Author Topic: [InActive K] Redirects (gimmeanswers, happli, and more)  (Read 4471 times)


Offline monkeeluv6

  • Bronze Member
  • Posts: 33
Re: [InActive K] Redirects (gimmeanswers, happli, and more)
« Reply #30 on: March 13, 2012, 01:42:29 pm »
Hi Kevin,

Here's my ComboFix log:




ComboFix 12-03-13.01 - Laura Maggio 03/13/2012  15:09:24.3.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.511.272 [GMT -4:00]
Running from: c:\documents and settings\Laura Maggio\Desktop\2012 feb\Gotcha.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Laura Maggio\Application Data\.#
c:\documents and settings\Laura Maggio\Application Data\.#\MBX@F8@3E3F80.###
c:\documents and settings\Laura Maggio\Application Data\.#\MBX@F8@3E3FB0.###
c:\documents and settings\Laura Maggio\WINDOWS
c:\program files\che-ez1000.exe
c:\windows\dasetup.log
c:\windows\system32\dllcache\wmpvis.dll
.
.
(((((((((((((((((((((((((   Files Created from 2012-02-13 to 2012-03-13  )))))))))))))))))))))))))))))))
.
.
2012-03-05 19:45 . 2012-03-05 19:45   --------   d-----w-   c:\documents and settings\Administrator
2012-03-05 18:45 . 2012-03-05 18:46   --------   d-----w-   c:\program files\ERUNT
2012-03-05 01:05 . 2012-03-05 01:05   --------   d-----w-   c:\program files\Common Files\Java
2012-03-05 01:04 . 2012-03-05 01:03   73728   ----a-w-   c:\windows\system32\javacpl.cpl
2012-03-02 21:14 . 2012-03-02 21:14   --------   d-----w-   C:\_OTM
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-11 15:13 . 2009-05-29 06:43   17659   ----a-w-   c:\windows\system32\drivers\InetLock.sys
2012-03-05 01:03 . 2010-04-28 13:54   472808   ----a-w-   c:\windows\system32\deployJava1.dll
2012-02-23 16:23 . 2011-03-20 21:25   41184   ----a-w-   c:\windows\avastSS.scr
2012-02-23 16:23 . 2011-03-20 21:25   201352   ----a-w-   c:\windows\system32\aswBoot.exe
2012-02-23 16:12 . 2011-03-20 21:27   610648   ----a-w-   c:\windows\system32\drivers\aswSnx.sys
2012-02-23 16:12 . 2011-03-20 21:27   337112   ----a-w-   c:\windows\system32\drivers\aswSP.sys
2012-02-23 16:10 . 2011-03-20 21:27   35672   ----a-w-   c:\windows\system32\drivers\aswRdr.sys
2012-02-23 16:10 . 2011-03-20 21:27   53848   ----a-w-   c:\windows\system32\drivers\aswTdi.sys
2012-02-23 16:10 . 2011-03-20 21:27   95704   ----a-w-   c:\windows\system32\drivers\aswmon2.sys
2012-02-23 16:10 . 2011-03-20 21:27   89048   ----a-w-   c:\windows\system32\drivers\aswmon.sys
2012-02-23 16:10 . 2011-03-20 21:27   20696   ----a-w-   c:\windows\system32\drivers\aswFsBlk.sys
2012-02-23 16:07 . 2011-03-20 21:27   24920   ----a-w-   c:\windows\system32\drivers\aavmker4.sys
2012-02-21 14:40 . 2011-05-22 04:19   414368   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-31 01:03 . 2012-01-31 01:03   40960   ----a-r-   c:\documents and settings\Laura Maggio\Application Data\Microsoft\Installer\{6A255918-B37A-4B0E-A567-4F4D261E741B}\NewShortcut11_6A255918B37A4B0EA5674F4D261E741B.exe
2012-01-31 01:03 . 2012-01-31 01:03   40960   ----a-r-   c:\documents and settings\Laura Maggio\Application Data\Microsoft\Installer\{6A255918-B37A-4B0E-A567-4F4D261E741B}\NewShortcut1_6A255918B37A4B0EA5674F4D261E741B.exe
2012-01-31 01:03 . 2012-01-31 01:03   40960   ----a-r-   c:\documents and settings\Laura Maggio\Application Data\Microsoft\Installer\{6A255918-B37A-4B0E-A567-4F4D261E741B}\ARPPRODUCTICON.exe
2011-01-18 21:22 . 2011-01-18 21:21   47188480   ----a-w-   c:\program files\VisualThesaurus_3_0_3_windows.exe
2010-08-10 17:04 . 2010-08-10 17:04   1008936   ----a-w-   c:\program files\AmazonMP3Installer.exe
2005-04-05 04:46 . 2005-04-05 04:46   4826536   ----a-w-   c:\program files\Firefox Setup 1.0.2.exe
1999-04-16 21:02 . 2005-07-13 04:26   450048   ------w-   c:\program files\YDKJ Offline.exe
1999-03-27 06:16 . 2005-07-13 04:27   805376   ------w-   c:\program files\JackLaunch.exe
1999-03-17 00:03 . 2011-12-02 21:12   92672   ----a-w-   c:\program files\MOONTOOL.EXE
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-02-23 16:23   123536   ----a-w-   c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATI Remote Control"="c:\program files\ATI Multimedia\RemCtrl\ATIRW.exe" [2004-04-16 196608]
"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2006-04-07 1343488]
"024h Lucky Reminder"="c:\program files\024h Lucky Reminder\LuckyReminder.exe" [2006-12-16 1567232]
"POP Peeper"="c:\program files\POP Peeper\POPPeeper.exe" [2010-09-09 1511424]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-07-11 339968]
"ATI DeviceDetect"="c:\program files\ATI Multimedia\main\ATIDtct.EXE" [2004-06-16 69705]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"FFPSRV"="c:\windows\ffpext\ffpsrv.exe" [2007-11-02 84992]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-02-23 4031368]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
c:\documents and settings\Laura Maggio\Start Menu\Programs\Startup\
DesktopComic.exe [2006-4-13 1056291]
Shortcut to MOONTOOL.lnk - c:\program files\MOONTOOL.EXE [2011-12-2 92672]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Belkin F5D8053 N Wireless USB Adapter Utility.lnk - c:\program files\Belkin\F5D8053\Belkinwcui.exe [2007-9-17 1732608]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-3-21 65588]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FDCDNT.SYS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FileAndFolderProtector_S]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^Laura Maggio^Start Menu^Programs^Startup^ePrompter.lnk]
path=c:\documents and settings\Laura Maggio\Start Menu\Programs\Startup\ePrompter.lnk
backup=c:\windows\pss\ePrompter.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
2002-04-10 20:44   679936   ----a-w-   c:\program files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12   15360   ------w-   c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Email Notifier]
2010-01-04 18:42   349696   ----a-w-   c:\program files\NT Email Notifier\NTEmailNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2006-09-26 00:52   50736   ----a-w-   c:\program files\Common Files\AOL\1144761249\ee\aolsoftware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-01-06 18:06   290088   ----a-w-   c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
2005-06-08 18:44   196608   ----a-w-   c:\program files\Logitech\Video\ManifestEngine.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
2005-06-08 19:24   458752   ----a-w-   c:\program files\Logitech\Video\ISStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
2005-06-08 19:14   217088   ----a-w-   c:\program files\Logitech\Video\LogiTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM_Monitor]
2005-11-29 23:19   40960   ----a-w-   c:\program files\OLYMPUS\OLYMPUS Master\FirstStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 21:18   413696   ----a-w-   c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
2007-06-13 12:16   528384   ----a-r-   c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TivoNotify]
2010-05-17 21:10   437520   ----a-w-   c:\program files\TiVo\Desktop\TiVoNotify.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TivoServer]
2010-05-17 21:10   2264336   ----a-w-   c:\program files\TiVo\Desktop\TiVoServer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TivoTransfer]
2010-05-17 21:10   608016   ----a-w-   c:\program files\TiVo\Desktop\TiVoTransfer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2006-01-11 03:34   180269   ----a-w-   c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TranscodingService]
2010-05-17 21:10   855824   ----a-w-   c:\program files\TiVo\Desktop\Plus\TranscodingService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{0228e555-4f9c-4e35-a3ec-b109a192b4c2}]
2005-07-15 21:48   479232   ----a-w-   c:\program files\Google\Gmail Notifier\gnotify.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Barnes & Noble\\NOOKstudy\\NOOKstudy.exe"=
.
R3 PRISM_USB;D-Link Air DWL-122 Wireless USB Adapter Driver;c:\windows\system32\DRIVERS\PRISMUSB.sys [2003-04-10 636416]
R3 PTHDRBUS;PANTECH Handset HSUSB Composite Device;c:\windows\system32\DRIVERS\PTHDRBUS.sys [2009-12-15 55056]
R3 PTHDRMDM;PANTECH HSUSB Modem;c:\windows\system32\DRIVERS\PTHDRMDM.sys [2009-12-15 160784]
R3 PTHDRVSP;PANTECH HSUSB Diagnostic Serial Port;c:\windows\system32\DRIVERS\PTHDRVSP.sys [2009-12-15 160784]
R4 TivoBeacon2;TiVo Beacon Service;c:\program files\TiVo\Desktop\TiVoBeacon.exe [2010-05-17 1104656]
S0 ntcdrdrv;ntcdrdrv;c:\windows\system32\DRIVERS\ntcdrdrv.sys [2008-11-27 13440]
S1 aswSnx;aswSnx;

S1 aswSP;aswSP;

S1 FDCDNT;FDCDNT;c:\windows\system32\drivers\FDCDNT.SYS [2007-01-28 47854]
S2 aswFsBlk;aswFsBlk;

S2 INETLOCK;INETLOCK;c:\windows\system32\drivers\Inetlock.sys [2012-03-11 17659]
S2 INETLOCKSVC;Internet Lock Service;c:\program files\Internet Lock\ILSvc.exe [2009-07-13 143360]
S2 NIOC;NIOC Service;c:\windows\System32\NIOC.SYS [2002-09-27 22912]
S2 WZCBDLService;WZCBDL Service;c:\program files\WZCBDL Service\WZCBDLS.exe [2002-03-19 36864]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 86131258
*Deregistered* - 86131258
*Deregistered* - aswMBR
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper   REG_MULTI_SZ      getPlusHelper
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://icanhascheezburger.com/tag/caption/
uInternet Settings,ProxyOverride = <local>;*.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
TCP: DhcpNameServer = 192.168.10.1
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {7C9C5968-FA32-4724-AA58-7BF98B40005D} - hxxps://secure.riosalado.edu/riowebapps/techcheck/SystemRequirements.cab
FF - ProfilePath - c:\documents and settings\Laura Maggio\Application Data\Mozilla\Firefox\Profiles\8oieqvkh.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.salemweb.com/|http://www.pamsp.com/|https://my.screenname.aol.com/_cqr/login/login.psp?sitedomain=sns.webmail.aol.com&lang=en&locale=us&authLev=2&siteState=ver%3a3%7crt%3aSTANDARD%7cac%3aWS%7cat%3aSNS%7cld%3awebmail.aol.com%7cuv%3aAOL%7clc%3aen-us%7cmt%3aAOL%7csnt%3aScreenName&offerId=webmail-en-us&seamless=novl|http://www.beethoven.com/|http://yearof52adventures.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: XULRunner: {5D81FADA-AE2D-4226-BF1C-5C61F6F2EE03} - c:\documents and settings\Laura Maggio\Local Settings\Application Data\{5D81FADA-AE2D-4226-BF1C-5C61F6F2EE03}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: LeechBlock: {a95d8332-e4b4-6e7f-98ac-20b733364387} - %profile%\extensions\{a95d8332-e4b4-6e7f-98ac-20b733364387}
FF - Ext: Multirow Bookmarks Toolbar: {FBF6D7FB-F305-4445-BB3D-FEF66579A033} - %profile%\extensions\{FBF6D7FB-F305-4445-BB3D-FEF66579A033}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Advertising Cookie Opt-out: optout@google.com - %profile%\extensions\optout@google.com
FF - Ext: DoNotTrackPlus: donottrackplus@abine.com - %profile%\extensions\donottrackplus@abine.com
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-Srajoj - c:\windows\ehiyorad.dll
AddRemove-Camera - c:\windows\restart.exe
AddRemove-SLABCOMM&10C4&EA60 - c:\windows\system32\Silabs\DriverUninstaller.exe VCP CP210x Cardinal\SLABCOMM&10C4&EA60
AddRemove-{5B5FE75F-A999-45e7-AE6B-5B85E1DD0577} - c:\program files\Pantech\MSM USB Driver\Uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-13 15:27
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
.
C:\avast! sandbox
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(740)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2012-03-13  15:34:13
ComboFix-quarantined-files.txt  2012-03-13 19:34
.
Pre-Run: 26,172,882,944 bytes free
Post-Run: 26,257,252,352 bytes free
.
- - End Of File - - FEE1E071C1B7DC58735C3DF204D91D70
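
As an added example (not code from the thread, from ComboFix or from its author), here is a small Python triage helper for the "Reg Loading Points" part of a ComboFix log like the one above. It parses Run-key entries, service lines and the ORPHANS REMOVED lines into records, then flags autostarts whose target lives outside Program Files and the Windows directory (user profile, temp, drive root), which is the first thing a helper reading such a log looks for. The log excerpt inside it is constructed to mimic ComboFix's layout; the "Updater"/updater.exe entry is a placeholder, not a finding from this thread.

```python
import re
from dataclasses import dataclass


@dataclass
class Autostart:
    kind: str        # "run", "service" or "orphan"
    location: str    # registry key, "<start type> <service name>", or orphan key
    name: str        # value name, service display name, or orphan entry name
    target: str      # file the entry loads; "" when ComboFix prints none
    meta: str = ""   # trailing "[date size]" field, when present


# Constructed excerpt in ComboFix's layout; "Updater"/updater.exe is a placeholder.
SAMPLE_LOG = r"""
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2006-04-07 1343488]
"Updater"="c:\documents and settings\user\Application Data\updater.exe" [2012-03-01 40960]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-02-23 4031368]
"FFPSRV"="c:\windows\ffpext\ffpsrv.exe" [2007-11-02 84992]
.
S1 aswSP;aswSP;
S2 INETLOCK;INETLOCK;c:\windows\system32\drivers\Inetlock.sys [2012-03-11 17659]
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-Srajoj - c:\windows\ehiyorad.dll
.
"""

KEY_RE = re.compile(r"^\[(?P<key>HK[^\]]+)\]$")
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"(?:\s+\[(?P<meta>[^\]]*)\])?\s*$')
SVC_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<svc>[^;]+);(?P<display>[^;]*);"
                    r"(?P<path>[^\[]*?)\s*(?:\[(?P<meta>[^\]]*)\])?\s*$")
ORPHAN_RE = re.compile(r"^(?P<key>\S+) - (?P<path>.+)$")

# Autostart targets under these prefixes are treated as "expected"; anything
# else (profile, temp, drive root) gets a second look.
EXPECTED_PREFIXES = ("c:\\program files\\", "c:\\windows\\")


def parse_loading_points(log):
    """Turn the Run keys, service lines and orphan lines of a ComboFix log
    into Autostart records. Section banners '(((' and '***' end the orphan list."""
    entries = []
    current_key = ""
    in_orphans = False
    for raw in log.splitlines():
        line = raw.rstrip()
        if not line or line == ".":
            continue
        if "ORPHANS REMOVED" in line:
            in_orphans = True
            continue
        if line.startswith(("***", "(((")):
            in_orphans = False
            continue
        if in_orphans:
            m = ORPHAN_RE.match(line)
            if m:
                entries.append(Autostart("orphan", m["key"], m["key"].split("-", 1)[-1], m["path"]))
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m["key"]
            continue
        m = RUN_RE.match(line)
        if m and current_key.lower().endswith("\\run"):
            entries.append(Autostart("run", current_key, m["name"], m["path"], m["meta"] or ""))
            continue
        m = SVC_RE.match(line)
        if m:
            entries.append(Autostart("service", f'{m["start"]} {m["svc"]}',
                                     m["display"], m["path"], m["meta"] or ""))
    return entries


def suspicious_targets(entries):
    """Autostarts whose target file sits outside Program Files and the Windows
    directory. Entries without a target (avast's self-protected drivers in the
    log above) are left alone; orphans are reported separately."""
    return [e for e in entries
            if e.kind != "orphan" and e.target
            and not e.target.lower().startswith(EXPECTED_PREFIXES)]


def triage(log):
    entries = parse_loading_points(log)
    return {
        "autostarts": entries,
        "suspicious": suspicious_targets(entries),
        "orphans": [e for e in entries if e.kind == "orphan"],
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for e in report["suspicious"]:
        print(f"CHECK  {e.kind:7} {e.name:20} -> {e.target}")
    for e in report["orphans"]:
        print(f"ORPHAN {e.location} -> {e.target}")
```

On the sample this prints the placeholder "Updater" entry under the user profile as the one autostart to check, and lists the orphaned MSConfig entry (a loading point whose file was already gone, which ComboFix removes by itself). Running it over a full ComboFix log works the same way because lines from the other sections match none of the patterns.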

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 7342
Re: [InActive K] Redirects (gimmeanswers, happli, and more)
« Reply #31 on: March 13, 2012, 02:04:54 pm »
Run ESET Online Scan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
  • Click the button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the icon on your desktop.
  • Check
  • Click the button.
  • Accept any security warnings from your browser.
  • Check
  • Leave the tick out of remove found threats
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push
  • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the button.
  • Push
You can refer to this animation by neomage if needed.
Frequently asked questions available Here. Please read them before running the scan.

Also be aware this scan can take several hours to complete depending on the size of your system.

ESET log can be found here "C:\Program Files\ESET\EsetOnlineScanner\log.txt".

Offline monkeeluv6

  • Bronze Member
  • Posts: 33
Re: [InActive K] Redirects (gimmeanswers, happli, and more)
« Reply #32 on: March 14, 2012, 07:27:13 am »
Kevin,

Following is my ESS scan:




C:\Documents and Settings\Laura Maggio\Desktop\Kinda Laura Type Stuff\Cell Phone\MyPhoneExplorer_Setup_1.7.0.exe   a variant of Win32/Adware.ADON application
C:\Documents and Settings\Laura Maggio\Desktop\Kinda Laura Type Stuff\Cell Phone\MyPhoneExplorer_Setup_1.7.1.exe   a variant of Win32/Adware.ADON application
C:\Documents and Settings\Laura Maggio\Local Settings\TempImages\UpdateInstaller.exe   a variant of Win32/Agent.SZW trojan
C:\System Volume Information\_restore{E9432F6F-BD85-4C8A-ACD3-38A1D23466FF}\RP1672\A0226906.exe   a variant of Win32/InstallCore.D application
C:\System Volume Information\_restore{E9432F6F-BD85-4C8A-ACD3-38A1D23466FF}\RP1672\A0226911.exe   a variant of Win32/InstallCore.D application
E:\BS225.exe   multiple threats
E:\WINDOWS\InstallEx.exe   probably a variant of Win32/Agent.FLAKISU trojan
E:\WINDOWS\Profiles\Laura Maggio\Desktop\Laura Type Stuff!\HarryPotter\harryptheme.exe   Win32/Adware.Gator application
E:\Program Files\setup.exe   multiple threats
E:\Program Files\Norton SystemWorks\Norton CleanSweep\Backup\00003371.BUD   probably a variant of Win32/Agent.HLVUTKA trojan
E:\eGames\Mini_Car_Racing\homepage.reg   probably a variant of Win32/Agent.SNVGGP trojan

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 7342
Re: [InActive K] Redirects (gimmeanswers, happli, and more)
« Reply #33 on: March 14, 2012, 09:29:48 am »
Please download OTM by OldTimer.
Alternative Mirror 1
Alternative Mirror 2 
Save it to your desktop.
Double click OTM.exe to start the tool. Vista or Windows 7 users right click and select Run as Administrator. Be aware all processes will be stopped during the run; also the Desktop will disappear, this will be put back on completion....
  • Copy the text from the code box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

Code:
:Files
ipconfig /flushdns /c
C:\Documents and Settings\Laura Maggio\Desktop\Kinda Laura Type Stuff\Cell Phone\MyPhoneExplorer_Setup_1.7.0.exe
C:\Documents and Settings\Laura Maggio\Desktop\Kinda Laura Type Stuff\Cell Phone\MyPhoneExplorer_Setup_1.7.1.exe
C:\Documents and Settings\Laura Maggio\Local Settings\TempImages\UpdateInstaller.exe
C:\System Volume Information\_restore{E9432F6F-BD85-4C8A-ACD3-38A1D23466FF}\RP1672\A0226906.exe
C:\System Volume Information\_restore{E9432F6F-BD85-4C8A-ACD3-38A1D23466FF}\RP1672\A0226911.exe
E:\BS225.exe
E:\WINDOWS\InstallEx.exe
E:\WINDOWS\Profiles\Laura Maggio\Desktop\Laura Type Stuff!\HarryPotter\harryptheme.exe
E:\Program Files\setup.exe
E:\Program Files\Norton SystemWorks\Norton CleanSweep\Backup\00003371.BUD
E:\eGames\Mini_Car_Racing\homepage.reg
:Commands
[ClearAllRestorePoints]
[EmptyTemp]
[Reboot]
 
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

If the machine reboots, the Results log can be found here:

c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

Where mmddyyyy_hhmmss is the date of the tool run.

Next,

Please download Malwarebytes Anti-Malware and save it to your desktop.
Alternative D/L mirror
Alternative D/L mirror

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Let me see those two logs, also give update on current issues....

Kevin
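
The OTM script above was assembled by hand from the ESET log in the previous reply: each path the scanner reported went into the ":Files" section, followed by the ":Commands" block. As an added example (not part of the thread and not ESET's or OldTimer's code), the Python below does that handoff and also summarises the findings by detection name, by drive, and by how many sit in System Volume Information (restore points, which the "[ClearAllRestorePoints]" command clears anyway). ESET's log.txt is one detection per line, the path then a tab then the detection name; pasted copies like the one in the thread show runs of spaces instead of a tab, so both separators are accepted. The log lines inside are constructed; the GUID, user name and file names are placeholders, not findings from this thread.

```python
import re
from collections import Counter

# Constructed ESET log lines in the log.txt layout (path, tab, detection);
# the third and fourth lines use spaces as separators, as pasted copies do.
# All paths and the restore-point GUID are placeholders.
SAMPLE_ESET_LOG = (
    "C:\\Documents and Settings\\user\\Local Settings\\TempImages\\UpdateInstaller.exe"
    "\ta variant of Win32/Agent.SZW trojan\n"
    "C:\\System Volume Information\\_restore{GUID-PLACEHOLDER}\\RP1\\A0000001.exe"
    "\ta variant of Win32/InstallCore.D application\n"
    "E:\\setup.exe   multiple threats\n"
    "E:\\eGames\\homepage.reg   probably a variant of Win32/Agent.SNVGGP trojan\n"
)

# Path starts with a drive letter; separator is a tab or two or more spaces.
LINE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.*?)(?:\t|\s{2,})(?P<detection>.+?)\s*$")


def parse_eset_log(text):
    """Return a list of (path, detection) tuples, skipping lines that do not
    look like a detection record (headers, blank lines)."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if m:
            findings.append((m["path"], m["detection"]))
    return findings


def build_otm_script(findings, flush_dns=True, clear_restore_points=True):
    """Emit an OTM script in the shape used in the thread: ':Files' with one
    path per line (duplicates dropped, order kept), then ':Commands'."""
    paths = []
    for path, _ in findings:
        if path not in paths:
            paths.append(path)
    lines = [":Files"]
    if flush_dns:
        lines.append("ipconfig /flushdns /c")
    lines.extend(paths)
    lines.append(":Commands")
    if clear_restore_points:
        lines.append("[ClearAllRestorePoints]")
    lines.extend(["[EmptyTemp]", "[Reboot]"])
    return "\n".join(lines) + "\n"


def summarize(findings):
    """Counts by detection name and by drive letter, plus the subset of paths
    that live in restore points, so the helper sees at a glance how much of
    the list is on a second drive or inside System Volume Information."""
    by_detection = Counter(detection for _, detection in findings)
    by_drive = Counter(path[0].upper() for path, _ in findings)
    restore_points = [path for path, _ in findings
                      if "\\system volume information\\" in path.lower()]
    return by_detection, by_drive, restore_points


if __name__ == "__main__":
    found = parse_eset_log(SAMPLE_ESET_LOG)
    by_detection, by_drive, restore_points = summarize(found)
    print("by drive:", dict(by_drive))
    print("in restore points:", len(restore_points))
    for name, count in by_detection.most_common():
        print(f"{count:3}  {name}")
    print(build_otm_script(found), end="")
```

The generated script is only a starting point for the helper to review before posting; the thread's own version is what the user was asked to run.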

Offline monkeeluv6

  • Bronze Member
  • Posts: 33
Re: [InActive K] Redirects (gimmeanswers, happli, and more)
« Reply #34 on: March 16, 2012, 09:12:06 am »
Well Kevin, my computer crashed.

I received a blue screen error that said 'If this is the first time receiving this message, restart your computer.' So, I did. From then on my computer gets stuck in a bootup circle. It gets to a certain point when booting up then restarts itself. I tried Chkdsk but that would get to 75% completion and also restart itself.

Within the bootup sequence, it seems to restart at a certain driver (whose exact name I forget)...Adpte? Atgap? Adati? Something like that...

I'm trying to get my hands on a Windows boot CD so I can boot from it and maybe fix the problem once I'm logged on? That's my only plan of action thus far.

I'd imagine this goes far beyond the realm of Spywarehammer, but I wanted to give you an update on why I won't be posting here for awhile.

thanks for your help!

Oh, also--does this booting error/circle sound like the work of malware? Or, perhaps, my computer has finally grown too old...

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 7342
Re: [InActive K] Redirects (gimmeanswers, happli, and more)
« Reply #35 on: March 16, 2012, 01:22:34 pm »
Try booting to safemode with networking. As your PC boots continuously tap the f8 key until you see the Advanced Windows Menu. From those options select Safe Mode with Networking. Can you boot to that?

Offline monkeeluv6

  • Bronze Member
  • Posts: 33
Re: [InActive K] Redirects (gimmeanswers, happli, and more)
« Reply #36 on: March 16, 2012, 02:21:46 pm »
Nope, cannot boot to safemode. Also, cannot boot to 'last working configuration/setting.' The boot sequence restarts in a continuous loop regardless of what I choose--normal mode, safe mode, last working bootup.

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 7342
Re: [InActive K] Redirects (gimmeanswers, happli, and more)
« Reply #37 on: March 16, 2012, 06:08:18 pm »
When you boot do you have the option to select the Recovery Console? CF usually installs that if not already on your system...

Offline monkeeluv6

  • Bronze Member
  • Posts: 33
Re: [InActive K] Redirects (gimmeanswers, happli, and more)
« Reply #38 on: March 17, 2012, 12:37:55 pm »
Yes, I can get to recovery console. Do you have any suggestions to try from there? I tried Scandsk from there, but it didn't work. (It kept repeating itself and then gave up)

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 7342
Re: [InActive K] Redirects (gimmeanswers, happli, and more)
« Reply #39 on: March 17, 2012, 02:47:45 pm »
Combofix will have made a backup with erunt, try this:

1. Restart your computer
2. Before Windows loads, you will be prompted to choose which Operating System to start
3. Use the up and down arrow key to select Microsoft Windows Recovery Console
4. You must enter which Windows installation to log onto. Type 1 and press enter.
5. At the C:\Windows prompt, type the following bolded text, and press Enter:

cd erdnt\subs

6. At the next prompt, type the following bolded text, and press Enter:

batch erdnt.con

7. The erunt backups should begin copying.
8. At the next prompt, type the following bolded text, and press Enter:

exit

Windows should now begin loading.

Let me know how you get on....

Kevin

Offline monkeeluv6

  • Bronze Member
  • Posts: 33
Re: [InActive K] Redirects (gimmeanswers, happli, and more)
« Reply #40 on: March 19, 2012, 02:15:11 pm »
Kevin,

typing "cd erdnt\subs" didn't work. I got the message that the directory couldn't be found.

I started poking around, and by listing all the directories in C:/Windows, then finding the ERDNT directory and listing the directories in that, I could get into:

C:/Windows/Erdnt/3-5-2012. Within that I found "Erdnt.con"

Since the "cd erdnt\subs" command didn't work, should I go into the C:/Windows/Erdnt/3-5-2012 directory manually and run "batch erdnt.con" from there?

In my head, this is the same as running the commands you previously listed. But I wanted to make sure and get your OK before I started doing things on my own...

Offline monkeeluv6

  • Bronze Member
  • Posts: 33
Re: [InActive K] Redirects (gimmeanswers, happli, and more)
« Reply #41 on: March 19, 2012, 02:20:06 pm »
Oh and one more thing...

My husband recently gave me a new monitor and installed it for me (on about March 12), which included the need to download some new drivers.

He thinks that perhaps one of the new drivers might be conflicting with a critical system file perhaps?

Thought I should let you know in case that changes how I should approach this...

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 7342
Re: [InActive K] Redirects (gimmeanswers, happli, and more)
« Reply #42 on: March 19, 2012, 06:09:38 pm »
There should be another erunt backup available, see if this one will work:

1. Restart your computer
2. Before Windows loads, you will be prompted to choose which Operating System to start
3. Use the up and down arrow key to select Microsoft Windows Recovery Console
4. You must enter which Windows installation to log onto. Type 1 and press enter.
5. At the C:\Windows prompt, type the following bolded text, and press Enter:

cd erdnt\hiv-backup

6. At the next prompt, type the following bolded text, and press Enter:

batch erdnt.con

7. The erunt backups should begin copying.
8. At the next prompt, type the following bolded text, and press Enter:

exit

Windows should now begin loading.

Let me know how you get on....

Offline monkeeluv6

  • Bronze Member
  • Posts: 33
Re: [InActive K] Redirects (gimmeanswers, happli, and more)
« Reply #43 on: March 19, 2012, 07:54:38 pm »
Kevin,

After doing the steps you posted, I am still unable to boot to Windows.

The commands worked this time and the files were copied. However, when the computer restarted it did the same thing it did prior to doing these steps. It starts to boot up--I see the WindowsXP screen, but at a certain point (before it boots all the way to Windows) it restarts and tries to boot again, and again, repeatedly.

I tried to boot in safe mode, so I could see all the steps it was attempting and always at the same place it reboots. Always right after it gets to "agp400.sys" it stops the booting process and restarts.

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 7342
Re: [InActive K] Redirects (gimmeanswers, happli, and more)
« Reply #44 on: March 20, 2012, 01:35:09 am »
Boot into the recovery console again, at the prompt type the following bold text:

listsvc  Tap enter, then type the following bold text:

disable agp440  Tap enter, note the space between disable and agp440

You will receive a message about the service being disabled, after that type the following bold text

exit

Your system should re-boot, you may be offered Safe Mode or Normal Mode, choose Normal.....

Does your OS boot OK now?

Kevin