Punto informatico Network
Trojan horse Win32/Mebroot k

Post by AndrewSpeed » Wed Dec 17, 2008 2:42 pm

Hi, my problem is the following:
I run NOD32 2.7 and the antivirus immediately gives me this message: "The MBR sector of 2. Hard Disk contains a trojan horse Win32/Mebroot K."; so it is a rootkit, and as reported on the site I downloaded the GMER program and ran it, but it does not detect this rootkit, which as far as I understand should be flagged in red; there is only "black text", which from what I have read around on the internet should not be a cause for concern.
So is there reason to worry?? and how can I remove this virus??
AndrewSpeed, Aficionado; Posts: 58; Joined: Mon Jan 29, 2007 11:44 pm; Location: Italy

Re: Trojan horse Win32/Mebroot k

Post by ste_95 » Wed Dec 17, 2008 2:46 pm

Download mbr.exe and save it in the C:\ directory.
Then go to Start >> Run and type c:\mbr.exe
Mbr.exe will take a few seconds to do the scan. Once that is done, post here the contents of the log it creates, which you will find in c:\mbr.log
"Sometimes it is better to keep silent and seem stupid than to open your mouth and remove all doubt." Oscar Wilde
ste_95, Official Member (Gold); Posts: 17271; Joined: Mon Aug 06, 2007 11:19 am

Re: Trojan horse Win32/Mebroot k

Post by AndrewSpeed » Wed Dec 17, 2008 6:35 pm

This is what is written in the mbr.log file

Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
malicious code @ sector 0x25429800 size 0x1ab !
copy of MBR has been found in sector 62 !


Re: Trojan horse Win32/Mebroot k

Post by ste_95 » Wed Dec 17, 2008 6:48 pm

Perfect, now go to Start >> Run and type c:\mbr.exe -f
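The mbr.log posted above and the -f step requested in the reply are the whole detect-and-repair loop of this thread. The log itself names three checks: sector 0 read as "user" and as "kernel" and compared ("user & kernel MBR OK"), a search for a stashed copy of the original MBR in the gap before the first partition ("copy of MBR has been found in sector 62"), and a search for code stored in sectors that belong to no partition ("malicious code @ sector 0x25429800 size 0x1ab"). The script below is an added example that re-creates those checks on an in-memory disk image; it is not the thread's code and not GMER's mbr.exe, and the sector numbers, boot-code bytes, payload, simulated driver hook and the repair routine are all constructed or assumed here for illustration.

```python
"""Added example: not code from the thread and not GMER's mbr.exe.
Re-creates, on a constructed in-memory disk image, the checks reported in
the mbr.log above. Sector numbers, boot-code bytes, the payload and the
driver hook are all constructed; none is a signature for the real Mebroot."""
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xaa"
FIRST_PART_LBA = 63              # XP-era layout: partition 1 starts at LBA 63
PART_SECTORS = 2000              # constructed partition size
COPY_LBA = 62                    # constructed: where the original MBR is stashed
PAYLOAD_LBA = 2100               # constructed: past the end of the last partition
PAYLOAD = b"\xeb\x05\x90" * 142  # constructed 426-byte stand-in for rootkit code

def read_sector(img, lba):
    return bytes(img[lba * SECTOR:(lba + 1) * SECTOR])

def write_sector(img, lba, data):
    assert len(data) == SECTOR
    img[lba * SECTOR:(lba + 1) * SECTOR] = data

def partition_entry(status, ptype, start_lba, nsectors):
    """One 16-byte MBR partition entry; CHS fields left zero."""
    return struct.pack("<B3sB3sII", status, b"\0\0\0", ptype, b"\0\0\0", start_lba, nsectors)

def clean_mbr():
    code = b"\xeb\xfe" + b"\x90" * 444  # constructed boot code: jmp $ plus NOP padding
    table = partition_entry(0x80, 0x07, FIRST_PART_LBA, PART_SECTORS) + bytes(48)
    return code + table + BOOT_SIG

def infected_mbr(original):
    """Bootkit-style patch: new boot code (a constructed stub), partition
    table and 0x55AA signature kept so the machine still boots."""
    return b"\xfa\x33\xc0" + b"\xcc" * 443 + original[446:]

def build_image(total_sectors=2200, infected=False):
    img = bytearray(total_sectors * SECTOR)
    mbr = clean_mbr()
    write_sector(img, 0, infected_mbr(mbr) if infected else mbr)
    if infected:
        write_sector(img, COPY_LBA, mbr)                              # stashed original
        write_sector(img, PAYLOAD_LBA, PAYLOAD.ljust(SECTOR, b"\0"))  # hidden body
    return img

def partition_end(mbr):
    """Highest LBA covered by any partition in the table (0 if none)."""
    end = 0
    for i in range(4):
        entry = mbr[446 + 16 * i:446 + 16 * i + 16]
        start, count = struct.unpack_from("<II", entry, 8)
        if entry[4] != 0 and count:
            end = max(end, start + count - 1)
    return end

def find_mbr_copy(img, mbr):
    """'copy of MBR' heuristic: a sector before the first partition carrying a
    boot signature and sector 0's partition table, but different boot code."""
    for lba in range(1, FIRST_PART_LBA):
        s = read_sector(img, lba)
        if s[510:] == BOOT_SIG and s[446:510] == mbr[446:510] and s[:446] != mbr[:446]:
            return lba
    return None

def find_code_outside_partitions(img, mbr):
    """'malicious code @ sector' heuristic: first non-zero sector past the
    last partition, returned as (lba, length of non-zero data)."""
    for lba in range(partition_end(mbr) + 1, len(img) // SECTOR):
        data = read_sector(img, lba).rstrip(b"\0")
        if data:
            return lba, len(data)
    return None

def hooked_read(img, lba):
    """Constructed model of a disk-driver hook: serve the stashed original
    whenever sector 0 is asked for, so that one read path sees a clean MBR."""
    return read_sector(img, COPY_LBA if lba == 0 else lba)

def scan(img, hooked=False):
    """Direct read versus read through the (possibly hooked) driver, plus the
    two sector searches; returns the same three facts the log reports."""
    raw = read_sector(img, 0)
    via_driver = hooked_read(img, 0) if hooked else raw
    return {
        "paths_agree": via_driver == raw,
        "copy_of_mbr_in_sector": find_mbr_copy(img, raw),
        "foreign_code": find_code_outside_partitions(img, raw),
    }

def fix(img):
    """Assumed repair (this example's, not a claim about mbr.exe -f): write
    the stashed original back over sector 0. The payload sector is untouched."""
    copy = find_mbr_copy(img, read_sector(img, 0))
    if copy is None:
        return False
    write_sector(img, 0, read_sector(img, copy))
    return True
```

Two properties of the example are worth noticing against the posted log. With no hook active, the infected image still answers "paths agree", exactly as the log says "user & kernel MBR OK" while also reporting the copy and the foreign code: the path comparison and the sector searches are independent findings. And restoring sector 0 does nothing to the payload sector, so a rescan after the repair still reports the foreign code until those sectors are wiped.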

Re: Trojan horse Win32/Mebroot k

Post by AndrewSpeed » Wed Dec 17, 2008 7:25 pm

done, and now??

Re: Trojan horse Win32/Mebroot k

Post by ste_95 » Wed Dec 17, 2008 7:32 pm

Download mbr.exe and save it in the C:\ directory.
Then go to Start >> Run and type c:\mbr.exe
Mbr.exe will take a few seconds to do the scan. Once that is done, post here the contents of the log it creates, which you will find in c:\mbr.log

Re: Trojan horse Win32/Mebroot k

Post by AndrewSpeed » Wed Dec 17, 2008 8:48 pm

Here is what appears in the file after the new scan:

Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
malicious code @ sector 0x25429800 size 0x1ab !
copy of MBR has been found in sector 62 !

Re: Trojan horse Win32/Mebroot k

Post by ste_95 » Wed Dec 17, 2008 9:02 pm

Download GMER, then follow these steps:

--- Step 1 ---
Start gmer.
Still in the program you just downloaded (gmer),
click Rootkit,
click Scan,
when the scan finishes, click Copy.
Open Notepad and press CTRL+V (or click Edit and then Paste).
Save the file and post the result on the forum, paying attention to these rules.

Re: Trojan horse Win32/Mebroot k

Post by AndrewSpeed » Wed Dec 17, 2008 9:37 pm

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-12-17 21:35:58
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT spqy.sys ZwCreateKey [0xF74520E0]
SSDT spqy.sys ZwEnumerateKey [0xF746FCA2]
SSDT spqy.sys ZwEnumerateValueKey [0xF7470030]
SSDT spqy.sys ZwOpenKey [0xF74520C0]
SSDT spqy.sys ZwQueryKey [0xF7470108]
SSDT spqy.sys ZwQueryValueKey [0xF746FF88]
SSDT spqy.sys ZwSetValueKey [0xF747019A]

INT 0x62 ? 8576DBF8
INT 0x73 ? 857DCBF8
INT 0x82 ? 8576DBF8
INT 0xB4 ? 8544EBF8
INT 0xB4 ? 8544EBF8
INT 0xB4 ? 8544EBF8
INT 0xB4 ? 8544EBF8
INT 0xB4 ? 8544EBF8
INT 0xB4 ? 8544EBF8

---- Kernel code sections - GMER 1.0.14 ----

? spqy.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload F719C62C 5 Bytes JMP 8544E1D8
.text askaxbtz.SYS F6CC0384 1 Byte [ 20 ]
.text askaxbtz.SYS F6CC0386 35 Bytes [ 00, 68, 00, 00, 00, 00, 00, ... ]
.text askaxbtz.SYS F6CC03AA 24 Bytes [ 00, 00, 20, 00, 00, E0, 00, ... ]
.text askaxbtz.SYS F6CC03C4 3 Bytes [ 00, 00, 00 ]
.text askaxbtz.SYS F6CC03C9 1 Byte [ 00 ]
.text ...
? C:\DOCUME~1\ANDREW~1\IMPOST~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.14 ----

.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[2792] kernel32.dll!LoadResource 7C80A065 7 Bytes JMP 28001CC0 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[2792] kernel32.dll!FindResourceExW 7C80AB10 4 Bytes JMP 28001B00 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[2792] kernel32.dll!FindResourceExW + 5 7C80AB15 2 Bytes [ CC, CC ]
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[2792] kernel32.dll!FindResourceW 7C80BA56 7 Bytes JMP 28001A80 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[2792] kernel32.dll!SizeofResource 7C80BAF1 7 Bytes JMP 28001D80 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[2792] kernel32.dll!LockResource 7C80C6CF 5 Bytes JMP 28001DF0 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[2792] kernel32.dll!FindResourceA 7C80C7B1 7 Bytes JMP 28001B90 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[2792] kernel32.dll!SetUnhandledExceptionFilter 7C810386 5 Bytes JMP 0056DBBD C:\Programmi\Windows Live\Messenger\msnmsgr.exe (Windows Live Messenger/Microsoft Corporation)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[2792] kernel32.dll!CreateEventA 7C81E4BD 5 Bytes JMP 28001840 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[2792] kernel32.dll!FindResourceExA 7C822C2D 7 Bytes JMP 28001C20 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[2792] kernel32.dll!OutputDebugStringW 7C85A215 5 Bytes JMP 28001E50 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[2792] ADVAPI32.dll!CryptDeriveKey 77F5A685 7 Bytes JMP 28001000 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[2792] ADVAPI32.dll!CryptDecrypt 77F5A7B1 2 Bytes JMP 28001060 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[2792] ADVAPI32.dll!CryptDecrypt + 3 77F5A7B4 4 Bytes [ 0A, B0, CC, CC ]
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[2792] USER32.dll!PeekMessageW 77D19278 5 Bytes JMP 28004010 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[2792] USER32.dll!CreateWindowExW 77D21AD5 5 Bytes JMP 280037A0 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[2792] USER32.dll!SetWindowRgn 77D21DE0 7 Bytes JMP 28005900 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[2792] USER32.dll!LoadIconW 77D22174 5 Bytes JMP 28006210 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[2792] USER32.dll!LoadImageW 77D242A4 5 Bytes JMP 28006020 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[2792] USER32.dll!CreateDialogParamW 77D3629F 5 Bytes JMP 28005A20 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[2792] USER32.dll!SetWindowPlacement 77D3FBEA 5 Bytes JMP 280057C0 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[2792] USER32.dll!MessageBoxIndirectW 77D660B7 5 Bytes JMP 28005C10 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[2792] USER32.dll!TrackPopupMenuEx 77D6CAFE 5 Bytes JMP 280048F0 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[2792] WS2_32.dll!send 71A3428A 5 Bytes JMP 28009EE0 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[2792] WS2_32.dll!WSARecv 71A34318 5 Bytes JMP 28009CC0 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[2792] WS2_32.dll!recv 71A3615A 5 Bytes JMP 28009B20 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[2792] WS2_32.dll!WSASend 71A36233 5 Bytes JMP 2800A0C0 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[2792] WS2_32.dll!closesocket 71A39639 5 Bytes JMP 2800A300 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[2792] SHELL32.dll!Shell_NotifyIconW 7CA47CE1 5 Bytes JMP 28002F50 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[2792] ole32.dll!CoInitializeEx 774C42F3 5 Bytes JMP 28002100 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[2792] ole32.dll!CoRegisterClassObject 77511BFC 1 Byte [ E9 ]
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[2792] ole32.dll!CoRegisterClassObject + 2 77511BFE 3 Bytes [ 05, AF, B0 ]
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[2792] WININET.dll!HttpOpenRequestA 77194AC5 5 Bytes JMP 280089A0 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[2792] WININET.dll!InternetCloseHandle 771961DC 1 Byte [ E9 ]
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[2792] WININET.dll!InternetCloseHandle + 2 771961DE 3 Bytes [ 2A, E7, B0 ]
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[2792] WININET.dll!HttpSendRequestA 771976B8 5 Bytes JMP 28008C10 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[2792] WININET.dll!InternetReadFile 77199555 5 Bytes JMP 28008B30 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 857DC2D8
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F748293C] spqy.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F7482990] spqy.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F7453040] spqy.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F745313C] spqy.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F74530BE] spqy.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F74537FC] spqy.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F74536D2] spqy.sys
IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 8544E2D8
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F7462D92] spqy.sys
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!RtlInitUnicodeString] 9252D2DB
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!swprintf] [804FC5C0] \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!KeSetEvent] 8E44C8C9
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!IoCreateSymbolicLink] A475EBF6
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!IoGetConfigurationInformation] AA7EE6FF
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!IoDeleteSymbolicLink] B863F1E4
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!MmFreeMappingAddress] B668FCED
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!IoFreeErrorLogEntry] 0CB1670A
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!IoDisconnectInterrupt] 02BA6A03
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!MmUnmapIoSpace] 10A77D18
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!ObReferenceObjectByPointer] 1EAC7011
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!IofCompleteRequest] 349D532E
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!RtlCompareUnicodeString] 3A965E27
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!IofCallDriver] 288B493C
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!MmAllocateMappingAddress] 26804435
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!IoAllocateErrorLogEntry] 7CE90F42
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!IoConnectInterrupt] 72E2024B
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!IoDetachDevice] 60FF1550
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!KeWaitForSingleObject] 6EF41859
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!KeInitializeEvent] 44C53B66
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!RtlAnsiStringToUnicodeString] 4ACE366F
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!RtlInitAnsiString] 58D32174
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!IoBuildDeviceIoControlRequest] 56D82C7D
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!IoQueueWorkItem] 377A0CA1
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!MmMapIoSpace] 397101A8
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!IoInvalidateDeviceRelations] 2B6C16B3
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!IoReportDetectedDevice] 25671BBA
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!IoReportResourceForDetection] 0F563885
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!RtlxAnsiStringToUnicodeSize] 015D358C
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!NlsMbCodePageTag] 13402297
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!PoRequestPowerIrp] 1D4B2F9E
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!KeInsertByKeyDeviceQueue] 472264E9
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!PoRegisterDeviceForIdleDetection] 492969E0
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!sprintf] 5B347EFB
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!MmMapLockedPagesSpecifyCache] 553F73F2
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!ObfDereferenceObject] 7F0E50CD
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!IoGetAttachedDeviceReference] 71055DC4
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!IoInvalidateDeviceState] 63184ADF
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!ZwClose] 6D1347D6
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!ObReferenceObjectByHandle] D7CADC31
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!ZwCreateDirectoryObject] D9C1D138
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!IoBuildSynchronousFsdRequest] CBDCC623
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!PoStartNextPowerIrp] C5D7CB2A
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!PoCallDriver] EFE6E815
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!IoCreateDevice] E1EDE51C
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!IoAllocateDriverObjectExtension] F3F0F207
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!RtlQueryRegistryValues] FDFBFF0E
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!ZwOpenKey] A792B479
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!RtlFreeUnicodeString] A999B970
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!IoStartTimer] BB84AE6B
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!KeInitializeTimer] B58FA362
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!IoInitializeTimer] 9FBE805D
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!KeInitializeDpc] 91B58D54
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!KeInitializeSpinLock] 83A89A4F
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!IoInitializeIrp] 8DA39746
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!ZwCreateKey] 00000063
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!RtlAppendUnicodeStringToString] 0000007C
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!RtlIntegerToUnicodeString] 00000077
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!ZwSetValueKey] 0000007B
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!KeInsertQueueDpc] 000000F2
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!KefAcquireSpinLockAtDpcLevel] 0000006B
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!IoStartPacket] 0000006F
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!KefReleaseSpinLockFromDpcLevel] 000000C5
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!IoBuildAsynchronousFsdRequest] 00000030
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!IoFreeMdl] 00000001
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!MmUnlockPages] 00000067
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!IoWriteErrorLogEntry] 0000002B
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!KeRemoveByKeyDeviceQueue] 000000FE
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!MmMapLockedPagesWithReservedMapping] 000000D7
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!MmUnmapReservedMapping] 000000AB
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!KeSynchronizeExecution] 00000076
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!IoStartNextPacket] 000000CA
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!KeBugCheckEx] 00000082
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!KeRemoveDeviceQueue] 000000C9
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!KeSetTimer] 0000007D
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!KeCancelTimer] 000000FA
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!_allmul] 00000059
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!MmProbeAndLockPages] 00000047
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!_except_handler3] 000000F0
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!PoSetPowerState] 000000AD
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!IoOpenDeviceRegistryKey] 000000D4
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!RtlWriteRegistryValue] 000000A2
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!_aulldiv] 000000AF
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!strstr] 0000009C
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!_strupr] 000000A4
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!KeQuerySystemTime] 00000072
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!IoWMIRegistrationControl] 000000C0
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!KeTickCount] 000000B7
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!IoAttachDeviceToDeviceStack] 000000FD
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!IoDeleteDevice] 00000093
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!ExAllocatePoolWithTag] 00000026
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!IoAllocateWorkItem] 00000036
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!IoAllocateIrp] 0000003F
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!IoAllocateMdl] 000000F7
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!MmBuildMdlForNonPagedPool] 000000CC
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!MmLockPagableDataSection] 00000034
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!IoGetDriverObjectExtension] 000000A5
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!MmUnlockPagableImageSection] 000000E5
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!ExFreePoolWithTag] 000000F1
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!IoFreeIrp] 00000071
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!IoFreeWorkItem] 000000D8
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!InitSafeBootMode] 00000031
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!RtlCompareMemory] 00000015
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!RtlCopyUnicodeString] 00000004
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!memmove] 000000C7
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[ntoskrnl.exe!MmHighestUserAddress] 00000023
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[HAL.dll!KfAcquireSpinLock] 0A64D90F
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[HAL.dll!READ_PORT_UCHAR] 046FD406
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[HAL.dll!KeGetCurrentIrql] 1672C31D
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[HAL.dll!KfRaiseIrql] 1879CE14
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[HAL.dll!KfLowerIrql] 3248ED2B
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[HAL.dll!HalGetInterruptVector] 3C43E022
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[HAL.dll!HalTranslateBusAddress] 2E5EF739
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[HAL.dll!KeStallExecutionProcessor] 2055FA30
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[HAL.dll!KfReleaseSpinLock] EC01B79A
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] E20ABA93
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[HAL.dll!READ_PORT_USHORT] F017AD88
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] FE1CA081
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[HAL.dll!WRITE_PORT_UCHAR] D42D83BE
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[WMILIB.SYS!WmiSystemControl] C83B99AC
IAT \SystemRoot\System32\Drivers\askaxbtz.SYS[WMILIB.SYS!WmiCompleteRequest] C63094A5

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 857D81F8

AttachedDevice \FileSystem\Ntfs \Ntfs amon.sys (Amon monitor/Eset )

Device \FileSystem\Fastfat \FatCdrom 85253500
Device \Driver\USBSTOR \Device\0000008f 84DAF1F8
Device \Driver\PCI_PNP7788 \Device\00000043 spqy.sys
Device \Driver\usbuhci \Device\USBPDO-0 8544D500
Device \Driver\usbuhci \Device\USBPDO-1 8544D500
Device \Driver\dmio \Device\DmControl\DmIoDaemon 857DA1F8
Device \Driver\dmio \Device\DmControl\DmConfig 857DA1F8
Device \Driver\dmio \Device\DmControl\DmPnP 857DA1F8
Device \Driver\dmio \Device\DmControl\DmInfo 857DA1F8
Device \Driver\usbuhci \Device\USBPDO-2 8544D500
Device \Driver\usbuhci \Device\USBPDO-3 8544D500
Device \Driver\usbehci \Device\USBPDO-4 853311F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{1FD8C9E2-4436-4BB1-BFE1-DF2067266ACD} 853D21F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 8576E1F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8576E1F8
Device \Driver\Cdrom \Device\CdRom0 854551F8
Device \Driver\Ftdisk \Device\HarddiskVolume3 8576E1F8
Device \Driver\Cdrom \Device\CdRom1 854551F8
Device \Driver\atapi \Device\Ide\IdePort0 8576D1F8
Device \Driver\atapi \Device\Ide\IdePort1 8576D1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 8576D1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c 8576D1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 8576D1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 8576D1F8
Device \Driver\Ftdisk \Device\HarddiskVolume4 8576E1F8
Device \Driver\Cdrom \Device\CdRom2 854551F8
Device \Driver\Ftdisk \Device\HarddiskVolume5 8576E1F8
Device \Driver\sptd \Device\1853907788 spqy.sys
Device \Driver\USBSTOR \Device\00000090 84DAF1F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 853D21F8
Device \Driver\NetBT \Device\NetbiosSmb 853D21F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{A8E4646A-0284-4835-A054-E18A57CC8DBA} 853D21F8
Device \Driver\usbuhci \Device\USBFDO-0 8544D500
Device \Driver\usbuhci \Device\USBFDO-1 8544D500
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 852C1500
Device \Driver\usbuhci \Device\USBFDO-2 8544D500
Device \FileSystem\MRxSmb \Device\LanmanRedirector 852C1500
Device \Driver\usbuhci \Device\USBFDO-3 8544D500
Device \Driver\Ftdisk \Device\FtControl 8576E1F8
Device \Driver\usbehci \Device\USBFDO-4 853311F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{4E0578DC-724A-46A0-818B-2BF8D43C27D7} 853D21F8
Device \Driver\askaxbtz \Device\Scsi\askaxbtz1 853181F8
Device \Driver\viamraid \Device\Scsi\viamraid1 857D91F8
Device \Driver\askaxbtz \Device\Scsi\askaxbtz1Port3Path0Target0Lun0 853181F8
Device \FileSystem\Fastfat \Fat 85253500

AttachedDevice \FileSystem\Fastfat \Fat amon.sys (Amon monitor/Eset )

Device \FileSystem\Cdfs \Cdfs 85283500

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Programmi\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xAF 0xA0 0x06 0x2E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x9D 0x74 0x37 0x70 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0xAC 0x2F 0x1C 0xBE ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Programmi\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xAF 0xA0 0x06 0x2E ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x9D 0x74 0x37 0x70 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0xAC 0x2F 0x1C 0xBE ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A402FD61-9972-2C81-8788-EC9EDD770B7F}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A402FD61-9972-2C81-8788-EC9EDD770B7F}@iajjdlbpbcjcmdfapp 0x6A 0x61 0x6C 0x64 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A402FD61-9972-2C81-8788-EC9EDD770B7F}@hahjnfojkjbfcnoi 0x6A 0x61 0x6C 0x64 ...

---- Disk sectors - GMER 1.0.14 ----

Disk \Device\Harddisk0\DR0 sector 61: malicious code @ sector 0x25429800 size 0x1ab
Disk \Device\Harddisk0\DR0 sector 62: copy of MBR

---- EOF - GMER 1.0.14 ----
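The GMER log above is long, and nearly every kernel entry points at one of two modules, spqy.sys and askaxbtz.SYS. The log also carries the cross-references an analyst needs before judging any of it: the Devices section shows spqy.sys serving \Driver\sptd, and the Registry section shows the sptd service's Cfg key pointing at C:\Programmi\Alcohol Soft\Alcohol 120\. The parser below is an added example, not the thread's code and not part of GMER; it reduces a log in this format to hooks-per-module, attaches the drivers and registry data the log ties to each module, and collects the Disk findings, so the question "whose hooks are these" is answered from the log itself. SAMPLE_LOG is a constructed excerpt of the posted log; the .text and AttachedDevice lines are deliberately not parsed.

```python
"""Added example, not code from the thread or from GMER: a triage pass over
a GMER log in the format posted above. Groups SSDT and IAT hooks by owning
module, ties each module to the drivers whose devices it serves (Devices
section) and to the registry data GMER listed for those driver services
(Registry section), and collects the Disk findings.
SAMPLE_LOG is a constructed excerpt of the log above."""
import re

SAMPLE_LOG = r"""
SSDT spqy.sys ZwCreateKey [0xF74520E0]
SSDT spqy.sys ZwOpenKey [0xF74520C0]
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F748293C] spqy.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F7453040] spqy.sys
IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 857DC2D8
Device \Driver\PCI_PNP7788 \Device\00000043 spqy.sys
Device \Driver\sptd \Device\1853907788 spqy.sys
Device \Driver\atapi \Device\Ide\IdePort0 8576D1F8
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Programmi\Alcohol Soft\Alcohol 120\
Disk \Device\Harddisk0\DR0 sector 61: malicious code @ sector 0x25429800 size 0x1ab
Disk \Device\Harddisk0\DR0 sector 62: copy of MBR
"""

SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+(\S+)\s+\[(0x[0-9A-Fa-f]+)\]")
IAT_RE = re.compile(r"^IAT\s+(\S+?)\[([^\]]+)\]\s+(.*)$")
DEVICE_RE = re.compile(r"^Device\s+(\S+)\s+(\S+)\s+(\S+)")
REG_RE = re.compile(r"^Reg\s+(\S+)(?:\s+(.*))?$")
DISK_RE = re.compile(r"^Disk\s+\S+\s+sector\s+(\d+):\s+(.*)$")
ADDR_RE = re.compile(r"^[0-9A-Fa-f]{8}$")

def triage(log_text):
    hooks = {}        # owner module -> {"ssdt": [...], "iat": [...]}
    drivers = {}      # driver name (from \Driver\<name>) -> owner module
    services = {}     # service name -> [(value name, data)]
    unresolved = []   # IAT entries pointing at a bare address, no module named
    disk = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        m = SSDT_RE.match(line)
        if m:
            owner, func, addr = m.groups()
            hooks.setdefault(owner, {"ssdt": [], "iat": []})["ssdt"].append((func, addr))
            continue
        m = IAT_RE.match(line)
        if m:
            target, imported, rest = m.groups()
            res = re.match(r"\[([0-9A-Fa-f]+)\]\s+(\S+)", rest)
            if res:
                addr, owner = res.groups()
                hooks.setdefault(owner, {"ssdt": [], "iat": []})["iat"].append((target, imported, addr))
            else:
                unresolved.append((target, imported, rest.split()[0]))
            continue
        m = DEVICE_RE.match(line)
        if m:
            driver, _device, owner = m.groups()
            if not ADDR_RE.match(owner):      # a module name, not a plain address
                drivers[driver.rsplit("\\", 1)[-1]] = owner
            continue
        m = REG_RE.match(line)
        if m and "@" in m.group(1):
            key, value = m.group(1).rsplit("@", 1)
            svc = re.search(r"\\Services\\([^\\]+)", key)
            if svc:
                services.setdefault(svc.group(1), []).append((value, m.group(2) or ""))
            continue
        m = DISK_RE.match(line)
        if m:
            disk.append((int(m.group(1)), m.group(2)))
    modules = {}
    for owner, h in hooks.items():
        drv = sorted(d for d, o in drivers.items() if o == owner)
        modules[owner] = {
            "ssdt": len(h["ssdt"]),
            "iat": len(h["iat"]),
            "drivers": drv,
            "registry": [v for d in drv for v in services.get(d, [])],
        }
    return {"modules": modules, "disk": disk, "unresolved_iat": unresolved}
```

Run over the full posted log, the same pass would put the askaxbtz.SYS entries in a separate bucket with no driver or registry cross-reference, which is exactly the kind of gap an analyst then has to close by other means; the parser only reports what the log ties together, it does not decide what is benign.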

Re: Trojan horse Win32/Mebroot k

Post by AndrewSpeed » Fri Dec 19, 2008 11:58 am

I have posted the scan result?? now what should I do??

Re: Trojan horse Win32/Mebroot k

Post by ste_95 » Fri Dec 19, 2008 2:13 pm

When you ran the c:\mbr.exe -f command it should have generated a log in C:\mbr.log. Can you post it?

Re: Trojan horse Win32/Mebroot k

Post by AndrewSpeed » Fri Dec 19, 2008 6:19 pm

This is the log generated after typing the command c:\mbr.exe -f

Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
malicious code @ sector 0x25429800 size 0x1ab !
copy of MBR has been found in sector 62 !

Re: Trojan horse Win32/Mebroot k

Post by Amantide » Fri Dec 19, 2008 8:03 pm

I suspect that MBR.EXE cannot clean the MBR because of malware that recreates the infection instantly [uhm]

Try this.
Do a full scan of the PC with Malwarebytes Anti-Malware, reboot the PC and right afterwards run the command c:\mbr.exe -f again

Post me both the Malwarebytes report and the new one from mbr.exe
...to fly high, you have to know how to fall...
Amantide, Official Member (Gold); Posts: 8126; Joined: Mon Feb 06, 2006 4:13 pm; Location: Abruzzo

Re: Trojan horse Win32/Mebroot k

Post by AndrewSpeed » Sat Dec 20, 2008 8:16 pm

This is the log of the scan done with Malwarebytes' Anti-Malware

Malwarebytes' Anti-Malware 1.31
Database version: 1526
Windows 5.1.2600 Service Pack 2

20/12/2008 19.55.26
mbam-log-2008-12-20 (19-55-22).txt

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 188715
Time elapsed: 57 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\regfile\shell\open\command\ (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Programmi\WinRAR\patch.exe (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{D9AFBD31-0D7F-491E-8CE3-F0DEE493DFAB}\RP137\A0025565.exe (Trojan.FakeAlert) -> No action taken.
E:\00-DOCUMENTI UNIVERSITA\sysreset_stci\mirc.exe (Backdoor.Bot) -> No action taken.
E:\System Volume Information\_restore{DB12A846-36CD-4FC0-86B3-0BDAD31BB27A}\RP1\A0001021.exe (Backdoor.Bot) -> No action taken.



This instead is the log generated after typing the command c:\mbr.exe -f after rebooting the PC. I hope you can help me [cry]

Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
malicious code @ sector 0x25429800 size 0x1ab !
copy of MBR has been found in sector 62 !

Re: Trojan horse Win32/Mebroot k

Post by Amantide » Sat Dec 20, 2008 9:30 pm

Nothing relevant in the Malwarebytes log, and strangely mbr.exe cannot fix the situation.

Do you have the XP installation CD?
Following these instructions on using the Recovery Console, you should run the FIXMBR command


megalab.it: online daily newspaper registered with the Court of Cosenza no. 22/09 of 13.08.2009, publisher Master New Media S.r.l.; © Copyright 2008 Master New Media S.r.l. a socio unico - P.I. 02947530784. GRUPPO EDIZIONI MASTER Spa. All rights reserved. For advertising: Master Advertising