Computer Help forum

General discussion

I think my computer is getting hijacked.

by Bloodyleaf / December 25, 2008 10:10 AM PST

I suspect that my computer is being hi-jacked because every time I search something on "Google" it would give me the wrong result. For example when I search youtube, it would give me results such as freescan.antivirus.com/youtube. Do you think my computer's getting hi-jacked? Should I post a HijackThis log?

Do you have spyware antivirus
by prose036 / December 25, 2008 10:27 AM PST
A Couple More Good Free Antispyware Tools..
by Grif Thomas Forum moderator / December 25, 2008 12:16 PM PST

Please try the steps below:

On a friend or family member's computer, download the Malwarebytes installer and update files from the links below, copy them to a CD or flash drive, then transfer the files to the problem machine and use them.. I use the sites below to download the installer file and the manual updater:

Once downloaded and before transferring them to the problem machine, rename the program installer "mbam-setup.exe" file to something else like "Gogetum.exe", then copy the installer file and the update file to a CD or flash drive.. Transfer the file to the problem machine, then install the "Gogetum.exe" file, then run the update to get the program current.. After that, run a full system scan and delete anything it finds.

Malwarebytes Installer Download Link (Clicking on the links below will immediately start the download dialogue window.)
http://www.besttechie.net/tools/mbam-setup.exe

Malwarebytes Manual Updater link
http://www.malwarebytes.org/mbam/database/mbam-rules.exe

Next, download the SuperAntispyware program and the manual updater from the links below. After running the Malwarebytes tool above, if you still can't download and install it directly from the problem machine, download it on a friend or family member's computer as well:

SuperAntispyware
http://www.superantispyware.com/

SuperAntispyware Manual Updater
http://www.superantispyware.com/definitions.html
____________

In a few situations, in order for the program to run, it was also necessary to rename the main "mbam.exe" file after installing it.. It resides in the C:\Program Files\Malwarebytes Antimalware folder.

Hope this helps and let us know more.

Grif

still not working
by Bloodyleaf / December 26, 2008 4:08 AM PST
Looks Like A Yahoo Search Problem..
by Grif Thomas Forum moderator / December 26, 2008 10:52 AM PST

Did you try using Google.com to do the searches from? Do the same redirected websites show up from the link below:

http://www.google.com/

More importantly, what did the malware scans find, if anything? Have you tried re-running the scans repeatedly, in "Safe Mode", to see if it will get rid of any remnants of malware?

Hope this helps.

Grif

Exactly the same problem here.
by astidkalis / December 28, 2008 11:57 AM PST

And also on MSN.com but not on Yahoo!
Moreover I can't do a Windows Update through Internet Explorer. However, everything works fine in Windows Explorer! (In the search panel: view->explorer bar->search and then search the internet).

I've been working on this and I think I'm getting somewhere: I've noticed that if you delete the following registry key and all its content (export the key and all its content first to put it back!):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility

The problem with the search disappears (you have to restart the browser). However, of course, you also lose all the functionality of the ActiveXs, like flash and Windows update.

Restored the registry key and the problem is back, as expected.

Now you would think that the problem is with one of the numerous subkeys: Tried deleting them all (by editing the reg file, not manually!) keeping just the main key (i.e ActiveX Compatibility with its empty default value) and the problem remains, as if IExplorer is just looking for the presence of the key to continue or not with the hack or other ActiveXs.

That's where I'm at now. I'll keep working on it later. More to follow I hope. Reply if you find something.

BTW I did try to disable all the ActiveXs and it didn't work.


--Never Reinstall!

FOUND IT!
by astidkalis / December 29, 2008 4:07 PM PST

C:/Windows/system32/wdmaud.sys

Delete it (or move/rename) and Reboot.

Be Careful On That One..
by Grif Thomas Forum moderator / December 30, 2008 12:58 AM PST
In reply to: FOUND IT!

Although that particular driver file can be malware, it is also a legitimate Microsoft file. The legitimate file should be located in the "C:\Windows\System32\drivers" directory which is different from the location where you found it. Obviously, a legitimate "wdmaud.sys" file doesn't belong in the System32 folder as you've discovered.. Just a link or two below:

http://www.file.net/process/wdmaud.sys.html

http://www.dynamiclink.nl/htmfiles/rframes/info_sys/info_w/31.htm

Others should confirm the location of the problem file. It might be beneficial to run a test first by disabling the wdmaud.sys process/service to verify that it's causing the problem. Obviously, it's taken care of your problem but it may not be a universal solution for all. Good find..

Hope this helps.

Grif
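
The location check described in the post above can be done read-only before anything is deleted or renamed. The PowerShell below is an added example, not part of the original thread; it assumes PowerShell 4.0 or later (for `Get-FileHash`) and looks only at the two paths named in the posts.

```powershell
# Added example: read-only inspection of the two wdmaud.sys locations
# discussed in the thread. Nothing is deleted, moved or renamed.
$sys32 = Join-Path $env:SystemRoot 'System32'
$candidates = @(
    [pscustomobject]@{ Path = (Join-Path $sys32 'drivers\wdmaud.sys'); Expected = $true  }
    [pscustomobject]@{ Path = (Join-Path $sys32 'wdmaud.sys');         Expected = $false }
)

$report = foreach ($c in $candidates) {
    # -Force so hidden/system attributes do not hide the file from the check
    $f   = Get-Item -LiteralPath $c.Path -Force -ErrorAction SilentlyContinue
    $sig = if ($f) { Get-AuthenticodeSignature -FilePath $f.FullName }

    [pscustomobject]@{
        Path             = $c.Path
        Present          = [bool]$f
        ExpectedLocation = $c.Expected
        SignatureStatus  = if ($sig) { $sig.Status }
        Signer           = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject }
        Company          = if ($f) { $f.VersionInfo.CompanyName }
        SHA256           = if ($f) { (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash }
        LastWriteUtc     = if ($f) { $f.LastWriteTimeUtc }
        Attributes       = if ($f) { $f.Attributes }
    }
}

$report | Format-List

# A copy directly under System32 is the case the thread treats as suspicious.
$report | Where-Object { $_.Present -and -not $_.ExpectedLocation } |
    ForEach-Object { Write-Warning "wdmaud.sys found outside the drivers folder: $($_.Path)" }
```

Comparing the hash, signer and version information of a System32 copy against the copy in drivers gives more to go on than the file name alone; on older PowerShell versions catalog-signed Windows drivers can report NotSigned, so that status by itself does not mark a file as malicious.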

re: C:/Windows/system32/wdmaud
by siouxsy / January 22, 2012 11:36 AM PST

Was having issue with Google and Yahoo search results getting diverted to other SPAM sites. Spyware and virus protection could not find/repair the exact issue.

Removing the wdmaud file seemed to work for me too.

Same problem issue returned
by siouxsy / January 23, 2012 7:46 AM PST

Still having an issue with Google search results being redirected to SPAM sites.
The wdmaud file has been replicated and replaced. Now unable to access my Calendar tab from my Gmail account.
Noticed this file also appears in the System32 folder on another computer. Removing wdmaud may not help.

After all the other trojans that were found, may need to reboot and reinstall programs on this XP computer, as seemingly unable to find the problem issue.

Worked for me too
by robotewa / December 31, 2008 11:16 AM PST
In reply to: FOUND IT!

astidkalis's instructions fixed the problem for me too.

Find C:/Windows/system32/wdmaud.sys

Delete it (or move/rename) and Reboot.
