Topic: [InActive K] Redirects (gimmeanswers, happli, and more)

kevinf80 (Malware Removal Staff)
« Reply #15 on: March 05, 2012, 12:32:33 PM »
That key has been deleted; I do not think anything we've done would have had that effect. OK, do this:

Create a backup of your registry with ERUNT:

  • Download ERUNT
    (ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
  • Install ERUNT by following the prompts
    (use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder; if you like you can enable this option later)
  • Start ERUNT
    (either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
  • Choose a location for the backup
    (the default location is C:\WINDOWS\ERDNT, which is acceptable)
  • Make sure that at least the first two check boxes are ticked
  • Press OK
  • Press YES to create the folder.

Next,

I've attached a zip file to this reply, fixme.zip. Unzip this to your Desktop; you should now have a file on your desktop called fixme.reg. It will look like this:

Double click on fixme.reg, accept any alerts and agree to the merge, reboot and see if the sound works.

Kevin

monkeeluv6
« Reply #16 on: March 05, 2012, 01:07:05 PM »
Hi Kevin,

Still no luck. Sound doesn't work on internet (but does work via Windows Media player). I checked the Drivers32 key and it still says Default/value not set.

monkeeluv6
« Reply #17 on: March 05, 2012, 02:09:13 PM »
Hi again Kevin,

I fixed the problem! I've got sound again!

After doing some research on the internet, I discovered many people had the same problem as me after doing malware cleanup. Turns out some malware programs mess with the permissions for the Drivers32 key. The drivers were all there, but they were hidden/denied. I had to go into the advanced permission control and remove the 'denied' permissions, and presto! Sound!

Music to my ears! Literally!
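The permission damage described in this reply can be checked without opening the permissions dialog by hand. The following is an added PowerShell example, not something posted in the thread; it assumes the standard location of Drivers32 under HKLM and an elevated session, reports any Deny ACEs on the key and whether its values can still be read, and only strips explicit Deny entries when you choose to run the removal function.

```powershell
# Added example (not from this thread): audit the Drivers32 key for Deny ACEs,
# the permission damage the poster found after malware cleanup, and optionally
# strip the explicit (non-inherited) Deny entries. Assumes the standard location
# of Drivers32 under HKLM and an elevated PowerShell session.
$Drivers32 = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32'

function Get-RegistryDenyAces {
    param([Parameter(Mandatory)][string]$Path)
    # Get-Acl on a registry provider path returns a RegistrySecurity object
    # whose Access collection holds one RegistryAccessRule per ACE.
    $acl = Get-Acl -Path $Path
    $acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' } |
        Select-Object IdentityReference, RegistryRights, IsInherited
}

function Test-RegistryKeyReadable {
    param([Parameter(Mandatory)][string]$Path)
    # A Deny on read access surfaces as an exception here even though the key exists;
    # on a healthy system Drivers32 lists entries such as wavemapper and midimapper.
    try {
        $props = Get-ItemProperty -Path $Path -ErrorAction Stop
        $names = $props.PSObject.Properties.Name | Where-Object { $_ -notlike 'PS*' }
        return @{ Readable = $true; ValueCount = @($names).Count }
    } catch {
        return @{ Readable = $false; Error = $_.Exception.Message }
    }
}

function Remove-RegistryDenyAces {
    param([Parameter(Mandatory)][string]$Path)
    # Only explicit Deny rules are removed; inherited ones must be fixed on the parent key.
    $acl = Get-Acl -Path $Path
    $denies = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited })
    foreach ($rule in $denies) {
        Write-Host ("Removing Deny for {0}: {1}" -f $rule.IdentityReference, $rule.RegistryRights)
        [void]$acl.RemoveAccessRule($rule)
    }
    if ($denies.Count -gt 0) { Set-Acl -Path $Path -AclObject $acl }
    return $denies.Count
}

# Report first; remove the Deny entries only after confirming they are not expected.
Test-RegistryKeyReadable -Path $Drivers32
$found = @(Get-RegistryDenyAces -Path $Drivers32)
if ($found.Count -gt 0) { $found | Format-Table -AutoSize } else { "No Deny ACEs on $Drivers32" }
# Remove-RegistryDenyAces -Path $Drivers32   # uncomment after reviewing the report
```

Back up the key (the ERUNT backup above covers this) before changing its ACL, and compare the reported Deny principals against a clean machine, since a Deny for Everyone or for the audio service accounts is what produces the "drivers present but sound missing" symptom.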

kevinf80 (Malware Removal Staff)
« Reply #18 on: March 05, 2012, 02:52:27 PM »
Nice one, do you have any remaining issues or concerns...

monkeeluv6
« Reply #19 on: March 05, 2012, 03:14:29 PM »
Nope, everything else seems to be working properly, and I still haven't encountered any redirects!

kevinf80 (Malware Removal Staff)
« Reply #20 on: March 05, 2012, 03:20:38 PM »
Do you want to run your system for a day or so and see how it responds? Post back if all is OK and we'll clean up the stuff we've used, etc.

Kevin

monkeeluv6
« Reply #21 on: March 05, 2012, 04:30:46 PM »
OK, great, will do! Thanks, Kevin!

kevinf80 (Malware Removal Staff)
« Reply #22 on: March 05, 2012, 04:37:42 PM »
"Sounds" like we have a plan. Leave any tools we've used where they are; we'll clean up when you've tested your system and are happy to progress. :)

monkeeluv6
« Reply #23 on: March 07, 2012, 04:39:43 PM »
Oh crud. Things were running great: sound! No redirects!

And then I clicked on a link from Google and Avast! flagged the site as malicious and I got the "Threat Detected" warning.

After that, I've been getting redirects again (from searchoffice.net, for example). Ugh!

kevinf80 (Malware Removal Staff)
« Reply #24 on: March 08, 2012, 12:46:57 AM »
OK, do the following:

Step 1

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • Click on "Change parameters" and place a checkmark next to Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Step 2

Delete any versions of aswMBR.exe and associated files from your Desktop (aswMBR.txt, aswMBR.dat, aswMBR.zip).

Re-download aswMBR from Here
If it asks to update during the process, please allow this to happen.

  • Save aswMBR.exe to your Desktop
  • Double click aswMBR.exe to run it
  • Ensure Quick scan is selected, then select the Scan button to start the scan, as illustrated below

Note: Do not take action against any **Rootkit** entries until I have reviewed the log. Often there are false positives.

  • Once the scan finishes, click Save log to save the log to your Desktop.
  • Copy and paste the contents of aswMBR.txt back here for review
  • You will also notice another file created on the desktop named MBR.dat. Right-click that file and select Send To and then Compressed (zipped) file. Attach that zipped file to your next reply as well.

Let me see the following:

  • Log from TDSSKiller
  • Log from aswMBR
  • Attach aswMBR.zip

Kevin

monkeeluv6
« Reply #25 on: March 11, 2012, 12:38:28 PM »
Kevin,

I tried to post the logs and attached zip file, and I received this notice:

HTTP Error 403 Forbidden

You don't have permission to access

/simplemachinesforum/index.php?action=post2;start=15;board=10 on this server.

Your computer may be infected with a virus or a trojan. The Firewall has determined that you: Request Entity Attack: Repeated!

If you get this message in error, please contact the ADM1N and provide the date and time of this message.

monkeeluv6
« Reply #26 on: March 11, 2012, 12:44:48 PM »
Kevin,

It seems to let me post short messages here, but when I try to post my logs, I receive the same error...

kevinf80 (Malware Removal Staff)
« Reply #27 on: March 11, 2012, 01:04:28 PM »
Zip the files up and attach them.

monkeeluv6
« Reply #28 on: March 11, 2012, 04:40:30 PM »
Kevin,

I'm attaching a zip file with the TDS txt log, MBR dat and MBR text... hopefully this works.

kevinf80 (Malware Removal Staff)
« Reply #29 on: March 11, 2012, 04:49:21 PM »
Thanks for those logs. Run the following:

Delete any versions of ComboFix that you may have on your Desktop, then download a fresh copy from either of the following links:

Link 1
Link 2

  • Ensure that ComboFix is saved directly to the Desktop <--- Very important

    Before saving ComboFix to the Desktop, rename it to Gotcha.exe as below:

  • Disable all security programs, as they will have a negative effect on ComboFix; instructions are available Here if required. Be aware the list may not have all programs listed; if you need more help, please ask.

  • Close any open browsers and any other programs you might have running
  • Double click the icon to run the tool (Vista or Windows 7 users: right click and select "Run as Administrator")

  • Instructions for running ComboFix are available Here if required.

  • If you are using Windows XP, it might display a pop-up saying "Recovery console is not installed, do you want to install?" Please select yes and let it download the files it needs to do this. Once the recovery console is installed, ComboFix will then offer to scan for malware. Select continue or yes.
  • When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review.

****Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall or freeze.****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: ComboFix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you, please tell us when you reply. Read Here why disabling autoruns is recommended.

*EXTRA NOTES*
  • If ComboFix detects any Rootkit/Bootkit activity on your system, it will give a warning and prompt for a reboot; you must allow it to do so.
  • If ComboFix reboots due to a rootkit, the screen may stay black for several minutes on reboot; this is normal.
  • If after running ComboFix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (those items will not be deleted).

Post the log in your next reply please...

Kevin