mraikes
asked on
Google search hijack remains after removal of "Antivirus 2009" Malware
I recently removed "Antivirus 2009" malware from a friend's computer using Malwarebytes. That process seemed to go smoothly, however there remains a problem with Google search results being hijacked.
Google opens fine, however the search results page doesn't look quite right (font too large, and random characters like "9h" appears at top of page just prior to the search results). The list of results themselves look reasonable, but when you click on one, a new window opens containing a page generally unrelated to the link clicked. The web addresses in the new window are always preceded by "go." for example "www.go.blahblahblah.com"
Any ideas?
Here's the logfile from Hijackthis:
Logfile of HijackThis v1.99.1
Scan saved at 1:55:00 PM, on 12/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Running processes:
C:\WINDOWS\System32\smss.e
C:\WINDOWS\system32\winlog
C:\WINDOWS\system32\servic
C:\WINDOWS\system32\lsass.
C:\WINDOWS\system32\svchos
C:\WINDOWS\System32\svchos
C:\WINDOWS\system32\spools
c:\program files\common files\logishrd\lvmvfm\LVPr
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aol
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDev
C:\PROGRA~1\Grisoft\AVGFRE
C:\PROGRA~1\Grisoft\AVGFRE
c:\program files\ge security supra\syncservice.exe
C:\Program Files\Softex\OmniPass\Omni
C:\WINDOWS\System32\svchos
C:\Program Files\GE Security Supra\ProxyDaemon.exe
C:\SSL\stunnel-4.10.exe
C:\Program Files\Softex\OmniPass\OPXP
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.
C:\PROGRA~1\Grisoft\AVGFRE
C:\PROGRA~1\Grisoft\AVGFRE
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\Program Files\GE Security Supra\SyncInfoApp.exe
C:\Program Files\Malwarebytes' Anti-Malware\Chew.exe
C:\WINDOWS\system32\wuaucl
C:\DOCUME~1\Owner\LOCALS~1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-7
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-0
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-A
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCt
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digi
O4 - Global Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O4 - Global Startup: DisplayKEY eSYNC Info.lnk = C:\Program Files\GE Security Supra\SyncInfoApp.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-0
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-0
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: *.fnismls.com
O15 - Trusted Zone: http://*.lvarmls.com
O15 - Trusted Zone: abqrealtors.rapmls.com
O15 - Trusted Zone: *.rapmls.com
O15 - Trusted Zone: http://*.rapmls.com
O15 - Trusted Zone: http://*.vvmls.com
O16 - DPF: ImageUploader - http://www.assetval.com/app/ImageUploader.CAB
O16 - DPF: {17492023-C23A-453E-A040-C
O16 - DPF: {30528230-99f7-4bb4-88d8-f
O16 - DPF: {6E5E167B-1566-4316-B27F-0
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-0
O16 - DPF: {EDFCB7CB-942C-4822-AF14-F
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B
O17 - HKLM\System\CCS\Services\T
O17 - HKLM\System\CS2\Services\T
O17 - HKLM\System\CS4\Services\T
O20 - AppInit_DLLs: idnhkh.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dims
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsr
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIini
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxp
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLog
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-9
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aol
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDev
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE
O23 - Service: DkeySync - GE Security Supra - c:\program files\ge security supra\syncservice.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPr
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\Srv
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc3
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omni
Google opens fine, however the search results page doesn't look quite right (font too large, and random characters like "9h" appears at top of page just prior to the search results). The list of results themselves look reasonable, but when you click on one, a new window opens containing a page generally unrelated to the link clicked. The web addresses in the new window are always preceded by "go." for example "www.go.blahblahblah.com"
Any ideas?
Here's the logfile from Hijackthis:
Logfile of HijackThis v1.99.1
Scan saved at 1:55:00 PM, on 12/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Running processes:
C:\WINDOWS\System32\smss.e
C:\WINDOWS\system32\winlog
C:\WINDOWS\system32\servic
C:\WINDOWS\system32\lsass.
