| | #1 |
| Advanced Warrior War Room Member Join Date: Jun 2008 Location: United Kingdom.
Posts: 963
Thanks: 870
Thanked 111 Times in 92 Posts
|
Hi Warriors, I know this is off topic, but is anyone else getting re-directed to different sites when clicking on the Warrior Forum at the top of Google search? If anyone has a spare few seconds just do a Google search for the Warrior Forum and click through. I don't know if this is just me or if it affects everyone. -Paul |
| "Almost all absurdity of conduct arises from the imitation of those whom we cannot resemble" -Samuel Johnson | |
| | |
| | #3 |
| Advanced Warrior War Room Member Join Date: Jun 2008 Location: United Kingdom.
Posts: 963
Thanks: 870
Thanked 111 Times in 92 Posts
|
OK, it's not just the Warrior Forum, so it looks like it might be just me. Does anyone know what would cause me to get re-directed to affiliate sites when clicking on any and every search result on Google? -Paul |
| | |
| | #4 |
| Marketing Mum War Room Member Join Date: Mar 2007 Location: Somewhere In-Between Manic Mondays
Posts: 253
Thanks: 176
Thanked 34 Times in 22 Posts
|
Sounds like you've got a browser hijacker. Run your anti-virus and a malware remover - should fix it. HTH |
| ~Jes Coolbaugh Video Marketing Power Holiday Offer Only $10! Includes Video Landing Page Templates! veni, addidicī, vici. | |
| | |
| | #5 |
| HyperActive Warrior War Room Member Join Date: Sep 2007 Location: New Jersey, USA
Posts: 161
Thanks: 86
Thanked 30 Times in 15 Posts
|
Paul, I have been experiencing this also with any result from a Google search. I am not that tech savvy, but I believe it is caused by a virus/bug type of script on my system. I cannot find it and quarantine or remove it. I have run some spy remover and virus scans but no luck. Maybe someone with more tech knowledge can help. Kevin |
| "Individually, we are one drop of water. Together, we are an ocean." Together we can make a difference. Please help to save Kim Winfrey by making a donation. | |
| | |
| | #6 |
| Advanced Warrior War Room Member Join Date: Jun 2008 Location: United Kingdom.
Posts: 963
Thanks: 870
Thanked 111 Times in 92 Posts
| |
| | |
| | #7 |
| HyperActive Warrior War Room Member Join Date: Aug 2005 Location: , Mi , USA.
Posts: 157
Thanks: 76
Thanked 8 Times in 5 Posts
|
I had this problem a while back and I don't know if your problem is the same... If so, basically, if when your search results are loading you see "7.7.7.0" in your browser's status bar, you need to browse to your C:/Windows/system32/wdmaud.sys and delete that file. You still need to run the antivirus programs to get rid of the Trojan that started the problem (and possibly downloaded other goodies on your PC), but deleting this file did the trick for me. But check out a post here on the forum that HeySal did... she had the same problem if memory serves me correctly. Hope that helps. Carol |
| “I must create a system or be enslaved by another man’s.” W.Blake | |
| | |
| | #8 |
| The Nature Lady War Room Member Join Date: Nov 2004 Location: , , USA.
Posts: 4,099
Thanks: 2,673
Thanked 3,194 Times in 1,753 Posts
|
Yes, it's the C:/Windows/system32/wdmaud.sys and only AVAST and AVG (AGV?) can find it - and they don't remove it - you have to get it yourself. Go to your start menu and click search - Search all files and folders for: C:/Windows/system32/wdmaud.sys - it is approximately 22Kb - delete it. Important -- do not remove the REAL file, which is: C:/Windows/system32/driver/wdmaud.sys - this file is approximately 76Kb. There is also a redirect virus that hits the audio system - I will look the URL of that virus up if anyone needs it - I've got it on bookmark somewhere. These viruses are dangerous as they open up holes in other areas of your computer so that they can get back in later or let other stuff in on top of it (such as root kits). IMPORTANT: After deleting these viruses - check your firewall. It can unhook them from your start menu. You will either have to start it manually or just uninstall and reinstall it - that's one of the holes it makes for itself. There is another circulating with these that are JS redirects and many people's websites are getting hacked and viruses installed. If this happens to you - please check EVERYTHING when putting your site back together - the hacker will drill security holes all over and paste up fake java codes all over, too - a fake yahoo counter is a usual piece of fake code on this one. Have fun - my partner is fixing thousands of pages as I type - took him forever just to plug enough holes to keep him out so he could start fixing damage. |
| | |
| | |
| | #9 |
| Advanced Warrior War Room Member Join Date: Jun 2008 Location: United Kingdom.
Posts: 963
Thanks: 870
Thanked 111 Times in 92 Posts
|
Thanks for the info Sal & Carol. I have found 3 of those files containing C:\Windows\system32\ however they end in their own unique names. My McAfee software found them but cannot remove them as you said. The problem now is I can't find the files anywhere through searching. Looks like the only thing left to do is throw it out the window. -Paul |
| | |
| | #10 |
| Cranky Old Man War Room Member Join Date: Jul 2002 Location: Virginia,USA.
Posts: 1,255
Blog Entries: 1 Thanks: 2,079
Thanked 2,011 Times in 1,144 Posts
|
Try this program: Malwarebytes.org. If that doesn't fix it, try this one: SUPERAntiSpyware.com - AntiAdware, AntiSpyware, AntiMalware! I actually removed Superantispyware after fixing my problem, but you don't need to, was just my preference. |
| | |
| | |
| | #11 |
| The Nature Lady War Room Member Join Date: Nov 2004 Location: , , USA.
Posts: 4,099
Thanks: 2,673
Thanked 3,194 Times in 1,753 Posts
|
These things were new when I dealt with them. Sounds like they are "improving" them. I'd love to see the guys that are unleashing these things get shot. There's no excuse for someone with that kind of tech know-how to be so stupidly evil. |
| | |
| | |
| | #12 | |
| HyperActive Warrior War Room Member Join Date: Aug 2005 Location: , Mi , USA.
Posts: 157
Thanks: 76
Thanked 8 Times in 5 Posts
|
HeySal Quote:
lately and I thought it was just maybe time to replace them... but after reading this I may have another virus that wasn't/hasn't been caught... darn, this stuff is rapidly getting old. Thanks in advance HeySal Carol | |
| | |
| | #13 |
| The Nature Lady War Room Member Join Date: Nov 2004 Location: , , USA.
Posts: 4,099
Thanks: 2,673
Thanked 3,194 Times in 1,753 Posts
|
There are a few variants of these things - they get through by mimicking real files. Once in, some of them will act as trojans and cut holes in your security to let in root kits. These are extremely lethal and obnoxious and it's a good idea to run a registry check after removing them to make sure you don't have any holes cut into anything. I had to just replace my Comodo because even though it still "appeared" to be connected to my start menu, it was not. If you aren't sure if you are removing the correct files - toss them in your trash bin where you can retrieve the good file if you accidentally dump it - you'll have problems if you did but they will be different from redirect problems. The file for the search engine hijack is sysaudio.sys (which is actually a DLL), infiltrated into the %sysdir% folder (system32 folder). Note - do NOT confuse this one with the legitimate sysaudio.sys file which is present in the %sysdir%\drivers folder!!! So don't delete the legitimate %sysdir%\drivers\sysaudio.sys file! The loading point for the fake sysaudio.sys is under the HKLM\software\microsoft\windows nt\currentversion\drivers32 key with value and valuedata: "aux"="sysaudio.sys" or "aux2"="sysaudio.sys". Legitimate valuedata for "aux" should be wdmaud.drv or mmdrv.dll or ctwdm32.dll (there could be more). Other files the fake sysaudio.sys may use are divx.nls or ntnet.drv, which is also present in the %sysdir% folder. This is old news, so who knows what variations are out there now. |
| | |
| | |
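The location and registry checks described in posts #8 and #13 above, as an added example that is not part of any poster's reply. The function names and the sample data are assumptions made for illustration; the file names, folders and "aux" values are the ones quoted in the thread.

```python
# Added example: triage helper built only from the indicators quoted in this thread.
import ntpath

# Values the thread lists as legitimate for "aux" (the poster notes there could be more).
KNOWN_GOOD_AUX = {"wdmaud.drv", "mmdrv.dll", "ctwdm32.dll"}
# Driver names the thread says belong in system32\drivers, not directly in system32.
DRIVERS_ONLY = {"wdmaud.sys", "sysaudio.sys"}
# Helper files the thread associates with the fake sysaudio.sys.
HELPER_FILES = {"divx.nls", "ntnet.drv"}


def check_drivers32(values):
    """Flag aux/aux2-style values of the Drivers32 key that are not known-good."""
    findings = []
    for name, data in sorted(values.items()):
        if name.lower().startswith("aux") and data.lower() not in KNOWN_GOOD_AUX:
            findings.append(f"Drivers32 {name}={data}: not in known-good list, review")
    return findings


def check_files(paths, sysdir=r"C:\Windows\system32"):
    """Flag driver-named files sitting directly in sysdir, plus the helper files.

    Location is checked rather than size, since the posters saw the size change.
    """
    findings = []
    for path in paths:
        folder, fname = ntpath.split(ntpath.normpath(path))
        if folder.lower() != sysdir.lower():
            continue  # e.g. system32\drivers\wdmaud.sys is the legitimate copy
        if fname.lower() in DRIVERS_ONLY:
            findings.append(f"{path}: driver name outside \\drivers, likely impostor")
        elif fname.lower() in HELPER_FILES:
            findings.append(f"{path}: helper file named in the thread")
    return findings


# Constructed sample input (not taken from a real machine).
SAMPLE_VALUES = {"aux": "wdmaud.drv", "aux2": "sysaudio.sys", "midi": "wdmaud.drv"}
SAMPLE_PATHS = [
    r"C:\Windows\system32\drivers\wdmaud.sys",
    r"C:\Windows\system32\wdmaud.sys",
    r"C:\Windows\System32\ntnet.drv",
]

if __name__ == "__main__":
    for line in check_drivers32(SAMPLE_VALUES) + check_files(SAMPLE_PATHS):
        print(line)
```

On a live Windows system the values dictionary can be filled from the Drivers32 key with the standard-library winreg module, and the path list from a directory listing taken in safe mode or from a rescue disk.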
| | #14 |
| HyperActive Warrior War Room Member Join Date: Sep 2007 Location: New Jersey, USA
Posts: 161
Thanks: 86
Thanked 30 Times in 15 Posts
|
Sal, I found the file C:/Windows/system32/wdmaud.sys at 23.0 KB. I am unable to delete it. Not authorized, though it's my personal computer. Kim, I have the Malwarebytes removal but that didn't find it. I will try the second program you recommended. Thank you both, Kevin |
| | |
| | #15 |
| Advanced Warrior War Room Member Join Date: Jun 2008 Location: United Kingdom.
Posts: 963
Thanks: 870
Thanked 111 Times in 92 Posts
|
After spending a few more hours trying to figure out what's going on I think I have a good overview of all the problems now. The unwanted files that hijacked my browser also disabled my anti-virus software for a limited time and allowed a rootkit in. The rootkit seems to have cloaked or hidden the unwanted files so I can't get to them manually, corrupted some other files and made it so I cannot even restore the system. The rootkit has been deleted but the damage it did along with the unwanted files are still present. Kim, I will have to try your suggestions. Thanks. -Paul |
| | |
| | #16 |
| Cranky Old Man War Room Member Join Date: Jul 2002 Location: Virginia,USA.
Posts: 1,255
Blog Entries: 1 Thanks: 2,079
Thanked 2,011 Times in 1,144 Posts
|
Kevin, Get to the task manager and look at the processes that are running. See if you can find wdmaud.sys, if so, end task. Then try to delete it again. Also, you might have best results if you do this in safe mode. You might also need to use a program like this: UNLOCKER 1.8.7 BY CEDRICK 'NITCH' COLLOMB If you still can't get it, feel free to PM me. |
| | |
| | |
| | #17 |
| The Nature Lady War Room Member Join Date: Nov 2004 Location: , , USA.
Posts: 4,099
Thanks: 2,673
Thanked 3,194 Times in 1,753 Posts
|
Holy Crap, Paul - that's what I was afraid of.........the first time I encountered this virus it was 21KB - I deleted it but it got back in. The second time it was at 22KB. Someone is upgrading it furiously. It hasn't been able to get back in on me since I got it off the second time - and I was on it too quick for it to do any other damage and I noticed the dead zone it created in my firewall right away and just did a reinstall and an immunization. Turn off your DCOM - just google "turn off dcom" and it will take you straight to the DCOMbobulator - also try xpanti-spy and turn off everything that you can without interrupting your browsing and work. All those little Microsoft spytoys (like remote help) are nothing but holes for crap to seep in through. What did you use to delete the root-kit? Sophos? I have Sophos but not sure if it works against this or not. Hearing a lot of people complaining that they had to totally replace their hard drives. |
| | |
| | |
| | #18 |
| HyperActive Warrior War Room Member Join Date: Mar 2007 Location: Scotland.
Posts: 151
Blog Entries: 1 Thanks: 400
Thanked 19 Times in 13 Posts
|
Try ComboFix - download it, rename it, disable all firewalls, antivirus then run it, but perhaps post in a tech forum first so you can get specific help. Also download HijackThis so you can post a log if you need to. Try these free tech help forums but post a new thread, don't add to an existing one and someone there will help you. Search engine redirect 209.85.171.79 virus New virus redirector 209.85.171.79 - Hardware Canucks http://www.theeldergeek.com/forum/in...iew=getnewpost Google Redirecting Problem! |
| UK Affiliate Programs : Recommended UK affiliate programs and networks. Kiva.org : Support an entrepreneur and change lives! | |
| | |
| | #19 |
| Cranky Old Bald Guy War Room Member Join Date: Dec 2007 Location: Florida , USA.
Posts: 459
Thanks: 300
Thanked 280 Times in 177 Posts
|
Nice job Sal. I had something odd happen a while ago and it's not exactly a part of this but it just shows how this internet thing is changing. I relisted an item on Craigslist. Fifteen minutes later I got an email (AOL address) asking if the item was still available. I thought it was a little odd to get a question like that so quickly but I hit reply and said that it was. Within minutes my throwaway Gmail address was under attack. I had it locked and as far as I can tell nothing got in here but it was a bit scary. I'm not sure what tried to get in here but something did. I'm moving all my junk email to the junk computer. I don't remember how I turned on the lock on my Gmail accounts but there was a thread in here about a month ago that told how to do it. Tom |
| When you hear someone telling you what YOU can't do, they are usually talking about what THEY can't do. | |
| | |
| | #20 |
| HyperActive Warrior War Room Member Join Date: Mar 2007 Location: Scotland.
Posts: 151
Blog Entries: 1 Thanks: 400
Thanked 19 Times in 13 Posts
|
By the way instructions for Combofix are here: A guide and tutorial on using ComboFix Someone on another forum suggested that this product solved the problem: Prevx CSI - FREE Malware Scanner It charges £10 to remove the infected files. |
| | |
| | #21 |
| Cranky Old Man War Room Member Join Date: Jul 2002 Location: Virginia,USA.
Posts: 1,255
Blog Entries: 1 Thanks: 2,079
Thanked 2,011 Times in 1,144 Posts
|
Thanks for the mention of ComboFix. I have used it in the past and it worked when others didn't. I had forgotten all about it. |
| | |
| | |
| | #22 |
| Advanced Warrior War Room Member Join Date: Jun 2008 Location: United Kingdom.
Posts: 963
Thanks: 870
Thanked 111 Times in 92 Posts
|
Thanks for your input everyone. Now I know what this is, it should be easier and quicker to deal with in the future. It was a shock that after 2+ years doing business online that I know so little about my own security, but lesson learned. P.S. I sure would like to find the source and show them my deep appreciation of their efforts. -Paul |
| | |