Bot Obliterator
Quads
Posts: 13,246
Registered: ‎07-21-2008

Re: happili redirect

[ Edited ]

vmbray wrote:

Thanks, I looked at the other thread and ran ComboFix with the script (yes, the one that was only for the other user, but it only does the Java cache; I didn't see that hurting anything) and it seems to have fixed it. It reported userinit.exe was infected and repaired it. I'll keep an eye on it. I'm a big proponent of reloading once every year or so to get back the spunk, but just now I am really tired of loading software due to work stuff, so if it works I'll leave it and reload later.

 

Thanks to you and the other forum members who posted, saved me loads of time!!!



Notice ComboFix did more than the Java cache, people??

 

Think about this: ComboFix is told to do the Java cache but incorrectly does something to a file or registry entry, like deleting or an attempted cure, so that objects get corrupt or are missing.

The user then states "I can't load or get into Windows now after running ComboFix, I used another user's script".

 

Then they expect the malware removal crew to fix the problem without knowing what was taken or done, because people don't take notice of the warnings.

 

In the case above you are lucky, as ComboFix did more than you intended, and if something went wrong with the file stated you would not be able to log on to your Windows user account.

 

More like Bamital variants.

 

Quads

Bot Obliterator
Quads
Posts: 13,246
Registered: ‎07-21-2008

Re: happili redirect

Norton's SONAR has definitions for files as follows:

Packed.Generic.344: FakeAV, ZeroAccess
Packed.Generic.350: Trojan.Zbot, ZeroAccess / Pihar
Packed.Generic.360: Trojan.Zbot, Pihar, ZeroAccess (added April 5, 2012)

 

Hopefully that will stop a lot of droppers / installers for now, before more damage is done.

 

Example https://www.virustotal.com/file/fc2f91bfdd3be029db22423e39d460d2583b721fd801cedb8fb5d93220bcc37e/ana...

 

Quads

Newbie
SunnyB
Posts: 1
Registered: ‎04-10-2012

Re: My computer is infected with Happili redirect problem.

I have just self-diagnosed that I too have Happili redirect problem.  I have not made any steps other than Norton scan.  Please help.

Super Trojan Terminator
Krusty13
Posts: 3,301
Registered: ‎05-31-2011

Re: My computer is infected with Happili redirect problem.

Welcome SunnyB,

 

Your best chance at getting help with this would be to start your own thread. Please include your version of Windows, Service Packs installed, and whether it is 32-bit or 64-bit.

 

Please DO NOT run any other scans.

 

And PLEASE BE PATIENT.

 

Cheers,  Dave.

Windows 7 x64 SP1     N360v20.3.1.22     NU16     SSR 2013     Secunia PSI     SpywareBlaster     NoScript     MBAM free     SAS free

Visitor
jackm
Posts: 2
Registered: ‎04-13-2012

Re: happili redirect

[ Edited ]

Happili virus

 

Kids don’t try this at home, NOT for beginners

 ---------------------

I had this, along with a world of malware hurt on my two antique desktop xp machines, I decided I had p*ssed someone off, happili was just one more and only one of what turned out to be about five redirects, or more, some would hijack me for one interruption, a few went for three before letting me get back to work

 ---------------------------

I had a very long exchange with malwarebytes.com and Microsoft security, in the end they provided no help, I have become quite expert in the huge domain of malware removal, and learned a lot about cr*p; on my machine

 -------------------------

I am self-taught geek enough to know that there were probably multiple separate attacks, and multiple separate locations in my machine where these malware (plural noun) lay lurking

 ------------------------------

After a while I started to read the Redirect websites, not just curse and saw that they came with urls, happili is the most obnoxious, placing its name prominently atop the hijack page

 ------------------------------

I captured (copied) the urls for at least five, and saved them to notepad, and studied them, ‘study’ means stare at, and hope for creativity and inspiration

 ------------------------------

The light bulb half went off, I decided/ speculated that these malware urls were hard-coded into the invasions, only b/c I was flailing

 -----------------------

I then did a string search, or substring, a ‘string’ is geek talk – ‘www.happli.com ‘ is a string, ‘happili’ is a string, all find and replace commands operate on ‘strings’

 ----------------------

I used Agent Ransack, which I inherited sort of by accident, after another malware defeated my Search command,

 -------------------------------

 

and !   f**k   y**r   m*th*r,   ! happili was polluting my machine, so what to do now

 ----------------------------

to mass delete would probably delete my operating system; I have done that in the past, landfill time

 -----------------------------

many of the happili pollutants were *.sqlite files, where * is a placeholder for a file name

 -------------------

SQLite is, I think, Structured Query Language, lite; Oracle and DB2 database programmers will recognize the acronym

 ----------------------------------

So I deleted these, and also several copies of _cache_, b/c the malware writes itself into cache, not explained here. I also ran CCleaner before and after each internet session, which erases all my passwords etc, and erased all my histories etc with browser tools/options, IE and Mozilla, which exist in so many places that you really have no privacy, and inside various {system restore} locations. Kids, don't try this at home, and be sure to back up your data and bookmarks etc; a removable USB disk is A Good Idea

 -------------------------------

And then I was faced with a dilemma: happili had written itself into my Google profile, and deleting a profile sounded BAD (it is)

 ---------------------------------

The malware infestation abated, only to recur, but I now knew where and how to look, and what to delete, this is a holding action, but works

 ---------------------------

These files, infested with the happili string, can be examined in Agent Ransack, where I saw the entire url and the other urls which redirected me; note these are NOT text files, but have text embedded. The redirect pests will mature after reading this

 --------------------

Aha, M*Fr, gotcha!

 ---------------------------------

These files also have Properties, they are Windows objects, and these properties have creation dates, so I now knew when they had started, and saw that they were new and post-dated my cleanup efforts, so I was being reinfected, which I had thought

 -----------------------------

I also found, after a while, a *.sc file, which is a JavaScript, I think, which had not only the happili string but also the name of a wiki file where I had just been, from which I decided that the wiki file had been infected by the happili virus: when I opened the wiki file the virus came down and created the sqlite and sc files; the timing was all consistent,

 ----------------------------

So I clobbered (deleted) them (Marvel comix fans may remember Hulk and ‘clobbering time’)

 

Which worked pretty good, but I still had the Mozilla profile problem. This was some Trojan horse to let the virii back in, I was afraid; the profile name is random characters, and virii infiltrate with random-character name generators to defeat name-specific anti-malware searching, so I decided the profile was a Trojan horse and deleted it

 -------------------------

At which point Mozilla stopped working, but I still had IE, so I uninstalled and reinstalled Mozilla, and it started working

 -------------------------

The error message was bizarre: when I tried to commence a session it said the previous session was running and had to be manually stopped, but Task Manager did not have any information of a concurrent or stalled session, and a hard reboot (power down) did not help either; uninstall/reinstall helped the first time. Turns out I had two profiles in Mozilla

 ----------------------------------

So I am now happily working away and whap! happili is back, so I delete all the happili-infested files, and also the profile just in case, and now Mozilla won't work even with uninstall/reinstall

 ----------------------------------

So now I have to think

  ----------------------------------

At an IE session, searching on my error message, I see that my error message means that I have a Mozilla profile problem; indeed I do, I have no Mozilla profile. So I search on 'fix this error' and find that there is a one-line command to create a Mozilla profile, using 'default', and I am back in biz, happily not happili. The profile name is a random character set (or string), so now I know that the random string is Mozilla's, not happili's, and I am happy

  ----------------------------------

So I do not know about prevention, that is for Norton etc, but I know about removal, manually; I have gotten pretty fast at it, and the bad guys now know how to defeat the good guys on this.

 

 

[edit: Please do not link to malicious websites per the Participation Guidelines and Terms of Service.]
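Added example, not written by jackm or anyone else in this thread: a small Python sweep that does what the Agent Ransack search plus the Properties check above did by hand. It searches every file under a profile folder (sqlite, cache and other non-text files included) for a marker string and orders the hits by timestamp, flagging any that post-date a given cleanup time as reinfection rather than leftovers. The profile tree, its file names and the marker bytes are constructed for the demo and are not real artefacts.

```python
import os
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

def file_contains(path, needle, chunk=1 << 20):
    """Binary-safe substring search (sqlite, cache and other non-text files)."""
    overlap, tail = len(needle) - 1, b""
    with open(path, "rb") as fh:
        while block := fh.read(chunk):  # 1 MiB reads keep memory flat on big files
            if needle in tail + block:  # tail catches a match split across reads
                return True
            tail = block[-overlap:] if overlap else b""
    return False

def scan_tree(root, needle, cleanup_time):
    """Files under root containing needle, oldest first, flagged if modified after
    cleanup_time (reinfection rather than leftovers). Uses mtime; on Windows the
    creation date jackm looked at is os.stat's st_ctime."""
    root, hits = Path(root), []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                if not file_contains(p, needle):
                    continue
                mtime = datetime.fromtimestamp(p.stat().st_mtime, tz=timezone.utc)
            except OSError:
                continue  # locked or unreadable: skip rather than abort the sweep
            hits.append((p.relative_to(root).as_posix(), mtime, mtime > cleanup_time))
    return sorted(hits, key=lambda h: h[1])

def build_sample_profile(root):
    """Constructed stand-in for a browser profile: two tainted files, one clean.
    The marker bytes are only the string being hunted, not a real artefact."""
    root = Path(root)
    (root / "Cache").mkdir()
    (root / "places.sqlite").write_bytes(b"SQLite format 3\x00" + b"\x00" * 40 + b"happili!")
    (root / "Cache" / "_CACHE_001_").write_bytes(b"\x00\x01hap" + b"pili\x02")
    (root / "prefs.js").write_bytes(b'user_pref("browser.startup.page", 1);\n')
    old = datetime(2012, 4, 1, tzinfo=timezone.utc).timestamp()
    os.utime(root / "Cache" / "_CACHE_001_", (old, old))  # backdate: pre-dates cleanup
    return root

def demo():
    """Scan the constructed profile against a cleanup done one day ago."""
    with tempfile.TemporaryDirectory() as tmp:
        cleanup = datetime.now(timezone.utc) - timedelta(days=1)
        return scan_tree(build_sample_profile(tmp), b"happili", cleanup)
```

Run `demo()` and the backdated cache entry comes out as a leftover while places.sqlite, written after the cleanup time, is flagged as reinfection; point `scan_tree` at a real profile folder and a real cleanup timestamp to get the same ordering for your own machine.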

Visitor
Ajones3745
Posts: 2
Registered: ‎04-25-2012

Re: My computer is infected with Happili redirect problem.

Quad, my computer is infected with the Happili redirect. I have followed your directions on creating logs from aswMBR and OTL.exe. I only ran the scans and saved the logs. I am attaching the logs; an "Extras" log was created and I'm including that as well. If there is anything you can do to help, I'd appreciate it. Thanks

Newbie
naythor
Posts: 1
Registered: ‎04-28-2012

I also have the happili redirect problem

[ Edited ]

Hi Quads, I too have the happili redirect problem. Would appreciate any help you can give me.

Bot Obliterator
Quads
Posts: 13,246
Registered: ‎07-21-2008

Re: I also have the happili redirect problem

[ Edited ]

What is it about people using more advanced tools??   

One log is not complete; one log was run with Extras selected as well, though I do see the symptoms.

 

Quads