
Windows 7 - Can ping IPs, not domain names


4 replies to this topic

#1 Cronyx

Posted 07 September 2012 - 12:52 AM

Fixing this computer for someone else. It was an absolute mess, been working on it for hours. Had a rootkit but that's gone, and some other stuff, also gone. To save time, here's what I've already run through:

Combofix
TDSSkiller
Tweaking.com AIO
Hitman
Emsisoft Emergency Kit
MBAM
MSSE
Super
ESET

Now for manual things I've done, I did the 0xA0 to 0X80 trick in nettcpip.inf to invalidate the driver signing on the IPv4 protocol in the TCP/IP stack and let me uninstall/reinstall it. Deleted the following reg keys before reinstalling:

HKLM/system/CurrentControlSet/services/tcpip
HKLM/system/CurrentControlSet/services/dhcp
HKLM/system/CurrentControlSet/services/dnscache
HKLM/system/CurrentControlSet/services/ipsec
HKLM/system/CurrentControlSet/services/policyagent
HKLM/system/CurrentControlSet/services/atmarpc
HKLM/system/CurrentControlSet/services/nla
HKLM/system/CurrentControlSet/services/winsock
HKLM/system/CurrentControlSet/services/winsock2

That got me a little closer, but was still having problems. Wasn't able to get an IP address with DHCP leasing from the router, had to manually assign one, with gateway, subnet, DNS, etc. But I could browse if I did that. Wasn't fixed *right* though so I kept going.

Did an sfc /verifyonly, took the log file and ran it through a "findstr" looking for the "[SR]" string and dumped that to another file to make it more manageable. Found some files it was hanging on, replaced afd.sys, netbt.sys, and tcpip.sys.

RPC service wasn't available. Turns out DHCP wasn't turning on, threw a file not found error with net start dhcp. Tracked that down, and DNScache, using FSS (Farbar Service Scanner), to missing reg keys. Copied them from a working Win 7 machine and imported them over here with a flash drive.

Ran FSS again, and this time no errors, but the odd thing is, it reports that google and yahoo are both accessible by IP and by name. Well, it got the IP part right.

So where am I right now...

DHCP is working again. I am being issued a leased IP address, gateway and subnet are autodetecting. However even though FSS says google.com and yahoo.com are accessible, they aren't. Can't ping them, nslookup or tracert. Can load pages just fine through any browser if I load the IP address, but clicking on any links (obviously) fails unless those links are IP based.

I wish I had saved any of the logs *during* all this, sorry. All the logs now are clean, including sfc /verifyonly's CBS.log, hijackthis, combofix, and all malware tools I run now also come up clean (though I can't update any of them anymore).

I've tried different NICs, and even easytether to my android. The same symptoms are across all adapters. Even uninstalled and reinstalled IPv4 again. (Oh, I also set the 0x08 back to 0xa8, so the certificate is back)

Also tried the obvious things like ipconfig /release, /flushdns, /registerdns, /renew, etc, and have tried google's 8.8.8.8 and 8.8.4.4. Nothing. I'm convinced it isn't anything viral related anymore; that dragon is dead, it's just a matter of cleaning up its corpse. I think I'm just tired and missing a setting somewhere.

Anyway, here's this.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:06:57 PM, on 9/6/2012
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16448)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\dell\DBRM\Reminder\DbrmTrayicon.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\SAMSUNG\Samsung SCX-4725 Series SmartPanel\SPanel\RCP\Scan2pc.exe
C:\Windows\Samsung\PanelMgr\SSMMgr.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Users\Owner\AppData\Local\DIRECTV Player\PCShowServerPMWrapper.exe
C:\Users\Owner\AppData\Local\DIRECTV Player\NDSPCShowServer.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Messenger Companion Helper - {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files\Windows Live\Companion\companioncore.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [DBRMTray] C:\Dell\DBRM\Reminder\DbrmTrayIcon.exe
O4 - HKLM\..\Run: [Util] C:\Windows\system32\Util.exe
O4 - HKLM\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [Whitney2_S2P] C:\Program Files\SAMSUNG\Samsung SCX-4725 Series SmartPanel\SPanel\RCP\Scan2pc.exe
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\Windows\Samsung\PanelMgr\SSMMgr.exe /autorun
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\RunOnce: [DBRMTray] C:\Dell\DBRM\Reminder\TrayApp.exe
O4 - HKCU\..\Run: [PCShowServer] "C:\Users\Owner\AppData\Local\DIRECTV Player\PCShowServerPMWrapper.exe"
O9 - Extra button: @C:\Program Files\Windows Live\Companion\companionlang.dll,-600 - {0000036B-C524-4050-81A0-243669A86B9F} - C:\Program Files\Windows Live\Companion\companioncore.dll
O9 - Extra button: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {0CD93B23-33FF-4B59-A25D-0DD6812478B1} (Manheim Media Player) - https://simulcast.ma...gin2-win-ie.cab
O16 - DPF: {298BFFEE-662D-11D5-ADAF-00E0810232D7} (lgbplay Class) - https://simulcast.ma...v/LiveSound.dll
O16 - DPF: {2EA5DD45-9254-4B0D-9F48-E92FEC3A9754} (Simulcast Plugin (ActiveX) v1) - https://simulcast.ma...ugin-win-ie.cab
O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - https://www.ove.com/...geUploader5.cab
O16 - DPF: {7206EAAC-5CFA-43A3-9F61-E27E8E51E42F} (laiExcuter Class) - http://adus1.liveblo...ory/laiexec.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.ad...Plus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DA7037A3-5F8E-4486-B561-71302F272547}: NameServer = 8.8.8.8,8.8.4.4
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Andrea RT Filters Service (AERTFilters) - Andrea Electronics Corporation - C:\Program Files\Realtek\Audio\HDA\AERTSrv.exe
O23 - Service: Broadcom Power monitoring service (BPowMon) - Broadcom Corp. - C:\Program Files\Broadcom\BPowMon\BPowMon.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: U2VSvr - Unknown owner - C:\Windows\system32\U2VSvr.exe

--
End of file - 5976 bytes



Farbar Service Scanner Version: 06-08-2012
Ran by Owner (administrator) on 06-09-2012 at 21:09:09
Running from "E:\Triage\Farbar Service Scanner"
Microsoft Windows 7 Professional Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Other Services:
==============


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****

And here's this too.


ComboFix 12-09-06.02 - Owner 09/06/2012 22:09:45.3.2 - x86
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.2047.1394 [GMT -5:00]
Running from: c:\temp\triage\Armoury\ComboFix\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
.
.
((((((((((((((((((((((((( Files Created from 2012-08-07 to 2012-09-07 )))))))))))))))))))))))))))))))
.
.
2012-09-07 03:13 . 2012-09-07 03:13 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-09-07 03:06 . 2012-09-07 03:06 388096 ----a-r- c:\users\Owner\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-09-07 03:06 . 2012-09-07 03:06 -------- d-----w- c:\program files\Trend Micro
2012-09-07 00:03 . 2012-09-07 00:31 181064 ----a-w- c:\windows\PSEXESVC.EXE
2012-09-06 17:38 . 2012-09-06 17:38 302592 ----a-w- C:\0uodmh5o.exe
2012-09-06 16:29 . 2012-08-23 07:15 7022536 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{9EE9AE63-0285-46B2-AB02-BC8B4B329D58}\mpengine.dll
2012-09-06 16:28 . 2012-05-04 09:59 514560 ----a-w- c:\windows\system32\qdvd.dll
2012-09-06 16:13 . 2012-08-23 07:15 7022536 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-09-06 14:22 . 2012-09-06 14:22 -------- d-----w- c:\program files\ESET
2012-09-06 14:18 . 2012-09-06 14:18 -------- d-----w- c:\program files\Combined Community Codec Pack
2012-09-06 14:18 . 2012-09-06 14:18 -------- d-----w- c:\windows\system32\Adobe
2012-09-06 14:18 . 2012-09-06 14:18 -------- d-----w- c:\program files\Common Files\Java
2012-09-06 14:18 . 2012-09-06 14:17 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-09-06 14:17 . 2012-09-06 14:17 -------- d-----w- c:\program files\Common Files\Adobe AIR
2012-09-06 14:14 . 2012-09-06 14:17 821736 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-09-06 14:14 . 2012-09-06 14:17 -------- d-----w- c:\program files\Java
2012-09-06 14:11 . 2012-09-06 14:11 -------- d-----w- c:\programdata\McAfee
2012-09-05 21:59 . 2012-09-05 21:59 -------- d-----w- c:\programdata\Dell
2012-09-05 21:48 . 2012-09-05 21:49 -------- d-----w- c:\programdata\HitmanPro
2012-09-05 21:48 . 2012-09-05 21:48 -------- d-----w- c:\programdata\Hitman Pro
2012-09-05 21:30 . 2011-02-18 04:47 66112 ----a-w- c:\windows\system32\drivers\ssudbus.sys
2012-09-05 21:30 . 2010-12-21 05:55 581192 ----a-w- c:\windows\system32\WinUSBCoInstaller.dll
2012-09-05 21:30 . 2010-12-21 05:55 1112288 ----a-w- c:\windows\system32\WdfCoInstaller01007.dll
2012-09-05 21:26 . 2012-09-05 21:26 -------- d-----w- c:\programdata\Samsung
2012-09-05 21:25 . 2012-09-06 16:12 -------- dc----w- c:\windows\system32\DRVSTORE
2012-09-05 20:39 . 2008-05-08 03:03 303616 ----a-w- C:\SetACL.exe
2012-09-05 20:29 . 2004-06-11 21:33 290304 ----a-w- C:\subinacl.exe
2012-09-05 20:28 . 2012-09-07 00:14 -------- d-----w- C:\Tweaking.com_Windows_Repair_Logs
2012-09-05 20:19 . 2012-09-07 03:15 -------- d-----w- c:\users\Owner\AppData\Local\temp
2012-09-05 15:45 . 2012-09-05 15:45 -------- d-----w- c:\programdata\PC-Doctor for Windows
2012-08-29 16:02 . 2012-08-29 16:02 3993600 ----a-w- c:\program files\GUT8102.tmp
2012-08-29 15:52 . 2012-08-29 15:55 -------- d-----w- c:\users\Owner\AppData\Local\Google
2012-08-29 15:52 . 2012-08-29 15:59 -------- d-----w- c:\program files\Google
2012-08-22 21:01 . 2012-08-22 21:01 63120 ----a-r- c:\users\Owner\AppData\Roaming\Microsoft\Installer\{C199DEA2-657E-46C2-9FDB-7C1C068B6B35}\ARPPRODUCTICON.exe
2012-08-22 21:01 . 2012-09-05 21:44 -------- d-----w- c:\users\Owner\AppData\Local\DIRECTV Player
2012-08-22 20:58 . 2012-09-06 14:17 696520 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-16 03:11 . 2012-05-05 07:46 400896 ----a-w- c:\windows\system32\srcore.dll
2012-08-16 03:11 . 2012-07-18 17:47 2345984 ----a-w- c:\windows\system32\win32k.sys
2012-08-16 03:11 . 2012-02-11 05:43 492032 ----a-w- c:\windows\system32\win32spl.dll
2012-08-16 03:11 . 2012-02-11 05:37 317440 ----a-w- c:\windows\system32\spoolsv.exe
2012-08-16 03:11 . 2012-07-04 21:14 41984 ----a-w- c:\windows\system32\browcli.dll
2012-08-16 03:11 . 2012-07-04 21:14 102912 ----a-w- c:\windows\system32\browser.dll
2012-08-16 03:11 . 2012-05-14 04:33 769024 ----a-w- c:\windows\system32\localspl.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-09-06 14:17 . 2010-12-23 17:40 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-09-06 14:17 . 2011-06-04 18:19 73416 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCShowServer"="c:\users\Owner\AppData\Local\DIRECTV Player\PCShowServerPMWrapper.exe" [2012-08-16 524976]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-09-12 7739936]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-11-23 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-11-23 175128]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-11-23 166424]
"DBRMTray"="c:\dell\DBRM\Reminder\DbrmTrayIcon.exe" [2010-05-20 206336]
"Util"="c:\windows\system32\Util.exe" [2009-08-26 189816]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2010-07-21 1778064]
"Whitney2_S2P"="c:\program files\SAMSUNG\Samsung SCX-4725 Series SmartPanel\SPanel\RCP\Scan2pc.exe" [2006-12-12 274432]
"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\SSMMgr.exe" [2006-12-02 520192]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 1821576]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"DBRMTray"="c:\dell\DBRM\Reminder\TrayApp.exe" [2010-02-04 7168]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
R3 dc3d;MS Hardware Device Detection Driver;c:\windows\system32\DRIVERS\dc3d.sys [x]
R3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudbus.sys [x]
R3 easytether;easytether;c:\windows\system32\DRIVERS\easytthr.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [x]
R3 T1PExGrp;T1PExGrp;c:\windows\system32\DRIVERS\T1PExGrp.sys [x]
R3 T1PMrGrp;T1PMrGrp;c:\windows\system32\DRIVERS\T1PMrGrp.sys [x]
R3 t1pusb;Trigger 1+ Graphics Card;c:\windows\system32\drivers\t1pusb.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]
S1 A2DDA;A2 Direct Disk Access Support Driver;c:\temp\triage\Armoury\Emsisoft Emergency Kit\Run\a2ddax86.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSrv.exe [x]
S2 BPowMon;Broadcom Power monitoring service;c:\program files\Broadcom\BPowMon\BPowMon.exe [x]
S2 cvhsvc;Client Virtualization Handler;c:\program files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [x]
S2 sftlist;Application Virtualization Client;c:\program files\Microsoft Application Virtualization Client\sftlist.exe [x]
S2 SSPORT;SSPORT;c:\windows\system32\Drivers\SSPORT.sys [x]
S2 U2VSvr;U2VSvr;c:\windows\system32\U2VSvr.exe [x]
S3 k57nd60x;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60x.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [x]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [x]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [x]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [x]
S3 sftvsa;Application Virtualization Service Agent;c:\program files\Microsoft Application Virtualization Client\sftvsa.exe [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-07 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-22 14:17]
.
.
------- Supplementary Scan -------
.
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{DA7037A3-5F8E-4486-B561-71302F272547}: NameServer = 8.8.8.8,8.8.4.4
DPF: {0CD93B23-33FF-4B59-A25D-0DD6812478B1} - hxxps://simulcast.manheim.com/simulcast_docs/av/ManheimAVPlugin2-win-ie.cab
DPF: {2EA5DD45-9254-4B0D-9F48-E92FEC3A9754} - hxxps://simulcast.manheim.com/simulcast_docs/av/SimulcastAVPlugin-win-ie.cab
DPF: {7206EAAC-5CFA-43A3-9F61-E27E8E51E42F} - hxxp://adus1.liveblockauctions.com/container_repository/laiexec.cab
.
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\windows\system32\sppsvc.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\windows\system32\MTri1+.exe
c:\users\Owner\AppData\Local\DIRECTV Player\NDSPCShowServer.exe
c:\windows\system32\conhost.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2012-09-06 22:19:28 - machine was rebooted
ComboFix-quarantined-files.txt 2012-09-07 03:19
ComboFix2.txt 2012-09-06 19:37
ComboFix3.txt 2012-09-05 20:19
.
Pre-Run: 128,856,731,648 bytes free
Post-Run: 128,431,730,688 bytes free
.
- - End Of File - - 0228F139191D524823274EC48F195D69


Going to bed, will check back tomorrow. Thanks guys. o/
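The two log entry types that matter for a "pings by IP but not by name" symptom are the O17 per-interface NameServer overrides (a static NameServer takes precedence over the DHCP-supplied DhcpNameServer, and O17 is also where DNS-changer malware leaves its mark) and the O23 services HijackThis could not attribute to a publisher. The following triage helper is added here as an example; it is not code from the thread or from HijackThis, and the sample lines are constructed in the HijackThis 2.0.4 line format, reusing the interface GUID and service names from the log above.

```python
"""Triage a HijackThis 2.0.x log for a name-resolution problem:
extract O4 autoruns, O17 static DNS overrides, and O23 services
whose owner HijackThis could not identify."""
import re

# Constructed sample in HijackThis 2.0.4 line format (shaped like the
# posted log; the GUID and service names are the ones in that log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Util] C:\Windows\system32\Util.exe
O4 - HKCU\..\Run: [PCShowServer] "C:\Users\Owner\AppData\Local\DIRECTV Player\PCShowServerPMWrapper.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{DA7037A3-5F8E-4486-B561-71302F272547}: NameServer = 8.8.8.8,8.8.4.4
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: U2VSvr - Unknown owner - C:\Windows\system32\U2VSvr.exe
"""

# Every HijackThis line is "<section> - <body>", e.g. "O17 - HKLM\...".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
# O4: hive, Run/RunOnce key, [value name], command line.
O4_RE = re.compile(
    r"^(?P<hive>HK(?:LM|CU))\\\.\.\\(?P<key>Run(?:Once)?): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# O17: static NameServer set on one TCP/IP interface (identified by its GUID).
O17_RE = re.compile(
    r"Tcpip\\\.\.\\(?P<guid>\{[0-9A-Fa-f-]+\}): NameServer = (?P<servers>[0-9.,]+)")
# O23: "Service: <display name> - <owner> - <image path>".
O23_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def triage_hijackthis(text):
    """Return the entries a reviewer checks first for a DNS-only outage."""
    findings = {"autoruns": [], "dns_overrides": [], "unknown_owner_services": []}
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, body = m["section"], m["body"]
        if section == "O4":
            a = O4_RE.match(body)
            if a:
                findings["autoruns"].append(
                    {"hive": a["hive"], "key": a["key"],
                     "name": a["name"], "cmd": a["cmd"].strip('"')})
        elif section == "O17":
            d = O17_RE.search(body)
            if d:
                # A static NameServer here overrides whatever DHCP hands out,
                # so confirm the servers are the ones the operator intended.
                findings["dns_overrides"].append((d["guid"], d["servers"].split(",")))
        elif section == "O23":
            s = O23_RE.match(body)
            if s and s["owner"].lower() == "unknown owner":
                # No publisher resolved: verify the image file before trusting it.
                findings["unknown_owner_services"].append(
                    {"name": s["name"], "path": s["path"]})
    return findings


def report(findings):
    """Render the findings as review lines (one per item)."""
    lines = []
    for guid, servers in findings["dns_overrides"]:
        lines.append(f"static DNS on interface {guid}: {', '.join(servers)}")
    for svc in findings["unknown_owner_services"]:
        lines.append(f"service with no identified owner: {svc['name']} -> {svc['path']}")
    lines.append(f"{len(findings['autoruns'])} autorun entries parsed")
    return lines


if __name__ == "__main__":
    for line in report(triage_hijackthis(SAMPLE_LOG)):
        print(line)
```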


#2 schrauber (Mr.Mechanic, Malware Response Team, Munich, Germany)

Posted 10 September 2012 - 01:33 PM

Hello, Cronyx
Welcome to the Bleeping Computer Forums. My name is Thomas (Tom is fine), and I will be helping you fix your problems.

If you do not make a reply in 4-5 days, we will have to close your topic.


Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the reply button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
  • Please set your system to show all files.
    Click Start, open My Computer, select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.


I will review your log now. In the meantime, please have a look if you can find C:\Combofix.txt and/or C:\Qoobox\Quarantined-files.txt. If so, please post them in your next reply.
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#3 Cronyx (Topic Starter)

Posted 10 September 2012 - 07:28 PM

Sorry Tom, he told me to just wipe and redo it as he couldn't wait any longer. Thanks anyway! :)

#4 schrauber (Mr.Mechanic, Malware Response Team, Munich, Germany)

Posted 10 September 2012 - 10:16 PM

Thanks for letting me know :)
regards,
schrauber


#5 schrauber (Mr.Mechanic, Malware Response Team, Munich, Germany)

Posted 10 September 2012 - 10:16 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
regards,
schrauber
