
Computer Exorcism: cannot remove Ask toolbar alone?

Syzygy (Registered User regular)
Hey, look who's back with another software problem!

Once again, I've exhausted EVERY possible solution posted out there on the internet, and now look for specialized help from you guys. All my other computer problems vanish completely whenever I ask around here, hopefully this time will not be a combo breaker!

So, does anyone here know of the Ask.com toolbar? Here's what wikipedia has to say:

"The Ask Toolbar is a web-browser add-on that can appear as an extra bar added to the browser's window and/or menu. It is often installed (sometimes without warning) during the installation of other software. As an operating business of InterActiveCorp,[22] Ask Partner Network has entered into partnerships with some software security vendors, whereby they are paid to distribute the toolbar alongside their software.[23]
Installer packages for other software install the toolbar by default. Without further warnings the toolbar deletes all of the users homepages and inserts its own and makes Ask.com the default search in all web browsers. In turn, Ask.com's search results page tends to mislead readers into clicking on paid advertisements as if they were optimal search results"

tl;dr: It's "legitimate" (and I use legitimate as loosely as possible) spyware/malware. I think mine caught a ride on the last adobe photoshop version I installed, apparently it's been known to happen.

But that's not the problem. The problem is that this toolbar is like digital herpes, it won't fucking go away, no matter what I do and I cannot figure out why!

Some information that will prove useful:

I run Windows 7 64-bit home edition
Web browser the toolbar is attached to is Chrome
Yes, I have tried removing the toolbar from Chrome's extensions menu. It will not let me since it does not have a delete button (little trashcan icon) and remains in a "grayed" state, preventing any sort of interaction.
Yes, I have tried forcibly uninstalling it from the programs list. Every time I do it just gives me an error saying "You must close all Internet Explorer windows to continue uninstallation, press OK when you are ready to continue." Clicking OK just repeats the message, despite the fact that I have not used Internet Explorer since installing Chrome and never have it running at any given time.
Yes, I have checked to make sure that Internet Explorer, indeed, is NOT running from my task manager's process list.
Yes, I have tried using third-party uninstaller programs like Revo Uninstaller; I meet the same problem as normal uninstallation, that fucking error message.

That should cover the long and short of it. And no, a system restore is out of the question as for some reason my last restore point is a little over two weeks ago. And no, the Ask.com people have been less than helpful about removing their shitty malware. I swear, the only way that site can keep operating in the face of Google is because it's run entirely by spambots and chatbots at this point.

So, anyone have any ideas? Or ever dealt with this before?

It may seem innocuous, but the fact that the toolbar is hideous, unnecessary, and stubborn is driving me completely insane. You know you're going insane when you find yourself browsing a thesaurus, looking for synonyms of "choke". Specifically, who(m)ever made Ask.com in the first place.

Thanks in advance for any and all help!

Posts

  • Fyndir (Registered User regular)
    Might be worth trying booting into safe mode (without networking) and then trying to uninstall it from the Control Panel/Programs List.

    F8 on startup before the Windows logo appears should get you to the right screen.

  • ducttapeenthusiast (Registered User regular)
    I'm not sure of a solution exactly, but I have an idea of how it snuck in. I recently spotted one of the Adobe programs attempting to sneak it into an update. It's a box you have to uncheck during the install setup. If you have something Adobe you've updated recently, maybe try uninstalling that update.

  • TheKoolEagle (Registered User regular)
    I second going into safe mode and trying to purge the shitdemon from there. Make sure to go into safe mode without network access; hopefully the IE message won't pop up again from it, but let us know if it does.

  • pacbowl, Los Angeles (Registered User regular)
    Maybe un/reinstalling Chrome?

  • BlazeFire (Registered User regular)
    Maybe this is too simple, but did you have Chrome or any other browser running when it was giving you the "You must close all Internet Explorer windows to continue uninstallation, press OK when you are ready to continue." prompt?

  • Esh, Tending bar. FFXIV. Motorcycles. Portland, OR (Registered User regular)
    pacbowl wrote: »
    Maybe un/reinstalling Chrome?

    This. And make sure you unclick/don't click the Install Ask Toolbar option when reinstalling.

  • Lt Muffin360 (Registered User regular)
    Not sure about anyone else but the Ask Toolbar appears in the Oracle Java update installer for me. It is on a page that doesn't look like it has user inputs but does have a checkbox in the middle to uncheck in order to not install the toolbar, most annoying thing ever.

    Not any help on how to remove it, but might help in not getting it back.

    I do like the uninstall, then reinstall chrome idea.

  • Syzygy (Registered User regular)
    Fyndir wrote: »
    Might be worth trying booting into safe mode (without networking) and then trying to uninstall it from the Control Panel/Programs List.

    F8 on startup before the Windows logo appears should get you to the right screen.

    Tried that, no dice. I get a different error message when trying to uninstall it this time, though. Now it says "The Windows installer Service could not be accessed. This can occur if Windows Installer is not correctly installed. Contact your support personnel for assistance."

    These Ask.com guys play dirty.
    Esh wrote: »
    pacbowl wrote: »
    Maybe un/reinstalling Chrome?

    This. And make sure you unclick/don't click the Install Ask Toolbar option when reinstalling.

    Still no dice, I don't even get the option to choose whether I want to install the ask bar upon reinstallation of chrome. And it STILL comes after reinstallation. This malware must have been made in hell, that is the only explanation for how impossible it is to get rid of.
    BlazeFire wrote: »
    Maybe this is too simple, but did you have Chrome or any other browser running when it was giving you the "You must close all Internet Explorer windows to continue uninstallation, press OK when you are ready to continue." prompt?

    Heh, that was my FIRST resort. Clearly we are not dealing with software made by mortal hands though.

    So safe mode and reinstalling Chrome are out. Any other suggestions? Through the power of Google I have scryed others suggesting deleting registry items from regedit, but that is uncharted territory for me.

  • Great Scott, King of Wishful Thinking, Paragon City, RI (Registered User regular)
    The Ask toolbar is a pain. Yes, the Windows Installer service doesn't start in safe mode, which is why you can't uninstall it that way.

    I'd like you to try two things:
    1) uninstall Google Chrome. Make sure you have a backup of your bookmarks, cookies, and such. Then, go to c:\users\your_account_name\appdata\local\Google. If there is a chrome folder, delete it. Then try reinstalling Chrome.

    2) Run HijackThis. Paste the log file it makes to a post, or PM me with it if you'd rather.

    Just as a sanity check, the ask toolbar doesn't appear on IE too, does it?

    I'm unique. Just like everyone else.
  • Syzygy (Registered User regular)
    edited February 2013
    Great Scott wrote: »
    The Ask toolbar is a pain. Yes, the Windows Installer service doesn't start in safe mode, which is why you can't uninstall it that way.

    I'd like you to try two things:
    1) uninstall Google Chrome. Make sure you have a backup of your bookmarks, cookies, and such. Then, go to c:\users\your_account_name\appdata\local\Google. If there is a chrome folder, delete it. Then try reinstalling Chrome.

    2) Run HijackThis. Paste the log file it makes to a post, or PM me with it if you'd rather.

    Just as a sanity check, the ask toolbar doesn't appear on IE too, does it?

    Sounds like you've dealt with this before. Yeah, it doesn't show up on IE. I'll try doing what you suggest and report back.

    EDIT: Didn't work. Here's the logfile from Hijack This though:

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 3:31:19 PM, on 2/6/2013
    Platform: Windows 7 SP1 (WinNT 6.00.3505)
    MSIE: Unable to get Internet Explorer version!
    Boot mode: Normal

    Running processes:
    C:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe
    C:\Windows\PLFSetI.exe
    C:\Program Files (x86)\Steam\Steam.exe
    C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe
    C:\Program Files (x86)\Skype\Phone\Skype.exe
    C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe
    C:\Program Files (x86)\Launch Manager\LManager.exe
    C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    C:\Users\Max\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://acer.msn.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://searchab.com/?aff=7&uid=7a21d368-4501-11e2-a3cb-b870f477efa1
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://acer.msn.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://searchab.com/?aff=7&uid=7a21d368-4501-11e2-a3cb-b870f477efa1
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (file missing)
    F2 - REG:system.ini: UserInit=userinit.exe
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
    O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Windows Live Messenger Companion Helper - {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
    O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (file missing)
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
    O2 - BHO: Yontoo Layers - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - (no file)
    O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (file missing)
    O4 - HKLM\..\Run: [BackupManagerTray] "C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe" -h -k
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    O4 - HKLM\..\Run: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe"
    O4 - HKLM\..\Run: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
    O4 - HKLM\..\Run: [AdobeCS6ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe" -launchedbylogin
    O4 - HKCU\..\Run: [Steam] "C:\Program Files (x86)\Steam\steam.exe" -silent
    O4 - HKCU\..\Run: [Google Update] "C:\Users\Max\AppData\Local\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [GoogleDriveSync] "C:\Program Files (x86)\Google\Drive\googledrivesync.exe" /autostart
    O4 - HKCU\..\Run: [AviraSpeedup] "C:\Program Files (x86)\AviraSpeedup\AviraSpeedup.exe" -autorun
    O4 - HKCU\..\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
    O9 - Extra button: @C:\Program Files (x86)\Windows Live\Companion\companionlang.dll,-600 - {0000036B-C524-4050-81A0-243669A86B9F} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
    O9 - Extra button: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
    O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
    O15 - Trusted Zone: *.soe.com
    O15 - Trusted Zone: *.sony.com
    O16 - DPF: {E6F480FC-BD44-4CBA-B74A-89AF7842937D} (SysInfo Class) - http://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.4.26.0.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
    O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
    O20 - AppInit_DLLs: c:\progra~2\zoomex\sprote~1.dll
    O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
    O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
    O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
    O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
    O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
    O23 - Service: Avira Scheduler (AntiVirSchedulerService) - Avira Operations GmbH & Co. KG - C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira Real-Time Protection (AntiVirService) - Avira Operations GmbH & Co. KG - C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Dritek WMI Service (DsiWMIService) - Dritek System Inc. - C:\Program Files (x86)\Launch Manager\dsiwmis.exe
    O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
    O23 - Service: Acer ePower Service (ePowerSvc) - Acer Incorporated - C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe
    O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: GREGService - Acer Incorporated - C:\Program Files (x86)\Acer\Registration\GREGsvc.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
    O23 - Service: LogMeIn Hamachi Tunneling Engine (Hamachi2Svc) - Unknown owner - C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
    O23 - Service: MyWinLocker Service (MWLService) - Egis Technology Inc. - C:\Program Files (x86)\EgisTec MyWinLocker\x86\MWLService.exe
    O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: Norton Online Backup (NOBU) - Symantec Corporation - C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe
    O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
    O23 - Service: NTI IScheduleSvc - NewTech Infosystems, Inc. - C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
    O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\SysWOW64\PSIService.exe
    O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files (x86)\Skype\Updater\Updater.exe
    O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
    O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
    O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
    O23 - Service: Adobe SwitchBoard (SwitchBoard) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
    O23 - Service: TabletServicePen - Unknown owner - C:\Windows\system32\Pen_Tablet.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
    O23 - Service: Updater Service - Acer Group - C:\Program Files\Acer\Acer Updater\UpdaterService.exe
    O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
    O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
    O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
    O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
    O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

    --
    End of file - 13178 bytes

  • Great Scott, King of Wishful Thinking, Paragon City, RI (Registered User regular)
    Thanks. Wow, that's a larger log than I'm used to seeing. I'll try to have a full analysis by tomorrow morning.

  • Syzygy (Registered User regular)
    Great Scott wrote: »
    Thanks. Wow, that's a larger log than I'm used to seeing. I'll try to have a full analysis by tomorrow morning.

    Wow, thanks, that's mighty generous of you. As an update, I've tried deleting the AskToolbar folder from my AppData, and it STILL somehow managed to survive. I dread that I may just have to throw in the towel and Exterminatus my computer back two weeks.

  • Great Scott, King of Wishful Thinking, Paragon City, RI (Registered User regular)
    edited February 2013
    Syzygy, sent you a PM for some long removal instructions. Short version, there are files in Program Files as well as re-install keys in the Registry.

    Re: HijackThis.

    You can remove the following items, assuming you made a backup when it was run (just in case). Note that you need to have all Internet Browsers closed when you run HijackThis.

    O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (file missing)
    O2 - BHO: Yontoo Layers - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - (no file)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

    Questions:

    Do you use LogMeIn? Because that's installed (O23 - Service: LogMeIn Hamachi Tunneling Engine (Hamachi2Svc)), but I don't see all of the normal services for it. Might be a tech-support call legacy item?

    Do you need Java for something? Given recent major security holes you might want to remove it unless it's crucial.

  • Essee, The pinkest of hair. Victoria, BC (Registered User regular)
    edited February 2013
    I don't know whether you covered this in your PM to the OP, @Great Scott, but I notice from the log that @Syzygy's IE start pages look to have been hijacked by Searchab (although luckily s/he happens to not use IE), which from googling indicates an unpleasant infection of some sort. This may or may not be related to the Ask Toolbar issue, but at the very least those two entries should be removed via HijackThis, and you should run Malwarebytes Anti-Malware (they also have an anti-rootkit tool in beta now if you want to try that on top of the regular malware removal) and Microsoft Security Essentials to kill it. (MSE has the added bonus of giving you some free anti-virus protection, but remember you only ought to have one anti-virus installed and running at a time.) So in addition to having an annoying "LEGIT" piece of adware, you almost certainly also have a malware infection! Yay!

    (Edit: I also want to add that there are a couple processes/services running that I don't recognize too, but I don't want to claim they're not legit without doing more googling than I'm up for right now. If you scan your computer with Rkill, as mentioned below, then Malwarebytes, they'll probably catch anything else bad besides the clear problem I pointed out, so it's all good.)

  • TheKoolEagle (Registered User regular)
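    A triage script, added here as an example and not posted by anyone in the thread, that does over a HijackThis log what Great Scott and Essee did by eye above: it surfaces the BHO and toolbar registrations whose DLL is missing, the Ask.com updater autorun, the AppInit_DLLs entry, and any IE start/search page that is not one of the expected defaults (here, searchab.com). The expected-host allowlist and the watched vendor directory are assumptions for this particular machine, and the sample lines are a constructed excerpt in the format of the log above.

```python
"""Triage a HijackThis-style log: flag hijacked IE start/search pages,
orphaned BHO/toolbar registrations, watched autoruns and AppInit_DLLs."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample in the format of the log posted above; the CLSIDs,
# paths and URLs are the ones that appear in that log.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://searchab.com/?aff=7&uid=7a21d368-4501-11e2-a3cb-b870f477efa1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://acer.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (file missing)
O2 - BHO: Yontoo Layers - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (file missing)
O4 - HKLM\..\Run: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
O20 - AppInit_DLLs: c:\progra~2\zoomex\sprote~1.dll
O23 - Service: Avira Scheduler (AntiVirSchedulerService) - Avira Operations GmbH & Co. KG - C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
"""

# Assumed per-machine allowlist: hosts the owner expects as IE start/search
# pages (the OEM and Microsoft defaults). Anything else is treated as a hijack.
EXPECTED_PAGE_HOSTS = {"acer.msn.com", "go.microsoft.com"}

# Assumed watch list of vendor directories whose autoruns should be surfaced.
WATCHED_DIR_FRAGMENTS = ("\\ask.com\\",)

LINE_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
PAGE_KEYS = ("Start Page", "Search Page", "Default_Page_URL", "Default_Search_URL")


@dataclass(frozen=True)
class Finding:
    code: str     # HijackThis section, e.g. "O2"
    reason: str   # short label for the class of problem
    detail: str   # the offending value (URL, CLSID, path)


def _check_page(code, body):
    # R0/R1 bodies look like "<registry key>,<value name> = <url>"
    key, _, value = body.partition(" = ")
    if not any(k in key for k in PAGE_KEYS) or not value.strip():
        return None
    host = (urlparse(value.strip()).hostname or "").lower()
    if host not in EXPECTED_PAGE_HOSTS:
        return Finding(code, "page_hijack", value.strip())
    return None


def _check_component(code, body):
    # O2 (BHO) / O3 (toolbar) bodies: "<name> - {CLSID} - <dll> (file missing)".
    # A registration whose DLL is gone is dead weight at best and, as in this
    # thread, often the leftover of a half-removed toolbar.
    if body.endswith("(file missing)") or body.endswith("(no file)"):
        clsid = CLSID_RE.search(body)
        return Finding(code, "orphaned_component", clsid.group(0) if clsid else body)
    return None


def _check_autorun(code, body):
    # O4 bodies: 'HKLM\..\Run: [Name] "<exe>" <args>'
    if any(frag in body.lower() for frag in WATCHED_DIR_FRAGMENTS):
        return Finding(code, "watched_autorun", body)
    return None


def _check_appinit(code, body):
    # AppInit_DLLs is loaded into every process that loads user32.dll;
    # legitimate use is rare enough that any entry deserves a look.
    value = body.split(":", 1)[1].strip() if ":" in body else ""
    return Finding(code, "appinit_dll", value) if value else None


CHECKS = {"R0": _check_page, "R1": _check_page,
          "O2": _check_component, "O3": _check_component,
          "O4": _check_autorun, "O20": _check_appinit}


def triage(log_text):
    """Return the Findings for a HijackThis log, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header lines, the process list, blank lines
        check = CHECKS.get(m.group("code"))
        if check is None:
            continue  # sections this script does not assess (F2, O9, O23, ...)
        finding = check(m.group("code"), m.group("body"))
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code:<4}{f.reason:<20}{f.detail}")
```

Run it against the full log pasted above and it flags the same three O2/O3 entries Great Scott listed plus the searchab.com start pages Essee spotted; entries it does not assess (services, O9 buttons) still need a human eye.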
    if you do anything with malwarebytes you should also grab rkill, really great program for some nasty files

  • Great Scott, King of Wishful Thinking, Paragon City, RI (Registered User regular)
    Good catch, Essee. I noticed that [SUPERAntiSpyware] was running, so I didn't worry about real malware. I was going to suggest Malwarebytes as well until I saw that.

  • Syzygy (Registered User regular)
    Great Scott wrote: »
    Syzygy, sent you a PM for some long removal instructions. Short version, there are files in Program Files as well as re-install keys in the Registry.

    Re: HijackThis.

    You can remove the following items, assuming you made a backup when it was run (just in case). Note that you need to have all Internet Browsers closed when you run HijackThis.

    O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (file missing)
    O2 - BHO: Yontoo Layers - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - (no file)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

    Questions:

    Do you use LogMeIn? Because that's installed (O23 - Service: LogMeIn Hamachi Tunneling Engine (Hamachi2Svc)), but I don't see all of the normal services for it. Might be a tech-support call legacy item?

    Do you need Java for something? Given recent major security holes you might want to remove it unless it's crucial.

    LogMeIn must be a legacy item, I uninstalled it after shutting down my terraria server (Why must port forwarding be such a bitch?)

    Java? Nothing I can think of off the top of my head. I was under the impression that the most recent update Oracle has pumped out for it was to fix those security holes. Apparently it was actually so they could thread their diseased dicks through my registry and C drive.


    Essee wrote: »
    I don't know whether you covered this in your PM to the OP, @Great Scott, but I notice from the log that @Syzygy's IE start pages look to have been hijacked by Searchab (although luckily s/he happens to not use IE), which from googling indicates an unpleasant infection of some sort. This may or may not be related to the Ask Toolbar issue, but at the very least those two entries should be removed via HijackThis, and you should run Malwarebytes Anti-Malware (they also have an anti-rootkit tool in beta now if you want to try that on top of the regular malware removal) and Microsoft Security Essentials to kill it. (MSE has the added bonus of giving you some free anti-virus protection, but remember you only ought to have one anti-virus installed and running at a time.) So in addition to having an annoying "LEGIT" piece of adware, you almost certainly also have a malware infection! Yay!

    (Edit: I also want to add that there are a couple processes/services running that I don't recognize too, but I don't want to claim they're not legit without doing more googling than I'm up for right now. If you scan your computer with Rkill, as mentioned below, then Malwarebytes, they'll probably catch anything else bad besides the clear problem I pointed out, so it's all good.)

    Hmm, interesting. I mostly rely on SUPERAntiSpyware and Avira for security, but if those aren't enough then it may be time to up my arsenal. At this point a Scorched Earth policy may be the BEST policy, figuratively speaking. Thanks for the suggestions.

  • Great Scott, King of Wishful Thinking, Paragon City, RI (Registered User regular)
    edited February 2013
    Scorched Earth is really the best. As long as you have a good backup of your personal data, sure, do a format and then a re-install.

    Just make sure that your drivers are handy. Once you're done installing Windows (but before anything else), make sure to get either Avast (Free) or Microsoft Security Essentials (NOTE: There are scam websites out there, make sure of the URL in the Location bar for MSSE). Follow that up with Malwarebytes (or your malware scrubber of choice).

    Also, installing Service Pack 1 right after that will save you some update time. I prefer the Piriform tools to the built-in Windows ones (CCleaner, Defraggler, Recuva), but that's just my opinion.

  • Syzygy (Registered User regular)
    Great Scott wrote: »
    Scorched Earth is really the best. As long as you have a good backup of your personal data, sure, do a format and then a re-install.

    Just make sure that your drivers are handy. Once you're done installing Windows (but before anything else), make sure to get either Avast (Free) or Microsoft Security Essentials (NOTE: There are scam websites out there, make sure of the URL in the Location bar for MSSE). Follow that up with Malwarebytes (or your malware scrubber of choice).

    Also, installing Service Pack 1 right after that will save you some update time. I prefer the Piriform tools to the built-in Windows ones (CCleaner, Defraggler, Recuva), but that's just my opinion.

    Ack, now I gotta dig up that external hard drive I bought just for this purpose. Oh well, I'm not gonna let those Ask.com assholes win. If they put HALF the effort into making their search engine better than they did making impossible-to-remove adware nobody would hate them.

    Also, thanks for the information you sent me through the PM. Unfortunately a good third of those registry items didn't show up, and the toolbar is STILL there even after I purged the other two-thirds.

    *sigh* Not sure who I'm mad at more: myself for not reading the Java update boxes, Oracle for needlessly tacking this crap on, Ask.com for making it in the first place, or those nebulous machine spirits for not working perfectly all the time.

    Oh well, Scorched Earth it is. Thanks for all the help you guys, especially you Great Scott (and Essee!) it really warms the cockles of my heart to be on the receiving end of such generosity. You took time out of your day to lend your experience to a stranger, and that's the REAL Christmas miracle here!
