thistlepie

Members
  • Posts: 18
  • Joined
  • Last visited

Reputation: 0 Neutral
  1. I uninstalled and cleaned up the programs, then ran Security Check. Here are the results:
     Results of screen317's Security Check version 0.99.56
     Windows Vista Service Pack 2 x64 (UAC is enabled)
     Internet Explorer 8 Out of date!
     ``````````````Antivirus/Firewall Check:``````````````
     Windows Firewall Disabled!
     Norton 360
     WMI entry may not exist for antivirus; attempting automatic update.
     `````````Anti-malware/Other Utilities Check:`````````
     Malwarebytes Anti-Malware version 1.65.1.1000
     Java 7 Update 10
     Java version out of Date!
     Adobe Flash Player 11.5.502.135
     Adobe Reader 10.1.4 Adobe Reader out of Date!
     Mozilla Firefox (17.0.1)
     Google Chrome 21.0.1180.83
     Google Chrome 21.0.1180.89
     Google Chrome 22.0.1229.79
     Google Chrome 22.0.1229.92
     Google Chrome 22.0.1229.94
     Google Chrome 23.0.1271.64
     Google Chrome 23.0.1271.91
     Google Chrome 23.0.1271.95
     Google Chrome 23.0.1271.97
     ````````Process Check: objlist.exe by Laurent````````
     Norton ccSvcHst.exe
     Malwarebytes Anti-Malware mbamservice.exe
     Malwarebytes Anti-Malware mbamgui.exe
     Microsoft Small Business Business Contact Manager BcmSqlStartupSvc.exe
     Malwarebytes' Anti-Malware mbamscheduler.exe
     `````````````````System Health check`````````````````
     Total Fragmentation on Drive C: 0 %
     ````````````````````End of Log``````````````````````
  2. Okay, I tested several dozen different searches and it looks like it worked! No more redirects, as far as I can see. Is there any more to do after that?
  3. I deleted the detected files and rebooted but the problem was not resolved. I ran Microsoft Safety Scanner and it did not find any problems. The redirection persists--what should we do next? Attached is the AdwCleaner log file. AdwCleanerS2.txt
  4. Ran AdwCleaner, attached is the log file! AdwCleanerR4.txt
  5. Ran Combofix, attached is the log file. combofixlog.txt
  6. I ran TDSSKiller which found 4 threats. Cure was not an option for any, so I didn't touch anything. Attached are the two result logs found in the C directory. TDSSKiller.2.8.15.0_02.01.2013_14.19.18_log.txt TDSSKiller.2.8.15.0_02.01.2013_14.22.17_log.txt
  7. Yes, same computer as before. I ran the MBAM scan after we finished up last time and didn't see Trojan.Happili anymore, so I assumed the redirect problem was fixed. But we discovered the next day the redirection was still happening. She uses Firefox and has seen the problem with Google and Yahoo! Search. She's minimized her search engine usage until we solve the problem, but is using Duckduckgo when necessary. I attempted to resolve the problem myself and optimized Internet Explorer (even though she doesn't use IE), but that didn't do anything, apparently. Attaching dds.txt, attach.txt and the RK results below! Thanks! dds.txt attach.txt RKreport1_S_01022013_02d1256.txt
  8. Hi, just to clarify: should I upload the files as attachments to the post or copy and paste into my next reply?
  9. Hello (again)! A week ago, I received help from MrCharlie to resolve a Trojan.Happili infection on my mother's computer after she complained of being redirected to suspicious sites when clicking on links from a Google search. We resolved the Happili problem (thanks, MrC!), but my mother still had the redirection issue. I'm pretty sure it's the Google Redirect Virus, which (as I'm sure you know) is very tricky. I'd really appreciate someone's help nipping this last issue in the bud. Thank you!
  10. Oh great! Everything's been updated, the clean-up tools uninstalled. I ran a last MBAM scan and it came out clean! Thank you SO much for your help. You're a life (and computer!) saver!
