PC virus removal, computer speed-up, remote help via the neslape.cz service

MBR sector of the 1. physical disk - Win32/Mebroot.K trojan

Have a virus problem? Post a log from FRST or RSIT here.

Moderator: Moderators

Forum rules
If you want help, post a log from FRST [guide here] or RSIT [guide here]

Individual threads will be locked once resolved, as will those inactive for more than 14 days. See the Rule on locking topics. Thank you for understanding.

!NEW!
You can now use the remote help service, where a specialist connects to your computer and gets the details of the problem from you by phone! More at www.neslape.cz
FunTomason
Visitor
Posts: 33
Registered: 24 Oct 2009 11:14

MBR sector of the 1. physical disk - Win32/Mebroot.K trojan

#1 Post by FunTomason »

Hello,
please help me with virus removal.

Log from NOD: MBR sector of the 1. physical disk - Win32/Mebroot.K trojan

I have two disks, one of which is further split into two logical disks, and all of them have this pest in the boot sector.

Thanks in advance.

I also generated an RSIT log as per the guide:

Logfile of random's system information tool 1.06 (written by random/random)
Run by Administrator at 2010-03-05 13:08:48
Systém Microsoft Windows XP Professional Service Pack 3
System drive C: has 19 GB (54%) free of 35 GB
Total RAM: 1535 MB (69% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:08:54, on 5.3.2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Documents and Settings\Administrator\Local Settings\Data aplikací\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Data aplikací\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Data aplikací\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Plocha\RSIT.exe
E:\Instal\Antivir\HijackThis\Administrator.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MagicKey] C:\PROGRA~1\MEDIAK~1\MagicKey.exe
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ICQ] "C:\Program Files\ICQ6.5\ICQ.exe" silent
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Administrator\Local Settings\Data aplikací\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10c.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: WikiKomentáře Google... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{888D5BBD-AF14-4C54-8474-85C53CE992F1}: NameServer = 81.90.173.1,81.90.168.3
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 7165 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1801674531-1957994488-682003330-500Core.job
C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1801674531-1957994488-682003330-500UA.job
C:\WINDOWS\tasks\User_Feed_Synchronization-{BE28AA0B-9EC9-446A-B2AD-AAA61E0F4FC8}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2005-09-24 63136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22BF413B-C6D2-4d91-82A9-A0F997BA588C}]
Skype add-on (mastermind) - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2007-06-08 976424]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2009-12-09 263280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll [2009-12-08 764912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-12-06 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-12-06 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2009-12-09 263280]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"=C:\WINDOWS\SOUNDMAN.EXE [2006-11-17 577536]
"NvCplDaemon"=C:\WINDOWS\System32\NvCpl.dll [2007-12-05 8523776]
"nwiz"=nwiz.exe /install []
"NvMediaCenter"=C:\WINDOWS\System32\NvMcTray.dll [2007-12-05 81920]
"MagicKey"=C:\PROGRA~1\MEDIAK~1\MagicKey.exe [2004-03-15 45056]
"dvd43"=C:\Program Files\dvd43\dvd43_tray.exe [2005-12-05 691200]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-12-06 149280]
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]
"RemoteControl"=C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2005-01-12 32768]
"HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [2007-03-11 49152]
"egui"=C:\Program Files\ESET\ESET Smart Security\egui.exe [2009-10-07 1461080]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
"Skype"=C:\Program Files\Skype\Phone\Skype.exe [2007-06-08 23233576]
"ICQ"=C:\Program Files\ICQ6.5\ICQ.exe [2009-03-01 172792]
"NBJ"=C:\Program Files\Ahead\Nero BackItUp\NBJ.exe [2005-02-10 1937408]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2009-12-06 39408]
"Google Update"=C:\Documents and Settings\Administrator\Local Settings\Data aplikací\Google\Update\GoogleUpdate.exe [2010-03-05 135664]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"=C:\WINDOWS\system32\Macromed\Flash\FlashUtil10c.exe [2009-07-18 257440]

