anitvirus programs wont run!

**graf** · 02-02-2010 02:32 PM

don't know the path. just what i see in the task manager window

**graf** · 02-02-2010 02:33 PM

yep it crashed going to try it again

**evilfantasy** · 02-02-2010 02:35 PM

If you're having problems with running gmer.exe, try it in Safe Mode. This tool works in Safe Mode whereas many other rootkit revealers do not.

**graf** · 02-02-2010 02:53 PM

yes GMER crashed twice.

**graf** · 02-02-2010 02:56 PM

Ican't run anything in safe mode, it just crashes.

**evilfantasy** · 02-02-2010 03:02 PM

Well this has gotten interesting...

Open Malwarebytes' Anti-Malware.

* Click the Update tab.
* Click Check for Updates
* If an update is found, it will download and install.
* Click the Scanner tab.
* Select Perform Quick Scan, then click Scan.
* The scan may take some time to finish,so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

**graf** · 02-02-2010 03:39 PM

ok will do

**graf** · 02-02-2010 04:00 PM

MBAM, run's a little and then crashes,

**evilfantasy** · 02-02-2010 04:02 PM

Please run TDSSKiller per the below steps:

* Go to TDSSKiller and Download TDSSKiller.zip to your Desktop
* Extract its contents to your Desktop so that you have TDSSKiller.exe directly on your Desktop and not in any sub-folder of the Desktop.
* Click Start > Run and copy/paste the following Red text into Run box and hit Enter on your keyboard.

"%userprofile%\Desktop\TDSSKiller.exe" -v

* Follow the instructions to type in "delete" when it asks you what to do when if finds something.
* When done, a log file should be created on your C: drive called 'TDSSKiller.txt' please add this log to your next reply.

**graf** · 02-02-2010 04:56 PM

16:49:59:706 1624 TDSS rootkit removing tool 2.2.2 Jan 13 2010 08:42:25
16:49:59:706 1624 ================================================================================
16:49:59:706 1624 SystemInfo:

16:49:59:706 1624 OS Version: 5.1.2600 ServicePack: 3.0
16:49:59:706 1624 Product type: Workstation
16:49:59:706 1624 ComputerName: BIGPOPPA
16:49:59:706 1624 UserName: Chris N
16:49:59:706 1624 Windows directory: C:\WINDOWS
16:49:59:706 1624 Processor architecture: Intel x86
16:49:59:706 1624 Number of processors: 1
16:49:59:706 1624 Page size: 0x1000
16:49:59:706 1624 Boot type: Normal boot
16:49:59:706 1624 ================================================================================
16:49:59:716 1624 UnloadDriverW: NtUnloadDriver error 2
16:49:59:716 1624 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
16:49:59:716 1624 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
16:49:59:726 1624 UtilityInit: KLMD drop and load success
16:49:59:726 1624 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201000)
16:49:59:726 1624 UtilityInit: KLMD open success
16:49:59:726 1624 UtilityInit: Initialize success
16:49:59:726 1624
16:49:59:726 1624 Scanning Services ...
16:49:59:726 1624 CreateRegParser: Registry parser init started
16:49:59:726 1624 DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127
16:49:59:726 1624 CreateRegParser: DisableWow64Redirection error
16:49:59:726 1624 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
16:49:59:726 1624 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043
16:49:59:726 1624 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
16:49:59:726 1624 wfopen_ex: Trying to KLMD file open
16:49:59:726 1624 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system
16:49:59:726 1624 wfopen_ex: File opened ok (Flags 2)
16:49:59:726 1624 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: 3848B0
16:49:59:726 1624 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
16:49:59:726 1624 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043
16:49:59:726 1624 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
16:49:59:736 1624 wfopen_ex: Trying to KLMD file open
16:49:59:736 1624 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software
16:49:59:736 1624 wfopen_ex: File opened ok (Flags 2)
16:49:59:736 1624 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: 384958
16:49:59:736 1624 EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127
16:49:59:736 1624 CreateRegParser: EnableWow64Redirection error
16:49:59:736 1624 CreateRegParser: RegParser init completed
16:50:00:167 1624 GetAdvancedServicesInfo: Raw services enum returned 384 services
16:50:00:177 1624 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
16:50:00:177 1624 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
16:50:00:177 1624
16:50:00:177 1624 Scanning Kernel memory ...
16:50:00:177 1624 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
16:50:00:177 1624 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 84F5DAE8
16:50:00:177 1624 DetectCureTDL3: KLMD_GetDeviceObjectList returned 2 DevObjects
16:50:00:177 1624
16:50:00:177 1624 DetectCureTDL3: DEVICE_OBJECT: 84F6A030
16:50:00:177 1624 KLMD_GetLowerDeviceObject: Trying to get lower device object for 84F6A030
16:50:00:177 1624 KLMD_ReadMem: Trying to ReadMemory 0x84F6A030[0x38]
16:50:00:177 1624 DetectCureTDL3: DRIVER_OBJECT: 84F5DAE8
16:50:00:177 1624 KLMD_ReadMem: Trying to ReadMemory 0x84F5DAE8[0xA8]
16:50:00:177 1624 KLMD_ReadMem: Trying to ReadMemory 0xE18E5258[0x18]
16:50:00:177 1624 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
16:50:00:177 1624 DetectCureTDL3: IrpHandler (0) addr: F750DBB0
16:50:00:177 1624 DetectCureTDL3: IrpHandler (1) addr: 804FA87E
16:50:00:177 1624 DetectCureTDL3: IrpHandler (2) addr: F750DBB0
16:50:00:177 1624 DetectCureTDL3: IrpHandler (3) addr: F7507D1F
16:50:00:177 1624 DetectCureTDL3: IrpHandler (4) addr: F7507D1F
16:50:00:177 1624 DetectCureTDL3: IrpHandler (5) addr: 804FA87E
16:50:00:177 1624 DetectCureTDL3: IrpHandler (6) addr: 804FA87E
16:50:00:177 1624 DetectCureTDL3: IrpHandler (7) addr: 804FA87E
16:50:00:177 1624 DetectCureTDL3: IrpHandler (8) addr: 804FA87E
16:50:00:177 1624 DetectCureTDL3: IrpHandler (9) addr: F75082E2
16:50:00:177 1624 DetectCureTDL3: IrpHandler (10) addr: 804FA87E
16:50:00:177 1624 DetectCureTDL3: IrpHandler (11) addr: 804FA87E
16:50:00:177 1624 DetectCureTDL3: IrpHandler (12) addr: 804FA87E
16:50:00:177 1624 DetectCureTDL3: IrpHandler (13) addr: 804FA87E
16:50:00:177 1624 DetectCureTDL3: IrpHandler (14) addr: F75083BB
16:50:00:177 1624 DetectCureTDL3: IrpHandler (15) addr: F750BF28
16:50:00:177 1624 DetectCureTDL3: IrpHandler (16) addr: F75082E2
16:50:00:177 1624 DetectCureTDL3: IrpHandler (17) addr: 804FA87E
16:50:00:177 1624 DetectCureTDL3: IrpHandler (18) addr: 804FA87E
16:50:00:177 1624 DetectCureTDL3: IrpHandler (19) addr: 804FA87E
16:50:00:177 1624 DetectCureTDL3: IrpHandler (20) addr: 804FA87E
16:50:00:177 1624 DetectCureTDL3: IrpHandler (21) addr: 804FA87E
16:50:00:177 1624 DetectCureTDL3: IrpHandler (22) addr: F7509C82
16:50:00:177 1624 DetectCureTDL3: IrpHandler (23) addr: F750E99E
16:50:00:177 1624 DetectCureTDL3: IrpHandler (24) addr: 804FA87E
16:50:00:177 1624 DetectCureTDL3: IrpHandler (25) addr: 804FA87E
16:50:00:177 1624 DetectCureTDL3: IrpHandler (26) addr: 804FA87E
16:50:00:177 1624 TDL3_FileDetect: Processing driver: Disk
16:50:00:177 1624 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
16:50:00:177 1624 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
16:50:00:197 1624 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
16:50:00:197 1624
16:50:00:197 1624 DetectCureTDL3: DEVICE_OBJECT: 84F5E578
16:50:00:197 1624 KLMD_GetLowerDeviceObject: Trying to get lower device object for 84F5E578
16:50:00:197 1624 DetectCureTDL3: DEVICE_OBJECT: 84F96458
16:50:00:197 1624 KLMD_GetLowerDeviceObject: Trying to get lower device object for 84F96458
16:50:00:197 1624 DetectCureTDL3: DEVICE_OBJECT: 84F5F030
16:50:00:197 1624 KLMD_GetLowerDeviceObject: Trying to get lower device object for 84F5F030
16:50:00:197 1624 KLMD_ReadMem: Trying to ReadMemory 0x84F5F030[0x38]
16:50:00:197 1624 DetectCureTDL3: DRIVER_OBJECT: 84F96B10
16:50:00:197 1624 KLMD_ReadMem: Trying to ReadMemory 0x84F96B10[0xA8]
16:50:00:197 1624 KLMD_ReadMem: Trying to ReadMemory 0xE18E4FE0[0x1A]
16:50:00:197 1624 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
16:50:00:197 1624 DetectCureTDL3: IrpHandler (0) addr: F73FC6F2
16:50:00:197 1624 DetectCureTDL3: IrpHandler (1) addr: 804FA87E
16:50:00:197 1624 DetectCureTDL3: IrpHandler (2) addr: F73FC6F2
16:50:00:197 1624 DetectCureTDL3: IrpHandler (3) addr: 804FA87E
16:50:00:197 1624 DetectCureTDL3: IrpHandler (4) addr: 804FA87E
16:50:00:197 1624 DetectCureTDL3: IrpHandler (5) addr: 804FA87E
16:50:00:197 1624 DetectCureTDL3: IrpHandler (6) addr: 804FA87E
16:50:00:197 1624 DetectCureTDL3: IrpHandler (7) addr: 804FA87E
16:50:00:197 1624 DetectCureTDL3: IrpHandler (8) addr: 804FA87E
16:50:00:197 1624 DetectCureTDL3: IrpHandler (9) addr: 804FA87E
16:50:00:197 1624 DetectCureTDL3: IrpHandler (10) addr: 804FA87E
16:50:00:197 1624 DetectCureTDL3: IrpHandler (11) addr: 804FA87E
16:50:00:197 1624 DetectCureTDL3: IrpHandler (12) addr: 804FA87E
16:50:00:197 1624 DetectCureTDL3: IrpHandler (13) addr: 804FA87E
16:50:00:197 1624 DetectCureTDL3: IrpHandler (14) addr: F73FC712
16:50:00:197 1624 DetectCureTDL3: IrpHandler (15) addr: F73F8852
16:50:00:197 1624 DetectCureTDL3: IrpHandler (16) addr: 804FA87E
16:50:00:197 1624 DetectCureTDL3: IrpHandler (17) addr: 804FA87E
16:50:00:197 1624 DetectCureTDL3: IrpHandler (18) addr: 804FA87E
16:50:00:197 1624 DetectCureTDL3: IrpHandler (19) addr: 804FA87E
16:50:00:197 1624 DetectCureTDL3: IrpHandler (20) addr: 804FA87E
16:50:00:197 1624 DetectCureTDL3: IrpHandler (21) addr: 804FA87E
16:50:00:197 1624 DetectCureTDL3: IrpHandler (22) addr: F73FC73C
16:50:00:197 1624 DetectCureTDL3: IrpHandler (23) addr: F7403336
16:50:00:197 1624 DetectCureTDL3: IrpHandler (24) addr: 804FA87E
16:50:00:197 1624 DetectCureTDL3: IrpHandler (25) addr: 804FA87E
16:50:00:197 1624 DetectCureTDL3: IrpHandler (26) addr: 804FA87E
16:50:00:197 1624 KLMD_ReadMem: Trying to ReadMemory 0xF73F9864[0x400]
16:50:00:197 1624 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
16:50:00:197 1624 TDL3_FileDetect: Processing driver: atapi
16:50:00:197 1624 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
16:50:00:197 1624 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\atapi.sys
16:50:00:207 1624 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Clean
16:50:00:207 1624
16:50:00:217 1624 Completed
16:50:00:217 1624
16:50:00:217 1624 Results:
16:50:00:217 1624 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
16:50:00:217 1624 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
16:50:00:217 1624 File objects infected / cured / cured on reboot: 0 / 0 / 0
16:50:00:217 1624
16:50:00:217 1624 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
16:50:00:217 1624 UtilityDeinit: KLMD(ARK) unloaded successfully

Thread: anitvirus programs wont run!

LinkBack

Thread Tools