Something Disabling Network Connection and Not Allowing any virus removal or Malware

Discussion in 'Malware Help (A Specialist Will Reply)' started by sdpullen, Nov 8, 2010.

  1. sdpullen

    sdpullen Private E-2

    Hello All,

    Where to start...Somehow one of my computers has obtained malware/spyware/virus not really sure what. It will not connect to the modem (at&t dsl, connected straight to the modem) I have unplugged and plugged a laptop into it and it works fine so I know it's not the dsl causing the problem. There are other issues as well. First off, it will NOT let me run Hijack This and get a log file. I have tried in regular as well as safe mode, and it shuts the program down shortly after it opens. The same holds true for any virus or malware removal program that I install. I've even renamed the install file as well as the actual exe file for the programs and it does the same thing. I have tried the following programs and have gotten nowhere: HijackThis, SuperAntiSpyware, Malwarebytes, Glary Utilities, CCcleaner, HostsXpert, Norman Malware Cleaner (program will start scan, then find something and immediately shut down), SDFix, and SmitFraudFix. In addition, when the computer boots up, the following 2 error messages pop up:
    http://www.voiceoverguys.com/mal/error1.jpg

    Followed by:
    http://www.voiceoverguys.com/mal/error2.jpg


    Any time one of the programs tries to open an explorer window it throws up this image, then shuts down:
    http://www.voiceoverguys.com/mal/error3.jpg

    And this is what pops up when you try to run any malware/virus program:
    http://www.voiceoverguys.com/mal/error4.jpg

    System is Windows XP Home SP3
    Unable to obtain HJT log.
    Here is the DDS Log:


    DDS (Ver_10-11-03.01) - NTFSx86
    Run by Compaq_Owner at 13:07:21.56 on Fri 11/05/2010
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.958.647 [GMT -5:00]

    AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

    ============== Running Processes ===============

    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    "\\.\globalroot\Device\svchost.exe\svchost.exe"
    svchost.exe
    C:\Program Files\Common Files\Motive\McciCMService.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    "C:\WINDOWS\system32\svchost.exe"
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Microsoft Security Essentials\msseces.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\WINDOWS\ALCXMNTR.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    c:\windows\system\hpsysdrv.exe
    C:\WINDOWS\system32\wscntfy.exe
    J:\Computer Utilities\dds.scr

    ============== Pseudo HJT Report ===============

    uInternet Connection Wizard,ShellNext = iexplore
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
    BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
    TB: {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
    uRun: [libcore707en0setup.exe] c:\documents and settings\compaq_owner\application data\4f7f2ebd2bd24543f31f2ae5bcd90be2\libcore707en0setup.exe
    uRun: [SE11] c:\program files\secess\SE11.exe
    uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
    mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
    mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
    mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_06\bin\jusched.exe
    mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
    dRun: [SE11] c:\program files\secess\SE11.exe
    dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
    mPolicies-system: EnableLUA = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
    IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
    LSP: winsock.dll
    Trusted Zone: download-soft-package.com
    Trusted Zone: download-software-package.com
    Trusted Zone: fastestdeploy.com
    Trusted Zone: get-key-se10.com
    Trusted Zone: is-software-download.com
    Trusted Zone: fastestdeploy.com
    Trusted Zone: get-key-se10.com
    DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
    DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
    Notify: AtiExtEvent - Ati2evxx.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\compaq~1\applic~1\mozilla\firefox\profiles\cl7e14mt.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.att.net/
    FF - plugin: c:\program files\common files\motive\npMotive.dll
    FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

    ============= SERVICES / DRIVERS ===============

    R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
    S3 5DE6C4AB;5DE6C4AB; [x]
    S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\lavasoft\ad-aware\kernexplorer.sys --> c:\program files\lavasoft\ad-aware\KernExplorer.sys [?]
    S3 NDISKIO;NDISKIO;c:\docume~1\compaq~1\locals~1\temp\00000dd1.nmc\nse\bin\ndiskio.sys [2010-11-5 24168]

    =============== Created Last 30 ================

    2010-11-05 17:06:02 -------- d-----w- c:\program files\Trend Micro
    2010-11-05 16:13:11 578560 ----a-w- c:\windows\system32\dllcache\user32.dll
    2010-11-05 16:04:11 -------- d-----w- c:\windows\ERUNT
    2010-11-05 15:50:53 -------- d-----w- C:\SDFix
    2010-11-05 15:48:33 1364 ----a-w- c:\windows\system32\tmp.reg
    2010-11-05 15:30:13 93671752 ----a-w- C:\nmc.exe
    2010-11-04 21:46:31 -------- d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
    2010-11-04 21:30:48 -------- d-----w- c:\docume~1\compaq~1\applic~1\Malwarebytes
    2010-11-04 21:30:40 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-11-04 21:30:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-11-04 21:30:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-11-04 21:30:39 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2010-11-04 20:40:51 -------- d-----w- c:\docume~1\compaq~1\applic~1\SUPERAntiSpyware.com
    2010-11-04 20:40:51 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
    2010-11-04 20:40:41 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-11-04 20:39:33 -------- d-----w- c:\program files\CCleaner
    2010-11-04 20:27:31 -------- d-----w- c:\program files\Ask.com
    2010-11-04 20:27:08 -------- d-----w- c:\program files\Glary Utilities
    2010-10-19 02:15:34 6084944 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{303572e2-a7fe-4e35-a3f5-fd793a6518c2}\mpengine.dll
    2010-10-19 02:10:08 -------- d-----w- c:\program files\Microsoft Security Essentials
    2010-10-11 13:32:21 -------- d-----w- C:\a6fab4046aeef1aefab431351cab4d

    ==================== Find3M ====================

    2010-09-28 19:37:55 147 ----a-w- c:\docume~1\compaq~1\applic~1\jsdfgs.bat
    2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe

    =================== ROOTKIT ====================

    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.1 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: ST380011A rev.8.11 -> \Device\Ide\IdePort0

    device: opened successfully
    user: MBR read successfully

    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xF68B511B]<<
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; PUSH EBX; PUSH ESI; PUSH EDI; CMP EAX, [0xf68b8888]; JNZ 0x1f; MOV EBX, [EBP+0xc]; CALL 0xfffffffffffffd3b; }
    1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x86308AB8]
    3 CLASSPNP[0xF76D0FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x85A8F0D0]
    \Driver\Disk[0x85FE7F38] -> IRP_MJ_CREATE -> 0xF68B511B
    error: Read The system cannot find the file specified.
    kernel: MBR read successfully
    _asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB ; JMP FAR 0x7a0:0x5c; }
    detected hooks:
    \Device\Ide\IdeDeviceP2T0L0-12 -> \??\IDE#DiskST380011A_______________________________8.11____#4a3553564c523551202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    \Driver\atapi DriverStartIo -> 0x862F2A9F
    user & kernel MBR OK
    Warning: possible TDL3 rootkit infection !

    Filesystem trace:
    called modules: ntkrnlpa.exe hal.dll fltmgr.sys MpFilter.sys bb-run.sys sr.sys Ntfs.sys
    c:\windows\system32\drivers\bb-run.sys Promise Technology, Inc. Promise® Disk Accelerator
    1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x85E69020]
    3 fltmgr[0xF73ACE95] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x863081F0]
    5 bb-run[0xF76E47E1] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x86381020]
    7 sr[0xF739C870] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x863E16E0]
    9 fltmgr[0xF73B96BD] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x86376020]
    11 ntkrnlpa[0x8057F97D] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x85E69020]
    13 fltmgr[0xF73AD098] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x863081F0]
    15 bb-run[0xF76E1014] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x86381020]
    17 sr[0xF7397453] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x863E16E0]
    19 fltmgr[0xF73AD098] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x86376020]

    Registry trace:
    called modules: ntkrnlpa.exe hal.dll >>UNKNOWN [0x85BA43E0]<<
    _asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x10; PUSH ESI; XOR ESI, ESI; CMP [0x85ba8030], ESI; JZ 0x13f; CALL [0x85ba701c]; }

    ============= FINISH: 13:09:02.71 ===============

    Unable to run GMER. Does same thing as above programs.
    Thank you for your assistance!
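As an added example, not part of this thread and not code from DDS, HijackThis or MajorGeeks: a small Python triage pass over the kind of DDS output posted above. It flags the indicators that a helper acts on first when a machine kills every security tool and loses its network: a process launched through a `\\.\globalroot` device path, a Run key pointing into a user profile directory with a random 32-hex-character name, a Run entry installed into both the current-user and Default User hives, an unfamiliar LSP module, a pile of Trusted Zone domains, and a `.bat` dropped under Application Data. The sample input is constructed from lines copied out of the log above; the LSP allowlist, the category names and the heuristics themselves are my assumptions, not anything DDS does.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    category: str
    evidence: str


# Constructed sample: lines copied from the DDS log posted above, trimmed to the
# ones that matter for triage (the selection is mine, not the log's structure).
SAMPLE_LOG = r"""
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.958.647 [GMT -5:00]
C:\WINDOWS\system32\svchost -k DcomLaunch
"\\.\globalroot\Device\svchost.exe\svchost.exe"
C:\WINDOWS\system32\ctfmon.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [libcore707en0setup.exe] c:\documents and settings\compaq_owner\application data\4f7f2ebd2bd24543f31f2ae5bcd90be2\libcore707en0setup.exe
uRun: [SE11] c:\program files\secess\SE11.exe
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
dRun: [SE11] c:\program files\secess\SE11.exe
mPolicies-system: EnableLUA = 0 (0x0)
LSP: winsock.dll
Trusted Zone: download-soft-package.com
Trusted Zone: get-key-se10.com
Trusted Zone: get-key-se10.com
2010-09-28 19:37:55 147 ----a-w- c:\docume~1\compaq~1\applic~1\jsdfgs.bat
"""

# Assumption: a short allowlist of LSP modules that are normal on XP. It is not
# exhaustive; "winsock.dll" (the 16-bit Winsock name) is not a normal LSP entry.
KNOWN_LSP = {"mswsock.dll", "winrnr.dll", "rsvpsp.dll"}
HEX32_DIR = re.compile(r"[\\/][0-9a-f]{32}[\\/]", re.I)
RUN_LINE = re.compile(r"^(uRun|mRun|dRun): \[([^\]]+)\] (.+)$")
USER_SCRIPT = re.compile(
    r"(application data|applic~1)[\\/][^\\/\s]+\.(bat|cmd|vbs|js)$", re.I)


def triage(log_text):
    """Return Findings for the DDS lines a helper would act on first."""
    findings = []
    seen_zones = set()
    run_hives = {}   # Run-key name -> set of hives (uRun/mRun/dRun) it appears in
    run_lines = {}   # Run-key name -> first line seen, kept as evidence
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        low = line.lower()
        # A process whose image lives under a raw device path is hiding from
        # normal path-based tools (this log's "\\.\globalroot\Device\svchost.exe").
        if "globalroot" in low:
            findings.append(Finding("globalroot_process", line))
            continue
        m = RUN_LINE.match(line)
        if m:
            hive, name, target = m.groups()
            run_hives.setdefault(name, set()).add(hive)
            run_lines.setdefault(name, line)
            t = target.lower()
            # Autostarts from a profile directory, especially a random-hex one.
            if HEX32_DIR.search(t) or "\\application data\\" in t:
                findings.append(Finding("run_key_in_user_data", line))
            continue
        if line.startswith("Trusted Zone: "):
            zone = line[len("Trusted Zone: "):].strip().lower()
            if zone and zone not in seen_zones:   # the log lists some twice
                seen_zones.add(zone)
                findings.append(Finding("trusted_zone", line))
            continue
        if line.startswith("LSP: "):
            module = line[len("LSP: "):].strip().lower()
            if module not in KNOWN_LSP:
                findings.append(Finding("lsp_unknown", line))
            continue
        # EnableLUA is inert on XP, but rogue AV installers still write it.
        if "enablelua" in low and "= 0" in low:
            findings.append(Finding("enablelua_disabled", line))
            continue
        if USER_SCRIPT.search(line):
            findings.append(Finding("script_in_appdata", line))
    # The same Run entry in both the current-user and the Default User hive
    # means something installed itself for every profile; rarely legitimate.
    for name, hives in run_hives.items():
        if "uRun" in hives and "dRun" in hives:
            findings.append(Finding("run_key_all_profiles", run_lines[name]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.category:24} {f.evidence}")
```

Every one of these findings maps to a step TimW took in the thread: the hex-named Application Data directory and `jsdfgs.bat` are deleted, the `SecEss` autostart is removed with the rogue "Antivirus 2010", and the `winsock.dll` LSP is what keeps throwing the "Bad Image" dialog after cleanup. The script only reads the text; it changes nothing on the machine.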
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Re: Something Disabling Network Connection and Not Allowing any virus removal or Malw

    Please uninstall Antivirus 2010. You may need to use a program such as UnLocker.

    Also uninstall your old Java:
    J2SE Runtime Environment 5.0 Update 6

    Now use windows explorer to find and delete:
    C:\Documents and Settings\Compaq_Owner\Application Data\4F7F2EBD2BD24543F31F2AE5BCD90BE2
    C:\Documents and Settings\Compaq_Owner\Application Data\jsdfgs.bat
    C:\Documents and Settings\All Users\Application Data\.wtav
    C:\Program Files\SecEss
    C:\Documents and Settings\Compaq_Owner\Application Data\4F7F2EBD2BD24543F31F2AE5BCD90BE2

    Now copy just the bold text below to notepad (Do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Now download and install:
    Java Runtime 6

    Now see if you can run any of the other scans.
     
    Last edited: Nov 8, 2010
  3. sdpullen

    sdpullen Private E-2

    Re: Something Disabling Network Connection and Not Allowing any virus removal or Malw

    Thank you for helping!
    I managed to get all of your instructions to work. I ran scans for SuperAntiSpyware, Malwarebytes, and ccleaner. I also installed the java update you instructed and it installed but I received the following error several times before it installed:

    jre-6u22-windows-i586-s.exe - Bad Image

    The application or DLL C:\WINDOWS\system3winsock.dll is not a valid Windows image. Please check this against your installation diskette.

    OK

    The following is the HiJackThis log:

    Logfile of Trend Micro HijackThis v2.0.4
     
    Last edited by a moderator: Nov 9, 2010
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Re: Something Disabling Network Connection and Not Allowing any virus removal or Malw

    Please attach the following logs:
    SAS
    MBAM
    C:\MGLogs.zip --> from running the C:\MGTools.exe
    ComboFix. --> if it will run. Make sure you have it downloaded to your desktop.
     
  5. sdpullen

    sdpullen Private E-2

    Re: Something Disabling Network Connection and Not Allowing any virus removal or Malw

    Here ya go!
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Re: Something Disabling Network Connection and Not Allowing any virus removal or Malw

    Can you tell me what this is:
    c:\program files\hjj

    Use windows explorer to find and delete:
    C:\SE11.lnk
    C:\WINDOWS\system32\drivers\oxbp.sys

    Now tell me what malware issues you are still having, if any.
     
  7. sdpullen

    sdpullen Private E-2

    Re: Something Disabling Network Connection and Not Allowing any virus removal or Malw

    hjj is what I renamed HiJackThis to so that I could maybe get it to run. After taking your steps, I finally got to reinstall it with the proper name and it worked. I have since deleted the hjj folder and contents.

    I'm not showing any more malware/spyware items. I have run a scan with Avast and it cleaned up 32 items. Those were:

    PUP: Win32:KillApp-W
    Win32:Agent-ALXE
    Win32:Shutdowner-CD

    I can now see the network connection as connected in the bottom right and it has an assigned ip address, gateway, etc. But still cannot surf with Explorer or Firefox.

    Also, I keep getting the winsock.dll error.
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Re: Something Disabling Network Connection and Not Allowing any virus removal or Malw

    These are issues you need to address in the software forum. But I would suggest that you first try uninstalling them both and after running CCleaner, reinstall them.

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They do not use any significant amount of resources (except a little disk space) until you run a scan. We recommend them for doing backup scans when you suspect a malware infection.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.


    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    10. After doing the above, you should work through the below link:



