topic Re: Browser redirect issues - possible Happili infection? (help, Quads...) in Norton 360

Browser redirect issues - possible Happili infection? (help, Quads...)

armygirl44 — Sun, 13 May 2012 01:42:35 GMT

Late this morning, my browser (IE9) began to be redirected to one of several sites whenever I tried to click on a Google search result. Am running Norton 360, so I tried doing a full system scan first - no threats detected. Did some quick research, and ended up downloading Malwarebytes' Anti-Malware program while running in safe mode with networking. Ran that, and it detected Trojan.Happili in a temp directory (don't recall the path.) The Malwarebytes program said it had resolved the issue, and a subsequent scan was clean. Ran Ccleaner with secure deletion enabled to clean out temp directories. Updated Java, and cleared the cache through the Java console. Tried another Google search - same redirect issue. Found Quads' suggestions in this forum, and downloaded TDSSKiller and aswMBR while in safe mode with networking. Stopping there without further guidance, as I don't know how to interpret the results, and it sounds like messing around in ignorance is a recipe for disaster.

Can you help, Quads? Please let me know if more info is required.

Re: Browser redirect issues - possible Happili infection? (help, Quads...)

Quads — Sun, 13 May 2012 03:04:09 GMT

Why are you running in Safe Mode with Networking??

Why are you going about using tools that can cause more damage without any supervision, I have warned about doing so to people??

Start Malwarebytes and go to the logs tab to see what it detected.

Quads

Re: Browser redirect issues - possible Happili infection? (help, Quads...)

armygirl44 — Sun, 13 May 2012 04:48:40 GMT

Unfortunately, whatever's wrong with my system seems to be preventing me from accessing anti-malware product sites... running in safe mode with networking was the only way I was able to download the Malwarebytes program. My apologies for jumping the gun with the other two tools - didn't remove anything, just ran them to get the logs to post.

Malwarebytes log is attached as requested. Thanks for any advice you can offer!

Re: Browser redirect issues - possible Happili infection? (help, Quads...)

armygirl44 — Sun, 13 May 2012 04:56:30 GMT

Log of subsequent clean mbam scan attached. Didn't stop the redirect issue though.

Re: Browser redirect issues - possible Happili infection? (help, Quads...)

Quads — Sun, 13 May 2012 05:20:25 GMT

Please do not run any tools unless instructed to do so.

We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please read every post completely before doing anything.

Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forum, (sometimes )
Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!

Please read carefully

We may yet have to do this with a program without Windows loading as something is Blocking Programs from running etc. But we will try and log with this,

a) Download OTL hxxp://oldtimer.geekstogo.com/OTL.exe (change the hxxp to http) save it to your Desktop. In Safe Mode if Need be.

Restart the Computer into Normal Mode

Double click on OTL.exe to run it. Right click OTL.exe and select run as administator for Vista and Win 7.

Click the Scan All Users checkbox.

Change file age to 60 days

under Copy and paste what is below between the lines

drivers32
netsvcs
"%WinDir%\$NtUninstallKB*$." /30
C:\Program Files\Common Files\ComObjects\*.* /s
%systemroot%\*. /mp /s
%systemroot%\*. /rp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\drivers\*.sys /90
%SYSTEMDRIVE%\*.exe
/md5start
volsnap.sys
atapi.sys
explorer.exe
winlogon.exe
wininit.exe
/md5stop
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs

Press the

An OTL.txt will be created.

Quads

Re: Browser redirect issues - possible Happili infection? (help, Quads...)

armygirl44 — Sun, 13 May 2012 06:02:27 GMT

Thanks for helping me! OTL.txt is attached as requested.

Re: Browser redirect issues - possible Happili infection? (help, Quads...)

Quads — Sun, 13 May 2012 06:14:14 GMT

A 64 bit System, hmmmmm

Do you have a Flash Drive??

Quads

Re: Browser redirect issues - possible Happili infection? (help, Quads...)

armygirl44 — Sun, 13 May 2012 06:24:38 GMT

Sure do! :) It's got some stuff on it, but nothing that can't be replaced. What do you need me to do with it?

Re: Browser redirect issues - possible Happili infection? (help, Quads...)

Quads — Sun, 13 May 2012 06:32:43 GMT

Got to make sure the subsystems is untouched with anything linked to that.

Please download hxxp://download.bleepingcomputer.com/farbar/FRST64.exe (change the hxxp to http) and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

Select Command Prompt
In the command window type in notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
Note: Replace letter e with the drive letter of your flash drive.
The tool will start to run.
When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

Quads

Re: Browser redirect issues - possible Happili infection? (help, Quads...)

armygirl44 — Sun, 13 May 2012 06:39:38 GMT

Next step in process. OTL created another txt file called extras.txt that I just noticed. It is attached, in case it is useful.

