Symentac alert Backdoor.Tidserv!inf.... can't get rid of it, please help
Page 1 of 2
entityxero (Novice)
I've tried using Malwarebytes, even System Restore... nothing is working. Any suggestions would be a HUGE help!
Dr Jay (Head Admin)
Download this << file >> & extract TDSSKiller.exe onto your Desktop
Then create this batch file to be placed next to TDSSKiller
=====
Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:
- Code:
@ECHO OFF
START /WAIT TDSSKILLER.exe -l Logit.txt -v
START Logit.txt
del %0
It should look like this:

Double click on fix.bat & allow it to run
Post back to tell me what it says
entityxero (Novice)
17:59:56:125 3828 TDSS rootkit removing tool 2.2.3 Feb 4 2010 14:34:00
17:59:56:125 3828 ================================================================================
17:59:56:125 3828 SystemInfo:
17:59:56:125 3828 OS Version: 5.1.2600 ServicePack: 2.0
17:59:56:125 3828 Product type: Workstation
17:59:56:125 3828 ComputerName: DDXMV7C1
17:59:56:125 3828 UserName: edpjgo
17:59:56:125 3828 Windows directory: C:\WINDOWS
17:59:56:125 3828 Processor architecture: Intel x86
17:59:56:125 3828 Number of processors: 2
17:59:56:125 3828 Page size: 0x1000
17:59:56:125 3828 Boot type: Normal boot
17:59:56:125 3828 ================================================================================
17:59:56:156 3828 UnloadDriverW: NtUnloadDriver error 2
17:59:56:156 3828 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
17:59:56:171 3828 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
17:59:56:296 3828 UtilityInit: KLMD drop and load success
17:59:56:296 3828 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201010)
17:59:56:296 3828 UtilityInit: KLMD open success
17:59:56:296 3828 UtilityInit: Initialize success
17:59:56:296 3828
17:59:56:296 3828 Scanning Services ...
17:59:56:296 3828 CreateRegParser: Registry parser init started
17:59:56:296 3828 DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127
17:59:56:296 3828 CreateRegParser: DisableWow64Redirection error
17:59:56:296 3828 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
17:59:56:296 3828 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043
17:59:56:296 3828 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
17:59:56:296 3828 wfopen_ex: Trying to KLMD file open
17:59:56:296 3828 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system
17:59:56:296 3828 wfopen_ex: File opened ok (Flags 2)
17:59:56:296 3828 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: 3F4D50
17:59:56:296 3828 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
17:59:56:296 3828 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043
17:59:56:296 3828 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
17:59:56:296 3828 wfopen_ex: Trying to KLMD file open
17:59:56:296 3828 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software
17:59:56:296 3828 wfopen_ex: File opened ok (Flags 2)
17:59:56:296 3828 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: 3F4DF8
17:59:56:296 3828 EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127
17:59:56:296 3828 CreateRegParser: EnableWow64Redirection error
17:59:56:296 3828 CreateRegParser: RegParser init completed
17:59:57:046 3828 GetAdvancedServicesInfo: Raw services enum returned 468 services
17:59:57:062 3828 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
17:59:57:062 3828 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
17:59:57:062 3828
17:59:57:062 3828 Scanning Kernel memory ...
17:59:57:062 3828 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
17:59:57:062 3828 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 8B06BA08
17:59:57:062 3828 DetectCureTDL3: KLMD_GetDeviceObjectList returned 3 DevObjects
17:59:57:062 3828
17:59:57:062 3828 DetectCureTDL3: DEVICE_OBJECT: 8B08FC68
17:59:57:062 3828 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8B08FC68
17:59:57:062 3828 KLMD_ReadMem: Trying to ReadMemory 0x8B08FC68[0x38]
17:59:57:062 3828 DetectCureTDL3: DRIVER_OBJECT: 8B06BA08
17:59:57:062 3828 KLMD_ReadMem: Trying to ReadMemory 0x8B06BA08[0xA8]
17:59:57:062 3828 KLMD_ReadMem: Trying to ReadMemory 0xE18631A0[0x18]
17:59:57:062 3828 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
17:59:57:062 3828 DetectCureTDL3: IrpHandler (0) addr: BA10EC30
17:59:57:062 3828 DetectCureTDL3: IrpHandler (1) addr: 804F4476
17:59:57:062 3828 DetectCureTDL3: IrpHandler (2) addr: BA10EC30
17:59:57:062 3828 DetectCureTDL3: IrpHandler (3) addr: BA108D9B
17:59:57:062 3828 DetectCureTDL3: IrpHandler (4) addr: BA108D9B
17:59:57:062 3828 DetectCureTDL3: IrpHandler (5) addr: 804F4476
17:59:57:062 3828 DetectCureTDL3: IrpHandler (6) addr: 804F4476
17:59:57:062 3828 DetectCureTDL3: IrpHandler (7) addr: 804F4476
17:59:57:062 3828 DetectCureTDL3: IrpHandler (8) addr: 804F4476
17:59:57:062 3828 DetectCureTDL3: IrpHandler (9) addr: BA109366
17:59:57:062 3828 DetectCureTDL3: IrpHandler (10) addr: 804F4476
17:59:57:062 3828 DetectCureTDL3: IrpHandler (11) addr: 804F4476
17:59:57:062 3828 DetectCureTDL3: IrpHandler (12) addr: 804F4476
17:59:57:062 3828 DetectCureTDL3: IrpHandler (13) addr: 804F4476
17:59:57:062 3828 DetectCureTDL3: IrpHandler (14) addr: BA10944D
17:59:57:062 3828 DetectCureTDL3: IrpHandler (15) addr: BA10CFC3
17:59:57:062 3828 DetectCureTDL3: IrpHandler (16) addr: BA109366
17:59:57:062 3828 DetectCureTDL3: IrpHandler (17) addr: 804F4476
17:59:57:062 3828 DetectCureTDL3: IrpHandler (18) addr: 804F4476
17:59:57:062 3828 DetectCureTDL3: IrpHandler (19) addr: 804F4476
17:59:57:062 3828 DetectCureTDL3: IrpHandler (20) addr: 804F4476
17:59:57:062 3828 DetectCureTDL3: IrpHandler (21) addr: 804F4476
17:59:57:062 3828 DetectCureTDL3: IrpHandler (22) addr: BA10AEF3
17:59:57:062 3828 DetectCureTDL3: IrpHandler (23) addr: BA10FA24
17:59:57:062 3828 DetectCureTDL3: IrpHandler (24) addr: 804F4476
17:59:57:062 3828 DetectCureTDL3: IrpHandler (25) addr: 804F4476
17:59:57:062 3828 DetectCureTDL3: IrpHandler (26) addr: 804F4476
17:59:57:062 3828 TDL3_FileDetect: Processing driver: Disk
17:59:57:062 3828 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
17:59:57:062 3828 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
17:59:57:078 3828 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
17:59:57:078 3828
17:59:57:078 3828 DetectCureTDL3: DEVICE_OBJECT: 8B067C68
17:59:57:078 3828 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8B067C68
17:59:57:078 3828 KLMD_ReadMem: Trying to ReadMemory 0x8B067C68[0x38]
17:59:57:078 3828 DetectCureTDL3: DRIVER_OBJECT: 8B06BA08
17:59:57:078 3828 KLMD_ReadMem: Trying to ReadMemory 0x8B06BA08[0xA8]
17:59:57:078 3828 KLMD_ReadMem: Trying to ReadMemory 0xE18631A0[0x18]
17:59:57:078 3828 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
17:59:57:078 3828 DetectCureTDL3: IrpHandler (0) addr: BA10EC30
17:59:57:078 3828 DetectCureTDL3: IrpHandler (1) addr: 804F4476
17:59:57:078 3828 DetectCureTDL3: IrpHandler (2) addr: BA10EC30
17:59:57:078 3828 DetectCureTDL3: IrpHandler (3) addr: BA108D9B
17:59:57:078 3828 DetectCureTDL3: IrpHandler (4) addr: BA108D9B
17:59:57:078 3828 DetectCureTDL3: IrpHandler (5) addr: 804F4476
17:59:57:078 3828 DetectCureTDL3: IrpHandler (6) addr: 804F4476
17:59:57:078 3828 DetectCureTDL3: IrpHandler (7) addr: 804F4476
17:59:57:078 3828 DetectCureTDL3: IrpHandler (8) addr: 804F4476
17:59:57:078 3828 DetectCureTDL3: IrpHandler (9) addr: BA109366
17:59:57:078 3828 DetectCureTDL3: IrpHandler (10) addr: 804F4476
17:59:57:078 3828 DetectCureTDL3: IrpHandler (11) addr: 804F4476
17:59:57:078 3828 DetectCureTDL3: IrpHandler (12) addr: 804F4476
17:59:57:078 3828 DetectCureTDL3: IrpHandler (13) addr: 804F4476
17:59:57:078 3828 DetectCureTDL3: IrpHandler (14) addr: BA10944D
17:59:57:078 3828 DetectCureTDL3: IrpHandler (15) addr: BA10CFC3
17:59:57:078 3828 DetectCureTDL3: IrpHandler (16) addr: BA109366
17:59:57:078 3828 DetectCureTDL3: IrpHandler (17) addr: 804F4476
17:59:57:078 3828 DetectCureTDL3: IrpHandler (18) addr: 804F4476
17:59:57:078 3828 DetectCureTDL3: IrpHandler (19) addr: 804F4476
17:59:57:078 3828 DetectCureTDL3: IrpHandler (20) addr: 804F4476
17:59:57:078 3828 DetectCureTDL3: IrpHandler (21) addr: 804F4476
17:59:57:078 3828 DetectCureTDL3: IrpHandler (22) addr: BA10AEF3
17:59:57:078 3828 DetectCureTDL3: IrpHandler (23) addr: BA10FA24
17:59:57:078 3828 DetectCureTDL3: IrpHandler (24) addr: 804F4476
17:59:57:078 3828 DetectCureTDL3: IrpHandler (25) addr: 804F4476
17:59:57:078 3828 DetectCureTDL3: IrpHandler (26) addr: 804F4476
17:59:57:078 3828 TDL3_FileDetect: Processing driver: Disk
17:59:57:078 3828 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
17:59:57:078 3828 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
17:59:57:078 3828 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
17:59:57:078 3828
17:59:57:078 3828 DetectCureTDL3: DEVICE_OBJECT: 8AFE4AB8
17:59:57:078 3828 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AFE4AB8
17:59:57:078 3828 DetectCureTDL3: DEVICE_OBJECT: 8B06DF18
17:59:57:078 3828 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8B06DF18
17:59:57:078 3828 DetectCureTDL3: DEVICE_OBJECT: 8B06CD98
17:59:57:078 3828 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8B06CD98
17:59:57:078 3828 KLMD_ReadMem: Trying to ReadMemory 0x8B06CD98[0x38]
17:59:57:078 3828 DetectCureTDL3: DRIVER_OBJECT: 8B0C4818
17:59:57:078 3828 KLMD_ReadMem: Trying to ReadMemory 0x8B0C4818[0xA8]
17:59:57:078 3828 KLMD_ReadMem: Trying to ReadMemory 0xE18311B0[0x1A]
17:59:57:078 3828 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
17:59:57:078 3828 DetectCureTDL3: IrpHandler (0) addr: B9F1D572
17:59:57:078 3828 DetectCureTDL3: IrpHandler (1) addr: 804F4476
17:59:57:078 3828 DetectCureTDL3: IrpHandler (2) addr: B9F1D572
17:59:57:078 3828 DetectCureTDL3: IrpHandler (3) addr: 804F4476
17:59:57:078 3828 DetectCureTDL3: IrpHandler (4) addr: 804F4476
17:59:57:078 3828 DetectCureTDL3: IrpHandler (5) addr: 804F4476
17:59:57:078 3828 DetectCureTDL3: IrpHandler (6) addr: 804F4476
17:59:57:078 3828 DetectCureTDL3: IrpHandler (7) addr: 804F4476
17:59:57:078 3828 DetectCureTDL3: IrpHandler (8) addr: 804F4476
17:59:57:078 3828 DetectCureTDL3: IrpHandler (9) addr: 804F4476
17:59:57:078 3828 DetectCureTDL3: IrpHandler (10) addr: 804F4476
17:59:57:078 3828 DetectCureTDL3: IrpHandler (11) addr: 804F4476
17:59:57:078 3828 DetectCureTDL3: IrpHandler (12) addr: 804F4476
17:59:57:078 3828 DetectCureTDL3: IrpHandler (13) addr: 804F4476
17:59:57:078 3828 DetectCureTDL3: IrpHandler (14) addr: B9F1D592
17:59:57:078 3828 DetectCureTDL3: IrpHandler (15) addr: B9F197B4
17:59:57:078 3828 DetectCureTDL3: IrpHandler (16) addr: 804F4476
17:59:57:078 3828 DetectCureTDL3: IrpHandler (17) addr: 804F4476
17:59:57:078 3828 DetectCureTDL3: IrpHandler (18) addr: 804F4476
17:59:57:078 3828 DetectCureTDL3: IrpHandler (19) addr: 804F4476
17:59:57:078 3828 DetectCureTDL3: IrpHandler (20) addr: 804F4476
17:59:57:078 3828 DetectCureTDL3: IrpHandler (21) addr: 804F4476
17:59:57:078 3828 DetectCureTDL3: IrpHandler (22) addr: B9F1D5BC
17:59:57:078 3828 DetectCureTDL3: IrpHandler (23) addr: B9F24164
17:59:57:078 3828 DetectCureTDL3: IrpHandler (24) addr: 804F4476
17:59:57:078 3828 DetectCureTDL3: IrpHandler (25) addr: 804F4476
17:59:57:078 3828 DetectCureTDL3: IrpHandler (26) addr: 804F4476
17:59:57:078 3828 KLMD_ReadMem: Trying to ReadMemory 0xB9F1A7C6[0x400]
17:59:57:078 3828 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
17:59:57:078 3828 TDL3_FileDetect: Processing driver: atapi
17:59:57:078 3828 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
17:59:57:078 3828 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\atapi.sys
17:59:57:109 3828 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Clean
17:59:57:109 3828
17:59:57:109 3828 Completed
17:59:57:109 3828
17:59:57:109 3828 Results:
17:59:57:109 3828 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
17:59:57:109 3828 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
17:59:57:109 3828 File objects infected / cured / cured on reboot: 0 / 0 / 0
17:59:57:109 3828
17:59:57:109 3828 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
17:59:57:109 3828 UtilityDeinit: KLMD(ARK) unloaded successfully
Dr Jay (Head Admin)
Please download RootRepeal from GooglePages.com.
- Extract the program file to your Desktop.
- Run the program RootRepeal.exe and go to the Report tab and click on the Scan button.
- Select ALL of the checkboxes and then click OK and it will start scanning your system.
- If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
- When done, click on Save Report
- Save it to the Desktop.
- Please copy/paste the contents of the report in your next reply.
Please remove any e-mail address in the RootRepeal report (if present).
entityxero (Novice)
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/02/16 09:43
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================
Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA8352000 Size: 98304 File Visible: No Signed: -
Status: -
Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA5E4000 Size: 8192 File Visible: No Signed: -
Status: -
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA61B3000 Size: 49152 File Visible: No Signed: -
Status: -
Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!
Path: C:\RootRepeal report 02-16-10 (09-43-16).txt
Status: Visible to the Windows API, but not on disk.
Path: c:\windows\temp\perflib_perfdata_3f8.dat
Status: Allocation size mismatch (API: 16384, Raw: 0)
Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100214.004\EraserUtilRebootDrv.sys
Status: Locked to the Windows API!
SSDT
-------------------
#: 031 Function Name: NtConnectPort
Status: Hooked by "" at address 0x8aea8290
#: 041 Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xba11887e
#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xa8823350
#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xa8823580
==EOF==
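Added here as an illustration, not part of the thread or of RootRepeal's own tooling: a small Python triage script that parses a report in the layout posted above and flags the two things a helper reads for first, a loaded driver with no file visible on disk that is not a known memory-only driver, and an SSDT hook whose owning module is unnamed or is not an expected security product. The sample report, the allow-lists and the driver name examplehidden.sys are constructed assumptions; on a real report the output is a list of entries to investigate, not a verdict.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in RootRepeal's report layout. Assumption: this is not a
# real scan; it mirrors the sections seen in the thread plus one invented
# driver (examplehidden.sys) so that the "no file on disk" rule has something
# to fire on.
SAMPLE_REPORT = r"""
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/02/16 09:43
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA8352000 Size: 98304 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA61B3000 Size: 49152 File Visible: No Signed: -
Status: -

Name: examplehidden.sys
Image Path: C:\WINDOWS\system32\drivers\examplehidden.sys
Address: 0xA7000000 Size: 65536 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 031 Function Name: NtConnectPort
Status: Hooked by "" at address 0x8aea8290

#: 041 Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xba11887e

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xa8823350

==EOF==
"""

# One "Drivers" entry: four consecutive lines, blank lines between entries optional.
DRIVER_RE = re.compile(
    r"Name: (?P<name>\S+)[ \t]*\n"
    r"Image Path: (?P<path>[^\n]*?)[ \t]*\n"
    r"Address: (?P<addr>0x[0-9A-Fa-f]+)[ \t]+Size: (?P<size>\d+)[ \t]+"
    r"File Visible: (?P<visible>\w+)[ \t]+Signed: (?P<signed>\S+)"
)

# One "SSDT" entry: the service index/function line followed by its Status line.
# The module name may be empty, which is exactly the case worth catching.
SSDT_RE = re.compile(
    r"#: (?P<index>\d+) Function Name: (?P<func>\w+)[ \t]*\n"
    r'Status: Hooked by "(?P<module>[^"\n]*)" at address (?P<addr>0x[0-9A-Fa-f]+)'
)

# Assumption (tune per machine): crash-dump mirror drivers and the scanner's
# own driver are memory-only by design, so "File Visible: No" is normal for them.
EXPECTED_MEMORY_ONLY = {"dump_atapi.sys", "dump_wmilib.sys", "rootrepeal.sys"}

# Assumption (tune per machine): security products installed on the box that
# legitimately hook the SSDT (Symantec's SYMEVENT.SYS, Lavasoft's Lbd.sys).
EXPECTED_HOOKERS = {"symevent.sys", "lbd.sys"}


@dataclass(frozen=True)
class Finding:
    kind: str      # which rule fired
    subject: str   # driver name or hooked system call
    address: str   # kernel address reported by RootRepeal
    detail: str    # module/path the report attributed it to


def _basename(path: str) -> str:
    """Last path component, lower-cased, for either slash style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def triage(report: str) -> list[Finding]:
    """Return the report entries a reviewer should look at first."""
    findings: list[Finding] = []
    for m in DRIVER_RE.finditer(report):
        if m["visible"].lower() == "no" and m["name"].lower() not in EXPECTED_MEMORY_ONLY:
            findings.append(Finding("driver without visible file", m["name"], m["addr"], m["path"]))
    for m in SSDT_RE.finditer(report):
        module = m["module"]
        if module == "":
            findings.append(Finding("unattributed SSDT hook", m["func"], m["addr"], "(no module name)"))
        elif _basename(module) not in EXPECTED_HOOKERS:
            findings.append(Finding("unexpected SSDT hook", m["func"], m["addr"], module))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"{f.kind}: {f.subject} at {f.address} ({f.detail})")
```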
Dr Jay (Head Admin)
Please run a free online scan with the ESET Online Scanner
- Tick the box next to YES, I accept the Terms of Use
- Click Start
- When asked, allow the ActiveX control to install
- Click Start
- Make sure that the options Remove found threats and the option Scan unwanted applications is checked
- Click Scan (This scan can take several hours, so please be patient)
- Once the scan is completed, you may close the window
- Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
- Copy and paste that log as a reply to this topic
entityxero (Novice)
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# IEXPLORE.EXE=7.00.6000.16762 (vista_gdr.081013-1507)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=777c9632b097da439fd0f7308e47899b
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-02-17 09:16:12
# local_time=2010-02-17 04:16:12 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1024 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=527374
# found=3
# cleaned=3
# scan_time=14859
C:\Qoobox\Quarantine\C\WINDOWS\system32\gNoWvyay.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\gNoWvyay.ini2.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\gNoWvyay.ini Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
entityxero (Novice)
Thanks for your help so far, BTW. My anti-virus has been going off about once a day with this bug; however, when I ran that scan, it went off about 10 times... what causes that?
Dr Jay (Head Admin)
Please download the GMER Rootkit Scanner. Unzip it to your Desktop.
Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
Double-click gmer.exe. The program will begin to run.
**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised!
If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
- Click NO
- In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
- Now click the Scan button.
- Once the scan is complete, you may receive another notice about rootkit activity. Click OK.
- GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
- Save it where you can easily find it, such as your desktop.
Post the contents of GMER.txt in your next reply.
Dr Jay (Head Admin)
Still with us? If so, please tell me how your computer is running.