Author Topic: Infected laptop - corrupted search engines  (Read 3124 times)

SteveG60558

    Topic Starter


    Infected laptop - corrupted search engines
    « on: July 30, 2010, 06:13:31 PM »
    Thanks in advance for any time and effort you make helping me.  Before I found this site, I did the following because I believe my laptop has been infected by some sort of virus, spyware or malware.  I had already run complete scans with:
     
    McAfee, Malware, Ad-Aware, SpyBot and CCleaner
     
    I found a few things in the scans, cleaned them out, and rebooted, but continued to experience some problems.  Here are the symptoms that I continued to experience:
     
    When I run a web search with Google or Bing, the first page of results that I get has generic names related to whatever I run a search on, but the actual URL that each of them links to is one of the following (I ran a search on Chicago).  (Further below are copies of all the shortcuts, and attached are copies of results from a few searches in Google and Bing.  Notice the lower left corner of the browsers, where the actual URL is shown when searching or hovering over a link.)
    •   The second page of the results seems to be all right; however, all of the “advertising” seems to be corrupted regardless of what page it shows up on
    •   If I keep trying to work with search and try to figure out what is going on, I get some error messages (see 2 attached screenshots)
    •   When these errors show up, I lose connectivity between Outlook and the server and between all browsers and the internet (even though my wireless connection remains strong)
    •   Also, I can’t launch programs, open Task Manager (even from Ctrl+Alt+Del – I can click on the option but get no response) or shut down the computer.  I have to do a “Hard Shutdown” with the power button
     Copies of Shortcuts from first page of results from Google Search  (see screen shots for what is displayed vs what the link actually is)

    I then followed instructions posted at this site:

    Here are the log files from the scans I ran.

    SuperAntispyware Scan Results:

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 07/30/2010 at 06:24 PM

    Application Version : 4.41.1000

    Core Rules Database Version : 5291
    Trace Rules Database Version: 3103

    Scan type       : Complete Scan
    Total Scan Time : 01:53:17

    Memory items scanned      : 610
    Memory threats detected   : 0
    Registry items scanned    : 7504
    Registry threats detected : 0
    File items scanned        : 109328
    File threats detected     : 0

    Malware Scan Results:

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4372

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    7/30/10 06:37:19 PM
    mbam-log-2010-07-30 (18-37-19).txt

    Scan type: Quick scan
    Objects scanned: 145191
    Time elapsed: 8 minute(s), 28 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\system32\javaw.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    Hijack This Scan results:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 06:57:58 PM, on 7/30/10
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
    C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\IObit\Advanced Spyware Remover\ASRsrv.exe
    C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\mfevtps.exe
    C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Common Files\ICWM\Printer\RDIConverterService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
    C:\WINDOWS\system32\vmnat.exe
    C:\Program Files\VMware\VMware vCenter Converter Standalone\vmware-converter-a.exe
    C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
    C:\Program Files\VMware\VMware vCenter Converter Standalone\vmware-converter.exe
    C:\Program Files\Xobni\XobniService.exe
    C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
    C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\system32\vmnetdhcp.exe
    C:\WINDOWS\system32\wbem\unsecapp.exe
    C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
    C:\Program Files\IObit\Advanced Spyware Remover\ASRtray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Apoint\HidFind.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\McAfee\VirusScan Enterprise\ShStat.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\FriendlyHijackThis\Sniper.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptsn.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [vmware-tray] "C:\Program Files\VMware\VMware Workstation\vmware-tray.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [Advanced Spyware Remover] "C:\Program Files\IObit\Advanced Spyware Remover\ASRtray.exe" /autostart
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
    O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware workstation\vsocklib.dll
    O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware workstation\vsocklib.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
    O16 - DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} (Device Detection) - http://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
    O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (Lotus Quickr Class) - https://amqp1.ansell.com/qp2.cab
    O16 - DPF: {2202D225-22C1-4B8C-A4B8-6A7E7B7E1524} (ICWMInstallObj Class) - https://cpc.on.intercall.com/confmgr/installs/ICWMInstall.cab
    O16 - DPF: {264AED84-12F1-4CA1-8AA7-EB939AE58D8D} (STCWeb Control) - https://vpn-am1.infor.com/CACHE/webvpn/stc/1/binaries/stcweb.cab
    O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
    O16 - DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} (Cisco AnyConnect VPN Client Web Control) - https://vpn-am1.infor.com/CACHE/stc/1/binaries/vpnweb.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1199978753218
    O16 - DPF: {804F9BC5-0EAB-4150-8065-0DF485420670} (InstallShield Setup Player V11.5) - http://w2003e/deciweb/clientconfig/setup.exe
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.infuzer.com/IDC/client/player/isetup.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DC7D77DA-E1AC-4D40-930B-B87B2954E034} (QuickMksAxCtl Class) - https://10.130.129.1/LabManager/ControlPanel/Machines/MachineDetails/ActiveXControls/ViewerXVNC/vmware-mks.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) -
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = infor.com
    O17 - HKLM\Software\..\Telephony: DomainName = infor.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = infor.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = infor.com,infor.com
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = infor.com
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = infor.com,infor.com
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = infor.com,infor.com
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: ASRservice - IObit - C:\Program Files\IObit\Advanced Spyware Remover\ASRsrv.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
    O23 - Service: SSA License Server (Master:6005) (BCLMD_M) - SSA Global - C:\Program Files\Baan\shared\bin\BclmServer.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: iPassConnectEngine - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
    O23 - Service: iPassPeriodicUpdateApp - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
    O23 - Service: iPassPeriodicUpdateService - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: McAfee Engine Service (McAfeeEngineService) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\WINDOWS\system32\mfevtps.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: RDI Document Conversion Helper (RDIConverterPrintHelper) - Web Meeting - C:\Program Files\Common Files\ICWM\Printer\RDIConverterService.exe
    O23 - Service: Cisco Systems, Inc. STC Agent (STCAgent) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
    O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
    O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
    O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
    O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
    O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
    O23 - Service: VMware vCenter Converter Agent (vmware-converter-agent) - VMware, Inc. - C:\Program Files\VMware\VMware vCenter Converter Standalone\vmware-converter-a.exe
    O23 - Service: VMware vCenter Converter Server (vmware-converter-server) - VMware, Inc. - C:\Program Files\VMware\VMware vCenter Converter Standalone\vmware-converter.exe
    O23 - Service: Cisco AnyConnect VPN Agent (vpnagent) - Cisco Systems, Inc. - C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
    O23 - Service: XobniService - Xobni Corporation - C:\Program Files\Xobni\XobniService.exe

    --
    End of file - 18424 bytes
    « Last Edit: August 08, 2010, 01:28:58 PM by SuperDave »

    SteveG60558

      Topic Starter


      Re: Infected laptop - corrupted search engines
      « Reply #1 on: July 30, 2010, 06:15:27 PM »
      Sorry for duplicate post ... I got a time-out error when I submitted and just redid it rather than checking first.  My apologies.

      SuperDave

      • Malware Removal Specialist
      Re: Infected laptop - corrupted search engines
      « Reply #2 on: August 08, 2010, 04:21:29 PM »
      Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialists of this forum, so it may take a bit longer to process your logs.

      1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
      2. The fixes are specific to your problem and should only be used for this issue on this machine.
      3. If you don't know or understand something, please don't hesitate to ask.
      4. Please DO NOT run any other tools or scans while I am helping you.
      5. It is important that you reply to this thread. Do not start a new topic.
      6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
      7. Absence of symptoms does not mean that everything is clear.

      Please go to Jotti's malware scan
      (If more than one file needs to be scanned, they must be done separately and links posted for each one.)

      * Copy the file path in the below Code box:

      Code:
      C:\WINDOWS\system32\msjava.dll

      * At the upload site, click once inside the window next to Browse.
      * Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
      * Next click Submit file
      * Your file will possibly be entered into a queue which normally takes less than a minute to clear.
      * This will perform a scan across multiple different virus scanning engines.
      * Important: Wait for all of the scanning engines to complete.
      * Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.

      ========================================

      Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger.

      Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

      Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

      Exit out of MessengerDisable then delete the two files that were put on the desktop.

      ========================================

      Open HijackThis and select Do a system scan only

      Place a check mark next to the following entries: (if there)

      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
      O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
      O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
      O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
      O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
      O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
      O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
      O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
      O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
      O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
      O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
      O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
      O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
      O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
      O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
      O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
      O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
      O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
      O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
      O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
      O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
      O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
      O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
      O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
      O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
      O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
      O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
      O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
      O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
      O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
      O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
      O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
      O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
      O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
      O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
      O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
      O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
      O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
      O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
      O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
      O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
      O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
      O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
      O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
      O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
      O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
      O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
      O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
      O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
      O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
      O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
      O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
      O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
      O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
      O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
      O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
      O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
      O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll

      Important: Close all open windows except for HijackThis and then click Fix checked.

      Once completed, exit HijackThis.

      =================================

      Download ComboFix by sUBs from one of the below links. 

      Important! You MUST save ComboFix to your desktop

      link # 1
      Link # 2

      Temporarily disable your Anti-virus and any Antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

      Double click on ComboFix.exe & follow the prompts.

      Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)

      Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

      When the scan completes it will open a text window.
       
      Post the contents of that log in your next reply.

      Remember to re-enable your Anti-virus and Antispyware protection when ComboFix is complete.
      Intel(R) Core (TM) i3-3220 CPU 3.30 GHz 8.0 Gb RAM Windows 8.1 with a dual boot to Windows XP  Home with SP3, Comodo  with Windows Firewall & Windows Defender
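
The HijackThis log posted in this thread repeats the same Winsock LSP entry dozens of times, which makes the few distinct files worth checking hard to see. The following is an added example, not part of the original thread and not a HijackThis feature: a small Python parser that collapses the entry lines and lists the files the log itself marks as unknown (O10 "Unknown file in Winsock LSP", O23 "Unknown owner"). The function names and the shortened sample log are constructed for illustration.

```python
import ntpath
import re
from collections import Counter

# Constructed sample in the HijackThis v2.0.2 layout shown in the thread
# (entries taken from the posted log, repetition shortened).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\system32\svchost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\pmpta.dll
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware workstation\vsocklib.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# An entry line is "<section code> - <detail>", e.g. "O10 - Unknown file ...".
ENTRY_RE = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*\S)\s*$")
LSP_RE = re.compile(r"^Unknown file in Winsock LSP: (.+)$", re.IGNORECASE)
SERVICE_RE = re.compile(r"^Service: (.+?) - Unknown owner - (.+)$")


def parse_entries(log_text):
    """Return (code, detail) for every entry line; process paths are skipped."""
    entries = []
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line)
        if match:
            entries.append((match.group(1), match.group(2)))
    return entries


def summarize(log_text):
    """Count entries per section and collapse duplicate LSP lines per file."""
    entries = parse_entries(log_text)
    lsp_files = Counter()
    unknown_services = []
    for code, detail in entries:
        if code == "O10":
            match = LSP_RE.match(detail)
            if match:
                # Windows paths are case-insensitive, so normalise before counting.
                lsp_files[ntpath.normcase(match.group(1))] += 1
        elif code == "O23":
            match = SERVICE_RE.match(detail)
            if match:
                unknown_services.append((match.group(1), match.group(2)))
    return {
        "by_code": dict(Counter(code for code, _ in entries)),
        "lsp_files": dict(lsp_files),
        "unknown_services": unknown_services,
    }


def review_queue(log_text):
    """Distinct files the log flags as unknown: (path, reason, occurrences).

    This is only a list of files to look at (for example with a multi-engine
    scanner, as the helper does for msjava.dll); it is not a verdict.
    """
    summary = summarize(log_text)
    queue = [(path, "winsock-lsp", count)
             for path, count in summary["lsp_files"].items()]
    queue += [(ntpath.normcase(path), "service-unknown-owner", 1)
              for _, path in summary["unknown_services"]]
    return sorted(queue)


if __name__ == "__main__":
    for path, reason, count in review_queue(SAMPLE_LOG):
        print(f"{count:3d}x  {reason:22s} {path}")
```
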