Avatar of mraikes

asked on 

Google search hijack remains after removal of "Antivirus 2009" Malware

I recently removed "Antivirus 2009" malware from a friend's computer using Malwarebytes. That process seemed to go smoothly, however there remains a problem with Google search results being hijacked.

Google opens fine, however the search results page doesn't look quite right (font too large, and random characters like "9h" appears at top of page just prior to the search results).  The list of results themselves look reasonable, but when you click on one, a new window opens containing a page generally unrelated to the link clicked.  The web addresses in the new window are always preceded by "go." for example "www.go.blahblahblah.com"

Any ideas?

Here's the logfile from Hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 1:55:00 PM, on 12/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Running processes:
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\ge security supra\syncservice.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\GE Security Supra\ProxyDaemon.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\Program Files\GE Security Supra\SyncInfoApp.exe
C:\Program Files\Malwarebytes' Anti-Malware\Chew.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 3 for 4 hijackthis.zip\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\program files\hewlett-packard\digital imaging\bin\hpdtlk02.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll (file missing)
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - Global Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O4 - Global Startup: DisplayKEY eSYNC Info.lnk = C:\Program Files\GE Security Supra\SyncInfoApp.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: *.fnismls.com
O15 - Trusted Zone: http://*.lvarmls.com
O15 - Trusted Zone: abqrealtors.rapmls.com
O15 - Trusted Zone: *.rapmls.com
O15 - Trusted Zone: http://*.rapmls.com
O15 - Trusted Zone: http://*.vvmls.com
O16 - DPF: ImageUploader - http://www.assetval.com/app/ImageUploader.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.riocentral.com/Image%20Uploader/ImageUploader4.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://fisdesktop.webex.com/client/T26L/training/ieatgpc.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - https://www.assetlinklp.com/AssetLinkPortal/XUpload.ocx
O16 - DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} (Image Uploader Control) - http://www.riocentral.com/Image%20Uploader/ImageUploader4.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\..\{10898C23-7968-45D2-83F5-EC6F4C450B6D}: NameServer =,
O17 - HKLM\System\CS2\Services\Tcpip\..\{10898C23-7968-45D2-83F5-EC6F4C450B6D}: NameServer =,
O17 - HKLM\System\CS4\Services\Tcpip\..\{10898C23-7968-45D2-83F5-EC6F4C450B6D}: NameServer =,
O20 - AppInit_DLLs: idnhkh.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DkeySync - GE Security Supra - c:\program files\ge security supra\syncservice.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe

Anti-Virus Apps

Avatar of undefined
Last Comment
Jerry Solomon
Avatar of sharkbot221984
Flag of United States of America image

I didn't see any homepage or search settings in your hijackthis log, those are usually R1 or R0 lines.  So it seems that there is still something lurking on the machine still hijacking your web browser.  MIght go ahead and run Adaware, and Spybot S&D to see if they catch something as well.  What AV did you run against it?  Maybe try another one.
Avatar of rpggamergirl
Flag of Australia image

Can we look at the MalwareBytes log? there's still this bad dll present in the log.
O20 - AppInit_DLLs: idnhkh.dll
also try running Combofix, if problem persists you might need to reset the router if this is one of those Zlob.DNS.Changer.

Please download ComboFix by sUBs:
You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix..

Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Avatar of Davis McCarn
Davis McCarn
Flag of United States of America image

What the heck are those Southwest Airlines entries?
Your AOL toolbar is messed up.
Omnipass is too

This is definitely a bad guy: O20 - AppInit_DLLs: idnhkh.dll

Try getting Autoruns (Google it) and use it to clean up the error entries and to delete the one I listed.  Winsockfix would be a good idea, too.
Avatar of mraikes


These are excellent suggestions. I'll try them this evening and post back the results.

Avatar of sharkbot221984
Flag of United States of America image

Davis - The southwest item should be fine, it's a program called Ding! where it will alert you of a sale on plane tickets.
Avatar of Jerry Solomon
Jerry Solomon
Flag of United States of America image

OK, I just ran into the same issue--combofix, SDfix, Webroot, Malwarebytes not getting it out. I'll follow this to see if anyone gets the browser issue resolved.
Avatar of rpggamergirl
Flag of Australia image

>>>--combofix, SDfix, Webroot, Malwarebytes not getting it out<<<

We need to look at the logs, especially the combofix log because whatever bad files not removed during the first run we will remove using its script function.

And if it's a DNS.Changer, then it would show up in the MBAM log which you then need to reset router if connecting thru it.

Please attach the MBAM log and combofix log, CF log which should be located in --> C:\Combofix.txt
Avatar of Jerry Solomon
Jerry Solomon
Flag of United States of America image

OK, I found the issue after extensige searches online. This is a new trojan, that the tools haven't picked up on yet. It injects a javascript header on the search result pages.
The fix is really simple: throw C:\Windows\System32\wdmaud.sys into the recycle bin.
The problem immediately goes away, no reboot required.  I understand kaspersky online scan is the only tool to date thatrecognizes this file as a trojan.
Avatar of rpggamergirl
Flag of Australia image

There are 2 variants so far, either wdmaud.sys or the sysaudio.sys located in the system32 folder.
They should show up in the Combofix log.
Avatar of mraikes

Blurred text
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
Avatar of rpggamergirl
Flag of Australia image

The infection surfaced about 3 months ago with the fake "sysaudio.sys" hijacker and now the new variant is "wdmaud.sys".
Apparently getting installed via a malicious javascript injected on many legit sites, clicking on a "Yahoo! Counter starts here"
(which is not even related to yahoo gets you infected).

It loads under this key:
HKLM\software\microsoft\windows nt\currentversion\drivers32
and insert as a value of "aux" where legit value data should be wdmaud.drv, mmdrv.dll or ctwdm32.dll

"aux"="sysaudio.sys" or

I participated a thread here where after deleting those 2 fake files the audio is gone and we had to restore the value of "aux" to "wdmaud.drv"

Another EE database:(with wdmaud.sys hijacker)
Avatar of Davis McCarn
Davis McCarn
Flag of United States of America image

WinAntivirus 2008 or 2009 (AKA a bunch of other names) has morphed over time and the list of files has grown.  CTFMON.EXE, BEEP.SYS, WDMAUD.SYS, and ( be glad this one was seemingly abandoned!!), in one case, NTLDR are some of the files which I have seen it  replace in the past year.
Over two years ago, I suggested to Microsoft they host a database of legitimate drivers precisely so we could more easily verify which were legitimate.  I even got one small nibble back from one attempt; but, to my knowledge, we still lack what would be an invaluable tool.
For those who may read this, even a week from now, expect the infested file to have been changed, use COMBOFIX and/or MalwareBytesAntiMalware to get rid of it; but, be prepared for the need to format and start from scratch.
It's time to close this question if your issue is resolved. I see comments with additional insights into the current malware trends keep getting added after resolution.
Anti-Virus Apps
Anti-Virus Apps

Anti-virus software was originally developed to detect and remove computer viruses. However, with the proliferation of other kinds of malware, antivirus software started to provide protection from other computer threats. In particular, modern antivirus software can protect from malicious browser helper objects (BHOs), browser hijackers, ransomware, keyloggers, backdoors, rootkits, trojan horses, worms, malicious layered service providers (LSPs), dialers, fraud tools, adware and spyware. Some products also include protection from other computer threats, such as infected and malicious URLs, spam, scam and phishing attacks, online identity theft (privacy), online banking attacks, social engineering techniques, Advanced Persistent Threat (APT), botnets and DDoS attacks.

Top Experts
Get a personalized solution from industry experts
Ask the experts
Read over 600 more reviews


IBM logoIntel logoMicrosoft logoUbisoft logoSAP logo
Qualcomm logoCitrix Systems logoWorkday logoErnst & Young logo
High performer badgeUsers love us badge
LinkedIn logoFacebook logoX logoInstagram logoTikTok logoYouTube logo