#1 |
Member
Joined: Oct 2005
Posts: 258
Rootkit Sinowal.E
Hello everyone,
Today I was browsing when at some point Avira warned me that it had found a virus in the Temporary Internet Files; I told it to delete it and everything seemed fine, but after a few minutes my PC rebooted. That immediately smelled fishy, so I rebooted straight into Safe Mode and ran a system scan with Avira, which found the rootkit BOO/Sinowal.E. I searched around the web and found a few people who had been hit by it, and I followed the advice given (including yours), but something doesn't add up. I should say up front that I dual-boot Windows XP and Ubuntu; obviously I was on Windows when I caught the virus! Here is what I did: I downloaded Prevx, Gmer, MBR.exe and Norman_Sinowal_cleaner. This is the log of the full scan done with GMER:
Code:
GMER 1.0.15.15077 [gmer.exe] - http://www.gmer.net
Rootkit scan 2009-10-01 23:31:31
Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.15 ----

SSDT pxsec.sys (Prevx Realtime Analysis/Prevx) ZwTerminateProcess [0xF7659680]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[912] ADVAPI32.dll!CryptDestroyKey 77F59EBC 7 Bytes JMP 00BE28E0
.text C:\WINDOWS\Explorer.EXE[912] ADVAPI32.dll!CryptDecrypt 77F5A129 7 Bytes JMP 00BE2890
.text C:\WINDOWS\Explorer.EXE[912] ADVAPI32.dll!CryptEncrypt 77F5E360 7 Bytes JMP 00BE2854
.text C:\WINDOWS\Explorer.EXE[912] WS2_32.dll!closesocket 71A33E2B 5 Bytes JMP 00BE2839
.text C:\WINDOWS\Explorer.EXE[912] WS2_32.dll!send 71A34C27 5 Bytes JMP 00BE26C5
.text C:\WINDOWS\Explorer.EXE[912] WS2_32.dll!WSARecv 71A34CB5 5 Bytes JMP 00BE27B7
.text C:\WINDOWS\Explorer.EXE[912] WS2_32.dll!recv 71A3676F 5 Bytes JMP 00BE26FD
.text C:\WINDOWS\Explorer.EXE[912] WS2_32.dll!WSASend 71A368FA 5 Bytes JMP 00BE2735
.text C:\Programmi\Internet Explorer\iexplore.exe[1412] ADVAPI32.dll!CryptDestroyKey 77F59EBC 7 Bytes JMP 010728E0
.text C:\Programmi\Internet Explorer\iexplore.exe[1412] ADVAPI32.dll!CryptDecrypt 77F5A129 7 Bytes JMP 01072890
.text C:\Programmi\Internet Explorer\iexplore.exe[1412] ADVAPI32.dll!CryptEncrypt 77F5E360 7 Bytes JMP 01072854
.text C:\Programmi\Internet Explorer\iexplore.exe[1412] USER32.dll!DialogBoxParamW 7E3A47AB 5 Bytes JMP 402B51FD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[1412] USER32.dll!CreateWindowExW 7E3AD0A3 5 Bytes JMP 4038D3AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[1412] USER32.dll!DialogBoxIndirectParamW 7E3B2072 5 Bytes JMP 40483C10 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[1412] USER32.dll!MessageBoxIndirectA 7E3BA082 5 Bytes JMP 40483B42 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[1412] USER32.dll!DialogBoxParamA 7E3BB144 5 Bytes JMP 40483BAD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[1412] USER32.dll!MessageBoxExW 7E3D0838 5 Bytes JMP 40483A13 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[1412] USER32.dll!MessageBoxExA 7E3D085C 5 Bytes JMP 40483A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[1412] USER32.dll!DialogBoxIndirectParamA 7E3D6D7D 5 Bytes JMP 40483C73 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[1412] USER32.dll!MessageBoxIndirectW 7E3E64D5 5 Bytes JMP 40483AD7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[1412] WININET.dll!InternetReadFile 3F9E654B 5 Bytes JMP 01072DE8
.text C:\Programmi\Internet Explorer\iexplore.exe[1412] WININET.dll!InternetCloseHandle 3F9E9088 5 Bytes JMP 01072E42
.text C:\Programmi\Internet Explorer\iexplore.exe[1412] WININET.dll!HttpOpenRequestA 3F9ED508 5 Bytes JMP 01072B35
.text C:\Programmi\Internet Explorer\iexplore.exe[1412] WININET.dll!InternetConnectA 3F9EDEAE 5 Bytes JMP 010728FB
.text C:\Programmi\Internet Explorer\iexplore.exe[1412] WININET.dll!HttpSendRequestW 3F9EFABE 5 Bytes JMP 01073742
.text C:\Programmi\Internet Explorer\iexplore.exe[1412] WININET.dll!HttpSendRequestA 3F9FEE81 5 Bytes JMP 01072CA1
.text C:\Programmi\Internet Explorer\iexplore.exe[1412] CRYPT32.dll!CertGetCertificateChain 77A62F67 5 Bytes JMP 0107331C
.text C:\Programmi\Internet Explorer\iexplore.exe[1412] CRYPT32.dll!CertVerifyCertificateChainPolicy 77A6B76F 5 Bytes JMP 01073325
.text C:\Programmi\Internet Explorer\iexplore.exe[1940] ADVAPI32.dll!CryptDestroyKey 77F59EBC 7 Bytes JMP 010828E0
.text C:\Programmi\Internet Explorer\iexplore.exe[1940] ADVAPI32.dll!CryptDecrypt 77F5A129 7 Bytes JMP 01082890
.text C:\Programmi\Internet Explorer\iexplore.exe[1940] ADVAPI32.dll!CryptEncrypt 77F5E360 7 Bytes JMP 01082854
.text C:\Programmi\Internet Explorer\iexplore.exe[1940] USER32.dll!DialogBoxParamW 7E3A47AB 5 Bytes JMP 402B51FD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[1940] USER32.dll!SetWindowsHookExW 7E3A820F 5 Bytes JMP 40389521 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[1940] USER32.dll!CallNextHookEx 7E3AB3C6 5 Bytes JMP 4037CB69 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[1940] USER32.dll!CreateWindowExW 7E3AD0A3 5 Bytes JMP 4038D3AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[1940] USER32.dll!UnhookWindowsHookEx 7E3AD5F3 5 Bytes JMP 402F43F6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[1940] USER32.dll!DialogBoxIndirectParamW 7E3B2072 5 Bytes JMP 40483C10 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[1940] USER32.dll!MessageBoxIndirectA 7E3BA082 5 Bytes JMP 40483B42 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[1940] USER32.dll!DialogBoxParamA 7E3BB144 5 Bytes JMP 40483BAD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[1940] USER32.dll!MessageBoxExW 7E3D0838 5 Bytes JMP 40483A13 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[1940] USER32.dll!MessageBoxExA 7E3D085C 5 Bytes JMP 40483A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[1940] USER32.dll!DialogBoxIndirectParamA 7E3D6D7D 5 Bytes JMP 40483C73 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[1940] USER32.dll!MessageBoxIndirectW 7E3E64D5 5 Bytes JMP 40483AD7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[1940] ole32.dll!CoCreateInstance 774D057E 5 Bytes JMP 4038D408 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[1940] ole32.dll!OleLoadFromStream 774F9C85 5 Bytes JMP 40483F78 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[1940] WININET.dll!InternetReadFile 3F9E654B 5 Bytes JMP 01082DE8
.text C:\Programmi\Internet Explorer\iexplore.exe[1940] WININET.dll!InternetCloseHandle 3F9E9088 5 Bytes JMP 01082E42
.text C:\Programmi\Internet Explorer\iexplore.exe[1940] WININET.dll!HttpOpenRequestA 3F9ED508 5 Bytes JMP 01082B35
.text C:\Programmi\Internet Explorer\iexplore.exe[1940] WININET.dll!InternetConnectA 3F9EDEAE 5 Bytes JMP 010828FB
.text C:\Programmi\Internet Explorer\iexplore.exe[1940] WININET.dll!HttpSendRequestW 3F9EFABE 5 Bytes JMP 01083742
.text C:\Programmi\Internet Explorer\iexplore.exe[1940] WININET.dll!HttpSendRequestA 3F9FEE81 5 Bytes JMP 01082CA1
.text C:\Programmi\Internet Explorer\iexplore.exe[1940] CRYPT32.dll!CertGetCertificateChain 77A62F67 5 Bytes JMP 0108331C
.text C:\Programmi\Internet Explorer\iexplore.exe[1940] CRYPT32.dll!CertVerifyCertificateChainPolicy 77A6B76F 5 Bytes JMP 01083325

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Programmi\Internet Explorer\iexplore.exe[1940] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Programmi\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \Driver\Cdrom \Device\CdRom0 89D46428
Device \Driver\Cdrom \Device\CdRom1 89D46428
Device \Driver\iaStor \Device\Ide\iaStor0 8951ABD0
Device \Driver\atapi \Device\Ide\IdePort0 89D468D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 89D468D8
Device \Driver\atapi \Device\Ide\IdePort1 89D468D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c 89D468D8
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 8951ABD0
Device \Driver\sojuscsi \Device\Scsi\sojuscsi1Port3Path0Target0Lun0 89D09F00
Device \Driver\sojuscsi \Device\Scsi\sojuscsi1 89D09F00

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Modules - GMER 1.0.15 ----

Module _________ F747B000-F7493000 (98304 bytes)

---- EOF - GMER 1.0.15 ----
Then I launched Prevx, which immediately scans for rootkits before scanning the file system; it finds nothing in the boot sector, so I cancelled the rest of the scan. With Norman_Sinowal_cleaner the result is slightly different; this is the initial log:
Code:
Norman SinowalMBR Cleaner
Copyright © 1990 - 2008, Norman ASA. Built 2008/05/13 16:21:18
Norman Scanner Engine Version: 5.92.04
Nvcbin.def Version: 5.92.00, Date: 2008/05/13 16:21:18, Variants: 0

Running pre-scan cleanup routine:
Operating System: Microsoft Windows XP Professional 5.1.2600(Safe mode with network) Service Pack 3
Logged on user: POMPOCOMPUTER\Pompolus

Scan started: 01/10/2009 23:50:09

Scanning bootsectors...
Unable to scan for SinowalMBR hooks

Number of sectors found: 0
Number of sectors scanned: 0
Number of sectors not scanned: 0
Number of infections found: 0
Number of infections removed: 0
Total scanning time: 0s 16ms
Anyway, I also tried MBR.exe and got this result:
Code:
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x89d468d8
\Driver\iaStor -> 0x8951abd0
NDIS: Realtek RTL8168C(P)/8111C(P) PCI-E Gigabit Ethernet NIC -> SendCompleteHandler -> 0x89556df0
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !
Needless to say, the PC has slowed down and every now and then I get the big blue screen of death! What should I do?
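As an added example (not from the post, and not GMER's own code): a small Python triage helper for GMER "User code sections" lines like the ones above. It separates hooks whose JMP target is attributed to a named module in the log (here IEFRAME.dll) from hooks that jump into unattributed memory, and checks whether each process's unattributed targets cluster in a single 64 KB region. The sample lines are copied from the log above; the regex is my assumption about GMER's line format.

```python
import re
from collections import defaultdict

# Constructed sample: five hook lines taken from the GMER log in the post above
# (a subset, not the complete log).
SAMPLE_LOG = """\
.text C:\\WINDOWS\\Explorer.EXE[912] ADVAPI32.dll!CryptEncrypt 77F5E360 7 Bytes JMP 00BE2854
.text C:\\WINDOWS\\Explorer.EXE[912] WS2_32.dll!send 71A34C27 5 Bytes JMP 00BE26C5
.text C:\\Programmi\\Internet Explorer\\iexplore.exe[1412] USER32.dll!DialogBoxParamW 7E3A47AB 5 Bytes JMP 402B51FD C:\\WINDOWS\\system32\\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\\Programmi\\Internet Explorer\\iexplore.exe[1412] WININET.dll!HttpSendRequestA 3F9FEE81 5 Bytes JMP 01072CA1
.text C:\\Programmi\\Internet Explorer\\iexplore.exe[1412] CRYPT32.dll!CertVerifyCertificateChainPolicy 77A6B76F 5 Bytes JMP 01073325
"""

# Assumed GMER hook-line layout: ".text <process>[<pid>] <dll>!<func> <addr> <n> Bytes JMP <target> [<module> (<vendor>)]"
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<dll>[^!\s]+)!(?P<func>\S+)\s+(?P<addr>[0-9A-F]+)\s+"
    r"(?P<n>\d+) Bytes JMP (?P<target>[0-9A-F]+)"
    r"(?:\s+(?P<module>.+?\.dll)\s+\((?P<vendor>[^)]*)\))?$"
)


def parse_hooks(log_text):
    """Return one dict per parsed hook line; 'module' is None when GMER printed no attribution."""
    hooks = []
    for line in log_text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            hooks.append(m.groupdict())
    return hooks


def unattributed_hooks(hooks):
    """Per (process, pid): the hooked APIs whose JMP target carries no module name."""
    by_proc = defaultdict(list)
    for h in hooks:
        if h["module"] is None:
            by_proc[(h["proc"], h["pid"])].append((h["dll"] + "!" + h["func"], h["target"]))
    return dict(by_proc)


def target_regions(hooks):
    """Per (process, pid): distinct 64 KB regions (top 16 bits) the unattributed targets land in.
    A single region for many hooked APIs points at one injected code blob worth dumping."""
    regions = defaultdict(set)
    for h in hooks:
        if h["module"] is None:
            regions[(h["proc"], h["pid"])].add(h["target"][:4])
    return {k: sorted(v) for k, v in regions.items()}


if __name__ == "__main__":
    parsed = parse_hooks(SAMPLE_LOG)
    for proc, apis in unattributed_hooks(parsed).items():
        print(proc, "->", [a for a, _ in apis], "regions:", target_regions(parsed)[proc])
```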
#2 |
Moderator
Joined: Jun 2007
Location: 127.0.0.1
Posts: 25885
Use the dedicated thread http://www.hwupgrade.it/forum/showthread.php?t=1715546 and attach the logs for the first phase of the Guide.
Closing to avoid a duplicate.
__________________
Try again and you will be luckier.