HB inject

[Bib]

Троян завелся.
в процессах висит system.exe, при перезагрузке вылезает заново, удалить этот файл из system32 не удается.
Куча dll'ек в system32, начинающиеся на HB*.dll

Победить не удается. Прошу помощи.

[V_Bond]

пофиксите

Код:

O20 - AppInit_DLLs: HBmhly.dll,HB1000Y.dll,HBWOOOL.dll,HBXY2.dll,HBJXSJ.dll,HBSO2.dll,HBFS2.dll,HBXY3.dll,HBSHQ.dll,HBFY.dll,HBWULIN2.dll,HBW2I.dll,HBKDXY.dll,HBWORLD2.dll,HBASKTAO.dll,HBZHUXIAN.dll,HBWOW.dll,HBZERO.dll,HBBO.dll,HBCONQUER.dll,HBSOUL.dll,HBCHIBI.dll,HBDNF.dll,HBWARLORDS.dll,HBTL.dll,HBPICKCHINA.dll,HBCT.dll,HBGC.dll,HBHM.dll,HBHX2.dll,HBQQHX.dll,HBTW2.dll,HBQQSG.dll,HBQQFFO.dll,HBZT.dll,HBMIR2.dll,HBRXJH.dll,HBYY.dll,HBMXD.dll,HBSQ.dll,HBTJ.dll,HBFHZL.dll,HBWLQX.dll,HBLYFX.dll,HBR2.dll,HBCHD.dll,HBTZ.dll,HBQQXX.dll,HBWD.dll,HBZG.dll,HBPPBL.dll,HBXMJ.dll,HBJTLQ.dll,HBQJSJ.dll

выполните скрипт

Код:

begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
 QuarantineFile('C:\RECYCLER\S-1-5-18\Dc5239.dll','');
 QuarantineFile('C:\ARKA3.tmp','');
 DelBHO('{97421D0D-E07F-40DF-8F07-99597B9585AD}');
 QuarantineFile('C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll','');
 QuarantineFile('C:\WINDOWS\system32\upnpsrv.dll','');
 QuarantineFile('C:\WINDOWS\system32\SYSTEM.EXE','');
 QuarantineFile('C:\WINDOWS\sysocmgr.dll','');
 DeleteService('nvmini');
 DeleteService('eth8023');
 QuarantineFile('C:\WINDOWS\system32\drivers\eth8023.sys','');
 DeleteService('cdralw');
 QuarantineFile('C:\WINDOWS\system32\DRIVERS\nvmini.sys','');
 DeleteService('aecff9');
 QuarantineFile('C:\WINDOWS\system32\aecff9.sys','');
 SetServiceStart('HBKernel32', 4);
 DeleteService('HBKernel32');
 QuarantineFile('C:\WINDOWS\system32\Drivers\HBKernel32.sys','');
 QuarantineFile('C:\WINDOWS\system32\HBZG.dll','');
 QuarantineFile('C:\WINDOWS\system32\HBQQFFO.dll','');
 QuarantineFile('C:\WINDOWS\system32\HBmhly.dll','');
 QuarantineFile('C:\WINDOWS\system32\HBBO.dll','');
 DeleteFile('C:\WINDOWS\system32\HBBO.dll');
 DeleteFile('C:\WINDOWS\system32\HBmhly.dll');
 DeleteFile('C:\WINDOWS\system32\HBQQFFO.dll');
 DeleteFile('C:\WINDOWS\system32\HBZG.dll');
 DeleteFile('C:\WINDOWS\system32\Drivers\HBKernel32.sys');
 DeleteFile('C:\WINDOWS\system32\aecff9.sys');
 DeleteFile('C:\WINDOWS\system32\DRIVERS\nvmini.sys');
 DeleteFile('C:\WINDOWS\system32\drivers\eth8023.sys');
 DeleteFile('C:\WINDOWS\sysocmgr.dll');
 DeleteFile('C:\WINDOWS\system32\HBCHIBI.dll');
 DeleteFile('C:\WINDOWS\system32\HBZHUXIAN.dll');
 DeleteFile('C:\WINDOWS\system32\SYSTEM.EXE');
 DeleteFile('C:\WINDOWS\system32\upnpsrv.dll');
 DeleteFile('C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll');
 DeleteFile('C:\ARKA3.tmp');
 DeleteFile('C:\RECYCLER\S-1-5-18\Dc5239.dll');
 DeleteFile('C:\RECYCLER\S-1-5-18\Dc5240.dll');
 DeleteFile('C:\RECYCLER\S-1-5-18\Dc5242.dll');
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.

