Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Bandoo/Searchqu/iLivid

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: Bandoo/Searchqu/iLivid

Unread postby melboy » June 23rd, 2011, 7:53 pm

Hi


ComboFix (by sUBs)

Please visit this webpage for instructions for downloading and running ComboFix: Bleeping Computer ComboFix Tutorial

  • You must download it to and run it from your Desktop
  • Now STOP all your security applications (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
    For instructions on how to disable your security programs, please see this topic:
    How to disable your security applications
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply
  • Re-enable all the programs that were disabled during the running of ComboFix..


A word of warning: This tool is not for everyday use. ComboFix SHOULD NOT be used unless requested by a forum helper
Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
User avatar
melboy
MRU Expert
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK
Advertisement
Register to Remove

Re: Bandoo/Searchqu/iLivid

Unread postby jlars » June 23rd, 2011, 8:20 pm

Combofix "needed to run a deeper scan" and, upon finishing that, rebooted the PC.
This possibility wasn't mentioned anywhere in the instructions.
Is this proceeding normally?
jlars
Regular Member
 
Posts: 16
Joined: June 17th, 2011, 10:01 pm

Re: Bandoo/Searchqu/iLivid

Unread postby melboy » June 23rd, 2011, 8:29 pm

yes - don't worry. ;)
User avatar
melboy
MRU Expert
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Bandoo/Searchqu/iLivid

