Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

http://www.searchqu.com/406 is always start page

Post by Helmut13 » May 30th, 2011, 3:27 pm

Hello,

Since yesterday ht tp://w ww.searchqu.co m/406 has been the fixed start page in Internet Explorer and also in Firefox, and I am not able to change it. I have read some things about it, but could not find a good answer.

My DDS logs are below.

Thank you very much.

.
DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_22
Run by Helmut at 21:18:40 on 2011-05-30
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.439 [GMT 2:00]
.
AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Firewall *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\System32\svchost.exe -k eapsvcs
svchost.exe
C:\WINDOWS\System32\svchost.exe -k dot3svc
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Wave Systems Corp\Common\DataServer.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\FreePDF_XP\fpassist.exe
C:\PROGRA~1\WINDOW~4\Datamngr\DATAMN~1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v1.05\bin\tcsd_win32.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
D:\Helmut\My Documents\Downloads\dds.scr
C:\WINDOWS\system32\WSCRIPT.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.de
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: EWPBrowseObject Class: {68f9551e-0411-48e4-9aaf-4bc42a6a46be} - c:\program files\canon\easy-webprint\EWPBrowseLoader.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Google Update] "c:\documents and settings\helmut\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Microsoft Works Update Detection] c:\program files\microsoft works\WkDetect.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Easy-PrintToolBox] c:\program files\canon\easy-printtoolbox\BJPSMAIN.EXE /logon
mRun: [FreePDF Assistant] c:\program files\freepdf_xp\fpassist.exe
mRun: [DATAMNGR] c:\progra~1\window~4\datamngr\DATAMN~1.EXE
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_Print.html
IE: Nach Microsoft &Excel exportieren - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shoc ... wflash.cab
TCP: {3693541E-112A-489D-A212-F5CE43E2213F} = 192.168.0.1
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\window~4\datamngr\datamngr.dll c:\progra~1\window~4\datamngr\iebho.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - d:\helmut\application data\mozilla\firefox\profiles\96cjgmc7.default\
FF - prefs.js: browser.search.selectedEngine - Web Search
FF - prefs.js: browser.startup.homepage - hxxp://www.searchqu.com/406
FF - prefs.js: keyword.URL - hxxp://www.searchqu.com/web?src=ffb&systemid=406&q=
FF - plugin: c:\documents and settings\helmut\local settings\application data\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
R0 stmtpm;STM TPM Service;c:\windows\system32\drivers\stm_tpm.sys [2011-4-5 21664]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-4-5 11608]
R2 AntiVirSchedulerService;Avira AntiVir Planer;c:\program files\avira\antivir desktop\sched.exe [2011-4-5 136360]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-4-5 269480]
R2 ASFIPmon;Broadcom ASF IP Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2005-3-8 61440]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-4-5 61960]
S2 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2011-4-5 532224]
S2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
.
=============== Created Last 30 ================
.
2011-05-30 18:23:22 -------- d-----w- c:\windows\system32\NtmsData
2011-05-30 18:21:17 -------- d-----w- d:\helmut\application data\Avira
2011-05-30 18:21:03 -------- d-----w- d:\helmut\application data\Malwarebytes
2011-05-30 18:18:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-30 18:18:37 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-05-30 18:18:34 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-30 18:18:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-29 18:22:11 -------- d-----w- d:\helmut\local settings\application data\Ilivid Player
2011-05-29 18:21:19 -------- d-----w- c:\program files\Windows iLivid Toolbar
2011-05-29 18:20:29 -------- d-----w- d:\helmut\local settings\application data\PackageAware
2011-05-29 17:28:31 -------- d-----w- c:\program files\gs
2011-05-29 17:21:10 -------- d-----w- c:\program files\IZArc
2011-05-29 17:10:20 45056 ----a-w- c:\windows\system32\unredmon.exe
2011-05-29 17:10:20 116224 ----a-w- c:\windows\system32\redmonnt.dll
2011-05-29 17:10:19 -------- d-----w- c:\program files\FreePDF_XP
2011-05-29 17:10:19 -------- d-----w- c:\documents and settings\all users\application data\FreePDF
2011-05-29 15:53:36 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-22 15:50:41 -------- d-----w- c:\program files\Canon
2011-05-22 09:26:36 -------- d-----w- c:\program files\OO Software
2011-05-10 18:55:35 662288 ----a-w- c:\windows\system32\MSCOMCT2.OCX
2011-05-10 18:55:35 137000 ----a-w- c:\windows\system32\MSMAPI32.OCX
2011-05-10 18:55:35 116224 ----a-w- c:\windows\system32\pdfcmnnt.dll
2011-05-10 18:55:33 64512 ----a-w- c:\windows\system32\MSCC2DE.DLL
2011-05-10 18:55:33 158208 ----a-w- c:\windows\system32\MSCMCDE.DLL
2011-05-10 18:55:33 125712 ----a-w- c:\windows\system32\VB6DE.DLL
2011-05-10 18:55:32 23552 ----a-w- c:\windows\system32\MSMPIDE.DLL
2011-05-10 18:55:32 -------- d-----w- c:\program files\PDFCreator
2011-05-08 16:40:49 733184 ----a-w- c:\program files\common files\installshield\professional\runtime\10\01\intel32\iKernel.dll
2011-05-08 16:40:49 69715 ----a-w- c:\program files\common files\installshield\professional\runtime\10\01\intel32\ctor.dll
2011-05-08 16:40:49 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\10\01\intel32\DotNetInstaller.exe
2011-05-08 16:40:49 266240 ----a-w- c:\program files\common files\installshield\professional\runtime\10\01\intel32\iscript.dll
2011-05-08 16:40:49 180356 ----a-w- c:\program files\common files\installshield\professional\runtime\10\01\intel32\iGdi.dll
2011-05-08 16:40:49 172032 ----a-w- c:\program files\common files\installshield\professional\runtime\10\01\intel32\iuser.dll
2011-05-08 16:40:48 303236 ----a-w- c:\program files\common files\installshield\professional\runtime\10\01\intel32\setup.dll
.
==================== Find3M ====================
.
2011-04-23 17:18:17 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-04-23 17:18:17 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-09 16:05:00 276480 ----a-w- C:\~GLHTTP1.TMP
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 12:36:34 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-03-04 06:45:07 434176 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: SAMSUNG_HD080HJ/P rev.ZH100-34 -> Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T0L0-4
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk1\DR1[0x86B3DAB8]
3 CLASSPNP[0xF764EFD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Ide\IdeDeviceP1T0L0-17[0x86B8CB00]
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
user != kernel MBR !!!
sectors 156249998 (+255): user != kernel
.
============= FINISH: 21:19:14,42 ===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-05-19.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume4
Install Date: 05.04.2011 19:34:51
System Uptime: 30.05.2011 20:33:22 (1 hours ago)
.
Motherboard: Dell Inc. | | 0HH807
Processor: Intel(R) Pentium(R) D CPU 2.80GHz | Microprocessor | 2793/800mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 74 GiB total, 64,455 GiB free.
D: is FIXED (NTFS) - 297 GiB total, 248,551 GiB free.
E: is FIXED (NTFS) - 100 GiB total, 77,041 GiB free.
F: is FIXED (NTFS) - 70 GiB total, 64,393 GiB free.
G: is CDROM ()
H: is Removable
I: is Removable
J: is Removable
K: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP1: 05.04.2011 19:42:30 - System Checkpoint
RP2: 05.04.2011 20:05:13 - Installed SoundMAX
RP3: 05.04.2011 20:05:26 - Installed SoundMAX
RP4: 05.04.2011 20:19:54 - Installed Broadcom Advanced Control Suite
RP5: 05.04.2011 20:21:17 - Installed Broadcom ASF Management Applications
RP6: 05.04.2011 20:21:53 - Installed Broadcom Gigabit Integrated Controller
RP7: 05.04.2011 20:22:31 - Installed Chipset Software Installer
RP8: 05.04.2011 20:22:43 - Installed Windows XP KB921411.
RP9: 05.04.2011 20:54:36 - Installed STMicroelectronics TPM Software Package
RP10: 05.04.2011 21:07:57 - Installed Adobe Reader X (10.0.1) - Deutsch.
RP11: 05.04.2011 21:09:22 - Installed Windows XP KB943232.
RP12: 05.04.2011 21:19:44 - Microsoft Office Professional Edition 2003 wird installiert
RP13: 06.04.2011 20:31:12 - Works Suite-Betriebssystem-Pack wird installiert
RP14: 06.04.2011 20:33:37 - Microsoft Works 6.0 wird installiert
RP15: 06.04.2011 20:36:52 - Works-Synchronisierung wird installiert
RP16: 06.04.2011 20:40:24 - Microsoft Picture It! Foto 2001 wird installiert
RP17: 06.04.2011 20:45:54 - Microsoft Works 6.0 wird entfernt
RP18: 06.04.2011 21:36:40 - Software Distribution Service 3.0
RP19: 07.04.2011 19:38:39 - Software Distribution Service 3.0
RP20: 07.04.2011 20:23:58 - Software Distribution Service 3.0
RP21: 08.04.2011 19:36:18 - Software Distribution Service 3.0
RP22: 08.04.2011 19:50:37 - Software Distribution Service 3.0
RP23: 08.04.2011 19:50:59 - Installed Windows XP WgaNotify.
RP24: 08.04.2011 19:53:59 - Software Distribution Service 3.0
RP25: 08.04.2011 20:31:19 - Software Distribution Service 3.0
RP26: 09.04.2011 14:48:56 - Software Distribution Service 3.0
RP27: 09.04.2011 17:47:59 - Software Distribution Service 3.0
RP28: 12.04.2011 21:41:41 - Software Distribution Service 3.0
RP29: 16.04.2011 18:29:05 - Software Distribution Service 3.0
RP30: 18.04.2011 21:13:34 - System Checkpoint
RP31: 21.04.2011 18:17:01 - System Checkpoint
RP32: 23.04.2011 10:25:54 - System Checkpoint
RP33: 23.04.2011 19:18:09 - Java(TM) 6 Update 22 wird installiert
RP34: 25.04.2011 17:03:41 - System Checkpoint
RP35: 27.04.2011 14:51:48 - System Checkpoint
RP36: 27.04.2011 15:33:43 - Software Distribution Service 3.0
RP37: 29.04.2011 09:54:56 - System Checkpoint
RP38: 30.04.2011 12:01:31 - System Checkpoint
RP39: 01.05.2011 17:24:52 - System Checkpoint
RP40: 02.05.2011 18:33:55 - System Checkpoint
RP41: 03.05.2011 21:12:20 - System Checkpoint
RP42: 05.05.2011 20:43:19 - System Checkpoint
RP43: 07.05.2011 12:16:48 - System Checkpoint
RP44: 08.05.2011 12:33:02 - System Checkpoint
RP45: 08.05.2011 18:41:02 - Installed Google Earth
RP46: 10.05.2011 18:33:38 - System Checkpoint
RP47: 10.05.2011 20:55:50 - Printer Driver PDFCreator Installed
RP48: 11.05.2011 06:42:50 - Software Distribution Service 3.0
RP49: 13.05.2011 09:35:24 - System Checkpoint
RP50: 17.05.2011 17:40:39 - System Checkpoint
RP51: 22.05.2011 10:08:38 - System Checkpoint
RP52: 22.05.2011 11:26:35 - O&O DiskRecovery wurde installiert.
RP53: 23.05.2011 20:57:17 - System Checkpoint
RP54: 25.05.2011 18:55:47 - System Checkpoint
RP55: 26.05.2011 19:24:04 - System Checkpoint
RP56: 28.05.2011 17:42:11 - System Checkpoint
RP57: 29.05.2011 17:42:18 - System Checkpoint
RP58: 29.05.2011 19:11:01 - Unsigned printer driver FreePDF_XP installed.
.
==== Installed Programs ======================
.
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader X (10.0.1) - Deutsch
Avira AntiVir Personal - Free Antivirus
Broadcom Advanced Control Suite
Broadcom ASF Management Applications
Broadcom Gigabit Integrated Controller
Canon iP4300
Canon iP4300 User Registration
Canon Setup Utility 2.3
Canon Utilities Easy-PhotoPrint
Canon Utilities Easy-PrintToolBox
CD-LabelPrint
Easy-WebPrint
EMBASSY Security Center
FreePDF (Remove only)
Google Earth
GPL Ghostscript
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB976002-v5)
Hotfix for Windows XP (KB981793)
Intel(R) Graphics Media Accelerator Driver
IZArc 4.1.6
Java Auto Updater
Java(TM) 6 Update 22
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft Office Professional Edition 2003
Microsoft Picture It! Foto 2001
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Works 2001-Setup-Start
Mozilla Firefox 4.0.1 (x86 de)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Network Print Monitor for Windows 2000/XP/2003
NTRU Hybrid TSS v1.05
PDFCreator
Personal Backup 5.0
Recuva
RedMon - Redirection Port Monitor
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2482017)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2497640)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2510581)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982381)
Security Update for Windows XP (KB982665)
Shockwave
SoundMAX
Spybot - Search & Destroy
STMicroelectronics TPM Software Package
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Visual C++ 8.0 CRT (x86) WinSXS MSM
Visual C++ 8.0 CRT.Policy (x86) WinSXS MSM
VLC media player 1.1.8
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows iLivid Toolbar
Windows XP Service Pack 3
Works-Synchronisierung
Works Suite-Betriebssystem-Pack
ZoneAlarm
.
==== Event Viewer Messages From Past Week ========
.
28.05.2011 13:35:16, error: Service Control Manager [7019] - Circular dependency: The vsdatant service depends on a service in a group which starts later.
28.05.2011 13:35:16, error: Service Control Manager [7001] - The TrueVector Internet Monitor service depends on the vsdatant service which failed to start because of the following error: Circular service dependency was specified.
28.05.2011 13:35:15, error: Service Control Manager [7017] - Detected circular dependencies demand starting TrueVector Internet Monitor.
.
==== End Of File ===========================
Helmut13
Regular Member
 
Posts: 75
Joined: May 30th, 2011, 3:05 pm

Re: http://www.searchqu.com/406 is always start page

Post by Gary R » June 2nd, 2011, 1:53 am

Looking over your log, back soon.
Gary R
Administrator
 
Posts: 21872
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: http://www.searchqu.com/406 is always start page

Post by Gary R » June 2nd, 2011, 2:06 am

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the Malware Removal forum and wait for help.


Unless informed of in advance, failure to post replies within 3 days will result in this thread being closed.


Hi Helmut13

I'm Gary R, I'll be glad to help you with your computer problems.

Before we start: Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However, it is impossible for me to foresee all interactions that may happen between the software on your computer and the tools we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or where you will need to take your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

Please observe these rules while we work:
  • Perform all actions in the order given.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Stick with it till you're given the all clear.
  • Remember, absence of symptoms does not mean the infection is all gone.
  • Don't attempt to install any new software (other than those I ask you to) until we've got your computer clean.
  • Don't attempt to clean your computer with any tools other than the ones I ask you to use during the cleanup process. If your defensive programmes warn you about any of those tools, be assured that they are not infected, and are safe to use.
If you can do these things, everything should go smoothly.
  • If you're using XP, you'll need Administrator privileges to perform the fixes. (XP accounts are Administrator by default)
  • If you're using Vista or Windows 7, it will be necessary to right click all tools we use and select ----> Run as Administrator
Important: As I said earlier, removing Malware is a potentially hazardous thing to do, so to increase our chances of recovery in the event of something unexpected happening, I'd like you to make a backup of your Registry before we start to clean your computer.
  • Download ERUNT to your desktop
  • Alternate Download
  • Double-click on erunt_setup.exe to install the program
  • Untick the NTREGOPT desktop shortcut option
  • Click No when you get the option to run Erunt at Windows startup.
  • During the installation, tick Launch Erunt.
  • Accept the default options for running a backup.
  • Erunt will then backup your registry.
  • Click OK to finish.
  • If you are unable to back up your Registry with ERUNT ....
    • Let me know.
    • Do not follow any further instructions until I tell you to.
It may be helpful to you to print out or take a copy of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.


There are a number of things that need removing from your computer, but to do that I first need you to run a further scan for me .....

Download OTL by OldTimer to your Desktop.

Alternative Download

If you already have a copy of OTL delete it and use this version.

  • Double click OTL.exe to launch the programme.
  • Check the following.
    • Scan all users.
    • Lop check.
    • Purity check.
  • Under Extra Registry section, select Use SafeList
  • Under Custom Scans/Fixes copy/paste the contents of the code box below.
Code:
c:|Fun4IM;true;true;true; /FP
c:|Bandoo;true;true;true; /FP
c:|Searchqu;true;true;true; /FP
c:|iLivid;true;true;true; /FP

  • Click the Run Scan button and wait for the scan to finish (usually about 10-15 mins).
  • When finished it will produce two logs.
    • OTL.txt (open on your desktop).
    • Extras.txt (minimised in your taskbar)
  • Please post me both logs.

Please post each log separately to prevent it being cut off by the forum post size limiter. Check each after you've posted it to make sure it's all present, if any log is cut off you'll have to post it in sections.
Gary R
Administrator
 
Posts: 21872
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire
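A defender-side triage script for the indicators discussed in this thread: it walks an excerpt of the DDS log from Helmut13's first post and flags the Firefox prefs.js entries pointing at searchqu, the Datamngr autostart and AppInit_DLLs entries, and the iLivid paths created on the day the symptom began, using the names Gary R targets in his OTL custom scan (Fun4IM, Bandoo, Searchqu, iLivid) as the watchlist. This is an added example, not a MalwareRemoval.com tool and not part of DDS or OTL; the function names, the `Finding` type and the `onset` parameter are my own.

```python
"""Triage helper: flag browser-hijack indicators in a DDS log excerpt.

Added example for this thread; not a MalwareRemoval.com tool and not part of
DDS or OTL. WATCHLIST holds the names Gary R targets in his OTL custom scan
plus the hijack domain from Helmut13's log; SAMPLE_LOG is an excerpt of that
log (Pseudo HJT, Firefox and "Created Last 30" sections).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

WATCHLIST = ("searchqu", "ilivid", "datamngr", "bandoo", "fun4im")

# Registry autostart prefixes as DDS prints them (user / machine / default hive).
RUN_KEYS = ("uRun:", "mRun:", "dRun:")
# "FF - prefs.js: <pref> - <value>"
FF_PREF = re.compile(r"^FF - prefs\.js: (\S+) - (.+)$")
# "<date> <time> <size-or-dashes> <attrs> <path>" from the Created Last 30 section
CREATED = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) \S+ \S+ (.+)$")

SAMPLE_LOG = r"""
uStart Page = hxxp://www.google.de
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [DATAMNGR] c:\progra~1\window~4\datamngr\DATAMN~1.EXE
AppInit_DLLs: c:\progra~1\window~4\datamngr\datamngr.dll c:\progra~1\window~4\datamngr\iebho.dll
FF - prefs.js: browser.search.selectedEngine - Web Search
FF - prefs.js: browser.startup.homepage - hxxp://www.searchqu.com/406
FF - prefs.js: keyword.URL - hxxp://www.searchqu.com/web?src=ffb&systemid=406&q=
2011-05-30 18:18:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-29 18:22:11 -------- d-----w- d:\helmut\local settings\application data\Ilivid Player
2011-05-29 18:21:19 -------- d-----w- c:\program files\Windows iLivid Toolbar
"""


@dataclass
class Finding:
    category: str  # "appinit", "ff_pref", "run_key" or "created"
    evidence: str  # the log line
    why: str       # one-line reason for the analyst


def _hits(text: str) -> list[str]:
    """Watchlist tokens that occur in `text`, case-insensitively."""
    low = text.lower()
    return [t for t in WATCHLIST if t in low]


def scan_dds(log: str, onset: str | None = None) -> list[Finding]:
    """Return hijack-related findings from a DDS log.

    `onset` (YYYY-MM-DD) restricts "created" findings to files created on or
    after the day the symptom started, so the timeline matches the complaint.
    """
    findings: list[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("AppInit_DLLs:"):
            # Every DLL listed here is loaded into each process that loads
            # user32.dll, so a non-empty value is reviewed regardless of the
            # watchlist. The value here uses 8.3 short names, so splitting on
            # spaces is safe for this log.
            dlls = line.split(":", 1)[1].split()
            findings.append(Finding("appinit", line,
                                    f"{len(dlls)} DLL(s) injected into every GUI process"))
        elif (m := FF_PREF.match(line)):
            pref, value = m.groups()
            if _hits(value):
                findings.append(Finding("ff_pref", line, f"{pref} set to a watchlisted domain"))
        elif line.startswith(RUN_KEYS):
            if _hits(line):
                findings.append(Finding("run_key", line, "autostart entry for watchlisted software"))
        elif (m := CREATED.match(line)):
            date, _time, path = m.groups()
            if _hits(path) and (onset is None or date >= onset):
                findings.append(Finding("created", line, f"watchlisted path created {date}"))
    return findings


def by_category(findings: list[Finding]) -> dict[str, int]:
    """Count findings per category, for a one-line summary."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    # Helmut13 reported the change "since yesterday" on 2011-05-30.
    for f in scan_dds(SAMPLE_LOG, onset="2011-05-29"):
        print(f"[{f.category:8}] {f.why}\n           {f.evidence}")
    # The IE "uStart Page" line still reads google.de, so the registry start
    # page alone would have missed this; the AppInit_DLLs and prefs.js
    # findings are what give the hijack away.
```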

Re: http://www.searchqu.com/406 is always start page

Post by Helmut13 » June 2nd, 2011, 12:42 pm

Hi Gary R,

Thanks for your quick reply.

Here are my logs:

OTL logfile created on: 02.06.2011 18:29:51 - Run 2
OTL by OldTimer - Version 3.2.23.0 Folder = D:\Helmut\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000407 | Country: Germany | Language: DEU | Date Format: dd.MM.yyyy

1014,07 Mb Total Physical Memory | 492,19 Mb Available Physical Memory | 48,54% Memory free
2,38 Gb Paging File | 1,96 Gb Available in Paging File | 82,12% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74,50 Gb Total Space | 64,36 Gb Free Space | 86,39% Space Free | Partition Type: NTFS
Drive D: | 296,56 Gb Total Space | 248,55 Gb Free Space | 83,81% Space Free | Partition Type: NTFS
Drive E: | 99,59 Gb Total Space | 77,01 Gb Free Space | 77,33% Space Free | Partition Type: NTFS
Drive F: | 69,61 Gb Total Space | 64,39 Gb Free Space | 92,50% Space Free | Partition Type: NTFS

Computer Name: COMPUTER | User Name: Helmut | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011.06.02 18:27:02 | 000,580,096 | ---- | M] (OldTimer Tools) -- D:\Helmut\My Documents\Downloads\OTL(1).exe
PRC - [2011.05.14 07:54:32 | 000,136,360 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2011.04.30 19:57:15 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2011.03.24 14:30:12 | 001,115,536 | ---- | M] (Discordia, LTD) -- C:\Program Files\Windows iLivid Toolbar\Datamngr\datamngrUI.exe
PRC - [2011.03.04 14:36:11 | 000,281,768 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2011.03.04 14:36:11 | 000,269,480 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2011.02.18 17:28:38 | 001,043,968 | ---- | M] (Check Point Software Technologies LTD) -- C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
PRC - [2010.06.17 21:56:44 | 000,370,176 | ---- | M] (shbox.de) -- C:\Program Files\FreePDF_XP\fpassist.exe
PRC - [2010.01.14 21:10:53 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
PRC - [2009.01.26 15:31:16 | 002,144,088 | RHS- | M] (Safer Networking Limited) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2008.04.14 02:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2005.08.30 14:54:10 | 000,290,816 | ---- | M] (Wave Systems Corp.) -- C:\Program Files\Wave Systems Corp\Common\DataServer.exe
PRC - [2005.03.08 19:46:12 | 000,061,440 | ---- | M] (Broadcom Corporation) -- C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
PRC - [2005.03.07 13:30:46 | 000,180,224 | ---- | M] () -- C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v1.05\bin\tcsd_win32.exe


========== Modules (SafeList) ==========

MOD - [2011.06.02 18:27:02 | 000,580,096 | ---- | M] (OldTimer Tools) -- D:\Helmut\My Documents\Downloads\OTL(1).exe
MOD - [2010.08.23 18:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2011.05.14 07:54:32 | 000,136,360 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2011.03.04 14:36:11 | 000,269,480 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2011.02.18 17:30:32 | 002,435,592 | ---- | M] (Check Point Software Technologies LTD) [Auto | Stopped] -- C:\WINDOWS\System32\ZoneLabs\vsmon.exe -- (vsmon)
SRV - [2005.08.30 14:54:10 | 000,290,816 | ---- | M] (Wave Systems Corp.) [Auto | Running] -- C:\Program Files\Wave Systems Corp\Common\DataServer.exe -- (DataSvr)
SRV - [2005.03.08 19:46:12 | 000,061,440 | ---- | M] (Broadcom Corporation) [Auto | Running] -- C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe -- (ASFIPmon)
SRV - [2005.03.07 13:30:46 | 000,180,224 | ---- | M] () [Auto | Running] -- C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v1.05\bin\tcsd_win32.exe -- (tcsd_win32.exe)


========== Driver Services (SafeList) ==========

DRV - [2011.03.04 16:11:12 | 000,137,656 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2011.03.04 14:36:34 | 000,061,960 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2010.06.17 14:27:02 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2010.06.17 14:26:52 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2010.05.13 10:02:32 | 000,532,224 | ---- | M] (Check Point Software Technologies LTD) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\vsdatant.sys -- (vsdatant)
DRV - [2005.05.02 16:51:38 | 000,021,664 | ---- | M] (STMicroelectronics, INC) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\stm_tpm.sys -- (stmtpm)
DRV - [2005.03.17 16:30:10 | 000,132,608 | R--- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2004.09.17 09:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)
DRV - [2003.04.24 15:21:50 | 000,006,025 | R--- | M] (Broadcom Corporation) [Kernel | Auto | Running] -- C:\Program Files\Broadcom\ASFIPMon\BASFND.sys -- (BASFND)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1004336348-1202660629-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de
IE - HKU\S-1-5-21-1004336348-1202660629-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Web Search"
FF - prefs.js..browser.search.order.1: "Web Search"
FF - prefs.js..browser.search.selectedEngine: "Web Search"
FF - prefs.js..browser.startup.homepage: "http://www.searchqu.com/406"
FF - prefs.js..keyword.URL: "http://www.searchqu.com/web?src=ffb&systemid=406&q="

FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011.04.30 19:57:20 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

[2011.05.29 20:21:28 | 000,000,000 | ---D | M] (No name found) -- D:\Helmut\Application Data\Mozilla\Extensions
[2011.05.29 20:25:28 | 000,000,000 | ---D | M] (No name found) -- D:\Helmut\Application Data\Mozilla\Firefox\Profiles\96cjgmc7.default\extensions
[2011.03.23 14:24:21 | 000,005,529 | ---- | M] () -- D:\Helmut\Application Data\Mozilla\Firefox\Profiles\96cjgmc7.default\searchplugins\SearchquWebSearch.xml
[2011.05.29 20:21:28 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011.04.23 19:18:32 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
File not found (No name found) --
[2011.04.23 19:18:18 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2011.04.30 19:57:14 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browsercomps.dll
[2010.01.01 10:00:00 | 000,001,392 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazondotcom-de.xml
[2010.01.01 10:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\bing.xml
[2010.01.01 10:00:00 | 000,001,153 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-de.xml
[2010.01.01 10:00:00 | 000,006,805 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\leo_ende_de.xml
[2011.03.23 14:24:21 | 000,005,529 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\SearchquWebSearch.xml
[2010.01.01 10:00:00 | 000,001,178 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia-de.xml
[2010.01.01 10:00:00 | 000,001,105 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-de.xml

O1 HOSTS File: ([2004.08.04 12:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (EWPBrowseObject Class) - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll ()
O3 - HKLM\..\Toolbar: (Easy-WebPrint) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll ()
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [DATAMNGR] C:\Program Files\Windows iLivid Toolbar\Datamngr\datamngrUI.exe (Discordia, LTD)
O4 - HKLM..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE (CANON INC.)
O4 - HKLM..\Run: [FreePDF Assistant] C:\Program Files\FreePDF_XP\fpassist.exe (shbox.de)
O4 - HKLM..\Run: [Microsoft Works Update Detection] File not found
O4 - HKLM..\Run: [ZoneAlarm Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe (Check Point Software Technologies LTD)
O4 - HKU\S-1-5-21-1004336348-1202660629-682003330-1003..\Run: [Google Update] File not found
O4 - HKU\S-1-5-21-1004336348-1202660629-682003330-1003..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1004336348-1202660629-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Easy-WebPrint Add To Print List - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll ()
O8 - Extra context menu item: Easy-WebPrint High Speed Print - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll ()
O8 - Extra context menu item: Easy-WebPrint Preview - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll ()
O8 - Extra context menu item: Easy-WebPrint Print - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll ()
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shoc ... wflash.cab (Shockwave Flash Object)
O20 - AppInit_DLLs: (c:\progra~1\window~4\datamngr\datamngr.dll) - c:\Program Files\Windows iLivid Toolbar\Datamngr\datamngr.dll (Discordia, LTD)
O20 - AppInit_DLLs: (c:\progra~1\window~4\datamngr\iebho.dll) - c:\Program Files\Windows iLivid Toolbar\Datamngr\IEBHO.dll (Discordia, LTD)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2011.04.05 19:32:12 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{87f11ba9-5fb3-11e0-88b5-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{87f11ba9-5fb3-11e0-88b5-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{87f11ba9-5fb3-11e0-88b5-806d6172696f}\Shell\AutoRun\command - "" = D:\SETUP.EXE /AUTORUN
O33 - MountPoints2\{87f11ba9-5fb3-11e0-88b5-806d6172696f}\Shell\configure\command - "" = D:\SETUP.EXE
O33 - MountPoints2\{87f11ba9-5fb3-11e0-88b5-806d6172696f}\Shell\install\command - "" = D:\SETUP.EXE
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011.06.02 18:22:28 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011.06.02 18:21:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\ERUNT
[2011.06.02 18:21:46 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2011.05.30 21:18:41 | 000,000,000 | R--D | C] -- D:\Helmut\My Documents\My Videos
[2011.05.30 21:18:41 | 000,000,000 | R--D | C] -- D:\Helmut\Start Menu\Programs\Administrative Tools
[2011.05.30 20:23:22 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData
[2011.05.30 20:21:17 | 000,000,000 | ---D | C] -- D:\Helmut\Application Data\Avira
[2011.05.30 20:21:03 | 000,000,000 | ---D | C] -- D:\Helmut\Application Data\Malwarebytes
[2011.05.30 20:18:39 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011.05.30 20:18:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011.05.30 20:18:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011.05.30 20:18:34 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011.05.30 20:18:34 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011.05.29 20:22:11 | 000,000,000 | ---D | C] -- D:\Helmut\Local Settings\Application Data\Ilivid Player
[2011.05.29 20:21:19 | 000,000,000 | ---D | C] -- C:\Program Files\Windows iLivid Toolbar
[2011.05.29 20:20:29 | 000,000,000 | ---D | C] -- D:\Helmut\Local Settings\Application Data\PackageAware
[2011.05.29 19:28:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Ghostscript
[2011.05.29 19:28:31 | 000,000,000 | ---D | C] -- C:\Program Files\gs
[2011.05.29 19:21:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\IZArc
[2011.05.29 19:21:10 | 000,000,000 | ---D | C] -- C:\Program Files\IZArc
[2011.05.29 19:10:19 | 000,000,000 | ---D | C] -- C:\Program Files\FreePDF_XP
[2011.05.29 19:10:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\FreePDF
[2011.05.29 19:10:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\FreePDF
[2011.05.29 17:53:36 | 000,404,640 | ---- | C] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2011.05.28 17:46:37 | 000,000,000 | ---D | C] -- D:\Helmut\Desktop\ebay
[2011.05.23 18:50:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Canon iP4300 User Registration
[2011.05.23 18:45:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\CD-LabelPrint
[2011.05.23 18:44:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Canon Utilities
[2011.05.23 18:44:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Canon iP4300 Manual
[2011.05.23 18:43:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Canon iP4300
[2011.05.22 17:52:49 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
[2011.05.22 17:52:28 | 000,000,000 | -H-D | C] -- C:\WINDOWS\System32\CanonIJ Uninstaller Information
[2011.05.22 17:51:47 | 000,000,000 | -H-D | C] -- C:\Program Files\CanonBJ
[2011.05.22 17:50:41 | 000,000,000 | ---D | C] -- C:\Program Files\Canon
[2011.05.22 11:26:36 | 000,000,000 | ---D | C] -- C:\Program Files\OO Software
[2011.05.13 10:01:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Recuva
[2011.05.13 10:01:14 | 000,000,000 | ---D | C] -- C:\Program Files\Recuva
[2011.05.10 20:55:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\PDFCreator
[2011.05.10 20:55:35 | 000,662,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MSCOMCT2.OCX
[2011.05.10 20:55:35 | 000,137,000 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MSMAPI32.OCX
[2011.05.10 20:55:33 | 000,158,208 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MSCMCDE.DLL
[2011.05.10 20:55:33 | 000,125,712 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\VB6DE.DLL
[2011.05.10 20:55:33 | 000,064,512 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MSCC2DE.DLL
[2011.05.10 20:55:32 | 000,023,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MSMPIDE.DLL
[2011.05.10 20:55:32 | 000,000,000 | ---D | C] -- C:\Program Files\PDFCreator
[2011.05.08 19:03:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Google Earth
[2011.05.08 18:43:04 | 000,000,000 | ---D | C] -- D:\Helmut\Application Data\Google
[2011.05.08 18:41:03 | 000,000,000 | ---D | C] -- C:\Program Files\Google
[7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\*.tmp files -> C:\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011.06.02 18:31:00 | 000,001,192 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1004336348-1202660629-682003330-1003UA.job
[2011.06.02 18:25:22 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011.06.02 18:25:09 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011.06.02 18:24:29 | 003,145,728 | -H-- | M] () -- D:\Helmut\NTUSER.bak
[2011.06.02 18:21:47 | 000,000,527 | ---- | M] () -- D:\Helmut\Desktop\NTREGOPT.lnk
[2011.06.02 18:21:47 | 000,000,514 | ---- | M] () -- D:\Helmut\Desktop\ERUNT.lnk
[2011.06.02 18:02:17 | 000,000,600 | ---- | M] () -- D:\Helmut\Local Settings\Application Data\PUTTY.RND
[2011.05.30 20:18:39 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011.05.30 19:58:21 | 000,002,435 | ---- | M] () -- D:\Helmut\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Excel 2003 (2).lnk
[2011.05.29 17:53:36 | 000,404,640 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2011.05.25 17:49:37 | 000,002,403 | ---- | M] () -- D:\Helmut\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Word 2003 (2).lnk
[2011.05.23 18:50:58 | 000,001,641 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Canon iP4300 User Registration.LNK
[2011.05.23 18:46:00 | 000,001,725 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Canon Easy-PrintToolBox.lnk
[2011.05.23 18:45:18 | 000,001,698 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Easy-PhotoPrint.lnk
[2011.05.23 18:44:06 | 000,001,870 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iP4300 On-screen Manual.lnk
[2011.05.23 06:50:45 | 072,171,734 | ---- | M] () -- D:\Helmut\My Documents\rettungsversuch.drd
[2011.05.22 21:31:00 | 000,001,140 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1004336348-1202660629-682003330-1003Core.job
[2011.05.22 19:37:56 | 000,936,575 | ---- | M] () -- D:\Helmut\My Documents\Daten, Häufigkeit und Wahrscheinlichkeit.pdf
[2011.05.22 19:37:56 | 000,936,575 | ---- | M] () -- D:\Helmut\Desktop\Daten, Häufigkeit und Wahrscheinlichkeit.pdf
[2011.05.13 10:01:18 | 000,001,512 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Recuva.lnk
[2011.05.13 09:57:44 | 000,010,752 | ---- | M] () -- D:\Helmut\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011.05.10 20:55:43 | 000,000,706 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\PDFCreator.lnk
[2011.05.08 19:03:21 | 000,002,319 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
[7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\*.tmp files -> C:\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011.06.02 18:21:47 | 000,000,527 | ---- | C] () -- D:\Helmut\Desktop\NTREGOPT.lnk
[2011.06.02 18:21:47 | 000,000,514 | ---- | C] () -- D:\Helmut\Desktop\ERUNT.lnk
[2011.05.30 20:18:39 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011.05.29 19:10:20 | 000,116,224 | ---- | C] () -- C:\WINDOWS\System32\redmonnt.dll
[2011.05.29 19:10:20 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\unredmon.exe
[2011.05.23 18:50:58 | 000,001,641 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Canon iP4300 User Registration.LNK
[2011.05.23 18:46:00 | 000,001,725 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Canon Easy-PrintToolBox.lnk
[2011.05.23 18:45:18 | 000,001,698 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Easy-PhotoPrint.lnk
[2011.05.23 18:44:06 | 000,001,870 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iP4300 On-screen Manual.lnk
[2011.05.23 06:50:40 | 072,171,734 | ---- | C] () -- D:\Helmut\My Documents\rettungsversuch.drd
[2011.05.22 19:38:40 | 000,936,575 | ---- | C] () -- D:\Helmut\My Documents\Daten, Häufigkeit und Wahrscheinlichkeit.pdf
[2011.05.22 19:37:56 | 000,936,575 | ---- | C] () -- D:\Helmut\Desktop\Daten, Häufigkeit und Wahrscheinlichkeit.pdf
[2011.05.13 10:01:18 | 000,001,512 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Recuva.lnk
[2011.05.10 20:55:43 | 000,000,706 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\PDFCreator.lnk
[2011.05.10 20:55:35 | 000,116,224 | ---- | C] () -- C:\WINDOWS\System32\pdfcmnnt.dll
[2011.04.17 11:27:18 | 000,000,600 | ---- | C] () -- D:\Helmut\Local Settings\Application Data\PUTTY.RND
[2011.04.16 18:49:21 | 000,010,752 | ---- | C] () -- D:\Helmut\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011.04.16 18:49:21 | 000,000,129 | ---- | C] () -- D:\Helmut\Local Settings\Application Data\fusioncache.dat
[2011.04.05 21:22:36 | 000,000,400 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2011.04.05 21:19:44 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2011.04.05 21:16:07 | 000,254,272 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011.04.05 21:12:56 | 000,004,212 | -H-- | C] () -- C:\WINDOWS\System32\zllictbl.dat
[2011.04.05 21:04:49 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2011.04.05 19:34:56 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2011.04.05 19:28:55 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2005.08.30 14:50:44 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_en.dll
[2005.08.30 14:42:22 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_pt.dll
[2005.08.30 14:42:14 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_zh-CHT.dll
[2005.08.30 14:42:04 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_ko.dll
[2005.08.30 14:41:50 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_es.dll
[2005.08.30 14:41:42 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_ru.dll
[2005.08.30 14:41:32 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_ja.dll
[2005.08.30 14:41:24 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_it.dll
[2005.08.30 14:41:14 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_de.dll
[2005.08.30 14:41:04 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_fr.dll
[2005.08.30 14:40:56 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_zh-CHS.dll
[2005.03.22 01:48:05 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2005.03.22 01:48:05 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2005.03.07 13:30:48 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\TspPopup_RUS.dll
[2005.03.07 13:30:48 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\TspPopup_ITA.dll
[2005.03.07 13:30:48 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\TspPopup_FRA.dll
[2005.03.07 13:30:46 | 000,348,160 | ---- | C] () -- C:\WINDOWS\System32\Tsp.dll
[2005.03.07 13:30:46 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\TspPopup_ESN.dll
[2005.03.07 13:30:46 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\TspPopup_ENU.dll
[2005.03.07 13:30:46 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\TspPopup_DEU.dll
[2005.03.07 13:30:46 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\TspPopup_CHS.dll
[2004.08.04 12:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004.08.04 12:00:00 | 000,383,254 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004.08.04 12:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004.08.04 12:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004.08.04 12:00:00 | 000,053,608 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004.08.04 12:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004.08.04 12:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004.08.04 12:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004.08.04 12:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004.08.04 12:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2003.02.20 17:53:42 | 000,005,702 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== LOP Check ==========

[2011.04.16 18:54:08 | 000,000,000 | ---D | M] -- D:\Helmut\Application Data\CheckPoint
[2011.04.27 20:24:00 | 000,000,000 | ---D | M] -- D:\Helmut\Application Data\PersBackup5

========== Purity Check ==========



========== Custom Scans ==========


< c:|Fun4IM;true;true;true; /FP >

< c:|Bandoo;true;true;true; /FP >

< c:|Searchqu;true;true;true; /FP >

< c:|iLivid;true;true;true; /FP >
[2011.05.29 20:21:29 | 000,000,000 | ---D | M] -- c:\Program Files\Windows iLivid Toolbar
[2011.05.29 20:21:28 | 000,000,000 | ---D | M] -- c:\Program Files\Windows iLivid Toolbar\Datamngr
[2011.05.29 20:21:27 | 000,000,000 | ---D | M] -- c:\Program Files\Windows iLivid Toolbar\ToolBar

< End of report >
Helmut13
Regular Member
 
Posts: 75
Joined: May 30th, 2011, 3:05 pm

Re: http://www.searchqu.com/406 is always start page

Unread postby Helmut13 » June 2nd, 2011, 12:43 pm

and the second log (Extras.txt):

OTL Extras logfile created on: 02.06.2011 18:29:51 - Run 2
OTL by OldTimer - Version 3.2.23.0 Folder = D:\Helmut\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000407 | Country: Germany | Language: DEU | Date Format: dd.MM.yyyy

1014,07 Mb Total Physical Memory | 492,19 Mb Available Physical Memory | 48,54% Memory free
2,38 Gb Paging File | 1,96 Gb Available in Paging File | 82,12% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74,50 Gb Total Space | 64,36 Gb Free Space | 86,39% Space Free | Partition Type: NTFS
Drive D: | 296,56 Gb Total Space | 248,55 Gb Free Space | 83,81% Space Free | Partition Type: NTFS
Drive E: | 99,59 Gb Total Space | 77,01 Gb Free Space | 77,33% Space Free | Partition Type: NTFS
Drive F: | 69,61 Gb Total Space | 64,39 Gb Free Space | 92,50% Space Free | Partition Type: NTFS

Computer Name: COMPUTER | User Name: Helmut | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe shdocvw.dll,OpenURL %l

[HKEY_USERS\S-1-5-21-1004336348-1202660629-682003330-1003\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
InternetShortcut [open] -- rundll32.exe shdocvw.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring" = 1

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\WINDOWS\system32\ZoneLabs\vsmon.exe" = C:\WINDOWS\system32\ZoneLabs\vsmon.exe:*:Enabled:vsmon -- (Check Point Software Technologies LTD)
"C:\Documents and Settings\Helmut\Local Settings\Application Data\Google\Google Earth\client\googleearth.exe" = C:\Documents and Settings\Helmut\Local Settings\Application Data\Google\Google Earth\client\googleearth.exe:*:Enabled:Google Earth -- (Google)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}" = PDFCreator
"{058B32E2-6310-4359-B2D4-1988390C3B83}" = Broadcom Advanced Control Suite
"{071B9AFA-EBE8-4ABF-8F4A-9F92612F517E}" = Broadcom ASF Management Applications
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_iP4300" = Canon iP4300
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{26A24AE4-039D-4CA4-87B4-2F83216022FF}" = Java(TM) 6 Update 22
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}" = Google Earth
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{63E949F6-03BC-5C40-FF1F-C8B3B9A1E18E}" = Visual C++ 8.0 CRT.Policy (x86) WinSXS MSM
"{725F7446-EAC3-4279-97EF-5A5F6A9F6BF8}" = STMicroelectronics TPM Software Package
"{7e09afc2-65bd-482f-ba8a-501ecc6429bf}" = NTRU Hybrid TSS v1.05
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel(R) Graphics Media Accelerator Driver
"{90110407-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{97C82B44-D408-4F14-9252-47FC1636D23E}_is1" = IZArc 4.1.6
"{98CB24AD-52FB-DB5F-FF1F-C8B3B9A1E18E}" = Visual C++ 8.0 CRT (x86) WinSXS MSM
"{AC76BA86-7AD7-1031-7B44-AA0000000001}" = Adobe Reader X (10.0.1) - Deutsch
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B7F54262-AB66-44B3-88BF-9FC69941B643}" = Broadcom Gigabit Integrated Controller
"{BE06114F-559D-11E0-B5A1-001D0926B1BF}" = Google Earth
"{C7B8E06E-EBBC-4210-93AB-DFC8760E3FC9}" = Works Suite-Betriebssystem-Pack
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{D28FDA7D-15C6-48A2-9868-6BCB28BE6254}" = Microsoft Picture It! Foto 2001
"{D768EBA6-7C43-4F65-B165-1B1EF9BD5DD8}" = EMBASSY Security Center
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F2260E94-80F2-4CB1-B6B1-6043D9BFFA47}" = Works-Synchronisierung
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"Canon iP4300 User Registration" = Canon iP4300 User Registration
"Canon Setup Utility 2.3" = Canon Setup Utility 2.3
"Easy-PhotoPrint" = Canon Utilities Easy-PhotoPrint
"Easy-PrintToolBox" = Canon Utilities Easy-PrintToolBox
"Easy-WebPrint" = Easy-WebPrint
"ERUNT_is1" = ERUNT 1.1j
"FreePDF_XP" = FreePDF (Remove only)
"GPL Ghostscript" = GPL Ghostscript
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"MediaNavigation.CDLabelPrint" = CD-LabelPrint
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Mozilla Firefox 4.0.1 (x86 de)" = Mozilla Firefox 4.0.1 (x86 de)
"Network Print Monitor" = Network Print Monitor for Windows 2000/XP/2003
"Personal Backup 5_is1" = Personal Backup 5.0
"Recuva" = Recuva
"Redirection Port Monitor" = RedMon - Redirection Port Monitor
"Searchqu 406 MediaBar" = Windows iLivid Toolbar
"Shockwave" = Shockwave
"VLC media player" = VLC media player 1.1.8
"Windows XP Service Pack" = Windows XP Service Pack 3
"Works2001Setup" = Microsoft Works 2001-Setup-Start
"ZoneAlarm" = ZoneAlarm

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 01.05.2011 03:40:50 | Computer Name = COMPUTER | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 2.0.1.4120, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 02.06.2011 10:18:46 | Computer Name = COMPUTER | Source = Service Control Manager | ID = 7001
Description = The TrueVector Internet Monitor service depends on the vsdatant service
which failed to start because of the following error: %%1059

Error - 02.06.2011 10:18:46 | Computer Name = COMPUTER | Source = Service Control Manager | ID = 7017
Description = Detected circular dependencies demand starting TrueVector Internet
Monitor.

Error - 02.06.2011 10:18:47 | Computer Name = COMPUTER | Source = Service Control Manager | ID = 7019
Description = Circular dependency: The vsdatant service depends on a service in
a group which starts later.

Error - 02.06.2011 10:18:47 | Computer Name = COMPUTER | Source = Service Control Manager | ID = 7001
Description = The TrueVector Internet Monitor service depends on the vsdatant service
which failed to start because of the following error: %%1059

Error - 02.06.2011 10:18:47 | Computer Name = COMPUTER | Source = Service Control Manager | ID = 7017
Description = Detected circular dependencies demand starting TrueVector Internet
Monitor.

Error - 02.06.2011 10:18:48 | Computer Name = COMPUTER | Source = Service Control Manager | ID = 7019
Description = Circular dependency: The vsdatant service depends on a service in
a group which starts later.

Error - 02.06.2011 10:18:48 | Computer Name = COMPUTER | Source = Service Control Manager | ID = 7001
Description = The TrueVector Internet Monitor service depends on the vsdatant service
which failed to start because of the following error: %%1059

Error - 02.06.2011 10:18:48 | Computer Name = COMPUTER | Source = Service Control Manager | ID = 7017
Description = Detected circular dependencies demand starting TrueVector Internet
Monitor.

Error - 02.06.2011 10:18:49 | Computer Name = COMPUTER | Source = Service Control Manager | ID = 7019
Description = Circular dependency: The vsdatant service depends on a service in
a group which starts later.

Error - 02.06.2011 10:18:49 | Computer Name = COMPUTER | Source = Service Control Manager | ID = 7001
Description = The TrueVector Internet Monitor service depends on the vsdatant service
which failed to start because of the following error: %%1059


< End of report >
Helmut13
Regular Member
 
Posts: 75
Joined: May 30th, 2011, 3:05 pm

Re: http://www.searchqu.com/406 is always start page

Unread postby Gary R » June 2nd, 2011, 5:16 pm

Please go to Control Panel > Add/Remove Programs and Uninstall the following:

Java(TM) 6 Update 22


Old versions of Java can be exploited.

Now reboot your computer.

Now download and install JDK 6 Update 25 (JDK or JRE).

Next

  • Double click OTL.exe to launch the programme.
  • Copy/Paste the contents of the code box below into the Custom Scans/Fixes box.
Code:
:OTL
FF - prefs.js..browser.search.defaultenginename: "Web Search"
FF - prefs.js..browser.search.order.1: "Web Search"
FF - prefs.js..browser.search.selectedEngine: "Web Search"
FF - prefs.js..browser.startup.homepage: "http://www.searchqu.com/406"
FF - prefs.js..keyword.URL: "http://www.searchqu.com/web?src=ffb&systemid=406&q="
[2011.03.23 14:24:21 | 000,005,529 | ---- | M] () -- D:\Helmut\Application Data\Mozilla\Firefox\Profiles\96cjgmc7.default\searchplugins\SearchquWebSearch.xml
[2011.03.23 14:24:21 | 000,005,529 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\SearchquWebSearch.xml
O4 - HKLM..\Run: [DATAMNGR] C:\Program Files\Windows iLivid Toolbar\Datamngr\datamngrUI.exe (Discordia, LTD)
O4 - HKU\S-1-5-21-1004336348-1202660629-682003330-1003..\Run: [Google Update] File not found
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_22)
O20 - AppInit_DLLs: (c:\progra~1\window~4\datamngr\datamngr.dll) - c:\Program Files\Windows iLivid Toolbar\Datamngr\datamngr.dll (Discordia, LTD)
O20 - AppInit_DLLs: (c:\progra~1\window~4\datamngr\iebho.dll) - c:\Program Files\Windows iLivid Toolbar\Datamngr\IEBHO.dll (Discordia, LTD)
O33 - MountPoints2\{87f11ba9-5fb3-11e0-88b5-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{87f11ba9-5fb3-11e0-88b5-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{87f11ba9-5fb3-11e0-88b5-806d6172696f}\Shell\AutoRun\command - "" = D:\SETUP.EXE /AUTORUN
O33 - MountPoints2\{87f11ba9-5fb3-11e0-88b5-806d6172696f}\Shell\configure\command - "" = D:\SETUP.EXE
O33 - MountPoints2\{87f11ba9-5fb3-11e0-88b5-806d6172696f}\Shell\install\command - "" = D:\SETUP.EXE

:Files
D:\Helmut\Local Settings\Application Data\Ilivid Player
C:\Program Files\Windows iLivid Toolbar
ipconfig /flushdns /c

:Commands
[resethosts]
[emptytemp]
[emptyflash]

  • Click the Run Fix button.
  • OTL will now process the instructions.
  • When finished a box will open asking you to open the fix log, click OK.
  • The fix log will open.
  • Copy/Paste the log in your next reply please.

Note: If necessary, OTL may re-boot your computer, or request that you do so; if it does, re-boot your computer. A log will be produced upon re-boot.

Next

Run a scan with Malwarebytes anti-malware ....

  • Click on the Malwarebytes' Anti-Malware icon to launch the programme.
    • Click the Updates tab.
      • Click Check for Updates and allow the programme to download the latest definitions.
    • Click the Scanner tab.
      • Check Perform Quick Scan.
      • Click Scan and wait for the scan to complete.
      • When the scan is complete, click OK, then Show Results.
      • Check all items except items in the C:\System Volume Information folder and click on Remove Selected.
        • A box will pop-up telling you that files have been quarantined.
        • A log will pop-up.
      • Post the log in your next reply please.

You can also access the log by doing the following
  • Click on the Logs tab.
    • Click on the log at the bottom of those listed to highlight it.
    • Click Open

Next

Please run a scan with ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will, however, need to disable your currently installed Anti-Virus; how to do so can be read here.
  • Please go HERE then click on: Image
Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  • Select the option YES, I accept the Terms of Use then click on: Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Image
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed make sure you first copy the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt
  • Copy and paste that log in your next reply please.
  • Now click on: Image (Selecting Uninstall application on close if you so wish)

Summary of the logs I need from you in your next post:
  • OTL log
  • MBAM log
  • E-Set log
  • Let me know how your computer is behaving now please.


Please post each log separately to prevent it being cut off by the forum post size limiter. Check each after you've posted it to make sure it's all present; if any log is cut off you'll have to post it in sections.
Gary R
Administrator
 
Posts: 21872
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire
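The fix above works by pasting OTL scan lines back into a :OTL section, each line standing for a different persistence or hijack mechanism (Firefox prefs.js, an HKLM Run value, AppInit_DLLs, a MountPoints2 autorun). As an added example that is not part of the thread or of OTL itself, this Python script triages OTL-style scan lines by mechanism and builds the matching :OTL block; the sample lines are constructed from this thread, and the benign avgnt Run entry, its publisher string and the watch-lists are assumptions.

```python
"""Triage OTL-style scan lines for browser-hijack indicators and emit a :OTL fix block."""
import re
from dataclasses import dataclass

# Watch-lists built from the hijack seen in this thread (assumption: extend for other cases).
HIJACK_DOMAINS = {"searchqu.com"}
HIJACK_ENGINE_NAMES = {"Web Search"}
# Path fragments and publisher of the toolbar bundle that carried the hijack.
PUP_MARKERS = ("iLivid Toolbar", "Datamngr", "Discordia, LTD")

# Constructed sample: lines from the fix in this thread plus a benign Avira Run entry
# (the avgnt line and its publisher string are made up for the example).
SAMPLE_OTL = r'''FF - prefs.js..browser.startup.homepage: "http://www.searchqu.com/406"
FF - prefs.js..keyword.URL: "http://www.searchqu.com/web?src=ffb&systemid=406&q="
FF - prefs.js..browser.search.selectedEngine: "Web Search"
O4 - HKLM..\Run: [DATAMNGR] C:\Program Files\Windows iLivid Toolbar\Datamngr\datamngrUI.exe (Discordia, LTD)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O20 - AppInit_DLLs: (c:\progra~1\window~4\datamngr\datamngr.dll) - c:\Program Files\Windows iLivid Toolbar\Datamngr\datamngr.dll (Discordia, LTD)
O33 - MountPoints2\{87f11ba9-5fb3-11e0-88b5-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{87f11ba9-5fb3-11e0-88b5-806d6172696f}\Shell\AutoRun\command - "" = D:\SETUP.EXE /AUTORUN
'''


@dataclass
class Finding:
    mechanism: str  # which persistence / hijack mechanism the line represents
    line: str       # the original scan line; OTL accepts it verbatim in the :OTL section


_HOST_RE = re.compile(r'https?://([^/":\s]+)', re.IGNORECASE)


def _host_matches(value: str, domains: set) -> bool:
    """True when the URL in value points at one of the watch-listed domains."""
    m = _HOST_RE.search(value)
    if not m:
        return False
    host = m.group(1).lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def triage_line(line: str):
    """Return a Finding for a suspicious OTL scan line, or None for a benign one."""
    line = line.rstrip()
    if line.startswith("FF - prefs.js.."):
        pref, _, value = line[len("FF - prefs.js.."):].partition(": ")
        value = value.strip().strip('"')
        # Homepage and keyword.URL redirected to a hijacker domain.
        if pref in ("browser.startup.homepage", "keyword.URL") and _host_matches(value, HIJACK_DOMAINS):
            return Finding("firefox-pref-hijack", line)
        # Default/selected search engine swapped for the toolbar's engine.
        if pref.startswith("browser.search.") and value in HIJACK_ENGINE_NAMES:
            return Finding("firefox-search-engine-hijack", line)
        return None
    if line.startswith("O20 - AppInit_DLLs:"):
        # AppInit_DLLs are loaded into every user32-linked process; legitimate use is rare,
        # so every entry is reviewed.
        return Finding("appinit-dll-injection", line)
    if line.startswith("O4 - ") and "\\Run:" in line:
        # Autostart entries are only flagged when they point at the toolbar bundle.
        if any(marker.lower() in line.lower() for marker in PUP_MARKERS):
            return Finding("run-key-autostart", line)
        return None
    if line.startswith("O33 - MountPoints2") and "\\command" in line:
        # Cached autorun command for mounted media; removed as residue in the fix.
        return Finding("mountpoint-autorun", line)
    return None


def triage(report: str):
    """Triage every line of an OTL scan report, keeping only findings."""
    return [f for f in (triage_line(l) for l in report.splitlines()) if f]


def build_otl_fix(findings):
    """Build the :OTL section of a fix script: flagged scan lines pasted verbatim."""
    return ":OTL\n" + "\n".join(f.line for f in findings) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_OTL)
    for f in found:
        print(f"{f.mechanism:30} {f.line}")
    print(build_otl_fix(found))
```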

Re: http://www.searchqu.com/406 is always start page

Unread postby Helmut13 » June 3rd, 2011, 8:33 am

All processes killed
========== OTL ==========
Prefs.js: "Web Search" removed from browser.search.defaultenginename
Prefs.js: "Web Search" removed from browser.search.order.1
Prefs.js: "Web Search" removed from browser.search.selectedEngine
Prefs.js: "http://www.searchqu.com/406" removed from browser.startup.homepage
Prefs.js: "http://www.searchqu.com/web?src=ffb&systemid=406&q=" removed from keyword.URL
D:\Helmut\Application Data\Mozilla\Firefox\Profiles\96cjgmc7.default\searchplugins\SearchquWebSearch.xml moved successfully.
C:\Program Files\Mozilla Firefox\searchplugins\SearchquWebSearch.xml moved successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\DATAMNGR deleted successfully.
C:\Program Files\Windows iLivid Toolbar\Datamngr\datamngrUI.exe moved successfully.
Registry value HKEY_USERS\S-1-5-21-1004336348-1202660629-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Run\\Google Update deleted successfully.
Starting removal of ActiveX control {8AD9C840-044E-11D1-B3E9-00805F499D93}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:c:\progra~1\window~4\datamngr\datamngr.dll deleted successfully.
c:\Program Files\Windows iLivid Toolbar\Datamngr\datamngr.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:c:\progra~1\window~4\datamngr\iebho.dll deleted successfully.
c:\Program Files\Windows iLivid Toolbar\Datamngr\IEBHO.dll moved successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{87f11ba9-5fb3-11e0-88b5-806d6172696f}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{87f11ba9-5fb3-11e0-88b5-806d6172696f}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{87f11ba9-5fb3-11e0-88b5-806d6172696f}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{87f11ba9-5fb3-11e0-88b5-806d6172696f}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{87f11ba9-5fb3-11e0-88b5-806d6172696f}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{87f11ba9-5fb3-11e0-88b5-806d6172696f}\ not found.
File D:\SETUP.EXE /AUTORUN not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{87f11ba9-5fb3-11e0-88b5-806d6172696f}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{87f11ba9-5fb3-11e0-88b5-806d6172696f}\ not found.
File D:\SETUP.EXE not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{87f11ba9-5fb3-11e0-88b5-806d6172696f}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{87f11ba9-5fb3-11e0-88b5-806d6172696f}\ not found.
File D:\SETUP.EXE not found.
========== FILES ==========
D:\Helmut\Local Settings\Application Data\Ilivid Player folder moved successfully.
C:\Program Files\Windows iLivid Toolbar\ToolBar\components folder moved successfully.
C:\Program Files\Windows iLivid Toolbar\ToolBar\chrome\skin\searchbar folder moved successfully.
C:\Program Files\Windows iLivid Toolbar\ToolBar\chrome\skin\options folder moved successfully.
C:\Program Files\Windows iLivid Toolbar\ToolBar\chrome\skin\lib\weatherbutton\panels\images folder moved successfully.
C:\Program Files\Windows iLivid Toolbar\ToolBar\chrome\skin\lib\weatherbutton\panels folder moved successfully.
C:\Program Files\Windows iLivid Toolbar\ToolBar\chrome\skin\lib\weatherbutton\icons folder moved successfully.
C:\Program Files\Windows iLivid Toolbar\ToolBar\chrome\skin\lib\weatherbutton folder moved successfully.
C:\Program Files\Windows iLivid Toolbar\ToolBar\chrome\skin\lib\uwa folder moved successfully.
C:\Program Files\Windows iLivid Toolbar\ToolBar\chrome\skin\lib\radio\images folder moved successfully.
C:\Program Files\Windows iLivid Toolbar\ToolBar\chrome\skin\lib\radio\css folder moved successfully.
C:\Program Files\Windows iLivid Toolbar\ToolBar\chrome\skin\lib\radio folder moved successfully.
C:\Program Files\Windows iLivid Toolbar\ToolBar\chrome\skin\lib\panels\images folder moved successfully.
C:\Program Files\Windows iLivid Toolbar\ToolBar\chrome\skin\lib\panels\default\scripts folder moved successfully.
C:\Program Files\Windows iLivid Toolbar\ToolBar\chrome\skin\lib\panels\default\images folder moved successfully.
C:\Program Files\Windows iLivid Toolbar\ToolBar\chrome\skin\lib\panels\default\css folder moved successfully.
C:\Program Files\Windows iLivid Toolbar\ToolBar\chrome\skin\lib\panels\default folder moved successfully.
C:\Program Files\Windows iLivid Toolbar\ToolBar\chrome\skin\lib\panels\css folder moved successfully.
C:\Program Files\Windows iLivid Toolbar\ToolBar\chrome\skin\lib\panels folder moved successfully.
C:\Program Files\Windows iLivid Toolbar\ToolBar\chrome\skin\lib folder moved successfully.
C:\Program Files\Windows iLivid Toolbar\ToolBar\chrome\skin folder moved successfully.
C:\Program Files\Windows iLivid Toolbar\ToolBar\chrome\content\widgets\net.vmn.www.YouTube_v2\skin\scripts folder moved successfully.
C:\Program Files\Windows iLivid Toolbar\ToolBar\chrome\content\widgets\net.vmn.www.YouTube_v2\skin\images folder moved successfully.
C:\Program Files\Windows iLivid Toolbar\ToolBar\chrome\content\widgets\net.vmn.www.YouTube_v2\skin\css folder moved successfully.
C:\Program Files\Windows iLivid Toolbar\ToolBar\chrome\content\widgets\net.vmn.www.YouTube_v2\skin folder moved successfully.
C:\Program Files\Windows iLivid Toolbar\ToolBar\chrome\content\widgets\net.vmn.www.YouTube_v2\js folder moved successfully.
C:\Program Files\Windows iLivid Toolbar\ToolBar\chrome\content\widgets\net.vmn.www.YouTube_v2\images folder moved successfully.
C:\Program Files\Windows iLivid Toolbar\ToolBar\chrome\content\widgets\net.vmn.www.YouTube_v2\css folder moved successfully.
C:\Program Files\Windows iLivid Toolbar\ToolBar\chrome\content\widgets\net.vmn.www.YouTube_v2 folder moved successfully.
C:\Program Files\Windows iLivid Toolbar\ToolBar\chrome\content\widgets\net.vmn.www.Twitter\skin\scripts folder moved successfully.
C:\Program Files\Windows iLivid Toolbar\ToolBar\chrome\content\widgets\net.vmn.www.Twitter\skin\images folder moved successfully.
C:\Program Files\Windows iLivid Toolbar\ToolBar\chrome\content\widgets\net.vmn.www.Twitter\skin\css folder moved successfully.
C:\Program Files\Windows iLivid Toolbar\ToolBar\chrome\content\widgets\net.vmn.www.Twitter\skin folder moved successfully.
C:\Program Files\Windows iLivid Toolbar\ToolBar\chrome\content\widgets\net.vmn.www.Twitter\js folder moved successfully.
C:\Program Files\Windows iLivid Toolbar\ToolBar\chrome\content\widgets\net.vmn.www.Twitter\images folder moved successfully.
C:\Program Files\Windows iLivid Toolbar\ToolBar\chrome\content\widgets\net.vmn.www.Twitter\css folder moved successfully.
C:\Program Files\Windows iLivid Toolbar\ToolBar\chrome\content\widgets\net.vmn.www.Twitter folder moved successfully.
C:\Program Files\Windows iLivid Toolbar\ToolBar\chrome\content\widgets\net.vmn.www.PPCBully folder moved successfully.
C:\Program Files\Windows iLivid Toolbar\ToolBar\chrome\content\widgets\net.vmn.www.MyStartFacebook\skin\scripts folder moved successfully.
C:\Program Files\Windows iLivid Toolbar\ToolBar\chrome\content\widgets\net.vmn.www.MyStartFacebook\skin\images folder moved successfully.
C:\Program Files\Windows iLivid Toolbar\ToolBar\chrome\content\widgets\net.vmn.www.MyStartFacebook\skin\css folder moved successfully.
C:\Program Files\Windows iLivid Toolbar\ToolBar\chrome\content\widgets\net.vmn.www.MyStartFacebook\skin folder moved successfully.
C:\Program Files\Windows iLivid Toolbar\ToolBar\chrome\content\widgets\net.vmn.www.MyStartFacebook\js folder moved successfully.
C:\Program Files\Windows iLivid Toolbar\ToolBar\chrome\content\widgets\net.vmn.www.MyStartFacebook\images folder moved successfully.
C:\Program Files\Windows iLivid Toolbar\ToolBar\chrome\content\widgets\net.vmn.www.MyStartFacebook\css folder moved successfully.
C:\Program Files\Windows iLivid Toolbar\ToolBar\chrome\content\widgets\net.vmn.www.MyStartFacebook folder moved successfully.
C:\Program Files\Windows iLivid Toolbar\ToolBar\chrome\content\widgets\net.vmn.www.Coupons_v2\skin\scripts folder moved successfully.
C:\Program Files\Windows iLivid Toolbar\ToolBar\chrome\content\widgets\net.vmn.www.Coupons_v2\skin\images folder moved successfully.
C:\Program Files\Windows iLivid Toolbar\ToolBar\chrome\content\widgets\net.vmn.www.Coupons_v2\skin\css folder moved successfully.
C:\Program Files\Windows iLivid Toolbar\ToolBar\chrome\content\widgets\net.vmn.www.Coupons_v2\skin folder moved successfully.
C:\Program Files\Windows iLivid Toolbar\ToolBar\chrome\content\widgets\net.vmn.www.Coupons_v2\js folder moved successfully.
C:\Program Files\Windows iLivid Toolbar\ToolBar\chrome\content\widgets\net.vmn.www.Coupons_v2\images folder moved successfully.
C:\Program Files\Windows iLivid Toolbar\ToolBar\chrome\content\widgets\net.vmn.www.Coupons_v2\css folder moved successfully.
C:\Program Files\Windows iLivid Toolbar\ToolBar\chrome\content\widgets\net.vmn.www.Coupons_v2 folder moved successfully.
C:\Program Files\Windows iLivid Toolbar\ToolBar\chrome\content\widgets folder moved successfully.
C:\Program Files\Windows iLivid Toolbar\ToolBar\chrome\content\modules folder moved successfully.
C:\Program Files\Windows iLivid Toolbar\ToolBar\chrome\content\lib folder moved successfully.
C:\Program Files\Windows iLivid Toolbar\ToolBar\chrome\content\data\search folder moved successfully.
C:\Program Files\Windows iLivid Toolbar\ToolBar\chrome\content\data folder moved successfully.
C:\Program Files\Windows iLivid Toolbar\ToolBar\chrome\content folder moved successfully.
C:\Program Files\Windows iLivid Toolbar\ToolBar\chrome folder moved successfully.
C:\Program Files\Windows iLivid Toolbar\ToolBar folder moved successfully.
C:\Program Files\Windows iLivid Toolbar\Datamngr\FirefoxExtension\content folder moved successfully.
C:\Program Files\Windows iLivid Toolbar\Datamngr\FirefoxExtension\components folder moved successfully.
C:\Program Files\Windows iLivid Toolbar\Datamngr\FirefoxExtension folder moved successfully.
C:\Program Files\Windows iLivid Toolbar\Datamngr folder moved successfully.
C:\Program Files\Windows iLivid Toolbar folder moved successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
D:\Helmut\My Documents\Downloads\cmd.bat deleted successfully.
D:\Helmut\My Documents\Downloads\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Helmut
->Temp folder emptied: 168914324 bytes
->Temporary Internet Files folder emptied: 48831342 bytes
->Java cache emptied: 741282 bytes
->FireFox cache emptied: 48920051 bytes
->Flash cache emptied: 604 bytes

User: RECYCLER

User: System Volume Information

User: _OTL

%systemdrive% .tmp files removed: 276480 bytes
%systemroot% .tmp files removed: 2195181 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 3086795 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 990 bytes

Total Files Cleaned = 260,00 mb


[EMPTYFLASH]

User: Helmut
->Flash cache emptied: 0 bytes

User: RECYCLER

User: System Volume Information

User: _OTL

Total Flash Files Cleaned = 0,00 mb


OTL by OldTimer - Version 3.2.23.0 log created on 06032011_105808

Files\Folders moved on Reboot...
File\Folder D:\Helmut\Local Settings\Temp\~DF3B61.tmp not found!

Registry entries deleted on Reboot...
Helmut13
Regular Member
 
Posts: 75
Joined: May 30th, 2011, 3:05 pm

Re: http://www.searchqu.com/406 is always start page

Unread postby Helmut13 » June 3rd, 2011, 8:33 am

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Datenbank Version: 6758

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

03.06.2011 11:11:43
mbam-log-2011-06-03 (11-11-43).txt

Art des Suchlaufs: Quick-Scan
Durchsuchte Objekte: 165019
Laufzeit: 3 Minute(n), 24 Sekunde(n)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 0

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
(Keine bösartigen Objekte gefunden)
Helmut13
Regular Member
 
Posts: 75
Joined: May 30th, 2011, 3:05 pm

Re: http://www.searchqu.com/406 is always start page

Unread postby Helmut13 » June 3rd, 2011, 8:34 am

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6427
# api_version=3.0.2
# EOSSerial=3691ff2d31e376429a1ffbf60b8866ff
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-06-03 10:32:12
# local_time=2011-06-03 12:32:12 (+0100, W. Europe Daylight Time)
# country="Germany"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1797 16775145 100 93 312316 43633154 305790 0
# compatibility_mode=8192 67108863 100 0 176 176 0 0
# compatibility_mode=9217 16777214 75 59 4727648 9053435 0 0
# scanned=138316
# found=2
# cleaned=0
# scan_time=4399
D:\Helmut\My Documents\Downloads\IZArc4.1.6.exe Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I
D:\Helmut\My Documents\Installationsdateien\zlsSetup_80_020_000_en.exe a variant of Win32/AdInstaller application (unable to clean) 00000000000000000000000000000000 I
Helmut13
Regular Member
 
Posts: 75
Joined: May 30th, 2011, 3:05 pm

Re: http://www.searchqu.com/406 is always start page

Unread postby Helmut13 » June 3rd, 2011, 8:36 am

Thank you very much. The computer works normally again. There is no more http://www.searchqu.com/406.
Helmut13
Regular Member
 
Posts: 75
Joined: May 30th, 2011, 3:05 pm

Re: http://www.searchqu.com/406 is always start page

Unread postby Gary R » June 3rd, 2011, 10:18 am

There are a couple of files found by E-Set still to remove ....

  • Double click OTL.exe to launch the programme.
  • Copy/Paste the contents of the code box below into the Custom Scans/Fixes box.
Code:
:Files
D:\Helmut\My Documents\Downloads\IZArc4.1.6.exe
D:\Helmut\My Documents\Installationsdateien\zlsSetup_80_020_000_en.exe

  • Click the Run Fix button.
  • OTL will now process the instructions.
  • When finished a box will open asking you to open the fix log, click OK.
  • The fix log will open.
  • Copy/Paste the log in your next reply please.

Note: If necessary, OTL may re-boot your computer, or request that you do so, if it does, re-boot your computer. A log will be produced upon re-boot.
Gary R
Administrator
 
Posts: 21872
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: http://www.searchqu.com/406 is always start page

Unread postby Helmut13 » June 3rd, 2011, 12:26 pm

========== FILES ==========
D:\Helmut\My Documents\Downloads\IZArc4.1.6.exe moved successfully.
D:\Helmut\My Documents\Installationsdateien\zlsSetup_80_020_000_en.exe moved successfully.

OTL by OldTimer - Version 3.2.23.0 log created on 06032011_182553
Helmut13
Regular Member
 
Posts: 75
Joined: May 30th, 2011, 3:05 pm

Re: http://www.searchqu.com/406 is always start page

Unread postby Gary R » June 3rd, 2011, 4:06 pm

Looks like we got everything; time for a little tidying up, and then I'll make a few suggestions about security.

Let's clear out OTL and the files and folders it created.
  • Double click OTL.exe to launch the programme.
  • Click on the CleanUp! button.
  • OTL will download a list from the Internet; if your firewall or other defensive programmes alert you, allow it access.
  • You will be prompted to allow the clean up procedure, click Yes
  • When finished exit out of OTL
  • Now delete OTL.exe (if still present).

As far as I can see, your computer looks clear of infection now.

Are you still noticing any problems?
  • If you are let me know about them.
  • If not it's time to make your computer more secure.

Please read the article below which will give you a few suggestions for how to minimise your chances of getting another infection.

If your computer is running slowly after your clean up, please read.
Gary R
Administrator
 
Posts: 21872
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: http://www.searchqu.com/406 is always start page

Unread postby Gary R » June 5th, 2011, 1:33 am

As your problems appear to have been resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
Gary R
Administrator
 
Posts: 21872
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire