Do you have pop-ups or your computer infected with trojan or spyware ? Learn how to ask us for help, click here!

How to remove Google searches redirect virus (remove Rootkit.Win32.Agent.fwt)

Redirect to is a result of wdmaud.sys trojan/rootkit activity. Once infected, google results redirected you to junk/scam sites. You can see the waiting for in the bottom of the browser. It is caused by the file C:\Windows\system32\wdmaud.sys (reported as Rootkit.Win32.Agent.fwt). The legitimate wdmaud.sys actually exists at C:\Windows\system32\drivers\. Use the free instructions below for removing the wdmaud.sys trojan/rootkit from your computer.

Use the following instructions to remove wdmaud.sys trojan/rootkit.

Step 1. Remove wdmaud.sys trojan/rootkit registry entries and files.

  • Please download OTM by OldTimer from here.
  • Run OTM, copy,then paste the following text in “Paste Instructions for Items to be Moved” window (under the yellow bar):
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
  • Click the red Moveit! button.
  • When the tool is finished, it will produce a report for you.

Step 2. Remove wdmaud.sys trojan/rootkit associated malware.

  • Download Malwarebytes Anti-Malware (MBAM). The program designed to quickly detect, destroy and prevent malware, spyware, trojans.
  • Once downloaded, close all programs and Windows on your computer (including this one).
  • Double-click on the icon named mbam-setup.exe to install the application.
  • When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select “Perform Quick Scan”, then click Scan.
  • MBAM will now start scanning your computer for malware. This process may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • MBAM will now delete all of the files and registry keys and add them to the quarantine.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.

Note: if you need help with the instructions, then post your questions in our Spyware Removal forum.

February 19, 2009 on 5:54 am | In Trojan, Tutorials - HowTo | 4 Comments |


RSS feed for comments on this post.

  1. Dear Patrik,
    I have the wdmaud.sys trojan, and I’d really appreciate your help.
    (1. above, the link to OTmoveIt3 does not work)
    2. for me, MBAM does not find the associated malware. It says that my computer is clean.
    Should I use the forum? Thanks in advance.

    Comment by laurent — June 23, 2009 #

  2. laurent, i have updated a link to OTMoveIt3 (now OTM). Please try follow these steps (above) again or ask help at our Spyware removal forum.

    Comment by Patrik — June 23, 2009 #

  3. Hi, I followed all the instructions on here but I still have those files and I’m still getting redirected to junk sites. When I restarted my computer, all of a sudden there was another wdmaud in my systems32 folder. Both are at 23 kb. Malwarebytes did not show any infected results.

    Comment by gemmy — July 19, 2010 #

  4. gemmy, try the instructions (step 1, variant 3).

    Comment by Patrik — July 20, 2010 #

Leave a comment

XHTML: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>


My Anti Spyware - Free antispyware programs and Spyware Removal Instructions.