Pests of all kinds and how to fight them: Rootkit.Win32.TDSS.d cannot be removed with TDSSKiller.exe! (Windows 7)

If you are not sure whether you have picked up malware or a trojan, open a thread here. An expert will reply with further instructions and help you remove the malware or uninstall/delete unwanted software. Please describe your problem as precisely as possible. If it is a trojan or virus problem, an expert will help you clean up the infection.

#1
Rootkit.Win32.TDSS.d cannot be removed with TDSSKiller.exe!

Hello everyone,

yesterday, during a full scan with Kaspersky Internet Security, I found the malware "Rootkit.Win32.TDSS.d". Kaspersky offers the option "special disinfection procedure followed by a restart of the computer". After the restart the problem is still there. In the forum I came across the program TDSSKiller.exe. Even after running that program the virus is still found. This morning I ran TDSSKiller.exe again. Strangely, the program now no longer gives any prompt to restart, which it did yesterday. The following log file is produced:

-------------------------------------------------------------------------
08:51:22:828 3156 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
08:51:22:828 3156 ================================================================================
08:51:22:828 3156 SystemInfo:
08:51:22:828 3156 OS Version: 5.1.2600 ServicePack: 3.0
08:51:22:828 3156 Product type: Workstation
08:51:22:828 3156 ComputerName: BUERO-PC
08:51:22:828 3156 UserName: xxxxxxxx xxxxxxxxxxx
08:51:22:828 3156 Windows directory: C:\WINDOWS
08:51:22:828 3156 Processor architecture: Intel x86
08:51:22:828 3156 Number of processors: 2
08:51:22:828 3156 Page size: 0x1000
08:51:22:828 3156 Boot type: Normal boot
08:51:22:828 3156 ================================================================================
08:51:22:843 3156 UnloadDriverW: NtUnloadDriver error 1
08:51:22:843 3156 ForceUnloadDriverW: UnloadDriverW(klmd21) error 1
08:51:22:906 3156 LoadDriverW: Driver already loaded
08:51:22:906 3156 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
08:51:22:906 3156 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
08:51:22:906 3156 wfopen_ex: Trying to KLMD file open
08:51:22:906 3156 wfopen_ex: File opened ok (Flags 2)
08:51:22:906 3156 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
08:51:22:906 3156 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
08:51:22:906 3156 wfopen_ex: Trying to KLMD file open
08:51:22:906 3156 wfopen_ex: File opened ok (Flags 2)
08:51:22:906 3156 Initialize success
08:51:22:906 3156 
08:51:22:906 3156 Scanning Services ...
08:51:23:218 3156 Raw services enum returned 346 services
08:51:23:218 3156 
08:51:23:218 3156 Scanning Kernel memory ...
08:51:23:218 3156 Devices to scan: 7
08:51:23:218 3156 
08:51:23:218 3156 Driver Name: Disk
08:51:23:218 3156 IRP_MJ_CREATE : F763DBB0
08:51:23:218 3156 IRP_MJ_CREATE_NAMED_PIPE : 804F9759
08:51:23:218 3156 IRP_MJ_CLOSE : F763DBB0
08:51:23:218 3156 IRP_MJ_READ : F7637D1F
08:51:23:218 3156 IRP_MJ_WRITE : F7637D1F
08:51:23:218 3156 IRP_MJ_QUERY_INFORMATION : 804F9759
08:51:23:218 3156 IRP_MJ_SET_INFORMATION : 804F9759
08:51:23:218 3156 IRP_MJ_QUERY_EA : 804F9759
08:51:23:218 3156 IRP_MJ_SET_EA : 804F9759
08:51:23:218 3156 IRP_MJ_FLUSH_BUFFERS : F76382E2
08:51:23:218 3156 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9759
08:51:23:218 3156 IRP_MJ_SET_VOLUME_INFORMATION : 804F9759
08:51:23:218 3156 IRP_MJ_DIRECTORY_CONTROL : 804F9759
08:51:23:218 3156 IRP_MJ_FILE_SYSTEM_CONTROL : 804F9759
08:51:23:218 3156 IRP_MJ_DEVICE_CONTROL : F76383BB
08:51:23:218 3156 IRP_MJ_INTERNAL_DEVICE_CONTROL : F763BF28
08:51:23:218 3156 IRP_MJ_SHUTDOWN : F76382E2
08:51:23:218 3156 IRP_MJ_LOCK_CONTROL : 804F9759
08:51:23:218 3156 IRP_MJ_CLEANUP : 804F9759
08:51:23:218 3156 IRP_MJ_CREATE_MAILSLOT : 804F9759
08:51:23:218 3156 IRP_MJ_QUERY_SECURITY : 804F9759
08:51:23:218 3156 IRP_MJ_SET_SECURITY : 804F9759
08:51:23:218 3156 IRP_MJ_POWER : F7639C82
08:51:23:218 3156 IRP_MJ_SYSTEM_CONTROL : F763E99E
08:51:23:218 3156 IRP_MJ_DEVICE_CHANGE : 804F9759
08:51:23:218 3156 IRP_MJ_QUERY_QUOTA : 804F9759
08:51:23:218 3156 IRP_MJ_SET_QUOTA : 804F9759
08:51:23:250 3156 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
08:51:23:250 3156 
08:51:23:250 3156 Driver Name: usbstor
08:51:23:250 3156 IRP_MJ_CREATE : F77AC218
08:51:23:250 3156 IRP_MJ_CREATE_NAMED_PIPE : 804F9759
08:51:23:250 3156 IRP_MJ_CLOSE : F77AC218
08:51:23:250 3156 IRP_MJ_READ : F77AC23C
08:51:23:250 3156 IRP_MJ_WRITE : F77AC23C
08:51:23:250 3156 IRP_MJ_QUERY_INFORMATION : 804F9759
08:51:23:250 3156 IRP_MJ_SET_INFORMATION : 804F9759
08:51:23:250 3156 IRP_MJ_QUERY_EA : 804F9759
08:51:23:250 3156 IRP_MJ_SET_EA : 804F9759
08:51:23:250 3156 IRP_MJ_FLUSH_BUFFERS : 804F9759
08:51:23:250 3156 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9759
08:51:23:250 3156 IRP_MJ_SET_VOLUME_INFORMATION : 804F9759
08:51:23:250 3156 IRP_MJ_DIRECTORY_CONTROL : 804F9759
08:51:23:250 3156 IRP_MJ_FILE_SYSTEM_CONTROL : 804F9759
08:51:23:250 3156 IRP_MJ_DEVICE_CONTROL : F77AC180
08:51:23:250 3156 IRP_MJ_INTERNAL_DEVICE_CONTROL : F77A79E6
08:51:23:250 3156 IRP_MJ_SHUTDOWN : 804F9759
08:51:23:250 3156 IRP_MJ_LOCK_CONTROL : 804F9759
08:51:23:250 3156 IRP_MJ_CLEANUP : 804F9759
08:51:23:250 3156 IRP_MJ_CREATE_MAILSLOT : 804F9759
08:51:23:250 3156 IRP_MJ_QUERY_SECURITY : 804F9759
08:51:23:250 3156 IRP_MJ_SET_SECURITY : 804F9759
08:51:23:250 3156 IRP_MJ_POWER : F77AB5F0
08:51:23:250 3156 IRP_MJ_SYSTEM_CONTROL : F77A9A6E
08:51:23:250 3156 IRP_MJ_DEVICE_CHANGE : 804F9759
08:51:23:250 3156 IRP_MJ_QUERY_QUOTA : 804F9759
08:51:23:250 3156 IRP_MJ_SET_QUOTA : 804F9759
08:51:23:250 3156 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
08:51:23:250 3156 
08:51:23:250 3156 Driver Name: Disk
08:51:23:250 3156 IRP_MJ_CREATE : F763DBB0
08:51:23:250 3156 IRP_MJ_CREATE_NAMED_PIPE : 804F9759
08:51:23:250 3156 IRP_MJ_CLOSE : F763DBB0
08:51:23:250 3156 IRP_MJ_READ : F7637D1F
08:51:23:250 3156 IRP_MJ_WRITE : F7637D1F
08:51:23:250 3156 IRP_MJ_QUERY_INFORMATION : 804F9759
08:51:23:250 3156 IRP_MJ_SET_INFORMATION : 804F9759
08:51:23:250 3156 IRP_MJ_QUERY_EA : 804F9759
08:51:23:250 3156 IRP_MJ_SET_EA : 804F9759
08:51:23:250 3156 IRP_MJ_FLUSH_BUFFERS : F76382E2
08:51:23:250 3156 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9759
08:51:23:250 3156 IRP_MJ_SET_VOLUME_INFORMATION : 804F9759
08:51:23:250 3156 IRP_MJ_DIRECTORY_CONTROL : 804F9759
08:51:23:250 3156 IRP_MJ_FILE_SYSTEM_CONTROL : 804F9759
08:51:23:250 3156 IRP_MJ_DEVICE_CONTROL : F76383BB
08:51:23:250 3156 IRP_MJ_INTERNAL_DEVICE_CONTROL : F763BF28
08:51:23:250 3156 IRP_MJ_SHUTDOWN : F76382E2
08:51:23:250 3156 IRP_MJ_LOCK_CONTROL : 804F9759
08:51:23:250 3156 IRP_MJ_CLEANUP : 804F9759
08:51:23:250 3156 IRP_MJ_CREATE_MAILSLOT : 804F9759
08:51:23:250 3156 IRP_MJ_QUERY_SECURITY : 804F9759
08:51:23:250 3156 IRP_MJ_SET_SECURITY : 804F9759
08:51:23:250 3156 IRP_MJ_POWER : F7639C82
08:51:23:250 3156 IRP_MJ_SYSTEM_CONTROL : F763E99E
08:51:23:250 3156 IRP_MJ_DEVICE_CHANGE : 804F9759
08:51:23:250 3156 IRP_MJ_QUERY_QUOTA : 804F9759
08:51:23:250 3156 IRP_MJ_SET_QUOTA : 804F9759
08:51:23:250 3156 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
08:51:23:250 3156 
08:51:23:250 3156 Driver Name: usbstor
08:51:23:250 3156 IRP_MJ_CREATE : F77AC218
08:51:23:250 3156 IRP_MJ_CREATE_NAMED_PIPE : 804F9759
08:51:23:250 3156 IRP_MJ_CLOSE : F77AC218
08:51:23:250 3156 IRP_MJ_READ : F77AC23C
08:51:23:250 3156 IRP_MJ_WRITE : F77AC23C
08:51:23:250 3156 IRP_MJ_QUERY_INFORMATION : 804F9759
08:51:23:250 3156 IRP_MJ_SET_INFORMATION : 804F9759
08:51:23:250 3156 IRP_MJ_QUERY_EA : 804F9759
08:51:23:250 3156 IRP_MJ_SET_EA : 804F9759
08:51:23:250 3156 IRP_MJ_FLUSH_BUFFERS : 804F9759
08:51:23:250 3156 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9759
08:51:23:250 3156 IRP_MJ_SET_VOLUME_INFORMATION : 804F9759
08:51:23:250 3156 IRP_MJ_DIRECTORY_CONTROL : 804F9759
08:51:23:250 3156 IRP_MJ_FILE_SYSTEM_CONTROL : 804F9759
08:51:23:250 3156 IRP_MJ_DEVICE_CONTROL : F77AC180
08:51:23:250 3156 IRP_MJ_INTERNAL_DEVICE_CONTROL : F77A79E6
08:51:23:250 3156 IRP_MJ_SHUTDOWN : 804F9759
08:51:23:250 3156 IRP_MJ_LOCK_CONTROL : 804F9759
08:51:23:250 3156 IRP_MJ_CLEANUP : 804F9759
08:51:23:250 3156 IRP_MJ_CREATE_MAILSLOT : 804F9759
08:51:23:250 3156 IRP_MJ_QUERY_SECURITY : 804F9759
08:51:23:250 3156 IRP_MJ_SET_SECURITY : 804F9759
08:51:23:250 3156 IRP_MJ_POWER : F77AB5F0
08:51:23:250 3156 IRP_MJ_SYSTEM_CONTROL : F77A9A6E
08:51:23:250 3156 IRP_MJ_DEVICE_CHANGE : 804F9759
08:51:23:250 3156 IRP_MJ_QUERY_QUOTA : 804F9759
08:51:23:250 3156 IRP_MJ_SET_QUOTA : 804F9759
08:51:23:250 3156 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
08:51:23:250 3156 
08:51:23:250 3156 Driver Name: Disk
08:51:23:250 3156 IRP_MJ_CREATE : F763DBB0
08:51:23:250 3156 IRP_MJ_CREATE_NAMED_PIPE : 804F9759
08:51:23:250 3156 IRP_MJ_CLOSE : F763DBB0
08:51:23:250 3156 IRP_MJ_READ : F7637D1F
08:51:23:250 3156 IRP_MJ_WRITE : F7637D1F
08:51:23:250 3156 IRP_MJ_QUERY_INFORMATION : 804F9759
08:51:23:250 3156 IRP_MJ_SET_INFORMATION : 804F9759
08:51:23:250 3156 IRP_MJ_QUERY_EA : 804F9759
08:51:23:250 3156 IRP_MJ_SET_EA : 804F9759
08:51:23:250 3156 IRP_MJ_FLUSH_BUFFERS : F76382E2
08:51:23:250 3156 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9759
08:51:23:250 3156 IRP_MJ_SET_VOLUME_INFORMATION : 804F9759
08:51:23:250 3156 IRP_MJ_DIRECTORY_CONTROL : 804F9759
08:51:23:250 3156 IRP_MJ_FILE_SYSTEM_CONTROL : 804F9759
08:51:23:250 3156 IRP_MJ_DEVICE_CONTROL : F76383BB
08:51:23:250 3156 IRP_MJ_INTERNAL_DEVICE_CONTROL : F763BF28
08:51:23:250 3156 IRP_MJ_SHUTDOWN : F76382E2
08:51:23:250 3156 IRP_MJ_LOCK_CONTROL : 804F9759
08:51:23:250 3156 IRP_MJ_CLEANUP : 804F9759
08:51:23:250 3156 IRP_MJ_CREATE_MAILSLOT : 804F9759
08:51:23:250 3156 IRP_MJ_QUERY_SECURITY : 804F9759
08:51:23:250 3156 IRP_MJ_SET_SECURITY : 804F9759
08:51:23:250 3156 IRP_MJ_POWER : F7639C82
08:51:23:250 3156 IRP_MJ_SYSTEM_CONTROL : F763E99E
08:51:23:250 3156 IRP_MJ_DEVICE_CHANGE : 804F9759
08:51:23:250 3156 IRP_MJ_QUERY_QUOTA : 804F9759
08:51:23:250 3156 IRP_MJ_SET_QUOTA : 804F9759
08:51:23:265 3156 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
08:51:23:265 3156 
08:51:23:265 3156 Driver Name: Disk
08:51:23:265 3156 IRP_MJ_CREATE : F763DBB0
08:51:23:265 3156 IRP_MJ_CREATE_NAMED_PIPE : 804F9759
08:51:23:265 3156 IRP_MJ_CLOSE : F763DBB0
08:51:23:265 3156 IRP_MJ_READ : F7637D1F
08:51:23:265 3156 IRP_MJ_WRITE : F7637D1F
08:51:23:265 3156 IRP_MJ_QUERY_INFORMATION : 804F9759
08:51:23:265 3156 IRP_MJ_SET_INFORMATION : 804F9759
08:51:23:265 3156 IRP_MJ_QUERY_EA : 804F9759
08:51:23:265 3156 IRP_MJ_SET_EA : 804F9759
08:51:23:265 3156 IRP_MJ_FLUSH_BUFFERS : F76382E2
08:51:23:265 3156 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9759
08:51:23:265 3156 IRP_MJ_SET_VOLUME_INFORMATION : 804F9759
08:51:23:265 3156 IRP_MJ_DIRECTORY_CONTROL : 804F9759
08:51:23:265 3156 IRP_MJ_FILE_SYSTEM_CONTROL : 804F9759
08:51:23:265 3156 IRP_MJ_DEVICE_CONTROL : F76383BB
08:51:23:265 3156 IRP_MJ_INTERNAL_DEVICE_CONTROL : F763BF28
08:51:23:265 3156 IRP_MJ_SHUTDOWN : F76382E2
08:51:23:265 3156 IRP_MJ_LOCK_CONTROL : 804F9759
08:51:23:265 3156 IRP_MJ_CLEANUP : 804F9759
08:51:23:265 3156 IRP_MJ_CREATE_MAILSLOT : 804F9759
08:51:23:265 3156 IRP_MJ_QUERY_SECURITY : 804F9759
08:51:23:265 3156 IRP_MJ_SET_SECURITY : 804F9759
08:51:23:265 3156 IRP_MJ_POWER : F7639C82
08:51:23:265 3156 IRP_MJ_SYSTEM_CONTROL : F763E99E
08:51:23:265 3156 IRP_MJ_DEVICE_CHANGE : 804F9759
08:51:23:265 3156 IRP_MJ_QUERY_QUOTA : 804F9759
08:51:23:265 3156 IRP_MJ_SET_QUOTA : 804F9759
08:51:23:265 3156 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
08:51:23:265 3156 
08:51:23:265 3156 Driver Name: atapi
08:51:23:265 3156 IRP_MJ_CREATE : 89895AC8
08:51:23:265 3156 IRP_MJ_CREATE_NAMED_PIPE : 89895AC8
08:51:23:265 3156 IRP_MJ_CLOSE : 89895AC8
08:51:23:265 3156 IRP_MJ_READ : 89895AC8
08:51:23:265 3156 IRP_MJ_WRITE : 89895AC8
08:51:23:265 3156 IRP_MJ_QUERY_INFORMATION : 89895AC8
08:51:23:265 3156 IRP_MJ_SET_INFORMATION : 89895AC8
08:51:23:265 3156 IRP_MJ_QUERY_EA : 89895AC8
08:51:23:265 3156 IRP_MJ_SET_EA : 89895AC8
08:51:23:265 3156 IRP_MJ_FLUSH_BUFFERS : 89895AC8
08:51:23:265 3156 IRP_MJ_QUERY_VOLUME_INFORMATION : 89895AC8
08:51:23:265 3156 IRP_MJ_SET_VOLUME_INFORMATION : 89895AC8
08:51:23:265 3156 IRP_MJ_DIRECTORY_CONTROL : 89895AC8
08:51:23:265 3156 IRP_MJ_FILE_SYSTEM_CONTROL : 89895AC8
08:51:23:265 3156 IRP_MJ_DEVICE_CONTROL : 89895AC8
08:51:23:265 3156 IRP_MJ_INTERNAL_DEVICE_CONTROL : 89895AC8
08:51:23:265 3156 IRP_MJ_SHUTDOWN : 89895AC8
08:51:23:265 3156 IRP_MJ_LOCK_CONTROL : 89895AC8
08:51:23:265 3156 IRP_MJ_CLEANUP : 89895AC8
08:51:23:265 3156 IRP_MJ_CREATE_MAILSLOT : 89895AC8
08:51:23:265 3156 IRP_MJ_QUERY_SECURITY : 89895AC8
08:51:23:265 3156 IRP_MJ_SET_SECURITY : 89895AC8
08:51:23:265 3156 IRP_MJ_POWER : 89895AC8
08:51:23:265 3156 IRP_MJ_SYSTEM_CONTROL : 89895AC8
08:51:23:265 3156 IRP_MJ_DEVICE_CHANGE : 89895AC8
08:51:23:265 3156 IRP_MJ_QUERY_QUOTA : 89895AC8
08:51:23:265 3156 IRP_MJ_SET_QUOTA : 89895AC8
08:51:23:265 3156 Driver "atapi" infected by TDSS rootkit!
08:51:23:265 3156 C:\WINDOWS\system32\drivers\tsk2D.tmp - Verdict: 3
08:51:23:265 3156 
08:51:23:265 3156 Completed
08:51:23:265 3156 
08:51:23:265 3156 Results:
08:51:23:265 3156 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
08:51:23:265 3156 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
08:51:23:265 3156 File objects infected / cured / cured on reboot: 0 / 0 / 0
08:51:23:265 3156 
08:51:23:265 3156 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
08:51:23:265 3156 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
08:51:23:265 3156 UnloadDriverW: NtUnloadDriver error 1
08:51:23:265 3156 KLMD(ARK) unloaded successfully
--------------------------------------------------------------------------

Can anyone give me a tip on what else I can do?

ThanX
asterix2005
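The "Scanning Kernel memory" part of the log above is what actually carries the detection. For Disk and usbstor each IRP major function points either to one of a handful of handlers belonging to that driver (F763xxxx / F77Axxxx) or to the single address both tables share, 804F9759, the kernel's default handler for majors a driver does not implement. For atapi all 27 majors point to one address, 89895AC8, that appears nowhere else, which is the dispatch-table hook TDSS is known for placing on the disk miniport; and the "Results:" lines say Memory objects infected 1 / cured 0, i.e. found but not removed. The Python below is an added example for this thread, not code from the post or from TDSSKiller: it parses that log format, flags any driver whose whole dispatch table collapses to one address that is not the shared default, and reports what the Results lines say is still live. The regular expressions, the "most widely shared address is the kernel default" heuristic and the three-block sample log (constructed from the lines above, with the repeated Disk/usbstor devices dropped) are this example's own assumptions.

```python
"""Parse TDSSKiller 2.x 'Scanning Kernel memory' output and flag drivers whose
IRP dispatch table has been wholesale redirected to one foreign address."""
import re
from collections import defaultdict

# The 27 IRP major functions TDSSKiller 2.2.x prints per driver, in its order.
IRP_MAJORS = ["IRP_MJ_" + n for n in (
    "CREATE CREATE_NAMED_PIPE CLOSE READ WRITE QUERY_INFORMATION SET_INFORMATION "
    "QUERY_EA SET_EA FLUSH_BUFFERS QUERY_VOLUME_INFORMATION SET_VOLUME_INFORMATION "
    "DIRECTORY_CONTROL FILE_SYSTEM_CONTROL DEVICE_CONTROL INTERNAL_DEVICE_CONTROL "
    "SHUTDOWN LOCK_CONTROL CLEANUP CREATE_MAILSLOT QUERY_SECURITY SET_SECURITY "
    "POWER SYSTEM_CONTROL DEVICE_CHANGE QUERY_QUOTA SET_QUOTA").split()]

# Every TDSSKiller log line starts with "HH:MM:SS:mmm <pid>". Regexes are assumptions
# derived from the log in the post, not a documented format.
_PFX = r"^\d{2}:\d{2}:\d{2}:\d{3}\s+\d+\s+"
DRIVER_RE = re.compile(_PFX + r"Driver Name:\s*(\S+)")
IRP_RE = re.compile(_PFX + r"(IRP_MJ_[A-Z_]+)\s*:\s*([0-9A-Fa-f]{8})\s*$")
VERDICT_RE = re.compile(_PFX + r"(\S+)\s+-\s+Verdict:\s*(\d+)")
RESULT_RE = re.compile(_PFX + r"(Memory|Registry|File) objects infected / cured / "
                       r"cured on reboot:\s*(\d+)\s*/\s*(\d+)\s*/\s*(\d+)")


def parse_blocks(log_text):
    """Group the per-driver dumps: [{driver, irps{major: addr}, path, verdict}, ...]."""
    blocks, cur = [], None
    for line in log_text.splitlines():
        if m := DRIVER_RE.match(line):
            cur = {"driver": m.group(1), "irps": {}, "path": None, "verdict": None}
            blocks.append(cur)
        elif cur and (m := IRP_RE.match(line)):
            cur["irps"][m.group(1)] = int(m.group(2), 16)
        elif cur and (m := VERDICT_RE.match(line)):
            cur["path"], cur["verdict"] = m.group(1), int(m.group(2))
    return blocks


def shared_default_handler(blocks):
    """Heuristic: the kernel's stub for unimplemented majors is the one address that
    shows up in the most *different* drivers' tables (804F9759 in the post's log)."""
    owners = defaultdict(set)
    for b in blocks:
        for addr in b["irps"].values():
            owners[addr].add(b["driver"])
    return max(owners, key=lambda a: len(owners[a])) if owners else None


def hooked_drivers(blocks):
    """Flag a driver when every IRP major resolves to a single address that is not the
    shared default. A clean driver mixes its own handlers (create/close/read/write/...)
    with the default; a table collapsed onto one foreign pointer is a dispatch hook."""
    default = shared_default_handler(blocks)
    hits = []
    for b in blocks:
        addrs = set(b["irps"].values())
        if len(b["irps"]) == len(IRP_MAJORS) and len(addrs) == 1 and default not in addrs:
            hits.append((b["driver"], next(iter(addrs))))
    return hits


def still_infected(log_text):
    """From the 'Results:' lines: infected minus cured minus cured-on-reboot, per kind."""
    out = {}
    for line in log_text.splitlines():
        if m := RESULT_RE.match(line):
            kind, inf, cured, reboot = m.group(1), *map(int, m.group(2, 3, 4))
            out[kind] = inf - cured - reboot
    return out


# --- Constructed sample, modelled on the log in the post (three of its seven blocks) ---
_TS = "08:51:23:265 3156"

def _block(driver, path, verdict, handlers, default=0x804F9759):
    lines = [f"{_TS} Driver Name: {driver}"]
    lines += [f"{_TS} {mj} : {handlers.get(mj, default):08X}" for mj in IRP_MAJORS]
    lines.append(f"{_TS} {path} - Verdict: {verdict}")
    return "\n".join(lines)

DISK = {"IRP_MJ_CREATE": 0xF763DBB0, "IRP_MJ_CLOSE": 0xF763DBB0, "IRP_MJ_READ": 0xF7637D1F,
        "IRP_MJ_WRITE": 0xF7637D1F, "IRP_MJ_FLUSH_BUFFERS": 0xF76382E2, "IRP_MJ_SHUTDOWN": 0xF76382E2,
        "IRP_MJ_DEVICE_CONTROL": 0xF76383BB, "IRP_MJ_INTERNAL_DEVICE_CONTROL": 0xF763BF28,
        "IRP_MJ_POWER": 0xF7639C82, "IRP_MJ_SYSTEM_CONTROL": 0xF763E99E}
USBSTOR = {"IRP_MJ_CREATE": 0xF77AC218, "IRP_MJ_CLOSE": 0xF77AC218, "IRP_MJ_READ": 0xF77AC23C,
           "IRP_MJ_WRITE": 0xF77AC23C, "IRP_MJ_DEVICE_CONTROL": 0xF77AC180,
           "IRP_MJ_INTERNAL_DEVICE_CONTROL": 0xF77A79E6, "IRP_MJ_POWER": 0xF77AB5F0,
           "IRP_MJ_SYSTEM_CONTROL": 0xF77A9A6E}
ATAPI = {mj: 0x89895AC8 for mj in IRP_MAJORS}   # every major -> the same single address

SAMPLE_LOG = "\n".join([
    _block("Disk", r"C:\WINDOWS\system32\DRIVERS\disk.sys", 1, DISK),
    _block("usbstor", r"C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS", 1, USBSTOR),
    _block("atapi", r"C:\WINDOWS\system32\drivers\tsk2D.tmp", 3, ATAPI),
    f"{_TS} Results:",
    f"{_TS} Memory objects infected / cured / cured on reboot: 1 / 0 / 0",
    f"{_TS} Registry objects infected / cured / cured on reboot: 0 / 0 / 0",
    f"{_TS} File objects infected / cured / cured on reboot: 0 / 0 / 0",
])

if __name__ == "__main__":
    for drv, addr in hooked_drivers(parse_blocks(SAMPLE_LOG)):
        print(f"{drv}: all {len(IRP_MAJORS)} IRP majors -> {addr:08X} (dispatch table hooked)")
    print("found but not cured:", still_infected(SAMPLE_LOG))
```

Run against the full log from the post it reports only atapi, with every major at 89895AC8, and a Memory count of 1 still live, which is exactly the contradiction the poster sees: the scanner identifies the hook on each run but the "cured" column never moves. The check deliberately keys on table shape rather than on the specific address or on hard-coded kernel/driver address ranges, so it works on a log from any machine, but a hook that redirects only IRP_MJ_READ/WRITE and leaves the other majors alone would not trip it; for that, compare each handler against the owning driver's image range, which this log format does not carry.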