TSR.BOOT virus

[rey_619]

ten druhy dump hdd1 oznacil eset ako virus (pravdepodobne neznamy TSR.BOOT) a zmazal, tak som vypol ochranu a znova dal scan.
http://leteckaposta.cz/276054085

[vyosek]

Spustte MBRScan

• Pokud pouzivate Win Vista ci W7, kliknete na MBRScan pravym a dejte Run As Administrator ci Spustit jako spravce
• Kliknete na Report
• Po chvilce se objevi log do souboru MBRScan.txt, ten sem vlozte

[rey_619]

Kód: Vybrat vše

MBRScan v1.1.1

OS             : Windows XP Home Service Pack 3 (32 bit)
PROCESSOR      : x86 Family 15 Model 2 Stepping 9, GenuineIntel
BOOT           : Normal Boot
DATE           : 2012/03/20 (ISO 8601) at 22:58:24
________________________________________________________________________________

DISK           : Device\Harddisk0\DR0 __ST340014A (3.06)
BUS_TYPE       : (0x03)  P-ATA
USE_PIO        : YES
MAX_TRANSFER   : 128 Kb
ALIGNMENT_MASK : word aligned
________________________________________________________________________________

DISK           : Device\Harddisk1\DR13 __Flash 2.0 Disk (5.00)
BUS_TYPE       : (0x07)  USB
USE_PIO        : NO
MAX_TRANSFER   : 64 Kb
ALIGNMENT_MASK : byte aligned
________________________________________________________________________________

Device\Harddisk0\DR0	37.27 Go  [Fixed] ==> XP MBR Code

MBR_MD5   : 68C937B657301C3BF1A6E3FDD0A2BCFA
MBR_SHA1  : 50617F6D34E0C978247ADB9100F7E7CD7139AD50

Device\Harddisk0\Partition1	9.77 Go  	0x07 NTFS / HPFS __ BOOTABLE __
Device\Harddisk0\Partition2	27.50 Go  	0x07 NTFS / HPFS
________________________________________________________________________________

Device\Harddisk1\DR13	973.5 Mo  [Removable] ==> Unknown MBR Code

MBR_MD5   : 17C826E2205772D7AF638DEE4537FE38
MBR_SHA1  : 249C42E07D07FEE6A2E6C9ABFC59E6BF424AAC8D

Device\Harddisk1\Partition1	964.8 Mo __ BOOTABLE __
________________________________________________________________________________

############################### Additional scan ################################

DRIVER  : C:\WINDOWS\System32\Drivers\dump_atapi.sys => Invisible on the disk
ADDRESS : 0xEEAEB000
SIZE    : 96.0 Ko

DRIVER  : C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS => Invisible on the disk
ADDRESS : 0xF7C22000
SIZE    : 8.0 Ko

DRIVER  : C:\DOCUME~1\Lenka\LOCALS~1\Temp\aswMBR.sys => Invisible on the disk
ADDRESS : 0xEDDC0000
SIZE    : 48.0 Ko

