Trojan-Downloader.Win32.Fraudload.wycp virus and unstable system operation
Picked up some viruses. Scanned with Dr.Web CureIt! and AVPTool. Dr.Web CureIt! found several Trojans and removed them. On a repeat scan with AVPTool a large number of viruses and Trojans were found. All of them were removed except Trojan-Downloader.Win32.Fraudload.wycp.
Besides that, the system runs unstably and often hangs at the "Welcome" screen during boot. System Restore switched itself off, and when I try to open its menu it shows the message "System Restore has been turned off by group policy. To turn on System Restore, contact your domain administrator". The Internet connection drops periodically.
Close/unload all programs except AVZ.
Then:
- disconnect the PC from the Internet/LAN;
- disable the antivirus and firewall;
- run the script
Code:
begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
DeleteService('zxjfilvl');
DeleteService('zvumrlkia');
DeleteService('zuwlqoiy');
DeleteService('zukbizmsi');
DeleteService('zrmunss');
DeleteService('zpwyu');
DeleteService('zprtgazf');
DeleteService('znsjoj');
DeleteService('znmzi');
DeleteService('zmvzypgv');
DeleteService('zmaavddvn');
DeleteService('zizomseuu');
DeleteService('ziuuvmt');
DeleteService('zisgmln');
DeleteService('zirgxix');
DeleteService('zidyhtl');
DeleteService('zhkmf');
DeleteService('zgyfw');
DeleteService('zcowwppl');
DeleteService('zcjvg');
DeleteService('zcavnwgwp');
DeleteService('zbozs');
DeleteService('zbfbtmgk');
DeleteService('zbajgvtfb');
DeleteService('yztzxok');
DeleteService('yzbfuxcvd');
DeleteService('yypbgsp');
DeleteService('ywsyhw');
DeleteService('yvhov');
DeleteService('yutvaeknb');
DeleteService('yuqya');
DeleteService('yupjuomhe');
DeleteService('yrutsvxtr');
DeleteService('yrbfrz');
DeleteService('ypxsga');
DeleteService('ypvugdtvx');
DeleteService('yobpmnu');
DeleteService('ynzxsb');
DeleteService('ynlnkcjm');
DeleteService('ymvqwt');
DeleteService('ymtfvxwrz');
DeleteService('ylzwsj');
DeleteService('ylqiuj');
DeleteService('yijosny');
DeleteService('yijjwfkf');
DeleteService('yhvjuq');
DeleteService('yeyha');
DeleteService('yalsguwo');
DeleteService('xzwbc');
DeleteService('xzqsfwwcl');
DeleteService('xyref');
DeleteService('xyjxob');
DeleteService('xxforyps');
DeleteService('xxapew');
DeleteService('xrfdfvrar');
DeleteService('xqhqfn');
DeleteService('xnwbodxcs');
DeleteService('xnkunukq');
DeleteService('xmebu');
DeleteService('xlanwetqx');
DeleteService('xlacyyc');
DeleteService('xkiofmgy');
DeleteService('xjpxr');
DeleteService('xjmgmfiy');
DeleteService('xhltauj');
DeleteService('xgvkuqn');
DeleteService('xgelujg');
DeleteService('xdmlwpbki');
DeleteService('xdjosjpb');
DeleteService('xdcpe');
DeleteService('xbrhh');
DeleteService('xblqgstkv');
DeleteService('xaylsxvmg');
DeleteService('wymlqzs');
DeleteService('wymkj');
DeleteService('wxqpv');
DeleteService('wxnyu');
DeleteService('wxbqm');
DeleteService('wuwmvcys');
DeleteService('wurmwprl');
DeleteService('wsscjmzzs');
DeleteService('wrrnct');
DeleteService('wrcigicvu');
DeleteService('wkkiq');
DeleteService('wkizenc');
DeleteService('wjrxvglax');
DeleteService('wjklyjkyf');
DeleteService('winvon');
DeleteService('wikhmc');
DeleteService('wigfqxeyr');
DeleteService('wibrtoepu');
DeleteService('wexxk');
DeleteService('wentdddw');
DeleteService('wcrdndj');
DeleteService('wcjjdbky');
DeleteService('wabome');
DeleteService('vzrpg');
DeleteService('vyzrhusp');
DeleteService('vvixkwins');
DeleteService('vvafojips');
DeleteService('vrtzi');
DeleteService('vpdfwnf');
DeleteService('vozjhkqgr');
DeleteService('voqjwi');
DeleteService('vmpouo');
DeleteService('vmiqgxtl');
DeleteService('vmcymof');
DeleteService('vlyxojhcq');
DeleteService('vlngsrmeb');
DeleteService('vlaikeh');
DeleteService('vkuqmf');
DeleteService('vkibsu');
DeleteService('vkewyjd');
DeleteService('vkdwbk');
DeleteService('vjhmu');
DeleteService('vbpmgpev');
DeleteService('uznised');
DeleteService('uypsiryvh');
DeleteService('uxomto');
DeleteService('uwpvove');
DeleteService('uvafvklcj');
DeleteService('uuqwom');
DeleteService('uswuirf');
DeleteService('uqqmmewy');
DeleteService('uqmkp');
DeleteService('uqcqzew');
DeleteService('uptouhjrk');
DeleteService('uppzv');
DeleteService('upgmnlw');
DeleteService('uozhfzh');
DeleteService('uoyaapxqq');
DeleteService('uotvo');
DeleteService('uorwnt');
DeleteService('unqqqikio');
DeleteService('unihevpex');
DeleteService('unebmtp');
DeleteService('ulevnw');
DeleteService('ukdgfila');
DeleteService('ujbzb');
DeleteService('uixbkd');
DeleteService('ufzjgxrwg');
DeleteService('ufwuchy');
DeleteService('uefrmq');
DeleteService('udllhkngt');
DeleteService('udjse');
DeleteService('tzzdddk');
DeleteService('tzkxrtpcz');
DeleteService('tyygbm');
DeleteService('tuyvk');
DeleteService('tusukrpaz');
DeleteService('ttypydfpc');
DeleteService('tsufjx');
DeleteService('trxolebck');
DeleteService('trqliao');
DeleteService('trnzex');
DeleteService('tqcghv');
DeleteService('tpubxl');
DeleteService('tmkkdeoj');
DeleteService('tlhnhm');
DeleteService('tissdeyjg');
DeleteService('tifpbobmp');
DeleteService('tfxak');
DeleteService('tfokgm');
DeleteService('tbvho');
DeleteService('tblstleye');
DeleteService('sxmtplzw');
DeleteService('swypeis');
DeleteService('swgmxfzj');
DeleteService('svtqrz');
DeleteService('sseigbgvk');
DeleteService('srvmku');
DeleteService('srnoaz');
DeleteService('sriqdkc');
DeleteService('srfvupve');
DeleteService('sqqbq');
DeleteService('sqfojstmj');
DeleteService('snbvwcdet');
DeleteService('smpumqpxc');
DeleteService('smkzcmap');
DeleteService('sjoeqlgdf');
DeleteService('sijyuj');
DeleteService('shwvpycbh');
DeleteService('sgryphpx');
DeleteService('sgqfo');
DeleteService('sfsmjuig');
DeleteService('scrchlad');
DeleteService('scratpynp');
DeleteService('sbiqzr');
DeleteService('rzuylnouf');
DeleteService('rzdqel');
DeleteService('rxfay');
DeleteService('rvjblqzbd');
DeleteService('rviqisn');
DeleteService('runphr');
DeleteService('rtxfegyw');
DeleteService('rslodl');
DeleteService('rsliifae');
DeleteService('rrqsm');
DeleteService('rpfxrym');
DeleteService('rnzzsaiu');
DeleteService('rkpfo');
DeleteService('rjxgcdeld');
DeleteService('riyffja');
DeleteService('rinudx');
DeleteService('rhwru');
DeleteService('rcwkiro');
DeleteService('rcvcagpkq');
DeleteService('rcdcppgd');
DeleteService('rbqdusgmn');
DeleteService('rbkvr');
DeleteService('raaknntt');
DeleteService('qzcuygr');
DeleteService('qyqnu');
DeleteService('qxxbd');
DeleteService('qwwaxe');
DeleteService('qwinyajj');
DeleteService('qvwuhszq');
DeleteService('qvnxyub');
DeleteService('qvfbfwp');
DeleteService('qvaok');
DeleteService('qtnnx');
DeleteService('qtjdlzn');
DeleteService('qrtbpl');
DeleteService('qqgywntt');
DeleteService('qqdkrlspb');
DeleteService('qqcpjib');
DeleteService('qmyslo');
DeleteService('qlnqojhu');
DeleteService('qjkhjyp');
DeleteService('qjeiebz');
DeleteService('qjagedisi');
DeleteService('qhscmwpw');
DeleteService('qctvnssql');
DeleteService('qcstmm');
DeleteService('qbolqeyck');
DeleteService('qaxtime');
DeleteService('qawirws');
DeleteService('pxchgzg');
DeleteService('pwqfoe');
DeleteService('pwfzcg');
DeleteService('pwahrfjya');
DeleteService('pupupjud');
DeleteService('pqiweg');
DeleteService('ppljfdngj');
DeleteService('ppiwxb');
DeleteService('pndstq');
DeleteService('pkwjr');
DeleteService('pismzewnc');
DeleteService('phgmcgjx');
DeleteService('pfdso');
DeleteService('pdpslq');
DeleteService('pdbnnnc');
DeleteService('pbjjuef');
DeleteService('pafxudpb');
DeleteService('ozhfzf');
DeleteService('owukbm');
DeleteService('otesi');
DeleteService('orsobzpu');
DeleteService('orsiwwk');
DeleteService('orgdj');
DeleteService('oqddurtgd');
DeleteService('ootcur');
DeleteService('ooepdp');
DeleteService('onwgfje');
DeleteService('olxypi');
DeleteService('okbmpii');
DeleteService('oiyvbl');
DeleteService('oirrrv');
DeleteService('oetukfda');
DeleteService('oaqzqtb');
DeleteService('nynpsctr');
DeleteService('nxxxddaz');
DeleteService('nuqmh');
DeleteService('nthte');
DeleteService('nsclo');
DeleteService('nqznpdefl');
DeleteService('nqyya');
DeleteService('npxyxb');
DeleteService('nnunwsno');
DeleteService('nmwhiquei');
DeleteService('nkbtg');
DeleteService('nieibprj');
DeleteService('neebtfe');
DeleteService('ndxdnyxmh');
DeleteService('nammu');
DeleteService('mysbz');
DeleteService('mwtffk');
DeleteService('mwefcb');
DeleteService('muyzjnrwx');
DeleteService('mssaup');
DeleteService('mrgngstp');
DeleteService('mreyqfu');
DeleteService('mpmami');
DeleteService('mmzdd');
DeleteService('mmvgrac');
DeleteService('mmvgqc');
DeleteService('mmsea');
DeleteService('mmaagrf');
DeleteService('mlkqtbom');
DeleteService('mkpzx');
DeleteService('mkgutcm');
DeleteService('mivdiix');
DeleteService('mhfxzzb');
DeleteService('mffdadt');
QuarantineFile('C:\WINDOWS\system32\drivers\elqtyvx.sys','');
DeleteService('mbfmddsfeanyv');
DeleteService('maufdk');
DeleteService('manrh');
DeleteService('lyddmaxf');
DeleteService('ltrvgkkmw');
DeleteService('lrtnnkj');
DeleteService('lqzhimlvr');
DeleteService('lqlgsvy');
DeleteService('lmkurr');
DeleteService('lmdzd');
DeleteService('llotjkj');
DeleteService('llbuo');
DeleteService('lkbijmo');
DeleteService('ljfnw');
DeleteService('livnmyibb');
DeleteService('liisuii');
DeleteService('lhnrsjnqp');
DeleteService('lgvdtm');
DeleteService('lfguwpvd');
DeleteService('lchvfoyn');
DeleteService('lbglucyj');
DeleteService('lbdbiapc');
DeleteService('laxwsn');
DeleteService('laklb');
DeleteService('laisy');
DeleteService('kyzmcx');
DeleteService('kuxthb');
DeleteService('kugmnkya');
DeleteService('kreghta');
DeleteService('kppicpoi');
DeleteService('konbjwl');
DeleteService('koigf');
DeleteService('klxuydfkh');
DeleteService('kjoen');
DeleteService('kjkwuamw');
DeleteService('kizoidxb');
DeleteService('khrlnrwoa');
DeleteService('kfueozmg');
DeleteService('kednydpyt');
DeleteService('kecsy');
DeleteService('jzcuclxpp');
DeleteService('jwhlli');
DeleteService('jugjweo');
DeleteService('jubatogwe');
DeleteService('jpvevck');
DeleteService('jplls');
DeleteService('jpbnnu');
DeleteService('joconjv');
DeleteService('jkjerbpu');
DeleteService('jkhdqp');
DeleteService('jjobdp');
DeleteService('jezlfpois');
DeleteService('jcuejd');
DeleteService('jcrczdob');
DeleteService('jcejokfz');
DeleteService('jccnf');
DeleteService('jbanly');
DeleteService('jatnffgi');
DeleteService('jaaxe');
DeleteService('izsyjtb');
DeleteService('iyxgs');
DeleteService('iywzgvt');
DeleteService('ixulsqwpw');
DeleteService('iwrtt');
DeleteService('iwahk');
DeleteService('ivqsk');
DeleteService('iurzunn');
DeleteService('itsifoug');
DeleteService('irbxo');
DeleteService('iqmyeu');
DeleteService('iqifwequ');
DeleteService('ipzamax');
DeleteService('imayplkjq');
DeleteService('ijeab');
DeleteService('iipatg');
DeleteService('ihxytlxr');
DeleteService('ihxtln');
DeleteService('ihuvlle');
DeleteService('ihbpefa');
DeleteService('igboews');
DeleteService('iezsndij');
DeleteService('ievlu');
DeleteService('icxprv');
DeleteService('icsjvtlb');
DeleteService('ibnciqqlw');
DeleteService('hzomixtzl');
DeleteService('hyxgtdbl');
DeleteService('hxkrzrzjt');
DeleteService('hwfpm');
DeleteService('hvbtl');
DeleteService('husszo');
DeleteService('huppoobx');
DeleteService('hrjuqqpei');
DeleteService('hqxlaito');
DeleteService('hpttwvlvg');
DeleteService('hpdlgvj');
DeleteService('hoilx');
DeleteService('hnschlpcb');
DeleteService('hkrfndlv');
DeleteService('hjzshw');
DeleteService('hjhmbm');
DeleteService('hignyabh');
DeleteService('hfywpk');
DeleteService('hdzkohftc');
DeleteService('hdtbrvq');
DeleteService('hbwrh');
DeleteService('hbmvglc');
DeleteService('gzzkiqan');
DeleteService('gzjyrmowk');
DeleteService('gzcly');
DeleteService('gydzqgrs');
DeleteService('gydvc');
DeleteService('gydmrk');
DeleteService('gxtmi');
DeleteService('gxafvoe');
DeleteService('gwzfleo');
DeleteService('gwanlvz');
DeleteService('gvcko');
DeleteService('gvabyssed');
DeleteService('guwvet');
DeleteService('gujzb');
DeleteService('gtvanm');
DeleteService('gspublha');
DeleteService('gspby');
DeleteService('gphekzqh');
DeleteService('gonggip');
DeleteService('gnthzz');
DeleteService('gmkeve');
DeleteService('gjxfpj');
DeleteService('gjahsbveq');
DeleteService('gitmxyq');
DeleteService('gidyw');
DeleteService('ghmpxlfs');
DeleteService('ggvpo');
DeleteService('gdedizir');
DeleteService('gcwocmafi');
DeleteService('gbxwaado');
DeleteService('gaszhkcab');
DeleteService('gamnvpa');
DeleteService('gaktcffl');
DeleteService('fzuthmxhf');
DeleteService('fxfwsil');
DeleteService('fwyzaehkn');
DeleteService('fwklx');
DeleteService('fvxzypdmo');
DeleteService('fvbaqlg');
DeleteService('fupxdh');
DeleteService('fttbjhxuo');
DeleteService('fsxfm');
DeleteService('frwnieh');
DeleteService('fqtynwut');
DeleteService('foingl');
DeleteService('focwsjt');
DeleteService('fliyq');
DeleteService('flgjxvdaz');
DeleteService('fkqtt');
DeleteService('fkkyddr');
DeleteService('fjrxfoc');
DeleteService('fijskr');
DeleteService('fhsuwvwm');
DeleteService('fhhknfjcm');
DeleteService('fgxpltem');
DeleteService('ffnvbmh');
DeleteService('feeyrumaw');
DeleteService('fdjavwmw');
DeleteService('fcsgvjm');
DeleteService('fcayjcy');
DeleteService('fayvboygu');
DeleteService('exqzqi');
DeleteService('ewsdg');
DeleteService('ewsbvngtp');
DeleteService('evqds');
DeleteService('evoymcxui');
DeleteService('evbeaksw');
DeleteService('etvryrch');
DeleteService('erjrbfz');
DeleteService('erfphkc');
DeleteService('equano');
DeleteService('eoqgukuep');
DeleteService('enzhrp');
DeleteService('enjuobaz');
DeleteService('emvxzf');
DeleteService('elgkiwhs');
DeleteService('eimfday');
DeleteService('ekzzmaria');
DeleteService('ehrzowykz');
DeleteService('ehoeb');
DeleteService('ehiexg');
DeleteService('eguhnc');
DeleteService('eeshlies');
DeleteService('ecxrtgqyl');
DeleteService('ebwoxsmzp');
DeleteService('ebtsqi');
DeleteService('ebptmpqab');
DeleteService('ebnmmc');
DeleteService('dzwenrndy');
DeleteService('dwnqtku');
DeleteService('dwimhf');
DeleteService('dwhpi');
DeleteService('dveyaamz');
DeleteService('dsxbzs');
DeleteService('drybllrxt');
DeleteService('dorvtp');
DeleteService('dnrsknxof');
DeleteService('dmyaxbnc');
DeleteService('dmgtnkx');
DeleteService('dltiuswt');
DeleteService('dkvgmnt');
DeleteService('dkuyxx');
DeleteService('direk');
DeleteService('dhfjile');
DeleteService('dgqmgz');
DeleteService('dfumxspgq');
DeleteService('dfizxf');
DeleteService('dezvkc');
DeleteService('dewlesycw');
DeleteService('ddctykp');
DeleteService('dcvirsv');
DeleteService('dckvr');
DeleteService('dbbnmbsml');
DeleteService('cykher');
DeleteService('cxhoetn');
DeleteService('cwwhbfo');
DeleteService('cwalwssbh');
DeleteService('cvqrkgca');
DeleteService('cvpaxql');
DeleteService('cvowil');
DeleteService('cqpafhgos');
DeleteService('cpkyzchow');
DeleteService('cpgafs');
DeleteService('cnxajuft');
DeleteService('cjtha');
DeleteService('chkdo');
DeleteService('cfpdxlgi');
DeleteService('cdqgzgp');
DeleteService('cbwkvu');
DeleteService('cazdcwxs');
DeleteService('bxtnhtdh');
DeleteService('buyep');
DeleteService('brmwmls');
DeleteService('blfbsw');
DeleteService('bknbggyog');
DeleteService('bjpsbl');
DeleteService('biyto');
DeleteService('bhydvlb');
DeleteService('bgorbyawb');
DeleteService('bfzkxk');
DeleteService('bftuzhjwq');
DeleteService('bbrzw');
DeleteService('azopmafs');
DeleteService('aygybnqql');
DeleteService('axzdvqf');
DeleteService('awvdvkv');
DeleteService('avvqtkgn');
DeleteService('avehcvipx');
DeleteService('atotdzbw');
DeleteService('aqsqk');
DeleteService('aqjcqsa');
DeleteService('aqbve');
DeleteService('apsgcvnp');
DeleteService('apmqni');
DeleteService('apaxp');
DeleteService('aomyqkids');
DeleteService('anxgki');
DeleteService('anpwtfss');
DeleteService('alqaj');
DeleteService('akpzfm');
DeleteService('aiorx');
DeleteService('aiadjfwv');
QuarantineFile('C:\WINDOWS\system32\01.tmp','');
DeleteService('aglyvb');
DeleteService('agkzrml');
DeleteService('aggoidn');
DeleteService('afbtwvj');
DeleteService('aekqr');
QuarantineFile('C:\WINDOWS\system32\02.tmp','');
DeleteService('abjqde');
QuarantineFile('C:\RECYCLER\S-1-5-21-7026561162-5736816891-843969590-6903\wmfcgr.exe','');
TerminateProcessByName('c:\windows\acp.exe');
QuarantineFile('c:\windows\acp.exe','');
QuarantineFile('c:\windows\gf.exe','');
TerminateProcessByName('c:\windows\gf.exe');
DeleteFile('c:\windows\acp.exe');
DeleteFile('c:\windows\gf.exe');
DeleteFile('C:\RECYCLER\S-1-5-21-7026561162-5736816891-843969590-6903\wmfcgr.exe');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','Windows Data Serivce');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','Windows System Info Serivce');
DeleteFile('C:\WINDOWS\system32\02.tmp');
DeleteFile('C:\WINDOWS\system32\01.tmp');
DeleteFile('C:\WINDOWS\system32\drivers\elqtyvx.sys');
BC_ImportAll;
ExecuteSysClean;
Executerepair(6);
Executerepair(11);
RegKeyIntParamWrite('HKLM', 'SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum', '{BDEADF00-C265-11D0-BCED-00A0C90AB50F}', 1);
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows NT\CurrentVersion\Winlogon','Taskman');
ExecuteWizard('TSW', 2, 2, true);
BC_Activate;
RebootWindows(true);
end.
After it has run:
- enable the antivirus and firewall;
- reconnect the PC to the Internet/LAN;
- upload the quarantine via the "Send the requested quarantine" link in the header of your thread (Appendix 3 of the rules).
Repeat the steps described in items 1-3 of Diagnostics and attach the new logs to a new post.
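The script above is, apart from a handful of file and registry actions, several hundred DeleteService() calls for services with random lowercase names. The helper picks those out of the AVZ log by eye; the following is an added example (not from the thread and not part of AVZ) of doing that triage mechanically: it scores each service name by vowel ratio and longest consonant run, exempts a baseline allowlist of legitimate Windows XP services that happen to look random (RpcSs, Dnscache and similar), and emits the surviving names in the same AVZ script shape used in the thread. SAMPLE_SERVICES is a constructed list mixing names from the script above with standard XP service names; the KNOWN_GOOD allowlist is an assumption for illustration and should be replaced by a service list exported from a clean machine of the same build.

```python
"""Triage helper for the hundreds of randomly named services the script
above removes one DeleteService() at a time.  Added example, not from the
original thread or from AVZ; SAMPLE_SERVICES is a constructed list mixing
names taken from that script with standard Windows XP service names."""
import re
from typing import Dict, Iterable, List

VOWELS = frozenset("aeiou")
ALPHA_RE = re.compile(r"^[A-Za-z]+$")

# Legitimate XP services that the heuristic below would otherwise flag.
# Assumption for this example: replace with a baseline exported from a
# clean machine of the same build.
KNOWN_GOOD = frozenset({"RpcSs", "Dnscache", "SSDPSRV", "WZCSVC", "LmHosts"})


def features(name: str) -> Dict[str, float]:
    """Vowel ratio and longest run of consonants (y counted as a consonant)."""
    low = name.lower()
    run = longest = 0
    for ch in low:
        run = 0 if ch in VOWELS else run + 1
        longest = max(longest, run)
    return {"vowel_ratio": sum(ch in VOWELS for ch in low) / len(low),
            "max_consonant_run": longest}


def looks_random(name: str) -> bool:
    """Cheap gibberish test: pronounceable names have vowels spread through
    them; generated names like 'zxjfilvl' or 'kednydpyt' do not."""
    if name in KNOWN_GOOD or len(name) < 5 or not ALPHA_RE.match(name):
        return False
    f = features(name)
    return f["vowel_ratio"] < 0.25 or f["max_consonant_run"] >= 4


def triage(names: Iterable[str]) -> List[str]:
    """Return the suspicious names, sorted, for manual review."""
    return sorted(n for n in names if looks_random(n))


def avz_delete_script(names: Iterable[str]) -> str:
    """Emit the reviewed names in the AVZ script shape used in the thread."""
    body = [f"DeleteService('{n}');" for n in names]
    return "\n".join(["begin", "SearchRootkit(true, true);",
                      "SetAVZGuardStatus(True);", *body,
                      "BC_ImportAll;", "ExecuteSysClean;",
                      "BC_Activate;", "RebootWindows(true);", "end."])


# Constructed sample: eight names from the script above plus nine normal
# XP services, two of which (RpcSs, Dnscache) only pass via the allowlist.
SAMPLE_SERVICES = [
    "wuauserv", "lanmanserver", "Themes", "Spooler", "Eventlog", "RpcSs",
    "Netman", "SharedAccess", "Dnscache",
    "zxjfilvl", "zvumrlkia", "kednydpyt", "apsgcvnp",
    "zysunpedpqfwnut", "elqtyvx", "ynzxsb", "mbfmddsfeanyv",
]

if __name__ == "__main__":
    print(avz_delete_script(triage(SAMPLE_SERVICES)))
```

The heuristic is a review aid, not a deletion criterion: a name such as rpcss has no vowels at all and is flagged unless it is in the baseline, and DeleteService() against a legitimate service will break the machine rather than clean it. Compare the flagged set against the service list of a clean install before turning it into a script.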
The script ran without errors. Uploaded the quarantine. Here are the new logs:
Run the script
Code:
begin
DeleteFileMask(GetAVZDirectory+'Quarantine','*.*',true);
SearchRootkit(true, true);
SetAVZGuardStatus(True);
QuarantineFile('C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\MN4VY50B\021010d501ne[1].exe','');
QuarantineFile('C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\4ZMBQDQX\021010d501ne[1].exe','');
QuarantineFile('zysunpedpqfwnut.sys','');
DeleteService('zysunpedpqfwnut');
DeleteService('ynzxsb');
DeleteService('uixbkd');
DeleteService('tfxak');
QuarantineFile('C:\WINDOWS\system32\01.tmp','');
DeleteService('kednydpyt');
QuarantineFile('C:\WINDOWS\system32\02.tmp','');
DeleteService('apsgcvnp');
DeleteFile('C:\WINDOWS\system32\02.tmp');
DeleteFile('C:\WINDOWS\system32\01.tmp');
DeleteFile('zysunpedpqfwnut.sys');
DeleteFilemask('C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5','*.*',true);
BC_ImportAll;
BC_DeleteFile('zysunpedpqfwnut.sys');
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.
upload the quarantine via the "Send the requested quarantine" link in the header of your thread (Appendix 3 of the rules).
Make a new virusinfo_syscheck.zip log
Last edited by Шапельский Александр; 17.02.2010 at 23:39.
Reason: Script corrected
When I try to run the script it gives an error: ')' expected at position 5:16
Quote from
P_Bevs
When I try to run the script it gives an error: ')' expected at position 5:16
Script corrected
Uploaded the quarantine. Here is the new log:
Run the script
Code:
begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
DeleteService('ynzxsb');
DeleteService('vozjhkqgr');
DeleteService('uixbkd');
DeleteService('tfxak');
QuarantineFile('C:\WINDOWS\system32\01.tmp','');
DeleteService('kednydpyt');
QuarantineFile('C:\WINDOWS\system32\02.tmp','');
DeleteService('apsgcvnp');
DeleteFile('C:\WINDOWS\system32\02.tmp');
DeleteFile('C:\WINDOWS\system32\01.tmp');
BC_ImportAll;
BC_DeleteSvc('ynzxsb');
BC_DeleteSvc('vozjhkqgr');
BC_DeleteSvc('uixbkd');
BC_DeleteSvc('tfxak');
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.
upload the quarantine via the "Send the requested quarantine" link in the header of your thread (Appendix 3 of the rules).
Make a new virusinfo_syscheck.zip log
Added 1 minute later
Make a Gmer log
Last edited by Шапельский Александр; 18.02.2010 at 00:19.
Reason: Added
Uploaded the quarantine. New logs:
Check yourself with http://support.kaspersky.ru/kis2009/error?qid=208636215
Fix in HijackThis
Code:
O20 - AppInit_DLLs: winmm.dll
Run the script in AVZ
Code:
begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
QuarantineFile('C:\WINDOWS\system32\01.tmp','');
DeleteService('kednydpyt');
QuarantineFile('C:\WINDOWS\system32\02.tmp','');
DeleteService('apsgcvnp');
DeleteFile('C:\WINDOWS\system32\02.tmp');
DeleteFile('C:\WINDOWS\system32\01.tmp');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.
The computer will reboot.
Send the quarantine according to Appendix 3 of the rules via the red "Send the requested quarantine" link at the top of the thread
Make new logs
The check with the KK.exe utility found nothing. Uploaded the quarantine. And new logs:
Run the script
Code:
begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
QuarantineFile('C:\WINDOWS\system32\01.tmp','');
DeleteService('kednydpyt');
QuarantineFile('C:\WINDOWS\system32\02.tmp','');
DeleteService('apsgcvnp');
DeleteFile('C:\WINDOWS\system32\02.tmp');
DeleteFile('C:\WINDOWS\system32\01.tmp');
BC_ImportAll;
BC_DeleteFile('C:\WINDOWS\system32\01.tmp');
BC_DeleteFile('C:\WINDOWS\system32\02.tmp');
BC_DeleteSvc('apsgcvnp');
BC_DeleteSvc('kednydpyt');
ExecuteSysClean;
BC_Activate;
Sleep(180);
RebootWindows(true);
end.
The PC will reboot in 3 min.!
upload the quarantine via the "Send the requested quarantine" link in the header of your thread (Appendix 3 of the rules).
Repeat the steps described in items 1-3 of Diagnostics and attach the new logs to a new post.
Make a virusinfo_syscheck.zip log, an MBAM log and a Gmer log
Uploaded the quarantine. Here are the new logs:
Remove in MBAM
Code:
Infected registry keys:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\MyCentria (Adware.MyCentria) -> No action taken.
Infected registry values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> No action taken.
Infected registry data items:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> No action taken.
Infected folders:
C:\WINDOWS\system32\lowsec (Stolen.data) -> No action taken.
C:\Program Files\MyCentria (Adware.MyCentria) -> No action taken.
C:\Program Files\MyCentria\Firefox (Adware.MyCentria) -> No action taken.
C:\Program Files\MyCentria\InfoBar (Adware.MyCentria) -> No action taken.
Infected files:
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> No action taken.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> No action taken.
C:\WINDOWS\logfile32.txt (Malware.Trace) -> No action taken.
C:\WINDOWS\system32\drivers\str.sys (Rootkit.Agent) -> No action taken.
C:\Documents and Settings\user\nigzss.txt (Malware.Trace) -> No action taken.
Make a new MBAM log
P.S. When you made the Gmer log, did you press the Scan button?
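The MBAM findings above (the three Security Center DisableNotify flags set to 1, the SHOWALL CheckedValue forced to 0), the AppInit_DLLs: winmm.dll entry fixed in HijackThis earlier in the thread, and the "System Restore has been turned off by group policy" symptom from the first post are all registry tampering, and all of it can be audited offline from a plain `reg export`. The following is an added example, not part of the thread or of any of the tools it uses: a parser for the REG_SZ/REG_DWORD subset of .reg syntax and an audit table with the expected values. SAMPLE_REG is constructed to reproduce those findings rather than copied from the logs; the System Restore policy location (HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore, DisableSR) is the standard Windows policy value and is included here as this example's assumption about what that error message points to.

```python
"""Audit a registry export (.reg) for the tamper indicators seen in this
thread.  Added example, not from the original thread; SAMPLE_REG is
constructed to reproduce the MBAM/HijackThis findings, not taken from the logs."""
import re
from typing import Dict, List, Tuple

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<val>.*)$')


def _unescape(s: str) -> str:
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Parse the REG_SZ / REG_DWORD subset of `reg export` output.
    Keys and value names are lower-cased so lookups are case-insensitive,
    as the registry itself is."""
    tree: Dict[str, Dict[str, object]] = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            tree.setdefault(key, {})
            continue
        m = VAL_RE.match(line)
        if not (m and key):
            continue  # hex()/binary and continued lines are out of scope
        name = "" if m.group("default") else _unescape(m.group("name")).lower()
        val = m.group("val")
        if val.startswith("dword:"):
            tree[key][name] = int(val[len("dword:"):], 16)
        elif len(val) >= 2 and val[0] == val[-1] == '"':
            tree[key][name] = _unescape(val[1:-1])
    return tree


HKLM_SW = "hkey_local_machine\\software\\"
# (key, value name, expected DWORD).  A missing value is not a finding;
# a present value with the wrong data is.
EXPECTED_DWORDS: List[Tuple[str, str, int]] = [
    (HKLM_SW + "microsoft\\security center", "AntiVirusDisableNotify", 0),
    (HKLM_SW + "microsoft\\security center", "FirewallDisableNotify", 0),
    (HKLM_SW + "microsoft\\security center", "UpdatesDisableNotify", 0),
    (HKLM_SW + "microsoft\\windows\\currentversion\\explorer\\advanced"
     "\\folder\\hidden\\showall", "CheckedValue", 1),
    # Policy value behind "System Restore has been turned off by group policy"
    # (assumed location for this example).
    (HKLM_SW + "policies\\microsoft\\windows nt\\systemrestore", "DisableSR", 0),
]
APPINIT_KEY = HKLM_SW + "microsoft\\windows nt\\currentversion\\windows"


def audit(tree: Dict[str, Dict[str, object]]) -> List[str]:
    """Return one line per deviation from the expected values."""
    findings = []
    for key, name, good in EXPECTED_DWORDS:
        actual = tree.get(key, {}).get(name.lower())
        if actual is not None and actual != good:
            findings.append(f"{key}\\{name} = {actual} (expected {good})")
    # AppInit_DLLs is loaded into every process that links user32.dll;
    # on a clean machine the value is empty.
    appinit = tree.get(APPINIT_KEY, {}).get("appinit_dlls", "")
    if isinstance(appinit, str) and appinit.strip():
        findings.append(f"{APPINIT_KEY}\\AppInit_DLLs = {appinit!r} (expected empty)")
    return findings


# Constructed export reproducing the thread's findings; not a real log.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="winmm.dll"
"DeviceNotSelectedTimeout"="15"
'''

if __name__ == "__main__":
    for finding in audit(parse_reg(SAMPLE_REG)):
        print("TAMPERED:", finding)
```

Run it against `reg export HKLM\SOFTWARE hklm_software.reg` taken from the suspect machine (use the `/y` flag on newer systems to overwrite), or against the export of a known-clean machine to confirm the table produces no findings there. The AppInit_DLLs check only reports a non-empty value; which DLL is listed (winmm.dll here, a name that shadows a legitimate system library) still has to be judged by hand.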
I made the Gmer log exactly by the instructions and did press the Scan button. Removed the listed items in MBAM. What should I do if I didn't save the log after removing the files? Run a repeat scan?
The log is clean; how is the problem?
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180
I recommend updating it, plus installing the latest OS updates
Quote from
shapel
The log is clean; how is the problem?
I recommend updating it, plus installing the latest OS updates
At first glance everything works fine. I'll get on the updates now. Thanks a lot!
Treatment summary
Statistics of the treatment performed:
- Quarantines received: 6
- Files processed: 53
- Malware detected during treatment:
- c:\recycler\s-1-5-21-7026561162-5736816891-843969590-6903\wmfcgr.exe - Trojan-Downloader.Win32.FraudLoad.wycp ( DrWEB: Trojan.DownLoad.35732, BitDefender: Trojan.Downloader.FraudLoad.S, AVAST4: Win32:Wmit [Trj] )