  11. Here is the AdwCleaner log:
      # AdwCleaner v2.103 - Logfile created 12/27/2012 at 10:37:56
      # Updated 25/12/2012 by Xplode
      # Operating system : Windows ™ Vista Home Premium Service Pack 2 (64 bits)
      # User : Colleen - BESS
      # Boot Mode : Normal
      # Running from : C:\Users\Colleen\Desktop\adwcleaner.exe
      # Option [Delete]
      ***** [services] *****
      ***** [Files / Folders] *****
      Deleted on reboot : C:\Program Files (x86)\Ask.com
      Deleted on reboot : C:\ProgramData\APN
      Deleted on reboot : C:\ProgramData\Trymedia
      Deleted on reboot : C:\Users\Colleen\AppData\LocalLow\AskToolbar
      Deleted on reboot : C:\Users\Colleen\AppData\Roaming\iWin
      Deleted on reboot : C:\Windows\Installer\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
      File Deleted : C:\Users\Colleen\AppData\Roaming\Mozilla\Firefox\Profiles\lpiikmba.default\searchplugins\safesearch.xml
      ***** [Registry] *****
      Key Deleted : HKCU\Software\APN
      Key Deleted : HKCU\Software\APN PIP
      Key Deleted : HKCU\Software\AppDataLow\Software\AskToolbar
      Key Deleted : HKCU\Software\AppDataLow\Software\CompeteInc
      Key Deleted : HKCU\Software\Ask.com
      Key Deleted : HKCU\Software\Conduit
      Key Deleted : HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
      Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{79A765E1-C399-405B-85AF-466F52E918B0}
      Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
      Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\StartNow Toolbar
      Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{79A765E1-C399-405B-85AF-466F52E918B0}
      Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
      Key Deleted : HKLM\Software\APN
      Key Deleted : HKLM\Software\AskToolbar
      Key Deleted : HKLM\SOFTWARE\Classes\AppID\{7E8A36EA-2501-4ED3-A3C8-CFA9143FB169}
      Key Deleted : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}
      Key Deleted : HKLM\SOFTWARE\Classes\AppID\{FAA8C612-F1B6-461B-8B60-B54D74D9642E}
      Key Deleted : HKLM\SOFTWARE\Classes\AppID\GenericAskToolbar.DLL
      Key Deleted : HKLM\SOFTWARE\Classes\AppID\Toolbar.DLL
      Key Deleted : HKLM\SOFTWARE\Classes\AppID\ToolbarBroker.EXE
      Key Deleted : HKLM\SOFTWARE\Classes\Installer\Products\A28B4D68DEBAA244EB686953B7074FEF
      Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.BandObject
      Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.BandObject.1
      Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.ToolbarHelperObject
      Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.ToolbarHelperObject.1
      Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{38BF9661-BDA0-4A74-BB3B-576EC7AE16DC}
      Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{6857AC4A-95B4-4E2C-B2D2-8A235FCCEF4A}
      Key Deleted : HKLM\SOFTWARE\Classes\ZGClnt.Mngr
      Key Deleted : HKLM\SOFTWARE\Classes\ZGClnt.Mngr.1
      Key Deleted : HKLM\Software\Conduit
      Key Deleted : HKLM\Software\PIP
      Key Deleted : HKLM\Software\StartNow Toolbar
      Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{00000000-6E41-4FD3-8538-502F5495E5FC}
      Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{2CBD2A57-2FD5-4F1A-9FC8-90ED48FA4187}
      Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{5911488E-9D1E-40EC-8CBB-06B231CC153F}
      Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{6E13D095-45C3-4271-9475-F3B48227DD9F}
      Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{761F6A83-F007-49E4-8EAC-CDB6808EF06F}
      Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{76C45B18-A29E-43EA-AAF8-AF55C2E1AE17}
      Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{96EF404C-24C7-43D0-9096-4CCC8BB7CCAC}
      Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{97720195-206A-42AE-8E65-260B9BA5589F}
      Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{97D69524-BB57-4185-9C7F-5F05593B771A}
      Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{986F7A5A-9676-47E1-8642-F41F8C3FCF82}
      Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{B18788A4-92BD-440E-A4D1-380C36531119}
      Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}
      Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2CBD2A57-2FD5-4F1A-9FC8-90ED48FA4187}
      Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
      Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6E13D095-45C3-4271-9475-F3B48227DD9F}
      Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}
      Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
      Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\StartNow Toolbar
      Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{2CBD2A57-2FD5-4F1A-9FC8-90ED48FA4187}
      Key Deleted : HKLM\SOFTWARE\Classes\Interface\{1C888195-0160-4883-91B7-294C0CE2F277}
      Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}
      Key Deleted : HKLM\SOFTWARE\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}
      Key Deleted : HKLM\SOFTWARE\Classes\Interface\{99ACA0F7-D864-45CB-8C40-FD42A077E7CA}
      Key Deleted : HKLM\SOFTWARE\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}
      Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E65F40C8-3CEB-47C2-9E01-BF73323DF4E7}
      Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A28B4D68DEBAA244EB686953B7074FEF
      Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [ApnUpdater]
      Value Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar [{5911488E-9D1E-40EC-8CBB-06B231CC153F}]
      Value Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar [{D4027C7F-154A-4066-A1AD-4243D8127440}]
      ***** [internet Browsers] *****
      -\\ Internet Explorer v8.0.6001.19393
      [OK] Registry is clean.
