Removal attempts for Happili virus did not work


  1. Posts : 4
    Windows 7
       #1


    Hello all,
    Noticed there were a ton of threads for this already so I tried the instructions from a number of different methods. I use Google Chrome; the problem does not happen on Firefox. Seems none have worked.

    After following the instructions in this thread: Need help removing Happili redirect virus the virus was still on my computer. I used Combofix, then ESET, then TFC (you can find two logs and error reports attached). Downloaded all today. Combofix has since been uninstalled and deleted from the computer.

    These did not work, so I tried a Kaspersky TDSSKiller scan, which found nothing. I then tried my Malwarebytes Anti-Malware software (after updating for the latest version), which found nothing. My daily AVG scan has yet to bring up anything either.

    Yet every Google search, when I click on a link for the first time, I get re-directed. It's not always to a Happili page either; about 20% of the time it goes to a different landing page. Thoughts? Any advice would be greatly appreciated.

    -Matt


  2. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #2

    First let's flush the dirty DNS cache and restore MS's Hosts file.

    Copy and paste these lines into Notepad.

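    @Echo on
    REM Replace the hosts file with a single localhost entry
    pushd\windows\system32\drivers\etc
    attrib -h -s -r hosts
    echo 127.0.0.1 localhost>HOSTS
    attrib +r +h +s hosts
    popd
    REM Renew the DHCP lease and clear the DNS resolver cache
    ipconfig /release
    ipconfig /renew
    ipconfig /flushdns
    REM Reset the Winsock catalog and TCP/IP settings
    netsh winsock reset all
    netsh int ip reset all
    REM Reboot after 1 second, then delete this batch file
    shutdown -r -t 1
    del %0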

    Save as flush.bat to your desktop.
    Double click on the flush.bat file to run it. Vista and Windows 7... right click the .bat file and choose to run as Administrator. Your computer will reboot itself.

    After rebooting, update Java

    • Download the latest version of Java Runtime Environment (JRE) 7.
      Java SE Downloads
    • Scroll down to where it says "Java Runtime Environment (JRE) 7u3 allows end-users to run Java applications".
    • Click the "Download" button to the right.
    • Check the box that says: "Accept License Agreement".
    • The page will refresh.
    • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
    • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-7u3-windows-i586-p.exe to install the newest version.

    Now,

    Download DDS from one of these links:
    Mirror 1 Mirror 2 Mirror 3
    • Disable any script blocking protection
    • Double click the dds icon to run the tool.
    • When done, DDS will open two (2) logs:
      1. DDS.txt
      2. Attach.txt <--- will be minimized in the task tray
    • Save both reports to your desktop.

    Include the contents of both logs in your next post.
    The scan will instruct you to post Attach.txt as an attachment.


  3. Posts : 4
    Windows 7
    Thread Starter
       #3

    Thanks Jacee! Attached are the two logs.
    Last edited by mjstein3; 03 May 2012 at 15:17. Reason: Attachments


  4. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #4

    Sorry I'm so late at getting back to you ...

    Download Combofix from any of the links below, and save it to your desktop. <--Important
    Link 1
    Link 2
    Link 3

    Click on this link Here to see a list of programs that should be disabled.
    The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
    Next: Disconnect from the internet. If you are on Cable or DSL, unplug your computer from the modem.
    Next: Please disable all onboard security programs (all running with background protection) as they may hinder the scanner from working.
    This includes Antivirus, Firewall, and any Spyware scanners that run in the background.
    • Double click combofix.exe and follow the prompts.
    • When finished, it will produce a log for you.
    Note: Do not mouseclick Combofix's window while it's running. That may cause it to stall.
    Please be patient while the scan runs, at times it may appear to stall.
    When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
    Post this log in your next reply.
    After rebooting ensure your Security applications have been re-enabled.

    In your next reply post:
    ComboFix.txt
    ***A guide and tutorial on "How to use Combofix" can be found here:
    A guide and tutorial on using ComboFix

    IF CF won't run:
    During the download, rename Combofix.exe to sVchost.exe


  5. Posts : 4
    Windows 7
    Thread Starter
       #5

    No worries on the delayed response. Here's the ComboFix log attached.

    As a sidenote, and maybe this helps you where to look? After updating Java I did a few test searches and found that the Happili redirect is happening less, but I'm still getting redirected to click-get-answers-fast and a couple of others. Is this the same virus?


  6. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #6

    Please disable AdWatch, as it may hinder the removal of some entries. You can re-enable it after you're clean.
    To disable AdWatch:

    Open AdAware SE.
    Go to AdWatch User Interface.
    Go to Tools and Preferences.
    At the bottom of the screen you will see 2 options Active and Automatic.
    Active: This will turn Ad-Watch On\Off without closing it
    Automatic: Suspicious activity will be blocked automatically
    Uncheck both options. You can enable these after resolving your problem.


    Totally uninstall Google Uninstall Google Chrome - Google Chrome Help

    Reboot ...

    Let me know if you're still being redirected.


  7. Posts : 3
    Windows 7 Home Premium 64 Bit
       #7

    I had this redirect virus before. In addition to what Jacee said, just make sure there are no entries in your hosts file, run SUPERAntiSpyware, and reset Chrome's settings. Hope this works for you as it did for me :)
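
An added example, not part of any post in this thread: a PowerShell check that lists hosts-file entries other than the default localhost mappings, so the file can be reviewed before the flush.bat from post #2 overwrites it, or when checking it by hand as post #7 suggests. The function name Get-HostsFinding, the verdict labels and the sample lines are constructed for illustration.

```powershell
# Added example: review hosts entries before overwriting the file.
# Targets Windows PowerShell 2.0, the version included with Windows 7.

function Get-HostsFinding {
    param([string[]]$Line)
    $loopback = @('127.0.0.1', '::1')
    foreach ($raw in $Line) {
        # Strip comments and whitespace; skip blank or comment-only lines.
        $text = ($raw -replace '#.*$', '').Trim()
        if ($text -eq '') { continue }
        $fields = @($text -split '\s+')
        if ($fields.Count -lt 2) { continue }   # address with no host name
        $address = $fields[0]
        # One line may map several names to the same address.
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            $name = $name.ToLower()
            if (($loopback -contains $address) -and ($name -eq 'localhost')) {
                $verdict = 'default'    # what the reset script leaves behind
            } elseif (($loopback -contains $address) -or ($address -eq '0.0.0.0')) {
                $verdict = 'sinkhole'   # name blocked locally
            } else {
                $verdict = 'redirect'   # name answered by this file, not by DNS
            }
            New-Object PSObject -Property @{
                Verdict = $verdict; Address = $address; HostName = $name
            }
        }
    }
}

# Constructed sample input (not from the thread's attached logs).
$sample = @(
    '# Copyright (c) 1993-2009 Microsoft Corp.',
    '127.0.0.1       localhost',
    '::1             localhost',
    '0.0.0.0         ads.tracker.example    # blocklist entry',
    '203.0.113.10    www.search.example search.example'
)

# For the live file, pass instead:
#   (Get-Content "$env:SystemRoot\System32\drivers\etc\hosts" -Force)
Get-HostsFinding -Line $sample |
    Where-Object { $_.Verdict -ne 'default' } |
    Format-Table Verdict, Address, HostName -AutoSize
```

Entries marked redirect map a name to a non-loopback address and deserve a closer look; sinkhole entries are usually left by blocklist or immunization tools.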


  8. Posts : 4
    Windows 7
    Thread Starter
       #8

    It seems re-installing Chrome and updating the settings fixed the re-direct issue. I can't thank you enough! Will reply to this thread if I discover problems persist.


  9. Posts : 21
    win 7 64
       #9

    How are people getting this? I've read it's Chrome but can't find any info as to how people are getting it.


  10. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #10

    @ mjstein3
    Please uninstall Combofix (it won't do you any good to keep it. It's just a tool we use):

    Click START Search
    • Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the /, it needs to be there.

    Now download TFC by Old Timer TFC - Temp File Cleaner by OldTimer - Geeks to Go Forums and save it to your desktop.
    Save any unsaved work. TFC will close ALL open programs including your browser!
    Double-click on TFC.exe to run it. If you are using Vista/Windows 7 right-click on the file and choose Run As Administrator.
    Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
    Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.

    ***TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder. It also cleans out the %systemroot%\temp folder and checks for .tmp files in the %systemdrive% root folder, %systemroot%, and the system32 folder (both 32bit and 64bit on 64bit OSs). It shows the amount removed for each location found (in bytes) and the total removed (in MB). Before running, it will stop Explorer and all other running apps. When finished, if a reboot is required the user must reboot to finish clearing any in-use temp files.
    TFC only cleans temp folders. TFC will not clean URL history, prefetch, or cookies. Depending on how often someone cleans their temp folders, their system hardware, and how many accounts are present, it can take anywhere from a few seconds to a minute or more. TFC will completely clear all temp files where other temp file cleaners may fail. TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

    This is a tool to keep!


 

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.
