I have PC-cillin and it found the following problems on my system.
"Virus Scan Logs","2007/10/30","TRULUCK"
"Time","Security Feature","Source Type","Virus Name","File Name","First Action","Second Action"
"09:59","File Monitor","File","HTML_IESLICE.JS","C:\Documents and Settings\MARK TRULUCK\Local Settings\Temporary Internet Files\Content.IE5\HIXC18OI\data1[1].htm","Quarantine Fail",""
"09:59","File Monitor","File","HTML_IESLICE.JS","C:\Documents and Settings\MARK TRULUCK\Local Settings\Temporary Internet Files\Content.IE5\HIXC18OI\data1[1].htm","Quarantine Success",""
"12:04","Manual Scan","File","JAVA_BYTEVER.BJ","MagicApplet.class (C:\Documents and Settings\MARK TRULUCK\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms03011.jar-23c3ab22-649f5a04.zip)","Quarantine Fail",""
"12:04","Manual Scan","File","JAVA_BYTEVER.DL","OwnClassLoader.class (C:\Documents and Settings\MARK TRULUCK\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms03011.jar-23c3ab22-649f5a04.zip)","Quarantine Fail",""
"12:04","Manual Scan","File","JAVA_BYTEVER.DK","ProxyClassLoader.class (C:\Documents and Settings\MARK TRULUCK\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms03011.jar-23c3ab22-649f5a04.zip)","Quarantine Fail",""
"12:04","Manual Scan","File","---","C:\Documents and Settings\MARK TRULUCK\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms03011.jar-23c3ab22-649f5a04.zip","Quarantine Success",""
"12:05","Manual Scan","File","EXPL_ANICMOO.GEN","C:\Documents and Settings\MARK TRULUCK\Local Settings\Temporary Internet Files\Content.IE5\QXOGTLV7\324123[1].htm","Quarantine Success",""
"13:11","File Monitor","File","TROJ_DLOADER.QLP","C:\Documents and Settings\MARK TRULUCK\Local Settings\Temporary Internet Files\Content.IE5\G2SP4OWF\hlpsrv[1].exe","Quarantine Success",""
"13:13","File Monitor","File","TROJ_DLOADER.QLP","C:\Documents and Settings\MARK TRULUCK\Local Settings\Temporary Internet Files\Content.IE5\QXOGTLV7\hlpsrv[1].exe","Quarantine Fail",""
"13:13","File Monitor","File","TROJ_DLOADER.QLP","C:\Program Files\hlpsrv.exe","Quarantine Success",""
"13:17","File Monitor","File","PAK_Generic.001","C:\Documents and Settings\MARK TRULUCK\Local Settings\Temporary Internet Files\Content.IE5\QZPAWQ7G\ucleaner_setup[1].exe","Quarantine Fail",""
"13:25","Manual Scan","File","PAK_Generic.001","C:\Documents and Settings\MARK TRULUCK\Local Settings\Temporary Internet Files\Content.IE5\QZPAWQ7G\ucleaner_setup[1].exe","Quarantine Success",""
"19:31","File Monitor","File","EXPL_ANICMOO.GEN","C:\Documents and Settings\MARK TRULUCK\Local Settings\Temporary Internet Files\Content.IE5\G2SP4OWF\324123[1].htm","Quarantine Fail",""
This is when the search2find.biz redirect started. The system has also been sluggish since then. Here is the startup log:
StartupList report, 11/1/2007, 8:00:06 PM
StartupList version: 1.52.2
Started from : C:\Program Files\Trend Micro\HijackThis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.16544)
* Using default options
==================================================
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\Program Files\Greetings Workshop\GWREMIND.EXE
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtWLan.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\MARK TRULUCK\Desktop\Windows-KB890830-V1.34.exe
c:\d6532403f86aee3912e966a48d775c\mrtstub.exe
C:\WINDOWS\system32\MRT.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
--------------------------------------------------
Listing of startup folders:
Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
WG111v2 Smart Wizard Wireless Setting.lnk = ?
--------------------------------------------------
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
pccguide.exe = "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
SpybotSD TeaTimer = C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
[MRI_DISABLED]
MSKAGENTEXE = c:\PROGRA~1\mcafee\SPAMKI~1\mskagent.exe
--------------------------------------------------
Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*
Shell & screensaver key from Registry:
Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*
Policies Shell key:
HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*
--------------------------------------------------
Enumerating Browser Helper Objects:
(no name) - (no file) - MRI_DISABLED
(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\WINDOWS\system32\dla\tfswshx.dll - {5CA3D70E-1895-11CF-8E15-001234567890}
(no name) - c:\program files\google\googletoolbar2.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
e404 helper - C:\Program Files\E404 Helper\e404.v1.dll - {F10587E9-0E47-4CBE-84AE-7DD20B8684BB}
--------------------------------------------------
Enumerating Task Scheduler jobs:
HP DArC Task #Hewlett-Packard#hp psc 2400 series#1082927422.job
WebReg 20040425171130.job
--------------------------------------------------
Enumerating Download Program Files:
[Office Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\system32\OGACheckControl.DLL
CODEBASE = http://go.microsoft.com/fwlink/?linkid=67633
[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
[Snapfish Activia]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\SnapfishActivia1000.ocx
CODEBASE = http://www2.snapfish.com/SnapfishActivia.cab
[Windows Live Safety Center Base Module]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\wlscBase.dll
CODEBASE = http://cdn.scan.safety.live.com/resource/download/scanner/wlscbase8460.cab
[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9d.ocx
CODEBASE = http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
[{D27CDB6E-AE6D-11CF-96B8-444553548000}]
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
--------------------------------------------------
Enumerating ShellServiceObjectDelayLoad items:
PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll
--------------------------------------------------
End of report, 6,587 bytes
Report generated in 0.937 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
Any help would be greatly appreciated.