
searchqu virus/malware



Got a nasty infection with searchqu.exe and its derivatives. I think I got them all but want to make sure. Attached are the DDS output files:

DDS.txt

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 9.0.8112.16421

Run by Administrator at 18:40:24 on 2012-06-07

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\WLANExt.exe

C:\Windows\system32\conhost.exe

C:\Windows\System32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe

C:\Program Files\Acer\Registration\GregHSRW.exe

C:\Windows\system32\spool\DRIVERS\W32X86\3\lxdnserv.exe

C:\Windows\system32\lxdncoms.exe

C:\Program Files\Microsoft LifeCam\MSCamS32.exe

C:\Program Files\EgisTec\MyWinLocker 3\x86\MWLService.exe

C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe

C:\Program Files\Norton PC Checkup\Engine\2.0.12.27\ccSvcHst.exe

C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe

C:\Program Files\Acer\Acer VCM\RS_Service.exe

C:\Program Files\Acer\Acer Updater\UpdaterService.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Norton PC Checkup\Engine\2.0.12.27\SymcPCCULaunchSvc.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\taskhost.exe

C:\Program Files\Norton PC Checkup\Engine\2.0.12.27\ccSvcHst.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

C:\Program Files\Launch Manager\LManager.exe

C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe

C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe

C:\Program Files\EgisTec Egis Software Update\EgisUpdate.exe

C:\Program Files\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe

C:\Windows\PLFSetI.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Windows\system32\igfxext.exe

C:\Windows\system32\igfxsrvc.exe

C:\Program Files\Lexmark 2600 Series\lxdnmon.exe

C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Program Files\Lexmark 2600 Series\lxdnMsdMon.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\System32\igfxtray.exe

C:\Windows\System32\hkcmd.exe

C:\Windows\System32\igfxpers.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Common Files\PC Tools\sMonitor\SSDMonitor.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

C:\Program Files\Acer\Acer VCM\AcerVCM.exe

C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Windows\system32\taskhost.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Windows\system32\Macromed\Flash\FlashUtil11g_ActiveX.exe

C:\Windows\System32\dinotify.exe

C:\Windows\system32\taskmgr.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe

C:\Users\Harrison1\Desktop\dds.com

C:\Windows\system32\conhost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\System32\svchost.exe -k secsvcs

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

uDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_one&r=27b512094705l0314ww15w47823685

mDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_one&r=27b512094705l0314ww15w47823685

mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_one&r=27b512094705l0314ww15w47823685

uURLSearchHooks: N/A: {ff365cdc-88fe-4ffa-a3f3-357855231dfa} - c:\program files\puredefmusic\toolbar\2.bin\p3SrcAs.dll

mURLSearchHooks: Elf 1.11 Toolbar: {313a832a-aaf3-4880-a8d0-c42bee319c02} - c:\program files\elf_1.11\tbElf_.dll

mURLSearchHooks: Elf 1 Toolbar: {22e03916-85c5-44b0-8dc9-1830c11238d9} - c:\program files\elf_1\tbElf_.dll

mURLSearchHooks: Elf 1.13 Toolbar: {b80f591e-fe9a-46cf-a13e-180377240586} - c:\program files\elf_1.13\tbElf_.dll

mURLSearchHooks: Viral Tube Toolbar: {93c338de-5fb5-4fb5-ab4e-0eedc0bd9f3a} - c:\program files\viral_tube\prxtbVira.dll

mURLSearchHooks: Game Master 2.1 Toolbar: {22dfbf5b-a7cd-4b25-9471-3dc68c71855f} - c:\program files\game_master_2.1\prxtbGame.dll

BHO: Shop to Win 17: {00b48ab6-399b-4e4e-b07e-da47c34c453a} - c:\program files\shop to win 17\Shop to Win 17.dll

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Game Master 2.1 Toolbar: {22dfbf5b-a7cd-4b25-9471-3dc68c71855f} - c:\program files\game_master_2.1\prxtbGame.dll

BHO: Elf 1 Toolbar: {22e03916-85c5-44b0-8dc9-1830c11238d9} - c:\program files\elf_1\tbElf_.dll

BHO: Elf 1.11 Toolbar: {313a832a-aaf3-4880-a8d0-c42bee319c02} - c:\program files\elf_1.11\tbElf_.dll

BHO: FBDownloader BHO: {553318da-d010-469e-84b1-496563cae1bf} - c:\program files\delortech, ltd\dfp 1.0\FBDownloader.dll

BHO: AppGraffiti: {6f6a5334-78e9-4d9b-8182-8b41ea8c39ef} - c:\progra~1\appgra~1\APPGRA~1.DLL

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20100814193503.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Viral Tube Toolbar: {93c338de-5fb5-4fb5-ab4e-0eedc0bd9f3a} - c:\program files\viral_tube\prxtbVira.dll

BHO: Searchqu Toolbar: {99079a25-328f-4bd4-be04-00955acaa0a7} - c:\progra~1\search~1\datamngr\toolbar\searchqudtx.dll

BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - c:\program files\windows live\companion\companioncore.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Elf 1.13 Toolbar: {b80f591e-fe9a-46cf-a13e-180377240586} - c:\program files\elf_1.13\tbElf_.dll

BHO: MediaBar: {c2d64ff7-0ab8-4263-89c9-ea3b0f8f050c} - c:\progra~1\bearsh~1\mediabar\datamngr\toolbar\bsdtxmltbpi.dll

BHO: SocialRibbons LP5: {cbf3fdca-6104-1864-d931-d737d2bfc202} - c:\program files\socialribbons lp5\Toolbar.dll

BHO: Inbox Toolbar: {d3d233d5-9f6d-436c-b6c7-e63f77503b30} - c:\progra~1\inboxt~1\Inbox.dll

BHO: WeCareReminder Class: {d824f0de-3d60-4f57-9eb1-66033ecd8abb} - c:\programdata\wecarereminder\IEHelperv2.5.0.dll

BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll

TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll

TB: Elf 1.11 Toolbar: {313a832a-aaf3-4880-a8d0-c42bee319c02} - c:\program files\elf_1.11\tbElf_.dll

TB: Elf 1 Toolbar: {22e03916-85c5-44b0-8dc9-1830c11238d9} - c:\program files\elf_1\tbElf_.dll

TB: Elf 1.13 Toolbar: {b80f591e-fe9a-46cf-a13e-180377240586} - c:\program files\elf_1.13\tbElf_.dll

TB: &Inbox Toolbar: {d7e97865-918f-41e4-9cd0-25ab1c574ce8} - c:\progra~1\inboxt~1\Inbox.dll

TB: MediaBar: {c2d64ff7-0ab8-4263-89c9-ea3b0f8f050c} - c:\progra~1\bearsh~1\mediabar\datamngr\toolbar\bsdtxmltbpi.dll

TB: Searchqu Toolbar: {99079a25-328f-4bd4-be04-00955acaa0a7} - c:\progra~1\search~1\datamngr\toolbar\searchqudtx.dll

TB: Viral Tube Toolbar: {93c338de-5fb5-4fb5-ab4e-0eedc0bd9f3a} - c:\program files\viral_tube\prxtbVira.dll

TB: Game Master 2.1 Toolbar: {22dfbf5b-a7cd-4b25-9471-3dc68c71855f} - c:\program files\game_master_2.1\prxtbGame.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

uRun: [Hardware Helper] c:\program files\hardware helper\HHLauncher.exe

mRun: [iAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe

mRun: [LManager] c:\program files\launch manager\LManager.exe

mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe

mRun: [Acer ePower Management] c:\program files\acer\acer epower management\ePowerTray.exe

mRun: [EgisTecLiveUpdate] "c:\program files\egistec egis software update\EgisUpdate.exe"

mRun: [mwlDaemon] c:\program files\egistec\mywinlocker 3\x86\mwlDaemon.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [NortonOnlineBackupReminder] "c:\program files\symantec\norton online backup\activation\NobuActivation.exe" UNATTENDED

mRun: [PLFSetI] c:\windows\PLFSetI.exe

mRun: [synTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe

mRun: [Acer Assist Launcher] c:\program files\acer\acer assist\launcher.exe

mRun: [lxdnmon.exe] "c:\program files\lexmark 2600 series\lxdnmon.exe"

mRun: [lxdnamon] "c:\program files\lexmark 2600 series\lxdnamon.exe"

mRun: [FaxCenterServer] "c:\program files\lexmark fax solutions\fm3032.exe" /s

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"

mRun: [sSDMonitor] c:\program files\common files\pc tools\smonitor\SSDMonitor.exe

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice

mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"

mRunOnce: [!iLividOnce] c:\users\harrison1\appdata\local\microsoft\windows\temporary internet files\content.ie5\w5vdydrt\iLividSetupV1.exe

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {C345E174-3E87-4F41-A01C-B066A90A49B4} - hxxp://trial.trymicrosoftoffice.com/trialoaa/buymsoffice_assets/framework//microsoft/wrc32.ocx

DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553542300} - hxxp://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

TCP: Interfaces\{6DB09E9C-F96F-42AA-9941-1AA3454EF027} : NameServer = 192.168.1.254

TCP: Interfaces\{9BA8832F-8949-42C3-995F-7952FDCEA4C5} : DhcpNameServer = 192.168.0.1 68.94.157.1

TCP: Interfaces\{9BA8832F-8949-42C3-995F-7952FDCEA4C5}\2375942554539333 : DhcpNameServer = 192.168.1.254

TCP: Interfaces\{9BA8832F-8949-42C3-995F-7952FDCEA4C5}\7475D23456E6475627D223 : DhcpNameServer = 192.168.2.1

Handler: inbox - {37540F19-DD4C-478B-B2DF-C19281BCAF27} - c:\progra~1\inboxt~1\Inbox.dll

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll

Notify: igfxcui - igfxdev.dll

.

============= SERVICES / DRIVERS ===============

.

R? b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0

R? clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86

R? fssfltr;fssfltr

R? fsssvc;Windows Live Family Safety Service

R? GamesAppService;GamesAppService

R? gupdate;Google Update Service (gupdate)

R? gupdatem;Google Update Service (gupdatem)

R? massfilter;Mass Storage Filter Driver

R? MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver

R? RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader

R? RtsUIR;Realtek IR Driver

R? TsUsbFlt;TsUsbFlt

R? wlcrasvc;Windows Live Mesh remote connections service

R? ZTEusbgps;ZTE GPS Port

R? ZTEusbnmeaext;ZTE NMEAExt Port

S? eamonm;eamonm

S? ekrn;ESET Service

S? epfwwfpr;epfwwfpr

S? ePowerSvc;Acer ePower Service

S? Greg_Service;GRegService

S? L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller

S? lxdn_device;lxdn_device

S? lxdnCATSCustConnectService;lxdnCATSCustConnectService

S? MBAMProtector;MBAMProtector

S? MBAMService;MBAMService

S? mwlPSDFilter;mwlPSDFilter

S? mwlPSDNServ;mwlPSDNServ

S? mwlPSDVDisk;mwlPSDVDisk

S? MWLService;MyWinLocker Service

S? Norton PC Checkup Application Launcher;Norton PC Checkup Application Launcher

S? PCCUJobMgr;Common Client Job Manager Service

S? PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service

S? RS_Service;Raw Socket Service

S? Updater Service;Updater Service

S? vwififlt;Virtual WiFi Filter Driver

S? vwifimp;Microsoft Virtual WiFi Miniport Service

.

=============== Created Last 30 ================

.

2012-06-06 00:02:14 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{aa08ecf6-60da-4e32-ab5e-24df31fecccf}\offreg.dll

2012-06-05 22:52:28 6737808 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{aa08ecf6-60da-4e32-ab5e-24df31fecccf}\mpengine.dll

2012-05-26 19:46:21 -------- d-----w- c:\program files\Microsoft LifeCam

2012-05-26 19:46:04 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll

2012-05-26 19:46:03 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll

2012-05-25 15:06:20 -------- d-----w- c:\users\administrator\appdata\roaming\DriverCure

2012-05-25 06:41:13 -------- d-----w- c:\users\administrator\appdata\roaming\Hardware Helper

2012-05-25 06:41:11 -------- d-----w- c:\program files\Hardware Helper

2012-05-19 00:50:07 6737808 ----a-w- c:\programdata\microsoft\windows defender\definition updates\backup\mpengine.dll

2012-05-17 14:49:30 388096 ----a-r- c:\users\administrator\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe

2012-05-17 14:49:26 -------- d-----w- c:\program files\Trend Micro

2012-05-17 05:16:59 -------- d-----w- c:\program files\ESET

2012-05-17 04:42:37 -------- d-----w- c:\program files\common files\Wise Installation Wizard

2012-05-17 03:25:46 92208 ----a-w- c:\windows\system\wing.dll

2012-05-17 03:01:31 -------- d-----w- c:\program files\VS Revo Group

2012-05-16 15:02:46 237072 ------w- c:\windows\system32\MpSigStub.exe

2012-05-16 04:25:30 -------- d-----w- c:\users\administrator\appdata\local\Yahoo

2012-05-16 04:24:44 -------- d-----w- c:\users\administrator\appdata\local\Google

2012-05-16 03:46:46 -------- d-----w- c:\users\administrator\appdata\roaming\Malwarebytes

2012-05-16 03:33:56 -------- d-----w- c:\users\administrator\appdata\roaming\AVG2012

2012-05-16 03:33:24 -------- d-----w- c:\users\administrator\appdata\roaming\FaxCtr

2012-05-16 03:33:20 -------- d-----w- c:\users\administrator\appdata\roaming\Acer

2012-05-16 03:32:45 -------- d-----w- c:\users\administrator\appdata\local\EgisTec

2012-05-15 21:25:52 -------- d-----w- c:\programdata\Malwarebytes

2012-05-15 21:25:48 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-05-15 21:25:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-05-15 20:55:43 -------- d-----w- c:\program files\Enigma Software Group

2012-05-15 20:52:47 -------- d-----w- C:\Ziphold

2012-05-15 00:47:01 -------- d-----w- c:\programdata\AVG2012

2012-05-15 00:45:13 -------- d-----w- c:\program files\AVG

2012-05-15 00:39:54 -------- d-----w- c:\programdata\MFAData

2012-05-10 05:58:48 1291632 ----a-w- c:\windows\system32\drivers\tcpip.sys

2012-05-10 05:58:34 936960 ----a-w- c:\program files\common files\microsoft shared\ink\journal.dll

2012-05-10 05:57:54 3968368 ----a-w- c:\windows\system32\ntkrnlpa.exe

2012-05-10 05:57:50 3913072 ----a-w- c:\windows\system32\ntoskrnl.exe

2012-05-10 05:57:49 2343424 ----a-w- c:\windows\system32\win32k.sys

2012-05-10 05:57:26 56176 ----a-w- c:\windows\system32\drivers\partmgr.sys

2012-05-10 05:57:21 1077248 ----a-w- c:\windows\system32\DWrite.dll

.

==================== Find3M ====================

.

2012-03-14 15:40:02 169080 ----a-w- c:\windows\system32\drivers\eamonm.sys

2012-03-14 15:40:02 120152 ----a-w- c:\windows\system32\drivers\ehdrv.sys

2012-03-14 15:40:02 103112 ----a-w- c:\windows\system32\drivers\epfwwfpr.sys

2012-03-11 20:04:02 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

.

============= FINISH: 18:41:45.45 ===============

------------------------------------------------

attach.txt

.

==== Installed Programs ======================

.

32 Bit HP CIO Components Installer

6500_E709_BasicWeb

6500_E709_Help_BasicWeb

7-Zip

7-Zip 9.20

ABBYY FineReader 6.0 Sprint

Acer Assist

Acer Crystal Eye Webcam

Acer ePower Management

Acer eRecovery Management

Acer Games

Acer Registration

Acer ScreenSaver

Acer Updater

Acer VCM

Acrobat.com

Adobe AIR

Adobe Flash Player 10 Plugin

Adobe Flash Player 11 ActiveX

Adobe Reader 9.5.1 MUI

Advertising Center

AppGraffiti

Apple Application Support

Apple Mobile Device Support

Apple Software Update

ARO 2012

ASPCA Reminder by We-Care.com v5.0.5.1

Atheros Communications Inc.® AR81Family Gigabit/Fast Ethernet Driver

Bonjour

bpd_scan

BPDSoftware_Ini

BringMeSports

Broadcom Wireless LAN Driver Installation Program for Windows7

BufferChm

Compatibility Pack for the 2007 Office system

D3DX10

dfp 1.0

Driver Detective

Driver Manager

Driver Robot

eBay Worldwide

Elf 1 Toolbar

Elf 1.11 Toolbar

Elf 1.13 Toolbar

ESET NOD32 Antivirus

eSobi v2

Facebook Video Calling 1.0.0.8953

Facebook Video Calling 1.1.0.13

Facebook Video Calling 1.1.1.1

Facebook Video Calling 1.2.0.159

fbDownloader 1.0.2

Feedback Tool

Game Master 2.1 Toolbar

Google Earth Plug-in

Google Toolbar for Internet Explorer

Google Update Helper

Hardware Helper v3.0

HiJackThis

HP Officejet 6500 E709 Series

Identity Card

iLivid

ImagXpress

Inbox Toolbar

Intel® Graphics Media Accelerator Driver

Intel® Matrix Storage Manager

Itibiti RTC

iTunes

Java Auto Updater

Java™ 6 Update 26

Junk Mail filter update

KeyBlaze Typing Tutor

Launch Manager

Lexmark 2600 Series

Lexmark Fax Solutions

Lexmark Toolbar

Malwarebytes Anti-Malware version 1.61.0.1400

Mesh Runtime

Messenger Companion

Microsoft .NET Framework 4 Client Profile

Microsoft Application Error Reporting

Microsoft Corporation

Microsoft LifeCam

Microsoft Office PowerPoint Viewer 2007 (English)

Microsoft Office Suite Activation Assistant

Microsoft Silverlight

Microsoft SQL Server 2005 Compact Edition [ENU]

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

Microsoft Works

MSVCRT

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

Music Oasis

MyWinLocker

Nero 9 Essentials

Nero CoverDesigner

Nero Installer

Nero StartSmart

neroxml

Network

Norton Online Backup

Norton PC Checkup

OGA Notifier 2.0.0048.0

ParetoLogic DriverCure

QuickTime

Realtek High Definition Audio Driver

Realtek USB 2.0 Card Reader

Registry Mechanic 10.0

Revo Uninstaller 1.94

RivalGaming

Rosetta Stone Version 3

Scan

Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)

Shop To Win

SocialRibbons LP5

Synaptics Pointing Device Driver

Toolbox

TweetDeck

Update for Microsoft .NET Framework 4 Client Profile (KB2468871)

Update for Microsoft .NET Framework 4 Client Profile (KB2533523)

Update for Microsoft .NET Framework 4 Client Profile (KB2600217)

Update Installer for WildTangent Games App

Viral Tube Toolbar

VLC media player 2.0.1

WebReg

Welcome Center

WildTangent Games App (Acer Games)

Windows iLivid Toolbar

Windows Live Communications Platform

Windows Live Essentials

Windows Live Family Safety

Windows Live ID Sign-in Assistant

Windows Live Installer

Windows Live Mail

Windows Live Mesh

Windows Live Mesh ActiveX Control for Remote Connections

Windows Live Messenger

Windows Live Messenger Companion Core

Windows Live MIME IFilter

Windows Live Movie Maker

Windows Live Photo Common

Windows Live Photo Gallery

Windows Live PIMT Platform

Windows Live Remote Client

Windows Live Remote Client Resources

Windows Live Remote Service

Windows Live Remote Service Resources

Windows Live SOXE

Windows Live SOXE Definitions

Windows Live Sync

Windows Live UX Platform

Windows Live UX Platform Language Pack

Windows Live Writer

Windows Live Writer Resources

Yahoo! Install Manager

Yahoo! Software Update

ZTE USB Drivers

.

==== End Of File ===========================


Welcome to the forum.

I still see some signs of it; we have to use OTL to delete it, though.

Please download OTL from one of the links below:

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com (<---renamed version)

Save it to your desktop.

Double click on the icon on your desktop.

Click the Scan All Users checkbox.

Push the Quick Scan button.

The scan will take about 10 minutes, depending on your hard drive size.

Two reports will open, copy and paste them in a reply here: (or attach them as .txt files)

OTL.txt <-- Will be opened

Extra.txt <-- Will be minimized

-------------------------------

BTW here's an excellent guide for uninstalling it:

http://deletemalware.blogspot.ca/2012/04/remove-searchnu-uninstall-guide.html

MrC


Thanks Mr C. Link was an interesting read. iLivid was where the guy got this infection. I try to warn the kids at school of what not to install and download, but maybe when their PC is OTL for a while, they'll get the point.

OK, here are the logs attached:

OTL.Txt

Extras.Txt


Please do this:

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    IE - HKU\S-1-5-21-2917202170-3497865473-2251337169-1000\..\URLSearchHook: - No CLSID value found
    IE - HKU\S-1-5-21-2917202170-3497865473-2251337169-1000\..\URLSearchHook: {06b5b051-1d05-443d-822f-39ab0d05f018} - No CLSID value found
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
    O2 - BHO: (Searchqu Toolbar) - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~1\SEARCH~1\Datamngr\ToolBar\searchqudtx.dll File not found
    O3 - HKLM\..\Toolbar: (Searchqu Toolbar) - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~1\SEARCH~1\Datamngr\ToolBar\searchqudtx.dll File not found
    O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    [2012/05/25 08:08:11 | 000,001,807 | ---- | M] () -- C:\Users\Public\Desktop\iLivid.lnk
    O4 - HKLM..\RunOnce: [!iLividOnce] C:\Users\Harrison1\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\W5VDYDRT\iLividSetupV1.exe (Bandoo Media Inc)
    :Commands
    [EMPTYJAVA]
    [emptytemp]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, when done it will say "Fix Complete press ok to open the log"
  • Please post that log in your next reply. Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

MrC
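The fix above deletes the same CLSID from several places (the Browser Helper Objects key, the Toolbar key, Classes\CLSID and the URLSearchHooks value) and removes a RunOnce entry that points into the Internet Explorer cache. The script below is an added example, not part of DDS, OTL or the thread: it parses lines in the shape of the DDS Pseudo HJT Report, groups registrations by CLSID so you can see every hook point a toolbar occupies, and flags the two patterns the fix targets, a CLSID with no DLL behind it ("No File") and an autorun launched from a temp or browser cache folder. The sample log is constructed from a handful of lines copied from the posted report; the cache-folder heuristic and all function names are my own assumptions.

```python
"""Triage helper for DDS "Pseudo HJT Report" lines (added example; not part
of the DDS or OTL tools). Parses BHO / TB / URLSearchHooks / Run entries,
groups them by CLSID and flags orphaned CLSIDs and cache-folder autoruns."""
import re
from collections import defaultdict

# Constructed sample: a few lines in the shape of the DDS report posted in
# the thread (the CLSIDs and paths are the ones that appear in that log).
SAMPLE_LOG = r"""
uStart Page = hxxp://www.google.com/
mURLSearchHooks: Elf 1.11 Toolbar: {313a832a-aaf3-4880-a8d0-c42bee319c02} - c:\program files\elf_1.11\tbElf_.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Elf 1.11 Toolbar: {313a832a-aaf3-4880-a8d0-c42bee319c02} - c:\program files\elf_1.11\tbElf_.dll
BHO: Searchqu Toolbar: {99079a25-328f-4bd4-be04-00955acaa0a7} - c:\progra~1\search~1\datamngr\toolbar\searchqudtx.dll
TB: Elf 1.11 Toolbar: {313a832a-aaf3-4880-a8d0-c42bee319c02} - c:\program files\elf_1.11\tbElf_.dll
TB: Searchqu Toolbar: {99079a25-328f-4bd4-be04-00955acaa0a7} - c:\progra~1\search~1\datamngr\toolbar\searchqudtx.dll
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRunOnce: [!iLividOnce] c:\users\harrison1\appdata\local\microsoft\windows\temporary internet files\content.ie5\w5vdydrt\iLividSetupV1.exe
"""

# Hook lines: "<kind>: [<name>: ]{CLSID} - <path or 'No File'>"
HOOK_RE = re.compile(
    r"^(?P<kind>[um]?URLSearchHooks|BHO|TB): "
    r"(?:(?P<name>.*?): )?"
    r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}) - (?P<path>.*)$"
)
# Autorun lines: "<u|m>Run[Once]: [<value name>] <command line>"
RUN_RE = re.compile(r"^(?P<kind>[um]Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<path>.*)$")

# Heuristic (my assumption): legitimate software does not autostart from the
# IE cache or a temp folder; installers dropped there by a download manager do.
CACHE_DIRS = ("temporary internet files", "\\temp\\")


def parse_report(text):
    """Split a DDS-style report into hook entries and autorun entries."""
    hooks, autoruns = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = HOOK_RE.match(line)
        if m:
            hooks.append({"kind": m["kind"], "name": m["name"] or "(no name)",
                          "clsid": m["clsid"].lower(), "path": m["path"]})
            continue
        m = RUN_RE.match(line)
        if m:
            autoruns.append({"kind": m["kind"], "name": m["name"], "path": m["path"]})
    return hooks, autoruns


def orphaned_clsids(hooks):
    """CLSIDs still registered as a hook although the DLL is gone ("No File")."""
    return sorted({h["clsid"] for h in hooks if h["path"].lower() == "no file"})


def hook_points(hooks):
    """Map each CLSID to the sorted list of hook kinds it is registered under."""
    points = defaultdict(set)
    for h in hooks:
        points[h["clsid"]].add(h["kind"])
    return {clsid: sorted(kinds) for clsid, kinds in points.items()}


def suspicious_autoruns(autoruns):
    """Run/RunOnce entries whose target lives in a cache or temp folder."""
    return [a for a in autoruns if any(d in a["path"].lower() for d in CACHE_DIRS)]


def triage(text):
    """One-shot summary: orphans, CLSIDs hooked in more than one place, cache autoruns."""
    hooks, autoruns = parse_report(text)
    points = hook_points(hooks)
    return {
        "orphans": orphaned_clsids(hooks),
        "multi_hook": {c: k for c, k in points.items() if len(k) > 1},
        "cache_autoruns": [a["name"] for a in suspicious_autoruns(autoruns)],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Every CLSID reported under `multi_hook` has to be removed from each listed hook point (and from Classes\CLSID), which is why the OTL fix carries separate O2 (BHO) and O3 (Toolbar) lines for the same Searchqu GUID; deleting only one of them leaves the component registered elsewhere.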


OK, here's the log file after the reboot

All processes killed

========== OTL ==========

Registry value HKEY_USERS\S-1-5-21-2917202170-3497865473-2251337169-1000\Software\Microsoft\Internet Explorer\URLSearchHooks\\ deleted successfully.

Registry value HKEY_USERS\S-1-5-21-2917202170-3497865473-2251337169-1000\Software\Microsoft\Internet Explorer\URLSearchHooks\\{06b5b051-1d05-443d-822f-39ab0d05f018} deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{06b5b051-1d05-443d-822f-39ab0d05f018}\ not found.

Registry key HKEY_USERS\S-1-5-21-2917202170-3497865473-2251337169-1000\SOFTWARE\Classes\CLSID\{06b5b051-1d05-443d-822f-39ab0d05f018}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.

Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{99079a25-328f-4bd4-be04-00955acaa0a7}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{99079a25-328f-4bd4-be04-00955acaa0a7}\ deleted successfully.

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{99079a25-328f-4bd4-be04-00955acaa0a7} deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{99079a25-328f-4bd4-be04-00955acaa0a7}\ not found.

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\10 deleted successfully.

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.

C:\Users\Public\Desktop\iLivid.lnk moved successfully.

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\\!iLividOnce deleted successfully.

C:\Users\Harrison1\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\W5VDYDRT\iLividSetupV1.exe moved successfully.

========== COMMANDS ==========

[EMPTYJAVA]

User: Administrator

->Java cache emptied: 0 bytes

User: All Users

User: Default

User: Default User

User: Harrison1

->Java cache emptied: 339661 bytes

User: Harrison2

User: Public

Total Java Files Cleaned = 0.00 mb

[EMPTYTEMP]

User: Administrator

->Temp folder emptied: 6122738 bytes

->Temporary Internet Files folder emptied: 22506283 bytes

->Java cache emptied: 0 bytes

->Flash cache emptied: 51455 bytes

User: All Users

User: Default

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

->Flash cache emptied: 41620 bytes

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

->Flash cache emptied: 0 bytes

User: Harrison1

->Temp folder emptied: 3132575473 bytes

->Temporary Internet Files folder emptied: 1086861192 bytes

->Java cache emptied: 0 bytes

->Google Chrome cache emptied: 7267602 bytes

->Flash cache emptied: 44631 bytes

User: Harrison2

->Temp folder emptied: 3382071 bytes

->Temporary Internet Files folder emptied: 1682015 bytes

->Flash cache emptied: 41911 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 279121958 bytes

RecycleBin emptied: 0 bytes

Total Files Cleaned = 4,329.00 mb

OTL by OldTimer - Version 3.2.47.0 log created on 06082012_124359


Great....

A little clean up to do....

Run OTL and hit the CleanUp button. (This will clean up the tools and logs used, including itself.)

Any other programs or logs you can manually delete.

-----------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Pay particular attention to outdated programs such as Java.

Good Luck and Thanks for using the forum, MrC


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
