Re: win32/Mebroot.K Trojan
Napsal: 05 kvě 2009 11:19
Rootkit je tam porad,vecer po 23 napisu dalsi postup.
stejne nechapu kde to tam vidis ..
))Stránka 2 z 7
Re: win32/Mebroot.K Trojan
Napsal: 05 kvě 2009 23:01
jujky .. netrpelive cekam .. pls nezapomen na me ..
stejne nechapu kde to tam vidis ..))
stejne nechapu kde to tam vidis ..
))Re: win32/Mebroot.K Trojan
Napsal: 06 kvě 2009 00:37
Pardon za pozdni reakci.
Stahnete a spustte ESET Mebroot Remover
Stahnete MBR ulozte ho na plochu-spustte - vytvori se log mbr.log, vlozte ho cely sem.
Stahnete a spustte ESET Mebroot RemoverStahnete MBR ulozte ho na plochu-spustte - vytvori se log mbr.log, vlozte ho cely sem.
Re: win32/Mebroot.K Trojan
Napsal: 06 kvě 2009 07:01
v pohode ... vecir to vyzkousim .. ))) a pak to sem hodim.
))) a pak to sem hodim.Re: win32/Mebroot.K Trojan
Napsal: 06 kvě 2009 08:28
Ok.
Re: win32/Mebroot.K Trojan
Napsal: 06 kvě 2009 16:11
Zdravim.. tak jsem provedl prvni cast .. Tedy pustil jsem z plochy v normalním režimu
ESET Mebroot Remover
ale nejak rychle to probehlo ... a napsalo to MBR rootkit (Win32/Mebroot) was not found on you system. hmm za chvilku sem hodim ten log z MBR
ESET Mebroot Remover
ale nejak rychle to probehlo ... a napsalo to MBR rootkit (Win32/Mebroot) was not found on you system. hmm za chvilku sem hodim ten log z MBR
Re: win32/Mebroot.K Trojan
Napsal: 06 kvě 2009 16:13
tak log z MBR:
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
malicious code @ sector 0x1d1c06c0 size 0x1fd !
copy of MBR has been found in sector 62 !
PE file found in sector at 0x01D1C06C0 !
vypada stejne jak ten minulej
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
malicious code @ sector 0x1d1c06c0 size 0x1fd !
copy of MBR has been found in sector 62 !
PE file found in sector at 0x01D1C06C0 !
vypada stejne jak ten minulej
Re: win32/Mebroot.K Trojan
Napsal: 07 kvě 2009 00:23
Re: win32/Mebroot.K Trojan
Napsal: 07 kvě 2009 06:25
Provedeno... log z Fixmebroot:
FixMebroot v1.0.1
FixMebroot has finished scanning your MBR.
It contains no Mebroot infection.
log z MBR:
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
malicious code @ sector 0x1d1c06c0 size 0x1fd !
copy of MBR has been found in sector 62 !
PE file found in sector at 0x01D1C06C0 !
...Re: win32/Mebroot.K Trojan
Napsal: 07 kvě 2009 09:08
jen jeste pro jistotu poznamku... ten Fixmebroot jsem spustil a po OK to hned udelalo log .. to je v poradku ??? )) nic jako scan u antiviraku to neprobihalo ....
)) nic jako scan u antiviraku to neprobihalo ....Re: win32/Mebroot.K Trojan
Napsal: 07 kvě 2009 09:49
Ano,je.ten Fixmebroot jsem spustil a po OK to hned udelalo log .. to je v poradku ???
Takze znovu zopakujeme tento postup:
stahnete MBR
presunte mbr.exe do adresare C:\Windows
dalsi postup jest nasledujici:
Start/Spustit a do chlivecku napiste cmd a stisk Enter.
vybafne na vas okenko prikazoveho radku; vy nadatlujte rucne prikaz:
mbr.exe -f
a stisknete Enter
Po provedeni operace restartujte a spustte mbr jeste jednou, jiz normalne a vlozte sem log.
Re: win32/Mebroot.K Trojan
Napsal: 07 kvě 2009 10:13
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
malicious code @ sector 0x1d1c06c0 size 0x1fd !
copy of MBR has been found in sector 62 !
PE file found in sector at 0x01D1C06C0 !
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
malicious code @ sector 0x1d1c06c0 size 0x1fd !
copy of MBR has been found in sector 62 !
PE file found in sector at 0x01D1C06C0 !