Unread postby jlars » June 23rd, 2011, 8:31 pm

Great. Here's the ComboFix log:
=======================

ComboFix 11-06-23.01 - HP_Administrator 06/23/2011 20:09:50.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2494.1838 [GMT -4:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\HP_Administrator\Application Data\Start
c:\documents and settings\HP_Administrator\Application Data\Start\temp_BB40E0B5\flash.10.0.32.18.ocx
c:\documents and settings\HP_Administrator\Local Settings\Temp\IadHide5.dll
c:\documents and settings\HP_Administrator\WINDOWS
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\ps2.bat
D:\Autorun.inf
.
----- File Replicators -----
.
c:\hp\bin\commands.exe
d:\i386\APPS\APP00926\commands.exe
d:\i386\APPS\APP04870\commands.exe
d:\i386\APPS\APP06722\commands.exe
d:\i386\APPS\APP08304\commands.exe
d:\i386\APPS\APP09288\commands.exe
d:\i386\APPS\APP09844\commands.exe
d:\i386\APPS\APP09983\commands.exe
d:\i386\APPS\APP11997\commands.exe
d:\i386\APPS\APP12305\commands.exe
d:\i386\APPS\APP12414\commands.exe
d:\i386\APPS\APP13812\commands.exe
d:\i386\APPS\APP15845\commands.exe
d:\i386\APPS\APP17171\commands.exe
d:\i386\APPS\APP19268\commands.exe
d:\i386\APPS\APP21273\commands.exe
d:\i386\APPS\APP22953\commands.exe
d:\i386\APPS\APP23828\commands.exe
d:\i386\APPS\APP24318\commands.exe
d:\i386\APPS\APP25458\commands.exe
d:\i386\APPS\APP26376\commands.exe
d:\i386\APPS\APP26679\commands.exe
d:\i386\APPS\APP26970\commands.exe
d:\i386\APPS\APP29229\commands.exe
d:\i386\DRV\APP05841\commands.exe
d:\i386\DRV\APP06678\commands.exe
d:\i386\DRV\APP08300\commands.exe
d:\i386\DRV\APP11212\commands.exe
d:\i386\DRV\APP13391\commands.exe
d:\i386\DRV\APP17160\commands.exe
d:\i386\DRV\APP17891\commands.exe
d:\i386\DRV\APP19897\commands.exe
d:\i386\DRV\APP20004\commands.exe
d:\i386\DRV\APP20091\commands.exe
d:\i386\DRV\APP25050\commands.exe
d:\i386\DRV\APP25826\commands.exe
d:\i386\DRV\APP26225\commands.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-05-24 to 2011-06-24 )))))))))))))))))))))))))))))))
.
.
2011-06-23 23:27 . 2011-06-23 23:27 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2011-06-23 23:26 . 2011-05-29 13:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-23 23:26 . 2011-06-23 23:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-06-23 23:26 . 2011-05-29 13:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-23 23:26 . 2011-06-23 23:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-06-23 21:50 . 2011-06-23 21:50 -------- d-----w- C:\_OTL
2011-06-16 23:22 . 2011-06-16 23:22 50 ----a-w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\GLF264.tmp
2011-06-16 23:22 . 2011-06-16 23:22 -------- d-----w- c:\documents and settings\HP_Administrator\AppData
2011-06-16 23:20 . 2011-06-16 23:20 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\PackageAware
2011-06-15 23:38 . 2011-04-21 13:37 105472 ------w- c:\windows\system32\dllcache\mup.sys
2011-06-15 12:14 . 2011-06-15 12:14 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-15 01:04 . 2011-06-15 01:04 -------- d-----w- c:\program files\CCleaner
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-10 12:10 . 2010-08-14 14:59 40112 ----a-w- c:\windows\avastSS.scr
2011-05-10 12:10 . 2010-05-24 23:14 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-05-10 12:03 . 2011-02-24 04:31 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-05-10 12:03 . 2010-05-24 23:15 307928 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-05-10 12:02 . 2010-05-24 23:15 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-05-10 12:02 . 2010-05-24 23:15 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-05-10 12:02 . 2010-05-24 23:15 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-05-10 11:59 . 2010-05-24 23:15 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-05-10 11:59 . 2010-05-24 23:15 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-05-10 11:59 . 2010-05-24 23:15 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-05-02 15:31 . 2009-09-02 05:26 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 16:19 . 2009-09-02 05:27 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 16:11 . 2009-09-02 05:32 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11 . 2009-09-02 05:26 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11 . 2009-09-02 05:26 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01 . 2009-09-02 05:26 385024 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37 . 2009-09-02 05:27 105472 ----a-w- c:\windows\system32\drivers\mup.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-05-10 12:10 122512 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-03 39408]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-06-15 2424192]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 49152]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-25 245760]
"SMSERIAL"="sm56hlpr.exe" [2005-01-24 544768]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb06.exe" [2002-07-11 188416]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-02 180269]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2009-07-07 647216]
"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2009-07-08 472112]
"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 49152]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-09-03 122368]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
.
c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
Updates from HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2009-9-2 36903]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Nexon\\Combat Arms\\Engine.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe"= c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe:LocalSubNet,0.0.0.0/255.255.255.255:Enabled:Pure Networks Platform Service
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58185:TCP"= 58185:TCP:Pando Media Booster
"58185:UDP"= 58185:UDP:Pando Media Booster
"57278:TCP"= 57278:TCP:Pando Media Booster
"57278:UDP"= 57278:UDP:Pando Media Booster
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2/24/2011 12:31 AM 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [5/24/2010 7:15 PM 307928]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/6/2010 5:10 PM 67656]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/24/2010 7:15 PM 19544]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [6/23/2011 7:26 PM 39984]
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... seconduser
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... seconduser
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1 71.243.0.12
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-PCDrProfiler - (no file)
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
AddRemove-Searchqu 406 MediaBar - c:\program files\Windows iLivid Toolbar\uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-23 20:20
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(732)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(244)
c:\windows\system32\WININET.dll
c:\program files\Google\Quick Search Box\bin\1.2.1151.245\qsb.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
c:\program files\Retrospect\Retrospect 7.5\retrorun.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\ehome\mcrdsvc.exe
c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\dllhost.exe
c:\windows\sm56hlpr.exe
c:\windows\eHome\ehmsas.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-06-23 20:27:26 - machine was rebooted
ComboFix-quarantined-files.txt 2011-06-24 00:27
.
Pre-Run: 226,229,743,616 bytes free
Post-Run: 226,189,033,472 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
.
- - End Of File - - A919D0244B31730AF996DCBB5D98B443
jlars
Regular Member
 
Posts: 16
Joined: June 17th, 2011, 10:01 pm

Re: Bandoo/Searchqu/iLivid

Unread postby melboy » June 23rd, 2011, 9:02 pm

Hi

Great job!

After CF has run and combofix.txt has been produced, can you also navigate to C:\Qoobox and post me the contents of: ComboFix-quarantined-files.txt along with combofix.txt

Thanks.


COMBOFIX-Script

A word of warning: Please do not run ComboFix on your own. This tool is not for everyday use.

If combofix prompts you that an update is available, please allow it to update.


