pocitac nemuze najit po startu ntndis.exe a nejde sdileni

[JaRon]

vloz kolegovi link - priklad: http://www.virustotal.com/analisis/4901 ... 1278054440

[ok]

Tady je prvni:
http://www.virustotal.com/cs/analisis/b ... 1278057739

[ok]

tento C:\WINDOWS\system32\drivers\atapi.sys mi nejde zkontrolovat pise to toto:


0 bytes size received / Se ha recibido un archivo vacio

[ok]

Zdravim,

posilam prvni log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-07-09 15:16:49
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\SUPERV~1\LOCALS~1\Temp\pwldypow.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)

---- EOF - GMER 1.0.15 ----

[ok]

Druhy log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-09 15:21:53
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\SUPERV~1\LOCALS~1\Temp\pwldypow.sys


---- System - GMER 1.0.15 ----

SSDT 89CBE580 ZwAssignProcessToJobObject
SSDT 89CBF100 ZwDebugActiveProcess
SSDT 89CBEB30 ZwDuplicateObject
SSDT 89CBDCC0 ZwOpenProcess
SSDT 89CBDFC0 ZwOpenThread
SSDT 89CBE9C0 ZwProtectVirtualMemory
SSDT 89CBE860 ZwSetContextThread
SSDT 89CBE6E0 ZwSetInformationThread
SSDT 89CBB700 ZwSetSecurityObject
SSDT 89CBE420 ZwSuspendProcess
SSDT 89CBE2C0 ZwSuspendThread
SSDT 89CBDE50 ZwTerminateProcess
SSDT 89CBE150 ZwTerminateThread
SSDT 89CBEF50 ZwWriteVirtualMemory

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000272d1fb08
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000272d1fb08@0012eefd4de6 0x34 0xE5 0xE0 0xF2 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000272d1fb08@001d9806ff23 0x88 0x48 0xBC 0x09 ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\000272d1fb08 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\000272d1fb08@0012eefd4de6 0x34 0xE5 0xE0 0xF2 ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\000272d1fb08@001d9806ff23 0x88 0x48 0xBC 0x09 ...

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 01: copy of MBR
Disk \Device\Harddisk0\DR0 sector 02: copy of MBR
Disk \Device\Harddisk0\DR0 sector 03: copy of MBR
Disk \Device\Harddisk0\DR0 sector 04: copy of MBR
Disk \Device\Harddisk0\DR0 sector 05: copy of MBR
Disk \Device\Harddisk0\DR0 sector 06: copy of MBR
Disk \Device\Harddisk0\DR0 sector 07: copy of MBR
Disk \Device\Harddisk0\DR0 sector 08: copy of MBR
Disk \Device\Harddisk0\DR0 sector 09: copy of MBR
Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 11: copy of MBR
Disk \Device\Harddisk0\DR0 sector 12: copy of MBR
Disk \Device\Harddisk0\DR0 sector 13: copy of MBR
Disk \Device\Harddisk0\DR0 sector 14: copy of MBR
Disk \Device\Harddisk0\DR0 sector 15: copy of MBR
Disk \Device\Harddisk0\DR0 sector 16: copy of MBR
Disk \Device\Harddisk0\DR0 sector 17: copy of MBR
Disk \Device\Harddisk0\DR0 sector 18: copy of MBR
Disk \Device\Harddisk0\DR0 sector 19: copy of MBR
Disk \Device\Harddisk0\DR0 sector 20: copy of MBR
Disk \Device\Harddisk0\DR0 sector 21: copy of MBR
Disk \Device\Harddisk0\DR0 sector 22: copy of MBR
Disk \Device\Harddisk0\DR0 sector 23: copy of MBR
Disk \Device\Harddisk0\DR0 sector 24: copy of MBR
Disk \Device\Harddisk0\DR0 sector 25: copy of MBR
Disk \Device\Harddisk0\DR0 sector 26: copy of MBR
Disk \Device\Harddisk0\DR0 sector 27: copy of MBR
Disk \Device\Harddisk0\DR0 sector 28: copy of MBR
Disk \Device\Harddisk0\DR0 sector 29: copy of MBR
Disk \Device\Harddisk0\DR0 sector 30: copy of MBR
Disk \Device\Harddisk0\DR0 sector 31: copy of MBR
Disk \Device\Harddisk0\DR0 sector 32: copy of MBR
Disk \Device\Harddisk0\DR0 sector 33: copy of MBR
Disk \Device\Harddisk0\DR0 sector 34: copy of MBR
Disk \Device\Harddisk0\DR0 sector 35: copy of MBR
Disk \Device\Harddisk0\DR0 sector 36: copy of MBR
Disk \Device\Harddisk0\DR0 sector 37: copy of MBR
Disk \Device\Harddisk0\DR0 sector 38: copy of MBR
Disk \Device\Harddisk0\DR0 sector 39: copy of MBR
Disk \Device\Harddisk0\DR0 sector 40: copy of MBR
Disk \Device\Harddisk0\DR0 sector 41: copy of MBR
Disk \Device\Harddisk0\DR0 sector 42: copy of MBR
Disk \Device\Harddisk0\DR0 sector 43: copy of MBR
Disk \Device\Harddisk0\DR0 sector 44: copy of MBR
Disk \Device\Harddisk0\DR0 sector 45: copy of MBR
Disk \Device\Harddisk0\DR0 sector 46: copy of MBR
Disk \Device\Harddisk0\DR0 sector 47: copy of MBR
Disk \Device\Harddisk0\DR0 sector 48: copy of MBR
Disk \Device\Harddisk0\DR0 sector 49: copy of MBR
Disk \Device\Harddisk0\DR0 sector 50: copy of MBR
Disk \Device\Harddisk0\DR0 sector 51: copy of MBR
Disk \Device\Harddisk0\DR0 sector 52: copy of MBR
Disk \Device\Harddisk0\DR0 sector 53: copy of MBR
Disk \Device\Harddisk0\DR0 sector 54: copy of MBR
Disk \Device\Harddisk0\DR0 sector 55: copy of MBR
Disk \Device\Harddisk0\DR0 sector 56: copy of MBR
Disk \Device\Harddisk0\DR0 sector 57: copy of MBR
Disk \Device\Harddisk0\DR0 sector 58: copy of MBR
Disk \Device\Harddisk0\DR0 sector 59: copy of MBR
Disk \Device\Harddisk0\DR0 sector 60: copy of MBR
Disk \Device\Harddisk0\DR0 sector 61: copy of MBR
Disk \Device\Harddisk0\DR0 sector 62: copy of MBR
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; copy of MBR

