
Need Happili removal help!

Hi-

I can't get rid of the Trojan.Happili redirect. Norton AntiVirus can't find it and Malwarebytes says it's quarantined and deleted it, but I'm still getting redirected from Google search result links. I had this issue last month, it seemed to be resolved, but now it's back. I've attached the Malwarebytes logs from today and from the last infection. Any help would be greatly appreciated.

Thanks

Replies


Re: Need Happili removal help!

Please do not run any tools unless instructed to do so. 

  • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please read every post completely before doing anything. 

  • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums (sometimes).

  • Attention to detail is important! Since I cannot see or directly interact with your computer, I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.

Please read carefully

1. Please download aswMBR hxxp://public.avast.com/~gmerek/aswMBR.exe to your desktop. (replace the hxxp with http)
Double click the aswMBR.exe icon to run it
it will ask to download extra definitions - ALLOW IT / Yes
Click the Scan button to start the scan
On completion of the scan, click the Save log button, save it to your desktop and please attach the log in your reply. Don't have the program fix anything.

Quads


Re: Need Happili removal help!

Thanks for your quick and detailed response. I've attached the log file for review. I appreciate the help.


Re: Need Happili removal help!

Please read carefully. Read all of this message first.

Download Combofix http://www.bleepingcomputer.com/download/anti-virus/combofix


  • Ensure that Combofix is saved directly to the Desktop <--- Very important

  • Disable all security programs as they will have a negative effect on Combofix. Disable them for, say, 1 hour or more.
  • Close any open browsers and any other programs you might have running

Download the attached CFScript.txt. For some browsers, right click the attachment on the forum and select "Save As" or similar to download it. See screenshot below.

Now drag the CFScript.txt into the ComboFix.exe


  • If you are using Windows XP it might display a pop up saying "Recovery console is not installed, do you want to install?" Please select yes and let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
  • When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review


****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

*EXTRA NOTES*

  • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
  • If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot; this is normal.
  • If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (those items will not be deleted).

Quads


Re: Need Happili removal help!

OK, Combofix has run. The requested report is attached. I left Combofix run unattended and it rebooted the system, so does that mean it detected Rootkit/Bootkit activity? Also I did get a warning message about registry keys being listed for deletion when I tried to open items, so I rebooted again per your instructions and it seemed to fix that. After the reboot, I tested a Google search and was NOT redirected.

Does this mean the issue is resolved? If no, what's next? If yes, how can I avoid this hassle again in the future?

Thanks again for your help.


Re: Need Happili removal help!

OK,  

With your browsers, go into the options and clear all the browsing data. The browser will give options like browser cache, temp files, history etc.; select all.

Quads


Re: Need Happili removal help!

Thanks, Quad. All browsing info is now deleted. Are there any more steps to complete? Anything I can do to avoid this going forward?


Re: Need Happili removal help!

Are you getting the redirects now??

Quads


Re: Need Happili removal help!

Argh! Just tested and I'm getting redirects AGAIN! After running Combofix last night I was NOT getting redirects for a while...now the issue is back. What's the next step?

Thanks for all your time and expertise~


Re: Need Happili removal help!

Please read carefully and slowly.

Please scan with ESET next.


I'd like us to scan your machine with ESET OnlineScan

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the  button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on  to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the  icon on your desktop.
  • Check 
  • Click the  button.
  • Accept any security warnings from your browser.
  • Under scan settings, check  and DON'T (NO) check Remove found threats (reason for this is we don't want something deleted and then Windows won't load).
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • Attach the resulting log in your next reply


If you think a log should have been generated then go to C:\Program Files\ESET\ESET Online Scanner\log.txt to find it. 

Quads


Re: Need Happili removal help!

OK, ESET scan is done. As requested, I've attached C:\Program Files\ESET\ESET Online Scanner\log.txt. I also exported the scan results to Eset scan results.txt which is attached. Please advise me on next steps. Thanks.


Re: Need Happili removal help!

Turn off System Restore, wait for it to finish cleaning the restore points and then turn it back on.

Which browser(s) are you still getting redirected on??

Quads


Re: Need Happili removal help!

OK, System Restore turned off, then turned back on. The redirects are happening in IE and Chrome. Please advise. Thanks


Re: Need Happili removal help!

We will check the HOSTS later

For IE, download instead of Run as the page says: http://support.microsoft.com/kb/923737 (there are also manual instructions).

For Chrome, completely uninstall Chrome; it will ask you whether to remove all data, tick all then click Yes. Then download a fresh install from Google.

Quads


Re: Need Happili removal help!

OK, the IE reset is done and Chrome has been removed and re-installed. What's the next step? Thanks


Re: Need Happili removal help!

Be aware that the Happili redirect has more than one root cause, and you could be going to a website that is downloading files into the Temporary Internet Files or Java cache to start it off. I wouldn't be able to tell you which site, if that's the case.

Download OTL   hxxp://oldtimer.geekstogo.com/OTL.exe   (change the hxxp to http) save it to your Desktop.

Double click on OTL.exe to run it. Right click OTL.exe and select Run as administrator for Vista and Win 7.

Disable Norton for say 30 minutes

Start OTL,  

Click the Scan All Users checkbox.

Change file age to 60 days

under  Copy and paste what is below between the lines



msconfig
activex
drivers32
netsvcs
C:\Program Files\Common Files\ComObjects\*.* /s
%systemroot%\*. /mp /s
%systemroot%\*. /rp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\drivers\*.sys /90
%SYSTEMDRIVE%\*.exe
/md5start
volsnap.sys
atapi.sys
explorer.exe
winlogon.exe

mswsock.dll
wininit.exe
services.exe

svchost.exe
tdx.sys
afd.sys
cdrom.sys
i8042prt.sys
netbt.sys
redbook.sys

mrxsmb.sys

/md5stop

hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs


Press the 

An OTL.txt will be created.

Quads


Re: Need Happili removal help!

OK, OTL scan is complete and the OTL.Txt file is attached.

Re: "Be aware that the Happili redirect has more than one root cause and you could be going to a website..." Not sure what this means in terms of what I should/should not do in terms of web navigation.

Please advise on next steps.

Thanks once more for your help.


Re: Need Happili removal help!

Looks like I found the entry. I will use the log to create a fix script to clean things up, including removing this

O4 - HKU\S-1-5-21-1733658495-1156133173-3422704267-1003..\Run: [Adobe] C:\Users\Christopher\AppData\Local\Apple\Adobe\sjjxra.dll (Gracenote)

And that is why when you restarted the system things started all over again.

back soon.

Quads


Re: Need Happili removal help!

Disable Norton for say 30 minutes

Start OTL, under   Copy and paste the custom script attached, which you open in, for instance, Notepad (include the : at the start of :OTL and all the way to the end / bottom), and run the script. (Red Run Fix button)

The output log should be placed in the C:\_OTL folder afterwards.

Quads


Re: Need Happili removal help!

I ran OTL with the custom script and the system has re-booted. The log file is attached. Thanks


Re: Need Happili removal help!

Now do a few restarts and tests to see if, like yesterday / this morning, it comes back, before I give the final procedure.

Quads


Re: Need Happili removal help!

Quads - Per your instructions, I've done a few restarts and the redirect issue persists. I appreciate that you are persistent in helping find a solution. Thanks


Re: Need Happili removal help!

After removing the startup file 

O4 - HKU\S-1-5-21-1733658495-1156133173-3422704267-1003..\Run: [Adobe] C:\Users\Christopher\AppData\Local\Apple\Adobe\sjjxra.dll (Gracenote)

You have to remove all browsing data cache data etc from all browsers

Quads


Re: Need Happili removal help!

Quads-

I've just deleted the browsing history in IE (selected all checkbox options). To be certain, is this what you meant by "remove all browsing data cache data etc..."?

I ran Malwarebytes again before I saw your last message and it found and quarantined Trojan.Happili again. I've attached the log.

Please advise on next steps.

Thanks.


Re: Need Happili removal help!

The entry I removed is known as Win32/Kryptik.AGOD trojan, but I just wonder how it rebuilds.

Create another OTL log

Quads


Re: Need Happili removal help!

OK, I'll run OTL again, Quads. Should I paste the same script you provided earlier before I run? Thanks


Re: Need Happili removal help!

Do the same all users settings etc.  Just not the script part

I found this similar infection  http://www.bleepingcomputer.com/forums/topic456108.html

Maybe System Restore has to be turned off and stay off so it can't rebuild from there.

Quads


Re: Need Happili removal help!

Per your request, here's the new OTL log, Quads. Please advise. Thanks


Re: Need Happili removal help!

It has rebuilt itself with a different random file name. Hmmm, where is it coming from? Thinking.

Quads


Re: Need Happili removal help!

Update your Malwarebytes database (Update tab) and then run a Full Scan, with System Restore still turned off.

Quads


Re: Need Happili removal help!

DB updated, full scan completed, log attached. During scan NIS twice detected and quarantined Trojan.Tracur.


Re: Need Happili removal help!

OK, what has happened is that Norton has more than likely taken the files before Malwarebytes could get to them.

Can you open Norton's history and look up the info on what Norton took?

Quads


Re: Need Happili removal help!

Security history shows that Trojan.Tracur was detected by AutoProtect. Status is quarantined. Risk state: fully removed.


Re: Need Happili removal help!

Open up the details of the threats (files), then click the Copy to Clipboard button; then you can paste the info back in a message.

It should look something like this

Full Path: c:\users\michael\appdata\roaming\windowsdefender.exe
Threat: Trojan.Gen.2
____________________________
____________________________
On computers as of 07/06/2012 at 16:51:34
Last Used 12/06/2012 at 19:37:39
Startup Item Yes
Launched Yes
____________________________
____________________________
Very Few Users
Fewer than 5 users in the Norton Community have used this file.
____________________________
Very New
This file was released less than 1 week ago.
____________________________
High
This file risk is high.
____________________________
Threat Details
Threat type: Virus. Programs that infect other programs, files, or areas of a computer by inserting themselves or attaching themselves to that medium.
____________________________

Source File:
zipper.exe
File Created:
java.exe
File Created:
gpjcpaqu.exe
File Created:
windowsdefender.exe
____________________________
File Actions
File: c:\users\michael\appdata\roaming\local.exe
Removed
Event: Running process: c:\Users\Michael\AppData\Roaming\windowsdefender.exe
No fix attempted
Infected file: c:\Users\Michael\AppData\Roaming\windowsdefender.exe
No fix attempted
____________________________
Registry Actions
Registry change: HKEY_USERS\S-1-5-21-2987770335-1501293673-996271820-1000\Software\Microsoft\Windows\CurrentVersion\Run->local
No fix attempted
____________________________
File Thumbprint - SHA:
8a2064e75ef38ac022dbaacb03bb24e3c2faa8fba69f8dde1f6c0ff5a2d370bc
____________________________
File Thumbprint - MD5:
b185b3888b39105c76f97735c28019fd
____________________________


Quads
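As an added example (mine, not from this post, from Norton or from any tool named in the thread), here is a small Python parser for the "Copy to Clipboard" record shown above. The point of asking for that record is that it carries everything a helper needs: the full path, the SHA-256 and MD5 digests, the autorun registry key, and which items Norton actually removed versus only logged as "No fix attempted". The sample text is the record from the post, abridged (the reputation lines are dropped); all function names and the dict layout are my own.

```python
import re

# Constructed sample: the Norton "Copy to Clipboard" record quoted in the post above,
# abridged (reputation lines dropped); paths, registry key and digests are as posted.
SAMPLE_RECORD = r"""Full Path: c:\users\michael\appdata\roaming\windowsdefender.exe
Threat: Trojan.Gen.2
____________________________
Startup Item Yes
Launched Yes
Source File:
zipper.exe
File Created:
java.exe
File Created:
gpjcpaqu.exe
File Created:
windowsdefender.exe
____________________________
File Actions
File: c:\users\michael\appdata\roaming\local.exe
Removed
Event: Running process: c:\Users\Michael\AppData\Roaming\windowsdefender.exe
No fix attempted
Infected file: c:\Users\Michael\AppData\Roaming\windowsdefender.exe
No fix attempted
Registry Actions
Registry change: HKEY_USERS\S-1-5-21-2987770335-1501293673-996271820-1000\Software\Microsoft\Windows\CurrentVersion\Run->local
No fix attempted
File Thumbprint - SHA:
8a2064e75ef38ac022dbaacb03bb24e3c2faa8fba69f8dde1f6c0ff5a2d370bc
File Thumbprint - MD5:
b185b3888b39105c76f97735c28019fd
"""

SEPARATOR = re.compile(r"^_{5,}$")
HASH_HEADER = re.compile(r"^File Thumbprint - (SHA|MD5):$")
FILE_ACTION = re.compile(r"^(File|Event: Running process|Infected file): (.+)$")
REG_ACTION = re.compile(r"^Registry change: (.+)$")


def parse_norton_record(text):
    """Turn the pasted record into a dict. Several fields are 'header on one line,
    value on the next', so the loop peeks one line ahead and skips it once consumed."""
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln and not SEPARATOR.match(ln)]
    rec = {"full_path": None, "threat": None, "sha256": None, "md5": None,
           "startup_item": False, "source_file": None,
           "created_files": [], "file_actions": [], "registry_actions": []}
    i = 0
    while i < len(lines):
        ln, nxt = lines[i], (lines[i + 1] if i + 1 < len(lines) else "")
        hash_m, file_m, reg_m = HASH_HEADER.match(ln), FILE_ACTION.match(ln), REG_ACTION.match(ln)
        if ln.startswith("Full Path: "):
            rec["full_path"] = ln[len("Full Path: "):]
        elif ln.startswith("Threat: "):
            rec["threat"] = ln[len("Threat: "):]
        elif ln.startswith("Startup Item "):
            rec["startup_item"] = ln.endswith("Yes")
        elif hash_m:  # the digest is on the following line
            rec["sha256" if hash_m.group(1) == "SHA" else "md5"] = nxt.lower()
            i += 1
        elif ln == "Source File:":
            rec["source_file"] = nxt
            i += 1
        elif ln == "File Created:":
            rec["created_files"].append(nxt)
            i += 1
        elif file_m:  # verdict ("Removed" / "No fix attempted") is on the following line
            rec["file_actions"].append({"kind": file_m.group(1), "path": file_m.group(2), "action": nxt})
            i += 1
        elif reg_m:
            rec["registry_actions"].append({"key": reg_m.group(1), "action": nxt})
            i += 1
        i += 1
    return rec


def extract_iocs(rec):
    """Indicators a responder pivots on: digests, on-disk paths (case-folded), autorun keys."""
    iocs = {"hashes": set(), "paths": set(), "autoruns": set()}
    iocs["hashes"].update(h for h in (rec["sha256"], rec["md5"]) if h)
    if rec["full_path"]:
        iocs["paths"].add(rec["full_path"].lower())
    iocs["paths"].update(fa["path"].lower() for fa in rec["file_actions"])
    iocs["autoruns"].update(ra["key"] for ra in rec["registry_actions"])
    return iocs


def unresolved_actions(rec):
    """Items Norton logged but did not remediate; these still need follow-up with another tool."""
    return ([fa["path"] for fa in rec["file_actions"] if fa["action"] != "Removed"]
            + [ra["key"] for ra in rec["registry_actions"] if ra["action"] != "Removed"])


def has_run_key_persistence(rec):
    """True when the threat is wired into a Run key, i.e. the 'O4' entries seen in this thread."""
    return rec["startup_item"] or any("\\CurrentVersion\\Run" in ra["key"]
                                      for ra in rec["registry_actions"])
```

Running `unresolved_actions(parse_norton_record(SAMPLE_RECORD))` on the sample gives the running process, the infected file and the Run key, which is exactly why a detection that reads "Status: quarantined" can still leave the redirect in place: the on-disk copy was taken, the loaded copy and its autorun key were not.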


Re: Need Happili removal help!

Sorry to be dense Quads, but I'm not clear on where I open up the details of the threats in NIS. Thanks


Re: Need Happili removal help!

In the Norton History, click on the entry (or entries) that state Trojan.Tracur and click on the Details button, or I think you can maybe just double click the entry.

A Window will appear that looks like this

Near the bottom, by the Close button, there is a Copy to Clipboard; click it, and afterwards you can just paste into Notepad or into forum posts.

Quads.


Re: Need Happili removal help!

I'm sorry, I have Norton Internet Security version 16.8.3.6 and I don't see any screen that looks like that. Is it possible that you are thinking of another program? It looks like NIS found a file in C:\_OTL\MovedFiles\06142012_001105\C_Users\Christopher\AppData\Local\Apple

Hope this helps.

Thanks


Re: Need Happili removal help!

No, you said Norton detected ........... What do you think I am thinking of, Norton Motorcycles??

Other AV products, if you do not have Symantec AVs (Norton), are not on this forum; it's a no-no.

Quads


Re: Need Happili removal help!

OK, so Norton can detect and remove the dormant file I have already shifted, but not the one running.

Found the closest write-up, 3 O4 registry keys: http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FTracur.AK

Quads


Re: Need Happili removal help!

LOL..."Norton Motorcycles". Quads, when I suggested that you might be referring to another product, I was thinking perhaps the screenshot you posted was from another Norton product other than Norton Internet Security version 16.8.3.6 which I am running, such as Norton 360™ Version 6.0 or Norton™ AntiVirus 2012 because I don't see any screen that looks like that in the Norton product I have.

You have been very helpful and persistent since I first posted and I greatly appreciate that. What do you suggest as the next step?

Thanks once again.


Re: Need Happili removal help!

Download Hijackthis.exe from here http://sourceforge.net/projects/hjt/files/2.0.4/  and create a log.

Quads


Re: Need Happili removal help!

Here is the Hijackthis log. When I launched Hijackthis I got a message box saying that "For some reason your system denied access to the Hosts file..." Is that just Norton or the malware denying access?

Thanks


Re: Need Happili removal help!

Right click Hijackthis.exe and from the menu select "Run as Administrator"

Quads


Re: Need Happili removal help!

OK, here's the log run as Admin. Thanks


Re: Need Happili removal help!

Download a fresh new copy of Combofix

Please read carefully. Read all of this message first.

Download Combofix http://www.bleepingcomputer.com/download/anti-virus/combofix


  • Ensure that Combofix is saved directly to the Desktop <--- Very important

  • Disable all security programs as they will have a negative effect on Combofix. Disable them for, say, 1 hour or more.
  • Close any open browsers and any other programs you might have running

Download the attached CFScript.txt. For some browsers, right click the attachment on the forum and select "Save As" or similar to download it. See screenshot below.

Now drag the CFScript.txt into the ComboFix.exe


  • If you are using Windows XP it might display a pop up saying "Recovery console is not installed, do you want to install?" Please select yes and let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
  • When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review


****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

*EXTRA NOTES*

  • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
  • If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot; this is normal.
  • If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (those items will not be deleted).

Quads


Re: Need Happili removal help!

OK, here's the latest log from ComboFix.

BTW, I just upgraded to Norton Internet Security version 19.7.1.5. I'd had v16.8.3.6 installed and I think the different version was the cause of my confusion regarding your screenshot in our earlier communication.

Thanks


Re: Need Happili removal help!

Now, after restarts of the system, does an entry like this appear in HijackThis?

O4 - HKCU\..\Run: [Apple] rundll32.exe "C:\Users\Christopher\AppData\Local\BOSS\Apple\ciljkjua.dll",CreateInstance

Quads
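Added example, not from this thread, HijackThis or OTL: a Python triage pass over the kind of O4 Run-key lines Quads has been asking the poster to look for. It parses each entry, works out which file is really loaded (the DLL behind rundll32.exe rather than rundll32 itself), and scores the traits both entries in this thread share: an image under the user's AppData folder, a DLL rather than a program, a value name borrowing a vendor's name while the file is nowhere near Program Files, and a consonant-heavy random file name. The sample log holds the two entries quoted in the thread plus two benign entries constructed here for contrast; the weights, the threshold and the vendor word list are my assumptions, meant as a reading aid, not a verdict.

```python
import re

# Constructed sample log: the two O4 entries quoted in this thread, plus two benign entries
# made up here for contrast and a HijackThis header line.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.4
O4 - HKU\S-1-5-21-1733658495-1156133173-3422704267-1003..\Run: [Adobe] C:\Users\Christopher\AppData\Local\Apple\Adobe\sjjxra.dll (Gracenote)
O4 - HKCU\..\Run: [Apple] rundll32.exe "C:\Users\Christopher\AppData\Local\BOSS\Apple\ciljkjua.dll",CreateInstance
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [OneDrive] "C:\Users\Christopher\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
"""

O4_LINE = re.compile(r"^O4 - (?P<hive>.+?)\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
TOKEN = re.compile(r'"([^"]+)"|(\S+)')       # a quoted path or a bare word
VENDOR_WORDS = ("adobe", "apple", "java", "microsoft")   # assumed list
FLAG_THRESHOLD = 3                           # assumed cut-off


def longest_consonant_run(stem):
    """Crude randomness test: real product names rarely stack four consonants."""
    runs = re.findall(r"[b-df-hj-np-tv-z]+", stem.lower())
    return max((len(r) for r in runs), default=0)


def triage_o4(line):
    """Score one O4 line; returns None for lines that are not O4 Run entries."""
    m = O4_LINE.match(line)
    if not m:
        return None
    name, cmd = m.group("name"), m.group("cmd")
    tokens = [quoted or bare for quoted, bare in TOKEN.findall(cmd)]
    dlls = [t for t in tokens if t.lower().endswith(".dll")]
    exes = [t for t in tokens if t.lower().endswith(".exe")]
    image = (dlls or exes or [cmd])[0]        # prefer the DLL behind rundll32 over rundll32 itself
    low = image.lower()
    stem = re.sub(r"\.[^.]*$", "", low.rsplit("\\", 1)[-1])
    reasons = []
    if "\\appdata\\" in low:
        reasons.append(("image lives in a user-writable AppData folder", 2))
    if dlls:
        reasons.append(("Run value loads a DLL (via rundll32 or directly), not a program", 1))
    if any(v in name.lower() for v in VENDOR_WORDS) and "\\program files" not in low:
        reasons.append(("vendor-like value name but image is not under Program Files", 1))
    if longest_consonant_run(stem) >= 4:
        reasons.append(("random-looking file name", 1))
    score = sum(weight for _, weight in reasons)
    return {"hive": m.group("hive").rstrip("\\"), "name": name, "image": image,
            "score": score, "reasons": [text for text, _ in reasons],
            "suspicious": score >= FLAG_THRESHOLD}


def triage_log(text):
    """Run triage_o4 over every line of a pasted HijackThis/OTL log."""
    return [r for r in (triage_o4(ln.strip()) for ln in text.splitlines()) if r]


if __name__ == "__main__":
    for result in triage_log(SAMPLE_LOG):
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"[{flag}] {result['hive']} [{result['name']}] -> {result['image']}  "
              f"({', '.join(result['reasons'])})")
```

On the sample, the two entries from the thread score 5 each and the two constructed entries score 0 and 2: the OneDrive-style line shows that an AppData path on its own is not enough to flag, which is why the thread's two entries stand out for the combination of traits rather than any single one.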


Re: Need Happili removal help!

Has that part of it come back yet??

Quads


Re: Need Happili removal help!

Quads- I don't see the line you asked about in the HijackThis log. Please see the attached log and advise on next steps. Thanks once more


Re: Need Happili removal help!

You are correct, it hasn't come back this time; we will wait for another 24-48 hours to see before doing any clean up of programs used or temp files.

At the same time, just keep updating Malwarebytes and make sure Norton is up to date, and run scans over that time; see if anything else appears, even one file.

Quads


Re: Need Happili removal help!

Quads- I've done several restarts and have updated and run both malwarebytes and Norton multiple times with no threats found. The Google redirect behavior seems to have stopped. Please advise on next steps. Thanks
