Happili Trojan: Need Assistance With Complete Removal

Hello - please forgive the long post, just want to provide as much detail as possible.

Yesterday (9/26) I was browsing (IE), doing research as I have done for weeks on end, and suddenly my browser became slow, unstable and unresponsive. I had been watching lots of videos on YouTube for several days in a row so I figured a deletion of temp files, etc. and a reboot would solve the problems. When my system started back up, it was incredibly slow and after logging in to Windows (7) it got stuck on the black screen just before loading the desktop and it would never load after waiting more than 30 minutes. I restarted in safe mode, did a Malwarebytes scan and discovered the Happili trojan. After doing some research it seems that despite Malwarebytes having said it was quarantined and removed, my computer is still running incredibly slow and many times unresponsive. I am able to start in safe mode with network capabilities, which takes forever, hence my accessing this web page, but still cannot start up in regular mode. I’ve tried a couple of things to get rid of it, pasted below, but the first option did not detect anything and the second said it only worked with 32-bit systems, which I have no clue what that means because I thought since I have a 64-bit system it would automatically work.

Two things I tried to resolve:
Kaspersky TDSSKiller (detected nothing)
Webroot antiZeroaccess (received message saying it only worked with 32b systems)

NOTE: I have stopped using IE and have been using Chrome since being able to be in safe mode/networking, and Shockwave is extremely unstable and keeps crashing, so I disabled it in chrome:plugins. Also it may be worth noting that as far as I know, I’ve never had any redirect issues as most have with this trojan. My system has just been very unstable and will NOT load normally. Websites and any applications sometimes take a very long time to load.

Something else that’s been happening for about two weeks… my taskbar would pop up a message stating something about a USB device that I used was not compatible (or something, cannot remember exactly). What’s strange is that I was not using any USB devices when receiving this message. Then about 1.5 weeks ago, I plugged in a USB webcam and got a bluescreen crash. I immediately unplugged my laptop and removed the battery. Then today, while looking around the community board here, I suddenly got another blue screen crash. Did the same thing as before, and upon my next safe mode/networking boot up, I got stuck on the black screen again as if I was booting up normally (immediately after signing in to Windows 7). I had to remove my battery and upon the 2nd attempt was able to get back on in safe/networking.

I am finding after researching that help is very specific to individual users so I decided to register here and post my issue begging for assistance. :slight_smile: I have Avast as my AV software… but scan with malwarebytes on a regular basis.

Quick question: is this virus transmitted via web browser exclusively or can it be sent over a program as well such as paltalk? FYI, I do use paltalk often but NEVER accept files from anyone but I do understand that my system may still be vulnerable due to the audio and web cam capabilities, the latter I haven’t done in weeks.

Below please find the log from my scan in malwarebytes last night. As you can see it took over 4 hours to do a full scan, which has NEVER happened. I anxiously await your reply and thank you in advance!

Jenn

Malwarebytes Log 9/26/12

Malwarebytes Anti-Malware 1.65.0.1400
removed malwarebytes link
Database version: v2012.09.11.09
Windows 7 Service Pack 1 x64 NTFS (Safe Mode)
Internet Explorer 9.0.8112.16421
Jenn :: WONDERMOMMA [administrator]
9/26/2012 8:20:33 PM
mbam-log-2012-09-26 (20-20-33).txt
Scan type: Full scan (C:|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra |
Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 428762
Time elapsed: 4 hour(s), 12 minute(s), 26 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 1
C:\Users\Jenn\AppData\Local\Temp\0.026535462446340086 (Trojan.Happili) → Quarantined and deleted successfully.
(end)

FYI - I am going to do the scans as recommended by Pondus in this thread: http://forum.avast.com/index.php?topic=97520.msg777996#msg777996 and will attach them here when I’m done. In the meantime, I will be monitoring this thread closely so if there’s something else that I should do, please let me know.

Thanks again,
Jenn

first…your Malwarebytes was not updated when you did the scan… Database version: v2012.09.11.
always update before you start a scan.

and you only have to run quick scan

follow this guide and attach the logs…not copy and paste http://forum.avast.com/index.php?topic=53253.0

AdwCleaner
Malwarebytes
OTL
aswMBR

yes, i ran that scan after i couldn’t log in any other way BUT safe mode, so i couldn’t update it. i have since done so and will run all four now. will attach the logs when complete. thanks so much!

UPDATE & NEW ISSUE

i ran the first item on your list, adwcleaner, and had MAJOR issues when i rebooted. i did save a logfile from that process and will attach it when i get the others.

do i absolutely need to reboot my machine between each item on your list? i am currently running malware quick scan and would really like to complete the last two items on the list THEN reboot.

when i rebooted after adwcleaner:

  • i could not get my boot up options to come up in order to start in safe/networking. but instead received a screen asking me which os i wanted to boot. win 7 was my only choice so i selected it. it tried to start up normally, but as that has been one of my issues it again got stuck so i removed the battery to reboot.
  • upon reboot the same thing as above, but upon loading windows i got a message that my system failed to start up so it did an auto startup repair. after about 10 minutes of checking i got a recovery option to do system restore. i chose yes as that is something i tried to do earlier as a remedy without success.
  • startup repair continued checking for 25 more minutes and said that it could not repair the issue and the following log was displayed. i had to write it down so i could relay it to you below
  • after pressing ok, my computer shut off automatically. upon reboot i hit f2 setting and was finally given the option to start in safemode/networking and here i am.

startup repair log:
Problem Signature
Problem Event Name: startuprepairoffline
Problem Signature 01: 6.1.7600.16385
Problem Signature 02: 6.1.7600.16385
Problem Signature 03: unknown
Problem Signature 04: 233
Problem Signature 05: AutoFailover
Problem Signature 06: 1
Problem Signature 07: NoRootCause
OS: 6.1.7600.2.0.0.256.1
Locale ID: 1033

END

as mentioned above, i’m currently running malware scan then will complete the other two and attach all logs when complete. i just need to know if i can do the remaining steps without rebooting in between or if that is mandatory.

many thanks, i really appreciate your time and effort
jenn

Hello - just completed all scans as recommended above. I was a little unsure of the instruction “be sure all log files are saved as ansi”. i wasn’t sure if you wanted all of them that way or just the OTL log… so i have attached both the regular log files in three posts for a total of 10. details below:

1. this post (ansi log files)
adwclean ansi log file
malwarebytes ansi log file
otl ansi log file
extras ansi log file

2. next post (regular log files)
adwclean log
malwarebytes log
otl log
extras log

3. final attachment post (due to 4 file limit, both the ansi and regular versions of the aswMBR log files are attached)
aswMBRansi log
aswMBR log

hope this wasn’t confusing :smiley:

malwarebytes didn’t seem to find the trojan this time as it did in my scan last night… but my computer is definitely still acting up. again, i thank you for all of your help and will be awaiting further suggestions.

cheers,
jenn

  2. next post (regular log files)
    adwclean log
    malwarebytes log
    otl log

NOTE - due to file size limit, i am moving this file to the next (3rd post). sorry for any confusion.

extras log

  3. final attachment post (due to 4 file limit, both the ansi and regular versions of the aswMBR log files are attached)
    aswMBRansi log
    aswMBR log
    extras log (carried from last post)

DONE! dang, i hope i never have to do this again! what a pita! :smiley:

to be safe, i will be shutting down my computer while i sleep in hopes of ensuring this thing doesn’t do any further damage on my system (i usually leave it running which is probably bad). i will definitely be back here tomorrow (i’m in eastern time zone USA) to see what’s next.

and i keep saying thank you only because i have no way of emailing you a 6 pack, or chocolate, or anything else you might enjoy!

best,
jenn

DONE! dang, i hope i never have to do this again! what a pita! :-D
well....you sort of did it double here ;) anyway we have the logs we need
and i keep saying thank you only because i have no way of emailing you a 6 pack, or chocolate, or anything else you might enjoy!
you should thank the removal specialist that will do all the work now ;)

Malware removers are notified. It may take hours before one arrives, so be patient.

@WonderMomma

Hello and Welcome to avast! 8) :wink:

  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • If you don’t know or understand something, please don’t hesitate to ask.
  • Please refrain from making any further changes to your computer (Install/Uninstall programs, delete files, edit the registry, etc…)
  • Please DO NOT run any other tools or scans whilst I am helping you.
  • It is important that you reply to this thread. Do not start a new topic.
  • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  • Absence of symptoms does not mean that everything is clear.

IMPORTANT: Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However, it is impossible for me to foresee all interactions that may happen between the software on your computer and the tools we’ll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or where you need to take your computer to a repair shop.

Because of this, I advise you to back up any personal files and folders before you start to a non-systemroot partition (commonly D:).


