Jump to content

Another victim of the hapili redirect nightmare


Recommended Posts

Merged 3 post

Hello, I noticed the redirect about a week ago and did some research on how to remove the virus. I got the malwarebytes anti-malware program and it found several things that looked like the offending files and got rid of them, however, I still get the redirect. I've read every resent guide out there and I've gotten the virus itself, but some little bit of it is still there annoying the ever loving bat snot out of me. What have I missed? Any Ideas? Any insight would be greatly appriciated. Thank you for your time.

puffkitty

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26

Run by owner at 14:17:25 on 2012-05-02

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2431 [GMT -4:00]

.

AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\AVAST Software\Avast\AvastSvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe

C:\WINDOWS\Explorer.EXE

svchost.exe

C:\Program Files\AVAST Software\Avast\avastUI.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Microsoft IntelliType Pro\itype.exe

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\WINDOWS\system32\CTsvcCDA.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\system32\devldr32.exe

C:\Program Files\Sony\PMB\PMBDeviceInfoProvider.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\Program Files\CyberLink\Shared files\RichVideo.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\RocketDock\RocketDock.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File

uRun: [RocketDock] "c:\program files\rocketdock\RocketDock.exe"

mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"

mRun: [intelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"

mRun: [updatePDRShortCut] "c:\program files\cyberlink\powerdirector10\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector10" updatewithcreateonce "software\cyberlink\powerdirector\10.0"

mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{9498ED5E-A23D-44FA-8A36-38111DEE2151} : DhcpNameServer = 192.168.1.1

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\owner\application data\mozilla\firefox\profiles\x2a7y7j0.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - prefs.js: network.proxy.type - 0

FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll

FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\epicplay\npEpicHost.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\microsoft silverlight\4.1.10111.0\npctrlui.dll

FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll

FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_233.dll

.

============= SERVICES / DRIVERS ===============

.

R0 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [2009-3-19 154664]

R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-4-10 612184]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-4-10 337880]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-4-10 20696]

R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-4-10 44768]

R2 PMBDeviceInfoProvider;PMBDeviceInfoProvider;c:\program files\sony\pmb\PMBDeviceInfoProvider.exe [2010-11-27 398176]

R2 UMVPFSrv;UMVPFSrv;c:\program files\common files\logishrd\lvmvfm\UMVPFSrv.exe [2011-8-19 450848]

R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2011-4-9 2136224]

S0 cerc6;cerc6; [x]

S2 AODService;AODService;c:\program files\amd\overdrive\AODAssist.exe [2010-7-1 136616]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-19 253088]

S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-5-1 129976]

S3 XDva388;XDva388;\??\c:\windows\system32\xdva388.sys --> c:\windows\system32\XDva388.sys [?]

S3 XDva389;XDva389;\??\c:\windows\system32\xdva389.sys --> c:\windows\system32\XDva389.sys [?]

.

=============== File Associations ===============

.

.txt=

.

=============== Created Last 30 ================

.

2012-05-01 20:55:25 -------- d-----w- c:\program files\Mozilla Maintenance Service

2012-05-01 20:55:21 157352 ----a-w- c:\program files\mozilla firefox\maintenanceservice_installer.exe

2012-05-01 20:55:21 129976 ----a-w- c:\program files\mozilla firefox\maintenanceservice.exe

2012-05-01 20:34:09 -------- d-sha-r- C:\cmdcons

2012-05-01 20:32:37 98816 ----a-w- c:\windows\sed.exe

2012-05-01 20:32:37 518144 ----a-w- c:\windows\SWREG.exe

2012-05-01 20:32:37 256000 ----a-w- c:\windows\PEV.exe

2012-05-01 20:32:37 208896 ----a-w- c:\windows\MBR.exe

2012-05-01 18:13:15 -------- d-----w- c:\program files\OverDrive Media Console

2012-04-19 15:42:57 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-04-16 18:19:21 -------- d-----w- c:\documents and settings\owner\application data\Malwarebytes

2012-04-16 18:19:14 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-04-16 18:19:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-04-16 18:19:14 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2012-04-09 16:58:44 450560 ----a-w- c:\windows\system32\NCTAudioTransform2.dll

2012-04-09 16:58:44 315392 ----a-w- c:\windows\system32\NCTAudioPlayer2.dll

2012-04-09 16:58:44 237568 ----a-w- c:\windows\system32\lame_enc.dll

2012-04-09 16:58:44 196608 ----a-w- c:\windows\system32\NCTWMAFile2.dll

2012-04-09 16:58:44 1843200 ----a-w- c:\windows\system32\NCTAudioFile2.dll

2012-04-09 16:58:43 344064 ----a-w- c:\windows\system32\msvcr70.dll

2012-04-09 16:58:43 -------- d-----w- c:\program files\AudioToolsFactory

2012-04-09 16:56:19 -------- d-----w- c:\program files\1ClickDownload

2012-04-09 12:20:07 -------- d-----w- C:\My Music

2012-04-05 22:57:19 -------- d-----w- c:\program files\MP3Gain

2012-04-03 19:05:14 -------- d-----w- c:\program files\iPod

2012-04-02 19:26:00 -------- d-----w- C:\ShareFiles

2012-04-02 19:26:00 -------- d-----w- C:\Richvideo

2012-04-02 19:25:59 435712 ----a-w- C:\PowerDirector.msi

2012-04-02 19:25:59 38958968 ----a-w- C:\QuickTimeInstaller.exe

2012-04-02 19:25:58 3809590 ----a-w- C:\NewBlueArtEffectsForPDR10.exe

2012-04-02 19:25:54 4866576 ----a-w- C:\ISSetup.dll

2012-04-02 19:25:54 -------- d-----w- C:\Fonts

2012-04-02 19:25:52 95600 ----a-w- C:\CLSM.exe

2012-04-02 19:25:52 914432 ----a-w- C:\7z.dll

2012-04-02 19:25:52 163840 ----a-w- C:\7z.exe

.

==================== Find3M ====================

.

2012-04-19 15:49:23 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-03-06 23:15:19 41184 ----a-w- c:\windows\avastSS.scr

2012-03-06 23:03:51 612184 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2012-02-15 15:01:50 4547944 ----a-w- c:\windows\system32\usbaaplrc.dll

2012-02-15 15:01:50 43520 ----a-w- c:\windows\system32\drivers\usbaapl.sys

2012-02-14 16:19:18 679936 ----a-w- c:\windows\system32\AWC_SS.scr

.

============= FINISH: 14:17:39.71 ===============

And this too is a requested item. I must be getting old, it took me a good 5 minutes to figure out how to load up an attachment. egads.

attach.rar

Link to post
Share on other sites

post-32477-1261866970.gif

Logs will be closed if you haven't replied within 3 days

Please don't attach the scans / logs for these tools, use "copy/paste".

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your pc inoperatible and could require a full reinstall of your OS, losing all your programs and data.

Please run a new MBAM scan being sure to update before scanning.

Post the scan results

Also please describe how your computer behaves at the moment.

Please don't attach the scans / logs, use "copy/paste".

Link to post
Share on other sites

About a week ago, maybe a little more now, I noticed that I was getting redirected in my google searches to a few pointless sights. I updated my anti-virus but that caught nothing, so I went the malware scanners. I ran TDSS killer and it came up clean, so I ran Malwarebytes and it caught several little files and cleaned them off. Currently my computer is acting normally except that on occasion my google searches are still redirected, though the happili page now loads with script errors. That is the only remaining piece of the happili redirect virus that I can't seem to root out. And yes, if all else fails, I will be formatting. Going to be time to do that soon anyway, I just didn't want to have to do it yet. I'm pretty sure there is some little bit of the virus attached to my registry, which I dislike messing with, or to some other equally unsavory part of my OS. Here's my Malwarebytes log.

Malwarebytes Anti-Malware 1.61.0.1400

www.malwarebytes.org

Database version: v2012.05.05.02

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

owner :: OWNER-FA53F1043 [administrator]

5/4/2012 10:47:54 PM

mbam-log-2012-05-04 (22-47-54).txt

Scan type: Full scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 390056

Time elapsed: 1 hour(s), 38 minute(s), 26 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

Link to post
Share on other sites

This infection is infecting all the browsers

Whichever browser you're using, uninstall it and download a fresh copy.

Next:

Copy and paste these lines in Notepad.

@Echo on

pushd\windows\system32\drivers\etc

attrib -h -s -r hosts

echo 127.0.0.1 localhost>HOSTS

attrib +r +h +s hosts

popd

ipconfig /release

ipconfig /renew

ipconfig /flushdns

netsh winsock reset all

netsh int ip reset all

shutdown -r -t 1

del %0

Save as flush.bat to your desktop.

Double Click flush.bat and let it run.

Your computer will reboot itself.

Let me know how it's running.

Link to post
Share on other sites

ran flush.bat, what a great little tool. Reinstalled Firefox 12. Now firefox won't finish opening without giving me this script error chrome://browser/content/tabbrowser.xml:466, and then freezing up so that I have to ctrl,alt,del and close firefox from there. This script error makes no sence, I didn't think firefox was still useing tabbrowser. I remember this error from way back in version 2 or 3. I'm getting to old for this. ^_^

Link to post
Share on other sites

okay, so far I haven't seen the happili redirect, but I have another one now. The page it loads is empty, just white background, the tab says 'Redirect' and the URL has this in it http://click.findsearchengineresults.com/ads-clicktrack/click/jump1.do?sid=0EeODYWNq207D3G2914WUBLYDXIRXIbwHloIIUiaB4Mj5YN5IdCUmw%3D%3D&affiliate=46573&subid=10673-1-28356&rc=0&terms=redirect%20virus It comes up a bit randomly, but mostly when I search for virus stuff, which I've been doing a lot of to test. I might just cry.

Link to post
Share on other sites

Sorry, got sidetracked with work. I don't have chrome installed and I did fix that issue. It was a Firefox thing and there was a quick fix on their site for it. I'm still getting random redirects, but it is now less frequent, which is something anyway.

Link to post
Share on other sites

Please do not attach the scan results from Combofx. Use copy/paste.

Vista and Windows 7 users:

1. These tools MUST be run from the executable. (.exe) every time you run them

2. With Admin Rights (Right click, choose "Run as Administrator")

Download ComboFix from one of these locations:

Link 1

Link 2 If using this link, Right Click and select Save As.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs
  • Double click on ComboFix.exe & follow the prompts.
    Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
    Note: If you have XP SP3, use the XP SP2 package.
    If Vista or Windows 7, skip the Recovery Console part
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

RC1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it atleast 20-30 minutes to finish if needed.

Please do not attach the scan results from Combofx. Use copy/paste.

Also please describe how your computer behaves at the moment.

Link to post
Share on other sites

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.