[Closed at member's request] Pop up made computer go nuts


kel1987

I was searching for stuff on Google and clicked on a link, and a bunch of stuff popped up; since then the computer has been acting very slow.




GMER 1.0.15.15530 - http://www.gmer.net
Rootkit quick scan 2011-01-25 17:05:28
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Hitachi_HTS541612J9SA00 rev.SBDOC70P
Running: tf5t679g.exe; Driver: C:\Users\Jessica\AppData\Local\Temp\axrdrfoc.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Ip cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\tdx \Device\Tcp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\tdx \Device\Udp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\tdx \Device\RawIp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----
 
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5603

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18999

1/25/2011 5:13:13 PM
mbam-log-2011-01-25 (17-13-13).txt

Scan type: Quick scan
Objects scanned: 141853
Time elapsed: 7 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-12-12.02)

Microsoft® Windows Vista™ Home Basic
Boot Device: \Device\HarddiskVolume2
Install Date: 7/11/2010 8:20:20 AM
System Uptime: 1/25/2011 4:37:43 PM (1 hours ago)

Motherboard: Acer, Inc. | | Prespa1
Processor: Intel(R) Celeron(R) M CPU 520 @ 1.60GHz | U2E1 | 1600/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 69 GiB total, 38.317 GiB free.
D: is FIXED (NTFS) - 35 GiB total, 20.403 GiB free.
E: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP274: 1/19/2011 11:29:17 AM - Scheduled Checkpoint
RP275: 1/21/2011 2:28:51 AM - Scheduled Checkpoint
RP276: 1/24/2011 2:58:41 PM - Scheduled Checkpoint

==== Installed Programs ======================

32 Bit HP CIO Components Installer
AC3Filter 1.63b
Acer Arcade
Acer Assist
Acer eDataSecurity Management
Acer eLock Management
Acer Empowering Technology
Acer eNet Management
Acer ePower Management
Acer ePresentation Management
Acer eSettings Management
Acer GridVista
Acer Mobility Center Plug-In
Acer Registration
Acer ScreenSaver
Acer Tour
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Agere Systems HDA Modem
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Bonjour
CCleaner
Cheat Engine 5.6.1
COMODO Internet Security
Content Transfer
Device Doctor
DivX Setup
Enhanced Multimedia Keyboard Solution
Fiddler2
FileHippo.com Update Checker
Foxit Reader
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Picasso Media Center Add-In
HP Update
Intel(R) Graphics Media Accelerator Driver
IrfanView (remove only)
iTunes
Java Auto Updater
Java(TM) 6 Update 23
Launch Manager
LightScribe 1.4.136.1
Logitech Webcam Software
Malwarebytes' Anti-Malware
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mouse Recorder Pro 2.0.5.0
Mozilla Firefox (3.6.13)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NTI Backup NOW! 4.7
NTI CD & DVD-Maker
NVIDIA Drivers
Orbit Downloader
QuickTime
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Smart Defrag
Spybot - Search & Destroy
SUPERAntiSpyware
Switch Sound File Converter
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515/xx12 drivers.
TIPCI
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
VC80CRTRedist - 8.0.50727.4053
VLC media player 1.1.5
WavePad Sound Editor
WinRAR archiver
XnView 1.97.8

==== Event Viewer Messages From Past Week ========

1/25/2011 8:31:55 AM, Error: Service Control Manager [7034] - The COMODO Internet Security Helper Service service terminated unexpectedly. It has done this 1 time(s).
1/25/2011 4:39:05 PM, Error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
1/24/2011 7:32:41 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the PlugPlay service.
1/22/2011 10:04:02 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the NlaSvc service.
1/20/2011 4:34:35 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Schedule service.
1/18/2011 4:47:04 AM, Error: ACPI [13] - : The embedded controller (EC) did not respond within the specified timeout period. This may indicate that there is an error in the EC hardware or firmware or that the BIOS is accessing the EC incorrectly. You should check with your computer manufacturer for an upgraded BIOS. In some situations, this error may cause the computer to function incorrectly.

==== End Of File ===========================
 
DDS (Ver_10-12-12.02) - NTFSx86
Run by Jessica at 17:01:47.18 on Tue 01/25/2011
Internet Explorer: 8.0.6001.18999 BrowserJavaVersion: 1.6.0_23
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1013.494 [GMT -5:00]

AV: COMODO Antivirus *Enabled/Updated* {675CEE69-9702-A524-3989-6D7CC8BF3695}
SP: COMODO Defense+ *Enabled/Updated* {DC3D0F8D-B138-AAAA-0339-560EB3387C28}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: COMODO Firewall *Enabled* {5F676F4C-DD6D-A47C-12D6-C449366C71EE}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\notepad.exe
C:\Users\Jessica\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.bing.com/?pc=Z016&form=ZGAPHP
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://en.us.acer.yahoo.com
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
{555d4d79-4bd2-4094-a395-cfc534424a05}
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [<NO NAME>]
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "c:\program files\fiddler2\Fiddler.exe"
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\guard32.dll c:\windows\system32\guard32.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\jessica\appdata\roaming\mozilla\firefox\profiles\tlvu53p1.kellie\
FF - prefs.js: browser.startup.homepage - facebook.com
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z016&form=ZGAADF&q=
FF - component: c:\users\jessica\appdata\roaming\mozilla\firefox\profiles\tlvu53p1.kellie\extensions\afom@idevfh\components\npAFOM.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\foxit software\foxit reader\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: FaviconizeTab: faviconizetab@espion.just-size.jp - %profile%\extensions\faviconizetab@espion.just-size.jp
FF - Ext: NoSquint: nosquint@urandom.ca - %profile%\extensions\nosquint@urandom.ca
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: WebMail Notifier: {37fa1426-b82d-11db-8314-0800200c9a66} - %profile%\extensions\{37fa1426-b82d-11db-8314-0800200c9a66}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Tiny Menu: {d33c2f7c-b1e6-4d46-ab0e-be1f6d05c904} - %profile%\extensions\{d33c2f7c-b1e6-4d46-ab0e-be1f6d05c904}
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Ext: AFOM Addon: afom@idevfh - %profile%\extensions\afom@idevfh
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: FiddlerHook: fiddlerhook@fiddler2.com - c:\program files\fiddler2\FiddlerHook

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true);user_pref(general.useragent.extra.brc,

============= SERVICES / DRIVERS ===============

R1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\drivers\cmderd.sys [2010-6-1 17256]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2010-6-4 236600]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2010-6-1 34744]
R4 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-7-12 38224]
S3 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2010-7-12 21504]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S3 WsAudioDevice_383;WsAudioDevice_383;c:\windows\system32\drivers\WsAudioDevice_383.sys [2010-7-23 16640]
S4 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-7-11 1153368]

=============== Created Last 30 ================

2011-01-14 03:42:25 -------- d-----w- c:\users\jessica\appdata\local\Flock
2011-01-14 00:59:41 -------- d-----w- c:\users\jessica\appdata\roaming\SUPERAntiSpyware.com
2011-01-14 00:59:33 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-01-13 10:35:53 -------- d-----w- c:\program files\Software Informer
2011-01-13 10:35:01 -------- d-----w- c:\progra~2\ProcessLasso
2011-01-13 10:34:27 -------- d-----w- c:\program files\Process Lasso
2011-01-11 23:56:35 413696 ----a-w- c:\windows\system32\odbc32.dll
2011-01-11 23:56:29 708608 ----a-w- c:\program files\common files\system\ado\msado15.dll
2011-01-11 23:56:26 253952 ----a-w- c:\program files\common files\system\ado\msadox.dll
2011-01-11 23:56:26 241664 ----a-w- c:\program files\common files\system\ado\msadomd.dll
2011-01-11 23:56:24 57344 ----a-w- c:\program files\common files\system\msadc\msadcs.dll
2011-01-11 23:56:24 180224 ----a-w- c:\program files\common files\system\msadc\msadco.dll
2011-01-11 23:53:21 1169408 ----a-w- c:\windows\system32\sdclt.exe
2011-01-11 05:16:21 497664 ----a-w- c:\windows\system32\ac3filter.acm
2011-01-11 05:16:20 -------- d-----w- c:\program files\AC3Filter
2011-01-09 05:56:26 -------- d-----w- c:\users\jessica\appdata\roaming\HamsterSoft
2010-12-30 01:18:46 -------- d-----w- c:\program files\iPod
2010-12-30 01:18:45 -------- d-----w- c:\program files\iTunes

==================== Find3M ====================

2011-01-12 23:16:36 285480 ----a-w- c:\windows\system32\guard32.dll
2011-01-01 20:07:52 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-29 22:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 22:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-04 18:56:07 345600 ----a-w- c:\windows\system32\wmicmiplugin.dll
2010-11-04 18:55:38 352768 ----a-w- c:\windows\system32\taskschd.dll
2010-11-04 18:55:38 270336 ----a-w- c:\windows\system32\taskcomp.dll
2010-11-04 18:55:12 601600 ----a-w- c:\windows\system32\schedsvc.dll
2010-11-04 16:34:06 171520 ----a-w- c:\windows\system32\taskeng.exe
2010-11-02 06:01:54 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-02 05:57:41 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-02 05:57:27 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-11-02 05:57:11 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-11-02 05:57:11 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-11-02 05:01:31 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 04:26:10 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-11-02 04:24:44 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-10-28 15:44:56 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-10-28 13:27:47 292352 ----a-w- c:\windows\system32\atmfd.dll
2010-10-28 13:20:12 2048 ----a-w- c:\windows\system32\tzres.dll

============= FINISH: 17:03:09.79 ===============
 
I'll be glad to help with the malware if you can be more specific about this:
"a bunch of stuff popped up, since then the computer has been acting very slow."

What was the popup?
What was the stuff?
What is happening with the system other than acting slow?

While you get that together, I'll be checking the logs you left.

Important!
Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
 
It was popups saying that I had viruses - which I know the ads themselves are just trying to get you to download stuff, but last time it happened I did get infected pretty badly with viruses.

The computer doesn't want to start properly; nothing will really load, not even basic programs like Calculator and Notepad.
 
I notice you have many addons for Firefox. I checked Fiddler2 for Firefox (3.6.13) and it is not compatible. There is a Beta version, but part of the problem is within Firefox itself. Since you appear to be having system problems, I suggest you uninstall Fiddler2, then restart FF.

Another addon, AFOM, has very mixed reviews. I'm almost ready to stop using Firefox because of its huge memory consumption, but some say this addon can cause more memory use. Some also suggested using "Memory Fox" instead.

Okay, no more clicking on popups that say you have a virus! Let's see how much damage it did:
Run the Eset NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Re-enable your Antivirus software.
  10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
======================================
Download Combofix to your desktop from one of these locations:
Link 1
Link 2
http://www.forospyware.com/sUBs/ComboFix.exe
  • Double click combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Query - Recovery Console image:
    [image: RcAuto1.gif]

    WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    [image: whatnext.png]
  • Click on Yes, to continue scanning for malware.
  • If ComboFix asks you to update the program, allow it.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Close any open browsers.
  • Double click combofix.exe
    [image: cf-icon.jpg]
    & follow the prompts to run.
  • When the scan completes it will open a text window. Please paste that log in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
 
I could not get Eset to run for more than 10 minutes; then it would completely freeze. I tried 3 times and 1 time in safe mode.


ComboFix 11-01-25.01 - Jessica 01/25/2011 20:36:32.5.1 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1013.435 [GMT -5:00]
Running from: c:\users\Jessica\Desktop\ComboFix.exe
AV: COMODO Antivirus *Enabled/Updated* {675CEE69-9702-A524-3989-6D7CC8BF3695}
FW: COMODO Firewall *Enabled* {5F676F4C-DD6D-A47C-12D6-C449366C71EE}
SP: COMODO Defense+ *Enabled/Updated* {DC3D0F8D-B138-AAAA-0339-560EB3387C28}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\Microsoft\Network\Downloader\qmgr0.dat
c:\programdata\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

hxxp://update.flock.com
hxxp://dl00.flock.com
.
((((((((((((((((((((((((( Files Created from 2010-12-26 to 2011-01-26 )))))))))))))))))))))))))))))))
.

2011-01-26 01:44 . 2011-01-26 01:45 -------- d-----w- c:\users\Jessica\AppData\Local\temp
2011-01-26 01:44 . 2011-01-26 01:44 -------- d-----w- c:\users\Public\AppData\Local\temp
2011-01-26 01:44 . 2011-01-26 01:44 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-01-26 00:16 . 2011-01-26 00:16 -------- d-----w- c:\program files\ESET
2011-01-14 03:42 . 2011-01-17 08:48 -------- d-----w- c:\users\Jessica\AppData\Local\Flock
2011-01-14 00:59 . 2011-01-14 00:59 -------- d-----w- c:\users\Jessica\AppData\Roaming\SUPERAntiSpyware.com
2011-01-14 00:59 . 2011-01-14 00:59 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-01-13 10:35 . 2011-01-13 10:43 -------- d-----w- c:\program files\Software Informer
2011-01-13 10:35 . 2011-01-13 10:35 -------- d-----w- c:\programdata\ProcessLasso
2011-01-13 10:34 . 2011-01-13 10:42 -------- d-----w- c:\program files\Process Lasso
2011-01-11 23:56 . 2010-12-28 15:55 413696 ----a-w- c:\windows\system32\odbc32.dll
2011-01-11 23:56 . 2010-12-28 15:53 708608 ----a-w- c:\program files\Common Files\System\ado\msado15.dll
2011-01-11 23:56 . 2010-12-28 15:53 253952 ----a-w- c:\program files\Common Files\System\ado\msadox.dll
2011-01-11 23:56 . 2010-12-28 15:53 241664 ----a-w- c:\program files\Common Files\System\ado\msadomd.dll
2011-01-11 23:56 . 2010-12-28 15:53 57344 ----a-w- c:\program files\Common Files\System\msadc\msadcs.dll
2011-01-11 23:56 . 2010-12-28 15:53 180224 ----a-w- c:\program files\Common Files\System\msadc\msadco.dll
2011-01-11 23:53 . 2010-12-14 14:49 1169408 ----a-w- c:\windows\system32\sdclt.exe
2011-01-11 05:16 . 2009-08-12 02:18 497664 ----a-w- c:\windows\system32\ac3filter.acm
2011-01-11 05:16 . 2011-01-11 05:16 -------- d-----w- c:\program files\AC3Filter
2011-01-09 05:56 . 2011-01-09 05:56 -------- d-----w- c:\users\Jessica\AppData\Roaming\HamsterSoft
2010-12-30 01:18 . 2010-12-30 01:18 -------- d-----w- c:\program files\iPod
2010-12-30 01:18 . 2010-12-30 01:19 -------- d-----w- c:\program files\iTunes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-12 23:16 . 2010-06-01 23:00 285480 ----a-w- c:\windows\system32\guard32.dll
2011-01-12 23:16 . 2010-06-01 23:00 80064 ----a-w- c:\windows\system32\drivers\inspect.sys
2011-01-12 23:16 . 2010-06-01 23:00 34744 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2011-01-12 23:16 . 2010-06-01 23:00 17256 ----a-w- c:\windows\system32\drivers\cmderd.sys
2011-01-12 23:16 . 2010-06-04 15:55 236600 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2011-01-01 20:07 . 2010-07-19 03:23 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-12-20 23:09 . 2010-07-12 17:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 23:08 . 2010-07-12 17:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-29 22:38 . 2010-11-29 22:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 22:38 . 2010-11-29 22:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-04 18:56 . 2010-12-14 20:31 345600 ----a-w- c:\windows\system32\wmicmiplugin.dll
2010-11-04 18:55 . 2010-12-14 20:31 352768 ----a-w- c:\windows\system32\taskschd.dll
2010-11-04 18:55 . 2010-12-14 20:31 270336 ----a-w- c:\windows\system32\taskcomp.dll
2010-11-04 18:55 . 2010-12-14 20:31 601600 ----a-w- c:\windows\system32\schedsvc.dll
2010-11-04 16:34 . 2010-12-14 20:31 171520 ----a-w- c:\windows\system32\taskeng.exe
2010-11-02 06:01 . 2010-12-14 20:30 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-02 05:57 . 2010-12-14 20:30 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-02 05:57 . 2010-12-14 20:30 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-11-02 05:57 . 2010-12-14 20:30 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-11-02 05:57 . 2010-12-14 20:30 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-11-02 05:01 . 2010-12-14 20:30 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 04:26 . 2010-12-14 20:30 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-11-02 04:24 . 2010-12-14 20:30 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-10-28 15:44 . 2010-12-14 20:30 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-10-28 13:27 . 2010-12-14 20:30 292352 ----a-w- c:\windows\system32\atmfd.dll
2010-10-28 13:20 . 2010-12-14 20:30 2048 ----a-w- c:\windows\system32\tzres.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-16 815104]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2011-01-19 2548552]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\guard32.dll c:\windows\System32\guard32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux3"=wdmaud.drv

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Empowering Technology Launcher.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Empowering Technology Launcher.lnk
backup=c:\windows\pss\Empowering Technology Launcher.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Orbit.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Orbit.lnk
backup=c:\windows\pss\Orbit.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Jessica^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Acer Product Registration.lnk]
path=c:\users\Jessica\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Acer Product Registration.lnk
backup=c:\windows\pss\Acer Product Registration.lnk.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jessica^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Logitech . Product Registration.lnk]
path=c:\users\Jessica\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Logitech . Product Registration.lnk
backup=c:\windows\pss\Logitech . Product Registration.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
%ProgramFiles%\Windows Defender\MSASCui.exe -hide [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Assist Launcher]
2007-02-02 18:05 1261568 ----a-w- c:\program files\Acer Assist\launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Product Registration]
2007-02-02 19:24 3383296 ----a-w- c:\program files\Acer Registration\ACE1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Tour Reminder]
2007-01-17 17:01 151552 ----a-w- c:\acer\AcerTour\Reminder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ContentTransferWMDetector.exe]
2009-11-19 22:15 583016 ----a-w- c:\program files\Sony\Content Transfer\ContentTransferWMDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-09-16 20:04 1164584 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eDataSecurity Loader]
2007-02-07 08:04 464168 ----a-w- c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eDSMSNfix]
2007-02-08 17:40 13312 ----a-w- c:\acer\Empowering Technology\eDSMSNfix.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2008-02-12 00:13 166424 ----a-w- c:\windows\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2009-11-18 21:13 54576 ----a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2008-02-12 00:13 141848 ----a-w- c:\windows\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-08-11 19:30 249856 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-08-11 19:30 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-12-13 22:16 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
2006-12-08 19:16 65536 ----a-w- c:\hp\KBD\KbdStub.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
2007-01-11 07:47 483328 ----a-w- c:\progra~1\LAUNCH~1\QtZgAcer.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2009-10-14 17:36 2793304 ----a-w- c:\program files\Logitech\Logitech WebCam Software\LWS.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2007-01-09 08:55 151552 ----a-w- c:\program files\Acer\Acer Arcade\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2008-02-12 00:13 133656 ----a-w- c:\windows\System32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 20:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 15:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2010-12-14 20:02 2424560 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-19 07:33 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2236743762-159487141-3334895427-1000]
"EnableNotificationsRef"=dword:00000001

R3 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R3 WsAudioDevice_383;WsAudioDevice_383;c:\windows\system32\drivers\WsAudioDevice_383.sys [2008-11-19 16640]
R4 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\DRIVERS\cmderd.sys [2011-01-12 17256]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2011-01-12 236600]
S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [2011-01-12 34744]


--- Other Services/Drivers In Memory ---

*Deregistered* - axrdrfoc

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2011-01-25 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2010-07-12 22:08]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/?pc=Z016&form=ZGAPHP
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://en.us.acer.yahoo.com
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
FF - ProfilePath - c:\users\Jessica\AppData\Roaming\Mozilla\Firefox\Profiles\tlvu53p1.Kellie\
FF - prefs.js: browser.startup.homepage - facebook.com
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z016&form=ZGAADF&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: FaviconizeTab: faviconizetab@espion.just-size.jp - %profile%\extensions\faviconizetab@espion.just-size.jp
FF - Ext: NoSquint: nosquint@urandom.ca - %profile%\extensions\nosquint@urandom.ca
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: WebMail Notifier: {37fa1426-b82d-11db-8314-0800200c9a66} - %profile%\extensions\{37fa1426-b82d-11db-8314-0800200c9a66}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Tiny Menu: {d33c2f7c-b1e6-4d46-ab0e-be1f6d05c904} - %profile%\extensions\{d33c2f7c-b1e6-4d46-ab0e-be1f6d05c904}
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true);user_pref(general.useragent.extra.brc,
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
MSConfigStartUp-Bing Bar - c:\program files\MSN Toolbar\Platform\6.3.2348.0\mswinext.exe
MSConfigStartUp-Macro Manager - c:\program files\GrassSoft\Mouse Recorder\MacroManager.exe
MSConfigStartUp-Microsoft Default Manager - c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-25 20:45
Windows 6.0.6002 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(588)
c:\windows\System32\guard32.dll

- - - - - - - > 'lsass.exe'(628)
c:\windows\System32\guard32.dll
.
Completion time: 2011-01-25 20:49:45
ComboFix-quarantined-files.txt 2011-01-26 01:49
ComboFix2.txt 2010-10-21 02:29

Pre-Run: 43,724,197,888 bytes free
Post-Run: 43,699,539,968 bytes free

- - End Of File - - 6387C9F862EC06F7898B13026DDAB07C
 
AV: COMODO Antivirus *Enabled/Updated*
FW: COMODO Firewall *Enabled*
SP: COMODO Defense+ *Enabled/Updated*

Per the instructions, security programs are supposed to be disabled before running Combofix. You left them running. Per the instructions, the AV program is supposed to be disabled before running the Eset scan. If you did not do this, that is the reason why the scan won't progress. There is also a chance that an ActiveX object included in a rootkit may be preventing the scan.

catchme in Combofix: Showing this entry:
detected NTDLL code modification:
ZwClose, ZwOpenFile

This may refer to the Gromozon_Rootkit

Gromozon is not a single infection, but a blended attack designed to bypass traditional anti-malware tools. The end result is that the machine is not only infected by several well known Trojans but also a highly dangerous Rootkit. Traditional AV vendors are at the moment dealing with the known infections but overlooking the rootkit.

Please run the Gromozon Rootkit Removal Tool. It should be saved to the desktop and run from there. This is a small utility that can rapidly detect and remove the Gromozon rootkit.

Please follow any prompts given and include log in next reply.
 
I did disable them before I started the scans so I'm not sure why it's saying they were enabled. I tried the Gromozon link you gave me and it says it is expired.
 
Well that's weird! That entire page had the download information when I left the link!

Try this link from PREVX.

They wrote the program and it's working now.
 
I've given a few more attempts to get the program to work, tried in safe mode, with antivirus programs turned off and everything. Still no luck.

Thanks for the help so far though :) I'm hoping to get this issue resolved soon, the computer is driving me nuts lmfao
 
Yes, you're going to get help. I have been busy helping other members. And I did take a bit of time out to eat and sleep> that's what's good about being a volunteer> I can do that without being docked pay!

When people only give us information like this:
I was searching stuff on google and clicked on a link and a bunch of stuff popped up, since then the computer has been acting very slow.
it takes longer to get a handle on the cause and resolution.
The computer is slow because you have everything that's installed on the computer starting on boot>then running in the background>> slow load, slow shutdown, excess use of RAM.

last time it happened I did get infected pretty bad with viruses.
But you did it again!

The computer doesn't want to start properly, nothing will really load even basic programs like calculator and notepad.

This doesn't point to malware as much as system problems>What maintenance other than defrag do you do on the system? Error check? When was the last time you did it?
=======================================
Since you can't run the other program, please run this:
  • Download the file TDSSKiller.zip and save to the desktop.
    (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
  • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
  • Double click on TDSSKiller.exe to run the scan.
  • When the scan is over, the utility outputs a list of detected objects with description.
    The utility automatically selects an action (Cure or Delete) for malicious objects.
    The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
  • Select the action Quarantine to quarantine detected objects.
    The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
  • After clicking Next, the utility applies selected actions and outputs the result.
  • A reboot is required after disinfection.
 
Wow no need AT ALL to be rude.

You are obviously reading the logs wrong because I DO NOT have everything starting on boot, I do know a few things about computers! Want me to prove it? I'll attach screen shots of MSCONFIG. As of now I only have 40 processes running, which is down from well over 70.

And let me clarify, since you seem to have problems understanding what I originally said. I was searching stuff on google. I clicked on a link from google that automatically opened a bunch of pop ups. I DID NOT click on any of the pop ups; I immediately shut my machine off and disconnected the internet asap, waited a while, then got back on.

I do all the maintenance on my computer often, usually about once every 2 weeks. Again, I do know something about computers and maintaining them, but when you get a virus, malware, what have you, then that is when I have problems, especially when the programs I use don't solve the issue.
 
Scan came back clean.

But as I restarted my firefox it popped up and said something about an add-on that was malware, the name was Feeder but I haven't installed anything and it's not showing up in my add-on list.
 
Using just the search term Feeder the only identification I can find is:
Feeder is an award-winning Welsh rock band that formed in Newport, Wales in 1992.
www.feederweb.com
http://www.last.fm/music/Feeder


You can try doing these 2 things:
1. I note you have AdBlockPlus> good> add the following for better blocking:
Easy List

2. Block the 'feeder' domain: Open Firefox> Tools> Advanced> Check 'Allow Cookies from sites'> Click on Exceptions> type this in and click on Block.
*.feederweb.com
===================================
The following Registry entries show programs or apps on the Startup menu and/or msconfig:
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Empowering Technology Launcher.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Empowering Technology Launcher.lnk
backup=c:\windows\pss\Empowering Technology Launcher.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Orbit.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Orbit.lnk
backup=c:\windows\pss\Orbit.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Jessica^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Acer Product Registration.lnk]
path=c:\users\Jessica\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Acer Product Registration.lnk
backup=c:\windows\pss\Acer Product Registration.lnk.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jessica^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Logitech . Product Registration.lnk]
path=c:\users\Jessica\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Logitech . Product Registration.lnk
backup=c:\windows\pss\Logitech . Product Registration.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
%ProgramFiles%\Windows Defender\MSASCui.exe -hide [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Assist Launcher]
2007-02-02 18:05 1261568 ----a-w- c:\program files\Acer Assist\launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Product Registration]
2007-02-02 19:24 3383296 ----a-w- c:\program files\Acer Registration\ACE1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Tour Reminder]
2007-01-17 17:01 151552 ----a-w- c:\acer\AcerTour\Reminder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ContentTransferWMDetector.exe]
2009-11-19 22:15 583016 ----a-w- c:\program files\Sony\Content Transfer\ContentTransferWMDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-09-16 20:04 1164584 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eDataSecurity Loader]
2007-02-07 08:04 464168 ----a-w- c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eDSMSNfix]
2007-02-08 17:40 13312 ----a-w- c:\acer\Empowering Technology\eDSMSNfix.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2008-02-12 00:13 166424 ----a-w- c:\windows\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2009-11-18 21:13 54576 ----a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2008-02-12 00:13 141848 ----a-w- c:\windows\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-08-11 19:30 249856 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-08-11 19:30 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-12-13 22:16 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
2006-12-08 19:16 65536 ----a-w- c:\hp\KBD\KbdStub.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
2007-01-11 07:47 483328 ----a-w- c:\progra~1\LAUNCH~1\QtZgAcer.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2009-10-14 17:36 2793304 ----a-w- c:\program files\Logitech\Logitech WebCam Software\LWS.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2007-01-09 08:55 151552 ----a-w- c:\program files\Acer\Acer Arcade\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2008-02-12 00:13 133656 ----a-w- c:\windows\System32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 20:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 15:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2010-12-14 20:02 2424560 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-19 07:33 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe
=====================================
Please see the following reply for instructions for Cleaning out those unwanted msconfig files:
 
Cleaning out those unwanted msconfig files
This may require you to edit the registry. Doing this incorrectly can cause permanent damage to your operating system, and should therefore be done with extreme caution. Follow these steps to make a backup copy of your registry in case something does go wrong.
  1. Click the Start Menu.
  2. Go to Run.
  3. Type "regedit" without the quotes, and hit enter.
  4. Click the "Registry" (or "File") menu
  5. Click "Export Registry File..."
  6. Choose an easy to remember place to save the file and give it a name.
  7. At the bottom of that box, under Export Range, are 2 buttons, click the one that says "All", and then click Save.

Now that this is done, navigate through the Registry like you navigate your hard drive in Windows Explorer.
  1. In the left pane, go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  2. In the right pane, find the name of a program you want to remove from your msconfig (look at msconfig if need be), and click on it.
  3. Hit the delete key on your keyboard, and click Yes in the resulting dialog.
  4. Close MSconfig (if it is open) and then reopen it. If the file is still there it is located somewhere else, if not, repeat the above steps for the rest of the ones you want removed from msconfig.
================================
I hope this is helpful. If you have any more information on the 'Feeder' popup, it would help identify the source.
 
I have Easy List installed already.
I googled the feeder thing and it popped up recipe.feeder. IDK

Also tried the msconfig clean out, followed the steps and when I got to run nothing but DEFAULT popped up in the right side panel.
 
Wish you'd share more of your information. Are you saying that you're being directed to a recipe site?

You saw the Registry entries on Startup. So 'Default' what is coming up?
 
This is what I found when I looked up Feeder: Adware.RecipeFeeder
I am not being redirected or anything just my PC is running very slow since the original pop up.

When I went to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, in the right panel all that pops up is Default, REG_SZ, value not set.
 
You're slow because you have too many processes running.
Custom CFScript


  • [1]. Close any open browsers.
  • [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
Code:
KillAll::
File::
c:\users\Jessica\AppData\Local\Flock
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste into to your next reply.
====================
Click on Control Panel> Internet Options> Security tab> Restricted Sites> Sites> type the following in, then Add to Restricted Sites:
*.flock.com
================================
To remove entries from Startup using the msconfig utility:
  • Click on Start> Run> type in msconfig> enter>
  • Click on Selective Startup
  • Choose the Startup tab:
    This is where you UNCHECK the Startup items. This does not remove the item or uninstall anything> it just stops it from starting on boot. It can be rechecked at any time if wanted.
  • To expand the Command Column (this shows what the process 'belongs' to), hold the left mouse button down on the dividing line on the frame above Location and move to the right to expand.
  • Uncheck everything except the antivirus, firewall if using a 3rd party firewall, touchpad if on a laptop, and network processes if using Pure Network (Citrix). This includes all HP Digital Imaging.
  • Click on Apply> OK when finished.

NOTE:
When you reboot the system the first time after making changes using the msconfig utility, a nag message comes up that can be ignored and closed after checking 'don't show this message again.'
Once you make changes to the Startup menu, you must remain in Selective Startup to retain those changes. If you go back to Normal Startup, everything you unchecked will be checked again and start on boot.
====================================
Download HijackThis http://download.bleepingcomputer.com/hijackthis/HijackThis.zip and save to your desktop.
  • Extract it to a directory on your hard drive called c:\HijackThis.
  • Then navigate to that directory and double-click on the hijackthis.exe file.
  • When started click on the Scan button and then the Save Log button to create a log of your information.
  • The log will then open in notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
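As an added illustration (not code from this thread or from the helper), the PowerShell script below enumerates the same autostart locations the ComboFix log draws from: the live Run keys and Startup folders, plus the msconfig startupreg and startupfolder keys where unchecked items are parked, which is why the HKCU Run key can show nothing but (Default) after items have been unchecked. It backs up the live Run keys with reg.exe and otherwise only reads; the value names command, key and path inside the parked subkeys are assumed from msconfig's layout, not taken from the thread.

```powershell
# Added example: report every autostart entry and whether it is still active
# or has been parked by msconfig. Read-only apart from the .reg backups.
# Run from an elevated PowerShell prompt on the machine being checked.
$ErrorActionPreference = 'SilentlyContinue'

# Live autostart keys: anything listed here runs at logon.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Parking keys used by msconfig on Vista/7: unchecking a Startup item moves it
# out of the Run key (or Startup folder) and into one of these.
$parkedReg    = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg'
$parkedFolder = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder'

# Back up the live Run keys to the desktop before anyone edits them.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
foreach ($key in $runKeys) {
    $hive = $key -replace ':', ''                         # HKCU:\x -> HKCU\x for reg.exe
    $file = ($hive -replace '[\\:]', '_') + "-$stamp.reg"
    reg.exe export $hive (Join-Path $env:USERPROFILE "Desktop\$file") /y | Out-Null
}

$report = @()

# 1. Entries that are still active in the Run keys.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }             # skip PowerShell's own metadata
        $report += New-Object PSObject -Property @{
            Name = $p.Name; Command = $p.Value; State = 'Active'; Source = $key
        }
    }
}

# 2. Entries msconfig has parked (assumed value names: command, key, path).
foreach ($sub in Get-ChildItem $parkedReg) {
    $v = Get-ItemProperty $sub.PSPath
    $report += New-Object PSObject -Property @{
        Name = $sub.PSChildName; Command = $v.command
        State = 'Disabled-by-msconfig'; Source = $v.key
    }
}
foreach ($sub in Get-ChildItem $parkedFolder) {
    $v = Get-ItemProperty $sub.PSPath
    $report += New-Object PSObject -Property @{
        Name = $sub.PSChildName; Command = $v.path
        State = 'Disabled-by-msconfig'; Source = 'Startup folder'
    }
}

# 3. Shortcuts still present in the per-user and all-users Startup folders.
$folders = @(
    (Join-Path $env:APPDATA     'Microsoft\Windows\Start Menu\Programs\Startup'),
    (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup')
)
foreach ($f in $folders) {
    foreach ($lnk in Get-ChildItem $f -Filter *.lnk) {
        $report += New-Object PSObject -Property @{
            Name = $lnk.BaseName; Command = $lnk.FullName
            State = 'Active'; Source = 'Startup folder'
        }
    }
}

$report | Sort-Object State, Name | Format-Table State, Name, Command -AutoSize -Wrap
```

Anything reported as Active is what actually loads at logon; the Disabled-by-msconfig rows are the entries that no longer appear under the Run key but come back if Normal Startup is selected again.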
 
As I have ALREADY stated I do not have everything running at startup. I have already turned most all programs off from MSCONFIG! I have attached pictures to show proof!

As of now I only have 36 processes running with Firefox open.

I will follow the other steps now.
 

Attachments: Msconfig1.jpg, msconfig2.jpg, msconfig3.jpg, msconfig4.jpg
When trying to follow the Combofix instructions this is what I get each time.
 

Attachments: Untitled.jpg