Rootkit - XP and Vista dual boot

MegaShark · 23-10-2008, 12:48

Hi guys,

first of all, my apologies for posting in English, but I'm afraid my Italian isn’t that good

Plus, your forum looks loaded with great information and while googling around for help I found it to be the most comprehensive one. I'm from Portugal and even though I can't write in Italian I guess I can figure out most of what's written. If by any chance posting in English is not adequate here, please tell me and I'll make an effort to translate this.

My PC is now dual booting XP SP2 (with McAfee Enterprise) and Vista (with Avast). Starting this weekend, Internet Explorer 6 on XP SP2 crashes on opening (roughly 95% of the times; the other 5% it works OK for about 5 minutes and then crashes) without even accessing my homepage. The internet connection is OK (all other web applications work just fine and Firefox accesses the web with no problems). On Vista, everything is fine, including Internet Explorer 7. This appears to be something similar to what someone has experienced and posted here http://www.hwupgrade.it/forum/showthread.php?t=1745198

On XP SP2, I've tried installing IE 7, IE 8 beta2, IE 6 standalone, but the result is always the same: IE crashes on opening.

On XP, McAfee never showed up anything suspicious, nor did MalwareBytes. Nevertheless, Avast on Vista tells me I have some rootkit virus on the MBR (and apparently hiberfil.sys is infected).

Following your guide, I’ve extracted both Prevx and Gmer logs. I’ve truncated them in order to keep the attachment file size under 24,4kB.

_________________________________________

Prevx:
Last Scan: Thu 2008-10-23 10:37:21 GMT Standard Time. Number of Scans: 2
[R<R00000010>] (ACTIVE) \\.\PhysicalDrive0\MBR [PX5: 0000000000000000000000000000000000000002] Malware Group: Rootkit.MBR

_________________________________________

Gmer:
---- Disk sectors - GMER 1.0.14 ----

Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior; MBR rootkit code detected <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 60: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 61: rootkit-like behavior; malicious code @ sector 0x950e4c1 size 0x1b6
Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior; copy of MBR

_________________________________________

Can you help me out?

Thanks in advance!!

xcdegasp · 23-10-2008, 15:35

you are welcome, you can see this thread:
http://www.hwupgrade.it/forum/showthread.php?t=1715546

Stealth MBR rootkit detector -> download
start -> run..: -> c:\mbr.exe
now: start -> run..: -> c:\mbr.exe -f
reboot pc
start -> run..: -> c:\mbr.exe
ymantec Trojan.Mebroot Removal Tool -> download
click on "I accept" and click on start and read the istructions on screen

I'm await for read the report results

MegaShark · 23-10-2008, 19:01

Grazie!

All is well now

_________________________________________

MBR1:
Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
MBR rootkit code detected !
malicious code @ sector 0x950e4c1 size 0x1b6 !
copy of MBR has been found in sector 62 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

_________________________________________

MBR2:
Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
MBR rootkit code detected !
malicious code @ sector 0x950e4c1 size 0x1b6 !
copy of MBR has been found in sector 62 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
original MBR restored successfully !

_________________________________________

MBR3:
Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

_________________________________________

FixMebroot:
Symantec Trojan.Mebroot Removal Tool 1.0.2
Found drive \\.\PhysicalDrive0, analyzing MBR...
Creating FixMebroot service driver
Running driver...
Trojan.Mebroot has not been found active on your computer.
Delete service driver
Delete driver file
End

The tool initiated a system reboot.

_________________________________________

The question is... where do these virus come from and why doesn't McAfee do nothing to stop them?

Ciao!

**Chill-Out** · 23-10-2008, 21:46

Probably from infected site, for your safety i suggest you to use DrWeb CureIt

ftp://ftp.drweb.com/pub/drweb/cureit/cureit.exe

Ciao

23-10-2008, 15:35	#2
xcdegasp Senior Member Iscritto dal: Nov 2001 Città: Fidenza(pr) da Trento Messaggi: 27479	you are welcome, you can see this thread: http://www.hwupgrade.it/forum/showthread.php?t=1715546 Stealth MBR rootkit detector -> download start -> run..: -> c:\mbr.exe now: start -> run..: -> c:\mbr.exe -f reboot pc start -> run..: -> c:\mbr.exe ymantec Trojan.Mebroot Removal Tool -> download click on "I accept" and click on start and read the istructions on screen I'm await for read the report results __________________ "Visti da vicino siamo tutti strani..." ~\|~ What Defines a Community? ~\|~ Thread eMule Ufficiale ~\|~ Online Armor in Italiano ~\|~ Regole di Sezione ~\|► Guida a PrivateFirewall quinto potere ~\|~ Le illusioni della TV Ultima modifica di xcdegasp : 23-10-2008 alle 15:38.

23-10-2008, 21:46	#4
Chill-Out Moderatore Iscritto dal: Jun 2007 Città: 127.0.0.1 Messaggi: 25885	Probably from infected site, for your safety i suggest you to use DrWeb CureIt ftp://ftp.drweb.com/pub/drweb/cureit/cureit.exe Ciao __________________ Regole di Sezione ▪ Guida alla Disinfezione ▪ Attenzione: Thread importanti Try again and you will be luckier.

23-10-2008, 19:01	#3
MegaShark Junior Member Iscritto dal: Oct 2008 Messaggi: 2	Grazie! All is well now _________________________________________ MBR1: Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net device: opened successfully user: MBR read successfully kernel: MBR read successfully MBR rootkit code detected ! malicious code @ sector 0x950e4c1 size 0x1b6 ! copy of MBR has been found in sector 62 ! MBR rootkit infection detected ! Use: "mbr.exe -f" to fix. _________________________________________ MBR2: Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net device: opened successfully user: MBR read successfully kernel: MBR read successfully MBR rootkit code detected ! malicious code @ sector 0x950e4c1 size 0x1b6 ! copy of MBR has been found in sector 62 ! MBR rootkit infection detected ! Use: "mbr.exe -f" to fix. original MBR restored successfully ! _________________________________________ MBR3: Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net device: opened successfully user: MBR read successfully kernel: MBR read successfully user & kernel MBR OK _________________________________________ FixMebroot: Symantec Trojan.Mebroot Removal Tool 1.0.2 Found drive \\.\PhysicalDrive0, analyzing MBR... Creating FixMebroot service driver Running driver... Trojan.Mebroot has not been found active on your computer. Delete service driver Delete driver file End The tool initiated a system reboot. _________________________________________ The question is... where do these virus come from and why doesn't McAfee do nothing to stop them? Ciao!

Strumenti
Mostra una versione stampabile Invia questa pagina per email