  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code: Select all
    DDS::
    AppInit_DLLs: c:\progra~1\wi371a~1\datamngr\datamngr.dll
    

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Image
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • If you need help to disable your protection programs see here.
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
User avatar
melboy
MRU Expert
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Bandoo/Searchqu/iLivid

Unread postby jlars » June 23rd, 2011, 9:30 pm

ComboFix Script log:

ComboFix 11-06-23.01 - HP_Administrator 06/23/2011 21:12:00.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2494.1851 [GMT -4:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Administrator\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((( Files Created from 2011-05-24 to 2011-06-24 )))))))))))))))))))))))))))))))
.
.
2011-06-23 23:27 . 2011-06-23 23:27 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2011-06-23 23:26 . 2011-05-29 13:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-23 23:26 . 2011-06-23 23:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-06-23 23:26 . 2011-05-29 13:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-23 23:26 . 2011-06-23 23:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-06-23 21:50 . 2011-06-23 21:50 -------- d-----w- C:\_OTL
2011-06-16 23:22 . 2011-06-16 23:22 50 ----a-w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\GLF264.tmp
2011-06-16 23:22 . 2011-06-16 23:22 -------- d-----w- c:\documents and settings\HP_Administrator\AppData
2011-06-16 23:20 . 2011-06-16 23:20 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\PackageAware
2011-06-15 23:38 . 2011-04-21 13:37 105472 ------w- c:\windows\system32\dllcache\mup.sys
2011-06-15 12:14 . 2011-06-15 12:14 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-15 01:04 . 2011-06-15 01:04 -------- d-----w- c:\program files\CCleaner
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-10 12:10 . 2010-08-14 14:59 40112 ----a-w- c:\windows\avastSS.scr
2011-05-10 12:10 . 2010-05-24 23:14 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-05-10 12:03 . 2011-02-24 04:31 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-05-10 12:03 . 2010-05-24 23:15 307928 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-05-10 12:02 . 2010-05-24 23:15 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-05-10 12:02 . 2010-05-24 23:15 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-05-10 12:02 . 2010-05-24 23:15 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-05-10 11:59 . 2010-05-24 23:15 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-05-10 11:59 . 2010-05-24 23:15 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-05-10 11:59 . 2010-05-24 23:15 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-05-02 15:31 . 2009-09-02 05:26 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 16:19 . 2009-09-02 05:27 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 16:11 . 2009-09-02 05:32 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11 . 2009-09-02 05:26 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11 . 2009-09-02 05:26 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01 . 2009-09-02 05:26 385024 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37 . 2009-09-02 05:27 105472 ----a-w- c:\windows\system32\drivers\mup.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-05-10 12:10 122512 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-03 39408]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-06-15 2424192]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 49152]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-25 245760]
"SMSERIAL"="sm56hlpr.exe" [2005-01-24 544768]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb06.exe" [2002-07-11 188416]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-02 180269]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2009-07-07 647216]
"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2009-07-08 472112]
"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 49152]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-09-03 122368]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
.
c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
Updates from HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2009-9-2 36903]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Nexon\\Combat Arms\\Engine.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe"= c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe:LocalSubNet,0.0.0.0/255.255.255.255:Enabled:Pure Networks Platform Service
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58185:TCP"= 58185:TCP:Pando Media Booster
"58185:UDP"= 58185:UDP:Pando Media Booster
"57278:TCP"= 57278:TCP:Pando Media Booster
"57278:UDP"= 57278:UDP:Pando Media Booster
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2/24/2011 12:31 AM 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [5/24/2010 7:15 PM 307928]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/6/2010 5:10 PM 67656]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/24/2010 7:15 PM 19544]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [6/23/2011 7:26 PM 39984]
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... seconduser
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... seconduser
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1 71.243.0.12
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-23 21:19
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(732)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(3988)
c:\windows\system32\WININET.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\program files\Google\Quick Search Box\bin\1.2.1151.245\qsb.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2011-06-23 21:23:10
ComboFix-quarantined-files.txt 2011-06-24 01:23
ComboFix2.txt 2011-06-24 00:27
.
Pre-Run: 226,199,375,872 bytes free
Post-Run: 226,179,477,504 bytes free
.
- - End Of File - - F1514C053D908E603EAFCECEDA2ABA6F
==========

ComboFix quarantined files:

