remove iLivid

Staff:

I started to download iLivid and as it was downloading, thought to check to see if it was a bad guy and it appears to be so. I think I was able to remove major parts through the Uninstall process for named Folders I could see. But it appears it took over Google as the search engine and I see there is a folder named iLivid manager on my expansion harddrive.

Can someone tell me how to check the computer for other files or hidden stuff so it is completely removed.

Thanks for your time

fairweather

Hello dewalt.
I don't know your Operating System.

You need to Show hidden files then....
I'd start In Task manager (CTRL+SHIFT+ESC),click the Processes Tab.
Look for
ilivid.exe
iLividSetupV1.exe
Highlight each and Click the End Process button.

Boot to Safe Mode...

use windows search utility to search for and delete these.....
ilivid.exe
iLividSetupV1.exe

%CommonAppData%\{F01C14AE-F9C0-49DB-A28C-4C24EE6762FE}\iLividSetupV1.dat
%CommonAppData%\{F01C14AE-F9C0-49DB-A28C-4C24EE6762FE}\iLividSetupV1.exe
%CommonAppData%\{F01C14AE-F9C0-49DB-A28C-4C24EE6762FE}\iLividSetupV1.lnk
%CommonAppData%\{F01C14AE-F9C0-49DB-A28C-4C24EE6762FE}\iLividSetupV1.msi
%CommonAppData%\{F01C14AE-F9C0-49DB-A28C-4C24EE6762FE}\iLividSetupV1.par
%CommonAppData%\{F01C14AE-F9C0-49DB-A28C-4C24EE6762FE}\iLividSetupV1.res
%CommonAppData%\{F01C14AE-F9C0-49DB-A28C-4C24EE6762FE}\instance.dat
%CommonAppData%\{F01C14AE-F9C0-49DB-A28C-4C24EE6762FE}\mia.lib
%CommonDesktopDir%\Get free emoticons and winks!.url
%CommonDesktopDir%\iLivid Download Manager.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\iLivid\iLivid Download Manager.lnk
%Temp%\mia1\ilividsetupv1.msi
%Temp%\mia1\destination.dfm.miaf
%Temp%\mia1\unwelcome.dfm.miaf
C:\Documents and Settings\All Users\Start Menu\Programs\iLivid
%AppData%\searchqutoolbar
%AppData%\vlc
%AppData%\Ilivid Player
%ProgramFiles%\iLivid\ilivid.exe


Run TFC by OT (Temp File Cleaner)
Please download TFC by Old Timer and save it to your desktop.
alternate download link

Save any unsaved work. TFC will close ALL open programs including your browser!
Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.

Your HOSTS file may be infected.
Reset the HOSTS file
As this infection also changes your Windows HOSTS file, we want to replace this file with the default version for your operating system.
Some types of malware will alter the HOSTS file as part of its infection. Please follow the instructions provided in How do I reset the hosts file back to the default?

To reset the hosts file automatically,go HERE click the button. Then just follow the prompts in the Fix it wizard.


OR
Click Run in the File Download dialog box or save MicrosoftFixit50267.msi to your Desktop and double-click on it to run. Then just follow the promots in the Fix it wizard.


Next run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1 <<<== Use this one first.

Download Link 2MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

• Make sure you are connected to the Internet.
• Double-click on mbam-setup.exe to install the application.
  For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
• When the installation begins, follow the prompts and do not make any changes to default settings.
• When installation has finished, make sure you leave both of these checked:
  • Update Malwarebytes' Anti-Malware
  • Launch Malwarebytes' Anti-Malware
• Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.

• If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
• If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.

On the Scanner tab:

• Make sure the "Perform Quick Scan" option is selected.
• Then click on the Scan button.
• If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
• The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
• When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
• Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

• Click on the Show Results button to see a list of any malware that was found.
• Make sure that everything is checked, and click Remove Selected.
• When removal is completed, a log report will open in Notepad.
• The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
• Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
• Exit MBAM when done.

Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Troubleshoot Malwarebytes' Anti-Malware

Boopme:

Thanks for taking time. OS is W7 Pro. I think I stopped it before it got completely installed, but who knows. I still have internet access, it hasn't got the browser yet, Google either, but it did change the browser opening page to www.searchqu.com which I was able to change back so OK.

I have already run MBAM in Safe Mode, it didn't find anything, but I will rerun it after I check everything you listed, this may take a day or so.

Thing I am concerned with is there is a large, 34.2 MB folder called iLivid in the expansion drive with 11 files with the first 4 ID'd as ilivid, libgcc_s_dw2-1.dll,mingwm10.dll & phonon4.dll ID'd when you hover over the folder. I didn't want to go clicking on too many things to try to find the other file names. And I don't know how to search the expansion drive; don't know if the search on the control panel?, what comes up when you click on START, will also check the expansion drive.

Will start with going through your list and let you know what I find or happens, but again thanks for your time.

dewalt

Hi,you're welcome. After the list. Delete the folder and contents if asked.

I would run TFC.

Scanning with MBAM in safe or normal mode will work but removal functions are not as powerful in safe mode. MBAM is designed to be at full power when malware is running so safe mode is not necessary when using it. In fact, it loses some effectiveness for detection & removal when used in safe mode because the program includes a special driver which does not work in safe mode. Further, scanning in safe mode prevents some types of malware from running so it may be missed during the detection process. For optimal removal, normal mode is recommended so it does not limit the abilities of MBAM. Doing a safe mode scan should only be done when a regular mode scan fails.

NOTE: Reinstall MBAM if you installed it in safe mode.

Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:

• Go to > Programs > Accessories > System Tools and click "System Restore".
• Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

• Then use Disk Cleanup to remove all but the most recently created Restore Point.
• Go to > Run... and type: Cleanmgr
• Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
• Click the "More Options" tab, then click the "Clean up" button under System Restore.
• Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
• Click Yes, then click Ok.
• Click Yes again when prompted with "Are you sure you want to perform these actions?"
• Disk Cleanup will remove the files and close automatically.

Vista and Windows 7 users can refer to these links:

• Create a New Restore Point in Vista or Windows 7
• Disk Cleanup in Vista
• Disk Cleanup in Windows 7

Boopme:

Finally got a chance to start down the list of things to do to catch the rest of iLivid. Didn't get far though. Did do the find hidden files exercise, then opened Task Manager and checked the processes tab and could not find either of the executable you had listed. that was good. then went to safe mode and used what looked like the search function that checked as letters were typed in and nothing there either. Going the right direction.

But when I went down to the list of other things to check for such as

%CommonAppData%\{F01C14AE-F9C0-49DB-A28C-4C24EE6762FE}\iLividSetupV1.dat

Could not be sure what were zeros and what were "Os", that is until now that I have copied and pasted that line above that it looks like the characters within curly brackets (and not parentheses, right?) are zeros and not lower case "o"s. On the printed page they look very much alike. I'm surprised they don't make a special character with a slash or dash for potentially confusing applications like this. Will try with zeros but would like you to confirm.

And assuming no further problems or misunderstandings on my part, would like to get that folder (iLivid) with 11 files cleared off the expansion/external hard drive.

Thanks again for your time and help

dewalt