topic Re: Happili Miserable in Norton Internet Security / Norton AntiVirus

Happili Miserable

kseither — Wed, 11 Apr 2012 15:54:28 GMT

I am running Win 7 x64 and get redirected to happili.com. It happens both through searches and links via other websites. I have read the threads but am confused as to where to start. Don't want to screw anything up and am semi computer ignorant. Please help me.

Re: Happili Miserable

kseither — Wed, 11 Apr 2012 15:56:13 GMT

Also, I am running Norton Anti Virus 2012 and have tried full scan and Power Eraser scan with no success on finding virus.

Re: Happili Miserable

Quads — Thu, 12 Apr 2012 00:23:43 GMT

Don't run Norton Power Eraser.

Quads

Re: Happili Miserable

kseither — Thu, 12 Apr 2012 12:00:10 GMT

I already did. Did that ruin my chances of fixing this thing?

Re: Happili Miserable

Davec33 — Thu, 12 Apr 2012 16:13:19 GMT

Question for Quads ( or anyone from Norton ): I am somewhat concerned about all the reports I see about Happili redirect. Is NIS able to detect and block this yet ?

Re: Happili Miserable

cgoldman — Thu, 12 Apr 2012 17:52:31 GMT

Davec33 wrote:
Question for Quads ( or anyone from Norton ): I am somewhat concerned about all the reports I see about Happili redirect. Is NIS able to detect and block this yet ?

I am neither Quads or Norton, but am advised by Norton that Happili is now being detected although it is included in the detection under the title "trojan.tracur."

Re: Happili Miserable

Davec33 — Thu, 12 Apr 2012 19:41:36 GMT

The OP states that he is running Windows 7.

The write up for "trojan.tracur" by Norton shows:

Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000

Does not mention Windows 7 ??

Also states: Wild Level: Low , Number of Infections: 0 - 49 , Removal: Easy

From what I have been reading here the removal of Happipi is anything but easy ! So I am still not reassured that NIS is blocking this.

Re: Happili Miserable

Quads — Fri, 13 Apr 2012 00:21:10 GMT

It depends on what is causing the redirects for that or other sites. New variants are continually appearing, so that one for last week or even yesterday is different enough to get past AV software at times.

The Redirect can be caused by a group of different Malware, but the users see the same Redirect, So one user actually has Zeroaccess where another has Pihar, then another has Tracur, and other has Mebroot, and another jusr has a Java infection.

Same Redirect but different cause, This is where people are screwing there systems as they are not knowing what they are trying to target.

Quads

Re: Happili Miserable

Davec33 — Fri, 13 Apr 2012 01:34:58 GMT

Thanks for that explanation Quads.

Hopfully Symantec will keep on top of these malware.

Re: Happili Miserable

Quads — Fri, 13 Apr 2012 02:05:55 GMT

kseither wrote:
I already did. Did that ruin my chances of fixing this thing?

Did it detect any object at all, and did NPE unload (close) correctly??

Quads

Re: Happili Miserable

kseither — Fri, 13 Apr 2012 19:19:40 GMT

Yes, it seamed to open/close and run correctly. No, no detection.

Re: Happili Miserable

joen — Fri, 13 Apr 2012 22:36:25 GMT

q:
> New variants are continually appearing, so that one for last week or even yesterday
> is different enough to get past AV software at times.

Good point. And in such cases the question is "what vulnerability on your computer does it then use to get access?"

So in addition to keeping MS Windows updated, also check:
Java (ver 6, update 31; 1.6.0_31-b05)
Adobe Reader (9.5.1)
Flash (11.2.202.233)

Re: Happili Miserable

Quads — Sat, 14 Apr 2012 00:08:38 GMT

kseither wrote:
Yes, it seamed to open/close and run correctly. No, no detection.

Please read carefully

1. Please download aswMBR hxxp://public.avast.com/~gmerek/aswMBR.exe to your desktop. (replace the hxxp with http)
Double click the aswMBR.exe icon to run it
it will ask to download extra definitions - ALLOW IT / Yes
Click the Scan button to start the scan
On completion of the scan, click the save log button, save it to your desktop and Please attach the log in the post back

Download OTL hxxp://oldtimer.geekstogo.com/OTL.exe (change the hxxp to http) save it to your Desktop.

Double click on OTL.exe to run it. Right click OTL.exe and select run as administator for Vista and Win 7.

Click the Scan All Users checkbox.

Change file age to 60 days

Press the

Quads

Re: Happili Miserable

kseither — Sat, 14 Apr 2012 01:24:36 GMT

Running OTL next.

Re: Happili Miserable

kseither — Sat, 14 Apr 2012 01:26:04 GMT

Re: Happili Miserable

Quads — Sat, 14 Apr 2012 01:55:29 GMT

It appears you have a file using a Alternate data Stream, that is pretending to be a email, I am trying to figure if all the shortcuts created around the same time on the desktop also belong to it.

Quads

Re: Happili Miserable

Quads — Sat, 14 Apr 2012 13:25:31 GMT

Read all of this message first

Download Combofix http://www.bleepingcomputer.com/download/anti-virus/combofix

Ensure that Combofix is saved directly to the Desktop <--- Very important
Disable all security programs as they will have a negative effect on Combofix,
Close any open browsers and any other programs you might have running

Doiwnload the attached CFscript.txt, Now drag the CFScript.txt into the ComboFix.exe

If you are using windows XP It might display a pop up saying that "Recovery console is not installed, do you want to install?" Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review

****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

*EXTRA NOTES*

If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
If Combofix reboot's due to a rootkit, the screen may stay black for several minutes on reboot, this is normal
If after running Combofix you receive any type of warning message about registry key's being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (Those items will not be deleted)

Quads

Re: Happili Miserable

kseither — Sun, 15 Apr 2012 21:59:06 GMT

Re: Happili Miserable

Quads — Mon, 16 Apr 2012 00:17:12 GMT

Uninstall Firefox completely, if will ask if you want all the data removed to, Do so (yes), So its's like Firefox has never been installed.

We will use Internet Explorer for awhile from now on until cleaned up. I will remove the ADS later

Quads

Re: Happili Miserable

kseither — Mon, 16 Apr 2012 14:00:55 GMT

Done. Dont' know if this matters, but I have always used Explorer and never Firefox - it was installed when I bought computer from Best Buy.