2011-06-24 00:26:54 . 2011-06-24 00:26:54 1,258 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-Searchqu 406 MediaBar.reg.dat
2011-06-24 00:26:07 . 2011-06-24 00:26:07 80 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-SunJavaUpdateSched.reg.dat
2011-06-24 00:26:05 . 2011-06-24 00:26:05 80 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-PCDrProfiler.reg.dat
2011-06-24 00:22:13 . 2009-09-02 17:28:19 24,613 ----a-w- C:\Qoobox\Quarantine\C\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll.vir
2011-06-24 00:21:07 . 2004-04-30 10:01:14 53 ----a-w- C:\Qoobox\Quarantine\D\Autorun.inf.vir
2011-06-24 00:17:16 . 2004-09-23 17:30:38 200,704 ----a-w- C:\Qoobox\Quarantine\Replicators\E7166D4E0FF2BF4236F2976E587F133B
2011-06-24 00:15:04 . 2011-06-24 00:15:04 9,068 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2011-06-24 00:03:46 . 2011-06-24 00:03:46 51 ----a-w- C:\Qoobox\Quarantine\catchme.log
2010-08-26 02:10:33 . 2010-08-26 02:10:34 3,979,680 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\HP_Administrator\Application Data\start\temp_BB40E0B5\flash.10.0.32.18.ocx.vir
2009-09-02 17:07:07 . 2004-10-25 22:17:56 90,112 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\ps2.bat.vir
jlars
Regular Member
 
Posts: 16
Joined: June 17th, 2011, 10:01 pm

Re: Bandoo/Searchqu/iLivid

Unread postby melboy » June 26th, 2011, 2:55 am

Hi

Sorry for the delay - I was consulting with combofix's developer, sUBs.


Dequarantine

  • Open Notepad by clicking start
  • Click Run
  • Type notepad into the box and click enter
  • Notepad will open
  • Copy and Paste everything from the Code box into Notepad (Do Not Include Code:)

    Code: Select all
    @ECHO OFF
    IF EXIST Logit.txt DEL Logit.txt
    CD /D C:\Qoobox\Quarantine\Replicators
    FOR %%G IN (
    "c:\hp\bin\commands.exe"
    "d:\i386\APPS\APP00926\commands.exe"
    "d:\i386\APPS\APP04870\commands.exe"
    "d:\i386\APPS\APP06722\commands.exe"
    "d:\i386\APPS\APP08304\commands.exe"
    "d:\i386\APPS\APP09288\commands.exe"
    "d:\i386\APPS\APP09844\commands.exe"
    "d:\i386\APPS\APP09983\commands.exe"
    "d:\i386\APPS\APP11997\commands.exe"
    "d:\i386\APPS\APP12305\commands.exe"
    "d:\i386\APPS\APP12414\commands.exe"
    "d:\i386\APPS\APP13812\commands.exe"
    "d:\i386\APPS\APP15845\commands.exe"
    "d:\i386\APPS\APP17171\commands.exe"
    "d:\i386\APPS\APP19268\commands.exe"
    "d:\i386\APPS\APP21273\commands.exe"
    "d:\i386\APPS\APP22953\commands.exe"
    "d:\i386\APPS\APP23828\commands.exe"
    "d:\i386\APPS\APP24318\commands.exe"
    "d:\i386\APPS\APP25458\commands.exe"
    "d:\i386\APPS\APP26376\commands.exe"
    "d:\i386\APPS\APP26679\commands.exe"
    "d:\i386\APPS\APP26970\commands.exe"
    "d:\i386\APPS\APP29229\commands.exe"
    "d:\i386\DRV\APP05841\commands.exe"
    "d:\i386\DRV\APP06678\commands.exe"
    "d:\i386\DRV\APP08300\commands.exe"
    "d:\i386\DRV\APP11212\commands.exe"
    "d:\i386\DRV\APP13391\commands.exe"
    "d:\i386\DRV\APP17160\commands.exe"
    "d:\i386\DRV\APP17891\commands.exe"
    "d:\i386\DRV\APP19897\commands.exe"
    "d:\i386\DRV\APP20004\commands.exe"
    "d:\i386\DRV\APP20091\commands.exe"
    "d:\i386\DRV\APP25050\commands.exe"
    "d:\i386\DRV\APP25826\commands.exe"
    "d:\i386\DRV\APP26225\commands.exe"
    ) DO @IF NOT EXIST %%G (
    COPY E7166D4E0FF2BF4236F2976E587F133B %%G
    IF EXIST %%G ECHO.%%~G .. restored >> "%~DP0Logit.txt"
    )>NUL 2>&1
    IF EXIST Logit.txt START "." "%~DP0Logit.txt"
    DEL %0
    
