What is this infection about...
It loads a script, so the search engine results are served through that script. For example, when you search for something in Google or another search engine and view the page source, you see:
script src=//78. 157. 142. 58/ followed by the search engine results.
or
script src=//209 .85 .171 .9/ followed by the search engine results.
(more addresses may be present as well)
So whenever a popular search engine is used, a script is loaded that inserts its own results. For example, a search for "How to remove rootkits with icesword" returns irrelevant results. Screenshot here:
This only applies to the first page of results.
It looks like stopzilla.com is also promoted via this piece of malware.
Example:
As far as I know, this one gets installed via a "Yahoo! Counter starts here" JavaScript (a malicious script, not related to Yahoo) injected into many forums, sites and blogs.
The file responsible for the search engine hijack is sysaudio.sys (which is actually a DLL), dropped in the %sysdir% folder (system32).
Note: do NOT confuse this one with the legitimate sysaudio.sys, which lives in the %sysdir%\drivers folder! Do not delete the legitimate %sysdir%\drivers\sysaudio.sys file.
The loading point for the fake sysaudio.sys is the
HKLM\software\microsoft\windows nt\currentversion\drivers32 key,
with value name and data:
"aux"="sysaudio.sys" or
"aux2"="sysaudio.sys"
Legitimate data for "aux" is wdmaud.drv, mmdrv.dll or ctwdm32.dll (the most common legitimate ones I've seen so far; there may be more).
Other files the fake sysaudio.sys may use are divx.nls or ntnet.drv, also present in the %sysdir% folder.
(newer variants may use more)
Anyway, this is another method used to "hide" its presence, since it causes confusion with legitimate files and keys. So be cautious if you think you're dealing with this one, and do not delete the legitimate sysaudio.sys in the system32\drivers folder or the "aux" value in the registry. Ask for help if you're not sure.
UPDATE!!!
A new variant uses Windows\system32\wdmaud.sys <== the bad one.
The legitimate ones are Windows\system32\wdmaud.drv and Windows\system32\drivers\wdmaud.sys, so don't delete those!
UPDATE2!!!
Yet another new variant is around. Malwarebytes' Anti-Malware detects this one as Trojan.Gumblar or Trojan.JSRedir (previous variants were detected as Trojan.Daonol).
Redirections go, for example, to 209.85.171.199, or you see 7.7.7.0 in the status bar.
This time it uses a random file name. To find it, browse to the HKLM\software\microsoft\windows nt\currentversion\drivers32 key in the registry and look at what's present under the "aux" values (aux1, aux2, aux3, aux4...). One of them is the cause. It has a "weird" looking file path and name, for example "C:\WINDOWS\system32\..\sjkemx.iqd", "C:\WINDOWS\system32\..\kvlhurx.niq" or "c:\docume~1\%username%\LOCALS~1\Temp\..\herlppj.sna".
Note the ".." component: it means "the parent folder", so C:\WINDOWS\system32\..\sjkemx.iqd is really C:\WINDOWS\sjkemx.iqd, and the Temp\..\herlppj.sna example really lives in the LOCALS~1 folder, not in Temp. The file is not where the path appears to point, which is why it is easy to miss.
To find the file itself, the easiest way is Windows search. If it comes back immediately after you have removed it, use the "HijackThis - Delete on reboot" option, or any other tool that can delete files on reboot.
In case you can't launch regedit (it crashes when you launch it), rename regedit.exe and try again.
If you're unsure, don't delete anything; ask for help instead.
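As an added example (not code from the original post), here is a small Python triage script that applies the checks from the sections above, covering both the sysaudio.sys / wdmaud.sys lookalike variants and the random-name ".." variant, to a Drivers32 export. It parses the text that `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32" drivers32.reg` produces on the infected machine, compares each aux* value against the legitimate modules named above, flags ".." components, Temp folders, kernel-driver names used as user-mode modules and odd extensions, and shows where each path really resolves. The sample export, the assumed %sysdir% of C:\WINDOWS\system32, and the rule that a bare file name is resolved from %sysdir% are assumptions made for illustration.

```python
import ntpath
import re

# Constructed sample of what `reg export` might produce for the Drivers32 key
# on an infected XP box (hypothetical; the paths mirror the post's examples).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"aux"="wdmaud.drv"
"midi"="wdmaud.drv"
"aux1"="sysaudio.sys"
"aux2"="C:\\WINDOWS\\system32\\..\\sjkemx.iqd"
"aux3"="c:\\docume~1\\%username%\\LOCALS~1\\Temp\\..\\herlppj.sna"
"aux4"="mmdrv.dll"
"wave"="wdmaud.drv"
'''

SYSDIR = r"C:\WINDOWS\system32"  # assumption: default XP %sysdir%
# Legitimate "aux" modules the post lists (other systems may have more).
KNOWN_GOOD_AUX = {"wdmaud.drv", "mmdrv.dll", "ctwdm32.dll"}
# Names of real kernel drivers (from %sysdir%\drivers) that the malware reuses.
LOOKALIKE_DRIVER_NAMES = {"sysaudio.sys", "wdmaud.sys"}

_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def unescape_reg(s):
    """.reg files write a backslash as '\\\\' and a quote as '\\"'."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_values(text):
    """Return {name: data} for the REG_SZ values in a single-key .reg export."""
    values = {}
    for line in text.splitlines():
        m = _VALUE_RE.match(line.strip())
        if m:
            values[m.group("name")] = unescape_reg(m.group("data"))
    return values


def resolve_path(data):
    """Where the module really lives once '..' is collapsed.

    A bare name is assumed to be loaded from %sysdir% (assumption for this example).
    """
    if not ntpath.dirname(data):
        data = ntpath.join(SYSDIR, data)
    return ntpath.normpath(data)


def triage_aux_values(values):
    """Apply the post's heuristics to every aux* value.

    Returns a list of (name, raw_data, resolved_path, verdict, reasons).
    """
    results = []
    for name in sorted(values):
        if not re.fullmatch(r"aux\d*", name, re.IGNORECASE):
            continue
        raw = values[name]
        base = ntpath.basename(raw).lower()
        ext = ntpath.splitext(base)[1]
        reasons = []
        if ".." in raw.split("\\"):
            reasons.append("'..' in path: the file is in the parent folder, not where the path looks")
        if "\\temp\\" in raw.lower():
            reasons.append("module loaded from a Temp folder")
        if base in LOOKALIKE_DRIVER_NAMES:
            reasons.append("kernel driver name from %sysdir%\\drivers used as a user-mode module")
        elif ext not in (".drv", ".dll"):
            reasons.append("unusual extension %r for a Drivers32 module" % ext)
        if reasons:
            verdict = "suspicious"
        elif base in KNOWN_GOOD_AUX:
            verdict = "ok"
        else:
            verdict = "unknown (verify file)"
        results.append((name, raw, resolve_path(raw), verdict, reasons))
    return results


if __name__ == "__main__":
    for name, raw, resolved, verdict, reasons in triage_aux_values(parse_reg_values(SAMPLE_REG)):
        print("%-5s %-22s %s" % (name, verdict, resolved))
        for r in reasons:
            print("      - " + r)
```

Run it against a real export by replacing SAMPLE_REG with the contents of drivers32.reg; anything reported as "suspicious" is a candidate for the post's removal steps, and the resolved path tells you where to look for the file before deleting it.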
Update: A great, detailed write-up by MAD (French).
To receive help removing this infection or similar infections, register at one of the forums listed on the right, or register at my personal forum here. It's a Dutch forum but I also give English support.
Monday, October 13, 2008
Fake sysaudio.sys causes Searchengine Hijack
Comments (96)
miekiemoes | Malware | 2008-10-13T19:44:00+02:00
Derek Smith · 856 weeks ago
How does this file get put on your computer in the first place?
Cindy Siders · 854 weeks ago
I am completely enamored with Belgium after developing quite the taste for Belgian Ales. My husband and I hope to visit someday.
L Carter · 853 weeks ago
IT Guy · 853 weeks ago
syeager · 852 weeks ago
Syeager · 852 weeks ago
Syeager · 852 weeks ago
Keepers · 851 weeks ago
Eric · 850 weeks ago
Scott · 850 weeks ago
Trevor · 850 weeks ago
Still unclear how it manages to create the sysaudio.sys file on the host? JavaScript within a browser can't normally create or write to files on the host (can it??)?
Phil · 850 weeks ago
jimmy32 · 850 weeks ago
Ian · 850 weeks ago
scottg · 849 weeks ago
Bob · 849 weeks ago
Joe_Miles 0p · 849 weeks ago
Sandro de Rosa · 849 weeks ago
THE_IT_GUY 1p · 848 weeks ago
http://i40.tinypic.com/119s4jo.jpg
Phil · 848 weeks ago
joe · 848 weeks ago
document.write("<div id=_p_></div>");window.onload=function(){try{var u=document.body.getAttribute("unload");if(u)eval(u);}catch(e){}};//
Unfortunately I have some updated form of the virus, so I'm not seeing it named as "sysaudio.sys". I searched for "wdmaud.sys" and have two of that file in WINDOWS\system32, one 23kb and one that's 14kb. I'm not sure what to do here so I'm trying Malwarebytes, hopefully it will work.
joe · 848 weeks ago
Patrick · 848 weeks ago
I had the wdmaud.sys variety. Malwarebytes, Ad-Aware, NOD32 and Spybot S&D were all unable to find this file...
I deleted the file, cleared all temp files, and restarted the browser, and my searches are no longer hijacked.
However, many say it returns. Though it seems, by what miek is saying, that it is because an infected site was visited. Hopefully this won't be the case for me, but at least now I know the file to delete, thanks!
Are there any registry values from the wdmaud.sys variant that I need to delete?
Tate · 848 weeks ago
theo · 848 weeks ago