Hey, look who's back with another software problem!
Once again, I've exhausted EVERY possible solution posted out there on the internet, and now look for specialized help from you guys. All my other computer problems vanish completely whenever I ask around here, hopefully this time will not be a combo breaker!
So, does anyone here know of the Ask.com toolbar? Here's what wikipedia has to say:
"The Ask Toolbar is a web-browser add-on that can appear as an extra bar added to the browser's window and/or menu. It is often installed (sometimes without warning) during the installation of other software. As an operating business of InterActiveCorp,[22] Ask Partner Network has entered into partnerships with some software security vendors, whereby they are paid to distribute the toolbar alongside their software.[23]
Installer packages for other software install the toolbar by default. Without further warnings the toolbar deletes all of the users homepages and inserts its own and makes Ask.com the default search in all web browsers. In turn, Ask.com's search results page tends to mislead readers into clicking on paid advertisements as if they were optimal search results"
tl;dr: It's "legitimate" (and I use legitimate as loosely as possible) spyware/malware. I think mine caught a ride on the last adobe photoshop version I installed, apparently it's been known to happen.
But that's not the problem. The problem is that this toolbar is like digital herpes, it won't fucking go away, no matter what I do and I cannot figure out why!
Some information that will prove useful:
I run Windows 7 64-bit home edition
Web browser the toolbar is attached to is Chrome
Yes, I have tried removing the toolbar from Chromes extensions menu. It will not let me since it does not have a delete button (little trashcan icon) and remains in a "grayed" state, preventing any sort of interaction.
Yes, I have tried forcibly uninstalling it from the programs list. Every time I do it just gives me an error saying "You must close all Internet Explorer windows to continue uninstallation, press OK when you are ready to continue." CLicking OK just repeats the message, despite the fact that I have not used internet explorer since installing chrome and never have it running at any given time.
Yes, I have checked to make sure that Internet Explorer, indeed, is NOT running from my task managers process list.
Yes, I have tried using third party uninstaller programs like Revo Uninstaller, I meet the same problem as normal uninstallation, that fucking error message.
That should cover the long and short of it. And no, a system restore is out of the question as for some reason my last restore point is a little over two weeks ago. And no, the Ask.com people have been less than helpful about removing their shitty malware. I swear, the only way that site can keep operating int he face of google is because it's run entirely by spambots and chatbots at this point.
So, anyone have any ideas? Or ever dealt with this before?
It may seem innocuous, but the fact that the toolbar is hideous, unnecessary, and stubborn is driving me completely insane. You know you're going insane when you find yourself browsing a thesaurus, looking for syonyms of "choke". Specifically, who(m)ever made Ask.com in the first place.
Thanks in advance for any and all help!
Posts
F8 on startup before the Windows logo appears should get you to the right screen.
This. And make sure you unclick/don't click the Install Ask Toolbar option when reinstalling.
Not any help on how to remove it, but might help in not getting it back.
I do like the uninstall, then reinstall chrome idea.
Tried that, no dice. I get a different error message when trying to uninstall it this time, though. Now it says "The Windows installer Service could not be accessed. This can occur if Windows Installer is not correctly installed. Contact your support personnel for assistance."
These Ask.com guys play dirty.
Still no dice, I don't even get the option to choose whether I want to install the ask bar upon reinstallation of chrome. And it STILL comes after reinstallation. This malware must have been made in hell, that is the only explanation for how impossible it is to get rid of.
Heh, that was my FIRST resort. Clearly we are not dealing with software made by mortal hands though.
So Safemode and reinstalling Chrome are out. Any other suggestions? Through the power of google I have scryed others suggesting deleting registry items from the regedit, but that is uncharted territory for me.
I'd like you to try two things :
1) uninstall Google Chrome. Make sure you have a backup of your bookmarks, cookies, and such. Then, go to c:\users\your_account_name\appdata\local\Google. If there is a chrome folder, delete it. Then try reinstalling Chrome.
2) Run HijackThis. Paste the log file it makes to a post, or PM me with it if you'd rather.
Just as a sanity check, the ask toolbar doesn't appear on IE too, does it?
Sounds like you've dealt with this before. Yeah, it doesn't show up on IE. I'll try doing what you suggest and report back.