Re: Browser redirect issues - possible Happili infection? (help, Quads...)

armygirl44 — Sun, 13 May 2012 06:42:38 GMT

The URL hxxp://download.bleepingcomputer.com/farbar/FRST64.exe leads to a 404 not found page. Is there an alternative site for this download?

Re: Browser redirect issues - possible Happili infection? (help, Quads...)

Quads — Sun, 13 May 2012 07:00:22 GMT

hxxp://download.bleepingcomputer.com/farbar/FRST64.exe (change the xx to tt) did work for me

There is also a link on the first post here http://www.bleepingcomputer.com/forums/topic452205.html/page__st__15

Quads

Re: Browser redirect issues - possible Happili infection? (help, Quads...)

armygirl44 — Sun, 13 May 2012 07:00:33 GMT

Got it. Log to follow.

Re: Browser redirect issues - possible Happili infection? (help, Quads...)

armygirl44 — Sun, 13 May 2012 07:31:57 GMT

FRST.txt attached as requested. Also - following the restart required after running FRST64.exe, and without any action on my part, Norton 360 reported that Trojan.tracur!gen2 had been detected and removed. Am attaching the export of the security history from Norton 360, in case it is useful.

Re: Browser redirect issues - possible Happili infection? (help, Quads...)

Quads — Sun, 13 May 2012 07:36:41 GMT

Can you get the full details of this entry in the history

5/13/2012 12:22 AM,High,wtzvdsv.dll (Trojan.Tracur!gen2) detected by Auto-Protect,Quarantined,Resolved - No Action

Like location it was taken from.

Quads

Re: Browser redirect issues - possible Happili infection? (help, Quads...)

armygirl44 — Sun, 13 May 2012 07:54:43 GMT

File insight says that the infected file was wtzvdsv.dll and that the file performed two actions.

File actions dropbox says:

File: c:\users\lauren\appdata\local\apple\adobe\wtzvdsv.dll

Registry actions dropbox says:

Registry Run entry: HKEY_USERS\S-1-5-21-4253071426-4000798264-1434264933-1006\Software\Microsoft\Windows\CurrentVersion\Run->Adobe

File insight also says it was removed,no further action needed.

Am guessing there are other steps required to ensure this issue is really resolved?

Re: Browser redirect issues - possible Happili infection? (help, Quads...)

Quads — Sun, 13 May 2012 08:07:37 GMT

It could be the parts leftover in the OTL log as locked and not found

Now

1) Uninstall Malwarebytes

Then

Read all of this message first

Download Combofix http://www.bleepingcomputer.com/download/anti-virus/combofix

Ensure that Combofix is saved directly to the Desktop <--- Very important
Disable all security programs as they will have a negative effect on Combofix,
Close any open browsers and any other programs you might have running

Doiwnload the attached CFscript.txt, , For some browsers Right Click the attachment on the forum and select "Save AS" or similar to Download it. See screenshot below.

Now drag the CFScript.txt into the ComboFix.exe

If you are using windows XP It might display a pop up saying that "Recovery console is not installed, do you want to install?" Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review

****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

*EXTRA NOTES*

If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
If Combofix reboot's due to a rootkit, the screen may stay black for several minutes on reboot, this is normal
If after running Combofix you receive any type of warning message about registry key's being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (Those items will not be deleted)

Quads

Re: Browser redirect issues - possible Happili infection? (help, Quads...)

armygirl44 — Sun, 13 May 2012 08:48:50 GMT

Disabled security programs and closed open programs, then downloaded ComboFix and the CFScript.txt file to the desktop as directed. When I drag the script onto the ComboFix icon, a small window appears, numerous lines scroll past, and then that window closes. A few seconds later, another slightly bigger blue window opens (header says "Administrator") and then a dialog box appears with the following message:

CFScript Name Error

Were you trying to run CFScript?

The name, CFScript appears to be incorrectly spelt

The program did not ask about a recovery console or a malware scan, and no combofix.txt file was generated after the error message was closed.

Did I miss a step?

Re: Browser redirect issues - possible Happili infection? (help, Quads...)

armygirl44 — Sun, 13 May 2012 19:55:24 GMT

Also, Norton 360 is now giving me an error message (code 3040, 40018 - conflict with another security program) when I try to access the security history, and recommends installing v6 as the fix. Not sure what the conflict is - removed mbam as previously directed. Have not been able to find any other way to access the security history, and did not yet install the new version of 360 pending your further instruction.

Re: Browser redirect issues - possible Happili infection? (help, Quads...)

Quads — Sun, 13 May 2012 20:07:23 GMT

Take Combofix.exe and rename it to something like Badfile.exe and see if that works.

Quads