Removed Antivirus Action, now No Internet

Post by patdg on Sat 16 Oct 2010, 3:07 pm

Hi,
I removed Antivirus Action from my PC using this link:
[You must be registered and logged in to see this link.]
Now the computer doesn't connect to the Internet. It just gives me a white screen.

The Internet connection is OK because laptops connected via the router are able to connect to the Internet. Please help me: how can I get the Internet back on the PC?

patdg

Newbie Surfer

Posts : 37
Joined : 2010-10-16
Operating System : 7

Re: Removed Antivirus Action, now No Internet

Post by Kenny94 on Sun 17 Oct 2010, 2:22 am

Hi patdg and Welcome to GeekPolice!

Please read carefully and let me know if you have any questions.

Create a batch file:

Note: You will need to save any work before double clicking the fix.bat file because it will automatically restart your computer.

  • Please copy and paste the following text in the Code box exactly as written into Notepad (not WordPad or any other text editor):
    Code:
    @echo off
    rem Drop the current DHCP lease and request a new one
    ipconfig /release
    ipconfig /renew
    rem Empty the DNS client resolver cache
    ipconfig /flushdns
    rem Reset the Winsock catalog and the TCP/IP stack settings
    netsh winsock reset all
    netsh int ip reset all
    rem Restart in 10 seconds, then delete this batch file
    shutdown -r -t 10
    del /f /q %0
  • Once you've done that click on File and select Save As...
  • In the Save dialogue box click on the drop down menu next to Save as type and select All Files
  • Name the file fix.bat (the .bat extension is very important)
  • Save the file to your desktop and double click it to run it.
  • Once it runs it will automatically restart your computer.
  • Once your computer boots again, check to see if you have access to the internet.






Kenny94

Tech Officer

Posts : 2019
Joined : 2010-04-23
Operating System : Windows 7

Re: Removed Antivirus Action, now No Internet

Post by patdg on Sun 17 Oct 2010, 6:03 am

Before I try this, can you help me understand what this will do to my computer? I am not in IT, and have no idea what this means.
Also, what could have happened to the Internet after I removed the virus that it stopped working?


On some site someone suggested doing this to fix a similar problem. Do you know what this fix is for?
Start | Run | Type: services.msc | Click OK |
> Scroll down to and double click DNS Client | Set to Automatic under Startup type |
> Click the Apply button | Click the Start button | When it starts click OK
>
> Do the same for DHCP Client.
> Do the same for Remote Procedure Call (RPC).


Re: Removed Antivirus Action, now No Internet

Post by Kenny94 on Sun 17 Oct 2010, 8:17 am

> Also what could have happened to internet after I removed the virus that it stopped working?

I need to look at a report. So let's get you on the internet to run one to see. Please run the batch file that will flush and reset the contents of the DNS client resolver cache.




Re: Removed Antivirus Action, now No Internet

Post by patdg on Sun 17 Oct 2010, 4:12 pm

I am so silly. I checked the Internet settings on the desktop computer vs my laptop and noticed under Tools/Internet Options/Connections/LAN Settings, Automatically Detect Settings was unchecked while Proxy Server was checked on the PC.

So I put the checkmark back on Automatically Detect Settings, and unchecked Proxy Server, and the Internet is back running now.

Now I am running Kaspersky antivirus and doing a full scan on the computer. The PC had the basic Windows Forefront antivirus. I installed Kaspersky after the virus attack hoping to clean it, but it couldn't run its update b/c it couldn't connect to the Internet. So I ran the latest update and am doing a full scan now. It will take 4 hours.

Please let me know if I am doing anything wrong. I am no techie.
Thank you for all the help.


Re: Removed Antivirus Action, now No Internet

Post by Kenny94 on Mon 18 Oct 2010, 1:12 am

Malware will change your proxy as well. I'd like to see an X-ray of this PC, with a DDS report... But if you feel your PC is doing well we can mark this solved.

To download DDS:

Please perform the following scan:

  • Download DDS by sUBs from one of the following links. Save it to your desktop.

    • DDS.scr
    • DDS.pif

  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool.
  • When done, DDS will open two (2) logs
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop.
  • The instructions here ask you to attach the Attach.txt.


  • Instead of attaching, please copy/paste both logs into your thread.

  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run.
After downloading the tool, disconnect from the internet and disable all antivirus protection.
Run the scan, enable your A/V and reconnect to the internet.
Information on A/V control HERE
Then post your DDS logs (DDS.txt and Attach.txt).




Re: Removed Antivirus Action, now No Internet

Post by patdg on Mon 18 Oct 2010, 8:37 am

I disabled Kaspersky and saved the dds on my desktop. When I tried running it, a dialog box popped up after a while with this message:
"The dependency service or group failed to start"
Any other way to run that report?

I ran full virus scan earlier, but computer is running really really slow.


Re: Removed Antivirus Action, now No Internet

Post by Kenny94 on Mon 18 Oct 2010, 8:47 am

Right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)






Re: Removed Antivirus Action, now No Internet

Post by patdg on Mon 18 Oct 2010, 8:54 am

I did a right click on the saved file, but it doesn't have the option to run as an administrator.

Also, how do I turn Kaspersky back on when the icon on the taskbar is gone? I tried to show the icon, but it says the program is not active.


Re: Removed Antivirus Action, now No Internet

Post by Kenny94 on Mon 18 Oct 2010, 10:27 am

Sounds like you still have malware on this PC.


  1. Download ComboFix from below:

    Combofix download


    * IMPORTANT !!! Place combofix.exe on your Desktop

  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.


    You can get help on disabling your protection programs here

  3. Double click on combofix.exe & follow the prompts.

  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.





    The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.

    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.

    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:

    The Recovery Console was successfully installed.



    Click on Yes, to continue scanning for malware.

  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

  6. When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------

  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------








Re: Removed Antivirus Action, now No Internet

Post by patdg on Mon 18 Oct 2010, 12:58 pm

A quick check before I run the ComboFix you stated above. After a reboot of the computer, the Kaspersky icon came back on the task bar, so I enabled it again, thus the green light is showing the computer is protected. Do I still do the ComboFix mentioned?


Re: Removed Antivirus Action, now No Internet

Post by Kenny94 on Mon 18 Oct 2010, 1:05 pm

Let's try another diagnostic tool before we run ComboFix.


Click here to download HJTInstall.exe
  • Save HJTInstall.exe to your desktop.
  • Doubleclick on the HJTInstall.exe icon on your desktop.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch HijackThis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.




Also, I would like you to generate an "Add/Remove Software list" log using the HijackThis application. Here is how you can do this:

To get an Uninstall List from HijackThis:

  • Open HijackThis, click Config, click Misc Tools
  • Click "Open Uninstall Manager"
  • Click "Save List" (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.



In your next reply, please include these log(s):

* HijackThis Uninstall List
* HijackThis log (new)





Re: Removed Antivirus Action, now No Internet

Post by patdg on Mon 18 Oct 2010, 2:29 pm

My Kaspersky is still active and on, but the internet/computer is super slow; it took me so long to do this. Here are the files. Thanks for helping.
-----------------------------------
HijackThis Uninstall List
Adobe Flash Player 10 ActiveX
Adobe Reader 9.3.3
Coupon Printer for Windows
Google Earth Plug-in
Google Update Helper
hi5 Toolbar
Java(TM) 6 Update 17
Kaspersky Internet Security 2010
Kaspersky Internet Security 2010
king.com (remove only)
Malwarebytes' Anti-Malware
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Client Profile
Microsoft Forefront Client Security Antimalware Service
Microsoft Silverlight
Nancy Drew: The Phantom of Venice
OpenOffice.org 3.1
Zynga Toolbar
-----------------------------------------------------------------------------------------
HijackThis log (new)
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:04:14 PM, on 10/17/2010
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16671)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtblfs.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10c.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\user1\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:29775
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Zynga Toolbar - {7b13ec3e-999a-4b70-b9cb-2617b8323822} - C:\Program Files\Zynga\tbZyng.dll
R3 - URLSearchHook: hi5 Toolbar - {d3ecaceb-7079-4530-b82c-b20ece0422c5} - C:\Program Files\hi5\tbhi5.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ievkbd.dll
O2 - BHO: Zynga Toolbar - {7b13ec3e-999a-4b70-b9cb-2617b8323822} - C:\Program Files\Zynga\tbZyng.dll
O2 - BHO: hi5 Toolbar - {d3ecaceb-7079-4530-b82c-b20ece0422c5} - C:\Program Files\hi5\tbhi5.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O3 - Toolbar: Zynga Toolbar - {7b13ec3e-999a-4b70-b9cb-2617b8323822} - C:\Program Files\Zynga\tbZyng.dll
O3 - Toolbar: hi5 Toolbar - {d3ecaceb-7079-4530-b82c-b20ece0422c5} - C:\Program Files\hi5\tbhi5.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Microsoft Forefront Client Security Antimalware Service] "c:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [cdloader] "C:\Users\user1\AppData\Roaming\mjusbsp\cdloader2.exe" MAGICJACK
O4 - Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
O9 - Extra button: &Virtual keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - [You must be registered and logged in to see this link.]
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

--
End of file - 5111 bytes


Re: Removed Antivirus Action, now No Internet

Post by Kenny94 on Mon 18 Oct 2010, 10:53 pm

I see your proxy server settings were altered by malware here as well, which may explain why your Internet Explorer probably did not open pages in your first post.

So, start HijackThis, click scan and select the following entry in it if present:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:29775

Then click the Fix checked button below.

Then run ComboFix as in my other post (Post 10) please and post the log.




Re: Removed Antivirus Action, now No Internet

Post by patdg on Tue 19 Oct 2010, 8:50 am

I got this message before and also now when running HijackThis; not sure if it means anything.
"For some reason your system denied write access to the hosts file. If any hijacked domains are in this file, HijackThis may not be able to fix this.
If that happens, you need to edit the file yourself. To do this, click Start, Run and type:
notepad C:\Windows\System32\drivers\etc\hosts
and press Enter. Find the line(s) HijackThis reports and delete them. Save the file as 'hosts'. (with quotes), and reboot."


Re: Removed Antivirus Action, now No Internet

Post by patdg on Tue 19 Oct 2010, 9:15 am

I ran the HijackThis app again, found that R1-HKCU.... and went to fix it. Noticed a backup folder was created on my desktop after this process.

Then I paused my Kaspersky and went to run ComboFix, and got this message:
"C:\Users\User1\Desktop\Combofix.exe
The dependency service or group failed to start."


Re: Removed Antivirus Action, now No Internet

Post by Kenny94 on Tue 19 Oct 2010, 10:35 pm

It appears you have some system files corrupted, caused by the following factors:

1. Abnormal shutdown.

2. PC virus/malware

3. A program which is not certified for Windows 7


Let's run Scannow SFC on your PC.

Click Start > Run and type sfc /scannow and then click OK.
Note the space between the c and the /. You may need your Windows 7 CD so have it ready.

Allow the scan to run and when completed, reboot the system. Then try to run Combofix.




Re: Removed Antivirus Action, now No Internet

Post by patdg on Wed 20 Oct 2010, 6:51 am

Attached is combofix log. Thank you.

ComboFix 10-10-17.04 - user1 10/19/2010 12:15:56.1.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.1023.452 [GMT -7:00]
Running from: c:\users\user1\Desktop\ComboFix.exe
* Created a new restore point
.
PEV Error: CookiesFile

((((((((((((((((((((((((( Files Created from 2010-09-19 to 2010-10-19 )))))))))))))))))))))))))))))))
.

2010-10-19 19:03 . 2010-10-19 19:06 -------- d-----w- C:\32788R22FWJFW
2010-10-15 21:06 . 2010-10-15 21:06 -------- d-----w- c:\users\user1\AppData\Roaming\Malwarebytes
2010-10-15 21:06 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-15 21:06 . 2010-10-15 21:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-15 21:06 . 2010-10-15 21:06 -------- d-----w- c:\programdata\Malwarebytes
2010-10-15 21:06 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-15 20:31 . 2010-10-15 20:31 -------- d-----w- c:\users\user1\AppData\Local\ElevatedDiagnostics
2010-10-15 19:37 . 2010-10-17 03:25 113933 ----a-w- c:\windows\system32\drivers\klin.dat
2010-10-15 19:37 . 2010-10-17 03:25 97549 ----a-w- c:\windows\system32\drivers\klick.dat
2010-10-15 19:35 . 2010-10-19 18:22 -------- d-----w- c:\programdata\Kaspersky Lab
2010-10-15 19:35 . 2010-10-15 19:35 -------- d-----w- c:\program files\Kaspersky Lab
2010-10-15 17:44 . 2010-09-09 22:52 6084944 ----a-w- c:\programdata\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\{07D34FB6-D100-45D9-83E6-BB82EC3899D6}\mpengine.dll
2010-10-15 02:19 . 2010-08-26 04:39 109056 ----a-w- c:\windows\system32\t2embed.dll
2010-10-03 04:34 . 2010-10-03 04:34 -------- d-----w- c:\program files\hi5
2010-09-28 23:48 . 2010-03-04 03:57 190976 ----a-w- c:\windows\system32\drivers\ks.sys
2010-09-28 19:02 . 2010-06-19 06:15 2048 ----a-w- c:\windows\system32\tzres.dll
2010-09-28 19:01 . 2010-08-27 05:30 13312 ----a-w- c:\program files\Internet Explorer\iecompat.dll
2010-09-22 16:50 . 2010-09-22 16:50 -------- d-----w- c:\programdata\Kaspersky Lab Setup Files

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{7b13ec3e-999a-4b70-b9cb-2617b8323822}"= "c:\program files\Zynga\tbZyng.dll" [2010-02-22 2353176]
"{d3ecaceb-7079-4530-b82c-b20ece0422c5}"= "c:\program files\hi5\tbhi5.dll" [2010-03-25 2349152]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_CLASSES_ROOT\clsid\{d3ecaceb-7079-4530-b82c-b20ece0422c5}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]
2010-02-22 19:05 2353176 ----a-w- c:\program files\Zynga\tbZyng.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d3ecaceb-7079-4530-b82c-b20ece0422c5}]
2010-03-25 20:26 2349152 ----a-w- c:\program files\hi5\tbhi5.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7b13ec3e-999a-4b70-b9cb-2617b8323822}"= "c:\program files\Zynga\tbZyng.dll" [2010-02-22 2353176]
"{d3ecaceb-7079-4530-b82c-b20ece0422c5}"= "c:\program files\hi5\tbhi5.dll" [2010-03-25 2349152]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_CLASSES_ROOT\clsid\{d3ecaceb-7079-4530-b82c-b20ece0422c5}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{7B13EC3E-999A-4B70-B9CB-2617B8323822}"= "c:\program files\Zynga\tbZyng.dll" [2010-02-22 2353176]
"{D3ECACEB-7079-4530-B82C-B20ECE0422C5}"= "c:\program files\hi5\tbhi5.dll" [2010-03-25 2349152]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_CLASSES_ROOT\clsid\{d3ecaceb-7079-4530-b82c-b20ece0422c5}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="c:\users\user1\AppData\Roaming\mjusbsp\cdloader2.exe" [2010-09-09 50592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"Microsoft Forefront Client Security Antimalware Service"="c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe" [2010-07-20 1033600]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe" [2010-10-17 340520]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]

c:\users\user1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-4-16 384000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\KASPER~1\KASPER~1\mzvkbd3.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FCSAM]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-05-14 136176]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-13 1343400]
S0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-15 36880]
S1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\DRIVERS\klim6.sys [2009-09-14 21520]
S2 FCSAM;Microsoft Forefront Client Security Antimalware Service;c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe [2010-07-20 16896]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\DRIVERS\klmouflt.sys [2009-10-03 19472]

.
Contents of the 'Scheduled Tasks' folder

2010-10-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-14 22:14]

2010-10-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-14 22:14]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride =
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2010-10-19 12:35:53
ComboFix-quarantined-files.txt 2010-10-19 19:35

Pre-Run: 130,708,066,304 bytes free
Post-Run: 130,838,532,096 bytes free

- - End Of File - - D717F2A82F41559CBD8D874E2C07269B


Re: Removed Antivirus Action, now No Internet

Post by patdg on Wed 20 Oct 2010, 1:54 pm

Hi,
Some additional updates. After running HijackThis and fixing that line, the Internet got faster. When I ran the sfc scanner command a small black box appeared and closed immediately. Now after running ComboFix the Internet has gotten slower again. It takes a while to open a page. Once on the page, performance is OK. It has been freezing also. And there are problems closing the internet page. At times I did it by Task Manager.


Re: Removed Antivirus Action, now No Internet

Post by Kenny94 on Wed 20 Oct 2010, 10:35 pm

You may have corrupted files on your disk. Please try running the following.
First close ALL Applications as this routine will automatically restart your computer.
Click on START - RUN and copy / paste the following entry into the box and click OK
Code:
CMD /C ECHO Y|CHKDSK C: /F | SHUTDOWN /R /T 30



Please download ATF Cleaner by Atribune.


  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.


Click Exit on the Main menu to close the program.


Next

Update Run Malwarebytes



  • Launch Malwarebytes' Anti-Malware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.




Re: Removed Antivirus Action, now No Internet

Post by patdg on Thu 21 Oct 2010, 7:39 am

Did everything you mentioned in the last post. Please see the log details below. 3 log files were generated:


1)
Malwarebytes' Anti-Malware 1.46
[You must be registered and logged in to see this link.]

Database version: 4841

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

10/20/2010 1:28:14 PM
mbam-log-2010-10-20 (13-28-14).txt

Scan type: Quick scan
Objects scanned: 131547
Time elapsed: 10 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
------------------------------------------------------------------------------------------

2)
Malwarebytes' Anti-Malware 1.46
[You must be registered and logged in to see this link.]

Database version: 4841

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

10/15/2010 2:31:58 PM
mbam-log-2010-10-15 (14-31-58).txt

Scan type: Quick scan
Objects scanned: 131992
Time elapsed: 11 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
------------------------------------------------------------------------------------------

3)
Malwarebytes' Anti-Malware 1.46

Database version: 4841

Windows 6.1.7600 (Safe Mode)
Internet Explorer 8.0.7600.16385

10/15/2010 2:15:38 PM
mbam-log-2010-10-15 (14-15-38).txt

Scan type: Quick scan
Objects scanned: 130933
Time elapsed: 6 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mprumdcj (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\user1\AppData\Local\Temp\ueapwlugh\feryfrgyhsn.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\user1\AppData\Local\Temp\045426ac.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
----------------------------------------------------------------------------------------

Thank you!

patdg


Re: Removed Antivirus Action, now No Internet

Post by Kenny94 on Thu 21 Oct 2010, 10:43 pm

How is your PC doing patdg?



Kenny94


Re: Removed Antivirus Action, now No Internet

Post by patdg on Fri 22 Oct 2010, 6:18 am

I just ran a full Malwarebytes scan and 22 infected files were found. All of them said websearch. I removed them all.
I think Internet is working fine now. But maybe too soon to be sure since I just did the updates. Maybe use a couple days and see the performance.

Since after the virus I installed Kaspersky on it, every time the program does updates, Internet slows down a bit. I guess I have to get used to it. But for whatever reason I don't have this issue on my laptop during the Kaspersky updates. And it has Vista on it.
Is it normal for a PC to slow down in performance during updates?
How did all the log reports look?

I can't tell you enough how much I appreciate your help. Thank you again.

patdg


Re: Removed Antivirus Action, now No Internet

Post by Kenny94 on Fri 22 Oct 2010, 6:33 am

"I just ran a full Malwarebytes scan and 22 infected files were found. All of them said websearch"
Be careful what you download, as WebSearch was not in your previous log/logs.

"Is it normal for a PC to slow down in performance during updates?"
Yes, it does. Also, if your Internet speed is fast one day and slow on another day, talk to your ISP Server if this happens a lot. To test Internet speed, go to [You must be registered and logged in to see this link.]

Your Computer is Clean



Some final items:


Follow these steps to uninstall Combofix and tools used in the removal of malware


  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the Run box and click OK. (Notice the space between the x and /)
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.


Here are some additional links for you to check out to help you with your computer security.

Browsers

Just because your computer came loaded with Internet Explorer doesn't mean that you have to use it. There are other free alternatives, Firefox and Opera; both are free to use and are more secure than IE.

If you are using Firefox you can stay more secure by adding NoScript and WOT (Web Of Trust).

NoScript stops JavaScript from starting on a web page unless you give permission for it, and WOT (Web Of Trust) has a comprehensive list of ratings for different websites allowing you to easily see if a website that you are about to go to has a bad reputation; in fact it will warn you to check if you are sure that you want to continue to a bad website.

Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.


Additional Security Measures


Visit Microsoft's Windows Update Site Frequently - It is important that you visit [You must be registered and logged in to see this link.] regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

Cookienator - Scans your PC for tracking cookies in multiple browsers as well as in Adobe Flash.

Secunia software inspector & update checker

Visit My Blog for Malware and Spyware Tips









Kenny94
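The Internet Explorer steps in the post above can be checked after the fact. The following is an added example, not part of the original post: it compares the current user's Internet-zone values with the six settings listed. The registry key, the URL action ids and the 0/1/3 value encoding are standard Windows values that the post does not name; the sample dictionary is constructed.

```python
import sys

# Per-user Internet zone (zone 3) settings; standard Windows location, not named in the post.
ZONE_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
ENABLE, PROMPT, DISABLE = 0, 1, 3  # stored DWORD values
NAMES = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

# URL action id -> (label in the Custom Level dialog, setting asked for in the post)
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}

def audit(values):
    """Return (id, label, current, wanted) for each setting looser than the post asks.

    A stricter value (Disable where Prompt is listed) passes; that tolerance
    is this example's choice, not something the post states.
    """
    findings = []
    for action, (label, want) in RECOMMENDED.items():
        have = values.get(action)
        if have is None:
            findings.append((action, label, "not set for this user", NAMES[want]))
        elif have < want:
            findings.append((action, label, NAMES.get(have, str(have)), NAMES[want]))
    return findings

def read_zone():
    """Read the current user's Internet-zone values (Windows only)."""
    import winreg
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONE_KEY) as key:
        for action in RECOMMENDED:
            try:
                values[action] = winreg.QueryValueEx(key, action)[0]
            except FileNotFoundError:
                pass  # nothing stored per-user for this action
    return values

# Constructed sample: three of the six actions left looser than listed.
SAMPLE = {"1001": 0, "1004": 1, "1201": 3, "1800": 1, "1804": 0, "1607": 3}

if __name__ == "__main__":
    current = read_zone() if sys.platform == "win32" else SAMPLE
    for action, label, have, want in audit(current):
        print(f"{action}  {label}: {have} -> should be {want}")
```

The script reads only the per-user key, so settings enforced through Group Policy are not reflected in its output.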


Re: Removed Antivirus Action, now No Internet

Post by patdg on Fri 22 Oct 2010, 6:43 am

I will do the Combofix uninstall as you mentioned.

Here is the log that I got from full scan Malwarebytes:
Malwarebytes' Anti-Malware 1.46

Database version: 4841

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

10/21/2010 11:49:43 AM
mbam-log-2010-10-21 (11-49-43).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 263057
Time elapsed: 1 hour(s), 49 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 22

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{AFEA99AF-490C-456F-AADA-B5BA8FF5A67F}\RP51\A0047353.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{AFEA99AF-490C-456F-AADA-B5BA8FF5A67F}\RP53\A0048424.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Windows.old\Program Files\Mozilla Firefox\plugins\NPMyWebS.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Windows.old\Program Files\MSN Messenger\riched20.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Windows.old\Program Files\MyWebSearch\bar\1.bin\F3CJPEG.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Windows.old\Program Files\MyWebSearch\bar\1.bin\F3IMSTUB.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Windows.old\Program Files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Windows.old\Program Files\MyWebSearch\bar\1.bin\F3RESTUB.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Windows.old\Program Files\MyWebSearch\bar\1.bin\M3HIGHIN.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Windows.old\Program Files\MyWebSearch\bar\1.bin\M3HTML.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Windows.old\Program Files\MyWebSearch\bar\1.bin\M3IDLE.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Windows.old\Program Files\MyWebSearch\bar\1.bin\M3IMPIPE.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Windows.old\Program Files\MyWebSearch\bar\1.bin\M3MEDINT.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Windows.old\Program Files\MyWebSearch\bar\1.bin\M3MSG.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Windows.old\Program Files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Windows.old\Program Files\MyWebSearch\bar\1.bin\M3SKIN.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Windows.old\Program Files\MyWebSearch\bar\1.bin\M3SKPLAY.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Windows.old\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Windows.old\Program Files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Windows.old\Program Files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Windows.old\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Windows.old\Windows\system32\f3PSSavr.scr (Adware.MyWebSearch) -> Quarantined and deleted successfully.


Anything to worry about?

patdg
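One way to triage logs like the ones posted in this thread, as an added example that is not part of the original posts: it parses the detection lines of the Malwarebytes' Anti-Malware 1.46 layout and groups them by where the item sits on disk or in the registry. The bucket names and the function names are this example's own, and the sample text is constructed from lines that appear in the logs above.

```python
import re
from collections import Counter

# Constructed sample: detection lines copied from this thread's logs into one text.
SAMPLE_LOG = r"""Scan type: Full scan (C:\|D:\|)
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mprumdcj (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Files Infected:
C:\Users\user1\AppData\Local\Temp\045426ac.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{AFEA99AF-490C-456F-AADA-B5BA8FF5A67F}\RP51\A0047353.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Windows.old\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
"""

# "<item> (<family>) -> <action>"; counters and "(No malicious items detected)" do not match.
DETECTION = re.compile(r"^(?P<item>.+) \((?P<family>[^()]+)\) -> (?P<action>.+)$")

# Location buckets are this example's own labels, checked in order.
LOCATIONS = [
    ("autostart", re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)),
    ("temp", re.compile(r"\\AppData\\Local\\Temp\\", re.I)),
    ("restore-point", re.compile(r"^[A-Z]:\\System Volume Information\\", re.I)),
    ("old-install", re.compile(r"^[A-Z]:\\Windows\.old\\", re.I)),
]
# Files under Windows.old or in a restore point are stored copies,
# not part of the running installation.
LIVE = {"autostart", "temp", "other"}

def classify(item):
    """Return the first matching location bucket, or 'other'."""
    return next((name for name, pat in LOCATIONS if pat.search(item)), "other")

def parse_detections(log_text):
    """Return one dict per detection line: item, family, action, location."""
    found = []
    for line in log_text.splitlines():
        m = DETECTION.match(line.strip())
        if m:
            found.append({**m.groupdict(), "location": classify(m["item"])})
    return found

def summarize(log_text):
    """Count detections per (location, family)."""
    return Counter((d["location"], d["family"]) for d in parse_detections(log_text))

def needs_followup(log_text):
    """Detections in a live location, or whose removal did not report success."""
    return [d for d in parse_detections(log_text)
            if d["location"] in LIVE or "successfully" not in d["action"]]
```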
