All my searches are redirected no matter which browser I use. Help!!

All my searches are getting redirected, not only Google, but Yahoo and Live too. I put what I'm looking for in the search, it brings up a normal search window with normal links, but when you click on the links, it doesn't take you to that place, it redirects you to different advertisement pages. I've done a scan and it doesn't detect any sort of malware, spyware, trojan or virus. Anyone having this problem? What is it and how can I make it stop? Please help :frowning:

Hey. Welcome to the forums. Please scan the system with mbam and sas and avira.
Please post back and tell me how it goes.

If possible, could you please submit the samples to Comodo so that it can help protect other users in the future?

I’d suggest you also try GMER, a well-known anti-rootkit scanner, to see if there is something “hiding” from your eyes.

http://www.gmer.net/gmer.zip

Since it is impacting all browsers, it’s probably worth checking the HOSTS file & the network providers (Winsock, LSA & Network) as well… not sure if the stated scanners do all that. A HijackThis log would probably be useful.

In case you do not know how to produce a HijackThis log here are instructions.

- Click here to download HJTsetup.exe and download the installer.
- Save HJTsetup.exe to your desktop.
- Double click on the HJTsetup.exe icon on your desktop.
- By default it will install to C:\Program Files\Hijack This.
- Click on the Do a system scan and save a log file button. It will scan and open the log file.
- Click on “Edit > Select All” then click on “Edit > Copy” to copy the entire contents of the log.
- Come back here to this thread and Paste the log in your next reply.
- DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
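The HOSTS file and Winsock provider check suggested earlier in the thread can also be done by hand. The following is an added example, not part of any post here; the watch list of search-engine labels and the set of "harmless" addresses are assumptions chosen for this illustration.

```powershell
# Added example: list active HOSTS entries and flag ones that remap search engines.
# $watch and $benign are assumptions based on the engines named in this thread.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$watch     = 'google', 'yahoo', 'live'
$benign    = '127.0.0.1', '::1', '0.0.0.0'

function Get-HostsEntry {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Drop trailing comments and surrounding whitespace.
        $text = ($line -replace '#.*$', '').Trim()
        if (-not $text) { continue }
        $parts = $text -split '\s+'
        if ($parts.Count -lt 2) { continue }
        # One address may be followed by several host names.
        foreach ($name in $parts[1..($parts.Count - 1)]) {
            [pscustomobject]@{ Address = $parts[0]; Name = $name.ToLower() }
        }
    }
}

$entries = @(Get-HostsEntry -Lines (Get-Content -LiteralPath $hostsPath))
$report = foreach ($entry in $entries) {
    # Match whole DNS labels so that "olive.example" does not hit "live".
    $labels = $entry.Name -split '\.'
    $hit    = @($labels | Where-Object { $watch -contains $_ }).Count -gt 0
    [pscustomobject]@{
        Address = $entry.Address
        Name    = $entry.Name
        # Review = a watched name mapped to something other than a blocking address.
        Review  = $hit -and ($benign -notcontains $entry.Address)
    }
}

if ($report) {
    $report | Sort-Object Review -Descending | Format-Table -AutoSize
} else {
    'No active entries in the HOSTS file.'
}

# Winsock catalog: every provider path should be a known system DLL.
netsh winsock show catalog | Select-String 'Provider Path'
```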

OK, I've scanned it with sas which found nothing but tracking cookies. Scanned it with mbam next, it found one thing… WINDOWS\system32\sysaudio.sys (Rootkit.Agent) and it quarantined it. Downloaded avira, ran it and it locked my comp up on reboot. I could get to the desktop but there was nothing on it, no icons, no taskbar, nothing. It took me several times of rebooting to safe mode before I could actually get into safe mode. When I did, I uninstalled avira. Downloaded and scanned with hijackthis and am pasting the log here:

Let me know what to do next. :slight_smile: Thanks

EDIT: HiJackThis Log Has Been Attached To This Post

[attachment deleted by admin]

I strongly suggest scanning with GMER because it looks like you're having a rootkit infection.

Yes, there is nothing HijackThis can see.

Presumably you have no Norton firewall running as well as CFP?

When you’ve removed the sysaudio.sys file, maybe your problem with wrong search engines is resolved. I found this, when I searched for “sysaudio.sys”: Searchengine Hijack.
But I highly recommend doing a scan for rootkits, as said before.
Maybe you should also download a live CD like the Avira AntiVir Rescue System, burn it onto a CD, boot from this CD and do a scan of your hard drives.
The advantage of this method is that no components of your system, and therefore no rootkit components, are loaded which can hide the rootkit (if there is one) on your system.

Yay! It's gone, no more redirecting my searches.

Malwarebytes removed the sysaudio.sys that was in C:\Windows\system32 and quarantined it. But I was still getting the redirect searches. None of the other scans found anything. So I tried the GMER… it was scanning, got an error message that it had to be shut down. I rebooted my comp and got a blue screen of death stating that a program had either downloaded a driver or a driver was corrupt… causing the blue screen.

So I'm thinking, I don't really know anything about this GMER program, maybe it has to load a driver… (bear with me guys, I'm blond and not real computer literate to begin with)… So my intention was to get rid of GMER. In the meantime, I'm thinking I should check the boards again, just to see if anyone had posted anything more for me to do. Lo and behold what do I find? The post by BigMike with a link to a blog he found while searching the sysaudio.sys.

It seems as if the sysaudio.sys file wasn't the only variation. It's sneaky, it likes to make a new name for itself and hide in places that look legit. Whatever, so I find the second half of this little puzzle in the blog, and in my C:\Windows\system32 folder… mdmaud.sys. I put it in quarantine. Close all my browsers down, open a new one and try a search with Google. What do I get? Exactly what I'm looking for, no more redirects. I've got my fingers crossed now that it won't come back in a day or two.

So the fix seems to be to let Malwarebytes find the first file, sysaudio.sys, from the right spot and quarantine it. Then delete mdmaud.sys from the Windows\system32 folder… close your browser and open a new one. Type a search in Google and see if you get your search without redirecting.

Thanks go out to everyone who helped me and a big hug to BigMike for finding that blog. I'm posting the link also, very informative. miekiemoes' Blog: Fake sysaudio.sys causes Searchengine Hijack

You’re welcome.
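The files removed in this thread were `.sys` files sitting directly in `Windows\system32`. The following is an added example, not part of any post here, that lists such files when they carry a name from the thread or reuse the name of a file in `system32\drivers`; it assumes legitimate kernel drivers normally live in `drivers`, and the `-WindowsRoot` parameter is a name chosen for this sketch.

```powershell
# Added example: find .sys files placed directly in System32 that reuse the name
# of a driver in System32\drivers, or that carry a name reported in this thread.
param(
    # Point this at a mounted offline volume (e.g. 'E:\Windows') to inspect a
    # disk without booting the suspect system. Parameter name is an assumption.
    [string]$WindowsRoot = $env:SystemRoot
)

$sys32   = Join-Path $WindowsRoot 'System32'
$drivers = Join-Path $sys32 'drivers'

# File names taken from the thread.
$namedInThread = 'sysaudio.sys', 'mdmaud.sys'

# Index the driver directory by lower-cased file name.
$driverNames = @{}
Get-ChildItem -LiteralPath $drivers -Filter '*.sys' -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object { $driverNames[$_.Name.ToLower()] = $_.FullName }

$findings = Get-ChildItem -LiteralPath $sys32 -Filter '*.sys' -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $name = $_.Name.ToLower()
        [pscustomobject]@{
            Path          = $_.FullName
            ShadowsDriver = $driverNames.ContainsKey($name)
            NamedInThread = $namedInThread -contains $name
            Signature     = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
            Modified      = $_.LastWriteTime
            SHA256        = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    } |
    Where-Object { $_.ShadowsDriver -or $_.NamedInThread }

if ($findings) {
    # Review each hit before removing anything; quarantine rather than delete.
    $findings | Format-List
} else {
    "No .sys files in $sys32 match the thread's names or shadow a driver name."
}
```

A rootkit that is loaded can hide its files from this listing, which is the reason given above for scanning from a rescue CD; run against an offline volume for a result that does not depend on the infected system.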