OK, I know that. I didn't mean anything by it, but I understand your point.

No problem.

hey Essexboy…I did what you said and posted the OTL file on here…I think my browser is hi-jacked…I keep getting redirected when doing google searches…

Luvj19, sorry, it was lost among the other posts

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 2A 45 33 04 4D 3B 30 49 9A B0 EB AD D0 EC B0 C5 [binary data]
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 2A 45 33 04 4D 3B 30 49 9A B0 EB AD D0 EC B0 C5 [binary data]
IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 2A 45 33 04 4D 3B 30 49 9A B0 EB AD D0 EC B0 C5 [binary data]
IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 2A 45 33 04 4D 3B 30 49 9A B0 EB AD D0 EC B0 C5 [binary data]
IE - HKU\S-1-5-21-2983767572-2663097725-3796344406-1008\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 2A 45 33 04 4D 3B 30 49 9A B0 EB AD D0 EC B0 C5 [binary data]
[2011/08/20 21:56:50 | 000,000,100 | ---- | M] () -- C:\WINDOWS\System32\2050979796
[2011/06/29 19:13:08 | 000,000,026 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\.119889580931711767808769176
[2011/06/07 10:22:58 | 000,001,538 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\qf7j006i307x31d2eq0db61ygjdt21e46428472a
[2011/06/07 10:22:57 | 000,001,538 | -HS- | C] () -- C:\Documents and Settings\Adrianj\Local Settings\Application Data\qf7j006i307x31d2eq0db61ygjdt21e46428472a
[2011/05/07 12:05:36 | 000,002,334 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\r5ku7gdgmu5b3sx20
[2011/05/07 12:05:36 | 000,002,334 | -HS- | C] () -- C:\Documents and Settings\Adrianj\Local Settings\Application Data\r5ku7gdgmu5b3sx20
[2011/05/03 02:35:26 | 000,004,322 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\43w6lxpv7oi544k68hcx16hdbx
[2011/05/03 02:35:26 | 000,004,322 | -HS- | C] () -- C:\Documents and Settings\Adrianj\Local Settings\Application Data\43w6lxpv7oi544k68hcx16hdbx

:Reg
[HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main]
XMLHTTP_UUID_Default=-
[HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 2A 45 33 04 4D 3B 30 49 9A B0 EB AD D0 EC B0 C5 [binary data]
IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main]
XMLHTTP_UUID_Default=-
[HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main]
XMLHTTP_UUID_Default=-
[HKU\S-1-5-21-2983767572-2663097725-3796344406-1008\SOFTWARE\Microsoft\Internet Explorer\Main]
XMLHTTP_UUID_Default=-

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

the scan won’t run…it gets to this point

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main]

and locks up, shoots cpu usage to 100 and will not run any further…tried twice

Hmm, they have twigged that I am trying to remove it

Let's try the sneaky way. Stop OTL and run this new fix please

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

[quote]
:OTL
[2011/08/20 21:56:50 | 000,000,100 | ---- | M] () -- C:\WINDOWS\System32\2050979796
[2011/06/29 19:13:08 | 000,000,026 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\.119889580931711767808769176
[2011/06/07 10:22:58 | 000,001,538 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\qf7j006i307x31d2eq0db61ygjdt21e46428472a
[2011/06/07 10:22:57 | 000,001,538 | -HS- | C] () -- C:\Documents and Settings\Adrianj\Local Settings\Application Data\qf7j006i307x31d2eq0db61ygjdt21e46428472a
[2011/05/07 12:05:36 | 000,002,334 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\r5ku7gdgmu5b3sx20
[2011/05/07 12:05:36 | 000,002,334 | -HS- | C] () -- C:\Documents and Settings\Adrianj\Local Settings\Application Data\r5ku7gdgmu5b3sx20
[2011/05/03 02:35:26 | 000,004,322 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\43w6lxpv7oi544k68hcx16hdbx
[2011/05/03 02:35:26 | 000,004,322 | -HS- | C] () -- C:\Documents and Settings\Adrianj\Local Settings\Application Data\43w6lxpv7oi544k68hcx16hdbx

:Reg
[HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main]
XMLHTTP_UUID_Default=-
[HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main]
XMLHTTP_UUID_Default=-
[HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main]
XMLHTTP_UUID_Default=-
[HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main]
XMLHTTP_UUID_Default=-
[HKU\S-1-5-21-2983767572-2663097725-3796344406-1008\SOFTWARE\Microsoft\Internet Explorer\Main]
XMLHTTP_UUID_Default=-

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]
[/quote]
[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

running scan now…just stopped with this msg: Access violation at address 0040295B in module ‘OTL.exe’. Read of address 00252000.

ok…after I clicked okay on that message…it hung up at creating restore point. DO NOT INTERRUPT…

OK close it down as that is an unessential bit

Once done reboot and let me know if the problems are still present

still need me to run quick scan and post log?

Yep just to make sure it has gone… How is the computer behaving ?

I think it's running better now…here's the log

nope…still hijacked firefox browser

OK I have a little tool that should clear that ;D

Is it only firefox ?

Please download GooredFix from one of the locations below and save it to your Desktop

Download Mirror #1
Download Mirror #2

[*]Ensure all Firefox windows are closed.
[*]To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
[*]When prompted to run the scan, click Yes.
[*]GooredFix will check for infections, and then a log will appear.

Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

yea…I only used FF…very rarely IE but who knows…it may be hijacked too

GooredFix by jpshortstuff (03.07.10.1)
Log created at 10:22 on 23/08/2011 (Adrianj)
Firefox version 6.0 (en-US)

========== GooredScan ==========

Deleting "C:\Documents and Settings\Adrianj\Application Data\Mozilla\Firefox\Profiles\oxfnw983.default\extensions\{52c6f63b-425f-439e-bd73-0f1203ef04f2}" -> Success!
Deleting "C:\Documents and Settings\Adrianj\Application Data\Mozilla\Firefox\Profiles\oxfnw983.default\extensions\{bfde4c04-c2a2-450a-98e9-18c48a94d71a}" -> Success!
Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{F1BB9CEF-7526-4BDA-A496-C6F9EE99D75F} -> Success!
Deleting C:\Documents and Settings\Adrianj\Local Settings\Application Data\{F1BB9CEF-7526-4BDA-A496-C6F9EE99D75F} -> Success!
Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{8D2034B8-A54C-4335-AC63-649EE997E7CA} -> Success!
Deleting C:\Documents and Settings\oup.ADRIAN\Local Settings\Application Data\{8D2034B8-A54C-4335-AC63-649EE997E7CA} -> Success!

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions
{972ce4c6-7e08-4474-a285-3208198ce6fd} [10:05 04/03/2011]
{AB2CE124-6272-4b12-94A9-7303C7397BD1} [22:57 18/09/2010]
{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} [16:54 11/11/2010]

C:\Documents and Settings\Adrianj\Application Data\Mozilla\Firefox\Profiles\oxfnw983.default\extensions
vshareus@toolbar [21:29 09/01/2011]
{20a82645-c095-46ed-80e3-08825760534b} [04:20 21/09/2010]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension" [15:14 15/09/2010]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [16:25 29/12/2009]

-=E.O.F=-

Could you now recheck all browsers for redirects please

all seems to be okay now. Thanks a lot!

If all is well tomorrow let me know and I will remove my tools

okay