Pompolus
01-10-2009, 23:02
Hi everyone,
Today I was browsing when at a certain point Avir warned me that it had found a virus in the temporary internet files; I told it to delete it and everything seemed fine, but after a few minutes the PC rebooted on its own.
That immediately smelled fishy, so I rebooted straight into safe mode and ran a system scan with Avir, which found the rootkit BOO/Sinowal.E.
I searched around online and found several people who had been hit by it, and I followed the advice given (including yours), but something doesn't add up.
I should mention that I dual-boot Windows XP and Ubuntu; obviously I was on Windows when I picked up the virus!
Here is what I did:
I downloaded Prevx, Gmer, MBR.exe and Norman_Sinowal_cleaner.
This is the log of the full scan done with GMER:
GMER 1.0.15.15077 [gmer.exe] - http://www.gmer.net
Rootkit scan 2009-10-01 23:31:31
Windows 5.1.2600 Service Pack 3
---- System - GMER 1.0.15 ----
SSDT pxsec.sys (Prevx Realtime Analysis/Prevx) ZwTerminateProcess [0xF7659680]
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\Explorer.EXE[912] ADVAPI32.dll!CryptDestroyKey 77F59EBC 7 Bytes JMP 00BE28E0
.text C:\WINDOWS\Explorer.EXE[912] ADVAPI32.dll!CryptDecrypt 77F5A129 7 Bytes JMP 00BE2890
.text C:\WINDOWS\Explorer.EXE[912] ADVAPI32.dll!CryptEncrypt 77F5E360 7 Bytes JMP 00BE2854
.text C:\WINDOWS\Explorer.EXE[912] WS2_32.dll!closesocket 71A33E2B 5 Bytes JMP 00BE2839
.text C:\WINDOWS\Explorer.EXE[912] WS2_32.dll!send 71A34C27 5 Bytes JMP 00BE26C5
.text C:\WINDOWS\Explorer.EXE[912] WS2_32.dll!WSARecv 71A34CB5 5 Bytes JMP 00BE27B7
.text C:\WINDOWS\Explorer.EXE[912] WS2_32.dll!recv 71A3676F 5 Bytes JMP 00BE26FD
.text C:\WINDOWS\Explorer.EXE[912] WS2_32.dll!WSASend 71A368FA 5 Bytes JMP 00BE2735
.text C:\Programmi\Internet Explorer\iexplore.exe[1412] ADVAPI32.dll!CryptDestroyKey 77F59EBC 7 Bytes JMP 010728E0
.text C:\Programmi\Internet Explorer\iexplore.exe[1412] ADVAPI32.dll!CryptDecrypt 77F5A129 7 Bytes JMP 01072890
.text C:\Programmi\Internet Explorer\iexplore.exe[1412] ADVAPI32.dll!CryptEncrypt 77F5E360 7 Bytes JMP 01072854
.text C:\Programmi\Internet Explorer\iexplore.exe[1412] USER32.dll!DialogBoxParamW 7E3A47AB 5 Bytes JMP 402B51FD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[1412] USER32.dll!CreateWindowExW 7E3AD0A3 5 Bytes JMP 4038D3AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[1412] USER32.dll!DialogBoxIndirectParamW 7E3B2072 5 Bytes JMP 40483C10 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[1412] USER32.dll!MessageBoxIndirectA 7E3BA082 5 Bytes JMP 40483B42 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[1412] USER32.dll!DialogBoxParamA 7E3BB144 5 Bytes JMP 40483BAD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[1412] USER32.dll!MessageBoxExW 7E3D0838 5 Bytes JMP 40483A13 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[1412] USER32.dll!MessageBoxExA 7E3D085C 5 Bytes JMP 40483A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[1412] USER32.dll!DialogBoxIndirectParamA 7E3D6D7D 5 Bytes JMP 40483C73 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[1412] USER32.dll!MessageBoxIndirectW 7E3E64D5 5 Bytes JMP 40483AD7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[1412] WININET.dll!InternetReadFile 3F9E654B 5 Bytes JMP 01072DE8
.text C:\Programmi\Internet Explorer\iexplore.exe[1412] WININET.dll!InternetCloseHandle 3F9E9088 5 Bytes JMP 01072E42
.text C:\Programmi\Internet Explorer\iexplore.exe[1412] WININET.dll!HttpOpenRequestA 3F9ED508 5 Bytes JMP 01072B35
.text C:\Programmi\Internet Explorer\iexplore.exe[1412] WININET.dll!InternetConnectA 3F9EDEAE 5 Bytes JMP 010728FB
.text C:\Programmi\Internet Explorer\iexplore.exe[1412] WININET.dll!HttpSendRequestW 3F9EFABE 5 Bytes JMP 01073742
.text C:\Programmi\Internet Explorer\iexplore.exe[1412] WININET.dll!HttpSendRequestA 3F9FEE81 5 Bytes JMP 01072CA1
.text C:\Programmi\Internet Explorer\iexplore.exe[1412] CRYPT32.dll!CertGetCertificateChain 77A62F67 5 Bytes JMP 0107331C
.text C:\Programmi\Internet Explorer\iexplore.exe[1412] CRYPT32.dll!CertVerifyCertificateChainPolicy 77A6B76F 5 Bytes JMP 01073325
.text C:\Programmi\Internet Explorer\iexplore.exe[1940] ADVAPI32.dll!CryptDestroyKey 77F59EBC 7 Bytes JMP 010828E0
.text C:\Programmi\Internet Explorer\iexplore.exe[1940] ADVAPI32.dll!CryptDecrypt 77F5A129 7 Bytes JMP 01082890
.text C:\Programmi\Internet Explorer\iexplore.exe[1940] ADVAPI32.dll!CryptEncrypt 77F5E360 7 Bytes JMP 01082854
.text C:\Programmi\Internet Explorer\iexplore.exe[1940] USER32.dll!DialogBoxParamW 7E3A47AB 5 Bytes JMP 402B51FD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[1940] USER32.dll!SetWindowsHookExW 7E3A820F 5 Bytes JMP 40389521 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[1940] USER32.dll!CallNextHookEx 7E3AB3C6 5 Bytes JMP 4037CB69 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[1940] USER32.dll!CreateWindowExW 7E3AD0A3 5 Bytes JMP 4038D3AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[1940] USER32.dll!UnhookWindowsHookEx 7E3AD5F3 5 Bytes JMP 402F43F6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[1940] USER32.dll!DialogBoxIndirectParamW 7E3B2072 5 Bytes JMP 40483C10 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[1940] USER32.dll!MessageBoxIndirectA 7E3BA082 5 Bytes JMP 40483B42 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[1940] USER32.dll!DialogBoxParamA 7E3BB144 5 Bytes JMP 40483BAD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[1940] USER32.dll!MessageBoxExW 7E3D0838 5 Bytes JMP 40483A13 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[1940] USER32.dll!MessageBoxExA 7E3D085C 5 Bytes JMP 40483A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[1940] USER32.dll!DialogBoxIndirectParamA 7E3D6D7D 5 Bytes JMP 40483C73 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[1940] USER32.dll!MessageBoxIndirectW 7E3E64D5 5 Bytes JMP 40483AD7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[1940] ole32.dll!CoCreateInstance 774D057E 5 Bytes JMP 4038D408 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[1940] ole32.dll!OleLoadFromStream 774F9C85 5 Bytes JMP 40483F78 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[1940] WININET.dll!InternetReadFile 3F9E654B 5 Bytes JMP 01082DE8
.text C:\Programmi\Internet Explorer\iexplore.exe[1940] WININET.dll!InternetCloseHandle 3F9E9088 5 Bytes JMP 01082E42
.text C:\Programmi\Internet Explorer\iexplore.exe[1940] WININET.dll!HttpOpenRequestA 3F9ED508 5 Bytes JMP 01082B35
.text C:\Programmi\Internet Explorer\iexplore.exe[1940] WININET.dll!InternetConnectA 3F9EDEAE 5 Bytes JMP 010828FB
.text C:\Programmi\Internet Explorer\iexplore.exe[1940] WININET.dll!HttpSendRequestW 3F9EFABE 5 Bytes JMP 01083742
.text C:\Programmi\Internet Explorer\iexplore.exe[1940] WININET.dll!HttpSendRequestA 3F9FEE81 5 Bytes JMP 01082CA1
.text C:\Programmi\Internet Explorer\iexplore.exe[1940] CRYPT32.dll!CertGetCertificateChain 77A62F67 5 Bytes JMP 0108331C
.text C:\Programmi\Internet Explorer\iexplore.exe[1940] CRYPT32.dll!CertVerifyCertificateChainPolicy 77A6B76F 5 Bytes JMP 01083325
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\Programmi\Internet Explorer\iexplore.exe[1940] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Programmi\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)
---- Devices - GMER 1.0.15 ----
Device \Driver\Cdrom \Device\CdRom0 89D46428
Device \Driver\Cdrom \Device\CdRom1 89D46428
Device \Driver\iaStor \Device\Ide\iaStor0 8951ABD0
Device \Driver\atapi \Device\Ide\IdePort0 89D468D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 89D468D8
Device \Driver\atapi \Device\Ide\IdePort1 89D468D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c 89D468D8
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 8951ABD0
Device \Driver\sojuscsi \Device\Scsi\sojuscsi1Port3Path0Target0Lun0 89D09F00
Device \Driver\sojuscsi \Device\Scsi\sojuscsi1 89D09F00
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- Modules - GMER 1.0.15 ----
Module _________ F747B000-F7493000 (98304 bytes)
---- EOF - GMER 1.0.15 ----
At first glance it looks clean to me.
Then I launched Prevx, which scans for rootkits first, before the file system, and it found nothing in the boot sector, so I cancelled the rest of the scan.
With Norman_Sinowal_cleaner the result is slightly different; this is the initial log:
Norman SinowalMBR Cleaner
Copyright © 1990 - 2008, Norman ASA. Built 2008/05/13 16:21:18
Norman Scanner Engine Version: 5.92.04
Nvcbin.def Version: 5.92.00, Date: 2008/05/13 16:21:18, Variants: 0
Running pre-scan cleanup routine:
Operating System: Microsoft Windows XP Professional 5.1.2600(Safe mode with network) Service Pack 3
Logged on user: POMPOCOMPUTER\Pompolus
Scan started: 01/10/2009 23:50:09
Scanning bootsectors...
Unable to scan for SinowalMBR hooks
Number of sectors found: 0
Number of sectors scanned: 0
Number of sectors not scanned: 0
Number of infections found: 0
Number of infections removed: 0
Total scanning time: 0s 16ms
It says "Unable to scan for SinowalMBR hooks", what the hell does that mean? Can't it read the hard disk?
Anyway, I also tried MBR.exe and got this result:
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x89d468d8
\Driver\iaStor -> 0x8951abd0
NDIS: Realtek RTL8168C(P)/8111C(P) PCI-E Gigabit Ethernet NIC -> SendCompleteHandler -> 0x89556df0
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !
At least this one tells me "Warning: possible MBR rootkit infection !", so I try running "C:\mbr.exe -f", but the log it gives me back is exactly the same.
Needless to say the PC has slowed down and every now and then I get the big blue screen of death!
What do I do?
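As an added example (not from the original post, nor GMER's own code), a small Python parser for the "User code sections" lines in the GMER log above. It separates inline JMP hooks that GMER attributed to a signed module (the IEFRAME.dll ones) from JMPs into memory it could not attribute to any module, on the crypto and network APIs (ADVAPI32 Crypt*, CRYPT32 Cert*, WS2_32, WININET) that Explorer.EXE and iexplore.exe show hooked here. The function names and the sample lines are assumptions constructed from the log in the post.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a handful of "User code sections" lines copied from the GMER log in the post.
GMER_LOG = """\
---- User code sections - GMER 1.0.15 ----
.text C:\\WINDOWS\\Explorer.EXE[912] ADVAPI32.dll!CryptEncrypt 77F5E360 7 Bytes JMP 00BE2854
.text C:\\WINDOWS\\Explorer.EXE[912] WS2_32.dll!send 71A34C27 5 Bytes JMP 00BE26C5
.text C:\\Programmi\\Internet Explorer\\iexplore.exe[1412] USER32.dll!DialogBoxParamW 7E3A47AB 5 Bytes JMP 402B51FD C:\\WINDOWS\\system32\\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\\Programmi\\Internet Explorer\\iexplore.exe[1412] WININET.dll!HttpSendRequestA 3F9FEE81 5 Bytes JMP 01072CA1
.text C:\\Programmi\\Internet Explorer\\iexplore.exe[1412] CRYPT32.dll!CertVerifyCertificateChainPolicy 77A6B76F 5 Bytes JMP 01073325
---- User IAT/EAT - GMER 1.0.15 ----
"""

# One inline-hook line has the shape:
#   .text <process>[<pid>] <module>!<export> <addr> <n> Bytes JMP <target> [<owner path> (<description>)]
# The trailing owner part is only present when GMER could map the JMP target to a loaded module.
HOOK_RE = re.compile(
    r"^\.text (?P<process>.+?)\[(?P<pid>\d+)\] (?P<module>\S+)!(?P<function>\S+) "
    r"(?P<address>[0-9A-Fa-f]+) (?P<length>\d+) Bytes JMP (?P<target>[0-9A-Fa-f]+)"
    r"(?: (?P<owner>.+))?$"
)

# API families a man-in-the-browser trojan hooks to see traffic before encryption / after decryption.
SENSITIVE = {
    "crypto": ("ADVAPI32.dll!Crypt", "CRYPT32.dll!Cert"),
    "network": ("WS2_32.dll!", "WININET.dll!"),
}

@dataclass
class Hook:
    process: str
    pid: int
    module: str
    function: str
    target: int
    owner: Optional[str]  # module GMER attributed the JMP target to; None if unattributed

    @property
    def api(self) -> str:
        return f"{self.module}!{self.function}"

    @property
    def family(self) -> str:
        for name, prefixes in SENSITIVE.items():
            if self.api.startswith(prefixes):
                return name
        return "other"

def parse_gmer_hooks(text: str) -> list:
    """Parse every inline-hook line of a GMER 'User code sections' block."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            hooks.append(Hook(m["process"], int(m["pid"]), m["module"], m["function"],
                              int(m["target"], 16), m["owner"]))
    return hooks

def suspicious_hooks(hooks: list) -> list:
    """Hooks whose JMP lands in memory GMER could not attribute to any module (a private
    allocation rather than a DLL), restricted to the crypto/network API families.
    Hooks resolved to a vendor DLL (IEFRAME.dll here) are normal browser behaviour."""
    return [h for h in hooks if h.owner is None and h.family != "other"]

def summarize(hooks: list) -> dict:
    """Group hooked APIs per process[pid], preserving log order."""
    out = defaultdict(list)
    for h in hooks:
        out[f"{h.process}[{h.pid}]"].append(h.api)
    return dict(out)
```

Running `summarize(suspicious_hooks(parse_gmer_hooks(GMER_LOG)))` on the sample yields two entries, one per process, each listing only the unattributed crypto/network hooks; the IEFRAME.dll hook is dropped.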