C:\Documents and Settings\All Users\Nabídka Start\Programy\Po spuštění
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"=C:\PROGRA~1\DVDREG~1\DVDShell.dll [2004-10-09 49152]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"E:\Instal\StrongDC\StrongDC.exe"="E:\Instal\StrongDC\StrongDC.exe:*:Enabled:StrongDC++"
"C:\Program Files\ICQ6.5\ICQ.exe"="C:\Program Files\ICQ6.5\ICQ.exe:*:Enabled:ICQ6"
"C:\Program Files\Java\jre1.5.0_03\bin\javaw.exe"="C:\Program Files\Java\jre1.5.0_03\bin\javaw.exe:*:Enabled:Java(TM) 2 Platform Standard Edition binary"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype. Take a deep breath "

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

======List of files/folders created in the last 1 months======

2010-03-05 12:37:30 ----D---- C:\WINDOWS\LastGood
2010-03-05 12:37:18 ----SHD---- C:\Config.Msi

======List of files/folders modified in the last 1 months======

2010-03-05 13:08:03 ----D---- C:\WINDOWS\Temp
2010-03-05 12:57:33 ----D---- C:\WINDOWS\Prefetch
2010-03-05 12:55:50 ----SD---- C:\WINDOWS\Tasks
2010-03-05 12:47:55 ----HD---- C:\WINDOWS\inf
2010-03-05 12:42:51 ----HD---- C:\WINDOWS\$hf_mig$
2010-03-05 12:42:51 ----D---- C:\WINDOWS
2010-03-05 12:39:23 ----A---- C:\WINDOWS\NeroDigital.ini
2010-03-05 12:39:00 ----A---- C:\WINDOWS\DVDRegionFree.INI
2010-03-05 12:38:47 ----SHD---- C:\WINDOWS\Installer
2010-03-05 12:38:36 ----D---- C:\WINDOWS\system32\drivers
2010-03-05 12:37:22 ----D---- C:\WINDOWS\system32\CatRoot2
2010-03-05 12:36:35 ----D---- C:\Documents and Settings\Administrator\Data aplikací\Skype

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdK8;Ovladač procesoru AMD; C:\WINDOWS\System32\DRIVERS\AmdK8.sys [2005-03-09 42496]
R1 easdrv;easdrv; C:\WINDOWS\System32\DRIVERS\easdrv.sys [2009-10-07 54184]
R1 epfwtdi;epfwtdi; C:\WINDOWS\System32\DRIVERS\epfwtdi.sys [2009-10-07 55256]
R2 epfw;epfw; C:\WINDOWS\System32\DRIVERS\epfw.sys [2009-10-07 73760]
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2007-03-08 4027840]
R3 dvd43llh;dvd43llh; C:\WINDOWS\System32\DRIVERS\dvd43llh.sys [2009-10-23 18816]
R3 Epfwndis;Eset Personal Firewall; C:\WINDOWS\System32\DRIVERS\Epfwndis.sys [2009-10-07 32072]
R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service; C:\WINDOWS\System32\DRIVERS\fetnd5bv.sys [2007-04-17 42496]
R3 nv;nv; C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2007-12-05 7435392]
R3 pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2009-10-23 9856]
R3 usbehci;Ovladač miniportu rozšířeného radiče hostitele Microsoft USB 2.0; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Ovladač standardního rozbočovače USB; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Ovladač Microsoft univerzálního hostitelského řadiče USB od společnosti Microsoft; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S2 eamon;EAMON; C:\WINDOWS\System32\DRIVERS\eamon.sys [2009-10-07 40824]
S3 FETNDIS;VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver; C:\WINDOWS\System32\DRIVERS\fetnd5.sys [2001-08-17 27165]
S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2007-03-08 49920]
S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2007-03-08 16496]
S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2007-03-08 21568]
S3 mbr;mbr; \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mbr.sys []
S3 usbccgp;Obecný nadřazený ovladač Microsoft USB; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-14 32128]
S3 USBCM;Scientific-Atlanta USB Cable Modem Driver; C:\WINDOWS\system32\DRIVERS\Sacm2A.sys [2004-06-10 15429]
S3 usbprint;Třída USB Printer; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-14 25856]
S3 usbscan;Ovladač skeneru USB; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-14 15104]
S3 USBSTOR;Ovladač velkokapacitního paměťového zařízení USB; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 ekrn;Eset Service; C:\Program Files\ESET\ESET Smart Security\ekrn.exe [2009-10-07 472280]
R2 hpqddsvc;Služba HP CUE DeviceDiscovery; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-12-06 153376]
R2 Net Driver HPZ12;Net Driver HPZ12; C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\System32\nvsvc32.exe [2007-12-05 155716]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]
R3 hpqcxs08;hpqcxs08; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 32768]
S3 EhttpSrv;Eset HTTP Server; C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe [2009-10-07 20680]
S3 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-12-06 182768]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 WMPNetworkSvc;Služba Windows Media Player Network Sharing; C:\Program Files\Windows Media Player\WMPNetwk.exe [2007-01-05 913920]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]

