7.7.7.0 Google Redirect Virus Alert
January 4th, 2009 by Andy Didyk
There is a particularly nasty virus out there that is very new, and so there isn’t a lot out there that has been written about it. I just wasted my entire Sunday trying to clear our home computer of it, and I finally think I’ve found a solution, so I thought I would post it here. My symptoms were that whenever I would search for anything in Google, MSN, or Yahoo, the results would appear as normal, except that all of the links were redirected to bogus spam sites.
As it turns out, I had some sort of Trojan Downloader, which had jumped on the web and infected my system with all kinds of nasty stuff. Most of it was easy to clear with some of my favorite (and FREE!) antivirus and anti-spyware software (AVG Free, Spybot Search & Destroy, and Zone Alarm).
However, even after the Trojan (which, when you think about it, is a misnomer because the Greeks built the Trojan horse, not the Trojans) was cleared, the search results remained the same. Because this is so new, a lot of the forums online don’t have solutions posted yet. Late this evening some started showing up, so I’ll post the solution that worked for me.
I found it here, amidst some bantering about Linux vs. Mac vs. Windows. Basically, if you see “7.7.7.0” in your browser’s status bar while your search results are loading, you need to browse to your C:/Windows/system32/wdmaud.sys and delete the file. You still need to run the antivirus programs to get rid of the Trojan that started the problem (and possibly downloaded other goodies on your PC), but deleting this file did the trick for me.
I really hope that helps someone out there, and I’m grateful to all of the altruistic techies out there who work to make the internet a slightly safer place.
Oh, and Happy New Year!
This entry was posted on Sunday, January 4th, 2009 at 10:14 pm and is filed under blogging, misc.
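An added example, not part of the original post: a read-only Python check that lists every wdmaud.* file under a Windows directory (the live one, or a disk mounted offline on another machine) and labels it using only the rules reported in the post and the comments below. The names `triage`, `classify` and `child_ci`, the verdict labels and the default path are assumptions of this example.

```python
"""Read-only triage of wdmaud.* files under a Windows directory."""
import os
import sys
from pathlib import Path

# The rules restate what the post and its commenters report; they are not
# vendor documentation. Nothing is deleted or modified by this script.
SUSPECT = "SUSPECT"  # wdmaud.sys directly in system32: the file the post removes
KEEP = "KEEP"        # locations commenters identify as the real driver files
REVIEW = "REVIEW"    # any other wdmaud.* file: inspect by hand


def child_ci(parent, name):
    """Return the sub-directory of `parent` named `name`, ignoring case.

    Case-insensitive lookup matters when the Windows volume is mounted on a
    case-sensitive file system for offline inspection.
    """
    if not parent.is_dir():
        return None
    for entry in parent.iterdir():
        if entry.name.lower() == name.lower() and entry.is_dir():
            return entry
    return None


def classify(in_drivers, ext):
    """Map (location, extension) to a verdict.

    - wdmaud.sys in system32\\drivers: reported as the real driver (about 82 KB)
    - wdmaud.sys in system32 itself:  reported as the impostor (14 to 21 KB)
    - wdmaud.drv in system32:         audio driver; deleting it cost people sound
    """
    if ext == ".sys":
        return KEEP if in_drivers else SUSPECT
    if ext == ".drv" and not in_drivers:
        return KEEP
    return REVIEW


def triage(windows_root):
    """Return [(verdict, path, size_in_bytes), ...] for every wdmaud.* file
    found in system32 and system32\\drivers under `windows_root`."""
    findings = []
    system32 = child_ci(Path(windows_root), "system32")
    if system32 is None:
        return findings
    locations = [(system32, False)]
    drivers = child_ci(system32, "drivers")
    if drivers is not None:
        locations.append((drivers, True))
    for directory, in_drivers in locations:
        for entry in sorted(directory.iterdir()):
            stem, ext = os.path.splitext(entry.name.lower())
            if stem == "wdmaud" and entry.is_file():
                verdict = classify(in_drivers, ext)
                findings.append((verdict, entry, entry.stat().st_size))
    return findings


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else r"C:\Windows"
    for verdict, path, size in triage(root):
        # Size is printed so a KEEP file can be compared with the sizes
        # commenters report; location alone does not prove a file is genuine.
        print(f"{verdict:8} {size / 1024:7.1f} KB  {path}")
```

Where possible, run it against an offline-mounted copy of the disk: AVG labelled this file a rootkit, and several commenters could not see it from the running system.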
January 5th, 2009 at 12:23 am
Thank you so much! I stayed up all night trying to get this virus off my laptop yesterday, and none of the scanning programs found it.
What a pain in the butt! I appreciate you posting how you solved this.
January 5th, 2009 at 12:37 am
You are very welcome. I was hoping I could at least help someone else. I wasted an entire Sunday (the last day of vacation!) getting this thing taken care of. Hopefully we can spread the word.
January 5th, 2009 at 3:28 pm
Thanks Andy!
Since this page appears on the second page of Google (which for me is unaffected), this was perfect.
In case anyone else is wondering what wdmaud.sys is before deleting it, it is a driver which SHOULD be in the “drivers” folder in the same directory and be about 82kb. So, feel free to delete the impostor! That one was only 16kb.
January 5th, 2009 at 5:41 pm
First of all, thank you for providing the solution! I went to the system32 folder and found out that I have TWO wdmaud files (one is system file and the other is driver). I was able to delete the system file easily but when I tried to delete the driver file (23 kb, so I assume it’s not the right one that Grateful mentioned), it says “access is denied.” So do I have to find a way to delete this file to ensure that my computer is clean? Please advise. Thanks!
January 5th, 2009 at 7:49 pm
Thanks for the post! I have the same question as Beagle…second wdmaud file…cannot delete, access denied. Please reply!
Thank you
January 5th, 2009 at 9:05 pm
Well I’m on Windows XP Professional x64 Edition. No file wdmaud.sys in the c:\windows\system32 dir. I did find a 14 KB version in the c:\windows\SysWOW64 folder. Deleting it did not help.
I keep digging, just found this 2 hours ago and only a handful of sites / pages / postings on it. I’m in web development for a living, I can definitely identify the sneaky way they are using 7.7.7.0 to hijack google’s results for paid ones. Man I hope their upstream kicks them hard for this.
January 5th, 2009 at 10:24 pm
Well, I’m hardly an IT professional, but I was only able to delete my file AFTER running several scans of AVG Free, Spybot, Ad-Aware 2008 Free, and MalwareBytes in both regular start up and safe mode. So maybe you still have a virus that is preventing you from deleting it. Another option is that you could try to delete the file from Safe Mode (by restarting your computer and hitting F8 repeatedly until it gives you the option to start in safe mode). I had to run those programs multiple times and they all found something different.
Also, I forgot this earlier, spybot had to be updated manually (by downloading the updates file to another computer and transferring it on a thumb drive) because the virus wouldn’t allow it to update. I would DEFINITELY recommend disconnecting your computer from the internet while dealing with this thing.
As for Andrew (on the 64 bit OS), like I said, I’m not an IT expert, just an ordinary person who happened to have dealt with this virus successfully. I don’t really know what to recommend, but I will say this: Don’t give up! Don’t let the hacker win. You can get rid of it eventually. Good luck!
January 5th, 2009 at 11:26 pm
I tried entering into the system through Safe Mode and it worked!! I don’t have any wdmaud files in my system32 folder now. Thanks! Let’s hope this nasty thing doesn’t come back!
January 5th, 2009 at 11:44 pm
That’s great news. I hope more people are able to get rid of this thing and stop having to waste their time fixing it. Good luck everyone!
January 6th, 2009 at 1:43 am
Uh oh! I just restarted my computer and there’s no sound (when I clicked on volume control, it says, “There’re no active mixer devices available”). I am afraid the last wdmaud file that I deleted was a legitimate sound/audio driver file! Where/how can I get it back? Please help!
January 6th, 2009 at 10:50 am
Beagle, sorry to hear about that. The easiest way to get this back is to find another computer that isn’t infected, copy the file, and then place it in the same directory. That should solve the problem.
January 6th, 2009 at 5:16 pm
Thank you thank you thank you. What a good deed!
January 7th, 2009 at 6:40 am
Deleting the wdmaud.sys file does the trick. The other wdmaud-file i.e. the wdmaud.drv does not have to be deleted to get rid of the problem. I actually assume that it is required for either graphics card or volume control to work.
In any case, thanks for the tip. It saved me a lot of work.
January 7th, 2009 at 10:36 am
Thanks for this. It really worked.
January 7th, 2009 at 11:02 am
How in the world were you able to dig this file out? How did you find it? I have a computer at work that had this Google redirect, however Spybot, Ad-Aware, and Malwarebytes did not detect it. Your solution did work by the way. The main problem is figuring out as well how it got on there in the first place.
January 8th, 2009 at 12:08 am
Thank you thank you thank you! I spent DAYS trying to figure out where this silly thing was hiding. Several virus scans, spyware and malware scans (at least 2 of each) turned up NOTHING. I figured a temporary fix on Firefox by blocking the 7.7.7.0 site but once I deleted the file you listed and restarted the problem was fixed.
I don’t know how you found this file but a few of my friends have turned up this same problem since the new year and I will be sure to pass this along.
January 8th, 2009 at 12:04 pm
Thanks Andy! I didn’t even have a problem with a trojan. It was the craziest thing. Nothing ever happened to indicate a problem with a virus. Symantec AV with current definitions never detected anything. Windows Defender never detected anything. It’s been ages since I’ve even needed to use other programs, but I downloaded Adaware and Spybot S&D and they came up dry. I tried Malwarebytes. Nothing. I tried Kaspersky’s online AV (turning off SAV while it ran). Nothing.
The only symptom I had was the search engine redirects (I noticed it with Google since that’s all I ever use, but I tried other search engines to see if the problem replicated–which it did). There was literally nothing wrong with my machine that I or the half dozen of anti-malware applications could detect. The only issue was the search engine redirect.
So following your advice I deleted the wdmaud.sys file and the problem is gone. I still have no idea how I got the infection (or when, there was nothing in the event log indicating anything had happened). It’s clearly too new for any AV or anti-malware to be able to detect it. Thanks again.
January 8th, 2009 at 12:30 pm
You’re welcome to everyone. Thanks for your comments and I’m glad this little blog can help so many people get an evening back =).
January 9th, 2009 at 7:02 pm
Good work! Saved me a bunch of time…
January 10th, 2009 at 12:30 am
By the way, if you have the 2008 version of Trend Micro Internet Security installed on your computer, perform a full system scan and you should be able to remove these nasty Trojans.
January 10th, 2009 at 2:54 am
Dude, if I were a woman, I’d marry you.
I just spent like 6 hours in a drunken haze wondering why every damn google search came up with a link to monstermarket.com WTF.
Then I noticed 7.7.7.0 at the bottom and thought that was odd. So I went to another computer and googled that, and sure enough, there you were, like a knight in shining armor.
Your source saved me from spending an excruciating 12 hours posting Hijack this logs to geekstogo.com. Maybe Tag this post with “Monstermarket” so more people can find it, because this helped out so much.
I deleted the file while in safe mode and deleted the corresponding registry key at HKLM\software\microsoft\windows nt\currentversion\drivers32 and everything works like a charm.
January 10th, 2009 at 10:36 am
Nice!!! I was losing my mind on this one.
January 10th, 2009 at 11:30 am
Ohhh darn! It’s coming back! I deleted the wdmaud.sys file a while ago (see previous posts) and when I googled today the 7.7.7.0. showed up again! I went back into the system32 folder and didn’t see the file. Any ideas on what I can do? Thanks!
January 10th, 2009 at 1:24 pm
Scott, glad I can help. And I am happily married, although I appreciate your honesty that you are in fact a dude.
Beagle, that sounds really frustrating. What I would do is delete the registry key (go to start, click “run” and type “regedit.exe” to pull up a registry editor) according to Scott’s suggestion and see if that helps. Several people in this thread have suggested some different virus programs that may help solve the root of the problem.
Make sure you disconnect your computer fully from the Internet before you attempt a repair, and then run scans with the programs mentioned above. I had to do this several times, including in Safe Mode, in order to eradicate the threat. Hang in there…this is a real bugger!
January 10th, 2009 at 1:28 pm
Ok guys, I’ve been fighting with this one for the last 24 hours! and finally seem to have gotten rid of it. My biggest problem was that any helpful site on the internet was being blocked or not found by the URL seeker. After searching for a techy site that would load for me I found this link
http://www.bullguard.com/forum/12/Google-and-Yahoo-redirect-and-_68426.html
I followed the first step given by “touch” and lo and behold! My Malwarebytes opened.
It seems like the virus has some sort of block against known antispyware programs that can remove it. The key is to rename it, so very simple! Then the Program will open, run its scan and ask for a restart. I restarted, checked google and it works!
Hopefully it will not re-occur! who knows.
I’m no genius when it comes to computers, I just followed the instructions given by Touch and my problem was solved.
I highly recommend that if you are still having trouble you register with bullguard.com and ask for help in the spyware section.
Thank you for the concerted efforts of everyone who has contributed!
January 10th, 2009 at 1:53 pm
I went to find the registry key that Scott suggested in HKLM\software\microsoft\windows nt\currentversion\drivers32 but didn’t see anything suspicious there.
Josh, I went to the forum you listed. Did you have to download Malwarebytes and install Combofix to solve the problem?
Any other suggestions would be greatly appreciated. Thanks!
January 10th, 2009 at 2:04 pm
Beagle, I have both installed but the problem was fixed after doing the malwarebytes scan + a prompted restart.
It may not be the same for everyone and you may have to do a combofix scan too. Fingers crossed yours is sorted as easy as mine! Good luck!
January 11th, 2009 at 12:55 pm
Funny to join this community of 27 with identical story of my own weekend
a post elsewhere indicates that disabling Javascript is a temporary fix
and that Kaspersky anti-virus is currently only software with this definition
thanks very much!
January 11th, 2009 at 4:09 pm
I ran Malwarebytes and restarted my computer. When I did a google search, I could still see the 7.7.7.0 showing up on my status bar, but the results look normal (i.e., all the links seem to be going to the right places). Does that mean that I still have the virus, but it is not functioning?
January 12th, 2009 at 12:06 am
Hey dude, your instructions helped save us! I deleted wdmaud.drv too by mistake and then my sound did not work. So I found this website ( http://www.afreedrv.com ) to download a new copy of it at and now everything works, sound and google searches work right. Thanks again! Peace! Erik, http://www.madebyhippies.com
January 12th, 2009 at 11:49 pm
Thanks for the fix Andy!
I have another problem, am not sure whether it is a related problem. The font size of all the text on google pages, gmail and yahoo has suddenly changed. I could not find a good fix for this. Does anyone have this problem? or know a fix for it?
January 12th, 2009 at 11:57 pm
Again the problem is showing up[:(]
Can somebody tell me which key to delete from HKLM\software\microsoft\windows nt\currentversion\drivers32 ??
January 13th, 2009 at 12:01 am
As soon as I delete it, when I search for the wdmaud.sys it’s right there.
January 13th, 2009 at 12:57 pm
Ben,
In any browser, just hit CTL + or CTL – to change your font size. I hope that helps.
To everyone else, I must reiterate that I’m not an IT professional, just a regular guy who found a fix for me. I’m in the business of writing about consumerism and online marketing, but I hope if you’ve been affected with this virus that this post can help.
January 13th, 2009 at 10:08 pm
THANK YOU!!
You are amazing, I’ve been set back with this ass-kicker for about 2 weeks now and Ask really doesn’t cut it for me as a search engine
Should I block the IP 7.7.7.0? because it still shows up but the searches are as normal.
January 13th, 2009 at 10:27 pm
uh oh. I had one successful search and now I’m back to square one. Also I can’t find the directory mentioned in regedit. I am running Windows XP media Centre edition
January 16th, 2009 at 12:59 pm
THANK YOU! Your solution worked perfectly. It didn’t work after deleting file until I restarted my computer, then there were no more search problems.
January 19th, 2009 at 3:20 pm
[...] Fed up, I do a search for the results “7.7.7.0” and find the answer to my prayers at Andy Didyk’s blog. Can’t thank him [...]
January 19th, 2009 at 5:56 pm
I just recently got an alert from avast antivirus that it found C:\WINDOWS\system32\wdmaud.sys as a trojan…. but I did actually notice that my Google links were spam during the past couple weeks. I didn’t think anything of it.
I tried deleting it like you said here (which is the only thing I’ve done to rid of it since I knew of it), but my computer won’t let me. Any ideas on what I can do?
January 19th, 2009 at 6:54 pm
Nice work. I found this article after my IT guy would not believe what I was telling him. After fixing it myself I sent him a link to the article. You guys who know what you’re doing are awesome.
Frustrated engineer
January 20th, 2009 at 3:11 am
Holy hell man! Great solve.
I deleted the file specified and things look gravy for the time being. At first, I thought this was the Google.goored redirect BS, but decided to do a 7.7.7.0 search via Google in Safari which was not affected on the PC. IE7 and FF were both struck.
In addition to simply deleting the file, MBA-M (Malwarebytes) and Adaware by Lavasoft both got a run at it, but Andy wins!
January 21st, 2009 at 6:37 am
Hi,
Yesterday I noticed that my google was looking a little different to usual (shopping, images, web etc. tabs are underneath the logo rather than along the top left).
When I search it returns rubbish results, if I search for facebook I’ll get some blackberry phone thing as my top number one hit!! When I click on the results they open in a new window (never happened before & not set up to open in a new window), half the time I might get the page and the other half I get some advertising crap. Is this the same thing you guys are experiencing?! I don’t know what to do
Please help!!
January 21st, 2009 at 8:36 pm
thx Andy. removed the file and the regedit entry, restarted and haven’t had a recurrence of the problem. it’s been 3 days since i implemented your fix.
January 22nd, 2009 at 6:45 am
I had two computers infected with this. With the first computer, I ran system restore, and the problem went away. Now I can’t find the wdmaud.sys file on this computer.
However, on the other computer that had the problem, I found the file and deleted it, and search works again! Thanks!
January 23rd, 2009 at 1:16 pm
Wow, that couldn’t have been easier. Thank you so much.
January 24th, 2009 at 8:21 pm
That worked. Had the 7.7.7.0 thing. Searched on google, found this site, deleted the file, end of 7.7.7.0 thing and spam search results. Thanks.
January 25th, 2009 at 6:43 am
I too was able to repair this browser redirecting problem with a mere deletion from DOS in recovery mode. However, I was concerned to find that the file did not have the correct creation date–my normal, relatively quick, method for removing malware is to manually do so in DOS by checking the time the file was created and researching all file names that share creation dates with the time that I began having problems. This is rather unsettling…
January 25th, 2009 at 4:55 pm
Great job on eliminating the 7.7.7.0 virus. It was really annoying. Thanks for the help.
January 26th, 2009 at 11:23 pm
Basically, I got rid of the wdmaud file in system32 (there were actually like 5 copies of it, and I took them all out). It solved the problem except that I lost sound capability, which is OK, I can fix that. But I still haven’t gotten a clear response as to which registry value I have to delete to complete the cleanup. I know it’s located in HKLM\software\microsoft\windows nt\currentversion\drivers32, but which entry is it in there? There is no entry called wdmaud in that folder, and I don’t know what to do. Somebody else has asked this earlier, but I didn’t see it answered, and I think it needs to be answered because it’s kind of important. Thank you very much Andy for providing me with the solution, u da man.
January 27th, 2009 at 4:02 am
thanks a million andy. your advice worked great. for those who can tell the difference between the two files. just go to tools/folder options/view tab and uncheck hide extension for known files and also hide protected system files
click apply. now look for the wdmaud.sys file then delete it. leave the .drv alone. now go back to the folder option and check back what you unchecked then you’re done.
January 28th, 2009 at 12:25 am
I got this nasty thing today. I downloaded Spybot and AdAware but still no help. I have tried to follow your directions but I am confused. I found 5 files. Which ones should I get rid of?
Windows\Driver cache\i386
Windows\I386\sp2.cab
Windows\system32\drivers
Windows\Driver Cache\I386\sp2.cab
Windows\SoftwareDistribution\dd9ab55
I have spent all afternoon on this before finding this site. Thanks for any help!
January 28th, 2009 at 4:13 am
Thanks Andy!
I deleted wdmaud.sys and the problem is gone.
Also, I created a new wdmaud.sys in notepad. (i.e. open notepad and type gibberish, then save as wdmaud.sys in c:\windows\system32). I’m betting the script that places the file there doesn’t have error catching to allow file overwrites. Why should it? there shouldn’t be a file there with that exact name unless the system is already infected. If it does reappear, I’ll just delete it again. (thanks to Andy)
All: leave your wdmaud.drv alone, deleting it is why people are losing sound.
The reason the creeps use wdmaud.whatever is because wdmaud.drv is a valid file and they can hide their file right next to it without suspicion.
Thanks again!
January 28th, 2009 at 10:15 am
Sandra,
You only need to delete one file to make this nasty virus go away:
C:/Windows/system32/wdmaud.sys
If you can’t find that file, then I’m not sure what might be wrong with your system. Try doing a search for just that file, or browse directly to that folder and look very hard for it. If you still can’t find it, look at your Folder Options and make sure the folders are set to “Display Hidden Files or Folders” so that way you can see the file if it’s been hidden.
Good Luck!
January 31st, 2009 at 1:40 pm
Andy Didyk,
I followed your instructions and deleted the file at C:\Windows\system32\wdmaud.sys but was still having the problem. Then I found the files at both C:\Windows\I386\sp2.cab and C:\Windows\Driver Cache\I386\sp2.cab. All three were 16.1MB so I created new folders on my desktop and moved the last two there so if I made a mistake, I could move them back. This seems to have solved the problem. Everything is working great.
Thanks for your help, AL
February 1st, 2009 at 1:55 pm
thanks mate... god I tried everything and was nearly giving up to do a full format... now after a whole weekend is gone I can finally live again... well I drink this next glass of wine for your health, thanks andy
February 3rd, 2009 at 9:17 pm
Had the same trouble with Google & MSN being hijacked. AVG & Spybot picked up random cookies but nothing that fixed the hijack!
I searched & searched [on defected search engines] to find any reference. Dogpile was the only one unaffected & popped up with your helpful info!
E-mailed the contents of your original message to AVG to see if they could help me get this &^%$ thing off my machine. Got a generic response e-mail yesterday from them.
WELL!!!! Today, 1st thing on my daily AVG Scan…. BINGO! There was the reference to WDMAUD & tonight AVG caught 2 files labeled “Trojan Horse Rootkit – Agent.DA”. AVG removed them & hopefully this is the end of this!!
I think you may have played a major role in getting this info/help out to folks that could do something about it! Thanks SO much for taking the time to put the info out there for the rest of us!!
February 4th, 2009 at 12:05 am
Thanks for the info, deleting said file worked like a charm. however, any idea on where this virus comes from, because just as quickly as I delete it, it comes back an hour later. Spybot, adaware and avg does not recognize or block it, so i’m having to constantly look in my system32 folder which is a huge hassle. Thanks
February 5th, 2009 at 10:47 am
Andy…
You are a lifesaver.
fyi: This intrusion is so nasty it kept replicating itself even as I deleted the file(s),
Can you say Andromeda Strain?
Thanks so much for your diligence.
February 5th, 2009 at 11:16 pm
Thank you so much for posting this! It worked like a charm for my computer (at least so far). This nasty virus kept downloading all sorts of things to my computer in addition to ruining my Google searches. What a pain! I’m so thankful I found this post!
February 6th, 2009 at 2:13 pm
Perhaps a little more info to help with identifying the correct file:
The one I deleted was found in C:\windows\system32, had a size of 21.0KB and came up with description of “Miekiemoes rules” when I hovered over it. The description was blank, however, in the file properties.
February 7th, 2009 at 11:34 pm
Andy -
I appreciate the post, it at least identified the problem file. some of the users finding this post on non-infected searches might notice that when deleting the file it simply returns. This means that you have a trojan virus downloading it, unplug your pc from the internet and try again. once the file is erased run your anti-virus software.
you might try installing a third-party firewall program like Zone Alarm as well.
February 8th, 2009 at 11:43 pm
Thanks SOOOOO much for that! I spent the better part of this weekend trying to fix that darn bug before running across your post.
February 9th, 2009 at 8:55 am
I also found the file at C:\Windows\I386\sp2.cab. When I right click to delete the file, I am not given a choice to delete — only to copy or extract the file. Now what do I do? I am so glad I found this forum as I too have been trying to find the fix for days!
February 9th, 2009 at 4:21 pm
same problem here starting 3 days ago and besides redirecting google searches to ad sites most commonly “coupon mountain” perhaps the more disturbing problem (same or different virus I don’t know) is that after logging in to any email or myspace etc account the page goes blank and then logs me in after a refresh but the page looks slightly different, something’s not right. Definitely think that in addition to redirecting google this thing is logging information typed into the browser like passwords. None of the spy sweeper or mcafee or AVG or kaspersky etc are fixing this. I’ve been to a bunch of different blogs saying look for this file or that one or try this software or that one, all not working. and i guess the creators of this stuff would monitor or host these pages to learn how people are dealing with it or who is dealing with it so why am i posting here ? lol but looks like the viral guys are outdoing the viral protection guys to me.
February 10th, 2009 at 2:02 am
Andy –
Well done, sir – good fix! To re-iterate and clarify some of the comments above: After reading these posts thoroughly, I restarted my computer in safe mode (without network), deleted the wdmaud.sys file (the system file), and left the wdmaud driver file alone. I then immediately ran a virus scan, THEN restarted the computer and the problem is gone. Don’t take shortcuts! Thanks Andy!
February 10th, 2009 at 5:21 am
Hi All,
I have wdmaud, but no .sys suffix. It says it is a device driver and I have the 82k version under the real driver directory. This wdmaud file is under system32 and is about 23kb, I renamed it, but it regenerated and I cannot delete it.
Any ideas?
February 10th, 2009 at 11:31 pm
Thank you SO much for this… I was wondering while the hell EVERY search result I got was stupid ads… and I was a little suspicious of that “7.7.7.0” in the loading after a while…
Hate those people that make viruses like this.. do they seriously have nothing better to do?
February 10th, 2009 at 11:33 pm
I was wondering WHY*… <_< Sorry, typo.
February 11th, 2009 at 2:21 pm
Recently found myself in the 7.7.7.0 quagmire of browser redirects. After finally finding this forum I located the suspicious file in C:\WINDOWS\system32\wdmaud. There were two files with this name. As pptitian26 said in a February 6th post, as I hovered my mouse over one file it said DESCRIPTION: Miekiemoes rules FILE VERSION: 5.1.2700.2170 DATE CREATED: 8-26-2008 7:50 am SIZE: 21.5k. I deleted it, restarted my computer and so far everything is back to normal.
February 13th, 2009 at 6:33 pm
Hi everybody. After deleting the wdmaud.sys one it was just getting back when running a new google search.
I fixed it though, and in quite a surprising and elegant (as much as lucky) fashion. I just removed the wdmaud.sys related entry in the registry key HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603.
It works perfectly even though, amazingly, wdmaud.sys is still there, now harmless.
Thank you Andy for finding out and letting us know what the evil file was. Sure you were not expecting to host such a huge forum in your blog, but… doesn’t it feel great to be an accidental hero?
February 15th, 2009 at 10:27 pm
Accidental hero…I like that. No, I typically write about marketing, photography, and the occasional rant about consumerism in general. But I’m truly happy that I could help so many people. It’s nice to know that one person’s suffering can cut short someone else’s.
February 17th, 2009 at 9:20 am
Great…guys. that has worked
disconnect the net. run antivirus to be on safe side and delete that wdmaud.sys file only, not the driver file..that has worked ..thanks to this forum and ANdydyk ….cheers
February 18th, 2009 at 2:14 am
thank you so much! I hope it doesn’t come back. but search in your C: Windows\system32 file and look for wdmaud one will be the driver and the other will say like mieoke rules. delete that bad boy..and hopefully it won’t come back!!
February 18th, 2009 at 3:57 am
YOU ARE THE BEST…YOU ARE THE MAN!!!
February 18th, 2009 at 3:08 pm
Another grateful computer user (me!) adds thanks for posting this on your blog. I’m going to write to Jack Scofield, the IT pundit at The Guardian, and suggest he awards you a “Well Done, Chap!” award in his weekly (Thursday, IT section) column.
Again … THANKYOU!
Colin
February 19th, 2009 at 3:49 pm
You are a LIFE SAVER. I spent an entire work day trying to fix this. I had already removed all of the virus/trojan junk, but this one file eluded me. I am in your debt, sir.
February 20th, 2009 at 5:43 am
I’m about to go check my system for these issues, haven’t noticed having the problems you Guys/Gals are..
BUT for deleting horrible things that won’t delete as they are in use by another process..
There is a free tool called “Unlocker” we found it in google few years back and it has enabled us to kill/unlock/delete many files in the past without the need to go into safe mode. if it can’t delete the thing you’re trying to remove instantly it gives you the option to have it removed on the next reboot.
awesome tool I recommend it to anyone and everyone!
how to use it.. simple once you install it, right click on the offending file and select “unlocker” the options are in front of you.. job done!
someone posted about “hijackthis logs” there’s a site called w*w.hijackthis.de then save it to your fav’s list. you can post your log into a self service window and get your results.
very handy if you don’t want to wait for replies,
but if you get seriously stuck they also offer the service like other forums do.
post the log and wait for advice.
sorry for blabbing on but these tips may really help people.
Andy Didyk, ty for your findings, you will save many people hassle..
2 thumbs up from me!
March 1st, 2009 at 4:12 am
any thoughts on how to proceed if I cannot find the wdmaud.sys file. I have a feeling that my av found it and tried to fix it. When I restarted all hell broke loose. Now I can’t even get my computer to boot windows half the time! tried installing malwarebytes, but the darn thing won’t let me run the setup. Any thoughts?
Thanks!
March 20th, 2009 at 7:59 pm
Thanks a lot for your solution. However it looks like I had a slightly different version of the virus which was affecting my computer in the same way. It turns out the infected file was gaopdxorefidfs.sys in the drivers file of system32. I managed to finally find it using malwarebytes’ anti-malware.
If you see the gaopdxorefidfs.sys file at all, I would suggest running malwarebytes first to identify any other files which may be associated with this virus rather than attempting to just delete it.
Hope this helps anyone still having problems!
March 30th, 2009 at 6:53 pm
I just wanted to tell you how much I appreciated this article. I spent an entire weekend looking for this little monster and couldn’t find it with any of my malware or virus scans. I even ran a duplicate files program and didn’t peg it.
Fixed me right up and I’m saving this page.
Thank you so much
April 3rd, 2009 at 9:13 pm
As Mike (two posts above me) said, there’s a different kind running around right now. It’s an annoying problem. To help, scan the computer for just “gaop” (highly unlikely you’d have another file with that name), and make SURE you check hidden files and folders AND System folders, and delete anything with “gaop”, usually followed by lots and lots of letters. I hope this helps anyone. Another hint: I don’t know if it’ll remove the adware (’cause that’s really all that it is) but it’ll remove the Google redirecting. I hope this helps many more people searching for a solution.
AVG people, make sure to go to scan settings and add Rootkits to scan (was informed by a friend).
April 3rd, 2009 at 9:19 pm
Another note: just searching your computer might not be able to find it, neither normally. I don’t know what to suggest to find it.
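The search described in the two comments above (look for “gaop”-named files, including hidden and system ones), written out as a read-only PowerShell check; this is an added example, not something a commenter posted. It assumes Windows PowerShell 5.1 or later and an elevated prompt, and the name patterns are the file names reported in this thread.

```powershell
# Added example: read-only inventory. It lists and inspects files; it never
# deletes or renames anything.
$sys32 = Join-Path $env:SystemRoot 'System32'
$dirs  = @($sys32, (Join-Path $sys32 'drivers'))

# File names reported by commenters in this thread. wdmaud.* and atapi.sys also
# exist as legitimate Windows files, so a match means "inspect", not "infected".
$patterns = @('gaop*', 'wdmaud*', 'windrv.sys', 'atapi.sys')

$hits = foreach ($dir in $dirs) {
    foreach ($pattern in $patterns) {
        # -Force makes Get-ChildItem include hidden and system files.
        Get-ChildItem -LiteralPath $dir -Filter $pattern -Force -File `
            -ErrorAction SilentlyContinue
    }
}

$report = foreach ($file in $hits) {
    $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName
    $hash = Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256 `
                -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Path       = $file.FullName
        Attributes = $file.Attributes
        Modified   = $file.LastWriteTime
        Signature  = $sig.Status   # Valid, NotSigned, HashMismatch, ...
        Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        SHA256     = $hash.Hash    # empty if the file could not be read
    }
}

# Files without a valid signature first, then most recently modified.
$report |
    Sort-Object @{ Expression = { $_.Signature -eq 'Valid' } },
                @{ Expression = 'Modified'; Descending = $true } |
    Format-List
```

An empty result from the running system does not rule the file out, since a rootkit can hide its files from directory listings; the same check can be pointed at the disk from a clean boot environment by changing `$sys32`.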
April 21st, 2009 at 3:55 am
I have had this problem for a week now, and it is baffling me. I do not appear to have wdmaud.sys on my system, nor do I have gaop…. either. Please someone help
June 19th, 2009 at 5:26 pm
Perhaps the more disturbing problem (same or different virus I don’t know) is that after logging in to any email or MySpace etc. account the page goes blank and then logs me in after a refresh, but the page looks slightly different; something’s not right. Definitely think that in addition to redirecting Google this thing is logging information typed into the browser, like passwords. None of the Spy Sweeper or McAfee or AVG or Kaspersky etc. are fixing this. I’ve been to a bunch of different blogs saying look for this file
June 20th, 2009 at 7:27 pm
I’m pretty sure this thing’s back.
I have all the symptoms,
Like sites not loading
The word “Jumping” at the top of Firefox when I try to go to a tech related site… It started when I went to some site, and my Adobe Reader popped up real quick, then closed itself,
Then a fake virus program started telling me I had viruses and errors…
I was able to get the virus scan imposter out, couldn’t get the wdmaud out though. I found the imposter wdmaud, and when I delete it, it just creates a duplicate of itself. I’m going to try safe mode soon, but if anyone else is having this issue, please give me some advice!
BTW:
If you can’t get into tech sites cause of this thing, just bookmark the link, and click on the bookmark, that should allow you in
(I’m using AOL right now to avoid that issue)
But, any help would be very much appreciated!
July 19th, 2009 at 4:46 pm
I followed what applied to my problem from the above messages; it was very helpful. I got rid of the bad file and registry entry. I continued to get the redirects. I put Spybot on my computer from a USB drive, but a connection with the server was required and it was blocked.
I finally remembered how I got spybot to work once before. I downloaded it to another computer and copied the file from my program files to a usb file. I ran the program from the files on my usb drive and it found 182 redirects and fixed them all. I restarted the computer and could finally connect to spybot to add to the infected computer so this would not happen again. I hope this helps someone else.
August 8th, 2009 at 9:40 pm
I think I am having the same problem or a very similar one as everyone else. I don’t see a 7.7.7.0 when I get redirected but I have a lot of the similar problems.
I tried running several programs to fix it including Ad-Aware, Spybot, AVG Anti Virus.
Ad-Aware and Spybot both get closed down as soon as I try to scan anything with them. I also tried using Malwarebytes and renaming the .exe as suggested in the link to another forum.
I tried deleting wdmaud.sys and .drv but every time I delete one a duplicate comes up in its place. For some reason I can’t go into safe mode to delete it either; my computer says I’m missing ntoskrnl.dll? I checked and the file is there but it’s probably corrupt and I can’t seem to find or trust a download link for the .dll
December 23rd, 2009 at 6:40 pm
Thanks a bunch, bro. I got stuck fixing my Dad’s computer this Christmas (again…*sigh*) and couldn’t figure out where the redirects were coming from. The file you mentioned, wdmaud.sys, was not there but I found it now listed as wdmaud.drv in the same location. I renamed it and suddenly, no more redirects! Thanks again for your excellent forethought in writing this down. Just letting everyone know the new name just in case they need it in the future. Remember to rename it instead of deleting it in case it’s a valid file, but in all honesty you might want a professional to look if you start mucking around in system files.
Tim
January 9th, 2010 at 11:19 pm
Hey guys, I know some of you don’t have the wdmaud.sys but are still getting hijacked, as that is what was happening to me… well, I did a little digging around and found windrv.sys in my system32 folder and after removing it the hijacking is over. Hope this helps!
January 18th, 2010 at 5:12 am
I just started having this problem. I tried system restore, and then my virus protection was off when windows started back up, so I undid the restore, and virus protection worked again.
I looked in the system32 folder, and only show one wdmaud file (no .sys, or .anything after it). I tried to delete it, but wouldn’t let me. I’m afraid to do it in safe mode, in case my audio quits (which someone else mentioned), plus, I have no idea what safe mode is, or how to use it.
I did a search for files/folders, for “wdmaud”, and got several hits, all listed as being modified from August 2004 to April 2008 only… nothing in the recent past.
Anyone have similar findings, or new corrections to try?
February 1st, 2010 at 2:58 am
I’ve just had this Google redirect problem, myself. Though, I noticed no 7.7.7.0, I just got redirected from good links. Surfright Hitman Pro 3.5 (30-day free trial) sorted this problem out for me, as AVG & Adaware couldn’t pick the problem up. It was an overwrite infection of the otherwise legitimate atapi.sys. I seem to have acquired the problem either by briefly going into my router’s DMZ, else by hooking up an infected hard disk to my machine.
February 1st, 2010 at 6:29 am
I too, did not see the 7.7.7.0. I used the Hitman 3.5, and it showed the atapi.sys as bad, but have been told that your pc needs this file, so I just can’t delete it, can I?
February 2nd, 2010 at 3:26 pm
Today is 2/3/10. I had that darn redirect virus for almost two weeks and no one could seem to help me. I even called a repair shop and they said, well, you tried everything we would have tried, Malwarebytes, SpyDoctor, etc. Finally, I went on Yahoo Answers and one replied that the only thing that took this driver related virus off their machine was Hitman Pro 3.5. I downloaded it (home website is “Surfright”), which took seconds. When the file is opened, it scans immediately. In just a minute or so, it came up with the driver related “rootkit”. I hit delete, rebooted and now everything is fine. Hallelujah. It was so miserable. Now that was yesterday and I haven’t started up my computer yet so hopefully it is still gone.
February 2nd, 2010 at 6:36 pm
I had this problem last year and I was able to solve it by deleting the wdmaud.sys file. But this year, my friend got the same problem but he didn’t have the sys file. So we decided to use the free trial version of HitMan Pro (downloaded from CNet) and it worked within minutes! It showed three files that were trojans (I can’t remember the names but I don’t think I saw atapi.sys). When I restarted the computer, everything was working.
March 12th, 2010 at 9:15 am
I am so, so glad I found this site, thanking everyone for the advice! If only there was some way to prevent creators of this bullshit from checking out pages like this too…
March 18th, 2010 at 3:38 pm
HitMan Pro cleared up the search engine redirect problem in 30 minutes. Two days with McAfee support did nothing. I know I will go with Hitman when my current contract with McAfee ends. Thank you guys at Hitman Pro.
Steve Jowett