
Cannot access Microsoft websites or any anti virus websites.

Discussion in 'Virus & Other Malware Removal' started by sidrvr04, Jul 14, 2010.

Thread Status:
Not open for further replies.
  1. sidrvr04

    sidrvr04 Thread Starter

    Joined:
    Jul 14, 2010
    Messages:
    7
    Hello all,
    I am new here and have searched around, but have only found old threads concerning my problem. I cannot access any Microsoft websites or antivirus websites. Any help would be appreciated. I have gone through download.com to use HijackThis. I just re-installed my operating system tonight, which is Windows XP.
    Here is my log file:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:29:54 AM, on 7/14/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\IFXSPMGT.exe
    C:\WINDOWS\system32\IFXTCS.exe
    C:\Program Files\Broadcom\Security Platform Software\PSDsrvc.EXE
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\Broadcom\Security Platform Software\SpTNA.exe
    C:\Program Files\Broadcom\Security Platform Software\PSDrt.EXE
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Apoint\HidFind.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
    C:\WINDOWS\system32\IfxUAGUI.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Program Files\uTorrent\uTorrent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O3 - Toolbar: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
    O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [IfxSecurePlatformIndication] C:\Program Files\Broadcom\Security Platform Software\SpTNA.exe
    O4 - HKLM\..\Run: [PSDruntime] C:\Program Files\Broadcom\Security Platform Software\PSDrt.EXE
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\RunOnce: [Uninstall Adobe Download Manager] "C:\WINDOWS\system32\rundll32.exe" "C:\Program Files\NOS\bin\getPlus_Helper.dll",Uninstall /IE2883E8F-472F-4fb0-9522-AC9BF37916A7 /Get1noarp
    O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O20 - Winlogon Notify: PSDNtfy - C:\Program Files\Broadcom\Security Platform Software\PSDNtfy.dll
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - C:\WINDOWS\system32\IFXSPMGT.exe
    O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - C:\WINDOWS\system32\IFXTCS.exe
    O23 - Service: Personal Secure Drive Service (PersonalSecureDriveService) - Broadcom - C:\Program Files\Broadcom\Security Platform Software\PSDsrvc.EXE
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    --
    End of file - 4092 bytes
     
  2. Rorschach112

    Rorschach112 Malware Specialist

    Joined:
    Oct 12, 2008
    Messages:
    2,392
    Download ComboFix here :

    Link 1
    Link 2


    * IMPORTANT !!! Save ComboFix.exe to your Desktop


    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Here is a guide on how to disable them

      Click me

    • Double click on ComboFix.exe & follow the prompts.

    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


    [screenshot]


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    [screenshot]


    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.
     
  3. sidrvr04

    sidrvr04 Thread Starter

    Joined:
    Jul 14, 2010
    Messages:
    7
    here is the log you requested. Thank you again for your help.
     

    Attached Files:

  4. Rorschach112

    Rorschach112 Malware Specialist

    Joined:
    Oct 12, 2008
    Messages:
    2,392
    don't attach the logs


    Open notepad and copy/paste the text in the quotebox below into it:

    Code:
    http://forums.techguy.org/virus-other-malware-removal/935552-cannot-access-microsoft-websites-any.html
    
    Collect::
    c:\windows\system32\veleyhg.dll
    
    Driver::
    qhcgtcve
    
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "2638:TCP"=-
    KillAll::
    
    NetSvc::
    qhcgtcve
    Suspect::
    Save this as CFScript.txt


    [screenshot]

    Referring to the picture above, drag CFScript.txt into ComboFix.exe

    When finished, it shall produce a log for you. Post that log in your next reply.

    **Note**

    When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
    • Ensure you are connected to the internet and click OK on the message box.
     
  5. sidrvr04

    sidrvr04 Thread Starter

    Joined:
    Jul 14, 2010
    Messages:
    7
    Here are the new logs

    ComboFix 10-07-14.01 - Brandon 07/14/2010 18:59:56.2.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.216 [GMT -4:00]
    Running from: c:\documents and settings\Brandon\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Brandon\Desktop\cfscript.txt

    file zipped: c:\windows\system32\veleyhg.dll
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\veleyhg.dll

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_QHCGTCVE
    -------\Service_qhcgtcve


    ((((((((((((((((((((((((( Files Created from 2010-06-14 to 2010-07-14 )))))))))))))))))))))))))))))))
    .

    2010-07-14 22:49 . 2010-07-14 22:50 -------- d-----w- c:\documents and settings\Brandon\Local Settings\Application Data\Adobe
    2010-07-14 22:48 . 2010-07-14 22:49 -------- d-----w- c:\program files\Common Files\Adobe
    2010-07-14 03:58 . 2010-07-14 03:58 -------- d-----w- c:\program files\Trend Micro
    2010-07-14 03:52 . 2010-07-14 03:52 -------- d-----w- c:\program files\VideoLAN
    2010-07-14 03:45 . 2010-07-14 04:23 -------- d-----w- c:\program files\Ask.com
    2010-07-14 03:45 . 2010-07-14 03:45 -------- d-----w- c:\program files\uTorrent
    2010-07-14 03:45 . 2010-07-14 23:03 -------- d-----w- c:\documents and settings\Brandon\Application Data\uTorrent
    2010-07-14 03:40 . 2010-07-14 03:40 -------- d-----w- C:\Security Platform
    2010-07-14 03:31 . 2010-07-14 03:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Infineon
    2010-07-14 03:24 . 2010-07-14 03:24 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Infineon
    2010-07-14 03:18 . 2010-07-14 03:18 0 ----a-w- c:\windows\nsreg.dat
    2010-07-14 03:18 . 2010-07-14 03:18 -------- d-----w- c:\documents and settings\Brandon\Local Settings\Application Data\Mozilla
    2010-07-14 02:57 . 2010-07-14 02:57 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
    2010-07-14 02:49 . 2010-07-14 02:49 -------- d-s---w- c:\documents and settings\Brandon\UserData
    2010-07-14 02:29 . 2006-09-15 20:49 139264 ----a-w- c:\windows\system32\igfxres.dll
    2010-07-14 02:29 . 2010-07-14 02:29 -------- d-----w- c:\documents and settings\Brandon\Application Data\Infineon
    2010-07-14 02:28 . 2006-04-06 19:49 88192 ----a-w- c:\windows\system32\drivers\gtipci21.sys
    2010-07-14 02:28 . 2004-03-23 15:45 28672 ----a-w- c:\windows\cttib1.dll
    2010-07-14 02:27 . 2010-07-14 02:27 -------- d-----w- c:\windows\tiinst
    2010-07-14 02:21 . 2010-07-14 02:22 -------- d-----w- c:\program files\Apoint
    2010-07-14 02:21 . 2005-09-29 00:57 113847 ----a-r- c:\windows\system32\drivers\Apfiltr.sys
    2010-07-14 02:21 . 2005-03-05 00:31 95511 ----a-r- c:\windows\system32\Vxdif.dll
    2010-07-14 02:13 . 2010-07-14 02:13 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Intel
    2010-07-14 02:13 . 2010-07-14 02:13 -------- d-----w- c:\documents and settings\LocalService\Application Data\Intel
    2010-07-14 02:13 . 2010-07-14 02:13 -------- d-----w- c:\documents and settings\Brandon\Application Data\Intel
    2010-07-14 02:13 . 2010-07-14 02:13 21425 ----a-w- c:\windows\system32\drivers\AegisP.sys
    2010-07-14 02:12 . 2010-07-14 02:12 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Intel
    2010-07-14 02:12 . 2010-07-14 02:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Intel
    2010-07-14 02:12 . 2007-02-12 15:41 2732032 ----a-w- c:\windows\system32\Netw2r32.dll
    2010-07-14 02:12 . 2007-02-12 15:40 557056 ----a-w- c:\windows\system32\Netw2c32.dll
    2010-07-14 02:12 . 2007-02-08 17:51 2209408 ----a-w- c:\windows\system32\drivers\w29n51.sys
    2010-07-14 02:12 . 2010-07-14 02:12 -------- d-----w- c:\program files\Intel
    2010-07-14 02:11 . 2010-07-14 02:28 -------- dc----w- c:\windows\system32\DRVSTORE
    2010-07-14 02:11 . 2006-05-10 19:00 156160 -c--a-w- c:\windows\system32\dllcache\b57xp32.sys
    2010-07-14 02:11 . 2006-05-10 19:00 156160 ----a-w- c:\windows\system32\drivers\b57xp32.sys
    2010-07-14 02:11 . 2010-07-14 02:25 -------- d-----w- c:\program files\Broadcom
    2010-07-14 02:10 . 2010-07-14 02:10 -------- d-----w- c:\program files\CONEXANT
    2010-07-14 02:10 . 2005-05-03 19:09 1033728 ----a-w- c:\windows\system32\drivers\HSF_DPV.SYS
    2010-07-14 02:10 . 2005-05-03 19:08 208384 ----a-w- c:\windows\system32\drivers\HSFHWICH.sys
    2010-07-14 02:10 . 2005-05-03 19:08 705408 ----a-w- c:\windows\system32\drivers\HSF_CNXT.sys
    2010-07-14 02:10 . 2005-02-23 19:02 42858 ----a-w- c:\windows\system32\hsfci014.dll
    2010-07-14 02:10 . 2004-03-17 16:04 13059 ----a-w- c:\windows\system32\drivers\mdmxsdk.sys
    2010-07-14 02:10 . 2004-03-17 16:00 86016 ----a-w- c:\windows\system32\mdmxsdk.dll
    2010-07-14 02:06 . 2010-07-14 02:24 -------- d-----w- c:\program files\Common Files\InstallShield
    2010-07-14 02:06 . 2010-07-14 02:06 -------- d-----w- C:\dell
    2010-07-14 02:06 . 2008-04-14 04:15 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
    2010-07-14 02:04 . 2010-07-14 02:04 12328 ----a-w- c:\documents and settings\Brandon\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-07-14 02:02 . 2010-07-14 02:02 -------- d-s---w- c:\windows\system32\Microsoft
    2010-07-14 02:02 . 2010-07-14 02:02 -------- d-sh--w- c:\documents and settings\LocalService
    2010-07-14 02:02 . 2010-07-14 02:02 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Microsoft
    2010-07-14 02:01 . 2010-07-14 02:01 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Microsoft
    2010-07-14 02:01 . 2010-07-14 02:01 -------- d-sh--w- c:\documents and settings\NetworkService

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-07-14 03:02 . 2010-07-14 03:01 115792 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
    2010-07-14 03:02 . 2010-07-14 01:56 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
    2010-07-14 02:21 . 2010-07-14 02:07 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-07-14 02:07 . 2010-07-14 02:07 -------- d-----w- c:\program files\SigmaTel
    2010-07-14 01:58 . 2010-07-14 01:58 -------- d-----w- c:\program files\microsoft frontpage
    2010-07-14 01:54 . 2010-07-14 01:54 21640 ----a-w- c:\windows\system32\emptyregdb.dat
    2010-06-09 08:06 . 2010-06-09 08:06 976832 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\8.2\ARM\25097\AdobeARM.exe
    2010-06-09 08:06 . 2010-06-09 08:06 70584 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\8.2\ARM\25097\AdobeExtractFiles.dll
    2010-06-09 08:06 . 2010-06-09 08:06 331176 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\8.2\ARM\25097\ReaderUpdater.exe
    2010-06-09 08:06 . 2010-06-09 08:06 331176 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\8.2\ARM\25097\AcrobatUpdater.exe
    .

    (((((((((((((((((((((((((((((   SnapShot@2010-07-14_22.08.43   )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-12-18 09:05 . 2009-12-18 09:05 16832 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7448A0200000030\8.2.0\ViewerPS.dll
    + 2009-12-18 12:58 . 2009-12-18 12:58 40368 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7448A0200000030\8.2.0\reader_sl.exe
    + 2009-12-18 09:05 . 2009-12-18 09:05 67016 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7448A0200000030\8.2.0\PDFPrevHndlrShim.exe
    + 2009-12-18 09:04 . 2009-12-18 09:04 83376 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7448A0200000030\8.2.0\PDFPrevHndlr.dll
    + 2009-12-18 06:43 . 2009-12-18 06:43 95672 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7448A0200000030\8.2.0\nppdf32.dll
    + 2009-12-18 06:57 . 2009-12-18 06:57 13752 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7448A0200000030\8.2.0\AcroRd32Info.exe
    + 2009-12-18 06:16 . 2009-12-18 06:16 65536 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7448A0200000030\8.2.0\Acrofx32.dll
    + 2006-06-05 18:14 . 2006-06-05 18:14 626688 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcr80.dll
    + 2006-06-05 18:14 . 2006-06-05 18:14 548864 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcp80.dll
    + 2006-06-05 18:14 . 2006-06-05 18:14 479232 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcm80.dll
    + 2010-07-14 22:49 . 2010-07-14 22:53 295606 c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A82000000003}\SC_Reader.exe
    + 2009-12-18 06:51 . 2009-12-18 06:51 372736 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7448A0200000030\8.2.0\pdfshell.dll
    + 2009-11-10 02:34 . 2009-11-10 02:34 448512 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7448A0200000030\8.2.0\JP2KLib.dll
    + 2009-12-18 06:14 . 2009-12-18 06:14 140728 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7448A0200000030\8.2.0\AdobeUpdateCheck.exe
    + 2009-12-18 08:55 . 2009-12-18 08:55 738776 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7448A0200000030\8.2.0\AdobeCollabSync.exe
    + 2009-12-18 07:21 . 2009-12-18 07:21 112048 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7448A0200000030\8.2.0\AcroRdIF.dll
    + 2009-12-18 12:58 . 2009-12-18 12:58 345520 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7448A0200000030\8.2.0\AcroRd32.exe
    + 2009-12-18 06:17 . 2009-12-18 06:17 632240 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7448A0200000030\8.2.0\AcroPDF.dll
    + 2010-07-14 22:50 . 2010-07-14 22:50 7220736 c:\windows\Installer\41a982a.msp
    + 2010-07-14 22:51 . 2010-07-14 22:51 3906560 c:\windows\Installer\41a9829.msp
    + 2010-07-14 22:49 . 2010-07-14 22:49 4272128 c:\windows\Installer\41a975f.msi
    + 2009-12-18 06:16 . 2009-12-18 06:16 1949696 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7448A0200000030\8.2.0\rt3d.dll
    + 2009-12-18 12:30 . 2009-12-18 12:30 13313464 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7448A0200000030\8.2.0\AcroRd32.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-07-14 322352]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
    "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
    "Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
    "IfxSecurePlatformIndication"="c:\program files\Broadcom\Security Platform Software\SpTNA.exe" [2005-03-11 114688]
    "PSDruntime"="c:\program files\Broadcom\Security Platform Software\PSDrt.EXE" [2005-03-11 81920]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2006-09-15 94208]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-09-15 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2006-09-15 118784]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-06-17 40368]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IfxWlxEN]
    2005-03-11 15:05 360448 ----a-w- c:\windows\system32\IfxWlxEN.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PSDNtfy]
    2005-03-11 14:43 45056 ----a-w- c:\program files\Broadcom\Security Platform Software\PSDNtfy.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=

    R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [3/11/2005 10:43 AM 29283]
    R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [7/13/2010 10:28 PM 88192]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-07-14 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
    - c:\program files\Ask.com\UpdateTask.exe [2010-02-04 20:50]
    .
    .
    ------- Supplementary Scan -------
    .
    FF - ProfilePath - c:\documents and settings\Brandon\Application Data\Mozilla\Firefox\Profiles\rxpqamfg.default\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-07-14 19:03
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    c:\windows\system32\wuapi.dll.mui
    c:\windows\system32\wuapi.dll.wusetup.104062.bak 430592 bytes executable
    c:\windows\system32\wuauclt.exe.wusetup.104640.bak 111104 bytes executable
    c:\windows\system32\wuaucpl.cpl.mui 15072 bytes executable
    c:\windows\system32\wuaucpl.cpl.wusetup.105890.bak 162304 bytes executable
    c:\windows\system32\wuaueng.dll.mui 17632 bytes executable
    c:\windows\system32\wuaueng.dll.wusetup.106453.bak 1135616 bytes executable
    c:\windows\system32\wucltui.dll.mui 21728 bytes executable

    scan completed successfully
    hidden files: 8

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(848)
    c:\program files\Broadcom\Security Platform Software\PSDNtfy.dll
    c:\windows\system32\IfxWlxEN.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Intel\Wireless\Bin\EvtEng.exe
    c:\program files\Intel\Wireless\Bin\S24EvMon.exe
    c:\program files\Intel\Wireless\Bin\WLKeeper.exe
    c:\windows\System32\SCardSvr.exe
    c:\windows\system32\IFXSPMGT.exe
    c:\windows\system32\IFXTCS.exe
    c:\program files\Broadcom\Security Platform Software\PSDsrvc.EXE
    c:\program files\Intel\Wireless\Bin\RegSrvc.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\Apoint\HidFind.exe
    c:\program files\Apoint\Apntex.exe
    c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
    c:\windows\system32\IfxUAGUI.exe
    .
    **************************************************************************
    .
    Completion time: 2010-07-14 19:05:57 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-07-14 23:05
    ComboFix2.txt 2010-07-14 22:09

    Pre-Run: 32,605,016,064 bytes free
    Post-Run: 32,565,379,072 bytes free

    - - End Of File - - AB7ABD834715C903072A4345F4A55C4B
     
  6. sidrvr04

    sidrvr04 Thread Starter

    Joined:
    Jul 14, 2010
    Messages:
    7
    I think the problem has been fixed! Thank you guys very much! Just out of curiosity, what the heck did I just do?
     
  7. sidrvr04

    sidrvr04 Thread Starter

    Joined:
    Jul 14, 2010
    Messages:
    7
    OK, never mind. I thought it was fixed but it's not... I did access microsoft.com and avg.com for a few minutes, and then I was working with some files and moving them off of this computer and onto my other one, and now it isn't working anymore. I have not opened any files though...
     
  8. Rorschach112

    Rorschach112 Malware Specialist

    Joined:
    Oct 12, 2008
    Messages:
    2,392
    Download the GMER Rootkit Scanner. Unzip it to your Desktop.

    Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
    • Double click GMER.exe.
      [screenshot]
    • If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
    • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)
        [screenshot]
    • Then click the Scan button & wait for it to finish.
    • Once done click on the [Save..] button, and in the File name area, type in "ark.txt"
    • Save the log where you can easily find it, such as your desktop.
    **Caution**
    Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

    Please copy and paste the report into your Post.
     
  9. sidrvr04

    sidrvr04 Thread Starter

    Joined:
    Jul 14, 2010
    Messages:
    7
    here it is

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-07-15 13:24:25
    Windows 5.1.2600 Service Pack 3
    Running: gmer.exe; Driver: C:\DOCUME~1\Brandon\LOCALS~1\Temp\pwloypod.sys


    ---- User code sections - GMER 1.0.15 ----

    .text C:\Program Files\Mozilla Firefox\firefox.exe[1300] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2512] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 104505FE C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

    ---- Services - GMER 1.0.15 ----

    Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] tighvljwb <-- ROOTKIT !!!

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\tighvljwb@DisplayName mpocxmg
    Reg HKLM\SYSTEM\CurrentControlSet\Services\tighvljwb@Type 32
    Reg HKLM\SYSTEM\CurrentControlSet\Services\tighvljwb@Start 2
    Reg HKLM\SYSTEM\CurrentControlSet\Services\tighvljwb@ErrorControl 0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\tighvljwb@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
    Reg HKLM\SYSTEM\CurrentControlSet\Services\tighvljwb@ObjectName LocalSystem
    Reg HKLM\SYSTEM\CurrentControlSet\Services\tighvljwb@Description Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped.
    Reg HKLM\SYSTEM\CurrentControlSet\Services\tighvljwb\Parameters
    Reg HKLM\SYSTEM\CurrentControlSet\Services\tighvljwb\Parameters@ServiceDll C:\WINDOWS\system32\veleyhg.dll
    Reg HKLM\SYSTEM\ControlSet002\Services\tighvljwb@DisplayName mpocxmg
    Reg HKLM\SYSTEM\ControlSet002\Services\tighvljwb@Type 32
    Reg HKLM\SYSTEM\ControlSet002\Services\tighvljwb@Start 2
    Reg HKLM\SYSTEM\ControlSet002\Services\tighvljwb@ErrorControl 0
    Reg HKLM\SYSTEM\ControlSet002\Services\tighvljwb@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
    Reg HKLM\SYSTEM\ControlSet002\Services\tighvljwb@ObjectName LocalSystem
    Reg HKLM\SYSTEM\ControlSet002\Services\tighvljwb@Description Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped.
    Reg HKLM\SYSTEM\ControlSet002\Services\tighvljwb\Parameters (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\tighvljwb\Parameters@ServiceDll C:\WINDOWS\system32\veleyhg.dll

    ---- Files - GMER 1.0.15 ----

    File C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\indexd.dat 0 bytes
    File C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPC.tmp 0 bytes

    ---- EOF - GMER 1.0.15 ----
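The GMER log above shows the shape of this infection: a service (tighvljwb) that is hidden from the service API, is hosted by svchost.exe in the netsvcs group, loads a randomly named DLL from system32 through Parameters\ServiceDll, and carries a Description copied verbatim from the real Eventlog service. The earlier CFScript removed the same shape under Driver::/NetSvc:: (qhcgtcve, same veleyhg.dll), and the service came back under a new name. The following is an added example, not code from the thread or from GMER: it parses GMER "Services" and "Registry" lines and applies those three checks. The sample log is constructed (the tighvljwb lines mirror the ones posted, with the standard service value names; the BITS entry is added only for contrast), and the svchost DLL allowlist is an illustrative fragment, not a complete reference.

```python
"""Triage GMER 'Services' / 'Registry' lines for svchost-hosted service DLLs.

Added example; the sample log below is constructed, not the poster's file.
"""
import re

SAMPLE_GMER = r"""
---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] tighvljwb <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\tighvljwb@DisplayName mpocxmg
Reg HKLM\SYSTEM\CurrentControlSet\Services\tighvljwb@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\tighvljwb@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\tighvljwb@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\tighvljwb@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\tighvljwb@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\tighvljwb@Description Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped.
Reg HKLM\SYSTEM\CurrentControlSet\Services\tighvljwb\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\tighvljwb\Parameters@ServiceDll C:\WINDOWS\system32\veleyhg.dll
Reg HKLM\SYSTEM\ControlSet002\Services\tighvljwb\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\tighvljwb\Parameters@ServiceDll C:\WINDOWS\system32\veleyhg.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\BITS@DisplayName Background Intelligent Transfer Service
Reg HKLM\SYSTEM\CurrentControlSet\Services\BITS@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\BITS@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\BITS@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\BITS\Parameters@ServiceDll %SystemRoot%\system32\qmgr.dll
"""

# Descriptions of real built-in services that malware copies verbatim. Only the one
# seen in this thread is listed; extend it from a clean reference machine.
BUILTIN_DESCRIPTIONS = {
    "Eventlog": ("Enables event log messages issued by Windows-based programs and "
                 "components to be viewed in Event Viewer. This service cannot be stopped."),
}

# Illustrative, deliberately incomplete allowlist of DLLs svchost legitimately hosts on XP.
KNOWN_SVCHOST_DLLS = {"qmgr.dll", "wuauserv.dll", "dnsrslvr.dll", "browser.dll"}

SERVICE_RE = re.compile(
    r"^Service\s+(?P<image>.+?)\s+\(\*\*\* hidden \*\*\* \)\s+\[(?P<start>\w+)\]\s+(?P<name>\S+)"
)
REG_RE = re.compile(
    r"^Reg\s+HKLM\\SYSTEM\\(?P<cs>[^\\]+)\\Services\\(?P<svc>[^\\@\s]+)"
    r"(?P<sub>(?:\\[^\\@\s]+)*)"
    r"(?:@(?P<val>\w+)\s+(?P<data>.*?))?"
    r"(?:\s*\(not active ControlSet\))?$"
)


def parse_gmer(text):
    """Return (hidden_service_names, {service: {'values': {...}, 'params': {...}}})."""
    hidden, services = set(), {}
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            hidden.add(m.group("name"))
            continue
        m = REG_RE.match(line)
        if not m or m.group("cs") != "CurrentControlSet":
            continue  # only the active control set matters for what runs now
        svc = services.setdefault(m.group("svc"), {"values": {}, "params": {}})
        if m.group("val"):
            bucket = "params" if m.group("sub").lower() == r"\parameters" else "values"
            svc[bucket][m.group("val")] = m.group("data")
    return hidden, services


def triage(text):
    """Map each service to the reasons it deserves a closer look ([] means nothing found)."""
    hidden, services = parse_gmer(text)
    report = {}
    for name, svc in services.items():
        notes = []
        if name in hidden:
            notes.append("hidden from the service control manager API")
        desc = svc["values"].get("Description")
        for builtin, builtin_desc in BUILTIN_DESCRIPTIONS.items():
            if desc == builtin_desc and name.lower() != builtin.lower():
                notes.append(f"description copied from built-in service {builtin}")
        image = svc["values"].get("ImagePath", "")
        dll = svc["params"].get("ServiceDll")
        host = re.search(r"svchost\.exe\s+-k\s+(\S+)", image, re.IGNORECASE)
        if host and dll and dll.rsplit("\\", 1)[-1].lower() not in KNOWN_SVCHOST_DLLS:
            notes.append(f"svchost group {host.group(1)} loads unrecognised ServiceDll {dll}")
        report[name] = notes
    return report


if __name__ == "__main__":
    for name, notes in triage(SAMPLE_GMER).items():
        print(name, "->", notes or "ok")
```

The allowlist check is the weakest of the three on its own (a partial list produces noise on a real machine), so treat it as a prompt to verify the DLL's signature and hash rather than as a verdict; the hidden-service and cloned-description checks are the ones that match what the thread's removal script acted on.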
     
  10. Rorschach112

    Rorschach112 Malware Specialist

    Joined:
    Oct 12, 2008
    Messages:
    2,392
    What external media have you used on this PC lately? Whatever it is, it is infected and needs to be formatted.


    1. Please download The Avenger by Swandog46 to your Desktop.
    • Right click on the Avenger.zip folder and select "Extract All..."
    • Follow the prompts and extract the Avenger folder to your desktop
    • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
    2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

    Code:
    Begin copying here:
    
    Drivers to delete:
    tighvljwb
    Files to delete:
    C:\WINDOWS\system32\veleyhg.dll

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


    3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
    • Right click on the window under Input script here:, and select Paste.
    • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
    • Click on Execute
    • Answer "Yes" twice when prompted.
    4. The Avenger will automatically do the following:
    • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
    • On reboot, it will briefly open a black command window on your desktop, this is normal.
    • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
    • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
    5. Please copy/paste the content of c:\avenger.txt into your reply
     
  11. sidrvr04

    sidrvr04 Thread Starter

    Joined:
    Jul 14, 2010
    Messages:
    7
    Would all of the items that are stored on the external media be infected also? I have only used a few thumb drives on this system since I re-installed XP. Thank you again for your help.



    Logfile of The Avenger Version 2.0, (c) by Swandog46
    http://swandog46.geekstogo.com

    Platform: Windows XP

    *******************

    Script file opened successfully.
    Script file read successfully.

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    Rootkit scan active.
    No rootkits found!

    Driver "tighvljwb" deleted successfully.

    Error: file "C:\WINDOWS\system32\veleyhg.dll" not found!
    Deletion of file "C:\WINDOWS\system32\veleyhg.dll" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist


    Completed script processing.

    *******************

    Finished! Terminate.
     
  12. Rorschach112

    Rorschach112 Malware Specialist

    Joined:
    Oct 12, 2008
    Messages:
    2,392
    No, you can take the files off the external media so that you have a backup, but you need to format it after that is done.
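The advice above is to copy the data off the thumb drives and then format them. Before copying anything off, it is worth seeing what the drive would have launched. The thread does not say how the drives were infected; the following added example (not from the thread or from any of the tools used in it) assumes the XP-era autorun.inf mechanism, parses the [autorun] section for the keys that make Explorer run something (open=, shellexecute=, shell\<verb>\command=), checks whether those targets exist on the drive, and lists loose executables at the root. The sample drive it builds in a temporary directory is constructed for the example.

```python
"""Inspect a removable drive's root before copying files off it.

Added example. Assumes autorun.inf-style propagation (the thread does not
identify the mechanism) and builds a constructed sample drive to run against.
"""
import os
import tempfile

EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}


def parse_autorun(text):
    """Return {key: value} from the [autorun] section; keys lower-cased, other sections ignored."""
    entries, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_commands(entries):
    """Keys that make the shell run something: open=, shellexecute=, shell\\<verb>\\command=."""
    return [(k, v) for k, v in entries.items()
            if k in ("open", "shellexecute")
            or (k.startswith("shell\\") and k.endswith("\\command"))]


def _first_token(cmd):
    """Program part of a command line, honouring a quoted path with spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"') and cmd.count('"') >= 2:
        return cmd[1:cmd.index('"', 1)]
    return cmd.split()[0] if cmd else ""


def _to_local(root, win_relpath):
    """Map a drive-relative Windows path (backslashes) onto the mounted root."""
    parts = [p for p in win_relpath.replace("\\", "/").split("/") if p]
    return os.path.join(root, *parts) if parts else root


def scan_removable_root(root):
    """Report autorun launch targets and loose executables at the root of a drive."""
    report = {"autorun_commands": [], "root_executables": []}
    inf = os.path.join(root, "autorun.inf")
    if os.path.isfile(inf):
        with open(inf, encoding="utf-8", errors="replace") as fh:
            entries = parse_autorun(fh.read())
        for key, cmd in launch_commands(entries):
            target = _to_local(root, _first_token(cmd))
            report["autorun_commands"].append(
                {"key": key, "command": cmd, "target_exists": os.path.isfile(target)})
    for name in sorted(os.listdir(root)):
        if os.path.splitext(name)[1].lower() in EXECUTABLE_EXT:
            report["root_executables"].append(name)
    return report


def build_sample_drive():
    """Constructed sample: a drive whose autorun.inf points into a fake RECYCLER folder."""
    root = tempfile.mkdtemp(prefix="usb_")
    payload_dir = os.path.join(root, "RECYCLER", "S-1-5-21-0-0-0-500")
    os.makedirs(payload_dir)
    with open(os.path.join(payload_dir, "setup.exe"), "wb") as fh:
        fh.write(b"MZ")  # placeholder bytes, not a real program
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write("[autorun]\n"
                 "open=RECYCLER\\S-1-5-21-0-0-0-500\\setup.exe\n"
                 "shell\\open\\command=RECYCLER\\S-1-5-21-0-0-0-500\\setup.exe\n"
                 "shell\\explore\\command=RECYCLER\\S-1-5-21-0-0-0-500\\setup.exe\n"
                 "icon=%SystemRoot%\\system32\\shell32.dll,4\n")
    with open(os.path.join(root, "holiday photos.exe"), "wb") as fh:
        fh.write(b"MZ")
    with open(os.path.join(root, "thesis.docx"), "wb") as fh:
        fh.write(b"PK")
    return root


if __name__ == "__main__":
    print(scan_removable_root(build_sample_drive()))
```

Run it from a machine that does not honour autorun (or with the drive mounted read-only), copy only the documents you recognise, and then format the drive as the thread advises; the shell\open\command and shell\explore\command keys are what turn a double-click or a right-click "Explore" on the drive into a launch of the payload, so a clean-looking file listing is not evidence the drive is safe.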
     

Short URL to this thread: https://techguy.org/935552
