How do I remove win.32/cryptor, TR/Crypt.XPACK.Gen, and Malware.gen?


  • This topic is locked This topic is locked

#31 Crag_Hack (Trusted Helper, Malware Removal, 1,839 posts)
Hi thhenry. Your Combofix log looks clean. The next step is to run a special rootkit scanner called GMER. Please do the following:

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any
"<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.
Post the contents of GMER.txt in your next reply.

Try using your computer for a while and see if it is still slow. How long do programs take to start up now? How long to boot your computer? How long did it take before for these actions?
#32 Crag_Hack (Trusted Helper, Malware Removal, 1,839 posts)
Also are there any other symptoms besides slowness?

#33 thhenry (Member, Topic Starter, 26 posts)
Hi, my computer seems to be fine besides the slowness. Now it is not that slow; it takes 5 seconds to pull up a program. It is much faster than it was when I first got the virus. Thank you so much. Before it took about 30 seconds to open a program. If there are any leftover viruses please let me know. Thank you

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-02-27 17:07:20
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 WDC_WD16 rev.01.0
Running: gmer.exe; Driver: C:\DOCUME~1\Acer\LOCALS~1\Temp\kgldrpob.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xA0845F3C]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xA0845FE4]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xA0846080]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xA084611C]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1872] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 00158970

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\Explorer.EXE[504] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!FreeLibraryAndExitThread] [10001F00] C:\Program Files\EgisTec MyWinLocker\x86\psdprotect.dll (PSD DragDrop Protection/Egis Technology Inc.)
IAT C:\WINDOWS\Explorer.EXE[504] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!CreateThread] [10002AC0] C:\Program Files\EgisTec MyWinLocker\x86\psdprotect.dll (PSD DragDrop Protection/Egis Technology Inc.)
IAT C:\WINDOWS\Explorer.EXE[504] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [100011D0] C:\Program Files\EgisTec MyWinLocker\x86\psdprotect.dll (PSD DragDrop Protection/Egis Technology Inc.)
IAT C:\WINDOWS\Explorer.EXE[504] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!CopyFileExW] [10001F70] C:\Program Files\EgisTec MyWinLocker\x86\psdprotect.dll (PSD DragDrop Protection/Egis Technology Inc.)
IAT C:\WINDOWS\Explorer.EXE[504] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [10002E10] C:\Program Files\EgisTec MyWinLocker\x86\psdprotect.dll (PSD DragDrop Protection/Egis Technology Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mwlPSDFilter.sys (PSD Filter Driver/Egis Incorporated.)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device \FileSystem\Fastfat \Fat kmixer.sys (Kernel Mode Audio Mixer/Microsoft Corporation)

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \FileSystem\Fastfat \Fat mwlPSDFilter.sys (PSD Filter Driver/Egis Incorporated.)

---- EOF - GMER 1.0.15 ----

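Reading a GMER log by hand means asking, for every SSDT hook, inline patch, IAT redirection and attached filter device, which product is responsible and whether GMER could name it at all. The parser below is an added example for this thread (not GMER's own code): it splits the log into its `---- ... ----` sections, parses the four entry shapes seen in the log above, groups them by the vendor string GMER prints in parentheses, and lists the entries GMER could not attribute, which are the ones a helper has to resolve by hand. The sample log is constructed in the same layout as the one posted; the `unknown.sys` line is invented purely to show an unattributed SSDT entry being surfaced.

```python
"""Parse a GMER rootkit-scan text log and group hooks/filters by the vendor GMER names."""
import re
from collections import defaultdict

# Constructed sample in the layout of GMER 1.0.15 output. The `unknown.sys` SSDT line
# is invented so that an entry with no vendor string shows up in the review list.
SAMPLE_LOG = r"""GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-02-27 17:07:20

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xA0845F3C]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xA0845FE4]
SSDT \SystemRoot\system32\DRIVERS\unknown.sys ZwCreateFile [0xA0847000]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1872] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 00158970

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\Explorer.EXE[504] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!FreeLibraryAndExitThread] [10001F00] C:\Program Files\EgisTec MyWinLocker\x86\psdprotect.dll (PSD DragDrop Protection/Egis Technology Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----
"""

# Section banner, e.g. "---- System - GMER 1.0.15 ----"
SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
# SSDT <driver> (<description/vendor>) <Zw function> [<address>]
SSDT_RE = re.compile(
    r"^SSDT\s+(?P<module>\S+)(?:\s+\((?P<desc>[^)]*)\))?\s+(?P<target>Zw\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]")
# .text <process>[pid] <module!function> <address> <n> Bytes <patch>
TEXT_RE = re.compile(
    r"^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+(?P<target>\S+)\s+(?P<addr>[0-9A-Fa-f]+)\s+(?P<nbytes>\d+)\s+Bytes\s+(?P<patch>.*)$")
# IAT <process>[pid] @ <importing dll> [<imported function>] [<address>] <redirect module> (<description/vendor>)
IAT_RE = re.compile(
    r"^IAT\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+@\s+(?P<importer>\S+)\s+\[(?P<target>[^\]]+)\]\s+\[(?P<addr>[0-9A-Fa-f]+)\]\s+(?P<module>.+?)(?:\s+\((?P<desc>.*)\))?$")
# AttachedDevice <driver object> <device object> <filter driver> (<description/vendor>)
DEVICE_RE = re.compile(
    r"^AttachedDevice\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+(?P<module>\S+)(?:\s+\((?P<desc>.*)\))?$")

PATTERNS = (("SSDT", SSDT_RE), ("inline", TEXT_RE), ("IAT", IAT_RE), ("AttachedDevice", DEVICE_RE))


def split_vendor(desc):
    """GMER prints '(file description/company name)'; split it into (description, company)."""
    if not desc:
        return None, None
    if "/" in desc:
        description, vendor = desc.rsplit("/", 1)
        return description.strip(), vendor.strip()
    return desc.strip(), None


def parse_gmer_log(text):
    """Return one dict per recognised entry, tagged with its section, kind, target and vendor."""
    entries = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        banner = SECTION_RE.match(line)
        if banner:
            section = banner.group(1)
            continue
        for kind, pattern in PATTERNS:
            m = pattern.match(line)
            if m:
                fields = m.groupdict()
                description, vendor = split_vendor(fields.pop("desc", None))
                entry = {"section": section, "kind": kind, "description": description, "vendor": vendor}
                entry.update(fields)
                # Inline/SSDT/IAT entries name a hooked function; device entries name the filtered device.
                entry["target"] = fields.get("target") or fields.get("device")
                entries.append(entry)
                break
    return entries


def by_vendor(entries):
    """Group 'kind:target' labels under the vendor GMER attributed them to."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["vendor"] or "(no vendor recorded)"].append(f'{e["kind"]}:{e["target"]}')
    return dict(groups)


def unattributed(entries):
    """Entries GMER could not tie to a vendor: the ones a reviewer must identify by hand."""
    return [e for e in entries if e["vendor"] is None]


if __name__ == "__main__":
    found = parse_gmer_log(SAMPLE_LOG)
    for vendor, targets in by_vendor(found).items():
        print(f"{vendor}: {', '.join(targets)}")
    for e in unattributed(found):
        print(f"REVIEW [{e['section']}] {e['kind']} {e['target']}: no vendor string, identify the owning module")
```

On the log posted above, every SSDT hook and filter device resolves to AVG, Egis (the Acer MyWinLocker drivers) or Microsoft; only the inline `.text` patch in LDSvc.exe has no vendor string, because GMER does not attribute inline patches, and that is exactly the kind of entry the helper has to judge from context rather than from the log alone.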

#34 Crag_Hack (Trusted Helper, Malware Removal, 1,839 posts)
Do you know at what point the computer started running quickly again? What tools did we run before that happened? Just curious, thanks :)

#35 Crag_Hack (Trusted Helper, Malware Removal, 1,839 posts)
Everything looks good now; I don't see any evidence of any malware. Now that we're done scanning for and disinfecting malware it's time to clean up. Please use your computer for a couple of hours at least and make sure there are no remaining symptoms. If there are no symptoms, proceed with the following instructions. One final step to take in disinfecting your computer is to purge all system restore points. This ensures that you will not get reinfected by files hiding in the system restore points. To do this follow these instructions:

  • Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :Commands
    [ClearAllRestorePoints]
  • Then click the Run Fix button at the top
  • OTL may ask to reboot the machine. Please do so if asked.
  • Post the log it produces in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.

You can now remove all the tools that were used to disinfect your computer by running OTL and clicking the CleanUp button.

Now that your computer is disinfected it is important to keep it that way. What follows are guidelines to keeping your computer malware-free.

You absolutely must have an antivirus program installed. This is important because the antivirus program runs in the background of the computer and prevents viruses from both infecting the computer and doing malicious things to the computer. This can prevent many infections in the first place. Just as a city without police would be chaotic, so would a computer without an anti-virus program. I recommend the free programs Avira AntiVir Personal and avast! Free Anti-Virus or the paid programs Bit Defender Anti-Virus and Kaspersky Anti-Virus. Also make absolutely sure to only have one anti-virus installed, as more than one can slow your computer, create software conflicts, and increase your vulnerability to viruses and malware.


It is also advised to have an anti-spyware program as well. I recommend the paid version of Malwarebytes' Anti-Malware. This program complementing your anti-virus can protect your computer from most infections out there. Make absolutely sure to only have one anti-spyware installed as more than one can slow your computer, create software conflicts, and increase your vulnerability to viruses and malware.

A program to complement your anti-virus and anti-spyware with passive protection is SpywareBlaster. SpywareBlaster is not a malware scanner or removal tool and uses no system resources except a little disk space. It does a great job of preventing malware from being installed in the first place! It blocks the popular spyware ActiveX controls, and also prevents the installation of any of them from malicious websites. You can download it here. To use it to protect your computer, install it, then do the following regularly at your convenience (once a week is adequate):
  • Run SpywareBlaster
  • Click Updates on the left of the screen
  • Click the 'Check for Updates' button and let the program update
  • Click 'Protection Status' on the left of the screen
  • Click 'Enable All Protection' on the bottom of the screen and SpywareBlaster will implement its protection
  • Exit the program

Another important thing to have installed is a firewall to secure communications to and from your computer. The firewall prevents inbound communications from the Internet to your computer that could be malicious in nature. Some firewalls also regulate outbound communications from your computer to the Internet that could be malicious as well. Inbound communications can take advantage of security holes in software running on your computer to gain control of your computer and infect you with malware. Outbound communications can be from malware on your computer to malicious websites on the Internet, containing information about your computer usage and even your passwords. For these reasons it is essential to the security of your computer to install a firewall. Make sure to only install one firewall as any more than that would prove to be redundant - one firewall is just as effective as multiple ones. Also more than one firewall could cause software conflicts. This applies to the Windows firewall as well - if you use a third-party firewall make sure to disable the Windows firewall. I recommend ZoneAlarm Free Firewall or Comodo Firewall as free solutions or Outpost Firewall Pro as a paid solution.

Besides these measures, an equally important step to take to protect your computer from malware is to update all programs regularly and do Windows Updates as well. Windows, Java, Adobe Flash, PDF readers, and other programs have security holes in them that leave your computer vulnerable to malicious code from hackers that could infect your computer with malware when taken advantage of. For this reason it is important to always update programs when prompted. Windows Updates is enabled by default in Windows and Java, Flash, and others have auto-update programs enabled by default as well. You will not have to worry about setting up the auto-update feature for these programs unless you altered the settings to begin with. Make sure as well to never update a program via e-mail - companies will never send e-mails to update their products. In order to help you update programs you might want to download and run FileHippo.com Update Checker from here. This program will tell you which programs need to be updated. Instructions for automating Windows Updates follow:

1. Right click My Computer and select properties
2. Select the automatic updates tab
3. Select the automatic option and configure appropriately

One last thing to consider is to exercise caution when browsing the web and viewing e-mails. Try to stay away from non-reputable websites including websites for software piracy and pornography. By staying away from these websites you decrease your chances of malware infection significantly. To help you exercise caution in your browsing habits you can download and install Web of Trust into your web browser here. This program will install in your browser and color code the website you are viewing to inform you if it is safe or not; green means safe, yellow means proceed with caution, and red means danger. Viewing e-mails should also be done with caution. If you don't recognize an email as one from a known or requested source then you will be safer to avoid opening it. File attachments should be opened only with extreme caution as they can contain files that exploit security holes on your computer and infect you with malware. Never open an attachment unless you are expecting it or you verify that the sender intended to send it to you. Also make sure to scan the attachment before opening it.

You might want to use an alternate browser than Internet Explorer. Firefox and Google Chrome are excellent candidates. They are more secure than Internet Explorer and are just as functional. You can download Google Chrome here and Firefox here.

Something just as important as preventing infection by malware is to backup your data. You can read about different methods here.

Some articles you might be interested in reading to reiterate points I have addressed in this post as well as make new points follow:

By following these steps you should ensure that you most likely will never get infected with malware again. Good luck and safe browsing!

-Josh

#36 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.

#37 thhenry (Member, Topic Starter, 26 posts)
Hi, sorry for the late response; I have been very busy with school lately. Unfortunately I can't seem to find the C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log file. If you could direct me I would really appreciate it. Also I have installed a few programs that you recommended. First, I think I was instructed to download SpywareBlaster before your last post. Second, I also downloaded Avast. Then I downloaded Comodo Firewall. It seems like my computer is kind of slower and takes longer to open programs. I think it is because of the different programs that I have, like you mentioned. Also I wanted to ask if you knew of another program that I could download for an anti-spyware program. I downloaded Malwarebytes Anti-Malware but I am currently on the trial. I know you have to pay to get the actual program but I do not have the money to spend on that. So my question is, is there any anti-spyware program that is good quality and also free?

Thank you

#38 Crag_Hack (Trusted Helper, Malware Removal, 1,839 posts)
I have a quick question for you first - did you uninstall AVG before you installed Avast? Multiple antiviruses can significantly slow your computer. Also Malwarebytes will probably slow your computer a little too but probably not as much.

#39 thhenry (Member, Topic Starter, 26 posts)
Yes I did. So should I delete Malwarebytes?

#40 Crag_Hack (Trusted Helper, Malware Removal, 1,839 posts)
Hi thhenry. The reason you can't find the OTL log is probably because you told it to clean up after you ran the ClearAllRestorePoints fix, and it therefore deleted the log. If the fix with ClearAllRestorePoints completed successfully there is nothing to worry about, but we can run it again if you want. I don't like to clear restore points because they can help in certain circumstances, so if you are confident you ran and completed the OTL fix let's leave it alone. Try uninstalling Malwarebytes and see if things speed up a little. I will get back to you soon about free anti-spyware programs. One I know of is SpywareGuard but I have no experience with it. It will slow your computer a little as well, seeing as it adds a real-time detection component that uses system resources.
#41 thhenry (Member, Topic Starter, 26 posts)
Yes, I would feel comfortable scanning it once again so I am sure that everything was done correctly. Also, is it possible that between SpywareBlaster, Comodo Dragon, Comodo Firewall, Comodo GeekBuddy, Avast and Malwarebytes there was some type of conflict that made my computer slower? I have not uninstalled Malwarebytes yet but I will after I post this and let you know if it helped. And okay, thank you, I appreciate you looking into another free anti-spyware program.

#42 thhenry (Member, Topic Starter, 26 posts)
I actually have 13 days left until my trial expires. I think I chose to do a 30-day trial of the full version, but would the free version be good as well? Or should I still uninstall it? If I uninstall it, will I start getting viruses?

#43 Crag_Hack (Trusted Helper, Malware Removal, 1,839 posts)
Comodo firewall, avast, and malwarebytes will probably slow your computer a little since they operate continuously in the background. Getting rid of Malwarebytes might speed things up a little. Malwarebytes adds additional security to complement your antivirus. It's hard to say whether you will be significantly more prone to infections but I like to be on the safe side and have it present.

#44 Crag_Hack (Trusted Helper, Malware Removal, 1,839 posts)
I just consulted a colleague, and the only two anti-spyware programs worth anything are Malwarebytes and SUPERAntiSpyware, both of which are paid products. SpywareGuard will add protection for free but it is nowhere near as good as the two aforementioned.

#45 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.