пришлите карантин согласно приложения 3 правил
повторите логи

[Bib]

Карантин выслал.
Логи прикладываю.

[Гриша]

Скачать,,меню,File,появится аналог проводника,найти:

Код:

C:\WINDOWS\system32\Drivers\HBKernel32.sys

правая кнопка мыши Force Delete на запрос о перезагрузке ответьте положительно.

Пофиксить

Код:

O20 - AppInit_DLLs: HBmhly.dll,HB1000Y.dll,HBWOOOL.dll,HBXY2.dll,HBJXSJ.dll,HBSO2.dll,HBFS2.dll,HBXY3.dll,HBSHQ.dll,HBFY.dll,HBWULIN2.dll,HBW2I.dll,HBKDXY.dll,HBWORLD2.dll,HBASKTAO.dll,HBZHUXIAN.dll,HBWOW.dll,HBZERO.dll,HBBO.dll,HBCONQUER.dll,HBSOUL.dll,HBCHIBI.dll,HBDNF.dll,HBWARLORDS.dll,HBTL.dll,HBPICKCHINA.dll,HBCT.dll,HBGC.dll,HBHM.dll,HBHX2.dll,HBQQHX.dll,HBTW2.dll,HBQQSG.dll,HBQQFFO.dll,HBZT.dll,HBMIR2.dll,HBRXJH.dll,HBYY.dll,HBMXD.dll,HBSQ.dll,HBTJ.dll,HBFHZL.dll,HBWLQX.dll,HBLYFX.dll,HBR2.dll,HBCHD.dll,HBTZ.dll,HBQQXX.dll,HBWD.dll,HBZG.dll,HBPPBL.dll,HBXMJ.dll,HBJTLQ.dll,HBQJSJ.dll

AVZ, меню "Файл - Выполнить скрипт" -- Скопировать ниже написанный скрипт-- Нажать кнопку "Запустить".

Код:

begin
ClearQuarantine;    
SearchRootkit(true, true);
SetAVZGuardStatus(True);
 DeleteService('HBKernel32');
 DeleteFile('C:\WINDOWS\system32\Drivers\HBKernel32.sys');
 DeleteFile('HB1000Y.dll');
 DeleteFile('HBASKTAO.dll');
 DeleteFile('HBBO.dll');
 DeleteFile('HBCHD.dll');
 DeleteFile('HBCHIBI.dll');
 DeleteFile('HBCONQUER.dll');
 DeleteFile('HBCT.dll');
 DeleteFile('HBDNF.dll');
 DeleteFile('HBFHZL.dll');
 DeleteFile('HBFS2.dll');
 DeleteFile('HBFY.dll');
 DeleteFile('HBGC.dll');
 DeleteFile('HBHM.dll');
 DeleteFile('HBJTLQ.dll');
 DeleteFile('HBJXSJ.dll');
 DeleteFile('HBKDXY.dll');
 DeleteFile('HBLYFX.dll');
 DeleteFile('HBMIR2.dll');
 DeleteFile('HBMXD.dll');
 DeleteFile('HBPPBL.dll');
 DeleteFile('HBQJSJ.dll');
 DeleteFile('HBQQFFO.dll');
 DeleteFile('HBQQHX.dll');
 DeleteFile('HBQQSG.dll');
 DeleteFile('HBQQXX.dll');
 DeleteFile('HBRXJH.dll');
 DeleteFile('HBSHQ.dll');
 DeleteFile('HBSO2.dll');
 DeleteFile('HBSOUL.dll');
 DeleteFile('HBTJ.dll');
 DeleteFile('HBSQ.dll');
 DeleteFile('HBTL.dll');
 DeleteFile('HBTW2.dll');
 DeleteFile('HBTZ.dll');
 DeleteFile('HBW2I.dll');
 DeleteFile('HBWARLORDS.dll');
 DeleteFile('HBWD.dll');
 DeleteFile('HBWLQX.dll');
 DeleteFile('HBWOOOL.dll');
 DeleteFile('HBWORLD2.dll');
 DeleteFile('HBWOW.dll');
 DeleteFile('HBWULIN2.dll');
 DeleteFile('HBXMJ.dll');
 DeleteFile('HBXY2.dll');
 DeleteFile('HBXY3.dll');
 DeleteFile('HBYY.dll');
 DeleteFile('HBZERO.dll');
 DeleteFile('HBZG.dll');
 DeleteFile('HBZHUXIAN.dll');
 DeleteFile('HBZT.dll');
 DeleteFile('HBmhly.dll');
 DeleteFile('SYSTEM.EXE');
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.

Повторите логи...