И снова z-connect

**aHTucllaM** · 01.06.2009, 22:21

Тема уже не новая, но я так понял решение индивидуально для каждого. Прошу помочь.

Надоело быть жертвой? Стань профи по информационной безопасности, получай самую свежую информацию об угрозах и средствах защиты от ведущего российского аналитического центра Anti-Malware.ru:

**V_Bond** · 01.06.2009, 22:37

выполните скрипт

Код:

begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
 DelBHO('{D88E1558-7C2D-407A-953A-C044F5607CEA}');
 DelBHO('{B200799F-9538-403d-9A6E-36F5942EC540}');
 DelBHO('{92860A02-4D69-48c1-82D7-EF6B2C609502}');
 DelBHO('{6D7B211A-88EA-490c-BAB9-3600D8D7C503}');
 DelBHO('{6C517674-DE1C-4493-977C-34A1BFAB35BA}');
 DeleteService('Winyx34');
 DeleteService('Winys56');
 DeleteService('Winys08');
 DeleteService('Winyb34');
 DeleteService('Winxw12');
 DeleteService('Winwv67');
 DeleteService('Winwq67');
 DeleteService('Winwn80');
 DeleteService('Winwf78');
 DeleteService('Winvx80');
 DeleteService('Winvj12');
 DeleteService('Winvb45');
 DeleteService('Winuw36');
 DeleteService('Wintn12');
 DeleteService('Winsp67');
 DeleteService('Winqs60');
 DeleteService('Winqs56');
 DeleteService('Winqp78');
 DeleteService('Winqm12');
 DeleteService('Winoy03');
 DeleteService('Winot80');
 DeleteService('Winoi12');
 DeleteService('Winoc21');
 DeleteService('Winnp78');
 DeleteService('Winmu78');
 DeleteService('Winmu01');
 DeleteService('Winmd67');
 DeleteService('Winmd45');
 DeleteService('Winly87');
 DeleteService('Winlt45');
 DeleteService('Winlc71');
 DeleteService('Winlc01');
 DeleteService('Winja45');
 DeleteService('Winic23');
 DeleteService('Winhx67');
 DeleteService('Winhp67');
 DeleteService('Wingl23');
 DeleteService('Wingi12');
 DeleteService('Wineu60');
 DeleteService('Winer67');
 DeleteService('Winer23');
 DeleteService('Winej67');
 DeleteService('Wineg38');
 DeleteService('Wined78');
 DeleteService('Windy43');
 DeleteService('Windh03');
 DeleteService('Wincv01');
 DeleteService('Wincp56');
 DeleteService('Winch67');
 DeleteService('Winbr27');
 DeleteService('Winay47');
 DeleteService('Winay25');
 DeleteService('Winat56');
 DeleteService('Winat12');
 QuarantineFile('E:\WINDOWS\System32\Drivers\Winac23.sys','');
 DeleteService('Winac23');
 DeleteService('aswArKrn');
 QuarantineFile('E:\DOCUME~1\NrJa\LOCALS~1\Temp\aswArKrn.sys','');
 DeleteService('wscsvcCryptSvc');
 DeleteService('WMPNetworkSvcdmserver');
 DeleteService('WmdmPmSNDhcp');
 DeleteService('WebClientServiceLayer');
 DeleteService('W32Timeclr_optimization_v2.0.50727_32');
 DeleteService('upnphostSSDPSRVRasMan');
 DeleteService('upnphostSSDPSRV');
 DeleteService('ThemesupnphostSSDPSRVRasManShellHWDetection');
 DeleteService('ThemesupnphostSSDPSRVRasMan');
 DeleteService('TapiSrvWmdmPmSNDhcp');
 DeleteService('TermServiceEventSystem');
 DeleteService('SwPrvClipSrv');
 DeleteService('srserviceSysmonLog');
 DeleteService('RpcSsW32Timeclr_optimization_v2.0.50727_32WmdmPmSNDhcp');
 DeleteService('RpcSsW32Timeclr_optimization_v2.0.50727_32');
 DeleteService('RDSessMgrRDSessMgr');
 DeleteService('ProtectedStorageNMIndexingServiceSwPrv');
 DeleteService('ProtectedStorageNMIndexingService');
 DeleteService('NtmsSvcAudioSrv');
 DeleteService('NetDDEWmiTlntSvr');
 DeleteService('NetDDEWmi');
 DeleteService('NetDDEWmdmPmSNPolicyAgent');
 DeleteService('NetDDEWmdmPmSN');
 DeleteService('NetDDEdsdmSQLAgent$SONY_MEDIAMGR');
 DeleteService('MSSQLServerADHelperMSDTC');
 DeleteService('mnmsrvcNetDDEdsdmPlugPlay');
 DeleteService('mnmsrvcNetDDEdsdm');
 DeleteService('COMSysAppNtLmSsp');
 DeleteService('COMSysAppFastUserSwitchingCompatibility');
 DeleteService('clr_optimization_v2.0.50727_32WmdmPmSNDhcp');
 DeleteService('ClipSrvclr_optimization_v2.0.50727_32');
 DeleteService('CiSvcTapiSrv');
 DeleteService('ATKKeyboardServiceNetDDE');
 DeleteService('ATKKeyboardServicelanmanworkstation');
