Troublesome Google hijacking – redirects results through 7.7.7.0
So a user at the office tells me that his Google is messed up. And by messed up, I mean the results appear to be legitimate at first glance. If you look closer, the descriptions are accurate, but they link to useless, if not blatantly spammy sites. See screencap below.
This happened around mid-December and all of the usual AV tricks I tried could not find the source of the infection. The search hijacking affected multiple browsers and search engines.
Both IE and Firefox were compromised, but not Google Chrome. It also hijacked search results from Google, Yahoo, and I think MSN Live. Luckily OpenDNS’s search was clean. I made the user use these workarounds up until this afternoon.
Today I noticed that this search hijacking was running a bit slower than usual and I saw that search results were waiting on something from IP address 7.7.7.0. I searched for malware originating from that IP and came across this blog entry.
Deleting C:\windows\system32\wdmaud.sys has worked so far. The user’s search results are now clean. I recommend uploading any suspect file in C:\windows\* to VirusTotal before deleting it though. Better to be safe than sorry, especially when fiddling with the Windows system folder.
I’m now running more malware scans on the infected computer. This time using Malwarebytes in addition to SuperAntiSpyware. SuperAntiSpyware didn’t catch anything the last time I ran it, but Malwarebytes found a similar piece of malware in C:\WINDOWS\system32\sysaudio.sys, and VirusTotal confirmed it.
This piece of malware was harder than usual to diagnose because searching for “Google hijack” didn’t return any useful results. Hopefully this little post will push this Google Hijacking description a little higher up in the ranking. And kudos to the Podnutz Podcast for turning me on to Malwarebytes.
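The VirusTotal check recommended above can also be done by hash lookup; the following is an added example, not code from the original post. It lists every .sys file sitting directly in system32 with its SHA-256 and flags those that share a name with a file in system32\drivers, where the legitimate wdmaud.sys and sysaudio.sys drivers normally live. The function names and record fields are illustrative assumptions.

```python
import hashlib
import os
from pathlib import Path


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large drivers are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def stray_sys_files(system32):
    """Return one record per .sys file sitting directly in system32."""
    system32 = Path(system32)
    drivers = system32 / "drivers"
    # Index the drivers folder by lower-cased name (Windows names are case-insensitive).
    known = {}
    if drivers.is_dir():
        known = {p.name.lower(): p for p in drivers.iterdir() if p.is_file()}
    records = []
    for path in sorted(system32.iterdir()):
        if not path.is_file() or path.suffix.lower() != ".sys":
            continue
        digest = sha256_of(path)
        twin = known.get(path.name.lower())
        records.append({
            "path": str(path),
            "sha256": digest,  # look this up on VirusTotal before deleting
            "shadows_driver": twin is not None,
            # A same-named file with different content deserves the closest look.
            "differs_from_driver": twin is not None and sha256_of(twin) != digest,
        })
    return records


if __name__ == "__main__":
    # Assumes a default Windows layout; a 32-bit Python on 64-bit Windows is
    # redirected to SysWOW64, so run a 64-bit interpreter there.
    root = Path(os.environ.get("SystemRoot", r"C:\Windows")) / "System32"
    for rec in stray_sys_files(root):
        note = "  <- same name as a file in drivers" if rec["shadows_driver"] else ""
        print(rec["sha256"], rec["path"] + note)
```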

Got this one. A real pain to even work out what's going on.
Got this as well. Worse, while deleting wdmaud.sys, Webroot antivirus popped up and notified me that 'Troj/Daonol-Fam' was attempting to access the file system (as it is self-replicating). Since I'm using the trial version, Webroot suggested manually deleting a .sys file in my system volume information's _restore directory, but all attempts to locate and delete the file mentioned have failed… Thanks for all the info. From searching for the symptoms, it looks like lots of people have been hit with this recently.
Thank you so much for documenting this. I had no idea what was going on, only that Google searches were very slow.
Thank you, Kyle! You did an excellent job of describing your fix. Thank you for identifying the additional resources, too.
Thank you so much! Kaspersky wasn't catching these, I've sent them in to Kaspersky to be included in the updates! I found this by Google searching 7.7.7.0 like you.
That worked BEAUTIFULLY for me! Thanks so much for getting this out there for everyone and sharing the knowledge!
Thanks for your help!
Though I love Chrome, and it's the primary browser I use…it is not immune to this hijack. I first noticed this problem in Chrome, then saw it on Firefox and IE. The wdmaud.sys deletion (following removal of the trojan by Symantec AV) worked great, though…
Thank you so much! I was nervous about deleting the file, but it worked.
I have a slight problem.. I have these symptoms however I don't have wdmaud.sys in my system32 folder or any trace of it in the registry. I have the driver however but this cannot be deleted and I believe it is not the imposter file anyway.
Jason,
I had the same issue as you, no mdmaud.sys file in the wrong place.
I downloaded Malwarebytes' Anti-Malware. Also my IP is Rogers, so they gave me a link to their Norton-like program that can be downloaded. It caught even more than Malwarebytes. And after running a scan with those two, suddenly I got a pop up informing me that Symantec had just updated, and had detected viruses.
Long story long, I ran them all, deleted or quarantined everything, and Google no longer gives me problems. However my computer is still incredibly slow, so I'll have to take the machine in anyway. I'll update when I hear what the problem was.
I ran into the same problem on my system running Chrome this past week. I'm running AVG with the most recent updates and it has not fixed the problem. I will look for that file and see if I can work through the fix as you suggest. It is really !#%^ maddening! Aloha!