mywebclipboard: January 2009

Friday, January 16, 2009

7.7.7.0 browser search hijack

issue is that google, yahoo, and windows live search results all get redirected through this site before reaching the real destination, so the result titles look legitimate but the sites they actually lead to are not.

the malicious file is c:\windows\system32\wdmaud.sys. pretty sneaky, and i'm sure another variant will come along shortly with a different name and payload method. there are no registry keys tied to this hijack, which is probably why the a/v and anti-malware apps aren't finding it. the file details of the malicious file even match the valid one: same byte count and same date modified. very sneaky.

not to be confused with c:\windows\system32\drivers\wdmaud.sys, which is a valid system file and should NOT be removed.

close all browsers, and verify they are closed with the taskmgr process tree. remove the offending file, then open a browser to test and make sure the behavior is no longer happening.
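An added check for this case, in PowerShell (not code from the original post): since the rogue copy matches the real driver on size and modified date, compare the two files by hash and signature instead. The two paths are the ones named above; an elevated prompt and a PowerShell version that has Get-FileHash (4.0 or later) are assumed.

```powershell
# Added example (not from the original post): compare the suspect wdmaud.sys in
# System32 with the legitimate driver in System32\drivers. Size and timestamp
# are shown only to confirm they match; SHA256 and signature are the real test.
$legit   = Join-Path $env:SystemRoot 'System32\drivers\wdmaud.sys'
$suspect = Join-Path $env:SystemRoot 'System32\wdmaud.sys'

if (-not (Test-Path -LiteralPath $suspect)) {
    Write-Output "No $suspect present; nothing to compare."
    return
}

foreach ($path in @($legit, $suspect)) {
    $item = Get-Item -LiteralPath $path -Force      # -Force also shows hidden/system files
    $sig  = Get-AuthenticodeSignature -FilePath $path
    [pscustomobject]@{
        Path      = $path
        Bytes     = $item.Length
        Modified  = $item.LastWriteTime
        SHA256    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        # A genuine system driver may be catalog-signed rather than carrying an
        # embedded signature, so NotSigned here is inconclusive on its own.
        Signature = $sig.Status
        Signer    = $sig.SignerCertificate.Subject
    }
}

$legitHash   = (Get-FileHash -LiteralPath $legit   -Algorithm SHA256).Hash
$suspectHash = (Get-FileHash -LiteralPath $suspect -Algorithm SHA256).Hash
if ($legitHash -ne $suspectHash) {
    # Same byte count and date, different content: this is not a copy of the driver.
    Write-Warning "Content of $suspect differs from the real driver despite matching metadata."
}
```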


Tuesday, January 13, 2009

Several dialog boxes are blank

source

Method 1: Reregister Jscript.dll

1. Click Start, and then click Run.
2. In the Open box, type regsvr32 jscript.dll, and then click OK.
3. Click OK.


Method 2: Edit the registry.

1. Click Start, and then click Run.
2. In the Open box, type regedit, and then click OK.
3. Locate the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
The (Default) value data should contain the following value:
C:\WINDOWS\SYSTEM32\JSCRIPT.DLL
If it does not, double-click Default, type C:\WINDOWS\SYSTEM32\JSCRIPT.DLL in the Value data box, and then click OK.
4. The ThreadingModel value data should contain the following value:
Both
If it does not, double-click ThreadingModel, and then type Both in the Value data box.
5. Locate the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
6. Repeat steps 3 and 4 to edit this key, and then go to step 7.
7. Locate the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
8. Repeat steps 3 and 4 to edit this key, and then go to step 9.
9. Exit Registry Editor.

Monday, January 12, 2009

vundo - yet another reason java sucks big time

so my friend gets an infection with this vundo nonsense. this is why you don't let visiting family members touch your computer. after removing the drive from the machine, hooking it up to my workstation, and scanning the holy hell out of it, i think it's removed.

WRONG!

turns out those bastards set attrib +s +h on their .dll file, which kept repopulating entries in regedit. in this case the file was named rilalelu.dll. convinced it's buried in HKLM\software\microsoft\windows nt\currentversion\winlogon\notify, i check again. nope, nothing but required system files.

open process explorer, look at the threads, and rilalelu.dll is loaded into every single process, from their shitty aol to winlogon, explorer, svchost, you name it, it's attached. remove the drive one final time, go into cmd, and brute force the damn thing out.

cd windows\system32
attrib -h |more
dir rila*
attrib -s rilalelu.dll
del rilalelu.dll