cannot use search engines such as google

[pmullins]

I have problems accessing google and yahoo search engines which I assume is a virus. The relevant logs are attached.



[Saving space, attachment deleted by admin]

[evilfantasy]

Welcome to CH.

1. Close all open Web browsers.
2. From the Start menu in Windows select Control Panel.
3. Select Add or Remove Programs.
4. Uninstall any of the following programs associated with Ask.com: (the names may be slightly different)

- Ask.com
- Ask Bar
- Ask Desktop Search
- Ask Search
- Ask Toolbar
- Ask Jeeves

5. Click Change/Remove for each and uninstall all found.

----------

Open HijackThis and select Do a system scan only

Place a check mark next to the following entries: (if there)

• R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
• R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://register.hp.com/servlet/WebReg.servlets.ProdReg1Servlet?appID=java_wreg_wreg_genpg&prodOS=029&gwCountry=US&language=en&PURCH_DT_MONTH=03&PURCH_DT_DAY=23&PURCH_DT_YEAR=2006&PROD_SERIAL_ID=CNN5510PP4&application=305&modelID=EL470AA&LF=blue
• O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
• O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
• O1 - Hosts: 74.125.45.100 secure-plus-payments.com
• O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com
• O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com
• O1 - Hosts: 74.125.45.100 www.getavplusnow.com
• O1 - Hosts: 74.125.45.100 securesoftwarebill.com
• O1 - Hosts: 74.125.45.100 secure.paysecuresystem.com
• O1 - Hosts: 74.125.45.100 paysoftbillsolution.com
• O1 - Hosts: 64.86.17.32 google.ae
• O1 - Hosts: 64.86.17.32 google.as
• O1 - Hosts: 64.86.17.32 google.at
• O1 - Hosts: 64.86.17.32 google.az
• O1 - Hosts: 64.86.17.32 google.ba
• O1 - Hosts: 64.86.17.32 google.be
• O1 - Hosts: 64.86.17.32 google.bg
• O1 - Hosts: 64.86.17.32 google.bs
• O1 - Hosts: 64.86.17.32 google.ca
• O1 - Hosts: 64.86.17.32 google.cd
• O1 - Hosts: 64.86.17.32 google.com.gh
• O1 - Hosts: 64.86.17.32 google.com.hk
• O1 - Hosts: 64.86.17.32 google.com.jm
• O1 - Hosts: 64.86.17.32 google.com.mx
• O1 - Hosts: 64.86.17.32 google.com.my
• O1 - Hosts: 64.86.17.32 google.com.na
• O1 - Hosts: 64.86.17.32 google.com.nf
• O1 - Hosts: 64.86.17.32 google.com.ng
• O1 - Hosts: 64.86.17.32 google.ch
• O1 - Hosts: 64.86.17.32 google.com.np
• O1 - Hosts: 64.86.17.32 google.com.pr
• O1 - Hosts: 64.86.17.32 google.com.qa
• O1 - Hosts: 64.86.17.32 google.com.sg
• O1 - Hosts: 64.86.17.32 google.com.tj
• O1 - Hosts: 64.86.17.32 google.com.tw
• O1 - Hosts: 64.86.17.32 google.dj
• O1 - Hosts: 64.86.17.32 google.de
• O1 - Hosts: 64.86.17.32 google.dk
• O1 - Hosts: 64.86.17.32 google.dm
• O1 - Hosts: 64.86.17.32 google.ee
• O1 - Hosts: 64.86.17.32 google.fi
• O1 - Hosts: 64.86.17.32 google.fm
• O1 - Hosts: 64.86.17.32 google.fr
• O1 - Hosts: 64.86.17.32 google.ge
• O1 - Hosts: 64.86.17.32 google.gg
• O1 - Hosts: 64.86.17.32 google.gm
• O1 - Hosts: 64.86.17.32 google.gr
• O1 - Hosts: 64.86.17.32 google.ht
• O1 - Hosts: 64.86.17.32 google.ie
• O1 - Hosts: 64.86.17.32 google.im
• O1 - Hosts: 64.86.17.32 google.in
• O1 - Hosts: 64.86.17.32 google.it
• O1 - Hosts: 64.86.17.32 google.ki
• O1 - Hosts: 64.86.17.32 google.la
• O1 - Hosts: 64.86.17.32 google.li
• O1 - Hosts: 64.86.17.32 google.lv
• O1 - Hosts: 64.86.17.32 google.ma
• O1 - Hosts: 64.86.17.32 google.ms
• O1 - Hosts: 64.86.17.32 google.mu
• O1 - Hosts: 64.86.17.32 google.mw
• O1 - Hosts: 64.86.17.32 google.nl
• O1 - Hosts: 64.86.17.32 google.no
• O1 - Hosts: 64.86.17.32 google.nr
• O1 - Hosts: 64.86.17.32 google.nu
• O1 - Hosts: 64.86.17.32 google.pl
• O1 - Hosts: 64.86.17.32 google.pn
• O1 - Hosts: 64.86.17.32 google.pt
• O1 - Hosts: 64.86.17.32 google.ro
• O1 - Hosts: 64.86.17.32 *Blocked Russian URL*
• O1 - Hosts: 64.86.17.32 google.rw
• O1 - Hosts: 64.86.17.32 google.sc
• O1 - Hosts: 64.86.17.32 google.se
• O1 - Hosts: 64.86.17.32 google.sh
• O1 - Hosts: 64.86.17.32 google.si
• O1 - Hosts: 64.86.17.32 google.sm
• O1 - Hosts: 64.86.17.32 google.sn
• O1 - Hosts: 64.86.17.32 google.st
• O1 - Hosts: 64.86.17.32 google.tl
• O1 - Hosts: 64.86.17.32 google.tm
• O1 - Hosts: 64.86.17.32 google.tt
• O1 - Hosts: 64.86.17.32 google.us
• O1 - Hosts: 64.86.17.32 google.vu
• O1 - Hosts: 64.86.17.32 google.ws
• O1 - Hosts: 64.86.17.32 google.co.ck
• O1 - Hosts: 64.86.17.32 google.co.id
• O1 - Hosts: 64.86.17.32 google.co.il
• O1 - Hosts: 64.86.17.32 google.co.in
• O1 - Hosts: 64.86.17.32 google.co.jp
• O1 - Hosts: 64.86.17.32 google.co.kr
• O1 - Hosts: 64.86.17.32 google.co.ls
• O1 - Hosts: 64.86.17.32 google.co.ma
• O1 - Hosts: 64.86.17.32 google.co.nz
• O1 - Hosts: 64.86.17.32 google.co.tz
• O1 - Hosts: 64.86.17.32 google.co.ug
• O1 - Hosts: 64.86.17.32 google.co.uk
• O1 - Hosts: 64.86.17.32 google.co.za
• O1 - Hosts: 64.86.17.32 google.co.zm
• O1 - Hosts: 64.86.17.32 google.com
• O1 - Hosts: 64.86.17.32 google.com.af
• O1 - Hosts: 64.86.17.32 google.com.ag
• O1 - Hosts: 64.86.17.32 google.com.ar
• O1 - Hosts: 64.86.17.32 google.com.au
• O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

.
Important: Close all open windows except for HijackThis and then click Fix checked.

Once completed, exit HijackThis.

----------

Download HostsXpert[/B][/COLOR] and then follow the below steps.

* Unzip HostXpert to your desktop.
* Open up the HostXpert program.
* Make sure that the "Make Hosts Writable?" button in the upper left corner is enabled (unlocked).
* Click Create Back Up.
* Then click on Restore Microsoft's Host Files.
* Close the HostXpert program.

Note: if you use SpywareBlaster, Spybot and/or IE-SPYAD, it will be necessary to re-install the protection they afford. For SpywareBlaster, run the program and select Enable all protection. For Spybot run the program and select Immunize. For IE-SPYAD, run the batch file and reinstall the protection.

----------

If you already have ComboFix be sure to delete it and download a new copy.

Download ComboFix© by sUBs from one of the below links. Be sure top save it to the Desktop.

Link #1
Link #2

**Note:  It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
 
Double click combofix.exe & follow the prompts.
Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)
When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFix

[pmullins]

Thanks for this advice. I am having trouble trying to enable 'Make Hosts Writable?' with HostXpert. I click okay on the two prompts to remove the systems file and hidden file attributes, but it then locks the button as read only - that is, the button simply says 'Make Writable?' but when clicked it will not change.

[evilfantasy]

Download OTL to your desktop.

* Open OTL
* Copy and Paste the following text in the codebox into the Custom Scans/Fixes window.

Code: [Select]

:OTL

:Services

:Reg

:Files
C:\Program Files\Ask.com

:COMMANDS
[resethosts]
[purity]
[emptytemp]
[start explorer]

* Click Run Fix
* OTLI2 may ask to reboot the machine. Please do so if asked.
* Click OK
* A report will open. Copy and Paste that report in your next reply.

[pmullins]

Thanks again. Attached is the log from combofix.

[Saving space, attachment deleted by admin]

[evilfantasy]

That's only the top part of the log. Did you remove some of it?

Run it again if needed. I need the entire log.

[pmullins]

Sorry here is the entire log. Last time the system rebooted midway through obtaining the log.

[Saving space, attachment deleted by admin]

[evilfantasy]

Thank you.

* Click START then RUN - Vista users press the Windows Key and the R keys for the Run box.
* Now type Combofix /Uninstall in the runbox
* Make sure there's a space between Combofix and /Uninstall
* Then hit Enter

* The above procedure will:
* Delete the following:
* ComboFix and its associated files and folders.
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Set a new, clean Restore Point.

----------

Clean out your temporary internet files and temp files.

Download TFC by OldTimer to your desktop.

Double-click TFC.exe to run it.

Note: If you are running on Vista, right-click on the file and choose Run As Administrator

TFC will close all programs when run, so make sure you have saved all your work before you begin.

* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. 
* Please let TFC run uninterrupted until it is finished.

Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

----------

ESET Online Scan

Scan your computer with the ESET FREE Online Virus Scan

* Click the ESET Online Scanner button.

* For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
* Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop
* Double click on the esetsmartinstaller_enu.exe icon on your desktop.
* Place a check mark next to YES, I accept the Terms of Use.

* Click the Start button.
* Accept any security warnings from your browser.
* Leave the check mark next to Remove found threats and place a check next to Scan archives.
* Click the Start button.
* ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.
* When the scan completes, click List of found threats.
* Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.
* Click the <<Back button then click Finish.

In your next reply please include the ESET Online Scan Log

[pmullins]

Thanks. Attached is the eset log.

[Saving space, attachment deleted by admin]

[evilfantasy]

If there are no more malware issues we can finish up now.

Use the Secunia Software Inspector to check for out of date software.

• Click Start Now
  
• Check the box next to Enable thorough system inspection.
  
• Click Start
  
• Allow the scan to finish and scroll down to see if any updates are needed.
• Update anything listed.

.
----------

Go to Microsoft Windows Update and get all critical updates.

----------

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.