 DeleteService('AlerterWMPNetworkSvc');
 QuarantineFile('srv.exe','');
 QuarantineFile('E:\WINDOWS\System32\atkosdmini.dll','');
 QuarantineFile('E:\WINDOWS\system32\drivers\RegCs.exe','');
 QuarantineFile('E:\WINDOWS\system32\drivers\DegCs.exe','');
 QuarantineFile('e:\windows\system32\drivers\degcs.exe','');
 DeleteFile('e:\windows\system32\drivers\degcs.exe');
 DeleteFile('E:\WINDOWS\system32\drivers\DegCs.exe');
 DeleteFile('E:\WINDOWS\system32\drivers\RegCs.exe');
 DeleteFile('srv.exe');
 DeleteFile('E:\DOCUME~1\NrJa\LOCALS~1\Temp\aswArKrn.sys');
 DeleteFile('E:\WINDOWS\System32\Drivers\Winac23.sys');
 DeleteFile('E:\WINDOWS\System32\Drivers\Winat12.sys');
 DeleteFile('E:\WINDOWS\System32\Drivers\Winat56.sys');
 DeleteFile('E:\WINDOWS\System32\Drivers\Winay25.sys');
 DeleteFile('E:\WINDOWS\System32\Drivers\Winay47.sys');
 DeleteFile('E:\WINDOWS\System32\Drivers\Winbr27.sys');
 DeleteFile('E:\WINDOWS\System32\Drivers\Winch67.sys');
 DeleteFile('E:\WINDOWS\System32\Drivers\Wincp56.sys');
 DeleteFile('E:\WINDOWS\System32\Drivers\Wincv01.sys');
 DeleteFile('E:\WINDOWS\System32\Drivers\Windh03.sys');
 DeleteFile('E:\WINDOWS\System32\Drivers\Windy43.sys');
 DeleteFile('E:\WINDOWS\System32\Drivers\Wined78.sys');
 DeleteFile('E:\WINDOWS\System32\Drivers\Wineg38.sys');
 DeleteFile('E:\WINDOWS\System32\Drivers\Winej67.sys');
 DeleteFile('E:\WINDOWS\System32\Drivers\Winer23.sys');
 DeleteFile('E:\WINDOWS\System32\Drivers\Winer67.sys');
 DeleteFile('E:\WINDOWS\System32\Drivers\Wineu60.sys');
 DeleteFile('E:\WINDOWS\System32\Drivers\Wingi12.sys');
 DeleteFile('E:\WINDOWS\System32\Drivers\Wingl23.sys');
 DeleteFile('E:\WINDOWS\System32\Drivers\Winhp67.sys');
 DeleteFile('E:\WINDOWS\System32\Drivers\Winhx67.sys');
 DeleteFile('E:\WINDOWS\System32\Drivers\Winic23.sys');
 DeleteFile('E:\WINDOWS\System32\Drivers\Winja45.sys');
 DeleteFile('E:\WINDOWS\System32\Drivers\Winlc01.sys');
 DeleteFile('E:\WINDOWS\System32\Drivers\Winln08.sys');
 DeleteFile('E:\WINDOWS\System32\Drivers\Winlt45.sys');
 DeleteFile('E:\WINDOWS\System32\Drivers\Winly87.sys');
 DeleteFile('E:\WINDOWS\System32\Drivers\Winmd45.sys');
 DeleteFile('E:\WINDOWS\System32\Drivers\Winmd67.sys');
 DeleteFile('E:\WINDOWS\System32\Drivers\Winmu01.sys');
 DeleteFile('E:\WINDOWS\System32\Drivers\Winmu78.sys');
 DeleteFile('E:\WINDOWS\System32\Drivers\Winnp78.sys');
 DeleteFile('E:\WINDOWS\System32\Drivers\Winoc21.sys');
 DeleteFile('E:\WINDOWS\System32\Drivers\Winoi12.sys');
 DeleteFile('E:\WINDOWS\System32\Drivers\Winot80.sys');
 DeleteFile('E:\WINDOWS\System32\Drivers\Winoy03.sys');
 DeleteFile('E:\WINDOWS\System32\Drivers\Winqm12.sys');
 DeleteFile('E:\WINDOWS\System32\Drivers\Winqp78.sys');
 DeleteFile('E:\WINDOWS\System32\Drivers\Winqs56.sys');
 DeleteFile('E:\WINDOWS\System32\Drivers\Winqs60.sys');
 DeleteFile('E:\WINDOWS\System32\Drivers\Winsp67.sys');
 DeleteFile('E:\WINDOWS\System32\Drivers\Wintn12.sys');
 DeleteFile('E:\WINDOWS\System32\Drivers\Winuw36.sys');
 DeleteFile('E:\WINDOWS\System32\Drivers\Winuw78.sys');
 DeleteFile('E:\WINDOWS\System32\Drivers\Winvb45.sys');
 DeleteFile('E:\WINDOWS\System32\Drivers\Winvj12.sys');
 DeleteFile('E:\WINDOWS\System32\Drivers\Winvx80.sys');
 DeleteFile('E:\WINDOWS\System32\Drivers\Winwf78.sys');
 DeleteFile('E:\WINDOWS\System32\Drivers\Winwn80.sys');
 DeleteFile('E:\WINDOWS\System32\Drivers\Winwq67.sys');
 DeleteFile('E:\WINDOWS\System32\Drivers\Winwv67.sys');
 DeleteFile('E:\WINDOWS\System32\Drivers\Winxw12.sys');
 DeleteFile('E:\WINDOWS\System32\Drivers\Winyb34.sys');
 DeleteFile('E:\WINDOWS\System32\Drivers\Winys08.sys');
 DeleteFile('E:\WINDOWS\System32\Drivers\Winys56.sys');
 DeleteFile('E:\WINDOWS\System32\Drivers\Winyx34.sys');
 DeleteFile('WinCtrl32.dll');
 DeleteFile('msansspc.dll');
 DeleteFile('sysfldr.dll');
ExecuteRepair(11);
ExecuteRepair(17);
ExecuteRepair(16);
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.