    

  • Make sure there are NO blank lines before @echo off
  • Make sure there IS one blank line at the end of the file.
  • Go to File > Save As
  • Save File name as Fix1.bat
  • Change Save as type to All Files and save the file to your desktop.
  • Close Notepad
  • Double-click Fix1.bat on your Desktop
  • The batch file will self delete when finished



SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2


  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield (Do Not Include Code:)
    Code: Select all
    :file
    c:\hp\bin\commands.exe
    d:\i386\APPS\APP00926\commands.exe

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt



TFC

  • Please download TFC by Old Timer to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • Click the Start button in the bottom left of TFC
  • If prompted, click "Yes" to reboot.

Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It should not take longer than a couple of minutes , and may only take a few seconds. Only if needed will you be prompted to reboot.



ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

  • Please go here to run the scan.
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
  • Select the option YES, I accept the Terms of Use then click on: Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Image
  • The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed make sure you first copy the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic.
  • Now click on: Image (Selecting Uninstall application on close if you so wish)
  • Re-enable your anti-virus software.



In your next reply:
  1. SystemLook.txt
  2. ESET log
User avatar
melboy
MRU Expert
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Bandoo/Searchqu/iLivid

Unread postby jlars » June 26th, 2011, 6:19 pm

melboy,
when I follow the link for the ESET online scanner, I don't see a terms-of-use and a Start button. There's a Scan Now button that, when clicked, opens a window with the options to purchase, etc. It doesn't seem to match your instructions, so I'm reluctant to go further.
jlars
jlars
Regular Member
 
Posts: 16
Joined: June 17th, 2011, 10:01 pm

Re: Bandoo/Searchqu/iLivid

Unread postby melboy » June 27th, 2011, 2:25 am

Hi

Make sure you run TFC prior to the online scan. If you've run it once already you do need to run it again before the scan.

See if this link works better for you.



ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

  • Please go here to run the scan.
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
  • Select the option YES, I accept the Terms of Use then click on: Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Image
  • The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed make sure you first copy the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic.
  • Now click on: Image (Selecting Uninstall application on close if you so wish)
  • Re-enable your anti-virus software.



In your next reply:
  1. SystemLook.txt
  2. ESET log
User avatar
melboy
MRU Expert
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Bandoo/Searchqu/iLivid

Unread postby jlars » June 27th, 2011, 7:55 am

SystemLook log:

SystemLook 04.09.10 by jpshortstuff
Log created at 17:59 on 26/06/2011 by HP_Administrator
Administrator - Elevation successful

========== file ==========

c:\hp\bin\commands.exe - File found and opened.
MD5: E7166D4E0FF2BF4236F2976E587F133B
Created at 21:58 on 26/06/2011
Modified at 17:30 on 23/09/2004
Size: 200704 bytes
Attributes: --a----
FileDescription: commands
FileVersion: 8, 6, 0, 0
ProductVersion: 8, 6, 0, 0
OriginalFilename: commands.exe
InternalName: commands
ProductName: Hewlett Packard commands
CompanyName: Hewlett Packard
LegalCopyright: Copyright © 2004

d:\i386\APPS\APP00926\commands.exe - File found and opened.
MD5: E7166D4E0FF2BF4236F2976E587F133B
Created at 21:58 on 26/06/2011
Modified at 17:30 on 23/09/2004
Size: 200704 bytes
Attributes: --a----
FileDescription: commands
FileVersion: 8, 6, 0, 0
ProductVersion: 8, 6, 0, 0
OriginalFilename: commands.exe
InternalName: commands
ProductName: Hewlett Packard commands
CompanyName: Hewlett Packard
LegalCopyright: Copyright © 2004

-= EOF =-
==========================

ESET log:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6427
# api_version=3.0.2
# EOSSerial=fea978697563614485e8491882b92a40
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-06-27 11:47:56
# local_time=2011-06-27 07:47:56 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=768 16777215 100 0 33501757 33501757 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=99169
# found=1
# cleaned=0
# scan_time=5437
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP533\A0323034.exe a variant of Win32/Adware.WhiteSmoke.B application (unable to clean) 00000000000000000000000000000000 I
jlars
Regular Member
 
Posts: 16
Joined: June 17th, 2011, 10:01 pm

Re: Bandoo/Searchqu/iLivid

Unread postby melboy » June 27th, 2011, 3:46 pm

Hi

Great! We'll flush system restore when we're done - which should be after this round of instructions - How are things running now?