      -\\ Mozilla Firefox v17.0.1 (en-US)
      File : C:\Users\Colleen\AppData\Roaming\Mozilla\Firefox\Profiles\lpiikmba.default\prefs.js
      Deleted : user_pref("extensions.FAS-SAT.my-keyword-url", "\"hxxp://asksearch.ask.com/redirect?client=ff&src=kw[...]
      Deleted : user_pref("extensions.asktb.InstallDir", "C:\\Program Files (x86)\\Ask.com\\");
      Deleted : user_pref("extensions.asktb.abar-war-timeout", "4000");
      Deleted : user_pref("extensions.asktb.autofill-competitor-query-enabled", true);
      Deleted : user_pref("extensions.asktb.autofill-text-highlight-enabled", true);
      Deleted : user_pref("extensions.asktb.cbid", "V8");
      Deleted : user_pref("extensions.asktb.config-updated", true);
      Deleted : user_pref("extensions.asktb.crumb", "2011.08.05+09.07.14-toolbar005iad-US-U291dGhmaWVsZCxNSSxVbml0ZW[...]
      Deleted : user_pref("extensions.asktb.default-channel-url-mask", "hxxp://www.ask.com/web?q={query}&o={o}&l={l}[...]
      Deleted : user_pref("extensions.asktb.displaybehavior", "");
      Deleted : user_pref("extensions.asktb.displaytext", "");
      Deleted : user_pref("extensions.asktb.dtid", "YYYYYYYYUS");
      Deleted : user_pref("extensions.asktb.dyn-weather-do-locid-lookup-weatherWidget", false);
      Deleted : user_pref("extensions.asktb.dyn-weather-locid-weatherWidget", "USMI0794");
      Deleted : user_pref("extensions.asktb.dyn-weather-tempunit-weatherWidget", "F");
      Deleted : user_pref("extensions.asktb.guid", "63bcbd84-3e71-4f2e-862c-73d3558d2cfe");
      Deleted : user_pref("extensions.asktb.hxxp-header-whitelist-hosts", "[\"static-dev.en.dev.ask.com\", \"ask.com[...]
      Deleted : user_pref("extensions.asktb.if", "first");
      Deleted : user_pref("extensions.asktb.l", "dis");
      Deleted : user_pref("extensions.asktb.last-config-req", "1324583611514");
      Deleted : user_pref("extensions.asktb.last-search-timestamp", "1323609010660");
      Deleted : user_pref("extensions.asktb.locale", "en_US");
      Deleted : user_pref("extensions.asktb.location", "Southfield,MI,United States");
      Deleted : user_pref("extensions.asktb.lstation", "");
      Deleted : user_pref("extensions.asktb.new-tab-enabled", true);
      Deleted : user_pref("extensions.asktb.o", "100000042");
      Deleted : user_pref("extensions.asktb.pstate", "");
      Deleted : user_pref("extensions.asktb.qsrc", "2871");
      Deleted : user_pref("extensions.asktb.sa", "NO");
      Deleted : user_pref("extensions.asktb.search-history-queries", "ftaforall.net||souvenirs||art or no art||satel[...]
      Deleted : user_pref("extensions.asktb.search-suggestions-enabled", true);
      Deleted : user_pref("extensions.asktb.silent-upgrade", true);
      Deleted : user_pref("extensions.asktb.silent-upgrade-from-pre-newtabs-build", false);
      Deleted : user_pref("extensions.asktb.socialmini-first", true);
      Deleted : user_pref("extensions.asktb.socialmini-interval", "1200000");
      Deleted : user_pref("extensions.asktb.socialmini-max-char-ticker", "33");
      Deleted : user_pref("extensions.asktb.socialmini-max-items", "30");
      Deleted : user_pref("extensions.asktb.socialmini-native-on", true);
      Deleted : user_pref("extensions.asktb.socialmini-speed", "5000");
      Deleted : user_pref("extensions.asktb.socialmini-transition-first-open", false);
      Deleted : user_pref("extensions.asktb.themeid", "");
      Deleted : user_pref("extensions.asktb.to", "");
      Deleted : user_pref("extensions.facemoods.first_time", false);
      Deleted : user_pref("extensions.facemoods.newTab", false);
      Deleted : user_pref("keyword.URL", "hxxp://asksearch.ask.com/redirect?client=ff&src=kw&tb=FAS-SAT&o=APN10458&i[...]
      Deleted : user_pref("{5911488E-9D1E-40ec-8CBB-06B231CC153F}.install_folder", "C:\\Program Files (x86)\\StartNo[...]
      Deleted : user_pref("{5911488E-9D1E-40ec-8CBB-06B231CC153F}.name", "StartNow Toolbar");
      Deleted : user_pref("{5911488E-9D1E-40ec-8CBB-06B231CC153F}.startpage", "lf.startnow.com");
      -\\ Google Chrome v23.0.1271.97
      File : C:\Users\Colleen\AppData\Local\Google\Chrome\User Data\Default\Preferences
      Deleted [l.165] : homepage = "hxxp://www.ask.com/?l=dis&o=APN10458cr&gct=hp&apn_ptnrs=^AKI&apn_dtid=^YYYYYY^YY^US&[...]
      *************************
      AdwCleaner[R1].txt - [10888 octets] - [27/12/2012 10:02:57]
      AdwCleaner[R2].txt - [10949 octets] - [27/12/2012 10:25:06]
      AdwCleaner[R3].txt - [11010 octets] - [27/12/2012 10:37:25]
      AdwCleaner[s1].txt - [10360 octets] - [27/12/2012 10:37:56]
      ########## EOF - C:\AdwCleaner[s1].txt - [10421 octets] ##########

      And here is the Security Check log:
      Results of screen317's Security Check version 0.99.56
      Windows Vista Service Pack 2 x64 (UAC is enabled)
      Internet Explorer 8 Out of date!
      ``````````````Antivirus/Firewall Check:``````````````
      Windows Firewall Disabled!
      Norton 360
      WMI entry may not exist for antivirus; attempting automatic update.
      `````````Anti-malware/Other Utilities Check:`````````
      Malwarebytes Anti-Malware version 1.65.1.1000
      Java™ 6 Update 30
      Java version out of Date!
      Adobe Flash Player 11.5.502.135
      Adobe Reader 10.1.4 Adobe Reader out of Date!
      Mozilla Firefox (17.0.1)
      Google Chrome 21.0.1180.83
      Google Chrome 21.0.1180.89
      Google Chrome 22.0.1229.79
      Google Chrome 22.0.1229.92
      Google Chrome 22.0.1229.94
      Google Chrome 23.0.1271.64
      Google Chrome 23.0.1271.91
      Google Chrome 23.0.1271.95
      Google Chrome 23.0.1271.97
      ````````Process Check: objlist.exe by Laurent````````
      Norton ccSvcHst.exe
      Malwarebytes Anti-Malware mbamservice.exe
      Malwarebytes Anti-Malware mbamgui.exe
      Microsoft Small Business Business Contact Manager BcmSqlStartupSvc.exe
      Malwarebytes' Anti-Malware mbamscheduler.exe
      `````````````````System Health check`````````````````
      Total Fragmentation on Drive C: 0 %
      ````````````````````End of Log``````````````````````
  12. Ran it, and here's the log! I don't have any concerns about what we're deleting--let's do it! AdwCleanerR1.txt
  13. Good morning! I ran Combofix and am attaching the log below. log.txt
  14. Okay, so... I made a new system backup point, downloaded MBAR, and ran it--the results being that there were no items to remove...? Are we in the clear or are these Happili files trickier than we thought...? I'm attaching the mbar-log and system-log files as requested. Thanks! mbar-log-2012-12-26 (23-05-49).txt system-log.txt