WiredWX Hobby Weather Tools

I think that i've got the Sasser worm and Essledev trojan, plus others. HELP!!!

2 posters

Re: I think that i've got the Sasser worm and Essledev trojan, plus others. HELP!!!
Download this << file >> & extract TDSSKiller.exe onto your Desktop

Then create this batch file to be placed next to TDSSKiller

=====

Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:

Code:

@ECHO OFF
REM Run TDSSKiller with a verbose log written to Logit.txt and wait for it to finish
START /WAIT TDSSKILLER.exe -l Logit.txt -v
REM Open the log in the default text viewer
START Logit.txt
REM Delete this batch file once it has done its job
del %0

Save this as fix.bat. Choose "Save type as - All Files".
It should look like this: [image: fix.bat file icon]
Double click on fix.bat & allow it to run

Post back to tell me what it says

Re: I think that i've got the Sasser worm and Essledev trojan, plus others. HELP!!!
10:25:06:796 1352 TDSS rootkit removing tool 2.2.4 Feb 15 2010 19:38:31
10:25:06:796 1352 ================================================================================
10:25:06:796 1352 SystemInfo:

10:25:06:796 1352 OS Version: 5.1.2600 ServicePack: 3.0
10:25:06:796 1352 Product type: Workstation
10:25:06:796 1352 ComputerName: YOSHILAPTOP
10:25:06:796 1352 UserName: Administrator
10:25:06:796 1352 Windows directory: C:\WINDOWS
10:25:06:796 1352 Processor architecture: Intel x86
10:25:06:796 1352 Number of processors: 1
10:25:06:796 1352 Page size: 0x1000
10:25:06:796 1352 Boot type: Safe boot with network
10:25:06:796 1352 ================================================================================
10:25:06:796 1352 UnloadDriverW: NtUnloadDriver error 2
10:25:06:796 1352 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
10:25:06:796 1352 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
10:25:06:796 1352 UtilityInit: KLMD drop and load success
10:25:06:796 1352 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201010)
10:25:06:796 1352 KLMD_OpenDevice: CreateFileW(KLMD201010) error 2
10:25:06:796 1352 Driver load error!
10:25:06:796 1352 UnloadDriverW: NtUnloadDriver error 2
10:25:06:796 1352 KLMD_Unload: UnloadDriverW(klmd21) error 2
10:25:06:796 1352 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
10:25:06:796 1352 UtilityDeinit: KLMD(ARK) unloaded successfully

Re: I think that i've got the Sasser worm and Essledev trojan, plus others. HELP!!!
Please try to run it again. It appears to not have functioned properly.

Re: I think that i've got the Sasser worm and Essledev trojan, plus others. HELP!!!
In safe or normal mode?

Re: I think that i've got the Sasser worm and Essledev trojan, plus others. HELP!!!
Either one.

Re: I think that i've got the Sasser worm and Essledev trojan, plus others. HELP!!!
21:53:39:187 1584 TDSS rootkit removing tool 2.2.4 Feb 15 2010 19:38:31
21:53:39:187 1584 ================================================================================
21:53:39:187 1584 SystemInfo:

21:53:39:187 1584 OS Version: 5.1.2600 ServicePack: 3.0
21:53:39:187 1584 Product type: Workstation
21:53:39:187 1584 ComputerName: YOSHILAPTOP
21:53:39:187 1584 UserName: Henry
21:53:39:187 1584 Windows directory: C:\WINDOWS
21:53:39:187 1584 Processor architecture: Intel x86
21:53:39:187 1584 Number of processors: 1
21:53:39:187 1584 Page size: 0x1000
21:53:39:187 1584 Boot type: Normal boot
21:53:39:187 1584 ================================================================================
21:53:39:203 1584 UnloadDriverW: NtUnloadDriver error 1
21:53:39:203 1584 ForceUnloadDriverW: UnloadDriverW(klmd21) error 1
21:53:39:203 1584 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
21:53:39:203 1584 LoadDriverW: Driver already loaded
21:53:39:203 1584 KLMD_DropNLoadW: LoadDriverW(klmd21) error 1056
21:53:39:203 1584 UtilityInit: KLMD drop and load failed, trying to open device
21:53:39:203 1584 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201010)
21:53:39:203 1584 UtilityInit: KLMD open success
21:53:39:203 1584 UtilityInit: Initialize success
21:53:39:203 1584
21:53:39:203 1584 Scanning Services ...
21:53:39:203 1584 CreateRegParser: Registry parser init started
21:53:39:203 1584 DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127
21:53:39:203 1584 CreateRegParser: DisableWow64Redirection error
21:53:39:203 1584 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
21:53:39:203 1584 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043
21:53:39:203 1584 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
21:53:39:203 1584 wfopen_ex: Trying to KLMD file open
21:53:39:203 1584 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system
21:53:39:203 1584 wfopen_ex: File opened ok (Flags 2)
21:53:39:203 1584 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: 2749F0
21:53:39:203 1584 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
21:53:39:203 1584 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043
21:53:39:203 1584 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
21:53:39:203 1584 wfopen_ex: Trying to KLMD file open
21:53:39:203 1584 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software
21:53:39:203 1584 wfopen_ex: File opened ok (Flags 2)
21:53:39:203 1584 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: 274A98
21:53:39:203 1584 EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127
21:53:39:203 1584 CreateRegParser: EnableWow64Redirection error
21:53:39:203 1584 CreateRegParser: RegParser init completed
21:53:39:640 1584 GetAdvancedServicesInfo: Raw services enum returned 388 services
21:53:39:640 1584 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
21:53:39:640 1584 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
21:53:39:640 1584
21:53:39:640 1584 Scanning Kernel memory ...
21:53:39:640 1584 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
21:53:39:640 1584 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 89B51910
21:53:39:640 1584 DetectCureTDL3: KLMD_GetDeviceObjectList returned 5 DevObjects
21:53:39:640 1584
21:53:39:640 1584 DetectCureTDL3: DEVICE_OBJECT: 8999A2D0
21:53:39:640 1584 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8999A2D0
21:53:39:640 1584 KLMD_ReadMem: Trying to ReadMemory 0x8999A2D0[0x38]
21:53:39:640 1584 DetectCureTDL3: DRIVER_OBJECT: 89B51910
21:53:39:640 1584 KLMD_ReadMem: Trying to ReadMemory 0x89B51910[0xA8]
21:53:39:640 1584 KLMD_ReadMem: Trying to ReadMemory 0xE1017860[0x18]
21:53:39:640 1584 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
21:53:39:640 1584 DetectCureTDL3: IRP_MJ_CREATE : BA90EBB0
21:53:39:640 1584 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804FA87E
21:53:39:640 1584 DetectCureTDL3: IRP_MJ_CLOSE : BA90EBB0
21:53:39:640 1584 DetectCureTDL3: IRP_MJ_READ : BA908D1F
21:53:39:640 1584 DetectCureTDL3: IRP_MJ_WRITE : BA908D1F
21:53:39:640 1584 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804FA87E
21:53:39:640 1584 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804FA87E
21:53:39:640 1584 DetectCureTDL3: IRP_MJ_QUERY_EA : 804FA87E
21:53:39:640 1584 DetectCureTDL3: IRP_MJ_SET_EA : 804FA87E
21:53:39:640 1584 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : BA9092E2
21:53:39:640 1584 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA87E
21:53:39:640 1584 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804FA87E
21:53:39:640 1584 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804FA87E
21:53:39:640 1584 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804FA87E
21:53:39:640 1584 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : BA9093BB
21:53:39:640 1584 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : BA90CF28
21:53:39:640 1584 DetectCureTDL3: IRP_MJ_SHUTDOWN : BA9092E2
21:53:39:640 1584 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804FA87E
21:53:39:640 1584 DetectCureTDL3: IRP_MJ_CLEANUP : 804FA87E
21:53:39:640 1584 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804FA87E
21:53:39:640 1584 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804FA87E
21:53:39:640 1584 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804FA87E
21:53:39:640 1584 DetectCureTDL3: IRP_MJ_POWER : BA90AC82
21:53:39:640 1584 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : BA90F99E
21:53:39:640 1584 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804FA87E
21:53:39:640 1584 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804FA87E
21:53:39:640 1584 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804FA87E
21:53:39:640 1584 TDL3_FileDetect: Processing driver: Disk
21:53:39:640 1584 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
21:53:39:640 1584 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
21:53:39:640 1584 TDL3_FileDetect: Processing driver: Disk
21:53:39:640 1584 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
21:53:39:640 1584 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
21:53:39:656 1584 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
21:53:39:656 1584
21:53:39:656 1584 DetectCureTDL3: DEVICE_OBJECT: 89975948
21:53:39:656 1584 KLMD_GetLowerDeviceObject: Trying to get lower device object for 89975948
21:53:39:656 1584 DetectCureTDL3: DEVICE_OBJECT: 89961ED0
21:53:39:656 1584 KLMD_GetLowerDeviceObject: Trying to get lower device object for 89961ED0
21:53:39:656 1584 DetectCureTDL3: DEVICE_OBJECT: 899BEEA0
21:53:39:656 1584 KLMD_GetLowerDeviceObject: Trying to get lower device object for 899BEEA0
21:53:39:656 1584 KLMD_ReadMem: Trying to ReadMemory 0x899BEEA0[0x38]
21:53:39:656 1584 DetectCureTDL3: DRIVER_OBJECT: 89945DA0
21:53:39:656 1584 KLMD_ReadMem: Trying to ReadMemory 0x89945DA0[0xA8]
21:53:39:656 1584 KLMD_ReadMem: Trying to ReadMemory 0xE1AA6828[0x1E]
21:53:39:656 1584 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR
21:53:39:656 1584 DetectCureTDL3: IRP_MJ_CREATE : B7547218
21:53:39:656 1584 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804FA87E
21:53:39:656 1584 DetectCureTDL3: IRP_MJ_CLOSE : B7547218
21:53:39:656 1584 DetectCureTDL3: IRP_MJ_READ : B754723C
21:53:39:656 1584 DetectCureTDL3: IRP_MJ_WRITE : B754723C
21:53:39:656 1584 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804FA87E
21:53:39:656 1584 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804FA87E
21:53:39:656 1584 DetectCureTDL3: IRP_MJ_QUERY_EA : 804FA87E
21:53:39:656 1584 DetectCureTDL3: IRP_MJ_SET_EA : 804FA87E
21:53:39:656 1584 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : 804FA87E
21:53:39:656 1584 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA87E
21:53:39:656 1584 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804FA87E
21:53:39:656 1584 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804FA87E
21:53:39:656 1584 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804FA87E
21:53:39:656 1584 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : B7547180
21:53:39:656 1584 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : B75429E6
21:53:39:656 1584 DetectCureTDL3: IRP_MJ_SHUTDOWN : 804FA87E
21:53:39:656 1584 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804FA87E
21:53:39:656 1584 DetectCureTDL3: IRP_MJ_CLEANUP : 804FA87E
21:53:39:656 1584 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804FA87E
21:53:39:656 1584 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804FA87E
21:53:39:656 1584 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804FA87E
21:53:39:656 1584 DetectCureTDL3: IRP_MJ_POWER : B75465F0
21:53:39:656 1584 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : B7544A6E
21:53:39:656 1584 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804FA87E
21:53:39:656 1584 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804FA87E
21:53:39:656 1584 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804FA87E
21:53:39:656 1584 TDL3_FileDetect: Processing driver: USBSTOR
21:53:39:656 1584 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
21:53:39:656 1584 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
21:53:39:671 1584 KLMD_ReadMem: Trying to ReadMemory 0xB7543F26[0x400]
21:53:39:671 1584 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
21:53:39:671 1584 TDL3_FileDetect: Processing driver: USBSTOR
21:53:39:671 1584 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
21:53:39:671 1584 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
21:53:39:671 1584 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
21:53:39:671 1584
21:53:39:671 1584 DetectCureTDL3: DEVICE_OBJECT: 89B83C68
21:53:39:671 1584 KLMD_GetLowerDeviceObject: Trying to get lower device object for 89B83C68
21:53:39:671 1584 KLMD_ReadMem: Trying to ReadMemory 0x89B83C68[0x38]
21:53:39:671 1584 DetectCureTDL3: DRIVER_OBJECT: 89B51910
21:53:39:671 1584 KLMD_ReadMem: Trying to ReadMemory 0x89B51910[0xA8]
21:53:39:671 1584 KLMD_ReadMem: Trying to ReadMemory 0xE1017860[0x18]
21:53:39:671 1584 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_CREATE : BA90EBB0
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804FA87E
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_CLOSE : BA90EBB0
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_READ : BA908D1F
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_WRITE : BA908D1F
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804FA87E
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804FA87E
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_QUERY_EA : 804FA87E
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_SET_EA : 804FA87E
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : BA9092E2
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA87E
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804FA87E
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804FA87E
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804FA87E
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : BA9093BB
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : BA90CF28
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_SHUTDOWN : BA9092E2
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804FA87E
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_CLEANUP : 804FA87E
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804FA87E
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804FA87E
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804FA87E
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_POWER : BA90AC82
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : BA90F99E
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804FA87E
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804FA87E
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804FA87E
21:53:39:671 1584 TDL3_FileDetect: Processing driver: Disk
21:53:39:671 1584 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
21:53:39:671 1584 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
21:53:39:671 1584 TDL3_FileDetect: Processing driver: Disk
21:53:39:671 1584 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
21:53:39:671 1584 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
21:53:39:671 1584 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
21:53:39:671 1584
21:53:39:671 1584 DetectCureTDL3: DEVICE_OBJECT: 89B239F0
21:53:39:671 1584 KLMD_GetLowerDeviceObject: Trying to get lower device object for 89B239F0
21:53:39:671 1584 KLMD_ReadMem: Trying to ReadMemory 0x89B239F0[0x38]
21:53:39:671 1584 DetectCureTDL3: DRIVER_OBJECT: 89B51910
21:53:39:671 1584 KLMD_ReadMem: Trying to ReadMemory 0x89B51910[0xA8]
21:53:39:671 1584 KLMD_ReadMem: Trying to ReadMemory 0xE1017860[0x18]
21:53:39:671 1584 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_CREATE : BA90EBB0
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804FA87E
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_CLOSE : BA90EBB0
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_READ : BA908D1F
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_WRITE : BA908D1F
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804FA87E
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804FA87E
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_QUERY_EA : 804FA87E
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_SET_EA : 804FA87E
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : BA9092E2
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA87E
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804FA87E
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804FA87E
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804FA87E
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : BA9093BB
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : BA90CF28
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_SHUTDOWN : BA9092E2
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804FA87E
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_CLEANUP : 804FA87E
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804FA87E
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804FA87E
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804FA87E
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_POWER : BA90AC82
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : BA90F99E
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804FA87E
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804FA87E
21:53:39:671 1584 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804FA87E
21:53:39:671 1584 TDL3_FileDetect: Processing driver: Disk
21:53:39:671 1584 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
21:53:39:671 1584 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
21:53:39:687 1584 TDL3_FileDetect: Processing driver: Disk
21:53:39:687 1584 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
21:53:39:687 1584 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
21:53:39:687 1584 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
21:53:39:687 1584
21:53:39:687 1584 DetectCureTDL3: DEVICE_OBJECT: 89B50AB8
21:53:39:687 1584 KLMD_GetLowerDeviceObject: Trying to get lower device object for 89B50AB8
21:53:39:687 1584 DetectCureTDL3: DEVICE_OBJECT: 89B87B00
21:53:39:687 1584 KLMD_GetLowerDeviceObject: Trying to get lower device object for 89B87B00
21:53:39:687 1584 KLMD_ReadMem: Trying to ReadMemory 0x89B87B00[0x38]
21:53:39:687 1584 DetectCureTDL3: DRIVER_OBJECT: 89AF8F38
21:53:39:687 1584 KLMD_ReadMem: Trying to ReadMemory 0x89AF8F38[0xA8]
21:53:39:687 1584 KLMD_ReadMem: Trying to ReadMemory 0x89B27030[0x38]
21:53:39:687 1584 KLMD_ReadMem: Trying to ReadMemory 0x89B574A8[0xA8]
21:53:39:687 1584 KLMD_ReadMem: Trying to ReadMemory 0xE19543F0[0x1A]
21:53:39:687 1584 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
21:53:39:687 1584 DetectCureTDL3: IRP_MJ_CREATE : 89B2B618
21:53:39:687 1584 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 89B2B618
21:53:39:687 1584 DetectCureTDL3: IRP_MJ_CLOSE : 89B2B618
21:53:39:687 1584 DetectCureTDL3: IRP_MJ_READ : 89B2B618
21:53:39:687 1584 DetectCureTDL3: IRP_MJ_WRITE : 89B2B618
21:53:39:687 1584 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 89B2B618
21:53:39:687 1584 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 89B2B618
21:53:39:687 1584 DetectCureTDL3: IRP_MJ_QUERY_EA : 89B2B618
21:53:39:687 1584 DetectCureTDL3: IRP_MJ_SET_EA : 89B2B618
21:53:39:687 1584 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : 89B2B618
21:53:39:687 1584 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 89B2B618
21:53:39:687 1584 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 89B2B618
21:53:39:687 1584 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 89B2B618
21:53:39:687 1584 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 89B2B618
21:53:39:687 1584 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : 89B2B618
21:53:39:687 1584 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : 89B2B618
21:53:39:687 1584 DetectCureTDL3: IRP_MJ_SHUTDOWN : 89B2B618
21:53:39:687 1584 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 89B2B618
21:53:39:687 1584 DetectCureTDL3: IRP_MJ_CLEANUP : 89B2B618
21:53:39:687 1584 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 89B2B618
21:53:39:687 1584 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 89B2B618
21:53:39:687 1584 DetectCureTDL3: IRP_MJ_SET_SECURITY : 89B2B618
21:53:39:687 1584 DetectCureTDL3: IRP_MJ_POWER : 89B2B618
21:53:39:687 1584 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : 89B2B618
21:53:39:687 1584 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 89B2B618
21:53:39:687 1584 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 89B2B618
21:53:39:687 1584 DetectCureTDL3: IRP_MJ_SET_QUOTA : 89B2B618
21:53:39:687 1584 TDL3_FileDetect: Processing driver: atapi
21:53:39:687 1584 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\tsk26.tmp
21:53:39:687 1584 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\tsk26.tmp
21:53:39:703 1584 DetectCureTDL3: All IRP handlers pointed to one addr: 89B2B618
21:53:39:703 1584 KLMD_ReadMem: Trying to ReadMemory 0x89B2B618[0x400]
21:53:39:703 1584 TDL3_IrpHookDetect: TDL3 is already cured
21:53:39:703 1584 KLMD_ReadMem: Trying to ReadMemory 0x89B2B4BF[0x400]
21:53:39:703 1584 TDL3_StartIoHookDetect: CheckParameters: 9, FFDF0308, 0
21:53:39:703 1584 TDL3_FileDetect: Processing driver: atapi
21:53:39:703 1584 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\tsk26.tmp
21:53:39:703 1584 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\tsk26.tmp
21:53:39:703 1584 TDL3_FileDetect: C:\WINDOWS\system32\drivers\tsk26.tmp - Verdict: Clean
21:53:39:703 1584
21:53:39:703 1584 Completed
21:53:39:703 1584
21:53:39:703 1584 Results:
21:53:39:703 1584 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
21:53:39:703 1584 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
21:53:39:703 1584 File objects infected / cured / cured on reboot: 0 / 0 / 0
21:53:39:703 1584
21:53:39:703 1584 UnloadDriverW: NtUnloadDriver error 1
21:53:39:703 1584 KLMD_Unload: UnloadDriverW(klmd21) error 1
21:53:39:703 1584 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
21:53:39:703 1584 UtilityDeinit: KLMD(ARK) unloaded successfully


I was able to get this running in normal mode.
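The log above carries two signals a responder would want to pull out without reading several hundred lines by hand: a driver object whose IRP_MJ_* dispatch entries all point at a single address (the "All IRP handlers pointed to one addr" line for atapi), and a driver whose backing file is not the expected .sys (atapi reported as C:\WINDOWS\system32\drivers\tsk26.tmp). The Python script below is an added example written for this page; it is not part of the thread and not TDSSKiller's own code. It parses a constructed excerpt in the same line format as the posted log (timestamp, PID, function name, message), groups the dispatch table, backing file and verdict per driver, and flags those two indicators together with the tool's own TDL3_IrpHookDetect notes. The regular expressions and the `.sys` expectation are assumptions made for this example.

```python
import re

# Constructed excerpt in the TDSSKiller 2.2.4 log format posted in this thread.
# Only the lines the triage needs are included; a real log is far longer.
SAMPLE_LOG = r"""
21:53:39:640 1584 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
21:53:39:640 1584 DetectCureTDL3: IRP_MJ_CREATE : BA90EBB0
21:53:39:640 1584 DetectCureTDL3: IRP_MJ_CLOSE : BA90EBB0
21:53:39:640 1584 DetectCureTDL3: IRP_MJ_READ : BA908D1F
21:53:39:640 1584 DetectCureTDL3: IRP_MJ_WRITE : BA908D1F
21:53:39:640 1584 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : BA9093BB
21:53:39:640 1584 TDL3_FileDetect: Processing driver: Disk
21:53:39:640 1584 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
21:53:39:656 1584 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
21:53:39:687 1584
21:53:39:687 1584 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
21:53:39:687 1584 DetectCureTDL3: IRP_MJ_CREATE : 89B2B618
21:53:39:687 1584 DetectCureTDL3: IRP_MJ_CLOSE : 89B2B618
21:53:39:687 1584 DetectCureTDL3: IRP_MJ_READ : 89B2B618
21:53:39:687 1584 DetectCureTDL3: IRP_MJ_WRITE : 89B2B618
21:53:39:687 1584 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : 89B2B618
21:53:39:687 1584 TDL3_FileDetect: Processing driver: atapi
21:53:39:687 1584 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\tsk26.tmp
21:53:39:703 1584 DetectCureTDL3: All IRP handlers pointed to one addr: 89B2B618
21:53:39:703 1584 TDL3_IrpHookDetect: TDL3 is already cured
21:53:39:703 1584 TDL3_FileDetect: C:\WINDOWS\system32\drivers\tsk26.tmp - Verdict: Clean
"""

# Line shape: "HH:MM:SS:mmm PID Function: message" (assumed from the posted log).
LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}:\d{3})\s+(\d+)\s+(\w+):\s*(.*)$")
NAME_RE = re.compile(r"DRIVER_OBJECT name: (\S+), Driver Name: (\S+)")
IRP_RE = re.compile(r"(IRP_MJ_[A-Z_]+) : ([0-9A-F]+)")
FILE_RE = re.compile(r"Processing driver file: (.+)$")
VERDICT_RE = re.compile(r"^(.+) - Verdict: (\w+)$")


def parse_tdsskiller_log(text):
    """Return {driver_name: {object, irp, file, verdict, notes}} from log text.

    Entries are attributed to the most recent DRIVER_OBJECT name line, which is
    how the tool orders its output in the posted log.
    """
    drivers = {}
    current = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # blank "timestamp PID" lines and free-form lines
        func, msg = m.group(3), m.group(4)
        if func == "DetectCureTDL3":
            nm = NAME_RE.search(msg)
            if nm:
                current = drivers.setdefault(nm.group(2), {
                    "object": nm.group(1), "irp": {}, "file": None,
                    "verdict": None, "notes": []})
                continue
            im = IRP_RE.search(msg)
            if im and current is not None:
                current["irp"][im.group(1)] = im.group(2)
        elif func == "TDL3_FileDetect" and current is not None:
            fm = FILE_RE.search(msg)
            if fm:
                current["file"] = fm.group(1)
                continue
            vm = VERDICT_RE.match(msg)
            if vm:
                current["verdict"] = vm.group(2)
        elif func == "TDL3_IrpHookDetect" and current is not None:
            current["notes"].append(msg)  # the tool's own hook-detection verdict
    return drivers


def triage(drivers):
    """Return {driver_name: [reason, ...]} for drivers worth a closer look."""
    findings = {}
    for name, d in drivers.items():
        reasons = []
        addrs = set(d["irp"].values())
        # A legitimate driver has distinct handlers; one address for every
        # IRP_MJ_* entry means the whole table has been redirected.
        if len(d["irp"]) >= 2 and len(addrs) == 1:
            reasons.append(f"all {len(d['irp'])} IRP handlers -> {next(iter(addrs))}")
        # Assumption for this example: a kernel driver should be backed by a .sys.
        if d["file"] and not d["file"].lower().endswith(".sys"):
            reasons.append(f"backing file is not a .sys: {d['file']}")
        reasons.extend(d["notes"])
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage(parse_tdsskiller_log(SAMPLE_LOG)).items():
        print(name)
        for r in reasons:
            print("  -", r)
```

Run it against a saved Logit.txt by passing the file's contents to `parse_tdsskiller_log`; the "Verdict: Clean" on tsk26.tmp is kept in the parsed record on purpose, because the file verdict and the dispatch-table finding are independent signals and a clean file verdict alone does not clear a driver whose handlers were all redirected.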

Re: I think that i've got the Sasser worm and Essledev trojan, plus others. HELP!!!
Please download Rooter and Save it to your desktop

  1. Double click it to start the tool.
  2. Click Scan.
  3. Eventually, a Notepad file containing the report will open, also found at C:\Rooter.txt. Post that log in your next reply.

Re: I think that i've got the Sasser worm and Essledev trojan, plus others. HELP!!!
Rooter.exe (v1.0.2) by Eric_71
.
SeDebugPrivilege granted successfully ...
.
Windows XP Home Edition (5.1.2600) Service Pack 3
[32_bits] - x86 Family 6 Model 13 Stepping 8, GenuineIntel
.
[wscsvc] (Security Center) RUNNING (state:4)
[SharedAccess] RUNNING (state:4)
Windows Firewall -> Enabled
.
Internet Explorer 8.0.6001.18702
.
C:\ [Fixed-NTFS] .. ( Total:55 Go - Free:2 Go )
D:\ [CD_Rom]
.
Scan : 09:59.57
Path : C:\Documents and Settings\Henry\Desktop\Rooter.exe
User : Henry ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
______ System (4)
______ \SystemRoot\System32\smss.exe (508)
______ \??\C:\WINDOWS\system32\csrss.exe (568)
______ \??\C:\WINDOWS\system32\winlogon.exe (604)
______ C:\WINDOWS\system32\services.exe (648)
______ C:\WINDOWS\system32\lsass.exe (660)
______ C:\WINDOWS\system32\Ati2evxx.exe (832)
______ C:\WINDOWS\system32\svchost.exe (848)
______ C:\WINDOWS\system32\svchost.exe (928)
______ C:\WINDOWS\System32\svchost.exe (968)
______ C:\WINDOWS\system32\svchost.exe (1004)
______ C:\WINDOWS\system32\svchost.exe (1256)
______ C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (1444)
______ C:\WINDOWS\system32\spoolsv.exe (1824)
______ C:\WINDOWS\system32\acs.exe (1868)
______ C:\WINDOWS\system32\svchost.exe (1924)
______ C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (912)
______ C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe (1084)
______ C:\WINDOWS\system32\CSHelper.exe (1164)
______ C:\WINDOWS\system32\DVDRAMSV.exe (1220)
______ C:\WINDOWS\system32\svchost.exe (1328)
______ C:\WINDOWS\System32\svchost.exe (1368)
______ C:\WINDOWS\System32\svchost.exe (1384)
______ C:\WINDOWS\system32\RioMSC.exe (1408)
______ C:\WINDOWS\system32\svchost.exe (1628)
______ c:\TOSHIBA\IVP\swupdate\swupdtmr.exe (1696)
______ C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe (1712)
______ C:\WINDOWS\system32\wuauclt.exe (276)
______ C:\WINDOWS\System32\alg.exe (1200)
______ C:\WINDOWS\system32\Ati2evxx.exe (1624)
______ C:\WINDOWS\system32\wscntfy.exe (2252)
______ C:\WINDOWS\Explorer.EXE (4032)
______ C:\WINDOWS\system32\wbem\wmiprvse.exe (2372)
______ C:\WINDOWS\system32\wbem\wmiprvse.exe (2412)
______ C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe (2784)
______ C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (2808)
______ C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (2848)
______ C:\WINDOWS\system32\rundll32.exe (3324)
______ C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe (2896)
______ C:\WINDOWS\system32\wuauclt.exe (2968)
______ C:\Program Files\Toshiba\Tvs\TvsTray.exe (2996)
______ C:\Program Files\ltmoh\Ltmoh.exe (3052)
______ C:\WINDOWS\System32\DLA\DLACTRLW.EXE (2020)
______ C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe (3228)
______ C:\toshiba\ivp\ism\pinger.exe (3252)
______ C:\Program Files\HP\HP Software Update\HPWuSchd2.exe (2628)
______ C:\toshiba\ivp\ism\ivpsvmgr.exe (3292)
______ C:\WINDOWS\system32\TPSBattM.exe (3348)
______ C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe (3380)
______ C:\WINDOWS\system32\ctfmon.exe (3432)
______ C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe (3440)
______ C:\Program Files\Messenger\msmsgs.exe (3512)
______ C:\Program Files\ParetoLogic\Anti-Spyware\Pareto_AS.exe (3520)
______ C:\Program Files\ParetoLogic\DriverCure\DriverCure.exe (3568)
______ C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (3972)
______ C:\Program Files\Yahoo!\Yahoo! Music Engine\ymetray.exe (4064)
______ C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe (4076)
______ C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe (1532)
______ C:\Documents and Settings\Henry\Desktop\Rooter.exe (3388)
______ C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe (3400)
______ C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe (3484)
______ C:\WINDOWS\system32\msiexec.exe (3648)
______ C:\Program Files\Common Files\ParetoLogic\UUS\Pareto_Update.exe (3952)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
\Device\Harddisk0\Partition1 --[ MBR ]-- (Start_Offset:32256 | Length:59748401664)
\Device\Harddisk0\Partition2 (Start_Offset:59748433920 | Length:263208960)
.
----------------------\\ Scheduled Tasks
.
C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
C:\WINDOWS\Tasks\desktop.ini
C:\WINDOWS\Tasks\DriverCure.job
C:\WINDOWS\Tasks\Pareto UNS.job
C:\WINDOWS\Tasks\ParetoLogic Anti-Spyware.job
C:\WINDOWS\Tasks\ParetoLogic Registration.job
C:\WINDOWS\Tasks\ParetoLogic Update Version2.job
C:\WINDOWS\Tasks\ParetoLogic Update.job
C:\WINDOWS\Tasks\SA.DAT
.
----------------------\\ Registry
.
.
----------------------\\ Files & Folders
.
----------------------\\ Scan completed at 10:00.23
.
C:\Rooter$\Rooter_1.txt - (20/02/2010 | 10:00.23)


Rooter log as requested.

Re: I think that i've got the Sasser worm and Essledev trojan, plus others. HELP!!!
How are the ParetoLogic products working for you?

Re: I think that i've got the Sasser worm and Essledev trojan, plus others. HELP!!!
It stinks!

Re: I think that i've got the Sasser worm and Essledev trojan, plus others. HELP!!!
Good, because their products are not recommended.

Care to remove them, and get something else?

Download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Re: I think that i've got the Sasser worm and Essledev trojan, plus others. HELP!!!
Results of screen317's Security Check version 0.99.1
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
avast! Antivirus
``````````````````````````````
Anti-malware/Other Utilities Check:

ParetoLogic Anti-Spyware
CCleaner (remove only)
Adobe Flash Player 10
Adobe Reader 9
``````````````````````````````
Process Check:
objlist.exe by Laurent

Alwil Software Avast4 aswUpdSv.exe
``````````````````````````````
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````

Re: I think that i've got the Sasser worm and Essledev trojan, plus others. HELP!!!
I did notice that Security Check tried to update avast, but that failed.

Re: I think that i've got the Sasser worm and Essledev trojan, plus others. HELP!!!
I asked about ParetoLogic:
Care to remove them, and get something else?

Re: I think that i've got the Sasser worm and Essledev trojan, plus others. HELP!!!
Sorry, yes. Absolutely.
