I think that i've got the Sasser worm and Essledev trojan, plus others. HELP!!!



Post by Infinite on Wed Feb 03, 2010 2:48 am

Here's the HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:33:28 PM, on 2/2/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\sdra64.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\CSHelper.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\RioMSC.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ParetoLogic\DriverCure\DriverCure.exe
C:\WINDOWS\essledv.exe
C:\Program Files\Yahoo!\Yahoo! Music Engine\ymetray.exe
C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\dwwin.exe
C:\Documents and Settings\Administrator.YOSHILAPTOP.001\Desktop\mbam-setup.exe
C:\Documents and Settings\Henry\Application Data\U3\0000161A52708102\LaunchPad.exe
F:\PROGRAMFILES\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [You must be registered and logged in to see this link.]
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: Shell=Explorer.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [THotkey] "C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe"
O4 - HKLM\..\Run: [Tvs] "C:\Program Files\Toshiba\Tvs\TvsTray.exe"
O4 - HKLM\..\Run: [LtMoh] "C:\Program Files\ltmoh\Ltmoh.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [SmoothView] "C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe"
O4 - HKLM\..\Run: [Pinger] "c:\toshiba\ivp\ism\pinger.exe" /run
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [IVPServiceMgr] C:\toshiba\ivp\ism\ivpsvmgr.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [ykfhbfhq] C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\ofaeuv\eksrsysguard.exe
O4 - HKLM\..\Run: [Hqefudivosogike] rundll32.exe "C:\WINDOWS\uyihucopo.dll",Startup
O4 - HKLM\..\Run: [PadTouch] "C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] "C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ParetoLogic Anti-Spyware] "C:\Program Files\ParetoLogic\Anti-Spyware\Pareto_AS.exe" -NM -hidesplash
O4 - HKCU\..\Run: [DriverCure] C:\Program Files\ParetoLogic\DriverCure\DriverCure.exe -scan
O4 - HKCU\..\Run: [Pareto_Update] C:\Program Files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe
O4 - HKCU\..\Run: [ttool] C:\WINDOWS\essledv.exe
O4 - HKUS\S-1-5-18\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [settdebugx.exe] C:\WINDOWS\TEMP\settdebugx.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ykfhbfhq] C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\ofaeuv\eksrsysguard.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe (User 'Default user')
O4 - Startup: AutorunsDisabled
O4 - Startup: MEMonitor.lnk = C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe
O4 - Startup: PMB Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Engine\ymetray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - [You must be registered and logged in to see this link.]
O16 - DPF: {97770E5B-2028-48AC-B4DA-1F991376D2B6} - [You must be registered and logged in to see this link.]
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: CopySafe Helper Service (CSHelper) - Unknown owner - C:\WINDOWS\system32\CSHelper.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TCP/IP NetBIOS Helper LmHostsDhcp (LmHostsDhcp) - Unknown owner - C:\WINDOWS\system32\103d.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

--
End of file - 11420 bytes


Now I was able to run this in the 60 seconds before the computer shut down. Off the bat, I see that lsass.exe and essledv.exe are running, and I know that these are viruses. However, when I run the BitDefender rescue disk, only Vundo shows up, and when I ran ClamWin Portable in safe mode, nothing came up. I've attempted to install Malwarebytes, but no dice. What do I need to do to get this computer working like normal? I'm not completely computer illiterate, but I need some help with this one... I can thank my cousin for the "help" with getting these problems.

Infinite
Novice

Posts: 32
Joined: 2009-07-15
OS: Windows Vista Home Premium, XP
Points: 27256
Likes: 0
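An added triage script, not from this thread or from HijackThis/ComboFix, that applies to the HJT log above the checks a helper makes by eye: an extra program chained into the Winlogon UserInit line (sdra64.exe), autostarts and running processes launched from TEMP, the SYSTEM account's profile or bare C:\WINDOWS, a svchost.exe outside system32, and publisher-less services. The sample lines are copied from the posted log; the rules, severity labels and function names are assumptions of mine.

```python
import ntpath
import re

# Sample lines copied from the HijackThis log posted in this thread, with a
# few benign entries kept for contrast; embedded here so the script runs
# offline on the thread's own data.
SAMPLE_HJT_LOG = r"""
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\sdra64.exe
C:\WINDOWS\essledv.exe
C:\WINDOWS\Explorer.exe
F2 - REG:system.ini: Shell=Explorer.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [ykfhbfhq] C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\ofaeuv\eksrsysguard.exe
O4 - HKLM\..\Run: [Hqefudivosogike] rundll32.exe "C:\WINDOWS\uyihucopo.dll",Startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ttool] C:\WINDOWS\essledv.exe
O4 - HKUS\S-1-5-18\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [settdebugx.exe] C:\WINDOWS\TEMP\settdebugx.exe (User 'SYSTEM')
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: TCP/IP NetBIOS Helper LmHostsDhcp (LmHostsDhcp) - Unknown owner - C:\WINDOWS\system32\103d.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# A drive-rooted path ending in an executable module; quotes, commas and
# parentheses end it, so "(User 'SYSTEM')" and ",Startup" are not swept in.
PATH_RE = re.compile(r'[A-Za-z]:\\[^",()]*?\.(?:exe|dll|sys)', re.IGNORECASE)

# Core Windows binaries and the only directory a genuine copy loads from on
# the XP layout in this log. The same name anywhere else is a masquerade.
SYSTEM_BINARY_HOMES = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "userinit.exe": r"c:\windows\system32",
}
SYSTEM_PROFILE = r"c:\windows\system32\config\systemprofile"


def extract_paths(line):
    """Return every drive-rooted .exe/.dll/.sys path mentioned on one log line."""
    return [m.group(0) for m in PATH_RE.finditer(line)]


def check_location(path):
    """Judge a launched module by where it lives; returns (severity, path, reason) tuples."""
    low = path.lower()
    directory, name = ntpath.dirname(low), ntpath.basename(low)
    findings = []
    home = SYSTEM_BINARY_HOMES.get(name)
    if home and directory != home:
        findings.append(("high", path, f"{name} outside {home}: masquerading system binary"))
    if directory == r"c:\windows\temp" or directory.startswith(SYSTEM_PROFILE):
        findings.append(("high", path, "launched from TEMP or the SYSTEM account's profile"))
    elif directory == r"c:\windows" and name != "explorer.exe":
        findings.append(("medium", path, "lives directly under C:\\WINDOWS, unusual for installed software"))
    return findings


def triage_hjt(log_text):
    """Walk a HijackThis log and collect (severity, path, reason) findings."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("F2 - REG:system.ini: UserInit="):
            # Winlogon runs every comma-separated program listed here at logon;
            # only userinit.exe belongs, so any extra entry is a persistence hook.
            for p in extract_paths(line):
                if ntpath.basename(p).lower() != "userinit.exe":
                    findings.append(("high", p, "extra program chained into Winlogon UserInit"))
        elif line.startswith("O4 -"):
            for p in extract_paths(line):
                findings.extend(check_location(p))
        elif line.startswith("O23 -") and "Unknown owner" in line:
            # A service with no publisher in the system32 root deserves a look,
            # but a legitimate OEM helper (acs.exe here) lands in the same bucket,
            # so this is a review item rather than a verdict.
            for p in extract_paths(line):
                if ntpath.dirname(p).lower() == r"c:\windows\system32":
                    findings.append(("medium", p, "service with no publisher in system32 root"))
        elif PATH_RE.fullmatch(line):
            # Bare path: an entry from the "Running processes" section.
            findings.extend(check_location(line))
    return findings


def flagged_names(findings, severity):
    """Sorted, de-duplicated file names flagged at the given severity."""
    return sorted({ntpath.basename(p).lower() for sev, p, _ in findings if sev == severity})


if __name__ == "__main__":
    for severity, path, reason in triage_hjt(SAMPLE_HJT_LOG):
        print(f"[{severity:6}] {path}\n         {reason}")
```

Note that lsass.exe in C:\WINDOWS\system32 produces no finding: that is where the genuine binary lives, and the script only flags the name when it appears elsewhere.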

Re: I think that i've got the Sasser worm and Essledev trojan, plus others. HELP!!!

Post by Dr Jay on Wed Feb 03, 2010 4:15 pm

Please visit this webpage for a tutorial on downloading and running ComboFix:

[You must be registered and logged in to see this link.]

See the area: Using ComboFix, and when done, post the log back here.


Dr. Jay (DJ)



Dr Jay
Head Administrator

Posts: 13714
Joined: 2009-09-06
Gender: Male
OS: Windows 10 Home & Pro
Protection: Bitdefender Total Security
Points: 302072
Likes: 10

Re: I think that i've got the Sasser worm and Essledev trojan, plus others. HELP!!!

Post by Infinite on Fri Feb 05, 2010 12:31 am

Do I run combofix in normal or safe mode?


Re: I think that i've got the Sasser worm and Essledev trojan, plus others. HELP!!!

Post by Dr Jay on Fri Feb 05, 2010 1:01 am

Normal, if possible.


Dr. Jay (DJ)




Re: I think that i've got the Sasser worm and Essledev trojan, plus others. HELP!!!

Post by Infinite on Fri Feb 05, 2010 1:15 am

ComboFix won't run in normal mode. I'm starting over in safe mode.


Re: I think that i've got the Sasser worm and Essledev trojan, plus others. HELP!!!

Post by Infinite on Fri Feb 05, 2010 1:21 am

No luck in safe mode either. smh!!!


Re: I think that i've got the Sasser worm and Essledev trojan, plus others. HELP!!!

Post by Dr Jay on Fri Feb 05, 2010 3:18 am

Delete your copy of ComboFix; grab a fresh copy, except before you download it, rename it to blackpudding.bat


Navigate to Start --> Run, and enter the following command exactly as shown:

"%userprofile%\desktop\blackpudding.bat" /killall

See if ComboFix will run now.


Dr. Jay (DJ)




Re: I think that i've got the Sasser worm and Essledev trojan, plus others. HELP!!!

Post by Infinite on Wed Feb 10, 2010 5:22 am

Here is the ComboFix log.


ComboFix 10-02-09.03 - Administrator 02/09/2010 21:54:22.1.1 - x86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1214.975 [GMT -5:00]
Running from: c:\documents and settings\Henry\desktop\blackpudding.bat
Command switches used :: /killall
AV: avast! antivirus 4.8.1335 [VPS 090316-0] *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator.YOSHILAPTOP.001\Local Settings\Application Data\{48FE8487-DB1D-47B2-8A0F-15D8193888C1}
c:\documents and settings\Administrator.YOSHILAPTOP.001\Local Settings\Application Data\{48FE8487-DB1D-47B2-8A0F-15D8193888C1}\chrome.manifest
c:\documents and settings\Administrator.YOSHILAPTOP.001\Local Settings\Application Data\{48FE8487-DB1D-47B2-8A0F-15D8193888C1}\chrome\content\_cfg.js
c:\documents and settings\Administrator.YOSHILAPTOP.001\Local Settings\Application Data\{48FE8487-DB1D-47B2-8A0F-15D8193888C1}\chrome\content\overlay.xul
c:\documents and settings\Administrator.YOSHILAPTOP.001\Local Settings\Application Data\{48FE8487-DB1D-47B2-8A0F-15D8193888C1}\install.rdf
c:\documents and settings\All Users\Application Data\sysReserve.ini
c:\documents and settings\Heather\Local Settings\Application Data\{3257FF39-19F8-4CBB-A421-0C61FE36C1C9}
c:\documents and settings\Heather\Local Settings\Application Data\{3257FF39-19F8-4CBB-A421-0C61FE36C1C9}\chrome.manifest
c:\documents and settings\Heather\Local Settings\Application Data\{3257FF39-19F8-4CBB-A421-0C61FE36C1C9}\chrome\content\_cfg.js
c:\documents and settings\Heather\Local Settings\Application Data\{3257FF39-19F8-4CBB-A421-0C61FE36C1C9}\chrome\content\overlay.xul
c:\documents and settings\Heather\Local Settings\Application Data\{3257FF39-19F8-4CBB-A421-0C61FE36C1C9}\install.rdf
c:\documents and settings\Henry\Local Settings\Application Data\{B87BF3BB-2D87-4FBA-8E06-B6FB5E40875F}
c:\documents and settings\Henry\Local Settings\Application Data\{B87BF3BB-2D87-4FBA-8E06-B6FB5E40875F}\chrome.manifest
c:\documents and settings\Henry\Local Settings\Application Data\{B87BF3BB-2D87-4FBA-8E06-B6FB5E40875F}\chrome\content\_cfg.js
c:\documents and settings\Henry\Local Settings\Application Data\{B87BF3BB-2D87-4FBA-8E06-B6FB5E40875F}\chrome\content\overlay.xul
c:\documents and settings\Henry\Local Settings\Application Data\{B87BF3BB-2D87-4FBA-8E06-B6FB5E40875F}\install.rdf
c:\documents and settings\Henry\My Documents\blackpudding.bat
c:\documents and settings\Henry\Start Menu\Programs\Startup\MEMonitor.lnk
c:\windows\essledv.exe
c:\windows\odexedak.dll
c:\windows\patch.exe
c:\windows\system32\103d.exe
c:\windows\system32\1510935525.dat
c:\windows\system32\drivers\H8SRTxymecxoyme.sys
c:\windows\system32\drivers\svchost.exe
c:\windows\system32\H8SRTauxnqjtdjm.log
c:\windows\system32\H8SRTbfpylkjlxi.dll
c:\windows\system32\h8srtkrl32mainweq.dll
c:\windows\system32\H8SRTqtssftiqoq.dll
c:\windows\system32\h8srtshsyst.dll
c:\windows\system32\H8SRTtirnaxsmxf.dll
c:\windows\system32\H8SRTxgerapinmc.dat
c:\windows\system32\H8SRTxnsiwbcjsr.dll
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\lowsec\user.ds.lll
c:\windows\system32\sdra64.exe
c:\windows\Sysvxd.exe
c:\windows\uyihucopo.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_H8SRTd.sys
-------\Legacy_H8SRTd.sys
-------\Legacy_LMHOSTSDHCP
-------\Service_LmHostsDhcp


((((((((((((((((((((((((( Files Created from 2010-01-10 to 2010-02-10 )))))))))))))))))))))))))))))))
.

2010-02-10 02:07 . 2006-12-11 15:20 180224 ----a-w- c:\documents and settings\Henry\Application Data\U3\0000161A52708102\79EB5C19-AB0E-4dd7-BE89-BF96301D35Z8\Exec\U3AppWrapper.exe
2010-02-10 02:06 . 2006-12-11 15:20 983829 ----a-w- c:\documents and settings\Henry\Application Data\U3\0000161A52708102\79EB5C19-AB0E-4dd7-BE89-BF96301D35Z8\Exec\master.exe
2010-02-10 02:06 . 2006-12-11 15:20 72192 ----a-w- c:\documents and settings\Henry\Application Data\U3\0000161A52708102\79EB5C19-AB0E-4dd7-BE89-BF96301D35Z8\Exec\TASKLIST.EXE
2010-02-10 02:06 . 2006-12-11 15:20 72192 ----a-w- c:\documents and settings\Henry\Application Data\U3\0000161A52708102\79EB5C19-AB0E-4dd7-BE89-BF96301D35Z8\Exec\TASKKILL.EXE
2010-02-10 02:06 . 2006-12-11 15:20 325 ----a-w- c:\documents and settings\Henry\Application Data\U3\0000161A52708102\79EB5C19-AB0E-4dd7-BE89-BF96301D35Z8\Exec\stopApp.bat
2010-02-10 02:06 . 2006-12-11 15:20 15 ----a-w- c:\documents and settings\Henry\Application Data\U3\0000161A52708102\79EB5C19-AB0E-4dd7-BE89-BF96301D35Z8\Exec\run_me.bat
2010-02-10 02:06 . 2006-12-11 15:20 40960 ----a-w- c:\documents and settings\Henry\Application Data\U3\0000161A52708102\79EB5C19-AB0E-4dd7-BE89-BF96301D35Z8\Exec\appstop.exe
2010-02-01 00:12 . 2006-12-07 15:45 3096576 ---ha-w- c:\documents and settings\Administrator.YOSHILAPTOP.001\Application Data\U3\temp\Launchpad Removal.exe
2010-01-13 06:30 . 2010-01-13 06:30 49956 ---ha-w- c:\windows\system32\mlfcache.dat
2010-01-13 06:10 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-13 06:00 . 2010-02-10 02:28 0 ----a-w- c:\windows\Hrizocupuwowo.bin
2010-01-11 23:35 . 2010-02-05 01:12 120 ----a-w- c:\windows\Tveriracevenupe.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-03 02:32 . 2008-02-02 18:30 -------- d-----w- c:\documents and settings\Henry\Application Data\U3
2010-02-01 02:51 . 2008-01-23 21:04 -------- d-----w- c:\program files\iPod Access for Windows
2010-02-01 00:12 . 2010-02-01 00:12 -------- d-----w- c:\documents and settings\Administrator.YOSHILAPTOP.001\Application Data\U3
2010-01-31 23:59 . 2009-04-16 23:44 256 ----a-w- c:\windows\system32\pool.bin
2010-01-31 17:49 . 2010-01-31 17:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Geek Squad
2010-01-13 06:49 . 2009-08-26 22:54 -------- d-----w- c:\documents and settings\All Users\Application Data\DriverCure
2010-01-10 02:15 . 2009-04-21 08:11 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-07 22:17 . 2010-01-07 22:17 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-12-29 17:24 . 2009-12-29 17:24 -------- d-----w- c:\documents and settings\Heather\Application Data\HpUpdate
2009-12-29 17:19 . 2006-08-03 17:07 60952 -c--a-w- c:\documents and settings\Heather\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-23 01:51 . 2009-09-05 17:51 60952 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-12-23 01:44 . 2009-08-26 21:51 -------- d-----w- c:\program files\Common Files\Roxio Shared
2009-12-23 01:42 . 2009-12-23 01:41 -------- d-----w- c:\program files\Roxio
2009-12-23 01:41 . 2009-09-03 02:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
2009-12-23 01:41 . 2005-11-05 02:54 -------- d-----w- c:\program files\Common Files\InstallShield
2009-12-23 01:33 . 2006-09-05 09:28 -------- d-----w- c:\program files\Common Files\Sonic Shared
2009-12-23 01:29 . 2009-09-03 02:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Research In Motion
2009-12-21 19:14 . 2005-11-05 00:53 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-17 13:56 . 2009-09-12 01:55 -------- d-----w- c:\program files\QuickTime
2009-12-13 22:58 . 2009-12-13 22:56 -------- d-----w- c:\program files\iTunes
2009-12-13 22:57 . 2006-09-04 22:57 -------- d-----w- c:\program files\iPod
2009-12-13 22:57 . 2007-08-16 05:11 -------- d-----w- c:\program files\Common Files\Apple
2009-12-13 22:34 . 2009-12-13 22:34 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-12-13 22:30 . 2008-08-03 03:27 -------- d-----w- c:\program files\Safari
2009-12-13 22:27 . 2009-12-13 22:27 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe
2009-12-01 15:56 . 2009-12-01 15:56 125952 ----a-w- c:\documents and settings\All Users\Application Data\ParetoLogic\UUS2\Temp\Update.exe
2009-11-29 11:33 . 2009-11-29 11:31 77297 ----a-w- c:\windows\hpqins05.dat
2009-11-21 15:51 . 2005-11-05 00:52 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-14 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-14 688218]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2005-11-25 352256]
"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2005-11-10 73728]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2005-05-19 188416]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-08-01 122940]
"TPSMain"="TPSMain.exe" [2005-06-01 282624]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-27 122880]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-18 151552]
"IPInSightMonitor 01"="c:\program files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe" [2003-07-14 98304]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"IVPServiceMgr"="c:\toshiba\ivp\ism\ivpsvmgr.exe" [2003-10-20 475136]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2009-07-08 236016]
"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2005-07-15 1077322]

c:\documents and settings\Henry\Start Menu\Programs\Startup\
PMB Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2009-6-24 327680]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Engine\ymetray.exe [2008-2-5 54512]

c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
Desktop Manager.lnk - c:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2009-11-19 1807704]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]
Metamail Trust Manager.lnk - c:\program files\Metamail Inc\Metamail Tray\Metamail Trust Manager.exe [2005-11-29 329472]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2005-11-4 155648]
ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Engine\ymetray.exe [2008-2-5 54512]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\yserver.exe"= c:\\Program Files\\Yahoo!\\Messenger\\yserver.exe
"c:\\Program Files\\2Wire\\2PortalMon.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe"=
"c:\\Program Files\\TOSHIBA\\ConfigFree\\cfmain.exe"=
"c:\\Program Files\\AIM95\\aim.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\TOSHIBA\\ConfigFree\\CFXFER.exe"=
"c:\\Program Files\\Rio\\Rio Music Manager\\riomm.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\Henry\\Application Data\\Macromedia\\Flash Player\\[You must be registered and logged in to see this link.]
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

S1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [1/17/2009 11:05 AM 114768]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [1/17/2009 11:05 AM 20560]
S2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [6/27/2008 1:57 AM 192512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-02-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-07-25 16:34]

2010-02-01 c:\windows\Tasks\DriverCure.job
- c:\program files\ParetoLogic\DriverCure\DriverCure.exe [2009-08-07 19:36]

2010-02-01 c:\windows\Tasks\ParetoLogic Anti-Spyware.job
- c:\program files\ParetoLogic\Anti-Spyware\Pareto_AS.exe [2009-08-26 14:36]

2010-02-01 c:\windows\Tasks\ParetoLogic Registration.job
- c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2009-01-13 14:59]

2010-02-01 c:\windows\Tasks\ParetoLogic Update Version2.job
- c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2009-01-13 14:59]

2010-02-01 c:\windows\Tasks\ParetoLogic Update.job
- c:\program files\Common Files\ParetoLogic\UUS\Pareto_Update.exe [2009-08-26 17:39]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {97770E5B-2028-48AC-B4DA-1F991376D2B6} - [You must be registered and logged in to see this link.]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Hqefudivosogike - c:\windows\uyihucopo.dll
HKU-Default-Run-SVCHOST.EXE - c:\windows\system32\drivers\svchost.exe
AddRemove-HijackThis - f:\programfiles\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-02-09 22:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89B16618]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba90cf28
\Driver\ACPI -> ACPI.sys @ 0xba85fcb8
\Driver\atapi -> atapi.sys @ 0xba7f9852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: Atheros AR5005G Wireless Network Adapter -> SendCompleteHandler -> NDIS.sys @ 0xba693bd4
PacketIndicateHandler -> NDIS.sys @ 0xba69fa21
SendHandler -> NDIS.sys @ 0xba693d44
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3561660480-3653408265-3269854959-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,23,20,3f,a8,57,48,d9,42,93,10,71,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,23,20,3f,a8,57,48,d9,42,93,10,71,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(520)
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(580)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(876)
c:\windows\system32\WININET.dll
.
Completion time: 2010-02-09 22:16:24 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-10 03:16

Pre-Run: 3,870,367,744 bytes free
Post-Run: 3,752,824,832 bytes free

- - End Of File - - 4E7F6560EBF8AC77182C93669D249B9B

Infinite
Novice

Posts : 32
Joined : 2009-07-15
OS : Windows Vista Home Premium, XP
Points : 27256
# Likes : 0

Re: I think that i've got the Sasser worm and Essledev trojan, plus others. HELP!!!

Post by Dr Jay on Wed Feb 10, 2010 2:58 pm

Please download the [You must be registered and logged in to see this link.]. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator

Posts : 13714
Joined : 2009-09-06
Gender : Male
OS : Windows 10 Home & Pro
Protection : Bitdefender Total Security
Points : 302072
# Likes : 10

Re: I think that i've got the Sasser worm and Essledev trojan, plus others. HELP!!!

Post by Infinite on Tue Feb 16, 2010 1:20 am

Here is the GMER log, as requested.

GMER 1.0.15.15281 - [You must be registered and logged in to see this link.]
Rootkit scan 2010-02-15 20:16:55
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1.001\LOCALS~1\Temp\pxriapob.sys


---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xBA8097A4]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[728] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 0257000A

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device -> \Driver\atapi \Device\Harddisk0\DR0 89B27618

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTxymecxoyme.sys
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRTxymecxoyme.sys
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRTtirnaxsmxf.dll
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@H8SRTsrcr \\?\globalroot\systemroot\system32\H8SRTxgerapinmc.dat
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@h8srtserf \\?\globalroot\systemroot\system32\H8SRTxnsiwbcjsr.dll
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@h8srtmsg \\?\globalroot\systemroot\system32\H8SRTbfpylkjlxi.dll
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@h8srtbbr \\?\globalroot\systemroot\system32\H8SRTqtssftiqoq.dll
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@H8SRTerrors \\?\globalroot\systemroot\system32\H8SRTauxnqjtdjm.log

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----



Re: I think that i've got the Sasser worm and Essledev trojan, plus others. HELP!!!

Post by Dr Jay on Tue Feb 16, 2010 2:30 pm

Download this [You must be registered and logged in to see this link.] & extract TDSSKiller.exe onto your Desktop.

Then create this batch file to be placed next to TDSSKiller.

=====

Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:
Code:
@ECHO OFF
REM Run TDSSKiller and wait for it to exit; -l writes its log to Logit.txt, -v makes that log verbose
START /WAIT TDSSKILLER.exe -l Logit.txt -v
REM Open the saved log in the default text editor
START Logit.txt
REM Delete this batch file once it has run
del %0
Save this as fix.bat. Choose "Save type as - All Files".
It should look like this:
Double click on fix.bat & allow it to run.

Post back to tell me what it says.


Dr. Jay (DJ)



Re: I think that i've got the Sasser worm and Essledev trojan, plus others. HELP!!!

Post by Infinite on Wed Feb 17, 2010 3:31 pm

10:25:06:796 1352 TDSS rootkit removing tool 2.2.4 Feb 15 2010 19:38:31
10:25:06:796 1352 ================================================================================
10:25:06:796 1352 SystemInfo:

10:25:06:796 1352 OS Version: 5.1.2600 ServicePack: 3.0
10:25:06:796 1352 Product type: Workstation
10:25:06:796 1352 ComputerName: YOSHILAPTOP
10:25:06:796 1352 UserName: Administrator
10:25:06:796 1352 Windows directory: C:\WINDOWS
10:25:06:796 1352 Processor architecture: Intel x86
10:25:06:796 1352 Number of processors: 1
10:25:06:796 1352 Page size: 0x1000
10:25:06:796 1352 Boot type: Safe boot with network
10:25:06:796 1352 ================================================================================
10:25:06:796 1352 UnloadDriverW: NtUnloadDriver error 2
10:25:06:796 1352 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
10:25:06:796 1352 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
10:25:06:796 1352 UtilityInit: KLMD drop and load success
10:25:06:796 1352 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201010)
10:25:06:796 1352 KLMD_OpenDevice: CreateFileW(KLMD201010) error 2
10:25:06:796 1352 Driver load error!
10:25:06:796 1352 UnloadDriverW: NtUnloadDriver error 2
10:25:06:796 1352 KLMD_Unload: UnloadDriverW(klmd21) error 2
10:25:06:796 1352 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
10:25:06:796 1352 UtilityDeinit: KLMD(ARK) unloaded successfully


Re: I think that i've got the Sasser worm and Essledev trojan, plus others. HELP!!!

Post by Dr Jay on Thu Feb 18, 2010 5:31 am

Please try to run it again. It appears to not have functioned properly.


Dr. Jay (DJ)



Re: I think that i've got the Sasser worm and Essledev trojan, plus others. HELP!!!

Post by Infinite on Thu Feb 18, 2010 2:52 pm

In safe or normal mode?


Re: I think that i've got the Sasser worm and Essledev trojan, plus others. HELP!!!

Post by Dr Jay on Thu Feb 18, 2010 3:35 pm

Either one.


Dr. Jay (DJ)



Re: I think that i've got the Sasser worm and Essledev trojan, plus others. HELP!!!

Post by Infinite on Fri Feb 19, 2010 2:58 am

21:53:39:187 1584 TDSS rootkit removing tool 2.2.4 Feb 15 2010 19:38:31
21:53:39:187 1584 ================================================================================
21:53:39:187 1584 SystemInfo:

21:53:39:187 1584 OS Version: 5.1.2600 ServicePack: 3.0
21:53:39:187 1584 Product type: Workstation
21:53:39:187 1584 ComputerName: YOSHILAPTOP
21:53:39:187 1584 UserName: Henry
21:53:39:187 1584 Windows directory: C:\WINDOWS
21:53:39:187 1584 Processor architecture: Intel x86
21:53:39:187 1584 Number of processors: 1
21:53:39:187 1584 Page size: 0x1000
21:53:39:187 1584 Boot type: Normal boot
21:53:39:187 1584 ================================================================================
21:53:39:203 1584 UnloadDriverW: NtUnloadDriver error 1
21:53:39:203 1584 ForceUnloadDriverW: UnloadDriverW(klmd21) error 1
21:53:39:203 1584 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
21:53:39:203 1584 LoadDriverW: Driver already loaded
21:53:39:203 1584 KLMD_DropNLoadW: LoadDriverW(klmd21) error 1056
21:53:39:203 1584 UtilityInit: KLMD drop and load failed, trying to open device
21:53:39:203 1584 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201010)
21:53:39:203 1584 UtilityInit: KLMD open success
21:53:39:203 1584 UtilityInit: Initialize success
21:53:39:203 1584
21:53:39:203 1584 Scanning Services ...
21:53:39:203 1584 CreateRegParser: Registry parser init started
21:53:39:203 1584 DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127
21:53:39:203 1584 CreateRegParser: DisableWow64Redirection error
21:53:39:203 1584 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
21:53:39:203 1584 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043
21:53:39:203 1584 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
21:53:39:203 1584 wfopen_ex: Trying to KLMD file open
21:53:39:203 1584 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system
21:53:39:203 1584 wfopen_ex: File opened ok (Flags 2)
21:53:39:203 1584 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: 2749F0
21:53:39:203 1584 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
21:53:39:203 1584 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043
21:53:39:203 1584 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
21:53:39:203 1584 wfopen_ex: Trying to KLMD file open
21:53:39:203 1584 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software
21:53:39:203 1584 wfopen_ex: File opened ok (Flags 2)
21:53:39:203 1584 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: 274A98
21:53:39:203 1584 EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127
21:53:39:203 1584 CreateRegParser: EnableWow64Redirection error
21:53:39:203 1584 CreateRegParser: RegParser init completed
21:53:39:640 1584 GetAdvancedServicesInfo: Raw services enum returned 388 services
21:53:39:640 1584 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
21:53:39:640 1584 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
21:53:39:640 1584
21:53:39:640 1584 Scanning Kernel memory ...
21:53:39:640 1584 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
21:53:39:640 1584 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 89B51910
21:53:39:640 1584 DetectCureTDL3: KLMD_GetDeviceObjectList returned 5 DevObjects
21:53:39:640 1584
21:53:39:640 1584 DetectCureTDL3: DEVICE_OBJECT: 8999A2D0
21:53:39:640 1584 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8999A2D0
21:53:39:640 1584 KLMD_ReadMem: Trying to ReadMemory 0x8999A2D0[0x38]
21:53:39:640 1584 DetectCureTDL3: DRIVER_OBJECT: 89B51910
21:53:39:640 1584 KLMD_ReadMem: Trying to ReadMemory 0x89B51910[0xA8]
21:53:39:640 1584 KLMD_ReadMem: Trying to ReadMemory 0xE1017860[0x18]
21:53:39:640 1584 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
21:53:39:640 1584 DetectCureTDL3: IRP_MJ_CREATE : BA90EBB0
21:53:39:640 1584 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804FA87E
21:53:39:640 1584 DetectCureTDL3: IRP_MJ_CLOSE : BA90EBB0
21:53:39:640 1584 DetectCureTDL3: IRP_MJ_READ : BA908D1F
21:53:39:640 1584 DetectCureTDL3: IRP_MJ_WRITE : BA908D1F
21:53:39:640 1584 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804FA87E
21:53:39:640 1584 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804FA87E
21:53:39:640 1584 DetectCureTDL3: IRP_MJ_QUERY_EA : 804FA87E
21:53:39:640 1584 DetectCureTDL3: IRP_MJ_SET_EA : 804FA87E
21:53:39:640 1584 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : BA9092E2
21:53:39:640 1584 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA87E
21:53:39:640 1584 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804FA87E
21:53:39:640 1584 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804FA87E
21:53:39:640 1584 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804FA87E
21:53:39:640 1584 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : BA9093BB
21:53:39:640 1584 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : BA90CF28
21:53:39:640 1584 DetectCureTDL3: IRP_MJ_SHUTDOWN : BA9092E2
21:53:39:640 1584 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804FA87E
21:53:39:640 1584 DetectCureTDL3: IRP_MJ_CLEANUP : 804FA87E
21:53:39:640 1584 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804FA87E
21:53:39:640 1584 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804FA87E
21:53:39:640 1584 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804FA87E
21:53:39:640 1584 DetectCureTDL3: IRP_MJ_POWER : BA90AC82
21:53:39:640 1584 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : BA90F99E
21:53:39:640 1584 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804FA87E
21:53:39:640 1584 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804FA87E
21:53:39:640 1584 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804FA87E
21:53:39:640 1584 TDL3_FileDetect: Processing driver: Disk
21:53:39:640 1584 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
21:53:39:640 1584 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
21:53:39:640 1584 TDL3_FileDetect: Processing driver: Disk
21:53:39:640 1584 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
21:53:39:640 1584 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
21:53:39:656 1584 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
21:53:39:656 1584
21:53:39:656 1584 DetectCureTDL3: DEVICE_OBJECT: 89975948
21:53:39:656 1584 KLMD_GetLowerDeviceObject: Trying to get lower device object for 89975948
21:53:39:656 1584 DetectCureTDL3: DEVICE_OBJECT: 89961ED0
21:53:39:656 1584 KLMD_GetLowerDeviceObject: Trying to get lower device object for 89961ED0
21:53:39:656 1584 DetectCureTDL3: DEVICE_OBJECT: 899BEEA0
21:53:39:656 1584 KLMD_GetLowerDeviceObject: Trying to get lower device object for 899BEEA0
21:53:39:656 1584 KLMD_ReadMem: Trying to ReadMemory 0x899BEEA0[0x38]
21:53:39:656 1584 DetectCureTDL3: DRIVER_OBJECT: 89945DA0
21:53:39:656 1584 KLMD_ReadMem: Trying to ReadMemory 0x89945DA0[0xA8]
21:53:39:656 1584 KLMD_ReadMem: Trying to ReadMemory 0xE1AA6828[0x1E]
21:53:39:656 1584 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR
21:53:39:656 1584 DetectCureTDL3: IRP_MJ_CREATE : B7547218
21:53:39:656 1584 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804FA87E
21:53:39:656 1584 DetectCureTDL3: IRP_MJ_CLOSE : B7547218
21:53:39:656 1584 DetectCureTDL3: IRP_MJ_READ : B754723C
21:53:39:656 1584 DetectCureTDL3: IRP_MJ_WRITE : B754723C
21:53:39:656 1584 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804FA87E
21:53:39:656 1584 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804FA87E
21:53:39:656 1584 DetectCureTDL3: IRP_MJ_QUERY_EA : 804FA87E
21:53:39:656 1584 DetectCureTDL3: IRP_MJ_SET_EA : 804FA87E
21:53:39:656 1584 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : 804FA87E
21:53:39:656 1584 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA87E
21:53:39:656 1584 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804FA87E
21:53:39:656 1584 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804FA87E
21:53:39:656 1584 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804FA87E
21:53:39:656 1584 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : B7547180
21:53:39:656 1584 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : B75429E6
21:53:39:656 1584 DetectCureTDL3: IRP_MJ_SHUTDOWN : 804FA87E
21:53:39:656 1584 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804FA87E
21:53:39:656 1584 DetectCureTDL3: IRP_MJ_CLEANUP : 804FA87E
21:53:39:656 1584 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804FA87E
21:53:39:656 1584 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804FA87E
21:53:39:656 1584 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804FA87E
21:53:39:656 1584 DetectCureTDL3: IRP_MJ_POWER : B75465F0
21:53:39:656 1584 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : B7544A6E
21:53:39:656 1584 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804FA87E
21:53:39:656 1584 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804FA87E
21:53:39:656 1584 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804FA87E
21:53:39:656 1584 TDL3_FileDetect: Processing driver: USBSTOR
21:53:39:656 1584 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
21:53:39:656 1584 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
21:53:39:671 1584 KLMD_ReadMem: Trying to ReadMemory 0xB7543F26[0x400]
21:53:39:671 1584 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
21:53:39:671 1584 TDL3_FileDetect: Processing driver: USBSTOR
21:53:39:671 1584 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
21:53:39:671 1584 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
21:53:39:671 1584 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
21:53:39:671 1584
21:53:39:671 1584 DetectCureTDL3: DEVICE_OBJECT: 89B83C68
21:53:39:671 1584 KLMD_GetLowerDeviceObject: Trying to get lower device object for 89B83C68
21:53:39:671 1584 KLMD_ReadMem: Trying to ReadMemory 0x89B83C68[0x38]
21:53:39:671 1584 DetectCureTDL3: DRIVER_OBJECT: 89B51910
21:53:39:671 1584 KLMD_ReadMem: Trying to ReadMemory 0x89B51910[0xA8]
21:53:39:671 1584 KLMD_ReadMem: Trying to ReadMemory 0xE1017860[0x18]
21:53:39:671 1584 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_CREATE : BA90EBB0
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804FA87E
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_CLOSE : BA90EBB0
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_READ : BA908D1F
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_WRITE : BA908D1F
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804FA87E
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804FA87E
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_QUERY_EA : 804FA87E
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_SET_EA : 804FA87E
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : BA9092E2
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA87E
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804FA87E
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804FA87E
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804FA87E
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : BA9093BB
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : BA90CF28
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_SHUTDOWN : BA9092E2
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804FA87E
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_CLEANUP : 804FA87E
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804FA87E
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804FA87E
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804FA87E
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_POWER : BA90AC82
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : BA90F99E
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804FA87E
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804FA87E
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804FA87E
21:53:39:671 1584 TDL3_FileDetect: Processing driver: Disk
21:53:39:671 1584 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
21:53:39:671 1584 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
21:53:39:671 1584 TDL3_FileDetect: Processing driver: Disk
21:53:39:671 1584 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
21:53:39:671 1584 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
21:53:39:671 1584 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
21:53:39:671 1584
21:53:39:671 1584 DetectCureTDL3: DEVICE_OBJECT: 89B239F0
21:53:39:671 1584 KLMD_GetLowerDeviceObject: Trying to get lower device object for 89B239F0
21:53:39:671 1584 KLMD_ReadMem: Trying to ReadMemory 0x89B239F0[0x38]
21:53:39:671 1584 DetectCureTDL3: DRIVER_OBJECT: 89B51910
21:53:39:671 1584 KLMD_ReadMem: Trying to ReadMemory 0x89B51910[0xA8]
21:53:39:671 1584 KLMD_ReadMem: Trying to ReadMemory 0xE1017860[0x18]
21:53:39:671 1584 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_CREATE : BA90EBB0
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804FA87E
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_CLOSE : BA90EBB0
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_READ : BA908D1F
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_WRITE : BA908D1F
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804FA87E
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804FA87E
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_QUERY_EA : 804FA87E
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_SET_EA : 804FA87E
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : BA9092E2
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA87E
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804FA87E
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804FA87E
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804FA87E
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : BA9093BB
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : BA90CF28
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_SHUTDOWN : BA9092E2
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804FA87E
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_CLEANUP : 804FA87E
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804FA87E
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804FA87E
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804FA87E
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_POWER : BA90AC82
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : BA90F99E
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804FA87E
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804FA87E
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804FA87E
21:53:39:671 1584 TDL3_FileDetect: Processing driver: Disk
21:53:39:671 1584 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
21:53:39:671 1584 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
21:53:39:687 1584 TDL3_FileDetect: Processing driver: Disk
21:53:39:687 1584 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
21:53:39:687 1584 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
21:53:39:687 1584 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
21:53:39:687 1584
21:53:39:687 1584 DetectCureTDL3: DEVICE_OBJECT: 89B50AB8
21:53:39:687 1584 KLMD_GetLowerDeviceObject: Trying to get lower device object for 89B50AB8
21:53:39:687 1584 DetectCureTDL3: DEVICE_OBJECT: 89B87B00
21:53:39:687 1584 KLMD_GetLowerDeviceObject: Trying to get lower device object for 89B87B00
21:53:39:687 1584 KLMD_ReadMem: Trying to ReadMemory 0x89B87B00[0x38]
21:53:39:687 1584 DetectCureTDL3: DRIVER_OBJECT: 89AF8F38
21:53:39:687 1584 KLMD_ReadMem: Trying to ReadMemory 0x89AF8F38[0xA8]
21:53:39:687 1584 KLMD_ReadMem: Trying to ReadMemory 0x89B27030[0x38]
21:53:39:687 1584 KLMD_ReadMem: Trying to ReadMemory 0x89B574A8[0xA8]
21:53:39:687 1584 KLMD_ReadMem: Trying to ReadMemory 0xE19543F0[0x1A]
21:53:39:687 1584 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
21:53:39:687 1584 DetectCureTDL3: IRP_MJ_CREATE : 89B2B618
21:53:39:687 1584 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 89B2B618
21:53:39:687 1584 DetectCureTDL3: IRP_MJ_CLOSE : 89B2B618
21:53:39:687 1584 DetectCureTDL3: IRP_MJ_READ : 89B2B618
21:53:39:687 1584 DetectCureTDL3: IRP_MJ_WRITE : 89B2B618
21:53:39:687 1584 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 89B2B618
21:53:39:687 1584 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 89B2B618
21:53:39:687 1584 DetectCureTDL3: IRP_MJ_QUERY_EA : 89B2B618
21:53:39:687 1584 DetectCureTDL3: IRP_MJ_SET_EA : 89B2B618
21:53:39:687 1584 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : 89B2B618
21:53:39:687 1584 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 89B2B618
21:53:39:687 1584 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 89B2B618
21:53:39:687 1584 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 89B2B618
21:53:39:687 1584 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 89B2B618
21:53:39:687 1584 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : 89B2B618
21:53:39:687 1584 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : 89B2B618
21:53:39:687 1584 DetectCureTDL3: IRP_MJ_SHUTDOWN : 89B2B618
21:53:39:687 1584 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 89B2B618
21:53:39:687 1584 DetectCureTDL3: IRP_MJ_CLEANUP : 89B2B618
21:53:39:687 1584 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 89B2B618
21:53:39:687 1584 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 89B2B618
21:53:39:687 1584 DetectCureTDL3: IRP_MJ_SET_SECURITY : 89B2B618
21:53:39:687 1584 DetectCureTDL3: IRP_MJ_POWER : 89B2B618
21:53:39:687 1584 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : 89B2B618
21:53:39:687 1584 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 89B2B618
21:53:39:687 1584 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 89B2B618
21:53:39:687 1584 DetectCureTDL3: IRP_MJ_SET_QUOTA : 89B2B618
21:53:39:687 1584 TDL3_FileDetect: Processing driver: atapi
21:53:39:687 1584 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\tsk26.tmp
21:53:39:687 1584 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\tsk26.tmp
21:53:39:703 1584 DetectCureTDL3: All IRP handlers pointed to one addr: 89B2B618
21:53:39:703 1584 KLMD_ReadMem: Trying to ReadMemory 0x89B2B618[0x400]
21:53:39:703 1584 TDL3_IrpHookDetect: TDL3 is already cured
21:53:39:703 1584 KLMD_ReadMem: Trying to ReadMemory 0x89B2B4BF[0x400]
21:53:39:703 1584 TDL3_StartIoHookDetect: CheckParameters: 9, FFDF0308, 0
21:53:39:703 1584 TDL3_FileDetect: Processing driver: atapi
21:53:39:703 1584 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\tsk26.tmp
21:53:39:703 1584 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\tsk26.tmp
21:53:39:703 1584 TDL3_FileDetect: C:\WINDOWS\system32\drivers\tsk26.tmp - Verdict: Clean
21:53:39:703 1584
21:53:39:703 1584 Completed
21:53:39:703 1584
21:53:39:703 1584 Results:
21:53:39:703 1584 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
21:53:39:703 1584 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
21:53:39:703 1584 File objects infected / cured / cured on reboot: 0 / 0 / 0
21:53:39:703 1584
21:53:39:703 1584 UnloadDriverW: NtUnloadDriver error 1
21:53:39:703 1584 KLMD_Unload: UnloadDriverW(klmd21) error 1
21:53:39:703 1584 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
21:53:39:703 1584 UtilityDeinit: KLMD(ARK) unloaded successfully

I was able to get this running in normal mode.

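The TDSSKiller log above is what a helper reads to decide whether the TDL3/TDSS disk hook is present: the tool walks each driver object on the disk stack, lists its IRP_MJ_* dispatch entries, reports a table whose entries all point at a single address (the "All IRP handlers pointed to one addr" line), and finishes with the infected/cured counters. As an added example that is not part of this thread and is not Kaspersky's code, the Python script below pulls exactly those facts out of such a log. The sample log embedded in it is a constructed excerpt in the same line format, and the `min_entries` threshold is my own choice, not something the tool documents.

```python
"""Triage helper for a verbose TDSSKiller 2.2.x log.

Added example, not part of the thread and not Kaspersky's own code. It groups
the DetectCureTDL3 lines by driver object, collects each driver's IRP_MJ_*
dispatch addresses, file verdicts and hook-detector notes, and reads the final
Results counters. SAMPLE_LOG is a constructed excerpt in the log format shown
in the thread, not a captured log.
"""
import re
import sys

# Each line is "HH:MM:SS:mmm <pid> <message>"; keep only the message.
LINE_RE = re.compile(r"^\d{2}:\d{2}:\d{2}:\d{3}\s+\d+\s?(.*)$")
DRIVER_RE = re.compile(r"DetectCureTDL3: DRIVER_OBJECT name: (\S+), Driver Name: (\S+)")
IRP_RE = re.compile(r"DetectCureTDL3: (IRP_MJ_\w+) : ([0-9A-Fa-f]+)")
VERDICT_RE = re.compile(r"TDL3_FileDetect: (.+?) - Verdict: (\w+)")
NOTE_RE = re.compile(r"(All IRP handlers pointed to one addr: [0-9A-Fa-f]+"
                     r"|TDL3_IrpHookDetect: .*|TDL3_StartIoHookDetect: .*)")
RESULT_RE = re.compile(r"(Memory|Registry|File) objects infected / cured / "
                       r"cured on reboot: (\d+) / (\d+) / (\d+)")

# Constructed sample: a normal disk.sys dispatch table, then an atapi driver
# object whose every IRP handler is the same address.
SAMPLE_LOG = r"""
21:53:39:640 1584 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
21:53:39:640 1584 DetectCureTDL3: IRP_MJ_CREATE : BA90EBB0
21:53:39:640 1584 DetectCureTDL3: IRP_MJ_CLOSE : BA90EBB0
21:53:39:640 1584 DetectCureTDL3: IRP_MJ_READ : BA908D1F
21:53:39:640 1584 DetectCureTDL3: IRP_MJ_WRITE : BA908D1F
21:53:39:656 1584 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
21:53:39:687 1584 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
21:53:39:687 1584 DetectCureTDL3: IRP_MJ_CREATE : 89B2B618
21:53:39:687 1584 DetectCureTDL3: IRP_MJ_CLOSE : 89B2B618
21:53:39:687 1584 DetectCureTDL3: IRP_MJ_READ : 89B2B618
21:53:39:687 1584 DetectCureTDL3: IRP_MJ_WRITE : 89B2B618
21:53:39:703 1584 DetectCureTDL3: All IRP handlers pointed to one addr: 89B2B618
21:53:39:703 1584 TDL3_IrpHookDetect: TDL3 is already cured
21:53:39:703 1584 Results:
21:53:39:703 1584 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
21:53:39:703 1584 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
21:53:39:703 1584 File objects infected / cured / cured on reboot: 0 / 0 / 0
"""


def parse_tdsskiller_log(text):
    """Return {"drivers": [per-driver dicts], "results": {kind: (inf, cured, reboot)}}."""
    drivers, results, current = [], {}, None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a timestamped TDSSKiller line
        body = m.group(1).strip()
        d = DRIVER_RE.search(body)
        if d:  # a new driver object starts a new group
            current = {"object": d.group(1), "driver": d.group(2),
                       "irp": {}, "verdicts": [], "notes": []}
            drivers.append(current)
            continue
        r = RESULT_RE.search(body)
        if r:
            results[r.group(1)] = tuple(int(x) for x in r.group(2, 3, 4))
            continue
        if current is None:
            continue  # SystemInfo header lines precede the first driver
        i = IRP_RE.search(body)
        if i:
            current["irp"][i.group(1)] = i.group(2).upper()
            continue
        v = VERDICT_RE.search(body)
        if v:
            current["verdicts"].append((v.group(1), v.group(2)))
            continue
        n = NOTE_RE.search(body)
        if n:
            current["notes"].append(n.group(1))
    return {"drivers": drivers, "results": results}


def find_uniform_dispatch(parsed, min_entries=4):
    """Drivers whose whole IRP_MJ_* table points at one address.

    This is the pattern TDSSKiller itself reports as "All IRP handlers pointed
    to one addr". min_entries (my own threshold) skips drivers for which the
    log listed only a couple of entries. A hit is an indicator, not a verdict:
    legitimate drivers can also route every IRP through one dispatch routine.
    """
    hits = []
    for d in parsed["drivers"]:
        addrs = set(d["irp"].values())
        if len(d["irp"]) >= min_entries and len(addrs) == 1:
            hit = (d["driver"], addrs.pop())
            if hit not in hits:  # one driver object may be listed per device
                hits.append(hit)
    return hits


def summarize(text):
    """One-shot triage: indicators, the tool's own notes and the infected total."""
    parsed = parse_tdsskiller_log(text)
    return {
        "uniform_dispatch": find_uniform_dispatch(parsed),
        "notes": [n for d in parsed["drivers"] for n in d["notes"]],
        "infected_total": sum(v[0] for v in parsed["results"].values()),
    }


if __name__ == "__main__":
    # Usage: python tdss_triage.py Logit.txt   (falls back to the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    report = summarize(text)
    for driver, addr in report["uniform_dispatch"]:
        print(f"[indicator] {driver}: all IRP_MJ_* handlers point to {addr}")
    for note in report["notes"]:
        print(f"[tool note] {note}")
    print(f"objects reported infected: {report['infected_total']}")
```

Run against the log from the post above, the script would flag `atapi` with every handler at 89B2B618 and echo the tool's "TDL3 is already cured" note, while the Results counters stay at zero. Read the two together: the uniform table says the dispatch hook was present, the note says TDSSKiller had already replaced it, and the zero counters say nothing was left for this run to fix.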

Re: I think that i've got the Sasser worm and Essledev trojan, plus others. HELP!!!

Post by Dr Jay on Fri Feb 19, 2010 4:45 pm

Please download [You must be registered and logged in to see this link.] and save it to your desktop.

  1. Double click it to start the tool.
  2. Click Scan.
  3. Eventually, a Notepad file containing the report will open, also found at C:\Rooter.txt. Post that log in your next reply.


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator

Posts : 13714
Joined : 2009-09-06
Gender : Male
OS : Windows 10 Home & Pro
Protection : Bitdefender Total Security
Points : 302072
# Likes : 10


Re: I think that i've got the Sasser worm and Essledev trojan, plus others. HELP!!!

Post by Infinite on Sat Feb 20, 2010 3:08 pm

Rooter.exe (v1.0.2) by Eric_71
.
SeDebugPrivilege granted successfully ...
.
Windows XP Home Edition (5.1.2600) Service Pack 3
[32_bits] - x86 Family 6 Model 13 Stepping 8, GenuineIntel
.
[wscsvc] (Security Center) RUNNING (state:4)
[SharedAccess] RUNNING (state:4)
Windows Firewall -> Enabled
.
Internet Explorer 8.0.6001.18702
.
C:\ [Fixed-NTFS] .. ( Total:55 Go - Free:2 Go )
D:\ [CD_Rom]
.
Scan : 09:59.57
Path : C:\Documents and Settings\Henry\Desktop\Rooter.exe
User : Henry ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
______ System (4)
______ \SystemRoot\System32\smss.exe (508)
______ \??\C:\WINDOWS\system32\csrss.exe (568)
______ \??\C:\WINDOWS\system32\winlogon.exe (604)
______ C:\WINDOWS\system32\services.exe (648)
______ C:\WINDOWS\system32\lsass.exe (660)
______ C:\WINDOWS\system32\Ati2evxx.exe (832)
______ C:\WINDOWS\system32\svchost.exe (848)
______ C:\WINDOWS\system32\svchost.exe (928)
______ C:\WINDOWS\System32\svchost.exe (968)
______ C:\WINDOWS\system32\svchost.exe (1004)
______ C:\WINDOWS\system32\svchost.exe (1256)
______ C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (1444)
______ C:\WINDOWS\system32\spoolsv.exe (1824)
______ C:\WINDOWS\system32\acs.exe (1868)
______ C:\WINDOWS\system32\svchost.exe (1924)
______ C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (912)
______ C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe (1084)
______ C:\WINDOWS\system32\CSHelper.exe (1164)
______ C:\WINDOWS\system32\DVDRAMSV.exe (1220)
______ C:\WINDOWS\system32\svchost.exe (1328)
______ C:\WINDOWS\System32\svchost.exe (1368)
______ C:\WINDOWS\System32\svchost.exe (1384)
______ C:\WINDOWS\system32\RioMSC.exe (1408)
______ C:\WINDOWS\system32\svchost.exe (1628)
______ c:\TOSHIBA\IVP\swupdate\swupdtmr.exe (1696)
______ C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe (1712)
______ C:\WINDOWS\system32\wuauclt.exe (276)
______ C:\WINDOWS\System32\alg.exe (1200)
______ C:\WINDOWS\system32\Ati2evxx.exe (1624)
______ C:\WINDOWS\system32\wscntfy.exe (2252)
______ C:\WINDOWS\Explorer.EXE (4032)
______ C:\WINDOWS\system32\wbem\wmiprvse.exe (2372)
______ C:\WINDOWS\system32\wbem\wmiprvse.exe (2412)
______ C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe (2784)
______ C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (2808)
______ C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (2848)
______ C:\WINDOWS\system32\rundll32.exe (3324)
______ C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe (2896)
______ C:\WINDOWS\system32\wuauclt.exe (2968)
______ C:\Program Files\Toshiba\Tvs\TvsTray.exe (2996)
______ C:\Program Files\ltmoh\Ltmoh.exe (3052)
______ C:\WINDOWS\System32\DLA\DLACTRLW.EXE (2020)
______ C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe (3228)
______ C:\toshiba\ivp\ism\pinger.exe (3252)
______ C:\Program Files\HP\HP Software Update\HPWuSchd2.exe (2628)
______ C:\toshiba\ivp\ism\ivpsvmgr.exe (3292)
______ C:\WINDOWS\system32\TPSBattM.exe (3348)
______ C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe (3380)
______ C:\WINDOWS\system32\ctfmon.exe (3432)
______ C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe (3440)
______ C:\Program Files\Messenger\msmsgs.exe (3512)
______ C:\Program Files\ParetoLogic\Anti-Spyware\Pareto_AS.exe (3520)
______ C:\Program Files\ParetoLogic\DriverCure\DriverCure.exe (3568)
______ C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (3972)
______ C:\Program Files\Yahoo!\Yahoo! Music Engine\ymetray.exe (4064)
______ C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe (4076)
______ C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe (1532)
______ C:\Documents and Settings\Henry\Desktop\Rooter.exe (3388)
______ C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe (3400)
______ C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe (3484)
______ C:\WINDOWS\system32\msiexec.exe (3648)
______ C:\Program Files\Common Files\ParetoLogic\UUS\Pareto_Update.exe (3952)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
\Device\Harddisk0\Partition1 --[ MBR ]-- (Start_Offset:32256 | Length:59748401664)
\Device\Harddisk0\Partition2 (Start_Offset:59748433920 | Length:263208960)
.
----------------------\\ Scheduled Tasks
.
C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
C:\WINDOWS\Tasks\desktop.ini
C:\WINDOWS\Tasks\DriverCure.job
C:\WINDOWS\Tasks\Pareto UNS.job
C:\WINDOWS\Tasks\ParetoLogic Anti-Spyware.job
C:\WINDOWS\Tasks\ParetoLogic Registration.job
C:\WINDOWS\Tasks\ParetoLogic Update Version2.job
C:\WINDOWS\Tasks\ParetoLogic Update.job
C:\WINDOWS\Tasks\SA.DAT
.
----------------------\\ Registry
.
.
----------------------\\ Files & Folders
.
----------------------\\ Scan completed at 10:00.23
.
C:\Rooter$\Rooter_1.txt - (20/02/2010 | 10:00.23)

Rooter log as requested.

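A Rooter process listing like the one above is normally read by eye, one line at a time. As an added example (not part of the thread and not Rooter's own code), the Python script below parses the "Processes" section of that output into (image path, PID) pairs and applies one simple defender's heuristic: an executable running from a user-writable location such as the Desktop, a Temp folder or the user profile deserves a second look, while images under the usual system and Program Files paths do not. The sample log is a constructed excerpt modelled on the posted output; the Temp entry in it is invented for the illustration and does not appear in the thread. Note that the heuristic flags Rooter.exe itself, because the user ran it from the Desktop, which is exactly why hits from a rule like this are a review queue for a human, not grounds for automatic action.

```python
"""Triage helper for a Rooter-style process listing.

Added example, not Rooter's code.  Rooter prints each process as
"______ <image path> (<pid>)" under a "----------------------\\ Processes"
header, and a locked pseudo-process as "Locked [System Process] (0)".
"""
import re
from typing import List, Tuple

# Constructed excerpt modelled on the Rooter output posted in the thread.
# The Temp entry (pid 3999) is invented for this example; it is not from the log.
SAMPLE_LOG = r"""
----------------------\\ Processes
.
Locked [System Process] (0)
______ System (4)
______ \SystemRoot\System32\smss.exe (508)
______ \??\C:\WINDOWS\system32\csrss.exe (568)
______ C:\WINDOWS\system32\services.exe (648)
______ C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (1444)
______ C:\Documents and Settings\Henry\Desktop\Rooter.exe (3388)
______ C:\DOCUME~1\Henry\LOCALS~1\Temp\setup.tmp (3999)
.
----------------------\\ Device\Harddisk0\
"""

# Section headers look like "----------------------\\ <name>".
SECTION_RE = re.compile(r"^-+\\\\\s*(\S.*?)\s*$")
# Process lines: marker, image path, then "(pid)" at end of line.
PROCESS_RE = re.compile(r"^(?:______|Locked)\s+(.*?)\s+\((\d+)\)\s*$")

# Path fragments (lowercase) that an ordinary user can write to.  These are
# assumptions chosen for the example, not an exhaustive list.
USER_WRITABLE_MARKERS = (
    "\\documents and settings\\",
    "\\docume~1\\",
    "\\users\\",
    "\\temp\\",
    "\\application data\\",
)


def parse_processes(log_text: str) -> List[Tuple[str, int]]:
    """Return (image, pid) pairs from the Processes section only."""
    procs: List[Tuple[str, int]] = []
    in_section = False
    for line in log_text.splitlines():
        header = SECTION_RE.match(line)
        if header:
            in_section = header.group(1) == "Processes"
            continue
        if not in_section:
            continue
        entry = PROCESS_RE.match(line)
        if entry:
            procs.append((entry.group(1), int(entry.group(2))))
    return procs


def normalize(image: str) -> str:
    """Strip NT-native prefixes so the path heuristics see a plain Win32 path."""
    path = image
    if path.startswith("\\??\\"):
        path = path[len("\\??\\"):]
    if path.lower().startswith("\\systemroot\\"):
        # Assumption for the example: the system root is C:\WINDOWS, as in the thread.
        path = "C:\\WINDOWS\\" + path[len("\\SystemRoot\\"):]
    return path


def is_user_writable(path: str) -> bool:
    """True when the path lies under a location a non-admin user can write to."""
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE_MARKERS)


def triage(log_text: str) -> List[Tuple[str, int]]:
    """Return the (path, pid) pairs worth a human look, in log order."""
    flagged: List[Tuple[str, int]] = []
    for image, pid in parse_processes(log_text):
        path = normalize(image)
        if "\\" not in path:
            continue  # kernel pseudo-entries such as "System" or "[System Process]"
        if is_user_writable(path):
            flagged.append((path, pid))
    return flagged


if __name__ == "__main__":
    for path, pid in triage(SAMPLE_LOG):
        print(f"review: pid {pid} runs from a user-writable path: {path}")
```

Running the script on the sample prints two review lines, one for Rooter.exe on the Desktop and one for the constructed Temp entry. Extending the markers, or adding a whitelist of known tool paths, is the natural next step once the rule is used on real logs.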

Re: I think that i've got the Sasser worm and Essledev trojan, plus others. HELP!!!

Post by Dr Jay on Sat Feb 20, 2010 5:23 pm

How are the ParetoLogic products working for you?



Re: I think that i've got the Sasser worm and Essledev trojan, plus others. HELP!!!

Post by Infinite on Sat Feb 20, 2010 6:13 pm

It stinks!


Re: I think that i've got the Sasser worm and Essledev trojan, plus others. HELP!!!

Post by Dr Jay on Sat Feb 20, 2010 7:48 pm

Good. Because their products are not recommended.

Care to remove them, and get something else?

Download Security Check by screen317 from [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



Re: I think that i've got the Sasser worm and Essledev trojan, plus others. HELP!!!

Post by Infinite on Sun Feb 21, 2010 3:05 pm

Results of screen317's Security Check version 0.99.1
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
avast! Antivirus
``````````````````````````````
Anti-malware/Other Utilities Check:

ParetoLogic Anti-Spyware
CCleaner (remove only)
Adobe Flash Player 10
Adobe Reader 9
``````````````````````````````
Process Check:
objlist.exe by Laurent

Alwil Software Avast4 aswUpdSv.exe
``````````````````````````````
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````


Re: I think that i've got the Sasser worm and Essledev trojan, plus others. HELP!!!

Post by Infinite on Sun Feb 21, 2010 6:56 pm

I did notice that Security Check tried to update Avast, but that failed.


Re: I think that i've got the Sasser worm and Essledev trojan, plus others. HELP!!!

Post by Dr Jay on Sun Feb 21, 2010 7:13 pm

I asked about ParetoLogic:
Care to remove them, and get something else?



Re: I think that i've got the Sasser worm and Essledev trojan, plus others. HELP!!!

Post by Infinite on Sun Feb 21, 2010 7:29 pm

Sorry. Yes. Absolutely.


Re: I think that i've got the Sasser worm and Essledev trojan, plus others. HELP!!!

Post by Infinite on Mon Feb 22, 2010 1:18 am

ParetoLogic products have been removed using Revo Uninstaller.


Re: I think that i've got the Sasser worm and Essledev trojan, plus others. HELP!!!

Post by Dr Jay on Tue Feb 23, 2010 2:00 am

Good. Now, how is your computer running? Please tell me of any issues.



Re: I think that i've got the Sasser worm and Essledev trojan, plus others. HELP!!!

Post by Infinite on Tue Feb 23, 2010 2:25 am

Lots better.

I ran Malwarebytes and that cleaned up more stuff. I think I can manage it from here. Thanks a lot!


Re: I think that i've got the Sasser worm and Essledev trojan, plus others. HELP!!!

Post by Dr Jay on Tue Feb 23, 2010 2:37 am

OK.