пришлите карантин согласно приложения 3 правил
повторите логи

**aHTucllaM** · 02.06.2009, 02:50

Спасибо, проблема исчезла, отослал карантин, вот логи:

**aHTucllaM** · 02.06.2009, 19:40

Прошу посмотреть логи, т.к. после отправления вам автоматического сбора файлов, получил ответ:
Внимание, в архиве обнаружены опасные или вредоносные объекты:
E:\WINDOWS\system32\drivers\RegCs.exe: Trojan.Win32.Agent.ckeq
E:\WINDOWS\system32\drivers\DegCs.exe: Backdoor.Win32.SdBot.mpv

**V_Bond** · 02.06.2009, 20:29

выполните скрипт

Код:

begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
 QuarantineFile('E:\Documents and Settings\NrJa\Application Data\Facegame\Facegame.exe','');
 DeleteService('Winlc71');
 DeleteService('aswArKrn');
 QuarantineFile('E:\DOCUME~1\NrJa\LOCALS~1\Temp\aswArKrn.sys','');
 DeleteFile('E:\DOCUME~1\NrJa\LOCALS~1\Temp\aswArKrn.sys');
 DeleteFile('E:\WINDOWS\System32\Drivers\Winlc71.sys');
 DeleteFile('E:\Documents and Settings\NrJa\Application Data\Facegame\Facegame.exe');
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.

пришлите крантин согласно приложения 3 правил
повторите логи

**aHTucllaM** · 03.06.2009, 02:24

Скрипт выполнил, в карантине ничего нет, сделал логи:

**CyberHelper** · 04.06.2009, 02:24

Статистика проведенного лечения:

Получено карантинов: 1
Обработано файлов: 3
В ходе лечения обнаружены вредоносные программы:
1. e:\windows\system32\drivers\degcs.exe - Backdoor.Win32.SdBot.mpv ( DrWEB: BackDoor.IRC.Sdbot.4876, BitDefender: Gen:Trojan.Packed.Heur.F3A393ADAD )
2. e:\windows\system32\drivers\regcs.exe - Trojan.Win32.Agent.ckeq ( DrWEB: BackDoor.IRC.Sdbot.4874, BitDefender: Trojan.Loader.BR )

И снова z-connect (заявка № 46997)

Опции темы

И снова z-connect

Итог лечения

Похожие темы

z-connect снова

снова z-connect

Снова z-connect

Помогите!!! Снова z-connect!

И снова i-connect

Ваши права в разделе