There are two identical laptops. Both are infected in the same way (from the same flash drive); all the symptoms are obvious.
Both systems were updated. The first was cleaned with Cureit!, the second with AVP.
I'm preparing the logs from the second one.
Here are the ones from the first.
Thanks in advance.
Заражённые процессы в памяти:
c:\documents and settings\Admin\serv.exe (Trojan.Downloader) -> 3424 -> No action taken.
c:\WINDOWS\ggdrive32.exe (Worm.Palevo) -> 2724 -> No action taken.
Заражённые ключи в реестре:
HKEY_LOCAL_MACHINE\SOFTWARE\StimulProfit (Adware.Agent) -> No action taken.
Заражённые параметры в реестре:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tnaww (Trojan.Downloader) -> Value: Tnaww -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\12CFG214-K641-12SF-N85P (Trojan.Downloader) -> Value: 12CFG214-K641-12SF-N85P -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Advanced HTTPL Enable (Trojan.Downloader) -> Value: Advanced HTTPL Enable -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman (Worm.Palevo) -> Value: Taskman -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft Driver Setup (Worm.Palevo) -> Value: Microsoft Driver Setup -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Worm.Palevo) -> Value: Shell -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Driver Setup (Worm.Palevo) -> Value: Microsoft Driver Setup -> No action taken.
Объекты реестра заражены:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (explorer.exe,C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1413\syitm.exe,Explorer.exe) Good: (Explorer.exe) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman (Worm.Palevo.Gen) -> Bad: (c:\RECYCLER\R-1-5-21-1482476501-1644491937-682003330-1013\acleaner.exe) Good: () -> No action taken.
Заражённые папки:
c:\RECYCLER\s-1-5-21-0243936033-3052116371-381863308-1811 (Trojan.Agent) -> No action taken.
c:\RECYCLER\s-1-5-21-0243556031-888888379-781863308-1413 (Worm.AutoRun) -> No action taken.
c:\RECYCLER\r-1-5-21-1482476501-1644491937-682003330-1013 (Worm.AutoRun.Gen) -> No action taken.
Заражённые файлы:
c:\documents and settings\networkservice\local settings\temporary internet files\Content.IE5\HCRT02KD\rtfynhr[1].png (Extension.Mismatch) -> No action taken.
c:\WINDOWS\nigzss.txt (Malware.Trace) -> No action taken.
c:\documents and settings\Admin\doctorweb\quarantine\dq[1].exe (Spyware.Passwords.XGen) -> No action taken.
c:\documents and settings\Admin\doctorweb\quarantine\dq.exe (Spyware.Passwords.XGen) -> No action taken.
c:\documents and settings\Admin\doctorweb\quarantine\syitm.exe (Spyware.Passwords.XGen) -> No action taken.
c:\documents and settings\Admin\doctorweb\quarantine\syitm__0.exe (Spyware.Passwords.XGen) -> No action taken.
c:\RECYCLER\s-1-5-21-0243936033-3052116371-381863308-1811\Desktop.ini (Trojan.Agent) -> No action taken.
c:\documents and settings\Admin\doctorweb\quarantine\ggdrive32.exe (Trojan.Autorun) -> No action taken.
c:\documents and settings\Admin\doctorweb\quarantine\53.exe (Trojan.Autorun) -> No action taken.
c:\documents and settings\Admin\doctorweb\quarantine\65.exe (Trojan.Autorun) -> No action taken.
c:\documents and settings\Admin\doctorweb\quarantine\28.exe (Trojan.Autorun) -> No action taken.
c:\documents and settings\Admin\doctorweb\quarantine\77.exe (Trojan.Autorun) -> No action taken.
c:\documents and settings\Admin\doctorweb\quarantine\02.exe (Trojan.Autorun) -> No action taken.
c:\documents and settings\Admin\doctorweb\quarantine\41.exe (Trojan.Autorun) -> No action taken.
c:\documents and settings\Admin\doctorweb\quarantine\83.exe (Trojan.Autorun) -> No action taken.
c:\documents and settings\Admin\dq.exe (Trojan.Downloader) -> No action taken.
c:\documents and settings\Admin\local settings\temporary internet files\Content.IE5\CEIAQWT1\dq[1].exe (Trojan.Downloader) -> No action taken.
c:\documents and settings\Admin\local settings\temporary internet files\Content.IE5\VOGD3ZSN\bnet[1].exe (Trojan.Downloader) -> No action taken.
c:\documents and settings\Admin\serv.exe (Trojan.Downloader) -> No action taken.
c:\documents and settings\Admin\bnet.exe (Trojan.Downloader) -> No action taken.
c:\RECYCLER\s-1-5-21-0243936033-3052116371-381863308-1811\vsbntlo.exe (Trojan.Downloader) -> No action taken.
c:\documents and settings\Admin\doctorweb\quarantine\serv___0.exe (Trojan.Downloader) -> No action taken.
