WiredWX Hobby Weather Tools

google redirect in firefox

Hello. My name is Kevin, and it's my first time here. Thank you in advance for any help you can offer me!

Recently I have had a problem with a Google / Yahoo redirect that affects Firefox only. I have tried many different things:
running Malwarebytes / Avira,
running them again in Safe Mode (worked for about 2 searches), but it came right back,
tried turning off my System Restore, thinking there was something in there... then running Malwarebytes / Avira again, and it still came back.

No idea how to get rid of this mess! Please help!

Re: google redirect in firefox

Hello.

Download OTL by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe
  • Click Run Scan and let the program run uninterrupted
  • It will produce two logs for you, one will pop up - OTL.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread.
  • You may need to use two posts to get it all.

Re: google redirect in firefox

OTL logfile created on: 11/23/2010 6:45:18 PM - Run 1
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\Tim\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

959.00 Mb Total Physical Memory | 534.00 Mb Available Physical Memory | 56.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 79.00% Paging File free
Paging file location(s): C:\pagefile.sys 1440 2880 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.04 Gb Total Space | 71.44 Gb Free Space | 47.93% Space Free | Partition Type: NTFS
Drive D: | 551.46 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: YOUR-E97D201098 | User Name: Tim | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2010/11/23 18:40:43 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Tim\Desktop\OTL.exe
PRC - [2010/10/28 14:01:44 | 000,912,344 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/08/13 11:58:56 | 000,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
PRC - [2010/07/01 20:10:32 | 000,202,256 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2009/09/06 12:38:06 | 000,071,096 | ---- | M] () -- C:\Program Files\CDBurnerXP\NMSAccessU.exe
PRC - [2009/07/21 13:34:33 | 000,185,089 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2009/05/13 15:48:22 | 000,108,289 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2009/03/02 12:08:47 | 000,209,153 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/11/03 18:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe


========== Modules (SafeList) ==========

MOD - [2010/11/23 18:40:43 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Tim\Desktop\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
SRV - [2010/08/13 11:58:56 | 000,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2009/09/06 12:38:06 | 000,071,096 | ---- | M] () [Auto | Running] -- C:\Program Files\CDBurnerXP\NMSAccessU.exe -- (NMSAccessU)
SRV - [2009/07/21 13:34:33 | 000,185,089 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2009/05/13 15:48:22 | 000,108,289 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2006/11/03 18:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | Boot | Stopped] -- C:\WINDOWS\System32\drivers\kxitkj.sys -- (qjtxe)
DRV - [2009/12/07 23:44:41 | 000,056,816 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2009/09/28 20:57:28 | 000,007,168 | ---- | M] () [File_System | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\StarOpen.sys -- (StarOpen)
DRV - [2009/05/11 09:12:24 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2009/03/30 09:33:07 | 000,096,104 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2009/02/13 11:35:05 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2008/04/13 11:36:05 | 000,144,384 | ---- | M] (Windows (R) Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2006/01/11 07:00:00 | 003,493,984 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2006/01/11 07:00:00 | 000,393,088 | ---- | M] (Sensaura) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (SenFiltService)
DRV - [2006/01/11 07:00:00 | 000,141,312 | ---- | M] (Analog Devices, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ADIHdAud.sys -- (ADIHdAudAddService)
DRV - [2006/01/11 07:00:00 | 000,034,048 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2006/01/11 07:00:00 | 000,012,928 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2006/01/11 07:00:00 | 000,005,810 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ASACPI.sys -- (MTsensor)
DRV - [2005/03/09 17:53:00 | 000,036,352 | ---- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdK8.sys -- (AmdK8)
DRV - [2004/10/27 17:21:30 | 000,145,920 | ---- | M] (Windows (R) Server 2003 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Hdaudio.sys -- (HdAudAddService)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\URLSearchHook: {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL LLC.)

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://broadband.zoomtown.com/
IE - HKCU\..\URLSearchHook: {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL LLC.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:23012

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://broadband.zoomtown.com/"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 1039
FF - prefs.js..network.proxy.type: 0


FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2010/07/01 20:11:32 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/11/17 03:40:57 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/10/28 14:01:49 | 000,000,000 | ---D | M]

[2010/01/07 14:25:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tim\Application Data\Mozilla\Extensions
[2010/11/23 00:36:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\0mgucnbc.default\extensions
[2010/06/29 20:01:45 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\0mgucnbc.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/06/16 17:44:48 | 000,000,000 | ---D | M] (Adobe DLM (powered by getPlus(R))) -- C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\0mgucnbc.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}(2)
[2010/01/07 14:24:45 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2009/11/15 02:30:57 | 000,000,164 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.127.227 esysprotector2009.microsoft.com
O1 - Hosts: 91.212.127.227 esysprotector2009.com
O1 - Hosts: 91.212.127.227 www.esysprotector2009.com
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll (Google Inc.)
O2 - BHO: (AIM Toolbar Loader) - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL LLC.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (AIM Toolbar) - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL LLC.)
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (AIM Toolbar) - {61539ECD-CC67-4437-A03C-9AACCBD14326} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL LLC.)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe (Research In Motion Limited)
O4 - HKLM..\Run: [High Definition Audio Property Page Shortcut] C:\WINDOWS\System32\HdAShCut.exe (Windows (R) Server 2003 DDK provider)
O4 - HKLM..\Run: [Lexmark X74-X75] C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe (Lexmark International, Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKCU..\Run: [{D5A29A19-074B-2C90-F06D-20D04E4B875D}] C:\Documents and Settings\Tim\Application Data\Leyfer\ucet.exe File not found
O4 - HKCU..\Run: [aqmfhluw] C:\DOCUME~1\Tim\LOCALS~1\Temp\ithrkofwj\dixbmkqtsbl.exe File not found
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1252976746984 (MUWebControl Class)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} https://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} http://java.sun.com/products/plugin/1.4/jinstall-14-windows-i586.cab (Java Plug-in 1.4.1)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKCU Winlogon: Shell - (C:\Documents and Settings\Tim\Application Data\hotfix.exe) - C:\Documents and Settings\Tim\Application Data\hotfix.exe File not found
O24 - Desktop WallPaper: C:\Documents and Settings\Tim\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Tim\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (bywuuv.dll) - File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/09/14 23:01:54 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2002/08/30 18:37:39 | 000,000,000 | R--D | M] - D:\Autorun -- [ CDFS ]
O32 - AutoRun File - [2002/07/31 18:40:10 | 000,151,552 | R--- | M] () - D:\Autorun.exe -- [ CDFS ]
O32 - AutoRun File - [2002/08/28 21:23:59 | 000,000,054 | R--- | M] () - D:\autorun.inf -- [ CDFS ]
O33 - MountPoints2\{8a3bf7b5-ac5f-11de-8366-0015f25c429e}\Shell - "" = AutoRun
O33 - MountPoints2\{8a3bf7b5-ac5f-11de-8366-0015f25c429e}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{b6a9c982-a16d-11de-9d63-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{b6a9c982-a16d-11de-9d63-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{b6a9c982-a16d-11de-9d63-806d6172696f}\Shell\AutoRun\command - "" = D:\Autorun.exe -- [2002/07/31 18:40:10 | 000,151,552 | R--- | M] ()
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/11/23 18:40:47 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Tim\Desktop\OTL.exe
[2010/11/17 22:54:02 | 000,000,000 | ---D | C] -- C:\Program Files\ASIO4ALL v2
[2010/11/17 22:53:14 | 000,225,280 | ---- | C] (Propellerhead Software AB) -- C:\WINDOWS\System32\rewire.dll
[2010/11/17 22:53:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tim\My Documents\Image-Line
[2010/11/17 22:53:02 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2010/11/17 22:53:01 | 001,554,944 | ---- | C] (HMS http://hp.vector.co.jp/authors/VA012897/) -- C:\WINDOWS\System32\vorbis.acm
[2010/11/17 22:52:46 | 000,000,000 | ---D | C] -- C:\Program Files\VstPlugins
[2010/11/17 22:52:43 | 000,000,000 | ---D | C] -- C:\Program Files\Outsim
[2010/11/17 22:50:53 | 000,000,000 | ---D | C] -- C:\Program Files\Image-Line
[2010/11/11 20:47:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tim\Application Data\Leyfer
[2010/11/11 20:47:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tim\Application Data\Irimpu
[2010/10/25 01:27:09 | 000,000,000 | ---D | C] -- C:\Program Files\Free WMA to MP3 Converter
[2010/10/24 22:02:32 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2010/10/24 22:02:28 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2010/10/24 22:02:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2010/10/24 21:59:45 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2010/10/24 21:57:44 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/11/23 18:44:17 | 000,000,274 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-1606980848-839522115-725345543-1003.job
[2010/11/23 18:44:16 | 000,000,282 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-1606980848-839522115-725345543-1003.job
[2010/11/23 18:40:43 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Tim\Desktop\OTL.exe
[2010/11/23 18:17:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/11/23 18:08:00 | 000,000,410 | ---- | M] () -- C:\WINDOWS\tasks\Updater.job
[2010/11/23 18:00:00 | 000,000,290 | ---- | M] () -- C:\WINDOWS\tasks\pbtslbwu.job
[2010/11/23 02:17:00 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/11/22 22:17:00 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/11/22 03:35:00 | 000,000,428 | ---- | M] () -- C:\WINDOWS\tasks\At11.job
[2010/11/22 02:35:00 | 000,000,428 | ---- | M] () -- C:\WINDOWS\tasks\At18.job
[2010/11/22 01:35:00 | 000,000,428 | ---- | M] () -- C:\WINDOWS\tasks\At7.job
[2010/11/22 00:35:00 | 000,000,428 | ---- | M] () -- C:\WINDOWS\tasks\At17.job
[2010/11/21 23:35:00 | 000,000,428 | ---- | M] () -- C:\WINDOWS\tasks\At16.job
[2010/11/21 22:35:00 | 000,000,428 | ---- | M] () -- C:\WINDOWS\tasks\At24.job
[2010/11/21 21:35:00 | 000,000,428 | ---- | M] () -- C:\WINDOWS\tasks\At20.job
[2010/11/21 20:35:00 | 000,000,428 | ---- | M] () -- C:\WINDOWS\tasks\At23.job
[2010/11/21 19:35:00 | 000,000,428 | ---- | M] () -- C:\WINDOWS\tasks\At21.job
[2010/11/21 18:35:00 | 000,000,428 | ---- | M] () -- C:\WINDOWS\tasks\At15.job
[2010/11/21 17:35:00 | 000,000,428 | ---- | M] () -- C:\WINDOWS\tasks\At12.job
[2010/11/21 16:34:59 | 000,000,428 | ---- | M] () -- C:\WINDOWS\tasks\At22.job
[2010/11/21 15:35:00 | 000,000,428 | ---- | M] () -- C:\WINDOWS\tasks\At13.job
[2010/11/21 14:35:00 | 000,000,428 | ---- | M] () -- C:\WINDOWS\tasks\At14.job
[2010/11/21 13:35:00 | 000,000,428 | ---- | M] () -- C:\WINDOWS\tasks\At9.job
[2010/11/21 12:35:00 | 000,000,428 | ---- | M] () -- C:\WINDOWS\tasks\At19.job
[2010/11/21 11:35:00 | 000,000,428 | ---- | M] () -- C:\WINDOWS\tasks\At6.job
[2010/11/21 10:35:00 | 000,000,428 | ---- | M] () -- C:\WINDOWS\tasks\At5.job
[2010/11/21 09:35:00 | 000,000,428 | ---- | M] () -- C:\WINDOWS\tasks\At4.job
[2010/11/21 08:35:00 | 000,000,428 | ---- | M] () -- C:\WINDOWS\tasks\At10.job
[2010/11/21 07:35:00 | 000,000,428 | ---- | M] () -- C:\WINDOWS\tasks\At3.job
[2010/11/21 06:35:00 | 000,000,428 | ---- | M] () -- C:\WINDOWS\tasks\At8.job
[2010/11/21 05:35:00 | 000,000,428 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
[2010/11/21 04:35:00 | 000,000,428 | ---- | M] () -- C:\WINDOWS\tasks\At2.job
[2010/11/18 19:16:00 | 000,000,302 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-1606980848-839522115-725345543-500.job
[2010/11/17 22:54:02 | 000,000,813 | ---- | M] () -- C:\Documents and Settings\Tim\Desktop\ASIO4ALL v2 Instruction Manual.lnk
[2010/11/17 03:40:09 | 000,030,277 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2010/11/17 03:39:43 | 000,000,294 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-1606980848-839522115-725345543-500.job
[2010/11/17 03:39:37 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/11/17 03:39:36 | 1005,965,312 | -HS- | M] () -- C:\hiberfil.sys
[2010/11/17 03:26:23 | 000,000,332 | ---- | M] () -- C:\Documents and Settings\Tim\Application Data\scgdfgasfbh.bat
[2010/11/11 19:48:08 | 000,441,454 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/11/11 19:48:08 | 000,071,264 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/11/03 16:16:46 | 000,162,816 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\netbt.sys
[2010/10/28 17:26:48 | 000,056,320 | ---- | M] () -- C:\Documents and Settings\Tim\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/10/25 12:36:03 | 000,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/11/17 22:54:02 | 000,000,813 | ---- | C] () -- C:\Documents and Settings\Tim\Desktop\ASIO4ALL v2 Instruction Manual.lnk
[2010/11/17 03:39:36 | 1005,965,312 | -HS- | C] () -- C:\hiberfil.sys
[2010/11/17 03:26:34 | 000,000,428 | ---- | C] () -- C:\WINDOWS\tasks\At24.job
[2010/11/17 03:26:34 | 000,000,428 | ---- | C] () -- C:\WINDOWS\tasks\At23.job
[2010/11/17 03:26:33 | 000,000,428 | ---- | C] () -- C:\WINDOWS\tasks\At22.job
[2010/11/17 03:26:33 | 000,000,428 | ---- | C] () -- C:\WINDOWS\tasks\At21.job
[2010/11/17 03:26:33 | 000,000,428 | ---- | C] () -- C:\WINDOWS\tasks\At20.job
[2010/11/17 03:26:32 | 000,000,428 | ---- | C] () -- C:\WINDOWS\tasks\At19.job
[2010/11/17 03:26:31 | 000,000,428 | ---- | C] () -- C:\WINDOWS\tasks\At18.job
[2010/11/17 03:26:31 | 000,000,428 | ---- | C] () -- C:\WINDOWS\tasks\At17.job
[2010/11/17 03:26:30 | 000,000,428 | ---- | C] () -- C:\WINDOWS\tasks\At9.job
[2010/11/17 03:26:30 | 000,000,428 | ---- | C] () -- C:\WINDOWS\tasks\At16.job
[2010/11/17 03:26:30 | 000,000,428 | ---- | C] () -- C:\WINDOWS\tasks\At15.job
[2010/11/17 03:26:30 | 000,000,428 | ---- | C] () -- C:\WINDOWS\tasks\At14.job
[2010/11/17 03:26:30 | 000,000,428 | ---- | C] () -- C:\WINDOWS\tasks\At13.job
[2010/11/17 03:26:30 | 000,000,428 | ---- | C] () -- C:\WINDOWS\tasks\At12.job
[2010/11/17 03:26:30 | 000,000,428 | ---- | C] () -- C:\WINDOWS\tasks\At11.job
[2010/11/17 03:26:30 | 000,000,428 | ---- | C] () -- C:\WINDOWS\tasks\At10.job
[2010/11/17 03:26:29 | 000,000,428 | ---- | C] () -- C:\WINDOWS\tasks\At8.job
[2010/11/17 03:26:29 | 000,000,428 | ---- | C] () -- C:\WINDOWS\tasks\At7.job
[2010/11/17 03:26:28 | 000,000,428 | ---- | C] () -- C:\WINDOWS\tasks\At6.job
[2010/11/17 03:26:28 | 000,000,428 | ---- | C] () -- C:\WINDOWS\tasks\At5.job
[2010/11/17 03:26:27 | 000,000,428 | ---- | C] () -- C:\WINDOWS\tasks\At4.job
[2010/11/17 03:26:27 | 000,000,428 | ---- | C] () -- C:\WINDOWS\tasks\At3.job
[2010/11/17 03:26:26 | 000,000,428 | ---- | C] () -- C:\WINDOWS\tasks\At2.job
[2010/11/17 03:26:26 | 000,000,428 | ---- | C] () -- C:\WINDOWS\tasks\At1.job
[2010/11/17 03:26:23 | 000,000,332 | ---- | C] () -- C:\Documents and Settings\Tim\Application Data\scgdfgasfbh.bat
[2010/10/24 22:03:07 | 000,002,137 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/10/02 17:14:03 | 000,005,087 | ---- | C] () -- C:\Documents and Settings\Tim\Application Data\2596.js
[2010/09/29 22:09:05 | 000,007,063 | ---- | C] () -- C:\Documents and Settings\Tim\Application Data\33393.js
[2010/05/18 02:02:56 | 000,000,172 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2010/04/23 16:07:23 | 000,014,402 | -HS- | C] () -- C:\Documents and Settings\Tim\Local Settings\Application Data\5CMRU2
[2010/04/23 16:07:23 | 000,014,402 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\5CMRU2
[2010/02/10 00:01:16 | 000,010,442 | -HS- | C] () -- C:\Documents and Settings\Tim\Local Settings\Application Data\1B1wF12WWq6oc
[2010/01/30 13:39:44 | 000,000,088 | ---- | C] () -- C:\WINDOWS\LEXSTAT.INI
[2009/10/12 22:22:00 | 000,007,168 | ---- | C] () -- C:\WINDOWS\System32\drivers\StarOpen.sys
[2009/09/29 08:04:31 | 000,056,320 | ---- | C] () -- C:\Documents and Settings\Tim\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/09/28 10:26:12 | 000,000,126 | ---- | C] () -- C:\Documents and Settings\Tim\Local Settings\Application Data\fusioncache.dat
[2009/09/15 06:16:46 | 000,000,334 | ---- | C] () -- C:\WINDOWS\SIERRA.INI
[2009/09/14 20:27:50 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/09/14 15:40:40 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2006/01/11 07:00:00 | 001,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2006/01/11 07:00:00 | 001,466,368 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2006/01/11 07:00:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2006/01/11 07:00:00 | 000,573,440 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2006/01/11 07:00:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2006/01/11 07:00:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2006/01/11 07:00:00 | 000,046,080 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2006/01/11 07:00:00 | 000,005,810 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys
[2006/01/11 07:00:00 | 000,001,266 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2005/08/05 13:01:54 | 000,235,008 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2002/10/14 15:39:18 | 000,000,184 | ---- | C] () -- C:\WINDOWS\System32\lxbbcoin.ini

< End of report >

Re: google redirect in firefox

Hello.

Please run OTL.exe.

  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    :OTL
    O4 - HKCU..\Run: [{D5A29A19-074B-2C90-F06D-20D04E4B875D}] C:\Documents and Settings\Tim\Application Data\Leyfer\ucet.exe File not found
    O4 - HKCU..\Run: [aqmfhluw] C:\DOCUME~1\Tim\LOCALS~1\Temp\ithrkofwj\dixbmkqtsbl.exe File not found
    O20 - HKCU Winlogon: Shell - (C:\Documents and Settings\Tim\Application Data\hotfix.exe) - C:\Documents and Settings\Tim\Application Data\hotfix.exe File not found
    O30 - LSA: Authentication Packages - (bywuuv.dll) - File not found
    [2010/11/17 03:26:23 | 000,000,332 | ---- | M] () -- C:\Documents and Settings\Tim\Application Data\scgdfgasfbh.bat
    [2010/10/02 17:14:03 | 000,005,087 | ---- | C] () -- C:\Documents and Settings\Tim\Application Data\2596.js
    [2010/09/29 22:09:05 | 000,007,063 | ---- | C] () -- C:\Documents and Settings\Tim\Application Data\33393.js
    [2010/04/23 16:07:23 | 000,014,402 | -HS- | C] () -- C:\Documents and Settings\Tim\Local Settings\Application Data\5CMRU2
    [2010/04/23 16:07:23 | 000,014,402 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\5CMRU2
    [2010/02/10 00:01:16 | 000,010,442 | -HS- | C] () -- C:\Documents and Settings\Tim\Local Settings\Application Data\1B1wF12WWq6oc

    :files
    C:\WINDOWS\tasks\At*.job

    :commands
    [emptytemp]
    [resethosts]
    [reboot]


  • Return to OTL, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.

  • Click the red Run Fix button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTL.exe
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
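Added example for this thread (not code from the thread, from the helper, or from OldTimer's OTL): a small Python script that reads OTL log lines the way the helper read the log posted above and flags the same classes of entry that ended up in the fix: hosts-file lines that map a name to an off-box address, O4/O20/O30 autostart entries whose target file is gone, a per-user Winlogon shell that is not Explorer, and browser proxy settings pointed at 127.0.0.1. It then lays the O4/O20/O30 hits out in the :OTL / :files / :commands shape of the fix script above. The sample lines are constructed from the shape of the log in this thread (not the full log); the function names, the flagging rules and the layout choices are mine, and the fix syntax is used only as it appears in this thread, not as a description of OTL's full script language.

```python
import re
from ipaddress import ip_address

# Constructed sample in the shape of the OTL log posted earlier in this thread
# (a few representative lines, not the full log).
SAMPLE_LOG = r"""
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.127.227 esysprotector2009.microsoft.com
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKCU..\Run: [aqmfhluw] C:\DOCUME~1\Tim\LOCALS~1\Temp\ithrkofwj\dixbmkqtsbl.exe File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKCU Winlogon: Shell - (C:\Documents and Settings\Tim\Application Data\hotfix.exe) - C:\Documents and Settings\Tim\Application Data\hotfix.exe File not found
O30 - LSA: Authentication Packages - (bywuuv.dll) - File not found
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 1039
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:23012
SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
DRV - File not found [Kernel | Boot | Stopped] -- C:\WINDOWS\System32\drivers\kxitkj.sys -- (qjtxe)
"""

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
# Autostart line types that the helper's fix targeted in this thread.
AUTOSTART_PREFIXES = ("O4 ", "O20 ", "O30 ")


def is_loopback(addr):
    """True for 127.0.0.1 / ::1 style addresses, False for anything else or non-IPs."""
    try:
        return ip_address(addr).is_loopback
    except ValueError:
        return False


def triage(log_text):
    """Return a list of (reason, line) for lines that deserve a second look.

    The rules mirror what the helper acted on: hosts overrides pointing off-box,
    autostart or driver entries whose target file is gone (a typical leftover of
    a partially removed infection), a per-user Winlogon shell that is not
    Explorer, and browser proxies pointed at the local machine (a common redirect
    mechanism). Disabled services (SRV lines) are deliberately not flagged.
    """
    findings = []
    for line in log_text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = HOSTS_RE.match(line)
        if m:
            ip, host = m.groups()
            if not is_loopback(ip):
                findings.append(("hosts file maps %s to %s" % (host, ip), line))
            continue
        if line.startswith(AUTOSTART_PREFIXES + ("DRV ",)) and "File not found" in line:
            findings.append(("autostart/driver entry points at a missing file", line))
            continue
        if "HKCU Winlogon: Shell" in line and "explorer.exe" not in line.lower():
            findings.append(("per-user Winlogon shell is not Explorer", line))
            continue
        if ("network.proxy.http" in line or '"ProxyServer"' in line) and "127.0.0.1" in line:
            findings.append(("browser proxy points at localhost", line))
    return findings


def build_otl_fix(findings, extra_files=()):
    """Lay findings out in the :OTL / :files / :commands shape the helper used.

    Only O4/O20/O30 lines are copied under :OTL, because that is the usage shown
    in this thread; hosts findings are covered by [resethosts] instead, and the
    proxy / driver findings stay in the triage report for the analyst to decide on.
    """
    otl_lines = [ln for _, ln in findings if ln.startswith(AUTOSTART_PREFIXES)]
    hosts_tampered = any(ln.startswith("O1 ") for _, ln in findings)
    commands = ["[emptytemp]"] + (["[resethosts]"] if hosts_tampered else []) + ["[reboot]"]
    out = [":OTL", *otl_lines, "", ":files", *extra_files, "", ":commands", *commands]
    return "\n".join(out)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for reason, line in found:
        print("%-45s %s" % (reason, line))
    print()
    # The At*.job pattern is the one the helper used for the hourly tasks in the log.
    print(build_otl_fix(found, extra_files=(r"C:\WINDOWS\tasks\At*.job",)))
```

The script only reports and drafts; as in the thread, a person still decides what goes into the fix. Note that the Firefox proxy lines and the missing boot driver are flagged but not turned into :OTL lines, since the thread does not show that form of fix for them.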

Re: google redirect in firefox

I'm having trouble posting the Extras? It keeps telling me my connection has been reset while trying to send?

Re: google redirect in firefox

All processes killed
========== OTL ==========
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\{D5A29A19-074B-2C90-F06D-20D04E4B875D} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D5A29A19-074B-2C90-F06D-20D04E4B875D}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\aqmfhluw deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell:C:\Documents and Settings\Tim\Application Data\hotfix.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages:bywuuv.dll deleted successfully.
C:\Documents and Settings\Tim\Application Data\scgdfgasfbh.bat moved successfully.
C:\Documents and Settings\Tim\Application Data\2596.js moved successfully.
C:\Documents and Settings\Tim\Application Data\33393.js moved successfully.
C:\Documents and Settings\Tim\Local Settings\Application Data\5CMRU2 moved successfully.
C:\Documents and Settings\All Users\Application Data\5CMRU2 moved successfully.
C:\Documents and Settings\Tim\Local Settings\Application Data\1B1wF12WWq6oc moved successfully.
========== FILES ==========
C:\WINDOWS\tasks\At1.job moved successfully.
C:\WINDOWS\tasks\At10.job moved successfully.
C:\WINDOWS\tasks\At11.job moved successfully.
C:\WINDOWS\tasks\At12.job moved successfully.
C:\WINDOWS\tasks\At13.job moved successfully.
C:\WINDOWS\tasks\At14.job moved successfully.
C:\WINDOWS\tasks\At15.job moved successfully.
C:\WINDOWS\tasks\At16.job moved successfully.
C:\WINDOWS\tasks\At17.job moved successfully.
C:\WINDOWS\tasks\At18.job moved successfully.
C:\WINDOWS\tasks\At19.job moved successfully.
C:\WINDOWS\tasks\At2.job moved successfully.
C:\WINDOWS\tasks\At20.job moved successfully.
C:\WINDOWS\tasks\At21.job moved successfully.
C:\WINDOWS\tasks\At22.job moved successfully.
C:\WINDOWS\tasks\At23.job moved successfully.
C:\WINDOWS\tasks\At24.job moved successfully.
C:\WINDOWS\tasks\At3.job moved successfully.
C:\WINDOWS\tasks\At4.job moved successfully.
C:\WINDOWS\tasks\At5.job moved successfully.
C:\WINDOWS\tasks\At6.job moved successfully.
C:\WINDOWS\tasks\At7.job moved successfully.
C:\WINDOWS\tasks\At8.job moved successfully.
C:\WINDOWS\tasks\At9.job moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 16729072 bytes
->Temporary Internet Files folder emptied: 28899766 bytes
->FireFox cache emptied: 46155566 bytes
->Flash cache emptied: 2240 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 13076855 bytes
->Java cache emptied: 3676 bytes
->Flash cache emptied: 17758 bytes

User: NetworkService
->Temp folder emptied: 223960 bytes
->Temporary Internet Files folder emptied: 2081237 bytes
->Java cache emptied: 7364 bytes
->Flash cache emptied: 31603 bytes

User: Tim
->Temp folder emptied: 681518949 bytes
->Temporary Internet Files folder emptied: 73077253 bytes
->Java cache emptied: 27313984 bytes
->FireFox cache emptied: 492414408 bytes
->Flash cache emptied: 3374946 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 1410719 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 49022269 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 23971982 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 39484 bytes
RecycleBin emptied: 19920089 bytes

Total Files Cleaned = 1,411.00 mb

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.17.3 log created on 11232010_185713

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

Re: google redirect in firefox

Hello.

  • Download combofix from here
    Link 1
    Link 2

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    [screenshot: CF_download_FF]

    [screenshot: CF_download_rename]

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See HERE for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

    [screenshot: Cf410]

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt, which asks if you want to continue the malware scan; select Yes.

    [screenshot: Cf510]

  • Allow ComboFix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click ComboFix's window whilst it's running; that may cause it to stall.
