
MBR Rootkit Detector reports an MBR read error. Infection?


Post by andreaelmito » Wed Aug 27, 2014 7:27 pm

I used the "MBR Rootkit Detector by gmer.net" tool to scan my PC (an HP with Windows 7 Home), because Avira flagged the possible presence of a rootkit on the system.

The log I got was:

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7601

device: opened successfully
user: error reading MBR
error: Read Handle non valido.
kernel: error reading MBR


that is, a not very reassuring log, since it confirms a possible rootkit infection, as explained in a MegaLab.it article from a few years ago: http://www.MegaLab.it/6360/guida-alla-rimozione-dei-bootkit.

Yesterday, using the "System Restore" utility, I removed a couple of pieces of malware that had kindly installed themselves along with a legitimate program. However, I have noticed slowdowns, both at startup and during normal use of the PC, and I would like to be sure that no security threats are still hidden (my doubt arises because I don't think "System Restore" also restores an MBR that may have been replaced by a bootkit, since the latter operates outside the operating system).

Do you have any suggestions to clear up this doubt?
Grendels

Re: MBR Rootkit Detector reports an MBR read error. Infectio

Post by andreaelmito » Wed Aug 27, 2014 8:23 pm

OK, maybe the reason for the gmer.net tool's error is that mine is a 64-bit system. I also tried Avast's aswMBR tool, but the program crashes halfway through the scan.

I'm posting the log anyway, even though I suppose it is incomplete:

aswMBR version 1.0.1.2041 Copyright(c) 2014 AVAST Software
Run date: 2014-08-27 17:56:46
-----------------------------
17:56:46.331 OS Version: Windows x64 5.1.2600 Service Pack 3
17:56:46.331 Number of processors: 4 586 0x2505
17:56:46.341 ComputerName: USER-HP UserName: utente
17:56:47.991 Initialize success
17:56:48.001 VM: initialized successfully
17:56:48.021 VM: Intel CPU BiosDisabled
17:56:50.211 VM: disk I/O iaStorA.sys
17:57:23.791 AVAST engine defs: 14082700
17:57:25.361 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\0000007a
17:57:25.361 Disk 0 Vendor: Hitachi_ PC4O Size: 476940MB BusType: 11
17:57:25.381 Disk 0 MBR read successfully
17:57:25.381 Disk 0 MBR scan
17:57:25.391 Disk 0 unknown MBR code
17:57:25.401 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 199 MB offset 2048
17:57:25.411 Disk 0 Boot: NTFS code=1
17:57:25.451 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 455820 MB offset 409600
17:57:25.481 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 20816 MB offset 933928960
17:57:25.501 Disk 0 Partition 4 00 0C FAT32 LBA MSDOS5.0 103 MB offset 976560128
17:57:25.821 Disk 0 scanning C:\Windows\system32\drivers
17:57:45.261 Service scanning
17:58:23.521 Modules scanning
17:58:23.521 Disk 0 trace - called modules:
17:58:23.551 ntoskrnl.exe CLASSPNP.SYS disk.sys hpdskflt.sys iaStorF.sys >>UNKNOWN [0xfffffa8004e852c0]<<spzk.sys storport.sys hal.dll iaStorA.sys
17:58:23.551 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800755a060]
17:58:23.561 3 CLASSPNP.SYS[fffff88001e5143f] -> nt!IofCallDriver -> [0xfffffa80073fe950]
17:58:23.561 5 hpdskflt.sys[fffff88001ff7379] -> nt!IofCallDriver -> [0xfffffa80073fda90]
17:58:23.571 7 iaStorF.sys[fffff88001fe2f84] -> nt!IofCallDriver -> \Device\0000007a[0xfffffa80050785a0]
17:58:23.571 \Driver\iaStorA[0xfffffa800505dc10] -> IRP_MJ_CREATE -> 0xfffffa8004e852c0
17:58:26.781 AVAST engine scan C:\Windows
17:58:32.371 AVAST engine scan C:\Windows\system32
18:01:05.027 Disk 0 MBR has been saved successfully to "C:\Users\utente\Desktop\MBR.dat"
18:01:05.027 The log file has been saved successfully to "C:\Users\utente\Desktop\aswMBR.txt"


In particular, the following line is colored red, as if to flag an infection (but I don't know whether it is a false positive): \Driver\iaStorA[0xfffffa800505dc10] -> IRP_MJ_CREATE -> 0xfffffa8004e852c0

While I'm at it, I'll finish with the report of the scan with the MbrScan tool:

MBRScan v1.1.1

OS : Windows 7 Service Pack 1 (64 bit)
PROCESSOR : Intel64 Family 6 Model 37 Stepping 5, GenuineIntel
BOOT : Normal Boot
DATE : 2014/08/27 (ISO 8601) at 16:12:10
________________________________________________________________________________

DISK : Device\Harddisk0\DR0 __Hitachi HTS725050A9A364 (PC4O)
BUS_TYPE : (0x0B) S-ATA
USE_PIO : YES
MAX_TRANSFER : 128 Kb
ALIGNMENT_MASK : word aligned
________________________________________________________________________________

Device\Harddisk0\DR0 465.8 Go [Fixed] ==> HP Recovery Manager...

MBR_MD5 : 17928B04D890EEB1C329E75BF588F701
MBR_SHA1 : 6073E573FDDC3C242625428F3B8604CE483F1C1C

Device\Harddisk0\Partition1 199.0 Mo 0x07 NTFS / HPFS __ BOOTABLE __
Device\Harddisk0\Partition2 445.1 Go 0x07 NTFS / HPFS
Device\Harddisk0\Partition3 20.33 Go 0x07 NTFS / HPFS
Device\Harddisk0\Partition4 103.0 Mo 0x0C FAT32 [LBA]
________________________________________________________________________________

############################### Additional scan ################################

BCD EmsSettings {0CE4991B-E6B3-4B16-B23C-5E0D9250E5D9} => BcdLibraryBoolean_EmsEnabled (16000020)

SystemStartOptions : NOEXECUTE=OPTIN

________________________________________________________________________________

_______MBR \Device\Harddisk0\DR0

Grendels
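
An added example, not part of the original posts and not code from any of the tools mentioned: a Python script for checking a saved 512-byte MBR image offline (such as the MBR.dat that aswMBR wrote to the desktop), recording its hashes, sanity-checking the partition table, and naming which MBR region changed between two reads. The sample sector is constructed from the partition lines of the aswMBR log above with zeroed boot code, and all function names are hypothetical.

```python
import hashlib
import struct
import sys

SECTOR = 512
REGIONS = {                      # classic MBR layout, byte ranges [lo, hi)
    "boot code": (0x000, 0x1B8),
    "disk signature": (0x1B8, 0x1BE),
    "partition table": (0x1BE, 0x1FE),
    "boot signature": (0x1FE, 0x200),
}

def parse_mbr(sector):
    """Decode a 512-byte MBR sector into hashes and partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("expected exactly 512 bytes")
    if sector[0x1FE:] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        raw = sector[0x1BE + 16 * i: 0x1BE + 16 * (i + 1)]
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, count
        status, ptype, start, count = struct.unpack("<B3xB3xII", raw)
        if ptype:  # type 0x00 marks an unused slot
            parts.append({"index": i + 1, "status": status, "type": ptype,
                          "start": start, "sectors": count})
    return {
        "md5": hashlib.md5(sector).hexdigest(),
        "sha1": hashlib.sha1(sector).hexdigest(),
        # Boot code alone: unaffected by partition layout or disk signature.
        "boot_code_sha1": hashlib.sha1(sector[:0x1B8]).hexdigest(),
        "partitions": parts,
    }

def table_findings(parts, disk_sectors=None):
    """Return sanity-check findings for the partition table (empty = clean)."""
    out = []
    active = [p["index"] for p in parts if p["status"] == 0x80]
    if len(active) != 1:
        out.append(f"expected one active partition, found {len(active)}")
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            out.append(f"partition {p['index']}: invalid status byte")
        if p["start"] == 0:
            out.append(f"partition {p['index']}: starts on the MBR sector")
        if disk_sectors and p["start"] + p["sectors"] > disk_sectors:
            out.append(f"partition {p['index']}: runs past end of disk")
    ordered = sorted(parts, key=lambda p: p["start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["start"] + a["sectors"] > b["start"]:
            out.append(f"partitions {a['index']} and {b['index']} overlap")
    return out

def changed_regions(baseline, current):
    """Name the MBR regions that differ between two 512-byte sectors."""
    return [name for name, (lo, hi) in REGIONS.items()
            if baseline[lo:hi] != current[lo:hi]]

def build_sample_sector():
    """Constructed sample: boot flag, type, offset and size (MB) per partition
    as listed in the aswMBR log; boot code zeroed, CHS fields are filler."""
    rows = [(0x80, 0x07, 2048, 199), (0x00, 0x07, 409600, 455820),
            (0x00, 0x07, 933928960, 20816), (0x00, 0x0C, 976560128, 103)]
    table = b"".join(
        struct.pack("<B3sB3sII", st, b"\xfe\xff\xff", ty, b"\xfe\xff\xff",
                    start, mb * 2048)          # 2048 sectors of 512 B per MB
        for st, ty, start, mb in rows)
    return bytes(0x1BE) + table + b"\x55\xaa"

if __name__ == "__main__":
    # Pass the path of a saved MBR image, or run with no argument for the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read(SECTOR)
    else:
        data = build_sample_sector()
    mbr = parse_mbr(data)
    print("MD5 ", mbr["md5"])
    print("SHA1", mbr["sha1"])
    print("boot code SHA1", mbr["boot_code_sha1"])
    for p in mbr["partitions"]:
        print(p)
    # Disk size taken from the aswMBR log line "Size: 476940MB".
    for finding in table_findings(mbr["partitions"], 476940 * 2048):
        print("FINDING:", finding)
```

Reading the sector again from a clean boot environment and passing both copies to `changed_regions` shows whether the boot code itself differs, which is the part a bootkit would have to replace.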