Update Adobe Reader

Your Adobe Reader is out of date.
Older versions may have vulnerabilities that malware can use to infect your system.

  • Uninstall via Start > Control Panel > Add/Remove Programs:
    Adobe Reader X (10.0.1)

    Please visit the Adobe Site & download & install Adobe Reader X (10.1).



Update Java Runtime

You are using an old version of Java. Oracle's Java (Was Sun Java) is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system. The most current version of Oracle Java is: Java Runtime Environment Version 6 Update 26.

  • Go to Oracle Java
  • Scroll down to where it says "Java Platform, Standard Edition. Java SE 6 Update 26"
  • Click the Download JRE button to the right.
  • Check the box to Accept License Agreement
  • In the list of files, Look to Windows x86 Offline & click on the link to the right which says "jre-6u26-windows-i586.exe" and save the downloaded file to your desktop.
  • Uninstall all old versions of Java via Start > Control Panel > Add/Remove Programs:
    Java(TM) 6 Update 24
  • Install the new version by running the newly-downloaded file with the java icon which will be at your desktop, and follow the on-screen instructions.
  • Reboot your computer



Defence Inspector

Please download Defence Inspector and save it to your desktop.

  • Double-click DefenceInspector.exe to run it.
  • When presented with the option to begin the scan, please press any key to continue.
  • When DefenceInspector has finished scanning a log will appear.
  • Please post the contents of this log in your next reply.



Re-run DDS

Please disable any anti-malware program that will block scripts from running before running DDS.
  • Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, Please copy & paste the contents of :
    • DDS.txt
And post it in your next reply.




In your next reply:
  1. DDS.txt
  2. DefenceInspector log
  3. How are things running now
User avatar
melboy
MRU Expert
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Bandoo/Searchqu/iLivid

Unread postby jlars » June 27th, 2011, 7:32 pm

1. DDS.txt:

.
DDS (Ver_2011-06-12.02) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by HP_Administrator at 19:23:17 on 2011-06-27
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2494.1809 [GMT -4:00]
.
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
C:\Program Files\Retrospect\Retrospect 7.5\retrorun.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
c:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\wscntfy.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... seconduser
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... seconduser
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [HPHUPD08] c:\program files\hp\digital imaging\{33d6cc28-9f75-4d1b-a11d-98895b3a3729}\hphupd08.exe
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [SMSERIAL] sm56hlpr.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb06.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [nmapp] "c:\program files\pure networks\network magic\nmapp.exe" -autorun -nosplash
mRun: [HP Software Update] c:\program files\hp\hp software update\HPwuSchd2.exe
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\hp_adm~1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\9972322\program\Updates from HP.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {000F1EA4-5E08-4564-A29B-29076F63A37A} - hxxp://launch.soe.com/plugin/web/SOEWebInstaller.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://download.macromedia.com/pub/sho ... wflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1 71.243.0.12
TCP: Interfaces\{00DA3221-7847-4EAB-91B5-66194C079360} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{6FCFC3C2-828C-4CBF-B2A2-25A2FF6700C6} : DhcpNameServer = 192.168.1.1 71.243.0.12
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-2-24 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-5-24 307928]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-6 67656]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-5-24 19544]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-24 42184]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S3 cpuz132;cpuz132;\??\c:\docume~1\hp_adm~1\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\hp_adm~1\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-6-23 39984]
.
=============== Created Last 30 ================
.
2011-06-27 22:41:47 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-06-24 00:07:12 -------- d-sha-r- C:\cmdcons
2011-06-24 00:03:59 98816 ----a-w- c:\windows\sed.exe
2011-06-24 00:03:59 518144 ----a-w- c:\windows\SWREG.exe
2011-06-24 00:03:59 256512 ----a-w- c:\windows\PEV.exe
2011-06-24 00:03:59 208896 ----a-w- c:\windows\MBR.exe
2011-06-23 23:27:15 -------- d-----w- c:\documents and settings\hp_administrator\application data\Malwarebytes
2011-06-23 23:26:44 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-23 23:26:43 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-06-23 23:26:40 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-23 23:26:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-06-23 21:50:05 -------- d-----w- C:\_OTL
2011-06-16 23:22:30 50 ----a-w- c:\documents and settings\hp_administrator\local settings\application data\GLF264.tmp
2011-06-16 23:22:07 -------- d-----w- c:\documents and settings\hp_administrator\AppData
2011-06-16 23:20:18 -------- d-----w- c:\documents and settings\hp_administrator\local settings\application data\PackageAware
2011-06-15 23:38:34 105472 ------w- c:\windows\system32\dllcache\mup.sys
2011-06-15 12:14:22 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-15 01:04:12 -------- d-----w- c:\program files\CCleaner
2011-06-06 16:55:30 183696 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
.
==================== Find3M ====================
.
2011-06-27 22:41:34 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-10 12:10:59 40112 ----a-w- c:\windows\avastSS.scr
2011-05-10 12:03:54 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 16:19:43 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 16:11:12 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11:11 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11:11 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01:22 385024 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37:43 105472 ----a-w- c:\windows\system32\drivers\mup.sys
.
============= FINISH: 19:24:32.90 ===============