Step#1

Download TDSSKiller and save it to your desktop

Execute TDSSKiller.exe by double-clicking on it.

  • Click on Change parameters.
  • Under Additional options check the boxes next to Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
  • Press Start Scan.
  • If a Suspicious object is detected, the default action will be Skip; click on Continue.
  • If Malicious objects are found, select Skip by changing the Cure dropdown in the upper right.

Once complete, a log will be produced at the root drive, which is typically C:\, for example C:\TDSSKiller.<version_date_time>log.txt

Please attach the contents of that log in your next reply.


Step#2

Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
Note: ComboFix must be downloaded to your Desktop.

Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this or this Instruction.

How to disable avast:

  • Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
  • In the window that opens, on the top right corner, click Settings.
  • In the new window that opens, choose the option Troubleshooting, uncheck Enable avast! self-defense, and click OK.
  • Right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls.
  • In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn on this option after the cleaning.

Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note: Do not mouse-click ComboFix’s window while it is running.
If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart computer once more.

When the tool is finished, it will produce a log report for you (typical location: C:\ComboFix.txt).
Attach the log report (ComboFix.txt) back to the topic.

Hello! THANK YOU IN ADVANCE TO ANY AND ALL WHO HAVE, WHO ARE, AND/OR WILL BE HELPING ME REGARDLESS OF THE OUTCOME!

I have printed out your instructions and am now going to do them all. But first, I would like to go ahead and back everything up. I was thinking I was going to create zip files with all my important stuff and place them on a CDR but I think it might be better/easier to try to find a free online storage/backup option… any suggestions? Also, I saw in your first set of steps below that worst case scenario might be to reformat reinstall my os… however, I do not have any Windows software CDs to install. It all came bundled on my computer already… so not sure how that will work. But I am just crossing all digits that it doesn’t come to that. Wish me luck!

I will report back here in this thread when completed.

Thanks again,
Jenn

I’ll be here :wink:

About backup: if you have some important files on the C: (usual letter) partition where Windows is installed, such as Desktop or Documents on C:, then just move your files to another partition.
Other partitions are completely safe. We only touch the system partition. It’s just a preventative measure.
But you do not have a lot to worry about, you’re in safe hands :wink:

hello - just a quick note… i found an online storage location but my java was out of date and i downloaded and installed the update for it (in google chrome browser) without even thinking about your instructions not to make any changes to my computer. :frowning: smacks self. is this going to cause any problems with the steps you gave me, or do any changes to any part of those instructions need to be made because of that? btw, i did not install the stupid ask toolbar it recommended.

UPDATE/EDIT: 9:55pm/5:55pm et
it would not install because i am in safe mode. so forget it darn it!! i am not going to back up anything and if i lose something/anything i’ll just take it as a sign from the powers that be that i wasn’t meant to have it! i still don’t know if this will cause any conflict with your instructions. nonetheless, i’m beginning them now.

i am so sorry! being in auto-mode i didn’t even think about the possible conflict until it was done!

fyi, i chose to use an online storage option as i am not quite clear on what you meant above by putting my files on the “next partition” as i’m not sure what partitions are. lol i am a bit of a computer geek, but must have been sleeping during the partitions chapter during my computer nerd training. :frowning:

and i am confident that i am in excellent capable hands and as always, appreciate your time and efforts!
cheers,
jenn

Ok jenn, there is no problems. :wink:
When you are ready, we will start with the malware removal. Just follow the steps for running TDSSKiller and ComboFix and everything will be fine. :slight_smile:

thanks magna! sorry for all the messages, just wanted to keep you informed.

i am only now starting with tdsskiller and then combo because i had to run my daughter to a friends and stop by the grocery store. i’m not getting up or answering my phone until i get these steps completed this evening!

unlike last night, i will post my logs as i create them instead of waiting to do them all together.

best,
jenn

hello, attached please find the log from the TDSSKiller scan. Moving on to step 2: ComboFix and will attach that log when complete.

thanks,
Jenn

Ahhhh! All done. Attached please find the report log for ComboFix.

First let me apologise, again, for my verbosity. I prefer to include more than take a chance of not enough!

