Google Search Results Redirecting

Help, I have a redirecting demon on Google search!

When I do a Google search it lists the results as usual, but when I click on the item shown as a result of that search, I get redirected to ad sites.

I’ve scanned with NIS 2009, online scans with Trend Micro, kap, etc. I’ve also downed the latest version of Lavasoft Ad-Aware and scanned for adware. Nothing has been found.

I guess I need to download Hijack or something like it to find the culprit?

If so I’ll need instructions on where to download the latest version as well as instructions on how to run it and what is actually the malware/adware found, etc.

Thank you for your much needed help.

It sounds like you may have encountered the 7.7.7.0 redirect.  Please research this at the following links to determine if this is your issue, and, if so, what steps you can take to remedy the problem.  I have read that Malwarebytes can possibly detect this, so I would advise running that first before attempting any other fixes.

 

http://www.dslreports.com/forum/r21704795-Browser-Redirect-to-7770-interesting

 

http://chronicle.com/forums/index.php?topic=56480.0

 

http://www.andydidyk.com/2009/01/04/7770-google-redirect-virus-alert/

Yep, please download Malwarebytes and run a full scan.

Hi Itsme:

 

The link to find the download for Hijackthis is here: http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download

 

Three options are there. Choose the executable one. Once it is downloaded, click Run > do a system scan and log file. Save the file in Notepad to copy & paste.

Before Running Anti-Virus Scans:

 

01. Update the Product.

 

02. Dis-connect from the Internet.

 

03. Re-Start in Safe Mode (optional, un-less instructed to do so).

 

04. Run the Scan.

 

05. If in Safe Mode and you are thinking of doing a Scan in Normal Mode as well right after the one in S.M. has Completed, please Re-Start in to Normal Mode and do not connect to the Internet un-til this N.M.-Scan has been Completed.

 

___________________________________________________________________________________

 

Please do a Full System Scan in Safe Mode with Malwarebytes' of all Drives, then, this should be followed up by a Full Scan in Normal Mode. 

 

 

Malwarebytes' Anti-Malware for Windows: http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?tag=contentBody;mostPopTwoColWrap.

 

How to Start Your Computer in to Safe Mode: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam.

 

First of all, thanks to all of your help on this issue!

Here's what has been happening...

I went to the first links and  checked out the information about the 7  Trojan/hijacker.

The gist of this was about finding and removing C:\Windows\System32\wdmaud.sys, or other similar wdmaud files (but be sure to remove only the "fake" one). Make sure you do NOT delete the file at C:\Windows\System32\drivers\wdmaud.sys by mistake. That's a legitimate file.

In my particular situation the files weren't found where they were mentioned in some others.
The legitimate files were supposed to be driver files that were 23k or more with the "fake files" being some system files that were like 16k etc.

I ran a search and found 22 files with wdmaud in them.
I looked at 2 out of three on the list that were supposed to be in system 32 (I found 2 of them) and on properties they were either a driver file that was 23k or the system files that were like 80k! And both appeared to be from Microsoft or a legit source!
I could see many of them installed in service pack.


Another thing, all of the files listed in the search were files that were not new (as this Trojan is)!
On the list they ranged from a last modified date of 2004 up to a date of April 2007. The Trojan is supposed to be a new one just out around Christmas time.

So from that information I was afraid that I would erase legitimate files and make things a lot worse so I let it go.

The next thing I did was download the latest Malwarebytes program and update it.

I then scanned in safe mode.
To my surprise it found some files. All the latest: NIS 2009, Trend Micro, Ad-Aware, Spysweeper, as well as online scans with Trend Micro and kap found nothing!


I then did another scan out of safe mode as well as some others the next day after updating again and found nothing else.

Although it says it deleted them, it really only put the infected files in quarantine.

So far my browsers seem to be working without being hijacked...

Now here's the second part of the problem...

I have in the past quarantined some files that were listed as spyware in the registry, then deleting them after a length of time with the results being that I couldn't reboot my computer no matter what I did.
I had the Dell tech department trying every way possible including discs, DOS commands, restore, etc.

I had to end up using Dell system restore and having to reinstall programs, update Windows, lose data, etc., from the date the 2002 Windows XP Pro was installed.


Almost three weeks of hell with DSL.

So I don't want to make the same mistake again.

I want to make sure that it's safe to delete these files from my registry, that they won't take some "good" files with them.

I'm listing the results of the log and hoping that I can delete them without a problem:

Malwarebytes' Anti-Malware 1.34
Database version: 1851
Windows 5.1.2600 Service Pack 3

3/15/2009 10:02:28 AM
mbam-log-2009-03-15 (10-02-28).txt

Scan type: Full Scan (A:\|C:\|D:\|E:\|F:\|)
Objects scanned: 128681
Time elapsed: 20 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{4e524163-8d00-46f3-b239-1f42d48c8ed0} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Hijack.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Hijack.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\bgyndxs.wrs (Trojan.Daonol) -> Quarantined and deleted successfully.

Thanks again.

P.S. - I read elsewhere that some people are having it just  reappear in the same place after they delete this particular Trojan.
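As an added example (not part of the original post and not Malwarebytes' own tooling), this Python parser reads the log format shown above, lists each detection with the action taken, and checks that every summary count matches the number of entries actually listed before anything is purged from quarantine. The function names `parse_mbam_log` and `mismatches` are assumptions made for this example; the sample is an excerpt of the log in the post.

```python
import re

# Excerpt of the Malwarebytes' Anti-Malware 1.34 log posted above (empty sections omitted).
SAMPLE_LOG = r"""
Registry Keys Infected: 2
Registry Data Items Infected: 2
Files Infected: 1

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{4e524163-8d00-46f3-b239-1f42d48c8ed0} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Hijack.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Hijack.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\bgyndxs.wrs (Trojan.Daonol) -> Quarantined and deleted successfully.
"""

COUNT = re.compile(r"^(?P<section>.+ Infected): (?P<n>\d+)$")    # summary line
HEADER = re.compile(r"^(?P<section>.+ Infected):$")              # detail section header
ENTRY = re.compile(r"^(?P<item>.+?) \((?P<name>[\w.]+)\) -> (?P<rest>.+)$")

def parse_mbam_log(text):
    """Return (summary counts, detections grouped by section)."""
    counts, found, section = {}, {}, None
    for line in (l.strip() for l in text.splitlines()):
        if m := COUNT.match(line):
            counts[m["section"]] = int(m["n"])
        elif m := HEADER.match(line):
            section = m["section"]
            found.setdefault(section, [])
        elif section and (m := ENTRY.match(line)):
            # Data items carry a "Bad: (x) Good: (y)" field before the action.
            steps = [s.strip() for s in m["rest"].split("->")]
            found[section].append({"item": m["item"], "detection": m["name"],
                                   "value_reset": steps[0] if len(steps) > 1 else None,
                                   "action": steps[-1].rstrip(".")})
    return counts, found

def mismatches(counts, found):
    """Sections whose summary count differs from the number of entries listed."""
    return {s: (n, len(found.get(s, []))) for s, n in counts.items()
            if n != len(found.get(s, []))}
```

An empty result from `mismatches` means every counted detection has a matching entry, so the per-item list can be reviewed with confidence that nothing was dropped when the log was copied.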

 

 

 

 

You can delete the entries in the Malwarebytes Quarantine.

 

There are legit files with the name starting with "wdmaud" like sound drivers.

 

You could try SuperAntispyware Free; update the definitions before doing a full scan.

 

Quads 

itsme,

 

Good to hear you appear to have been able to cure this without thrashing around in your system files. I believe this type of malware is constantly changing and the new infected files may not always be the same ones reported earlier, or you simply may have gotten an entirely new virus. Items in quarantine are inactive so any effects of them no longer being present on your system should be immediately apparent. That being said, they cannot do any harm either, so keeping them in quarantine for an indefinite period of time is fine. In fact, that is the whole point of quarantine. Keep them until you feel confident that your system has suffered no ill effects from their removal.

Hi all:

 

Thanks again for your help.

Quads, I realized that those files were audio driver files as read elsewhere. I didn't know if the system files next to them were legit or not. Those system files were larger than the others that people were claiming might have been "fake files" and all were dated from 2004 to April 2007, etc.

Since the Trojan is a recent one  and the files seemed to be legit, I  didn't  mess with the system files  in question.

I saw the names of the Trojans  next to the registry keys but because of my last experience  I was still  a bit afraid to delete them!

But thanks for your advice, I did go ahead and delete them.

So far my browsers are not being hijacked and it also fixed the problem of me not being able to use a regedit command to view my registry!

Now I would like to make sure everything is clean by using the superspyware program that you mentioned. I take it you mean the free one from http://www.superantispyware.com/download.html?

If I can verify that I'm clean I then need to get a download somewhere for NIS 2009 version 16.2 and perhaps an uninstaller tool to completely get rid of my version (NIS 2009 16.0.0.125) that I just installed off of my NIS 2009 disc that I just purchased last week and received on Friday.

Many thanks to all.

Update:

I scanned with SuperAntiSpyWare Free Edition  and it found my system to be clean other than removing a bunch of cookies.

Before I could uninstall and download NIS 2009 version 16.2, it installed version 16.5.0.135 on my update.

My Browsers seem to be operating without being hijacked now.
Also, I can use a command in run to view my registry keys as well.

I want to take this opportunity to thank SendofJive, Stu, delphinium, Floating_Red and Quads for all of your help.

Take Care

Did you un-install N.I.S. or, once you got the Update, decided not to un-install and re-install?  You currently have 16.5.0.135 and everything is Running okay?

 

And you're Welcome!

Floating_Red,

No, I didn't install and reinstall the update.

I usually like to do a clean install by uninstalling the old program first.
This includes getting it out of the applications files in some cases, as well as removing anything on the add and remove files, shortcuts, even the prefetch.

I've had less problems with  my programs by doing such.
Let me give you just one example...

I was running Webroot Spysweeper and the one week they came out with a new build.
I uninstalled and installed the new build as per normal.

Less than a week later webroot came out with a new build. I called to inquire and found out that many people were having a problem with the new build. The people that did a clean install had no problems, it was just the ones that updated the new build without doing so that were having the problems.

And it's been the same with some other software in the past.

But being that the new version has already installed and I'm having no problems with it and it's using no more resources, I'm leaving it alone.

If it ain't broke, don't fix it!

Take Care