---- EOF - GMER 1.0.15 ----

[ok]

tady je vypis z virustotal:

http://www.virustotal.com/cs/analisis/b ... 1278682144

[ok]

Posledni log:

C:\Documents and Settings\supervisor\Plocha\HAMeb_check.exe
pá 09.07.2010 at 15:32:16,79

éźet je aktivnˇ Ne

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

none found

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys SCSIPORT.SYS hal.dll Si3132r5.sys
kernel: MBR read successfully
user & kernel MBR OK

~~ Checking for termsrv32.dll ~~

termsrv32.dll was not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv.dll

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1700:TCP"=1700:TCP:*:Enabled:MioNet Remote Drive Access 0
"1701:TCP"=1701:TCP:*:Enabled:MioNet Remote Drive Access 1
"1702:TCP"=1702:TCP:*:Enabled:MioNet Remote Drive Access 2
"1703:TCP"=1703:TCP:*:Enabled:MioNet Remote Drive Access 3
"1704:TCP"=1704:TCP:*:Enabled:MioNet Remote Drive Access 4
"1705:TCP"=1705:TCP:*:Enabled:MioNet Remote Drive Access 5
"1706:TCP"=1706:TCP:*:Enabled:MioNet Remote Drive Access 6
"1707:TCP"=1707:TCP:*:Enabled:MioNet Remote Drive Access 7
"1708:TCP"=1708:TCP:*:Enabled:MioNet Remote Drive Access 8
"1709:TCP"=1709:TCP:*:Enabled:MioNet Remote Drive Access 9
"1641:TCP"=1641:TCP:*:Enabled:MioNet Remote Drive Verification


~~ EOF ~~

[ok]

Ahoj,

snad jsem to udelal dobre,

je to v priloze.

[ok]

Ahoj,

tady to je, ntldr je v sektoru 63

a tady je log.

OK

[Caroprd111]

Dobrý den,
zaskočím za kolegu.

Pro jistotu, pokud nemáte, si udělejte zálohu důležitých dat

Pořádně si přečtěte návod, pokud něčemu nerozumíte, tak se ptejte.

spustis HxD http://mh-nexus.de/en/downloads.php?product=HxD
- kliknes otevrit pevny disk (fyzicky disk 1), ale tentokrat odkliknes ze ctverecku fajku "Jen pro cteni"
- program se otevre v edit mode
- najdi sektory 1-62
- oznac mysanem sektory 1-62
- zvol moznost vypln vyber (3 moznost od spodu mezi dvema carami - mam slovenskou verzi) otevre se ti prednastavene hodnoty (mely by tam byt hex 00) das Ok.
- zavres program, pri zavirani potvrdis zmenu.
- restart pc
- kouknes, zda se skutecne prepsaly sektory