-----------------EOF-----------------

FunTomason
Visitor
Posts: 33
Registered: 24 Oct 2009 11:14

Re: MBR sector of the 1. physical disk - Win32/Mebroot.K trojan

#2 Post by FunTomason »

Ah, sorry,
the other day I only started dealing with this problem when I was already out of time and had to leave the PC.
I wasn't expecting more complicated procedures, my mistake.

FunTomason
Visitor
Posts: 33
Registered: 24 Oct 2009 11:14

Re: MBR sector of the 1. physical disk - Win32/Mebroot.K trojan

#3 Post by FunTomason »

By the way, couldn't the virus be wiped out by a complete reset of all HDDs?

FunTomason
Visitor
Posts: 33
Registered: 24 Oct 2009 11:14

Re: MBR sector of the 1. physical disk - Win32/Mebroot.K trojan

#4 Post by FunTomason »

ComboFix 10-03-04.05 - Administrator 05.03.2010 13:33:25.1.1 - x86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.420.1029.18.1535.1073 [GMT 1:00]
Spuštěný z: c:\documents and settings\Administrator\Plocha\ComboFix.exe
AV: ESET Smart Security 3.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
* Rezidentní štít AV je zapnutý

.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\AutoRun.inf

.
((((((((((((((((((((((((( Soubory vytvořené od 2010-02-05 do 2010-03-05 )))))))))))))))))))))))))))))))
.

2010-03-05 11:37 . 2010-03-05 11:38 -------- d-----w- c:\windows\LastGood

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-10 12:56 . 2001-10-25 12:00 62138 ----a-w- c:\windows\system32\perfc005.dat
2009-12-10 12:56 . 2001-10-25 12:00 379568 ----a-w- c:\windows\system32\perfh005.dat
2009-12-06 13:24 . 2009-12-06 13:25 411368 ----a-w- c:\windows\system32\deploytk.dll
.

(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2007-06-08 23233576]
"ICQ"="c:\program files\ICQ6.5\ICQ.exe" [2009-03-01 172792]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-02-10 1937408]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-12-06 39408]
"Google Update"="c:\documents and settings\Administrator\Local Settings\Data aplikací\Google\Update\GoogleUpdate.exe" [2010-03-05 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-11-17 577536]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2007-12-04 8523776]
"nwiz"="nwiz.exe" [2007-12-04 1626112]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2007-12-04 81920]
"MagicKey"="c:\progra~1\MEDIAK~1\MagicKey.exe" [2004-03-15 45056]
"dvd43"="c:\program files\dvd43\dvd43_tray.exe" [2005-12-05 691200]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-06 149280]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-10-07 1461080]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Nabídka Start\Programy\Po spuštění\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= "c:\progra~1\DVDREG~1\DVDShell.dll" [2004-10-09 49152]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"e:\\Instal\\StrongDC\\StrongDC.exe"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\Program Files\\Java\\jre1.5.0_03\\bin\\javaw.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [23.10.2009 20:07 155136]
R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [23.10.2009 20:07 5248]
R2 ekrn;Eset Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [7.10.2009 9:16 472280]

