Trojans Happili and Zaccess


This topic is locked
5 replies to this topic

#1 VAGirl (Members, 3 posts)

Posted 07 August 2012 - 10:39 AM

Hi! I have an Acer laptop with Vista OS with McAfee security. I am computer challenged, so...

I received numerous false McAfee alerts indicating that a trojan had been removed. I have previously used Malwarebytes Anti-Malware and had it saved on my desktop, so I ran a scan and Happili and Zaccess were detected and I removed them. Here is the log:

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.07.03.05

Windows Vista Service Pack 2 x86 NTFS (Safe Mode)
Internet Explorer 9.0.8112.16421
BEH :: BEH-PC [administrator]

7/31/2012 8:47:05 PM
mbam-log-2012-07-31 (20-47-05).txt

Scan type: Full scan (C:\|D:\|E:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 363537
Time elapsed: 55 minute(s), 23 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKCU\SOFTWARE\CLASSES\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\INPROCSERVER32 (Trojan.Zaccess) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKCU\SOFTWARE\CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32| (Trojan.Zaccess) -> Data: C:\Users\BEH\AppData\Local\{604a2575-b281-b1ba-e635-373fe8248759}\n. -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Users\BEH\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WRU27TDQ\axiYl6Ws[1].exe (Trojan.Happili) -> Quarantined and deleted successfully.
C:\Users\BEH\AppData\Local\Temp\0138c0e90808.exe (Trojan.Happili) -> Quarantined and deleted successfully.

(end)


Here is the damage that I have noticed:

Internet disconnected

Computer Launcher has stopped working

McAfee security alert that Auto Updates turned off

USB ports not working - flash drive lights up but computer does not detect

Saved Defogger, DDStool, GMER log, etc software to CD but I get an error message when I attempt to open them or save to desktop

Tried to re-run MAM from desktop and got error message - ShellExecuteEx failed, code 1060. The specified service does not exist as an installed service. I tried again in Safe Mode and was able to open and run scan.


I have no idea what to do next and would greatly appreciate any assistance you can provide. Thanks!

Edited by VAGirl, 08 August 2012 - 09:19 AM.
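The interesting line in the log above is the Trojan.Zaccess entry: a CLSID's InprocServer32 under HKCU\Software\Classes pointing at an extensionless file named "n" inside a GUID-named folder under AppData. Because HKCR is a merged view in which the per-user HKCU\Software\Classes branch wins over HKLM, a per-user InprocServer32 silently replaces the machine-wide COM server for that CLSID, so any process that instantiates the object loads the attacker's module. The script below is an added example (not Malwarebytes code and not anything posted in the thread): it parses a Malwarebytes Anti-Malware 1.x log and flags that pattern. The sample log is excerpted from the post above with the zero-count sections dropped; the benign entry used in the usage note is constructed.

```python
"""Parse a Malwarebytes Anti-Malware 1.x text log and flag per-user COM hijacks.
Added example; not Malwarebytes code and not from the thread."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Excerpt of the log posted above (zero-count sections dropped).
SAMPLE_LOG = r"""
Registry Keys Detected: 1
HKCU\SOFTWARE\CLASSES\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\INPROCSERVER32 (Trojan.Zaccess) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKCU\SOFTWARE\CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32| (Trojan.Zaccess) -> Data: C:\Users\BEH\AppData\Local\{604a2575-b281-b1ba-e635-373fe8248759}\n. -> Quarantined and deleted successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Users\BEH\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WRU27TDQ\axiYl6Ws[1].exe (Trojan.Happili) -> Quarantined and deleted successfully.
C:\Users\BEH\AppData\Local\Temp\0138c0e90808.exe (Trojan.Happili) -> Quarantined and deleted successfully.
"""

SECTION_RE = re.compile(r"^(?P<kind>[A-Za-z ]+?) Detected: (?P<count>\d+)$")
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<name>[\w.\-/ ]+)\) -> (?P<rest>.+)$")
# HKCU\Software\Classes\CLSID\{guid}\InprocServer32, with or without the
# trailing "|" that MBAM uses to mark the key's default value.
CLSID_INPROC_RE = re.compile(
    r"^HKCU\\SOFTWARE\\CLASSES\\CLSID\\\{[0-9A-F-]{36}\}\\INPROCSERVER32\|?$", re.IGNORECASE)
GUID_DIR_RE = re.compile(r"\\\{[0-9a-f-]{36}\}\\[^\\]+$")
SYSTEM_PREFIXES = ("c:\\windows\\", "c:\\program files")


@dataclass
class Detection:
    kind: str            # log section, e.g. "Registry Values"
    item: str            # key, value or file path as MBAM printed it
    name: str            # MBAM detection name, e.g. "Trojan.Zaccess"
    data: Optional[str]  # registry data, when the line carries "Data: ..."
    action: str          # what MBAM did with it


def parse_mbam_log(text: str) -> List[Detection]:
    """Walk the log section by section and collect every detection line."""
    found, kind = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        sec = SECTION_RE.match(line)
        if sec:
            kind = sec.group("kind")
            continue
        det = DETECTION_RE.match(line)
        if not det or kind is None:
            continue
        rest, data = det.group("rest"), None
        if rest.startswith("Data: ") and " -> " in rest:
            data, rest = rest[len("Data: "):].split(" -> ", 1)
            data = data.rstrip(".")  # MBAM ends the data with a sentence period
        found.append(Detection(kind, det.group("item"), det.group("name"), data, rest.rstrip(".")))
    return found


def hijack_indicators(det: Detection) -> List[str]:
    """Reasons an entry looks like the per-user COM hijack in the log (empty if none)."""
    reasons: List[str] = []
    if not det.kind.startswith("Registry") or not CLSID_INPROC_RE.match(det.item):
        return reasons
    # HKCR merges HKLM\Software\Classes and HKCU\Software\Classes, and the HKCU
    # copy wins, so a per-user InprocServer32 replaces the machine-wide server.
    reasons.append("per-user InprocServer32 overrides the machine-wide COM server")
    if det.data:
        path = det.data.lower()
        if not path.startswith(SYSTEM_PREFIXES):
            reasons.append("server module is outside Windows/Program Files")
        if "\\appdata\\" in path:
            reasons.append("server module is under the user profile")
        if "." not in path.rsplit("\\", 1)[-1]:
            reasons.append("server module has no file extension")
        if GUID_DIR_RE.search(path):
            reasons.append("server module sits in a GUID-named folder")
    return reasons


def triage(text: str) -> dict:
    """Summarise a log: counts, detection names, and flagged COM hijacks with reasons."""
    dets = parse_mbam_log(text)
    return {
        "total": len(dets),
        "names": sorted({d.name for d in dets}),
        "hijacks": [(d.item, hijack_indicators(d)) for d in dets if hijack_indicators(d)],
    }


if __name__ == "__main__":
    for item, why in triage(SAMPLE_LOG)["hijacks"]:
        print(item)
        for reason in why:
            print("   -", reason)
```

On the log above, the key line gets one reason (per-user override) and the value line gets all five; the two Trojan.Happili files get none. A constructed entry whose data points at a DLL under C:\Windows\System32 only gets the first reason, which is the right weighting: legitimate per-user COM registrations exist, so the strong signal is the module location, not the hive alone. Quarantining the registry entry without the module (or the module without the entry) is what leaves a machine in the half-broken state described in the post, which is one reason the helpers ask for a rootkit scanner next.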



#2 nasdaq (Malware Response Team, 39,523 posts, Montreal, QC. Canada)

Posted 12 August 2012 - 09:12 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Let's start with these scans.

Please Download
TDSSKiller.zip

Double-click on TDSSKiller.exe to run the application.
  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double click the aswMBR.exe to run it

  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please post the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

===

Please post the logs for my review.

#3 VAGirl (Topic Starter)

Posted 13 August 2012 - 03:29 PM

Hi, nasdaq. Thanks for your response.

I am not able to download any programs directly onto the laptop since the trojans have disabled my internet connection.

I saved both downloads to two different USB flash drives, but the laptop does not acknowledge the presence of a flash drive in any of the 4 USB ports. The light on the flash drive does light up.

I saved the downloads to a CD. When I tried to open TDSSKiller.exe, it tells me that I should “Extract All” the files. When I attempt to do this, I get an error message that the compressed (zipped) folders was unable to create the specified directory, that I should ensure that the directory does not already exist, and that the path entered is invalid. When I just try to “Run” the file, the specified service does not exist as an installed service. I also get an error message which indicates that Windows cannot complete the extraction and that the destination file could not be created. I am not able to open aswMBR.exe or save it to my desktop or elsewhere either.

#4 nasdaq (Malware Response Team)

Posted 14 August 2012 - 06:34 AM

PLEASE NOTE: Most authorities say that a PC with a polymorphic file infector can never again be trusted and should be reformatted. You should seriously consider reformatting and reinstalling Windows.

That said, if you wish we can attempt disinfection but you are cautioned that theoretically you can never be sure cleaning is 100% complete.

Read all these directions before proceeding.

When you have the .ISO file downloaded, you need to create a bootable disk or flash drive with it, using a clean PC to do that. The .ISO file is a disk image. It should NOT be burned as a regular file. You need a program like ImgBurn that can burn an .ISO image. I think a CD is best as there is no way anything can write on it after it is made, but the USB may be more convenient and easier.

Be sure to read these:
Download Kaspersky Rescue Disk 10
How to record Kaspersky Rescue Disk 10 to an USB device and boot my computer from it?
How to record Kaspersky Rescue Disk 10 to a CD/DVD and boot my computer from the disk?


Summarizing:
  • Go to a clean PC.
  • Download the .iso image file.
  • Create a CD (or flash drive if you prefer).
  • At the infected PC: put the disk in the drive and reboot.

Follow the directions here, but you will find some differences.

Familiarize yourself with How to create a report file in Kaspersky Rescue Disk 10?

Print the following directions:

Boot from Kaspersky Rescue Disk 10:
Restart your computer and put the disk in the drive while booting.
Press any key. A loading wizard will start (you will see the menu to select the required language). If you do not press any key in 10 seconds, the computer boots from hard drive automatically.
Select the required interface language using the arrow-keys on your keyboard.
Press the Enter key on the keyboard.
In the startup wizard window that opens, select "Kaspersky Rescue Disk. Graphic Mode".
Click Enter.
Click 'A' to accept the agreement.
Select operating system from dropdown menu (select Windows whatever)
Select Objects to scan: check Disk boot sectors, Hidden startup objects, C:
Click My Update Center and update if any available
Back to other tab and click Start Object Scan.
(It took 3 hours to scan my 47G)
When scan has completed save a report:

On the upper part of the Kaspersky Rescue Disk window, click on the Report link.
On the bottom right hand corner of the Protection status - Kaspersky Rescue Disk window, click on the Detailed Report button.
On the upper right hand corner of the Detailed report window, click on the Save button.
After clicking Detailed Report and 'SAVE', a browse window opens.
Double-click on the \
Click 'disks'.
All your drives will be shown and you can easily double-click C and save the report to C:\KasperskyRescueDisk10.txt.
Click on the Save button.
The report has been saved to the file.

Remove the disk from the drive (or disconnect USB) and reboot normally.

===

What is the situation now with this computer?
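The point about the .ISO being a disk image rather than a file is the one most often got wrong: if the .iso is burned as a data file, the disc carries an ordinary data filesystem with a single large file on it and the machine ignores it at boot. The check below is an added example (not from the thread, Kaspersky or ImgBurn) to run on the clean PC before burning: it scans the ISO 9660 volume descriptor set, which starts at sector 16, and reports whether a primary volume descriptor and an El Torito boot record are both present. The minimal image built by make_sample_iso is constructed for demonstration and is not a real rescue image.

```python
"""Check that a downloaded file is a bootable ISO 9660 image before burning it.
Added example; not from the thread, Kaspersky or ImgBurn."""
from typing import Dict

SECTOR = 2048                    # ISO 9660 logical sector size
FIRST_DESCRIPTOR = 16 * SECTOR   # volume descriptors start at sector 16
ISO_ID = b"CD001"
# Boot system identifier of an El Torito boot record: padded to 32 bytes with NUL.
EL_TORITO_ID = b"EL TORITO SPECIFICATION".ljust(32, b"\x00")
# Descriptor types: 0 boot record, 1 primary volume descriptor, 255 set terminator.


def inspect_iso(data: bytes) -> Dict[str, object]:
    """Report whether the bytes hold an ISO 9660 filesystem and an El Torito boot record."""
    info: Dict[str, object] = {"iso9660": False, "bootable": False, "volume_id": None,
                               "looks_like": "not an ISO image"}
    if data[:2] == b"MZ":
        info["looks_like"] = "Windows executable (MZ header), not an image"
    off = FIRST_DESCRIPTOR
    while off + SECTOR <= len(data):
        desc = data[off:off + SECTOR]
        if desc[1:6] != ISO_ID:    # not a volume descriptor at all: stop scanning
            break
        dtype = desc[0]
        if dtype == 255:           # end of the volume descriptor set
            break
        if dtype == 1:             # primary volume descriptor: volume id at bytes 40..71
            info["iso9660"] = True
            info["volume_id"] = desc[40:72].decode("ascii", "replace").rstrip()
            info["looks_like"] = "ISO 9660 image"
        elif dtype == 0 and desc[7:39] == EL_TORITO_ID:  # boot record volume descriptor
            info["bootable"] = True
        off += SECTOR
    if info["iso9660"] and info["bootable"]:
        info["looks_like"] = "bootable ISO 9660 image"
    return info


def inspect_iso_file(path: str) -> Dict[str, object]:
    """Read only the descriptor area; a rescue ISO is hundreds of megabytes."""
    with open(path, "rb") as f:
        return inspect_iso(f.read(64 * SECTOR))


def make_sample_iso(volume_id: bytes = b"SAMPLE", bootable: bool = True) -> bytes:
    """Constructed minimal descriptor set for demonstration; not a real rescue image."""
    def descriptor(dtype: int, body: bytes) -> bytes:
        # type, "CD001", version 1, then the type-specific body, padded to one sector
        return (bytes([dtype]) + ISO_ID + b"\x01" + body).ljust(SECTOR, b"\x00")
    # PVD body: byte 7 unused, 32-byte system identifier, 32-byte volume identifier
    pvd = descriptor(1, b"\x00" + b" " * 32 + volume_id.ljust(32))
    boot = descriptor(0, EL_TORITO_ID)
    term = descriptor(255, b"")
    return bytes(FIRST_DESCRIPTOR) + pvd + (boot if bootable else b"") + term


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    print(inspect_iso_file(target) if target else inspect_iso(make_sample_iso(b"KRD10")))
```

Run it as `python check_iso.py rescue.iso` on the clean PC: "bootable ISO 9660 image" means the file is what ImgBurn should write as an image; "Windows executable" means you downloaded an installer or a renamed .exe instead. The check says nothing about authenticity: it cannot tell a genuine rescue image from a tampered one, so download from the vendor's own page and compare against a published hash if one is offered.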

#5 VAGirl (Topic Starter)

Posted 15 August 2012 - 04:59 PM

Thanks, nasdaq, but I'm done. New laptop on the way!

#6 nasdaq (Malware Response Team)

Posted 16 August 2012 - 09:44 AM

Thanks for the feedback.

I will close this topic.



