New Google Hijack threat:


Hi guys,

First post, but I have used this product to solve literally dozens of problems. I work at a University and browsing is pretty wide open ("Academic Freedom").

I figure it was time to give back a bit and start letting you guys know some stuff I find. This week I found a newer Google Hijack you folks might or might not be aware of.

Malwarebytes engine version 1.32 with database version 1628 did not find any problems, but neither did a slew of other scanners.

The symptom: Users are calling in and when they attempt a search in IE or Firefox, there is a slight delay, and the user is given bad URLs. You can see the browser getting redirected to 7.7.7.0

I ran several scans; aside from some low level cookies everything seemed fine. I ran HijackThis and found a few helpers and 'file missing' DLLs that were suspicious, but the problem remained.

Finally in C:\Windows\system32\wdmaud.sys (NOT wdmaud.drv)

This finally seems to have fixed the problem. Sorry I don't have the file date, the user was very impatient and wanted his laptop back. I have other users with similar problems (probably VUNDO related). I will update... I'm rushed at the moment but hopefully this helps.

Thanks.

Oops, no 'edit' button?

I should clarify (rushing too much. lol)

Finally in C:\Windows\system32\wdmaud.sys (NOT wdmaud.drv)

I had to delete this file and so far the browsers have returned to normal search function. FYI, it seemed to only affect Google. Other search engines were fine.

Hello.

Please read and follow the instructions provided here: Pre- HJT Post Instructions

When ready please post your logs here: Malware Removal - HijackThis Logs

Someone will be happy to assist you further with cleaning your system.

During this scan and cleanup process you should not install any other software unless requested to do so.

Please don't post your log in this topic or start another thread in this forum, but post them in the Malware Removal - HijackThis Logs forum linked to above. :D

Google was hijacked for me as well. I ended up discovering that it only happened on my user profile on my computer, not my wife's. So I went back on mine and took a look at the ActiveX add-ons in IE7. There was one called "research" that had no info on it, so I disabled it and my searches were ok again......

  • 1 month later...

The wdmaud.sys fix is working for me; however, might I also suggest surfing the sites listed, finding the "contact us" section and informing them of the situation? Also letting them know that you are contacting the Better Business Bureau might cause them to raise holy Heck from their end (nothing like Government intervention/oversight to make someone wanna go to the bathroom really fast). Oh, and go ahead and look at the advertisements on the linked-to sites and inform them of what's going on as well. :D

  • Staff
Hi and welcome to the forums.

That is a rootkit which has been around for several months now. It also uses sysaudio.sys

See below:

http://miekiemoes.blogspot.com/2008/10/fak...archengine.html

I know AVG free kicks this sucker out in the first few minutes of scanning. Used it twice myself.

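A small triage helper for the indicators this thread mentions, added here as an example and not code from the thread or from Malwarebytes. It flags wdmaud.sys or sysaudio.sys sitting directly in system32 (the location the thread describes) and log lines pointing at 7.7.7.0; the assumption that legitimate copies of both driver names live under system32\drivers, so those are not flagged, is the author's, not something the thread states.

```python
import ntpath
from typing import Iterable, List

# Indicator file names reported in this thread. Assumption (author's knowledge,
# not stated in the thread): wdmaud.sys and sysaudio.sys are also the names of
# legitimate Windows audio drivers that live under system32\drivers, so only a
# copy whose parent directory is system32 itself is flagged.
ROGUE_DRIVER_NAMES = {"wdmaud.sys", "sysaudio.sys"}
REDIRECT_IP = "7.7.7.0"  # address the thread saw browsers redirected to


def rogue_driver_paths(paths: Iterable[str]) -> List[str]:
    """Return paths that place an indicator file name directly in system32.

    `paths` is any listing of full Windows paths (a directory walk, a
    HijackThis log, an inventory export); matching is case-insensitive.
    """
    hits = []
    for p in paths:
        d, name = ntpath.split(p)
        if name.lower() not in ROGUE_DRIVER_NAMES:
            continue
        # ...\system32\drivers\wdmaud.sys is the expected location; a copy one
        # level up, in system32 itself, is what this thread describes.
        if ntpath.basename(d).lower() == "system32":
            hits.append(p)
    return hits


def redirect_hits(log_lines: Iterable[str]) -> List[str]:
    """Return whitespace-separated log lines with the redirect IP as a field."""
    return [line for line in log_lines if REDIRECT_IP in line.split()]


# Constructed sample input; not taken from any machine in the thread.
SAMPLE_PATHS = [
    r"C:\Windows\system32\wdmaud.drv",          # legitimate user-mode audio DLL
    r"C:\Windows\system32\drivers\wdmaud.sys",  # legitimate kernel driver
    r"C:\Windows\system32\wdmaud.sys",          # rogue copy, as in this thread
    r"C:\Windows\system32\SYSAUDIO.SYS",        # rogue copy, different case
]
SAMPLE_LOG = [
    "2009-01-20 10:01:02 host1 GET 209.85.0.1 www.google.com 200",
    "2009-01-20 10:01:03 host1 GET 7.7.7.0 www.google.com 302",
]

if __name__ == "__main__":
    print(rogue_driver_paths(SAMPLE_PATHS))
    print(redirect_hits(SAMPLE_LOG))
```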