[Closed at member's request] Pop up made computer go nuts

By kel1987 · 27 replies
Jan 25, 2011
  1. I was searching stuff on google and clicked on a link and a bunch of stuff popped up, since then the computer has been acting very slow.

    GMER - http://www.gmer.net
    Rootkit quick scan 2011-01-25 17:05:28
    Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Hitachi_HTS541612J9SA00 rev.SBDOC70P
    Running: tf5t679g.exe; Driver: C:\Users\Jessica\AppData\Local\Temp\axrdrfoc.sys

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\tdx \Device\Ip cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
    AttachedDevice \Driver\tdx \Device\Tcp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
    AttachedDevice \Driver\tdx \Device\Udp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
    AttachedDevice \Driver\tdx \Device\RawIp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----
  2. kel1987

    kel1987 TS Rookie Topic Starter Posts: 75

    Malwarebytes' Anti-Malware

    Database version: 5603

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 8.0.6001.18999

    1/25/2011 5:13:13 PM
    mbam-log-2011-01-25 (17-13-13).txt

    Scan type: Quick scan
    Objects scanned: 141853
    Time elapsed: 7 minute(s), 22 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
  3. kel1987


    DDS (Ver_10-12-12.02)

    Microsoft® Windows Vista™ Home Basic
    Boot Device: \Device\HarddiskVolume2
    Install Date: 7/11/2010 8:20:20 AM
    System Uptime: 1/25/2011 4:37:43 PM (1 hours ago)

    Motherboard: Acer, Inc. | | Prespa1
    Processor: Intel(R) Celeron(R) M CPU 520 @ 1.60GHz | U2E1 | 1600/133mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 69 GiB total, 38.317 GiB free.
    D: is FIXED (NTFS) - 35 GiB total, 20.403 GiB free.
    E: is CDROM ()

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP274: 1/19/2011 11:29:17 AM - Scheduled Checkpoint
    RP275: 1/21/2011 2:28:51 AM - Scheduled Checkpoint
    RP276: 1/24/2011 2:58:41 PM - Scheduled Checkpoint

    ==== Installed Programs ======================

    32 Bit HP CIO Components Installer
    AC3Filter 1.63b
    Acer Arcade
    Acer Assist
    Acer eDataSecurity Management
    Acer eLock Management
    Acer Empowering Technology
    Acer eNet Management
    Acer ePower Management
    Acer ePresentation Management
    Acer eSettings Management
    Acer GridVista
    Acer Mobility Center Plug-In
    Acer Registration
    Acer ScreenSaver
    Acer Tour
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Agere Systems HDA Modem
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Cheat Engine 5.6.1
    COMODO Internet Security
    Content Transfer
    Device Doctor
    DivX Setup
    Enhanced Multimedia Keyboard Solution
    FileHippo.com Update Checker
    Foxit Reader
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    HP Picasso Media Center Add-In
    HP Update
    Intel(R) Graphics Media Accelerator Driver
    IrfanView (remove only)
    Java Auto Updater
    Java(TM) 6 Update 23
    Launch Manager
    Logitech Webcam Software
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft Silverlight
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Mouse Recorder Pro
    Mozilla Firefox (3.6.13)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    NTI Backup NOW! 4.7
    NTI CD & DVD-Maker
    NVIDIA Drivers
    Orbit Downloader
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Smart Defrag
    Spybot - Search & Destroy
    Switch Sound File Converter
    Synaptics Pointing Device Driver
    Texas Instruments PCIxx21/x515/xx12 drivers.
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    VC80CRTRedist - 8.0.50727.4053
    VLC media player 1.1.5
    WavePad Sound Editor
    WinRAR archiver
    XnView 1.97.8

    ==== Event Viewer Messages From Past Week ========

    1/25/2011 8:31:55 AM, Error: Service Control Manager [7034] - The COMODO Internet Security Helper Service service terminated unexpectedly. It has done this 1 time(s).
    1/25/2011 4:39:05 PM, Error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    1/24/2011 7:32:41 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the PlugPlay service.
    1/22/2011 10:04:02 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the NlaSvc service.
    1/20/2011 4:34:35 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Schedule service.
    1/18/2011 4:47:04 AM, Error: ACPI [13] - : The embedded controller (EC) did not respond within the specified timeout period. This may indicate that there is an error in the EC hardware or firmware or that the BIOS is accessing the EC incorrectly. You should check with your computer manufacturer for an upgraded BIOS. In some situations, this error may cause the computer to function incorrectly.

    ==== End Of File ===========================
  4. kel1987

    DDS (Ver_10-12-12.02) - NTFSx86
    Run by Jessica at 17:01:47.18 on Tue 01/25/2011
    Internet Explorer: 8.0.6001.18999 BrowserJavaVersion: 1.6.0_23
    Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1013.494 [GMT -5:00]

    AV: COMODO Antivirus *Enabled/Updated* {675CEE69-9702-A524-3989-6D7CC8BF3695}
    SP: COMODO Defense+ *Enabled/Updated* {DC3D0F8D-B138-AAAA-0339-560EB3387C28}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    FW: COMODO Firewall *Enabled* {5F676F4C-DD6D-A47C-12D6-C449366C71EE}

    ============== Running Processes ===============

    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.bing.com/?pc=Z016&form=ZGAPHP
    uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    uDefault_Search_URL = hxxp://www.google.com/ie
    mStart Page = hxxp://en.us.acer.yahoo.com
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
    TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
    TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
    TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
    mRun: [<NO NAME>]
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
    IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
    IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
    IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
    IE: {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "c:\program files\fiddler2\Fiddler.exe"
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    Notify: igfxcui - igfxdev.dll
    AppInit_DLLs: c:\windows\system32\guard32.dll c:\windows\system32\guard32.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\users\jessica\appdata\roaming\mozilla\firefox\profiles\tlvu53p1.kellie\
    FF - prefs.js: browser.startup.homepage - facebook.com
    FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z016&form=ZGAADF&q=
    FF - component: c:\users\jessica\appdata\roaming\mozilla\firefox\profiles\tlvu53p1.kellie\extensions\afom@idevfh\components\npAFOM.dll
    FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
    FF - plugin: c:\program files\foxit software\foxit reader\plugins\npFoxitReaderPlugin.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: FaviconizeTab: faviconizetab@espion.just-size.jp - %profile%\extensions\faviconizetab@espion.just-size.jp
    FF - Ext: NoSquint: nosquint@urandom.ca - %profile%\extensions\nosquint@urandom.ca
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: WebMail Notifier: {37fa1426-b82d-11db-8314-0800200c9a66} - %profile%\extensions\{37fa1426-b82d-11db-8314-0800200c9a66}
    FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    FF - Ext: Tiny Menu: {d33c2f7c-b1e6-4d46-ab0e-be1f6d05c904} - %profile%\extensions\{d33c2f7c-b1e6-4d46-ab0e-be1f6d05c904}
    FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
    FF - Ext: AFOM Addon: afom@idevfh - %profile%\extensions\afom@idevfh
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: FiddlerHook: fiddlerhook@fiddler2.com - c:\program files\fiddler2\FiddlerHook

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true);user_pref(general.useragent.extra.brc,

    ============= SERVICES / DRIVERS ===============

    R1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\drivers\cmderd.sys [2010-6-1 17256]
    R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2010-6-4 236600]
    R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2010-6-1 34744]
    R4 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-7-12 38224]
    S3 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2010-7-12 21504]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    S3 WsAudioDevice_383;WsAudioDevice_383;c:\windows\system32\drivers\WsAudioDevice_383.sys [2010-7-23 16640]
    S4 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-7-11 1153368]

    =============== Created Last 30 ================

    2011-01-14 03:42:25 -------- d-----w- c:\users\jessica\appdata\local\Flock
    2011-01-14 00:59:41 -------- d-----w- c:\users\jessica\appdata\roaming\SUPERAntiSpyware.com
    2011-01-14 00:59:33 -------- d-----w- c:\program files\SUPERAntiSpyware
    2011-01-13 10:35:53 -------- d-----w- c:\program files\Software Informer
    2011-01-13 10:35:01 -------- d-----w- c:\progra~2\ProcessLasso
    2011-01-13 10:34:27 -------- d-----w- c:\program files\Process Lasso
    2011-01-11 23:56:35 413696 ----a-w- c:\windows\system32\odbc32.dll
    2011-01-11 23:56:29 708608 ----a-w- c:\program files\common files\system\ado\msado15.dll
    2011-01-11 23:56:26 253952 ----a-w- c:\program files\common files\system\ado\msadox.dll
    2011-01-11 23:56:26 241664 ----a-w- c:\program files\common files\system\ado\msadomd.dll
    2011-01-11 23:56:24 57344 ----a-w- c:\program files\common files\system\msadc\msadcs.dll
    2011-01-11 23:56:24 180224 ----a-w- c:\program files\common files\system\msadc\msadco.dll
    2011-01-11 23:53:21 1169408 ----a-w- c:\windows\system32\sdclt.exe
    2011-01-11 05:16:21 497664 ----a-w- c:\windows\system32\ac3filter.acm
    2011-01-11 05:16:20 -------- d-----w- c:\program files\AC3Filter
    2011-01-09 05:56:26 -------- d-----w- c:\users\jessica\appdata\roaming\HamsterSoft
    2010-12-30 01:18:46 -------- d-----w- c:\program files\iPod
    2010-12-30 01:18:45 -------- d-----w- c:\program files\iTunes

    ==================== Find3M ====================

    2011-01-12 23:16:36 285480 ----a-w- c:\windows\system32\guard32.dll
    2011-01-01 20:07:52 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-11-29 22:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-11-29 22:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2010-11-04 18:56:07 345600 ----a-w- c:\windows\system32\wmicmiplugin.dll
    2010-11-04 18:55:38 352768 ----a-w- c:\windows\system32\taskschd.dll
    2010-11-04 18:55:38 270336 ----a-w- c:\windows\system32\taskcomp.dll
    2010-11-04 18:55:12 601600 ----a-w- c:\windows\system32\schedsvc.dll
    2010-11-04 16:34:06 171520 ----a-w- c:\windows\system32\taskeng.exe
    2010-11-02 06:01:54 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-11-02 05:57:41 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-11-02 05:57:27 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-11-02 05:57:11 71680 ----a-w- c:\windows\system32\iesetup.dll
    2010-11-02 05:57:11 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2010-11-02 05:01:31 385024 ----a-w- c:\windows\system32\html.iec
    2010-11-02 04:26:10 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2010-11-02 04:24:44 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    2010-10-28 15:44:56 34304 ----a-w- c:\windows\system32\atmlib.dll
    2010-10-28 13:27:47 292352 ----a-w- c:\windows\system32\atmfd.dll
    2010-10-28 13:20:12 2048 ----a-w- c:\windows\system32\tzres.dll

    ============= FINISH: 17:03:09.79 ===============
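    The DDS log above is the kind of thing a helper reads line by line. As an added example that is not part of this thread or of the DDS tool, here is a small Python script that reads the Pseudo HJT / Firefox lines and flags what a helper would look at first: UAC switched off (EnableLUA = 0), orphaned BHO/toolbar CLSIDs with no file on disk, the unnamed mRun value, the AppInit_DLLs entry (listed twice here), any URL whose host is not on a small allowlist, and a native component loaded from the user-writable Firefox profile. The sample lines are copied from the log in this post, except the last one, which is a constructed hijack line on a .invalid host; the SAFE_HOSTS allowlist, the rules and the severity labels are this example's own assumptions, not anything DDS itself reports.

```python
"""Triage the Pseudo HJT / Firefox lines of a DDS log.

Added example for this thread: it is not part of the original post and not
part of the DDS tool. The allowlist, rules and severity labels are this
example's own assumptions; real triage also checks the file's signer and hash.
"""
import re
from urllib.parse import urlparse

# Hosts a helper would accept as a home/search page or ActiveX download source
# on this machine (assumption, taken from the vendor/search URLs in the log).
SAFE_HOSTS = {
    "www.bing.com", "www.google.com", "search.yahoo.com",
    "en.us.acer.yahoo.com", "java.sun.com",
}

# Sample input: lines copied from the DDS log posted above, plus one constructed
# hijack line (the .invalid host) so the URL rule has something to fire on.
SAMPLE = r"""
uStart Page = hxxp://www.bing.com/?pc=Z016&form=ZGAPHP
mStart Page = hxxp://en.us.acer.yahoo.com
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [<NO NAME>]
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
AppInit_DLLs: c:\windows\system32\guard32.dll c:\windows\system32\guard32.dll
FF - component: c:\users\jessica\appdata\roaming\mozilla\firefox\profiles\tlvu53p1.kellie\extensions\afom@idevfh\components\npAFOM.dll
uSearchURL,(Default) = hxxp://searchhijack.invalid/?q=%s
"""

URL_RE = re.compile(r"hxxps?://\S+")
POLICY_RE = re.compile(r"[um]Policies-\w+: (\w+) = (\d+)")


def refang(url):
    """Turn the hxxp:// defanging used in posted logs back into a parsable URL."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url)


def host_of(url):
    return (urlparse(refang(url)).hostname or "").lower()


def check_line(line):
    """Return (severity, reason) pairs for one report line; empty if nothing stands out."""
    out = []
    m = POLICY_RE.match(line)
    if m and m.group(1) == "EnableLUA" and m.group(2) == "0":
        out.append(("high", "UAC is off (EnableLUA=0): whatever the user runs, "
                            "a fake-AV installer included, starts elevated without a prompt"))
    if re.match(r"(BHO|TB): .*- No File$", line):
        out.append(("low", "orphaned BHO/toolbar CLSID with no DLL on disk; remove the stale registration"))
    if re.match(r"[um]Run: \[<NO NAME>\]", line):
        out.append(("medium", "Run value with an empty name; open the key and inspect the command"))
    if line.startswith("AppInit_DLLs:"):
        # Paths in this log contain no spaces, so a whitespace split is enough here.
        dlls = line.split(":", 1)[1].split()
        reason = "AppInit_DLLs is loaded into every process that links user32.dll; confirm the DLL's signer"
        if len(dlls) != len({d.lower() for d in dlls}):
            reason += " (same DLL listed twice)"
        out.append(("medium", reason))
    m = URL_RE.search(line)
    if m and host_of(m.group(0)) not in SAFE_HOSTS:
        out.append(("medium", "URL host %r is not on the allowlist; possible hijacked "
                              "home/search page or download source" % host_of(m.group(0))))
    if line.startswith("FF - component:") and "\\profiles\\" in line.lower():
        out.append(("medium", "native Firefox component loaded from the user-writable profile; "
                              "check which add-on owns it"))
    return out


def triage(report):
    """Return (severity, reason, line) triples for every flagged line in the report."""
    findings = []
    for raw in report.splitlines():
        line = raw.strip()
        if line:
            findings.extend((sev, why, line) for sev, why in check_line(line))
    return findings


def summarize(findings):
    counts = {"high": 0, "medium": 0, "low": 0}
    for sev, _, _ in findings:
        counts[sev] += 1
    return counts


if __name__ == "__main__":
    order = ("high", "medium", "low")
    for sev, why, line in sorted(triage(SAMPLE), key=lambda f: order.index(f[0])):
        print("[%s] %s\n    %s" % (sev.upper(), why, line))
    print(summarize(triage(SAMPLE)))
```

    Run as-is it reports one high (UAC off), four medium and two low findings for the sample. The EnableLUA rule is the one that matters most for the symptom described in this thread: with UAC disabled, a fake-AV popup that talks the user into running a download gets an elevated process with no prompt. The COMODO guard32.dll entry is legitimate for this machine, so the AppInit rule is phrased as "confirm the signer" rather than "remove"; a helper would resolve it by checking the file, not by deleting the value.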
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    I'll be glad to help with the malware, if you can be more specific about this:
    What was the popup?
    What was the stuff?
    What is happening with the system other than acting slow?

    While you get that together, I'll be checking the logs you left.

    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
  6. kel1987

    It was popups saying that I had viruses, which I know the ads themselves are just trying to get you to download stuff, but last time it happened I did get infected pretty badly with viruses.

    The computer doesn't want to start properly, nothing will really load even basic programs like calculator and notepad.
  7. Bobbye

    I notice you have many addons for Firefox. I checked Fiddler2 for Firefox (3.6.13) and it is not compatible. There is a Beta version, but part of the problem is within Firefox itself. Since you appear to be having system problems, I suggest you uninstall Fiddler2, then restart FF.

    Another addon, AFOM, has very mixed reviews. I'm almost ready to stop using Firefox because of its huge memory consumption, but some say this can cause more memory use. Some also suggested using "Memory Fox" instead.

    Okay, no more clicking on popups that say you have a virus! Let's see how much damage it did:
    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    Download Combofix to your desktop from one of these locations:
    Link 1
    Link 2
    • Double click combofix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes it will open a text window. Please paste that log in your next reply.
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
  8. kel1987

    I could not get Eset to run for more than 10 minutes; then it would completely freeze. I tried 3 times, and 1 time in safe mode.

    ComboFix 11-01-25.01 - Jessica 01/25/2011 20:36:32.5.1 - x86
    Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1013.435 [GMT -5:00]
    Running from: c:\users\Jessica\Desktop\ComboFix.exe
    AV: COMODO Antivirus *Enabled/Updated* {675CEE69-9702-A524-3989-6D7CC8BF3695}
    FW: COMODO Firewall *Enabled* {5F676F4C-DD6D-A47C-12D6-C449366C71EE}
    SP: COMODO Defense+ *Enabled/Updated* {DC3D0F8D-B138-AAAA-0339-560EB3387C28}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    ----- BITS: Possible infected sites -----

    ((((((((((((((((((((((((( Files Created from 2010-12-26 to 2011-01-26 )))))))))))))))))))))))))))))))

    2011-01-26 01:44 . 2011-01-26 01:45 -------- d-----w- c:\users\Jessica\AppData\Local\temp
    2011-01-26 01:44 . 2011-01-26 01:44 -------- d-----w- c:\users\Public\AppData\Local\temp
    2011-01-26 01:44 . 2011-01-26 01:44 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-01-26 00:16 . 2011-01-26 00:16 -------- d-----w- c:\program files\ESET
    2011-01-14 03:42 . 2011-01-17 08:48 -------- d-----w- c:\users\Jessica\AppData\Local\Flock
    2011-01-14 00:59 . 2011-01-14 00:59 -------- d-----w- c:\users\Jessica\AppData\Roaming\SUPERAntiSpyware.com
    2011-01-14 00:59 . 2011-01-14 00:59 -------- d-----w- c:\program files\SUPERAntiSpyware
    2011-01-13 10:35 . 2011-01-13 10:43 -------- d-----w- c:\program files\Software Informer
    2011-01-13 10:35 . 2011-01-13 10:35 -------- d-----w- c:\programdata\ProcessLasso
    2011-01-13 10:34 . 2011-01-13 10:42 -------- d-----w- c:\program files\Process Lasso
    2011-01-11 23:56 . 2010-12-28 15:55 413696 ----a-w- c:\windows\system32\odbc32.dll
    2011-01-11 23:56 . 2010-12-28 15:53 708608 ----a-w- c:\program files\Common Files\System\ado\msado15.dll
    2011-01-11 23:56 . 2010-12-28 15:53 253952 ----a-w- c:\program files\Common Files\System\ado\msadox.dll
    2011-01-11 23:56 . 2010-12-28 15:53 241664 ----a-w- c:\program files\Common Files\System\ado\msadomd.dll
    2011-01-11 23:56 . 2010-12-28 15:53 57344 ----a-w- c:\program files\Common Files\System\msadc\msadcs.dll
    2011-01-11 23:56 . 2010-12-28 15:53 180224 ----a-w- c:\program files\Common Files\System\msadc\msadco.dll
    2011-01-11 23:53 . 2010-12-14 14:49 1169408 ----a-w- c:\windows\system32\sdclt.exe
    2011-01-11 05:16 . 2009-08-12 02:18 497664 ----a-w- c:\windows\system32\ac3filter.acm
    2011-01-11 05:16 . 2011-01-11 05:16 -------- d-----w- c:\program files\AC3Filter
    2011-01-09 05:56 . 2011-01-09 05:56 -------- d-----w- c:\users\Jessica\AppData\Roaming\HamsterSoft
    2010-12-30 01:18 . 2010-12-30 01:18 -------- d-----w- c:\program files\iPod
    2010-12-30 01:18 . 2010-12-30 01:19 -------- d-----w- c:\program files\iTunes

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    2011-01-12 23:16 . 2010-06-01 23:00 285480 ----a-w- c:\windows\system32\guard32.dll
    2011-01-12 23:16 . 2010-06-01 23:00 80064 ----a-w- c:\windows\system32\drivers\inspect.sys
    2011-01-12 23:16 . 2010-06-01 23:00 34744 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
    2011-01-12 23:16 . 2010-06-01 23:00 17256 ----a-w- c:\windows\system32\drivers\cmderd.sys
    2011-01-12 23:16 . 2010-06-04 15:55 236600 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
    2011-01-01 20:07 . 2010-07-19 03:23 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-12-20 23:09 . 2010-07-12 17:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-20 23:08 . 2010-07-12 17:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-11-29 22:38 . 2010-11-29 22:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-11-29 22:38 . 2010-11-29 22:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2010-11-04 18:56 . 2010-12-14 20:31 345600 ----a-w- c:\windows\system32\wmicmiplugin.dll
    2010-11-04 18:55 . 2010-12-14 20:31 352768 ----a-w- c:\windows\system32\taskschd.dll
    2010-11-04 18:55 . 2010-12-14 20:31 270336 ----a-w- c:\windows\system32\taskcomp.dll
    2010-11-04 18:55 . 2010-12-14 20:31 601600 ----a-w- c:\windows\system32\schedsvc.dll
    2010-11-04 16:34 . 2010-12-14 20:31 171520 ----a-w- c:\windows\system32\taskeng.exe
    2010-11-02 06:01 . 2010-12-14 20:30 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-11-02 05:57 . 2010-12-14 20:30 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-11-02 05:57 . 2010-12-14 20:30 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-11-02 05:57 . 2010-12-14 20:30 71680 ----a-w- c:\windows\system32\iesetup.dll
    2010-11-02 05:57 . 2010-12-14 20:30 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2010-11-02 05:01 . 2010-12-14 20:30 385024 ----a-w- c:\windows\system32\html.iec
    2010-11-02 04:26 . 2010-12-14 20:30 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2010-11-02 04:24 . 2010-12-14 20:30 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    2010-10-28 15:44 . 2010-12-14 20:30 34304 ----a-w- c:\windows\system32\atmlib.dll
    2010-10-28 13:27 . 2010-12-14 20:30 292352 ----a-w- c:\windows\system32\atmfd.dll
    2010-10-28 13:20 . 2010-12-14 20:30 2048 ----a-w- c:\windows\system32\tzres.dll

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    *Note* empty entries & legit default entries are not shown

    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-16 815104]
    "COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2011-01-19 2548552]

    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\windows\System32\guard32.dll c:\windows\System32\guard32.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Empowering Technology Launcher.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Empowering Technology Launcher.lnk
    backup=c:\windows\pss\Empowering Technology Launcher.lnk.CommonStartup

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Orbit.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Orbit.lnk

    [HKLM\~\startupfolder\C:^Users^Jessica^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Acer Product Registration.lnk]
    path=c:\users\Jessica\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Acer Product Registration.lnk
    backup=c:\windows\pss\Acer Product Registration.lnk.Startup

    [HKLM\~\startupfolder\C:^Users^Jessica^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Logitech . Product Registration.lnk]
    path=c:\users\Jessica\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Logitech . Product Registration.lnk
    backup=c:\windows\pss\Logitech . Product Registration.lnk.Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
    %ProgramFiles%\Windows Defender\MSASCui.exe -hide [X]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Assist Launcher]
    2007-02-02 18:05 1261568 ----a-w- c:\program files\Acer Assist\launcher.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Product Registration]
    2007-02-02 19:24 3383296 ----a-w- c:\program files\Acer Registration\ACE1.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Tour Reminder]
    2007-01-17 17:01 151552 ----a-w- c:\acer\AcerTour\Reminder.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ContentTransferWMDetector.exe]
    2009-11-19 22:15 583016 ----a-w- c:\program files\Sony\Content Transfer\ContentTransferWMDetector.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
    2010-09-16 20:04 1164584 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eDataSecurity Loader]
    2007-02-07 08:04 464168 ----a-w- c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eDSMSNfix]
    2007-02-08 17:40 13312 ----a-w- c:\acer\Empowering Technology\eDSMSNfix.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
    2008-02-12 00:13 166424 ----a-w- c:\windows\System32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2009-11-18 21:13 54576 ----a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
    2008-02-12 00:13 141848 ----a-w- c:\windows\System32\igfxtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
    2005-08-11 19:30 249856 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    2005-08-11 19:30 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2010-12-13 22:16 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
    2006-12-08 19:16 65536 ----a-w- c:\hp\KBD\KbdStub.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
    2007-01-11 07:47 483328 ----a-w- c:\progra~1\LAUNCH~1\QtZgAcer.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
    2009-10-14 17:36 2793304 ----a-w- c:\program files\Logitech\Logitech WebCam Software\LWS.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
    2007-01-09 08:55 151552 ----a-w- c:\program files\Acer\Acer Arcade\PCMService.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
    2008-02-12 00:13 133656 ----a-w- c:\windows\System32\igfxpers.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
    2009-03-05 20:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-05-14 15:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
    2010-12-14 20:02 2424560 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
    2008-01-19 07:33 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2236743762-159487141-3334895427-1000]

    R3 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    R3 WsAudioDevice_383;WsAudioDevice_383;c:\windows\system32\drivers\WsAudioDevice_383.sys [2008-11-19 16640]
    R4 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
    S1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\DRIVERS\cmderd.sys [2011-01-12 17256]
    S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2011-01-12 236600]
    S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [2011-01-12 34744]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - axrdrfoc

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    Contents of the 'Scheduled Tasks' folder

    2011-01-25 c:\windows\Tasks\SmartDefrag.job
    - c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2010-07-12 22:08]
    ------- Supplementary Scan -------
    uStart Page = hxxp://www.bing.com/?pc=Z016&form=ZGAPHP
    uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    uDefault_Search_URL = hxxp://www.google.com/ie
    mStart Page = hxxp://en.us.acer.yahoo.com
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
    IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
    IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
    IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
    FF - ProfilePath - c:\users\Jessica\AppData\Roaming\Mozilla\Firefox\Profiles\tlvu53p1.Kellie\
    FF - prefs.js: browser.startup.homepage - facebook.com
    FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z016&form=ZGAADF&q=
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: FaviconizeTab: faviconizetab@espion.just-size.jp - %profile%\extensions\faviconizetab@espion.just-size.jp
    FF - Ext: NoSquint: nosquint@urandom.ca - %profile%\extensions\nosquint@urandom.ca
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: WebMail Notifier: {37fa1426-b82d-11db-8314-0800200c9a66} - %profile%\extensions\{37fa1426-b82d-11db-8314-0800200c9a66}
    FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    FF - Ext: Tiny Menu: {d33c2f7c-b1e6-4d46-ab0e-be1f6d05c904} - %profile%\extensions\{d33c2f7c-b1e6-4d46-ab0e-be1f6d05c904}
    FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true);user_pref(general.useragent.extra.brc,
    - - - - ORPHANS REMOVED - - - -

    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    MSConfigStartUp-Bing Bar - c:\program files\MSN Toolbar\Platform\6.3.2348.0\mswinext.exe
    MSConfigStartUp-Macro Manager - c:\program files\GrassSoft\Mouse Recorder\MacroManager.exe
    MSConfigStartUp-Microsoft Default Manager - c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe


    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-01-25 20:45
    Windows 6.0.6002 Service Pack 2 NTFS

    detected NTDLL code modification:
    ZwClose, ZwOpenFile

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    --------------------- LOCKED REGISTRY KEYS ---------------------

    @Denied: (A 2) (Everyone)




    @Denied: (A 2) (Everyone)



    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(588)

    - - - - - - - > 'lsass.exe'(628)
    Completion time: 2011-01-25 20:49:45
    ComboFix-quarantined-files.txt 2011-01-26 01:49
    ComboFix2.txt 2010-10-21 02:29

    Pre-Run: 43,724,197,888 bytes free
    Post-Run: 43,699,539,968 bytes free

    - - End Of File - - 6387C9F862EC06F7898B13026DDAB07C
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Per the instructions, security programs are supposed to be disabled before running Combofix. You left them running. Per the instructions, the AV program is supposed to be disabled before running the Eset scan. If you did not do this, that is the reason why the scan won't progress. There is also a chance that an ActiveX object included in a rootkit may be preventing the scan.

    catchme in Combofix: Showing this entry:
    detected NTDLL code modification:
    ZwClose, ZwOpenFile

    This may refer to the Gromozon_Rootkit

    Please run the Gromozon Rootkit Removal Tool. It should be saved to the desktop and run from there. This is a small utility that can rapidly detect and remove the Gromozon rootkit.

    Please follow any prompts given and include log in next reply.
  10. kel1987

    kel1987 TS Rookie Topic Starter Posts: 75

    I did disable them before I started the scans so I'm not sure why it's saying they were enabled. I tried the Gromozon link you gave me and it says it is expired.
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Well that's weird! That entire page had the download information when I left the link!

    Try this link from PREVX.

    They wrote the program and it's working now.
  12. kel1987

    kel1987 TS Rookie Topic Starter Posts: 75

    Well, I downloaded it and it won't run; it opens up, I hit Run, and nothing happens :s
  13. kel1987

    kel1987 TS Rookie Topic Starter Posts: 75

    I've given a few more attempts to get the program to work, tried in safe mode, with antivirus programs turned off and everything. Still no luck.

    Thanks for the help so far though :) I'm hoping to get this issue resolved soon, the computer is driving me nuts lmfao
  14. kel1987

    kel1987 TS Rookie Topic Starter Posts: 75

    Am I still going to be able to get help with this? :s
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Yes, you're going to get help. I have been busy helping other members. And I did take a bit of time out to eat and sleep> that's what's good about being a volunteer> I can do that without being docked pay!

    When people only give us information like this:
    it takes longer to get a handle on the cause and resolution.
    The computer is slow because you have everything that's installed on the computer starting on boot>then running in the background>> slow load, slow shutdown, excess use of RAM.

    But you did it again!

    This doesn't point to malware as much as system problems>What maintenance other than defrag do you do on the system? Error check? When was the last time you did it?
    Since you can't run the other program, please run this:
    • Download the file TDSSKiller.zip and save to the desktop.
      (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
    • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
    • Double-click on TDSSKiller.exe to run the scan.
    • When the scan is over, the utility outputs a list of detected objects with description.
      The utility automatically selects an action (Cure or Delete) for malicious objects.
      The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
    • Select the action Quarantine to quarantine detected objects.
      The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
    • After clicking Next, the utility applies selected actions and outputs the result.
    • A reboot is required after disinfection.
  16. kel1987

    kel1987 TS Rookie Topic Starter Posts: 75

    Wow no need AT ALL to be rude.

    You are obviously reading the logs wrong because I DO NOT have everything starting on boot, I do know a few things about computers! Want me to prove it? I'll attach screen shots of MSCONFIG. As of now I only have 40 processes running, which is down from well over 70.

    And let me clarify, since you seem to have problems understanding what I originally said. I was searching stuff on google. I clicked on a link from google that automatically opened a bunch of pop ups. I DID NOT click on any of the pop ups. I immediately shut my machine off and disconnected the internet asap, waited a while, then got back on.

    I do all the maintenance on my computer often, usually about once every 2 weeks. Again, I do know something about computers and maintaining them, but when you get a virus, malware, what have you, then that is when I have problems, especially when the programs I use don't solve the issue.
  17. kel1987

    kel1987 TS Rookie Topic Starter Posts: 75

    Scan came back clean.

    But as I restarted my Firefox it popped up and said something about an add-on that was malware; the name was Feeder, but I haven't installed anything and it's not showing up in my add-on list.
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Using just the search term Feeder the only identification I can find is:
    Feeder is an award-winning Welsh rock band that formed in Newport, Wales in 1992.

    You can try doing these 2 things:
    1. I note you have AdBlockPlus> good> add the following for better blocking:
    Easy List

    2. Block the 'feeder' domain: Open Firefox> Tools> Advanced> Check 'Allow Cookies from sites'> Click on Exceptions> type this in and click on Block.
    The following Registry entries show programs or apps on the Startup menu and/or msconfig:
    Please see the following reply for instructions for Cleaning out those unwanted msconfig files:
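Bobbye's remark about registry entries showing what is on the Startup menu or in msconfig refers to the `msconfig\startupreg` section of the ComboFix log posted earlier in the thread. The following Python script is an added example, not part of the thread and not ComboFix's own code: it parses that section (key header followed by a `date time size attributes path` line, as the log shows), and flags two things a reviewer would want to look at first: entries whose attribute field differs from the common `----a-w-` pattern (TeaTimer's `--sha-r-` in this log) and command paths written with 8.3 short names such as `progra~1`, which hide the real directory. The sample log is a handful of lines copied from the log above; the field layout assumed by the regular expressions is inferred from those lines, and no meaning is assigned to the individual attribute letters.

```python
"""Parse the msconfig 'startupreg' section of a ComboFix log.

Added example for this thread (not ComboFix's own code). Assumed layout, taken
from the log posted in the thread: each disabled startup item appears as a
bracketed key under HKLM\software\microsoft\shared tools\msconfig\startupreg\<name>
followed by one line of the form
    <yyyy-mm-dd> <hh:mm> <size> <8-char attribute field> <path>
"""
import re
from collections import Counter
from dataclasses import dataclass

HEADER_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig"
    r"\\startupreg\\(?P<name>[^\]]+)\]$",
    re.IGNORECASE,
)
DETAIL_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) (?P<size>\d+) "
    r"(?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
# 8.3 short names (progra~1, LAUNCH~1) hide which directory a binary really lives in.
SHORT_NAME_RE = re.compile(r"~\d")

# Constructed sample: a few entries copied from the ComboFix log in this thread,
# plus one non-startupreg key that the parser must skip.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Tour Reminder]
2007-01-17 17:01 151552 ----a-w- c:\acer\AcerTour\Reminder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-12-13 22:16 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
2007-01-11 07:47 483328 ----a-w- c:\progra~1\LAUNCH~1\QtZgAcer.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 20:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2010-12-14 20:02 2424560 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"""


@dataclass
class StartupEntry:
    name: str   # msconfig item name (last component of the key)
    date: str   # file date as ComboFix prints it
    size: int   # file size in bytes
    attrs: str  # ComboFix attribute field, e.g. ----a-w-
    path: str   # command path as recorded in the registry


def parse_startupreg(log_text: str) -> list[StartupEntry]:
    """Return every startupreg key that has a detail line directly beneath it."""
    lines = [ln.strip() for ln in log_text.splitlines()]
    entries: list[StartupEntry] = []
    for header, detail in zip(lines, lines[1:]):
        h = HEADER_RE.match(header)
        d = DETAIL_RE.match(detail) if h else None
        if h and d:
            entries.append(StartupEntry(h["name"], d["date"], int(d["size"]), d["attrs"], d["path"]))
    return entries


def unusual_attributes(entries: list[StartupEntry]) -> list[StartupEntry]:
    """Entries whose attribute field differs from the most common one in the log.

    The letters are treated as opaque; the point is only to surface outliers.
    """
    if not entries:
        return []
    common = Counter(e.attrs for e in entries).most_common(1)[0][0]
    return [e for e in entries if e.attrs != common]


def short_name_paths(entries: list[StartupEntry]) -> list[StartupEntry]:
    """Entries whose command path uses 8.3 short names and should be resolved."""
    return [e for e in entries if SHORT_NAME_RE.search(e.path)]


def report(entries: list[StartupEntry]) -> list[str]:
    """One summary line plus one line per entry, oldest binary first, with review flags."""
    odd = {e.name for e in unusual_attributes(entries)}
    short = {e.name for e in short_name_paths(entries)}
    out = [f"{len(entries)} startup items disabled via msconfig"]
    for e in sorted(entries, key=lambda x: x.date):
        flags = [f for f, hit in (("ATTRS", e.name in odd), ("8.3-PATH", e.name in short)) if hit]
        suffix = f"  [{', '.join(flags)}]" if flags else ""
        out.append(f"{e.date}  {e.size:>9}  {e.attrs}  {e.name}: {e.path}{suffix}")
    return out


if __name__ == "__main__":
    print("\n".join(report(parse_startupreg(SAMPLE_LOG))))
```

Run against a full ComboFix log the script lists every item msconfig has disabled, which is exactly the set the later posts argue about; the two flags do not say an entry is malicious, only that it deserves a second look (an 8.3 path should be resolved to its long name, and an attribute outlier should be compared with what the vendor's installer normally writes).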
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Cleaning out those unwanted msconfig files
    This may require you to edit the registry. Doing this incorrectly can cause permanent damage to your operating system, and should therefore be done with extreme caution. Follow these steps to make a backup copy of your registry in case something does go wrong.
    1. Click the Start Menu.
    2. Go to Run.
    3. Type "regedit" without the quotes, and hit enter.
    4. Click the "Registry" (or "File") menu
    5. Click "Export Registry File..."
    6. Choose an easy to remember place to save the file and give it a name.
    7. At the bottom of that box, under Export Range, are 2 buttons, click the one that says "All", and then click Save.

    Now that this is done, navigate through the Registry like you navigate your hard drive in Windows Explorer.
    1. In the left pane, go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    2. In the right pane, find the name of a program you want to remove from your msconfig (look at msconfig if need be), and click on it.
    3. Hit the delete key on your keyboard, and click Yes in the resulting dialog.
    4. Close MSconfig (if it is open) and then reopen it. If the file is still there it is located somewhere else, if not, repeat the above steps for the rest of the ones you want removed from msconfig.
    I hope this is helpful. If you have any more information on the 'Feeder' popup, it would help identify the source.
  20. kel1987

    kel1987 TS Rookie Topic Starter Posts: 75

    I have Easy List installed already.
    I googled the feeder thing and it popped up recipe.feeder. IDK

    Also tried the msconfig clean out, followed the steps and when I got to run nothing but DEFAULT popped up in the right side panel.
  21. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Wish you'd share more of your information. Are you saying that you're being directed to a recipe site?

    You saw the Registry entries on Startup. So 'Default' is what is coming up?
  22. kel1987

    kel1987 TS Rookie Topic Starter Posts: 75

    This is what I found when I looked up Feeder: Adware.RecipeFeeder
    I am not being redirected or anything just my PC is running very slow since the original pop up.

    When I went to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, in the right panel all that pops up is Default, REG_SZ, value not set.
  23. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    You're slow because you have too many processes running.
    Custom CFScript

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt. Please paste it into your next reply.
    Click on Control Panel> Internet Options> Security tab> Restricted Sites> Sites> type the following in, then Add to Restricted Sites:
    To remove entries from Startup using the msconfig utility:
    • Click on Start> Run> type in msconfig> enter>
    • Click on Selective Startup
    • Choose the Startup tab:
      This is where you UNCHECK the Startup items. This does not remove the item or uninstall anything> it just stops it from starting on boot. It can be rechecked at any time if wanted.
    • To expand the Command Column, (this shows what the process 'belongs' to) hold left mouse button down on the dividing line on frame above Location and move to the right to expand.

      Uncheck everything except the antivirus, firewall if using a 3rd party firewall, touchpad if on a laptop, and network processes if using Pure Network (Citrix). This includes all HP Digital Imaging.
    • Click on Apply> OK when finished.

    When you reboot the system the first time after making changes using the msconfig utility, a nag message comes up that can be ignored and closed after checking 'don't show this message again.'
    Once you make changes to the Startup menu, you must remain in Selective Startup to retain those changes. If you go back to Normal Startup, everything you unchecked will be checked again and start on boot.
    Download HijackThis and save to your desktop.
    • Extract it to a directory on your hard drive called c:\HijackThis.
    • Then navigate to that directory and double-click on the hijackthis.exe file.
    • When started click on the Scan button and then the Save Log button to create a log of your information.
    • The log file will then open in Notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
  24. kel1987

    kel1987 TS Rookie Topic Starter Posts: 75

    As I have ALREADY stated I do not have everything running at startup. I have already turned most all programs off from MSCONFIG! I have attached pictures to show proof!

    As of now I only have 36 processes running with Firefox open.

    I will follow the other steps now.

    Attached Files:

  25. kel1987

    kel1987 TS Rookie Topic Starter Posts: 75

    When trying to follow the Combofix instructions this is what I get each time.

    Attached Files:
