Any recommendation after removing a couple of spyware/rootkits?

Today I got infected by a couple of pieces of malware!

I did a scan with Avira and it removed some parts of it:

Too many of each one:

Virus or unwanted program 'RKIT/Agent.oyb [trojan]' detected in file 'C:\Windows\System32\drivers\kbiwkmbuxihwvr.sys. Action performed: Delete file
Virus or unwanted program 'TR/Dropper.Gen [trojan]' detected in file 'C:\Windows\System32\kbiwkmvyddyhcq.dll. Action performed: Delete file
Virus or unwanted program 'TR/PCK.Tdss.Z.1541 [trojan]' detected in file 'C:\Windows\System32\kbiwkmdvaiqfiw.dll. Action performed: Delete file
Virus or unwanted program 'TR/PCK.Tdss.Z.1541 [trojan]' detected in file 'C:\Windows\System32\KBIWKMIERCPNOI.DLL. Action performed: Delete file
Virus or unwanted program 'TR/Alureon.19456U.3 [trojan]' detected in file 'C:\Windows\System32\kbiwkmswvocfhs.dll. Action performed: Delete file

Also, it missed something and MBAM caught them:

8 Rootkit.TDSS
1 Trojan.Sasfis
1 Trojan.Dropper

After that, I did a scan with SAS and it found what both Avira and MBAM missed (thanks SAS; their definitions in the morning did not detect these things, but their latest update in the afternoon could detect them, I saw the name of this malware in their update list ;D ):

Rootkit.Agent/Gen-Rustock[KBI] (5 of them in system32/driver folder, and 3 registry keys in HKLM\system-----\services\kbi xxxxxx etc)

All of them removed the things they found. Also, my HijackThis log file is clean now, I overwrote my Hosts file and locked it using Avira, and all my temp folders are clean in safe mode. Do you advise me to do something else? My computer performance is almost normal again :slight_smile:

Edit: corrected a typo (recommendetion to recommendation)

Try some online scanners for a second opinion:

Panda active scan http://www.pandasecurity.com/activescan/index/?track=1&Lang=en-US&IdPais=63
ESET online scanner http://www.eset.com/onlinescan/

OK, thanks :slight_smile:
I will try them soon.

You could try a McAfee online scan too.

http://home.mcafee.com/downloads/freescan.aspx?cid=60447

I would have posted Kaspersky's as well, but it seems they are updating it, so their online scan is unavailable… it seems to have been this way for a few months =(.

Thanks Metallica, oh sorry, DarkLegend! ;D :wink: JK
I may try that, if McAfee doesn't block my IP because of the embargo.

Lol. NP man! I would have posted some other programs, but it seems you have tried the majority of the ones I have found work the best! ESET's SysInspector is a good tool that gives you an idea of what is running on your PC and whether or not it is a threat. Be aware that it only gives you an idea based on how the program acts; I have found it mark display drivers as unsafe.

http://www.eset.com/download/sysinspector.php

Good idea, I'll run it now.

Edit:
Thanks so much! I did not know this program; it's very nice, just what I need, and it's giving me very good info in a nice interface.

Glad I could help! Hope it works nicely for you :smiley:

Try RootRepeal:
http://ad13.geekstogo.com/RootRepeal.zip

After you have downloaded it and opened the interface, go to the "Report" tab and put a checkmark next to the following:

http://i33.tinypic.com/rj2kxc.png

Let it run a scan and attach the log after it is done.

Here is what you wanted :slight_smile:

Hi DarkLegend,

This SysInspector scanner is awesome, very good for inspection and saving logs on demand.
Thank you very much for that link; great tool, but one has to analyze and validate all the finds.
You are right, it questions normal driver .sys files if present, for instance:

Arcsoft(R) ASPI Shell - Arcsoft(R) ASPI Shell - Arcsoft, Inc.
Filetype : driver A device driver is a program that let windows to control your hardware(printer,sound card,monitor,cdrom,modem,mouse,etc.). Each hardware component in your computer requires a driver, otherwise it cannot be used by windows 98/2000/xp/vista.Update drivers of your PC will improve system performance and stability

Product name: Arcsoft(R) ASPI Shell
Description: Arcsoft(R) ASPI Shell
Manufacturer: Arcsoft, Inc.

This is OK and absolutely vital for your hardware's health… same with CPU-Z for processors:
cpuz_x32.sys
So one should know what should be on the machine and what should not.

polonus

Hi Omid. Something happened to the log and it is somehow in a mixed language. Can you copy and paste the log here?

ROOTREPEAL (c) AD, 2007-2009

Scan Start Time: 2009/10/26 00:57
Program Version: Version 1.3.5.0
Windows Version: Windows Vista SP2

Drivers

Name: dump_atapi.sys
Image Path: C:\Windows\System32\Drivers\dump_atapi.sys
Address: 0x8D2F1000 Size: 32768 File Visible: No Signed: -
Status: -

Name: dump_dumpata.sys
Image Path: C:\Windows\System32\Drivers\dump_dumpata.sys
Address: 0x8D2E6000 Size: 45056 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\Windows\system32\drivers\rootrepeal.sys
Address: 0x9B7B2000 Size: 49152 File Visible: No Signed: -
Status: -

Processes

Path: System
PID: 4 Status: Locked to the Windows API!

Path: C:\Windows\System32\audiodg.exe
PID: 1360 Status: Locked to the Windows API!

SSDT

#: 334 Function Name: NtTerminateProcess
Status: Hooked by “C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys” at address 0x8d22d0b0

==EOF==
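A small triage script for the RootRepeal report layout pasted above, added here as an example and not part of the thread or of RootRepeal itself: it parses the "Drivers" and "SSDT" sections and flags drivers that are hidden from the file system and unsigned, plus SSDT hooks placed by modules not on an allowlist. The sample log, the allowlist and the second driver name are constructed assumptions.

```python
import re

# Constructed excerpt in the layout of the RootRepeal report pasted above: a
# crash-dump driver (hidden, normal) and a driver named like the Avira hits.
SAMPLE = """Drivers

Name: dump_atapi.sys
Address: 0x8D2F1000 Size: 32768 File Visible: No Signed: -

Name: kbiwkmbuxihwvr.sys
Address: 0x8D2E6000 Size: 45056 File Visible: No Signed: -

SSDT

#: 334 Function Name: NtTerminateProcess
Status: Hooked by "C:\\Program Files\\SUPERAntiSpyware\\SASKUTIL.sys" at address 0x8d22d0b0
"""

# Assumed allowlist (not from the thread): expected hidden drivers and hookers.
BENIGN_DRIVERS = ("dump_", "rootrepeal.sys")
BENIGN_HOOKERS = ("SUPERAntiSpyware",)

# "Key: value" pairs; several may share one line (Address/Size/File Visible).
KV = re.compile(r"([A-Za-z#][\w ]*?): (\S+(?: \S+)*?)(?=\s+[A-Za-z][\w ]*?: |$)")

def parse_records(text):
    """Yield (section, fields) for every blank-line-separated record."""
    section = None
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln for ln in block.splitlines() if ln.strip()]
        if len(lines) == 1 and ": " not in lines[0]:
            section = lines[0].strip()       # header such as "Drivers" or "SSDT"
            continue
        if section:
            yield section, dict(kv for line in lines for kv in KV.findall(line))

def triage(text, benign_drivers=BENIGN_DRIVERS, benign_hookers=BENIGN_HOOKERS):
    """Return (kind, detail) pairs worth a human look: hidden unsigned drivers, unknown SSDT hooks."""
    findings = []
    for section, rec in parse_records(text):
        if section == "Drivers":
            name = rec.get("Name", "").lower()
            hidden_unsigned = rec.get("File Visible") == "No" and rec.get("Signed", "-") == "-"
            if hidden_unsigned and not name.startswith(benign_drivers):
                findings.append(("hidden-unsigned-driver", name))
        elif section == "SSDT":
            hooker = rec.get("Status", "")
            if not any(b in hooker for b in benign_hookers):
                findings.append(("ssdt-hook", f"{rec.get('Function Name')} <- {hooker}"))
    return findings
```

Run against the real log with an empty allowlist to see every hidden driver and hook, then confirm each one against what you know is installed, which is how the "looks clean" verdict above is reached.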

I agree. The same could be said about HijackThis, though, because both can be very great tools if used properly, and then again… they can cause some serious issues if the user has no idea in the least what he/she is doing.

Hi Omid. Your RootRepeal log looks clean.

I know! Thanks ;D

Hi Omid,

I notice you used Sandboxie Pro; wouldn't that program help protect you from getting those viruses into your computer?

I got that malware when SAS and MBAM were closed, Avira was disabled and I ran that file outside the sandbox. It was a special situation which will never happen again; the sandbox always works well.