comes back and then the program shows it found 2 infected files. :(
about 11 months ago
I think the problem is solved. I renamed the “csfici.lgy” to “csficiZucye.lgy” and even though another one re-appeared shortly after, the new “csfici.lgy” is only 1 kb. And the redirection has stopped. Another thing that I did before this worked was uninstall all my spyware and virus tools, and so far I have only re-installed AVAST (the anti virus). I don’t know if my computer is clean now, but at least the redirection is gone.
about 11 months ago
I used the 7770finder and it found this file in C:\Windows “plofr.oee”. I renamed it, and another one was created instantly in that directory. I’ve been getting google redirects and firefox browser crashes a bunch lately.
I did a Quick Scan with MalwareBytes, but it did not find any infections.
about 11 months ago
the latest version of this blocks the malwarebytes.org updates and then crashes the program. It won’t let me into CMD or regedit even in XP’s safe mode, it won’t let me update mcafee’s scanner or any of the other products I have tried downloading, and online scanners don’t find a thing. I think mine came from a flash application but I’m still digging to find it.
about 11 months ago
I was having those same probs upset2. I was able to run ‘command’ (rather than ‘cmd’) and had 7770finder search my entire C:\Windows drive, where it found the file I mentioned above.
I overwrote that file with a dummy one I created in notepad, and my probs seem to be fixed! :D
about 11 months ago
Ok… my ISP emailed me after I posted about my website and said that they were working on it. I do use an old phpBB system, and haven’t updated because I had made some mods to it. I’ll have to figure out how to update it now.
My laptop appears to be infected by this newer version as well. I can’t do cmd/regedit or update malwarebytes. I have uploaded a file for you oqxjss.ttr that is what your tool found. Hopefully that will take care of it!
about 11 months ago
Ok… it seems to be working… I left the file but deleted it all in notepad, leaving only a dummy file. After rebooting, I was able to run regedit. Did a search for the file and found it in 4 places – 2 were in the opencloseMRU files, which I assume were associated with me opening the file to edit it. The other one was:
HKEY_LOCAL_MACHINE/software/microsoft/windows NT/current version/drivers.desc
In this location the file was listed as c:\windows\oqxjss.ttr
HKEY_LOCAL_MACHINE/software/microsoft/windows NT/current version/drivers32
In this location the file was listed as c:\windows\drivers32\..\oqxjss.ttr
Don’t know if that helps at all. Thanks for all your work on this.
about 11 months ago
@Steve,
That’s interesting…
Look at this little tidbit I got in my email today:
——-
A message has been uploaded, here’s the details:
REMOTE_ADDR: [privacy_enabled]
FILE: oqxjss.ttr
SIZE: 18944
——-
oqxjss.ttr is the common denominator.
This was a random person who uploaded this; typically I delete the files once I get the message if I was not expecting an upload. The files are also inaccessible to general public so it prevents malicious linking.
I have an upload page (http://www.techish.net/upload/) that allows people to upload files and it notifies me via email. I use this when I’m helping a client or something of that nature and I need to see a file that email systems would filter out or the use of FTP would be too much of a task for someone…
I believe (but have not looked into it) that TTR files are true type fonts? I may be mistaken. I’ll analyze that file with Malwarebytes and a few AV scanners.
@Everyone:
If you ever receive a suspicious file or find a suspicious file on your computer you can always upload it to http://www.virustotal.com/ That site utilizes ~40 different AntiVirus/Malware scanning tools (which are kept up-to-date) to determine if that file is potentially malicious. May be a good resource for those of you who didn’t know about it.
about 11 months ago
Regarding last comment…
I did upload it to VirusTotal:
5/40 found it to be potentially malicious.
If you like, you can view the results of the online scan:
http://www.virustotal.com/analisis/cdcf3b2da10205fd218f346d81c1f486
about 11 months ago
Sorry, I ended up posting twice. I uploaded my file yesterday, which must be the one you got. I didn’t know how to attach my name to it to show you who it was from.
Thanks,
Steve
about 11 months ago
One other thing… over the past few weeks while struggling with this latest variant, I was getting a lot of the Microsoft “referenced memory could not be read” errors, especially around iTunes and Internet Explorer. I haven’t had any (in one day, so this isn’t definitive) since I fixed the problem yesterday. I also had issues where my audio card driver would basically ‘go away’ – when I’d open the volume control, it would say no audio device installed. Not sure any of this is related, but wanted to throw it out in case others might be experiencing it.
about 11 months ago
I’m infected with the dreaded Google Redirect virus. This variant is blocking MalwareBytes’ program from opening. Running the 7770finder turned up nothing. I’m at the end of my rope. Help!!!
about 11 months ago
You are my hero.
C:\WINDOWS\eemowd.asy found by 7770finder; replaced by dummy notepad text, so far so good. No more search redirects, and no more random crashes on regular pages.
about 11 months ago
All hail Richard, and blessings on the planet you hail from. C:\WINDOWS\tja.mmv found by 7770FINDER, replaced by dummy notepad text, so far so good (to steal what Don said so well). I had also lost most of my task tray icons, and the appearance of some browser displays (Google bookmarks) were being affected. Task tray icons are back, and things look normal.
about 10 months ago
I tried everything. Your tool doesn’t find any problems, but after I ran the Malwarebytes software it worked for a while, and now, like 5 minutes later, the problems are back. Please please help. In system32 there is a wdmaud file but it’s not .sys and it says it’s been modified over 3 years ago. I really need to use my comp. Thank you so much.
about 10 months ago
And I’ve checked and there is no wdmaud file in system32 other than the one in drivers. The redirect problem is still there. Please help. I have no clue what to do.
about 10 months ago
Or maybe I’m not using your tool right. I just open the 7770 finder and it automatically searches, right? I get 0 infected, 0 skipped and 0 errors. Is there any way you can help? I’ll try anything. I’m sick of this virus.
about 10 months ago
The 7770 tool doesn’t find anything for me either and the only file I have in system32 is a wdmaud.drv
is this the file I need to delete?
about 10 months ago
I’m in the exact same position as Bryan.
about 10 months ago
I tried the 7770 detector and it says it found nothing. I tried deleting the file and it wouldn’t let me. I tried renaming it as well and a duplicate is made every time. I don’t know if I have the same virus, but I’m redirected when I click on links to various websites. This happens when I’m on any other google webpage as well. Also, the snapshot you showed where the URLs didn’t fit the descriptions is not what I see. The URLs listed all are the right URLs. The URL changes after I click on the link. Any ideas?
about 10 months ago
Yea, mine doesn’t show different URLs either. But near the bottom of the browser, when you scroll over the link, it shows the google-redirect URL. Also, it’s been at least 5 hours since any redirections have happened. However, once in a while I get an error from Internet Explorer. Is the virus gone?
about 10 months ago
This is by far the best info about this virus on the internet.
THANKS!
But I seem to be having the same trouble here, as 7770finder doesn’t detect anything. I’ve had this virus for only a couple of days now.
But by disabling Adobe JavaScript & using the NoScript Firefox Plugin as suggested, I seem to be able to bypass the virus. I also disabled the Firefox Java Quick Starter plugin, which is automatically installed with the latest version of Java.
To remove this extension, first make sure that the extension is ENABLED in Firefox by checking in “Tools -> Add-ons -> Extensions”. If the Java Quick Starter Firefox extension is disabled, click the “Enable button” and restart Firefox. Then open the Windows Control Panel and double click Java. In the Java Control Panel, click the Advanced tab, click the + in front of Miscellaneous and clear the Java Quick Starter box.
about 10 months ago
Yea, no more redirections happen for me. Other than the browser randomly shutting down, my iTunes says my iPod is corrupt even when there is no iPod connected to my comp. Is there a chance the virus corrupted my iTunes?
about 10 months ago
I ran HijackThis and removed the file it wanted me to remove. But still, I haven’t had a redirection in over a day, and now nothing I plug into my USB port gets recognized. I hate this virus.
about 10 months ago
Richard,
I am having multiple problems with ridding my computer of this Google Redirect virus. When I ran your scan, I did not get any results. As I loaded Kaspersky and tried to activate via internet connection I can not access. I am no tech guy, but I also have something on my computer that is not allowing me to update any spyware or panda updates. Is there anything out there that would block that access?
Thanks in advance
about 10 months ago
@LSUPAWZZ
Many of the malware and virus creators typically modify DNS records (or “Hijack”) in order to prevent users from updating existing antivirus/antimalware/antispyware software and also to keep them from downloading new software to remove existing malware etc.
Have you tried to run Malware Bytes’ AntiMalware?
about 10 months ago
I can not download or run any new av/am/as software at this time. I am cranking it out again this morning to resolve these issues but it is getting very frustrating. I am having to use my laptop to download and transfer via flash and it now appears that some of the downloads are conflicting each other i.e. my Panda.
about 10 months ago
I cannot seem to change the search location on your detection software, I’m a bit confused..
could someone tell me the step by step on how to change the scan location?
thanks.
about 10 months ago
Richard,
The virus “plays” with Malwarebytes installation, rendering it unusable.
I’ve read that renaming the Malwarebytes dot exe installation file (also renaming for download) & installed dot exe file & folder to some other thing than Malwarebytes helps, which I did.
But if you do so, you’ll have to do a manual registry search for the original file’s name & rename the entries found, to the new name (and folder) in order for the program to find its way & work.
But what the virus does is prevent several DLL & OCX files from being installed to the c:/windows/system32/ directory. You will need to copy these files from the “programs” directory in which Malwarebytes is installed into the windows/system32 directory & register them manually.
the files are mbamext.dll ssubtmr6.dll vbalsgrid6.ocx zlib.dll. You will then need to run these using the following commands from the “run…” command line (found on the windows start menu):
regsvr32 mbamext.dll
regsvr32 ssubtmr6.dll
regsvr32 vbalsgrid6.ocx
regsvr32 zlib.dll
I scanned & cleaned the whole computer with Malwarebytes.
I also ran HijackThis & removed everything suspicious & ran a full AVG scan.
There was a virus that I think is part of the problem called HeroCodec. You can check here for removal of this one: http://www.411-spyware.com/remove-herocodec#deletefiles
I also searched the registry for “herocodec” & removed all entries found…
I can tell you that the computer is a lot cleaner now, but that damn virus is still there, so NoScript is doing the job to block all incoming unfriendly websites.
HELP!
about 10 months ago
Well… Seems that this new form of this virus is completely undetectable by anything out there. So far I’ve done complete scans with Malwarebytes, Spyware Doctor & AVG and ran & cleaned everything that was picked up by HijackThis… Yet the virus is still there. Good thing for the Firefox NoScript plugin, or I otherwise wouldn’t be writing this.
If anyone finds anything, please report.
cheers
about 9 months ago
This worked for me -
Checked HOSTS file located at c:\windows\system32\drivers\etc\hosts.
(you can open it up in Notepad).
If it’s just some lines on top with a # in front of it and followed by 127.0.0.1 localhost, then it should be okay.
However, if there are others following 127.0.0.1 localhost then re-name it. Which I did and it worked!
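The hosts-file check above, as an added Python example that is not from the comment and not part of the 7770 tool: it parses a hosts file, ignores the stock localhost line, and flags every other mapping, calling out entries for the security vendors named in this thread (a vendor site blackholed to 127.0.0.1 explains the blocked Malwarebytes updates several people describe). The sample hosts file, the stock-entry set and the vendor list are constructed assumptions.

```python
import ipaddress
from typing import List, NamedTuple, Tuple

# Constructed sample of a tampered %SystemRoot%\system32\drivers\etc\hosts.
# Only the "127.0.0.1 localhost" line is stock; the other two mappings are
# made up to show the two tricks the thread describes: blackholing a vendor's
# site and pinning a popular site to an attacker-chosen address.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# 102.54.94.97     rhino.acme.com          # source server
127.0.0.1       localhost
127.0.0.1       malwarebytes.org www.malwarebytes.org   # constructed
7.7.7.0         www.google.com                          # constructed
"""

# Assumption: the only mapping a stock Windows XP hosts file carries.
STOCK_ENTRIES = {("127.0.0.1", "localhost")}

# Security vendors named in this thread; any hosts entry for them is suspect.
VENDOR_HINTS = ("malwarebytes", "avira", "avg", "avast", "mcafee",
                "kaspersky", "virustotal")


class HostsFinding(NamedTuple):
    line_no: int
    ip: str
    hostname: str
    reason: str


def parse_hosts(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, ip, hostname) for every active mapping, one per name."""
    entries: List[Tuple[int, str, str]] = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        active = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not active:
            continue
        fields = active.split()
        if len(fields) < 2:
            continue
        for hostname in fields[1:]:
            entries.append((line_no, fields[0], hostname.lower()))
    return entries


def audit_hosts(text: str) -> List[HostsFinding]:
    """Flag every mapping that is not the stock localhost line."""
    findings: List[HostsFinding] = []
    for line_no, ip, hostname in parse_hosts(text):
        if (ip, hostname) in STOCK_ENTRIES:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append(HostsFinding(line_no, ip, hostname, "unparseable address"))
            continue
        if addr.is_loopback:
            reason = "blackholed to loopback (blocks updates/downloads)"
        else:
            reason = f"pinned to {addr} instead of DNS"
        if any(hint in hostname for hint in VENDOR_HINTS):
            reason = "security vendor host " + reason
        findings.append(HostsFinding(line_no, ip, hostname, reason))
    return findings


def hosts_is_stock(text: str) -> bool:
    """True when the file carries nothing beyond comments and the stock entry."""
    return not audit_hosts(text)


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f.line_no}: {f.ip} {f.hostname} -> {f.reason}")
```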
about 9 months ago
Hi Rich, I tried to send you an email but it said it didn’t exist? rich@techish.net
Basically, The 7770 finder didn’t work for me. I did download the Malwarebytes’ program, and it found a bunch of stuff, all different types.
I ‘removed’ (quarantined) anything with “Trojan” in the name — I figured that was pretty safe. But I don’t know how to tell which of the rest might be the google redirect virus, or any other ones I should remove – do you think you could help me out?
log:
Malwarebytes’ Anti-Malware 1.37
Database version: 2209
Windows 5.1.2600 Service Pack 3
6/1/2009 3:10:35 PM
mbam-log-2009-06-01 (15-10-20).txt
Scan type: Full Scan (C:\|)
Objects scanned: 179603
Time elapsed: 37 minute(s), 28 second(s)
Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 9
Memory Processes Infected:
C:\WINDOWS\system32\drivers\ctfmon.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\MediaHoldings (Adware.PlayMP3Z) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{42f2c9ba-614f-47c0-b3e3-ecfd34eed658} (Adware.ISTBar) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{09f1adac-76d8-4d0f-99a5-5c907dadb988} (Rogue.Multiple) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1daefcb9-06c8-47c6-8f20-3fb54b244daa} (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntivirus) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2d2bee6e-3c9a-4d58-b9ec-458edb28d0f6} (Rogue.DriveCleaner) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8fcdf9d9-a28b-480f-8c3d-581f119a8ab8} (Adware.180Solutions) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{deceaaa2-370a-49bb-9362-68c3a58ddc62} (Adware.180Solutions) -> No action taken.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Heuristics.Reserved.Word.Exploit) -> Data: c:\windows\system32\drivers\ctfmon.exe -> No action taken.
Folders Infected:
C:\Program Files\VSAdd-in (Adware.Agent) -> No action taken.
Files Infected:
c:\program files\k-lite codec pack\Real\settings.exe (Rogue.Installer) -> No action taken.
c:\program files\k-lite codec pack\tools\fixcodecs.exe (Rogue.Installer) -> No action taken.
c:\program files\k-lite codec pack\quicktime\QuickTimePlayer.exe (Rogue.Installer) -> No action taken.
C:\WINDOWS\system32\stt82.ini (Malware.Trace) -> No action taken.
C:\WINDOWS\system32\drivers\ctfmon.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.
C:\WINDOWS\system32\ps.a3d (Stolen.Data) -> No action taken.
C:\WINDOWS\system32\klo5.sys (Stolen.Data) -> No action taken.
c:\program files\k-lite codec pack\Real\mpclauncher.exe (Rogue.Installer) -> No action taken.
c:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> No action taken.
I also just downloaded the latest version of IE (8), and I have Firefox on my computer as well.
But something called “DEP” won’t let IE open at all now, unless I change the permissions… so I guess I’ll have to do that.
I have scripts turned off on Firefox, so it won’t let me do anything at all in Google without permitting scripts for it, so I have no idea what to do there…
Thanks for any help you can provide…
Bonnie
about 9 months ago
@Bonnie,
Re-run the scan (update Malwarebytes again before scanning) and you can safely remove all the entries with the EXCEPTION of:
C:\WINDOWS\system32\drivers\ctfmon.exe (Heuristics.Reserved.Word.Exploit)
AND
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Heuristics.Reserved.Word.Exploit)
After you remove all the entries EXCEPT THOSE, please download an antivirus program such as Avira (www.avira.com) and run a full system scan to remove those last two remaining issues.
rjkreider@gmail.com if you need further assistance.
Thank you,
Rich Kreider
about 8 months ago
Hi, gr8 post thanks for posting. Information is useful!
about 8 months ago
I had already installed Malwarebytes, and it appeared to run correctly but found nothing.
The tool failed to open. It gave me an error, so I couldn’t use it. I found the wdmaud.sys and wdmaud.drv files under \drivers\, but I was not able to remove them permanently, as there is some kind of module in the directory \Drivers Cache\ that seems to restore it when you rename, delete, or even edit it. Any suggestions?
about 8 months ago
My laptop got infected with this, and I’m having to post here from another computer. How do I get rid of this without completely wiping out my browser files or editing code that could easily cause a crash if I did it wrong?
about 8 months ago
Rich,
So far for me I have not had this redirect problem. (Knock on wood!!) I was helping a friend out by cleaning up a laptop she got, and she had the redirect bug too. After 3 hours of looking for any “helpful” info on this I happen to stumble here and YOU ARE THE MAN!!
Whether or not this piece of crap has mutated or adapted to a person who isn’t hip to getting into the file system of Windows and/or the registry is going to be SOL.
You are an awesome person for taking your time to help a bunch of strangers who are probably losing their damn mind over this!!
I’m bookmarking this page for future reference and hopefully any NEW info on this.
about 8 months ago
@AlanGarou:
Download MalwareBytes’ AntiMalware (http://www.malwarebytes.org/mbam.php) and put it on a flash drive. Take the flash drive to the computer that is infected, and install the software onto that machine. Run a quick-scan. That may be able to resolve issues enough for you to get your AntiVirus software updated and run a full system scan.
about 7 months ago
Rich,
I have tried everything. The detector tool didn’t show anything. I cannot load/run malwarebytes no matter what I do. I have spent about 24 hours trying everything I know. what else can I do.
about 7 months ago
I deactivated Adobe Reader javascript and installed NoScript in Firefox.
Did a full recursive scan of C:\ with 7770finder, it didn’t find any infections but it did skip 41 files.
Tried installing malwarebytes’ tool from an external drive, but the setup script halts before finishing.
So I’m still being redirected. THis is one nasty piece of work. I’ll try installing AVG but I’m not hopeful. Could be it’s time for an XP reinstallation…
about 7 months ago
Btw I’m also getting windows-like warning popups saying various files are corrupt and I need to run Chkdsk.
about 4 months ago
I’m having a problem with the Redirect Virus, and would like to use your tool, but the zip file does not seem to exist. Is there a way to get hold of it?
about 3 months ago
The file has been removed due to the fact MalwareBytes Anti-Malware scanner picks up this infection and fixes it. You can get Malwarebytes from http://www.malwarebytes.org/
about 3 months ago
Yeah, well I have this google redirect thing on my computer and MalwareBytes, and it doesn’t remove it. This problem came after I got the AdvancedVirusRemover infection, this thing that tries to pass itself off as a virus remover, came out of nowhere while on my college’s website. MalwareBytes removed that, but this is a lingering problem that won’t go away. Of course I find this site a few days after you have removed the tool.
about 3 months ago
Hi.
PLEASE HELP!!!!!
Every time i click on a link on google i get redirected to some other site. Mainly advertising sites.
I have tried to restore my default settings on the browser, I have scanned with Malwarebytes and it found stuff and deleted it already, I have scanned with Avast anti virus and that deleted files, but the problem is still happening.
I’m not very good with computers and need help.
This is what it says in my hosts file in Notepad:
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a ‘#’ symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
To be honest I wouldn’t know if there was something wrong with that or not????? :s
I am a bit concerned with these 3 files that Avast picked up and I can’t get rid of them, they are:
kernel32.dll
winsock.dll
wsock32.dll
All in system32 folder…
Someone please help me. It happens all the time, even brings up new pages…..