Google, MSN, Yahoo Search 7.7.7.0 Redirector Malware HiJack
Google 7.7.7.0 Redirect Malware, Virus, Spyware…
UPDATE (11/27/2009 12:23PM EST)
I have removed the 7770finder.zip file from downloads. Malwarebytes’ Anti-Malware picks up this infection and cleans it successfully. Please visit http://www.malwarebytes.org/mbam.php and grab a copy of the free version. If you like their software, consider purchasing the full version for real-time protection!
UPDATE (3/07/2009 10:23AM EST)
I see that people are still having trouble with this and that there is a possible variant out there. I recommend you download MalwareBytes’ Anti-Malware and scan your computer using ‘Quick Scan’. If you want to schedule the scanner to scan at a certain time, please see my post http://www.techish.net/2009/01/24/malwarebytes-scheduled-scanning-updating-using-windows/ for further information on how to do this.
UPDATE (1/29/2009 9:18PM EST)
Uploaded a new version of 7770FINDER. This version includes directory recursion, and allows you to specify whether or not to use it along with a path argument. Read the README.txt in the ZIP for more information on how to use the commands if you are unfamiliar.
UPDATE (1/19/2009 6:30PM EST)
I’ve been getting a lot of email questioning why my tool did not remove found infected files. This tool does NOT remove any infected files. It is up to you to remove them. This tool also does not support directory recursion; i.e., it ONLY scans files directly in %SystemDir%, not in subfolders. Sorry.
UPDATE (1/15/2009 12:51PM EST)
I have been able to successfully re-infect myself and I can confirm this is being distributed via PDF JavaScript as I was monitoring processes and my system32\ directory as I visited a known vulnerable site. I also saw ~.exe process start up during my monitoring after I saw Acrobat.exe and acrotray.exe start up. Once infected, the processes (Acrobat, Acrotray) terminated.
To help prevent infection take the following actions:
Adobe Reader: Disable Adobe JavaScript functionality (Edit -> Preferences, go to the JavaScript entry and untick “Enable Acrobat JavaScript”)
Foxit Reader: Edit -> Preferences -> JavaScript (Uncheck the box)
Use NoScript Firefox Plugin
Tips thanks to Edvard and app103 over at DonationCoder
UPDATE (1/14/2009 11:17PM EST)
Update your PDF application and disable JavaScript.
UPDATE (1/14/2009)
Malwarebytes is able to detect the malware. Interestingly enough, it only detects it if it’s in the c:\windows\system32\drivers\ folder. I’m not sure what’s up with that. Update the application to ensure you’re using the latest definitions. If you know of any other Spyware/Malware/AV software that is detecting this, leave a comment. AVG supposedly detects this threat (posted by: Peter Liu).
Please let me know of any other software that detects this.
Removal Instructions
Detection Tool
Here’s what I know about this lovely little malware that hijacks Google, MSN Live, and I’m sure a few other popular search engines by injecting JavaScript into the page header:
1) Redirects searches to 7.7.7.0
2) Displays what appear to be normal results, but in fact are linked to many other malware centric sites
3) Kaspersky (as of this writing) is the only application to detect the presence of this malware on your PC (and yes I’ve tried Malware Bytes, Spybot S&D, AntiVir, SuperSpyware)
4) The culprit file resides in c:\windows\system32\wdmaud.sys and should be removed, or renamed. Don’t remove the file from c:\windows\system32\drivers\wdmaud.sys.
5) After deleting/renaming the file, restart your browser(s) and you’ll be OK. Note: This affects IE and FF, I have not tested Opera, Netscape or Safari.
Here’s an example screenshot of what Google results look like when you are infected. Notice the Google links (green links) on the results page.
What I’d like to know is what that file has to do with the browser. The WDMAUD.sys file (the real one) deals with Windows High Definition Audio. Could this file have been placed there via Flash vulnerability? I know I was on YouTube the night prior to me being invaded.
I ran Process Monitor from SysInternals and saw that Firefox and IE both called for wdmaud.sys in the c:\windows\system32\ directory, not in the drivers subfolder. Here’s a screenshot of that. If I move the infected file out of system32\ the redirection stops. If I put it back, the infection is back. The question that is burning me is HOW did it get there? What put it there?
So far, the infection is in c:\windows\system32\wdmaud.sys (or c:\winnt\system32\wdmaud.sys). Simply delete the file and restart any open web browsers.
If you do not find the wdmaud.sys file, or are unsure what to even look for, you may download a tool that we created that will investigate all the files in the Windows system directory. It doesn’t just look for the wdmaud.sys file specifically; it looks for the malware’s signature in every file within that directory.
Compatible with: Windows XP (all SPs), Server 2000/2003/2008, and Vista.
Your use of this software indicates that you agree to the included disclaimer.
Download Tool Here (ZIP) (md5: F095664C7148A03878D545D9D6F2502E)
Tool Update (1/29/2009)
* Added 2 parameters: /r (recursion) /p (specify alternative path to scan)
Tool Update (1/16/2009)
* Prints path of file that is infected
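As an added example (not the 7770FINDER tool itself, whose signature is not published on this page), the following Python script applies only the location rule stated above: a wdmaud.sys anywhere under the system directory except the drivers\ subfolder is reported together with its MD5, in both the tool’s default root-only mode and its /r recursive mode. It is run against a constructed temporary tree, so it is safe to try offline; point scan_for_wdmaud at a real %SystemRoot%\system32 to use it for triage.

```python
import hashlib
import os
import tempfile

ROGUE_NAME = "wdmaud.sys"
LEGIT_SUBDIR = "drivers"  # the genuine driver lives in system32\drivers\; leave it alone


def file_md5(path):
    """Upper-case hex MD5 of a file, handy when reporting a hit to an AV vendor."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest().upper()


def scan_for_wdmaud(root, recurse=False):
    """Return [(path, md5)] for every wdmaud.sys under root that is NOT inside
    root/drivers. recurse=False mirrors the tool's default (root folder only)."""
    walker = os.walk(root) if recurse else [(root, [], os.listdir(root))]
    hits = []
    for dirpath, _subdirs, names in walker:
        top = os.path.relpath(dirpath, root).split(os.sep)[0].lower()
        if top == LEGIT_SUBDIR:
            continue  # legitimate location: skip the whole drivers\ subtree
        for name in names:
            full = os.path.join(dirpath, name)
            if name.lower() == ROGUE_NAME and os.path.isfile(full):
                hits.append((full, file_md5(full)))
    return hits


def hit_dirs(hits, root):
    """Sorted directory names of the hits relative to root ('.' is root itself)."""
    return sorted(os.path.relpath(os.path.dirname(p), root) for p, _ in hits)


def build_demo_tree():
    """Constructed stand-in for system32: one legitimate copy in drivers\\,
    one rogue copy in the root, one rogue copy in an unrelated subfolder."""
    root = tempfile.mkdtemp(prefix="sys32demo_")
    for sub in (LEGIT_SUBDIR, "sub"):
        os.mkdir(os.path.join(root, sub))
    for rel in (ROGUE_NAME, LEGIT_SUBDIR + "/" + ROGUE_NAME, "sub/" + ROGUE_NAME):
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(b"constructed sample bytes, not a real driver: " + rel.encode())
    return root
```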
If you download the tool and find it useful, or don’t find it useful, I’d appreciate any feedback. You can leave a comment or send any questions/comments to rich@techish.net.
about 2 months ago
Amoss,
Your hosts file looks normal to me. Mine actually had a whole list of things that shouldn’t have been there, which I managed to delete, but the Google results redirecting is still happening, and Malwarebytes still doesn’t find anything wrong.
about 1 month ago
I have the same problem.
If I click on any link displayed in Google or Bing, or msn search, I get redirected to an unrelated website, which is different each time.
Sometimes it is to a travel website, sometimes to a shopping website, sometimes to a rogue spyware site that pretends to scan your PC for viruses and malware. Clicking CANCEL on the page does nothing; you have to click the X close box, top right.
Malwarebytes, spybot, adaware, norton 360, avg, Microsoft security essentials, all report the system as clean.
I have booted and scanned in SAFE mode for those programs that allow a safe mode scan.
I have checked, I do not have the c:\windows\system32\wdmaud.sys file.
I do have c:\windows\system32\drivers\wdmaud.sys
I have checked the C:\WINDOWS\SYSTEM32\DRIVERS\etc\hosts file
The only URL shown is 127.0.0.1 LOCAL HOST
Other lines in the file are all prefixed with # (assumed to be a comment)
I have checked the running processes and loaded files using Hijackthis
There appears to be nothing unusual.
Any ideas would be greatly appreciated. I have spent two days on this, I am tearing my hair out!
about 1 month ago
I forgot to mention, it happens in both Firefox (latest version) and IE8.
about 2 weeks ago
Same problem… except I deleted Wdmaud and I still have it. And on my computer, no matter how much I delete Wdmaud, it keeps coming back.