WiredWX Christian Hobby Weather Tools

Removed Antivirus Action, now No Internet

Hi,
I removed antivirus action from my PC using this link:
http://www.bleepingcomputer.com/virus-removal/remove-antivirus-action
Now the computer doesn't connect to Internet. It just gives me a white screen.

The Internet connection is OK because laptops connected via the router are able to connect to the Internet. Please help me get the Internet back on the PC.

Re: Removed Antivirus Action, now No Internet

Hi patdg and Welcome to GeekPolice!

Please read carefully and let me know if you have any questions.

Create a batch file:

Note: You will need to save any work before double-clicking the fix.bat file, because it will automatically restart your computer.

  • Please copy and paste the following text in the Code box exactly as written into notepad (not wordpad or any other text editor):

    Code:

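    @echo off
    rem Drop and re-request the DHCP lease, then clear the DNS resolver cache
    ipconfig /release
    ipconfig /renew
    ipconfig /flushdns
    rem Reset the Winsock catalog and the TCP/IP stack settings
    netsh winsock reset all
    netsh int ip reset all
    rem Restart in 10 seconds, then delete this batch file
    shutdown -r -t 10
    del /f /q "%~f0"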

  • Once you've done that click on File and select Save As...
  • In the Save dialogue box click on the drop down menu next to Save as type and select All Files
  • Name the file fix.bat (the .bat extension is very important)
  • Save the file to your desktop and double click it to run it.
  • Once it runs it will automatically restart your computer
  • Once your computer boots again, check to see if you have access to the internet.



Re: Removed Antivirus Action, now No Internet

Before I try this, can you help me understand what this will do to my computer? I am not in IT, and have no idea what this means.
Also what could have happened to internet after I removed the virus that it stopped working?


On some site someone suggested to do this to fix a similar problem. Do you know what this fix is for?
Start | Run | Type: services.msc | Click OK |
> Scroll down to and double click DNS Client | Set to Automatic under Startup type |
> Click the Apply button | Click the Start button | When it starts click OK
>
> Do the same for DHCP Client.
> Do the same for Remote Procedure Call (RPC).

Re: Removed Antivirus Action, now No Internet

Also what could have happened to internet after I removed the virus that it stopped working?

I need to look at a report. So let's get you on the internet to run one to see. Please run the batch file that will flush and reset the contents of the DNS client resolver cache.

Re: Removed Antivirus Action, now No Internet

I am so silly. I checked the internet setting on the desktop computer vs my laptop and noticed under Tools/Internet Options/Connections/Lan Setting, Automatically Detect Setting was unchecked while Proxy Server was checked on the PC.

So I put the checkmark back on Automatically Detect Setting, and unchecked Proxy Server..and Internet is back running now.

Now I am running Kaspersky antivirus and doing a full scan on the computer. The PC had the basic Windows Forefront antivirus. I installed Kaspersky after the virus attack hoping to clean it, but it couldn't run its update b/c it couldn't connect to the internet. So I ran the latest update and am doing a full scan now. It will take 4 hours.

Please let me know if I am doing anything wrong. I am no techie :)
Thank you for all the help.

Re: Removed Antivirus Action, now No Internet

Malware will change your proxy as well. I'd like to see an X-ray of this PC, with a DDS report... But if you feel your PC is doing well, we can mark this solved.

To download DDS:

Please perform the following scan:

  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool.
  • When done, DDS will open two (2) logs
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop.
  • The instructions here ask you to attach the Attach.txt.

  • Instead of attaching, please copy/paste both logs into your thread.

  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run.
After downloading the tool, disconnect from the internet and disable all antivirus protection.
Run the scan, enable your A/V and reconnect to the internet.
Information on A/V control HERE
Then post your DDS logs (DDS.txt and Attach.txt).

Re: Removed Antivirus Action, now No Internet

I disabled Kaspersky and saved DDS on my desktop. When I tried running it, a dialog box popped up after a while with this message:
"The dependency service or group failed to start"
Any other way to run that report?

I ran full virus scan earlier, but computer is running really really slow.

Re: Removed Antivirus Action, now No Internet

Right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)


Re: Removed Antivirus Action, now No Internet

I did a right click on the saved file, but it doesn't have the option to run as an administrator.

Also, how do I turn Kaspersky back on when the icon on the taskbar is gone? I tried to show the icon, but it says the program is not active.

Re: Removed Antivirus Action, now No Internet

Sounds like you still have malware on this PC.


  1. Download ComboFix from below:

    Combofix download


    * IMPORTANT !!! Place combofix.exe on your Desktop

  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.


    You can get help on disabling your protection programs here

  3. Double click on combofix.exe & follow the prompts.

  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




    The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.

    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.

    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:

    The Recovery Console was successfully installed.


    Click on Yes, to continue scanning for malware.

  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

  6. When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------

  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------




Re: Removed Antivirus Action, now No Internet

A quick check before I run the ComboFix you stated above. After a reboot of the computer, the Kaspersky icon came back on the taskbar, so I enabled it again, and the green light shows the computer is protected. Do I still do the ComboFix mentioned?

Re: Removed Antivirus Action, now No Internet

Let's try another diagnostic tool before we run ComboFix.


Click here to download HJTInstall.exe
  • Save HJTInstall.exe to your desktop.
  • Doubleclick on the HJTInstall.exe icon on your desktop.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.




Also, I would like you to generate an "Add/Remove Software list" log using the HijackThis application. Here is how you can do this:

To get an Uninstall List from HijackThis:

  • Open HijackThis, click Config, click Misc Tools
  • Click "Open Uninstall Manager"
  • Click "Save List" (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.



In your next reply, please include these log(s):

* HijackThis Uninstall List
* HijackThis log (new)

Re: Removed Antivirus Action, now No Internet

My Kaspersky is still active and on, but the internet/computer is super slow; it took me so long to do this. Here are the files. Thanks for helping.
-----------------------------------
HijackThis Uninstall List
Adobe Flash Player 10 ActiveX
Adobe Reader 9.3.3
Coupon Printer for Windows
Google Earth Plug-in
Google Update Helper
hi5 Toolbar
Java(TM) 6 Update 17
Kaspersky Internet Security 2010
Kaspersky Internet Security 2010
king.com (remove only)
Malwarebytes' Anti-Malware
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Client Profile
Microsoft Forefront Client Security Antimalware Service
Microsoft Silverlight
Nancy Drew: The Phantom of Venice
OpenOffice.org 3.1
Zynga Toolbar
-----------------------------------------------------------------------------------------
HijackThis log (new)
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:04:14 PM, on 10/17/2010
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16671)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtblfs.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10c.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\user1\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:29775
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Zynga Toolbar - {7b13ec3e-999a-4b70-b9cb-2617b8323822} - C:\Program Files\Zynga\tbZyng.dll
R3 - URLSearchHook: hi5 Toolbar - {d3ecaceb-7079-4530-b82c-b20ece0422c5} - C:\Program Files\hi5\tbhi5.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ievkbd.dll
O2 - BHO: Zynga Toolbar - {7b13ec3e-999a-4b70-b9cb-2617b8323822} - C:\Program Files\Zynga\tbZyng.dll
O2 - BHO: hi5 Toolbar - {d3ecaceb-7079-4530-b82c-b20ece0422c5} - C:\Program Files\hi5\tbhi5.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O3 - Toolbar: Zynga Toolbar - {7b13ec3e-999a-4b70-b9cb-2617b8323822} - C:\Program Files\Zynga\tbZyng.dll
O3 - Toolbar: hi5 Toolbar - {d3ecaceb-7079-4530-b82c-b20ece0422c5} - C:\Program Files\hi5\tbhi5.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Microsoft Forefront Client Security Antimalware Service] "c:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [cdloader] "C:\Users\user1\AppData\Roaming\mjusbsp\cdloader2.exe" MAGICJACK
O4 - Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
O9 - Extra button: &Virtual keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - https://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

--
End of file - 5111 bytes

Re: Removed Antivirus Action, now No Internet

I see your ProxyServer settings were altered by malware here as well, which may explain why your Internet Explorer probably did not open pages in your first post.

So, start HijackThis, click scan and select the following entry in it if present:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:29775

Then click the fix checked button below.

Then run ComboFix as in my other post (Post 10) please and post the log.
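
The check made by eye on the HijackThis log above, as an added example (not part of the original thread and not HijackThis's own code): parse `ProxyServer` lines and flag any that point at a loopback address. The function names and the `proxy.example.internal` line are constructed for illustration; a loopback proxy can also belong to legitimate local filtering software, so a hit is a prompt to review the entry.

```python
import ipaddress
import re

# Sample input. The first three lines appear in the HijackThis log posted in
# this thread; the HKLM line is constructed (hypothetical proxy) for contrast.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:29775
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.example.internal:8080
"""

# HijackThis R0/R1 lines have the form "<type> - <key>,<value name> = <data>".
PROXY_LINE = re.compile(
    r"^R[01] - (?P<hive>HK[A-Z]+)\\.+\\Internet Settings,ProxyServer = (?P<data>.*)$",
    re.IGNORECASE,
)


def parse_proxy_value(data):
    """Split a ProxyServer string into {scheme: (host, port)}.

    Two layouts are handled: "host:port" (one proxy for every protocol,
    stored under the key "all") and "http=host:port;https=host:port".
    """
    proxies = {}
    for part in data.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:
            scheme, _, endpoint = part.partition("=")
        else:
            scheme, endpoint = "all", part
        # Drop an optional "scheme://" prefix in front of the endpoint.
        endpoint = re.sub(r"^[a-z][a-z0-9+.-]*://", "", endpoint.strip(), flags=re.I)
        host, sep, port = endpoint.rpartition(":")
        if not sep:  # no port given
            host, port = endpoint, ""
        proxies[scheme.strip().lower()] = (host, int(port) if port.isdigit() else None)
    return proxies


def is_loopback(host):
    """True for localhost, 127.0.0.0/8 and ::1 (square brackets allowed)."""
    host = host.strip().strip("[]").lower()
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # a DNS name; it is not resolved here


def find_loopback_proxies(log_text):
    """Return one finding per proxy endpoint that points back at this machine."""
    findings = []
    for line in log_text.splitlines():
        match = PROXY_LINE.match(line.strip())
        if not match:
            continue
        for scheme, (host, port) in parse_proxy_value(match["data"]).items():
            if is_loopback(host):
                findings.append(
                    {"hive": match["hive"].upper(), "scheme": scheme,
                     "host": host, "port": port}
                )
    return findings


if __name__ == "__main__":
    for f in find_loopback_proxies(SAMPLE_LOG):
        print(f"{f['hive']}: {f['scheme']} traffic is sent to {f['host']}:{f['port']}; "
              "confirm a known program is listening there")
```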

Re: Removed Antivirus Action, now No Internet

I got this message before and also now when running HijackThis; not sure if it means anything.
"For some reason your system denied write access to the hosts file. If any hijacked domains are in this file, HijackThis may not be able to fix this.
If that happens, you need to edit the file yourself. To do this, click Start, Run and type:
notepad C:\Windows\System32\drivers\etc\hosts
and press Enter. Find the line(s) HijackThis reports and delete them. Save the file as 'hosts'. (with quotes), and reboot."

Re: Removed Antivirus Action, now No Internet

I ran the HijackThis app again, and found that R1-HKCU.... and went to fix it. I noticed a backup folder was created on my desktop after this process.

Then I paused my Kaspersky and went to run ComboFix, and got this message:
"C:\Users\User1\Desktop\Combofix.exe
The dependency service or group failed to start."

Re: Removed Antivirus Action, now No Internet

It appears you have some system files corrupted, caused by the following factors:

1. Abnormal shutdown.

2. PC virus/malware

3. Program which is not certified for Windows 7


Let's run Scannow SFC on your PC.

Click Start > Run and type sfc /scannow and then click OK.
Note the space between the c and the /. You may need your Windows 7 CD, so have it ready.

Allow the scan to run and when completed, reboot the system. Then try to run Combofix.

Re: Removed Antivirus Action, now No Internet

Attached is combofix log. Thank you.

ComboFix 10-10-17.04 - user1 10/19/2010 12:15:56.1.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.1023.452 [GMT -7:00]
Running from: c:\users\user1\Desktop\ComboFix.exe
* Created a new restore point
.
PEV Error: CookiesFile

((((((((((((((((((((((((( Files Created from 2010-09-19 to 2010-10-19 )))))))))))))))))))))))))))))))
.

2010-10-19 19:03 . 2010-10-19 19:06 -------- d-----w- C:\32788R22FWJFW
2010-10-15 21:06 . 2010-10-15 21:06 -------- d-----w- c:\users\user1\AppData\Roaming\Malwarebytes
2010-10-15 21:06 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-15 21:06 . 2010-10-15 21:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-15 21:06 . 2010-10-15 21:06 -------- d-----w- c:\programdata\Malwarebytes
2010-10-15 21:06 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-15 20:31 . 2010-10-15 20:31 -------- d-----w- c:\users\user1\AppData\Local\ElevatedDiagnostics
2010-10-15 19:37 . 2010-10-17 03:25 113933 ----a-w- c:\windows\system32\drivers\klin.dat
2010-10-15 19:37 . 2010-10-17 03:25 97549 ----a-w- c:\windows\system32\drivers\klick.dat
2010-10-15 19:35 . 2010-10-19 18:22 -------- d-----w- c:\programdata\Kaspersky Lab
2010-10-15 19:35 . 2010-10-15 19:35 -------- d-----w- c:\program files\Kaspersky Lab
2010-10-15 17:44 . 2010-09-09 22:52 6084944 ----a-w- c:\programdata\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\{07D34FB6-D100-45D9-83E6-BB82EC3899D6}\mpengine.dll
2010-10-15 02:19 . 2010-08-26 04:39 109056 ----a-w- c:\windows\system32\t2embed.dll
2010-10-03 04:34 . 2010-10-03 04:34 -------- d-----w- c:\program files\hi5
2010-09-28 23:48 . 2010-03-04 03:57 190976 ----a-w- c:\windows\system32\drivers\ks.sys
2010-09-28 19:02 . 2010-06-19 06:15 2048 ----a-w- c:\windows\system32\tzres.dll
2010-09-28 19:01 . 2010-08-27 05:30 13312 ----a-w- c:\program files\Internet Explorer\iecompat.dll
2010-09-22 16:50 . 2010-09-22 16:50 -------- d-----w- c:\programdata\Kaspersky Lab Setup Files

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{7b13ec3e-999a-4b70-b9cb-2617b8323822}"= "c:\program files\Zynga\tbZyng.dll" [2010-02-22 2353176]
"{d3ecaceb-7079-4530-b82c-b20ece0422c5}"= "c:\program files\hi5\tbhi5.dll" [2010-03-25 2349152]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_CLASSES_ROOT\clsid\{d3ecaceb-7079-4530-b82c-b20ece0422c5}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]
2010-02-22 19:05 2353176 ----a-w- c:\program files\Zynga\tbZyng.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d3ecaceb-7079-4530-b82c-b20ece0422c5}]
2010-03-25 20:26 2349152 ----a-w- c:\program files\hi5\tbhi5.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7b13ec3e-999a-4b70-b9cb-2617b8323822}"= "c:\program files\Zynga\tbZyng.dll" [2010-02-22 2353176]
"{d3ecaceb-7079-4530-b82c-b20ece0422c5}"= "c:\program files\hi5\tbhi5.dll" [2010-03-25 2349152]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_CLASSES_ROOT\clsid\{d3ecaceb-7079-4530-b82c-b20ece0422c5}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{7B13EC3E-999A-4B70-B9CB-2617B8323822}"= "c:\program files\Zynga\tbZyng.dll" [2010-02-22 2353176]
"{D3ECACEB-7079-4530-B82C-B20ECE0422C5}"= "c:\program files\hi5\tbhi5.dll" [2010-03-25 2349152]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_CLASSES_ROOT\clsid\{d3ecaceb-7079-4530-b82c-b20ece0422c5}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="c:\users\user1\AppData\Roaming\mjusbsp\cdloader2.exe" [2010-09-09 50592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"Microsoft Forefront Client Security Antimalware Service"="c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe" [2010-07-20 1033600]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe" [2010-10-17 340520]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]

c:\users\user1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-4-16 384000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\KASPER~1\KASPER~1\mzvkbd3.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FCSAM]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-05-14 136176]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-13 1343400]
S0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-15 36880]
S1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\DRIVERS\klim6.sys [2009-09-14 21520]
S2 FCSAM;Microsoft Forefront Client Security Antimalware Service;c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe [2010-07-20 16896]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\DRIVERS\klmouflt.sys [2009-10-03 19472]

.
Contents of the 'Scheduled Tasks' folder

2010-10-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-14 22:14]

2010-10-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-14 22:14]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride =
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2010-10-19 12:35:53
ComboFix-quarantined-files.txt 2010-10-19 19:35

Pre-Run: 130,708,066,304 bytes free
Post-Run: 130,838,532,096 bytes free

- - End Of File - - D717F2A82F41559CBD8D874E2C07269B

Re: Removed Antivirus Action, now No Internet

Hi,
Some additional updates. After running HijackThis and fixing that line, the Internet got faster. When I ran the sfc scanner command, a small black box appeared and closed immediately. Now, after running ComboFix, the Internet has gotten slower again. It takes a while to open a page. Once on the page, performance is OK. It has been freezing also. And there are problems closing the internet page. At times I did it with Task Manager.

Re: Removed Antivirus Action, now No Internet

You may have corrupted files on your disk. Please try running the following.
First close ALL Applications as this routine will automatically restart your computer.
Click on START - RUN and copy / paste the following entry into the box and click OK

Code:

CMD /C ECHO Y|CHKDSK C: /F | SHUTDOWN /R /T 30




Please download ATF Cleaner by Atribune.


  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.


Click Exit on the Main menu to close the program.


Next

Update Run Malwarebytes



  • Launch Malwarebytes' Anti-Malware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Re: Removed Antivirus Action, now No Internet

Did everything you mentioned in the last post. Please see the log details below. 3 log files were generated:


1)
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4841

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

10/20/2010 1:28:14 PM
mbam-log-2010-10-20 (13-28-14).txt

Scan type: Quick scan
Objects scanned: 131547
Time elapsed: 10 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
------------------------------------------------------------------------------------------

2)
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4841

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

10/15/2010 2:31:58 PM
mbam-log-2010-10-15 (14-31-58).txt

Scan type: Quick scan
Objects scanned: 131992
Time elapsed: 11 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
------------------------------------------------------------------------------------------

3)
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4841

Windows 6.1.7600 (Safe Mode)
Internet Explorer 8.0.7600.16385

10/15/2010 2:15:38 PM
mbam-log-2010-10-15 (14-15-38).txt

Scan type: Quick scan
Objects scanned: 130933
Time elapsed: 6 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mprumdcj (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\user1\AppData\Local\Temp\ueapwlugh\feryfrgyhsn.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\user1\AppData\Local\Temp\045426ac.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
----------------------------------------------------------------------------------------

Thank you!

Re: Removed Antivirus Action, now No Internet

How is your PC doing patdg?

Re: Removed Antivirus Action, now No Internet

I just ran a full Malwarebytes scan and 22 infected files were found. All of them said websearch. I removed them all.
I think the Internet is working fine now. But maybe it is too soon to be sure since I just did the updates. Maybe use it a couple of days and see the performance.

Since I installed Kaspersky on it after the virus, every time the program does updates, the Internet slows down a bit. I guess I have to get used to it. But for whatever reason I don't have this issue on my laptop during the Kaspersky updates. And it has Vista on it.
Is it normal for a PC to slow down in performance during updates?
How did all the log reports look?

I can't tell you enough how much I appreciate your help. Thank you again.

Re: Removed Antivirus Action, now No Internet
I just ran a full Malwarebytes scan and 22 infected files were found. All of them said websearch

Be careful what you download, as WebSearch was not in your previous log/logs.

Is it normal for a PC to slow down in performance during updates?

Yes, it does. Also, if your Internet speed is fast one day and slow on another day, talk to your ISP if this happens a lot. To test your Internet speed, go to http://www.speedtest.net/

Your Computer is Clean


Some final items:


Follow these steps to uninstall Combofix and tools used in the removal of malware


  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the x and /)
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.


Here are some additional links for you to check out to help you with your computer security.

Browsers

Just because your computer came loaded with Internet Explorer doesn't mean that you have to use it. There are other free alternatives, FIREFOX and OPERA; both are free to use and are more secure than IE.

If you are using Firefox you can stay more secure by adding NoScript and WOT (Web Of Trust).

NoScript stops Java scripts from starting on a web page unless you give permission for them, and WOT (Web Of Trust) has a comprehensive list of ratings for different websites allowing you to easily see if a website that you are about to go to has a bad reputation; in fact it will warn you to check if you are sure that you want to continue to a bad website.

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.


Additional Security Measures


Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

Cookienator - Scans your PC for tracking cookies in multiple browsers as well as in Adobe Flash.

Secunia software inspector & update checker

Visit My Blog for Malware and Spyware Tips





Re: Removed Antivirus Action, now No Internet
I will do combofix uninstall as you mentioned.

Here is the log that I got from full scan Malwarebytes:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4841

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

10/21/2010 11:49:43 AM
mbam-log-2010-10-21 (11-49-43).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 263057
Time elapsed: 1 hour(s), 49 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 22

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{AFEA99AF-490C-456F-AADA-B5BA8FF5A67F}\RP51\A0047353.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{AFEA99AF-490C-456F-AADA-B5BA8FF5A67F}\RP53\A0048424.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Windows.old\Program Files\Mozilla Firefox\plugins\NPMyWebS.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Windows.old\Program Files\MSN Messenger\riched20.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Windows.old\Program Files\MyWebSearch\bar\1.bin\F3CJPEG.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Windows.old\Program Files\MyWebSearch\bar\1.bin\F3IMSTUB.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Windows.old\Program Files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Windows.old\Program Files\MyWebSearch\bar\1.bin\F3RESTUB.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Windows.old\Program Files\MyWebSearch\bar\1.bin\M3HIGHIN.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Windows.old\Program Files\MyWebSearch\bar\1.bin\M3HTML.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Windows.old\Program Files\MyWebSearch\bar\1.bin\M3IDLE.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Windows.old\Program Files\MyWebSearch\bar\1.bin\M3IMPIPE.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Windows.old\Program Files\MyWebSearch\bar\1.bin\M3MEDINT.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Windows.old\Program Files\MyWebSearch\bar\1.bin\M3MSG.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Windows.old\Program Files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Windows.old\Program Files\MyWebSearch\bar\1.bin\M3SKIN.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Windows.old\Program Files\MyWebSearch\bar\1.bin\M3SKPLAY.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Windows.old\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Windows.old\Program Files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Windows.old\Program Files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Windows.old\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Windows.old\Windows\system32\f3PSSavr.scr (Adware.MyWebSearch) -> Quarantined and deleted successfully.


Anything to worry about?
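As an added example (not part of the original posts and not Malwarebytes' own tooling): a short Python parser for the log layout quoted above that groups detections by family and by where they sit, which separates an active autostart entry from copies left in System Restore points or the Windows.old folder. The sample log lines, the location labels and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the Malwarebytes 1.46 log layout quoted in this thread.
SAMPLE_LOG = r"""
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\examplevalue (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Files Infected:
C:\Users\user1\AppData\Local\Temp\example1.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP1\A0000001.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Windows.old\Program Files\MyWebSearch\bar\1.bin\EXAMPLE.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Windows.old\Windows\system32\example.scr (Adware.MyWebSearch) -> No action taken.
"""

# One detection per line: <item> (<family>) -> <action>.
DETECTION = re.compile(r"^(?P<item>.+) \((?P<family>[\w.]+)\) -> (?P<action>.+?)\.?$")

# First match wins. These labels are this example's own, not Malwarebytes' categories.
LOCATIONS = [
    ("autostart", re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)),
    ("restore-point", re.compile(r"\\System Volume Information\\", re.I)),
    ("old-install", re.compile(r"^[A-Z]:\\Windows\.old\\", re.I)),
    ("temp", re.compile(r"\\Temp\\", re.I)),
]

def classify(item):
    for label, pattern in LOCATIONS:
        if pattern.search(item):
            return label
    return "other"

def parse_log(text):
    """Return one dict per detection line; headers and summary counts are skipped."""
    rows = []
    for line in text.splitlines():
        m = DETECTION.match(line.strip())
        if m:
            rows.append({**m.groupdict(), "location": classify(m["item"])})
    return rows

def summarize(rows):
    """Count detections per (family, location) and list items that were not deleted."""
    counts = Counter((r["family"], r["location"]) for r in rows)
    not_removed = [r["item"] for r in rows if "deleted successfully" not in r["action"]]
    return counts, not_removed

if __name__ == "__main__":
    counts, leftover = summarize(parse_log(SAMPLE_LOG))
    print(dict(counts), "needs follow-up:", leftover)
```

Entries labelled autostart or temp point at something that was running or staged in the current profile, while restore-point and old-install entries are copies outside the running installation.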

Re: Removed Antivirus Action, now No Internet
Anything to worry about?

Nope. Smile...

Re: Removed Antivirus Action, now No Internet
I removed Combofix, and was checking Windows Update. My PC was set to check updates automatically. But when I clicked on the little 'flag' icon on bottom right of taskbar, and clicked on Windows Update on the left pane, I saw the last update was done on 15th, that's when I had the virus attack. When I clicked to check for updates, I am not able to do it. I get this message:
An error occurred when checking for new updates.
Code 80072EFE

So I clicked on the www.windowsupdate.com link above and got the white error page:
IE can't display the webpage.

Re: Removed Antivirus Action, now No Internet
Might let Kaspersky know to access Microsoft, or use the troubleshooter:

http://windows.microsoft.com/en-US/windows7/Windows-Update-error-80072ee2

1. Open the Kaspersky application Settings window.
2. Select Firewall under Protection.
3. Click on Settings under Filtration System.
4. In the Settings: Firewall window, select the Rules for Applications tab for MS updates.

Re: Removed Antivirus Action, now No Internet
I think I need more directions here. I have Kaspersky 2010.
I went to Protections\Firewall
On the right side are two options:
Settings - Click Settings button to configure allowing and blocking rules for data transferring according to direction, protocol, port and destination address.
Rules for Application Statuses - Configure Rules.

When I clicked on Setting there are 3 tabs:
Filtering Rules, Networks, Resources

There is no Rules for Application tab for MS updates.

Re: Removed Antivirus Action, now No Internet
Disable Kaspersky Firewall and see if you can update windows. See site below:

http://www.ehow.com/how_6002548_disable-kaspersky-firewall.html

Be sure to set it back when you are done.

Re: Removed Antivirus Action, now No Internet
I disabled Kaspersky firewall and it still didn't work.
Anything else I can do?
Also my PC in general has gotten slower at times. Other times it works fine. But at times it "thinks" too much, even when I am not on the Internet. During those slow times it "blinks" one or two times before returning to normalcy. Could it be due to the installation of different programs trying to clean my PC?
I also have Kaspersky on my laptop and I have no performance issue.

Re: Removed Antivirus Action, now No Internet
A fragmented drive causes a slow system.
Easy steps to defragment your drive:


1. Open My Computer.
2. Right-click on the drive you want to defragment and select "Properties".
3. Click on the Tools tab.
4. Select Defragment Now....

As for Windows updates:

Please visit the links HERE and HERE first to read about this new Microsoft tool!

Then you can download and use: Microsoft Fix it Center Online
Microsoft Fix it Center Client contains troubleshooters that help detect issues on target PCs and solve them on demand or proactively before you even know they exist!
It finds and fixes many common PC and device problems automatically. It also helps prevent new problems by proactively checking for known issues and installing updates. Fix it Center helps to consolidate the many steps of diagnosing and repairing a problem into an automated tool that does the work for you.

Microsoft Fix it Center makes getting support easier than ever, with tools that help solve the issues you have now and prevent new ones.



  • Easy to Install and Run: Easy-to-use wizards will guide you through the set-up process and help you anytime you need support.

  • Automated: With automated troubleshooters, Fix it Center helps solve issues with your PC, even if you're not sure what the exact problem is. Fix it Center scans your device to diagnose and repair problems, then gives you the option to "Find and fix" or to "Find and report."

  • Preventive Care: By helping you find and fix issues before they become real problems, Fix it Center helps keep your PC running smoothly and automatically downloading the latest solutions.


Let me know after you have run all the troubleshooters on your PC if it corrected your problem.


Re: Removed Antivirus Action, now No Internet
Hi,
PC has gotten a bit faster, still testing it out. But Fix It did not work when I tried to run it both from the website and by saving on my desktop.
Error Message:
Fix It Center Setup encountered an error.
An unexpected error has occurred. Please close and try to run setup again later.

I will try at a later time, hoping it would work.
Thanks

Re: Removed Antivirus Action, now No Internet
Sorry to say still slow, at times freezes and I have to do a forced shutdown.
Still can't update Windows or run Fix it.

Re: Removed Antivirus Action, now No Internet
Still the same issue as above, and on top of it I have a search engine redirect error.
I have been using Yahoo. When I search for something, the list of results is displayed. But clicking on any result redirects me to a different website. Very annoying, so I am using Google now, and so far it works.
I will run a full Malwarebytes scan tomorrow, maybe it will pick up the search engine error as it did before.
