
Had virus. Think it is gone. Internet won't work. Dhcp service won't start. Err5


2 replies to this topic

#1 Dbouya (Members, 3 posts)

Posted 26 October 2015 - 05:51 PM

I got a virus. All sorts of programs suddenly installed themselves or opened websites like Trovi in a browser, MyBrowser, that had just installed itself, along with PC Speed Up, CinemaPlus, and a dozen more. I tried to open the Task Manager and it failed. I downloaded Malwarebytes, but so many programs were opening at once that I had to turn it off before using it. Turned it back on and it was a mess. Went into safe mode. Fixed taskmgr with sfc /scannow, ran RKill, TDSSKiller, and Malwarebytes. This took a few reboots. It found a backdoor and a rootkit (ten red items, which I removed). Then I went about asking all the malware to uninstall itself. Then I had Malwarebytes run a full scan and removed hundreds of yellow items (PUPs).

I thought I'd won, but my Windows now cannot connect to my router or the internet. I am not sure this is all of why, but in services.msc the DHCP and DNS services will not start. They say error 5, access denied. I tried editing the permissions as per another forum thread, but I couldn't get either service to start. Apparently that first time I turned off my computer my virus disabled them (or maybe when Malwarebytes killed the virus).

Trying to diagnose the connection and let Windows fix it results in a general troubleshooting error.

I thought someone might ask me to run ComboFix... So I did. The log file contains only a single "I". The system seems fine otherwise, except the NVIDIA display driver service also won't start, possibly unrelated.

Pinging 127.0.0.1 works. Pinging 198.168.1.1 does not. I uninstalled a WinpkFilter from my connection properties because it sounded suspicious when googled.

The Network and Sharing Center lists the connection as endlessly identifying. If I set an IP for my computer (it is usually DHCP'd) I can get the connection to show instead as an unidentified public network, but it still won't connect to anything.

It is hard to look for help without the internet working... So I'd be willing to find a band-aid fix to connect without fixing the underlying Windows service problems... if such a thing is even possible. I've never had a virus disable my internet before. What is the point of a backdoor that disables the target's internet?

I do not have any restore points; they wouldn't fit on my old SSD... which I now regret. Below are ipconfig /all and Farbar Service Scanner logs.


Windows IP Configuration

Host Name . . . . . . . . . . . . : Win7-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : home

Ethernet adapter Local Area Connection 3:

Connection-specific DNS Suffix . : home
Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
Physical Address. . . . . . . . . : B8-97-5A-18-71-9E
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::15b9:516b:8cde:3cd0%29(Preferred)
Autoconfiguration IPv4 Address. . : 169.254.60.208(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 2001:4860:4860::8888
2001:4860:4860::8844
8.8.8.8
8.8.4.4
NetBIOS over Tcpip. . . . . . . . : Enabled



Microsoft Windows 7 Ultimate Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.


Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error. Google IP is unreachable
Attempt to access Google.com returned error: Other errors
Attempt to access Yahoo.com returned error: Other errors


Action Center:
============


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is OK.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\ipnathlp.dll => MD5 is legit
C:\Windows\System32\iphlpsvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****


Edited by hamluis, 26 October 2015 - 05:57 PM.
Moved from Win 7 to Am I Infected - Hamluis.
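The Farbar Service Scanner output above shows that the Dhcp and Dnscache start types and binaries are intact, and the 169.254.x.x autoconfiguration address with no default gateway in the ipconfig output is what a Windows host falls back to when the DHCP Client service is not running. Error 5 on service start is a permissions failure, and the first place to check is the service's own security descriptor, which `sc.exe sdshow Dhcp` prints as an SDDL string. The script below is an added example (Python, not the original poster's code and not part of any tool named in the thread): it parses that string, reports which principals lack the Start/Stop rights, and flags deny ACEs and over-broad grants to non-admin principals. Both sample descriptors are constructed for the example: DEFAULT approximates a stock Windows 7 service DACL, and TAMPERED adds a deny ACE of the kind that produces error 5 for an administrator.

```python
"""Triage for 'Error 5: Access is denied' when starting a Windows service.

Added example, not the original poster's code. Parses the DACL printed by
`sc.exe sdshow <service>` (SDDL) and reports whether the rights needed to
start and stop the service are still granted to SYSTEM and Administrators.
DEFAULT and TAMPERED are constructed sample descriptors.
"""
import re
import subprocess
import sys

# Service-object access rights as sc.exe prints them in SDDL.
RIGHTS = {
    "CC": "QueryConfig", "DC": "ChangeConfig", "LC": "QueryStatus",
    "SW": "EnumerateDependents", "RP": "Start", "WP": "Stop",
    "DT": "PauseContinue", "LO": "Interrogate", "CR": "UserDefinedControl",
    "SD": "Delete", "RC": "ReadControl", "WD": "WriteDac", "WO": "WriteOwner",
    "GA": "GenericAll",
}
# Well-known SID abbreviations used in SDDL.
TRUSTEES = {"SY": "SYSTEM", "BA": "Administrators", "IU": "Interactive",
            "SU": "Service", "WD": "Everyone", "AU": "Authenticated Users",
            "BU": "Users"}

# Constructed: approximates a stock Windows 7 service DACL.
DEFAULT = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
           "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
           "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
# Constructed: same DACL with a deny ACE stripping Start/Stop from admins.
TAMPERED = "D:(D;;RPWP;;;BA)" + DEFAULT[2:]

ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_dacl(sddl):
    """Return [(ace_type, trustee, rights)] for every ACE in the DACL."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]   # drop owner/group/SACL
    aces = []
    for m in ACE_RE.finditer(dacl):
        f = m.group(1).split(";")          # type;flags;rights;guid;guid;sid
        ace_type, rights, trustee = f[0], f[2], f[5]
        if rights.startswith("0x"):        # raw access mask: keep verbatim
            rset = {rights}
        else:                              # run of two-letter right codes
            rset = {rights[i:i + 2] for i in range(0, len(rights), 2)}
        aces.append((ace_type, trustee, rset))
    return aces


def effective_rights(aces, trustee):
    """Allowed minus denied rights for one trustee (deny wins, as in Windows)."""
    allowed, denied = set(), set()
    for ace_type, t, rights in aces:
        if t != trustee:
            continue
        if ace_type == "A":
            allowed |= rights
        elif ace_type == "D":
            denied |= rights
    return allowed - denied


def start_problems(sddl):
    """Human-readable findings that would explain an access-denied start."""
    aces = parse_dacl(sddl)
    findings = []
    for t in ("SY", "BA"):                 # SCM runs as SYSTEM; admins start services
        r = effective_rights(aces, t)
        missing = set() if "GA" in r else {"RP", "WP"} - r
        if missing:
            names = ", ".join(sorted(RIGHTS[m] for m in missing))
            findings.append(f"{TRUSTEES[t]} lacks {names}")
    for ace_type, t, rights in aces:
        who = TRUSTEES.get(t, t)
        names = ", ".join(sorted(RIGHTS.get(x, x) for x in rights))
        if ace_type == "D":
            findings.append(f"explicit DENY for {who}: {names}")
        elif t not in ("SY", "BA") and rights & {"DC", "WD", "WO", "GA"}:
            findings.append(f"{who} can reconfigure the service: {names}")
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.platform == "win32":
        # Real descriptor from the affected machine, e.g. `python this.py Dhcp`
        out = subprocess.run(["sc.exe", "sdshow", sys.argv[1]],
                             capture_output=True, text=True, check=True).stdout
        sddl = out.strip()
    else:
        sddl = TAMPERED                    # offline demo on the constructed sample
    print(sddl)
    for line in start_problems(sddl) or ["no service-DACL problem found"]:
        print(" -", line)
```

Run it on the affected Windows machine as `python sddl_triage.py Dhcp` (it shells out to sc.exe) or with no arguments to see the constructed sample. A clean service DACL does not rule error 5 out: the same error appears when the service's registry key under HKLM\SYSTEM\CurrentControlSet\Services or its ServiceDll carries a broken ACL, which the hash check in Farbar Service Scanner does not cover.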



#2 Dbouya (Topic Starter)

Posted 26 October 2015 - 06:59 PM

I finally got a friend to burn me a live CD, so I can now type on my keyboard instead of my phone. I can also access all of my Windows computer's system and media files this way.

I wanted to post a copy of CBS.log, but it is 10 megabytes and won't even fit on Pastebin. So here's the final loop in the log file.





2015-10-26 17:51:32, Info CBS Starting TrustedInstaller initialization.
2015-10-26 17:51:32, Info CBS Loaded Servicing Stack v6.1.7601.17592 with Core: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_6.1.7601.17592_none_672ce6c3de2cb17f\cbscore.dll
2015-10-26 17:51:33, Info CSI 00000001@2015/10/26:21:51:33.393 WcpInitialize (wcp.dll version 0.0.0.6) called (stack @0x7fef0d1f0ad @0x7fef0fd9849 @0x7fef0fa34e3 @0xffe9e97c @0xffe9d799 @0xffe9db2f)
2015-10-26 17:51:33, Info CSI 00000002@2015/10/26:21:51:33.409 WcpInitialize (wcp.dll version 0.0.0.6) called (stack @0x7fef0d1f0ad @0x7fef1026816 @0x7fef0ff2aac @0x7fef0fa35b9 @0xffe9e97c @0xffe9d799)
2015-10-26 17:51:33, Info CSI 00000003@2015/10/26:21:51:33.424 WcpInitialize (wcp.dll version 0.0.0.6) called (stack @0x7fef0d1f0ad @0x7fef2e48738 @0x7fef2e48866 @0xffe9e474 @0xffe9d7de @0xffe9db2f)
2015-10-26 17:51:33, Info CBS Ending TrustedInstaller initialization.
2015-10-26 17:51:33, Info CBS Starting the TrustedInstaller main loop.
2015-10-26 17:51:33, Info CBS TrustedInstaller service starts successfully.
2015-10-26 17:51:33, Info CBS SQM: Initializing online with Windows opt-in: False
2015-10-26 17:51:33, Info CBS SQM: Cleaning up report files older than 10 days.
2015-10-26 17:51:33, Info CBS SQM: Requesting upload of all unsent reports.
2015-10-26 17:51:33, Info CBS SQM: Failed to start upload with file pattern: C:\Windows\servicing\sqm\*_std.sqm, flags: 0x2 [HRESULT = 0x80004005 - E_FAIL]
2015-10-26 17:51:33, Info CBS SQM: Failed to start standard sample upload. [HRESULT = 0x80004005 - E_FAIL]
2015-10-26 17:51:33, Info CBS SQM: Failed to start upload with file pattern: C:\Windows\servicing\sqm\*_all.sqm, flags: 0x6 [HRESULT = 0x80004005 - E_FAIL]
2015-10-26 17:51:33, Info CBS SQM: Failed to start always sample upload. [HRESULT = 0x80004005 - E_FAIL]
2015-10-26 17:51:33, Info CBS SQM: Warning: Failed to upload all unsent reports. [HRESULT = 0x80004005 - E_FAIL]
2015-10-26 17:51:33, Info CBS No startup processing required, TrustedInstaller service was not set as autostart, or else a reboot is still pending.
2015-10-26 17:51:33, Info CBS NonStart: Checking to ensure startup processing was not required.
2015-10-26 17:51:33, Info CSI 00000004 IAdvancedInstallerAwareStore_ResolvePendingTransactions (call 1) (flags = 00000004, progress = NULL, phase = 0, pdwDisposition = @0xfcf6c0
2015-10-26 17:51:33, Info CSI 00000005 Creating NT transaction (seq 1), objectname [6]"(null)"
2015-10-26 17:51:33, Info CSI 00000006 Created NT transaction (seq 1) result 0x00000000, handle @0x1e8
2015-10-26 17:51:33, Info CSI 00000007@2015/10/26:21:51:33.487 CSI perf trace:
CSIPERF:TXCOMMIT;576
2015-10-26 17:51:33, Info CBS NonStart: Success, startup processing not required as expected.
2015-10-26 17:51:33, Info CBS Startup processing thread terminated normally
2015-10-26 17:51:33, Info CSI 00000008 CSI Store 4125760 (0x00000000003ef440) initialized
2015-10-26 17:51:33, Info CBS Session: 30478392_2060359813 initialized by client lpksetup.
2015-10-26 17:51:36, Info CBS Session: 30478392_2060359813 finalized. Reboot required: no [HRESULT = 0x00000000 - S_OK]
2015-10-26 17:51:37, Info CBS Session: 30478392_2099983883 initialized by client lpksetup.
2015-10-26 17:51:39, Info CBS Session: 30478392_2099983883 finalized. Reboot required: no [HRESULT = 0x00000000 - S_OK]
2015-10-26 18:01:43, Info CBS Reboot mark refs incremented to: 1
2015-10-26 18:01:43, Info CBS Scavenge: Starts
2015-10-26 18:01:43, Info CSI 00000009@2015/10/26:22:01:43.566 CSI Transaction @0x3f3aa0 initialized for deployment engine {d16d444c-56d8-11d5-882d-0080c847b195} with flags 00000002 and client id [10]"TI6.0_0:0/"

2015-10-26 18:01:43, Info CBS Scavenge: Begin CSI Store
2015-10-26 18:01:45, Info CSI 0000000a Performing 1 operations; 1 are not lock/unlock and follow:
Scavenge (8): flags: 00000017
2015-10-26 18:01:46, Info CSI 0000000b Store coherency cookie matches last scavenge cookie, skipping scavenge.
2015-10-26 18:01:47, Info CSI 0000000c ICSITransaction::Commit calling IStorePendingTransaction::Apply - coldpatching=FALSE applyflags=7
2015-10-26 18:01:47, Info CSI 0000000d Creating NT transaction (seq 2), objectname [6]"(null)"
2015-10-26 18:01:47, Info CSI 0000000e Created NT transaction (seq 2) result 0x00000000, handle @0x224
2015-10-26 18:01:47, Info CSI 0000000f@2015/10/26:22:01:47.092 CSI perf trace:
CSIPERF:TXCOMMIT;15830
2015-10-26 18:01:47, Info CBS Scavenge: Completed, disposition: 0X1
2015-10-26 18:01:47, Info CSI 00000010@2015/10/26:22:01:47.092 CSI Transaction @0x3f3aa0 destroyed
2015-10-26 18:01:47, Info CBS Reboot mark refs: 0
2015-10-26 18:01:47, Info CBS Idle processing thread terminated normally
2015-10-26 18:01:47, Info CBS Ending the TrustedInstaller main loop.
2015-10-26 18:01:47, Info CBS Starting TrustedInstaller finalization.
2015-10-26 18:01:47, Info CBS Ending TrustedInstaller finalization.



I can't quite tell if that means I have an error or not.
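The excerpt above is the TrustedInstaller service starting, confirming that no startup processing is pending, and idling; the only failures in it are SQM telemetry uploads (E_FAIL), which are expected with no network and say nothing about system-file integrity. What sfc /scannow found is recorded elsewhere in CBS.log, in lines tagged [SR]. The script below is an added example (Python, not the original poster's code): it separates the [SR] verdicts from the rest and counts failing HRESULTs with the SQM noise filtered out, so the 10 MB file can be read in place from the live CD instead of pasted. SAMPLE is constructed: the SQM and Session lines mirror the posted excerpt, while the [SR] lines and the CBS_E_SOURCE_MISSING line are made up in the format those entries use.

```python
"""Added example (not the original poster's code): pull the decisive lines
out of a Windows CBS.log.

sfc /scannow records its findings in CBS.log with the "[SR]" tag; SQM lines
ending in E_FAIL are telemetry-upload failures, not integrity results.
SAMPLE is constructed to exercise both kinds of line.
"""
import re
import sys
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<ts>\S+ [^,]+), (?P<level>\w+)\s+(?P<comp>\w+)\s+(?P<msg>.*)$")
HRESULT_RE = re.compile(r"\[HRESULT = (0x[0-9A-Fa-f]{8}) - (\w+)\]")

# Constructed sample: first three lines mirror the posted excerpt, the rest
# are invented in the shape sfc's [SR] entries and CBS failures take.
SAMPLE = r"""
2015-10-26 17:51:33, Info CBS SQM: Failed to start upload with file pattern: C:\Windows\servicing\sqm\*_std.sqm, flags: 0x2 [HRESULT = 0x80004005 - E_FAIL]
2015-10-26 17:51:33, Info CBS SQM: Warning: Failed to upload all unsent reports. [HRESULT = 0x80004005 - E_FAIL]
2015-10-26 17:51:36, Info CBS Session: 30478392_2060359813 finalized. Reboot required: no [HRESULT = 0x00000000 - S_OK]
2015-10-26 16:38:10, Info CSI 000001a2 [SR] Verifying 100 components
2015-10-26 16:40:02, Info CSI 000001a3 [SR] Repairing corrupted file [ml:520{260},l:58{29}]"\??\C:\Windows\System32"\[l:22{11}]"taskmgr.exe" from store
2015-10-26 16:40:03, Info CSI 000001a4 [SR] Cannot repair member file [l:22{11}]"example.dll" of Example-Component, Version = 6.1.7601.17514
2015-10-26 16:40:05, Info CSI 000001a5 [SR] Verify complete
2015-10-26 16:40:05, Info CBS (constructed) repair source unavailable [HRESULT = 0x800f081f - CBS_E_SOURCE_MISSING]
"""


def records(text):
    """Yield parsed CBS.log records; continuation lines without a timestamp are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def sfc_summary(text):
    """Return (cannot_repair, repaired, verify_complete) taken from the [SR] lines."""
    cannot, repaired, complete = [], [], False
    for rec in records(text):
        msg = rec["msg"]
        if "[SR]" not in msg:
            continue
        if "Cannot repair member file" in msg:
            cannot.append(msg)
        elif "Repairing corrupted file" in msg:
            repaired.append(msg)
        elif "Verify complete" in msg:
            complete = True
    return cannot, repaired, complete


def failed_hresults(text, ignore_prefixes=("SQM:",)):
    """Count non-S_OK HRESULTs, skipping message prefixes known to be noise."""
    counts = Counter()
    for rec in records(text):
        m = HRESULT_RE.search(rec["msg"])
        if not m or int(m.group(1), 16) == 0:
            continue
        if rec["msg"].startswith(ignore_prefixes):
            continue
        counts[(m.group(1).lower(), m.group(2))] += 1
    return counts


def main(path=None):
    # CBS.log is written as a single-byte/UTF-8 text file; replace undecodable bytes.
    text = open(path, encoding="utf-8", errors="replace").read() if path else SAMPLE
    cannot, repaired, complete = sfc_summary(text)
    print(f"sfc verify complete: {complete}; repaired: {len(repaired)}; "
          f"unrepairable: {len(cannot)}")
    for line in cannot:
        print("  ", line)
    for (code, name), n in failed_hresults(text).most_common():
        print(f"{n:5d}  {code} {name}")


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

From the live CD, run it as `python cbs_scan.py /mnt/windows/Windows/Logs/CBS/CBS.log` (the mount point is an assumption) or with no arguments to see the constructed sample; an empty "unrepairable" list with "verify complete" true means sfc found nothing it could not fix, whatever the SQM lines say.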

#3 Dbouya (Topic Starter)

Posted 27 October 2015 - 07:32 PM

Sorry to waste the time of everyone who read this.

I gave up and reformatted and reinstalled, and now the system is flawless. Oh well. The problem was over my head.
