Pages: 1 2 [3] 4
Author Topic: [Resolved] Google and Yahoo search engines are redirected in IE and Firefox  (Read 3360 times)
FireballMail
Bronze Member
Posts: 23
« Reply #30 on: January 14, 2009, 04:46:28 PM »

Finally back.

I ran mbam on all the different logins and all came up clean.

Was there anything interesting in the GooredfFix log I posted a few days back?
Hoov
Malware Removal Mentors
Global Moderator
Posts: 9367
Unwilling part owner of Gov't. Motors and Chrysler
« Reply #31 on: January 19, 2009, 03:40:00 PM »

Sorry I left you hanging. Somehow the e-mail message I get when you respond got misplaced.  :-[ I apologize.

The scan you had was fine. But there is one more thing to do.

Do a full Malwarebytes' Anti-Malware scan on all of your computers that are connected through the same router. When that is done, restart all of the computers, and at the same time disconnect the router from the internet and reset the router. Once the reset is done and the computers have rebooted, then reset the password on the router. Make sure it is a secure one; the longer and more complex the better.

After that, try some searches and see what happens.

Again I apologize for leaving you hanging.

If I am helping you and you don't hear from me for 24Hrs, send me a PM Please!

Be wary of strong drink. It can make you shoot at tax collectors -- and miss. 
      -From the Notebooks of Lazarus Long
      -Senior of The Howard Families
FireballMail
« Reply #32 on: January 22, 2009, 06:27:07 PM »

Hoov -

The only other "computer" that is wired into the router is an XBOX 360. Not sure if I can run an MBAM scan on that. Are they a source of infestations?

Anyhow, I followed your instructions for my main computer including changing the password used to login to the router to something long and complicated. Sadly, the searches are still redirected.

Is it possible that something got installed on this computer that simply overwrote an otherwise valid file so the scanning tools don't see it as an alien? Is the fact that Google and Yahoo are redirected but not Dogpile of any forensic use?

Very vexing for sure.

Thanks for all your help so far.
Hoov
« Reply #33 on: January 22, 2009, 06:37:52 PM »

I don't think the XBOX can be affected, but if you are not actively using it, is it possible to take it out of the LAN? Are the different users in your system set to have private files?
FireballMail
« Reply #34 on: January 22, 2009, 06:53:18 PM »

The infected computer has 4 different logins + the standard Guest login. I had my family members remove their passwords while I was scanning but at least one of them has restored their password. If having a password makes the files for a login "private" then I suppose they have private files when their passwords are in force.

All logins have search redirected for Google and Yahoo except my login where only Yahoo is redirected and Google still works (so far).

I can remove the XBOX for further tests.
Hoov
« Reply #35 on: January 23, 2009, 12:40:04 AM »

Well, if it's any consolation, you have joined a few other people with this particular problem, which has yet to find a resolution.

Do a search for the file wdmaud.sys and let me know what the results were.
FireballMail
« Reply #36 on: January 25, 2009, 10:05:39 AM »

Got a number of hits searching for wdmaud.sys. See attached file for image of search results.

I've been looking at the postings for other people with a similar problem and it seems there are many different causes. If worst comes to worst I'll have to reformat and reinstall everything. I have other junk on here that I wouldn't mind cleaning up as well!
Hoov
« Reply #37 on: January 25, 2009, 11:07:47 AM »

Have you installed any Video Codecs lately?
FireballMail
« Reply #38 on: January 25, 2009, 11:17:41 AM »

Yes. Probably within the last 6 months. Not sure exactly which one.
Hoov
« Reply #39 on: January 25, 2009, 11:29:47 AM »

Does that coincide with when the problem started?
FireballMail
« Reply #40 on: January 25, 2009, 12:02:49 PM »

No. The redirection started within the last ~6+ weeks. The codec was many months ago.
Hoov
« Reply #41 on: January 25, 2009, 12:32:25 PM »

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive% (the drive that contains the Windows directory, typically C:\SDFix).

Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer.
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually.
  • Instead of Windows loading as normal, the Advanced Options Menu should appear.
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan services and registry entries that it finds, then prompt you to press any key to reboot.
  • Press any key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt (Report.txt will also be copied to the Clipboard ready for posting back on the forum).
  • Finally, paste the contents of Report.txt back on the forum with a new HijackThis log.

Then close McAfee and do a search for something using Google and see what kind of sites it points you to. Then turn McAfee back on and do a new search and see if you are still being redirected. Let me know a couple of sites that you are redirected to, both before and after restarting McAfee.
Hoov
« Reply #42 on: January 25, 2009, 12:33:58 PM »

Also, after that, type in 209.85.171.100 and do a search from there and tell me if you are redirected.
FireballMail
« Reply #43 on: January 25, 2009, 02:23:18 PM »

1. Ran SDFix in safe mode, system rebooted and finished -   Report.txt is attached
2. Ran HiJackThis -  output attached
3. Disabled McAfee and ran Google searches, they are still redirected.
4. Enabled McAfee and ran Google searches, they are still redirected - image of redirected search is attached
5. Went directly to 209.85.171.100 (Google site) and searches are still redirected

Not sure if anything was found. Do the logs show anything interesting?
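The name-versus-IP test Hoov asked for in replies #41 and #42 separates two very different causes. If the search engine is reached by its IP address and the results are still redirected (as reported in reply #43), name resolution is not what is being tampered with: a poisoned hosts file or a changed DNS server on the PC or the router never sees a request made by IP, so the hook must sit on the machine itself (browser, Winsock/LSP, a driver or a proxy setting). The following is an added example, not code from the thread or from any of the tools named in it: it parses a Windows hosts file for search-engine entries and turns the two observations into a verdict. The hosts file text and the 192.0.2.10 target are constructed, and the list of search domains is an assumption.

```python
"""Added example (not from the SpywareHammer thread): triage helper for
search-engine redirects.  Parses a hosts file for entries that pin search
domains to an address, and combines that with the two observations from the
thread (redirect when searching by name, redirect when searching by IP) to
name the layer the redirect most likely lives in."""
import ipaddress

# Assumption: the search hosts a hijacker would most likely target.
SEARCH_DOMAINS = {
    "google.com", "www.google.com",
    "yahoo.com", "www.yahoo.com", "search.yahoo.com",
}

# Constructed sample hosts file.  192.0.2.10 is a documentation address, not
# a real redirect target.
SAMPLE_HOSTS = """
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.0.2.10      www.google.com
192.0.2.10      search.yahoo.com
127.0.0.1       www.yahoo.com      # loopback: this blocks, it does not redirect
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs, skipping comments, blanks and bad lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not a hosts entry
        for host in parts[1:]:
            entries.append((str(ip), host.lower()))
    return entries


def hosts_hijacks(text):
    """Search-engine names pinned to a non-loopback address in the hosts file.
    Loopback entries only block the site; they cannot send you elsewhere."""
    return [
        (ip, host) for ip, host in parse_hosts(text)
        if host in SEARCH_DOMAINS and not ipaddress.ip_address(ip).is_loopback
    ]


def classify_redirect(redirected_by_name, redirected_by_ip, hosts_hits):
    """Which layer is doing the redirecting?

    - redirected when the engine is reached by IP: name resolution is
      irrelevant, so the hook is on the host (browser, LSP, driver, proxy);
    - redirected by name only, with hosts-file hits: the hosts file is the
      (or a) cause;
    - redirected by name only, clean hosts file: DNS server settings on the
      PC or the router are the next thing to check.
    """
    if redirected_by_ip:
        return "in-host hook (driver/LSP/browser/proxy); DNS is not the cause"
    if redirected_by_name and hosts_hits:
        return "hosts file hijack"
    if redirected_by_name:
        return "DNS-level hijack (check DNS servers on the PC and the router)"
    return "no redirect observed"


if __name__ == "__main__":
    hits = hosts_hijacks(SAMPLE_HOSTS)
    print("hosts file hits:", hits)
    # The thread's case: redirected by name and by 209.85.171.100 alike.
    print(classify_redirect(True, True, hits))
```

The hosts file on XP lives at C:\Windows\system32\drivers\etc\hosts; feed its contents to hosts_hijacks. The verdict function deliberately ranks the by-IP observation first, because it alone rules out every DNS-side explanation at once.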
Hoov
« Reply #44 on: January 25, 2009, 02:58:26 PM »

At first blush nothing interesting. But I think I missed something earlier today.

C:\Windows\system32\wdmaud.sys

Delete it (or move/rename) and Reboot. Then check your searches again.
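On Windows XP the genuine wdmaud.sys (the WDM audio driver) is installed in C:\Windows\system32\drivers, so a file with that name sitting directly under system32, as in the post above, is a copy in the wrong place. That is the trusted-name trick FireballMail asked about in reply #32: a scanner that only looks at names, or only at the legitimate location, can miss it. The following added example (not from the thread or from any tool mentioned in it) walks a directory tree, reports every copy of a watched driver name that sits outside its expected directory, and compares each copy's SHA-256 against a known-good hash. The tree and the hashes are constructed in a temp directory so it runs anywhere; in real triage the known-good hash would come from install media or from the file's Authenticode signature (Sysinternals sigcheck) rather than an inline constant.

```python
"""Added example (not from the SpywareHammer thread): find copies of a
Windows driver file that sit outside the directory the OS ships it in, and
compare every copy against a known-good hash.  The directory tree scanned
here is constructed in a temporary directory."""
import hashlib
import os
import tempfile


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# CONSTRUCTED sample content standing in for the real driver; the hash below
# is the hash of this sample, not of any real Windows file.
LEGIT_WDMAUD = b"legitimate wdmaud.sys sample content"
KNOWN_GOOD = {"wdmaud.sys": sha256(LEGIT_WDMAUD)}

# Where Windows XP ships the file, relative to the Windows directory.
EXPECTED_DIR = {"wdmaud.sys": os.path.join("system32", "drivers")}


def audit_driver_copies(windows_dir):
    """Walk windows_dir; for every file whose name is a watched driver, record
    whether it is in the expected directory and whether its hash matches."""
    findings = []
    for dirpath, _dirs, files in os.walk(windows_dir):
        for name in files:
            key = name.lower()
            if key not in KNOWN_GOOD:
                continue
            path = os.path.join(dirpath, name)
            rel_dir = os.path.relpath(dirpath, windows_dir)
            with open(path, "rb") as fh:
                digest = sha256(fh.read())
            findings.append({
                "path": path,
                "misplaced": os.path.normcase(rel_dir)
                             != os.path.normcase(EXPECTED_DIR[key]),
                "hash_ok": digest == KNOWN_GOOD[key],
            })
    return findings


def suspicious(findings):
    """Paths worth a closer look: wrong directory or wrong hash."""
    return [f["path"] for f in findings if f["misplaced"] or not f["hash_ok"]]


def build_sample_tree():
    """Construct a fake Windows directory: the real driver in its place plus a
    same-named file dropped directly into system32 (the case in the thread)."""
    root = tempfile.mkdtemp(prefix="winroot_")
    drivers = os.path.join(root, "system32", "drivers")
    os.makedirs(drivers)
    with open(os.path.join(drivers, "wdmaud.sys"), "wb") as fh:
        fh.write(LEGIT_WDMAUD)
    with open(os.path.join(root, "system32", "wdmaud.sys"), "wb") as fh:
        fh.write(b"rogue file borrowing a trusted name")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    findings = audit_driver_copies(root)
    for f in findings:
        print(f)
    print("suspicious:", suspicious(findings))
```

Move or rename the flagged copy rather than deleting it, so it can still be hashed and submitted; the copy in system32\drivers is the one audio depends on and is left alone unless its hash also fails.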