win32/Mebroot.K Trojan

[earl]

Rootkit je tam porad,vecer po 23 napisu dalsi postup.

[Brucoun]

jujky .. netrpelive cekam .. pls nezapomen na me ..

stejne nechapu kde to tam vidis .. ))

[earl]

Pardon za pozdni reakci.

Stahnete a spustte ESET Mebroot Remover

Stahnete MBR ulozte ho na plochu-spustte - vytvori se log mbr.log, vlozte ho cely sem.

[Brucoun]

v pohode ... vecir to vyzkousim .. ))) a pak to sem hodim.

[earl]

Ok.

[Brucoun]

Zdravim.. tak jsem provedl prvni cast .. Tedy pustil jsem z plochy v normalním režimu

ESET Mebroot Remover

ale nejak rychle to probehlo ... a napsalo to MBR rootkit (Win32/Mebroot) was not found on you system. hmm za chvilku sem hodim ten log z MBR

[Brucoun]

tak log z MBR:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
malicious code @ sector 0x1d1c06c0 size 0x1fd !
copy of MBR has been found in sector 62 !
PE file found in sector at 0x01D1C06C0 !


vypada stejne jak ten minulej

[earl]

Stahnete a pouzijte Fixmebroot
Pak spustte opet MBR.
Z obou vlozte log.

[Brucoun]

Stahnete a pouzijte Fixmebroot
Pak spustte opet MBR.
Z obou vlozte log.

Provedeno... log z Fixmebroot:

FixMebroot v1.0.1

FixMebroot has finished scanning your MBR.
It contains no Mebroot infection.

log z MBR:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
malicious code @ sector 0x1d1c06c0 size 0x1fd !
copy of MBR has been found in sector 62 !
PE file found in sector at 0x01D1C06C0 !

...

[Brucoun]

jen jeste pro jistotu poznamku... ten Fixmebroot jsem spustil a po OK to hned udelalo log .. to je v poradku ??? )) nic jako scan u antiviraku to neprobihalo ....

[earl]

ten Fixmebroot jsem spustil a po OK to hned udelalo log .. to je v poradku ???

Ano,je.

Takze znovu zopakujeme tento postup:

stahnete MBR

presunte mbr.exe do adresare C:\Windows

dalsi postup jest nasledujici:

Start/Spustit a do chlivecku napiste cmd a stisk Enter.

vybafne na vas okenko prikazoveho radku; vy nadatlujte rucne prikaz:

mbr.exe -f

a stisknete Enter

Po provedeni operace restartujte a spustte mbr jeste jednou, jiz normalne a vlozte sem log.

[Brucoun]

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
malicious code @ sector 0x1d1c06c0 size 0x1fd !
copy of MBR has been found in sector 62 !
PE file found in sector at 0x01D1C06C0 !

[earl]

1. Připravím si instalační CD Windows XP
2. Pokud používám speciální SCSI, nebo RAID ovladače, tak si najdu též disketu s ovladačem
3. Vzpomenu si na heslo uživatele administrator *)
4. V BIOSu si zařídím aby se systém zavedl (boot) z CD
5. Restartem PC a zavedením z CD se spustí instalace
6. Pokud používám nějaké speciální ovladač SCSI, nebo RAID, tak stihnu F6 jejich zavedení z diskety
7. Zvolením R přejdu do konzoly pro zotavení (ve znakovém režimu)
8. Konzola ohledá připojené disky a nabídne seznam nalezených instalací. např:

   Kód: Vybrat vše

   1. C:\WINDOWS

9. Po výzvě

   Kód: Vybrat vše

   Ke které instalaci Windows se chcete přihlásit:

   odpovím číslem zvolené instalace, třeba: 1
   POZOR: NumLock na klávesnici nesvítí!
10. Zadám heslo uživatele administrator a octnu se v adresáři %WINDIR% (obvykle C:\WINDOWS)
11. V příkazovém řádku zadám příkaz

    Kód: Vybrat vše

    fixmbr

12. Zadám příkaz

    Kód: Vybrat vše

    EXIT

    pro restart PC

Pak znovu spustit mbr a log dat sem.

[earl]

Pokud jste jeste nepouzil tu Konzoli pro zotaveni s prikazem fixmbr,tak udelejte misto toho tuto akci:

Upozorneni toto dela uzivatel na vlastni riziko,Mebroot je Master Boot Record Rootkit,ktery je zavrtan v 62 sektoru pevneho disku.V pokrocile fazi infekce nepomohou utility na odstraneni a je nutne prepsat infikovane sektory rucne.Beznym formatem neni mozne tuto infiltraci odstranit,jak by se nekomu mohlo zdat.

Navod si klidne vytisknete,at mate pevne voditko.

A postupujte PRESNE dle navodu.

1:Vypni Firewall>spust program HXD<klikni hore na ikonku pevneho disku>na karte ktora sa objavi>pod Fyzicke disky>Klik >oznac PEVNY DISK>vyber fajku >otvor len na citanie>klik>ok a este raz OK>


2:V pravo hore >je napisane >sector>a okienko + sipky>budes nastavovat a hladat sectory so sipkamy>sector 0>je MBR>a sector -63 je BOOT>Nebabrat>sector 1-62 maju byt Nulove>000000000000.

3:Program HXD otvor na plnu obrazovku>nastav so sipkou sector napriklad-1>ak cely sector 1-je nulova stlac lavu mysku oznac ho> pravy klik kopirovat presne cely nulovy sector>ale presne od ciary po ciaru

4:Skontroluj zo sipkamy sectory 1-62 a kde nie je cely sector nulovy stlac lavu mysku oznac presne cely sector>pravy klik>PREPISAT.

5:prepisu sa ti na cerveno>na 0000000-ly>ak toto budes mat klik v pravom hornom rohu na krizik a zatvor program HXD,objavi sa ti okno ci chces zmenu ulozit suhlasis.Zatvoris program HXD>restartnes >PC< a po restarte spust mbr.exe a vloz sem log.
Nepomyl sa nie ze zacnes prepisovat logicke disky



Sectory 1 az 62 maju vyzerat takto:
Kód:
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Pak spustte opet mbr a vlozte log.

[Brucoun]

jujky .. udelal jsem to prvni

tedy pres konzolu zotaveni, ale nic se nezmenilo .. tady je log :

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
malicious code @ sector 0x1d1c06c0 size 0x1fd !
copy of MBR has been found in sector 62 !
PE file found in sector at 0x01D1C06C0 !


predpokladam ze ted muzu udelat to druhe ... projistotu mi to potvrdte ...

A kde stahnu ten HXD ?? .. stahnul jsem ho na

http://www.stahuj.centrum.cz/vyvojove_n ... itory/hxd/

doufam ze je to ono .. ))