c:\RECYCLER\s-1-5-21-0243556031-888888379-781863308-1413\syitm.exe (Trojan.Downloader) -> No action taken.
c:\documents and settings\Admin\local settings\temporary internet files\Content.IE5\5NWJRXI9\serv8[1].exe (Trojan.Downloader) -> No action taken.
c:\documents and settings\Admin\doctorweb\quarantine\serv.exe (Trojan.Downloader) -> No action taken.
c:\documents and settings\Admin\doctorweb\quarantine\serv8[1].exe (Trojan.Downloader) -> No action taken.
c:\documents and settings\Admin\рабочий стол\avz4\quarantine\2011-02-19\avz00004.dta (Trojan.Downloader) -> No action taken.
c:\RECYCLER\s-1-5-21-0243556031-888888379-781863308-1413\Desktop.ini (Worm.AutoRun) -> No action taken.
c:\RECYCLER\r-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini (Worm.AutoRun.Gen) -> No action taken.
c:\documents and settings\Admin\doctorweb\quarantine\jwgkvsq.vmx (Worm.Conficker) -> No action taken.
c:\documents and settings\Admin\ms.exe (Worm.Palevo) -> No action taken.
c:\documents and settings\Admin\local settings\temporary internet files\Content.IE5\3JEF8V5P\ms[1].exe (Worm.Palevo) -> No action taken.
c:\WINDOWS\ggdrive32.exe (Worm.Palevo) -> No action taken.
c:\xdx.exe (Worm.Palevo.Gen) -> No action taken.
c:\documents and settings\networkservice\local settings\temporary internet files\Content.IE5\GI54H1GY\udv[1].exe (Worm.Palevo.Gen) -> No action taken.
c:\documents and settings\networkservice\local settings\temporary internet files\Content.IE5\6FCOCLK0\xudv[1].exe (Worm.Palevo.Gen) -> No action taken.
c:\documents and settings\Admin\local settings\temporary internet files\Content.IE5\VOGD3ZSN\udv[1].exe (Worm.Palevo.Gen) -> No action taken.
c:\documents and settings\Admin\рабочий стол\avz4\quarantine\2011-02-19\bcqr00020.dat (Worm.Palevo.Gen) -> No action taken.
c:\RECYCLER\r-1-5-21-1482476501-1644491937-682003330-1013\acleaner.exe (Worm.Palevo.Gen) -> No action taken.
c:\documents and settings\Admin\рабочий стол\avz4\quarantine\2011-02-19\avz00003.dta (Worm.Palevo.Gen) -> No action taken.
c:\documents and settings\Admin\doctorweb\quarantine\acleaner.exe (Worm.Palevo.Gen) -> No action taken.
c:\documents and settings\Admin\local settings\temporary internet files\Content.IE5\CEIAQWT1\xudv[1].exe (Worm.Palevo.Gen) -> No action taken.
c:\documents and settings\networkservice\local settings\temporary internet files\Content.IE5\HCRT02KD\m96[1].exe (Worm.Palevo.Gen) -> No action taken.
c:\documents and settings\Admin\doctorweb\quarantine\acleane0.exe (Worm.Palevo.Gen) -> No action taken.
c:\documents and settings\networkservice\local settings\temporary internet files\Content.IE5\YZL6CYAM\x39[1].exe (Worm.Palevo.Gen) -> No action taken.
e:\RECYCLER\r-1-5-21-1482476501-1644491937-682003330-1013\acleaner.exe (Worm.Palevo.Gen) -> No action taken.
c:\documents and settings\Admin\рабочий стол\avz4\quarantine\2011-02-19\avz00001.dta (Worm.Palevo.Gen) -> No action taken.
c:\documents and settings\Admin\рабочий стол\avz4\quarantine\2011-02-19\avz00002.dta (Worm.Palevo.Gen) -> No action taken.
c:\WINDOWS\system32\66.exe (Worm.Palevo.Gen) -> No action taken.
c:\documents and settings\Admin\рабочий стол\avz4\quarantine\2011-02-19\bcqr00019.dat (Worm.Palevo.Gen) -> No action taken.
c:\documents and settings\Admin\doctorweb\quarantine\udv[1].exe (Worm.Palevo.Gen) -> No action taken.
c:\documents and settings\networkservice\local settings\temporary internet files\Content.IE5\6FCOCLK0\udv[1].exe (Worm.Palevo.Gen) -> No action taken.
c:\documents and settings\Admin\local settings\temporary internet files\Content.IE5\3JEF8V5P\udv[1].exe (Worm.Palevo.Gen) -> No action taken.
c:\documents and settings\Admin\local settings\temporary internet files\Content.IE5\3JEF8V5P\xudv[1].exe (Worm.Palevo.Gen) -> No action taken.
c:\documents and settings\networkservice\local settings\temporary internet files\Content.IE5\HCRT02KD\m39[1].exe (Worm.Palevo.Gen) -> No action taken.