Re: win32/Mebroot.K Trojan
Napsal: 07 kvě 2009 10:18
Pak znovu spustit mbr a log dat sem.kozan píše:
- Připravím si instalační CD Windows XP
- Pokud používám speciální SCSI, nebo RAID ovladače, tak si najdu též disketu s ovladačem
- Vzpomenu si na heslo uživatele administrator *)
- V BIOSu si zařídím aby se systém zavedl (boot) z CD
- Restartem PC a zavedením z CD se spustí instalace
- Pokud používám nějaké speciální ovladač SCSI, nebo RAID, tak stihnu F6 jejich zavedení z diskety
- Zvolením R přejdu do konzoly pro zotavení (ve znakovém režimu)
- Konzola ohledá připojené disky a nabídne seznam nalezených instalací. např:
Kód: Vybrat vše
1. C:\WINDOWS- Po výzvě
odpovím číslem zvolené instalace, třeba: 1Kód: Vybrat vše
Ke které instalaci Windows se chcete přihlásit:
POZOR: NumLock na klávesnici nesvítí!- Zadám heslo uživatele administrator a octnu se v adresáři %WINDIR% (obvykle C:\WINDOWS)
- V příkazovém řádku zadám příkaz
Kód: Vybrat vše
fixmbr- Zadám příkaz
pro restart PCKód: Vybrat vše
EXIT
Re: win32/Mebroot.K Trojan
Napsal: 07 kvě 2009 10:36
Pokud jste jeste nepouzil tu Konzoli pro zotaveni s prikazem fixmbr,tak udelejte misto toho tuto akci:
Upozorneni toto dela uzivatel na vlastni riziko,Mebroot je Master Boot Record Rootkit,ktery je zavrtan v 62 sektoru pevneho disku.V pokrocile fazi infekce nepomohou utility na odstraneni a je nutne prepsat infikovane sektory rucne.Beznym formatem neni mozne tuto infiltraci odstranit,jak by se nekomu mohlo zdat.
Navod si klidne vytisknete,at mate pevne voditko.
A postupujte PRESNE dle navodu.
Upozorneni toto dela uzivatel na vlastni riziko,Mebroot je Master Boot Record Rootkit,ktery je zavrtan v 62 sektoru pevneho disku.V pokrocile fazi infekce nepomohou utility na odstraneni a je nutne prepsat infikovane sektory rucne.Beznym formatem neni mozne tuto infiltraci odstranit,jak by se nekomu mohlo zdat.
Navod si klidne vytisknete,at mate pevne voditko.
A postupujte PRESNE dle navodu.
Pak spustte opet mbr a vlozte log.stell píše:
1:Vypni Firewall>spust program HXD<klikni hore na ikonku pevneho disku>na karte ktora sa objavi>pod Fyzicke disky>Klik >oznac PEVNY DISK>vyber fajku >otvor len na citanie>klik>ok a este raz OK>
2:V pravo hore >je napisane >sector>a okienko + sipky>budes nastavovat a hladat sectory so sipkamy>sector 0>je MBR>a sector -63 je BOOT>Nebabrat>sector 1-62 maju byt Nulove>000000000000.
3:Program HXD otvor na plnu obrazovku>nastav so sipkou sector napriklad-1>ak cely sector 1-je nulova stlac lavu mysku oznac ho> pravy klik kopirovat presne cely nulovy sector>ale presne od ciary po ciaru
4:Skontroluj zo sipkamy sectory 1-62 a kde nie je cely sector nulovy stlac lavu mysku oznac presne cely sector>pravy klik>PREPISAT.
5:prepisu sa ti na cerveno>na 0000000-ly>ak toto budes mat klik v pravom hornom rohu na krizik a zatvor program HXD,objavi sa ti okno ci chces zmenu ulozit suhlasis.Zatvoris program HXD>restartnes >PC< a po restarte spust mbr.exe a vloz sem log.
Nepomyl sa nie ze zacnes prepisovat logicke disky
Sectory 1 az 62 maju vyzerat takto:
Kód:
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Re: win32/Mebroot.K Trojan
Napsal: 07 kvě 2009 12:18
jujky .. udelal jsem to prvni
tedy pres konzolu zotaveni, ale nic se nezmenilo .. tady je log :
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
malicious code @ sector 0x1d1c06c0 size 0x1fd !
copy of MBR has been found in sector 62 !
PE file found in sector at 0x01D1C06C0 !
predpokladam ze ted muzu udelat to druhe ... projistotu mi to potvrdte ...
A kde stahnu ten HXD ?? .. stahnul jsem ho na
http://www.stahuj.centrum.cz/vyvojove_n ... itory/hxd/
doufam ze je to ono ..))
tedy pres konzolu zotaveni, ale nic se nezmenilo .. tady je log :
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
malicious code @ sector 0x1d1c06c0 size 0x1fd !
copy of MBR has been found in sector 62 !
PE file found in sector at 0x01D1C06C0 !
predpokladam ze ted muzu udelat to druhe ... projistotu mi to potvrdte ...
A kde stahnu ten HXD ?? .. stahnul jsem ho na
http://www.stahuj.centrum.cz/vyvojove_n ... itory/hxd/
doufam ze je to ono ..
))