Thread: Google hijacked

  1. #1
    Join Date
    Dec 2007
    Posts
    1,263

    Google hijacked

    Yesterday, my Google was hijacked. Every time I click a Google link I am redirected to a "bad" page or shady advertising. I believe there is a well known exploit which involves a program wdmaud.drv which is misdirected to the trojan. wdmaud is normally stored in the system32\drivers directory but this exploit puts a trojan of the same name in the system32 directory. Deleting him solves the problem for about one or two searches, then wdmaud reappears and I am hijacked again. Obviously, there is another component to this I cannot find and neither can Malwarebytes, Superantispyware and McAfee.

    Anyone had any experience with this bug? So far Chrome is unaffected.
    Last edited by Veeger; 2009-Aug-04 at 03:37 AM.

  2. #2
    Join Date
    Mar 2006
    Posts
    4,031
    It definitely sounds like you've gotten a serious infection of some sort. I had something infect my computer while travelling a few weeks ago (no longer behind the company firewall). Fortunately, Spybot Search and Destroy cleaned it up. You can get a copy from Download.com.

  3. #3
    The surest way is a low level hard disk format and a re-setup of the OS.
    Other than that try Kaspersky. IMO they are the best AV (does not mean perfect) and have a 30-day trial.

  4. #4
    I say you take off and nuke the entire site from orbit. It's the only way to be sure.

    Nick

  5. #5
    Join Date
    Oct 2006
    Posts
    11,965
    I had a virus that did the whole search-redirect thing. It'd also re-direct if you tried to type in certain URLs that would have been helpful in removing said virus (i.e., blocked Microsoft's site, all major anti-virus sites, any of the better-known tech-support forums, etc).

    Man that thing was nasty. And it also liked to replicate itself into random genuine Windows file filenames, but would put them in the wrong directory. E.g., a .dll that should be in ...Windows/ directory would also show up (as the same name) in ...Windows/System32/, but the latter was part of the virus. There were also dozens of bad Registry entries that had to be manually removed.

    And if you missed one little part, the whole thing would replicate itself with different filenames and entries on the next boot.

    It was a nightmare, but finally eradicated it.

    And, though I didn't nuke it from orbit, that sounded like a reasonable option at the time.

    Good luck.
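
Added example, not part of any post in this thread: posts #1 and #5 describe malware placing a copy of a genuine Windows file name in the wrong directory. The Python check below flags that pattern by comparing a directory tree against a baseline of expected directory and SHA-256 per file name; the baseline is assumed to come from a known-clean install, and all file names, paths and contents in `demo()` are constructed placeholders.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def build_baseline(root):
    """Map lowercase file name -> (relative directory, SHA-256) for a clean tree."""
    root = Path(root)
    return {
        p.name.lower(): (p.parent.relative_to(root).as_posix().lower(), sha256(p))
        for p in root.rglob("*") if p.is_file()
    }

def find_masquerades(root, baseline):
    """Flag files that reuse a baseline name in another directory, or whose
    content differs from the baseline copy in the expected directory."""
    root = Path(root)
    findings = []
    for p in root.rglob("*"):
        entry = baseline.get(p.name.lower()) if p.is_file() else None
        if entry is None:
            continue
        expected_dir, expected_hash = entry
        rel = p.relative_to(root).as_posix()
        if p.parent.relative_to(root).as_posix().lower() != expected_dir:
            findings.append((rel, "unexpected directory"))
        elif sha256(p) != expected_hash:
            findings.append((rel, "hash mismatch"))
    return sorted(findings)

def demo():
    # Constructed sample tree: placeholder names, not real Windows files.
    with tempfile.TemporaryDirectory() as tmp:
        win = Path(tmp) / "Windows"
        (win / "System32").mkdir(parents=True)
        (win / "example.dll").write_bytes(b"genuine example")
        (win / "helper.dll").write_bytes(b"genuine helper")
        baseline = build_baseline(tmp)  # stands in for a known-clean snapshot
        # Same name as a genuine file, planted in the wrong directory.
        (win / "System32" / "example.dll").write_bytes(b"impostor")
        # Genuine location, but the content was replaced.
        (win / "helper.dll").write_bytes(b"tampered")
        return find_masquerades(tmp, baseline)

if __name__ == "__main__":
    for path, reason in demo():
        print(f"{reason}: {path}")
```

A file name that legitimately exists in several directories would need a baseline keyed on the full path rather than the bare name.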

  6. #6
    I had a virus in my computer a couple of machines ago. Ended up scrapping it for parts.

    ETA: I am surprised at the level of the expertise of the people who create these viruses. Some of them are more sophisticated and ingenious than very expensive software on the market. Makes you wonder why they don't apply their skills constructively.

  7. #7
    Join Date
    Dec 2007
    Posts
    1,263
    Quote Originally Posted by a1call View Post
    ETA: I am surprised at the level of the expertise of the people who create these viruses. Some of them are more sophisticated and ingenious than very expensive software on the market. Makes you wonder why they don't apply their skills constructively.
    I agree. These are not necessarily made by bright children. The engines are extremely clever and often complex requiring intimate knowledge of the operating system. The sad thing is, it doesn't redirect to a website that may actually pay good money for advertising. Often they are dead links or low-quality sites which makes me wonder...why bother infecting people for little return?

    ETA: I don't think this one is the well known wdmaud.sys trojan. Something else is going on and a nuke may be the only recourse.

  8. #8
    Join Date
    May 2005
    Posts
    1,810
    Malwarebytes is a great virus/trojan scanner, and it's free from: http://www.malwarebytes.org/

  9. #9
    Quote Originally Posted by Veeger View Post
    Yesterday, my google was hijacked.
    Anyone had any experience with this bug? So far Chrome is unaffected.
    Do you use IE or Firefox as your browser? (may be browser specific?)

    Does anyone have any experience with Avast? I seem to be having pretty good results with it so far - but not sure if it has had any serious challenges to deal with.

  10. #10
    I like Avast! so far, I previously preferred AVGFree, but after an incident where it wanted to update every day until I uninstalled it, it's no longer on my list of good programs.
    __________________________________________________
    Reductionist and proud of it.

    Being ignorant is not so much a shame, as being unwilling to learn. Benjamin Franklin
    Chase after the truth like all hell and you'll free yourself, even though you never touch its coat tails. Clarence Darrow
    A person who won't read has no advantage over one who can't read. Mark Twain

  11. #11
    Quote Originally Posted by HenrikOlsen View Post
    I like Avast! so far, I previously preferred AVGFree, but after an incident where it wanted to update every day until I uninstalled it, it's no longer on my list of good programs.
    Avast! updates its virus database pretty much every day too... I find that slightly annoying - but I guess it does assure it is always up to date...

  12. #12
    It wasn't updating the virus data, it was updating the program. Every day. Forcing a reboot 10 minutes after starting the day. Every day.

  13. #13
    Join Date
    Dec 2007
    Posts
    1,263
    I've had no problems yet with FF or Chrome, only IE (that alone probably says something).

    Malwarebytes did not find a thing. Neither did Superantispyware, nor McAfee.

    For some reason, I can't get Kaspersky online scanner to run. It claims I do not have the correct configuration which may be true since it is an older laptop with XP.

  14. #14
    Quote Originally Posted by HenrikOlsen View Post
    It wasn't updating the virus data, it was updating the program. Every day. Forcing a reboot 10 minutes after starting the day. Every day.
    Now that would be truly annoying....

  15. #15
    Quote Originally Posted by Veeger View Post
    I've had no problems yet with FF or Chrome, only IE (that alone probably says something).

    Malwarebytes did not find a thing. Neither did Superantispyware, nor McAfee.

    For some reason, I can't get Kaspersky online scanner to run. It claims I do not have the correct configuration which may be true since it is an older laptop with XP.
    I don't trust IE.... (long time Firefox/Netscape user...)

  16. #16
    Quote Originally Posted by Veeger View Post
    For some reason, I can't get Kaspersky online scanner to run. It claims I do not have the correct configuration which may be true since it is an older laptop with XP.
    I suggest downloading and setting up Kaspersky "Internet Security" which is the most complete package they have. I have used it to get rid of a virus no other AV could (had to make an OS install on a separate folder 1st).

    Another AV you might want to look into is ClamWin. It is open source and is very good at detecting threats but does not remove them. You will have to remove them manually.

  17. #17
    Quote Originally Posted by Nick Theodorakis View Post
    I say you take off and nuke the entire site from orbit. It's the only way to be sure.

    Nick
    He's not capable of making those types of decisions - he's just a grunt (no offense).

  18. #18
    Join Date
    Dec 2005
    Posts
    14,315
    Quote Originally Posted by Nick Theodorakis View Post
    I say you take off and nuke the entire site from orbit. It's the only way to be sure.

    Nick
    Well, one never knows when the attackers' back-up servers are located in a different country.

    Best to warp the entire planet into the sun. That'll fix 'em.

  19. #19
    Join Date
    Mar 2003
    Posts
    532
    The best thing to do imho is use HijackThis and ComboFix (after the usual MAB, antivirus checks of course).
    Antivirus is only 1 part of having a secure system these days (and imho a relatively unimportant part). Malware is by far more prevalent and most antivirus programs don't deal well (or at all in many cases) with trojans, page hijackers, worms etc.

    ComboFix will often deal with the easier to remove stuff, but in many cases it takes an expert who will want HijackThis and ComboFix logs before even starting to write a fix.

    There are many tech forums who deal with this stuff on a regular basis. I'm a regular (larrikin) on one that has one of the best on it. There are many people who owe their system's health to Ilago.
    R.I.P. Bad Astronomy

  20. #20
    Quote:
    Originally Posted by Nick Theodorakis
    I say you take off and nuke the entire site from orbit. It's the only way to be sure.

    Nick

    Well, one never knows when the attackers' back-up servers are located in a different country.

    Best to warp the entire planet into the sun. That'll fix 'em.
    Hehe, I believe his quote was in reference to dialogue from "Aliens" (as was my reply). I thought everyone would have picked up on it. But since not everyone did, obviously, I feel the need to explain my reply as I'm new here and I don't want the mods to think I was calling someone names.

    My reply..
    He's not capable of making those types of decisions - he's just a grunt (no offense).
    was also from Aliens - same scene as where Nick posted the "I say you take off and nuke the entire site from orbit. It's the only way to be sure." part (where they were deciding how to kill the Aliens and they had just lost their commanding officer, Hicks had just stepped up to take charge).

  21. #21
    At work we use Malwarebytes and AVG, together they seem to catch everything.
    Rules For Posting To This Board
    All Moderation in Purple

  22. #22
    Join Date
    Dec 2007
    Posts
    1,263
    The demon reared his head today and installed a program which continually claims my machine is infected, and just click here and well...

    At the same time, it installed some files in my system\32 folder and then redirected my .exe files to it. It was effectively screening all of the programs I was running. When I deleted these files, my ability to run .exe files was destroyed. I didn't realize at the time that deleting the malware would break my system so badly. It's not easy trying to solve problems when you can't run any programs. Fortunately, I figured out a way around it, and launched a virus scan. Long story short, I finally have my system back and in the course of repairing it (without nukes), my IE Google links seem to be working again.