--- Ostatní služby/ovladače v paměti ---

*NewlyCreated* - EKRN

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Obsah adresáře 'Naplánované úlohy'

2010-03-05 c:\windows\Tasks\User_Feed_Synchronization-{BE28AA0B-9EC9-446A-B2AD-AAA61E0F4FC8}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 02:31]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.seznam.cz/
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: WikiKomentáře Google... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
TCP: {888D5BBD-AF14-4C54-8474-85C53CE992F1} = 81.90.173.1,81.90.168.3
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-05 13:40
Windows 5.1.2600 Service Pack 3 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89410918]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba8ecf28
\Driver\ACPI -> ACPI.sys @ 0xba759cb8
\Driver\atapi -> 0x89410918
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022
ParseProcedure -> ntkrnlpa.exe @ 0x80577c84
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022
ParseProcedure -> ntkrnlpa.exe @ 0x80577c84
NDIS: VIA Rhine II Fast Ethernet Adapter -> SendCompleteHandler -> NDIS.sys @ 0xba5c5bb0
PacketIndicateHandler -> NDIS.sys @ 0xba5d2a21
SendHandler -> NDIS.sys @ 0xba5b087b
Warning: possible MBR rootkit infection !
user & kernel MBR OK
malicious code @ sector 0x950a600 size 0x1a8 !
copy of MBR has been found in sector 62 !
PE file found in sector at 0x0950A600 !

**************************************************************************
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------

[HKEY_USERS\S-1-5-21-1801674531-1957994488-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,55,c9,83,80,8a,2c,c8,46,aa,91,e6,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,55,c9,83,80,8a,2c,c8,46,aa,91,e6,\
.
Celkový čas: 2010-03-05 13:42:14
ComboFix-quarantined-files.txt 2010-03-05 12:41

Před spuštěním: Volných bajtů: 19 665 354 752
Po spuštění: Volných bajtů: 20 050 939 904

WindowsXP-KB310994-SP2-Pro-BootDisk-CSY.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - 2B74B5DF13FA393E80D122F370A94147

FunTomason
Visitor
Posts: 33
Registered: 24 Oct 2009 11:14

Re: MBR sector of the 1. physical disk - Win32/Mebroot.K trojan

#5 Post by FunTomason »

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
malicious code @ sector 0x950a600 size 0x1a8 !
copy of MBR has been found in sector 62 !
PE file found in sector at 0x0950A600 !

FunTomason
Visitor
Posts: 33
Registered: 24 Oct 2009 11:14

Re: MBR sector of the 1. physical disk - Win32/Mebroot.K trojan

#6 Post by FunTomason »

sorry, I meant formatting the HDD
yes, step 3 was also done and I have a log from it somewhere too, or was it just supposed to be left to run?
and gmer will follow in a moment

FunTomason
Visitor
Posts: 33
Registered: 24 Oct 2009 11:14

Re: MBR sector of the 1. physical disk - Win32/Mebroot.K trojan

#7 Post by FunTomason »

well, gmer is acting up on me, because during that short scan it throws the classic Windows error that wants to be sent off and so on

FunTomason
Visitor
Posts: 33
Registered: 24 Oct 2009 11:14

Re: MBR sector of the 1. physical disk - Win32/Mebroot.K trojan

#8 Post by FunTomason »

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89410918]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x89410918
Warning: possible MBR rootkit infection !
user & kernel MBR OK
malicious code @ sector 0x950a600 size 0x1a8 !
copy of MBR has been found in sector 62 !
PE file found in sector at 0x0950A600 !
Use "Recovery Console" command "fixmbr" to clear infection !

FunTomason
Visitor
Posts: 33
Registered: 24 Oct 2009 11:14

Re: MBR sector of the 1. physical disk - Win32/Mebroot.K trojan

#9 Post by FunTomason »

defogger_disable by jpshortstuff (23.02.10.1)
Log created at 14:31 on 05/03/2010 (Administrator)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...
d347prt -> Disabled (Service running -> reboot required)
d347bus -> Disabled (Service running -> reboot required)

-=E.O.F=-

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
malicious code @ sector 0x950a600 size 0x1a8 !
copy of MBR has been found in sector 62 !
PE file found in sector at 0x0950A600 !

