Windows Warning Message (рабочий стол)
Аналогичная проблема, уже встречавшаяся в этом разделе, с вирусом, меняющим рабочий стол на картинку с текстом:
Warining! Spyware detected on your computer!
-Warning! Win32/Adware.Virtumonde
Detected on your computer
-Warning! Win32/PrivacyRemover.M64
Detected on your computer
+ подозрение на парочку-другую червяков и троянов...
гляньте, пожалуйста, логи прилагаются
Заранее спасибо!
скачайте IceSword; C:\WINDOWS\System32\drivers\Winan40.sys — force delete
выполните скрипт ...
Код:
// AVZ cleanup script (AVZ's Pascal-like scripting language), written by the
// helper for this one machine: every service name and file path below was
// taken from the poster's logs, so it is not a general-purpose script.
// Statement order matters: files are copied to quarantine before they are
// deleted, and the BC_* (Boot Cleaner) entries are only queued here — they
// take effect after BC_Activate and the reboot at the end.
begin
// Rootkit scan first; both flags true — presumably user-mode and kernel-mode
// scan, confirm against the AVZ reference for the version used.
SearchRootkit(true, true);
// Enable AVZGuard so other processes cannot interfere while the script runs.
SetAVZGuardStatus(True);
// Copy the suspect files to the AVZ quarantine (second argument: empty note)
// BEFORE they are deleted further down, so samples survive for analysis —
// these are what the helper asks to be sent after the run.
// Note the taskmgr.exe sitting in the user profile rather than in System32.
QuarantineFile('C:\Documents and Settings\nastya\Local Settings\Temp\uninst.exe','');
QuarantineFile('C:\Documents and Settings\nastya\Local Settings\Temporary Internet Files\Content.IE5\SZXZIY3T\Install[1].exe','');
QuarantineFile('C:\WINDOWS\system32\winivstr.exe','');
QuarantineFile('C:\WINDOWS\system32\amvo1.dll','');
QuarantineFile('C:\WINDOWS\system32\karina.dat','');
QuarantineFile('C:\WINDOWS\system32\buritos.exe','');
QuarantineFile('C:\WINDOWS\system32\amvo.exe','');
QuarantineFile('C:\DOCUME~1\nastya\taskmgr.exe','');
// Queue the rogue services for deletion by Boot Cleaner. Most names look like
// concatenations of legitimate Windows service names (e.g. Dnscache + winmgmt
// + WZCSVC), which is how the infection disguises its own entries. BC_DeleteSvc
// is given the exact name, so the real services whose names are embedded in
// these strings should be untouched — TODO confirm against the AVZ reference.
// 'Winkq12' pairs with the Winkq12.sys driver deleted further down.
BC_DeleteSvc('Winkq12');
BC_DeleteSvc('WmiApSrvDnscachewinmgmtWZCSVC');
BC_DeleteSvc('WmdmPmSNDnscache');
BC_DeleteSvc('winmgmtWZCSVC');
BC_DeleteSvc('winmgmtThemesRpcLocatorSCardSvrWebClient');
BC_DeleteSvc('W32TimeShellHWDetectionoseATIRasManSharedAccessERSvc');
BC_DeleteSvc('W32TimeShellHWDetectionose');
BC_DeleteSvc('W32TimeShellHWDetection');
BC_DeleteSvc('VSSiPodService');
BC_DeleteSvc('VSSALGPolicyAgenthelpsvcShellHWDetectionNetmanRDSessMgrCOMSysAppSysmonLog');
BC_DeleteSvc('VSSALGPolicyAgenthelpsvcShellHWDetectionNetman');
BC_DeleteSvc('ThemesRpcLocatorSCardSvrWebClient');
BC_DeleteSvc('ThemesRpcLocatorSCardSvr');
BC_DeleteSvc('TermServicewuauserv');
BC_DeleteSvc('TermServicestisvc');
BC_DeleteSvc('TermServiceAutodeskSysmonLog');
BC_DeleteSvc('TapiSrvSwPrvHidServSSDPSRV');
BC_DeleteSvc('TapiSrvSwPrv');
BC_DeleteSvc('TapiSrvClipSrv');
BC_DeleteSvc('SysmonLogRpcLocatorDcomLaunchAppMgmt');
BC_DeleteSvc('SysmonLogNtLmSsplanmanworkstation');
BC_DeleteSvc('SysmonLogNtLmSsp');
BC_DeleteSvc('SysmonLogEventlogSSDPSRV');
BC_DeleteSvc('SysmonLogAppMgmt');
BC_DeleteSvc('SwPrvRpcLocatorDcomLaunchAppMgmt');
BC_DeleteSvc('stisvcDnscacheCiSvc');
BC_DeleteSvc('SSDPSRVSENSRasAutoRpcSs');
BC_DeleteSvc('srserviceIDriverT');
BC_DeleteSvc('srserviceClipSrv');
BC_DeleteSvc('ShellHWDetectionNetmanRpcLocator');
BC_DeleteSvc('ShellHWDetectionNetman');
BC_DeleteSvc('SharedAccessose');
BC_DeleteSvc('SharedAccessIDriverT');
BC_DeleteSvc('SENSRasAutoRpcSs');
BC_DeleteSvc('SENSIDriverTSCardSvr');
BC_DeleteSvc('ScheduleImapiServiceIDriverTSCardSvrNetmanNetDDEIDriverTRSVPPolicyAgenthelpsvcHidServSSDPSRV');
BC_DeleteSvc('ScheduleImapiServiceIDriverTSCardSvrNetmanNetDDEIDriverTRSVPPolicyAgenthelpsvc');
BC_DeleteSvc('ScheduleImapiService');
BC_DeleteSvc('ScheduleEventSystemSCardSvrTermService');
// The only entry with spaces in its name; copied from the logs like the rest.
BC_DeleteSvc('Schedule Licensing Service');
BC_DeleteSvc('SCardSvrAppMgmtAudioSrv');
BC_DeleteSvc('SamSsW32Time');
BC_DeleteSvc('RSVPPolicyAgenthelpsvc');
BC_DeleteSvc('RpcLocatorSCardSvr');
BC_DeleteSvc('RpcLocatorEventlog');
BC_DeleteSvc('RpcLocatorDcomLaunchAppMgmt');
BC_DeleteSvc('RemoteAccessIDriverTSCardSvr');
BC_DeleteSvc('RDSessMgrSharedAccessose');
BC_DeleteSvc('RDSessMgrCOMSysAppSysmonLog');
BC_DeleteSvc('RDSessMgrCOMSysApp');
BC_DeleteSvc('RDSessMgrATIRpcLocatorDcomLaunchAppMgmt');
BC_DeleteSvc('RasManwscsvcThemesRpcLocatorSCardSvr');
BC_DeleteSvc('RasManNOD32krn');
BC_DeleteSvc('RasManNla');
BC_DeleteSvc('RasAutoRpcSs');
BC_DeleteSvc('ProtectedStorageTermServiceSwPrv');
BC_DeleteSvc('ProtectedStorageTermServiceRDSessMgrATIRpcLocatorDcomLaunchAppMgmt');
BC_DeleteSvc('ProtectedStorageTermServiceDnscachewinmgmtWZCSVC');
BC_DeleteSvc('ProtectedStorageTermService');
BC_DeleteSvc('ProtectedStorageRSVPPolicyAgenthelpsvc');
BC_DeleteSvc('ProtectedStorageRDSessMgrCOMSysAppRpcSslanmanserver');
BC_DeleteSvc('ProtectedStorageRDSessMgrCOMSysAppRpcSs');
BC_DeleteSvc('ProtectedStorageRDSessMgrCOMSysApp');
