So a user at the office tells me that his Google is messed up. And by messed up, I mean the results appear to be legitimate at first glance. If you look closer, the descriptions are accurate, but they link to useless, if not blatantly spammy sites. See screencap below.
This happened around mid-December and all of the usual AV tricks I tried could not find the source of the infection. The search hijacking affected multiple browsers and search engines.
Both IE and Firefox were compromised, but not Google Chrome. It also hijacked search results from Google, Yahoo, and I think MSN Live. Luckily OpenDNS’s search was clean. I made the user use these workarounds up until this afternoon.
Today I noticed that this search hijacking was running a bit slower than usual and I saw that search results were waiting on something from IP address 220.127.116.11. I searched for malware originating from that IP and came across this blog entry.
Deleting C:\windows\system32\wdmaud.sys has worked so far. The user’s search results are now clean. I recommend uploading any suspect file in the C:\windows\* through Virus Total before deleting it though. Better to be safe than sorry, especially when fiddling with the Windows system folder.
I’m now running more malware scans on the infected computer. This time using Malwarebytes in addition to SuperAntiSpyware. Superantispyware didn’t catch anything the last time I ran it, but Malwarebytes found a similar piece of malware in C:\WINDOWS\system32\sysaudio.sys, and Virustotal confirmed it.
This piece of malware was harder than usual to diagnose because searching for “Google hijack” didn’t return any useful results. Hopefully this little post will push this Google Hijacking description a little higher up in the ranking. And kudos to the Podnutz Podcast for turning me on to Malwarebytes.