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spfg.sys >>UNKNOWN [0x89A8E938]<<
kernel: MBR read successfully
user & kernel MBR OK
malicious code @ sector 0x950a600 size 0x1a8 !
copy of MBR has been found in sector 62 !
PE file found in sector at 0x0950A600 !

FunTomason
Visitor
Posts: 33
Registered: 24 Oct 2009 11:14

Re: MBR sector of the 1. physical disk - Win32/Mebroot.K trojan

#10 Post by FunTomason »

sector 0
13 72 36 81 FB 55 AA 75 30 F6 C1 01 74 2B 61 60
6A 00 6A 00 FF 76 0A FF 76 08 6A 00 68 00 7C 6A
01 6A 10 B4 42 8B F4 CD 13 61 61 73 0E 4F 74 0B
32 E4 8A 56 00 CD 13 EB D6 61 F9 C3 49 6E 76 61
6C 69 64 20 70 61 72 74 69 74 69 6F 6E 20 74 61
62 6C 65 00 45 72 72 6F 72 20 6C 6F 61 64 69 6E
67 20 6F 70 65 72 61 74 69 6E 67 20 73 79 73 74
65 6D 00 4D 69 73 73 69 6E 67 20 6F 70 65 72 61
74 69 6E 67 20 73 79 73 74 65 6D 00 00 00 00 00
00 00 00 00 00 2C 44 63 59 25 5A 25 00 00 80 01
01 00 07 FE FF FF 3F 00 00 00 AF C7 45 04 00 00
C1 FF 0F FE FF FF EE C7 45 04 12 DE 0A 05 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA

sector 10
28 96 C4 17 00 00 00 00 00 00 00 00 00 00 00 00

sector 60


sector 61

sector 62

sector 63

sector 64



well, this is maddening, my little finger hurts from ctrl c and ctrl c

otherwise, when entering the drive number I went up to two (as in two logical plus one more physical)
Last edited by FunTomason on 05 Mar 2010 16:03, edited 1 time in total.

FunTomason
Visitor
Posts: 33
Registered: 24 Oct 2009 11:14

Re: MBR sector of the 1. physical disk - Win32/Mebroot.K trojan

#11 Post by FunTomason »

so the log after the restart is:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
malicious code @ sector 0x950a600 size 0x1a8 !
copy of MBR has been found in sector 62 !
PE file found in sector at 0x0950A600 !

FunTomason
Visitor
Posts: 33
Registered: 24 Oct 2009 11:14

Re: MBR sector of the 1. physical disk - Win32/Mebroot.K trojan

#12 Post by FunTomason »

oh, and the second disk as well:

sector 0:

sector 60:

sector 61:

sector 62:

sector 63:

sector 64:

FunTomason
Visitor
Posts: 33
Registered: 24 Oct 2009 11:14

Re: MBR sector of the 1. physical disk - Win32/Mebroot.K trojan

#13 Post by FunTomason »

log
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
PE file found in sector at 0x0950A600 !

log -f
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
PE file found in sector at 0x0950A600 !

FunTomason
Visitor
Posts: 33
Registered: 24 Oct 2009 11:14

Re: MBR sector of the 1. physical disk - Win32/Mebroot.K trojan

#14 Post by FunTomason »

so here is my final log after redoing both physical disks

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
PE file found in sector at 0x0950A600 !

FunTomason
Visitor
Posts: 33
Registered: 24 Oct 2009 11:14

Re: MBR sector of the 1. physical disk - Win32/Mebroot.K trojan

#15 Post by FunTomason »

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spzi.sys >>UNKNOWN [0x89A8E938]<<
kernel: MBR read successfully
user & kernel MBR OK
PE file found in sector at 0x0950A600 !


Otherwise ESET SS v.3 no longer reports anything