EDIT: Didn't work. Here's the logfile from Hijack This though:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:31:19 PM, on 2/6/2013
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal
Running processes:
C:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe
C:\Windows\PLFSetI.exe
C:\Program Files (x86)\Steam\Steam.exe
C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe
C:\Program Files (x86)\Launch Manager\LManager.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Users\Max\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://acer.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://searchab.com/?aff=7&uid=7a21d368-4501-11e2-a3cb-b870f477efa1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://acer.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://searchab.com/?aff=7&uid=7a21d368-4501-11e2-a3cb-b870f477efa1
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (file missing)
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Messenger Companion Helper - {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
O2 - BHO: Yontoo Layers - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - (no file)
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (file missing)
O4 - HKLM\..\Run: [BackupManagerTray] "C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe" -h -k
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe"
O4 - HKLM\..\Run: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O4 - HKLM\..\Run: [AdobeCS6ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe" -launchedbylogin
O4 - HKCU\..\Run: [Steam] "C:\Program Files (x86)\Steam\steam.exe" -silent
O4 - HKCU\..\Run: [Google Update] "C:\Users\Max\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [GoogleDriveSync] "C:\Program Files (x86)\Google\Drive\googledrivesync.exe" /autostart
O4 - HKCU\..\Run: [AviraSpeedup] "C:\Program Files (x86)\AviraSpeedup\AviraSpeedup.exe" -autorun
O4 - HKCU\..\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
O9 - Extra button: @C:\Program Files (x86)\Windows Live\Companion\companionlang.dll,-600 - {0000036B-C524-4050-81A0-243669A86B9F} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
O9 - Extra button: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O15 - Trusted Zone: *.soe.com
O15 - Trusted Zone: *.sony.com
O16 - DPF: {E6F480FC-BD44-4CBA-B74A-89AF7842937D} (SysInfo Class) - http://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.4.26.0.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O20 - AppInit_DLLs: c:\progra~2\zoomex\sprote~1.dll
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: Avira Scheduler (AntiVirSchedulerService) - Avira Operations GmbH & Co. KG - C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira Real-Time Protection (AntiVirService) - Avira Operations GmbH & Co. KG - C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Dritek WMI Service (DsiWMIService) - Dritek System Inc. - C:\Program Files (x86)\Launch Manager\dsiwmis.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: Acer ePower Service (ePowerSvc) - Acer Incorporated - C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GREGService - Acer Incorporated - C:\Program Files (x86)\Acer\Registration\GREGsvc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: LogMeIn Hamachi Tunneling Engine (Hamachi2Svc) - Unknown owner - C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: MyWinLocker Service (MWLService) - Egis Technology Inc. - C:\Program Files (x86)\EgisTec MyWinLocker\x86\MWLService.exe
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Norton Online Backup (NOBU) - Symantec Corporation - C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
O23 - Service: NTI IScheduleSvc - NewTech Infosystems, Inc. - C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\SysWOW64\PSIService.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files (x86)\Skype\Updater\Updater.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: Adobe SwitchBoard (SwitchBoard) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O23 - Service: TabletServicePen - Unknown owner - C:\Windows\system32\Pen_Tablet.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: Updater Service - Acer Group - C:\Program Files\Acer\Acer Updater\UpdaterService.exe
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
--
End of file - 13178 bytes
Wow, thanks, that's mighty generous of you. As an update, I've tried deleting the AskToolbar folder from my AppData, and it STILL somehow managed to survive. I dread that I may just have to throw in the towel and Exterminatus my computer back two weeks.
Re: HijackThis.
You can remove the following items, assuming you made a backup when it was run (just in case). Note that you need to have all Internet Browsers closed when you run HijackThis.
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (file missing)
O2 - BHO: Yontoo Layers - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
Questions:
Do you use LogMeIn? Because that's installed (O23 - Service: LogMeIn Hamachi Tunneling Engine (Hamachi2Svc) but I don't see all of the normal services for it. Might be a tech-support call legacy item?
Do you need Java for something? Given recent major security holes you might want to remove it unless it's crucial.
(Edit: I also want to add that there are a couple processes/services running that I don't recognize too, but I don't want to claim they're not legit without doing more googling than I'm up for right now. If you scan your computer with Rkill, as mentioned below, then Malwarebytes, they'll probably catch anything else bad besides the clear problem I pointed out, so it's all good.)
LogMeIn must be a legacy item, I uninstalled it after shutting down my terraria server (Why must port forwarding be such a bitch?)
Java? Nothing I can think of off the top of my head. I was under the impression that the most recent update Oracle has pumped out for it were to fix those security holes. Apparently it was actually so they could thread their diseased dicks through my registry and C drive.
Hmm, interesting. I mostly rely on Super AntiSpyware and Avira for security, but if those aren't enough then it my be time to up my arsenal. At this point a Scorched Earth policy may be the BEST policy, figuratively speaking. Thanks for the suggestions
Just make sure that your drivers are handy. Once you're done installing Windows (but before anything else), make sure to get either Avast (Free) or Microsoft Security Essentials (NOTE: There are scam websites out there, make sure of the URL in the Location bar for MSSE). Follow that up with Malwarebytes (or your malware scrubber of choice).
Also, installing Service Pack 1 right after that will save you some update time. I prefer the Piriform tools to the built-in Windows ones (CCleaner, Defraggler, Recuva), but that's just my opinion.
Ack, now I gotta dig up that external hard drive I bought just for this purpose. Oh well, I'm not gonna let those Ask.com assholes win. If they put HALF the effort into making their search engine better than they did making impossible-to-remove adware nobody would hate them.
Also, thanks for the information you sent me through the PM. Unfortunately a good 3rd of those registry items didn't show up, and the tool bar is STILL there even after I purged the other 2/3rds.
*sigh* Not sure who I'm made at more: Myself for not reading the Java update boxes, Oracle for needlessly tacking this crap on, Ask.com for making it in the first place, or those nebulous machine spirits for not working perfectly all the time.
Oh well, Scorched Earth it is. Thanks for all the help you guys, especially you Great Scott (and Essee!) it really warms the cockles of my heart to be on the receiving end of such generosity. You took time out of your day to lend your experience to a stranger, and that's the REAL Christmas miracle here!