WebSearch (*/search.php redirect virus)


3 replies to this topic

#1 search.phpvictim

search.phpvictim

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:07:26 PM

Posted 21 December 2009 - 03:43 PM

Many thanks to anyone who can give a hand here. When I do a Google search in IE or FF, the results redirect to differing sites whose URLs are appended with /search.php. For example, when clicking on a search result link, a link such as hxxp://microav/search.php will appear in the URL bar before redirecting to a different site. Search and Destroy hasn't worked. Neither Spybot nor ESET 32 has been able to remove the file/program, which I haven't been able to identify yet. I appreciate any help you can provide.


DDS (Ver_09-12-01.01) - NTFSx86
Run by loring.helfrich at 11:59:29.69 on Mon 12/21/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1534.734 [GMT -6:00]

AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Philips\VOIP151\VOIP151.exe
C:\Program Files\Toktumi\Toktumi.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\PROVID~1\LIVESU~1\PROVID~1.EXE
C:\Program Files\Eset\nod32.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
\\Toolserver-1\Users\loring.helfrich\My Documents\Downloads\dds(2).scr

============== Pseudo HJT Report ===============

uDefault_Page_URL = hxxp://www.dell4me.com/mywaybiz
uSearch Page = hxxp://www.google.com
uWindow Title = Microsoft Internet Explorer provided by ToolServe
uStart Page = about:blank
uSearch Bar = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/mywaybiz
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: : {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {A057A204-BACC-4D26-C7D7-6BAD84E32FCB} - No File
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: {A057A204-BACC-4D26-C7D7-6BAD84E32FCB} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [VOIP151] "c:\program files\philips\voip151\VOIP151.exe"
uRun: [<NO NAME>]
uRun: [ToktumiClient] c:\program files\toktumi\Toktumi.exe /m
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ProvideSupportOperatorConsole] c:\progra~1\provid~1\livesu~1\PROVID~1.EXE
mRun: [nod32kui] "c:\program files\eset\nod32kui.exe" /WAITSERVICE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\loring~1.too\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
uPolicies-explorer: NoActiveDesktop = 01000000
uPolicies-explorer: NoRecentDocsNetHood = 01000000
uPolicies-explorer: NoSMBalloonTip = 1 (0x1)
uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)
mPolicies-system: dontdisplaylockeduserid = 3 (0x3)
IE: Convert link target to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Open PDF in Word - c:\program files\scansoft\omnipagepro14.0\pdfcnv\IEShellExt.dll /100
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
LSP: c:\windows\system32\imon.dll
DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} - hxxp://quickplace.milwaukeeconnect.com/qp2.cab
DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} - hxxp://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1132788579737
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1260475624078
DPF: {83229950-AD1D-4B94-8304-F56E95AFACF7} - hxxps://mscrm.demoservers.com/proxy/srdp.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {99C7B1B6-C556-4BA2-BBF6-4E19394A260B} - hxxp://tso.tryrightnow.com:/rnt/rnw/client_files/RNTProcMan.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DB1B4C3B-8690-43B2-9045-91EDA7A12580} - hxxp://tso.tryrightnow.com/rnt/common/editor/ewebeditpro4.cab
TCP: {D096D4DF-7190-4270-9571-822763659847} = 192.168.110.2,192.168.110.3
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\program files\intuit\quickbooks enterprise solutions 8.0\HelpAsyncPluggableProtocol.dll
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks enterprise solutions 8.0\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\skype\toolbars\shared\Skype4ComAPI.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxdev.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\jkklj.dll
Hosts: 91.212.127.227 winsecure2009.microsoft.com
Hosts: 91.212.127.227 winsecure2009.com
Hosts: 91.212.127.227 www.winsecure2009.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\loring~1.too\applic~1\mozilla\firefox\profiles\it84kvbw.default\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2007-3-19 15424]
R2 NOD32krn;NOD32 Kernel Service;c:\program files\eset\nod32krn.exe [2006-7-10 552064]
S2 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]
S3 ColdFusion MX ODBC Agent;ColdFusion MX ODBC Agent;db\slserver52\bin\swagent.exe "ColdFusion MX ODBC Agent" --> db\slserver52\bin\swagent.exe ColdFusion MX ODBC Agent [?]
S3 Samsung UPD Service;Samsung UPD Service;c:\windows\system32\SUPDSvc.exe [2009-7-13 127656]
S4 QuickBooksDB19;QuickBooksDB19;c:\progra~1\intuit\quickb~2.0\qbdbmgrn.exe -hvquickbooksdb19 --> c:\progra~1\intuit\quickb~2.0\QBDBMgrN.exe -hvQuickBooksDB19 [?]

=============== Created Last 30 ================

2009-12-21 16:58:30 0 d-----w- c:\program files\Trend Micro
2009-12-15 17:32:16 0 d-----w- c:\documents and settings\loring.helfrich.toolserve\.unlimitedftp
2009-12-12 00:21:03 0 d-----w- c:\windows\$SQLUninstallSQL2000-KB960082-v8.00.2055-x86-ENU$
2009-12-12 00:08:23 0 d-sh--w- c:\documents and settings\loring.helfrich.toolserve\PrivacIE
2009-12-11 21:02:33 0 d--h--w- c:\documents and settings\loring.helfrich.toolserve\InstallAnywhere
2009-12-11 03:52:43 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-12-11 03:52:43 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2009-12-10 22:00:40 0 d-----w- c:\documents and settings\loring.helfrich.toolserve\.ProvideSupportConsole
2009-12-10 22:00:30 0 d-----w- c:\documents and settings\loring.helfrich.toolserve\.PROVID~1
2009-12-10 21:59:59 0 d-sh--w- c:\documents and settings\loring.helfrich.toolserve\IETldCache
2009-12-10 20:46:36 0 d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-12-10 20:45:32 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2009-12-10 20:25:07 4444 ----a-w- c:\windows\system32\pid.PNF
2009-12-10 19:56:16 0 d-----w- c:\windows\ie8updates
2009-12-10 19:52:50 0 dc-h--w- c:\windows\ie8
2009-12-10 19:48:16 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-12-10 19:48:16 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-12-10 19:48:15 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-12-10 19:48:15 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-12-10 19:48:13 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-12-10 19:48:11 11069952 -c----w- c:\windows\system32\dllcache\ieframe.dll
2009-12-10 19:47:15 92160 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-12-10 19:42:50 0 d-----w- c:\program files\Z-Firm LLC
2009-12-10 19:17:57 21 ---ha-w- C:\qpmd8378.bin
2009-12-03 00:11:16 73728 ----a-w- c:\windows\system32\javacpl.cpl
2009-11-30 16:23:12 0 d-----w- c:\docume~1\loring~1.too\applic~1\Malwarebytes
2009-11-30 16:22:44 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-30 16:22:40 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-30 16:22:40 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-30 16:22:14 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2009-12-19 17:06:38 1984 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-14 20:57:30 68448 ----a-w- c:\windows\Transaction Copier for QBooks Uninstaller.exe
2009-12-10 19:13:26 5595849 ----a-w- c:\program files\proglist.txt
2009-11-02 05:53:09 5522 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-11 10:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2007-09-12 21:58:51 44772717 ----a-w- c:\program files\ecpro46win.exe
2007-06-18 19:27:37 2061 ----a-w- c:\program files\gl_dnlf.pgl
2007-06-06 00:02:46 14993976 ----a-w- c:\program files\GoogleEarthWin.exe
2007-05-31 18:23:24 1163592 ----a-w- c:\program files\install_flash_player.exe
2006-12-15 19:49:09 44297024 ----a-w- c:\program files\MSDE2000A.exe
2001-05-26 06:05:22 466944 ----a-w- c:\program files\Autorun.exe
2001-05-23 16:39:28 285 ----a-w- c:\program files\AutoRun.ini
2001-05-21 11:45:06 49 ----a-w- c:\program files\AutoRun.inf
2002-08-01 00:55:12 106 --sh--w- c:\windows\WSYS049.SYS

============= FINISH: 12:03:41.92 ===============

Edited by Orange Blossom, 21 December 2009 - 09:34 PM.
Deactivate link. ~ OB



#2 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:09:26 PM

Posted 03 January 2010 - 03:15 PM

Welcome to the BleepingComputer Forums.

Since it has been a few days since you scanned your computer with HijackThis, we will need a new HijackThis log. If you have not already downloaded Random's System Information Tool (RSIT), please download Random's System Information Tool (RSIT) by random/random which includes a HijackThis log and save it to your desktop. If you have RSIT already on your computer, please run it again.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Please post the contents of log.txt.
Thank you for your patience.

Please see Preparation Guide for use before posting about your potential Malware problem.

If you have already posted this log at another forum or if you decide to seek help at another forum, please let us know. There is a shortage of helpers and taking the time of two volunteer helpers means that someone else may not be helped.

Please post your HijackThis log as a reply to this thread and not as an attachment. I am always leery of opening attachments so I always request that HijackThis logs are to be posted as a reply to the thread. I do not think that you are attaching anything scary but others may do so.

While we are working on your HijackThis log, please:
  • Reply to this thread; do not start another!
  • Do not make any changes on your computer during the cleaning process or download/add programs on your computer unless instructed to do so.
  • Do not run any other tool until instructed to do so!
  • Let me know if any of the links do not work or if any of the tools do not work.
  • Tell me about problems or symptoms that occur during the fix.
  • Do not run any other programs or open any other windows while doing a fix.
  • Ask any questions that you have regarding the fix(es), the infection(s), the performance of your computer, etc.
Thanks.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#3 search.phpvictim

search.phpvictim
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:07:26 PM

Posted 04 January 2010 - 09:37 AM

Thanks suebaby41. I really appreciate your help.

Logfile of random's system information tool 1.06 (written by random/random)
Run by loring.helfrich at 2010-01-04 08:26:46
Microsoft Windows XP Professional Service Pack 3
System drive C: has 102 GB (68%) free of 149 GB
Total RAM: 1534 MB (52% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:27:08 AM, on 1/4/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Philips\VOIP151\VOIP151.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\PROVID~1\LIVESU~1\PROVID~1.EXE
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Eset\nod32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
\Toolserver-1\Users\loring.helfrich\My Documents\Downloads\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\loring.helfrich.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by ToolServe
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.127.227 winsecure2009.microsoft.com
O1 - Hosts: 91.212.127.227 winsecure2009.com
O1 - Hosts: 91.212.127.227 www.winsecure2009.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {A057A204-BACC-4D26-C7D7-6BAD84E32FCB} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {A057A204-BACC-4D26-C7D7-6BAD84E32FCB} - (no file)
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickBooksDB17] C:\Program Files\Intuit\QuickBooks 2007\QBDBMgrN.exe -n QB_TOOLSERVE13_17 -qs -gd ALL -gk all -gp 4096 -gu all -ch 64M -c 32M -x tcpip(BroadcastListener=NO;port=10172) -ti 0 -ec simple -ct- -qi -qw -tl 120 -oe C:\DOCUME~1\LORING~1.TOO\LOCALS~1\APPLIC~1\Intuit\QUICKB~1\Log\DBSTAR~1.LOG -y
O4 - HKCU\..\Run: [VOIP151] "C:\Program Files\Philips\VOIP151\VOIP151.exe"
O4 - HKCU\..\Run: [ToktumiClient] C:\Program Files\Toktumi\Toktumi.exe /m
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ProvideSupportOperatorConsole] C:\PROGRA~1\PROVID~1\LIVESU~1\PROVID~1.EXE
O4 - Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open PDF in Word - res://C:\Program Files\ScanSoft\OmniPagePro14.0\PdfCnv\IEShellExt.dll /100
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=about:blank
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://quickplace.milwaukeeconnect.com/qp2.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} - http://www.lizardtech.com/download/files/w...ntrol_en_US.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1132788579737
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1260475624078
O16 - DPF: {83229950-AD1D-4B94-8304-F56E95AFACF7} (Surgient URA Remote Desktop Client) - https://mscrm.demoservers.com/proxy/srdp.cab
O16 - DPF: {99C7B1B6-C556-4BA2-BBF6-4E19394A260B} (RNTProcessManager Control) - http://tso.tryrightnow.com:/rnt/rnw/client.../RNTProcMan.cab
O16 - DPF: {DB1B4C3B-8690-43B2-9045-91EDA7A12580} (eWebEditProLibCtl4.eWEPLoader) - http://tso.tryrightnow.com/rnt/common/edit...webeditpro4.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = TOOLSERVE.local
O17 - HKLM\Software\..\Telephony: DomainName = TOOLSERVE.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{D096D4DF-7190-4270-9571-822763659847}: NameServer = 192.168.110.2,192.168.110.3
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = TOOLSERVE.local
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks Enterprise Solutions 8.0\HelpAsyncPluggableProtocol.dll
O18 - Protocol: intu-help-qb2 - {84D77A00-41B5-4B8B-8ADF-86486D72E749} - C:\Program Files\Intuit\QuickBooks Enterprise Solutions 8.0\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Skype\toolbars\Shared\Skype4ComAPI.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: ColdFusion MX ODBC Agent - Unknown owner - db\slserver52\bin\swagent.exe (file missing)
O23 - Service: ColdFusion MX ODBC Server - Unknown owner - db\slserver52\bin\swstrtr.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Samsung UPD Service - Samsung Electronics CO., LTD. - C:\WINDOWS\system32\SUPDSvc.exe

--
End of file - 9956 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 853672]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre6\bin\ssv.dll [2009-10-11 321312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A057A204-BACC-4D26-C7D7-6BAD84E32FCB}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
Adobe PDF Conversion Toolbar Helper - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2006-12-18 231160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-10-11 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-10-11 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2006-12-18 231160]
{A057A204-BACC-4D26-C7D7-6BAD84E32FCB}

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"=C:\Program Files\Eset\nod32kui.exe [2007-03-19 949376]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-10-11 149280]
"QuickBooksDB17"=C:\Program Files\Intuit\QuickBooks 2007\QBDBMgrN.exe [2006-09-13 128536]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"VOIP151"=C:\Program Files\Philips\VOIP151\VOIP151.exe [2009-01-20 1262928]
""= []
"ToktumiClient"=C:\Program Files\Toktumi\Toktumi.exe [2009-10-07 5880904]
"Skype"=C:\Program Files\Skype\Phone\Skype.exe [2008-11-07 21633320]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"ProvideSupportOperatorConsole"=C:\PROGRA~1\PROVID~1\LIVESU~1\PROVID~1.EXE [2009-04-15 15181312]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^loring.helfrich.TOOLSERVE^Start Menu^Programs^Startup^AYS Internet Utility - Auto Start.lnk]
C:\WINDOWS\Installer\{B63A96AC-1442-4FC6-A60E-6B3856ADCA85}\_705f4f12.exe [2008-05-30 1078]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^loring.helfrich.TOOLSERVE^Start Menu^Programs^Startup^Google Updater.lnk]
C:\PROGRA~1\Google\GOOGLE~2\GOOGLE~1.EXE -systray -startup []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^loring.helfrich.TOOLSERVE^Start Menu^Programs^Startup^QuickBooks Web Connector.lnk]
C:\PROGRA~1\COMMON~1\Intuit\QUICKB~1\QBWEBC~1\QBWEBC~1.EXE [2009-02-09 300328]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe

C:\Documents and Settings\loring.helfrich.TOOLSERVE\Start Menu\Programs\Startup
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2006-01-24 61440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2005-10-14 135168]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"=msv1_0
C:\WINDOWS\system32\jkklj.dll

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=1
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"disablecad"=0
"dontdisplaylockeduserid"=3

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoActiveDesktop"=01000000
"NoActiveDesktopChanges"=0
"NoRecentDocsNetHood"=01000000
"NoSharedDocuments"=01000000
"NoSMBalloonTip"=1
"ForceStartMenuLogOff"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\WINDOWS\system32\sessmgr.exe"="C:\WINDOWS\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"C:\FTP\CUTFTP32.EXE"="C:\FTP\CUTFTP32.EXE:*:Enabled:Winsock FTP Client"
"C:\WINDOWS\system32\sessmgr.exe"="C:\WINDOWS\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\Program Files\Intuit\QuickBooks 2007\QBDBMgrN.exe"="C:\Program Files\Intuit\QuickBooks 2007\QBDBMgrN.exe:*:Enabled:QuickBooks 2007 Data Manager"
"C:\Program Files\Intuit\QuickBooks Enterprise Solutions 8.0\QBDBMgrN.exe"="C:\Program Files\Intuit\QuickBooks Enterprise Solutions 8.0\QBDBMgrN.exe:*:Enabled:QuickBooks Enterprise 8.0 Data Manager"
"C:\Documents and Settings\loring.helfrich.TOOLSERVE\Local Settings\Temp\I1203973287\Windows\resource\jre\bin\javaw.exe"="C:\Documents and Settings\loring.helfrich.TOOLSERVE\Local Settings\Temp\I1203973287\Windows\resource\jre\bin\javaw.exe:*:Disabled:Java™ Platform SE binary"
"C:\WINDOWS\system32\fxsclnt.exe"="C:\WINDOWS\system32\fxsclnt.exe:*:Enabled:Microsoft Fax Console"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"D:\setup\HPZNET01.EXE"="D:\setup\HPZNET01.EXE:*:Enabled:hpznet01.exe"
"D:\setup\hppapd.exe"="D:\setup\hppapd.exe:*:Enabled:hppapd.exe"
"D:\setup\HPPNICIFS01.EXE"="D:\setup\HPPNICIFS01.EXE:*:Enabled:hppnicifs01.exe"
"D:\setup\HPNTWKEXE.EXE"="D:\setup\HPNTWKEXE.EXE:*:Enabled:hpntwkexe.exe"
"C:\Program Files\WinHTTrack\WinHTTrack.exe"="C:\Program Files\WinHTTrack\WinHTTrack.exe:*:Enabled:WinHTTrack Website Copier, Web Site mirroring for professional and private purposes"
"C:\Program Files\Macromedia\Dreamweaver 8\Dreamweaver.exe"="C:\Program Files\Macromedia\Dreamweaver 8\Dreamweaver.exe:*:Enabled:Dreamweaver 8"
"C:\WINDOWS\system32\SUPDSvc.exe"="C:\WINDOWS\system32\SUPDSvc.exe:*:Enabled:Samsung UPD Service"
"C:\Program Files\Java\jre6\bin\java.exe"="C:\Program Files\Java\jre6\bin\java.exe:*:Enabled:Java™ Platform SE binary"
"C:\Program Files\Toktumi\Toktumi.exe"="C:\Program Files\Toktumi\Toktumi.exe:*:Enabled:Toktumi client application"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"

======File associations======

.js - edit - "C:\Program Files\Macromedia\Dreamweaver 8\dreamweaver.exe" "%1"

======List of files/folders created in the last 1 months======

2010-01-04 08:26:46 ----D---- C:\rsit
2009-12-21 14:28:34 ----A---- C:\RootRepeal report 12-21-09 (14-28-34).txt
2009-12-21 10:58:30 ----D---- C:\Program Files\Trend Micro
2009-12-11 18:21:03 ----D---- C:\WINDOWS\$SQLUninstallSQL2000-KB960082-v8.00.2055-x86-ENU$
2009-12-11 18:11:36 ----D---- C:\Documents and Settings\loring.helfrich.TOOLSERVE\Application Data\Mozilla
2009-12-11 18:11:21 ----D---- C:\Program Files\Mozilla Firefox
2009-12-10 21:52:43 ----A---- C:\WINDOWS\system32\mucltui.dll.mui
2009-12-10 21:52:43 ----A---- C:\WINDOWS\system32\mucltui.dll
2009-12-10 16:56:07 ----HDC---- C:\WINDOWS\$NtUninstallKB970430$
2009-12-10 16:55:56 ----HDC---- C:\WINDOWS\$NtUninstallKB976098-v2$
2009-12-10 16:55:45 ----HDC---- C:\WINDOWS\$NtUninstallKB955759$
2009-12-10 16:55:32 ----HDC---- C:\WINDOWS\$NtUninstallKB974318$
2009-12-10 16:55:20 ----HDC---- C:\WINDOWS\$NtUninstallKB973687$
2009-12-10 16:55:07 ----HDC---- C:\WINDOWS\$NtUninstallKB973904$
2009-12-10 16:54:49 ----HDC---- C:\WINDOWS\$NtUninstallKB974392$
2009-12-10 16:54:36 ----HDC---- C:\WINDOWS\$NtUninstallKB971737$
2009-12-10 16:53:36 ----HDC---- C:\WINDOWS\$NtUninstallKB969947$
2009-12-10 14:46:36 ----D---- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2009-12-10 14:19:12 ----D---- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2009-12-10 14:00:59 ----D---- C:\Program Files\7-Zip
2009-12-10 13:56:16 ----D---- C:\WINDOWS\ie8updates
2009-12-10 13:54:26 ----D---- C:\WINDOWS\WBEM
2009-12-10 13:52:50 ----HDC---- C:\WINDOWS\ie8
2009-12-10 13:42:50 ----D---- C:\Program Files\Z-Firm LLC
2009-12-10 13:10:05 ----A---- C:\Program Files\proglist.txt

======List of files/folders modified in the last 1 months======

2010-01-04 08:26:53 ----D---- C:\WINDOWS\Prefetch
2010-01-04 08:13:45 ----D---- C:\WINDOWS\Temp
2010-01-04 08:10:28 ----D---- C:\Documents and Settings\loring.helfrich.TOOLSERVE\Application Data\skypePM
2010-01-04 08:10:02 ----D---- C:\Documents and Settings\loring.helfrich.TOOLSERVE\Application Data\Skype
2010-01-04 08:08:13 ----D---- C:\WINDOWS\security
2010-01-04 08:08:13 ----D---- C:\LOGS
2009-12-31 23:46:02 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-12-31 16:01:02 ----D---- C:\WINDOWS\system32
2009-12-31 09:38:46 ----A---- C:\WINDOWS\win.ini
2009-12-31 08:38:14 ----D---- C:\Program Files\At Your Service
2009-12-30 11:16:58 ----D---- C:\WINDOWS
2009-12-30 08:39:16 ----D---- C:\Program Files\DYMO Label
2009-12-30 08:39:16 ----A---- C:\WINDOWS\iltwain.ini
2009-12-30 06:23:33 ----D---- C:\WINDOWS\system32\FxsTmp
2009-12-22 17:22:17 ----HD---- C:\WINDOWS\inf
2009-12-22 17:22:16 ----D---- C:\WINDOWS\system32\CatRoot2
2009-12-22 15:37:02 ----D---- C:\Program Files\Transaction Copier for QBooks
2009-12-21 14:16:49 ----D---- C:\WINDOWS\system32\drivers
2009-12-21 11:11:26 ----RD---- C:\Program Files
2009-12-21 11:09:47 ----D---- C:\WINDOWS\Debug
2009-12-21 10:55:46 ----SHD---- C:\WINDOWS\Installer
2009-12-21 10:55:44 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2009-12-14 15:06:00 ----D---- C:\Program Files\IIF Transaction Creator
2009-12-14 14:57:30 ----A---- C:\WINDOWS\Transaction Copier for QBooks Uninstaller.exe
2009-12-11 18:17:22 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-12-11 18:15:42 ----HD---- C:\WINDOWS\$hf_mig$
2009-12-11 15:05:23 ----D---- C:\JRun4
2009-12-11 15:03:25 ----D---- C:\CFusionMX7
2009-12-10 23:47:46 ----D---- C:\WINDOWS\AppPatch
2009-12-10 16:54:21 ----D---- C:\WINDOWS\WinSxS
2009-12-10 16:54:13 ----D---- C:\WINDOWS\system32\en-us
2009-12-10 16:54:05 ----D---- C:\WINDOWS\system32\XPSViewer
2009-12-10 16:13:58 ----SD---- C:\Documents and Settings\loring.helfrich.TOOLSERVE\Application Data\Microsoft
2009-12-10 15:05:41 ----D---- C:\drivers
2009-12-10 14:49:14 ----RSD---- C:\WINDOWS\assembly
2009-12-10 14:20:53 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-12-10 14:18:29 ----D---- C:\WINDOWS\system32\CatRoot
2009-12-10 14:05:11 ----D---- C:\WINDOWS\system32\Adobe
2009-12-10 14:01:29 ----D---- C:\Program Files\WinRAR
2009-12-10 13:57:58 ----D---- C:\WINDOWS\Help
2009-12-10 13:57:58 ----D---- C:\Program Files\Internet Explorer
2009-12-10 13:54:16 ----D---- C:\WINDOWS\Media
2009-12-10 13:43:42 ----D---- C:\Program Files\Common Files
2009-12-10 13:43:24 ----D---- C:\Program Files\SUPERAntiSpyware
2009-12-10 13:42:54 ----HD---- C:\Program Files\InstallShield Installation Information
2009-12-10 13:42:29 ----D---- C:\Program Files\Common Files\Microsoft Shared
2009-12-10 13:39:47 ----D---- C:\Program Files\Windows Installer Clean Up
2009-12-10 13:32:03 ----D---- C:\Documents and Settings\loring.helfrich.TOOLSERVE\Application Data\Lavasoft
2009-12-10 13:17:34 ----SHD---- C:\System Volume Information
2009-12-10 13:17:34 ----D---- C:\WINDOWS\system32\Restore
2009-12-10 11:56:41 ----D---- C:\Old_Accounts
2009-12-10 11:31:29 ----D---- C:\TEMP
2009-12-10 11:31:10 ----SHD---- C:\RECYCLER
2009-12-10 10:44:23 ----D---- C:\Program Files\Common Files\Roxio Shared
2009-12-10 10:44:07 ----D---- C:\Documents and Settings\All Users\Application Data\Roxio
2009-12-10 10:43:40 ----RSD---- C:\WINDOWS\Fonts
2009-12-10 10:35:22 ----D---- C:\Program Files\ACT
2009-12-10 10:24:11 ----D---- C:\Program Files\Dynamic Ventures
2009-12-10 09:46:48 ----A---- C:\WINDOWS\ModemLog_Standard Modem.txt
2009-12-09 13:45:24 ----D---- C:\DTU4
2009-12-09 10:05:39 ----D---- C:\Program Files\Citrix
2009-12-08 11:01:36 ----D---- C:\Program Files\Intuit
2009-12-08 11:01:36 ----D---- C:\Program Files\Common Files\Intuit

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R1 nod32drv;nod32drv; C:\WINDOWS\system32\drivers\nod32drv.sys [2007-03-19 15424]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2004-10-28 12032]
R2 AMON;AMON; C:\WINDOWS\system32\drivers\amon.sys [2007-03-19 512096]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2006-01-24 1478656]
R3 E100B;Intel® PRO Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2005-06-13 162816]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 NuidFltr;NUID filter driver; C:\WINDOWS\system32\DRIVERS\NuidFltr.sys [2009-05-09 14736]
R3 Point32;Microsoft IntelliPoint Filter Driver; C:\WINDOWS\system32\DRIVERS\point32.sys [2006-11-08 21760]
R3 ROCKEYNT;Feitian ROCKEY4 Device Service; C:\WINDOWS\system32\DRIVERS\Rockey4.sys [2006-05-10 22016]
R3 STHDA;High Definition Audio Driver (WDM) - SigmaTel CODEC; C:\WINDOWS\system32\drivers\sthda.sys [2005-06-14 180864]
R3 StillCam;Still Serial Digital Camera Driver; C:\WINDOWS\system32\DRIVERS\serscan.sys [2001-08-17 6784]
R3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-13 60032]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 Wdf01000;Wdf01000; C:\WINDOWS\system32\DRIVERS\Wdf01000.sys [2006-11-02 492000]
S2 DgiVecp;Team MFP Comm Driver; C:\WINDOWS\System32\Drivers\DgiVecp.sys [2006-06-11 41984]
S2 SSPORT;SSPORT; \??\C:\WINDOWS\system32\Drivers\SSPORT.sys []
S3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\ialmnt5.sys [2005-10-14 1302812]
S3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-08-03 1897408]
S3 RimSerPort;RIM Virtual Serial Port; C:\WINDOWS\system32\DRIVERS\RimSerial.sys [2007-01-18 26496]
S3 RimUsb;BlackBerry Device; C:\WINDOWS\System32\Drivers\RimUsb.sys []
S3 RimVSerPort;RIM Virtual Serial Port v2; C:\WINDOWS\system32\DRIVERS\RimSerial.sys [2007-01-18 26496]
S3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\WINDOWS\System32\Drivers\RootMdm.sys [2004-10-28 5888]
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1); C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS [2001-08-17 7552]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 wanatw;WAN Miniport (ATW); C:\WINDOWS\system32\DRIVERS\wanatw4.sys []
S4 agp440;Intel AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agp440.sys [2008-04-13 42368]
S4 agpCPQ;Compaq AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agpCPQ.sys [2008-04-13 44928]
S4 alim1541;ALI AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\alim1541.sys [2008-04-13 42752]
S4 amdagp;AMD AGP Bus Filter Driver; C:\WINDOWS\system32\DRIVERS\amdagp.sys [2008-04-13 43008]
S4 cbidf;cbidf; C:\WINDOWS\system32\DRIVERS\cbidf2k.sys [2004-10-28 13952]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\DRIVERS\intelide.sys [2008-04-13 5504]
S4 sisagp;SIS AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\sisagp.sys [2008-04-13 40960]
S4 viaagp;VIA AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\viaagp.sys [2008-04-13 42240]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 NOD32krn;NOD32 Kernel Service; C:\Program Files\Eset\nod32krn.exe [2007-03-19 552064]
S2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2008-04-13 267776]
S3 Adobe LM Service;Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [2006-03-29 72704]
S3 Adobe Version Cue CS2;Adobe Version Cue CS2; C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe [2005-04-04 163840]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 ColdFusion MX ODBC Agent;ColdFusion MX ODBC Agent; db\slserver52\bin\swagent.exe ColdFusion MX ODBC Agent []
S3 ColdFusion MX ODBC Server;ColdFusion MX ODBC Server; db\slserver52\bin\swstrtr.exe ColdFusion MX ODBC Server []
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe [2006-10-20 36864]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2006-10-30 741376]
S3 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-10-11 153376]
S3 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe [2003-06-19 322120]
S3 MSSQL$MICROSOFTBCM;MSSQL$MICROSOFTBCM; C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe [2003-05-31 7544916]
S3 MSSQLSERVER;MSSQLSERVER; C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe [2008-12-18 9158656]
S3 MSSQLServerADHelper;MSSQLServerADHelper; C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe [2005-05-03 73728]
S3 NetSvc;Intel NCS NetService; C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe [2004-11-19 147456]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2005-10-22 69632]
S3 QBFCService;Intuit QuickBooks FCS; C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe [2007-05-24 61440]
S3 Samsung UPD Service;Samsung UPD Service; C:\WINDOWS\system32\SUPDSvc.exe [2009-03-24 127656]
S3 SQLAgent$MICROSOFTBCM;SQLAgent$MICROSOFTBCM; C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlagent.EXE [2002-12-17 311872]
S3 SQLSERVERAGENT;SQLSERVERAGENT; C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlagent.EXE [2005-05-03 323584]
S3 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]
S4 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2006-01-24 405504]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2006-10-30 122880]
S4 QBCFMonitorService;QBCFMonitorService; C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe [2009-07-16 24576]
S4 QuickBooksDB19;QuickBooksDB19; C:\PROGRA~1\Intuit\QUICKB~2.0\QBDBMgrN.exe [2008-07-09 131072]
S4 RoxLiveShare9;LiveShare P2P Server 9; C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe []

-----------------EOF-----------------
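
Added example, not part of the original post and not a BleepingComputer or RSIT tool: a small Python script that runs three triage checks over an RSIT-style log like the one above, using a handful of lines taken from that log as its constructed sample input. It flags anything beyond msv1_0 in the Lsa "Authentication Packages" value (msv1_0 is the stock XP value; every entry there is loaded into lsass.exe at boot, and the log above shows a full DLL path listed after msv1_0), lists the Winlogon\Notify DLLs (loaded into winlogon.exe at logon), and flags firewall exceptions for executables that live under a Temp directory. The regular expressions, the default-package set and the temp-path markers are this example's own assumptions; a hit is something to verify by hand, not proof of infection.

```python
"""Triage checks over an RSIT/DDS-style Windows XP log (added example, not RSIT's code)."""
import re

# Constructed sample: a few lines taken from the log posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2006-01-24 61440]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"=msv1_0
C:\WINDOWS\system32\jkklj.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"C:\FTP\CUTFTP32.EXE"="C:\FTP\CUTFTP32.EXE:*:Enabled:Winsock FTP Client"
"C:\Documents and Settings\loring.helfrich.TOOLSERVE\Local Settings\Temp\I1203973287\Windows\resource\jre\bin\javaw.exe"="C:\Documents and Settings\loring.helfrich.TOOLSERVE\Local Settings\Temp\I1203973287\Windows\resource\jre\bin\javaw.exe:*:Disabled:Java Platform SE binary"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"
"""

# Assumption: on a stock Windows XP install the value holds exactly msv1_0.
DEFAULT_AUTH_PACKAGES = {"msv1_0"}
# Assumption: path fragments that mark a temp directory (lower-cased comparison).
TEMP_MARKERS = ("\\local settings\\temp\\", "\\windows\\temp\\", "\\temp\\")


def parse_sections(log_text):
    """Return {registry_key: [value lines]} for each '[HKEY_...]' block in the log.

    RSIT prints a key header in square brackets, then one line per value,
    and ends the block with a blank line.
    """
    sections, key = {}, None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            key = None
            continue
        if line.startswith("[HK") and line.endswith("]"):
            key = line[1:-1]
            sections[key] = []
        elif key is not None:
            sections[key].append(line)
    return sections


def extra_auth_packages(sections):
    """Entries in Lsa\\Authentication Packages beyond the stock set; each is loaded into lsass.exe."""
    for key, lines in sections.items():
        if key.lower().endswith("\\control\\lsa"):
            pkgs = []
            for line in lines:
                m = re.match(r'"authentication packages"=(.*)', line, re.I)
                pkgs.append(m.group(1).strip() if m else line)
            return [p for p in pkgs if p.lower() not in DEFAULT_AUTH_PACKAGES]
    return []


def winlogon_notify_dlls(sections):
    """(subkey, dll path) for every Winlogon\\Notify entry; these DLLs run inside winlogon.exe."""
    out = []
    for key, lines in sections.items():
        m = re.search(r"\\winlogon\\notify\\([^\\]+)$", key, re.I)
        if m and lines:
            path = re.sub(r"\s*\[[^\]]*\]$", "", lines[0])  # drop the "[date size]" suffix
            out.append((m.group(1), path))
    return out


def firewall_exceptions_in_temp(sections):
    """(path, Enabled/Disabled) for authorized applications that live in a temp directory."""
    out = []
    for key, lines in sections.items():
        k = key.lower()
        if "firewallpolicy" not in k or not k.endswith("\\authorizedapplications\\list"):
            continue
        for line in lines:
            # Value format: "path"="path:*:Enabled:display name"
            m = re.match(r'"([^"]+)"="[^"]*?:\*:(Enabled|Disabled):', line, re.I)
            if m and any(t in m.group(1).lower() for t in TEMP_MARKERS):
                out.append((m.group(1), m.group(2).capitalize()))
    return out


def triage(log_text):
    """Run all three checks and return their findings keyed by check name."""
    s = parse_sections(log_text)
    return {
        "lsa_extra_auth_packages": extra_auth_packages(s),
        "winlogon_notify": winlogon_notify_dlls(s),
        "firewall_temp_exceptions": firewall_exceptions_in_temp(s),
    }


if __name__ == "__main__":
    for name, hits in triage(SAMPLE_LOG).items():
        print(f"{name}: {hits}")
```

Run it against a full log by replacing SAMPLE_LOG with the file's contents; on the sample above the LSA check returns the DLL path that follows msv1_0, the Notify check lists the ATI DLL, and the firewall check returns the javaw.exe entry under Local Settings\Temp (Disabled in this log, but still an exception that did not come from an installed program).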

#4 suebaby41

    W.A.M. (Women Against Malware)

  • Malware Response Team
  • 6,248 posts
  • Gender:Female
  • Location:South Carolina, USA
Posted 11 January 2010 - 08:39 AM

Is this a business computer?
If it is, are you the domain administrator? If you are not, have you informed your domain administrator (business manager, Systems Analyst, or Information Technology (IT) Specialist)?

I ask because I do not help in cleaning business or corporate computers or Windows Server editions, like Windows 2003, for several reasons:
  • There may be restrictions and modifications installed on such machines that could be damaged or altered by the actions we take to remove Malware.
  • Any infection could jump terminals in a computer network.
  • There may also be legal issues regarding any loss of business data that I do not wish to deal with.

Edited by suebaby41, 11 January 2010 - 08:48 AM.

You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.
