Author Topic: [Inactive] possible malware - no wireless internet, network suddenly "hidden"  (Read 3212 times)

Offline littleghoul

  • Bronze Member
  • Posts: 16
I didn't do anything to my computer - but I think combofix has stalled.  It has been at "completed stage 4" for an hour.  What should I do, is there any way to restart it?

BTW - it was quite a chore to disable all the norton stuff.  The simple turn off that was explained where I got the combofix didn't even scratch the surface of the things that were "active".  I'm pretty sure I got everything turned off.  Don't know if maybe I missed something and if that could be causing the stall.

Offline Hoov

  • Malware Removal Mentors
  • Global Moderator
  • Diamond Member
  • Posts: 25526
  • Unwilling part owner of Gov't. Motors and Chrysler
    • Hoov's Personal Site
Use the power button to turn off the computer. Then reboot into safe mode and then run combofix from there.

Consumer Security

If I am helping you and you don't hear from me for 24Hrs, send me a PM Please!

Offline littleghoul

OK, here's the log file from combofix


ComboFix 12-02-25.02 - TeamSkeie 02/26/2012  12:43:02.2.2 - x64 MINIMAL
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3835.2854 [GMT -8:00]
Running from: c:\users\TeamSkeie\Desktop\ComboFix.exe
AV: Norton Security Suite *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Security Suite *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Security Suite *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\TeamSkeie\g2mdlhlpx.exe
c:\windows\system32\drivers\etc\hosts.ics
.
.
(((((((((((((((((((((((((   Files Created from 2012-01-26 to 2012-02-26  )))))))))))))))))))))))))))))))
.
.
2012-02-26 20:50 . 2012-02-26 20:50   --------   d-----w-   c:\users\Default\AppData\Local\temp
2012-02-26 04:30 . 2012-02-26 04:30   --------   d-----w-   c:\users\TeamSkeie\AppData\Roaming\Malwarebytes
2012-02-26 04:30 . 2012-02-26 04:30   --------   d-----w-   c:\programdata\Malwarebytes
2012-02-26 04:30 . 2011-12-10 23:24   23152   ----a-w-   c:\windows\system32\drivers\mbam.sys
2012-02-26 04:30 . 2012-02-26 04:30   --------   d-----w-   c:\program files (x86)\Malwarebytes' Anti-Malware
2012-02-24 20:30 . 2011-09-23 01:18   89960   ----a-w-   c:\windows\SysWow64\SQSRVRES.DLL
2012-02-24 20:30 . 2011-09-23 01:18   73064   ----a-w-   c:\windows\SysWow64\perf-MSSQL$MSSMLBIZ-sqlctr10.3.5500.0.dll
2012-02-24 19:48 . 2011-12-30 06:26   515584   ----a-w-   c:\windows\system32\timedate.cpl
2012-02-24 19:48 . 2011-12-30 05:27   478720   ----a-w-   c:\windows\SysWow64\timedate.cpl
2012-02-24 19:48 . 2011-12-28 03:59   498688   ----a-w-   c:\windows\system32\drivers\afd.sys
2012-02-24 19:48 . 2012-01-04 10:44   509952   ----a-w-   c:\windows\system32\ntshrui.dll
2012-02-24 19:48 . 2012-01-04 08:58   442880   ----a-w-   c:\windows\SysWow64\ntshrui.dll
2012-02-24 19:48 . 2012-01-14 04:06   3145728   ----a-w-   c:\windows\system32\win32k.sys
2012-02-24 19:46 . 2011-12-16 08:46   634880   ----a-w-   c:\windows\system32\msvcrt.dll
2012-02-24 19:46 . 2011-12-16 07:52   690688   ----a-w-   c:\windows\SysWow64\msvcrt.dll
2012-02-24 18:54 . 2012-02-24 18:54   388096   ----a-r-   c:\users\TeamSkeie\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-02-24 18:54 . 2012-02-24 18:54   --------   d-----w-   c:\program files (x86)\Trend Micro
2012-02-23 19:21 . 2012-02-24 19:12   --------   d-----w-   c:\users\TeamSkeie\AppData\Local\NPE
2012-02-23 19:05 . 2012-02-23 19:05   --------   d-----w-   c:\program files (x86)\Common Files\Java
2012-02-07 22:21 . 2012-02-09 17:03   --------   d-----w-   c:\windows\system32\drivers\N360x64\0502000.00D
2012-02-06 00:50 . 2012-02-06 00:50   --------   d-----w-   c:\program files\iPod
2012-02-06 00:50 . 2012-02-06 00:51   --------   d-----w-   c:\program files\iTunes
2012-02-06 00:50 . 2012-02-06 00:51   --------   d-----w-   c:\program files (x86)\iTunes
2012-02-01 20:20 . 2011-11-17 05:38   1292080   ----a-w-   c:\windows\SysWow64\ntdll.dll
2012-02-01 20:20 . 2011-11-17 06:41   1731920   ----a-w-   c:\windows\system32\ntdll.dll
2012-02-01 20:20 . 2011-11-19 14:58   77312   ----a-w-   c:\windows\system32\packager.dll
2012-02-01 20:20 . 2011-11-19 14:01   67072   ----a-w-   c:\windows\SysWow64\packager.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-23 19:02 . 2010-09-03 06:39   472808   ----a-w-   c:\windows\SysWow64\deployJava1.dll
2012-02-22 02:23 . 2011-06-10 21:16   414368   ----a-w-   c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-01-09 18:28 . 2012-01-09 18:35   485576   ----a-w-   c:\users\TeamSkeie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Catalina Marketing Corp\UninstallCouponActivator.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-04-16 98304]
"Microsoft Default Manager"="c:\program files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568]
"Norton Online Backup"="c:\program files (x86)\Symantec\Norton Online Backup\NOBuClient.exe" [2010-06-01 1155928]
"QuickFinder Scheduler"="c:\program files (x86)\WordPerfect Office 11\Programs\QFSCHD110.EXE" [2003-02-26 77887]
"IJNetworkScanUtility"="c:\program files (x86)\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe" [2009-09-29 140640]
"HP Quick Launch"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe" [2010-11-09 586296]
"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"GIDDesktop"="c:\program files (x86)\SFT\GuardedID\gidd.exe" [2011-07-05 395528]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-01-17 421736]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2010-6-8 1128224]
Constant Guard.lnk - c:\program files (x86)\Constant Guard Protection Suite\IDVault.exe [2012-2-15 4720200]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2011-4-8 1207312]
Secure Backup and Share Status.lnk - c:\program files\SecureBackupShare\ComcastSecureBackupSharestat.exe [2010-12-14 4800232]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages   REG_MULTI_SZ      kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R1 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\BASHDefs\20120215.001\BHDrvx64.sys [2011-12-01 1157240]
R1 ComcastSecureBackupShareFilter;ComcastSecureBackupShareFilter;c:\windows\system32\DRIVERS\ComcastSecureBackupShare.sys

R1 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\IPSDefs\20120224.002\IDSvia64.sys [2011-12-15 488568]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360x64\0502000.00D\Ironx64.SYS

R1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\N360x64\0502000.00D\SYMNETS.SYS

R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys

R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
R2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\AESTSr64.exe [2011-03-02 89600]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 ComcastSecureBackupSharebackup;Comcast Secure Backup & Share Backup Service;c:\program files\SecureBackupShare\ComcastSecureBackupSharebackup.exe [2010-12-14 16104]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-07-25 136176]
R2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [2011-09-10 86072]
R2 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [2010-06-18 103992]
R2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-05-21 103992]
R2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe

R2 IDVaultSvc;CGPS Service;c:\program files (x86)\Constant Guard Protection Suite\IDVaultSvc.exe [2012-02-15 65096]
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-01-13 652360]
R2 N360;Norton Security Suite;c:\program files (x86)\Norton Security Suite\Engine\5.2.0.13\ccSvcHst.exe [2011-04-17 130008]
R2 NOBU;Norton Online Backup;c:\program files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe SERVICE

R3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys

R3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys

R3 btwampfl;Bluetooth AMP USB Filter;c:\windows\system32\drivers\btwampfl.sys

R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys

R3 CinemaNow Service;CinemaNow Service;c:\program files (x86)\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe [2010-06-13 400368]
R3 clwvd;HP Webcam Splitter;c:\windows\system32\DRIVERS\clwvd.sys

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-02-05 138360]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-07-25 136176]
R3 HPWMISVC;HPWMISVC;c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2010-11-09 26680]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys

R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 31125880]
R3 netw5v64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys

R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys

R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys

R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS

R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS

R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys

R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe

R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys

R3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\DRIVERS\WSDScan.sys

R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys

R4 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-03-01 183560]
R4 GamesAppService;GamesAppService;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files (x86)\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2009-03-31 47128]
R4 SQLAgent$MSSMLBIZ;SQL Server Agent (MSSMLBIZ);c:\program files (x86)\Microsoft SQL Server\MSSQL10.MSSMLBIZ\MSSQL\Binn\SQLAGENT.EXE [2011-09-23 370024]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360x64\0502000.00D\SYMDS64.SYS

S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360x64\0502000.00D\SYMEFA64.SYS

S1 GIDv2;GIDv2;

S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys

.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2011-03-04 19:29   451872   ----a-w-   c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{9191979D-821C-4EA8-B021-2DA1D859A7C5}-3Reg]
2011-07-05 17:26   435976   ----a-w-   c:\program files (x86)\SFT\GuardedID\GIDI.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-07-25 23:44]
.
2012-02-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-07-25 23:44]
.
2012-02-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2936744551-1845201072-548879614-1000Core.job
- c:\users\TeamSkeie\AppData\Local\Google\Update\GoogleUpdate.exe [2010-12-27 03:00]
.
2012-02-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2936744551-1845201072-548879614-1000UA.job
- c:\users\TeamSkeie\AppData\Local\Google\Update\GoogleUpdate.exe [2010-12-27 03:00]
.
2012-02-16 c:\windows\Tasks\HPCeeScheduleForTeamSkeie.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-01-05 10:53]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ComcastSecureBackupShare]
@="{72bcb80d-7778-eb4a-ec51-22340ad33e07}"
[HKEY_CLASSES_ROOT\CLSID\{72bcb80d-7778-eb4a-ec51-22340ad33e07}]
2010-12-14 20:06   4345576   ----a-w-   c:\program files\SecureBackupShare\ComcastSecureBackupShareshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ComcastSecureBackupShare2]
@="{b723586e-9ca0-5b27-341a-4990a8c342cf}"
[HKEY_CLASSES_ROOT\CLSID\{b723586e-9ca0-5b27-341a-4990a8c342cf}]
2010-12-14 20:06   4345576   ----a-w-   c:\program files\SecureBackupShare\ComcastSecureBackupShareshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ComcastSecureBackupShare3]
@="{f614e4c4-b3fa-5249-b9ea-4fe7d38b8cd0}"
[HKEY_CLASSES_ROOT\CLSID\{f614e4c4-b3fa-5249-b9ea-4fe7d38b8cd0}]
2010-12-14 20:06   4345576   ----a-w-   c:\program files\SecureBackupShare\ComcastSecureBackupShareshell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmartMenu"="c:\program files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe" [2010-01-20 611896]
"HPWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe" [2010-06-18 8192]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-11-02 2710856]
"CanonSolutionMenu"="c:\program files (x86)\Canon\SolutionMenu\CNSLMAIN.exe" [2009-09-04 767312]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2011-03-02 487424]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 130576]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/?_bc=1
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~3\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~3\Office14\ONBttnIE.dll/105
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
DPF: {45A0A292-ECC6-4D8F-9EA9-A4BD411D24C1} - hxxp://www.king.com/ctl/kingcomie.cab
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\N360]
"ImagePath"="\"c:\program files (x86)\Norton Security Suite\Engine\5.2.0.13\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files (x86)\Norton Security Suite\Engine\5.2.0.13\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11f_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11f_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11f.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11f.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11f.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11f.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-02-26  12:52:21
ComboFix-quarantined-files.txt  2012-02-26 20:52
.
Pre-Run: 405,601,083,392 bytes free
Post-Run: 405,026,594,816 bytes free
.
- - End Of File - - DA5CD27E39E10E092015C560E07C9DFF

Offline Hoov

Please go to c:\qoobox and see if there is a combofix1.txt or a combofix2.txt. If there is, open and copy and paste the log into a response.

Offline littleghoul

I can't get the laptop on the internet now.
There is not a combofix1 or 2, but there is a combofix quarantined-files.txt. There is also an add-remove programs.txt and a snapshot@2012-2-26_20.50.28.dat

Here is the combofix quarantined files one:

2012-02-26 20:51:22 . 2012-02-26 20:51:22               80 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-SynTPEnh.reg.dat
2012-02-26 20:48:54 . 2012-02-26 20:48:54           19,311 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2012-02-26 19:35:19 . 2012-02-26 20:42:11              102 ----a-w-  C:\Qoobox\Quarantine\catchme.log
2012-02-24 19:24:05 . 2012-02-24 20:27:31              375 ----a-w-  C:\Qoobox\Quarantine\C\Windows\System32\drivers\etc\hosts.ics.vir
2011-09-13 02:55:03 . 2012-02-19 21:42:38           60,304 ----a-w-  C:\Qoobox\Quarantine\C\Users\TeamSkeie\g2mdlhlpx.exe.vir
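As a worked example added here (it is not part of this thread or of ComboFix itself), a small Python parser for the file records in the ComboFix log and the quarantine list above, with a triage pass that flags the entries a helper reads first. The function names parse_combofix_entries and triage are my own; the sample lines are copied from the posts in this thread.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: a few lines copied from the ComboFix log and the quarantine
# list posted in this thread, plus a dot separator and a section banner to show
# that non-record lines are ignored.
SAMPLE_LOG = r"""
2012-02-26 04:30 . 2011-12-10 23:24   23152   ----a-w-   c:\windows\system32\drivers\mbam.sys
2012-02-26 20:50 . 2012-02-26 20:50   --------   d-----w-   c:\users\Default\AppData\Local\temp
2012-02-24 18:54 . 2012-02-24 18:54   388096   ----a-r-   c:\users\TeamSkeie\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-01-09 18:28 . 2012-01-09 18:35   485576   ----a-w-   c:\users\TeamSkeie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Catalina Marketing Corp\UninstallCouponActivator.exe
2011-09-13 02:55:03 . 2012-02-19 21:42:38           60,304 ----a-w-  C:\Qoobox\Quarantine\C\Users\TeamSkeie\g2mdlhlpx.exe.vir
2012-02-24 19:24:05 . 2012-02-24 20:27:31              375 ----a-w-  C:\Qoobox\Quarantine\C\Windows\System32\drivers\etc\hosts.ics.vir
.
(((((((((((((((((((((((((   Files Created from 2012-01-26 to 2012-02-26  )))))))))))))))))))))))))))))))
"""

# One file record: "<created> . <modified>  <size|-------->  <attrs>  <path>".
# The quarantine list uses the same layout, with seconds and a thousands separator.
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?::\d{2})?) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?::\d{2})?)\s+"
    r"(?P<size>-{8}|[\d,]+)\s+(?P<attrs>[a-z-]{8})\s+(?P<path>\S.*?)\s*$"
)
# Quarantine copies keep the original drive letter as a folder and gain a .vir suffix.
QUARANTINE_RE = re.compile(r"(?i)^c:\\qoobox\\quarantine\\([a-z])\\(.*?)(\.vir)?$")
EXEC_EXT = {".exe", ".dll", ".sys", ".scr", ".cpl", ".ocx", ".com", ".pif"}


@dataclass
class FileEntry:
    created: str
    modified: str
    size: Optional[int]  # None for directories, which the log shows as "--------"
    attrs: str           # e.g. "----a-w-", "d-----w-", "----a-r-"
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")

    @property
    def quarantined(self) -> bool:
        return QUARANTINE_RE.match(self.path) is not None

    @property
    def original_path(self) -> str:
        """Map a quarantine copy back to the path ComboFix took it from."""
        m = QUARANTINE_RE.match(self.path)
        if not m:
            return self.path
        return f"{m.group(1).upper()}:\\{m.group(2)}"


def parse_combofix_entries(text: str) -> List[FileEntry]:
    """Return every file record in the text; banners, dots and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        raw = m["size"]
        size = None if raw.startswith("-") else int(raw.replace(",", ""))
        entries.append(FileEntry(m["created"], m["modified"], size, m["attrs"], m["path"]))
    return entries


def triage(entries: List[FileEntry]) -> List[Tuple[str, str]]:
    """Flag what a helper looks at first: executables inside a user profile and
    anything touching the hosts file. It is a review list, not a verdict:
    HiJackThis.exe is flagged only because of where it sits."""
    findings = []
    for e in entries:
        if e.is_dir:
            continue
        p = e.original_path.lower()
        if "\\users\\" in p and ntpath.splitext(p)[1] in EXEC_EXT:
            findings.append((e.original_path, "executable inside a user profile"))
        elif p.endswith(("\\drivers\\etc\\hosts", "\\drivers\\etc\\hosts.ics")):
            findings.append((e.original_path, "hosts file created or modified"))
    return findings


if __name__ == "__main__":
    for path, reason in triage(parse_combofix_entries(SAMPLE_LOG)):
        print(f"{reason:36} {path}")
```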

Offline Hoov

Reset the Winsock again.

Click Start, click Run, type: cmd, and press CTRL+SHIFT+Enter.
Type: netsh winsock reset, and then press the ENTER key.
Type: Exit and press ENTER.
Restart the computer.

Offline littleghoul

OK, reset the winsock and still no internet connection at all, even with the ethernet it says "unidentified network" "no internet access".

Offline Hoov

Go into the network and sharing center and then to manage wireless networks and delete the network and reboot the computer. Let me know if the network is detected.

Offline littleghoul

It showed up, then I clicked on it and it gave me the screen to enter the security key - thought all was fixed.  Now it pops up "possible network security key mismatch" - so I entered the code from one of the other keys (key 1 instead of key 4).  It found the network location but renamed it mlskeie2 on the popup where I named it as a home network.  What's up with the 2 anyway?  It's showing that it's a secure network and it's working, so I guess it's fixed.  I should have thought of deleting the thing and creating a new one.

Offline littleghoul

Should I uninstall combofix?  It said only to uninstall if you are 100% sure your computer is operating correctly and that you no longer need any of the files that were backed up or quarantined.

Offline Hoov

Before we start cleaning up, I would like you to run this for a day or two. Reboot several times during that period, see if the connection breaks again.

About the number 2 showing up on the connection, the previous one is still around somewhere. You may need to look in both the wired and wireless connections. Try renaming it in the wireless connections list (right click on the connection and select rename).

After you have run your computer for a day or two, come on back and let me know how it is going. If you run into a problem, let me know right away. After you tell me all is well, we will do some cleanup and call it done.

Offline littleghoul

OK. Will do. Thanks.

Offline Hoov

littleghoul, how is your computer running?

Offline Hoov

This thread is being closed due to inactivity. If you need it reopened send me a PM. This applies to the originator only. Anyone else please start a new thread.