SystemStartOptions : NOEXECUTE=OPTIN  FASTDETECT

________________________________________________________________________________

_______MBR   \Device\Harddisk0\DR0  

0x00000000   33 C0 8E D0 BC 00 7C FB 50 07 50 1F FC BE 1B 7C   3À.м.|ûP.P.ü¾.|
0x00000010   BF 1B 06 50 57 B9 E5 01 F3 A4 CB BD BE 07 B1 04   ¿..PW¹å.ó¤Ë½¾.±.
0x00000020   38 6E 00 7C 09 75 13 83 C5 10 E2 F4 CD 18 8B F5   8n.|.u..Å.âôÍ..õ
0x00000030   83 C6 10 49 74 19 38 2C 74 F6 A0 B5 07 B4 07 8B   .Æ.It.8,tö.µ.´..
0x00000040   F0 AC 3C 00 74 FC BB 07 00 B4 0E CD 10 EB F2 88   ð¬<.tü»..´.Í.ëò.
0x00000050   4E 10 E8 46 00 73 2A FE 46 10 80 7E 04 0B 74 0B   N.èF.s*þF..~..t.
0x00000060   80 7E 04 0C 74 05 A0 B6 07 75 D2 80 46 02 06 83   .~..t..¶.uÒ.F...
0x00000070   46 08 06 83 56 0A 00 E8 21 00 73 05 A0 B6 07 EB   F...V..è!.s..¶.ë
0x00000080   BC 81 3E FE 7D 55 AA 74 0B 80 7E 10 00 74 C8 A0   ¼.>þ}Uªt..~..tÈ.
0x00000090   B7 07 EB A9 8B FC 1E 57 8B F5 CB BF 05 00 8A 56   ·.ë©.ü.W.õË¿...V
0x000000A0   00 B4 08 CD 13 72 23 8A C1 24 3F 98 8A DE 8A FC   .´.Í.r#.Á$?..Þ.ü
0x000000B0   43 F7 E3 8B D1 86 D6 B1 06 D2 EE 42 F7 E2 39 56   C÷ã.Ñ.Ö±.ÒîB÷â9V
0x000000C0   0A 77 23 72 05 39 46 08 73 1C B8 01 02 BB 00 7C   .w#r.9F.s.¸..».|
0x000000D0   8B 4E 02 8B 56 00 CD 13 73 51 4F 74 4E 32 E4 8A   .N..V.Í.sQOtN2ä.
0x000000E0   56 00 CD 13 EB E4 8A 56 00 60 BB AA 55 B4 41 CD   V.Í.ëä.V.`»ªU´AÍ
0x000000F0   13 72 36 81 FB 55 AA 75 30 F6 C1 01 74 2B 61 60   .r6.ûUªu0öÁ.t+a`
0x00000100   6A 00 6A 00 FF 76 0A FF 76 08 6A 00 68 00 7C 6A   j.j..v..v.j.h.|j
0x00000110   01 6A 10 B4 42 8B F4 CD 13 61 61 73 0E 4F 74 0B   .j.´B.ôÍ.aas.Ot.
0x00000120   32 E4 8A 56 00 CD 13 EB D6 61 F9 C3 49 6E 76 61   2ä.V.Í.ëÖaùÃInva
0x00000130   6C 69 64 20 70 61 72 74 69 74 69 6F 6E 20 74 61   lid partition ta
0x00000140   62 6C 65 00 45 72 72 6F 72 20 6C 6F 61 64 69 6E   ble.Error loadin
0x00000150   67 20 6F 70 65 72 61 74 69 6E 67 20 73 79 73 74   g operating syst
0x00000160   65 6D 00 4D 69 73 73 69 6E 67 20 6F 70 65 72 61   em.Missing opera
0x00000170   74 69 6E 67 20 73 79 73 74 65 6D 00 00 00 00 00   ting system.....
0x00000180   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000190   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x000001A0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x000001B0   00 00 00 00 00 2C 44 63 96 C4 96 C4 00 00 80 01   .....,Dc.Ä.Ä....
0x000001C0   01 00 07 EF FF FF 3F 00 00 00 71 9D 38 01 00 EF   ...ï..?...q.8..ï
0x000001D0   FF FF 0F EF FF FF B0 9D 38 01 60 F0 6F 03 00 00   ...ï..°.8.`ðo...
0x000001E0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x000001F0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA   ..............Uª

_______MBR   \Device\Harddisk1\DR13  

0x00000000   EB 3C 90 4D 53 44 4F 53 35 2E 30 00 02 20 4A 00   ë<.MSDOS5.0.. J.
0x00000010   02 00 02 00 00 F0 F2 00 3F 00 FF 00 00 00 00 00   .....ðò.?.......
0x00000020   BB 26 1E 00 00 00 29 5E 7F 36 F9 46 36 55 53 42   »&....)^.6ùF6USB
0x00000030   58 50 49 4E 53 54 46 41 54 31 36 20 20 20 FA 31   XPINSTFAT16   ú1
0x00000040   C0 8E D8 B4 10 8E D0 BC FE FF FB E8 95 00 57 B2   À.Ø´..мþ.ûè..W²
0x00000050   80 E8 8F 00 57 80 E2 7F E8 88 00 57 80 C2 81 80   .è..W.â.è..W.Â..
0x00000060   FA 84 75 ED BE 47 7D E8 20 00 B9 09 00 58 E8 09   ú.uí¾G}è .¹..Xè.
0x00000070   00 E2 FA E8 14 00 FB F4 EB FC 24 07 0C 30 1E 60   .âúè..ûôëü$..0.`
0x00000080   BB 07 00 B4 0E CD 10 61 1F C3 FC AC 3C 00 74 52   »..´.Í.a.Ãü¬<.tR
0x00000090   E8 EB FF EB F5 1E 60 66 0F B6 04 48 BE 00 7E 66   èë.ëõ.`f.¶.H¾.~f
0x000000A0   C7 04 10 00 01 00 89 5C 04 8C 54 06 66 89 44 08   Ç......\..T.f.D.
0x000000B0   B0 00 66 89 44 0C B4 42 CD 13 61 1F 72 1C 83 CF   °.f.D.´BÍ.a.r..Ï
0x000000C0   02 EB 33 1E 60 0F B6 0C B6 00 16 07 B8 01 02 CD   .ë3.`.¶.¶...¸..Í
0x000000D0   13 61 1F 72 05 83 CF 04 EB 1C 1E 60 B4 00 CD 13   .a.r..Ï.ë..`´.Í.
0x000000E0   61 1F C3 31 FF 31 DB BE AE 7D B9 03 00 E8 A5 FF   a.Ã1.1Û¾®}¹..è¥.
0x000000F0   E8 D0 FF E2 F8 C3 59 80 C7 02 46 80 FF 14 72 EA   èÐ.âøÃY.Ç.F...rê
0x00000100   47 66 BE 0D 66 19 00 66 B9 5F F3 6E 3C 66 A1 B8   Gf¾.f..f¹_ón<f¡¸
0x00000110   7D 52 53 66 F7 E6 66 01 C8 36 30 67 FF 4B 75 F3   }RSf÷æf.È60g.Kuó
0x00000120   5D 66 31 C0 66 99 66 03 46 F8 66 13 56 FC 83 ED   ]f1Àf.f.Føf.Vü.í
0x00000130   08 75 F3 66 09 D0 5A 75 A9 66 81 7E 00 46 4C 42   .uóf.ÐZu©f.~.FLB
0x00000140   54 75 9F 16 6A 40 CB 42 6F 6F 74 20 66 72 6F 6D   Tu..j@ËBoot from
0x00000150   20 55 53 42 20 64 69 73 6B 20 66 61 69 6C 65 64    USB disk failed
0x00000160   2C 20 73 74 61 74 75 73 20 3C 00 3E 2E 0D 0A 50   , status <.>...P
0x00000170   72 65 73 73 20 43 74 72 6C 2B 41 6C 74 2B 44 65   ress Ctrl+Alt+De
0x00000180   6C 20 74 6F 20 72 65 62 6F 6F 74 2E 0D 0A 00 00   l to reboot.....
0x00000190   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x000001A0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 03   ................
0x000001B0   04 05 06 07 08 09 0A 0B B9 E3 C9 D7 00 00 80 01   ........¹ãÉ×....
0x000001C0   01 00 07 FE 3F 7A 3F 00 00 00 7C 26 1E 00 00 00   ...þ?z?...|&....
0x000001D0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x000001E0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x000001F0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA   ..............Uª

[vyosek]

Zajimave, ze na virustotalu je ten dump OK i ze strany NODu https://www.virustotal.com/file/3f019bb ... 332281411/

Predpokladam, ze ESET hlasil nalez v tom Dump_Hdd1_DR13.mbr, je tak

Nicmene jej zaslu kolegum z ESETu aby jej prozkoumali...

[rey_619]

ano tak ako pisete, poznate nejaky program, co vymaze mbr z flash disku? inaksi sposob nevidim, lebo z mbr sektoru nod ten virus nevie zmazar, ale akonahle je na ploche v dump uz ho vie zmazat

[vyosek]

Ale on tam neni, je to dle meho falesny poplach...jelikoz i ten mbr sektor kdyz jsme si ulozili, tak je cisty...

Predam kolegum z ESETu do interni sekce, at na to mrknou...

A ja neco o tom ESETu a jeho pouzivani psal, ne

[rey_619]

ano psali ste mi o esete, ale zatial kym to nevyriesim tak mi je napomocny, lebo iny AV mi ten virus nehlasi. este skusim nieco pohladat nejake utility na mazanie mbr.
a inak dakujem za ochotu

[vyosek]

Asi takhle, pokud si hodlate hledat a zkouset, fajn, ale toho se ucastnit nebudu a zde to ukoncim....

Znovu opakuji, na 99% se jedna o falesny poplach, proto ani ten mbr nefixuju, ac samozrejme znam utility a prikazy jak na to...

Jiny antivir jej nehlasi, cim to asi bude, ze by ESET byl nejdokonalejsi a zadny jiny tuhle mrchu nemel v databazi

[rey_619]

pokial viete ako to fixnut prosim este s tymto mi pomozte. ze je to falosny poplach viete len vy a ja, ale ked niekomu vlozim usb kluc do PC a nabehne hlasenie o viruse, tak jemu nevysvetlim, ze to je iba fake. viem ako som sa blbo naposledy citil, ked mi veduci v labaku daval nieco na usb a vyhodilo mu tam tento virus. bolo to neprijemne pre mna a tiez aj pre neho a urcite uz nema doveru, aby si do PC odo mna nieco vkladal

[vyosek]

Ono je tam chyba jen v dane virove databazi zrejme, pripadne u vas, jelikoz i nod na vt mlci

Zatim nema cenu tam nic fixovat a davat tam nejaky standardni zavadec nejakeho OS - pockam na vyjadreni kolegu z ESETu proc dochazi k teto detekci a pak pripadne udelame opravu daneho mbr

[rey_619]

v poriadku a dakujem velmi pekne

[vyosek]

Prosim tedy o strpeni nez to kolegove proberou i treba se svym viruslabem...

Jinak neni zac

[vyosek]

Jeste se zeptam, jakou mate verzi virove databaze

[rey_619]

vsak najnovsiu, kazdy den sa akualizuje. teraz konkretne 6986 (20120321)

[vyosek]

Dobra diky, ja jen pro kolegy...