Re: Happili.com Virus - How to Remove?

iahawks32 · ‎03-22-2012

Here is an updated aswMBR log with the definitions.

Quads · ‎07-21-2008

To others:-

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

iahawks32

Download Combofix to your Desktop from http://www.bleepingcomputer.com/download/anti-virus/combofix

Download the attachment to this post (CFscript.txt) and save it to your desktop also.

Disable Norton and close your Browser(s)

Now drag the CFScript.txt into the ComboFix.exe

Do not do anything else while it is running including moving the mouse cursor inside combofix.

When it is finished it will create a log after, also you may have to restart the PC before you are able to use the Browsers.

Quads

iahawks32 · ‎03-22-2012

I downloaded and ran the ComboFix.exe, I did not get a script though. But I have attached the log after CF ran.

Quads · ‎07-21-2008

The script file isattached to my last message CFscript.txt 1 KB

Quads

iahawks32 · ‎03-22-2012

Ok here is the log again after running the script you provided. Sorry about that. Thanks for all your help.

Quads · ‎07-21-2008

Now do you still have the redirects and for which Browsers?? (Firefox, Chrome, IE)

Found a common file removed for you and another user for 6 days ago, hmlxkn.dll (Trojan.Agent.GMAGen) having the Happili.com redirect problem, sometimes it's a Rootkit, sometimes the Java Cache, Sometimes Chrome and Firefox needs completely uninstalled including all personal data and history then a fresh install at the end.

Malwarebytes updated can find Trojan.Agent.GMAGen.

I am still not sure why your MBR is unknown whetther it's because it's and OEM version or what, but you should now have a file called MBR.dat, that you can upload to Virustotal if you like.

Quads

iahawks32 · ‎03-22-2012

Thanks for your help. I use IE and Chrome and just did several Google and Yahoo searches and no re-directs! I'll download malwarebytes and run that just to be sure. I also upgraded to the 2012 version of Norton Internet Security, in case that helps me for the future.

iahawks32 · ‎03-22-2012

I spoke too soon. In doing a Google search for Malwarebytes, I got a redirect. I just downloaded Malwarebytes and am running a scan with that, we'll see what happens.

Thanks again.

Quads · ‎07-21-2008

The Java Cache did get cleared as you now have more HD space free afterwards

Pre-Run: 117,621,456,896 bytes free
Post-Run: 117,715,558,400 bytes free

an example of it with a MBAM scan

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 1
C:\Documents and Settings\NetworkService\Application Data\Microsoft\Microsoft\hmlxkn.dll (Trojan.Agent.GMAGen) -> Delete on reboot.

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Update (Trojan.Agent.GMAGen) -> Data: rundll32.exe "C:\Documents and Settings\NetworkService\Application Data\Microsoft\Microsoft\hmlxkn.dll",DllRegisterServer -> Quarantined and deleted successfully.
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Update (Trojan.Agent.GMAGen) -> Data: rundll32.exe "C:\Documents and Settings\NetworkService\Application Data\Microsoft\Microsoft\hmlxkn.dll",DllRegisterServer -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Documents and Settings\NetworkService\Application Data\Microsoft\Microsoft\hmlxkn.dll (Trojan.Agent.GMAGen) -> Delete on reboot.

I will have to do a cleanup of what was used at the end to delete files and folders etc.

Quads

Quads · ‎07-21-2008

Which Browser has the redirect, people have found that IE comes right, but Not Firefox or Chrome so they have tio be completely removed including all data then freshly reinstalled like you were installing it for the first time.

Quads