Fixing the "Google redirect" Trojan horse

By Rick Jelliffe
April 17, 2009 | Comments: 37

My laptop started acting strange this week.

Web pages would get redirected to odd locations. My favorite page at Electro-music.com would not load at all. Firefox crashed on some pages. As did Opera. As did IE. And trying to diagnose things, I found that I could not run cmd.exe or even regedit. And the system was painfully slow sometimes.

Looking on the web, I found this was a recent Trojan horse often called the Google Redirect.

Here is what I did to fix it. The laptop is running XP. (Disclaimer: do this at your own responsibility!)

1) I downloaded the Malwarebytes Anti-Malware utility, which identified a Trojan horse and removed it.

2) I went to c:\WINDOWS\SYSTEM32 and copied regedit.exe to some made-up name, such as rzezdziztz.exe. The Trojan blocks regedit.exe by its filename, so a copy under a different name still runs.

3) Running this copy of regedit, I went to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
and looked through all the entries named
aux, aux1, aux2, etc.
I found the one whose data was a strange filename, like C:\Windows\System32\..\abcdef.gih
The malware gives this file a random name, so yours will be different. I replaced that data with the normal value, wdmaud.drv

4) I deleted the file with that strange name, and rebooted.

(After this, I also ran a second malware scanner.)

Result: seems to be OK now. The information on the web was pretty good.


[UPDATE: Sept 2010. I helped fix a similar redirect problem recently. The cause was not the same as the one in this 2009 blog item, but the symptoms were. I first used the MVPS HOSTS file fix to reduce the spurious traffic; I had already installed Process Hacker, which let me see which sites I was being redirected to, and I added them to the blocked list. This gave some breathing room but was not a fix. I tried more than 8 different free/trialware programs and none worked, though one diagnostic program correctly suggested it was a rootkit problem and gave some fairly scary instructions for fixing it.

Finally, I tried the free version of Hitman Pro 3.5, which it seems had just been upgraded to fix this very problem: it worked fine. Hitman Pro seems to have the edge on Malwarebytes for this particular problem, in Sept 2010 at least, though the capabilities (and the challenges) change and so any recommendation here has a definite shelf life! Thanks to all the people who put out free tools, though: you are real life savers.]


37 Comments

This may not work if you already have a virus and spyware/malware protector installed. So you may have to download another one that is not already installed.

I've never used regedit.exe and am a little bit confused. Will I be able to recognize the entry with a random name? Are the aux names the ones we keep?

Andy: Have a look first, and only do something if you are reasonably confident you know what you are doing. Just opening up regedit and having a look around won't do any harm.

On some machines, the path may be
HKEY_LOCAL_MACHINE>SOFTWARE>MICROSOFT>Windows NT>CurrentVersion>Drivers32 by the way.

Again, in the left hand column, you are looking for names starting with "aux".

For these aux files, in the right-hand column, you are looking for suspicious files. They are suspicious if

1) They have full paths (e.g. C:\X\y.z) rather than being in the drivers directory (e.g. rather than just plain y.drv)

2) They have strange obfuscated paths (e.g. c:\X\Y\..\Z has the ..)

3) They don't have an extension like .dll, .drv or .acm

4) The name seems to be a random collection of letters.

The more of these that are true, the more that you can be suspicious. If nothing fits the bill, this blog entry is probably about a different problem.

(If you want to be very careful, you could write down that entry before you change it. And save the driver file to some other name somewhere else rather than deleting it. That way you can restore it if you want to.)

Again the disclaimer: that is what I did that worked. Do this at your own responsibility!
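Steps 2 to 4 of the post and the four checks in the reply above can be turned into a short audit script. The following is an added example, not code from the original post or from any of the commenters. It assumes PowerShell 2.0 (a separate download for XP SP3) run from an administrator account; the "SUSPECT-" prefix, the backup location and the crude random-name test are my choices, not anything the post specifies.

```powershell
# Added example, not code from the original post or its comments. Audits the
# Drivers32 key from step 3 of the post against the four checks in the reply
# above, and (only when you call it) applies the fix from steps 3 and 4 after
# exporting the key. Assumes PowerShell 2.0 on XP SP3 or later, run as an
# administrator. The SUSPECT- prefix and the backup folder are my choices.

$Drivers32Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32'

# Extensions a legitimate Drivers32 value normally ends with (check 3).
$KnownExtensions = @('.dll', '.drv', '.acm', '.ax')

function Get-SuspicionReasons {
    param([string]$Data)
    $reasons = @()
    # Check 1: any path at all, rather than a bare name resolved from System32.
    if ($Data -match '\\') { $reasons += 'full path' }
    # Check 2: an obfuscated path containing a "..\" segment.
    if ($Data -match '\\\.\.\\') { $reasons += 'contains ..\' }
    # Check 3: an extension that is not a usual driver/codec one.
    $ext = [System.IO.Path]::GetExtension($Data).ToLower()
    if ($KnownExtensions -notcontains $ext) { $reasons += "odd extension '$ext'" }
    # Check 4: random-looking base name. Crude: six or more characters with no
    # vowel catches rzezdziztz-style names and misses abcdef. A human decides.
    $base = [System.IO.Path]::GetFileNameWithoutExtension($Data)
    if ($base.Length -ge 6 -and $base -notmatch '[aeiouy]') { $reasons += 'random-looking name' }
    return $reasons
}

function Get-Drivers32Audit {
    # Get-Item fails with "cannot find path" if the key's permissions have been
    # altered to hide it, which some infections do; fix permissions first then.
    $key = Get-Item -Path $Drivers32Path
    foreach ($name in $key.GetValueNames()) {
        $data = [string]$key.GetValue($name)
        $reasons = @(Get-SuspicionReasons -Data $data)
        New-Object PSObject -Property @{
            Name    = $name
            Data    = $data
            Score   = $reasons.Count
            Reasons = ($reasons -join '; ')
        }
    }
}

function Repair-Drivers32Value {
    param([string]$Name, [string]$NewData = 'wdmaud.drv')
    # Export the key first so the change can be undone with "reg import".
    $backup = Join-Path $env:TEMP ('Drivers32-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
    & reg.exe export 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32' $backup /y | Out-Null
    $old = [string](Get-ItemProperty -Path $Drivers32Path).$Name
    Set-ItemProperty -Path $Drivers32Path -Name $Name -Value $NewData
    # Resolve the old data to a real file: bare names live in System32, and
    # GetFullPath collapses any "..\" trick. Then quarantine it by renaming,
    # which keeps it available for analysis or rollback.
    $file = $old
    if ($old -notmatch '\\') { $file = Join-Path $env:SystemRoot "System32\$old" }
    $file = [System.IO.Path]::GetFullPath($file)
    if (Test-Path -LiteralPath $file) {
        Rename-Item -LiteralPath $file -NewName ('SUSPECT-' + (Split-Path -Leaf $file))
    }
    "Backed up to $backup; $Name changed from '$old' to '$NewData'; quarantined $file"
}

# Report, worst first. Run Repair-Drivers32Value -Name aux (for example)
# only after you have looked at the file and agree it is suspect.
Get-Drivers32Audit | Sort-Object Score -Descending | Format-Table Name, Data, Score, Reasons -AutoSize
```

Two cautions on reading the report. A full path by itself is weak evidence: a stock XP install registers at least one codec with a full path (msacm.l3acm pointing at C:\WINDOWS\System32\l3codeca.acm), so an entry scoring only on check 1 deserves a look at the file, not an automatic change. And wdmaud.drv is the correct value only for the aux, midi, mixer and wave entries; wavemapper (msacm32.drv), midimapper (midimap.dll) and the msacm.* and vidc.* codec entries legitimately point elsewhere, so for those restore the value from an export taken on a clean machine of the same Windows version rather than forcing wdmaud.drv. If the rename in Repair-Drivers32Value fails because the file is in use, repeat it from Safe Mode.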

OK, I don't seem to have a HKEY_LOCAL_MACHINE>SOFTWARE>MICROSOFT>Windows NT>CurrentVersion>Drivers32. I can't find a Drivers or Drivers32 entry anywhere. I'm running XP, with all SPs applied, so where should I be looking?

Pete: First, you were looking in the registry, right? Not the file system, not the menu system?

OK, the best I can suggest is this thread:

http://www.bleepingcomputer.com/forums/topic224017.html

Some viruses change the registry permissions so that you cannot see entries, it seems. Try that option first.

And did you run the anti-malware?

This worked. While looking in the Registry I found two entries that had suspicious locations:
msacm.ctmp3 was C:\windows\system32\ctmp3.acm
msacm.iac2 was C:\windows\system32\iac25_32.ax
I changed both of them to wdmaud.drv
Saved my registry and rebooted. No more redirecting problems. I also updated my software to the latest version of Java, since I read someplace else that the virus might have come through Java.
Thanks for the advice. I have been reviewing other websites with suggestions for solutions and this was the easiest for me to implement.

Thanks again
Gary

Gary: Good, I am glad it was some help!

Caveat for readers: Please don't just assume these same files are necessarily bad on your system and delete them willy nilly. Go through the kinds of steps I mentioned above, so that you have some positive reason to suspect them. Gary and I mentioning what worked for us as non-experts does not mean we are advising you to do the same thing without regard to backups etc.

Hey man, thanks for the info... it works for now, I'll keep you informed. One of them did end in .acm, but had the full file path so I went brave and deleted it anyway.

Thanks again.

Thanks for the info.

Had this happen today 12/08/09 Running Windows NT

Not sure what happened. Suddenly all google searches in Firefox opened a new tab for BESTSEARCHEVER or something and then started loading random pages.

Then a "Windows Virus Alert!" type page pops up. I CTRL-ALT-DEL to run program manager and kill firefox.

Spybot finds some unsavory tracking cookies, but nothing else. As others have noted, a pre-existing installed program doesn't seem to find this.

I ran Malwarebytes which found 7 Trojan entries, deleted 5 of them and then said it would reboot to remove the other two. On reboot, it tried to load a "scan" program from the CD-ROM. I had to kill this app in program manager.

Running Malwarebytes again, it says it is clean.


I did not find the funny "aux" entries you mentioned. Two drives had full paths, but they had .drv suffix (one had an .ax suffix)

This is annoying as all get out. The load apparently was the "Windows Virus Alert!" scam, which links you to a site to harvest your CC number for a supposed fix.

The page did not look like an image of a website - it was pretty real looking. I can only imagine how Aunt Hattie deals with this sort of thing.....

I've had the Google redirect problem for the last two days. I ran Spybot, Ad-Aware, Malwarebytes, and Gmer. Only Gmer reported a suspicious atapi.sys file in c:\windows\system32\drivers. The other programs found nothing that would solve this problem.

Here's what I did:

From another networked computer (that has no problems), I went to DOS and changed to the c:\windows\system32\drivers folder. I copied the atapi.sys file to the computer with the Google redirect problem. The file date (on the problem computer) kept changing automatically to today's date (from 04/13/2008) within seconds after I copied the file. So, I ran the "attrib +r atapi.sys" command to make the file read-only on the good networked computer. Then I copied the read-only file again to the problem computer. Since then, the file date has not changed, and I've had NO redirect problems when searching at Google.

I'm not sure at this time if the problem is completely fixed, but I'll try to post back here in the near future.
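The comparison described in the comment above (a driver on the suspect machine against a known-good copy from a clean one) can be done reproducibly with a hash rather than by eye. The script below is an added example, not the commenter's code: it hashes both files with SHA-256, reports their sizes, timestamps and file versions, and re-reads the suspect file after a pause to catch the kind of rewriting the commenter saw. It assumes PowerShell 2.0; the UNC path to the clean machine and the ten-second pause are placeholders you must adjust.

```powershell
# Added example, not from the comment above. Compares a driver on the suspect
# machine against a known-good copy by SHA-256 and checks whether the suspect
# file is being rewritten while we watch. Assumes PowerShell 2.0. The UNC
# path to the clean machine is a placeholder; the clean machine must run the
# same Windows version and service pack or the hashes will differ anyway.

function Get-Sha256Hex {
    param([string]$Path)
    # Open with shared read/write so a file held open by the system can still be read.
    $stream = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    try {
        $sha = [System.Security.Cryptography.SHA256]::Create()
        $bytes = $sha.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    return ([System.BitConverter]::ToString($bytes) -replace '-', '').ToLower()
}

function Compare-DriverFile {
    param(
        [string]$Suspect   = (Join-Path $env:SystemRoot 'System32\drivers\atapi.sys'),
        [string]$KnownGood = '\\CLEANPC\c$\WINDOWS\System32\drivers\atapi.sys'   # placeholder
    )
    $s = Get-Item -LiteralPath $Suspect
    $g = Get-Item -LiteralPath $KnownGood
    $sHash = Get-Sha256Hex $Suspect
    $gHash = Get-Sha256Hex $KnownGood
    New-Object PSObject -Property @{
        Suspect           = $Suspect
        SuspectSize       = $s.Length
        SuspectModified   = $s.LastWriteTime
        SuspectVersion    = $s.VersionInfo.FileVersion
        SuspectSha256     = $sHash
        KnownGoodSize     = $g.Length
        KnownGoodModified = $g.LastWriteTime
        KnownGoodVersion  = $g.VersionInfo.FileVersion
        KnownGoodSha256   = $gHash
        Identical         = ($sHash -eq $gHash)
    }
}

function Test-FileKeepsChanging {
    # Hash and timestamp the file twice, a pause apart. A system driver that
    # changes while nothing legitimate is updating it is being maintained by
    # something, which is what the commenter's moving file date suggested.
    param([string]$Path, [int]$Seconds = 10)
    $hash0 = Get-Sha256Hex $Path
    $time0 = (Get-Item -LiteralPath $Path).LastWriteTime
    Start-Sleep -Seconds $Seconds
    $hash1 = Get-Sha256Hex $Path
    $time1 = (Get-Item -LiteralPath $Path).LastWriteTime
    return ($hash0 -ne $hash1) -or ($time0 -ne $time1)
}

$driver = Join-Path $env:SystemRoot 'System32\drivers\atapi.sys'
Compare-DriverFile -Suspect $driver | Format-List
if (Test-FileKeepsChanging -Path $driver) { "WARNING: $driver was rewritten while we watched." }
```

Read the result with two caveats. A kernel-mode rootkit that has hooked disk I/O can hand clean bytes to user-mode reads of the very file it infected, so a matching hash taken while the infected system is running proves little; the reliable comparison is from offline boot media or with the disk attached to a clean machine. Conversely, a mismatch is only meaningful when the known-good copy comes from the same Windows version and hotfix level, which is why the file version is printed alongside the hash. On XP the supported way to put back a protected system file is sfc /scannow; the script above only tells you whether you need to.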

Thanks! I found 2 files and renamed them wdmaud.acm in the Data Field. They both had a path name on the data field as well. They were Msacm.ctmp3 and Msacm.13acm. My google search results work fine now and nothing else seems broken :)
Happy Camper Jim

thank you very much!
no anti-virus program (tried out 4) found the problem but you helped me fix the problem of my boss in no time :)

I followed the instructions and renamed four entries and that did the trick. For about 2 weeks, anyway. Now the redirect is back. There are no more entries with the full path. Ideas?

Chuck: Nope, sorry. Did you run Malwarebytes? I had a friend who said he had, but when he brought his notebook around for me to look at, it turned out that he had not: in his mind he had decided that I must have meant some generic scanner, rather than that specific one. (And, it should go without saying, you are strictly avoiding using IE I hope?)

I've had problems with both Google and Yahoo redirecting me to strange pages, and nothing has helped. I have been running 2 different virus protections almost 24/7 and nothing has picked up. WOW WOW WOW, I think your advice has worked, you all are wonderful. I tried what the first entry suggested. I renamed the file that looked suspicious (under data it had C:\windows\system32\13codeca.acm whereas the others were not that complete) and things seem to be working better so far. Do I still have to delete it? I'm a bit nervous about getting rid of something I don't know for sure what it is. Thanks so much for your help.

HLD: Did you use Malwarebytes (it is free)? If not, I'd get it and run it ASAP and regularly in any case. It seems to catch problems that others miss.

I think the 13codeca.acm is supposed to be a codec for DivX, so if you have problems running DivX, that would be it. (I suppose the virus might be that initializing the codec patches the URL dispatcher, something like that.)

I would certainly at least rename it to perhaps "SUSPECT13codeca.acm" so that it is marked.

Thank you for your help. I did download and run Malwarebytes and it hasn't picked anything up, but once again my pages are being redirected when I use Google or Yahoo. Things are fine when I use a different browser. What happens if I do delete the suspect file and it is not a bad one? Also, how dangerous is this bug (or don't I want to know)? I'm at my wits' end and very frustrated and nervous too. How would I have gotten this thing? I'm usually ultra careful.

HLD: If you have renamed it, rebooted and you still get the problem, it is probably not the culprit (or not the only one.)

Just to confirm: the steps are 1) change the suspect entry in the registry to use wdmaud.drv, and 2) rename (or delete) the suspect file.

I think that file is just a codec for DivX, so deleting it should not hurt anything else. I would just copy it to a memstick or somewhere when deleting.

But if Malwarebytes doesn't say anything, and you can open the Registry in the first place, and taking the steps above doesn't work either, it may just be a different virus.

If you only get the problem in Firefox, uninstall it and install a fresh version. I don't use IE or Outlook under almost any circumstance, because of their bad reputations. Sorry, that is the best I can suggest.

Thanks again for your help. The redirecting problem seems to be a bit better - at least now my virus protection is blocking the "bad page" - it seems to want to go to a broken link or something. Unfortunately I do have IE - you're suggesting something different?
But now I have a new problem - Windows automatically uploads updates, and each time it automatically updates, downloads and installs, my computer refuses to start and launches System Restore - and it fixes itself to an earlier time. I'm afraid one day that it's going to refuse to start altogether. Any suggestions?

HLD: Yes, my suggestion is to *never* use IE and Outlook. Perhaps on the stupid pages which fail on other browsers, but these are very rare. I recommend Firefox and Thunderbird respectively. They are free.

(If you watch videos a lot, Google Chrome is another good free browser.)

Why never? Because of the persistent security issues. IE and Outlook are victims of their own success: they are the target of the lion's share of browser/email attacks simply because of their popularity. It is a 'monoculture' problem: we need a healthy diversity of products so that any single attack will have less chance to infect and spread.

HLD: We had a problem here at work that a particular update was incompatible. I have a non-Windows operating system loaded in a partition on my hard disk (OpenSolaris, but sometimes Linux), and I try only to use platform-neutral applications (or proprietary applications with good act-alike equivalents). (We store most data on a central server, and we try to use common data formats, too.)

So even if Windows became unworkable, I could still continue with Eclipse, OpenOffice, Firefox, Thunderbird, and the Java applications. I do install the free viewers that are often available for Windows-specific applications (e.g. MS' Excel Viewer, Word Viewer, PowerPoint Viewer) for optimality.

But I see Operating System failure as a significant risk: rather than worrying too much about using virus protection and backups, I think having a completely workable Plan B that I could switch to in a couple of minutes is a more prudent approach.

I think the online environment providers have a plausible story too, for reducing dependency risks on Windows.

Thanks for all your help

Hi, I have this Google redirect virus, I can't find the virus, have tried Norton, Windows Defender, Windows Security, and Hitman Pro. Please can someone help, as I am not exactly up on computer speak so need some guidance. Thanks

Don't know about the rest of you but I took Rick Jelliffe's advice and I deleted every single one of them, I didn't care if they had anything to do with my system or not. aux, acm whatever, I deleted all, now my browser works just fine. Thanks Rick

KayCee: It certainly was not my advice to delete files willy nilly. Only the ones which are strange in the way I described.

That being said, I am happy that it seems to have worked for you, of course.

And, I want to say again, I am not giving advice in this blog: I am reporting what I found worked.

I'm seeing this on my computer for the last week or two. I reformatted and I'm still getting redirected the first time I click a link in a Google search. I've had the computer for three years and this wasn't on the recovery DVD. At this point, I'm thoroughly freaked out.

I have the redirect thing going on with my macbook (past two days). Norton found nothing, MacScan found 63 cookies (3 from a site called deviantart). Today redirect is happening again. Ran iantivirus found nothing. Redirect is still going on. Any advice for mac users would be appreciated (Safari/ Snow Leopard).

Hi Everyone,

RE: GOOGLE REDIRECT PROBLEM FIXED!
First of all, let me say that I am absolutely not a computer person, not by any stretch. Most things I've done on the computer and worked have been by trial and error, sheer flukes. I amaze myself constantly.
My computer became infected 2 days ago, and I didn't even know the name of the infection till I went online, only to discover that pages are devoted to this stupid problem.
Here's what I did to fix it, by following Rick Jelliffe's advice above (I'm on Windows XP):
1 Go to 'My Computer'
2 Click on 'C Drive'
3 Click on 'Windows'
4 Click on 'Regedit'
5 Please note that this step may be different in your computer--
I changed the data for msacm.l3acm from
Old - C:\WINDOWS\System32\l3codeca.acm
New - wdmaud.drv
The C line looked suspicious as Rick says above.
That was ALL I did. Opened my Mozilla Firefox, went to browse, and voila! -- no redirect.
Rick, that worked like magic! Thank you, thank you, thank you!

SecretSociety.ucoz.com

Hi Everyone,

Sorry, after my last submission, I went online to do a search with Google (Firefox), and I found I was redirected again.

I tried something else, and this seems to have worked.
If the redirection returns, I'll let you know.

Here's what I did, something so simple, that I still can't believe it'll hold.

1 Go to Add/Remove Programs, and uninstall every single version of Java
2 Go to Sun Microsystems, and reinstall the latest version.

This works for the time being on my computer, Windows XP, with both IE and Firefox.
If not, I'll be back!

Take care.
secretsociety.ucoz.com.

Hi All,
GOOGLE REDIRECT STILL THERE
So, sorry to say, my problem is back. I even tried to do a System Restore, and found that all my restore points had disappeared.
As a result, still searching for a solution.
I almost want to try what Kaycee did and delete all those registry keys. But I'm scared to do this as I don't know what they're for.
Will continue to search, and post back if I find something that works for me.
Thanks.
secretsociety.ucoz.com

Hi Everyone,
RE GOOGLE REDIRECT TROJAN FIX, REALLY FIXED THIS TIME.
Sorry I cried wolf & posted those previous posts which didn't work.
Here's what has worked for me for the past 5 hours, and I waited to post just to make sure that it held & I could offer the best advice I'm capable of:
1 Download and run HitMan 3.5 by SurfRight from CNET. It's free for 30 days.
2 Set a restore point, note the time you set it, and check on if it's really there as a restore point if you need it later
3 Now here's the paranoid part--
MAKE A LIST OF YOUR REGISTRY KEYS, as they should be optimal at this stage.
[Note: I know zilch about computers, but do know that these keys are important]. Save your list for times when you're hit by a virus.
Do it this way>>>
Click Start>Run>Enter regedit>Click Enter
Follow this path>>>
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
There should only be about 25 items in 3 columns.
Copy down the columns headed Name and Data.
Save your list just in case...
No one's computer is the same as anyone else's, but this approach may work for you!

SecretSociety.ucoz.com

I just want to clear up a confusion that may be cropping up.

There are people talking about "renaming" a suspicious file.

That is *not* what I did to fix the virus. What I am saying is to change the entry in the registry so that it has the correct driver file "wdmaud.drv". This is not renaming a file to a new name, but changing the registry entry so it points to a new file (well, the original file.) I think it is confusing to call this "renaming".

I did however mention that rather than deleting the suspect file, you could rename it. But that is just so that if it turns out to be useful, it is easy to revert back to the old name: just a convenience rather than being essential.

If someone finds a suspect file and renames it to something else rather than changing the registry entry, it may indeed fix the problem, but in a messy way: the registry points to a missing file. This may result in some loss of functionality, so I think it is better to change the registry entry so that it points to the real "wdmaud.drv" instead (as well as deleting or renaming the suspect file.)

I had the trojan and used this site and this one http://www.dslreports.com/forum/r21971760-Trojan-Win32KrypticGStrojan to cure it. I seem to be free of it. One thing I did though was remove my PC from the net after I had installed and updated the software before uninstalling my own virus checker (eset smart security 4) as it can cause problems with the other cure software. Only problem I have now is I can't update windows. Fresh install is gonna be needed but at least I can transfer my files to backup before I do now without the worry of a reinfection.

Thank you Rick ! It has solved my 6 months of problem for now at least

I reinstalled IE 8 during the installation a virus check occurs and the redirect seems to have gone.
I had used Malwarebytes, Spybot, SuperAntispy, Avira, rkll, HJT, Hitman. They all found different malware. After using CCleaner numerous folders and desktop icons are now dull, grey and fuzzy. Still had the redirect.
When i know more I'll have a go at the H key route. Thank you Rick and the others who contributed.
DOES ANYONE KNOW ABOUT THE FUZZY DULL ICONS/FOLDERS?

There seem to be multiple different causes for the same basic symptoms: Trojans, infected Firefox "xul" components, and one I just discovered today -- infected McAfee "site advisor" module. This provides safety ratings for each result in a search page. My girlfriend's PC was redirecting Google search results, but not Yahoo. I noticed that the site advisor was also only working on Google, so I clicked on its toolbar button and set it to "disabled". The problem disappeared! To make the fix permanent, my GF uninstalled McAfee and then reinstalled it, but did not install the site advisor component. Neither McAfee AV itself nor Malwarebytes detected any infection, but it was there.

Oh, Hitman Pro 3.5 didn't find the infected McAfee module either, so it's something different from the cases described above.
