Possible infection due to weird system behavior

Hello,

I have this weird problem with my internet connection. Sometimes after X time my Firefox browser cannot connect to any page. It keeps on waiting. I can access menus and close the application. Problem is that the process is still running and I cannot kill it via Task Manager or Sysinternals Process Explorer. The process seems legit as it is pointing to C:\program files\mozilla foundation\firefox.exe.
I searched the internet and came up with several scary articles telling me that I have a rootkit/malware infection.
But the process is not killed and reappearing. It just does not disappear.
When I get this behavior, most of the time I can use the internet using IE, but sometimes IE’s process iexplore.exe also cannot be killed.
I can ping, tracert, and if I have a VPN connection open, I can continue to work on that. Just port 80 is not accessible.

So I downloaded Superantispyware, Ad-aware, McAfee Stinger and installed them.
I used AVG AV and ZoneAlarm firewall.
I updated all definitions and scanned my system with
Superantispyware, Ad-aware, AVG and Stinger in normal mode and safe mode.
All came up empty.
I even tried Panda’s online scanner and that came up empty.

The problem persisted. I had to reboot in order to use my browser(s) again.

I have uninstalled ZoneAlarm and AVG and replaced them with
Comodo IS (firewall only)
Avast! antivirus

Avast did a boottime scan after install and reported no issues
Comodo did a scan and found a Backdoor.Trojan.NetBot in WMFDist.exe in 4 locations. All Acer Deluxe (my laptop) programs. No other AVs reported errors on them. I got scared, panicked and let Comodo delete the files.

I put Comodo in paranoid mode and it asked permission for everything. Very good. I have not experienced my Firefox problem just yet, but my question is:
Do I need to take more steps in order to be absolutely sure that I do not have rootkits or anything nasty on my system? Can a rootkit hide so well that AVG, ZA, SuperAntiSpyware, Ad-aware, Panda online scanner, Stinger, Avast (with boot-time scanner) and Comodo are all fooled?

I can’t say I’m an expert, but…
Believe me, zero-day viruses can be deadly; botnets and rootkits are the viruses of the future and have only recently been able to be removed (e.g. Microsoft’s Malicious Removal Tool for Feb. 2009 has been able to stop some botnets).

I would suggest downloading and running the MS Removal Tool from here:
http://www.microsoft.com/downloads/details.aspx?familyid=ad724ae0-e72d-4f54-9ab3-75b8eb148356&displaylang=en

Next thing that is generally asked for is HijackThis logs. You can run HijackThis and post your logs here. The download is from TrendMicro: Download Free Tools | Trend Micro

Or if you’re feeling really ambitious you can run a program such as ComboFix from Bleeping Computer: ComboFix: A guide and tutorial on using ComboFix
It will create a HijackThis log and attempt to remove suspicious files. BUT I would only suggest running it if you have any more problems, because it is quite powerful and is generally only used with tech supervision.

I hope this information helps until a Comodo Tech arrives(grue155, eXperience, 3x, etc.) :slight_smile:

Edit: BTW, you mentioned VPN. Perhaps it’s just me, but VPN can be one of the most insecure things on a computer, allowing anyone or any bot to log in past your firewall or router if not properly configured… just a thought. :-/

I doubt whether you have a problem, the Acer files were false positives from heuristics.

If you want to do a scan for rootkits for peace of mind you could use Gmer:
http://www.gmer.net/index.php
Or FSecure Blacklight:
http://www.f-secure.com/security_center/

It is not recommended to use Combofix unless you have special training, it can make your system unusable. It should only be used with supervision from an experienced HijackThis helper.

Comm512,

I’m glad Comodo did find some malware that others missed and it’s good Firefox is working again. As JamesFrance suggested, good anti-rootkit tools are indeed GMER and BlackLight.

On the other hand, however, it’s always much better to prevent something than to detect something (real-time detection or manual/on-demand if your system is infected). Comodo Internet Security uses a 3-layered approach, where prevention comes first. No detection solution can keep up with the latest malware; prevention (HIPS - Defense+) is CIS’s first layer of defense, followed by detection (antivirus).

I see you are running Comodo Firewall only & Avast! AV. That’s good enough. You still have a prevention layer there, so you know who is trying to “knock on your door” (enter your PC), and you are able to determine that unrecognized malware is probably a bad file (not detected by your Avast! but caught by Defense+). Both Malwarebytes’ Anti-Malware & SUPERAntiSpyware are excellent on-demand scanners and I highly suggest keeping them. You can get rid of Stinger & Ad-aware.

If you really want someone to help check your PC now to see if everything is OK, you can PM me your MSN or download Comodo EasyVPN so I can help you identify any problems you’re having.

Cheers,
Josh

Hi Josh,

Those Acer files were FPs, I had them too on my Acer notebook. They are not detected now with the updates.

Try uninstalling Comodo and reinstalling it. I had a similar problem after a Windows update, and installing a fresh version of Comodo fixed it. I think I might have denied an action that was requested in a Comodo ‘pop-up box’, which stopped the installation of the Windows update. The easiest way to remedy it was to reinstall Comodo.