system
41
Ok I know that I didn't mean anything by it but I understand your point.
system
43
hey Essexboy…I did what you said and posted the OTL file on here…I think my browser is hi-jacked…I keep getting redirected when doing google searches…
Luvj19 sorry it was lost among the other posts
Run OTL
[*]Under the Custom Scans/Fixes box at the bottom, paste in the following
:OTL
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 2A 45 33 04 4D 3B 30 49 9A B0 EB AD D0 EC B0 C5 [binary data]
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 2A 45 33 04 4D 3B 30 49 9A B0 EB AD D0 EC B0 C5 [binary data]
IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 2A 45 33 04 4D 3B 30 49 9A B0 EB AD D0 EC B0 C5 [binary data]
IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 2A 45 33 04 4D 3B 30 49 9A B0 EB AD D0 EC B0 C5 [binary data]
IE - HKU\S-1-5-21-2983767572-2663097725-3796344406-1008\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 2A 45 33 04 4D 3B 30 49 9A B0 EB AD D0 EC B0 C5 [binary data]
[2011/08/20 21:56:50 | 000,000,100 | ---- | M] () -- C:\WINDOWS\System32\2050979796
[2011/06/29 19:13:08 | 000,000,026 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\.119889580931711767808769176
[2011/06/07 10:22:58 | 000,001,538 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\qf7j006i307x31d2eq0db61ygjdt21e46428472a
[2011/06/07 10:22:57 | 000,001,538 | -HS- | C] () -- C:\Documents and Settings\Adrianj\Local Settings\Application Data\qf7j006i307x31d2eq0db61ygjdt21e46428472a
[2011/05/07 12:05:36 | 000,002,334 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\r5ku7gdgmu5b3sx20
[2011/05/07 12:05:36 | 000,002,334 | -HS- | C] () -- C:\Documents and Settings\Adrianj\Local Settings\Application Data\r5ku7gdgmu5b3sx20
[2011/05/03 02:35:26 | 000,004,322 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\43w6lxpv7oi544k68hcx16hdbx
[2011/05/03 02:35:26 | 000,004,322 | -HS- | C] () -- C:\Documents and Settings\Adrianj\Local Settings\Application Data\43w6lxpv7oi544k68hcx16hdbx
:Reg
[HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main]
XMLHTTP_UUID_Default=-
[HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 2A 45 33 04 4D 3B 30 49 9A B0 EB AD D0 EC B0 C5 [binary data]
IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main]
XMLHTTP_UUID_Default=-
[HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main]
XMLHTTP_UUID_Default=-
[HKU\S-1-5-21-2983767572-2663097725-3796344406-1008\SOFTWARE\Microsoft\Internet Explorer\Main]
XMLHTTP_UUID_Default=-
:Files
ipconfig /flushdns /c
:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]
[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
system
45
the scan won’t run…it gets to this point
IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main]
and locks up, shoots cpu usage to 100 and will not run any further…tried twice
Hmm, they have twigged that I am trying to remove it.
Let's try the sneaky way: stop OTL and run this new fix please.
Run OTL
[*]Under the Custom Scans/Fixes box at the bottom, paste in the following
[quote]
:OTL
[2011/08/20 21:56:50 | 000,000,100 | ---- | M] () -- C:\WINDOWS\System32\2050979796
[2011/06/29 19:13:08 | 000,000,026 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\.119889580931711767808769176
[2011/06/07 10:22:58 | 000,001,538 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\qf7j006i307x31d2eq0db61ygjdt21e46428472a
[2011/06/07 10:22:57 | 000,001,538 | -HS- | C] () -- C:\Documents and Settings\Adrianj\Local Settings\Application Data\qf7j006i307x31d2eq0db61ygjdt21e46428472a
[2011/05/07 12:05:36 | 000,002,334 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\r5ku7gdgmu5b3sx20
[2011/05/07 12:05:36 | 000,002,334 | -HS- | C] () -- C:\Documents and Settings\Adrianj\Local Settings\Application Data\r5ku7gdgmu5b3sx20
[2011/05/03 02:35:26 | 000,004,322 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\43w6lxpv7oi544k68hcx16hdbx
[2011/05/03 02:35:26 | 000,004,322 | -HS- | C] () -- C:\Documents and Settings\Adrianj\Local Settings\Application Data\43w6lxpv7oi544k68hcx16hdbx
:Reg
[HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main]
XMLHTTP_UUID_Default=-
[HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main]
XMLHTTP_UUID_Default=-
[HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main]
XMLHTTP_UUID_Default=-
[HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main]
XMLHTTP_UUID_Default=-
[HKU\S-1-5-21-2983767572-2663097725-3796344406-1008\SOFTWARE\Microsoft\Internet Explorer\Main]
XMLHTTP_UUID_Default=-
:Files
ipconfig /flushdns /c
:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]
[/quote]
[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
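The file entries in the fix above all share the same tell-tale traits: random-looking names with no extension, hidden and/or system attributes, and placement directly in an Application Data folder or in System32. As an added example (my own code, not part of OTL or of the helper's fix), here is a small Python triage helper that parses OTL-style file-entry lines and scores each one on those traits, so a reviewer can pick the likely drops out of a long OTL log before writing a fix. The three flagged sample lines are copied from the fix above; the two benign control lines, the scoring weights and the threshold are my own construction.

```python
"""Triage helper for OTL-style file entries (added example, not OTL's own code).

OTL lists created/modified files as:
    [YYYY/MM/DD HH:MM:SS | size | attrs | C|M] (company) -- path
This module parses those lines and scores them on traits shared by the
dropped files in the thread: random-looking names, hidden+system attributes,
and placement directly under Application Data or System32.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# One OTL file entry; the attribute field is always four characters, e.g. "-HS-".
OTL_ENTRY = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[A-Z-]{4}) \| (?P<kind>[CM])\] "
    r"\((?P<company>[^)]*)\) -- (?P<path>.+)$"
)


@dataclass
class OtlEntry:
    timestamp: datetime
    size: int          # bytes
    attrs: str         # e.g. "-HS-" (H = hidden, S = system)
    kind: str          # C = created, M = modified
    company: str       # version-info company; usually empty for data files
    path: str


def parse_otl_line(line: str) -> Optional[OtlEntry]:
    """Return an OtlEntry for a file-entry line, or None for any other log line."""
    m = OTL_ENTRY.match(line.strip())
    if not m:
        return None
    return OtlEntry(
        timestamp=datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
        size=int(m["size"].replace(",", "")),
        attrs=m["attrs"],
        kind=m["kind"],
        company=m["company"],
        path=m["path"],
    )


def looks_random(basename: str) -> bool:
    """Heuristic (my own): a long extension-less name that is alphanumeric with 3+ digits."""
    stem = basename.lstrip(".")          # ".1198..." style names count as extension-less
    if "." in stem or len(stem) < 8 or not stem.isalnum():
        return False
    return sum(c.isdigit() for c in stem) >= 3


def score_entry(entry: OtlEntry) -> Tuple[int, List[str]]:
    """Score one entry; weights are assumptions chosen for this example."""
    parts = entry.path.split("\\")
    basename = parts[-1]
    parent = parts[-2] if len(parts) > 1 else ""
    score, reasons = 0, []
    if looks_random(basename):
        score += 2
        reasons.append("random-looking name")
    if "H" in entry.attrs and "S" in entry.attrs:
        score += 1
        reasons.append("hidden+system")
    if parent.lower() in ("application data", "system32"):
        score += 1
        reasons.append(f"dropped directly in {parent}")
    return score, reasons


def triage(lines: List[str], threshold: int = 2) -> List[Tuple[str, int, List[str]]]:
    """Return (path, score, reasons) for every entry at or above the threshold."""
    flagged = []
    for line in lines:
        entry = parse_otl_line(line)
        if entry is None:
            continue
        score, reasons = score_entry(entry)
        if score >= threshold:
            flagged.append((entry.path, score, reasons))
    return flagged


# Sample input: three lines copied from the fix in the thread, followed by two
# constructed benign entries and one non-entry line (constructed) that the parser skips.
SAMPLE_LINES = [
    r"[2011/08/20 21:56:50 | 000,000,100 | ---- | M] () -- C:\WINDOWS\System32\2050979796",
    r"[2011/06/29 19:13:08 | 000,000,026 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\.119889580931711767808769176",
    r"[2011/05/07 12:05:36 | 000,002,334 | -HS- | C] () -- C:\Documents and Settings\Adrianj\Local Settings\Application Data\r5ku7gdgmu5b3sx20",
    r"[2011/08/01 09:00:00 | 000,000,174 | -HS- | M] () -- C:\Documents and Settings\Adrianj\Desktop\desktop.ini",
    r"[2011/08/02 10:00:00 | 000,012,288 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\plugin-container.exe",
    "OTL logfile created on: 23/08/2011 10:00:00 - Run 1",
]

if __name__ == "__main__":
    for path, score, reasons in triage(SAMPLE_LINES):
        print(f"{score}  {path}  [{', '.join(reasons)}]")
```

With the default threshold of 2 a hidden+system `desktop.ini` scores only 1 and is not flagged, while the three drops from the thread score 3, 3 and 4. The name heuristic is deliberately crude; its job is to order a long log for a human reviewer, not to decide on its own what gets deleted.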
system
47
running scan now…just stopped with this msg: Access violation at address 0040295B in module ‘OTL.exe’. Read of address 00252000.
system
48
ok…after I clicked okay on that message…it hung up at creating restore point. DO NOT INTERRUPT…
OK close it down as that is an unessential bit
Once done reboot and let me know if the problems are still present
system
50
still need me to run quick scan and post log?
Yep just to make sure it has gone… How is the computer behaving?
system
52
I think it's running better now…here's the log
system
53
nope…still hijacked firefox browser
OK I have a little tool that should clear that ;D
Is it only Firefox?
Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
[*]Ensure all Firefox windows are closed.
[*]To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
[*]When prompted to run the scan, click Yes.
[*]GooredFix will check for infections, and then a log will appear.
Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).
system
55
yea…I only used FF…very rarely IE but who knows…it may be hijacked too
system
56
GooredFix by jpshortstuff (03.07.10.1)
Log created at 10:22 on 23/08/2011 (Adrianj)
Firefox version 6.0 (en-US)
========== GooredScan ==========
Deleting "C:\Documents and Settings\Adrianj\Application Data\Mozilla\Firefox\Profiles\oxfnw983.default\extensions\{52c6f63b-425f-439e-bd73-0f1203ef04f2}" -> Success!
Deleting "C:\Documents and Settings\Adrianj\Application Data\Mozilla\Firefox\Profiles\oxfnw983.default\extensions\{bfde4c04-c2a2-450a-98e9-18c48a94d71a}" -> Success!
Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\{F1BB9CEF-7526-4BDA-A496-C6F9EE99D75F} -> Success!
Deleting C:\Documents and Settings\Adrianj\Local Settings\Application Data\{F1BB9CEF-7526-4BDA-A496-C6F9EE99D75F} -> Success!
Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\{8D2034B8-A54C-4335-AC63-649EE997E7CA} -> Success!
Deleting C:\Documents and Settings\oup.ADRIAN\Local Settings\Application Data\{8D2034B8-A54C-4335-AC63-649EE997E7CA} -> Success!
========== GooredLog ==========
C:\Program Files\Mozilla Firefox\extensions
{972ce4c6-7e08-4474-a285-3208198ce6fd} [10:05 04/03/2011]
{AB2CE124-6272-4b12-94A9-7303C7397BD1} [22:57 18/09/2010]
{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} [16:54 11/11/2010]
C:\Documents and Settings\Adrianj\Application Data\Mozilla\Firefox\Profiles\oxfnw983.default\extensions
vshareus@toolbar [21:29 09/01/2011]
{20a82645-c095-46ed-80e3-08825760534b} [04:20 21/09/2010]
[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension" [15:14 15/09/2010]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [16:25 29/12/2009]
-=E.O.F=-
Could you now recheck all browsers for redirects please
system
58
all seems to be okay now. Thanks a lot!
If all is well tomorrow let me know and I will remove my tools