No internet connection after virus removal



#1 cpwesquire

Posted 18 January 2013 - 12:39 AM

I am unable to connect to the internet after removing multiple viruses from a laptop. It is a Toshiba L645D-S4040 running Windows 7 Premium. I have attempted reloading the drivers, running registry scanners and repair tools all to no effect. The viruses seem to be gone but still cannot connect to the internet. Please assist.

Edited by bloopie, 18 January 2013 - 10:27 AM.
Topic moved to MRL forum due to DDS log being posted. ~bloopie



#2 noknojon

Posted 18 January 2013 - 02:34 AM

after removing multiple viruses ....... running registry scanners and repair tools all to no effect.

Hello cpwesquire -
Can you please be a bit more specific about these programs and steps taken. Also (if known) can you please list the infection.

Without knowing how you removed this, or who has taken what steps to remove it we are at a bit of a loss.
Also how long since the infection was removed, and how long you have been without internet -

Thank You

#3 cpwesquire

Posted 18 January 2013 - 09:35 AM

The malicious program appears to have deleted my AVG antivirus, so I started by reinstalling it yesterday from a flash drive. After reinstalling AVG, it found and repaired multiple infections. Most appeared to be trojans (Generic15.BJKE)(Generic16.AAEZ)(PSW.Keylogger.AXD)(Luhe.Sirefef.A). They appeared to be embedded in a Windows update. When I restarted the computer this morning, the internet appears to be working again but the infections are back as well. AVG is now saying that it cannot repair an infection of (C:\Windows\System32\services.exe)

#4 cpwesquire

Posted 18 January 2013 - 09:44 AM

I ran HijackThis but get an error stating that the system is denying access to the Hosts file. It also will not allow me to create a HijackThis log. I also tried AVG's Rescue CD program and Spybot Search and Destroy. I am tempted to run Combofix but know that there are other tests the techs want run first.

#5 cpwesquire

Posted 18 January 2013 - 09:58 AM

Following instructions from another thread, I ran Defogger and DDS. The logs from each are attached.
Attached files: defogger_disable.log (474 bytes), DDS.txt (8.35KB), Attach.txt (34.92KB)

#6 cpwesquire

Posted 18 January 2013 - 10:55 AM

This morning I downloaded and ran Malwarebytes Anti-Malware. The log is attached.
Attached file: MBAM-log-2013-01-18 (09-53-07).txt (3.24KB)

#7 cpwesquire

Posted 18 January 2013 - 11:07 AM

I reread the instructions and see that I was supposed to paste the text of the DDS log rather than attaching it. Here is the text of my DDS log:
DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16447
Run by Purple at 8:51:12 on 2013-01-18
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2811.2074 [GMT -6:00]
.
AV: AVG Anti-Virus 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: AVG Anti-Virus 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files (x86)\AVG\AVG2013\avgui.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files (x86)\AVG\AVG2013\avgcfgex.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/?ilc=1
mStart Page = hxxp://www.yahoo.com/?ilc=8
mDefault_Page_URL = hxxp://www.yahoo.com/?ilc=8
mWinlogon: Userinit = userinit.exe
BHO: &Yahoo! Toolbar Helper: {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn0\yt.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn0\yt.dll
mRun: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2013\avgui.exe" /TRAYONLY
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: EnableUIADesktopToggle = dword:0
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: NameServer = 192.168.1.254
TCP: Interfaces\{7331F4A1-CAFF-459E-80DE-1F90693766C8} : DHCPNameServer = 66.233.164.12 64.13.115.12
TCP: Interfaces\{E3F32B62-0B60-4D9F-8215-0549769CAB49} : DHCPNameServer = 192.168.1.254
TCP: Interfaces\{E3F32B62-0B60-4D9F-8215-0549769CAB49}\2416C6C6162746 : DHCPNameServer = 192.168.2.1 192.168.2.1
TCP: Interfaces\{E3F32B62-0B60-4D9F-8215-0549769CAB49}\56874756E646564637471697 : DHCPNameServer = 192.168.90.1
TCP: Interfaces\{E3F32B62-0B60-4D9F-8215-0549769CAB49}\C696E6B6379737 : DHCPNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{E3F32B62-0B60-4D9F-8215-0549769CAB49}\E6F6475626F6F6B63723 : DHCPNameServer = 192.168.2.1
SSODL: WebCheck - <orphaned>
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHA;AVGIDSHA;C:\Windows\System32\drivers\avgidsha.sys [2012-10-15 63328]
R0 Avgloga;AVG Logging Driver;C:\Windows\System32\drivers\avgloga.sys [2012-9-21 225120]
R0 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\System32\drivers\avgmfx64.sys [2012-11-15 111968]
R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\System32\drivers\avgrkx64.sys [2012-9-14 40800]
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2011-4-18 203888]
R1 AVGIDSDriver;AVGIDSDriver;C:\Windows\System32\drivers\avgidsdrivera.sys [2012-10-22 154464]
R1 Avgldx64;AVG AVI Loader Driver;C:\Windows\System32\drivers\avgldx64.sys [2012-10-2 185696]
R1 Avgtdia;AVG TDI Driver;C:\Windows\System32\drivers\avgtdia.sys [2012-9-21 200032]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2012-4-16 202752]
R2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe [2012-10-22 196664]
R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;C:\Windows\System32\drivers\L1C62x64.sys [2010-2-22 75304]
R3 PGEffect;Pangu effect driver;C:\Windows\System32\drivers\PGEffect.sys [2012-4-16 35008]
R3 rtl8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;C:\Windows\System32\drivers\rtl8192Ce.sys [2012-4-16 877088]
S2 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe [2012-11-15 5814904]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 bcm;WiMAX Network Adapter;C:\Windows\System32\drivers\drxvi314_64.sys [2011-10-17 382848]
S3 bcmbusctr;WiMAX Bus Driver;C:\Windows\System32\drivers\BcmBusCtr_64.sys [2011-10-17 60416]
S3 CACLEARWIRE;Clearwire Con App Svc;"C:\Program Files (x86)\Clearwire\Connection Manager\ConAppsSvc.exe" /n "CACLEARWIRE" --> C:\Program Files (x86)\Clearwire\Connection Manager\ConAppsSvc.exe [?]
S3 CLEARWIRERcAppSvc;Clearwire RcAppSvc;"C:\Program Files (x86)\Clearwire\Connection Manager\RcAppSvc.exe" /n "CLEARWIRERcAppSvc" --> C:\Program Files (x86)\Clearwire\Connection Manager\RcAppSvc.exe [?]
S3 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2011-4-27 98688]
S3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2012-9-12 291696]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\System32\drivers\RtsUStor.sys [2012-4-16 239136]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-4-16 1255736]
.
=============== Created Last 30 ================
.
2013-01-18 07:09:14 388096 ----a-r- C:\Users\Purple\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2013-01-18 07:09:14 -------- d-----w- C:\Program Files (x86)\Trend Micro
2013-01-18 06:48:07 -------- d-----w- C:\Users\Purple\AppData\Roaming\TuneUp Software
2013-01-18 04:44:43 -------- d-----w- C:\temp.realtek
2013-01-16 09:39:30 -------- d-----w- C:\ff657a37daa24936958f01e8bdcaacf4
2013-01-16 05:36:47 -------- d-----w- C:\Program Files (x86)\Pandora Recovery
2013-01-16 04:24:07 -------- d-----w- C:\Users\Purple\AppData\Roaming\AVG2013
2013-01-16 01:30:53 -------- d--h--w- C:\$AVG
2013-01-16 01:30:52 -------- d-----w- C:\ProgramData\AVG2013
2013-01-16 01:20:31 -------- d-----w- C:\Users\Purple\AppData\Local\MFAData
2013-01-16 01:20:31 -------- d-----w- C:\Users\Purple\AppData\Local\Avg2013
.
==================== Find3M ====================
.
2013-01-18 06:49:13 74248 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-01-18 06:49:13 697864 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-11-16 05:33:24 111968 ----a-w- C:\Windows\System32\drivers\avgmfx64.sys
2012-10-22 19:02:44 154464 ----a-w- C:\Windows\System32\drivers\avgidsdrivera.sys
.
============= FINISH: 8:51:30.98 ===============