BC_DeleteSvc('PolicyAgentSysmonLogEventlogSSDPSRV');
BC_DeleteSvc('PolicyAgenthelpsvc');
BC_DeleteSvc('NtLmSspAudioSrvBITSDhcpstisvc');
BC_DeleteSvc('NtLmSspaspnet_statemnmsrvcDhcpRasAutoRpcSs');
BC_DeleteSvc('NtLmSspaspnet_statemnmsrvc');
BC_DeleteSvc('NOD32krnVSSiPodService');
BC_DeleteSvc('NetmanTrkWks');
BC_DeleteSvc('NetmanNetDDEIDriverTRSVPPolicyAgenthelpsvc');
BC_DeleteSvc('NetmanNetDDEIDriverT');
BC_DeleteSvc('NetmanCryptSvcRasAuto');
BC_DeleteSvc('NetmanCryptSvciPodService');
BC_DeleteSvc('NetmanCryptSvchelpsvc');
BC_DeleteSvc('NetmanCryptSvc');
BC_DeleteSvc('MSIServerose');
BC_DeleteSvc('MSDTCNetDDENla');
BC_DeleteSvc('MSDTCNetDDEaspnet_statemnmsrvc');
BC_DeleteSvc('MSDTCNetDDE');
BC_DeleteSvc('MSDTCLmHosts');
BC_DeleteSvc('Messengerclr_optimization_v2.0.50727_32UPS');
BC_DeleteSvc('Messengerclr_optimization_v2.0.50727_32');
BC_DeleteSvc('LmHostsProtectedStorageRDSessMgrCOMSysApp');
BC_DeleteSvc('ImapiServiceNetDDE');
BC_DeleteSvc('IDriverTSCardSvrNetmanNetDDEIDriverTRSVPPolicyAgenthelpsvc');
BC_DeleteSvc('IDriverTSCardSvr');
BC_DeleteSvc('HTTPFilterERSvc');
BC_DeleteSvc('HidServSSDPSRV');
BC_DeleteSvc('HidServProtectedStorageRDSessMgrCOMSysAppRpcSs');
BC_DeleteSvc('EventSystemSSDPSRV');
BC_DeleteSvc('EventSystemSCardSvrTermService');
BC_DeleteSvc('EventSystemSCardSvrBrowserPlugPlayBrowser');
BC_DeleteSvc('EventSystemSCardSvrBrowserPlugPlay');
BC_DeleteSvc('EventSystemSCardSvrATIRasManMSIServerose');
BC_DeleteSvc('EventSystemSCardSvrATIRasMan');
BC_DeleteSvc('EventSystemSCardSvr');
BC_DeleteSvc('EventlogSwPrv');
BC_DeleteSvc('EventlogSSDPSRV');
BC_DeleteSvc('ERSvcATIRpcLocatorDcomLaunchAppMgmt');
BC_DeleteSvc('EPSONStatusAgent2VSSALGPolicyAgenthelpsvcShellHWDetectionNetman');
BC_DeleteSvc('DnscachewinmgmtWZCSVCATIRasManSharedAccessERSvc');
BC_DeleteSvc('DnscachewinmgmtWZCSVC');
BC_DeleteSvc('DnscacheTapiSrvClipSrv');
BC_DeleteSvc('DnscacheSpoolerNetmanTrkWks');
BC_DeleteSvc('DnscacheSpooler');
BC_DeleteSvc('DnscacheCiSvc');
BC_DeleteSvc('DhcpstisvcTapiSrvClipSrv');
BC_DeleteSvc('Dhcpstisvc');
BC_DeleteSvc('DhcpRasAutoRpcSs');
BC_DeleteSvc('DhcpMessengerTapiSrv');
BC_DeleteSvc('DhcpMessenger');
BC_DeleteSvc('DcomLaunchSENSIDriverTSCardSvr');
BC_DeleteSvc('DcomLaunchAudioSrv');
BC_DeleteSvc('DcomLaunchAppMgmt');
BC_DeleteSvc('CryptSvcSysmonLogAppMgmt');
BC_DeleteSvc('clr_optimization_v2.0.50727_32IDriverTSCardSvrDhcpRasAutoRpcSs');
BC_DeleteSvc('clr_optimization_v2.0.50727_32IDriverTSCardSvr');
BC_DeleteSvc('clr_optimization_v2.0.50727_32ClipSrv');
BC_DeleteSvc('CiSvcShellHWDetection');
BC_DeleteSvc('BrowserPlugPlay');
BC_DeleteSvc('BrowserNetmanCryptSvcDcomLaunchAppMgmt');
BC_DeleteSvc('BrowserNetmanCryptSvc');
BC_DeleteSvc('ATIRasManSharedAccess');
BC_DeleteSvc('ATIRasManSharedAccessDhcpMessenger');
BC_DeleteSvc('ATIRasManSharedAccessDhcpMessengerTermServicewuauserv');
BC_DeleteSvc('ATIRasManSharedAccessERSvc');
BC_DeleteSvc('ATIRasManSharedAccessERSvcAlerter');
BC_DeleteSvc('ATIRpcLocatorDcomLaunchAppMgmt');
BC_DeleteSvc('AudioSrvBITS');
BC_DeleteSvc('ATIRasMan');
BC_DeleteSvc('ATINetmanaspnet_statemnmsrvc');
BC_DeleteSvc('ATINetman');
BC_DeleteSvc('ALGPolicyAgenthelpsvc');
BC_DeleteSvc('ALGPolicyAgenthelpsvcEventlogSSDPSRV');
BC_DeleteSvc('ALGPolicyAgenthelpsvcEventlogSSDPSRVMessengerclr_optimization_v2.0.50727_32');
BC_DeleteSvc('ALGPolicyAgenthelpsvcShellHWDetectionNetman');
BC_DeleteSvc('AppMgmtAudioSrv');
BC_DeleteSvc('AppMgmtWZCSVC');
BC_DeleteSvc('aspnet_statemnmsrvc');
BC_DeleteSvc('aspnet_statemnmsrvcVSSiPodService');
BC_DeleteSvc('aspnet_stateRDSessMgrCOMSysApp');
// Two more samples: Winan40.sys is the driver the helper names in the text
// above (to be force-deleted with IceSword if AVZ cannot remove it), and the
// WinCtrl32.dll the post-cleanup summary later identifies as a downloader.
QuarantineFile('C:\WINDOWS\System32\drivers\Winan40.sys','');
QuarantineFile('C:\WINDOWS\system32\WinCtrl32.dll','');
// Delete the files quarantined above. Winkq12.sys and blphc311j0ee1e.scr
// (a .scr in System32, consistent with the desktop hijack) are deleted without
// a quarantine copy, so no sample of those two is kept.
DeleteFile('C:\WINDOWS\system32\WinCtrl32.dll');
DeleteFile('C:\WINDOWS\System32\drivers\Winan40.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Winkq12.sys');
DeleteFile('C:\WINDOWS\system32\amvo.exe');
DeleteFile('C:\WINDOWS\system32\blphc311j0ee1e.scr');
DeleteFile('C:\WINDOWS\system32\buritos.exe');
DeleteFile('C:\WINDOWS\system32\karina.dat');
// Bare file name with no directory, unlike the full-path delete of the same
// DLL a few lines up. Presumably a duplicate of that line — TODO confirm
// which directory AVZ resolves a relative DeleteFile against.
DeleteFile('WinCtrl32.dll');
DeleteFile('C:\WINDOWS\system32\amvo1.dll');
DeleteFile('C:\WINDOWS\system32\winivstr.exe');
DeleteFile('C:\Documents and Settings\nastya\Local Settings\Temporary Internet Files\Content.IE5\SZXZIY3T\Install[1].exe');
DeleteFile('C:\Documents and Settings\nastya\Local Settings\Temp\uninst.exe');
// Hand the DeleteFile list to Boot Cleaner so anything still locked at this
// point is removed during the reboot.
BC_ImportDeletedList;
// AVZ's built-in system cleanup.
ExecuteSysClean;
// Numbered entries from AVZ's repair list; per that list 5 = desktop settings
// (the hijacked wallpaper), 6 = current-user policies/restrictions,
// 8 = Explorer settings — verify against the AVZ version used.
ExecuteRepair(5);
ExecuteRepair(6);
ExecuteRepair(8);
// Arm Boot Cleaner and reboot so the queued service and file deletions run.
BC_Activate;
RebootWindows(true);
end.
пришлите карантин согласно приложению 3 правил
повторите логи
Сообщение от
V_Bond
скачайте IceSword; C:\WINDOWS\System32\drivers\Winan40.sys — force delete
скачал, но при попытке открыть архив выдаёт ошибку - "отказано в доступе к указанному устройству, пути или файлу..."
с помощью проводника распаковал архив с IceSword122en и вложенный архив Cooperator.zip, но не найти там exe-шника, чтобы запустить (или он не нужен?..)
без айсСорда выполнять скрипт в AVZ?
без IceSword лечение неэффективно ...
может быть, можно скачать его с другого ресурса?
Сообщение от
V_Bond
скачайте IceSword; C:\WINDOWS\System32\drivers\Winan40.sys — force delete
выполните скрипт ...
пришлите карантин согласно приложению 3 правил
повторите логи
бывают к ночи переклины... включённый авз-гвард блочил запуск ))
всё выполнено, все симптомы сняты, работает отлично, огромное Спасибо!!
вот логи
выполните скрипт ...
Код:
// Second-pass AVZ script, issued after the first script and fresh logs:
// a handful of rogue services that survived (or appeared in) the first round,
// plus two leftover files. No ExecuteRepair calls this time — the desktop
// symptom was already reported fixed. Same ordering rule as before: the BC_*
// entries are queued here and only applied by Boot Cleaner after the reboot.
begin
// Rootkit scan; both flags true — presumably user-mode and kernel-mode scan,
// confirm against the AVZ reference for the version used.
SearchRootkit(true, true);
// Enable AVZGuard so other processes cannot interfere while the script runs.
SetAVZGuardStatus(True);
// Rogue services still present per the new logs; names look like
// concatenations of legitimate service names, same pattern as the first
// script. BC_DeleteSvc is given the exact name — TODO confirm that the real
// services embedded in these strings are not affected.
BC_DeleteSvc('VSSSchedule');
BC_DeleteSvc('upnphostUPS');
BC_DeleteSvc('RpcLocatorSwPrv');
BC_DeleteSvc('RasManwscsvc');
BC_DeleteSvc('RasManMSDTC');
BC_DeleteSvc('ProtectedStorageRDSessMgrCOMSysAppVSSALGPolicyAgenthelpsvcShellHWDetectionNetmanRDSessMgrCOMSysAppSysmonLog');
BC_DeleteSvc('NtLmSspAudioSrvBITS');
BC_DeleteSvc('NetDDEIDriverT');
BC_DeleteSvc('Messengerclr_optimization_v2.0.50727_32UPSDcomLaunch');
BC_DeleteSvc('CryptSvcTrkWks');
BC_DeleteSvc('AutodeskSysmonLog');
// Bare file name with no directory (the first script used the full path
// C:\WINDOWS\system32\karina.dat) — TODO confirm which directory AVZ resolves
// a relative DeleteFile against. Neither file here is quarantined first.
DeleteFile('karina.dat');
DeleteFile('C:\WINDOWS\system32\_scui.cpl');
// Hand the DeleteFile list to Boot Cleaner for removal during the reboot.
BC_ImportDeletedList;
// AVZ's built-in system cleanup.
ExecuteSysClean;
// Arm Boot Cleaner and reboot so the queued deletions run.
BC_Activate;
RebootWindows(true);
end.
повторите логи ...
Итог лечения
Статистика проведенного лечения:
Получено карантинов: 1
Обработано файлов: 4
В ходе лечения обнаружены вредоносные программы:
c:\windows\system32\amvo1.dll - Trojan-GameThief.Win32.OnLineGames.nsd (DrWEB: Trojan.PWS.Wsgame.2387)
c:\windows\system32\buritos.exe - Hoax.Win32.Bravia.ir (DrWEB: Trojan.Packed.612)
c:\windows\system32\karina.dat - Backdoor.Win32.Small.eug (DrWEB: Trojan.Proxy.1739)
c:\windows\system32\winctrl32.dll - Trojan-Downloader.Win32.Mutant.bgz (DrWEB: BackDoor.Bulknet.23