I can't access any search engines, google, etc

By sasasasa
Oct 10, 2009
Topic Status:
Not open for further replies.
  1. At first, I got a problem with security tool-spyware (lsas.blaster.keylogger), but that problem is now already over, it's OK right now...

    after that, I noticed that it's not the only problem, now I can't access any search engines, when I type something I want to search at google toolbar or when I type "www.google.com" manually in IE bar, the page turns to "Internet Explorer cannot display the webpage"....it also happened with other search engines...

    I already followed your instruction on "UPDATED 8-step Viruses/Spyware/Malware Preliminary Removal Instructions" but the problem still exists, so now I attach my logs from your instruction, in case anyone can help...

    big thanks for your help!
  2. sasasasa

    sasasasa Newcomer, in training Topic Starter

    Today finally I got its solution!

    In case it happens to anyone else here, I put the solution here.
    All you have to do is to search a file named "hosts" without any extensions (just 1 kb).
    Open that file with notepad and you can find some paragraphs in it.
    Delete all those paragraphs, and then save.
    Check your browser and do googling, from my experience it successfully restored my google or other search engines back to normal.
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Actually, your problem isn't solved. For one thing, you have pirated software. Additionally you have/had infections from Backdoor Trojans, Trojan Downloader and Backdoor.Bot. Eventually it's likely that these infections will show through again.

    Your temp files and the system restore points are infected with malware. Just because you can use a search engine, it does not mean the system is clean.

    Where and what did you get about the 'host' search?
  4. sasasasa

    sasasasa Newcomer, in training Topic Starter

    Yeah, I think you're right, it's not as simple as that, is it? I'm just too excited that I can google again without thinking those infections still remain.

    So while I was waiting for an answer from techspot I kept searching for a solution, and my friend told me about the "hosts" search...As I said above:
    "All you have to do is to search a file named "hosts" without any extensions (just 1 kb).
    Open that file with notepad and you can find some paragraphs in it.
    Delete all those paragraphs, and then save"


    I found the "hosts" file in "G:\WINDOWS\system32\drivers\etc" and just erased the paragraphs in it without deleting the file, so the file still exists right now.

    So, from your opinion what should I do right now to make the system totally clean?
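The hosts-file trick described in the two posts above works because a hosts entry overrides DNS, so an entry that pins a search engine's name to an address that never answers produces exactly the "cannot display the webpage" symptom. The checker below is an added example, not code from this thread or from any tool named in it; it parses hosts-file text and reports entries a helper would question. The sample file content and the list of watched domains are constructed for the example.

```python
import ipaddress

# Constructed sample hosts file, modelled on the symptom in this thread:
# search-engine hostnames pinned to addresses that do not answer.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.google.com
127.0.0.1       google.com
192.0.2.44      www.bing.com      # non-loopback: silent redirect, not just a block
::1             localhost
"""

# Hostnames a hosts file normally has no business pinning (constructed list).
WATCHED_DOMAINS = ("google.com", "bing.com", "yahoo.com", "search.live.com")


def parse_hosts(text):
    """Yield (address, hostname) pairs, skipping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        addr, names = fields[0], fields[1:]
        for name in names:
            yield addr, name.lower()


def is_watched(name):
    """True when name is one of the watched domains or a subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in WATCHED_DOMAINS)


def suspicious_entries(text):
    """Return (hostname, address, reason) for entries a helper would question:
    any mapping of a watched domain, and any mapping whose target is not a
    loopback or unspecified address (those silently redirect rather than block)."""
    findings = []
    for addr, name in parse_hosts(text):
        if name == "localhost":
            continue
        try:
            ip = ipaddress.ip_address(addr)
            local_target = ip.is_loopback or ip.is_unspecified
        except ValueError:
            local_target = False          # an unparsable address is itself odd
        if is_watched(name):
            findings.append((name, addr, "watched domain"))
        elif not local_target:
            findings.append((name, addr, "non-loopback target"))
    return findings
```

On the system in this thread the file lives under the Windows directory as `\system32\drivers\etc\hosts`; a clean default file maps only `localhost`.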
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    I would like to see you repeat the three scans. Update Malwarebytes and Superantispyware, then run. Follow with rescan of HijackThis. We'll see what's still on the system. Attach the Mbam and SAS logs like you did previously, but paste the HijackThis log in the next reply. (it's easier for me to work with that way)

    Your copy of MP3.DISC.BURNER.V1.70 is a pirated program. Start by uninstalling it. If you want this program, you can pay for it and download from here:
    http://www.mp3machine.com/software/MP3DiscBurner/
  6. sasasasa

    sasasasa Newcomer, in training Topic Starter

    About MP3.DISC.BURNER.V1.70, it's just the master software that I keep on my laptop without installing it, so I can't uninstall it...is it the same if I just simply delete the folder?
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    It shows a crack key with it along with a Trojan:

    Trojan.Agent/Gen-FSG
    G:\ARYA!!!\APLIKASI\MASTER SOFTWARE 1\AUDIO CONV\MP3.DISC.BURNER.V1.70.INCL.KEYGEN-TSZ\KEYGEN.EXE
  8. momok

    momok Newcomer, in training Posts: 2,272

    I would strongly recommend you delete and uninstall all crack and pirated software from your system before you approach us for further help.

    Techspot has a strict policy against cracks and we do not condone piracy.
  9. WinXPert

    WinXPert TechSpot Booster Posts: 525

    Remove all BHO's with HijackThis or you can reset the settings of IE. Launch Explorer. Go to C:\WINDOWS\inf, it's a hidden folder. Right click on ie.inf and select Install. Reboot.
  10. sasasasa

    sasasasa Newcomer, in training Topic Starter

    for bobbye:
    These are my scan results, and yes, I began by deleting MP3.DISC.BURNER.V1.70 (because I never installed it, the only way to remove it from my laptop is to delete it). I hope my system is all clean right now.

    And this is the HijackThis log:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:36:12 PM, on 10/14/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0013)
    Boot mode: Normal

    Running processes:
    G:\WINDOWS\System32\smss.exe
    G:\WINDOWS\system32\winlogon.exe
    G:\WINDOWS\system32\services.exe
    G:\WINDOWS\system32\lsass.exe
    G:\WINDOWS\system32\svchost.exe
    G:\WINDOWS\System32\svchost.exe
    G:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    G:\WINDOWS\system32\spoolsv.exe
    G:\Program Files\Avira\AntiVir Desktop\sched.exe
    G:\WINDOWS\Explorer.EXE
    G:\Program Files\Avira\AntiVir Desktop\avguard.exe
    G:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    G:\Program Files\Apoint\Apoint.exe
    G:\Program Files\Bonjour\mDNSResponder.exe
    G:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    G:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    G:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\Program Files\Sony\ISB Utility\ISBMgr.exe
    G:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
    G:\Program Files\Sony\VAIO Power Management\SPMgr.exe
    G:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
    G:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
    G:\Program Files\iTunes\iTunesHelper.exe
    G:\Program Files\Java\jre6\bin\jqs.exe
    G:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    G:\Program Files\Apoint\ApMsgFwd.exe
    G:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    G:\Program Files\Java\jre6\bin\jusched.exe
    G:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    G:\WINDOWS\system32\ctfmon.exe
    G:\Program Files\Apoint\Apntex.exe
    G:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
    G:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
    G:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
    G:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
    G:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
    G:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
    G:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
    G:\WINDOWS\system32\svchost.exe
    G:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
    G:\Program Files\Sony\VAIO Event Service\VESMgr.exe
    G:\Program Files\iPod\bin\iPodService.exe
    G:\Program Files\RapidBIT\cidaemon.exe
    G:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
    G:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    G:\WINDOWS\System32\svchost.exe
    G:\Program Files\Internet Explorer\IEXPLORE.EXE
    G:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - G:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - G:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
    O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - G:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - G:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - G:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - G:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O4 - HKLM\..\Run: [Apoint] G:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [IntelZeroConfig] "G:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
    O4 - HKLM\..\Run: [IntelWireless] "G:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [ISBMgr.exe] C:\Program Files\Sony\ISB Utility\ISBMgr.exe
    O4 - HKLM\..\Run: [Switcher.exe] "G:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe"
    O4 - HKLM\..\Run: [VAIOCameraUtility] "G:\Program Files\Sony\VAIO Camera Utility\VCUServe.exe"
    O4 - HKLM\..\Run: [SonyPowerCfg] "G:\Program Files\Sony\VAIO Power Management\SPMgr.exe"
    O4 - HKLM\..\Run: [RoxWatchTray] "G:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
    O4 - HKLM\..\Run: [Google Quick Search Box] "G:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] G:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [iTunesHelper] "G:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [avgnt] "G:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "G:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "G:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKCU\..\Run: [Messenger (Yahoo!)] "G:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [SUPERAntiSpyware] G:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [ctfmon.exe] G:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [Svchost] G:\Documents and Settings\All Users\Application Data\csrss.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Svchost] G:\Documents and Settings\All Users\Application Data\csrss.exe (User 'Default user')
    O4 - Global Startup: Adobe Gamma Loader.lnk = G:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = G:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Bluetooth Manager.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - G:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - G:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O20 - Winlogon Notify: !SASWinLogon - G:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: Csrss - G:\WINDOWS\SYSTEM32\csrss2.dll
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - G:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - G:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - G:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - G:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - G:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: Remote Connections Service (FlexService) - BitMicro Software Corporation - G:\Program Files\RapidBIT\cisvc.exe
    O23 - Service: Google Software Updater (gusvc) - Google - G:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - G:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - G:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - G:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - G:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - G:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
    O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - G:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
    O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - G:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
    O23 - Service: RoxMediaDB9 - Sonic Solutions - G:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - G:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - G:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - G:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
    O23 - Service: VAIO Event Service - Sony Corporation - G:\Program Files\Sony\VAIO Event Service\VESMgr.exe

    --
    End of file - 9213 bytes

    Anyway, thanks for helping me this far! :p
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Sorry for the delay- I could use a clone!
    A recap if you don't mind:
    1. The original problem wasn't a redirect: that's where you put one site in search but get taken to another. It was 'web page won't display'. That problem was 'handled'.

    2. Mbam shows (Trojan.Downloader) in System Restore. We will remove the infected restore points at end of cleaning. Don't use system Restore now. Also found (Backdoor.Bot) in System 32 files.

    3. SAS shows malware in temp files and prefetch. (will clean both later)

    4. HJT shows about:blank homepage: did you set a homepage to come up as a blank page? If so, okay. If not, it's malware.

    5. HJT shows the Svchost / csrss.exe entry: Added by a new Rbot variant. This infection when started connects to a remote IRC server where it waits for commands to execute. It is in All Users\Application Data.

    Please download ComboFix HERE:
    • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
    • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
    • Run Combo-Fix.exe and follow the prompts.
      (Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)
    • Wait for the scan to be completed.
    • If it requires a reboot, please do it.
    • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

    Notes:

    • 1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
      2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
      3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
      4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Update and do a full system scan with Avira. Save the log and attach in next reply.
    Rescan with HJT and paste log in next reply.
    (Attach Combofix report and Avira logs)
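The two entries Bobbye singles out above share one tell: a file named after a Windows core process (csrss.exe) loading from outside System32, or a Winlogon Notify DLL named to look like one. The triage script below is an added example, not part of this thread or of HijackThis; it applies that rule to O4 and O20 lines in HijackThis's log format. The sample lines are a constructed excerpt modelled on the log in post 10, and the list of core process names is the example's own assumption.

```python
import re
from pathlib import PureWindowsPath

# Constructed excerpt in HijackThis O4/O20 line format (modelled on post 10).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avgnt] "G:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] G:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Svchost] G:\Documents and Settings\All Users\Application Data\csrss.exe (User 'SYSTEM')
O20 - Winlogon Notify: !SASWinLogon - G:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: Csrss - G:\WINDOWS\SYSTEM32\csrss2.dll
"""

# Windows core process names that legitimately live only in \WINDOWS\system32
# (assumed list for this example).
CORE = {"csrss.exe", "svchost.exe", "lsass.exe", "smss.exe", "winlogon.exe", "services.exe"}


def exe_path(cmd):
    """Extract the executable path from an O4 command: quoted path, or up to .exe."""
    m = re.match(r'"([^"]+)"|(.*?\.exe)', cmd, re.I)
    return (m.group(1) or m.group(2)) if m else cmd


def in_system32(path):
    """True when path is <drive>\WINDOWS\system32\... (case-insensitive)."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    return len(parts) >= 3 and parts[1] == "windows" and parts[2] == "system32"


def triage(log):
    """Return (section, label, path, reason) for O4/O20 lines worth a second look."""
    findings = []
    for line in log.splitlines():
        m = re.match(r"^O4 - (.*?): \[([^\]]*)\] (.*)$", line)
        if m:
            path = exe_path(m.group(3))
            base = PureWindowsPath(path).name.lower()
            if base in CORE and not in_system32(path):
                findings.append(("O4", m.group(2), path, "core process name outside System32"))
            continue
        m = re.match(r"^O20 - Winlogon Notify: (.+?) - (.+)$", line)
        if m:
            # csrss2.dll -> csrss.exe: strip a numeric suffix and compare with core names
            base = PureWindowsPath(m.group(2)).name.lower()
            if re.sub(r"\d*\.dll$", ".exe", base) in CORE:
                findings.append(("O20", m.group(1), m.group(2), "Notify DLL named after a core process"))
    return findings
```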