Не посмотрите логи?
sptd (sptd.sys) — это драйвер SCSI Pass Through Direct, который устанавливает Alcohol 120%.
а вот [COLOR=black]mssrv32.exe — это что такое? AVZ пишет, что имя подозрительное.[/COLOR]
Карантин прислал.
Не посмотрите логи?
sptd (sptd.sys) — это драйвер SCSI Pass Through Direct, который устанавливает Alcohol 120%.
а вот [COLOR=black]mssrv32.exe — это что такое? AVZ пишет, что имя подозрительное.[/COLOR]
Карантин прислал.
Выполните скрипт в АВЗ
[code]begin
// AVZ remediation script, first pass. The order of the calls is deliberate:
//   1. rootkit search and AVZGuard ON before any file is touched;
//   2. QuarantineFile for every suspect path (keeps a copy for analysis);
//   3. DeleteFile for the same paths;
//   4. hand the lists to BootCleaner and reboot, so files that are locked
//      while Windows runs (a loaded driver, a running process) are removed
//      at the next boot.
// All paths are 8.3 short names copied from this machine's AVZ log
// (DOCUME~1\6133~1.RIV\LOCALS~1\Temp = the user profile's Temp dir);
// they are only meaningful on the machine the log came from.
SearchRootkit(true, true);
SetAVZGuardStatus(True);
// qgzx.dll is only quarantined here; this script never deletes it
// (the follow-up script further down in the thread quarantines AND deletes it).
QuarantineFile('C:\WINDOWS\system32\qgzx.dll','');
// Hex-named *_0.DLL files dropped into the user's Temp directory.
// Quarantined here, deleted further down — same set, opposite order.
QuarantineFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\F7C87_0.DLL','');
QuarantineFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\F7A10_0.DLL','');
QuarantineFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\DF1A0_0.DLL','');
QuarantineFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\4168B_0.DLL','');
QuarantineFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\40F94_0.DLL','');
QuarantineFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\2D358_0.DLL','');
QuarantineFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\2871FD_0.DLL','');
QuarantineFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\25A31_0.DLL','');
QuarantineFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\24D3E_0.DLL','');
QuarantineFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\22B86_0.DLL','');
QuarantineFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\2137B6_0.DLL','');
QuarantineFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\21361B_0.DLL','');
QuarantineFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\21348B_0.DLL','');
QuarantineFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\2132E6_0.DLL','');
QuarantineFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\213123_0.DLL','');
QuarantineFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\212D12_0.DLL','');
QuarantineFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\212B09_0.DLL','');
QuarantineFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\21295B_0.DLL','');
QuarantineFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\2127CA_0.DLL','');
QuarantineFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\2124E5_0.DLL','');
QuarantineFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\212354_0.DLL','');
QuarantineFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\2121BA_0.DLL','');
QuarantineFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\211FCF_0.DLL','');
QuarantineFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\211E3E_0.DLL','');
QuarantineFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\211B59_0.DLL','');
QuarantineFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\211979_0.DLL','');
QuarantineFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\211658_0.DLL','');
QuarantineFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\2114D1_0.DLL','');
QuarantineFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\21117E_0.DLL','');
QuarantineFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\210EAD_0.DLL','');
QuarantineFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\210CB8_0.DLL','');
QuarantineFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\210BAA_0.DLL','');
QuarantineFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\210A2D_0.DLL','');
QuarantineFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\21075C_0.DLL','');
QuarantineFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\2105B7_0.DLL','');
QuarantineFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\210413_0.DLL','');
QuarantineFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\20FE5D_0.DLL','');
QuarantineFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\20F6EE_0.DLL','');
// Three files in system32 worth calling out:
//  - KB_963491.exe: a hotfix-style name (KB + number) that does not match
//    Microsoft's own naming, sitting in system32 — presumably camouflage.
//    The user later reports it was no longer on disk, only registry remnants.
//  - necsort.sys: a kernel driver placed in system32 rather than
//    system32\drivers; identified later in this thread as Rootkit.Win32.Agent.vl.
//  - mssrv32.exe: the file the user asked about; identified later in this
//    thread as Trojan-Downloader.Win32.Small.hzt.
QuarantineFile('C:\WINDOWS\system32\KB_963491.exe','');
QuarantineFile('C:\WINDOWS\system32\necsort.sys','');
QuarantineFile('C:\WINDOWS\system32\mssrv32.exe','');
QuarantineFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\20F63A_0.DLL','');
QuarantineFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\206B14_0.DLL','');
QuarantineFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\206A60_0.DLL','');
QuarantineFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\206998_0.DLL','');
QuarantineFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\206894_0.DLL','');
QuarantineFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\20673F_0.DLL','');
QuarantineFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\20664F_0.DLL','');
QuarantineFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\206540_0.DLL','');
QuarantineFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\206428_0.DLL','');
QuarantineFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\206283_0.DLL','');
QuarantineFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\20612F_0.DLL','');
QuarantineFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\20600C_0.DLL','');
QuarantineFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\205D95_0.DLL','');
QuarantineFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\183CFA_0.DLL','');
QuarantineFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\183472_0.DLL','');
// Deletion pass: every path quarantined above EXCEPT qgzx.dll, listed in
// reverse order. Nothing is deleted that was not quarantined first.
DeleteFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\183472_0.DLL');
DeleteFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\183CFA_0.DLL');
DeleteFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\205D95_0.DLL');
DeleteFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\20600C_0.DLL');
DeleteFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\20612F_0.DLL');
DeleteFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\206283_0.DLL');
DeleteFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\206428_0.DLL');
DeleteFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\206540_0.DLL');
DeleteFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\20664F_0.DLL');
DeleteFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\20673F_0.DLL');
DeleteFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\206894_0.DLL');
DeleteFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\206998_0.DLL');
DeleteFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\206A60_0.DLL');
DeleteFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\206B14_0.DLL');
DeleteFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\20F63A_0.DLL');
// A running executable or a loaded driver may not be deletable while
// Windows is up; that is what the BootCleaner hand-off at the end is for.
DeleteFile('C:\WINDOWS\system32\mssrv32.exe');
DeleteFile('C:\WINDOWS\system32\necsort.sys');
DeleteFile('C:\WINDOWS\system32\KB_963491.exe');
DeleteFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\20F6EE_0.DLL');
DeleteFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\20FE5D_0.DLL');
DeleteFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\210413_0.DLL');
DeleteFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\2105B7_0.DLL');
DeleteFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\21075C_0.DLL');
DeleteFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\210A2D_0.DLL');
DeleteFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\210BAA_0.DLL');
DeleteFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\210CB8_0.DLL');
DeleteFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\210EAD_0.DLL');
DeleteFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\21117E_0.DLL');
DeleteFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\2114D1_0.DLL');
DeleteFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\211658_0.DLL');
DeleteFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\211979_0.DLL');
DeleteFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\211B59_0.DLL');
DeleteFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\211E3E_0.DLL');
DeleteFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\211FCF_0.DLL');
DeleteFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\2121BA_0.DLL');
DeleteFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\212354_0.DLL');
DeleteFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\2124E5_0.DLL');
DeleteFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\2127CA_0.DLL');
DeleteFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\21295B_0.DLL');
DeleteFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\212B09_0.DLL');
DeleteFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\212D12_0.DLL');
DeleteFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\213123_0.DLL');
DeleteFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\2132E6_0.DLL');
DeleteFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\21348B_0.DLL');
DeleteFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\21361B_0.DLL');
DeleteFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\2137B6_0.DLL');
DeleteFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\22B86_0.DLL');
DeleteFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\24D3E_0.DLL');
DeleteFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\25A31_0.DLL');
DeleteFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\2871FD_0.DLL');
DeleteFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\2D358_0.DLL');
DeleteFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\40F94_0.DLL');
DeleteFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\4168B_0.DLL');
DeleteFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\DF1A0_0.DLL');
DeleteFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\F7A10_0.DLL');
DeleteFile('C:\DOCUME~1\6133~1.RIV\LOCALS~1\Temp\F7C87_0.DLL');
// Hand-off to BootCleaner: BC_ImportAll registers both the quarantine and
// the delete lists (the follow-up script uses BC_ImportDeletedList instead,
// i.e. only the delete list). Must come after the DeleteFile calls.
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
// Forced reboot so the deferred boot-time operations actually run.
RebootWindows(true);
end.[/code]
Загрузите карантин согласно п.3 правил по ссылке [url]http://virusinfo.info/upload_virus.php?tid=17211[/url]
и еще ...
выполните скрипт ...
[code]
begin
// Follow-up AVZ script from the second helper. Same skeleton as the first
// script above: rootkit search, AVZGuard on, quarantine, delete, BootCleaner,
// reboot — order matters for the same reasons.
SearchRootkit(true, true);
SetAVZGuardStatus(True);
// Two items are quarantined for analysis only and NOT deleted by this script:
//  - kcresume.exe under a KillCopy directory on the F: downloads folder
//    (presumably the copy utility's resume helper — confirm before removing);
//  - sais.exe under a 180solutions directory (a vendor associated with adware).
// Sending them in without deleting lets the helper verify them first.
QuarantineFile('F:\DOWNLO~1\KillCopy\kcresume.exe','');
QuarantineFile('c:\program files\180solutions\sais.exe','');
// qgzx.dll was quarantined by the first script but never deleted there;
// this script closes that gap (quarantine again, then delete).
QuarantineFile('C:\WINDOWS\system32\qgzx.dll','');
DeleteFile('C:\WINDOWS\system32\qgzx.dll');
// Only the delete list is handed to BootCleaner here (the first script used
// BC_ImportAll, which also registers the quarantine list).
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.
[/code]
пришлите карантин согласно приложению 3 правил ...
повторите логи ...
в карантине ...
C:\WINDOWS\system32\necsort.sys [B]Rootkit.Win32.Agent.vl[/B]
C:\WINDOWS\system32\mssrv32.exe [B]Trojan-Downloader.Win32.Small.hzt[/B]
Скрипты выполнил.
Этих файлов в системе уже не было — видимо, остались только ключи в реестре:
c:\program files\180solutions\sais.exe
C:\WINDOWS\system32\qgzx.dll
C:\WINDOWS\system32\KB_963491.exe
карантин выслал с файлами, помещенными по результатам последней проверки
Статистика проведенного лечения:
[LIST][*]Получено карантинов: [B]2[/B][*]Обработано файлов: [B]64[/B][*]В ходе лечения обнаружены вредоносные программы:
[LIST=1][*] c:\documents and settings\админ.rivex-1\doctorweb\quarantine\a0118928.exe - [B]not-a-virus:AdWare.Win32.EZula.z[/B] (DrWEB: Adware.Ezula)[*] c:\windows\system32\mssrv32.exe - [B]Trojan-Downloader.Win32.Small.hzt[/B] (DrWEB: Trojan.DownLoader.35134)[*] c:\windows\system32\necsort.sys - [B]Rootkit.Win32.Agent.vl[/B] (DrWEB: Trojan.NtRootKit.767)[/LIST][/LIST]