2. DefenceInspector log

Defence Inspector (Version 1.0.1)
Log created at 19:21:29 on June 27, 2011

-= System =-
Windows XP (32-bit, Service Pack 3)
Windows Update: Notify before installation
System Restore: ON (41 restore point(s) available)

-= User Accounts =-
Administrator (Admin)
Guest
HelpAssistant (Disabled)
HP_Administrator (Admin)
SUPPORT_388945a0 (Disabled)
SUPPORT_fddfa904 (Disabled)

-= Security Programs =-
Avast! 5 (5.1)
Avast! AntiVirus (6.0)
Malwarebytes' Anti-Malware
SUPERAntiSpyware
Windows Firewall: Enabled

-= Other Programs =-
Adobe AIR 2.5.1.17730
Adobe Flash Player (Plugin) 10.0.45.2
Adobe Flash Player (ActiveX) 10.3.181.26
Internet Explorer 8.0.6001.18702
Java 1.6.0_26

-= EOF =-

3. How are things running now:
- Aside: Adobe had furnished an auto-update prior to your last reply, so I updated Reader via that. I checked the version and it is 10.1, so that should be fine. I have java on auto-notification; I'm surprised I hadn't seen one for that version. Anyway, that updated fine also.
- Everything is running well. Actually, it always was (for an ancient desktop), but I knew that once I got rid of the Searchqu/Bandoo items I could see, there would still be residual items related to Bandoo and Searchqu that I didn't know how to eliminate . . . lucky for me, you answered the call.

How are we doing?
jlars
Regular Member
 
Posts: 16
Joined: June 17th, 2011, 10:01 pm

Re: Bandoo/Searchqu/iLivid

Unread postby melboy » June 29th, 2011, 3:05 pm

Hi

Your log now appears to be clean. Congratulations!
This is my general post for when your logs show no more signs of malware ;) - Please let me know if you still are having problems with your computer and what these problems are. If not, please continue with the instructions below.



Uninstall Combofix

We Need to Remove ComboFix

  1. Please go to Start -> Run
  2. Enter "ComboFix /uninstall" (without quotes). Note the space between "ComboFix" and "/uninstall", it needs to be there.
    Image
  3. Press OK (Or hit enter).
  4. Allow ComboFix to remove itself.



OTL by OldTimer

You should still have this on your Desktop.

  • Double-click OTL.exe
  • Click the CleanUp! button
  • Select Yes when the Begin cleanup Process? Prompt appears
  • If you are prompted to Reboot during the cleanup, select Yes
  • The tool will delete itself once it finishes, if not delete it by yourself


========================================


General Security and Computer Health
Below are some steps to follow in order to dramatically lower the chances of reinfection. You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented.



  • Make sure that you keep your antivirus updated
    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
    Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
    Uninstall Tools for Major Antivirus Products

  • Security Updates for Windows, Internet Explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site on a regular basis.
    Note: The update process uses ActiveX, so you will need to use internet explorer for it and allow the ActiveX control to install. Even if you do not use Internet Explorer as you Primary/Default browser it is important to keep it updated. Internet Explorer can be utilised by other programs and therefore must be kept updated to avoid exploitable vulnerabilities.

