If you think you are also affected by the problem below, we ask you to go through the following steps: 1. Register for free. 2. Read this message. 3. Post the log you made in this section.
#1
Wished level of difficulty at answer: 3. Medium
Operating System: Windows 7 Ultimate
Antivirus: AVG
Firewall: AVG
Posts: 3
Trojan horse: Clicker.AEYB
For a few days now AVG Free has been giving a notification every 5 minutes of a trojan horse in the file C:\windows\Temp\mnvb.tmp\svchost.exe, or a similar path with a different folder, C:\Windows\Temp\....... .temp\svchost.exe. The process involved is C:\Windows\System32\svchost.exe with process ID 752; see also the attachment.

I have done the following so far:

1: Updated AVG and ran a full scan. It found nothing.
2: As you told us, I first ran Malwarebytes' Anti-Malware (MBAM). It did find a few infections, but after I had removed them and restarted my computer, I soon got the same notification again.
3: Then I tried the Kaspersky online scanner. However, I could not reach that scanner. I do have Java installed, so I did not understand why. I think it is because they have temporarily taken it offline, to come out with an improved version later this year; see http://www.kaspersky.com/virusscanner where they recommend trying a trial of Internet Security.
4: I made a log with HijackThis:

```
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:09:14, on 27-1-2010
Platform: Unknown Windows (WinNT 6.01.3164)
MSIE: Internet Explorer v8.00 (8.00.7260.0000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10c.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Skype\Toolbars\Shared\SkypeNames.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: ChromeFrame BHO - {ECB3C477-1A0A-44BD-BB57-78F9EFE34FA7} - C:\Program Files\Google\Chrome Frame\Application\4.0.295.0\npchrome_frame.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0ENQBO] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [EPSON Stylus DX7400 Series] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATICDE.EXE /FU "C:\Windows\TEMP\E_S930B.tmp" /EF "HKCU"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O8 - Extra context menu item: Add to AMV/AVI Video Converter... - C:\Program Files\Media Player Utilities 4.21\AMVConverter\grab.html
O8 - Extra context menu item: Converteren naar Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Doel van koppeling converteren naar Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Doel van koppeling toevoegen aan bestaande PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Toevoegen aan bestaande PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: Verzenden naar OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Verz&enden naar OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix: 
O16 - DPF: {40F576AD-8680-4F9E-9490-99D069CD665F} - http://srtest-cdn.systemrequirements...qlabdetect.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.3.1_18) - http://javadl-esd.sun.com/update/1.3...l-13-win32.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol hijack: cf - {9875BFAF-B04D-445E-8A69-BE36838CDE3E}
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Adobe Version Cue CS4 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\Windows\system32\PnkBstrB.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

--
End of file - 9412 bytes
```

I hope I am not being a nuisance, and that you are willing to help me.

Kind regards,
Bastian van den Bout
#2
Security Expert
Wished level of difficulty at answer: 5. Expert
Operating System: Windows Vista Ultimate
Antivirus: Ms Security Essentials
Firewall: Windows Firewall
Posts: 33,007
Blog Entries: 2
Go to Control Panel - Software - Change or remove programs, and uninstall the following programs if present:

- Alcohol 120% and 52%
- AstroBurn
- Daemon Tools and Daemon Tools Lite

Download this tool: http://www.duplexsecure.com/download...t-v162-x86.exe
Double-click it to start the tool. In the window that appears, click the uninstall button. Restart the computer.

Download TDSSKiller.zip, unzip it and put it on your desktop: http://support.kaspersky.com/downloa...tdsskiller.zip

Open a Notepad file. Copy the code below into this Notepad file. Go to File - Save As. Under "Save in" choose: the folder that TDSSKiller.exe is in. Under "File name" enter: start.bat. Under "Save as type" select: All files (*.*). Click the Save button.

Code:
```
@ECHO OFF
REM Run TDSSKiller and write its log to report.txt in this folder (-v: detailed log)
TDSSKiller.exe -l report.txt -v
REM Delete this batch file itself afterwards
DEL %0
```

This will start TDSSKiller.exe and create a log file (report.txt) in the same folder. When TDSSKiller.exe has finished, post the contents of report.txt.
#3
Wished level of difficulty at answer: 3. Medium
Operating System: Windows 7 Ultimate
Antivirus: AVG
Firewall: AVG
Posts: 3
Dear Nucia expert,

Thank you for your quick reply. I did what you posted, and here is the log in question:

```
17:01:55:712 2720 TDSS rootkit removing tool 2.2.2 Jan 13 2010 08:42:25
17:01:55:712 2720 ================================================================================
17:01:55:712 2720 SystemInfo:
17:01:55:712 2720 OS Version: 6.1.7260 ServicePack: 0.0
17:01:55:712 2720 Product type: Workstation
17:01:55:712 2720 ComputerName: PC
17:01:55:713 2720 UserName: BAS (tian)
17:01:55:713 2720 Windows directory: C:\Windows
17:01:55:713 2720 Processor architecture: Intel x86
17:01:55:713 2720 Number of processors: 4
17:01:55:713 2720 Page size: 0x1000
17:01:55:717 2720 Boot type: Normal boot
17:01:55:717 2720 ================================================================================
17:01:55:719 2720 UnloadDriverW: NtUnloadDriver error 2
17:01:55:719 2720 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
17:01:55:719 2720 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\drivers\klmd.sys) returned status 00000000
17:01:55:785 2720 UtilityInit: KLMD drop and load success
17:01:55:785 2720 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201000)
17:01:55:785 2720 UtilityInit: KLMD open success
17:01:55:785 2720 UtilityInit: Initialize success
17:01:55:785 2720 
17:01:55:787 2720 Scanning Services ...
17:01:55:787 2720 CreateRegParser: Registry parser init started
17:01:55:787 2720 CreateRegParser: DisableWow64Redirection error
17:01:55:787 2720 wfopen_ex: Trying to open file C:\Windows\system32\config\system
17:01:55:860 2720 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\config\system) returned status C0000043
17:01:55:860 2720 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
17:01:55:860 2720 wfopen_ex: Trying to KLMD file open
17:01:55:860 2720 KLMD_CreateFileW: Trying to open file C:\Windows\system32\config\system
17:01:55:860 2720 wfopen_ex: File opened ok (Flags 2)
17:01:55:868 2720 CreateRegParser: HIVE_ADAPTER(C:\Windows\system32\config\system) init success: 1516F98
17:01:55:868 2720 wfopen_ex: Trying to open file C:\Windows\system32\config\software
17:01:55:913 2720 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\config\software) returned status C0000043
17:01:55:913 2720 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
17:01:55:914 2720 wfopen_ex: Trying to KLMD file open
17:01:55:914 2720 KLMD_CreateFileW: Trying to open file C:\Windows\system32\config\software
17:01:55:914 2720 wfopen_ex: File opened ok (Flags 2)
17:01:55:950 2720 CreateRegParser: HIVE_ADAPTER(C:\Windows\system32\config\software) init success: 1516FC0
17:01:55:950 2720 CreateRegParser: EnableWow64Redirection error
17:01:55:950 2720 CreateRegParser: RegParser init completed
17:02:00:229 2720 GetAdvancedServicesInfo: Raw services enum returned 485 services
17:02:00:236 2720 fclose_ex: Trying to close file C:\Windows\system32\config\system
17:02:00:236 2720 fclose_ex: Trying to close file C:\Windows\system32\config\software
17:02:00:237 2720 
17:02:00:237 2720 Scanning Kernel memory ...
17:02:00:237 2720 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
17:02:00:237 2720 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 85B276C8
17:02:00:237 2720 DetectCureTDL3: KLMD_GetDeviceObjectList returned 3 DevObjects
17:02:00:237 2720 
17:02:00:237 2720 DetectCureTDL3: DEVICE_OBJECT: 863EAAC8
17:02:00:237 2720 KLMD_GetLowerDeviceObject: Trying to get lower device object for 863EAAC8
17:02:00:237 2720 DetectCureTDL3: DEVICE_OBJECT: 85D7CCB8
17:02:00:237 2720 KLMD_GetLowerDeviceObject: Trying to get lower device object for 85D7CCB8
17:02:00:238 2720 KLMD_ReadMem: Trying to ReadMemory 0x85D7CCB8[0x38]
17:02:00:238 2720 DetectCureTDL3: DRIVER_OBJECT: 85D465F0
17:02:00:238 2720 KLMD_ReadMem: Trying to ReadMemory 0x85D465F0[0xA8]
17:02:00:238 2720 KLMD_ReadMem: Trying to ReadMemory 0x85D7D2A8[0x1E]
17:02:00:238 2720 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR
17:02:00:238 2720 DetectCureTDL3: IrpHandler (0) addr: 904E2A02
17:02:00:238 2720 DetectCureTDL3: IrpHandler (1) addr: 82AB5437
17:02:00:238 2720 DetectCureTDL3: IrpHandler (2) addr: 904E2A7A
17:02:00:238 2720 DetectCureTDL3: IrpHandler (3) addr: 904E2AF2
17:02:00:238 2720 DetectCureTDL3: IrpHandler (4) addr: 904E2AF2
17:02:00:238 2720 DetectCureTDL3: IrpHandler (5) addr: 82AB5437
17:02:00:238 2720 DetectCureTDL3: IrpHandler (6) addr: 82AB5437
17:02:00:238 2720 DetectCureTDL3: IrpHandler (7) addr: 82AB5437
17:02:00:238 2720 DetectCureTDL3: IrpHandler (8) addr: 82AB5437
17:02:00:238 2720 DetectCureTDL3: IrpHandler (9) addr: 82AB5437
17:02:00:238 2720 DetectCureTDL3: IrpHandler (10) addr: 82AB5437
17:02:00:238 2720 DetectCureTDL3: IrpHandler (11) addr: 82AB5437
17:02:00:238 2720 DetectCureTDL3: IrpHandler (12) addr: 82AB5437
17:02:00:238 2720 DetectCureTDL3: IrpHandler (13) addr: 82AB5437
17:02:00:238 2720 DetectCureTDL3: IrpHandler (14) addr: 904E25FE
17:02:00:238 2720 DetectCureTDL3: IrpHandler (15) addr: 904D5656
17:02:00:238 2720 DetectCureTDL3: IrpHandler (16) addr: 82AB5437
17:02:00:238 2720 DetectCureTDL3: IrpHandler (17) addr: 82AB5437
17:02:00:238 2720 DetectCureTDL3: IrpHandler (18) addr: 82AB5437
17:02:00:238 2720 DetectCureTDL3: IrpHandler (19) addr: 82AB5437
17:02:00:238 2720 DetectCureTDL3: IrpHandler (20) addr: 82AB5437
17:02:00:238 2720 DetectCureTDL3: IrpHandler (21) addr: 82AB5437
17:02:00:238 2720 DetectCureTDL3: IrpHandler (22) addr: 904E09BA
17:02:00:238 2720 DetectCureTDL3: IrpHandler (23) addr: 904DD88E
17:02:00:238 2720 DetectCureTDL3: IrpHandler (24) addr: 82AB5437
17:02:00:238 2720 DetectCureTDL3: IrpHandler (25) addr: 82AB5437
17:02:00:238 2720 DetectCureTDL3: IrpHandler (26) addr: 82AB5437
17:02:00:238 2720 KLMD_ReadMem: Trying to ReadMemory 0x904D7EA2[0x400]
17:02:00:238 2720 TDL3_StartIoHookDetect: CheckParameters: 4, 904DC000, 0
17:02:00:238 2720 TDL3_FileDetect: Processing driver: USBSTOR
17:02:00:238 2720 TDL3_FileDetect: Processing driver file: C:\Windows\system32\DRIVERS\USBSTOR.SYS
17:02:00:239 2720 KLMD_CreateFileW: Trying to open file C:\Windows\system32\DRIVERS\USBSTOR.SYS
17:02:00:248 2720 TDL3_FileDetect: C:\Windows\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
17:02:00:248 2720 
17:02:00:248 2720 DetectCureTDL3: DEVICE_OBJECT: 85B29030
17:02:00:248 2720 KLMD_GetLowerDeviceObject: Trying to get lower device object for 85B29030
17:02:00:248 2720 DetectCureTDL3: DEVICE_OBJECT: 84C99358
17:02:00:248 2720 KLMD_GetLowerDeviceObject: Trying to get lower device object for 84C99358
17:02:00:248 2720 DetectCureTDL3: DEVICE_OBJECT: 8559D030
17:02:00:248 2720 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8559D030
17:02:00:248 2720 KLMD_ReadMem: Trying to ReadMemory 0x8559D030[0x38]
17:02:00:248 2720 DetectCureTDL3: DRIVER_OBJECT: 84C98A08
17:02:00:249 2720 KLMD_ReadMem: Trying to ReadMemory 0x84C98A08[0xA8]
17:02:00:249 2720 KLMD_ReadMem: Trying to ReadMemory 0x84C989B8[0x1A]
17:02:00:249 2720 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
17:02:00:249 2720 DetectCureTDL3: IrpHandler (0) addr: 837D48C4
17:02:00:249 2720 DetectCureTDL3: IrpHandler (1) addr: 82AB5437
17:02:00:249 2720 DetectCureTDL3: IrpHandler (2) addr: 837D48C4
17:02:00:249 2720 DetectCureTDL3: IrpHandler (3) addr: 82AB5437
17:02:00:249 2720 DetectCureTDL3: IrpHandler (4) addr: 82AB5437
17:02:00:249 2720 DetectCureTDL3: IrpHandler (5) addr: 82AB5437
17:02:00:249 2720 DetectCureTDL3: IrpHandler (6) addr: 82AB5437
17:02:00:249 2720 DetectCureTDL3: IrpHandler (7) addr: 82AB5437
17:02:00:249 2720 DetectCureTDL3: IrpHandler (8) addr: 82AB5437
17:02:00:249 2720 DetectCureTDL3: IrpHandler (9) addr: 82AB5437
17:02:00:249 2720 DetectCureTDL3: IrpHandler (10) addr: 82AB5437
17:02:00:249 2720 DetectCureTDL3: IrpHandler (11) addr: 82AB5437
17:02:00:249 2720 DetectCureTDL3: IrpHandler (12) addr: 82AB5437
17:02:00:249 2720 DetectCureTDL3: IrpHandler (13) addr: 82AB5437
17:02:00:249 2720 DetectCureTDL3: IrpHandler (14) addr: 837C047C
17:02:00:249 2720 DetectCureTDL3: IrpHandler (15) addr: 837C044E
17:02:00:249 2720 DetectCureTDL3: IrpHandler (16) addr: 82AB5437
17:02:00:249 2720 DetectCureTDL3: IrpHandler (17) addr: 82AB5437
17:02:00:249 2720 DetectCureTDL3: IrpHandler (18) addr: 82AB5437
17:02:00:249 2720 DetectCureTDL3: IrpHandler (19) addr: 82AB5437
17:02:00:249 2720 DetectCureTDL3: IrpHandler (20) addr: 82AB5437
17:02:00:249 2720 DetectCureTDL3: IrpHandler (21) addr: 82AB5437
17:02:00:249 2720 DetectCureTDL3: IrpHandler (22) addr: 837C04AA
17:02:00:249 2720 DetectCureTDL3: IrpHandler (23) addr: 837CFDB2
17:02:00:249 2720 DetectCureTDL3: IrpHandler (24) addr: 82AB5437
17:02:00:249 2720 DetectCureTDL3: IrpHandler (25) addr: 82AB5437
17:02:00:249 2720 DetectCureTDL3: IrpHandler (26) addr: 82AB5437
17:02:00:249 2720 KLMD_ReadMem: Trying to ReadMemory 0x859936D1[0x400]
17:02:00:249 2720 TDL3_StartIoHookDetect: CheckParameters: 9, FFDF0308, 1
17:02:00:249 2720 Driver "atapi" StartIo handler infected by TDSS rootkit ...
17:02:00:251 2720 TDL3_StartIoHookCure: Number of patches 1
17:02:00:251 2720 KLMD_WriteMem: Trying to WriteMemory 0x859937DA[0x6]
17:02:00:251 2720 cured
17:02:00:251 2720 TDL3_FileDetect: Processing driver: atapi
17:02:00:251 2720 TDL3_FileDetect: Processing driver file: C:\Windows\system32\DRIVERS\atapi.sys
17:02:00:251 2720 KLMD_CreateFileW: Trying to open file C:\Windows\system32\DRIVERS\atapi.sys
17:02:00:252 2720 TDL3_FileDetect: C:\Windows\system32\DRIVERS\atapi.sys - Verdict: Clean
17:02:00:253 2720 
17:02:00:253 2720 DetectCureTDL3: DEVICE_OBJECT: 85B28638
17:02:00:253 2720 KLMD_GetLowerDeviceObject: Trying to get lower device object for 85B28638
17:02:00:253 2720 DetectCureTDL3: DEVICE_OBJECT: 855E28C0
17:02:00:253 2720 KLMD_GetLowerDeviceObject: Trying to get lower device object for 855E28C0
17:02:00:253 2720 DetectCureTDL3: DEVICE_OBJECT: 84C31908
17:02:00:253 2720 KLMD_GetLowerDeviceObject: Trying to get lower device object for 84C31908
17:02:00:253 2720 KLMD_ReadMem: Trying to ReadMemory 0x84C31908[0x38]
17:02:00:253 2720 DetectCureTDL3: DRIVER_OBJECT: 85BF5140
17:02:00:253 2720 KLMD_ReadMem: Trying to ReadMemory 0x85BF5140[0xA8]
17:02:00:253 2720 KLMD_ReadMem: Trying to ReadMemory 0x84CCB028[0x38]
17:02:00:253 2720 KLMD_ReadMem: Trying to ReadMemory 0x84C98A08[0xA8]
17:02:00:253 2720 KLMD_ReadMem: Trying to ReadMemory 0x84C989B8[0x1A]
17:02:00:253 2720 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
17:02:00:253 2720 DetectCureTDL3: IrpHandler (0) addr: 85993826
17:02:00:253 2720 DetectCureTDL3: IrpHandler (1) addr: 85993826
17:02:00:253 2720 DetectCureTDL3: IrpHandler (2) addr: 85993826
17:02:00:253 2720 DetectCureTDL3: IrpHandler (3) addr: 85993826
17:02:00:253 2720 DetectCureTDL3: IrpHandler (4) addr: 85993826
17:02:00:253 2720 DetectCureTDL3: IrpHandler (5) addr: 85993826
17:02:00:253 2720 DetectCureTDL3: IrpHandler (6) addr: 85993826
17:02:00:253 2720 DetectCureTDL3: IrpHandler (7) addr: 85993826
17:02:00:253 2720 DetectCureTDL3: IrpHandler (8) addr: 85993826
17:02:00:253 2720 DetectCureTDL3: IrpHandler (9) addr: 85993826
17:02:00:253 2720 DetectCureTDL3: IrpHandler (10) addr: 85993826
17:02:00:253 2720 DetectCureTDL3: IrpHandler (11) addr: 85993826
17:02:00:253 2720 DetectCureTDL3: IrpHandler (12) addr: 85993826
17:02:00:253 2720 DetectCureTDL3: IrpHandler (13) addr: 85993826
17:02:00:253 2720 DetectCureTDL3: IrpHandler (14) addr: 85993826
17:02:00:253 2720 DetectCureTDL3: IrpHandler (15) addr: 85993826
17:02:00:253 2720 DetectCureTDL3: IrpHandler (16) addr: 85993826
17:02:00:253 2720 DetectCureTDL3: IrpHandler (17) addr: 85993826
17:02:00:253 2720 DetectCureTDL3: IrpHandler (18) addr: 85993826
17:02:00:253 2720 DetectCureTDL3: IrpHandler (19) addr: 85993826
17:02:00:253 2720 DetectCureTDL3: IrpHandler (20) addr: 85993826
17:02:00:253 2720 DetectCureTDL3: IrpHandler (21) addr: 85993826
17:02:00:253 2720 DetectCureTDL3: IrpHandler (22) addr: 85993826
17:02:00:253 2720 DetectCureTDL3: IrpHandler (23) addr: 85993826
17:02:00:253 2720 DetectCureTDL3: IrpHandler (24) addr: 85993826
17:02:00:253 2720 DetectCureTDL3: IrpHandler (25) addr: 85993826
17:02:00:254 2720 DetectCureTDL3: IrpHandler (26) addr: 85993826
17:02:00:254 2720 DetectCureTDL3: All IRP handlers pointed to one addr: 85993826
17:02:00:254 2720 KLMD_ReadMem: Trying to ReadMemory 0x85993826[0x400]
17:02:00:254 2720 TDL3_IrpHookDetect: CheckParameters: 4, FFDF0308, 333, 121, 3, 109
17:02:00:254 2720 Driver "atapi" Irp handler infected by TDSS rootkit ...
17:02:00:254 2720 KLMD_WriteMem: Trying to WriteMemory 0x8599389F[0xD]
17:02:00:254 2720 cured
17:02:00:254 2720 KLMD_ReadMem: Trying to ReadMemory 0x859936D1[0x400]
17:02:00:254 2720 TDL3_StartIoHookDetect: CheckParameters: 9, FFDF0308, 0
17:02:00:254 2720 TDL3_FileDetect: Processing driver: atapi
17:02:00:254 2720 TDL3_FileDetect: Processing driver file: C:\Windows\system32\DRIVERS\atapi.sys
17:02:00:254 2720 KLMD_CreateFileW: Trying to open file C:\Windows\system32\DRIVERS\atapi.sys
17:02:00:273 2720 TDL3_FileDetect: C:\Windows\system32\DRIVERS\atapi.sys - Verdict: Infected
17:02:00:273 2720 File C:\Windows\system32\DRIVERS\atapi.sys infected by TDSS rootkit ...
17:02:00:274 2720 TDL3_FileCure: Processing driver file: C:\Windows\system32\DRIVERS\atapi.sys
17:02:00:827 2720 FileCallback: Backup candidate found: C:\Windows\system32\DriverStore\FileRepository\mshdc.inf_x86_neutral_330a45316bb06b94\atapi.sys:21568, checking..
17:02:00:844 2720 ValidateDriverFile: Stage 1 passed
17:02:00:846 2720 ValidateDriverFile: Stage 2 passed
17:02:00:908 2720 DigitalSignVerifyByHandle: Embedded DS result: 00000000
17:02:00:908 2720 ValidateDriverFile: Stage 3 passed
17:02:00:908 2720 FileCallback: File validated successfully, restore information prepared
17:02:02:287 2720 FindDriverFileBackup: Backup copy found in DriverStore
17:02:02:287 2720 TDL3_FileCure: Backup copy found, using it..
17:02:02:294 2720 TDL3_FileCure: Dumping cured buffer to file C:\Windows\system32\drivers\tsk8583.tmp
17:02:02:439 2720 TDL3_FileCure: New / Old Image paths: (system32\drivers\tsk8583.tmp, system32\drivers\atapi.sys)
17:02:02:441 2720 TDL3_FileCure: KLMD jobs schedule success
17:02:02:441 2720 will be cured on next reboot
17:02:02:441 2720 UtilityBootReinit: Reboot required for cure complete..
17:02:02:441 2720 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\drivers\klmdb.sys) returned status 00000000
17:02:02:444 2720 UtilityBootReinit: KLMD drop success
17:02:02:444 2720 KLMD_ApplyPendList: Pending buffer(223E_3E1C, 616) dropped successfully
17:02:02:444 2720 UtilityBootReinit: Cure on reboot scheduled successfully
17:02:02:444 2720 
17:02:02:446 2720 Completed
17:02:02:446 2720 
17:02:02:446 2720 Results:
17:02:02:446 2720 Memory objects infected / cured / cured on reboot: 2 / 2 / 0
17:02:02:447 2720 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
17:02:02:447 2720 File objects infected / cured / cured on reboot: 1 / 0 / 1
17:02:02:447 2720 
17:02:02:448 2720 UnloadDriverW: NtUnloadDriver error 1
17:02:02:448 2720 KLMD_Unload: UnloadDriverW(klmd21) error 1
17:02:02:448 2720 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\drivers\klmd.sys) returned status 00000000
17:02:02:449 2720 UtilityDeinit: KLMD(ARK) unloaded successfully
```
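A small parser for a TDSSKiller 2.2.x report like the one above, as an added example that is not part of this thread or of TDSSKiller itself: it pulls out the hooked drivers, the per-file verdicts (kept in order, so the "Clean" reported for atapi.sys before the IRP hook was removed and the "Infected" reported afterwards both survive), the "all IRP handlers pointed to one addr" indicator and the Results block, so the outcome can be checked without reading the whole trace. The sample lines are excerpts of the report above; the class and function names are my own.

```python
# Summarise a Kaspersky TDSSKiller 2.2.x report such as the report.txt posted above.
# Added example for this thread; it is not part of TDSSKiller. The only assumption
# is the line format visible in the posted report: "HH:MM:SS:mmm <pid> <message>".
from __future__ import annotations
import re
from dataclasses import dataclass, field

LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}:\d{3})\s+(\d+)\s*(.*)$")
HOOKED_RE = re.compile(r'^Driver "([^"]+)" (\w+) handler infected by TDSS rootkit')
INFECTED_FILE_RE = re.compile(r"^File (\S+) infected by TDSS rootkit")
VERDICT_RE = re.compile(r"^TDL3_FileDetect: (\S+) - Verdict: (\w+)$")
ONE_ADDR_RE = re.compile(r"^DetectCureTDL3: All IRP handlers pointed to one addr: ([0-9A-Fa-f]+)$")
RESULT_RE = re.compile(
    r"^(Memory|Registry|File) objects infected / cured / cured on reboot:\s*"
    r"(\d+)\s*/\s*(\d+)\s*/\s*(\d+)$"
)

@dataclass
class Summary:
    hooked_drivers: list[tuple[str, str]] = field(default_factory=list)  # (driver, hook kind)
    infected_files: list[str] = field(default_factory=list)
    verdicts: dict[str, list[str]] = field(default_factory=dict)  # path -> verdicts, in order
    uniform_irp_tables: list[str] = field(default_factory=list)  # address shared by all IRP handlers
    memory_cures: int = 0  # number of bare "cured" lines (in-memory hook repairs)
    results: dict[str, tuple[int, int, int]] = field(default_factory=dict)  # kind -> counts
    reboot_required: bool = False

    def is_clean(self) -> bool:
        """True only if no hook, no infected file and no infections in the Results block."""
        return not (self.hooked_drivers or self.infected_files
                    or any(inf for inf, _, _ in self.results.values()))

def parse_report(text: str) -> Summary:
    s = Summary()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank line or something that is not a TDSSKiller log line
        msg = m.group(3).strip()
        if (h := HOOKED_RE.match(msg)):
            s.hooked_drivers.append((h.group(1), h.group(2)))
        elif (f := INFECTED_FILE_RE.match(msg)):
            s.infected_files.append(f.group(1))
        elif (v := VERDICT_RE.match(msg)):
            # keep every verdict: the same file can be reported Clean and later Infected
            s.verdicts.setdefault(v.group(1), []).append(v.group(2))
        elif (a := ONE_ADDR_RE.match(msg)):
            s.uniform_irp_tables.append(a.group(1).upper())
        elif (r := RESULT_RE.match(msg)):
            s.results[r.group(1)] = (int(r.group(2)), int(r.group(3)), int(r.group(4)))
        elif msg == "cured":
            s.memory_cures += 1
        elif "Reboot required" in msg or msg.endswith("cured on next reboot"):
            s.reboot_required = True
    return s

def describe(s: Summary) -> str:
    """One line per finding, ending with an overall verdict."""
    lines = [f"hooked: {drv} ({kind} handler)" for drv, kind in s.hooked_drivers]
    lines += [f"suspicious: every IRP handler pointed to {a}" for a in s.uniform_irp_tables]
    lines += [f"file {p}: " + " -> ".join(vs) for p, vs in s.verdicts.items()]
    lines += [f"{k}: {i} infected, {c} cured, {r} cured on reboot"
              for k, (i, c, r) in s.results.items()]
    lines.append("reboot required" if s.reboot_required else "no reboot needed")
    lines.append("verdict: CLEAN" if s.is_clean() else "verdict: INFECTED")
    return "\n".join(lines)

# Constructed sample: excerpts of the report posted above, in TDSSKiller's own format.
SAMPLE_REPORT = r"""17:01:55:712 2720 TDSS rootkit removing tool 2.2.2 Jan 13 2010 08:42:25
17:02:00:248 2720 TDL3_FileDetect: C:\Windows\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
17:02:00:249 2720 Driver "atapi" StartIo handler infected by TDSS rootkit ...
17:02:00:251 2720 cured
17:02:00:252 2720 TDL3_FileDetect: C:\Windows\system32\DRIVERS\atapi.sys - Verdict: Clean
17:02:00:254 2720 DetectCureTDL3: All IRP handlers pointed to one addr: 85993826
17:02:00:254 2720 Driver "atapi" Irp handler infected by TDSS rootkit ...
17:02:00:254 2720 cured
17:02:00:273 2720 TDL3_FileDetect: C:\Windows\system32\DRIVERS\atapi.sys - Verdict: Infected
17:02:00:273 2720 File C:\Windows\system32\DRIVERS\atapi.sys infected by TDSS rootkit ...
17:02:02:441 2720 will be cured on next reboot
17:02:02:441 2720 UtilityBootReinit: Reboot required for cure complete..
17:02:02:446 2720 Results:
17:02:02:446 2720 Memory objects infected / cured / cured on reboot: 2 / 2 / 0
17:02:02:447 2720 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
17:02:02:447 2720 File objects infected / cured / cured on reboot: 1 / 0 / 1
"""

if __name__ == "__main__":
    print(describe(parse_report(SAMPLE_REPORT)))
```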
#4
Security Expert
Wished level of difficulty at answer: 5. Expert
Operating System: Windows Vista Ultimate
Antivirus: Ms Security Essentials
Firewall: Windows Firewall
Posts: 33,007
Blog Entries: 2
Restart your computer.

Download: ComboFix. Put it on your desktop. Info: http://www.bleepingcomputer.com/comb...uikt-te-worden.

If the Recovery Console is not installed, ComboFix will offer to download and install it. Allow this. Once the Recovery Console is installed, let ComboFix scan the computer.

When ComboFix starts, you may get an error message saying that the "contents of the ComboFix package has been compromised". Do not continue with the instructions, but download ComboFix again. This message can appear when a file infector (Virut) is active on the computer. If you get this message, report it.

When ComboFix has finished scanning, which may be after a reboot, a log file (combofix.txt) opens. Post the contents of this file in your next message.

Regards,
smeenk
#5
Wished level of difficulty at answer: 3. Medium
Operating System: Windows 7 Ultimate
Antivirus: AVG
Firewall: AVG
Posts: 3
Dear smeenk,

Since I carried out your previous post I have had no more notifications, so thank you very much. I did download ComboFix anyway, but I get a message that my OS is not supported (see the attachment). If you think the virus is still on my PC, I would like to hear what to do next; if you think the virus is already gone, thank you very much for your help. In both cases you deserve a medal.

Bastian van den Bout
#6
Security Expert
Wished level of difficulty at answer: 5. Expert
Operating System: Windows Vista Ultimate
Antivirus: Ms Security Essentials
Firewall: Windows Firewall
Posts: 33,007
Blog Entries: 2
I had overlooked that. Do this: turn off System Restore, restart your computer and turn System Restore back on after the restart. Read here how and why you should do this: http://users.telenet.be/marcvn/spyware/1852808.htm

I think that turning off System Restore on the "unknown Windows" works the same as on Vista.

Regards,
smeenk