
Redirect search results problem.


musicb


Hello, earlier today I noticed that my Google search results were being redirected. This seems to happen randomly, and is sporadic. If I tried to search again, the site that was redirected would load fine sometimes. I ran a Malwarebytes scan, and it said I was infected with trojan.happili. I removed it and restarted, but my results are still being redirected. I did another Malwarebytes scan and nothing came up. According to other threads I've read, it looks like I'm going to need some help. Thanks in advance.

Attachments: dds.txt, attach.txt


Hello musicb and welcome! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:

  • If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
  • I recommend you to keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.

Step 1

Please uninstall the following applications:

Ask Toolbar

Ask Toolbar Updater

Step 2

  • Launch Malwarebytes' Anti-Malware
  • Go to Update tab and select Check for Updates. If an update is found, it will download and install the latest version.
  • Go to Scanner tab and select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Step 3

Download aswMBR.exe to your desktop.

Double click aswMBR.exe to run it.

Click the "Scan" button to start the scan.


On completion of the scan, click Save log, save it to your desktop and post it in your next reply.


In your next reply, post the following log files:

  • Malwarebytes' Anti-Malware log
  • aswMBR log
  • a new fresh DDS log


Hi Maniac,

Here are the logs you asked for. I also have the new attach log from the dds, so let me know if you need that as well.

Thanks!

Malwarebytes Anti-Malware 1.65.0.1400

www.malwarebytes.org

Database version: v2012.09.11.08

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 6.0.2900.5512

Administrator :: TMB [administrator]

9/11/2012 3:27:28 PM

mbam-log-2012-09-11 (15-27-28).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 439212

Time elapsed: 7 minute(s), 23 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software

Run date: 2012-09-11 15:36:13

-----------------------------

15:36:13.218 OS Version: Windows 5.1.2600 Service Pack 3

15:36:13.218 Number of processors: 2 586 0x170A

15:36:13.218 ComputerName: TMB UserName:

15:36:14.031 Initialize success

15:36:45.531 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1

15:36:45.531 Disk 0 Vendor: ST325031 HP35 Size: 238475MB BusType: 3

15:36:45.546 Disk 0 MBR read successfully

15:36:45.546 Disk 0 MBR scan

15:36:45.546 Disk 0 Windows 7 default MBR code

15:36:45.546 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 238463 MB offset 2048

15:36:45.546 Disk 0 scanning sectors +488376000

15:36:45.625 Disk 0 scanning C:\WINDOWS\system32\drivers

15:36:51.859 Service scanning

15:37:06.406 Modules scanning

15:37:15.890 Disk 0 trace - called modules:

15:37:15.906

15:37:15.906 Scan finished successfully

15:41:53.296 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\MBR.dat"

15:41:53.296 The log file has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\aswMBR.txt"

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_31

Run by Administrator at 15:42:35 on 2012-09-11

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3543.2463 [GMT -4:00]

.

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\AVG\AVG2012\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe

C:\WINDOWS\ProPatches\Scheduler\stSchedEx.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\AVG\AVG2012\avgtray.exe

C:\Program Files\DYMO\DYMO Label Software\DLSService.exe

C:\Program Files\DYMO File\DYMOFileMonitor.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

C:\Program Files\DYMO\DYMO Label Software\DymoQuickPrint.exe

C:\Documents and Settings\Administrator\Application Data\Spotify\Data\SpotifyWebHelper.exe

C:\Documents and Settings\Administrator\Application Data\Spotify\Spotify.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

C:\Program Files\Intuit\QuickBooks 2011\QBW32.EXE

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\WINDOWS\notepad.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Administrator\Desktop\aswMBR.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://google.com/

mDefault_Page_URL = hxxp://intra1.nhsb.local/

uInternet Settings,ProxyOverride = *.local;192.168.*.*

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: AVG Do Not Track: {31332eef-cb9f-458f-afeb-d30e9a66b6ba} - c:\program files\avg\avg2012\avgdtiex.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll

BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File

uRun: [DymoQuickPrint] "c:\program files\dymo\dymo label software\DymoQuickPrint.exe" /startup

uRun: [spotify Web Helper] "c:\documents and settings\administrator\application data\spotify\data\SpotifyWebHelper.exe"

uRun: [spotify] "c:\documents and settings\administrator\application data\spotify\Spotify.exe" /uri spotify:autostart

uRun: [Apple] rundll32.exe "c:\documents and settings\administrator\local settings\application data\apple computer\apple\tfohkvg.dll",DllRegisterServerW

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon

mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"

mRun: [DLSService] "c:\program files\dymo\dymo label software\DLSService.exe"

mRun: [DYMOFileMonitor] "c:\program files\dymo file\DYMOFileMonitor.exe"

mRun: [intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup

mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent

dRun: [Apple] rundll32.exe "c:\documents and settings\administrator\local settings\application data\apple computer\apple\tfohkvg.dll",DllRegisterServerW

dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\intuit~1.lnk - c:\program files\common files\intuit\dataprotect\IntuitDataProtect.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~2.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\intuit\quickbooks 2011\QBW32.EXE

mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - c:\program files\avg\avg2012\avgdtiex.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

Trusted Zone: adp.com\ipay

Trusted Zone: anthem.com\www

Trusted Zone: bai.org\www

Trusted Zone: benefits4us.com\www

Trusted Zone: betraining.com\www

Trusted Zone: bsiweb.com\www

Trusted Zone: conexis.org\www

Trusted Zone: ct.gov\www.concord.sots

Trusted Zone: harland.net\branchprod

Trusted Zone: healthnet.com\www

Trusted Zone: hostedeet.com\majnhs

Trusted Zone: iapprove01

Trusted Zone: learnbai.org

Trusted Zone: lifebalance.net\www

Trusted Zone: myappro.com\www

Trusted Zone: MyAppro.Com \CTX

Trusted Zone: newalliancehr.com\www

Trusted Zone: synweb

Trusted Zone: tecaccess.com\www

Trusted Zone: ups.com\www

Trusted Zone: userconnect.com

Trusted Zone: usicg.com\www

Trusted Zone: vms1

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1302367197153

DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab

TCP: DhcpNameServer = 10.1.10.1

TCP: Interfaces\{01DABF7F-049D-4E41-ACEE-8E9BE82C90B5} : DhcpNameServer = 10.1.10.1

Handler: intu-help-qb4 - {ACE22922-D07C-4860-B51B-8CF472FEC2CB} - c:\program files\intuit\quickbooks 2011\HelpAsyncPluggableProtocol.dll

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll

Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\anqdakd8.default\

FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=utf-8&q=

FF - prefs.js: network.proxy.type - 0

FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll

FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll

FF - plugin: c:\program files\musicnotes\npmusicn.dll

FF - plugin: c:\program files\musicnotes\NPSibelius.dll

FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_271.dll

.

============= SERVICES / DRIVERS ===============

.

R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2012-4-19 24896]

R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-1-19 31952]

R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-1-7 237408]

R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-3-1 41040]

R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-2-10 301920]

R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2012-2-14 193288]

R2 QBVSS;QBIDPService;c:\program files\common files\intuit\dataprotect\QBIDPService.exe [2011-6-30 1248256]

R2 Shavlik Scheduler;Shavlik Remote Scheduler Service;c:\windows\propatches\scheduler\stSchedEx.exe [2010-10-6 1287520]

R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2011-12-23 139856]

R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilterx.sys [2011-12-23 24144]

R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2011-12-23 17232]

R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [2008-10-24 149600]

R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2010-3-5 44800]

R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-9-11 40776]

S?2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\avgidsagent.exe [2012-8-13 5167736]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-14 250056]

S3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\drivers\motfilt.sys --> c:\windows\system32\drivers\motfilt.sys [?]

S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys --> c:\windows\system32\drivers\motccgp.sys [?]

S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys --> c:\windows\system32\drivers\motccgpfl.sys [?]

S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys --> c:\windows\system32\drivers\motodrv.sys [?]

S3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\drivers\motousbnet.sys --> c:\windows\system32\drivers\Motousbnet.sys [?]

S3 motusbdevice;Motorola USB Dev Driver;c:\windows\system32\drivers\motusbdevice.sys --> c:\windows\system32\drivers\motusbdevice.sys [?]

S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-5-2 114144]

S3 RDID1118;BR-80;c:\windows\system32\drivers\RDWM1118.sys [2012-2-14 141312]

S4 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2008-11-21 238736]

.

=============== Created Last 30 ================

.

2012-09-11 19:26:25 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2012-09-04 20:29:01 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Spotify

2012-09-04 20:29:00 -------- d-----w- c:\documents and settings\administrator\application data\Spotify

2012-08-30 23:18:45 73696 ----a-w- c:\program files\mozilla firefox\breakpadinjector.dll

.

==================== Find3M ====================

.

2012-09-07 21:04:46 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-08-24 19:43:18 301920 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2012-08-15 01:19:05 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-08-15 01:19:05 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-07-26 07:21:30 237408 ----a-w- c:\windows\system32\drivers\avgldx86.sys

.

============= FINISH: 15:42:44.68 ===============

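The DDS log above contains two items a helper would zero in on: `uRun`/`dRun` entries in which rundll32 loads an oddly named DLL (`tfohkvg.dll`) from the user's own profile directory, registered under both HKCU and the default-user hive, and an orphaned `TB:` toolbar entry with no file behind it. The script below is an added example, not part of this thread and not code from DDS, Malwarebytes or ComboFix: it applies those checks to DDS-style `Pseudo HJT Report` lines. The "user-writable path" markers and the three rules are my own heuristics, and the sample lines are copied from the log above (benign entries included as controls).

```python
"""Triage of DDS 'Pseudo HJT Report' autostart lines.

Added example for this thread, not code from DDS, Malwarebytes or ComboFix.
Assumptions (mine): a line looks like '<kind>: [<name>] <command>' for Run keys
and 'TB: {clsid} - <target>' for toolbars; 'user-writable' is approximated by
a list of per-user profile and temp path markers for XP-era Windows.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Entries copied from the DDS log posted above, plus a few benign lines from the
# same log so the rules have something to leave alone.
SAMPLE_LINES = [
    r'uRun: [DymoQuickPrint] "c:\program files\dymo\dymo label software\DymoQuickPrint.exe" /startup',
    r'uRun: [Apple] rundll32.exe "c:\documents and settings\administrator\local settings\application data\apple computer\apple\tfohkvg.dll",DllRegisterServerW',
    r'mRun: [igfxTray] c:\windows\system32\igfxtray.exe',
    r'mRun: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon',
    r'dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N',
    r'dRun: [Apple] rundll32.exe "c:\documents and settings\administrator\local settings\application data\apple computer\apple\tfohkvg.dll",DllRegisterServerW',
    r'TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File',
]

RUN_LINE = re.compile(r'^(?P<kind>[umd]Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
TOOLBAR_LINE = re.compile(r'^TB: (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.+)$')
# rundll32 with or without a leading directory and .exe suffix
RUNDLL = re.compile(r'^(?:"?[^"\s]*[\\/])?rundll32(?:\.exe)?"?\s+', re.IGNORECASE)

# Heuristic: locations the logged-on user can write to. A DLL autostarted from one of
# these, rather than from Program Files or system32, deserves a second look.
USER_WRITABLE_MARKERS = (
    '\\documents and settings\\', '\\users\\', '\\temp\\',
    '%appdata%', '%localappdata%', '%temp%', '%userprofile%',
)


@dataclass
class Finding:
    kind: str                      # uRun, mRun, dRun, ...RunOnce, or TB
    name: str                      # value name, or CLSID for toolbars
    command: str
    dll: Optional[str] = None      # DLL handed to rundll32, if any
    reasons: List[str] = field(default_factory=list)


def rundll32_target(cmd: str) -> Optional[str]:
    """Return the DLL path passed to rundll32, or None if cmd is not a rundll32 call."""
    m = RUNDLL.match(cmd)
    if not m:
        return None
    rest = cmd[m.end():]
    if rest.startswith('"'):
        end = rest.find('"', 1)
        return rest[1:end] if end > 0 else rest[1:]
    # Unquoted form: the DLL ends at the comma before the export name, or at a space.
    return re.split(r'[,\s]', rest, maxsplit=1)[0]


def is_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def triage(lines: List[str]) -> List[Finding]:
    """Apply the three checks and return only the entries that tripped at least one."""
    findings: List[Finding] = []
    by_command: dict = {}        # lower-cased command -> findings sharing it
    for raw in lines:
        line = raw.strip()
        m = RUN_LINE.match(line)
        if m:
            f = Finding(m['kind'], m['name'], m['cmd'])
            f.dll = rundll32_target(f.command)
            if f.dll is not None and is_user_writable(f.dll):
                f.reasons.append('rundll32 autostart loads a DLL from a user-writable profile path')
            by_command.setdefault(f.command.lower(), []).append(f)
            findings.append(f)
            continue
        t = TOOLBAR_LINE.match(line)
        if t and t['target'].strip().lower() == 'no file':
            findings.append(Finding('TB', t['clsid'], t['target'],
                                    reasons=['orphaned toolbar registration, no file on disk']))
    # The same command registered under more than one hive (here HKCU via uRun and
    # HKU\.DEFAULT via dRun) is a persistence pattern worth calling out.
    for group in by_command.values():
        kinds = sorted({f.kind for f in group})
        if len(kinds) > 1:
            for f in group:
                f.reasons.append('same command registered under multiple hives: ' + ', '.join(kinds))
    return [f for f in findings if f.reasons]


if __name__ == '__main__':
    for f in triage(SAMPLE_LINES):
        print(f'{f.kind}: [{f.name}] {f.command}')
        for r in f.reasons:
            print(f'    - {r}')
```

Run against the sample lines it reports exactly the two Apple entries and the orphaned toolbar, which is what ComboFix later removed under "ORPHANS REMOVED" and what ESET then identified as a Win32/BHO trojan.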

Thanks!

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Please post the C:\ComboFix.txt in your next reply for further review.

Note: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.


Hi, here's the combofix log.

ComboFix 12-09-11.02 - Administrator 09/11/2012 18:48:20.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3543.2855 [GMT -4:00]

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Administrator\Local Settings\Application Data\Apple Computer\Apple\tfohkvg.dll

c:\documents and settings\Administrator\My Documents\~WRL3007.tmp

c:\documents and settings\All Users\Application Data\313055a4m715j113g838v8avg1e3

c:\windows\null

c:\windows\system32\URTTemp

c:\windows\system32\URTTemp\fusion.dll

c:\windows\system32\URTTemp\mscoree.dll

c:\windows\system32\URTTemp\mscoree.dll.local

c:\windows\system32\URTTemp\mscorsn.dll

c:\windows\system32\URTTemp\mscorwks.dll

c:\windows\system32\URTTemp\msvcr71.dll

c:\windows\system32\URTTemp\regtlib.exe

.

.

((((((((((((((((((((((((( Files Created from 2012-08-11 to 2012-09-11 )))))))))))))))))))))))))))))))

.

.

2012-09-04 20:29 . 2012-09-11 14:39 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Spotify

2012-09-04 20:29 . 2012-09-11 15:44 -------- d-----w- c:\documents and settings\Administrator\Application Data\Spotify

2012-08-30 23:18 . 2012-09-07 21:25 73696 ----a-w- c:\program files\Mozilla Firefox\breakpadinjector.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-09-07 21:04 . 2012-01-28 15:19 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-08-24 19:43 . 2011-02-10 11:54 301920 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2012-08-15 01:19 . 2012-04-14 16:45 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-08-15 01:19 . 2011-12-10 21:46 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-07-26 07:21 . 2011-01-07 10:41 237408 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2012-09-07 21:25 . 2011-04-07 18:22 266720 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

------- Sigcheck -------

Note: Unsigned files aren't necessarily malware.

.

[-] 2009-07-06 . B175B44DE1C18935F5F1D61BADCFE164 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DymoQuickPrint"="c:\program files\DYMO\DYMO Label Software\DymoQuickPrint.exe" [2009-10-29 1885944]

"Spotify Web Helper"="c:\documents and settings\Administrator\Application Data\Spotify\Data\SpotifyWebHelper.exe" [2012-09-04 1193176]

"Spotify"="c:\documents and settings\Administrator\Application Data\Spotify\Spotify.exe" [2012-09-04 5576408]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-08-27 141336]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-08-27 173592]

"Persistence"="c:\windows\system32\igfxpers.exe" [2009-08-27 142872]

"RTHDCPL"="RTHDCPL.EXE" [2009-07-03 18665472]

"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]

"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-07-31 2596984]

"DLSService"="c:\program files\DYMO\DYMO Label Software\DLSService.exe" [2009-10-28 55808]

"DYMOFileMonitor"="c:\program files\DYMO File\DYMOFileMonitor.exe" [2009-05-30 196608]

"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2011-06-14 1527128]

"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-11-13 421736]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-04-04 843712]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"_nltide_3"="advpack.dll" [2008-04-14 99840]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Intuit Data Protect.lnk - c:\program files\Common Files\Intuit\DataProtect\IntuitDataProtect.exe [2011-6-30 5832536]

QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2011-7-6 1156968]

QuickBooks_Standard_21.lnk - c:\program files\Intuit\QuickBooks 2011\QBW32.EXE [2011-7-6 1178984]

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1220945662-220523388-682003330-126107\Scripts\Logon\0\0]

"Script"=VipSales.vbs

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1220945662-220523388-682003330-50617\Scripts\Logon\0\0]

"Script"=VipSales.vbs

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1220945662-220523388-682003330-53443\Scripts\Logon\0\0]

"Script"=VipSales.vbs

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1220945662-220523388-682003330-81624\Scripts\Logon\0\0]

"Script"=VipSales.vbs

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"c:\\Program Files\\Intuit\\QuickBooks 2011\\QBDBMgrN.exe"=

"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=

"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=

"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=

"c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=

.

R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [4/19/2012 4:50 AM 24896]

R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [1/19/2011 4:32 AM 31952]

R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [1/7/2011 6:41 AM 237408]

R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2/10/2011 7:54 AM 301920]

R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [2/14/2012 4:53 AM 193288]

R2 QBVSS;QBIDPService;c:\program files\Common Files\Intuit\DataProtect\QBIDPService.exe [6/30/2011 1:25 PM 1248256]

R2 Shavlik Scheduler;Shavlik Remote Scheduler Service;c:\windows\ProPatches\Scheduler\stSchedEx.exe [10/6/2010 11:28 AM 1287520]

R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [12/23/2011 1:32 PM 139856]

R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilterx.sys [12/23/2011 1:32 PM 24144]

R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [12/23/2011 1:32 PM 17232]

R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [10/24/2008 3:02 AM 149600]

R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [3/5/2010 3:02 PM 44800]

S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\avgidsagent.exe [8/13/2012 3:24 AM 5167736]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/14/2012 12:45 PM 250056]

S3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\DRIVERS\motfilt.sys --> c:\windows\system32\DRIVERS\motfilt.sys [?]

S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys --> c:\windows\system32\DRIVERS\motccgp.sys [?]

S3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys --> c:\windows\system32\DRIVERS\motccgpfl.sys [?]

S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\DRIVERS\motodrv.sys --> c:\windows\system32\DRIVERS\motodrv.sys [?]

S3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\DRIVERS\Motousbnet.sys --> c:\windows\system32\DRIVERS\Motousbnet.sys [?]

S3 motusbdevice;Motorola USB Dev Driver;c:\windows\system32\DRIVERS\motusbdevice.sys --> c:\windows\system32\DRIVERS\motusbdevice.sys [?]

S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [5/2/2012 3:17 PM 114144]

S3 RDID1118;BR-80;c:\windows\system32\drivers\RDWM1118.sys [2/14/2012 12:49 PM 141312]

S4 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [11/21/2008 2:27 AM 238736]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - WS2IFSL

*NewlyCreated* - WUAUSERV

.

Contents of the 'Scheduled Tasks' folder

.

2012-09-11 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-14 01:19]

.

2012-09-11 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://google.com/

uInternet Settings,ProxyOverride = *.local;192.168.*.*

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

Trusted Zone: adp.com\ipay

Trusted Zone: anthem.com\www

Trusted Zone: bai.org\www

Trusted Zone: benefits4us.com\www

Trusted Zone: betraining.com\www

Trusted Zone: bsiweb.com\www

Trusted Zone: conexis.org\www

Trusted Zone: ct.gov\www.concord.sots

Trusted Zone: harland.net\branchprod

Trusted Zone: healthnet.com\www

Trusted Zone: hostedeet.com\majnhs

Trusted Zone: iapprove01

Trusted Zone: learnbai.org

Trusted Zone: lifebalance.net\www

Trusted Zone: myappro.com\www

Trusted Zone: MyAppro.Com \CTX

Trusted Zone: newalliancehr.com\www

Trusted Zone: synweb

Trusted Zone: tecaccess.com\www

Trusted Zone: ups.com\www

Trusted Zone: userconnect.com

Trusted Zone: usicg.com\www

Trusted Zone: vms1

TCP: DhcpNameServer = 10.1.10.1

FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\anqdakd8.default\

FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=utf-8&q=

FF - prefs.js: network.proxy.type - 0

.

- - - - ORPHANS REMOVED - - - -

.

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)

HKCU-Run-Apple - c:\documents and settings\Administrator\Local Settings\Application Data\Apple Computer\Apple\tfohkvg.dll

HKU-Default-Run-Apple - c:\documents and settings\Administrator\Local Settings\Application Data\Apple Computer\Apple\tfohkvg.dll

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-09-11 18:53

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

.

c:\windows\system32\wuauclt.exe.wusetup.136062.bak 53472 bytes executable

c:\windows\system32\wuaueng.dll.wusetup.137828.bak 1929952 bytes executable

.

scan completed successfully

hidden files: 2

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'Explorer.EXE'(2128)

c:\windows\system32\msi.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2012-09-11 18:56:26 - machine was rebooted

ComboFix-quarantined-files.txt 2012-09-11 22:56

.

Pre-Run: 218,915,336,192 bytes free

Post-Run: 221,464,977,408 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

.

- - End Of File - - 835DCFE83E99B76245BA84583846CDEB


Thanks! :)

Please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan

  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


Hi, here is the log from the ESET Scanner.

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=6.00.2900.5512 (xpsp.080413-2105)

# OnlineScanner.ocx=1.0.0.6583

# api_version=3.0.2

# EOSSerial=c2541a363079394c8f3b79ab3f13a2e2

# end=finished

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2012-09-13 07:49:20

# local_time=2012-09-13 03:49:20 (-0500, Eastern Daylight Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=1024 16777215 100 0 28559083 28559083 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=79897

# found=5

# cleaned=5

# scan_time=2609

C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\anqdakd8.default\extensions\yvlwuxymdm@yvlwuxymdm.org.xpi JS/Redirector.NCA trojan (deleted - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Administrator\My Documents\Downloads\musicnotesSuite.exe Win32/OpenCandy application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Administrator\My Documents\Downloads\SetupImgBurn_2.5.6.0.exe Win32/Bundled.Toolbar.Ask application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine.zip Win32/BHO.OEI trojan (deleted - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\Local Settings\Application Data\Apple Computer\Apple\tfohkvg.dll.vir Win32/BHO.OEI trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
