
Search Engine Redirect Virus w/ Google



jayescee316
2012-01-02, 06:31
Hi,

I've recently gotten a possible virus where I search something on Google, click on a link, and then get redirected to another website that is not relevant to what I wanted. The virus has gotten so serious that I now have to be in SAFE MODE to be able to use the internet, because it has totally cut me off when it's in normal mode.

Thanks!


DDS Log (not sure if correct since I did it in Safe Mode):

.
DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Run by User at 21:20:09 on 2012-01-01
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.766 [GMT -8:00]
.
AV: Trend Micro Titanium Internet Security *Enabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.searchqu.com/406
BHO: {1252b80d-9470-4041-839c-c4551fdb1a1d} - c:\documents and settings\user\local settings\application data\ServiceSys32.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: TmIEPlugInBHO Class: {1ca1377b-dc1d-4a52-9585-6e06050fac53} - c:\program files\trend micro\amsp\module\20004\1.5.1504\6.6.1088\TmIEPlg.dll
BHO: Searchqu Toolbar: {99079a25-328f-4bd4-be04-00955acaa0a7} - c:\progra~1\window~4\datamngr\toolbar\searchqudtx.dll
BHO: TmBpIeBHO Class: {bbacbafd-fa5e-4079-8b33-00eb9f13d4ac} - c:\program files\trend micro\amsp\module\20002\6.6.1010\6.6.1010\TmBpIe32.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Searchqu Toolbar: {99079a25-328f-4bd4-be04-00955acaa0a7} - c:\progra~1\window~4\datamngr\toolbar\searchqudtx.dll
uRun: [Steam] "c:\program files\steam\steam.exe" -silent
uRun: [Policies Update] rundll32 "c:\documents and settings\user\local settings\application data\adobe\adobeupdate\Adobeup.dll",DllRegisterServer
uRun: [DisplayBackupBackup] rundll32.exe "c:\documents and settings\all users\application data\DisplayBackupBackup.dll",DllRegisterServer
uRun: [GNU Update] rundll32 "c:\documents and settings\user\local settings\application data\temp\tempupdate\Tempup.dll",DllRegisterServer
uRun: [Privacy Protection] c:\documents and settings\all users\application data\privacy.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Trend Micro Titanium] c:\program files\trend micro\titanium\uiframework\uiWinMgr.exe -set Silent "1" SplashURL ""
mRun: [Trend Micro Client Framework] "c:\program files\trend micro\uniclient\uifrmwrk\UIWatchDog.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\user\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\user\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
TCP: DhcpNameServer = 68.87.76.182 68.87.78.134
TCP: Interfaces\{6C8BC5C1-AACB-4CE1-962C-FC33BB5BFF43} : DhcpNameServer = 68.87.76.182 68.87.78.134
Handler: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - c:\program files\trend micro\amsp\module\20002\6.6.1010\6.6.1010\TmBpIe32.dll
Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - c:\program files\trend micro\amsp\module\20004\1.5.1504\6.6.1088\TmIEPlg.dll
AppInit_DLLs:
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\user\application data\mozilla\firefox\profiles\od56xxqk.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://www.searchqu.com/web?src=ffb&appid=119&systemid=406&sr=0&q=
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
.
============= SERVICES / DRIVERS ===============
.
S2 Amsp;Trend Micro Solution Platform;c:\program files\trend micro\amsp\coreServiceShell.exe [2011-8-17 188272]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2011-8-17 64080]
.
=============== Created Last 30 ================
.
.
==================== Find3M ====================
.
2011-11-08 05:09:17 842752 ----a-w- c:\documents and settings\all users\application data\privacy.exe
2011-11-07 00:14:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-11-06 06:13:31 0 ---ha-w- c:\documents and settings\user\jecownkgxo.tmp
2011-10-29 06:50:14 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-29 06:49:49 339968 ----a-w- c:\documents and settings\all users\application data\DisplayBackupBackup.dll
.
============= FINISH: 21:20:31.39 ===============
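The Pseudo HJT section of the DDS log above is where a responder looks first: several Run keys launch rundll32 against DLLs that live under Local Settings\Application Data or All Users\Application Data, and one BHO has no display name and loads from the same profile area. The following is an added example, not part of the thread and not code from DDS itself, that encodes those two observations as a small triage script. The sample input is constructed from lines of the log above (same line formats, fewer lines); the list of "user-writable" path markers is an assumption about the Windows XP profile layout, not something DDS reports.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of a DDS "Pseudo HJT Report", trimmed from
# the entries in the log above (same line formats, fewer lines).
SAMPLE_HJT = r"""
uStart Page = hxxp://www.searchqu.com/406
BHO: {1252b80d-9470-4041-839c-c4551fdb1a1d} - c:\documents and settings\user\local settings\application data\ServiceSys32.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
uRun: [Steam] "c:\program files\steam\steam.exe" -silent
uRun: [Policies Update] rundll32 "c:\documents and settings\user\local settings\application data\adobe\adobeupdate\Adobeup.dll",DllRegisterServer
uRun: [Privacy Protection] c:\documents and settings\all users\application data\privacy.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
"""


@dataclass(frozen=True)
class Finding:
    reason: str   # why the entry deserves a look
    entry: str    # the raw log line that triggered it


# uRun / mRun lines: "[display name] command line"
RUN_RE = re.compile(r"^[um]Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# BHO lines: optional display name, CLSID in braces, then the DLL path
BHO_RE = re.compile(r"^BHO: (?:(?P<name>.+?): )?\{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
# first drive-letter path in a command line, stopping at a quote or comma
PATH_RE = re.compile(r'[a-z]:\\[^",]*', re.I)
# rundll32 asked to call a DLL's DllRegisterServer export at every logon
DLLREG_RE = re.compile(r"\brundll32(?:\.exe)?\b.*,\s*DllRegisterServer\s*$", re.I)

# Assumption (XP profile layout): locations an ordinary user can write to.
# Installers for legitimate software normally put startup binaries under
# Program Files or System32, so a startup item living here stands out.
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\temp\\")


def first_path(command):
    m = PATH_RE.search(command)
    return m.group(0).strip().lower() if m else None


def in_user_writable(path):
    return bool(path) and any(marker in path for marker in USER_WRITABLE)


def triage(report):
    """Return the Run and BHO entries of a Pseudo HJT report that merit review."""
    findings = []
    for raw in report.splitlines():
        line = raw.strip()
        run = RUN_RE.match(line)
        if run:
            cmd = run.group("cmd")
            if in_user_writable(first_path(cmd)):
                findings.append(Finding("loads from a user-writable profile path", line))
            if DLLREG_RE.search(cmd):
                findings.append(Finding("rundll32 invokes DllRegisterServer at logon", line))
            continue
        bho = BHO_RE.match(line)
        if bho:
            if not bho.group("name"):
                findings.append(Finding("BHO registered without a display name", line))
            if in_user_writable(bho.group("path").strip().lower()):
                findings.append(Finding("loads from a user-writable profile path", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT):
        print(f"{f.reason:45} | {f.entry}")
```

Run against the constructed sample, the script flags the nameless BHO and the two Run entries under the profile, and stays quiet on Steam, the NVIDIA rundll32 entry (its export is NvStartup, not DllRegisterServer) and Adobe ARM. The rules are heuristics for prioritising what to read, not a verdict; the hashes and vendor lookups still have to follow.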

vict0r
2012-01-06, 20:43
Hello.

My nickname is vict0r and I will help you with the malware issues on your computer.

Please read the following information carefully.

IMPORTANT: Whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

To make cleaning this machine easier:

Continue to respond to this thread until I tell you that the logs are clean!
Please DO NOT uninstall/install any programs unless asked to. It is more difficult when files/programs appear or disappear from the logs.
Please do not run any scans other than those requested and do not post any logs/reports unless specifically requested to do so.
Please follow all instructions in the order posted.
If you have any questions or do not understand instructions, please ask before continuing.
Please reply to this thread. Do not start a new topic.
Your security program(s) may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.

I am currently reviewing your log and will return, as soon as possible, with further instructions.

Meanwhile please answer this question:
Do you have another computer/device to access the internet?

jayescee316
2012-01-07, 00:46
Yes, I do have another computer that can access the internet.

Thanks for helping me out vict0r!

vict0r
2012-01-07, 18:58
Please run the scans below and post the logs. Please use one reply per log.

CKScanner

Please download CKScanner (http://downloads.malwareremoval.com/CKScanner.exe) ... Save it to your desktop.
This program should only be run once!
Make sure that CKScanner.exe is saved directly on your desktop before running the application!
Double-click on the CKScanner.exe icon... then click the Search For Files button.
When the scan is finished (the cursor hourglass disappears) click the Save List To File button.
A text file will be created on your desktop named "ckfiles.txt"
Click OK at the file saved message box. Double-click on the ckfiles.txt icon on your desktop.
Please copy/paste the contents of ckfiles.txt in your next reply.


Scan with WVCheck:

Please download WVCheck (http://artellos.com/ccount/click.php?id=7) and save it to the desktop.


Double click on WVCheck.exe and follow the prompts.
The scan may take some time depending on the Hard-Drive size.
Please post the contents of the notepad file WVCheck_1436_dd-mm-yyyy that can be located on the desktop.

Remember to post:
CKScanner log.
WVCheck log.

jayescee316
2012-01-07, 19:26
Should I be posting the logs in the infected computer on SAFE MODE?

vict0r
2012-01-07, 19:54
Yes, please. Start the computer in safe mode with networking and access this topic to download the programs. Do not use a USB stick or similar to transfer files to your existing computer.

jayescee316
2012-01-07, 20:46
CKScanner and WVCheck both did not find anything.

CKScanner log:

CKScanner - Additional Security Risks - These are not necessarily bad
scanner sequence 3.RP.11.PVAAKL
----- EOF -----

WVCheck log:

Windows Validation Check
Version: 1.9.12.5
Log Created On: 1144_07-01-2012
-----------------------

Windows Information
-----------------------
Windows Version: Windows XP Service Pack 2
Windows Mode: Safe Mode with Networking
Systemroot Path: C:\WINDOWS

WVCheck's Auto Update Check
-----------------------
Auto-Update Option: Download updates and install them automatically.
-----------------------
Last Success Time for Update Detection: 2011-11-07 19:52:24
Last Success Time for Update Download: 2011-10-13 00:00:13
Last Success Time for Update Installation: 2011-10-14 05:59:38


WVCheck's Registry Check Check
-----------------------
Antiwpa: Not Found
-----------------------
Chew7Hale: Not Found
-----------------------


WVCheck's File Dump
-----------------------
WVCheck found no known bad files.


WVCheck's Dir Dump
-----------------------
WVCheck found no known bad directories.


WVCheck's Missing File Check
-----------------------
WVCheck found no missing Windows files.


WVCheck's MBAM Quarantine Check
-----------------------
There were no bad files quarantined by MBAM.


WVCheck's HOSTS File Check
-----------------------
WVCheck found no bad lines in the hosts file.


WVCheck's MD5 Check
EXPERIMENTAL!!
-----------------------
user32.dll - b409909f6e2e8a7067076ed748abf1e7


-------- End of File, program close at 1145_07-01-2012 --------

vict0r
2012-01-08, 21:24
If you do not follow the instructions exactly as given, it will complicate the process and cause significant delays. All scans and fixes must be run only once unless specifically requested otherwise.

It's not recommended to use a computer in safe mode with networking; however, this is needed in this case to run the scans and fixes. I recommend that you keep the computer shut off while not performing the scans and fixes as instructed. Start your computer in safe mode with networking again.


Uninstall misc programs

Out of date Java installations pose a security risk. They can be used by malware as a means to infect a computer and/or re-infect it.

Click on Start > Run.
In the open text box copy/paste appwiz.cpl Then click Ok.
Wait for the list of programs in the Add/Remove control panel to appear, then uninstall the two programs listed below:

Java(TM) 6 Update 22
Windows iLivid Toolbar

Continue with the next step even if iLivid does not disappear.


Back up the registry with Erunt

Please navigate to Start >> All Programs >> ERUNT, then double-click ERUNT from the menu.
Click on OK within the pop-up menu.
In the next menu under C:\WINDOWS\ERDNT\DD-MM-YYYY under Backup options make sure both the following are selected:
System registry.
Current user registry.
Next click on "OK"... at the prompt... reply "Yes".
After a short duration the Registry backup is complete! pop-up message will appear.
Now click on "OK". A registry backup has now been created.
Please stop following these instructions if the registry backup failed. Post back instead.


Download custom OTL script

Please right-click on the filename link below and select "Save target as..." or "Save Link as...", choose the Desktop as location, and choose to save as the filename: Fix.txt
SQWinXP_x32.TXT (http://downloads.malwareremoval.com/SQWinXP_x32.TXT)


OTL

Please download OTL.exe (http://oldtimer.geekstogo.com/OTL.exe) by OldTimer and save it to your desktop.

Double Click the OTL icon to start the program.
Click the Run Fix button at the top.
You will see a popup dialog reporting "No fix has been provided. Click OK to load from a file or Cancel". Click on OK
When the Open dialog comes up, Navigate to the Desktop, click to highlight the file named Fix.txt and click Open
Some text will appear in the Custom scans/Fixes box.
Click the Run Fix button.
Let the program run unhindered and reboot the PC when it is done.
When the computer reboots, and you start your usual account, a Notepad text file will appear.
Copy the contents of that file and post it in your next reply. The file will also appear on your desktop as OTL.txt


SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)

Double-click SystemLook.exe to run it.
Copy and paste the content of the following codebox into the main textfield:


:filefind
*Fun4IM*
*Bandoo*
*Searchqu*
*iLivid*
*whitesmoke*
*datamngr*
*trolltech*

:folderfind
*Fun4IM*
*Bandoo*
*Searchqu*
*iLivid*
*whitesmoke*
*datamngr*
*trolltech*

:Regfind
Fun4IM
Bandoo
Searchqu
iLivid
whitesmoke
datamngr
kelkoopartners
trolltech

Click the Look button to start the scan.
Because of the Registry searches, the scan may take 15 minutes or a bit more to run on a large machine. Please be patient.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


ESET Online Scanner

You can use either Internet Explorer or Mozilla Firefox for this scan.

Please open the following link in a new window:
ESET Online Scanner (http://www.eset.com/us/online-scanner/run)

Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
All of the below instructions are compatible with either Internet Explorer or Mozilla Firefox. Select the option YES, I accept the Terms of Use then click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS2.gif
When prompted allow the Add-On/Active X to install.
Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
Now click on Advanced Settings and select the following:

Scan for potentially unwanted applications
Scan for potentially unsafe applications
Enable Anti-Stealth Technology
Now click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS3.gif
The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet Connection.
When completed downloading, the Online Scan will begin automatically.
Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
When the scan is completed, use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
Copy and paste that log as a reply to this topic.
Back in the scanner window, make sure Uninstall application on close is not selected.
Now click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS4.gif


Remember to post:
OTL log
SystemLook log
Eset log.

jayescee316
2012-01-08, 23:34
I think I mistakenly did something wrong.

OTL Log:

All processes killed
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls not found.
File pInit_DLLs: not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls not found.
File pInit_DLLs: not found.
========== REGISTRY ==========
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\\Start Page not found.
Registry key HKEY_CURRENT_USER\Software\DataMngr_Toolbar\ not found.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\Bandoo\ not found.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\iLivid\ not found.
Registry key HKEY_CURRENT_USER\Software\AppDataLow\Software\searchqutoolbar\ not found.
Registry key HKEY_CURRENT_USER\Software\DataMngr\ not found.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{8A96AF9E-4074-43b7-BEA3-87217BDA7406}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8A96AF9E-4074-43b7-BEA3-87217BDA7406}\ not found.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Bandoo\ not found.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Searchqu 406 MediaBar\ not found.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\menuorder\start menu2\programs\bandoo\ not found.
Registry key HKEY_CURRENT_USER\Software\Trolltech\ not found.
Registry key HKEY_CURRENT_USER\Software\ilivid\ not found.
Registry key HKEY_CURRENT_USER\Software\searchqutoolbar\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\DataMngr\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Bandoo\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\BandooCore.EXE\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{1301A8A5-3DFB-4731-A162-B357D00C9644}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1301A8A5-3DFB-4731-A162-B357D00C9644}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\iLividSetupV1.exe\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BandooCore.BandooCore.1\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BandooCore.BandooCore\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BandooCore.ResourcesMngr.1\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BandooCore.ResourcesMngr\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BandooCore.SettingsMngr.1\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BandooCore.SettingsMngr\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BandooCore.StatisticMngr.1\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BandooCore.StatisticMngr\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{27F69C85-64E1-43CE-98B5-3C9F22FB408E}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{27F69C85-64E1-43CE-98B5-3C9F22FB408E}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{99079a25-328f-4bd4-be04-00955acaa0a7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{99079a25-328f-4bd4-be04-00955acaa0a7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A40DC6C5-79D0-4ca8-A185-8FF989AF1115}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A40DC6C5-79D0-4ca8-A185-8FF989AF1115}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B543EF05-9758-464E-9F37-4C28525B4A4C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B543EF05-9758-464E-9F37-4C28525B4A4C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BB76A90B-2B4C-4378-8506-9A2B6E16943C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BB76A90B-2B4C-4378-8506-9A2B6E16943C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C3AB94A4-BFD0-4BBA-A331-DE504F07D2DB}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C3AB94A4-BFD0-4BBA-A331-DE504F07D2DB}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{477F210A-2A86-4666-9C4B-1189634D2C84}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{477F210A-2A86-4666-9C4B-1189634D2C84}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FF871E51-2655-4D06-AED5-745962A96B32}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FF871E51-2655-4D06-AED5-745962A96B32}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SearchQUIEHelper.DNSGuard.1\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SearchQUIEHelper.DNSGuard\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{6A4BCABA-C437-4C76-A54E-AF31B8A76CB9}\1.0\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{8F5F1CB6-EA9E-40AF-A5CA-C7FD63CC1971\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8F5F1CB6-EA9E-40AF-A5CA-C7FD63CC1971\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{424624F4-C5DD-4e1d-BDD0-1E9C9B7799CC}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{424624F4-C5DD-4e1d-BDD0-1E9C9B7799CC}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7f000001-db8e-f89c-2fec-49bf726f8c12}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7f000001-db8e-f89c-2fec-49bf726f8c12}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9C8A3CA5-889E-4554-BEEC-EC0876E4E96A}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9C8A3CA5-889E-4554-BEEC-EC0876E4E96A}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F9189560-573A-4fde-B055-AE7B0F4CF080}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F9189560-573A-4fde-B055-AE7B0F4CF080}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{8A96AF9E-4074-43b7-BEA3-87217BDA7406}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8A96AF9E-4074-43b7-BEA3-87217BDA7406}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\ilivid.exe\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SearchquMediaBar_RASAPI32\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SearchquMediaBar_RASMANCS\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SetupDataMngr_searchqu_RASAPI32\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SetupDataMngr_searchqu_RASMANCS\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\iLividSetupV1_RASAPI32\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\iLividSetupV1_RASMANCS\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{99079a25-328f-4bd4-be04-00955acaa0a7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{99079a25-328f-4bd4-be04-00955acaa0a7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Searchqu 406 MediaBar\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows Searchqu Toolbar\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Windows Searchqu Toolbar\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows Searchqu Toolbar\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\SearchquMediabarTb\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\clsid\{27f69c85-64e1-43ce-98b5-3c9f22fb408e}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{27f69c85-64e1-43ce-98b5-3c9f22fb408e}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\clsid\{b543ef05-9758-464e-9f37-4c28525b4a4c}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b543ef05-9758-464e-9f37-4c28525b4a4c}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\typelib\{8f5f1cb6-ea9e-40af-a5ca-c7fd63cc1971}\1.0\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\microsoft\windows\currentversion\app management\arpcache\searchqu 406 mediabar\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\clsid\{a40dc6c5-79d0-4ca8-a185-8ff989af1115}\inprocserver32\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\clsid\{cc1ac828-bb47-4361-afb5-96eee259dd87}\inprocserver32\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\clsid\{fefd3af5-a346-4451-aa23-a3ad54915515}\inprocserver32\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\typelib\{5b4144e1-b61d-495a-9a50-cd1a95d86d15}\1.0\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\typelib\{6a4bcaba-c437-4c76-a54e-af31b8a76cb9}\1.0\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\typelib\{841d5a49-e48d-413c-9c28-eb3d9081d705}\1.0\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\internet explorer\low rights\elevationpolicy\{99079a25-328f-4bd4-be04-00955acaa0a7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{99079a25-328f-4bd4-be04-00955acaa0a7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\internet explorer\low rights\elevationpolicy\{d0a4be92-2216-42db-ab35-d72efb9f0176}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{d0a4be92-2216-42db-ab35-d72efb9f0176}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\shared tools\msconfig\startupreg\datamngr\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9D717F81-9148-4f12-8568-69135F087DB0}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9D717F81-9148-4f12-8568-69135F087DB0}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{0EDE4701-347A-45E0-81F0-D81D9F69BBFB}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EDE4701-347A-45E0-81F0-D81D9F69BBFB}\ not found.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2102}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2102}\ not found.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2102}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2102}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{99079a25-328f-4bd4-be04-00955acaa0a7} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{99079a25-328f-4bd4-be04-00955acaa0a7}\ not found.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{E1E743B1-DFF5-4DCF-8CD5-9AAFD552B290}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E1E743B1-DFF5-4DCF-8CD5-9AAFD552B290}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{E1E743B1-DFF5-4DCF-8CD5-9AAFD552B290}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E1E743B1-DFF5-4DCF-8CD5-9AAFD552B290}\ not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Windows iLivid Toolbar\Datamngr\ToolBar\dtUser.exe not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Windows iLivid Toolbar\Datamngr\ToolBar\dtUser.exe not found.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Windows iLivid Toolbar\Datamngr\ToolBar\dtUser.exe not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache\\C:\PROGRA~1\WINDOW~4\Datamngr\DATAMN~1.EXE not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\DATAMNGR not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs not found.
========== FILES ==========
File\Folder C:\Program Files\Windows iLivid Toolbar not found.
File\Folder C:\Program Files\Windows Searchqu Toolbar not found.
File\Folder C:\Program Files\iLivid not found.
File\Folder C:\Windows\Prefetch\ILIVID* not found.
File\Folder C:\Windows\Prefetch\SEARCHQUMEDIABAR* not found.
File\Folder C:\Windows\Prefetch\SETUPDATAMNGR* not found.
File\Folder C:\Program Files\mozilla firefox\searchplugins\SearchquWebSearch.xml not found.
File/Folder C:\Documents and Settings\User\Application Data\searchquband not found.
File/Folder C:\Documents and Settings\User\Application Data\searchqutoolbar not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: User
->Temp folder emptied: 1097767 bytes
->Temporary Internet Files folder emptied: 593797 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 16867 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 2.00 mb

Error starting restore point: The function was called in safe mode.
Error closing restore point: The sequence number is invalid.

OTL by OldTimer - Version 3.2.31.0 log created on 01082012_135617

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

jayescee316
2012-01-08, 23:35
SystemLook log:

SystemLook 30.07.11 by jpshortstuff
Log created at 14:00 on 08/01/2012 by User
Administrator - Elevation successful

========== filefind ==========

Searching for "*Fun4IM*"
No files found.

Searching for "*Bandoo*"
No files found.

Searching for "*Searchqu*"
C:\WINDOWS\Prefetch\TB_SEARCHQU.EXE-2F87F767.pf --a---- 16878 bytes [02:27 11/10/2011] [02:27 11/10/2011] 67A5F92627EE2CD4CB69F82CCC28337E
C:\_OTL\MovedFiles\01082012_135150\C_Windows\Prefetch\SEARCHQUMEDIABAR.EXE-1621BC2D.pf --a---- 42786 bytes [02:27 11/10/2011] [02:27 11/10/2011] E5A29D95A347EEFF04CDDE06BD3F50B9
C:\_OTL\MovedFiles\01082012_135150\C_Windows\Prefetch\SETUPDATAMNGR_SEARCHQU.EXE-20430D07.pf --a---- 54446 bytes [02:24 11/10/2011] [02:27 11/10/2011] DE92B73C5C7DBE84C2491258A63D9EED

Searching for "*iLivid*"
C:\Documents and Settings\User\My Documents\Downloads\iLividSetupV1(1).exe --a---- 2108336 bytes [02:26 11/10/2011] [02:26 11/10/2011] 378D3A865E52755DBA1DFE596D36829C
C:\Documents and Settings\User\My Documents\Downloads\iLividSetupV1.exe --a---- 2108336 bytes [02:23 11/10/2011] [02:23 11/10/2011] 378D3A865E52755DBA1DFE596D36829C
C:\_OTL\MovedFiles\01082012_135150\C_Windows\Prefetch\ILIVID.EXE-0178C79C.pf --a---- 54736 bytes [02:25 11/10/2011] [02:28 11/10/2011] 71CA02F182B36E59C5425CEFE09A69D5
C:\_OTL\MovedFiles\01082012_135150\C_Windows\Prefetch\ILIVIDSETUPV1.EXE-0B1DF591.pf --a---- 24576 bytes [02:23 11/10/2011] [02:27 11/10/2011] 17D54861B92169B76301863BDAD9E457
C:\_OTL\MovedFiles\01082012_135150\C_Windows\Prefetch\ILIVIDSETUPV1.EXE-0DA1111D.pf --a---- 28414 bytes [02:23 11/10/2011] [02:23 11/10/2011] 139DD6EAC66F21D23D331A869602D137
C:\_OTL\MovedFiles\01082012_135150\C_Windows\Prefetch\ILIVIDSETUPV1.EXE-23B2BDB7.pf --a---- 38288 bytes [02:26 11/10/2011] [02:26 11/10/2011] 15F873F163D47B66B9C8582F228464A9
C:\_OTL\MovedFiles\01082012_135150\C_Windows\Prefetch\ILIVIDSETUPV1.EXE-36E1ED3D.pf --a---- 53102 bytes [02:31 11/10/2011] [02:31 11/10/2011] 0E49F70C75E0A1604A169321655AA350

Searching for "*whitesmoke*"
No files found.

Searching for "*datamngr*"
C:\_OTL\MovedFiles\01082012_135150\C_Windows\Prefetch\SETUPDATAMNGR_SEARCHQU.EXE-20430D07.pf --a---- 54446 bytes [02:24 11/10/2011] [02:27 11/10/2011] DE92B73C5C7DBE84C2491258A63D9EED

Searching for "*trolltech*"
No files found.

========== folderfind ==========

Searching for "*Fun4IM*"
No folders found.

Searching for "*Bandoo*"
No folders found.

Searching for "*Searchqu*"
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\od56xxqk.default\searchqutoolbar d------ [02:27 11/10/2011]
C:\_OTL\MovedFiles\01082012_135150\C_Documents and Settings\User\Application Data\searchqutoolbar d------ [02:27 11/10/2011]

Searching for "*iLivid*"
C:\Documents and Settings\User\Local Settings\Application Data\Ilivid Player d------ [02:25 11/10/2011]

Searching for "*whitesmoke*"
No folders found.

Searching for "*datamngr*"
No folders found.

Searching for "*trolltech*"
No folders found.

========== Regfind ==========

Searching for "Fun4IM"
No data found.

Searching for "Bandoo"
No data found.

Searching for "Searchqu"
No data found.

Searching for "iLivid"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\Documents and Settings\User\My Documents\Downloads\iLividSetupV1.exe"="iLivid Installation "
[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\DOCUME~1\User\LOCALS~1\Temp\mia10E5.tmp\iLividSetupV1.exe"="iLivid Installation "
[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\Program Files\iLivid\ilivid.exe"="ilivid"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\DOCUME~1\User\LOCALS~1\Temp\mia110E.tmp\iLividSetupV1.exe"="iLivid Installation "
[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\Documents and Settings\All Users\Application Data\{1B0B54CA-AA7D-41D3-A84A-29E7C9CB13A2}\iLividSetupV1.exe"="iLivid Installation "
[HKEY_USERS\S-1-5-21-1275210071-1614895754-682003330-1005\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\Documents and Settings\User\My Documents\Downloads\iLividSetupV1.exe"="iLivid Installation "
[HKEY_USERS\S-1-5-21-1275210071-1614895754-682003330-1005\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\DOCUME~1\User\LOCALS~1\Temp\mia10E5.tmp\iLividSetupV1.exe"="iLivid Installation "
[HKEY_USERS\S-1-5-21-1275210071-1614895754-682003330-1005\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\Program Files\iLivid\ilivid.exe"="ilivid"
[HKEY_USERS\S-1-5-21-1275210071-1614895754-682003330-1005\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\DOCUME~1\User\LOCALS~1\Temp\mia110E.tmp\iLividSetupV1.exe"="iLivid Installation "
[HKEY_USERS\S-1-5-21-1275210071-1614895754-682003330-1005\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\Documents and Settings\All Users\Application Data\{1B0B54CA-AA7D-41D3-A84A-29E7C9CB13A2}\iLividSetupV1.exe"="iLivid Installation "

Searching for "whitesmoke"
No data found.

Searching for "datamngr"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAAFC13F-5D79-43FC-AEEA-1DBB5BE91658}]
"AppPath"="C:\PROGRA~1\WINDOW~4\Datamngr\ToolBar"

Searching for "kelkoopartners"
No data found.

Searching for "trolltech"
No data found.

-= EOF =-

jayescee316
2012-01-08, 23:36
ESET Log:

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=1c050468b560a24e8eefc9dd82d7230d
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-01-08 10:28:12
# local_time=2012-01-08 02:28:12 (-0800, Pacific Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=512 16777175 100 0 5351676 5351676 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=32443
# found=7
# cleaned=0
# scan_time=997
C:\Documents and Settings\All Users\Application Data\DisplayBackupBackup.dll Win32/TrojanDownloader.Tracur.I trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\All Users\Application Data\privacy.exe a variant of Win32/Kryptik.VCJ trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\od56xxqk.default\extensions\{0d9fcb1e-8fe6-42ba-8e32-9e917e496c11}\chrome.manifest Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\od56xxqk.default\extensions\{0d9fcb1e-8fe6-42ba-8e32-9e917e496c11}\chrome\xulcache.jar JS/Agent.NDO trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\User\Local Settings\Application Data\TCPIPWin32.dll a variant of Win32/Kryptik.UQZ trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\User\Local Settings\Application Data\Adobe\AdobeUpdate\Adobeup.dll a variant of Win32/Kryptik.UQZ trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\User\My Documents\Downloads\KeyFinderInstaller.exe Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I
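
As an added example (not part of the thread, and not ESET's own tooling), a small Python parser for the ESET Online Scanner log format posted above, with a triage summary of the kind a helper reads first: whether the parsed count matches the `found=` header, which malware families appear, what the scanner left in place, and which hits sit inside a Firefox extension. The sample input is the three header lines and seven detection lines copied from the log; the column layout (path, optional "a variant of", detection name, category, action in parentheses, 32-hex hash, flag) is inferred from those lines, not from ESET documentation.

```python
import re
from collections import Counter

# Constructed sample: three header lines and the seven detection lines copied from the
# ESET Online Scanner log above. Detection line shape (inferred from the log itself):
#   <path> [a variant of ]<Platform/Name.Variant> <category> (<action>) <32-hex hash> <flag>
ESET_LOG = r"""
# scanned=32443
# found=7
# cleaned=0
C:\Documents and Settings\All Users\Application Data\DisplayBackupBackup.dll Win32/TrojanDownloader.Tracur.I trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\All Users\Application Data\privacy.exe a variant of Win32/Kryptik.VCJ trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\od56xxqk.default\extensions\{0d9fcb1e-8fe6-42ba-8e32-9e917e496c11}\chrome.manifest Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\od56xxqk.default\extensions\{0d9fcb1e-8fe6-42ba-8e32-9e917e496c11}\chrome\xulcache.jar JS/Agent.NDO trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\User\Local Settings\Application Data\TCPIPWin32.dll a variant of Win32/Kryptik.UQZ trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\User\Local Settings\Application Data\Adobe\AdobeUpdate\Adobeup.dll a variant of Win32/Kryptik.UQZ trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\User\My Documents\Downloads\KeyFinderInstaller.exe Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I
"""

# Windows paths never contain "/", so the first token containing "/" starts the detection name.
DETECTION_RE = re.compile(r"^(?P<body>.+) \((?P<action>[^()]*)\) (?P<hash>[0-9a-fA-F]{32}) (?P<flag>\S)$")


def parse_eset_log(text):
    """Return (header dict from '# key=value' lines, list of parsed detection dicts)."""
    header, findings = {}, []
    for line in text.splitlines():
        if line.startswith("# "):
            key, _, value = line[2:].partition("=")
            header[key] = value
            continue
        m = DETECTION_RE.match(line)
        if not m:
            continue  # blank or unrecognised line: skip rather than guess
        tokens = m.group("body").split(" ")
        i = next(k for k, t in enumerate(tokens) if "/" in t)
        variant = i >= 3 and tokens[i - 3:i] == ["a", "variant", "of"]
        platform, name = tokens[i].split("/", 1)
        findings.append({
            "path": " ".join(tokens[: i - 3 if variant else i]),
            "platform": platform, "family": name.rsplit(".", 1)[0], "variant": variant,
            "category": tokens[-1], "action": m.group("action"),
            "hash": m.group("hash"), "flag": m.group("flag"),
        })
    return header, findings


def triage(header, findings):
    """What a helper reads first: does the count match, which families, what was left in place."""
    return {
        "count_matches_header": header.get("found") == str(len(findings)),
        "families": Counter(f["family"] for f in findings),
        "uncleaned": [f["path"] for f in findings if f["action"] != "cleaned"],
        "pua": [f["path"] for f in findings if f["category"] == "application"],
        "firefox_extension_hits": [f["path"] for f in findings if "\\extensions\\" in f["path"]],
    }
```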

vict0r
2012-01-09, 20:29
Please start your computer in safe mode with networking.

Download ComboFix

A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use. ComboFix SHOULD NOT be used unless requested by a forum helper.

**IMPORTANT !!! Save ComboFix.exe to your Desktop**

Please download ComboFix from one of the following links, do not run the tool until your Anti Virus is disabled:

Link1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link2 (http://www.infospyware.net/antimalware/combofix/)


Disable Trend Micro AntiVirus

Right click on the Trend Micro Antivirus icon in the system tray and select Exit. Click Yes to confirm that you want to disable the program.


Run ComboFix

Double click the ComboFix icon on the desktop to run the tool and click Yes to the disclaimer.

Please install the Recovery Console if prompted.

The Windows Recovery Console will allow you to boot into a special recovery (repair) mode. This allows us to more easily help you if your computer has a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Please include the ComboFix log (C:\ComboFix.txt) in your next reply for further review.

jayescee316
2012-01-09, 22:17
I am not able to disable Trend Micro (not on the system tray in safe mode) or uninstall it from my computer because it is not letting me do so.

vict0r
2012-01-09, 22:30
Ok. Trend Micro is probably not running in safe mode. Go ahead and run Combofix. You will be alerted if it detects an active anti-virus.

jayescee316
2012-01-09, 22:44
It did notify me about Trend Micro. Do you still want me to run ComboFix?

vict0r
2012-01-09, 22:48
Go ahead and run Combofix. Remember to install the recovery console.

jayescee316
2012-01-09, 23:38
I am posting this on another computer. ComboFix rebooted my computer and it asks me for a Windows Activation Key (which I don't have). Is that normal for ComboFix to do?

vict0r
2012-01-10, 23:29
I am posting this on another computer. ComboFix rebooted my computer and it asks me for a Windows Activation Key (which I don't have). Is that normal for ComboFix to do?
That should not happen.

I need to do more research before I can get back to you on the issue. I have some questions and your answers may help me in my research:
Which make and model is this computer?
Is there a sticker somewhere on the computer with a Windows product key?
When did you buy this computer?
Do you have any blank writeable cd's?
Does your other computer have the ability to write cd's?
Do you own a usb-stick or usb hard drive?

jayescee316
2012-01-11, 02:20
Which make and model is this computer? It is a custom built computer
Is there a sticker somewhere on the computer with a Windows product key? No there isn't a sticker on the computer with a Windows product key
When did you buy this computer? I had the computer for 5 years
Do you have any blank writeable cd's? Yes I do
Does your other computer have the ability to write cd's? It can
Do you own a usb-stick or usb hard drive? I have an external hard drive

vict0r
2012-01-11, 13:33
What happens if you start the computer in safe mode? Do you get blocked by the Activation wizard or are you allowed to reach the desktop?

Do you remember if Combofix successfully installed the Recovery Console?

jayescee316
2012-01-11, 18:59
I tried putting it on safe mode...got blocked by the activation wizard. The Recovery console was successfully installed

vict0r
2012-01-11, 19:21
http://4windows.net/wp-content/uploads/2011/03/Windows-XP-activation-fix.jpg


http://i2.squidoocdn.com/resize/squidoo_images/-1/draft_lens2267816module12389736photo_12255123262.JPG

Please refer to the two screenshots above, the window in the second screenshot is displayed after clicking Yes in the alert box shown in the first screenshot.

Do the contents of the alert box and the window in the screenshots match exactly what you see, or are there any differences?

jayescee316
2012-01-12, 01:07
Those screenshots match exactly what I see when I start up the computer.

vict0r
2012-01-12, 12:48
Regarding your Windows Product key: Where is it? Did you stick it inside the computer case or do you store it elsewhere?

You may want to print out these instructions.

Enter the Recovery Console:

Start your computer, press the up arrow key on the keyboard as soon as the black screen is displayed during the boot asking you to select which operating system to start. This will keep the computer from booting into Windows XP.
Use the up and down arrow keys to select the Microsoft Windows Recovery Console option and then press the Enter key. A numbered list of start options will be displayed and you will be asked to enter the number associated with the installation you would like to start.
Type the number associated with the c:\WINDOWS option (normally 1).
At the c:\WINDOWS prompt type the command shown in the box below, press the Enter key to execute the command.
dir /s /p \Qoobox\Quarantine\c\windows\system32

You will have to use your other computer to post back which files Combofix has quarantined. Stop after 10 files if there's a lot.
If there are more than ten and we do not find the culprit it could be that we will have to check more entries.
Press Ctrl+C on your keyboard, then type exit and press the Enter key. The computer will reboot.
Press the up arrow key on the keyboard as soon as the black screen is displayed during the boot asking you to select which operating system to start. This will keep the computer from booting into Windows XP.
Press the power button on your computer to power down.

jayescee316
2012-01-12, 20:12
The command code isn't working. When I press enter it says "The parameter is not valid. Try /? for help."

vict0r
2012-01-12, 20:15
Try the following command:
dir /s /p c:\Qoobox\Quarantine\c\windows\system32
Note that there are 3 spaces in the command.

jayescee316
2012-01-12, 20:26
The command still doesn't work

vict0r
2012-01-12, 20:29
Do any of these work?
dir c:\Qoobox
dir c:\
dir

jayescee316
2012-01-12, 20:31
Those 3 work

jayescee316
2012-01-12, 20:38
I did a Google search on the command:

dir /s /p c:\Qoobox\Quarantine\c\windows\system32

They changed the "/p" into a "/b"

vict0r
2012-01-12, 20:42
Try the following command, make sure you spell it correctly:
type C:\Qoobox\ComboFix-quarantined-files.txt
If successful post back 10 entries in that file starting from the bottom.

vict0r
2012-01-12, 20:45
You can also try this:
dir c:\Qoobox\Quarantine\c\windows\system32

vict0r
2012-01-12, 21:07
I did a Google search on the command:

dir /s /p c:\Qoobox\Quarantine\c\windows\system32

They changed the "/p" into a "/b"

There seems to be no "/p"-parameter in the recovery console. This is the command I prefer you to try:
dir c:\Qoobox\Quarantine\c\windows\system32
Post back with 10 files from the bottom.

jayescee316
2012-01-12, 21:27
Here's what it shows when I type in "c:\Qoobox\Quarantine\c\windows\system32"

01/9/12 03:08p d------- 0 .
01/9/12 03:08p d------- 0 ..
08/04/04 05:00a -a------ 502272 winlogon.bak.vir
08/17/11 05:27p -a------ 502272 winlogon.exe.vir
4 file(s) 1004544 bytes
152074321920 bytes free

vict0r
2012-01-12, 21:44
Are there more files listed by the following command?
type C:\Qoobox\ComboFix-quarantined-files.txt

Also, don't forget to answer my questions about the Windows product key:

Where is it? Did you stick it inside the computer case or do you store it elsewhere?

jayescee316
2012-01-12, 22:09
When I typed in C:\Qoobox\ComboFix-quarantined-files.txt it said, "The command is not recognized Type HELP for a list of supported commands."

I was never given a Windows product key since the computer was custom built.

vict0r
2012-01-12, 22:13
The command is the line in the box below:

type C:\Qoobox\ComboFix-quarantined-files.txt

jayescee316
2012-01-12, 22:17
Will I be able to use the product key from another computer onto the one with the infection?

jayescee316
2012-01-12, 22:20
And I've tried that code many times and the same message shows.

vict0r
2012-01-12, 22:25
And I've tried that code many times and the same message shows.

Please note that the word type is part of the command. You must type 'type C:\Qoobox\ComboFix-quarantined-files.txt' without the single quotes.

jayescee316
2012-01-12, 22:27
It said access is denied

vict0r
2012-01-12, 22:46
Ok, power down the computer:
Type the command exit, then press the Enter key. The computer will reboot.
Press the up arrow key on the keyboard as soon as the black screen is displayed during the boot asking you to select which operating system to start. This will keep the computer from booting into Windows XP.
Press the power button on your computer to power down.


I'll be back later with my next post.

jayescee316
2012-01-12, 22:55
Yes sir. Thanks for helping me so far vict0r. It was very much appreciated! :thanks:

jayescee316
2012-01-12, 23:00
I'll wait for you patiently.

vict0r
2012-01-15, 20:27
I was never given a Windows product key since the computer was custom built.

Since you were never given a Windows Product Key and Windows was deactivated by Combofix, it is likely that the built-in activation system has been tampered with and that the Windows install on the computer is not legitimate.

You can attempt to resolve the problem by following the activation wizard to activate Windows. It is recommended that you choose the option to activate by phone, but you can also attempt to activate over the internet (i.e. in safe mode with networking). Remember that Microsoft will not ask for payment/credit card information for the activation.

If you are able to activate Windows and then asked to activate again at next boot, then refer to this article by Microsoft:
http://support.microsoft.com/kb/312295/en-us

Unsuccessful activation means that the Windows install is not legitimate. Refer to this post:
http://forums.spybot.info/showpost.php?p=25290&postcount=4

jayescee316
2012-01-17, 05:23
Please lock this thread. If anything comes up I will PM someone to reopen this thread. Thanks!

tashi
2012-01-18, 22:23
Thank you vict0r. :)

Topic archived.