
Not so Happili Redirected-- audiodev32.dll TrojanDownloader Win32/Tracur



Please download Listparts

Run the tool, click Scan and post the log (Result.txt) it makes.

Step 2

  1. Close any/all open internet browsers. Save any open documents you have open & close programs you started.
  2. Click on START > All Programs > Malwarebytes' Anti-Malware > Tools > Malwarebytes Anti-Malware Chameleon.
     On Windows 7, press the Windows key, then start typing Malwarebytes in the text box, then select/click Malwarebytes Anti-Malware Chameleon.
  3. Once the Help file opens, click on a Chameleon button (starting with #1).
     If running on Vista or Windows 7, press the Yes button when prompted at the UAC prompt to allow it to run.
  4. You should see a black Command-prompt window that remains open and says MBAM-chameleon ver. 1.61 at the top.
     Press any key to continue as it says in the window (space-bar will do).
     If the Chameleon button you tried does not work, try the next Chameleon button shown. (There are 12 in all.)
     Have infinite patience during this process.
  5. Malwarebytes Chameleon will proceed to update Malwarebytes Anti-Malware, so ensure that you are connected to the internet if possible.
     Once the update completes and it says your database is updated, click on the OK button so that the process can continue.
  6. Malwarebytes Chameleon will then terminate any threats running in memory, which may take a while, so please be patient.
  7. After that, Malwarebytes Anti-Malware will open automatically and perform a Quick scan.
     A quick scan will take a few minutes, possibly 5 or so minutes. Have infinite patience.
  8. Once the scan is complete, click on Show Results and remove any threats that are found by clicking Remove Selected.
     If prompted to restart your computer to complete the removal process, click Yes.
     If no threats are found, press the OK button & press EXIT to end MBAM. Press the space-bar (or another key) to exit the command-prompt window.
  9. After your computer restarts, open Malwarebytes Anti-Malware and perform one last Quick scan to verify that there are no remaining threats.

In your reply, copy & paste the contents of Result.txt and the last 2 MBAM scan logs.

And remind me, this PC is a Toshiba notebook?


Below is the Listparts log. This PC is indeed a Toshiba notebook.

ListParts by Farbar Version: 12-03-2012 03
Ran by Carl (administrator) on 23-05-2012 at 11:01:33
Windows Vista (X86)
Running From: C:\Users\Carl\Desktop
Language: 0409

************************************************************

========================= Memory info ======================

Percentage of memory in use: 51%
Total physical RAM: 3034.42 MB
Available physical RAM: 1464.71 MB
Total Pagefile: 6271.13 MB
Available Pagefile: 4744.99 MB
Total Virtual: 2047.88 MB
Available Virtual: 1964.81 MB

======================= Partitions =========================

1 Drive c: (TI100576V0G) (Fixed) (Total:138.28 GB) (Free:67.4 GB) NTFS ==>[Drive with boot components (obtained from BCD)]

Disk ###  Status  Size    Free  Dyn  Gpt
--------  ------  ------  ----  ---  ---
Disk 0    Online  149 GB  0 B

Partitions of Disk 0:
===============

Partition ###  Type     Size     Offset
-------------  -------  -------  -------
Partition 1    OEM      1500 MB  1024 KB
Partition 2    Primary  138 GB   1501 MB
Partition 3    Primary  9 GB     140 GB

======================================================================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No
There is no volume associated with this partition.

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ###  Ltr  Label        Fs    Type       Size    Status   Info
----------  ---  -----------  ----  ---------  ------  -------  --------
* Volume 1  C    TI100576V0G  NTFS  Partition  138 GB  Healthy  System (partition with boot components)

======================================================================================================

Disk: 0
Partition 3
Type : 17 (Suspicious Type)
Hidden: Yes
Active: No
There is no volume associated with this partition.

======================================================================================================

****** End Of Log ******

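The ListParts log above flags partition 3 (type 17) as a "Suspicious Type". As an added example, not part of this thread or of Farbar's tool, here is a small Python parser for the per-partition blocks of such a log that looks up the MBR type code and applies the checks a responder would make before accepting the layout as normal: type 0x17 is 0x07 (NTFS/HPFS) with the hidden bit 0x10 set, which is how OEM recovery partitions on notebooks are usually stored, but it is also where a bootkit could keep code, so the example lists it for a manual look instead of clearing it. The sample text is abridged from the log above (separator lines shortened); the type-name table, field names and review rules are this example's own assumptions.

```python
"""Parse the per-partition blocks of a Farbar ListParts log and flag
partitions worth a second look (hidden, or an unusual MBR type code).

Added example, not part of the forum thread or of Farbar's tool.
"""
import re

# Conventional MBR partition type IDs (assumed table, not printed by the
# tool). 0x17 is 0x07 with the hidden bit (0x10) set: a hidden NTFS/HPFS
# partition, typical of OEM recovery areas, which is why the tool calls it
# "Suspicious" rather than simply listing it.
MBR_TYPES = {
    0x05: "Extended", 0x06: "FAT16", 0x07: "NTFS/HPFS/exFAT (IFS)",
    0x0B: "FAT32", 0x0C: "FAT32 (LBA)", 0x0F: "Extended (LBA)",
    0x12: "OEM diagnostics", 0x16: "Hidden FAT16", 0x17: "Hidden IFS",
    0x1B: "Hidden FAT32", 0x1C: "Hidden FAT32 (LBA)",
    0x27: "Hidden NTFS (Windows RE / OEM service)", 0x82: "Linux swap",
    0x83: "Linux", 0xDE: "Dell utility", 0xEE: "GPT protective",
    0xEF: "EFI system",
}

# Abridged from the log posted in the thread; separator rows shortened.
SAMPLE_LOG = """\
Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No
There is no volume associated with this partition.
======
Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes
* Volume 1 C TI100576V0G NTFS Partition 138 GB Healthy System (partition with boot components)
======
Disk: 0
Partition 3
Type : 17 (Suspicious Type)
Hidden: Yes
Active: No
There is no volume associated with this partition.
======
"""

# One block = "Disk: n / Partition n / Type : XX [note] / Hidden / Active",
# then whatever follows up to the next row of '=' (volume line or "no volume").
BLOCK_RE = re.compile(
    r"Disk: (?P<disk>\d+)\s+Partition (?P<part>\d+)\s+"
    r"Type : (?P<type>[0-9A-Fa-f]{2})(?P<note>[^\n]*)\s+"
    r"Hidden: (?P<hidden>Yes|No)\s+Active: (?P<active>Yes|No)"
    r"(?P<rest>.*?)(?=\n=+|\Z)",
    re.S,
)


def parse_partitions(text):
    """Return one dict per partition block found in a ListParts log."""
    parts = []
    for m in BLOCK_RE.finditer(text):
        type_id = int(m.group("type"), 16)
        rest = m.group("rest")
        vol = re.search(r"Volume \d+ (\w) ", rest)   # drive letter, if mounted
        parts.append({
            "disk": int(m.group("disk")),
            "partition": int(m.group("part")),
            "type_id": type_id,
            "type_name": MBR_TYPES.get(type_id, "Unknown"),
            "hidden": m.group("hidden") == "Yes",
            "active": m.group("active") == "Yes",
            "has_volume": "no volume" not in rest,
            "drive_letter": vol.group(1) if vol else None,
            "boot": "boot components" in rest,
            "tool_flag": "Suspicious" in m.group("note"),
        })
    return parts


def review(parts):
    """Checks a responder applies before trusting the layout (assumed rules):
    exactly one active partition; no unknown type IDs; a hidden partition
    that is nevertheless mounted is odd; hidden NTFS (type & 0x0F == 0x07)
    is consistent with an OEM recovery area but is listed for a manual look."""
    findings = []
    active = [p for p in parts if p["active"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected 1)")
    for p in parts:
        tag = (f"disk {p['disk']} partition {p['partition']} "
               f"(type {p['type_id']:02X}, {p['type_name']})")
        if p["type_name"] == "Unknown":
            findings.append(f"{tag}: unknown type id")
        elif p["hidden"] and p["has_volume"]:
            findings.append(f"{tag}: hidden but mounted as {p['drive_letter']}:")
        elif p["hidden"] and (p["type_id"] & 0x0F) == 0x07:
            findings.append(f"{tag}: hidden NTFS, check it is the OEM recovery area")
    return findings


if __name__ == "__main__":
    for line in review(parse_partitions(SAMPLE_LOG)):
        print(line)
```

On this notebook both hidden partitions (1500 MB type 27, 9 GB type 17) come out as "hidden NTFS, check it is the OEM recovery area", which matches a Toshiba factory layout; the point of the rule is that the same signature would also fit a hidden partition planted by a bootkit, so it is something to confirm against the vendor layout rather than ignore.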

The 2 MBAM scans below. Since no threats were found, I did not restart the computer before performing the MBAM quick scan for the second time. Let me know if that is necessary. Also, the command-prompt-window that showed up after pressing Chameleon #1 had MBAM-Chameleon version 1.60.2 at the top (instead of the ver 1.61 you wrote).

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.23.05

Windows Vista Service Pack 1 x86 NTFS
Internet Explorer 8.0.6001.19088
Carl :: CARL-NOTEBOOK [administrator]

5/23/2012 11:21:31 AM
mbam-log-2012-05-23 (11-21-31).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 205676
Time elapsed: 5 minute(s), 23 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.23.05

Windows Vista Service Pack 1 x86 NTFS
Internet Explorer 8.0.6001.19088
Carl :: CARL-NOTEBOOK [administrator]

5/23/2012 11:39:05 AM
mbam-log-2012-05-23 (11-39-05).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 205475
Time elapsed: 4 minute(s), 59 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


The two MBAM scans detected nothing, which is great.

Download Security Check by screen317 and save it to your Desktop: here or here

  • Run Security Check
  • Follow the onscreen instructions inside of the command window.
  • A Notepad document should open automatically called checkup.txt; close Notepad. We will need this log, too, so remember where you've saved it!

If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.

I want to review the Checkup.txt log. Also tell me if the "happili" or any similar redirects are long gone.

I believe there may be 2 utilities you need to update, and if otherwise things are OK, then on the next pass we can proceed to tools cleanup and closure.

(yes, I did mis-quote the version number in command window for Chameleon. No worries. The run was good.)


Here is the Checkup.txt log. Just let me know whether it is okay to do the updates. At least from Windows, I saw the update message popping up today, but I wasn't sure whether I could do the update at this point.

I also tried to google some random stuff and I was redirected in a correct way. No happili or other pages were appearing.

Results of screen317's Security Check version 0.99.36
Windows Vista Service Pack 1 x86
Out of date service pack!!
Internet Explorer 8 Out of date!
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
Avira Desktop
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:
Secunia PSI (2.0.0.4003)
Malwarebytes Anti-Malware version 1.61.0.1400
Java 6 Update 29
Java version out of date!
Adobe Reader 9 Adobe Reader out of date!
````````````````````````````````
Process Check:
objlist.exe by Laurent
Windows Defender MSASCui.exe
Avira Antivir avgnt.exe
Avira Antivir avguard.exe
Windows Defender MSASCui.exe
``````````End of Log````````````

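For the Security Check step above and the checkup.txt it produced, here is an added Python example (not part of this thread or of screen317's tool) that turns the log into structured findings and a remediation list: it tracks the section headers ending in "Check:", reads the tool's "out of date!" markers, and attaches the Java marker, which names no version on its own line, to the product line before it. The sample is abridged from the log posted above, with its backtick separator rows replaced by dashes; the field names and the remediation wording are this example's own assumptions.

```python
"""Turn screen317's Security Check log (checkup.txt) into structured findings.

Added example, not part of the forum thread or of Security Check itself.
"""
import re

# Abridged from the log posted in the thread. The real log separates sections
# with rows of backticks; dashes are used here, and the parser ignores any row
# without letters, so either form works.
SAMPLE_CHECKUP = """\
Results of screen317's Security Check version 0.99.36
Windows Vista Service Pack 1 x86
Out of date service pack!!
Internet Explorer 8 Out of date!
------------------------------
Antivirus/Firewall Check:
Windows Firewall Enabled!
Avira Desktop
Antivirus up to date!
-------------------------------
Anti-malware/Other Utilities Check:
Secunia PSI (2.0.0.4003)
Malwarebytes Anti-Malware version 1.61.0.1400
Java 6 Update 29
Java version out of date!
Adobe Reader 9 Adobe Reader out of date!
--------------------------------
Process Check:
objlist.exe by Laurent
Windows Defender MSASCui.exe
Avira Antivir avgnt.exe
Avira Antivir avguard.exe
Windows Defender MSASCui.exe
----------End of Log------------
"""

OUTDATED_RE = re.compile(r"\s*out of date!+$", re.I)


def _outdated_name(line, prev):
    """Name the product an 'out of date!' line refers to.

    'Adobe Reader 9 Adobe Reader out of date!' -> 'Adobe Reader 9' (text up to
    the last version number); 'Java version out of date!' carries no version,
    so the product line before it ('Java 6 Update 29') is used instead.
    """
    body = OUTDATED_RE.sub("", line)
    m = re.match(r"(.*\d[\d.]*)", body)
    return m.group(1).strip() if m else prev


def parse_checkup(text):
    """Walk the log line by line, keeping track of the current section."""
    info = {"os": None, "service_pack_outdated": False, "firewall_enabled": None,
            "antivirus": None, "antivirus_up_to_date": None,
            "outdated": [], "installed": [], "processes": []}
    section, prev = "", ""
    for raw in text.splitlines():
        line = raw.strip()
        if not re.search(r"[A-Za-z]", line) or "End of Log" in line:
            continue                                   # blank / separator rows
        if line.endswith("Check:"):
            section = line
            continue
        low = line.lower()
        if OUTDATED_RE.search(line):
            info["outdated"].append(_outdated_name(line, prev))
        elif "out of date service pack" in low:
            info["service_pack_outdated"] = True
        elif not section:                              # header area, above any "Check:"
            if line.startswith("Windows ") and info["os"] is None:
                info["os"] = line
        elif section.startswith("Antivirus"):
            if "firewall" in low:
                info["firewall_enabled"] = "enabled" in low
            elif low.startswith("antivirus"):
                info["antivirus_up_to_date"] = "up to date" in low
            else:
                info["antivirus"] = line               # the product name line
        elif section.startswith("Anti-malware"):
            info["installed"].append(line)
        elif section.startswith("Process"):
            info["processes"].append(line)
        prev = line
    return info


def remediation_plan(info):
    """Ordered list of actions implied by the findings (wording is this example's)."""
    items = []
    if info["service_pack_outdated"]:
        items.append(f"Install the current service pack for {info['os']}")
    if info["firewall_enabled"] is False:
        items.append("Enable the firewall")
    if info["antivirus_up_to_date"] is False:
        items.append(f"Update {info['antivirus']} definitions")
    for name in info["outdated"]:
        items.append(f"Update or remove {name}")
    return items


if __name__ == "__main__":
    for item in remediation_plan(parse_checkup(SAMPLE_CHECKUP)):
        print(item)
```

Run against the log above it yields four actions: the Vista service pack, then Internet Explorer 8, Java 6 Update 29 and Adobe Reader 9, which is the same list the helper gives in the next post.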

You are good to go after this: Java runtime needs to be updated, and Adobe Reader needs to be the latest. And after the cleanups here, you should apply the automatic updates.

Longer term you must get/apply Service Pack 2 for Vista.

Also, you should get Internet Explorer 9 too (IE 9 is more secure than IE 8).

Java

Your Java runtime is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

  • Download the latest version of >> Windows 7/XP/Vista/2000/2003/2008 Offline << from here and save it to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, select Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u32-windows-i586-s.exe to install the newest version.
    (jre-6u32-windows-x64.exe if this is a 64-bit Windows o.s.)
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java icon (looks like a coffee cup).
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button.
    • There are two options in the window to clear the cache - leave BOTH checked:
      • Applications and Applets
      • Trace and Log Files
    • Click OK on the Delete Temporary Files window.
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files window.

Small tweaks for Java runtime, since most all users do not need to load Java at each Windows startup:

Click the Advanced tab. Expand the Miscellaneous item.

UN-check the line Java quick starter.

Press Apply then OK. Close the applet when done.

To test your Java Run-time, you may go to this page http://www.java.com/en/download/help/testvm.xml

When all is well, you should see Java Version: Java 6 Update 32 from Sun Microsystems Inc.

Adobe Reader

Older versions of Adobe Reader pose a potential security risk.

De-install your Adobe Reader: use Control Panel's Programs and Features, Remove Adobe Reader.

Get the latest Adobe Reader version

http://get.adobe.com/reader/

Be sure to un-check the box for Free McAfee Security Scan or any "toolbar" (if offered).

We can wrap this up now. I see that you are clear of your original issues.

If you have a problem with these steps, or something does not quite work here, do let me know.

Tools cleanup

The following few steps will remove tools we used.

We have to remove Combofix and all its associated folders. By whichever name you named it (you had named it combofix), put that name in the Run box stated just below.

The "/uninstall" in the Run line below is to start Combofix for its cleanup & removal function.

Note the space before the slash mark.

The utility must be removed to prevent any un-intentional or accidental usage, PLUS, to free up much space on your hard disk.

  • Highlight the line in this codebox.
    Select & copy the entire line within this codebox (so that it is in Windows clipboard memory):

    C:\Users\Carl\Desktop\ComboFix /uninstall

  • Start >> type in cmd >> press the Ctrl+Shift+Enter keyboard combination and cmd.exe will be launched as if you selected Run as Administrator. You will then see a User Account Control prompt asking if you would like to allow the Command Prompt to be able to make changes on your computer. Click on the Yes button and you will now be at the Elevated Command Prompt.
    Do a right click within the command prompt window and select Paste. This must show the line from the codebox above.
    Then tap Enter.

IF in the case Combofix un-install has an issue, skip that step.

NEXT

  • Download OTC to your desktop and run it.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.

Delete the following if still present:

  • aswMBR.exe
  • Gmer.exe
  • Listparts.exe
  • TDSSKILLER.exe

Prevention & safer practices

We are finished here. Best regards.


Hi,

I just did all the cleanup steps and I think it worked out fine. Before I go and update Windows and look properly at your prevention advice, some more questions.

There are still some other programs/applications/folders on the desktop that were used/created, shall I also just delete them?

- Security check

- drweb-cureit

- TFC

- rkill

- RK_Quarantine folder

- ERUNT

- NTREGOPT (this icon can be found as well in the Programs and Features list, but with the name ERUNT 1.1j --> shall I remove it there?)

not sure about these ones:

- MBR.dat

- mssstool 32

- msert

When updating Adobe Reader I also noticed the following program in Programs and Features: "Spelling Dictionaries Support for Adobe Reader 9". Shall I uninstall it as well, since I have Adobe Reader 10.1.3 right now?

Thanks a zillion for your help, patience and advice!!!


ERUNT you should keep and run it periodically, that way you will have backup copies of the windows registry. That provides a bit of a safety belt.

{but you still would need to have disk-mirror-image backups to cover all your system. I mention some tools in my safer practices section}.

TFC is Temp File Cleaner which you can use on some basis to empty out temporary file areas.

The rest you can delete. We don't need them anymore.

On the Spelling Dictionaries Support for Adobe Reader 9: I am not familiar with it. You can decide for yourself.

IF you have the full Adobe product suite, then I'd say keep it.


Thanks!

Looking for easy ways to back up was already on my to-do list before getting into troubles - my methods date from the middle ages :-). I will definitely use your info. You'll probably see me passing by in the PC Help section of the forum.
