- Выполните скрипт в AVZ
Код:
begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
DeleteFileMask(GetAVZDirectory + 'Quarantine', '*.*', true);
QuarantineFile('C:\Documents and Settings\Cmex\hddd.exe','');
QuarantineFile('C:\Documents and Settings\Cmex\bnt.exe','');
QuarantineFile('C:\WINDOWS\system32\86.exe','');
QuarantineFile('C:\WINDOWS\system32\71.exe','');
QuarantineFile('C:\WINDOWS\system32\60.exe','');
QuarantineFile('C:\WINDOWS\system32\56.exe','');
QuarantineFile('C:\WINDOWS\system32\52.exe','');
QuarantineFile('C:\WINDOWS\system32\37.exe','');
QuarantineFile('C:\WINDOWS\system32\36.exe','');
QuarantineFile('C:\WINDOWS\system32\11.exe','');
QuarantineFile('C:\WINDOWS\system32\13.exe','');
QuarantineFile('C:\WINDOWS\system32\26.exe','');
QuarantineFile('C:\WINDOWS\system32\35.exe','');
QuarantineFile('C:\WINDOWS\wjdrive32.exe','');
QuarantineFile('C:\WINDOWS\system32\vyre32.exe','');
QuarantineFile('C:\WINDOWS\ggdrive32.exe','');
QuarantineFile('C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1811\vsbntlo.exe','');
QuarantineFile('C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1413\syitm.exe','');
TerminateProcessByName('c:\windows\wjdrive32.exe');
QuarantineFile('c:\windows\wjdrive32.exe','');
QuarantineFile('c:\documents and settings\cmex\hddd.exe','');
DeleteFile('c:\documents and settings\cmex\hddd.exe');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','Advanced HTTPL Enable');
DeleteFile('C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1413\syitm.exe');
RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\Run','Tnaww');
DeleteFile('C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1811\vsbntlo.exe');
RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\Run','12CFG214-K641-12SF-N85P');
DeleteFile('C:\WINDOWS\ggdrive32.exe');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','Microsoft Driver Setup');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run','Microsoft Driver Setup');
DeleteFile('C:\WINDOWS\system32\vyre32.exe');
DeleteFile('C:\WINDOWS\wjdrive32.exe');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run','Microsoft Config Setup');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','Microsoft Config Setup');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','vyre32');
DeleteFile('C:\WINDOWS\system32\11.exe');
DeleteFile('C:\WINDOWS\system32\13.exe');
DeleteFile('C:\WINDOWS\system32\26.exe');
DeleteFile('C:\WINDOWS\system32\35.exe');
DeleteFile('C:\WINDOWS\system32\36.exe');
DeleteFile('C:\WINDOWS\system32\37.exe');
DeleteFile('C:\WINDOWS\system32\52.exe');
DeleteFile('C:\WINDOWS\system32\56.exe');
DeleteFile('C:\WINDOWS\system32\60.exe');
DeleteFile('C:\WINDOWS\system32\71.exe');
DeleteFile('C:\WINDOWS\system32\86.exe');
DeleteFile('C:\Documents and Settings\Cmex\bnt.exe');
DeleteFile('C:\Documents and Settings\Cmex\hddd.exe');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows NT\CurrentVersion\Winlogon','Taskman ');
DeleteFileMask('C:\Documents and Settings\Cmex\Local Settings\Temporary Internet Files\Content.IE5', '*.*', true);
DeleteDirectory('C:\Documents and Settings\Cmex\Local Settings\Temporary Internet Files\Content.IE5');
BC_ImportAll;
ExecuteSysClean;
ExecuteRepair(11);
ExecuteWizard('TSW', 2, 2, true);
ExecuteWizard('SCU', 2, 2, true);
BC_Activate;
RebootWindows(true);
end.
После перезагрузки:
- выполните такой скрипт
Код:
begin
CreateQurantineArchive(GetAVZDirectory+'quarantine.zip');
end.
- Файл quarantine.zip из папки AVZ загрузите по ссылке Прислать запрошенный карантин вверху темы
- удалите в MBAM что останется из этого
Код:
Заражённые процессы в памяти:
c:\documents and settings\Cmex\hddd.exe (Malware.Generic) -> 1896 -> No action taken.
c:\WINDOWS\wjdrive32.exe (Trojan.Agent) -> 1532 -> No action taken.
Заражённые параметры в реестре:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Advanced HTTPL Enable (Malware.Generic) -> Value: Advanced HTTPL Enable -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vyre32 (Malware.VB.Gen) -> Value: vyre32 -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tnaww (Malware.Generic) -> Value: Tnaww -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Config Setup (Trojan.Agent) -> Value: Microsoft Config Setup -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft Config Setup (Trojan.Agent) -> Value: Microsoft Config Setup -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Driver Setup (Backdoor.IRCBot) -> Value: Microsoft Driver Setup -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft Driver Setup (Backdoor.IRCBot) -> Value: Microsoft Driver Setup -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Worm.Palevo) -> Value: Shell -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\12CFG214-K641-12SF-N85P (Worm.AutoRun.Gen) -> Value: 12CFG214-K641-12SF-N85P -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman (Worm.Palevo) -> Value: Taskman -> No action taken.
Объекты реестра заражены:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman (Malware.Generic) -> Bad: (C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1413\syitm.exe) Good: () -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (explorer.exe,C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1413\syitm.exe,Explorer.exe) Good: (Explorer.exe) -> No action taken.
Заражённые папки:
c:\RECYCLER\s-1-5-21-0243936033-3052116371-381863308-1811 (Trojan.Agent) -> No action taken.
c:\RECYCLER\s-1-5-21-0243556031-888888379-781863308-1413 (Worm.AutoRun) -> No action taken.
c:\RECYCLER\r-1-5-21-1482476501-1644491937-682003330-1013 (Worm.AutoRun.Gen) -> No action taken.
Заражённые файлы:
c:\documents and settings\Cmex\hddd.exe (Malware.Generic) -> No action taken.
c:\WINDOWS\system32\vyre32.exe (Malware.VB.Gen) -> No action taken.
c:\RECYCLER\s-1-5-21-0243556031-888888379-781863308-1413\syitm.exe (Malware.Generic) -> No action taken.
c:\documents and settings\Cmex\hdcd.exe (Malware.Generic) -> No action taken.
c:\documents and settings\Cmex\local settings\temporary internet files\Content.IE5\06YM1NS8\cut[1].gif (Extension.Mismatch) -> No action taken.
c:\documents and settings\Cmex\local settings\temporary internet files\Content.IE5\BIXJ7CR8\serv8[1].exe (Malware.Generic) -> No action taken.
c:\Vir\Avz\Infected\2011-03-29\avz00001.dta (Worm.Palevo) -> No action taken.
c:\Vir\Avz\Infected\2011-03-29\avz00002.dta (Worm.Palevo) -> No action taken.
c:\Vir\Avz\quarantine\2011-03-30\avz00001.dta (Malware.Generic) -> No action taken.
c:\Vir\Avz\quarantine\2011-03-30\avz00013.dta (Malware.VB.Gen) -> No action taken.
c:\Vir\Avz\quarantine\2011-03-30\avz00017.dta (Malware.Generic) -> No action taken.
c:\WINDOWS\wjdrive32.exe (Trojan.Agent) -> No action taken.
c:\WINDOWS\ggdrive32.exe (Backdoor.IRCBot) -> No action taken.
c:\RECYCLER\s-1-5-21-0243936033-3052116371-381863308-1811\vsbntlo.exe (Worm.AutoRun.Gen) -> No action taken.
c:\RECYCLER\s-1-5-21-0243936033-3052116371-381863308-1811\Desktop.ini (Trojan.Agent) -> No action taken.
c:\RECYCLER\s-1-5-21-0243556031-888888379-781863308-1413\Desktop.ini (Worm.AutoRun) -> No action taken.
c:\RECYCLER\r-1-5-21-1482476501-1644491937-682003330-1013\acleaner.exe (Worm.AutoRun.Gen) -> No action taken.
c:\RECYCLER\r-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini (Worm.AutoRun.Gen) -> No action taken.
c:\RECYCLER\r-1-5-21-1482476501-1644491937-682003330-1013\winfixer.exe (Worm.AutoRun.Gen) -> No action taken.
- Сделайте повторные логи по правилам п.2 и 3 раздела Диагностика.(virusinfo_syscheck.zip;hijackthis.log)
- Сделайте лог MBAM