Contributor
Keyboard
Posts: 35
Registered: ‎03-29-2012
happili.com virus help

I have the happili.com virus on my computer. I would appreciate any help in getting this removed. I can't use my keyboard. Downloaded TDSSKiller. Did not detect anything. I downloaded and ran the ComboFix.exe.

Bot Obliterator
Quads
Posts: 13,938
Registered: ‎07-21-2008
Re: happili.com virus help

You can attach logs to posts instead of the likes of that jumbled mess.

 

Do not use advanced programs like ComboFix without supervision; they are dangerous.

 

I suspect I can see what is wrong, 

 

Quads

Bot Obliterator
Quads
Posts: 13,938
Registered: ‎07-21-2008
Re: happili.com virus help

I have to try and figure out which driver has gone missing or is corrupt / infected

 

1.  Download OTL   hxxp://oldtimer.geekstogo.com/OTL.exe   (change the hxxp to http) and save it to your Desktop.

Double click on OTL.exe to run it.  Right click OTL.exe and select run as administrator for Vista and Win 7.

Click the Scan All Users checkbox.

Change file age to 60 days
Click on Run Scan at the top left hand corner.

 

Post back the  log OTL.txt (attach)

 

Download hxxp://download.bleepingcomputer.com/farbar/FSS.exe  (change the hxxp to http) and run it on the computer with the issue. On the desktop.


Make sure the following options are checked:


Internet Services
Windows Firewall
System Restore
Security Center/Action Center
Windows Update


Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.

 

Quads

Contributor
Keyboard
Posts: 35
Registered: ‎03-29-2012
Re: happili.com virus help

Quads,

Thanks for jumping onto this thread. I am on my work computer now (with a keyboard that works) but even this one is giving me a hard time because my work's computer security loads the Norton webpages painfully slowly. I had to copy and paste individual letters to make the first few sentences of my last post.

 

A better summary of what happened:

I think I got the virus from watching a TV show online, started getting redirects to "Happili.com" and my computer was running very slow.

 

I did a Norton Scan (Norton 360), which detected nothing.

 

I did the Windows Malware Scan, which detected and removed 3 different malwares (Harnig.B and two others, can't remember but I have it written down at home)

 

I then did malwarebytes, which detected some more malware which I think it removed. I don't know if I still have that log.

 

I then used Norton Power Eraser, that detected some trojans.

 

At this point, the computer was working faster but google wouldn't search at all.

 

I then used the Norton Reboot program (for the infections that are so bad your computer won't start). It found 1 trojan.

 

That is when my keyboard stopped working.

 

I then ran TDSSKiller, which found nothing and then ComboFix. Combofix found 1 malware as shown in my post.

 

I checked my keyboard hardware in the Windows Control Panel, it looks like the driver has been erased because windows doesn't detect any plugged in keyboard. Not sure how to fix that one.

 

Quads, Again thanks for jumping onto the thread. I see you are very thorough in solving all the problems, and I will attach logs from now on. If you can provide some help it would be greatly appreciated.

 

On a side note, is it safe to back up files from my computer (pictures and music) onto my removable hard disk? Or will it just infect the hard disk? I figure as a worst case scenario I could just wipe my hard drive but I don't think that is necessary.

Bot Obliterator
Quads
Posts: 13,938
Registered: ‎07-21-2008
Re: happili.com virus help

Why are people determined to do this when they don't know what they are doing, Geez

 

 


I did the Windows Malware Scan, which detected and removed 3 different malwares (Harnig.B and two others, can't remember but I have it written down at home)

 

I then did malwarebytes, which detected some more malware which I think it removed. I don't know if I still have that log.

 

I then used Norton Power Eraser, that detected some trojans.

 

At this point, the computer was working faster but google wouldn't search at all.

 

I then used the Norton Reboot program (for the infections that are so bad your computer won't start). It found 1 trojan.

 

That is when my keyboard stopped working.

 

I then ran TDSSKiller, which found nothing and then ComboFix. Combofix found 1 malware

Combofix does not detect Malware as such



Quads

Contributor
Keyboard
Posts: 35
Registered: ‎03-29-2012
Re: happili.com virus help

"Why are people determined to do this when they don't know what they are doing, Geez"

 

Quads,

I admit stupidity on my part with the shoot-from-the-hips action of installing some of the tools developed by masters of the computer engineering and programming world. In my frustration, I did something stupid that could have caused a lot of damage and I admit fault. I also admit I don't understand the full use of combofix. I will follow only your instruction and those instructions to a tee.

 

Anything on how I can at least use my keyboard? The copy and paste of individual letters is quite frustrating.

Bot Obliterator
Quads
Posts: 13,938
Registered: ‎07-21-2008
Re: happili.com virus help

Are you using a USB or PS/2 keyboard??

 

Quads

Contributor
Keyboard
Posts: 35
Registered: ‎03-29-2012
Re: happili.com virus help

ps2

Bot Obliterator
Quads
Posts: 13,938
Registered: ‎07-21-2008
Re: happili.com virus help

Try a USB keyboard, or  turn on the Vista on screen keyboard for now.

 

I will need the Malwarebytes log too.

 

It may be easier to have NBRT and Malwarebytes restore / undo the objects, including the driver back even though it's infected, and then have the infection removed correctly.

 

Quads

Contributor
Keyboard
Posts: 35
Registered: ‎03-29-2012
Re: happili.com virus help

OTL logfile