  • Update Non-Microsoft Programs
    Microsoft isn't the only company whose products can contain security vulnerabilities. To check whether other programs running on your PC are in need of an update, you can use the Secunia Software Inspector - I suggest that you run it at least once a month.


Recommended Programs

I would recommend the download and installation of some or all of the following programs (if not already present), and the updating of them on a regular basis.

  • WinPatrol
    As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. For more information, please visit HERE.
  • Malwarebytes' Anti-Malware
    As you already have Malwarebytes' Anti-Malware on board I would keep it regularly updated and run regular quick scans with it. Malwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even the most advanced malware. The Full version can be used as an addition to an anti-virus & includes a number of features, including a built in protection monitor that blocks malicious processes before they even start.
    It's IP Protection provides an additional layer of security for your computer, by preventing access to known malicious IP addresses and IP ranges.
    You can now trial the full versions features within the program. Click the Protection Tab to see.
  • Hosts File
    For added protection you may also like to add a host file. A simple explanation of what a Hosts file does is HERE and for more information regarding host files read HERE.
  • Use an alternative Internet Browser
    Many of the exploits are directed to users of Internet Explorer. Try using a different browser instead:
    Firefox
    Opera


Finally I am trying to make one point very clear. It is absolutely essential to keep all of your security programs up to date.

Also please read this great article by Tony Klein So How Did I Get Infected In First Place

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.

Happy surfing and stay clean!
User avatar
melboy
MRU Expert
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Bandoo/Searchqu/iLivid

Unread postby jlars » June 29th, 2011, 11:16 pm

Melboy,

First off, let me say that I can't thank you enough. I have nothing but admiration for folks like you who offer their time, free of charge, to help others with problems. I don't have a lot of money--if I did, I'd likely buy a new PC!--but I'd like to contribute to the upkeep and continuation of this site. What is the best way to do that?

Also, could you give me a little background as to what we cleaned up and where I was infected. We probably ran 8 or 10 different scans: do they all hit different areas of the PC? Or are they designed to root out different types of malware? Was there more going on than just the Bandoo/Searchqu that first brought me here?

Finally, the system is running fine and I will do the final clean-up steps you outlined. I do notice some web pages failing to load--usually need a refresh--but aside from that everything is good. I will likely switch to a different browser soon. What's your opinion of Chrome?

So, thanks again. Your help is very much appreciated.

Kind Regards,
jlars
jlars
Regular Member
 
Posts: 16
Joined: June 17th, 2011, 10:01 pm

Re: Bandoo/Searchqu/iLivid

Unread postby melboy » June 30th, 2011, 12:59 pm

You're most welcome! :)

Our help is always free, but any donation to help with the running costs of this volunteer site would be very much appreciated & is always gratefully received. You can do so through the "Support Us" link at the top of the page.

Thank you. :)

http://www.malwareremoval.com/donations.php


The scans I had you run help us determine what malware may be affecting your system, and how & where it may be affecting your system. There is a high level of expert knowledge on malware throughout our community, and we're very lucky to have excellent developers that can produce tools to help us root out & remove even the worst malware - wherever it may be on the system. Sometimes, some of our more powerful tools are needed to remove the malware efficiently & safely.


As it turned out, there was nothing more going on than the Bandoo/Searchqu that first brought you here.
It can be introduced to the system by more serious malware however, so it is always worthwhile checking further.


With any software, always look to review it from trusted sources before downloading & installing, and always download from a reputable source. Visit the vendors site & read Terms & Condition's and Privacy policies. Check the EULA (End User License Agreement) when installing, & look out for any pre-checked additional extra's that may also be installed along with the program & decide whether or not you want it or not, and "Opt out" of the extra's if necessary.

I don't use Google Chrome as a browser myself, so couldn't comment too much on it. I do know some have issue with Google's Privacy policies - It might be worth checking out further to decide for yourself. You could always start a thread in our General Discussions Forum, to ask users opinions on it. ;)

viewforum.php?f=26
User avatar
melboy
MRU Expert
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK
Advertisement
Register to Remove

PreviousNext

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 22 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware