Log Analysis and Evaluation: XP Internet Security

If you have caught a trojan or keep getting virus warnings, you can post the logs of our diagnostic tools here for evaluation by our experts. To remove viruses and trojans, the infected system must first be examined: First steps for help. Note that an infected system is not trustworthy and should not be used until the malware has been completely removed.

05.02.2010, 16:17   #46
XP Internet Security

Try what Argus suggested...
The atapi.sys doesn't seem to be ok...

Download and instructions at: http://www.trojaner-board.de/82358-t...tml#post640150
Extract all files! Also copy tdsskiller.exe to tdsskiller.com...

Create Start.bat:
Start -> All Programs -> Accessories -> Notepad and paste the following text into it:
TDSSKiller.com -l report.txt -v
DEL %0
  • Save as: start.bat
  • Save as type: All Files
  • save the file in the folder where TDSSKiller.com is
  • Double-click start.bat
TDSSKiller.com will start and generate a log (report.txt).
When TDSSKiller is finished, post the contents of report.txt.

05.02.2010, 16:48   #47
XP Internet Security

Yes, Argus's instructions worked. Man, really only the rename was needed. Great. Thanks! Here is the report file again

16:46:40:828 1276 TDSS rootkit removing tool 2.2.2 Jan 13 2010 08:42:25
16:46:40:828 1276 ================================================================================
16:46:40:828 1276 SystemInfo:

16:46:40:828 1276 OS Version: 5.1.2600 ServicePack: 3.0
16:46:40:828 1276 Product type: Workstation
16:46:40:828 1276 ComputerName: ***
16:46:40:828 1276 UserName: ***
16:46:40:828 1276 Windows directory: C:\WINDOWS
16:46:40:828 1276 Processor architecture: Intel x86
16:46:40:828 1276 Number of processors: 1
16:46:40:828 1276 Page size: 0x1000
16:46:40:828 1276 Boot type: Normal boot
16:46:40:828 1276 ================================================================================
16:46:40:828 1276 UnloadDriverW: NtUnloadDriver error 2
16:46:40:828 1276 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
16:46:40:843 1276 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
16:46:40:859 1276 UtilityInit: KLMD drop and load success
16:46:40:859 1276 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201000)
16:46:40:859 1276 UtilityInit: KLMD open success
16:46:40:859 1276 UtilityInit: Initialize success
16:46:40:859 1276
16:46:40:859 1276 Scanning Services ...
16:46:40:859 1276 CreateRegParser: Registry parser init started
16:46:40:859 1276 DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127
16:46:40:859 1276 CreateRegParser: DisableWow64Redirection error
16:46:40:859 1276 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
16:46:40:859 1276 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043
16:46:40:859 1276 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
16:46:40:859 1276 wfopen_ex: Trying to KLMD file open
16:46:40:859 1276 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system
16:46:40:859 1276 wfopen_ex: File opened ok (Flags 2)
16:46:40:859 1276 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: 384910
16:46:40:859 1276 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
16:46:40:859 1276 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043
16:46:40:859 1276 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
16:46:40:859 1276 wfopen_ex: Trying to KLMD file open
16:46:40:859 1276 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software
16:46:40:859 1276 wfopen_ex: File opened ok (Flags 2)
16:46:40:859 1276 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: 3849B8
16:46:40:859 1276 EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127
16:46:40:859 1276 CreateRegParser: EnableWow64Redirection error
16:46:40:859 1276 CreateRegParser: RegParser init completed
16:46:41:281 1276 GetAdvancedServicesInfo: Raw services enum returned 352 services
16:46:41:281 1276 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
16:46:41:281 1276 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
16:46:41:281 1276
16:46:41:281 1276 Scanning Kernel memory ...
16:46:41:281 1276 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
16:46:41:281 1276 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 86F3CA08
16:46:41:281 1276 DetectCureTDL3: KLMD_GetDeviceObjectList returned 4 DevObjects
16:46:41:281 1276
16:46:41:281 1276 DetectCureTDL3: DEVICE_OBJECT: 86C4C030
16:46:41:281 1276 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86C4C030
16:46:41:281 1276 KLMD_ReadMem: Trying to ReadMemory 0x86C4C030[0x38]
16:46:41:281 1276 DetectCureTDL3: DRIVER_OBJECT: 86F3CA08
16:46:41:281 1276 KLMD_ReadMem: Trying to ReadMemory 0x86F3CA08[0xA8]
16:46:41:281 1276 KLMD_ReadMem: Trying to ReadMemory 0xE1686ED8[0x18]
16:46:41:281 1276 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
16:46:41:281 1276 DetectCureTDL3: IrpHandler (0) addr: F769ABB0
16:46:41:281 1276 DetectCureTDL3: IrpHandler (1) addr: 804FA87E
16:46:41:281 1276 DetectCureTDL3: IrpHandler (2) addr: F769ABB0
16:46:41:296 1276 DetectCureTDL3: IrpHandler (3) addr: F7694D1F
16:46:41:296 1276 DetectCureTDL3: IrpHandler (4) addr: F7694D1F
16:46:41:296 1276 DetectCureTDL3: IrpHandler (5) addr: 804FA87E
16:46:41:296 1276 DetectCureTDL3: IrpHandler (6) addr: 804FA87E
16:46:41:296 1276 DetectCureTDL3: IrpHandler (7) addr: 804FA87E
16:46:41:296 1276 DetectCureTDL3: IrpHandler (8) addr: 804FA87E
16:46:41:296 1276 DetectCureTDL3: IrpHandler (9) addr: F76952E2
16:46:41:296 1276 DetectCureTDL3: IrpHandler (10) addr: 804FA87E
16:46:41:296 1276 DetectCureTDL3: IrpHandler (11) addr: 804FA87E
16:46:41:296 1276 DetectCureTDL3: IrpHandler (12) addr: 804FA87E
16:46:41:296 1276 DetectCureTDL3: IrpHandler (13) addr: 804FA87E
16:46:41:296 1276 DetectCureTDL3: IrpHandler (14) addr: F76953BB
16:46:41:296 1276 DetectCureTDL3: IrpHandler (15) addr: F7698F28
16:46:41:296 1276 DetectCureTDL3: IrpHandler (16) addr: F76952E2
16:46:41:296 1276 DetectCureTDL3: IrpHandler (17) addr: 804FA87E
16:46:41:296 1276 DetectCureTDL3: IrpHandler (18) addr: 804FA87E
16:46:41:296 1276 DetectCureTDL3: IrpHandler (19) addr: 804FA87E
16:46:41:296 1276 DetectCureTDL3: IrpHandler (20) addr: 804FA87E
16:46:41:296 1276 DetectCureTDL3: IrpHandler (21) addr: 804FA87E
16:46:41:296 1276 DetectCureTDL3: IrpHandler (22) addr: F7696C82
16:46:41:296 1276 DetectCureTDL3: IrpHandler (23) addr: F769B99E
16:46:41:296 1276 DetectCureTDL3: IrpHandler (24) addr: 804FA87E
16:46:41:296 1276 DetectCureTDL3: IrpHandler (25) addr: 804FA87E
16:46:41:296 1276 DetectCureTDL3: IrpHandler (26) addr: 804FA87E
16:46:41:296 1276 TDL3_FileDetect: Processing driver: Disk
16:46:41:296 1276 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
16:46:41:296 1276 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
16:46:41:312 1276 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
16:46:41:312 1276
16:46:41:312 1276 DetectCureTDL3: DEVICE_OBJECT: 86C58770
16:46:41:312 1276 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86C58770
16:46:41:312 1276 DetectCureTDL3: DEVICE_OBJECT: 86C07030
16:46:41:312 1276 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86C07030
16:46:41:312 1276 KLMD_ReadMem: Trying to ReadMemory 0x86C07030[0x38]
16:46:41:312 1276 DetectCureTDL3: DRIVER_OBJECT: 86EFB240
16:46:41:312 1276 KLMD_ReadMem: Trying to ReadMemory 0x86EFB240[0xA8]
16:46:41:312 1276 KLMD_ReadMem: Trying to ReadMemory 0xE1677060[0x1E]
16:46:41:312 1276 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR
16:46:41:312 1276 DetectCureTDL3: IrpHandler (0) addr: 8672D1F8
16:46:41:312 1276 DetectCureTDL3: IrpHandler (1) addr: 804FA87E
16:46:41:312 1276 DetectCureTDL3: IrpHandler (2) addr: 8672D1F8
16:46:41:312 1276 DetectCureTDL3: IrpHandler (3) addr: 8672D1F8
16:46:41:312 1276 DetectCureTDL3: IrpHandler (4) addr: 8672D1F8
16:46:41:312 1276 DetectCureTDL3: IrpHandler (5) addr: 804FA87E
16:46:41:312 1276 DetectCureTDL3: IrpHandler (6) addr: 804FA87E
16:46:41:312 1276 DetectCureTDL3: IrpHandler (7) addr: 804FA87E
16:46:41:312 1276 DetectCureTDL3: IrpHandler (8) addr: 804FA87E
16:46:41:312 1276 DetectCureTDL3: IrpHandler (9) addr: 804FA87E
16:46:41:312 1276 DetectCureTDL3: IrpHandler (10) addr: 804FA87E
16:46:41:312 1276 DetectCureTDL3: IrpHandler (11) addr: 804FA87E
16:46:41:312 1276 DetectCureTDL3: IrpHandler (12) addr: 804FA87E
16:46:41:312 1276 DetectCureTDL3: IrpHandler (13) addr: 804FA87E
16:46:41:312 1276 DetectCureTDL3: IrpHandler (14) addr: 8672D1F8
16:46:41:312 1276 DetectCureTDL3: IrpHandler (15) addr: 8672D1F8
16:46:41:312 1276 DetectCureTDL3: IrpHandler (16) addr: 804FA87E
16:46:41:312 1276 DetectCureTDL3: IrpHandler (17) addr: 804FA87E
16:46:41:312 1276 DetectCureTDL3: IrpHandler (18) addr: 804FA87E
16:46:41:312 1276 DetectCureTDL3: IrpHandler (19) addr: 804FA87E
16:46:41:312 1276 DetectCureTDL3: IrpHandler (20) addr: 804FA87E
16:46:41:312 1276 DetectCureTDL3: IrpHandler (21) addr: 804FA87E
16:46:41:312 1276 DetectCureTDL3: IrpHandler (22) addr: 8672D1F8
16:46:41:312 1276 DetectCureTDL3: IrpHandler (23) addr: 8672D1F8
16:46:41:312 1276 DetectCureTDL3: IrpHandler (24) addr: 804FA87E
16:46:41:312 1276 DetectCureTDL3: IrpHandler (25) addr: 804FA87E
16:46:41:312 1276 DetectCureTDL3: IrpHandler (26) addr: 804FA87E
16:46:41:312 1276 KLMD_ReadMem: Trying to ReadMemory 0xF78D5F26[0x400]
16:46:41:312 1276 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
16:46:41:312 1276 TDL3_FileDetect: Processing driver: USBSTOR
16:46:41:312 1276 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
16:46:41:312 1276 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
16:46:41:328 1276 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
16:46:41:328 1276
16:46:41:328 1276 DetectCureTDL3: DEVICE_OBJECT: 86E8E9F0
16:46:41:328 1276 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86E8E9F0
16:46:41:328 1276 KLMD_ReadMem: Trying to ReadMemory 0x86E8E9F0[0x38]
16:46:41:328 1276 DetectCureTDL3: DRIVER_OBJECT: 86F3CA08
16:46:41:328 1276 KLMD_ReadMem: Trying to ReadMemory 0x86F3CA08[0xA8]
16:46:41:328 1276 KLMD_ReadMem: Trying to ReadMemory 0xE1686ED8[0x18]
16:46:41:328 1276 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
16:46:41:328 1276 DetectCureTDL3: IrpHandler (0) addr: F769ABB0
16:46:41:328 1276 DetectCureTDL3: IrpHandler (1) addr: 804FA87E
16:46:41:328 1276 DetectCureTDL3: IrpHandler (2) addr: F769ABB0
16:46:41:328 1276 DetectCureTDL3: IrpHandler (3) addr: F7694D1F
16:46:41:328 1276 DetectCureTDL3: IrpHandler (4) addr: F7694D1F
16:46:41:328 1276 DetectCureTDL3: IrpHandler (5) addr: 804FA87E
16:46:41:328 1276 DetectCureTDL3: IrpHandler (6) addr: 804FA87E
16:46:41:328 1276 DetectCureTDL3: IrpHandler (7) addr: 804FA87E
16:46:41:328 1276 DetectCureTDL3: IrpHandler (8) addr: 804FA87E
16:46:41:328 1276 DetectCureTDL3: IrpHandler (9) addr: F76952E2
16:46:41:328 1276 DetectCureTDL3: IrpHandler (10) addr: 804FA87E
16:46:41:328 1276 DetectCureTDL3: IrpHandler (11) addr: 804FA87E
16:46:41:328 1276 DetectCureTDL3: IrpHandler (12) addr: 804FA87E
16:46:41:328 1276 DetectCureTDL3: IrpHandler (13) addr: 804FA87E
16:46:41:328 1276 DetectCureTDL3: IrpHandler (14) addr: F76953BB
16:46:41:328 1276 DetectCureTDL3: IrpHandler (15) addr: F7698F28
16:46:41:328 1276 DetectCureTDL3: IrpHandler (16) addr: F76952E2
16:46:41:328 1276 DetectCureTDL3: IrpHandler (17) addr: 804FA87E
16:46:41:328 1276 DetectCureTDL3: IrpHandler (18) addr: 804FA87E
16:46:41:328 1276 DetectCureTDL3: IrpHandler (19) addr: 804FA87E
16:46:41:328 1276 DetectCureTDL3: IrpHandler (20) addr: 804FA87E
16:46:41:328 1276 DetectCureTDL3: IrpHandler (21) addr: 804FA87E
16:46:41:328 1276 DetectCureTDL3: IrpHandler (22) addr: F7696C82
16:46:41:328 1276 DetectCureTDL3: IrpHandler (23) addr: F769B99E
16:46:41:328 1276 DetectCureTDL3: IrpHandler (24) addr: 804FA87E
16:46:41:328 1276 DetectCureTDL3: IrpHandler (25) addr: 804FA87E
16:46:41:328 1276 DetectCureTDL3: IrpHandler (26) addr: 804FA87E
16:46:41:328 1276 TDL3_FileDetect: Processing driver: Disk
16:46:41:328 1276 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
16:46:41:328 1276 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
16:46:41:328 1276 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
16:46:41:328 1276
16:46:41:328 1276 DetectCureTDL3: DEVICE_OBJECT: 86EF5AB8
16:46:41:328 1276 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86EF5AB8
16:46:41:328 1276 DetectCureTDL3: DEVICE_OBJECT: 86F3D9E8
16:46:41:328 1276 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86F3D9E8
16:46:41:328 1276 DetectCureTDL3: DEVICE_OBJECT: 86F3DD98
16:46:41:328 1276 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86F3DD98
16:46:41:328 1276 KLMD_ReadMem: Trying to ReadMemory 0x86F3DD98[0x38]
16:46:41:328 1276 DetectCureTDL3: DRIVER_OBJECT: 86FCA400
16:46:41:328 1276 KLMD_ReadMem: Trying to ReadMemory 0x86FCA400[0xA8]
16:46:41:328 1276 KLMD_ReadMem: Trying to ReadMemory 0xE167C5F0[0x1A]
16:46:41:328 1276 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
16:46:41:328 1276 DetectCureTDL3: IrpHandler (0) addr: F746CB40
16:46:41:328 1276 DetectCureTDL3: IrpHandler (1) addr: 804FA87E
16:46:41:328 1276 DetectCureTDL3: IrpHandler (2) addr: F746CB40
16:46:41:328 1276 DetectCureTDL3: IrpHandler (3) addr: 804FA87E
16:46:41:328 1276 DetectCureTDL3: IrpHandler (4) addr: 804FA87E
16:46:41:328 1276 DetectCureTDL3: IrpHandler (5) addr: 804FA87E
16:46:41:328 1276 DetectCureTDL3: IrpHandler (6) addr: 804FA87E
16:46:41:328 1276 DetectCureTDL3: IrpHandler (7) addr: 804FA87E
16:46:41:328 1276 DetectCureTDL3: IrpHandler (8) addr: 804FA87E
16:46:41:328 1276 DetectCureTDL3: IrpHandler (9) addr: 804FA87E
16:46:41:328 1276 DetectCureTDL3: IrpHandler (10) addr: 804FA87E
16:46:41:328 1276 DetectCureTDL3: IrpHandler (11) addr: 804FA87E
16:46:41:328 1276 DetectCureTDL3: IrpHandler (12) addr: 804FA87E
16:46:41:328 1276 DetectCureTDL3: IrpHandler (13) addr: 804FA87E
16:46:41:328 1276 DetectCureTDL3: IrpHandler (14) addr: F746CB40
16:46:41:328 1276 DetectCureTDL3: IrpHandler (15) addr: F746CB40
16:46:41:328 1276 DetectCureTDL3: IrpHandler (16) addr: 804FA87E
16:46:41:328 1276 DetectCureTDL3: IrpHandler (17) addr: 804FA87E
16:46:41:328 1276 DetectCureTDL3: IrpHandler (18) addr: 804FA87E
16:46:41:328 1276 DetectCureTDL3: IrpHandler (19) addr: 804FA87E
16:46:41:328 1276 DetectCureTDL3: IrpHandler (20) addr: 804FA87E
16:46:41:328 1276 DetectCureTDL3: IrpHandler (21) addr: 804FA87E
16:46:41:328 1276 DetectCureTDL3: IrpHandler (22) addr: F746CB40
16:46:41:328 1276 DetectCureTDL3: IrpHandler (23) addr: F746CB40
16:46:41:328 1276 DetectCureTDL3: IrpHandler (24) addr: 804FA87E
16:46:41:328 1276 DetectCureTDL3: IrpHandler (25) addr: 804FA87E
16:46:41:328 1276 DetectCureTDL3: IrpHandler (26) addr: 804FA87E
16:46:41:328 1276 KLMD_ReadMem: Trying to ReadMemory 0xF746A864[0x400]
16:46:41:328 1276 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
16:46:41:328 1276 TDL3_FileDetect: Processing driver: atapi
16:46:41:328 1276 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
16:46:41:328 1276 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\atapi.sys
16:46:41:328 1276 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Clean
16:46:41:328 1276
16:46:41:328 1276 Completed
16:46:41:328 1276
16:46:41:328 1276 Results:
16:46:41:328 1276 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
16:46:41:328 1276 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
16:46:41:328 1276 File objects infected / cured / cured on reboot: 0 / 0 / 0
16:46:41:343 1276
16:46:41:343 1276 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
16:46:41:343 1276 UtilityDeinit: KLMD(ARK) unloaded successfully
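The report above is long but built from a small fixed vocabulary: one DRIVER_OBJECT line per device stack, 27 IrpHandler lines per driver, one Verdict line per driver file and three Results counters. The following is an added example, not code from the thread or from Kaspersky's tool, that parses a report in that layout and answers "is atapi.sys ok?" from the log rather than by eyeballing it. It also lists the distinct IRP dispatch addresses per driver; in the posted log every driver's unimplemented entries share one address (804FA87E), so that one is a kernel-side default rather than driver code, and an entry pointing somewhere unique is the thing to look at. Both sample reports are constructed in the posted layout; the "Verdict: Infected" wording in the second sample is an assumption, not a string confirmed from TDSSKiller output.

```python
import re

# Constructed sample in the layout of the TDSSKiller 2.2.x report posted above.
SAMPLE_REPORT = r"""
16:46:40:828 1276 TDSS rootkit removing tool 2.2.2 Jan 13 2010 08:42:25
16:46:40:828 1276 OS Version: 5.1.2600 ServicePack: 3.0
16:46:41:281 1276 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
16:46:41:281 1276 DetectCureTDL3: IrpHandler (0) addr: F769ABB0
16:46:41:281 1276 DetectCureTDL3: IrpHandler (1) addr: 804FA87E
16:46:41:296 1276 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
16:46:41:312 1276 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
16:46:41:328 1276 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
16:46:41:328 1276 DetectCureTDL3: IrpHandler (0) addr: F746CB40
16:46:41:328 1276 DetectCureTDL3: IrpHandler (1) addr: 804FA87E
16:46:41:328 1276 DetectCureTDL3: IrpHandler (14) addr: F746CB40
16:46:41:328 1276 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Clean
16:46:41:328 1276 Results:
16:46:41:328 1276 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
16:46:41:328 1276 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
16:46:41:328 1276 File objects infected / cured / cured on reboot: 0 / 0 / 0
"""

# Second constructed sample for the failure path. "Verdict: Infected" is an
# assumed wording, not a string confirmed from real TDSSKiller output.
SAMPLE_INFECTED = r"""
16:50:00:000 1300 TDSS rootkit removing tool 2.2.2 Jan 13 2010 08:42:25
16:50:00:000 1300 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
16:50:00:000 1300 DetectCureTDL3: IrpHandler (0) addr: F746CB40
16:50:00:000 1300 DetectCureTDL3: IrpHandler (14) addr: 86A1C3F0
16:50:00:000 1300 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Infected
16:50:00:000 1300 Memory objects infected / cured / cured on reboot: 1 / 1 / 0
16:50:00:000 1300 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
16:50:00:000 1300 File objects infected / cured / cured on reboot: 1 / 0 / 1
"""

# Every line starts with hh:mm:ss:ms and the process id; the payload follows.
PREFIX = r"^\d{2}:\d{2}:\d{2}:\d{3}\s+\d+\s+"
RE_TOOL = re.compile(PREFIX + r"TDSS rootkit removing tool (\S+)")
RE_OS = re.compile(PREFIX + r"OS Version: (\S+) ServicePack: (\S+)")
RE_DRIVER = re.compile(PREFIX + r"DetectCureTDL3: DRIVER_OBJECT name: (\S+), Driver Name: (\S+)")
RE_IRP = re.compile(PREFIX + r"DetectCureTDL3: IrpHandler \((\d+)\) addr: ([0-9A-Fa-f]+)")
RE_VERDICT = re.compile(PREFIX + r"TDL3_FileDetect: (.+?) - Verdict: (\S+)")
RE_RESULT = re.compile(PREFIX + r"(Memory|Registry|File) objects infected / cured / cured on reboot: "
                       r"(\d+) / (\d+) / (\d+)")


def parse_report(text):
    """Tool/OS info, per-driver IRP dispatch table and file verdict, and the Results counters."""
    report = {"tool_version": None, "os_version": None, "drivers": {}, "results": {}}
    current = None  # driver whose IrpHandler / Verdict lines we are currently inside
    for line in text.splitlines():
        if m := RE_TOOL.match(line):
            report["tool_version"] = m.group(1)
        elif m := RE_OS.match(line):
            report["os_version"] = (m.group(1), m.group(2))
        elif m := RE_DRIVER.match(line):
            # A driver object is listed once per device stack it serves (Disk appears
            # twice in the posted log); merge those hits under one driver name.
            current = report["drivers"].setdefault(
                m.group(2), {"object": m.group(1), "irp_handlers": {}, "file": None, "verdict": None})
        elif (m := RE_IRP.match(line)) and current is not None:
            current["irp_handlers"][int(m.group(1))] = int(m.group(2), 16)
        elif (m := RE_VERDICT.match(line)) and current is not None:
            current["file"], current["verdict"] = m.group(1), m.group(2)
        elif m := RE_RESULT.match(line):
            report["results"][m.group(1).lower()] = tuple(int(x) for x in m.groups()[1:])
    return report


def dispatch_targets(report):
    """Distinct IRP dispatch addresses per driver, as hex strings, for a quick visual diff."""
    return {name: sorted({hex(a) for a in d["irp_handlers"].values()})
            for name, d in report["drivers"].items()}


def findings(report):
    """Everything in the report that contradicts 'nothing found'."""
    issues = []
    for name, d in report["drivers"].items():
        if d["verdict"] is None:
            issues.append(f"{name}: no file verdict in report")
        elif d["verdict"] != "Clean":
            issues.append(f"{name}: verdict {d['verdict']} for {d['file']}")
    for kind in ("memory", "registry", "file"):
        infected, cured, on_reboot = report["results"].get(kind, (0, 0, 0))
        if infected:
            issues.append(f"{kind} objects: {infected} infected, {cured} cured, {on_reboot} cured on reboot")
    return issues


if __name__ == "__main__":
    for text in (SAMPLE_REPORT, SAMPLE_INFECTED):
        rep = parse_report(text)
        print(rep["tool_version"], rep["os_version"], dispatch_targets(rep))
        print(findings(rep) or ["no findings; report says clean"])
```

Run it against a saved report.txt by reading the file into parse_report; an empty findings() list is the same conclusion the helper drew above from the three "0 / 0 / 0" lines and the "Verdict: Clean" for atapi.sys.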

05.02.2010, 16:58   #48
XP Internet Security

Good, then run MAM and post the log...


05.02.2010, 20:57   #49
XP Internet Security

What did MAM find?

Otherwise, here is another reg script that bends the remaining registry keys back into shape...
As always, paste it into Notepad, save as exe2.reg, run it by double-clicking and merge. Browsers should run again now...

Windows Registry Editor Version 5.00

"Content Type"="application/x-msdownload"

@="C:\\Programme\\Mozilla Firefox\\firefox.exe"

@="\"C:\\Programme\\Mozilla Firefox\\firefox.exe\" -safe-mode"

@="C:\\Programme\\Internet Explorer\\iexplore.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000
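The script above puts a handful of values back by hand. As an added example that is not from the thread, here is a small .reg reader together with an audit of exactly the settings this kind of hijack touches: the .exe content type, the exefile open command, the per-browser shell commands under HKEY_CLASSES_ROOT\Applications, and the two Security Center override flags. Both .reg fragments are constructed. The "hijacked" one, including the av.exe path, is an assumption about what such a rogue leaves behind; the "restored" one carries the Windows XP defaults. The exefile\shell\open\command key is not part of the posted script and is included here as an assumed target of the hijack.

```python
import re
import ntpath

HEADER = "Windows Registry Editor Version 5.00"

# Constructed fragment, assumed to resemble a hijacked system: .exe files and the
# browsers launch through a hypothetical av.exe, and the Security Center overrides
# are set so the "no antivirus / no firewall" warnings stay quiet.
HIJACKED_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Dokumente und Einstellungen\\user\\Lokale Einstellungen\\Anwendungsdaten\\av.exe\" /START \"%1\" %*"

[HKEY_CLASSES_ROOT\Applications\firefox.exe\shell\open\command]
@="\"C:\\Dokumente und Einstellungen\\user\\Lokale Einstellungen\\Anwendungsdaten\\av.exe\" -a \"C:\\Programme\\Mozilla Firefox\\firefox.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"""

# Constructed fragment with the same values restored to the Windows XP defaults.
RESTORED_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\Applications\firefox.exe\shell\open\command]
@="C:\\Programme\\Mozilla Firefox\\firefox.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000
"""

EXE_KEY = r"HKEY_CLASSES_ROOT\.exe"
EXE_CMD_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
SC_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center"
APP_CMD = re.compile(r"HKEY_CLASSES_ROOT\\Applications\\([^\\]+)\\shell\\[^\\]+\\command$", re.I)


def _unquote(s):
    """Strip the surrounding quotes of a .reg string and undo its \\" and \\\\ escapes."""
    if len(s) < 2 or s[0] != '"' or s[-1] != '"':
        raise ValueError(f"not a quoted .reg string: {s}")
    return re.sub(r'\\(["\\])', r'\1', s[1:-1])


def parse_reg(text):
    """Minimal .reg reader: [key] sections, "name"=value and @=value lines, string and
    dword values. hex(...) and multi-line values are out of scope for this check."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != HEADER:
        raise ValueError("missing .reg header")
    reg, key = {}, None
    for line in lines[1:]:
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            reg.setdefault(key, {})
            continue
        if key is None:
            raise ValueError(f"value line outside any [key] section: {line}")
        name, sep, raw = line.partition("=")
        if not sep:
            raise ValueError(f"malformed value line: {line}")
        name = "@" if name == "@" else _unquote(name)  # @ is the key's (Default) value
        reg[key][name] = int(raw[len("dword:"):], 16) if raw.startswith("dword:") else _unquote(raw)
    return reg


def _launcher(cmd):
    """The executable a shell command line actually starts."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    # Unquoted path with spaces: CreateProcess resolves it as a whole, so keep it whole.
    return cmd if cmd.lower().endswith(".exe") else cmd.split()[0]


def audit(reg):
    """Flag the settings this kind of hijack touches; an empty list means restored."""
    issues = []
    cmd = reg.get(EXE_CMD_KEY, {}).get("@")
    if cmd is not None and cmd.strip() != '"%1" %*':
        issues.append(f"exefile open command hijacked: {cmd}")
    ctype = reg.get(EXE_KEY, {}).get("Content Type")
    if ctype is not None and ctype != "application/x-msdownload":
        issues.append(f".exe Content Type changed: {ctype}")
    for name in ("AntiVirusOverride", "FirewallOverride"):
        value = reg.get(SC_KEY, {}).get(name, 0)
        if value != 0:
            issues.append(f"Security Center {name}={value}: missing AV/firewall warnings are suppressed")
    for key, values in reg.items():
        m = APP_CMD.match(key)
        if m and "@" in values:
            exe = ntpath.basename(_launcher(values["@"])).lower()
            if exe != m.group(1).lower():
                issues.append(f"{m.group(1)} launches through {exe}: {values['@']}")
    return issues


if __name__ == "__main__":
    for label, text in (("hijacked", HIJACKED_REG), ("restored", RESTORED_REG)):
        print(label, audit(parse_reg(text)) or "ok")
```

parse_reg refuses a value line that is not under a [key] header, so a fragment whose key headers have been lost (like the bare "Content Type" and @= lines above) is rejected rather than silently merged into the wrong key; export the live keys with regedit before and after merging a fix and run audit() on both to confirm the change took.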
