
Something Disabling Network Connection and Not Allowing any virus removal or Malware program to run


This topic is locked
2 replies to this topic

#1 Derrick Pullen

  • Members
  • 1 posts

Posted 05 November 2010 - 01:02 PM

Hello All,

Where to start... Somehow one of my computers has obtained malware/spyware/virus, not really sure what. It will not connect to the modem (AT&T DSL, connected straight to the modem). I have unplugged and plugged a laptop into it and it works fine, so I know it's not the DSL causing the problem. There are other issues as well. First off, it will NOT let me run HijackThis and get a log file. I have tried in regular as well as safe mode, and it shuts the program down shortly after it opens. The same holds true for any virus or malware removal program that I install. I've even renamed the install file as well as the actual exe file for the programs and it does the same thing. I have tried the following programs and have gotten nowhere: HijackThis, SuperAntiSpyware, Malwarebytes, Glary Utilities, CCleaner, HostsXpert, Norman Malware Cleaner (program will start scan, then find something and immediately shut down), SDFix, and SmitFraudFix. In addition, when the computer boots up, the following 2 error messages pop up:
[image]
Followed by:
[image]

Any time one of the programs tries to open an explorer window it throws up this image, then shuts down:
[image]

And this is what pops up when you try to run any malware/virus program:
[image]

System is Windows XP Home SP3
Unable to obtain HJT log.
Here is the DDS Log:


DDS (Ver_10-11-03.01) - NTFSx86
Run by Compaq_Owner at 13:07:21.56 on Fri 11/05/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.958.647 [GMT -5:00]

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
"\\.\globalroot\Device\svchost.exe\svchost.exe"
svchost.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
"C:\WINDOWS\system32\svchost.exe"
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\wscntfy.exe
J:\Computer Utilities\dds.scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = iexplore
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
uRun: [libcore707en0setup.exe] c:\documents and settings\compaq_owner\application data\4f7f2ebd2bd24543f31f2ae5bcd90be2\libcore707en0setup.exe
uRun: [SE11] c:\program files\secess\SE11.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_06\bin\jusched.exe
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
dRun: [SE11] c:\program files\secess\SE11.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
LSP: winsock.dll
Trusted Zone: download-soft-package.com
Trusted Zone: download-software-package.com
Trusted Zone: fastestdeploy.com
Trusted Zone: get-key-se10.com
Trusted Zone: is-software-download.com
Trusted Zone: fastestdeploy.com
Trusted Zone: get-key-se10.com
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\compaq~1\applic~1\mozilla\firefox\profiles\cl7e14mt.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.att.net/
FF - plugin: c:\program files\common files\motive\npMotive.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
S3 5DE6C4AB;5DE6C4AB; [x]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\lavasoft\ad-aware\kernexplorer.sys --> c:\program files\lavasoft\ad-aware\KernExplorer.sys [?]
S3 NDISKIO;NDISKIO;c:\docume~1\compaq~1\locals~1\temp\00000dd1.nmc\nse\bin\ndiskio.sys [2010-11-5 24168]

=============== Created Last 30 ================

2010-11-05 17:06:02 -------- d-----w- c:\program files\Trend Micro
2010-11-05 16:13:11 578560 ----a-w- c:\windows\system32\dllcache\user32.dll
2010-11-05 16:04:11 -------- d-----w- c:\windows\ERUNT
2010-11-05 15:50:53 -------- d-----w- C:\SDFix
2010-11-05 15:48:33 1364 ----a-w- c:\windows\system32\tmp.reg
2010-11-05 15:30:13 93671752 ----a-w- C:\nmc.exe
2010-11-04 21:46:31 -------- d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-11-04 21:30:48 -------- d-----w- c:\docume~1\compaq~1\applic~1\Malwarebytes
2010-11-04 21:30:40 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-04 21:30:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-04 21:30:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-04 21:30:39 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-11-04 20:40:51 -------- d-----w- c:\docume~1\compaq~1\applic~1\SUPERAntiSpyware.com
2010-11-04 20:40:51 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-11-04 20:40:41 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-11-04 20:39:33 -------- d-----w- c:\program files\CCleaner
2010-11-04 20:27:31 -------- d-----w- c:\program files\Ask.com
2010-11-04 20:27:08 -------- d-----w- c:\program files\Glary Utilities
2010-10-19 02:15:34 6084944 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{303572e2-a7fe-4e35-a3f5-fd793a6518c2}\mpengine.dll
2010-10-19 02:10:08 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-10-11 13:32:21 -------- d-----w- C:\a6fab4046aeef1aefab431351cab4d

==================== Find3M ====================

2010-09-28 19:37:55 147 ----a-w- c:\docume~1\compaq~1\applic~1\jsdfgs.bat
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.1 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST380011A rev.8.11 -> \Device\Ide\IdePort0

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xF68B511B]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; PUSH EBX; PUSH ESI; PUSH EDI; CMP EAX, [0xf68b8888]; JNZ 0x1f; MOV EBX, [EBP+0xc]; CALL 0xfffffffffffffd3b; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x86308AB8]
3 CLASSPNP[0xF76D0FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x85A8F0D0]
\Driver\Disk[0x85FE7F38] -> IRP_MJ_CREATE -> 0xF68B511B
error: Read The system cannot find the file specified.
kernel: MBR read successfully
_asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB ; JMP FAR 0x7a0:0x5c; }
detected hooks:
\Device\Ide\IdeDeviceP2T0L0-12 -> \??\IDE#DiskST380011A_______________________________8.11____#4a3553564c523551202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
\Driver\atapi DriverStartIo -> 0x862F2A9F
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

Filesystem trace:
called modules: ntkrnlpa.exe hal.dll fltmgr.sys MpFilter.sys bb-run.sys sr.sys Ntfs.sys
c:\windows\system32\drivers\bb-run.sys Promise Technology, Inc. Promise® Disk Accelerator
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x85E69020]
3 fltmgr[0xF73ACE95] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x863081F0]
5 bb-run[0xF76E47E1] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x86381020]
7 sr[0xF739C870] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x863E16E0]
9 fltmgr[0xF73B96BD] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x86376020]
11 ntkrnlpa[0x8057F97D] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x85E69020]
13 fltmgr[0xF73AD098] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x863081F0]
15 bb-run[0xF76E1014] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x86381020]
17 sr[0xF7397453] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x863E16E0]
19 fltmgr[0xF73AD098] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x86376020]

Registry trace:
called modules: ntkrnlpa.exe hal.dll >>UNKNOWN [0x85BA43E0]<<
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x10; PUSH ESI; XOR ESI, ESI; CMP [0x85ba8030], ESI; JZ 0x13f; CALL [0x85ba701c]; }

============= FINISH: 13:09:02.71 ===============

Unable to run GMER. Does same thing as above programs.
Thank you for your assistance!

Edited by Derrick Pullen, 05 November 2010 - 01:15 PM.
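A triage check a helper would run mentally over the "Running Processes" section of a DDS log like the one above: flag Windows system binaries listed with no path, running from an unexpected directory, or launched through a `\\.\globalroot` device path (the pattern visible in the `svchost.exe` entries in this log). This is an added example, not code from the thread or from the DDS tool; the sample lines are copied from the posted log and embedded as constructed test input, and the set of system binaries checked is an assumption.

```python
"""Triage the 'Running Processes' section of a DDS log for system binaries
whose image path does not match where that binary should live.
Added example; sample input below is constructed from the log posted above."""
import re
from typing import Dict, List, Optional

# Assumption: these Windows binaries should only run from %SystemRoot% or System32.
SYSTEM_BINARIES = {"svchost.exe", "spoolsv.exe", "explorer.exe", "ctfmon.exe", "wscntfy.exe"}
LEGIT_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\")
GLOBALROOT = "\\\\.\\globalroot\\"

SAMPLE_DDS = r"""
============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
"\\.\globalroot\Device\svchost.exe\svchost.exe"
C:\WINDOWS\system32\spoolsv.exe

============== Pseudo HJT Report ===============
"""

def running_processes(log: str) -> List[str]:
    """Return the non-empty lines between the Running Processes header and the next section."""
    m = re.search(r"=+ Running Processes =+\n(.*?)\n=+", log, re.S)
    return [ln.strip() for ln in m.group(1).splitlines() if ln.strip()] if m else []

def triage(line: str) -> Optional[str]:
    """Return a reason if the process line looks suspicious, else None."""
    # Drop surrounding quotes and any "-k <group>" svchost argument, keep the image path.
    image = line.strip('"').split(" -k ")[0].strip().lower()
    name = image.rsplit("\\", 1)[-1]
    if image.startswith(GLOBALROOT):
        return "image launched via \\\\.\\globalroot device path (seen with TDL3/TDSS)"
    if name in SYSTEM_BINARIES and "\\" not in image:
        return "system binary listed without a full path (image may be hidden from enumeration)"
    if name in SYSTEM_BINARIES and not image.startswith(LEGIT_DIRS):
        return "system binary running from an unexpected directory"
    return None

def suspicious_processes(log: str) -> Dict[str, str]:
    """Map each flagged process line to the reason it was flagged."""
    return {ln: r for ln in running_processes(log) if (r := triage(ln))}

if __name__ == "__main__":
    for proc, why in suspicious_processes(SAMPLE_DDS).items():
        print(f"{proc}\n    -> {why}")
```

On the posted log this flags exactly the bare `svchost.exe` entry and the `\\.\globalroot\Device\svchost.exe\svchost.exe` entry, while the legitimate System32 instances pass.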


#2 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 10 November 2010 - 04:38 PM

Hello Derrick Pullen,

Sorry for the delay. :( If you still need help, please post a new DDS/HijackThis log and I'll be happy to look at it. :)

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 14 November 2010 - 01:23 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.