7.7.7.0 Browser Hijack Virus

Edvard:
OK, apparently this started around the middle of last month, and it's still happening. It's happened twice to my co-worker and I wonder if there's a definite fix as the AV companies apparently haven't nailed it down yet.
Here's what's happening...

All Google and Yahoo searches through IE and Firefox are being redirected through the address 7.7.7.0
When using Firefox, you'll notice "7.7.7.0" instead of "connecting to Google" in the status bar.
The subsequent search terms show relevant results in the text and all, but the associated links are horribly wrong.
When this happens, you will also find a file named wdmaud.sys and/or sysaudio.sys in C:\windows\system32.
Also there will be an associated registry entry at HKLM\Software\Microsoft\Windows NT\Current Version\drivers32
It will be a key named "aux" with a value of "wdmaud.sys"
The general consensus of opinions is that the attack vector is a tainted PDF that gets payloaded from a banner ad or hidden iframe, and it may also be a rootkit.

Have you come across this?
If so, did you get rid of it?
How?
Where did you find the most helpful advice?

Temporary fixes include turning off javascript, redirecting 7.7.7.0 to Google via a HOSTS file, all kinds of things.
The reality is that this is a new threat that needs to be dealt with quickly.

Read up:
http://www.google.com/search?q=7.7.7.0+redirect

Edit: Changed title of topic so folks know this is about a virus, not just a personal annoyance.
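
Added example, not part of the original posts: a PowerShell check for the file and registry indicators described in the post above. It assumes PowerShell 3.0 or later and writes the registry key as `CurrentVersion`, the way Windows names it; the output layout is this example's own.

```powershell
# Added example: checks only the indicators listed in the post above.
# Run from an elevated prompt. The post notes the malware may be a rootkit,
# so a clean result from a live system is not conclusive.

$system32  = Join-Path $env:SystemRoot 'System32'
$drivers32 = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32'
$findings  = @()

# Indicator: wdmaud.sys and/or sysaudio.sys directly in System32.
foreach ($name in 'wdmaud.sys', 'sysaudio.sys') {
    $path = Join-Path $system32 $name
    # -Force also returns files carrying the hidden or system attribute.
    $file = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    if ($file) {
        $sig = Get-AuthenticodeSignature -FilePath $path
        $findings += [pscustomobject]@{
            Indicator = 'File in System32'
            Item      = $path
            Detail    = "size=$($file.Length) modified=$($file.LastWriteTime.ToString('s')) signature=$($sig.Status)"
        }
    }
}

# Indicator: value "aux" with data "wdmaud.sys" under Drivers32.
$aux = (Get-ItemProperty -LiteralPath $drivers32 -Name 'aux' -ErrorAction SilentlyContinue).aux
if ($aux -and $aux.Trim() -ieq 'wdmaud.sys') {
    $findings += [pscustomobject]@{
        Indicator = 'Drivers32 aux value'
        Item      = "$drivers32\aux"
        Detail    = "data=$aux"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'None of the indicators from the post were found.'
} else {
    $findings | Format-List
}
```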

Edvard:
Here's a tool that may help:
http://www.techish.net/2009/01/10/google-7770-redirector-malware-tool/

In the meanwhile, to prevent infections, there are a few things you can do.
Firefox: Use the NoScript extension.
Internet Explorer: Crank down your javascript permissions or disable it altogether in the "Internet Options" dialog.
Adobe Reader: Turn off Adobe Javascript.
To do that, open Adobe Reader, and hit Edit > Preferences.
Then go to the Javascript entry and tick off the "Enable Acrobat Javascript".

Any other pointers?

app103:
Foxit Reader:

Go to Edit>Preferences>Javascript

uncheck the box

PhilB66:
Thanks Edvard for the heads up. There's a good discussion @ Browser Redirect to 7.7.7.0 - interesting - dslreports.com.

f0dder:
This sounds nasty - good thing I don't have adobe pdf reader installed (I wonder if foxit et al are vulnerable, even with javascript support enabled).

NoScript + AdBlockPlus = :-*
