therube

join:2004-11-11
Randallstown, MD

reply to rjkreider

Re: Browser Redirect to 7.7.7.0 - interesting

@rjkreider

What browser (& version) are you running?

If you close FF, are any other processes attempting to access wdmaud.sys?

If you reopen FF, do the attempts to open wdmaud.sys restart?

If you start FF in Safe Mode, do the attempts to open wdmaud.sys restart?

Do you have any FF extensions or plugins installed?

If you open IE, does it attempt to open wdmaud.sys?


rjkreider

@rr.com

[Screenshot: Firefox in Process Monitor]
FF 3.0.5
Addons: Java QuickStarter 1.0, Logmein 1.0.0.395, Microsoft .NET Framework Assistant 1.0

No other processes are accessing wdmaud.sys when FF/IE are closed.

When I open FF in safemode (and IE) they both still load it. That was one of the first things I tried.

I suppose I'll spend some time tonight digging into what wdmaud.sys is used for (suspect audio) in FF/IE and where FF/IE are configured to look for wdmaud.sys. I searched the registry for ASCII "wdmaud.sys" and it points to my %SystemDir%\drivers\wdmaud.sys. I can't find any other keys/values that point to %SystemDir%\wdmaud.sys. I suspect this is just a "default" behaviour for FF/IE to search c:\windows\system32, c:\windows, c:\windows\system, c:\windows\drivers, c:\program files\mozilla firefox for this file?

I'll run some debugs and see what I can dig up with filemon too.

Thanks,

Rich Kreider


therube

join:2004-11-11
Randallstown, MD


reply to amungus
Is this the same, or an earlier variant: How to remove trojan DNSChanger (DNS hijacking and copy-book.com virus)?

Note the more extensive list of files, folders, drivers, registry entries ...

Also note the date of the article, November 2007.

Other posts, tidbits mentioned ...

the file, C:\windows\system32\sysaudio.sys

disabling JavaScript stopped the redirects to 7.7.7.0

the malware is inserting script src = 7.7.7.0 in the head of a Google search results page

NameServer = 85.255.116.86,85.255.112.157

Also there will be an associated registry entry at HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32. It will be a value named "aux" with the data "wdmaud.sys".



rjkreider

@rr.com

reply to rjkreider
Ok, I figured out why all those wdmaud.sys files were being searched for, the entry is in the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\

Mine had aux2="wdmaud.sys"

Removed that and it did not try to search for wdmaud.sys when it loads (FF and IE).

Figured I'd post back in case anyone is interested or was following what I was reporting...Still not sure how that got put there; probably was put there initially by the PDF script vulnerability. What's weird is that it also looked for wdmaud.sys in My SQL Express program directory and even a couple other oddball directories. Hmmph.

Thanks,

Rich Kreider



Mutman

@ip.telfort.nl

reply to amungus
Hello guys, I had the same problem (got it since yesterday). I googled and found this site. Started reading the first page and decided to look in my system32 folder for the nasty wdmaud.sys. I discovered two, so I could not decide which one I could delete; the date seemed fine on both files. But then I looked at the description. One of the wdmaud.sys files had the description "miekiemoes rules". I didn't like the sound of that and decided to remove that one, and voilà. It worked.
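An added triage script, not code from the original thread or any of its posters: it pulls together the three checks the posts above describe (rjkreider's Drivers32 finding of aux2="wdmaud.sys", the NameServer addresses therube quoted, and Mutman's trick of telling the two wdmaud.sys copies apart by their file description). It is read-only and reports only; it does not delete anything. Assumptions, labelled in the comments: the legitimate kernel driver lives in %SystemRoot%\system32\drivers, legitimate Drivers32 values name user-mode modules (.drv/.dll/.acm) rather than a .sys file or an explicit path, and the two IP addresses are taken from the thread as a sample indicator list, not a complete one.

```powershell
# Added example for this thread, not original code from the posters.
# Read-only triage for the Drivers32 / wdmaud.sys hijack and the DNS settings.
# Run in an elevated PowerShell on the suspect host.

$Drivers32Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32'
$SystemDir    = [Environment]::SystemDirectory      # e.g. C:\Windows\system32
$IfaceKey     = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
# Name servers quoted in therube's post; a sample IOC list, not an exhaustive one.
$KnownBadDns  = @('85.255.116.86', '85.255.112.157')

# 1. Drivers32: every value here is a module that winmm loads into any process
#    that initialises audio (FF and IE do). A value like rjkreider's
#    aux2="wdmaud.sys" sends each such process down the DLL search path looking
#    for that file, which is why Process Monitor showed it probing odd folders.
#    Assumption: legitimate data here ends in .drv/.dll/.acm and carries no path.
function Get-Drivers32Findings {
    $key = Get-Item -Path $Drivers32Key
    foreach ($name in $key.GetValueNames()) {
        $data = [string]$key.GetValue($name)
        New-Object PSObject -Property @{
            ValueName  = $name
            Data       = $data
            Suspicious = ($data -match '\.sys$') -or ($data -match '[\\/]')
        }
    }
}

# 2. Every wdmaud.sys on the system drive with its version resource, Authenticode
#    status and hash. Mutman spotted the rogue copy by its FileDescription; an
#    unsigned copy outside system32\drivers is the general form of that check.
#    Assumption: the only expected location is %SystemRoot%\system32\drivers.
function Get-WdmaudCopies {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    Get-ChildItem -Path "$env:SystemDrive\" -Filter 'wdmaud.sys' -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $bytes = [System.IO.File]::ReadAllBytes($_.FullName)
            New-Object PSObject -Property @{
                Path        = $_.FullName
                Description = $_.VersionInfo.FileDescription
                Company     = $_.VersionInfo.CompanyName
                Signature   = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
                SHA256      = ([System.BitConverter]::ToString($sha.ComputeHash($bytes))) -replace '-'
                Expected    = ($_.DirectoryName -ieq (Join-Path $SystemDir 'drivers'))
            }
        }
}

# 3. Per-interface DNS servers (static and DHCP-assigned), flagging the ones
#    quoted in the thread. Anything you do not recognise as your ISP's or your
#    own resolver deserves a second look even if it is not on the list.
function Get-DnsFindings {
    Get-ChildItem -Path $IfaceKey | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        foreach ($field in 'NameServer', 'DhcpNameServer') {
            $raw = [string]$props.$field
            if ($raw) {
                $servers = $raw -split '[ ,]+' | Where-Object { $_ }
                New-Object PSObject -Property @{
                    Interface = $_.PSChildName
                    Field     = $field
                    Servers   = ($servers -join ',')
                    IocMatch  = [bool]($servers | Where-Object { $KnownBadDns -contains $_ })
                }
            }
        }
    }
}

'== Drivers32 =='
Get-Drivers32Findings | Format-Table ValueName, Data, Suspicious -AutoSize
'== wdmaud.sys copies =='
Get-WdmaudCopies | Format-List
'== DNS per interface =='
Get-DnsFindings | Format-Table Interface, Field, Servers, IocMatch -AutoSize
```

The Drivers32 check deliberately does not flag wave/midi/aux entries whose data is wdmaud.drv, the user-mode audio driver those entries normally point at; only a .sys name or a path in that key is reported. The full-drive search in Get-WdmaudCopies is slow on a large disk; narrow -Path to the Windows directory and the Program Files tree if you only want the locations the thread mentions. The thread's own fix, deleting the rogue aux2 value and the rogue file, is left to you to do by hand after reading the report.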

© 1999-2012 dslreports.com.