Windows 7 Forums


Windows 7: Virus Removal

07 Feb 2010   #41
jimbo45

Linux CENTOS 7 / various Windows OS'es and servers
 
 

Hi there

In these sorts of situations the BEST medicine is to WIPE the disk COMPLETELY and then do a 100% FRESH install.

If you've backed up critical data regularly, this shouldn't cause you any problem.

You should also have a spare image of your OS with only CLEAN apps installed, e.g. Office, Photoshop etc. etc.

If you have a CLEAN image then you'll save time by recovering from this image.

With really complex registry entries these days, I doubt whether ANY piece of AV software is 100% effective at virus removal if the computer has got infected in the first place.

If this happened to me I'd re-install a CLEAN version again without even thinking about it.

Another good reason for ALWAYS having a clean, reliable backup of both OS and user data.

The purpose, IMO, of AV software is to prevent infection in the FIRST PLACE. If you download something and a "nasty" in the downloaded file(s) is detected, that's OK, as you won't have installed anything. But if you do a scan and your computer finds something that is actively in your system, or anywhere in the "Windows" libraries, then stop using the computer IMMEDIATELY, wipe the disk with a stand-alone disk cleanser (usually a physical write of x'00' on every sector, INCLUDING THE MBR) and re-install the OS.

A basic re-format of a HDD doesn't erase previous data, BTW. You need to physically overwrite EVERY SECTOR on the HDD to ensure 100% removal.

I don't 100% trust "cleansing afterwards", no matter what the AV software says it can do.


BTW to JAV -- got a screen next to me with Chelsea vs Arsenal -- just before HT -- Chelsea 2 - 0 so far with fans singing "Who Let the Dogs out -- Woof Woof" as Drogba gets goal nr 2.


Two horse race now Man U and Chelsea.

Cheers

jimbo


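The claim in the post above that a re-format does not erase data, while a write of x'00' to every sector does, shown as an added example. This is illustrative code written for this thread, not anything from jimbo45's post or from a wiping tool. It simulates a small "disk" as an ordinary file so it runs safely anywhere; the sector size, image size and the marker string are assumptions chosen for the demo. On a real drive you would point a stand-alone wiper (or dd from a live Linux USB) at the raw block device, never at a file on the filesystem you are trying to destroy.

```python
"""Added example: why a quick format is not a wipe.

Illustrative code, not part of the forum post. A 1 MiB file stands in
for the disk. Sector size, image size and marker are assumptions.
"""
import os
import tempfile

SECTOR = 512                           # assumed sector size of the simulated disk
IMAGE_SECTORS = 2048                   # 1 MiB "disk" (assumption)
MARKER = b"CONFIDENTIAL-USER-DATA"     # constructed sample user data


def make_image(path: str) -> None:
    """Write a fake disk: a boot sector, a filesystem header, and user
    data scattered through the remaining sectors."""
    with open(path, "wb") as f:
        f.write(b"\x33\xc0" + b"\x90" * 508 + b"\x55\xaa")   # boot sector ending in 0x55AA
        f.write(b"FAKEFS-HEADER".ljust(SECTOR, b"\x00"))      # "filesystem" metadata
        for i in range(2, IMAGE_SECTORS):
            payload = MARKER if i % 97 == 0 else b"\x00"      # marker in every 97th sector
            f.write(payload.ljust(SECTOR, b"\x00"))


def quick_format(path: str) -> None:
    """Mimic a quick format: only the boot sector and the filesystem
    header are rewritten; every data sector is left untouched."""
    with open(path, "r+b") as f:
        f.seek(0)
        f.write(b"\x00" * SECTOR)                          # fresh, empty boot sector
        f.write(b"NEWFS-HEADER".ljust(SECTOR, b"\x00"))   # fresh filesystem header


def full_wipe(path: str) -> int:
    """Overwrite every sector, boot sector included, with 0x00.
    Returns the number of sectors written."""
    size = os.path.getsize(path)
    zero = b"\x00" * SECTOR
    written = 0
    with open(path, "r+b") as f:
        for _ in range(size // SECTOR):
            f.write(zero)
            written += 1
        f.flush()
        os.fsync(f.fileno())        # make sure the zeros reached the device, not just the cache
    return written


def recoverable_marker_count(path: str) -> int:
    """Count sectors that still carry the marker, the way a carving tool
    finds 'deleted' data after a quick format."""
    with open(path, "rb") as f:
        return f.read().count(MARKER)


def verify_zeroed(path: str) -> bool:
    """Read every sector back and confirm it is all 0x00. A wipe you have
    not read back is a wipe you are trusting, not verifying."""
    with open(path, "rb") as f:
        while True:
            chunk = f.read(SECTOR * 256)
            if not chunk:
                return True
            if chunk.count(0) != len(chunk):
                return False


def demo() -> dict:
    """Run the whole sequence on a temporary image and report what each
    stage left behind."""
    fd, path = tempfile.mkstemp(suffix=".img")
    os.close(fd)
    try:
        make_image(path)
        before = recoverable_marker_count(path)
        quick_format(path)
        after_quick = recoverable_marker_count(path)
        sectors = full_wipe(path)
        after_wipe = recoverable_marker_count(path)
        zeroed = verify_zeroed(path)
    finally:
        os.remove(path)
    return {"before": before, "after_quick_format": after_quick,
            "sectors_overwritten": sectors, "after_full_wipe": after_wipe,
            "read_back_all_zero": zeroed}


if __name__ == "__main__":
    print(demo())
```

The quick format leaves every marker in place because it only touches the boot sector and the filesystem header; the full overwrite removes them all, and the read-back pass is the check that turns "I ran the wiper" into "the disk is zero". One caveat the post does not cover: this zero-fill reasoning applies to spinning disks. On an SSD the controller remaps blocks, so a host-side overwrite is not guaranteed to reach every cell; there the drive's own secure-erase command is the right tool.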
07 Feb 2010   #42
mjwilson94

Window 7 Home Premium 64-Bit
 
 

It has also picked up svchost.exe, identified as malware.
I shall do what you said, Jacee, and copy the log on when I have it.
07 Feb 2010   #43
mjwilson94

Window 7 Home Premium 64-Bit
 
 

Here is the log file:

16:46:07:545 5792 TDSS rootkit removing tool 2.2.2 Jan 13 2010 08:42:25
16:46:07:545 5792 ================================================================================
16:46:07:546 5792 SystemInfo:

16:46:07:546 5792 OS Version: 6.1.7600 ServicePack: 0.0
16:46:07:546 5792 Product type: Workstation
16:46:07:546 5792 ComputerName: REMOVED-PC
16:46:07:607 5792 UserName: MarcusWilson
16:46:07:607 5792 Windows directory: C:\Windows
16:46:07:607 5792 Processor architecture: Intel x86
16:46:07:607 5792 Number of processors: 2
16:46:07:607 5792 Page size: 0x1000
16:46:07:610 5792 Boot type: Normal boot
16:46:07:610 5792 ================================================================================
16:46:07:812 5792 UnloadDriverW: NtUnloadDriver error 2
16:46:07:812 5792 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
16:46:07:849 5792 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\drivers\klmd.sys) returned status 00000000
16:47:50:051 5792 UtilityInit: KLMD drop and load success
16:47:50:052 5792 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201000)
16:47:50:052 5792 UtilityInit: KLMD open success
16:47:50:052 5792 UtilityInit: Initialize success
16:47:50:052 5792
16:47:50:053 5792 Scanning Services ...
16:47:50:053 5792 CreateRegParser: Registry parser init started
16:47:50:053 5792 CreateRegParser: DisableWow64Redirection error
16:47:50:053 5792 wfopen_ex: Trying to open file C:\Windows\system32\config\system
16:47:50:265 5792 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\config\system) returned status C0000043
16:47:50:265 5792 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
16:47:50:265 5792 wfopen_ex: Trying to KLMD file open
16:47:50:265 5792 KLMD_CreateFileW: Trying to open file C:\Windows\system32\config\system
16:47:50:265 5792 wfopen_ex: File opened ok (Flags 2)
16:47:50:309 5792 CreateRegParser: HIVE_ADAPTER(C:\Windows\system32\config\system) init success: 18A6D08
16:47:50:309 5792 wfopen_ex: Trying to open file C:\Windows\system32\config\software
16:47:50:430 5792 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\config\software) returned status C0000043
16:47:50:431 5792 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
16:47:50:431 5792 wfopen_ex: Trying to KLMD file open
16:47:50:431 5792 KLMD_CreateFileW: Trying to open file C:\Windows\system32\config\software
16:47:50:431 5792 wfopen_ex: File opened ok (Flags 2)
16:47:50:466 5792 CreateRegParser: HIVE_ADAPTER(C:\Windows\system32\config\software) init success: 18A6D30
16:47:50:482 5792 CreateRegParser: EnableWow64Redirection error
16:47:50:482 5792 CreateRegParser: RegParser init completed
16:47:51:519 5792 GetAdvancedServicesInfo: Raw services enum returned 499 services
16:47:51:526 5792 fclose_ex: Trying to close file C:\Windows\system32\config\system
16:47:51:586 5792 fclose_ex: Trying to close file C:\Windows\system32\config\software
16:47:51:604 5792
16:47:51:605 5792 Scanning Kernel memory ...
16:47:51:606 5792 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
16:47:51:606 5792 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 85743838
16:47:51:606 5792 DetectCureTDL3: KLMD_GetDeviceObjectList returned 1 DevObjects
16:47:51:606 5792
16:47:51:606 5792 DetectCureTDL3: DEVICE_OBJECT: 85744408
16:47:51:606 5792 KLMD_GetLowerDeviceObject: Trying to get lower device object for 85744408
16:47:51:606 5792 DetectCureTDL3: DEVICE_OBJECT: 8525B3E0
16:47:51:606 5792 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8525B3E0
16:47:51:606 5792 DetectCureTDL3: DEVICE_OBJECT: 8523D908
16:47:51:606 5792 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8523D908
16:47:51:606 5792 KLMD_ReadMem: Trying to ReadMemory 0x8523D908[0x38]
16:47:51:606 5792 DetectCureTDL3: DRIVER_OBJECT: 8596EF38
16:47:51:606 5792 KLMD_ReadMem: Trying to ReadMemory 0x8596EF38[0xA8]
16:47:51:606 5792 KLMD_ReadMem: Trying to ReadMemory 0x8523B028[0x38]
16:47:51:606 5792 KLMD_ReadMem: Trying to ReadMemory 0x852163E0[0xA8]
16:47:51:606 5792 KLMD_ReadMem: Trying to ReadMemory 0x85215A98[0x1A]
16:47:51:607 5792 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
16:47:51:607 5792 DetectCureTDL3: IrpHandler (0) addr: 85625856
16:47:51:607 5792 DetectCureTDL3: IrpHandler (1) addr: 85625856
16:47:51:607 5792 DetectCureTDL3: IrpHandler (2) addr: 85625856
16:47:51:607 5792 DetectCureTDL3: IrpHandler (3) addr: 85625856
16:47:51:607 5792 DetectCureTDL3: IrpHandler (4) addr: 85625856
16:47:51:607 5792 DetectCureTDL3: IrpHandler (5) addr: 85625856
16:47:51:607 5792 DetectCureTDL3: IrpHandler (6) addr: 85625856
16:47:51:607 5792 DetectCureTDL3: IrpHandler (7) addr: 85625856
16:47:51:607 5792 DetectCureTDL3: IrpHandler (8) addr: 85625856
16:47:51:607 5792 DetectCureTDL3: IrpHandler (9) addr: 85625856
16:47:51:607 5792 DetectCureTDL3: IrpHandler (10) addr: 85625856
16:47:51:607 5792 DetectCureTDL3: IrpHandler (11) addr: 85625856
16:47:51:607 5792 DetectCureTDL3: IrpHandler (12) addr: 85625856
16:47:51:607 5792 DetectCureTDL3: IrpHandler (13) addr: 85625856
16:47:51:607 5792 DetectCureTDL3: IrpHandler (14) addr: 85625856
16:47:51:607 5792 DetectCureTDL3: IrpHandler (15) addr: 85625856
16:47:51:607 5792 DetectCureTDL3: IrpHandler (16) addr: 85625856
16:47:51:607 5792 DetectCureTDL3: IrpHandler (17) addr: 85625856
16:47:51:607 5792 DetectCureTDL3: IrpHandler (18) addr: 85625856
16:47:51:607 5792 DetectCureTDL3: IrpHandler (19) addr: 85625856
16:47:51:607 5792 DetectCureTDL3: IrpHandler (20) addr: 85625856
16:47:51:608 5792 DetectCureTDL3: IrpHandler (21) addr: 85625856
16:47:51:608 5792 DetectCureTDL3: IrpHandler (22) addr: 85625856
16:47:51:608 5792 DetectCureTDL3: IrpHandler (23) addr: 85625856
16:47:51:608 5792 DetectCureTDL3: IrpHandler (24) addr: 85625856
16:47:51:608 5792 DetectCureTDL3: IrpHandler (25) addr: 85625856
16:47:51:608 5792 DetectCureTDL3: IrpHandler (26) addr: 85625856
16:47:51:608 5792 DetectCureTDL3: All IRP handlers pointed to one addr: 85625856
16:47:51:608 5792 KLMD_ReadMem: Trying to ReadMemory 0x85625856[0x400]
16:47:51:608 5792 TDL3_IrpHookDetect: CheckParameters: 4, FFDF0308, 333, 121, 3, 109
16:47:51:608 5792 Driver "atapi" Irp handler infected by TDSS rootkit ...
16:47:51:609 5792 KLMD_WriteMem: Trying to WriteMemory 0x856258CF[0xD]
16:47:51:609 5792 cured
16:47:51:609 5792 KLMD_ReadMem: Trying to ReadMemory 0x85625701[0x400]
16:47:51:609 5792 TDL3_StartIoHookDetect: CheckParameters: 9, FFDF0308, 1
16:47:51:610 5792 Driver "atapi" StartIo handler infected by TDSS rootkit ...
16:47:51:610 5792 TDL3_StartIoHookCure: Number of patches 1
16:47:51:610 5792 KLMD_WriteMem: Trying to WriteMemory 0x8562580A[0x6]
16:47:51:610 5792 cured
16:47:51:611 5792 TDL3_FileDetect: Processing driver: atapi
16:47:51:612 5792 TDL3_FileDetect: Processing driver file: C:\Windows\system32\DRIVERS\atapi.sys
16:47:51:612 5792 KLMD_CreateFileW: Trying to open file C:\Windows\system32\DRIVERS\atapi.sys
16:47:51:631 5792 TDL3_FileDetect: C:\Windows\system32\DRIVERS\atapi.sys - Verdict: Infected
16:47:51:631 5792 File C:\Windows\system32\DRIVERS\atapi.sys infected by TDSS rootkit ...
16:47:51:639 5792 TDL3_FileCure: Processing driver file: C:\Windows\system32\DRIVERS\atapi.sys
16:47:53:058 5792 FileCallback: Backup candidate found: C:\Windows\system32\DriverStore\FileRepository\mshdc.inf_x86_neutral_f64b9c35a3a5be81\atapi.sys:2158 4, checking..
16:47:53:147 5792 ValidateDriverFile: Stage 1 passed
16:47:53:163 5792 ValidateDriverFile: Stage 2 passed
16:47:54:152 5792 DigitalSignVerifyByHandle: Embedded DS result: 00000000
16:47:54:152 5792 ValidateDriverFile: Stage 3 passed
16:47:54:152 5792 FileCallback: File validated successfully, restore information prepared
16:47:56:503 5792 FindDriverFileBackup: Backup copy found in DriverStore
16:47:56:503 5792 TDL3_FileCure: Backup copy found, using it..
16:47:56:504 5792 TDL3_FileCure: Dumping cured buffer to file C:\Windows\system32\drivers\tskA96B.tmp
16:47:56:950 5792 TDL3_FileCure: New / Old Image paths: (system32\drivers\tskA96B.tmp, system32\drivers\atapi.sys)
16:47:56:950 5792 TDL3_FileCure: KLMD jobs schedule success
16:47:56:950 5792 will be cured on next reboot
16:47:56:952 5792 UtilityBootReinit: Reboot required for cure complete..
16:47:56:953 5792 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\drivers\klmdb.sys) returned status 00000000
16:47:58:155 5792 UtilityBootReinit: KLMD drop success
16:47:58:156 5792 KLMD_ApplyPendList: Pending buffer(463B_7475, 616) dropped successfully
16:47:58:156 5792 UtilityBootReinit: Cure on reboot scheduled successfully
16:47:58:156 5792
16:47:58:156 5792 Completed
16:47:58:157 5792
16:47:58:158 5792 Results:
16:47:58:158 5792 Memory objects infected / cured / cured on reboot: 2 / 2 / 0
16:47:58:159 5792 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
16:47:58:160 5792 File objects infected / cured / cured on reboot: 1 / 0 / 1
16:47:58:160 5792
16:47:58:161 5792 UnloadDriverW: NtUnloadDriver error 1
16:47:58:161 5792 KLMD_Unload: UnloadDriverW(klmd21) error 1
16:47:58:194 5792 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\drivers\klmd.sys) returned status 00000000
16:47:58:219 5792 UtilityDeinit: KLMD(ARK) unloaded successfully
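The log above carries three facts a responder needs: what was reported infected, that the tool's "All IRP handlers pointed to one addr" indicator fired for atapi, and that the file cure was deferred to the next reboot (File objects cured on reboot: 1). Here is an added example that pulls those out of the log format mechanically. It is illustrative code written for this thread, not part of Kaspersky's tool. SAMPLE_LOG is a trimmed excerpt of the posted log and deliberately keeps one line where the page's extraction glued two records together, which the splitter repairs.

```python
"""Added example: pulling the decision-relevant facts out of a TDSSKiller log.

Illustrative code, not Kaspersky's. Parses the record layout in the log
above (timestamp, PID, message). SAMPLE_LOG is a trimmed excerpt of it.
"""
import re
from collections import Counter

# Every record begins with HH:MM:SS:mmm and a PID. Splitting on that
# lookahead also repairs records that were glued onto one physical line.
_RECORD_START = re.compile(r"(?=\d{2}:\d{2}:\d{2}:\d{3} \d+ )")
_RECORD = re.compile(r"^(\d{2}:\d{2}:\d{2}:\d{3}) (\d+) ?(.*)$")
_RESULT = re.compile(
    r"(Memory|Registry|File) objects infected / cured / cured on reboot: "
    r"(\d+) / (\d+) / (\d+)")

SAMPLE_LOG = r"""16:46:07:545 5792 TDSS rootkit removing tool 2.2.2 Jan 13 2010 08:42:25
16:46:07:546 5792 OS Version: 6.1.7600 ServicePack: 0.0
16:47:51:607 5792 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
16:47:51:607 5792 DetectCureTDL3: IrpHandler (0) addr: 85625856
16:47:51:607 5792 DetectCureTDL3: IrpHandler (1) addr: 85625856
16:47:51:607 5792 DetectCureTDL3: IrpHandler (2) addr: 85625856
16:47:51:608 5792 DetectCureTDL3: All IRP handlers pointed to one addr: 85625856
16:47:51:608 5792 Driver "atapi" Irp handler infected by TDSS rootkit ... 16:47:51:609 5792 KLMD_WriteMem: Trying to WriteMemory 0x856258CF[0xD]
16:47:51:609 5792 cured
16:47:51:610 5792 Driver "atapi" StartIo handler infected by TDSS rootkit ... 16:47:51:610 5792 TDL3_StartIoHookCure: Number of patches 1
16:47:51:610 5792 cured
16:47:51:631 5792 File C:\Windows\system32\DRIVERS\atapi.sys infected by TDSS rootkit ... 16:47:51:639 5792 TDL3_FileCure: Processing driver file: C:\Windows\system32\DRIVERS\atapi.sys
16:47:56:950 5792 will be cured on next reboot
16:47:56:952 5792 UtilityBootReinit: Reboot required for cure complete..
16:47:58:158 5792 Memory objects infected / cured / cured on reboot: 2 / 2 / 0
16:47:58:159 5792 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
16:47:58:160 5792 File objects infected / cured / cured on reboot: 1 / 0 / 1
"""


def split_records(text):
    """Yield (timestamp, pid, message) for every record, even when two
    records share one physical line."""
    for line in text.splitlines():
        for piece in _RECORD_START.split(line):
            m = _RECORD.match(piece.strip())
            if m:
                message = re.sub(r"\s*\.{2,}$", "", m.group(3))   # drop trailing "..."
                yield m.group(1), int(m.group(2)), message


def irp_handler_addresses(records):
    """Count the dispatch address logged for each IrpHandler (n) entry.
    All entries resolving to one address is what the tool reports as
    'All IRP handlers pointed to one addr'. On its own it is only an
    indicator; the posted log shows the tool then reading 0x400 bytes at
    that address and running TDL3_IrpHookDetect before calling it infected."""
    addrs = Counter()
    for _, _, msg in records:
        m = re.search(r"IrpHandler \(\d+\) addr: ([0-9A-Fa-f]+)", msg)
        if m:
            addrs[m.group(1)] += 1
    return addrs


def summarize(text):
    """Return the version banner, every object reported infected, the
    single IRP address (if all handlers agreed), the per-category result
    counters, and whether part of the cure is still waiting on a reboot."""
    records = list(split_records(text))
    messages = [msg for _, _, msg in records]

    version = next((m for m in messages if m.startswith("TDSS rootkit removing tool")), None)
    infected = [m.split(" infected by TDSS rootkit")[0]
                for m in messages if " infected by TDSS rootkit" in m]

    irp = irp_handler_addresses(records)
    single_irp_address = next(iter(irp)) if len(irp) == 1 else None

    results = {}
    for m in messages:
        r = _RESULT.match(m)
        if r:
            results[r.group(1).lower()] = tuple(int(x) for x in r.groups()[1:])

    # Anything counted under "cured on reboot" is not fixed yet: the clean
    # file is only swapped in during the next boot.
    pending = sum(v[2] for v in results.values())
    reboot_required = pending > 0 or any("Reboot required" in m for m in messages)

    return {"version": version, "infected": infected,
            "single_irp_address": single_irp_address, "results": results,
            "pending_on_reboot": pending, "reboot_required": reboot_required}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the posted log it reports three infected objects (the atapi Irp handler, the atapi StartIo handler and atapi.sys on disk), a single IRP address of 85625856, and reboot_required True with one file still pending. That last flag is the one to act on: until the machine has been rebooted and a second run shows 0 pending, the in-memory patches are the only part of the cure that has actually happened.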

07 Feb 2010   #44
Jacee
Microsoft MVP

Windows 7 Ultimate 32bit SP1
 
 

Run the free scan by Kaspersky:
Kaspersky Online Scanner 7.0

1. Click the "Accept" button to accept the user agreement, install the ActiveX control, and download the program.
2. When you get the Windows dialog asking if you want to install this software, click the "Install" button.
3. When the "Update progress" line changes to "Ready" and the "NEXT ->" button lights up with a green arrow, click it.
4. Click on the "Scan Settings" button, and in the next window select the "extended" database, and click OK.
5. Under "Please select a target to scan:", click My Computer to start the scan.
6. When the scan is finished, click the "Save as .txt" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window, and post the text in kavscan.txt in your next reply.

Please restart your system, and post the log from Kaspersky's on-line virus scan.
07 Feb 2010   #45
jav

Windows 7 Ultimate x86 SP1
 
 

Jacee, sorry for interrupting you.
Quick question: mjwilson94, what were the results of Hitman Pro?

Second question, to Jacee: shouldn't he first reboot after TDSS killer?
Quote:
16:47:56:950 5792 will be cured on next reboot
16:47:56:952 5792 UtilityBootReinit: Reboot required for cure complete
....
16:47:58:156 5792 UtilityBootReinit: Cure on reboot scheduled successfully
07 Feb 2010   #46
mjwilson94

Window 7 Home Premium 64-Bit
 
 

Hitman Pro found 3 things, but for one it wasn't sure if it was a virus or not. I did what it told me to do anyway. And don't worry, I have rebooted after the TDSS killer.
07 Feb 2010   #47
jav

Windows 7 Ultimate x86 SP1
 
 

Quote: Originally Posted by mjwilson94
Hitman Pro found 3 things, but for one it wasn't sure if it was a virus or not. I did what it told me to do anyway. And don't worry, I have rebooted after the TDSS killer.
OK, now I can freely leave you in the safe and professional hands of Jacee.
Good luck, both of you.
07 Feb 2010   #48
mjwilson94

Window 7 Home Premium 64-Bit
 
 

Thanks a lot, Jav, you never fail to help me out. REP
07 Feb 2010   #49
Jacee
Microsoft MVP

Windows 7 Ultimate 32bit SP1
 
 

To be perfectly honest with everyone, I don't like to mess with Rootkits. I agree with jimbo45. You can never be sure that the system is ever stable again, after cleaning up a rootkit.

I do, in fact, suggest a wipe and clean install. This is, of course, totally up to the owner of the infected machine.
07 Feb 2010   #50
mjwilson94

Window 7 Home Premium 64-Bit
 
 

OK, right, I see where you're coming from. How would I go about doing this, bearing in mind I have lots of important work on here and a lot of programs that would take ages to install all over again?
Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd
