
Wednesday, April 11, 2012

Remove Happili Redirect Virus (Uninstall Guide)

Although the growth of browser (search result) redirects associated with rootkits and other malware has been declining quite rapidly since the middle of last year (except for a few spikes around the holidays), many people are still having issues with the 'redirect virus', as many of you call it. It's an evergreen niche, sort of... Recently, my aunt contracted a virus that redirected every search she made to Happili.com. Obviously, she wasn't happy about that :) She had it along with other redirects and ads. This is a very common problem faced by thousands of PC users every day. Occasionally, when you search on Google (or any other web search engine, for that matter) and click a search result, you get redirected to a website full of ads or, even worse, malicious code. Sometimes you get a 404 Not Found error from the web server when you click a search result. This happens when malware authors add new domains while the malicious code already running on infected machines still redirects users to the old, now-dead websites. Most of the incidents reported by our readers during the last couple of weeks were, one way or another, associated with websites called Gimmeanswer and Happili.



The Happili redirect virus, or whatever you may call it, is just another domain/site involved in a malicious scheme in which cyber criminals earn money every time an affected user clicks an ad or installs affiliated software. Usually, the crooks change domain names every few weeks or so, but I've seen some domains that have been used to distribute malware for at least a couple of months and are still active. It might be that these domains are accepted by certain companies that monetize parked domains: the crooks drive traffic to them using malicious software and infected computers, and at the same time earn some nice money from the paid ads displayed there. However, this is probably not the case.



Even though the URL says happili.com, the rootkit loads content from an entirely different website - x2838954xc(dot)com.



The ZAccess/Sirefef rootkit creates a new Windows service called DCamUSBDXGT [symmpi].



Removing the Happili virus is not an easy task, unfortunately. It has nothing to do with your web browser. Happili.com redirects, like many others, are very often caused by a rather sophisticated rootkit called ZeroAccess or Sirefef. The problem is that this rootkit cannot be removed with popular anti-spyware software such as Malwarebytes' Anti-Malware. Such software may, however, remove the associated malware (trojan droppers, etc.) from the infected computer. If you want to get rid of the ZeroAccess rootkit and stop the annoying redirects, you need to use removal tools designed for this specific infection.

TDSSKiller by Kaspersky is probably the most popular, but other antivirus companies offer ZAccess removal tools as well. Besides, TDSSKiller sometimes fails to remove infected files from the system, so it's always a good idea to run an alternate removal tool to be sure that your PC is clean and the rootkit was successfully removed. AVG's Win32/ZeroAccess remover removes most ZAccess/Sirefef variants but very often fails on newly released samples. Symantec offers ZeroAccess Fix Tool 1.0.0, which detects and removes this infection but may not work with the latest variants of the rootkit: it cleans the infected .sys file but not the malicious module, so once you restart your computer the rootkit patches new drivers. I'm not saying that these utilities are useless, but the removal tools from Panda, BitDefender and Webroot worked for me almost every single time I dealt with the ZeroAccess rootkit. So, I definitely recommend scanning your computer with these utilities before running your favorite anti-malware software. Please note that certain variants of this rootkit block legitimate anti-malware software and security-related websites.

Panda ZeroAccess/Sirefef remover: http://www.pandasecurity.com/usa/homeusers/support/card?id=1672&idIdioma=2

BitDefender ZeroAccess removal tool: http://www.malwarecity.com/community/index.php?app=downloads&showfile=34

To remove the remnants of the Happili virus from your computer, run a full system scan with updated anti-malware software. Also check your LAN (proxy) settings, make sure your internet settings are configured correctly, flush the DNS cache and make sure the Windows hosts file was not modified. For more details, please read this removal guide. If you have any questions or need assistance removing this malware from your computer, please leave a comment below. Good luck and be safe online!
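As an added example (not part of the original post), here is a small Python script that parses a hosts file and flags the kinds of entries redirect malware leaves behind: search-engine hostnames pointed at a non-loopback address (forced redirects) and security-vendor hostnames pointed at 127.0.0.1 or 0.0.0.0 (blocked updates and downloads). The sample hosts content, the hijack address 203.0.113.10 and the list of watched domains are constructed for the example. On Windows the real file is %SystemRoot%\System32\drivers\etc\hosts, and a clean one contains only comments plus, at most, the localhost lines.

```python
"""Audit a hosts file for tampering that causes search redirects or blocks
security sites.  Added example; the sample content below is constructed,
not captured from an infected machine."""
import ipaddress
import sys
from typing import List, Tuple

# Mappings Windows ships with (or harmless loopback equivalents).
LOOPBACK = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("::1")}
DEFAULT_NAMES = {"localhost", "broadcasthost"}

# Hostnames that redirect malware commonly hijacks: search engines (to force
# redirects) and security vendors (to block updates).  Illustrative list.
WATCHED_SUFFIXES = (
    "google.com", "bing.com", "yahoo.com",
    "kaspersky.com", "malwarebytes.org", "symantec.com", "avg.com",
    "pandasecurity.com", "bitdefender.com", "microsoft.com", "windowsupdate.com",
)


def parse_hosts(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, ip, hostname) for every active mapping.
    Comments after '#' and blank lines are skipped; one IP may map many names."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line; the resolver ignores it too
        for name in parts[1:]:
            entries.append((n, parts[0], name.lower()))
    return entries


def classify(ip: str, name: str) -> str:
    """'ok' for default loopback entries; 'hijack' for a watched name sent to a
    real address; 'blocked' for a watched name sent to loopback/0.0.0.0;
    'suspicious' for any other non-default mapping; 'malformed' for a bad IP."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "malformed"
    is_loop = addr in LOOPBACK or addr.is_unspecified
    watched = any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)
    if name in DEFAULT_NAMES and is_loop:
        return "ok"
    if watched:
        return "blocked" if is_loop else "hijack"
    return "suspicious"


def audit_hosts(text: str) -> List[Tuple[int, str, str, str]]:
    """Return every non-'ok' entry as (line_no, ip, hostname, verdict)."""
    findings = []
    for n, ip, name in parse_hosts(text):
        verdict = classify(ip, name)
        if verdict != "ok":
            findings.append((n, ip, name, verdict))
    return findings


# Constructed sample: the default Windows lines plus tampered ones.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.10    www.google.com google.com      # search results hijacked
127.0.0.1       www.malwarebytes.org           # vendor site blocked
0.0.0.0         downloads.kaspersky.com
203.0.113.10    tracker.example                # unknown mapping
"""

if __name__ == "__main__":
    # Pass the path of a real hosts file to audit it; otherwise use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for n, ip, name, verdict in audit_hosts(text):
        print(f"line {n}: {ip:<15} {name:<28} {verdict}")
```

Run it as administrator against the real file (it must be read with elevated rights on Windows), delete the lines it reports, and then run `ipconfig /flushdns` so that answers already cached by the DNS Client service don't keep the redirect alive until the next reboot.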


Happili virus removal instructions:

1. First of all, download and run TDSSKiller by Kaspersky. This utility will remove the malicious .dlls and infected memory modules.

2. Then download the recommended anti-malware software (Spyware Doctor) and run a full system scan to remove the remnants of this virus from your computer. Don't forget to update the anti-malware software before scanning.

NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. On Windows 7 or Vista, all of these tools MUST be run as administrator. Launch the program and follow the prompts.


Happili virus removal instructions for Mac users:

1. Update Java to remove the most common variants of the Flashback malware, which causes the Happili.com redirection. Learn more: http://support.apple.com/kb/HT5242

2. Download and run the Flashback Removal Tool to remove the remnants of the Flashback malware.

3. Reset Safari settings: click Reset Safari under the Safari menu.



1 comment:

JTKeimig said...

We have the infection even while running non-admin. TDSSKiller finds no rootkit. Yet IE is definitely infected. Does Happili have a "user mode"? Or can it escalate privilege?