Virus Removal

Hi there

In these sorts of situations the BEST medicine is to WIPE the disk COMPLETELY and then do a 100% FRESH install.

If you've backed up critical data regularly this shouldn't cause you any problem.

You should also have a spare image of your OS with only CLEAN apps installed, e.g. Office, Photoshop etc. etc.

If you have a CLEAN image then you'll save time by recovering from this image.

With really complex registry entries these days I doubt whether ANY piece of AV software is 100% effective in virus removal if the computer has got infected in the first place.

If this happened to me I'd re-install a CLEAN version again without even thinking about it.

Another good reason for ALWAYS having a clean, reliable backup of both OS and User Data.

The purpose IMO of AV software is to prevent infection in the FIRST PLACE. If you download something and a "nasty" in the download file(s) is detected, that's OK as you won't have installed anything. But if you do a scan and your computer finds something is actively in your system or anywhere in the "Windows" libraries, then stop using the computer IMMEDIATELY, wipe the disk with a stand-alone disk cleanser (usually a physical write of x'00' on every sector, INCLUDING THE MBR) and re-install the OS.

A basic re-format of a HDD doesn't erase previous data BTW. You need to physically overwrite EVERY SECTOR on the HDD to ensure 100% removal.

I don't 100% trust "Cleansing afterwards" no matter what the AV software says it can do.


BTW to JAV -- got a screen next to me with Chelsea vs Arsenal -- just before HT -- Chelsea 2 - 0 so far with fans singing "Who Let the Dogs out -- Woof Woof" as Drogba gets goal nr 2.


Two-horse race now: Man U and Chelsea.

Cheers

jimbo
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Custom built, several laptops HP/ASUS
OS
Linux CENTOS 7 / various Windows OS'es and servers
CPU
Intel i7 Intel i5
Memory
8GB, 16GB
Graphics Card(s)
On Motherboard
Sound Card
Realtek HD audio
Monitor(s) Displays
Apple Cinema display, Samsung LCD
Screen Resolution
1920 X 1080
Hard Drives
4 X 1TB SATA
Mouse
Toshiba wireless laser
Internet Speed
> 20MB up
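As an added illustration of the reformatting point in jimbo's post (this is not code from the thread or from any tool named in it): a small Python simulation on a constructed 4 MiB image file, never a real device. It shows that rewriting only the start of the disk, as a quick format does, leaves a document recoverable from the raw sectors, while a zero fill of every sector including sector 0 (the MBR) does not, and includes the verification pass a practitioner would run after a wipe. The function names and markers are mine.

```python
import os
import tempfile
SECTOR = 512
CHUNK = 1 << 20  # stream 1 MiB at a time so a device-sized image is never read whole

def make_demo_image(path: str, size: int = 4 << 20) -> None:
    """Constructed image: fake MBR marker in sector 0, a 'document' at sector 2048, zeros elsewhere."""
    with open(path, "wb") as f:
        f.truncate(size)
        f.write(b"FAKE-MBR")
        f.seek(2048 * SECTOR)
        f.write(b"SECRET-DOCUMENT")

def quick_format(path: str, sectors: int = 64) -> None:  # only the metadata region at the start is rewritten
    with open(path, "r+b") as f:
        f.write(bytes(sectors * SECTOR))

def full_wipe(path: str) -> None:  # x'00' over every sector, sector 0 (the MBR) included
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for off in range(0, size, CHUNK):
            f.write(bytes(min(CHUNK, size - off)))

def data_survives(path: str, marker: bytes = b"SECRET-DOCUMENT") -> bool:
    """Raw-sector carve: True while the old document can still be found on the disk."""
    tail = b""
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            if marker in tail + chunk:
                return True
            tail = chunk[-(len(marker) - 1):]  # catch a marker split across two chunks
    return False

def first_nonzero_sector(path: str):
    """Post-wipe check: sector number of the first non-zero byte, or None if every sector is zero."""
    off = 0
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            stripped = chunk.lstrip(b"\x00")
            if stripped:
                return (off + len(chunk) - len(stripped)) // SECTOR
            off += len(chunk)
    return None

def run_demo() -> dict:
    """Quick format vs full overwrite, observed through the two checks above."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "disk.img")
        make_demo_image(img)
        out = {"fresh": first_nonzero_sector(img)}
        quick_format(img)
        out["after_quick_format"] = (data_survives(img), first_nonzero_sector(img))
        full_wipe(img)
        out["after_full_wipe"] = (data_survives(img), first_nonzero_sector(img))
    return out
```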
It has also picked up svchost.exe identified as Malware.
I shall do what you said Jacee and copy the log on when I have it.
 

My Computer

Computer Manufacturer/Model Number
Acer Aspire 5745P
OS
Window 7 Home Premium 64-Bit
CPU
Intel Core i3
Memory
3GB
Hard Drives
WD Scorpio Blue 300Gb
Here is the log file:

16:46:07:545 5792 TDSS rootkit removing tool 2.2.2 Jan 13 2010 08:42:25
16:46:07:545 5792 ================================================================================
16:46:07:546 5792 SystemInfo:

16:46:07:546 5792 OS Version: 6.1.7600 ServicePack: 0.0
16:46:07:546 5792 Product type: Workstation
16:46:07:546 5792 ComputerName: REMOVED-PC
16:46:07:607 5792 UserName: MarcusWilson
16:46:07:607 5792 Windows directory: C:\Windows
16:46:07:607 5792 Processor architecture: Intel x86
16:46:07:607 5792 Number of processors: 2
16:46:07:607 5792 Page size: 0x1000
16:46:07:610 5792 Boot type: Normal boot
16:46:07:610 5792 ================================================================================
16:46:07:812 5792 UnloadDriverW: NtUnloadDriver error 2
16:46:07:812 5792 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
16:46:07:849 5792 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\drivers\klmd.sys) returned status 00000000
16:47:50:051 5792 UtilityInit: KLMD drop and load success
16:47:50:052 5792 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201000)
16:47:50:052 5792 UtilityInit: KLMD open success
16:47:50:052 5792 UtilityInit: Initialize success
16:47:50:052 5792
16:47:50:053 5792 Scanning Services ...
16:47:50:053 5792 CreateRegParser: Registry parser init started
16:47:50:053 5792 CreateRegParser: DisableWow64Redirection error
16:47:50:053 5792 wfopen_ex: Trying to open file C:\Windows\system32\config\system
16:47:50:265 5792 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\config\system) returned status C0000043
16:47:50:265 5792 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
16:47:50:265 5792 wfopen_ex: Trying to KLMD file open
16:47:50:265 5792 KLMD_CreateFileW: Trying to open file C:\Windows\system32\config\system
16:47:50:265 5792 wfopen_ex: File opened ok (Flags 2)
16:47:50:309 5792 CreateRegParser: HIVE_ADAPTER(C:\Windows\system32\config\system) init success: 18A6D08
16:47:50:309 5792 wfopen_ex: Trying to open file C:\Windows\system32\config\software
16:47:50:430 5792 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\config\software) returned status C0000043
16:47:50:431 5792 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
16:47:50:431 5792 wfopen_ex: Trying to KLMD file open
16:47:50:431 5792 KLMD_CreateFileW: Trying to open file C:\Windows\system32\config\software
16:47:50:431 5792 wfopen_ex: File opened ok (Flags 2)
16:47:50:466 5792 CreateRegParser: HIVE_ADAPTER(C:\Windows\system32\config\software) init success: 18A6D30
16:47:50:482 5792 CreateRegParser: EnableWow64Redirection error
16:47:50:482 5792 CreateRegParser: RegParser init completed
16:47:51:519 5792 GetAdvancedServicesInfo: Raw services enum returned 499 services
16:47:51:526 5792 fclose_ex: Trying to close file C:\Windows\system32\config\system
16:47:51:586 5792 fclose_ex: Trying to close file C:\Windows\system32\config\software
16:47:51:604 5792
16:47:51:605 5792 Scanning Kernel memory ...
16:47:51:606 5792 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
16:47:51:606 5792 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 85743838
16:47:51:606 5792 DetectCureTDL3: KLMD_GetDeviceObjectList returned 1 DevObjects
16:47:51:606 5792
16:47:51:606 5792 DetectCureTDL3: DEVICE_OBJECT: 85744408
16:47:51:606 5792 KLMD_GetLowerDeviceObject: Trying to get lower device object for 85744408
16:47:51:606 5792 DetectCureTDL3: DEVICE_OBJECT: 8525B3E0
16:47:51:606 5792 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8525B3E0
16:47:51:606 5792 DetectCureTDL3: DEVICE_OBJECT: 8523D908
16:47:51:606 5792 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8523D908
16:47:51:606 5792 KLMD_ReadMem: Trying to ReadMemory 0x8523D908[0x38]
16:47:51:606 5792 DetectCureTDL3: DRIVER_OBJECT: 8596EF38
16:47:51:606 5792 KLMD_ReadMem: Trying to ReadMemory 0x8596EF38[0xA8]
16:47:51:606 5792 KLMD_ReadMem: Trying to ReadMemory 0x8523B028[0x38]
16:47:51:606 5792 KLMD_ReadMem: Trying to ReadMemory 0x852163E0[0xA8]
16:47:51:606 5792 KLMD_ReadMem: Trying to ReadMemory 0x85215A98[0x1A]
16:47:51:607 5792 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
16:47:51:607 5792 DetectCureTDL3: IrpHandler (0) addr: 85625856
16:47:51:607 5792 DetectCureTDL3: IrpHandler (1) addr: 85625856
16:47:51:607 5792 DetectCureTDL3: IrpHandler (2) addr: 85625856
16:47:51:607 5792 DetectCureTDL3: IrpHandler (3) addr: 85625856
16:47:51:607 5792 DetectCureTDL3: IrpHandler (4) addr: 85625856
16:47:51:607 5792 DetectCureTDL3: IrpHandler (5) addr: 85625856
16:47:51:607 5792 DetectCureTDL3: IrpHandler (6) addr: 85625856
16:47:51:607 5792 DetectCureTDL3: IrpHandler (7) addr: 85625856
16:47:51:607 5792 DetectCureTDL3: IrpHandler (8) addr: 85625856
16:47:51:607 5792 DetectCureTDL3: IrpHandler (9) addr: 85625856
16:47:51:607 5792 DetectCureTDL3: IrpHandler (10) addr: 85625856
16:47:51:607 5792 DetectCureTDL3: IrpHandler (11) addr: 85625856
16:47:51:607 5792 DetectCureTDL3: IrpHandler (12) addr: 85625856
16:47:51:607 5792 DetectCureTDL3: IrpHandler (13) addr: 85625856
16:47:51:607 5792 DetectCureTDL3: IrpHandler (14) addr: 85625856
16:47:51:607 5792 DetectCureTDL3: IrpHandler (15) addr: 85625856
16:47:51:607 5792 DetectCureTDL3: IrpHandler (16) addr: 85625856
16:47:51:607 5792 DetectCureTDL3: IrpHandler (17) addr: 85625856
16:47:51:607 5792 DetectCureTDL3: IrpHandler (18) addr: 85625856
16:47:51:607 5792 DetectCureTDL3: IrpHandler (19) addr: 85625856
16:47:51:607 5792 DetectCureTDL3: IrpHandler (20) addr: 85625856
16:47:51:608 5792 DetectCureTDL3: IrpHandler (21) addr: 85625856
16:47:51:608 5792 DetectCureTDL3: IrpHandler (22) addr: 85625856
16:47:51:608 5792 DetectCureTDL3: IrpHandler (23) addr: 85625856
16:47:51:608 5792 DetectCureTDL3: IrpHandler (24) addr: 85625856
16:47:51:608 5792 DetectCureTDL3: IrpHandler (25) addr: 85625856
16:47:51:608 5792 DetectCureTDL3: IrpHandler (26) addr: 85625856
16:47:51:608 5792 DetectCureTDL3: All IRP handlers pointed to one addr: 85625856
16:47:51:608 5792 KLMD_ReadMem: Trying to ReadMemory 0x85625856[0x400]
16:47:51:608 5792 TDL3_IrpHookDetect: CheckParameters: 4, FFDF0308, 333, 121, 3, 109
16:47:51:608 5792 Driver "atapi" Irp handler infected by TDSS rootkit ... 16:47:51:609 5792 KLMD_WriteMem: Trying to WriteMemory 0x856258CF[0xD]
16:47:51:609 5792 cured
16:47:51:609 5792 KLMD_ReadMem: Trying to ReadMemory 0x85625701[0x400]
16:47:51:609 5792 TDL3_StartIoHookDetect: CheckParameters: 9, FFDF0308, 1
16:47:51:610 5792 Driver "atapi" StartIo handler infected by TDSS rootkit ... 16:47:51:610 5792 TDL3_StartIoHookCure: Number of patches 1
16:47:51:610 5792 KLMD_WriteMem: Trying to WriteMemory 0x8562580A[0x6]
16:47:51:610 5792 cured
16:47:51:611 5792 TDL3_FileDetect: Processing driver: atapi
16:47:51:612 5792 TDL3_FileDetect: Processing driver file: C:\Windows\system32\DRIVERS\atapi.sys
16:47:51:612 5792 KLMD_CreateFileW: Trying to open file C:\Windows\system32\DRIVERS\atapi.sys
16:47:51:631 5792 TDL3_FileDetect: C:\Windows\system32\DRIVERS\atapi.sys - Verdict: Infected
16:47:51:631 5792 File C:\Windows\system32\DRIVERS\atapi.sys infected by TDSS rootkit ... 16:47:51:639 5792 TDL3_FileCure: Processing driver file: C:\Windows\system32\DRIVERS\atapi.sys
16:47:53:058 5792 FileCallback: Backup candidate found: C:\Windows\system32\DriverStore\FileRepository\mshdc.inf_x86_neutral_f64b9c35a3a5be81\atapi.sys:21584, checking..
16:47:53:147 5792 ValidateDriverFile: Stage 1 passed
16:47:53:163 5792 ValidateDriverFile: Stage 2 passed
16:47:54:152 5792 DigitalSignVerifyByHandle: Embedded DS result: 00000000
16:47:54:152 5792 ValidateDriverFile: Stage 3 passed
16:47:54:152 5792 FileCallback: File validated successfully, restore information prepared
16:47:56:503 5792 FindDriverFileBackup: Backup copy found in DriverStore
16:47:56:503 5792 TDL3_FileCure: Backup copy found, using it..
16:47:56:504 5792 TDL3_FileCure: Dumping cured buffer to file C:\Windows\system32\drivers\tskA96B.tmp
16:47:56:950 5792 TDL3_FileCure: New / Old Image paths: (system32\drivers\tskA96B.tmp, system32\drivers\atapi.sys)
16:47:56:950 5792 TDL3_FileCure: KLMD jobs schedule success
16:47:56:950 5792 will be cured on next reboot
16:47:56:952 5792 UtilityBootReinit: Reboot required for cure complete..
16:47:56:953 5792 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\drivers\klmdb.sys) returned status 00000000
16:47:58:155 5792 UtilityBootReinit: KLMD drop success
16:47:58:156 5792 KLMD_ApplyPendList: Pending buffer(463B_7475, 616) dropped successfully
16:47:58:156 5792 UtilityBootReinit: Cure on reboot scheduled successfully
16:47:58:156 5792
16:47:58:156 5792 Completed
16:47:58:157 5792
16:47:58:158 5792 Results:
16:47:58:158 5792 Memory objects infected / cured / cured on reboot: 2 / 2 / 0
16:47:58:159 5792 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
16:47:58:160 5792 File objects infected / cured / cured on reboot: 1 / 0 / 1
16:47:58:160 5792
16:47:58:161 5792 UnloadDriverW: NtUnloadDriver error 1
16:47:58:161 5792 KLMD_Unload: UnloadDriverW(klmd21) error 1
16:47:58:194 5792 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\drivers\klmd.sys) returned status 00000000
16:47:58:219 5792 UtilityDeinit: KLMD(ARK) unloaded successfully
 

Run the free scan by Kaspersky:
Kaspersky Online Scanner 7.0

1. Click the "Accept" button to accept the user agreement, install the ActiveX control, and download the program.
2. When you get the Windows dialog asking if you want to install this software, click the "Install" button.
3. When the "Update progress" line changes to "Ready" and the "NEXT ->" button lights up with a green arrow, click it.
4. Click on the "Scan Settings" button, and in the next window select the "extended" database, and click Ok.
5. Under "Please select a target to scan:", click My Computer to start the scan.
6. When the scan is finished, click the "Save as .txt" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window, and post the text in kavscan.txt in your next reply.

Please restart your system, and post the log from Kaspersky's on-line virus scan.
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Bruce ... somewhere in his 40's
OS
Windows 7 Ultimate 32bit SP1
CPU
Intel(R) Core(TM)2 Quad CPU @ 2.40GHz, 2400 MHz
Motherboard
INTEL/D975XBX2
Memory
4 GB
Graphics Card(s)
ATI Radeon HD 2600 Pro
Monitor(s) Displays
Samsung SyncMaster 914v
Screen Resolution
1280 x 1024
Hard Drives
2/500GB each ... ST3500630AS ATA Device.
One is not connected
PSU
Rocketfish 700 W
Case
G.Skill Gigabyte Chassis
Keyboard
Standard PS/2 Keyboard
Mouse
Microsoft PS/2 Mouse
Internet Speed
DSL
Antivirus
Avira Internet Security
Browser
IE 11
Other Info
ATI HDMI Audio
Jacee, sorry for interrupting you :(
Quick question, mjwilson94: what were the results of Hitman Pro?

Second question to Jacee: shouldn't he first reboot after TDSS Killer?
16:47:56:950 5792 will be cured on next reboot
16:47:56:952 5792 UtilityBootReinit: Reboot required for cure complete
....
16:47:58:156 5792 UtilityBootReinit: Cure on reboot scheduled successfully
 

My Computer

OS
Windows 7 Ultimate x86 SP1
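The TDSSKiller log posted above and Jav's question about rebooting both come down to reading that log correctly: which objects were found, which were cured in memory, and which are deferred to the next boot. As an added example (not part of the thread and not Kaspersky's code), here is a small Python parser that does that walk and answers the reboot question; the log excerpt is constructed from the lines quoted in the thread, and the function names are mine.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt, modelled on the TDSSKiller 2.2.2 log quoted in this thread
SAMPLE_LOG = r"""
16:47:51:608 5792 Driver "atapi" Irp handler infected by TDSS rootkit ... 16:47:51:609 5792 KLMD_WriteMem: Trying to WriteMemory 0x856258CF[0xD]
16:47:51:609 5792 cured
16:47:51:610 5792 Driver "atapi" StartIo handler infected by TDSS rootkit ... 16:47:51:610 5792 TDL3_StartIoHookCure: Number of patches 1
16:47:51:610 5792 cured
16:47:51:631 5792 File C:\Windows\system32\DRIVERS\atapi.sys infected by TDSS rootkit ... 16:47:51:639 5792 TDL3_FileCure: Processing driver file: C:\Windows\system32\DRIVERS\atapi.sys
16:47:56:950 5792 will be cured on next reboot
16:47:56:952 5792 UtilityBootReinit: Reboot required for cure complete..
16:47:58:158 5792 Memory objects infected / cured / cured on reboot: 2 / 2 / 0
16:47:58:160 5792 File objects infected / cured / cured on reboot: 1 / 0 / 1
"""
PREFIX = re.compile(r"^\d{2}:\d{2}:\d{2}:\d{3} \d+ ")  # 'HH:MM:SS:mmm PID ' on every line
FINDING = re.compile(r'(?:Driver "(?P<drv>[^"]+)" (?P<hnd>\w+) handler|File (?P<file>\S+)) '
                     r"infected by TDSS rootkit")
COUNTS = re.compile(r"^(?P<cat>Memory|Registry|File) objects infected / cured / cured on reboot: "
                    r"(?P<inf>\d+) / (?P<cur>\d+) / (?P<reb>\d+)$")
@dataclass
class Finding:
    target: str                 # 'atapi Irp handler' or an infected file path
    status: str = "unresolved"  # 'cured' | 'cured on reboot' | 'unresolved'
@dataclass
class Report:
    findings: list = field(default_factory=list)
    counts: dict = field(default_factory=dict)  # category -> (infected, cured, cured on reboot)
    reboot_required: bool = False

def parse_tdsskiller_log(text: str) -> Report:
    # Single pass: an 'infected' line stays pending until the tool's next verdict line
    report, pending = Report(), None
    for raw in text.splitlines():
        line = PREFIX.sub("", raw.strip(), count=1)
        if m := FINDING.search(line):
            pending = Finding(m["file"] or f'{m["drv"]} {m["hnd"]} handler')
            report.findings.append(pending)
        elif pending and line == "cured":
            pending.status, pending = "cured", None
        elif pending and line == "will be cured on next reboot":
            pending.status, pending = "cured on reboot", None
        elif c := COUNTS.match(line):
            report.counts[c["cat"]] = (int(c["inf"]), int(c["cur"]), int(c["reb"]))
    # A reboot is owed if the tool said so or any Results counter shows a deferred cure
    report.reboot_required = ("Reboot required for cure" in text
                              or any(v[2] > 0 for v in report.counts.values()))
    return report

def verdict(report: Report) -> str:
    # Triage answer to 'do I reboot before the next scan?': yes while any cure is deferred
    deferred = [f.target for f in report.findings if f.status == "cured on reboot"]
    if report.reboot_required:
        return f"reboot required before rescanning; deferred cures: {', '.join(deferred)}"
    return f"no reboot pending; {len(report.findings)} object(s) cured in place"
```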
The Hitman Pro found 3 things, but one it wasn't sure if it was a virus or not. I did what it told me to do anyway. And don't worry, I have rebooted after the TDSS Killer :)
 

The Hitman Pro found 3 things, but one it wasn't sure if it was a virus or not. I did what it told me to do anyway. And don't worry, I have rebooted after the TDSS Killer :)

OK, now I can freely leave you in the safe and professional hands of Jacee.
Good luck, both of you ;)
 

Thanks a lot, Jav, you never fail to help me out. REP
 

To be perfectly honest with everyone, I don't like to mess with Rootkits. I agree with jimbo45. You can never be sure that the system is ever stable again, after cleaning up a rootkit.

I do, in fact, suggest a wipe and clean install. This is, of course, totally up to the owner of the infected machine.
 

OK, right, I see where you're coming from. How would I go about doing this, bearing in mind I have lots of important work on here and a lot of programs that would take ages to install all over again?
 

You can copy your work files and pictures to a CD. Programs will need to be installed again.

Don't try to save anything that you downloaded using a Torrent program that you know you didn't pay for.
 

Don't worry, I don't download illegal programs.
 

Hi there
Once you get everything up and running again take a CLEAN backup so if this happens again it's only around 15 - 30 mins work to restore everything again.

Cheers
jimbo
 

I have not tried THOSE particular ones. I tried SpeedyPCPro to no avail. Are those free removal tools?
 

My Computer

OS
Window 7 Home 64 bit