C:\WINDOWS\system32\svchos
C:\WINDOWS\System32\svchos
C:\WINDOWS\system32\spools
c:\program files\common files\logishrd\lvmvfm\LVPr
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aol
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDev
C:\PROGRA~1\Grisoft\AVGFRE
C:\PROGRA~1\Grisoft\AVGFRE
c:\program files\ge security supra\syncservice.exe
C:\Program Files\Softex\OmniPass\Omni
C:\WINDOWS\System32\svchos
C:\Program Files\GE Security Supra\ProxyDaemon.exe
C:\SSL\stunnel-4.10.exe
C:\Program Files\Softex\OmniPass\OPXP
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.
C:\PROGRA~1\Grisoft\AVGFRE
C:\PROGRA~1\Grisoft\AVGFRE
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\Program Files\GE Security Supra\SyncInfoApp.exe
C:\Program Files\Malwarebytes' Anti-Malware\Chew.exe
C:\WINDOWS\system32\wuaucl
C:\DOCUME~1\Owner\LOCALS~1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-7
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-0
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-A
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCt
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digi
O4 - Global Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O4 - Global Startup: DisplayKEY eSYNC Info.lnk = C:\Program Files\GE Security Supra\SyncInfoApp.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-0
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-0
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: *.fnismls.com
O15 - Trusted Zone: http://*.lvarmls.com
O15 - Trusted Zone: abqrealtors.rapmls.com
O15 - Trusted Zone: *.rapmls.com
O15 - Trusted Zone: http://*.rapmls.com
O15 - Trusted Zone: http://*.vvmls.com
O16 - DPF: ImageUploader - http://www.assetval.com/app/ImageUploader.CAB
O16 - DPF: {17492023-C23A-453E-A040-C
O16 - DPF: {30528230-99f7-4bb4-88d8-f
O16 - DPF: {6E5E167B-1566-4316-B27F-0
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-0
O16 - DPF: {EDFCB7CB-942C-4822-AF14-F
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B
O17 - HKLM\System\CCS\Services\T
O17 - HKLM\System\CS2\Services\T
O17 - HKLM\System\CS4\Services\T
O20 - AppInit_DLLs: idnhkh.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dims
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsr
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIini
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxp
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLog
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-9
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aol
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDev
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE
O23 - Service: DkeySync - GE Security Supra - c:\program files\ge security supra\syncservice.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPr
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\Srv
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc3
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omni
sharkbot221984
I didn't see any homepage or search settings in your hijackthis log, those are usually R1 or R0 lines. So it seems that there is still something lurking on the machine still hijacking your web browser. MIght go ahead and run Adaware, and Spybot S&D to see if they catch something as well. What AV did you run against it? Maybe try another one.
Can we look at the MalwareBytes log? there's still this bad dll present in the log.
O20 - AppInit_DLLs: idnhkh.dll
also try running Combofix, if problem persists you might need to reset the router if this is one of those Zlob.DNS.Changer.
Please download ComboFix by sUBs:
http://download.bleepingco
You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix..
Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
O20 - AppInit_DLLs: idnhkh.dll
also try running Combofix, if problem persists you might need to reset the router if this is one of those Zlob.DNS.Changer.
Please download ComboFix by sUBs:
http://download.bleepingco
You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix..
Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
What the heck are those Southwest Airlines entries?
Your AOL toolbar is messed up.
Omnipass is too
This is definitely a bad guy: O20 - AppInit_DLLs: idnhkh.dll
Try getting Autoruns (Google it) and use it to clean up the error entries and to delete the one I listed. Winsockfix would be a good idea, too.
Your AOL toolbar is messed up.
Omnipass is too
This is definitely a bad guy: O20 - AppInit_DLLs: idnhkh.dll
Try getting Autoruns (Google it) and use it to clean up the error entries and to delete the one I listed. Winsockfix would be a good idea, too.
ASKER
These are excellent suggestions. I'll try them this evening and post back the results.
Thanks!
Thanks!
Davis - The southwest item should be fine, it's a program called Ding! where it will alert you of a sale on plane tickets.
OK, I just ran into the same issue--combofix, SDfix, Webroot, Malwarebytes not getting it out. I'll follow this to see if anyone gets the browser issue resolved.
>>>--combofix, SDfix, Webroot, Malwarebytes not getting it out<<<
We need to look at the logs, especially the combofix log because whatever bad files not removed during the first run we will remove using its script function.
And if it's a DNS.Changer, then it would show up in the MBAM log which you then need to reset router if connecting thru it.
Please attach the MBAM log and combofix log, CF log which should be located in --> C:\Combofix.txt
We need to look at the logs, especially the combofix log because whatever bad files not removed during the first run we will remove using its script function.
And if it's a DNS.Changer, then it would show up in the MBAM log which you then need to reset router if connecting thru it.
Please attach the MBAM log and combofix log, CF log which should be located in --> C:\Combofix.txt
OK, I found the issue after extensige searches online. This is a new trojan, that the tools haven't picked up on yet. It injects a javascript header on the search result pages.
The fix is really simple: throw C:\Windows\System32\wdmaud
The problem immediately goes away, no reboot required. I understand kaspersky online scan is the only tool to date thatrecognizes this file as a trojan.
The fix is really simple: throw C:\Windows\System32\wdmaud
The problem immediately goes away, no reboot required. I understand kaspersky online scan is the only tool to date thatrecognizes this file as a trojan.
There are 2 variants so far, either wdmaud.sys or the sysaudio.sys located in the system32 folder.
They should show up in the Combofix log.
They should show up in the Combofix log.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
The infection surfaced about 3 months ago with the fake "sysaudio.sys" hijacker and now the new variant is "wdmaud.sys".
Apparently getting installed via a malicious javascript injected on many legit sites, clicking on a "Yahoo! Counter starts here"
(which is not even related to yahoo gets you infected).
It loads under this key:
HKLM\software\microsoft\wi
and insert as a value of "aux" where legit value data should be wdmaud.drv, mmdrv.dll or ctwdm32.dll
"aux"="sysaudio.sys" or
"aux2"="sysaudio.sys"
"aux"="wdmaud.sys"
I participated a thread here where after deleting those 2 fake files the audio is gone and we had to restore the value of "aux" to "wdmaud.drv"
http://www.experts-exchang
Another EE database:(with wdmaud.sys hijacker)
http://www.experts-exchang
Apparently getting installed via a malicious javascript injected on many legit sites, clicking on a "Yahoo! Counter starts here"
(which is not even related to yahoo gets you infected).
It loads under this key:
HKLM\software\microsoft\wi
and insert as a value of "aux" where legit value data should be wdmaud.drv, mmdrv.dll or ctwdm32.dll
"aux"="sysaudio.sys" or
"aux2"="sysaudio.sys"
"aux"="wdmaud.sys"
I participated a thread here where after deleting those 2 fake files the audio is gone and we had to restore the value of "aux" to "wdmaud.drv"
http://www.experts-exchang
Another EE database:(with wdmaud.sys hijacker)
http://www.experts-exchang
WinAntivirus 2008 or 2009 (AKA a bunch of other names) has morphed over time and the list of files has grown. CTFMON.EXE, BEEP.SYS, WDMAUD.SYS, and ( be glad this one was seemingly abandoned!!), in one case, NTLDR are some of the files which I have seen it replace in the past year.
Over two years ago, I suggested to Microsoft they host a database of legitimate drivers precisely so we could more easily verify which were legitimate. I even got one small nibble back from one attempt; but, to my knowledge, we still lack what would be an invaluable tool.
For those who may read this, even a week from now, expect the infested file to have been changed, use COMBOFIX and/or MalwareBytesAntiMalware to get rid of it; but, be prepared for the need to format and start from scratch.
Over two years ago, I suggested to Microsoft they host a database of legitimate drivers precisely so we could more easily verify which were legitimate. I even got one small nibble back from one attempt; but, to my knowledge, we still lack what would be an invaluable tool.
For those who may read this, even a week from now, expect the infested file to have been changed, use COMBOFIX and/or MalwareBytesAntiMalware to get rid of it; but, be prepared for the need to format and start from scratch.
mraikes:
It's time to close this question if your issue is resolved. I see comments with additional insights into the current malware trends keep getting added after resolution.
It's time to close this question if your issue is resolved. I see comments with additional insights into the current malware trends keep getting added after resolution.