
Greetings!

 

A good tool for checking the integrity of the Master Boot Record, which may be infected by "bootkits".

|- Download: | MBRCheck | or | Here |

|- Save it to the desktop!

|- PS: On Windows Vista or 7, right-click MBRCheck.exe and choose to run it as administrator.

 


 

|- Next, the command prompt will appear, asking for a specific action depending on what was detected.

|- In this example, with no problems found, the recommended action is to press the "Enter" key. ( Windows XP MBR code detected )

 


 

|- If the messages "Found non-standard", "infected MBR." or "MBR Code Faked" appear, it is because the MBR is compromised.

 


 

|- Example of a report indicating infection by "TDL4", which can create and hide small sectors on the physical drives.

|- PS: It should be clarified that not all variants of "TDL4" create this hidden sector.

|- In cases where the MBR is infected, press the "N" key to exit.

|- Post your report, which will be on the desktop. ( MBRCheck, version 1.2.3 © 2010, AD )

 

///°°°///

Size Device Name MBR Status

--------------------------------------------

74 GB \\.\PhysicalDrive0 Known-bad MBR code detected! (Whistler / Black Internet)

SHA1: BB7AACF2A31824D3C6856A25F0F359BCB2133824

 

Found non-standard or infected MBR.

Enter 'Y' and hit ENTER for more options, or 'N' to exit:

 

Done!

///°°°///

 

|- The Whistler bootkit is also detected by MBRCheck.

 

///°°°///

Size Device Name MBR Status

--------------------------------------------

465 GB \\.\PhysicalDrive0 MBR Code Faked!

SHA1: 4379A3D43019B46FA357F7DD6A53B45A3CA8FB79

 

Found non-standard or infected MBR.

Enter 'Y' and hit ENTER for more options, or 'N' to exit:

 

Options:

 

[1] Dump the MBR of a physical disk to file.

[2] Restore the MBR of a physical disk with a standard boot code.

[3] Exit.

 

Enter your choice:

 

Done!

///°°°///

 

|- I decided to include here the tool's standard recommendation for when the MBR is infected.

|- But... I recommend that users do not use these options without proper supervision.

 

///°°°///

[MBR] 332388ce8fe51b8a6a1f4dc5140c7661

[bSP] caf4a0199f16106bbd1f3f078014fbec : Windows 7 MBR Code

Partition table:

0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 1505 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 3084480 | Size: 126080 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 261297225 | Size: 349350 Mo

3 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 976768065 | Size: 2 Mo

 

Termine : << RKreport[1].txt >>

///°°°///

 

|- PS: A scan with "RogueKiller" can also report problems in this sector.

 

#########

 

¤¤¤ Driver: [LOADED] ¤¤¤

SSDT[25] : NtClose @ 0x805BC530 -> HOOKED (Unknown @ 0xBA7D248C)

SSDT[41] : NtCreateKey @ 0x806240F0 -> HOOKED (Unknown @ 0xBA7D2446)

SSDT[50] : NtCreateSection @ 0x805AB3C8 -> HOOKED (Unknown @ 0xBA7D2496)

SSDT[53] : NtCreateThread @ 0x805D1018 -> HOOKED (Unknown @ 0xBA7D243C)

SSDT[63] : NtDeleteKey @ 0x8062458C -> HOOKED (Unknown @ 0xBA7D244B)

SSDT[65] : NtDeleteValueKey @ 0x8062475C -> HOOKED (Unknown @ 0xBA7D2455)

SSDT[68] : NtDuplicateObject @ 0x805BE008 -> HOOKED (Unknown @ 0xBA7D2487)

SSDT[98] : NtLoadKey @ 0x80626314 -> HOOKED (Unknown @ 0xBA7D245A)

SSDT[122] : NtOpenProcess @ 0x805CB440 -> HOOKED (Unknown @ 0xBA7D2428)

SSDT[128] : NtOpenThread @ 0x805CB6CC -> HOOKED (Unknown @ 0xBA7D242D)

SSDT[193] : NtReplaceKey @ 0x806261C4 -> HOOKED (Unknown @ 0xBA7D2464)

SSDT[204] : NtRestoreKey @ 0x80625AD0 -> HOOKED (Unknown @ 0xBA7D245F)

SSDT[213] : NtSetContextThread @ 0x805D173A -> HOOKED (Unknown @ 0xBA7D249B)

SSDT[247] : NtSetValueKey @ 0x80622662 -> HOOKED (Unknown @ 0xBA7D2450)

SSDT[257] : NtTerminateProcess @ 0x805D29E2 -> HOOKED (Unknown @ 0xBA7D2437)

S_SSDT[549] : Unknown -> HOOKED (Unknown @ 0xBA7D24A0)

S_SSDT[552] : Unknown -> HOOKED (Unknown @ 0xBA7D24A5)

 

##########

 

|- Currently, these detections under "Driver" point to rootkit infections.

|- Probably "_max++", which can infect the MBR and compromise the system.

 

That's all!

DigRam
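The two checks the post walks through, hashing the MBR boot code the way MBRCheck reports it and spotting the hidden 2 MB active partition that RogueKiller flagged for TDL4, in one script. This is an added example, not code from MBRCheck, RogueKiller or the poster; it assumes the hash covers the 440-byte boot-code area, and the sample sector it builds is constructed to reproduce the partition layout in the RogueKiller report above. The function names are chosen for this example.

```python
import hashlib
import struct

SECTOR = 512
HIDDEN_NTFS = {0x17}  # 0x17 = hidden NTFS, the type RogueKiller flagged above
# Sample trusted entry, the XP hash posted in the thread (assumption: it covers
# the 440-byte code area); a real check would load a full signature list.
KNOWN_GOOD = {"2C6D77F4F50AA9DE10FCE2024558166E9012FC6F": "Windows XP MBR code"}

def parse_mbr(sector):
    """Return (SHA1 of the boot code, list of the non-empty partition entries)."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xAA":
        raise ValueError("not an MBR: bad length or missing 55AA signature")
    code_sha1 = hashlib.sha1(sector[:440]).hexdigest().upper()
    parts = []
    for i in range(4):
        entry = sector[446 + 16 * i:462 + 16 * i]
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba, count = struct.unpack("<B3xB3xII", entry)
        if ptype:
            parts.append({"index": i, "active": status == 0x80, "type": ptype,
                          "offset": lba, "sectors": count,
                          "size_mb": count * SECTOR // (1024 * 1024)})
    return code_sha1, parts

def mbr_status(code_sha1):
    """Same verdict MBRCheck prints: a known code, or the non-standard warning."""
    return KNOWN_GOOD.get(code_sha1, "Found non-standard or infected MBR.")

def suspicious_partitions(parts, disk_sectors, max_mb=16, tail_mb=64):
    """Indices of hidden, active, tiny partitions at the end of the disk: the
    TDL4 pattern in the RogueKiller report ([ACTIVE] 0x17 [HIDDEN!] 2 Mo)."""
    flagged = []
    for p in parts:
        near_end = p["offset"] + p["sectors"] >= disk_sectors - tail_mb * 2048
        if p["type"] in HIDDEN_NTFS and p["active"] and p["size_mb"] <= max_mb and near_end:
            flagged.append(p["index"])
    return flagged

def build_sample_mbr():
    """Constructed 512-byte sector reproducing the partition layout reported above."""
    code = b"\xEB\x3C\x90" + b"\x90" * 437          # constructed boot code (440 bytes)
    disk_sig = b"\x12\x34\x56\x78\x00\x00"           # disk signature + 2 reserved bytes
    layout = [(0x00, 0x07, 2048, 1505 * 2048),       # 1505 MB
              (0x00, 0x07, 3084480, 126080 * 2048),  # 126080 MB
              (0x00, 0x07, 261297225, 349350 * 2048),
              (0x80, 0x17, 976768065, 2 * 2048)]     # hidden, active, 2 MB at disk end
    table = b"".join(struct.pack("<B3xB3xII", *e) for e in layout)
    return code + disk_sig + table + b"\x55\xAA"
```

On a real system the 512 bytes would be read from `\\.\PhysicalDrive0` with administrator rights and the disk sector count taken from the drive geometry; a constructed boot code will never match the trusted list, so the sample reports the non-standard warning.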


Nice tutorial!

 

Does this log indicate any problem?

 

 

 

MBRCheck, version 1.2.3

© 2010, AD

 

Command-line:

Windows Version: Windows XP Professional

Windows Information: Service Pack 3 (build 2600)

Logical Drives Mask: 0x0284800c

 

Kernel Drivers (total 127):


 

Processes (total 46):

0 System Idle Process

4 System

1468 C:\WINDOWS\system32\smss.exe

1564 C:\WINDOWS\system32\csrss.exe

1588 C:\WINDOWS\system32\winlogon.exe

1632 C:\WINDOWS\system32\services.exe

1644 C:\WINDOWS\system32\lsass.exe

1860 C:\ARQUIV~1\GbPlugin\gbpsv.exe

1924 C:\WINDOWS\system32\svchost.exe

2020 C:\WINDOWS\system32\svchost.exe

1252 C:\WINDOWS\system32\svchost.exe

1360 C:\WINDOWS\system32\svchost.exe

1968 C:\WINDOWS\system32\svchost.exe

388 C:\Arquivos de programas\Alwil Software\Avast5\AvastSvc.exe

1208 C:\WINDOWS\system32\spoolsv.exe

1460 C:\Arquivos de programas\Arquivos comuns\Acronis\Schedule2\schedul2.exe

1496 C:\Arquivos de programas\Arquivos comuns\Acronis\CDP\afcdpsrv.exe

1508 C:\ARQUIV~1\ESRI\License\arcgis9x\lmgrd.exe

1784 C:\Arquivos de programas\Diskeeper Corporation\Diskeeper\DkService.exe

228 C:\ARQUIV~1\ESRI\License\arcgis9x\ARCGIS.EXE

420 C:\Arquivos de programas\Nero\Nero8\Nero BackItUp\NBService.exe

996 C:\Arquivos de programas\Arquivos comuns\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe

1868 C:\WINDOWS\system32\svchost.exe

952 C:\WINDOWS\system32\wdfmgr.exe

3392 C:\WINDOWS\explorer.exe

1288 C:\WINDOWS\system32\alg.exe

4080 C:\WINDOWS\RTHDCPL.EXE

4092 C:\WINDOWS\system32\igfxtray.exe

1952 C:\WINDOWS\system32\hkcmd.exe

328 C:\WINDOWS\system32\igfxpers.exe

1980 C:\ARQUIV~1\ALWILS~1\Avast5\AvastUI.exe

1024 C:\WINDOWS\system32\igfxsrvc.exe

2632 C:\Arquivos de programas\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

3028 C:\Arquivos de programas\Acronis\TrueImageHome\TrueImageMonitor.exe

912 C:\Arquivos de programas\Arquivos comuns\Acronis\Schedule2\schedhlp.exe

2912 C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe

2680 C:\Arquivos de programas\TAY\TAY.exe

2724 C:\WINDOWS\system32\ctfmon.exe

1312 C:\Arquivos de programas\Arquivos comuns\Nero\Lib\NMIndexStoreSvr.exe

1908 C:\Arquivos de programas\Arquivos comuns\Nero\Lib\NMIndexingService.exe

2344 C:\ARQUIV~1\ARQUIV~1\INSTAL~1\UPDATE~1\ISUSPM.exe

3268 C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\agent.exe

2620 C:\Arquivos de programas\Mozilla Firefox\firefox.exe

5908 C:\Arquivos de programas\Mozilla Firefox\plugin-container.exe

5036 C:\Sigap\Funpec.exe

1044 C:\Documents and Settings\f003589\Meus documentos\Downloads\MBRCheck.exe

 

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

 

PhysicalDrive0 Model Number: MAXTORSTM3250820AS, Rev: 3.AAE

 

Size Device Name MBR Status

--------------------------------------------

232 GB \\.\PhysicalDrive0 Windows XP MBR code detected

SHA1: 2C6D77F4F50AA9DE10FCE2024558166E9012FC6F

 

 

Done!


Good afternoon! Edvan

 

Size Device Name MBR Status

--------------------------------------------

232 GB \\.\PhysicalDrive0 Windows XP MBR code detected

SHA1: 2C6D77F4F50AA9DE10FCE2024558166E9012FC6F

|- Since at the end of the report we have the condition: "Windows XP MBR code detected"

|- Therefore, there are no problems with the "Master Boot Record".

|- In other words... your machine shows no infection by 'bootkits'.

---------

---------

|- By the way!

 

2680 C:\Arquivos de programas\TAY\TAY.exe

|- Do you recognise the highlighted process?

 

/////////

Object: Hidden Module [Name: UACoprmhixhcd.dll]

Process: LVCOMS.EXE (PID: 2680) Address: 0x089f0000 Size: 49152

 

Object: Hidden Module [Name: SKYNETultfqhrq.dll]

Process: LVCOMS.EXE (PID: 2680) Address: 0x10000000 Size: 32768

-----

-----

2680 C:\Arquivos de programas\TAY\TAY.exe

/////////

 

|- Interesting! It has the same identification as LVCOMS.EXE.

|- I believe that, in order not to be identified by protection programs, it adopted this PID. (2680)

 

Regards!
