Google, MSN, Yahoo Search 7.7.7.0 Redirector Malware HiJack
Google 7.7.7.0 Redirect Malware, Virus, Spyware…
UPDATE (11/27/2009 12:23PM EST)
I have removed the 7770finder.zip file from downloads. Malwarebytes’ Anti-Malware picks up this infection and cleans it successfully. Please visit http://www.malwarebytes.org/mbam.php and grab a copy of the free version. If you like their software, consider purchasing the full version for real-time protection!
UPDATE (3/07/2009 10:23AM EST)
I see that people are still having trouble with this and that there is a possible variant out there. I recommend you download MalwareBytes’ Anti-Malware and scan your computer using ‘Quick Scan’. If you want to schedule the scanner to scan at a certain time, please see my post http://www.techish.net/2009/01/24/malwarebytes-scheduled-scanning-updating-using-windows/ for further information on how to do this.
UPDATE (1/29/2009 9:18PM EST)
Uploaded a new version of 7770FINDER. This version includes directory recursion, and allows you to specify whether or not to use it along with a path argument. Read the README.txt in the ZIP for more information on how to use the commands if you are unfamiliar.
UPDATE (1/19/2009 6:30PM EST)
I’ve been getting a lot of email questioning why my tool did not remove found infected files. This tool does NOT remove any infected files. It is up to you to remove them. This tool also does not support directory recursion; e.g., it ONLY scans %SystemDir% files, no subfolders. Sorry.
UPDATE (1/15/2009 12:51PM EST)
I have been able to successfully re-infect myself and I can confirm this is being distributed via PDF JavaScript as I was monitoring processes and my system32\ directory as I visited a known vulnerable site. I also saw ~.exe process start up during my monitoring after I saw Acrobat.exe and acrotray.exe start up. Once infected, the processes (Acrobat, Acrotray) terminated.
To help prevent infection take the following actions:
Adobe Reader: Disable Adobe JavaScript functionality (Edit -> Preferences, go to the JavaScript entry and untick “Enable Acrobat JavaScript”)
Foxit Reader: Edit -> Preferences -> JavaScript (Uncheck the box)
Use NoScript Firefox Plugin
Tips thanks to Edvard and app103 over at DonationCoder
UPDATE (1/14/2009 11:17PM EST)
Update your PDF application and disable JavaScript.
UPDATE (1/14/2009)
Malwarebytes is able to detect the malware. Interestingly enough, it only detects it if it’s in the c:\windows\system32\drivers\ folder. I’m not sure what’s up with that. Update the application to ensure you’re using the latest definitions. If you know of any other Spyware/Malware/AV software that is detecting this, leave a comment. AVG supposedly detects this threat (posted by: Peter Liu).
Please let me know of any other software that detects this.
Removal Instructions
Detection Tool
Here’s what I know about this lovely little malware that hijacks Google, MSN Live, and I’m sure a few other popular search engines by injecting javascript in the header:
1) Redirects searches to 7.7.7.0
2) Displays what appear to be normal results, but in fact are linked to many other malware centric sites
3) Kaspersky (as of this writing) is the only application to detect the presence of this malware on your PC (and yes I’ve tried Malware Bytes, Spybot S&D, AntiVir, SuperSpyware)
4) The culprit file resides in c:\windows\system32\wdmaud.sys and should be removed, or renamed. Don’t remove the file from c:\windows\system32\drivers\wdmaud.sys.
5) After deleting/renaming the file, restart your browser(s) and you’ll be OK. Note: This affects IE and FF, I have not tested Opera, Netscape or Safari.
Here’s an example screenshot of what Google results look like when you are infected. Notice the Google links (green links) on the results page.
What I’d like to know is what that file has to do with the browser. The WDMAUD.sys file (the real one) deals with Windows High Definition Audio. Could this file have been placed there via a Flash vulnerability? I know I was on YouTube the night prior to being invaded.
I ran Process Monitor from Sysinternals and saw that Firefox and IE both called for wdmaud.sys, but in the c:\windows\system32\ directory, not in the drivers subfolder. Here’s a screenshot of that. If I move the infected file out of system32\ the redirection stops. If I put it back, the infection is back. The question that is burning me is HOW did it get there? What put it there?
So far, the infection is in c:\windows\system32\wdmaud.sys (or c:\winnt\system32\wdmaud.sys). Simply delete the file and restart any open web browsers.
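The observation above, that the browsers pick up a wdmaud.sys from c:\windows\system32 while the genuine driver lives in system32\drivers, is easy to turn into a check: look for every copy of the name in the directories the post mentions and flag the ones outside the driver directory. The script below is an added example, not the post’s 7770FINDER tool; it takes the Windows root as an argument so it can be run against a constructed sample tree (built by build_demo_tree, which is an assumption for demonstration) as well as a real C:\Windows.

```python
import hashlib
import os
import tempfile

# Directories the post reports the browsers probing for wdmaud.sys (Rich's
# reply to Eric lists system32, the Windows root, system32\drivers and
# system). Written as subpaths of a root argument so the check runs on any tree.
SEARCH_SUBDIRS = ("system32", "", "system32/drivers", "system")
LEGIT_SUBDIR = "system32/drivers"   # where the genuine driver lives, per the post


def file_md5(path):
    """MD5 of a file, read in chunks so large files do not need to fit in RAM."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_name_copies(windir, filename, subdirs=SEARCH_SUBDIRS):
    """Return (path, size, md5) for every copy of `filename` found directly in
    the search directories under `windir`; missing directories are skipped."""
    copies = []
    for sub in subdirs:
        if sub:
            path = os.path.join(windir, *sub.split("/"), filename)
        else:
            path = os.path.join(windir, filename)
        if os.path.isfile(path):
            copies.append((path, os.path.getsize(path), file_md5(path)))
    return copies


def flag_unexpected(copies, windir, legit_subdir=LEGIT_SUBDIR):
    """Copies whose directory is not the legitimate driver directory: these are
    the ones the browsers load from system32 and the ones the post says to
    delete or rename. The drivers copy is left alone, as the post warns."""
    legit_dir = os.path.normcase(
        os.path.abspath(os.path.join(windir, *legit_subdir.split("/"))))
    return [c for c in copies
            if os.path.normcase(os.path.abspath(os.path.dirname(c[0]))) != legit_dir]


def build_demo_tree():
    """Constructed sample tree (not a real Windows directory): a 64-byte
    stand-in for the genuine driver and a 32-byte stand-in for the rogue copy."""
    root = tempfile.mkdtemp(prefix="wdmaud-demo-")
    os.makedirs(os.path.join(root, "system32", "drivers"))
    with open(os.path.join(root, "system32", "drivers", "wdmaud.sys"), "wb") as f:
        f.write(b"L" * 64)
    with open(os.path.join(root, "system32", "wdmaud.sys"), "wb") as f:
        f.write(b"R" * 32)
    return root


if __name__ == "__main__":
    root = build_demo_tree()   # replace with r"C:\Windows" on a real system
    copies = find_name_copies(root, "wdmaud.sys")
    for path, size, digest in copies:
        print(f"{path}  {size} bytes  md5={digest}")
    for path, _, _ in flag_unexpected(copies, root):
        print("outside the driver directory (candidate for removal):", path)
```

Reporting size and MD5 alongside each path is what lets you tell the two copies apart before touching anything; the comments below show people with several same-named files (including in SysWOW64 on x64 systems) guessing which one to rename.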
If you do not find the wdmaud.sys file, or are unsure what to even look for, you may download a tool that we created that will investigate all the files in the Windows system directory. It doesn’t just specifically look for the wdmaud.sys file, but it looks for the signature in every file within that directory.
Compatible with: Windows XP (all SPs), Server 2000/2003/2008, and Vista.
Your use of this software indicates that you agree to the included disclaimer.
Download Tool Here (ZIP) (md5: F095664C7148A03878D545D9D6F2502E)
Tool Update (1/29/2009)
* Added 2 parameters: /r (recursion) /p (specify alternative path to scan)
Tool Update (1/16/2009)
* Prints path of file that is infected
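To show what the tool described above does (scan every file in a directory for a byte signature, optionally recursing, and report the path of each hit), here is an added example in Python. It is not 7770FINDER and the page does not publish the signature the tool matches, so DEMO_SIGNATURE is a constructed placeholder; the -r and -p options and build_scan_tree are assumptions that mirror the tool’s /r and /p and supply a sample tree to scan offline. Files that cannot be opened are counted as errors rather than aborting the scan, which is the “N errors” situation several commenters ask about.

```python
import argparse
import os
import tempfile

# The page does not publish the byte pattern 7770FINDER matches, so this is a
# constructed placeholder signature (assumption), not the real one.
DEMO_SIGNATURE = b"EXAMPLE-7770-SIGNATURE-PLACEHOLDER"
CHUNK = 1 << 20   # read files 1 MiB at a time


def contains_signature(path, signature):
    """True if `signature` occurs anywhere in the file. Reads in chunks and
    keeps a tail of len(signature)-1 bytes so a match straddling two chunks
    is still found."""
    keep = len(signature) - 1
    tail = b""
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                return False
            window = tail + chunk
            if signature in window:
                return True
            tail = window[-keep:] if keep else b""


def scan_for_signature(directory, signature, recursive=False):
    """Scan the files directly in `directory` (or the whole tree with
    recursive=True) for `signature`. Files that cannot be opened (permissions,
    locks) are recorded as errors rather than stopping the scan."""
    report = {"scanned": 0, "infected": [], "errors": []}
    if recursive:
        walker = os.walk(directory,
                         onerror=lambda e: report["errors"].append((e.filename, str(e))))
    else:
        walker = [(directory, [], os.listdir(directory))]
    for root, _dirs, names in walker:
        for name in names:
            path = os.path.join(root, name)
            if not os.path.isfile(path):
                continue          # skip subdirectories and special files
            try:
                hit = contains_signature(path, signature)
            except OSError as exc:
                report["errors"].append((path, str(exc)))
                continue
            report["scanned"] += 1
            if hit:
                report["infected"].append(path)
    return report


def build_scan_tree():
    """Constructed sample tree: one clean file and one carrying the placeholder
    signature at the top level, plus another carrier in a subdirectory that
    only a recursive scan reaches."""
    root = tempfile.mkdtemp(prefix="7770-demo-")
    sub = os.path.join(root, "drivers")
    os.mkdir(sub)
    with open(os.path.join(root, "clean.bin"), "wb") as f:
        f.write(b"\x00" * 4096)
    with open(os.path.join(root, "wdmaud.sys"), "wb") as f:
        f.write(b"\x90" * 100 + DEMO_SIGNATURE + b"\x90" * 100)
    with open(os.path.join(sub, "nested.sys"), "wb") as f:
        f.write(DEMO_SIGNATURE)
    return root


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="signature scan demo (mirrors the tool's /r and /p)")
    ap.add_argument("-r", "--recursive", action="store_true", help="recurse into subdirectories")
    ap.add_argument("-p", "--path", default=None, help="directory to scan (default: constructed demo tree)")
    args = ap.parse_args()
    target = args.path or build_scan_tree()
    rep = scan_for_signature(target, DEMO_SIGNATURE, args.recursive)
    for p in rep["infected"]:
        print("Infected File:", p)
    print(f"{rep['scanned']} file(s) scanned, {len(rep['infected'])} infected, "
          f"{len(rep['errors'])} error(s)")
```

Run with no arguments to scan the demo tree, or with -p and -r against a real directory. Like the tool, the script only reports; removing or renaming a flagged file remains a manual decision, and a non-zero error count usually means the scan was run without sufficient privileges to open some files.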
If you download the tool and find it useful, or don’t find it useful, I’d appreciate any feedback. You can leave a comment or send any questions/comments to rich@techish.net.
about 1 year ago
It’d be helpful if the tool listed the directory of the infected file(s) as well. It found wdmaul.sys to be infected, but my C:\Windows\system32\ directory didn’t have it, and I had 6 other directories that DID have a wdmaul.sys. I had to guess which one it was, rename it, then run the tool again to confirm. If it helps, I’m using Windows XP x64, and I found it in C:\Windows\SysWOW64\.
Also, I use Foxit Reader instead of Adobe Acrobat, and it looks like my version is stuck always running Javascript (no option to disable it — others have confirmed it runs Javascript), so I’m installing a newer version to disable it.
about 1 year ago
@Reed
1) I suspect you were using Foxit 2.2? Good idea to upgrade!
2) Sorry for the confusion; This has been updated (although shouldn’t matter to you now that you’ve found it) to include the path in which it found the infected file. Also, the program now supports an argument passed to the application for a path to scan the files inside. Just a note; No recursion takes place — so when it scans %SystemDir% it’s scanning only files inside %SystemDir%.
about 1 year ago
I am sorry, but the md5 hash generated by your file does not match the checksum provided …:(
I do not know why this should happen, unless … … …
about 1 year ago
vj,
The md5 is updated now and the correct md5 is: ac1980b2260f2af9344536ad573e0b35
I had been making updates to the application over the weekend and fell behind updating the post and the md5.
about 1 year ago
Thanks! Your program identified the infected file, I removed it. Life is good.
about 1 year ago
You know what strikes me as odd? (To all those who write browser hijacks like the one your program fixes) It’s that people even make browser hijacks like this. I mean why? And why make one so simple to kill? I mean, do you think I’ll actually try or have anything to do with anything on a site that I get redirected to by a stupid hijack?
I mean all you end up doing is wasting a few minutes of my time. (I’ve known which file to delete actually before even coming and just found this page via google search since my google is working.)
I mean why do people do this to others? Do you really think advertising like this actually works?
about 1 year ago
@Shadow Mage
Well, if it didn’t work and probably didn’t generate a profit in some manner, people wouldn’t do it right?
I had the same questions when I was trying to determine where this was coming from and how I infected myself. It did disturb me as to why it was so simple to eliminate and I was briefly paranoid as to whether or not there was a bigger problem behind the scenes than at first hand.
Without becoming too much of a conspiracy theorist… maybe it’s the A/V companies hiring ‘hackers’ to create these annoyances so that they can keep the business alive. Hackers are job security for A/V companies. Just a random thought…
about 1 year ago
I ran the scan, and it said nothing was infected, but there were 4 errors. What does this mean?
about 1 year ago
I accidentally put my email in the name error in my previous post. Can you remove my email address?
about 1 year ago
@Anonymous:
Removed the email in name box.
The errors can indicate permissions issue typically or unreadable file.
about 1 year ago
Wish I had read this post before I reinstalled Windows on my son’s computer! I tried Norton, Spybot, CounterSpy, and several other “well known” programs with no success. What a simple fix for the problem!
about 1 year ago
When you say permissions issue, do you mean the system is too permissive or not permissive enough?
about 1 year ago
@Anonymous:
It means that either you do not have sufficient privileges to open the file due to security settings, or there could be another issue.
Did you run the scanner as a local system administrator?
about 1 year ago
I can’t thank you enough for your simple write up on this hijack.
Luckily, Ask.com wasn’t affected. :)
about 1 year ago
If you mean did I select the option run it as administrator, no I didn’t. The account does have administrative privileges. Do I need to select the option run as administrator?
about 1 year ago
Thanks so much. I’ve been trying for 2 weeks to get the 7.7.7.0 google thing off my system. Your program identified the infected wdmaud.sys and I deleted it and so far so good. I swear I tried this before but it kept coming back. Now it seems to be gone for good. I did disable acrobat javascript like you suggested so maybe that’s why it’s not coming back?
about 1 year ago
This turned up on my wife’s computer today. It’s interesting that under MY login, I wasn’t affected. I’ve sent that file up to Spybot (and probably will send it to Lavasoft too).
And after many scans with AVG showing nothing. I think people are reporting this as a false positive when it’s actually a real thing.
about 1 year ago
@Bryan Price
Did you use my tool also? I’d be interested in seeing the results. User account shouldn’t matter (AFAIK) unless we’re into a variant stage already (?). If the scan tool I created doesn’t detect that file, can you please send it to me also? I’d like to investigate further. You can simply email it to me if you’d like.
about 1 year ago
I can’t thank you enough for this!! I had done just about everything – including making the hosts file read only (which was being overwritten every time I re-booted). I must have had several infections, and on top of that I downloaded rogue anti-spyware – but I have now removed wdmaud from the windows\system32 directory and my whole system is back to normal!! YIPPEE
about 1 year ago
Thank you so much for this simple fix. I removed the file, and search engines are no longer directed to 7.7.7.0
By the way, to aid people with selecting which wdmaud to remove (I had two) – I removed the one whose description was “Miekimouse rules” or something to that effect.
about 1 year ago
I was directed to your site after noting the slight delay in Firefox when googling, and the “Waiting for 7.7.7.0” message in the lower right corner. Submitting WDMAUD.SYS to virustotal.com confirmed it was infected.
My question is: once your PC gets this, what mechanism hooks it to Firefox/IE? Close Firefox with the file gone and no problem – reinsert WMDAUD.sys and restart Firefox and it’s back.
about 1 year ago
@Eric
I spent a little time researching and trying to figure it out myself. I’m unsure still to this day. What I do know is that Firefox was looking for not only the wdmaud.sys file in c:\windows\system32, but also in c:\windows, c:\windows\system32\drivers, c:\windows\system.
I initially thought it was related to flash because of this audio-related driver file (I surmise) but I was actually infected via PDF JavaScript. Who knows anymore, I just haven’t had much time to devote to tracking this down.
Come to think of it, I just ran across a site (chicagotech.com) that must have a vulnerability because one of its sub-pages has this exploit and attempted to launch Acrobat, but I have JS disabled in Acrobat so it did not successfully infect me.
If anyone does find out WHAT is calling this file in Firefox and for what purpose it does actually serve, please let me know!
about 1 year ago
Thanks – and if I stumble across the answer somewhere myself I’ll post back. The other thing I noted about wmdaud.sys is the date-time stamp: in my case, 4/18/2007 11:25 AM (14,336 bytes). I use Google all the time so this thing slipped in only the past few days, yet I can’t pinpoint the exact infection time and go back and look for other files with the same time stamp.
about 1 year ago
Hey; thanks to your instructions I was able to get rid of this annoying redirect, so thanks a lot!
I’m an Opera user and it was affecting me as well. For some reason, after deleting cookies and cache yahoo started working again but google was still giving bogus links. I noticed that using an open proxy would solve the problem. Thankfully I found this page.
I was wondering if in Altavista.com anyone has the MP3/Audio, Video and Directory tabs missing as well. I thought it might have to do with wdmaud.sys, but I’ve deleted it and Altavista is still like that. Not that important, but I was worried maybe I had another variation of wdmaud.sys, since I read that sysaudio.sys in the same directory does a similar thing.
about 1 year ago
@Arsenic
Not sure about the Altavista.com thing… but, if you download the tool I created and run it, it will scan all the files in your %SystemDir% (c:\windows\system32 typically) for the signature from wdmaud.sys.
You may want to recursively scan your %SystemDir% also using the command line option of my tool: 7770FINDER.exe /r
If nothing is found, I would also recommend downloading MalwareBytes’ application from http://www.malwarebytes.org/mbam.php and scan your system (Quick Scan) to see if it detects any other present malware.
Thanks,
Rich
about 1 year ago
Every time I delete wdmaud.sys from my computer, it just recreates itself in the same place. Is there any way I can get rid of it permanently?
about 1 year ago
@Dylan
If you ran the scan tool I created, which file(s) show infected? Can you paste them here in another comment for me.
Thanks
about 1 year ago
It calls out wdmaud.sys as it should, but every time I delete it from system32, it just pops back up a few minutes later. I’ve tried doing it with and without Javascript turned on, but so far nothing’s worked.
about 1 year ago
@Dylan
Does it pop back up only if you use your browser, or can you delete it and sit there and watch it regenerate? I created a little application that monitors system32\ specifically to watch for file creations, access, modifications etc. while I was tracking down the site I got this from.
Let me know if it’s regenerating _after_ you open your browser, or if it does it without. What web browser(s) are you using also? One idea would be to run the browser in safe mode and also to clear out your cache.
about 1 year ago
I’m running on Firefox. I sat back and deleted it to the Recycle Bin and watched it pop up again while Firefox was closed. I cleared the cache, but nothing happened.
about 1 year ago
Found wdmaud.sys in c:\windows\system32 and renamed it. Worked a treat. Thanks a lot. I can now run google search again – though, in the meantime, I’ve found that AltaVista has a much cleaner interface with no adverts.
about 1 year ago
Brilliant tool. Thanks Richard!
My only regret is that I didn’t come across your program before spending $30 on spysweeper (which ultimately was unable to pick up this little glitch).
about 1 year ago
Ok, this might be a tricky one. I’ve used the tool; it says “Infected File: C:\WINDOWS\system32\wdmaud.sys” but when I search for this file on normal Windows search, it doesn’t appear. Only the .DRV
And yes; I’ve enabled “hidden files” and “system files”. I’ve done a search within DOS for this file also with no results. If this helps I use XP64 Prof. Edition
Directory of C:\WINDOWS\inf
25-03-2005 13:00 21.461 wdmaudio.inf
04-01-2008 18:13 41.100 wdmaudio.PNF
2 File(s) 62.561 bytes
Directory of C:\WINDOWS\system32
24-03-2005 17:34 36.352 wdmaud.drv
1 File(s) 36.352 bytes
Directory of C:\WINDOWS\system32\dllcache
24-03-2005 17:34 36.352 wdmaud.drv
17-02-2007 01:02 187.904 wdmaud.sys
2 File(s) 224.256 bytes
Directory of C:\WINDOWS\system32\drivers
17-02-2007 01:02 187.904 wdmaud.sys
1 File(s) 187.904 bytes
Directory of C:\WINDOWS\system32\ReinstallBackups001\DriverFiles\amd64
24-03-2005 17:34 36.352 wdmaud.drv
1 File(s) 36.352 bytes
Directory of C:\WINDOWS\SysWOW64
25-03-2005 13:00 23.552 wdmaud.drv
18-02-2007 16:05 19.456 wdmaud.sys
2 File(s) 43.008
about 1 year ago
Thanks ~ renaming file did the trick.
about 1 year ago
removed the tosser too.
about 1 year ago
I’ve got this crap too. I can’t afford to renew my Kaspersky.
I downloaded the tool but it didn’t find anything. When I do a search for wdmaud.sys I find it here.
C:\WINDOWS\system32\drivers -this is the legit file?
C:\WINDOWS\driver cache\i386\sp2.cab -it only allows me to copy or extract this
When I look in the C:\WINDOWS\system32 folder and scroll down manually I find wdmaud but it won’t let me delete it. This file also says it was modified over 5 years ago.
What should I do?
about 1 year ago
Actually, I just found out that was the wdmaud.drv file
I scrolled all the way down and found the .sys file
I delete it and it comes right back…
about 1 year ago
Is it possible that this darn thing has evolved? I can’t find wdmaud.sys. I tried the recursive search as an Admin in Safe Mode and I came up with 10 skipped, 10 errors…thoughts? (and thanks!)
about 1 year ago
It looks like this has most likely evolved since I wrote this back in January.
If you don’t already have it, I would recommend downloading the free edition of Malwarebytes from http://www.malwarebytes.org/mbam.php
See what comes up when you perform a ‘Quick Scan’ with that.
about 1 year ago
Hi Richard, thanks for the follow up. I did download malwarebytes and it fixed the problem. A few notes to others in the future:
1.) you won’t be able to actually get to the site from your infected computer. I downloaded onto another machine. you’ll either have to transfer over on USB or get through networked computers
2.) once you copy the setup files to your infected machine you have to rename the setup file (the .exe) to install (tricky trojan)!
3.) THEN, once installed, you have to rename the mbam.exe for it to run!!! I changed it to mbam.bat. It ran and fixed the issue! Then, in order for it to successfully delete I needed to reboot (make sure to change the mbam back to mbam.exe).
HTHs save others some grief!!! This was surprisingly quick and easy!
about 1 year ago
@Adrienne
Glad you’re cleaned up. I’m not sure the transport method of this variant but I would recommend disabling JavaScript in Adobe Reader or Foxit PDF if you have them. This is how the original was distributed (AFAIK). Thanks for posting back your results; it will indeed help others. And of course, make sure you keep up-to-date with all your Windows Updates and Microsoft Updates (two separate updates) along with Adobe/Foxit software updates.
If you (or anyone reading this) wants to get a little further into making sure software installed on your computer are up-to-date, you can use the following two programs (I typically use them also):
1) MBSA (Microsoft Baseline Security Analyzer): http://technet.microsoft.com/en-us/security/cc184924.aspx
2) Secunia PSI (Personal edition is free: http://secunia.com/vulnerability_scanning/personal/)
MBSA is geared more toward your computer security settings, Microsoft related software, and Windows updates/hotfixes.
PSI is geared toward the Microsoft/Windows updates and hotfixes/patches along with checking to make sure your installed software versions do not have vulnerabilities in them. If they do have vulnerabilities, PSI makes it easy to show you how to update your software by usually providing links or further information on what should be done.
Happy computing =)
about 1 year ago
I have all the symptoms but not the file……I’m at ‘my wits end’!!!
Could it be something else?
Deana
about 1 year ago
@Deana
Have you downloaded and scanned using MalwareBytes yet? (http://www.malwarebytes.org/)
about 1 year ago
I’ve been having problems with my computer too. But it hasn’t been going to 7.7.7.0. It’s taking me to several websites but I notice on the URL bar it says http://www.search-march.com=(WHAT YOU SEARCHED ON GOOGLE) Does anyone know about this?? I search everywhere and it still redirects my searches.
about 1 year ago
@kane,
Visit http://malwarebytes.org/mbam-download.php and download MalwareBytes Anti-Malware and scan your system. The download is pretty small (~2.74MB).
about 1 year ago
ARARARRGGGHH!!!!!
I’m not good with computers and I’ve got this damn redirecting thing on my laptop – I swear to god if I ever hear someone bragging about being involved in creating viruses I’ll beat the living crap out of them.
about 1 year ago
Ok so I’ve downloaded the malwarebytes programme but my laptop won’t run it……. I’ve tried the tool on this site but it doesn’t locate any infection……. I’ve tried looking for the system32/mdmaud/sys file but the file I found is a drv file (don’t know what that means). I’m running Vista.
So basically I’d like some advice, before I have to quit my job and embark on a world tour to find and destroy the evil virus creating sonsabitches.
: )
about 11 months ago
Thanks! Can’t believe how simple this was after the endless hours of trying to find the answer.
I think I have a unique problem. I run a really small non-profit website (basically a bulletin board) that appears to be the source of the infection, as every time I go there I get this virus. Do you have any idea how I can get it so it doesn’t infect our visitors?
Thanks!
about 11 months ago
@Steve,
If you host the site (your own server(s)), run a scan on them with MalwareBytes’ AntiMalware Scanner.
If they are hosted by a company there are a couple possibilities:
1) The source code of the web pages is infected with lines of code that perform the vulnerability exploits.
2) The provider (hosting company) is infected on that server or servers and you should notify them.
3) If you use some type of messaging system, make sure the messaging system platform or bulletin board software is up-to-date. I see that this is probably going to be the best chance of fighting this off as typically (from what I’ve seen) most of the sites carrying this distribution of malware was running PHP Bulletin Board that was out of date and didn’t have the patches applied to prevent certain XSS/SQL or other types of website attacks.
Thanks,
Rich Kreider
about 11 months ago
Rich, I’ve tried every solution you offer here, and still have some sort of a Google redirect virus problem. I found a wdmaud file in the exact location you suggested, but it appears to be .ddv, not .sys, and your download tool didn’t identify a bug. Is it possible I’ve picked up another, perhaps nastier form of the redirect virus, and are you aware of any possible solutions? Thanks, hope you can help.