1. Delete in MBAM
Code:
Зараженные процессы в памяти:
C:\WINDOWS.1\system32\t\E001.exe (Malware.Packer) -> No action taken.
Зараженные ключи в реестре:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sopsrv (Malware.Packer) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vsd (Malware.Packer) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{6d125299-c2a9-4dbc-bec3-6f7124e39a41} (Adware.FieryAds) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d125299-c2a9-4dbc-bec3-6f7124e39a41} (Adware.FieryAds) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{00000000-dcff-d000-f399-837c709a807c} (Spyware.Zbot) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{0c050000-dcff-d000-f399-837c709a807c} (Spyware.Zbot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{00000000-dcff-d000-f399-837c709a807c} (Spyware.Zbot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{0c050000-dcff-d000-f399-837c709a807c} (Spyware.Zbot) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ba (Trojan.Scar) -> No action taken.
HKEY_CLASSES_ROOT\idid (Trojan.Sasfix) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Vkontakte (Trojan.Fkantakte) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Comersvc70 (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FieryAds (Adware.FieryAds) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_SQLDEBUGER (Trojan.Downloader) -> No action taken.
Зараженные параметры в реестре:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> No action taken.
Зараженные папки:
C:\Documents and Settings\Maxim\Application Data\FieryAds (Adware.FieryAds) -> No action taken.
C:\Documents and Settings\LocalService\Application Data\sysproc64 (Trojan.Agent) -> No action taken.
C:\WINDOWS.1\system32\sysproc64 (Trojan.Agent) -> No action taken.
Зараженные файлы:
C:\WINDOWS.1\system32\t\E001.exe (Malware.Packer) -> No action taken.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\E9QZ143K\A11[1].exe (Malware.Packer) -> No action taken.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\E9QZ143K\A13[1].exe (Malware.Packer) -> No action taken.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\E9QZ143K\A13[2].exe (Malware.Packer) -> No action taken.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\JV9LJUDR\A13[1].exe (Malware.Packer) -> No action taken.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\JV9LJUDR\A13[2].exe (Malware.Packer) -> No action taken.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\NREPK9HJ\A11[1].exe (Malware.Packer) -> No action taken.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\RL66Q2U5\A13[1].exe (Malware.Packer) -> No action taken.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\D907ZT01\ajdt[1].gif (Extension.Mismatch) -> No action taken.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\D907ZT01\mepco[1].bmp (Extension.Mismatch) -> No action taken.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\W5ST6F8F\eoyxx[1].jpg (Extension.Mismatch) -> No action taken.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\W5ST6F8F\obduvw[1].jpg (Extension.Mismatch) -> No action taken.
C:\Temp\Service.exe (Trojan.Scar) -> No action taken.
C:\WINDOWS.1\system32\stpasclib.dll (Malware.Packer) -> No action taken.
C:\WINDOWS.1\system32\stpasvstart.dll (Malware.Packer) -> No action taken.
C:\Documents and Settings\Maxim\Application Data\fieryads.dat (Adware.FieryAds) -> No action taken.
2. Fix in HijackThis as described in "how to fix in HiJackThis"
Code:
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - - (no file)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
3. Close all open applications except AVZ and Internet Explorer.
Disable:
- the PC's connection to the Internet/LAN
- Mandatory!!! System Restore!!! how to do this: see here
- Unload the antivirus and/or firewall
- Close all programs
- Run the following script in AVZ
Code:
begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
DeleteFileMask(GetAVZDirectory + 'Quarantine', '*.*', true);
// Quarantine first, then delete (paths had stray trailing spaces, now removed)
QuarantineFile('C:\WINDOWS.1\system32\SRGBUATX\A13.exe','');
QuarantineFile('C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\E9QZ143K\C002[1].exe','');
QuarantineFile('C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\E9QZ143K\C002[2].exe','');
QuarantineFile('C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\JV9LJUDR\P001[2].exe','');
DeleteFile('C:\WINDOWS.1\system32\SRGBUATX\A13.exe');
DeleteFile('C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\E9QZ143K\C002[1].exe');
DeleteFile('C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\E9QZ143K\C002[2].exe');
DeleteFile('C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\JV9LJUDR\P001[2].exe');
QuarantineFile('c:\documents and settings\all users\drm\Console\bofup.cc3','');
QuarantineFile('C:\WINDOWS.1\system32\sopasclib.dll','');
QuarantineFile('c:\WINDOWS.1\system32\sopasvstart.dll','');
DeleteFile('c:\WINDOWS.1\system32\sopasvstart.dll');
DeleteFile('C:\WINDOWS.1\system32\sopasclib.dll');
QuarantineFile('C:\thumbs.db','');
// Remove the malicious services before their binaries
DeleteService('WinHees32');
QuarantineFile('C:\WINDOWS.1\system32\WinHees32.exe','');
QuarantineFile('C:\WINDOWS.1\system32\Service.exe','');
DeleteService('ba');
QuarantineFile('C:\WINDOWS.1\system32\VH3Z4460\P001.exe','');
DeleteService('gstr');
TerminateProcessByName('c:\windows.1\system32\vh3z4460\p001.exe');
DeleteFile('C:\WINDOWS.1\system32\VH3Z4460\P001.exe');
DeleteFile('C:\WINDOWS.1\system32\Service.exe');
DeleteFile('C:\WINDOWS.1\system32\WinHees32.exe');
DeleteFile('C:\thumbs.db');
QuarantineFile('C:\WINDOWS.1\system32\YZL5PS4I\C002.exe','');
DeleteFile('C:\WINDOWS.1\system32\YZL5PS4I\C002.exe');
QuarantineFile('C:\Temp\FengYun.dll','');
DeleteFileMask('C:\WINDOWS.1\system32\YZL5PS4I', '*.*', true);
DeleteDirectory('C:\WINDOWS.1\system32\YZL5PS4I');
QuarantineFile('C:\Documents and Settings\LocalService\Application Data\sysproc64\sysproc32.sys','');
DeleteFile('C:\Documents and Settings\LocalService\Application Data\sysproc64\sysproc32.sys');
QuarantineFile('C:\WINDOWS.1\5171609.tmp','');
QuarantineFile('C:\WINDOWS.1\5171453.tmp','');
QuarantineFile('C:\Temp\Server.exe','');
QuarantineFile('C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\NREPK9HJ\H001[1].exe','');
DeleteFile('C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\NREPK9HJ\H001[1].exe');
DeleteFile('C:\WINDOWS.1\5171453.tmp');
DeleteFile('C:\WINDOWS.1\5171609.tmp');
DeleteFile('C:\Temp\Server.exe');
QuarantineFile('C:\WINDOWS.1\system32\sysproc64\sysproc86.sys','');
QuarantineFile('C:\WINDOWS.1\system32\sysproc64\sysproc32.sys.cla','');
QuarantineFile('C:\WINDOWS.1\system32\sysproc64\sysproc32.sys','');
DeleteFile('C:\WINDOWS.1\system32\sysproc64\sysproc32.sys');
DeleteFile('C:\WINDOWS.1\system32\sysproc64\sysproc32.sys.cla');
DeleteFile('C:\WINDOWS.1\system32\sysproc64\sysproc86.sys');
DeleteFile('C:\Temp\FengYun.dll');
// Clear the IE cache of the LocalService account, where the droppers were downloaded
DeleteFileMask('C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5', '*.*', true);
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.
After the reboot:
- run this script
Code:
begin
CreateQurantineArchive(GetAVZDirectory+'quarantine.zip');
end.
- Upload the quarantine.zip file from the AVZ folder via the "Send requested quarantine" link at the top of the thread
- Make new logs according to items 2 and 3 of the Diagnostics section (virusinfo_syscheck.zip; hijackthis.log)
- make a Combofix log
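When the repeat logs come back, the useful check is whether any line in the new MBAM report still ends in "No action taken" and which persistence points (services, Explorer keys) are still present. The parser below is an added example, not part of the post above and not an MBAM or AVZ tool: it splits each MBAM report line into item, detection name and result, keeps the section header each line belongs to, lists the unresolved entries and pulls service names out of `...\Services\<name>` registry paths. The embedded log is a constructed excerpt of the report quoted in step 1 with one made-up "Quarantined and deleted successfully" line added so the filter has something to distinguish.

```python
import re
from collections import Counter

# Constructed excerpt of the MBAM report quoted in step 1 (a few original lines
# plus one made-up line with a different result); the real report is longer.
SAMPLE_LOG = r"""
Зараженные процессы в памяти:
C:\WINDOWS.1\system32\t\E001.exe (Malware.Packer) -> No action taken.
Зараженные ключи в реестре:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sopsrv (Malware.Packer) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vsd (Malware.Packer) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ba (Trojan.Scar) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken.
Зараженные файлы:
C:\Temp\Service.exe (Trojan.Scar) -> Quarantined and deleted successfully.
C:\WINDOWS.1\system32\stpasclib.dll (Malware.Packer) -> No action taken.
"""

# "<item> (<detection>) -> <result>"; the greedy first group lets paths that
# themselves contain parentheses (e.g. "Program Files (x86)") parse correctly,
# because the detection name never contains parentheses.
LINE_RE = re.compile(r"^(?P<item>.+) \((?P<detection>[^()]+)\) -> (?P<result>.+?)\.?$")
SERVICE_RE = re.compile(r"\\Services\\([^\\]+)$", re.IGNORECASE)


def parse_mbam_log(text):
    """Return one dict per finding: section, item, detection, result."""
    findings = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            findings.append({"section": section, **m.groupdict()})
        elif line.endswith(":"):
            # Section header such as "Зараженные ключи в реестре:"
            section = line[:-1]
    return findings


def outstanding(findings):
    """Findings MBAM reported but did not remediate."""
    return [f for f in findings if f["result"].startswith("No action taken")]


def summarize(findings):
    """Number of unresolved findings per report section."""
    return dict(Counter(f["section"] for f in outstanding(findings)))


def service_names(findings):
    """Service names referenced by unresolved registry findings, sorted."""
    names = set()
    for f in outstanding(findings):
        m = SERVICE_RE.search(f["item"])
        if m:
            names.add(m.group(1))
    return sorted(names)


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    for section, count in summarize(found).items():
        print(f"{count} unresolved in section: {section}")
    print("services still registered:", ", ".join(service_names(found)))
```

Run the same parser over the new report after the AVZ script and reboot; an empty `outstanding()` list and an empty `service_names()` result is what a clean follow-up log should look like, and anything left over goes into the next script.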