16:31:37:218 3128 TDSS rootkit removing tool 2.2.2 Jan 13 2010 08:42:25
16:31:37:218 3128 ================================================================================
16:31:37:218 3128 SystemInfo:
16:31:37:218 3128 OS Version: 5.1.2600 ServicePack: 3.0
16:31:37:218 3128 Product type: Workstation
16:31:37:218 3128 ComputerName: BOOBOO
16:31:37:218 3128 UserName: tony
16:31:37:218 3128 Windows directory: C:\WINDOWS
16:31:37:218 3128 Processor architecture: Intel x86
16:31:37:218 3128 Number of processors: 2
16:31:37:218 3128 Page size: 0x1000
16:31:37:218 3128 Boot type: Normal boot
16:31:37:218 3128 ================================================================================
16:31:37:234 3128 UnloadDriverW: NtUnloadDriver error 2
16:31:37:234 3128 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
16:31:37:234 3128 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
16:31:37:234 3128 UtilityInit: KLMD drop and load success
16:31:37:234 3128 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201000)
16:31:37:234 3128 UtilityInit: KLMD open success
16:31:37:234 3128 UtilityInit: Initialize success
16:31:37:234 3128
16:31:37:234 3128 Scanning Services ...
16:31:37:234 3128 CreateRegParser: Registry parser init started
16:31:37:234 3128 DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127
16:31:37:234 3128 CreateRegParser: DisableWow64Redirection error
16:31:37:234 3128 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
16:31:37:234 3128 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043
16:31:37:234 3128 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
16:31:37:234 3128 wfopen_ex: Trying to KLMD file open
16:31:37:234 3128 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system
16:31:37:234 3128 wfopen_ex: File opened ok (Flags 2)
16:31:37:234 3128 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: 394970
16:31:37:234 3128 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
16:31:37:234 3128 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043
16:31:37:234 3128 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
16:31:37:234 3128 wfopen_ex: Trying to KLMD file open
16:31:37:234 3128 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software
16:31:37:234 3128 wfopen_ex: File opened ok (Flags 2)
16:31:37:234 3128 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: 394A18
16:31:37:234 3128 EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127
16:31:37:234 3128 CreateRegParser: EnableWow64Redirection error
16:31:37:234 3128 CreateRegParser: RegParser init completed
16:31:37:671 3128 GetAdvancedServicesInfo: Raw services enum returned 376 services
16:31:37:687 3128 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
16:31:37:687 3128 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
16:31:37:687 3128
16:31:37:687 3128 Scanning Kernel memory ...
16:31:37:687 3128 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
16:31:37:687 3128 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 8714C348
16:31:37:687 3128 DetectCureTDL3: KLMD_GetDeviceObjectList returned 4 DevObjects
16:31:37:687 3128
16:31:37:687 3128 DetectCureTDL3: DEVICE_OBJECT: 871DF958
16:31:37:687 3128 KLMD_GetLowerDeviceObject: Trying to get lower device object for 871DF958
16:31:37:687 3128 KLMD_ReadMem: Trying to ReadMemory 0x871DF958[0x38]
16:31:37:687 3128 DetectCureTDL3: DRIVER_OBJECT: 8714C348
16:31:37:687 3128 KLMD_ReadMem: Trying to ReadMemory 0x8714C348[0xA8]
16:31:37:687 3128 KLMD_ReadMem: Trying to ReadMemory 0xE18BC8B8[0x18]
16:31:37:687 3128 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
16:31:37:687 3128 DetectCureTDL3: IrpHandler (0) addr: F75C2BB0
16:31:37:687 3128 DetectCureTDL3: IrpHandler (1) addr: 804F4562
16:31:37:687 3128 DetectCureTDL3: IrpHandler (2) addr: F75C2BB0
16:31:37:687 3128 DetectCureTDL3: IrpHandler (3) addr: F75BCD1F
16:31:37:687 3128 DetectCureTDL3: IrpHandler (4) addr: F75BCD1F
16:31:37:687 3128 DetectCureTDL3: IrpHandler (5) addr: 804F4562
16:31:37:687 3128 DetectCureTDL3: IrpHandler (6) addr: 804F4562
16:31:37:687 3128 DetectCureTDL3: IrpHandler (7) addr: 804F4562
16:31:37:687 3128 DetectCureTDL3: IrpHandler (8) addr: 804F4562
16:31:37:687 3128 DetectCureTDL3: IrpHandler (9) addr: F75BD2E2
16:31:37:687 3128 DetectCureTDL3: IrpHandler (10) addr: 804F4562
16:31:37:687 3128 DetectCureTDL3: IrpHandler (11) addr: 804F4562
16:31:37:687 3128 DetectCureTDL3: IrpHandler (12) addr: 804F4562
16:31:37:687 3128 DetectCureTDL3: IrpHandler (13) addr: 804F4562
16:31:37:687 3128 DetectCureTDL3: IrpHandler (14) addr: F75BD3BB
16:31:37:687 3128 DetectCureTDL3: IrpHandler (15) addr: F75C0F28
16:31:37:687 3128 DetectCureTDL3: IrpHandler (16) addr: F75BD2E2
16:31:37:687 3128 DetectCureTDL3: IrpHandler (17) addr: 804F4562
16:31:37:687 3128 DetectCureTDL3: IrpHandler (18) addr: 804F4562
16:31:37:687 3128 DetectCureTDL3: IrpHandler (19) addr: 804F4562
16:31:37:687 3128 DetectCureTDL3: IrpHandler (20) addr: 804F4562
16:31:37:687 3128 DetectCureTDL3: IrpHandler (21) addr: 804F4562
16:31:37:687 3128 DetectCureTDL3: IrpHandler (22) addr: F75BEC82
16:31:37:687 3128 DetectCureTDL3: IrpHandler (23) addr: F75C399E
16:31:37:687 3128 DetectCureTDL3: IrpHandler (24) addr: 804F4562
16:31:37:687 3128 DetectCureTDL3: IrpHandler (25) addr: 804F4562
16:31:37:687 3128 DetectCureTDL3: IrpHandler (26) addr: 804F4562
16:31:37:687 3128 TDL3_FileDetect: Processing driver: Disk
16:31:37:687 3128 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
16:31:37:687 3128 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
16:31:37:703 3128 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
16:31:37:703 3128
16:31:37:703 3128 DetectCureTDL3: DEVICE_OBJECT: 87148C68
16:31:37:703 3128 KLMD_GetLowerDeviceObject: Trying to get lower device object for 87148C68
16:31:37:703 3128 KLMD_ReadMem: Trying to ReadMemory 0x87148C68[0x38]
16:31:37:703 3128 DetectCureTDL3: DRIVER_OBJECT: 8714C348
16:31:37:703 3128 KLMD_ReadMem: Trying to ReadMemory 0x8714C348[0xA8]
16:31:37:703 3128 KLMD_ReadMem: Trying to ReadMemory 0xE18BC8B8[0x18]
16:31:37:703 3128 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
16:31:37:703 3128 DetectCureTDL3: IrpHandler (0) addr: F75C2BB0
16:31:37:703 3128 DetectCureTDL3: IrpHandler (1) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (2) addr: F75C2BB0
16:31:37:703 3128 DetectCureTDL3: IrpHandler (3) addr: F75BCD1F
16:31:37:703 3128 DetectCureTDL3: IrpHandler (4) addr: F75BCD1F
16:31:37:703 3128 DetectCureTDL3: IrpHandler (5) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (6) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (7) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (8) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (9) addr: F75BD2E2
16:31:37:703 3128 DetectCureTDL3: IrpHandler (10) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (11) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (12) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (13) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (14) addr: F75BD3BB
16:31:37:703 3128 DetectCureTDL3: IrpHandler (15) addr: F75C0F28
16:31:37:703 3128 DetectCureTDL3: IrpHandler (16) addr: F75BD2E2
16:31:37:703 3128 DetectCureTDL3: IrpHandler (17) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (18) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (19) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (20) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (21) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (22) addr: F75BEC82
16:31:37:703 3128 DetectCureTDL3: IrpHandler (23) addr: F75C399E
16:31:37:703 3128 DetectCureTDL3: IrpHandler (24) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (25) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (26) addr: 804F4562
16:31:37:703 3128 TDL3_FileDetect: Processing driver: Disk
16:31:37:703 3128 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
16:31:37:703 3128 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
16:31:37:703 3128 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
16:31:37:703 3128
16:31:37:703 3128 DetectCureTDL3: DEVICE_OBJECT: 871E76F8
16:31:37:703 3128 KLMD_GetLowerDeviceObject: Trying to get lower device object for 871E76F8
16:31:37:703 3128 KLMD_ReadMem: Trying to ReadMemory 0x871E76F8[0x38]
16:31:37:703 3128 DetectCureTDL3: DRIVER_OBJECT: 8714C348
16:31:37:703 3128 KLMD_ReadMem: Trying to ReadMemory 0x8714C348[0xA8]
16:31:37:703 3128 KLMD_ReadMem: Trying to ReadMemory 0xE18BC8B8[0x18]
16:31:37:703 3128 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
16:31:37:703 3128 DetectCureTDL3: IrpHandler (0) addr: F75C2BB0
16:31:37:703 3128 DetectCureTDL3: IrpHandler (1) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (2) addr: F75C2BB0
16:31:37:703 3128 DetectCureTDL3: IrpHandler (3) addr: F75BCD1F
16:31:37:703 3128 DetectCureTDL3: IrpHandler (4) addr: F75BCD1F
16:31:37:703 3128 DetectCureTDL3: IrpHandler (5) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (6) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (7) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (8) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (9) addr: F75BD2E2
16:31:37:703 3128 DetectCureTDL3: IrpHandler (10) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (11) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (12) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (13) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (14) addr: F75BD3BB
16:31:37:703 3128 DetectCureTDL3: IrpHandler (15) addr: F75C0F28
16:31:37:703 3128 DetectCureTDL3: IrpHandler (16) addr: F75BD2E2
16:31:37:703 3128 DetectCureTDL3: IrpHandler (17) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (18) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (19) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (20) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (21) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (22) addr: F75BEC82
16:31:37:703 3128 DetectCureTDL3: IrpHandler (23) addr: F75C399E
16:31:37:703 3128 DetectCureTDL3: IrpHandler (24) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (25) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (26) addr: 804F4562
16:31:37:703 3128 TDL3_FileDetect: Processing driver: Disk
16:31:37:703 3128 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
16:31:37:703 3128 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
16:31:37:703 3128 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
16:31:37:703 3128
16:31:37:703 3128 DetectCureTDL3: DEVICE_OBJECT: 870D9AB8
16:31:37:703 3128 KLMD_GetLowerDeviceObject: Trying to get lower device object for 870D9AB8
16:31:37:703 3128 DetectCureTDL3: DEVICE_OBJECT: 870EC9E8
16:31:37:703 3128 KLMD_GetLowerDeviceObject: Trying to get lower device object for 870EC9E8
16:31:37:703 3128 DetectCureTDL3: DEVICE_OBJECT: 87148940
16:31:37:703 3128 KLMD_GetLowerDeviceObject: Trying to get lower device object for 87148940
16:31:37:703 3128 KLMD_ReadMem: Trying to ReadMemory 0x87148940[0x38]
16:31:37:703 3128 DetectCureTDL3: DRIVER_OBJECT: 8714BF38
16:31:37:703 3128 KLMD_ReadMem: Trying to ReadMemory 0x8714BF38[0xA8]
16:31:37:703 3128 KLMD_ReadMem: Trying to ReadMemory 0xE18B6968[0x1A]
16:31:37:703 3128 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
16:31:37:703 3128 DetectCureTDL3: IrpHandler (0) addr: F73C96F2
16:31:37:703 3128 DetectCureTDL3: IrpHandler (1) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (2) addr: F73C96F2
16:31:37:703 3128 DetectCureTDL3: IrpHandler (3) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (4) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (5) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (6) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (7) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (8) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (9) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (10) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (11) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (12) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (13) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (14) addr: F73C9712
16:31:37:703 3128 DetectCureTDL3: IrpHandler (15) addr: F73C5852
16:31:37:703 3128 DetectCureTDL3: IrpHandler (16) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (17) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (18) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (19) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (20) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (21) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (22) addr: F73C973C
16:31:37:703 3128 DetectCureTDL3: IrpHandler (23) addr: F73D0336
16:31:37:703 3128 DetectCureTDL3: IrpHandler (24) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (25) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (26) addr: 804F4562
16:31:37:703 3128 KLMD_ReadMem: Trying to ReadMemory 0xF73C6864[0x400]
16:31:37:703 3128 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
16:31:37:703 3128 TDL3_FileDetect: Processing driver: atapi
16:31:37:703 3128 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\atapi.sys
16:31:37:703 3128 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\atapi.sys
16:31:37:734 3128 TDL3_FileDetect: C:\WINDOWS\system32\drivers\atapi.sys - Verdict: Clean
16:31:37:734 3128
16:31:37:734 3128 Completed
16:31:37:734 3128
16:31:37:734 3128 Results:
16:31:37:734 3128 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
16:31:37:734 3128 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
16:31:37:734 3128 File objects infected / cured / cured on reboot: 0 / 0 / 0
16:31:37:734 3128
16:31:37:734 3128 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
16:31:37:734 3128 UtilityDeinit: KLMD(ARK) unloaded successfully
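The kernel-memory section of this log is TDSSKiller walking the \Driver\Disk device stack down to atapi, dumping each DRIVER_OBJECT's MajorFunction table (the "IrpHandler (n)" lines, in IRP_MJ_* order) and checking the StartIo routine, because TDL3 hides by patching those pointers in atapi.sys. The script below is an added example, not TDSSKiller's or Kaspersky's code: it parses "IrpHandler" lines per driver from a log in this format (including the "(8)" line that forum emoticon substitution split in two above) and flags any slot that points far away from the driver's own handlers. Two things are assumptions: that the address shared by most slots across drivers (804F4562 here) is the kernel's stub for unsupported requests, and that a driver's genuine handlers sit within a few hundred KB of each other, since the log carries no image bounds. The third driver table in the sample is constructed to show a hooked IRP_MJ_INTERNAL_DEVICE_CONTROL entry; everything else is copied from the log.

```python
"""Added example: flag DRIVER_OBJECT MajorFunction entries in a TDSSKiller
log that point outside the owning driver's code range (TDL3-style hook)."""
import re
from collections import Counter

# DRIVER_OBJECT.MajorFunction order (IRP_MJ_*); TDSSKiller logs indices 0..26.
IRP_MJ = [
    "CREATE", "CREATE_NAMED_PIPE", "CLOSE", "READ", "WRITE",
    "QUERY_INFORMATION", "SET_INFORMATION", "QUERY_EA", "SET_EA",
    "FLUSH_BUFFERS", "QUERY_VOLUME_INFORMATION", "SET_VOLUME_INFORMATION",
    "DIRECTORY_CONTROL", "FILE_SYSTEM_CONTROL", "DEVICE_CONTROL",
    "INTERNAL_DEVICE_CONTROL", "SHUTDOWN", "LOCK_CONTROL", "CLEANUP",
    "CREATE_MAILSLOT", "QUERY_SECURITY", "SET_SECURITY", "POWER",
    "SYSTEM_CONTROL", "DEVICE_CHANGE", "QUERY_QUOTA", "SET_QUOTA", "PNP",
]

DRIVER_RE = re.compile(r"DRIVER_OBJECT name: \S+, Driver Name: (\S+)")
HANDLER_RE = re.compile(r"IrpHandler \((\d+)\) addr: ([0-9A-Fa-f]{8})")
SPLIT_HEAD_RE = re.compile(r"IrpHandler \(\s*$")      # "(8)" eaten by emoticon
SPLIT_TAIL_RE = re.compile(r"^\s*addr: ([0-9A-Fa-f]{8})")

# Excerpt of the log (Disk, then a clean atapi table) followed by a CONSTRUCTED
# atapi table whose slot 15 points into pool memory instead of atapi.sys.
SAMPLE_LOG = """\
16:31:37:687 3128 DetectCureTDL3: DRIVER_OBJECT name: \\Driver\\Disk, Driver Name: Disk
16:31:37:687 3128 DetectCureTDL3: IrpHandler (0) addr: F75C2BB0
16:31:37:687 3128 DetectCureTDL3: IrpHandler (1) addr: 804F4562
16:31:37:687 3128 DetectCureTDL3: IrpHandler (2) addr: F75C2BB0
16:31:37:687 3128 DetectCureTDL3: IrpHandler (7) addr: 804F4562
16:31:37:687 3128 DetectCureTDL3: IrpHandler (
addr: 804F4562
16:31:37:687 3128 DetectCureTDL3: IrpHandler (9) addr: F75BD2E2
16:31:37:703 3128 DetectCureTDL3: DRIVER_OBJECT name: \\Driver\\atapi, Driver Name: atapi
16:31:37:703 3128 DetectCureTDL3: IrpHandler (0) addr: F73C96F2
16:31:37:703 3128 DetectCureTDL3: IrpHandler (1) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (14) addr: F73C9712
16:31:37:703 3128 DetectCureTDL3: IrpHandler (15) addr: F73C5852
16:31:37:703 3128 DetectCureTDL3: IrpHandler (23) addr: F73D0336
00:00:00:000 0000 DetectCureTDL3: DRIVER_OBJECT name: \\Driver\\atapi, Driver Name: atapi
00:00:00:000 0000 DetectCureTDL3: IrpHandler (0) addr: F73C96F2
00:00:00:000 0000 DetectCureTDL3: IrpHandler (1) addr: 804F4562
00:00:00:000 0000 DetectCureTDL3: IrpHandler (14) addr: F73C9712
00:00:00:000 0000 DetectCureTDL3: IrpHandler (15) addr: 8A1B2C3D
00:00:00:000 0000 DetectCureTDL3: IrpHandler (23) addr: F73D0336
"""


def parse_irp_tables(text):
    """Return [(driver_name, {slot: address})] in log order. A DRIVER_OBJECT is
    logged once per device object, so the same driver can appear repeatedly."""
    tables, current = [], None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        m = DRIVER_RE.search(line)
        if m:
            current = (m.group(1), {})
            tables.append(current)
        elif current is not None:
            m = HANDLER_RE.search(line)
            if m:
                current[1][int(m.group(1))] = int(m.group(2), 16)
            elif SPLIT_HEAD_RE.search(line) and i + 1 < len(lines):
                # Re-join the broken line; the missing slot is previous + 1.
                t = SPLIT_TAIL_RE.match(lines[i + 1])
                if t:
                    current[1][max(current[1], default=-1) + 1] = int(t.group(1), 16)
                    i += 1
        i += 1
    return tables


def default_handler(tables):
    """Address filling most slots across all drivers: assumed to be the
    kernel's stub for unsupported IRPs (804F4562 in this log)."""
    counts = Counter(a for _, t in tables for a in t.values())
    return counts.most_common(1)[0][0]


def suspicious_handlers(tables, span=0x40000):
    """Flag slots that are neither the shared default nor within `span` bytes
    of the median of the driver's own handlers (heuristic: no image bounds in
    the log). The median keeps a single hooked slot from skewing the anchor."""
    default = default_handler(tables)
    findings = []
    for name, table in tables:
        own = sorted(a for a in table.values() if a != default)
        if not own:
            continue
        anchor = own[len(own) // 2]
        for slot in sorted(table):
            addr = table[slot]
            if addr != default and abs(addr - anchor) > span:
                label = IRP_MJ[slot] if slot < len(IRP_MJ) else f"#{slot}"
                findings.append((name, slot, label, addr))
    return findings


if __name__ == "__main__":
    for name, slot, label, addr in suspicious_handlers(parse_irp_tables(SAMPLE_LOG)):
        print(f"{name}: IRP_MJ_{label} ({slot}) -> {addr:08X} is outside the driver's range")
```

Run against the constructed sample it reports only the planted atapi slot 15 (IRP_MJ_INTERNAL_DEVICE_CONTROL, the SCSI request path TDL3 cares about); the real Disk and atapi tables from the log produce nothing, matching the tool's "Clean" verdicts. On a live system the same check should be done against the driver's actual image range from the loaded-module list rather than the median heuristic, and the StartIo pointer (which TDSSKiller checks separately via TDL3_StartIoHookDetect) needs the same treatment, since it is not part of the MajorFunction table.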