
Thread Status: Solved
 
Old 01-02-2010, 23:09   #1
snotkwal
 
Wished level of difficulty at answer: 4.
Operating System:
Windows 7 Professional
Antivirus: AVG
Firewall: AVG
Posts: 5
91.212.226.182/e8.exe Win32 Heur

Dear all,

The alert above has been popping up regularly since this afternoon. No idea why. I haven't done or installed anything strange. AVG blocks it, but apparently something inside my svchost.exe keeps trying to make that connection to install the malware in question. I'm reading scary stories, but everything still works. I was advised to post my HijackThis log here, so hopefully you can do something with it.

Many thanks in advance for your trouble,

Cor

----
HJT
----

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:00:45, on 2/1/2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\SoundMAX.exe
C:\Program Files\AVG9\avgtray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG9\avgssie.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: ChromeFrame BHO - {ECB3C477-1A0A-44BD-BB57-78F9EFE34FA7} - C:\Program Files\Google\Chrome Frame\Application\4.0.295.0\npchrome_frame.dll
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\soundmax.exe /tray
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG9\avgtray.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O8 - Extra context menu item: >> Download This Youtube Video - UnlockForUs - C:\Users\Cor\AppData\Local\Temp\Rar$EX00.345\YoutubeFile15\lawrence.htm
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O18 - Protocol hijack: cf - {9875BFAF-B04D-445E-8A69-BE36838CDE3E}
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG9\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - (no file)
O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Andrea Electronics Corporation - C:\Windows\system32\AEADISRV.EXE
O23 - Service: AVG E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG9\avgemc.exe
O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG9\avgwdsvc.exe
O23 - Service: AVG Firewall (avgfws9) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG9\avgfws9.exe
O23 - Service: AVG9IDSAgent (AVGIDSAgent) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: @C:\Program Files\TuneUp Utilities 2010\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software - C:\Program Files\TuneUp Utilities 2010\TuneUpDefragService.exe
O23 - Service: TuneUp Utilities Service (TuneUp.UtilitiesSvc) - TuneUp Software - C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe

--
End of file - 5216 bytes
Old 01-02-2010, 23:12   #2
snotkwal
 
Also nice: while scanning, HJT says the following:

"For some reason your system denied write access to the Hosts file. If any hijacked domains are in this file, HijackThis may not be able to fix this.

blaba"
Old 01-02-2010, 23:28   #3
snotkwal
 
No idea at all. I ran some scans, nothing strange, but AVG keeps balking. Each time it points to a PID of svchost.exe.

I have no reason to assume this is Virut. I do see removal tools for it, but given what I read about it, that seems unlikely to me.
Old 02-02-2010, 08:49   #4
smeenk
Security Expert
 
 
Wished level of difficulty at answer: 5. Expert
Operating System:
Windows Vista Ultimate
Antivirus: Ms Security Essentials
Firewall: Windows Firewall
Posts: 33,007
Blog Entries: 2
Go to Control Panel - Software - Change or remove programs, and uninstall the following programs if present:
- Alcohol 120% and 52%
- AstroBurn
- Daemon Tools and Daemon Tools Lite

Restart the computer.

Download TDSSKiller.zip, unzip it and put it on your desktop:
Open a Notepad file.
Copy the code below into this Notepad file.
Go to File - Save As.
Under 'Save in' choose: the folder that contains TDSSKiller.exe.
Under 'File name' enter: start.bat
Under 'Save as type' select: All files (*.*).
Click the Save button.

Code:
@ECHO OFF
TDSSKiller.exe -l report.txt -v
DEL %0
Double-click start.bat
This will start TDSSKiller.exe and create a log file (report.txt) in the same folder.
When TDSSKiller.exe has finished, post the contents of report.txt

Then restart your computer.

Start and update MBAM (Malwarebytes' Anti-Malware)
  • Make sure there is a check mark in front of Update Malwarebytes' Anti-Malware and Start Malwarebytes' Anti-Malware, then click "Finish".
  • If an update is found, it will be downloaded and installed.
  • When the program is fully up to date, select in the Scanner tab: "Quick Scan", then click Scan.
  • Scanning can take a while, so be patient.
  • When the scan is complete, click OK, then "Show Results" to see the results.
  • Make sure everything there is checked, then click: Remove Selected.
  • After removal a log will open and you will be asked to restart the computer. (See below)
  • The log is saved automatically by MBAM and can be found by clicking the "Logs" tab in MBAM.
  • Copy and paste the contents of the log into your next reply.
If MBAM has difficulty removing certain files it will show a few messages where you have to click OK.
It will then ask to restart the computer... so allow MBAM to restart the computer.
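A small triage helper for the report.txt that the batch file above makes TDSSKiller write. This is an added example, not code from the thread or from Kaspersky's TDSSKiller; the sample report lines are constructed, modelled on the report format posted later in this thread, and the regular expressions assume that line layout (timestamp, process id, message). It pulls out the per-file verdicts and any in-memory hook the tool flagged, and tells you whether each flagged hook was followed by a "cured" line.

```python
import re

# Report lines look like: HH:MM:SS:mmm <pid> <message>
LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}:\d{3})\s+(\d+)\s*(.*)$")
VERDICT_RE = re.compile(r"TDL3_FileDetect: (.+?) - Verdict: (\w+)")
INFECTED_RE = re.compile(r'Driver "([^"]+)" (\w+) handler infected by TDSS rootkit')

# Constructed sample (not a real report), modelled on the format posted in this thread.
# Note the "infected" line carries two records run together, as the tool prints it.
SAMPLE_REPORT = """\
12:08:52:459 4416 TDSS rootkit removing tool 2.2.2 Jan 13 2010 08:42:25
12:09:10:842 4416 Scanning Kernel memory ...
12:09:10:844 4416 TDL3_StartIoHookDetect: CheckParameters: 4, 8F76A000, 0
12:09:10:857 4416 TDL3_FileDetect: C:\\Windows\\system32\\DRIVERS\\USBSTOR.SYS - Verdict: Clean
12:09:10:878 4416 TDL3_StartIoHookDetect: CheckParameters: 9, FFDF0308, 1
12:09:10:878 4416 Driver "atapi" StartIo handler infected by TDSS rootkit ... 12:09:10:878 4416 TDL3_StartIoHookCure: Number of patches 1
12:09:10:878 4416 KLMD_WriteMem: Trying to WriteMemory 0x85BC980A[0x6]
12:09:10:878 4416 cured
12:09:10:880 4416 TDL3_FileDetect: C:\\Windows\\system32\\DRIVERS\\atapi.sys - Verdict: Clean
"""


def triage(report_text):
    """Summarise one TDSSKiller report.

    file_verdicts: driver file path -> verdict string ("Clean", ...)
    infections:    list of {"driver", "hook", "cured"} for flagged in-memory hooks
    uncured:       drivers whose hook was flagged but no "cured" line followed
    dirty_files:   files whose on-disk verdict is anything other than Clean
    """
    verdicts = {}
    infections = []
    pending = None  # last flagged hook, waiting for its "cured" line
    for raw in report_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank or non-standard line
        msg = m.group(3)
        v = VERDICT_RE.search(msg)
        if v:
            verdicts[v.group(1)] = v.group(2)
            continue
        # search(), not match(): the hook record may share a line with the next one
        inf = INFECTED_RE.search(msg)
        if inf:
            pending = {"driver": inf.group(1), "hook": inf.group(2), "cured": False}
            infections.append(pending)
            continue
        if msg.strip() == "cured" and pending is not None:
            pending["cured"] = True
            pending = None
    uncured = [i["driver"] for i in infections if not i["cured"]]
    dirty_files = [p for p, v in verdicts.items() if v != "Clean"]
    return {
        "file_verdicts": verdicts,
        "infections": infections,
        "uncured": uncured,
        "dirty_files": dirty_files,
        "rootkit_found": bool(infections) or bool(dirty_files),
    }


def report_summary(report_text):
    """One-line summary suitable for a forum reply or ticket note."""
    r = triage(report_text)
    if not r["rootkit_found"]:
        return "no TDSS indicators found"
    parts = [f"{i['driver']} {i['hook']} hook {'cured' if i['cured'] else 'NOT cured'}"
             for i in r["infections"]]
    parts += [f"{p} verdict {r['file_verdicts'][p]}" for p in r["dirty_files"]]
    return "TDSS indicators: " + "; ".join(parts)


if __name__ == "__main__":
    print(report_summary(SAMPLE_REPORT))
```

Run it as `python triage.py` next to a real report.txt after swapping `SAMPLE_REPORT` for the file contents. The point worth noticing in the sample is that the in-memory hook on the atapi driver is reported on a "Driver ... infected" line while the file check for that same driver still reads "Verdict: Clean"; a script that only greps the verdict lines would report a clean machine, so the summary keys off the hook record and treats a flagged hook without a following "cured" line as something that still needs attention.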
Old 02-02-2010, 12:10   #5
snotkwal
 
Thanks, Smeenk!


---

12:08:52:459 4416 TDSS rootkit removing tool 2.2.2 Jan 13 2010 08:42:25
12:08:52:459 4416 ================================================================================
12:08:52:459 4416 SystemInfo:

12:08:52:459 4416 OS Version: 6.1.7600 ServicePack: 0.0
12:08:52:459 4416 Product type: Workstation
12:08:52:460 4416 ComputerName: PCCOR1
12:08:52:463 4416 UserName: Cor
12:08:52:463 4416 Windows directory: C:\Windows
12:08:52:463 4416 Processor architecture: Intel x86
12:08:52:463 4416 Number of processors: 1
12:08:52:463 4416 Page size: 0x1000
12:08:52:468 4416 Boot type: Normal boot
12:08:52:468 4416 ================================================================================
12:08:52:473 4416 UnloadDriverW: NtUnloadDriver error 2
12:08:52:473 4416 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
12:08:52:475 4416 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\drivers\klmd.sys) returned status 00000000
12:09:03:944 4416 UtilityInit: KLMD drop and load success
12:09:03:944 4416 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201000)
12:09:03:944 4416 UtilityInit: KLMD open success
12:09:03:944 4416 UtilityInit: Initialize success
12:09:03:944 4416
12:09:03:944 4416 Scanning Services ...
12:09:03:944 4416 CreateRegParser: Registry parser init started
12:09:03:944 4416 CreateRegParser: DisableWow64Redirection error
12:09:03:944 4416 wfopen_ex: Trying to open file C:\Windows\system32\config\system
12:09:03:988 4416 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\config\system) returned status C0000043
12:09:03:988 4416 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
12:09:03:988 4416 wfopen_ex: Trying to KLMD file open
12:09:03:988 4416 KLMD_CreateFileW: Trying to open file C:\Windows\system32\config\system
12:09:03:989 4416 wfopen_ex: File opened ok (Flags 2)
12:09:04:073 4416 CreateRegParser: HIVE_ADAPTER(C:\Windows\system32\config\system) init success: 18FD648
12:09:04:073 4416 wfopen_ex: Trying to open file C:\Windows\system32\config\software
12:09:04:150 4416 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\config\software) returned status C0000043
12:09:04:150 4416 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
12:09:04:150 4416 wfopen_ex: Trying to KLMD file open
12:09:04:150 4416 KLMD_CreateFileW: Trying to open file C:\Windows\system32\config\software
12:09:04:150 4416 wfopen_ex: File opened ok (Flags 2)
12:09:04:169 4416 CreateRegParser: HIVE_ADAPTER(C:\Windows\system32\config\software) init success: 18F1298
12:09:04:169 4416 CreateRegParser: EnableWow64Redirection error
12:09:04:169 4416 CreateRegParser: RegParser init completed
12:09:10:837 4416 GetAdvancedServicesInfo: Raw services enum returned 469 services
12:09:10:841 4416 fclose_ex: Trying to close file C:\Windows\system32\config\system
12:09:10:842 4416 fclose_ex: Trying to close file C:\Windows\system32\config\software
12:09:10:842 4416
12:09:10:842 4416 Scanning Kernel memory ...
12:09:10:842 4416 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
12:09:10:842 4416 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 85CE14A8
12:09:10:842 4416 DetectCureTDL3: KLMD_GetDeviceObjectList returned 8 DevObjects
12:09:10:842 4416
12:09:10:842 4416 DetectCureTDL3: DEVICE_OBJECT: 868B6030
12:09:10:843 4416 KLMD_GetLowerDeviceObject: Trying to get lower device object for 868B6030
12:09:10:843 4416 DetectCureTDL3: DEVICE_OBJECT: 868AD030
12:09:10:843 4416 KLMD_GetLowerDeviceObject: Trying to get lower device object for 868AD030
12:09:10:843 4416 KLMD_ReadMem: Trying to ReadMemory 0x868AD030[0x38]
12:09:10:843 4416 DetectCureTDL3: DRIVER_OBJECT: 864A8BE8
12:09:10:843 4416 KLMD_ReadMem: Trying to ReadMemory 0x864A8BE8[0xA8]
12:09:10:843 4416 KLMD_ReadMem: Trying to ReadMemory 0x86370410[0x1E]
12:09:10:843 4416 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR
12:09:10:843 4416 DetectCureTDL3: IrpHandler (0) addr: 85ECD1F8
12:09:10:843 4416 DetectCureTDL3: IrpHandler (1) addr: 82AC3437
12:09:10:843 4416 DetectCureTDL3: IrpHandler (2) addr: 85ECD1F8
12:09:10:843 4416 DetectCureTDL3: IrpHandler (3) addr: 85ECD1F8
12:09:10:843 4416 DetectCureTDL3: IrpHandler (4) addr: 85ECD1F8
12:09:10:843 4416 DetectCureTDL3: IrpHandler (5) addr: 82AC3437
12:09:10:843 4416 DetectCureTDL3: IrpHandler (6) addr: 82AC3437
12:09:10:843 4416 DetectCureTDL3: IrpHandler (7) addr: 82AC3437
12:09:10:843 4416 DetectCureTDL3: IrpHandler (8) addr: 82AC3437
12:09:10:843 4416 DetectCureTDL3: IrpHandler (9) addr: 82AC3437
12:09:10:843 4416 DetectCureTDL3: IrpHandler (10) addr: 82AC3437
12:09:10:843 4416 DetectCureTDL3: IrpHandler (11) addr: 82AC3437
12:09:10:843 4416 DetectCureTDL3: IrpHandler (12) addr: 82AC3437
12:09:10:843 4416 DetectCureTDL3: IrpHandler (13) addr: 82AC3437
12:09:10:843 4416 DetectCureTDL3: IrpHandler (14) addr: 85ECD1F8
12:09:10:843 4416 DetectCureTDL3: IrpHandler (15) addr: 85ECD1F8
12:09:10:843 4416 DetectCureTDL3: IrpHandler (16) addr: 82AC3437
12:09:10:843 4416 DetectCureTDL3: IrpHandler (17) addr: 82AC3437
12:09:10:843 4416 DetectCureTDL3: IrpHandler (18) addr: 82AC3437
12:09:10:843 4416 DetectCureTDL3: IrpHandler (19) addr: 82AC3437
12:09:10:843 4416 DetectCureTDL3: IrpHandler (20) addr: 82AC3437
12:09:10:843 4416 DetectCureTDL3: IrpHandler (21) addr: 82AC3437
12:09:10:843 4416 DetectCureTDL3: IrpHandler (22) addr: 85ECD1F8
12:09:10:843 4416 DetectCureTDL3: IrpHandler (23) addr: 85ECD1F8
12:09:10:843 4416 DetectCureTDL3: IrpHandler (24) addr: 82AC3437
12:09:10:844 4416 DetectCureTDL3: IrpHandler (25) addr: 82AC3437
12:09:10:844 4416 DetectCureTDL3: IrpHandler (26) addr: 82AC3437
12:09:10:844 4416 KLMD_ReadMem: Trying to ReadMemory 0x8F765EA2[0x400]
12:09:10:844 4416 TDL3_StartIoHookDetect: CheckParameters: 4, 8F76A000, 0
12:09:10:844 4416 TDL3_FileDetect: Processing driver: USBSTOR
12:09:10:844 4416 TDL3_FileDetect: Processing driver file: C:\Windows\system32\DRIVERS\USBSTOR.SYS
12:09:10:844 4416 KLMD_CreateFileW: Trying to open file C:\Windows\system32\DRIVERS\USBSTOR.SYS
12:09:10:857 4416 TDL3_FileDetect: C:\Windows\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
12:09:10:857 4416
12:09:10:858 4416 DetectCureTDL3: DEVICE_OBJECT: 8677E560
12:09:10:858 4416 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8677E560
12:09:10:858 4416 DetectCureTDL3: DEVICE_OBJECT: 8677E030
12:09:10:858 4416 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8677E030
12:09:10:858 4416 KLMD_ReadMem: Trying to ReadMemory 0x8677E030[0x38]
12:09:10:858 4416 DetectCureTDL3: DRIVER_OBJECT: 864A8BE8
12:09:10:858 4416 KLMD_ReadMem: Trying to ReadMemory 0x864A8BE8[0xA8]
12:09:10:858 4416 KLMD_ReadMem: Trying to ReadMemory 0x86370410[0x1E]
12:09:10:858 4416 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR
12:09:10:858 4416 DetectCureTDL3: IrpHandler (0) addr: 85ECD1F8
12:09:10:858 4416 DetectCureTDL3: IrpHandler (1) addr: 82AC3437
12:09:10:858 4416 DetectCureTDL3: IrpHandler (2) addr: 85ECD1F8
12:09:10:858 4416 DetectCureTDL3: IrpHandler (3) addr: 85ECD1F8
12:09:10:858 4416 DetectCureTDL3: IrpHandler (4) addr: 85ECD1F8
12:09:10:858 4416 DetectCureTDL3: IrpHandler (5) addr: 82AC3437
12:09:10:858 4416 DetectCureTDL3: IrpHandler (6) addr: 82AC3437
12:09:10:858 4416 DetectCureTDL3: IrpHandler (7) addr: 82AC3437
12:09:10:858 4416 DetectCureTDL3: IrpHandler (8) addr: 82AC3437
12:09:10:858 4416 DetectCureTDL3: IrpHandler (9) addr: 82AC3437
12:09:10:858 4416 DetectCureTDL3: IrpHandler (10) addr: 82AC3437
12:09:10:858 4416 DetectCureTDL3: IrpHandler (11) addr: 82AC3437
12:09:10:858 4416 DetectCureTDL3: IrpHandler (12) addr: 82AC3437
12:09:10:858 4416 DetectCureTDL3: IrpHandler (13) addr: 82AC3437
12:09:10:858 4416 DetectCureTDL3: IrpHandler (14) addr: 85ECD1F8
12:09:10:858 4416 DetectCureTDL3: IrpHandler (15) addr: 85ECD1F8
12:09:10:858 4416 DetectCureTDL3: IrpHandler (16) addr: 82AC3437
12:09:10:858 4416 DetectCureTDL3: IrpHandler (17) addr: 82AC3437
12:09:10:858 4416 DetectCureTDL3: IrpHandler (18) addr: 82AC3437
12:09:10:858 4416 DetectCureTDL3: IrpHandler (19) addr: 82AC3437
12:09:10:858 4416 DetectCureTDL3: IrpHandler (20) addr: 82AC3437
12:09:10:858 4416 DetectCureTDL3: IrpHandler (21) addr: 82AC3437
12:09:10:858 4416 DetectCureTDL3: IrpHandler (22) addr: 85ECD1F8
12:09:10:858 4416 DetectCureTDL3: IrpHandler (23) addr: 85ECD1F8
12:09:10:858 4416 DetectCureTDL3: IrpHandler (24) addr: 82AC3437
12:09:10:858 4416 DetectCureTDL3: IrpHandler (25) addr: 82AC3437
12:09:10:858 4416 DetectCureTDL3: IrpHandler (26) addr: 82AC3437
12:09:10:858 4416 KLMD_ReadMem: Trying to ReadMemory 0x8F765EA2[0x400]
12:09:10:859 4416 TDL3_StartIoHookDetect: CheckParameters: 4, 8F76A000, 0
12:09:10:859 4416 TDL3_FileDetect: Processing driver: USBSTOR
12:09:10:859 4416 TDL3_FileDetect: Processing driver file: C:\Windows\system32\DRIVERS\USBSTOR.SYS
12:09:10:859 4416 KLMD_CreateFileW: Trying to open file C:\Windows\system32\DRIVERS\USBSTOR.SYS
12:09:10:861 4416 TDL3_FileDetect: C:\Windows\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
12:09:10:861 4416
12:09:10:861 4416 DetectCureTDL3: DEVICE_OBJECT: 8677A030
12:09:10:862 4416 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8677A030
12:09:10:862 4416 DetectCureTDL3: DEVICE_OBJECT: 86781030
12:09:10:862 4416 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86781030
12:09:10:862 4416 KLMD_ReadMem: Trying to ReadMemory 0x86781030[0x38]
12:09:10:862 4416 DetectCureTDL3: DRIVER_OBJECT: 864A8BE8
12:09:10:862 4416 KLMD_ReadMem: Trying to ReadMemory 0x864A8BE8[0xA8]
12:09:10:862 4416 KLMD_ReadMem: Trying to ReadMemory 0x86370410[0x1E]
12:09:10:862 4416 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR
12:09:10:862 4416 DetectCureTDL3: IrpHandler (0) addr: 85ECD1F8
12:09:10:862 4416 DetectCureTDL3: IrpHandler (1) addr: 82AC3437
12:09:10:862 4416 DetectCureTDL3: IrpHandler (2) addr: 85ECD1F8
12:09:10:862 4416 DetectCureTDL3: IrpHandler (3) addr: 85ECD1F8
12:09:10:862 4416 DetectCureTDL3: IrpHandler (4) addr: 85ECD1F8
12:09:10:862 4416 DetectCureTDL3: IrpHandler (5) addr: 82AC3437
12:09:10:862 4416 DetectCureTDL3: IrpHandler (6) addr: 82AC3437
12:09:10:862 4416 DetectCureTDL3: IrpHandler (7) addr: 82AC3437
12:09:10:862 4416 DetectCureTDL3: IrpHandler (8) addr: 82AC3437
12:09:10:862 4416 DetectCureTDL3: IrpHandler (9) addr: 82AC3437
12:09:10:862 4416 DetectCureTDL3: IrpHandler (10) addr: 82AC3437
12:09:10:862 4416 DetectCureTDL3: IrpHandler (11) addr: 82AC3437
12:09:10:862 4416 DetectCureTDL3: IrpHandler (12) addr: 82AC3437
12:09:10:862 4416 DetectCureTDL3: IrpHandler (13) addr: 82AC3437
12:09:10:862 4416 DetectCureTDL3: IrpHandler (14) addr: 85ECD1F8
12:09:10:862 4416 DetectCureTDL3: IrpHandler (15) addr: 85ECD1F8
12:09:10:862 4416 DetectCureTDL3: IrpHandler (16) addr: 82AC3437
12:09:10:862 4416 DetectCureTDL3: IrpHandler (17) addr: 82AC3437
12:09:10:862 4416 DetectCureTDL3: IrpHandler (18) addr: 82AC3437
12:09:10:862 4416 DetectCureTDL3: IrpHandler (19) addr: 82AC3437
12:09:10:862 4416 DetectCureTDL3: IrpHandler (20) addr: 82AC3437
12:09:10:862 4416 DetectCureTDL3: IrpHandler (21) addr: 82AC3437
12:09:10:862 4416 DetectCureTDL3: IrpHandler (22) addr: 85ECD1F8
12:09:10:862 4416 DetectCureTDL3: IrpHandler (23) addr: 85ECD1F8
12:09:10:862 4416 DetectCureTDL3: IrpHandler (24) addr: 82AC3437
12:09:10:862 4416 DetectCureTDL3: IrpHandler (25) addr: 82AC3437
12:09:10:862 4416 DetectCureTDL3: IrpHandler (26) addr: 82AC3437
12:09:10:862 4416 KLMD_ReadMem: Trying to ReadMemory 0x8F765EA2[0x400]
12:09:10:862 4416 TDL3_StartIoHookDetect: CheckParameters: 4, 8F76A000, 0
12:09:10:862 4416 TDL3_FileDetect: Processing driver: USBSTOR
12:09:10:863 4416 TDL3_FileDetect: Processing driver file: C:\Windows\system32\DRIVERS\USBSTOR.SYS
12:09:10:863 4416 KLMD_CreateFileW: Trying to open file C:\Windows\system32\DRIVERS\USBSTOR.SYS
12:09:10:865 4416 TDL3_FileDetect: C:\Windows\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
12:09:10:865 4416
12:09:10:865 4416 DetectCureTDL3: DEVICE_OBJECT: 867787B0
12:09:10:865 4416 KLMD_GetLowerDeviceObject: Trying to get lower device object for 867787B0
12:09:10:865 4416 DetectCureTDL3: DEVICE_OBJECT: 867804A8
12:09:10:865 4416 KLMD_GetLowerDeviceObject: Trying to get lower device object for 867804A8
12:09:10:865 4416 KLMD_ReadMem: Trying to ReadMemory 0x867804A8[0x38]
12:09:10:865 4416 DetectCureTDL3: DRIVER_OBJECT: 864A8BE8
12:09:10:865 4416 KLMD_ReadMem: Trying to ReadMemory 0x864A8BE8[0xA8]
12:09:10:866 4416 KLMD_ReadMem: Trying to ReadMemory 0x86370410[0x1E]
12:09:10:866 4416 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR
12:09:10:866 4416 DetectCureTDL3: IrpHandler (0) addr: 85ECD1F8
12:09:10:866 4416 DetectCureTDL3: IrpHandler (1) addr: 82AC3437
12:09:10:866 4416 DetectCureTDL3: IrpHandler (2) addr: 85ECD1F8
12:09:10:866 4416 DetectCureTDL3: IrpHandler (3) addr: 85ECD1F8
12:09:10:866 4416 DetectCureTDL3: IrpHandler (4) addr: 85ECD1F8
12:09:10:866 4416 DetectCureTDL3: IrpHandler (5) addr: 82AC3437
12:09:10:866 4416 DetectCureTDL3: IrpHandler (6) addr: 82AC3437
12:09:10:866 4416 DetectCureTDL3: IrpHandler (7) addr: 82AC3437
12:09:10:866 4416 DetectCureTDL3: IrpHandler (8) addr: 82AC3437
12:09:10:866 4416 DetectCureTDL3: IrpHandler (9) addr: 82AC3437
12:09:10:866 4416 DetectCureTDL3: IrpHandler (10) addr: 82AC3437
12:09:10:866 4416 DetectCureTDL3: IrpHandler (11) addr: 82AC3437
12:09:10:866 4416 DetectCureTDL3: IrpHandler (12) addr: 82AC3437
12:09:10:866 4416 DetectCureTDL3: IrpHandler (13) addr: 82AC3437
12:09:10:866 4416 DetectCureTDL3: IrpHandler (14) addr: 85ECD1F8
12:09:10:866 4416 DetectCureTDL3: IrpHandler (15) addr: 85ECD1F8
12:09:10:866 4416 DetectCureTDL3: IrpHandler (16) addr: 82AC3437
12:09:10:866 4416 DetectCureTDL3: IrpHandler (17) addr: 82AC3437
12:09:10:866 4416 DetectCureTDL3: IrpHandler (18) addr: 82AC3437
12:09:10:866 4416 DetectCureTDL3: IrpHandler (19) addr: 82AC3437
12:09:10:866 4416 DetectCureTDL3: IrpHandler (20) addr: 82AC3437
12:09:10:866 4416 DetectCureTDL3: IrpHandler (21) addr: 82AC3437
12:09:10:866 4416 DetectCureTDL3: IrpHandler (22) addr: 85ECD1F8
12:09:10:866 4416 DetectCureTDL3: IrpHandler (23) addr: 85ECD1F8
12:09:10:866 4416 DetectCureTDL3: IrpHandler (24) addr: 82AC3437
12:09:10:866 4416 DetectCureTDL3: IrpHandler (25) addr: 82AC3437
12:09:10:866 4416 DetectCureTDL3: IrpHandler (26) addr: 82AC3437
12:09:10:866 4416 KLMD_ReadMem: Trying to ReadMemory 0x8F765EA2[0x400]
12:09:10:866 4416 TDL3_StartIoHookDetect: CheckParameters: 4, 8F76A000, 0
12:09:10:866 4416 TDL3_FileDetect: Processing driver: USBSTOR
12:09:10:867 4416 TDL3_FileDetect: Processing driver file: C:\Windows\system32\DRIVERS\USBSTOR.SYS
12:09:10:867 4416 KLMD_CreateFileW: Trying to open file C:\Windows\system32\DRIVERS\USBSTOR.SYS
12:09:10:869 4416 TDL3_FileDetect: C:\Windows\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
12:09:10:869 4416
12:09:10:869 4416 DetectCureTDL3: DEVICE_OBJECT: 8677EAC8
12:09:10:869 4416 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8677EAC8
12:09:10:870 4416 DetectCureTDL3: DEVICE_OBJECT: 8676F670
12:09:10:870 4416 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8676F670
12:09:10:870 4416 KLMD_ReadMem: Trying to ReadMemory 0x8676F670[0x38]
12:09:10:870 4416 DetectCureTDL3: DRIVER_OBJECT: 864A8BE8
12:09:10:870 4416 KLMD_ReadMem: Trying to ReadMemory 0x864A8BE8[0xA8]
12:09:10:870 4416 KLMD_ReadMem: Trying to ReadMemory 0x86370410[0x1E]
12:09:10:870 4416 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR
12:09:10:870 4416 DetectCureTDL3: IrpHandler (0) addr: 85ECD1F8
12:09:10:870 4416 DetectCureTDL3: IrpHandler (1) addr: 82AC3437
12:09:10:870 4416 DetectCureTDL3: IrpHandler (2) addr: 85ECD1F8
12:09:10:870 4416 DetectCureTDL3: IrpHandler (3) addr: 85ECD1F8
12:09:10:870 4416 DetectCureTDL3: IrpHandler (4) addr: 85ECD1F8
12:09:10:870 4416 DetectCureTDL3: IrpHandler (5) addr: 82AC3437
12:09:10:870 4416 DetectCureTDL3: IrpHandler (6) addr: 82AC3437
12:09:10:870 4416 DetectCureTDL3: IrpHandler (7) addr: 82AC3437
12:09:10:870 4416 DetectCureTDL3: IrpHandler (8) addr: 82AC3437
12:09:10:870 4416 DetectCureTDL3: IrpHandler (9) addr: 82AC3437
12:09:10:870 4416 DetectCureTDL3: IrpHandler (10) addr: 82AC3437
12:09:10:870 4416 DetectCureTDL3: IrpHandler (11) addr: 82AC3437
12:09:10:870 4416 DetectCureTDL3: IrpHandler (12) addr: 82AC3437
12:09:10:870 4416 DetectCureTDL3: IrpHandler (13) addr: 82AC3437
12:09:10:870 4416 DetectCureTDL3: IrpHandler (14) addr: 85ECD1F8
12:09:10:870 4416 DetectCureTDL3: IrpHandler (15) addr: 85ECD1F8
12:09:10:870 4416 DetectCureTDL3: IrpHandler (16) addr: 82AC3437
12:09:10:870 4416 DetectCureTDL3: IrpHandler (17) addr: 82AC3437
12:09:10:870 4416 DetectCureTDL3: IrpHandler (18) addr: 82AC3437
12:09:10:870 4416 DetectCureTDL3: IrpHandler (19) addr: 82AC3437
12:09:10:870 4416 DetectCureTDL3: IrpHandler (20) addr: 82AC3437
12:09:10:870 4416 DetectCureTDL3: IrpHandler (21) addr: 82AC3437
12:09:10:870 4416 DetectCureTDL3: IrpHandler (22) addr: 85ECD1F8
12:09:10:870 4416 DetectCureTDL3: IrpHandler (23) addr: 85ECD1F8
12:09:10:870 4416 DetectCureTDL3: IrpHandler (24) addr: 82AC3437
12:09:10:870 4416 DetectCureTDL3: IrpHandler (25) addr: 82AC3437
12:09:10:870 4416 DetectCureTDL3: IrpHandler (26) addr: 82AC3437
12:09:10:870 4416 KLMD_ReadMem: Trying to ReadMemory 0x8F765EA2[0x400]
12:09:10:871 4416 TDL3_StartIoHookDetect: CheckParameters: 4, 8F76A000, 0
12:09:10:871 4416 TDL3_FileDetect: Processing driver: USBSTOR
12:09:10:871 4416 TDL3_FileDetect: Processing driver file: C:\Windows\system32\DRIVERS\USBSTOR.SYS
12:09:10:871 4416 KLMD_CreateFileW: Trying to open file C:\Windows\system32\DRIVERS\USBSTOR.SYS
12:09:10:873 4416 TDL3_FileDetect: C:\Windows\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
12:09:10:873 4416
12:09:10:873 4416 DetectCureTDL3: DEVICE_OBJECT: 865CE030
12:09:10:874 4416 KLMD_GetLowerDeviceObject: Trying to get lower device object for 865CE030
12:09:10:874 4416 DetectCureTDL3: DEVICE_OBJECT: 865C05F0
12:09:10:874 4416 KLMD_GetLowerDeviceObject: Trying to get lower device object for 865C05F0
12:09:10:874 4416 KLMD_ReadMem: Trying to ReadMemory 0x865C05F0[0x38]
12:09:10:874 4416 DetectCureTDL3: DRIVER_OBJECT: 864A8BE8
12:09:10:874 4416 KLMD_ReadMem: Trying to ReadMemory 0x864A8BE8[0xA8]
12:09:10:874 4416 KLMD_ReadMem: Trying to ReadMemory 0x86370410[0x1E]
12:09:10:874 4416 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR
12:09:10:874 4416 DetectCureTDL3: IrpHandler (0) addr: 85ECD1F8
12:09:10:874 4416 DetectCureTDL3: IrpHandler (1) addr: 82AC3437
12:09:10:874 4416 DetectCureTDL3: IrpHandler (2) addr: 85ECD1F8
12:09:10:874 4416 DetectCureTDL3: IrpHandler (3) addr: 85ECD1F8
12:09:10:874 4416 DetectCureTDL3: IrpHandler (4) addr: 85ECD1F8
12:09:10:874 4416 DetectCureTDL3: IrpHandler (5) addr: 82AC3437
12:09:10:874 4416 DetectCureTDL3: IrpHandler (6) addr: 82AC3437
12:09:10:874 4416 DetectCureTDL3: IrpHandler (7) addr: 82AC3437
12:09:10:874 4416 DetectCureTDL3: IrpHandler (8) addr: 82AC3437
12:09:10:874 4416 DetectCureTDL3: IrpHandler (9) addr: 82AC3437
12:09:10:874 4416 DetectCureTDL3: IrpHandler (10) addr: 82AC3437
12:09:10:874 4416 DetectCureTDL3: IrpHandler (11) addr: 82AC3437
12:09:10:874 4416 DetectCureTDL3: IrpHandler (12) addr: 82AC3437
12:09:10:874 4416 DetectCureTDL3: IrpHandler (13) addr: 82AC3437
12:09:10:874 4416 DetectCureTDL3: IrpHandler (14) addr: 85ECD1F8
12:09:10:874 4416 DetectCureTDL3: IrpHandler (15) addr: 85ECD1F8
12:09:10:874 4416 DetectCureTDL3: IrpHandler (16) addr: 82AC3437
12:09:10:874 4416 DetectCureTDL3: IrpHandler (17) addr: 82AC3437
12:09:10:874 4416 DetectCureTDL3: IrpHandler (18) addr: 82AC3437
12:09:10:874 4416 DetectCureTDL3: IrpHandler (19) addr: 82AC3437
12:09:10:874 4416 DetectCureTDL3: IrpHandler (20) addr: 82AC3437
12:09:10:874 4416 DetectCureTDL3: IrpHandler (21) addr: 82AC3437
12:09:10:874 4416 DetectCureTDL3: IrpHandler (22) addr: 85ECD1F8
12:09:10:874 4416 DetectCureTDL3: IrpHandler (23) addr: 85ECD1F8
12:09:10:874 4416 DetectCureTDL3: IrpHandler (24) addr: 82AC3437
12:09:10:874 4416 DetectCureTDL3: IrpHandler (25) addr: 82AC3437
12:09:10:874 4416 DetectCureTDL3: IrpHandler (26) addr: 82AC3437
12:09:10:874 4416 KLMD_ReadMem: Trying to ReadMemory 0x8F765EA2[0x400]
12:09:10:874 4416 TDL3_StartIoHookDetect: CheckParameters: 4, 8F76A000, 0
12:09:10:875 4416 TDL3_FileDetect: Processing driver: USBSTOR
12:09:10:875 4416 TDL3_FileDetect: Processing driver file: C:\Windows\system32\DRIVERS\USBSTOR.SYS
12:09:10:875 4416 KLMD_CreateFileW: Trying to open file C:\Windows\system32\DRIVERS\USBSTOR.SYS
12:09:10:877 4416 TDL3_FileDetect: C:\Windows\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
12:09:10:877 4416
12:09:10:877 4416 DetectCureTDL3: DEVICE_OBJECT: 85CE3030
12:09:10:877 4416 KLMD_GetLowerDeviceObject: Trying to get lower device object for 85CE3030
12:09:10:877 4416 DetectCureTDL3: DEVICE_OBJECT: 85BA1940
12:09:10:877 4416 KLMD_GetLowerDeviceObject: Trying to get lower device object for 85BA1940
12:09:10:877 4416 DetectCureTDL3: DEVICE_OBJECT: 85C34030
12:09:10:877 4416 KLMD_GetLowerDeviceObject: Trying to get lower device object for 85C34030
12:09:10:877 4416 KLMD_ReadMem: Trying to ReadMemory 0x85C34030[0x38]
12:09:10:877 4416 DetectCureTDL3: DRIVER_OBJECT: 85B9D158
12:09:10:877 4416 KLMD_ReadMem: Trying to ReadMemory 0x85B9D158[0xA8]
12:09:10:877 4416 KLMD_ReadMem: Trying to ReadMemory 0x84E7D9E8[0x1A]
12:09:10:877 4416 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
12:09:10:877 4416 DetectCureTDL3: IrpHandler (0) addr: 84E721F8
12:09:10:877 4416 DetectCureTDL3: IrpHandler (1) addr: 82AC3437
12:09:10:877 4416 DetectCureTDL3: IrpHandler (2) addr: 84E721F8
12:09:10:877 4416 DetectCureTDL3: IrpHandler (3) addr: 82AC3437
12:09:10:877 4416 DetectCureTDL3: IrpHandler (4) addr: 82AC3437
12:09:10:877 4416 DetectCureTDL3: IrpHandler (5) addr: 82AC3437
12:09:10:877 4416 DetectCureTDL3: IrpHandler (6) addr: 82AC3437
12:09:10:877 4416 DetectCureTDL3: IrpHandler (7) addr: 82AC3437
12:09:10:877 4416 DetectCureTDL3: IrpHandler (8) addr: 82AC3437
12:09:10:877 4416 DetectCureTDL3: IrpHandler (9) addr: 82AC3437
12:09:10:877 4416 DetectCureTDL3: IrpHandler (10) addr: 82AC3437
12:09:10:877 4416 DetectCureTDL3: IrpHandler (11) addr: 82AC3437
12:09:10:877 4416 DetectCureTDL3: IrpHandler (12) addr: 82AC3437
12:09:10:878 4416 DetectCureTDL3: IrpHandler (13) addr: 82AC3437
12:09:10:878 4416 DetectCureTDL3: IrpHandler (14) addr: 88CB247C
12:09:10:878 4416 DetectCureTDL3: IrpHandler (15) addr: 84E721F8
12:09:10:878 4416 DetectCureTDL3: IrpHandler (16) addr: 82AC3437
12:09:10:878 4416 DetectCureTDL3: IrpHandler (17) addr: 82AC3437
12:09:10:878 4416 DetectCureTDL3: IrpHandler (18) addr: 82AC3437
12:09:10:878 4416 DetectCureTDL3: IrpHandler (19) addr: 82AC3437
12:09:10:878 4416 DetectCureTDL3: IrpHandler (20) addr: 82AC3437
12:09:10:878 4416 DetectCureTDL3: IrpHandler (21) addr: 82AC3437
12:09:10:878 4416 DetectCureTDL3: IrpHandler (22) addr: 84E721F8
12:09:10:878 4416 DetectCureTDL3: IrpHandler (23) addr: 84E721F8
12:09:10:878 4416 DetectCureTDL3: IrpHandler (24) addr: 82AC3437
12:09:10:878 4416 DetectCureTDL3: IrpHandler (25) addr: 82AC3437
12:09:10:878 4416 DetectCureTDL3: IrpHandler (26) addr: 82AC3437
12:09:10:878 4416 KLMD_ReadMem: Trying to ReadMemory 0x85BC9701[0x400]
12:09:10:878 4416 TDL3_StartIoHookDetect: CheckParameters: 9, FFDF0308, 1
12:09:10:878 4416 Driver "atapi" StartIo handler infected by TDSS rootkit ... 12:09:10:878 4416 TDL3_StartIoHookCure: Number of patches 1
12:09:10:878 4416 KLMD_WriteMem: Trying to WriteMemory 0x85BC980A[0x6]
12:09:10:878 4416 cured
12:09:10:878 4416 TDL3_FileDetect: Processing driver: atapi
12:09:10:879 4416 TDL3_FileDetect: Processing driver file: C:\Windows\system32\DRIVERS\atapi.sys
12:09:10:879 4416 KLMD_CreateFileW: Trying to open file C:\Windows\system32\DRIVERS\atapi.sys
12:09:10:880 4416 TDL3_FileDetect: C:\Windows\system32\DRIVERS\atapi.sys - Verdict: Clean
12:09:10:880 4416
12:09:10:880 4416 DetectCureTDL3: DEVICE_OBJECT: 85CE27C8
12:09:10:880 4416 KLMD_GetLowerDeviceObject: Trying to get lower device object for 85CE27C8
12:09:10:880 4416 DetectCureTDL3: DEVICE_OBJECT: 85BB2918
12:09:10:880 4416 KLMD_GetLowerDeviceObject: Trying to get lower device object for 85BB2918
12:09:10:880 4416 DetectCureTDL3: DEVICE_OBJECT: 85BB9340
12:09:10:880 4416 KLMD_GetLowerDeviceObject: Trying to get lower device object for 85BB9340
12:09:10:880 4416 KLMD_ReadMem: Trying to ReadMemory 0x85BB9340[0x38]
12:09:10:880 4416 DetectCureTDL3: DRIVER_OBJECT: 85F3F428
12:09:10:880 4416 KLMD_ReadMem: Trying to ReadMemory 0x85F3F428[0xA8]
12:09:10:880 4416 KLMD_ReadMem: Trying to ReadMemory 0x84EA8908[0x38]
12:09:10:880 4416 KLMD_ReadMem: Trying to ReadMemory 0x85B9D158[0xA8]
12:09:10:880 4416 KLMD_ReadMem: Trying to ReadMemory 0x84E7D9E8[0x1A]
12:09:10:880 4416 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
12:09:10:880 4416 DetectCureTDL3: IrpHandler (0) addr: 85BC9856
12:09:10:880 4416 DetectCureTDL3: IrpHandler (1) addr: 85BC9856
12:09:10:880 4416 DetectCureTDL3: IrpHandler (2) addr: 85BC9856
12:09:10:880 4416 DetectCureTDL3: IrpHandler (3) addr: 85BC9856
12:09:10:881 4416 DetectCureTDL3: IrpHandler (4) addr: 85BC9856
12:09:10:881 4416 DetectCureTDL3: IrpHandler (5) addr: 85BC9856
12:09:10:881 4416 DetectCureTDL3: IrpHandler (6) addr: 85BC9856
12:09:10:881 4416 DetectCureTDL3: IrpHandler (7) addr: 85BC9856
12:09:10:881 4416 DetectCureTDL3: IrpHandler (8) addr: 85BC9856
12:09:10:881 4416 DetectCureTDL3: IrpHandler (9) addr: 85BC9856
12:09:10:881 4416 DetectCureTDL3: IrpHandler (10) addr: 85BC9856
12:09:10:881 4416 DetectCureTDL3: IrpHandler (11) addr: 85BC9856
12:09:10:881 4416 DetectCureTDL3: IrpHandler (12) addr: 85BC9856
12:09:10:881 4416 DetectCureTDL3: IrpHandler (13) addr: 85BC9856
12:09:10:881 4416 DetectCureTDL3: IrpHandler (14) addr: 85BC9856
12:09:10:881 4416 DetectCureTDL3: IrpHandler (15) addr: 85BC9856
12:09:10:881 4416 DetectCureTDL3: IrpHandler (16) addr: 85BC9856
12:09:10:881 4416 DetectCureTDL3: IrpHandler (17) addr: 85BC9856
12:09:10:881 4416 DetectCureTDL3: IrpHandler (18) addr: 85BC9856
12:09:10:881 4416 DetectCureTDL3: IrpHandler (19) addr: 85BC9856
12:09:10:881 4416 DetectCureTDL3: IrpHandler (20) addr: 85BC9856
12:09:10:881 4416 DetectCureTDL3: IrpHandler (21) addr: 85BC9856
12:09:10:881 4416 DetectCureTDL3: IrpHandler (22) addr: 85BC9856
12:09:10:881 4416 DetectCureTDL3: IrpHandler (23) addr: 85BC9856
12:09:10:881 4416 DetectCureTDL3: IrpHandler (24) addr: 85BC9856
12:09:10:881 4416 DetectCureTDL3: IrpHandler (25) addr: 85BC9856
12:09:10:881 4416 DetectCureTDL3: IrpHandler (26) addr: 85BC9856
12:09:10:881 4416 DetectCureTDL3: All IRP handlers pointed to one addr: 85BC9856
12:09:10:881 4416 KLMD_ReadMem: Trying to ReadMemory 0x85BC9856[0x400]
12:09:10:881 4416 TDL3_IrpHookDetect: CheckParameters: 4, FFDF0308, 333, 121, 3, 109
12:09:10:881 4416 Driver "atapi" Irp handler infected by TDSS rootkit ... 12:09:10:881 4416 KLMD_WriteMem: Trying to WriteMemory 0x85BC98CF[0xD]
12:09:10:882 4416 cured
12:09:10:882 4416 KLMD_ReadMem: Trying to ReadMemory 0x85BC9701[0x400]
12:09:10:882 4416 TDL3_StartIoHookDetect: CheckParameters: 9, FFDF0308, 0
12:09:10:882 4416 TDL3_FileDetect: Processing driver: atapi
12:09:10:882 4416 TDL3_FileDetect: Processing driver file: C:\Windows\system32\DRIVERS\atapi.sys
12:09:10:882 4416 KLMD_CreateFileW: Trying to open file C:\Windows\system32\DRIVERS\atapi.sys
12:09:10:893 4416 TDL3_FileDetect: C:\Windows\system32\DRIVERS\atapi.sys - Verdict: Infected
12:09:10:893 4416 File C:\Windows\system32\DRIVERS\atapi.sys infected by TDSS rootkit ... 12:09:10:893 4416 TDL3_FileCure: Processing driver file: C:\Windows\system32\DRIVERS\atapi.sys
12:09:11:651 4416 FileCallback: Backup candidate found: C:\Windows\system32\DriverStore\FileRepository\mshdc.inf_x86_neutral_f64b9c35a3a5be81\atapi.sys:21584, checking..
12:09:11:660 4416 ValidateDriverFile: Stage 1 passed
12:09:11:661 4416 ValidateDriverFile: Stage 2 passed
12:09:11:706 4416 DigitalSignVerifyByHandle: Embedded DS result: 00000000
12:09:11:706 4416 ValidateDriverFile: Stage 3 passed
12:09:11:706 4416 FileCallback: File validated successfully, restore information prepared
12:09:13:852 4416 FindDriverFileBackup: Backup copy found in DriverStore
12:09:13:852 4416 TDL3_FileCure: Backup copy found, using it..
12:09:13:852 4416 TDL3_FileCure: Dumping cured buffer to file C:\Windows\system32\drivers\tsk30FF.tmp
12:09:14:369 4416 TDL3_FileCure: New / Old Image paths: (system32\drivers\tsk30FF.tmp, system32\drivers\atapi.sys)
12:09:14:370 4416 TDL3_FileCure: KLMD jobs schedule success
12:09:14:370 4416 will be cured on next reboot
12:09:14:374 4416 UtilityBootReinit: Reboot required for cure complete..
12:09:14:374 4416 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\drivers\klmdb.sys) returned status 00000000
12:09:14:378 4416 UtilityBootReinit: KLMD drop success
12:09:14:379 4416 KLMD_ApplyPendList: Pending buffer(7AC4_36E0, 616) dropped successfully
12:09:14:379 4416 UtilityBootReinit: Cure on reboot scheduled successfully
12:09:14:379 4416
12:09:14:385 4416 Completed
12:09:14:385 4416
12:09:14:386 4416 Results:
12:09:14:387 4416 Memory objects infected / cured / cured on reboot: 2 / 2 / 0
12:09:14:388 4416 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
12:09:14:388 4416 File objects infected / cured / cured on reboot: 1 / 0 / 1
12:09:14:388 4416
12:09:14:388 4416 UnloadDriverW: NtUnloadDriver error 1
12:09:14:388 4416 KLMD_Unload: UnloadDriverW(klmd21) error 1
12:09:14:389 4416 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\drivers\klmd.sys) returned status 00000000
12:09:14:389 4416 UtilityDeinit: KLMD(ARK) unloaded successfully

-----
Now for a quick reboot.
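The TDSSKiller log above shows how the tool finds TDL3 in memory: it walks the storage device stack down to \Driver\atapi, dumps the driver's IRP major-function handlers (indices 0 to 26), first flags and patches the StartIo hook, and on the next pass finds a dispatch table in which every entry points to one address (85BC9856). Note also the two verdicts for the same file: atapi.sys is judged Clean while the hooks are live and Infected immediately after they are removed, which is what you would expect when the hooked driver is handing the original file contents back to whoever reads the file. The following is an added example, not part of the original post and not TDSSKiller code: a small Python parser that extracts exactly those indicators from such a log. The embedded excerpt is a constructed abridgement of the posted log (most IrpHandler rows dropped), and the regexes assume the message formats visible above.

```python
"""Pull TDL3 indicators out of a TDSSKiller log.

Added example for this thread, not part of the original post and not
TDSSKiller code. The regexes assume the message formats visible in the
posted log (DRIVER_OBJECT name, IrpHandler (n) addr, TDL3_FileDetect
verdict, '... handler infected by TDSS rootkit').
"""
import re
from collections import defaultdict

# Constructed, abridged excerpt modelled on the posted log: the two dispatch
# table dumps for \Driver\atapi (before and after the StartIo cure), the two
# hook messages and the two atapi.sys verdicts. Most IrpHandler rows were
# dropped for brevity; the indices and addresses kept are from the post.
SAMPLE_LOG = r"""
12:09:10:877 4416 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
12:09:10:877 4416 DetectCureTDL3: IrpHandler (0) addr: 84E721F8
12:09:10:877 4416 DetectCureTDL3: IrpHandler (1) addr: 82AC3437
12:09:10:877 4416 DetectCureTDL3: IrpHandler (2) addr: 84E721F8
12:09:10:878 4416 DetectCureTDL3: IrpHandler (14) addr: 88CB247C
12:09:10:878 4416 DetectCureTDL3: IrpHandler (15) addr: 84E721F8
12:09:10:878 4416 Driver "atapi" StartIo handler infected by TDSS rootkit ... 12:09:10:878 4416 TDL3_StartIoHookCure: Number of patches 1
12:09:10:878 4416 cured
12:09:10:880 4416 TDL3_FileDetect: C:\Windows\system32\DRIVERS\atapi.sys - Verdict: Clean
12:09:10:880 4416 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
12:09:10:880 4416 DetectCureTDL3: IrpHandler (0) addr: 85BC9856
12:09:10:880 4416 DetectCureTDL3: IrpHandler (1) addr: 85BC9856
12:09:10:880 4416 DetectCureTDL3: IrpHandler (2) addr: 85BC9856
12:09:10:881 4416 DetectCureTDL3: IrpHandler (14) addr: 85BC9856
12:09:10:881 4416 DetectCureTDL3: IrpHandler (15) addr: 85BC9856
12:09:10:881 4416 Driver "atapi" Irp handler infected by TDSS rootkit ... 12:09:10:881 4416 KLMD_WriteMem: Trying to WriteMemory 0x85BC98CF[0xD]
12:09:10:882 4416 cured
12:09:10:893 4416 TDL3_FileDetect: C:\Windows\system32\DRIVERS\atapi.sys - Verdict: Infected
"""

DRIVER_RE = re.compile(r"DRIVER_OBJECT name: \\Driver\\(\w+)")
IRP_RE = re.compile(r"IrpHandler \((\d+)\) addr: ([0-9A-Fa-f]+)")
VERDICT_RE = re.compile(r"TDL3_FileDetect: (\S+) - Verdict: (\w+)")
HOOK_RE = re.compile(r'Driver "(\w+)" (StartIo|Irp) handler infected')


def parse_dispatch_tables(log):
    """Return [(driver_name, {irp_major: handler_addr})] in dump order.
    Each DRIVER_OBJECT name line opens a new table; IrpHandler rows fill it."""
    tables = []
    for line in log.splitlines():
        m = DRIVER_RE.search(line)
        if m:
            tables.append((m.group(1), {}))
            continue
        m = IRP_RE.search(line)
        if m and tables:
            tables[-1][1][int(m.group(1))] = int(m.group(2), 16)
    return tables


def collapsed_dispatch(table):
    """The tell-tale TDSSKiller prints as 'All IRP handlers pointed to one
    addr': every dumped major routes to a single address. A real driver has
    several distinct handlers, so one target for the whole table means the
    table was redirected wholesale."""
    return len(table) > 1 and len(set(table.values())) == 1


def redirected_since(before, after):
    """Majors whose target differs between two dumps of the same driver."""
    return {i: (before[i], after[i])
            for i in before if i in after and before[i] != after[i]}


def verdict_history(log):
    """File path -> list of verdicts in the order they were reported."""
    hist = defaultdict(list)
    for line in log.splitlines():
        m = VERDICT_RE.search(line)
        if m:
            hist[m.group(1)].append(m.group(2))
    return dict(hist)


def verdict_flips(log):
    """Files judged differently at different points of the run, e.g. Clean
    while a disk hook is live and Infected once the hook is gone."""
    return {f: v for f, v in verdict_history(log).items() if len(set(v)) > 1}


def hooked_drivers(log):
    """Driver -> sorted list of hook kinds TDSSKiller reported for it."""
    found = defaultdict(set)
    for m in HOOK_RE.finditer(log):
        found[m.group(1)].add(m.group(2))
    return {k: sorted(v) for k, v in found.items()}


def analyse(log):
    """One human-readable finding per indicator present in the log."""
    by_driver = defaultdict(list)
    for name, table in parse_dispatch_tables(log):
        by_driver[name].append(table)
    findings = []
    for name, dumps in by_driver.items():
        for n, t in enumerate(dumps):
            if collapsed_dispatch(t):
                addr = next(iter(t.values()))
                findings.append(f"{name}: dump {n} routes all {len(t)} dumped majors to {addr:08X}")
        for a, b in zip(dumps, dumps[1:]):
            changed = redirected_since(a, b)
            if changed:
                findings.append(f"{name}: {len(changed)} handler(s) changed target between consecutive dumps")
    for path, verdicts in verdict_flips(log).items():
        findings.append(f"{path}: verdict changed {' -> '.join(verdicts)}")
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

Run against a full TDSSKiller log the same three kinds of finding appear: a dispatch table collapsed onto one address, a table that changed between two walks of the same driver, and a file whose verdict flipped from Clean to Infected once the in-memory hooks were removed. The last one is the reason a file scan alone is not enough against TDL3: the disk reads were being answered by the rootkit.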
Old 02-02-2010, 12:23   #6
snotkwal
 
Wished level of difficulty at answer: 4.
Operating System:
Windows 7 Professional
Antivirus: AVG
Firewall: AVG
Posts: 5
MBAM is giving me good news.
I'll keep an eye on it for another hour or so to see whether anything else turns up, and if not,
then you've fixed it, right? Thanks, Smeenk.
So I should move this over to 'Solved' then, I assume?

-------
Malwarebytes' Anti-Malware 1.44
Database version: 3677
Windows 6.1.7600
Internet Explorer 8.0.7600.16385

2/2/2010 12:21:01
mbam-log-2010-02-02 (12-21-01).txt

Scan type: Quick Scan
Objects scanned: 99606
Time elapsed: 5 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
Old 02-02-2010, 12:35   #7
smeenk
Security Expert
Wished level of difficulty at answer: 5. Expert
Operating System:
Windows Vista Ultimate
Antivirus: Ms Security Essentials
Firewall: Windows Firewall
Posts: 33,007
I also think it's clean.

Turn off System Restore, restart the computer, and turn System Restore back on after the restart.
Read here how and why to do this: http://users.telenet.be/marcvn/spyware/1852808.htm

Regards, smeenk
Copyright ©2004 - 2010, Nucia Security / Stichting Nucia