Help super wdmaud redirect virus.

First of all this virus was picked up while running an updated version of McAfee Total Protection 2009 with all protection settings set to On.

I have been able to remove what seems to be all viruses on the infected machine except this one.

When I start any web browser on the machine it loads the correct Start page then proceeds to redirect to one of a handful of websites. Actually by looking at the bottom part of the browser where loading info is flashed I can see that the adware is basically pinging all the sites before selecting one to redirect to.

After running every antivirus scanner and remover, including some rootkit removers, with no viruses detected, I stumbled upon some forums discussing the wdmaud file.

Sure enough I have a bogus version of the file in C:\WINDOWS\system32\

I am unable to delete it but I can rename it and move it. Even after renaming and moving it the bogus file reappears. It reappears with no system reboot or browser restart.

So now I think it must be a registry entry in Drivers32 but I can't tell for sure.

This is my Drivers32 registry:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"midimapper"="midimap.dll"
"msacm.imaadpcm"="imaadp32.acm"
"msacm.msadpcm"="msadp32.acm"
"msacm.msg711"="msg711.acm"
"msacm.msgsm610"="msgsm32.acm"
"msacm.trspch"="tssoft32.acm"
"vidc.cvid"="iccvid.dll"
"vidc.I420"="msh263.drv"
"vidc.iv31"="ir32_32.dll"
"vidc.iv32"="ir32_32.dll"
"vidc.iv41"="ir41_32.ax"
"vidc.iyuv"="iyuv_32.dll"
"vidc.mrle"="msrle32.dll"
"vidc.msvc"="msvidc32.dll"
"vidc.uyvy"="msyuv.dll"
"vidc.yuy2"="msyuv.dll"
"vidc.yvu9"="tsbyuv.dll"
"vidc.yvyu"="msyuv.dll"
"wavemapper"="msacm32.drv"
"msacm.msg723"="msg723.acm"
"vidc.M263"="msh263.drv"
"vidc.M261"="msh261.drv"
"msacm.msaudio1"="msaud32.acm"
"msacm.sl_anet"="sl_anet.acm"
"msacm.iac2"="C:\\WINDOWS\\system32\\iac25_32.ax"
"vidc.iv50"="ir50_32.dll"
"msacm.l3acm"="L3CODECA.ACM"
"wave"="serwvdrv.dll"
"wave1"="wdmaud.drv"
"midi"="wdmaud.drv"
"mixer"="wdmaud.drv"
"msacm.siren"="sirenacm.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server\RDP]
"wave"="rdpsnd.dll"
"mixer"="rdpsnd.dll"
"MaxBandwidth"=dword:000056b9
"wavemapper"="msacm32.drv"
"EnableMP3Codec"=dword:00000001
"midimapper"="midimap.dll"

RE: Help super wdmaud redirect virus.

Download, update and run the free version of both these tools and let them remove anything they find:

http://www.superantispyware.com/superantispywarefreevspro.html

http://www.malwarebytes.org/mbam.php

If they fail then download Hijackthis and post its log on one of the following forums for expert guidance:

DOWNLOAD HIJACKTHIS

Do not post the log here, we can't help!

Post the logs at a specialist Forum:

AUMHA FORUM

BLEEPING COMPUTER FORUM

GEEKS TO GO FORUM

MAJOR GEEKS FORUM

MALWAREBYTES FORUM

MALWARE REMOVAL FORUM

SPYWAREHAMMER FORUM

SPYWARE INFO FORUM

WHAT THE TECH FORUM

Be sure to read all the sticky announcements/instructions at the top of each malware forum!

Already did all that.

I already ran both SuperAntiSpyware and Malwarebytes; full scans turned up clean.

My HijackThis log looks clean.

Still can't get rid of the bogus wdmaud file.

RE: Already did all that.

Your Hijackthis log may look clean but did you post it on a specialist forum for analysis?

I finally figured it out.

I ran a trial version of Spyware Doctor which picked up 8 Threats and a couple hundred infections. The bad news is that it won't fix anything unless I dish out the cash.

So I had to remove the bad stuff myself. I got rid of everything easily except for the Browser Favourite stuff (which I'm still not sure what that is since I deleted everything in IE) and the entries in my hosts file.

The hosts file part is where the catch is.

I was stumped because when I opened my hosts file in C:\WINDOWS\system32\drivers\etc it was clean. There was no other hosts file visible and I had my folder settings set to show hidden.

After scratching my head a while I finally ran a search for hosts files using FreeCommander. Several hosts files came up but the main one was in C:\WINDOWS\system32\drivers.

When I opened it up, it had the bad redirect entries. I was unable to delete or edit the file.

I restarted in safe mode and used FreeCommander to go directly to the hosts file and I changed the permissions on it so that the account I was on had total control of the file.

Sorry I can't give the instructions on how to regain control of the file off the top of my head. I have it written down at home and will edit it in later if needed.

I cut out the bad entries which were inserted before the comments on file and saved it.

Restarted the PC and started up the browser and no more redirect problems.

I have to say that I am a bit disappointed by McAfee's product and services.

I convinced my mom to buy it at the end of last year when her PC was infected and I was far more naive about malware. She bought the most expensive version they had at the store and now I feel like it was a waste of money.

I understand that no scanner will be able to find everything and that each scanner picks up things that others miss but for the price that people pay for this product I would think that the company would be more willing to assist in issues where the PC was infected while running their product.

A higher level of technical help should be free and more accessible.

I don't think I will be recommending this software to anyone in the future as my number one choice.

P.S. my HijackThis log was clean because HijackThis couldn't open the bad hosts file.

RE: I finally figured it out.

Nevertheless, that "higher level of technical help" as you put it, would have been available on the Hijackthis forums, but instead you did some self diagnosis and decided they would be of no help, well at least that's how I interpret your post.

Free help here is limited to the expertise of the unpaid volunteer that is providing the help. Sorry I'm not so expert, but there didn't seem to be anyone else available & time is always the essence in these cases - your post had been sitting unanswered for 11 hours or so.

There was a chance that HJT forum might spot issues or at least have that expertise necessary to suggest other avenues of approach.

Malware comes in so many forms and there are many tools that could have been used.

Anyway, good luck in the future and remember that anti-virus is only one step in protection and none of the major A/V software can protect against everything. The main part is an up to date system and due care when surfing, downloading etc. and keep some extra anti-spyware applications handy.

We have several anti-spyware tools listed here, Spyware Doctor isn't one of them.

RE: I finally figured it out.

There are several ways to infect the HOSTS file and one of them is to modify the registry as to where the HOSTS file is.

The malware writers are well aware of this and take advantage of this knowledge.

Read User's rating of Spyware Doctor:
http://download.cnet.com/Spyware-Doctor/3000-8022_4-10293212.html
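The two posts above describe the same defender's check: find the hosts file the resolver actually uses, then look for lines that steer real hostnames somewhere other than loopback. This is an added example, not code from this thread or from any product mentioned in it; the sample hosts content is constructed, and the DataBasePath registry value named in the comments is the one Windows really consults.

```python
import ipaddress
import re

# On Windows the resolver reads the hosts file from the directory named by the
# registry value HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath
# (default %SystemRoot%\System32\drivers\etc). Pointing that value elsewhere leaves
# a clean decoy at the default location while the live file sits somewhere else.

# Constructed sample: bogus redirect lines inserted above the stock comment header.
SAMPLE_HOSTS = """\
192.0.2.10 www.google.com
192.0.2.10 search.yahoo.com
192.0.2.11 example-bank.test
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
"""

BENIGN_HOSTNAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

def parse_hosts(text):
    """Return (ip, [hostnames]) for each mapping line, ignoring comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        fields = re.split(r"\s+", line)
        if len(fields) < 2:
            continue                              # malformed line, not a mapping
        entries.append((fields[0], fields[1:]))
    return entries

def suspicious_entries(text):
    """Flag (hostname, ip) pairs that steer a real name to a non-loopback address.
    Loopback/unspecified targets (127.x, ::1, 0.0.0.0) are the usual benign
    ad-blocking pattern; anything else overriding a public name is a redirect."""
    flagged = []
    for ip_str, hosts in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(ip_str)
        except ValueError:
            continue                              # not an address; skip
        if ip.is_loopback or ip.is_unspecified:
            continue
        for host in hosts:
            if host.lower() not in BENIGN_HOSTNAMES:
                flagged.append((host.lower(), ip_str))
    return flagged
```

Run it against the file found via DataBasePath rather than the one at the default path; a clean result from the decoy says nothing about the live file.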

I do have a post on bleepingcomputer.

I set up the post yesterday afternoon around 4:00 p.m. my time.

After about 4 or 5 hours later with no replies and few reads I decided that I must not have done such a great job on the title and description. So I started working on the problem myself again.

I'm still trying to understand how the virus was able to hide the infected hosts file, even though I had folder settings set to show hidden files. I think the fake clean hosts file that I was looking at was just a text file. That was one of the first things I looked at when I started working on the problem.

Plus before I left the infected PC last night I forgot to check the bogus wdmaud file. But using the DDS Attach file I was able to see that Windows File Protection is what keeps bringing the wdmaud file back to life.

I found a site that shows how easy it is to hack the WFP. But it's going to take me a day or two before I can understand it well enough to fix the WFP. Maybe if I can just delete the backup trojan wdmaud file and use that as a quick fix, but I'm not sure which one is the backup and which is the trojan backup.

As for the lack of help from McAfee, I don't blame the non-paid volunteers. I appreciate that they donate their time and efforts to try and assist. But McAfee should either supply its volunteers with high level training or supplement them with well trained staff that can handle any infections. To me it seems like a lack of consideration to their customers.

I agree. McAfee Still Does Not Detect or Catch This Redirect Virus

I totally agree. What is with McAfee? This redirect virus has been around a very long time now and yet their software still fails to detect it - let alone remove it! I guess they are sitting on a "cash cow" with AT&T Yahoo DSL who has contracted them to provide their users with a Security Suite and don't find it necessary to aggressively work at real updates to their software. McAfee still gets its money from AT&T and other ISPs who are offering to their subscribers. Sad, sad, sad.

I agree with the training. Here on this forum, McAfee has volunteers that are working for free. McAfee should provide these volunteers with free training. Do the volunteers even get free McAfee subscriptions? If not, they should.

This just shows you the character behind the upper management at Network Associates.
