-
A herd of trojans + ntos.exe
Avast has been finding all sorts of junk on my PC all day today; here is an excerpt from today's log:
[CODE]11.01.2008 10:11:12 SYSTEM 1468 Sign of "Win32:Lmir-BK [Trj]" has been found in "C:\WINDOWS\system32\undname.exe\[UPX]" file.
11.01.2008 11:36:32 SYSTEM 1468 Sign of "Win32:Graball [Trj]" has been found in "http://timoxin.cn/modules/IEMod.dll" file.
11.01.2008 11:36:42 SYSTEM 1468 Sign of "Win32:Graball [Trj]" has been found in "http://timoxin.cn/modules/IEGrabber.dll" file.
11.01.2008 11:36:44 SYSTEM 1468 Sign of "Win32:Lmir-BK [Trj]" has been found in "C:\WINDOWS\system32\deviceemulator.exe\[UPX]" file.
11.01.2008 11:37:18 SYSTEM 1468 Sign of "Win32:Graball [Trj]" has been found in "http://timoxin.cn/modules/IEMod.dll" file.
11.01.2008 11:37:21 SYSTEM 1468 Sign of "Win32:Graball [Trj]" has been found in "http://timoxin.cn/modules/IEGrabber.dll" file.
11.01.2008 11:37:25 SYSTEM 1468 Sign of "Win32:Graball [Trj]" has been found in "http://timoxin.cn/modules/IEFaker.dll" file.
11.01.2008 11:38:18 SYSTEM 1468 Sign of "Win32:Agent-KDC [Trj]" has been found in "C:\WINDOWS\system32\DefLib.sys" file.
11.01.2008 11:38:25 SYSTEM 1468 Sign of "Win32:Agent-BSU [Trj]" has been found in "C:\DOCUME~1\User1\LOCALS~1\Temp\746710610.exe\[FSG]" file.
11.01.2008 11:49:02 SYSTEM 1468 Sign of "Win32:Agent-BSU [Trj]" has been found in "C:\DOCUME~1\User1\LOCALS~1\Temp\3487368314.exe\[FSG]" file.
11.01.2008 12:09:56 User1 1272 Sign of "Win32:Obfuscated-BUO [Trj]" has been found in "c:\windows\system32\svchost.exe\ext.exe:$DATA" file.
11.01.2008 12:10:03 User1 1272 Sign of "Win32:Agent-MLO [Trj]" has been found in "c:\windows\system32\sysfldr.dll" file.
11.01.2008 12:11:19 User1 1340 Sign of "Win32:Obfuscated-BUO [Trj]" has been found in "c:\windows\system32\svchost.exe\ext.exe:$DATA" file.
11.01.2008 12:11:43 User1 1340 Sign of "Win32:Agent-MLO [Trj]" has been found in "c:\windows\system32\sysfldr.dll" file.
11.01.2008 12:13:36 User1 968 Sign of "Win32:Obfuscated-BUO [Trj]" has been found in "c:\windows\system32\svchost.exe\ext.exe:$DATA" file.
11.01.2008 13:30:48 SYSTEM 1064 Sign of "Win32:Agent-BSU [Trj]" has been found in "C:\DOCUME~1\User1\LOCALS~1\Temp\123952624.exe\[FSG]" file.
11.01.2008 13:30:57 SYSTEM 1064 Sign of "Win32:Graball [Trj]" has been found in "http://timoxin.cn/modules/IEMod.dll" file.
11.01.2008 13:31:06 SYSTEM 1064 Sign of "Win32:Graball [Trj]" has been found in "http://timoxin.cn/modules/IEGrabber.dll" file.
11.01.2008 13:31:08 SYSTEM 1064 Sign of "Win32:Graball [Trj]" has been found in "http://timoxin.cn/modules/IEFaker.dll" file.
11.01.2008 13:33:16 SYSTEM 1064 Sign of "Win32:Agent-BSU [Trj]" has been found in "C:\DOCUME~1\User1\LOCALS~1\Temp\1605983874.exe\[FSG]" file.
11.01.2008 13:36:57 SYSTEM 1064 Sign of "Win32:Agent-BSU [Trj]" has been found in "C:\DOCUME~1\User1\LOCALS~1\Temp\3819265124.exe\[FSG]" file.
11.01.2008 13:50:53 SYSTEM 1460 Sign of "Win32:Graball [Trj]" has been found in "http://timoxin.cn/modules/IEMod.dll" file.
11.01.2008 13:51:06 SYSTEM 1460 Sign of "Win32:Agent-BSU [Trj]" has been found in "C:\DOCUME~1\User1\LOCALS~1\Temp\3693236782.exe\[FSG]" file.
11.01.2008 13:51:08 SYSTEM 1460 Sign of "Win32:Graball [Trj]" has been found in "http://timoxin.cn/modules/IEGrabber.dll" file.
11.01.2008 13:51:18 SYSTEM 1460 Sign of "Win32:Graball [Trj]" has been found in "http://timoxin.cn/modules/IEFaker.dll" file.
11.01.2008 13:51:21 SYSTEM 1460 Sign of "Win32:Graball [Trj]" has been found in "http://timoxin.cn/modules/CertGrabber.dll" file.
11.01.2008 13:51:56 SYSTEM 1460 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
11.01.2008 13:51:56 SYSTEM 1460 An error has occured while attempting to update. Please check the logs.
11.01.2008 13:53:56 SYSTEM 1460 Sign of "Win32:Agent-BSU [Trj]" has been found in "C:\DOCUME~1\User1\LOCALS~1\Temp\1119050736.exe\[FSG]" file.
11.01.2008 15:21:37 User1 3580 Sign of "Win32:Agent-BSU [Trj]" has been found in "c:\documents and settings\user1\local settings\temp\winsto.exe\[FSG]" file.
11.01.2008 15:21:44 User1 3580 Sign of "Win32:Agent-BSU [Trj]" has been found in "c:\docume~1\user1\locals~1\temp\winsto.exe\[FSG]" file.
11.01.2008 15:23:18 SYSTEM 1064 Sign of "Win32:Graball [Trj]" has been found in "C:\WINDOWS\system32\yatool.dll" file.
11.01.2008 15:23:26 SYSTEM 1064 Sign of "Win32:Graball [Trj]" has been found in "C:\WINDOWS\system32\rsh.dll" file.
11.01.2008 15:23:30 SYSTEM 1064 Sign of "Win32:Graball [Trj]" has been found in "C:\WINDOWS\system32\iphelp.dll" file.
11.01.2008 15:23:33 SYSTEM 1064 Sign of "Win32:Graball [Trj]" has been found in "C:\WINDOWS\system32\mscert.dll" file.
11.01.2008 15:23:37 SYSTEM 1064 Sign of "Win32:Graball [Trj]" has been found in "C:\WINDOWS\system32\protect.dll" file.
11.01.2008 15:23:40 SYSTEM 1064 Sign of "Win32:Graball [Trj]" has been found in "C:\WINDOWS\system32\psx.dll" file.
11.01.2008 15:23:43 SYSTEM 1064 Sign of "Win32:Graball [Trj]" has been found in "C:\WINDOWS\system32\rcpdu.dll" file.
11.01.2008 15:23:51 SYSTEM 1064 Sign of "Win32:Graball [Trj]" has been found in "C:\WINDOWS\system32\netd.dll" file.
11.01.2008 15:23:54 SYSTEM 1064 Sign of "Win32:Graball [Trj]" has been found in "C:\WINDOWS\system32\credigui.dll" file.
11.01.2008 15:24:04 SYSTEM 1064 Sign of "Win32:Graball [Trj]" has been found in "C:\WINDOWS\system32\gdid32.dll" file.
11.01.2008 15:24:07 SYSTEM 1064 Sign of "Win32:Graball [Trj]" has been found in "C:\WINDOWS\system32\pxcrt.dll" file.[/CODE]
I tried to clean it up, but it feels like far from everything got caught. I disconnected the network, scanned, deleted, rebooted. While the network is disconnected everything seems quiet, but as soon as I connect, the flood starts: either someone from outside is hammering at the door, or something wakes up on the disk. And ntos.exe in system.ini: UserInit keeps reappearing all by itself after a reboot, although I couldn't find the file itself. Please help.
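The log excerpt above is noisy: the same signatures hit the same paths over and over, and the detections that actually tell you what is going on (a remote host serving DLL modules, an NTFS alternate data stream hung off svchost.exe, packed droppers in Temp) are buried among the repeats. As an added example that is not part of the original thread, the following Python parses Avast log lines of this format and groups them by signature and by where the file lives. The sample lines are copied from the excerpt above; the location categories, the handling of the trailing `\[UPX]` / `\[FSG]` packer suffix and the reading of `:$DATA` as an alternate data stream are my own assumptions about how Avast names things.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse

# A handful of lines copied from the Avast log excerpt in the post above
# (one non-detection line included to show it is skipped).
SAMPLE_LINES = [
    r'11.01.2008 10:11:12 SYSTEM 1468 Sign of "Win32:Lmir-BK [Trj]" has been found in "C:\WINDOWS\system32\undname.exe\[UPX]" file.',
    r'11.01.2008 11:36:32 SYSTEM 1468 Sign of "Win32:Graball [Trj]" has been found in "http://timoxin.cn/modules/IEMod.dll" file.',
    r'11.01.2008 11:38:18 SYSTEM 1468 Sign of "Win32:Agent-KDC [Trj]" has been found in "C:\WINDOWS\system32\DefLib.sys" file.',
    r'11.01.2008 11:38:25 SYSTEM 1468 Sign of "Win32:Agent-BSU [Trj]" has been found in "C:\DOCUME~1\User1\LOCALS~1\Temp\746710610.exe\[FSG]" file.',
    r'11.01.2008 12:09:56 User1 1272 Sign of "Win32:Obfuscated-BUO [Trj]" has been found in "c:\windows\system32\svchost.exe\ext.exe:$DATA" file.',
    r'11.01.2008 13:51:56 SYSTEM 1460 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.',
    r'11.01.2008 15:23:18 SYSTEM 1064 Sign of "Win32:Graball [Trj]" has been found in "C:\WINDOWS\system32\yatool.dll" file.',
]

# Shape of an Avast detection line: date time user pid Sign of "<sig>" has been found in "<path>" file.
DETECTION_RE = re.compile(
    r'^(?P<date>\d{2}\.\d{2}\.\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) '
    r'(?P<user>\S+) (?P<pid>\d+) '
    r'Sign of "(?P<signature>[^"]+)" has been found in "(?P<path>[^"]+)" file\.$'
)
# Avast appends "\[UPX]" / "\[FSG]" when the hit is inside an unpacked executable (assumption).
PACKER_SUFFIX_RE = re.compile(r'\\\[[A-Za-z0-9]+\]$')


def classify(path):
    """Rough location bucket; the order matters because an ADS path also contains system32."""
    p = path.lower()
    if p.startswith(("http://", "https://")):
        return "remote"          # payload fetched over the network, not a local file
    if ":$data" in p:
        return "ads"             # NTFS alternate data stream riding on a legitimate file name
    if "\\temp\\" in p:
        return "temp"            # dropper staging area
    if "\\system32\\" in p:
        return "system32"        # installed components
    return "other"


def parse_line(line):
    """Return a dict for a detection line, or None for update/status noise."""
    m = DETECTION_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    rec["packer"] = None
    pm = PACKER_SUFFIX_RE.search(rec["path"])
    if pm:
        rec["packer"] = pm.group(0)[2:-1]          # "\[UPX]" -> "UPX"
        rec["path"] = rec["path"][:pm.start()]     # real on-disk path
    rec["location"] = classify(rec["path"])
    return rec


def summarize(lines):
    """Collapse repeated hits into counts per signature, unique paths per location, remote hosts."""
    records = [r for r in map(parse_line, lines) if r]
    by_signature = Counter(r["signature"] for r in records)
    by_location = defaultdict(set)
    for r in records:
        by_location[r["location"]].add(r["path"])
    remote_hosts = sorted({urlparse(r["path"]).netloc
                           for r in records if r["location"] == "remote"})
    return {
        "records": records,
        "by_signature": by_signature,
        "by_location": {k: sorted(v) for k, v in by_location.items()},
        "remote_hosts": remote_hosts,
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LINES)
    for sig, n in s["by_signature"].most_common():
        print(f"{n:3d}  {sig}")
    for loc, paths in s["by_location"].items():
        print(loc, paths)
    print("hosts to block / look up:", s["remote_hosts"])
```

Feeding the full excerpt through `summarize` gives the short list that matters for the cleanup: one host (`timoxin.cn`) delivering the Graball modules, one ADS on `svchost.exe`, the `DefLib.sys` driver, and a dozen freshly dropped DLLs in system32, instead of forty-odd lines.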
-
run this script ....
[code]
begin
// look for user-mode and kernel-mode rootkit hooks before touching anything
SearchRootkit(true, true);
// AVZGuard keeps other processes from interfering while the script runs
SetAVZGuardStatus(True);
// stop the services that load the malicious drivers
StopService('protect');
StopService('Bkfo60');
// copy the suspect files to quarantine first so they can be analysed
QuarantineFile('C:\WINDOWS\system32\winload.dll','');
QuarantineFile('C:\WINDOWS\system32\ntos.exe','');
QuarantineFile('C:\WINDOWS\system32\drivers\protect.sys','');
QuarantineFile('C:\WINDOWS\system32\drivers\Bkfo60.sys','');
QuarantineFile('C:\WINDOWS\system32\hg543fdg.dll','');
// remove the browser helper object by its CLSID
DelBHO('{B2AC49A2-94F3-42BD-F434-2604812C897D}');
// delete the files and the services; BC_* operations are carried out by the boot cleaner on reboot
DeleteFile('C:\WINDOWS\system32\drivers\protect.sys');
DeleteFile('C:\WINDOWS\system32\drivers\Bkfo60.sys');
DeleteFile('C:\WINDOWS\system32\ntos.exe');
DeleteFile('C:\WINDOWS\system32\hg543fdg.dll');
DeleteFile('C:\WINDOWS\system32\winload.dll');
BC_DeleteSvc('Bkfo60');
BC_DeleteSvc('protect');
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.
[/code]
send the quarantine as described in the rules appendix ...
repeat the logs ...
-
Attachments: 2
The script ran, but the PC could not reboot on its own: for about 5 minutes it hung on "Closing network connections...". I had to help it along...
When re-running the AVZ treatment/information-gathering script, on the first attempt AVZ crashed out in English without saying goodbye; I managed to catch "Invalid pointer" and something about Google Toolbar. The second time everything went fine. Here are the logs; the quarantine doesn't fit, should I send it via the link at the top of the page?
-
[quote]send it via the link at the top of the page?
[/quote]
Exactly so and no other way ;)
[I]Added 47 seconds later[/I]
virusinfo_cure.zip IS the quarantine, and you attached it here!
-
Uploaded virus.zip.
[I]Added 4 minutes later[/I]
Then my apologies: AVZ creates those two files itself, and I naively assumed they were just logs, because the "Archive" command when viewing the quarantine creates a file "virus.zip", which I uploaded via the link at the top... Is there anything else I need to send?
-
C:\16.tmp TR/Dropper.Gen
C:\WINDOWS\system32\hg543fdg.dll HEUR/Malware
C:\WINDOWS\system32\ntos.exe Zbot.AM
C:\WINDOWS\system32\winload.dll Generic Packed.f
run this script ....
[code]
begin
// the dropper was not covered by the first script; delete it and let the boot cleaner finish the job
DeleteFile('C:\16.tmp');
BC_ImportDeletedList;
BC_Activate;
ExecuteSysClean;
RebootWindows(true);
end.
[/code]
are there any problems left ....
-
Treatment summary
Statistics for the treatment performed:
[LIST][*]Quarantines received: [B]1[/B][*]Files processed: [B]4[/B][*]Malicious programs found during treatment:
[LIST=1][*] c:\windows\system32\hg543fdg.dll - [B]Trojan-Downloader.Win32.Bensorty.fu[/B] (DrWEB: Trojan.DownLoader.38509)[*] c:\windows\system32\ntos.exe - [B]Trojan-Spy.Win32.Zbot.aaz[/B] (DrWEB: Trojan.Proxy.2507)[*] c:\windows\system32\winload.dll - [B]Trojan.Win32.Small.yp[/B] (DrWEB: Trojan.PWS.Grabber.30)[*] c:\16.tmp - [B]Trojan-Downloader.Win32.Agent.hft[/B] (DrWEB: Trojan.MulDrop.10022)[/LIST][/LIST]