IObit Forum

Vista (Windows 7) Security 2012 / Spy Hunter 4



ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2012/01/12 20:56

Program Version: Version 1.3.5.0

Windows Version: Windows Vista SP2

==================================================

 

Drivers

-------------------

Name: dump_atapi.sys

Image Path: C:\Windows\System32\Drivers\dump_atapi.sys

Address: 0x90266000 Size: 32768 File Visible: No Signed: -

Status: -

 

Name: dump_dumpata.sys

Image Path: C:\Windows\System32\Drivers\dump_dumpata.sys

Address: 0x9025B000 Size: 45056 File Visible: No Signed: -

Status: -

 

Name: rootrepeal.sys

Image Path: C:\Windows\system32\drivers\rootrepeal.sys

Address: 0x9E533000 Size: 49152 File Visible: No Signed: -

Status: -

 

Processes

-------------------

Path: SYSTEM

PID: 4 Status: Locked to the Windows API!

 

Path: C:\Windows\System32\audiodg.exe

PID: 1204 Status: Locked to the Windows API!

 

SSDT

-------------------

#: 075 Function Name: NtCreateSection

Status: Hooked by "<unknown>" at address 0x8edf2356

 

#: 289 Function Name: NtSetContextThread

Status: Hooked by "<unknown>" at address 0x8edf235b

 

#: 334 Function Name: NtTerminateProcess

Status: Hooked by "<unknown>" at address 0x8edf22f7

 

Shadow SSDT

-------------------

#: 573 Function Name: NtUserSetWindowsHookEx

Status: Hooked by "<unknown>" at address 0x8edf2360

 

#: 576 Function Name: NtUserSetWinEventHook

Status: Hooked by "<unknown>" at address 0x8edf2365

 

==EOF==

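All five hooks in the report above are attributed to "<unknown>", which RootRepeal prints when the hook target does not fall inside any module it can identify. The Python script below is an added example written for this thread (it is not part of the original post and not a RootRepeal feature): it parses the Drivers, SSDT and Shadow SSDT sections of that report, checks every hook address against the image range of each listed driver, and measures how far apart the hook targets are. The embedded excerpt keeps two of the three listed drivers; the hook lines are copied as posted.

```python
"""Attribute RootRepeal SSDT / Shadow SSDT hook targets to the kernel modules it listed.
Added example for this thread, not a RootRepeal feature; Size is in bytes as the report prints it."""
import re
from dataclasses import dataclass

# Excerpt of the RootRepeal report posted above; Image Path and "Status: -" lines are skipped.
ROOTREPEAL_LOG = r"""
Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\Windows\System32\Drivers\dump_atapi.sys
Address: 0x90266000 Size: 32768 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\Windows\system32\drivers\rootrepeal.sys
Address: 0x9E533000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 075 Function Name: NtCreateSection
Status: Hooked by "<unknown>" at address 0x8edf2356

#: 289 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x8edf235b

#: 334 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x8edf22f7

Shadow SSDT
-------------------
#: 573 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "<unknown>" at address 0x8edf2360

#: 576 Function Name: NtUserSetWinEventHook
Status: Hooked by "<unknown>" at address 0x8edf2365
"""

SECTIONS = ("Drivers", "Processes", "SSDT", "Shadow SSDT")
NAME_RE = re.compile(r"^Name: (\S+)$")
ADDR_RE = re.compile(r"^Address: 0x([0-9A-Fa-f]+)\s+Size: (\d+)")
FUNC_RE = re.compile(r"^#: (\d+)\s+Function Name: (\S+)")
HOOK_RE = re.compile(r'^Status: Hooked by "([^"]*)" at address 0x([0-9A-Fa-f]+)')

@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int

    def contains(self, addr):
        return self.base <= addr < self.base + self.size

@dataclass(frozen=True)
class Hook:
    table: str      # "SSDT" or "Shadow SSDT"
    index: int
    function: str
    reported: str   # owner exactly as RootRepeal printed it, e.g. "<unknown>"
    address: int

def parse_report(text):
    """Module and hook records each span two lines: keep the first until the second arrives."""
    modules, hooks, section, name, func = [], [], None, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line in SECTIONS:
            section, name, func = line, None, None
        elif section == "Drivers":
            n, a = NAME_RE.match(line), ADDR_RE.match(line)
            if n:
                name = n.group(1)
            elif a and name:
                modules.append(Module(name, int(a.group(1), 16), int(a.group(2))))
                name = None
        elif section in ("SSDT", "Shadow SSDT"):
            f, h = FUNC_RE.match(line), HOOK_RE.match(line)
            if f:
                func = (int(f.group(1)), f.group(2))
            elif h and func:
                hooks.append(Hook(section, func[0], func[1], h.group(1), int(h.group(2), 16)))
                func = None
    return modules, hooks

def attribute_hooks(modules, hooks):
    """Map each hooked function to the listed module whose image covers the target, else None."""
    return {h.function: next((m.name for m in modules if m.contains(h.address)), None)
            for h in hooks}

def hook_span(hooks):
    """(lowest, highest, byte distance) of hook targets; a tight span points at one hooking module."""
    addrs = [h.address for h in hooks]
    return min(addrs), max(addrs), max(addrs) - min(addrs)

if __name__ == "__main__":
    mods, hks = parse_report(ROOTREPEAL_LOG)
    print(attribute_hooks(mods, hks))
    print("hook targets span %d bytes" % hook_span(hks)[2])
```

Run against the posted report, every target lies outside both listed modules and all five sit within 110 bytes of each other, so a single module that is not in the Drivers table owns them. That pattern fits a kernel-mode rootkit, but it equally fits the self-protection driver of a security product, since hooking NtTerminateProcess, NtSetContextThread, NtUserSetWindowsHookEx and NtUserSetWinEventHook is how such products shield their own processes from being killed, injected into or hooked. The report alone cannot separate the two cases, which is why a dedicated rootkit scan is the sensible next step.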

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click TDSSKiller.exe to run the application, then click Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • Click the Report button and copy/paste the contents of it into your next reply

Note: It will also create a log in the C:\ directory.


TDSSKiller didn't find any threat, so I cut down the report; if you need the whole file anyway I'll post it, of course.

 

00:33:27.0338 5296 TDSS rootkit removing tool 2.7.0.0 Jan 10 2012 09:14:26

00:33:27.0667 5296 ============================================================

00:33:27.0667 5296 Current date / time: 2012/01/13 00:33:27.0667

00:33:27.0667 5296 SystemInfo:

00:33:27.0667 5296

00:33:27.0667 5296 OS Version: 6.0.6002 ServicePack: 2.0

00:33:27.0667 5296 Product type: Workstation

00:33:27.0667 5296 ComputerName: WORKSTATION

00:33:27.0668 5296 UserName: Admin

00:33:27.0668 5296 Windows directory: C:\Windows

00:33:27.0668 5296 System windows directory: C:\Windows

00:33:27.0668 5296 Processor architecture: Intel x86

00:33:27.0668 5296 Number of processors: 1

00:33:27.0668 5296 Page size: 0x1000

00:33:27.0668 5296 Boot type: Normal boot

00:33:27.0668 5296 ============================================================

00:33:29.0129 5296 Drive \Device\Harddisk0\DR0 - Size: 0x2658AE0000, SectorSize: 0x200, Cylinders: 0x4E37, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K', Flags 0x00000050

00:33:29.0469 5296 Initialize success

00:33:34.0191 5148 ============================================================

00:33:34.0191 5148 Scan started

00:33:34.0191 5148 Mode: Manual;

00:33:34.0191 5148 ============================================================

00:34:14.0636 5148 Scan finished

00:34:14.0636 5148 ============================================================

 

(...)

 

00:34:14.0651 5220 Detected object count: 0

00:34:14.0651 5220 Actual detected object count: 0


How's your computer running now?

 

ESET Online Scan

 

Scan your computer with the ESET FREE Online Virus Scan

 

* Click the ESET Online Scanner button.

 

* For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

* Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop

* Double click on the esetsmartinstaller_enu.exe icon on your desktop.

* Place a check mark next to YES, I accept the Terms of Use.

 

* Click the Start button.

* Accept any security warnings from your browser.

* Leave the check mark next to Remove found threats and place a check next to Scan archives.

* Click the Start button.

* ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.

* When the scan completes, click List of found threats.

* Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.

* Click the Back button then click Finish.

 

In your next reply please include the ESET Online Scan Log


It's running smoothly; I haven't seen any trouble since I manually cleaned the registry around my first posts and since working through your analyses, Dave. My biggest fear was that something could be stuck somewhere undiscovered (I'm no pro, just quite comfortable with keeping my PC clean, and I also check entries/registry manually on a regular basis, since the old DOS days). This was my first virus problem since 2005, and as I read that SH4 can delete the system BIOS I preferred to talk to a pro genius like you who really KNOWS what he does (I'm operating more on feeling and on gathering/cross-checking info I find on the web in case of troubles ;-)

 

Running the scan now and will post the log as soon as finished.

 

Again thank you very much Dave for all the time you're spending for my case :)


Ok. Let's do some cleanup.

 

To uninstall ComboFix

 

  • Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane.
  • In the field, type in ComboFix /uninstall

 

http://i424.photobucket.com/albums/pp322/digistar/Combofix_uninstall_image.jpg

 

(Note: Make sure there's a space between the word ComboFix and the forward-slash.)

 

  • Then, press Enter, or click OK.
  • This will uninstall ComboFix, delete its folders and files, hide system files and folders, and reset System Restore.

If this doesn't remove ComboFix please let me know.

*********************************************

Clean out your temporary internet files and temp files.

Download TFC by OldTimer to your desktop.

 

Double-click TFC.exe to run it.

 

Note: If you are running on Vista, right-click on the file and choose Run As Administrator

 

TFC will close all programs when run, so make sure you have saved all your work before you begin.

 

* Click the Start button to begin the cleaning process.

* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.

* Please let TFC run uninterrupted until it is finished.

 

Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

************************************************

Looking over your log it seems you don't have any evidence of a third party firewall.

 

Firewalls protect against hackers and malicious intruders. You need to download a free firewall from one of these reliable vendors.

 

Remember only install ONE firewall

 

1) Comodo Personal Firewall (if you choose this one, uncheck "Install Comodo SafeSurf...", "Make Comodo my default search provider" and "Make Comodo Search my homepage" during installation, and uncheck any HopSurf and/or Ask.com options)

2) Online Armor

3) Agnitum Outpost

4) PC Tools Firewall Plus

 

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

***************************************************

Use the Secunia Software Inspector to check for out of date software.

 

• Click Start Now

• Check the box next to Enable thorough system inspection.

• Click Start

• Allow the scan to finish and scroll down to see if any updates are needed.

• Update anything listed.

----------

 

Go to Microsoft Windows Update and get all critical updates.

 

----------

 

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

 

SpywareBlaster- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.

* Using SpywareBlaster to protect your computer from Spyware and Malware

* If you don't know what ActiveX controls are, see here

 

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

 

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

 

Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.

Safe Surfing!


Reading a bit further I've seen you stating

 

"Looking over your log it seems you don't have any evidence of a third party firewall."

 

I have the Vista Firewall activated, do I have to disable it and change for one of the other ones?

 

Also one last question I wanted to ask: my winsxs is almost 15 GB fat; I read on several forums that compcln, included in SP2, can help a little bit. Do you recommend using it, or should I wait until I have no other choice?

 

Thanks for all your help.


Can't uninstall ComboFix, I get a pop-up "Windows doesn't find ComboFix".

That's because CF was installed in the incorrect location. Please do this:

 

Delete the Combo-Fix.exe file, C:\Combo-Fix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, C:\combo-fix.txt and C:\Combo-Fix-quarantined-files.txt

You may have a problem deleting one of the folders. In that case, just empty the folder of whatever files you can and leave it.

 

To set a new Restore Point.

 

Click the Start button, click Control Panel, click System and Maintenance, and then click System. In the left pane, click System Protection. If you are prompted for an administrator password or confirmation, type the password or provide confirmation. To turn off System Protection for a hard disk, clear the check box next to the disk, and then click OK. Reboot to Normal Mode.

Click the Start button, click Control Panel, click System and Maintenance, and then click System.

In the left pane, click System Protection. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.

To turn on System Protection for a hard disk, select the check box next to the disk, and then click OK.

This will give you a new, clean Restore Point.

*************************************************************

I have the Vista Firewall activated, do I have to disable it and change for one of the other ones?

If you do on-line banking I would suggest changing to a third-party firewall for extra security.

my winsxs is almost 15GB fat, i read on several forums that compcln include in SP2 can help a little bit - do you recommend use it or wait until I have no other choice?

I wouldn't be concerned about it. You have 20 GB of free space and you can go as low as 10 GB.


Again thanks a lot for helping :-) I didn't have a "ComboFix" folder, just the Qoobox one. I needed to modify the authorization properties to delete it, but it worked well. All files from the folder are deleted. I will now run the other clean-up steps and then set up the new restore point.

 

I don't use online banking on this PC so will leave it with the Vista Firewall.

 

Have a great day and keep up this gorgeous work you do :-)


Sounds great. You're welcome.


Archived

This topic is now archived and is closed to further replies.