Something else my computer has been doing that jumps out at me… not sure if it’s related what-so-ever but sometimes when I’m typing, my cursor will jump to another part of the sentence as if my mouse was redirected there manually. This has happened off and on for about 2 months and not on a daily basis, probably about 5 - 7 days out of those two months. I’m pretty sure i’m not accidentally touching the touchpad with another part of my hand but it’s entirely possible as I do type relatively fast. I will be more vigilant about this in the future to try to avoid it if possible. If you feel this is completely irrelevant… ignore this part! (when i started typing the next paragraph it did it again and I am POSITIVE it wasn’t my hand(s) touching the touchpad, FYI)

Couple of notes about the last 2 steps. I had to click on my desktop Avast logo to open it, as it was not in my taskbar tray, which I’m pretty sure it’s because I am still operating in safemode/networking. I did re-enable all shields and the client itself after ComboFix was complete.

Upon running ComboFix, it never checked for a new version, nor did it attempt to install the “Recovery Console” per your instructions, strictly FYI.

So, hopefully this is the part where you tell me we are done and my machine is all better!! But that might be just wishful thinking. :slight_smile: I will be online for a bit longer checking in but if I miss you before I hit the hay, I am going to go ahead and shut my computer down like I did last night. I don’t want to chance it in case there’s still something there. I have no idea where we are in the process of all of this! Also, please let me know when I should go change all the passwords that I have typed in recently for various things. Don’t want to do so too soon.

As usual, my sincerest thanks and I look forward to hearing back from you at your convenience. :smiley:

Cheers,
Jenn

PS. I have been “saving as” a copy of most of my log files, just ’cause I like to keep a central copy of all of them together in one folder. But just in case, I’ve included 1. my save-as copy of ComboFix as well as 2. the original ComboFix report log it generated.

Good, let’s move on …

  • Re-run TDSSKiller.exe and click on Change parameters.
  • Under Additional options check the boxes next to Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
  • Click on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • Click the Report button and attach the contents of it into your next reply.
Note: It will also create a log in the C:\ directory.


Again disable your antivirus.
Open Notepad and copy/paste the text present inside the code box below:

```text
DirLook::
c:\programdata\34BE82C4-E596-4e99-A191-52C6199EBF69

ClearJavaCache::

File::
c:\windows\SysWow64\sho5D96.tmp

DDS::
mStart Page = hxxp://www.searchbrowsing.com
```

Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows. Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply (typical location: C:\ComboFix.txt).

hello magna…have a little bit of a hiccup here that i need your advice on before i continue, so i will await your reply before moving on.

here’s what happened:

  • i re-ran TDSSKiller with all the instructions you indicated for it and it completed without any issues or without asking me to reboot. log file was created and i was going to await sending it to you until i was done with everything in these steps.

  • then opened avast user interface, clicked on settings/troubleshoot and unchecked “enable avast! self-defense” and clicked “ok”.

  • next i right clicked on the avast logo in my taskbar and disabled “avast! shield controls” permanently.

  • X’d out of the user interface of avast.

  • i then copied the script/text from the box you provided, opened a new notepad, pasted it, saved it as “CFScript.txt” onto my desktop then dragged it into the cat icon of the ComboFix program.

  • ComboFix did its thing but then gave me a warning stating that avast was still running/enabled and that i needed to disable it before pressing the “ok” button on this warning window.

  • this is where i got confused because i had just followed the steps from last night’s instructions on disabling the avast program and had done exactly what i had done last night to do so. however, i immediately checked my taskbar tray and discovered that the avast icon was still there. so i repeated the disabling shields permanently and unchecking the enable avast! self-defense box in settings/troubleshoot. i would close the avast interface and make sure to check the taskbar tray and sure enough, the avast icon was still there. so i repeated the above steps in avast once again, closed it… then went to my task manager, checked the “applications”, “processes”, and “services” tabs and only found avast active in the processes tab, so i went ahead and ended it thinking this would take care of it. (avast was in the services tab but was stopped).

  • i pressed ok in the ComboFix warning box and received yet another warning box saying:

WARNING
antivirus: avast! Antivirus
antispyware: avast! Antivirus

The above real time scanner(s) are still active but ComboFix shall continue to run. Kindly note that this is at your own risk.

then there’s an ok button to press and nothing else (except X in upper right).

so i need to know how to proceed from here. i have no idea why avast is still registering with ComboFix! it’s definitely not showing up in the taskbar tray nor on any tab in the task manager.

please advise how to proceed when you have a moment. i hope you actually are an employee of avast and get paid for this stuff!! i’ve got you working the last few days, that’s for sure!

cheers,
jenn

If you have disabled avast antivirus and ComboFix still pops up the warning, then just ignore it and continue running ComboFix.