Много вирусов

Printable View

29.04.2008, 07:24
Dunkelheit

Много вирусов

Система так и кишит.
Посмотрите пожалуста.
29.04.2008, 09:31
Bratez

п.2 правил выполняли? надо выполнить!
29.04.2008, 09:39
V_Bond

Восстановление системы: включено \ отключить ...
[URL="http://mail.ustc.edu.cn/~jfpan/download/IceSword122en.zip"]скачайте [/URL]C:\WINDOWS\system32\WLCtrl32.dll, C:\WINDOWS\System32\Drivers\Eko84.sys и Ylq35.sys - force delete
віполните скрипт авз ...
[code]
begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
QuarantineFile('C:\WINDOWS\system32\pssb486.exe','');
QuarantineFile('C:\WINDOWS\Temp\codec.exe','');
QuarantineFile('C:\WINDOWS\system32\drivers\Tlc26.sys','');
QuarantineFile('C:\WINDOWS\system32\drivers\Mum52.sys','');
QuarantineFile('C:\WINDOWS\system32\drivers\Jxs64.sys','');
QuarantineFile('C:\Program Files\tmp31968.exe','');
QuarantineFile('C:\Program Files\iSecurity\Ultimate Defender\setup.exe','');
QuarantineFile('C:\Documents and Settings\123\Application Data\installer[1].exe','');
QuarantineFile('c:\windows\installer\{c414640a-2259-47a1-8b5d-08718f47cc8e}\unknownalrt.dll','');
QuarantineFile('C:\WINDOWS\System32\Drivers\Beep.SYS','');
DelBHO('{F10587E9-0E47-4CBE-84AE-7DD20B8684BB}');
DelBHO('{A8311E8F-E459-4D22-89B4-CB9DCF10A425}');
QuarantineFile('C:\WINDOWS\system32\wowfx.dll','');
QuarantineFile('C:\Program Files\SystemDefender\SystemDefender.exe','');
QuarantineFile('C:\Program Files\SanitarDiska\data\GDCW.exe','');
QuarantineFile('C:\Documents and Settings\123\cftmon.exe','');
QuarantineFile('C:\Documents and Settings\LocalService\cftmon.exe','');
BC_DeleteSvc('hdport');
BC_DeleteSvc('Eko84');
BC_DeleteSvc('Schedule');
BC_DeleteSvc('CcEvtSvc');
BC_DeleteSvc('Google Online Services');
QuarantineFile('Ylq35.sys','');
QuarantineFile('C:\WINDOWS\system32\qtprot.sys','');
QuarantineFile('C:\WINDOWS\system32\Drivers\Eko84.sys','');
QuarantineFile('C:\WINDOWS\titac.dll','');
QuarantineFile('C:\WINDOWS\system32\xlibgfl254.dll','');
QuarantineFile('C:\WINDOWS\system32\WLCtrl32.dll','');
QuarantineFile('C:\WINDOWS\system32\mstmdm.dll','');
QuarantineFile('C:\WINDOWS\system32\drivers\spools.exe','');
QuarantineFile('C:\WINDOWS\system32\dllgh8jkd1q7.exe','');
QuarantineFile('C:\WINDOWS\system32\dllgh8jkd1q6.exe','');
QuarantineFile('C:\WINDOWS\Installer\{c414640a-2259-47a1-8b5d-08718f47cc8e}\UnknownAlrt.dll','');
QuarantineFile('C:\WINDOWS\Installer\{bc25d2f4-2e5d-45ee-9083-ce170451546c}\zip.dll','');
QuarantineFile('C:\Program Files\Ultimate Defender\UltimateDefender.exe','');
QuarantineFile('C:\Program Files\Internet Explorer\SETUPAPI.dll','');
QuarantineFile('C:\Program Files\IE Extensions\cj.v2.dll','');
QuarantineFile('C:\Program Files\Common Files\SanitarDiska\stm.exe','');
QuarantineFile('C:\Documents and Settings\123\ie_updates3r.exe','');
QuarantineFile('c:\autoex.dll','');
QuarantineFile('c:\program files\ultimate defender\ultimatedefender.exe','');
QuarantineFile('c:\program files\common files\sanitardiska\stm.exe','');
QuarantineFile('c:\windows\system32\drivers\spools.exe','');
QuarantineFile('C:\WINDOWS\system32\qtplugin.exe','');
QuarantineFile('c:\documents and settings\123\ie_updates3r.exe','');
QuarantineFile('c:\windows\system32\dllgh8jkd1q7.exe','');
QuarantineFile('c:\windows\system32\dllgh8jkd1q6.exe','');
QuarantineFile('c:\windows\aromis.exe','');
DeleteFile('c:\windows\aromis.exe');
DeleteFile('c:\windows\system32\dllgh8jkd1q6.exe');
DeleteFile('c:\windows\system32\dllgh8jkd1q7.exe');
DeleteFile('c:\documents and settings\123\ie_updates3r.exe');
DeleteFile('C:\WINDOWS\system32\qtplugin.exe');
DeleteFile('c:\windows\system32\drivers\spools.exe');
DeleteFile('c:\program files\common files\sanitardiska\stm.exe');
DeleteFile('c:\program files\ultimate defender\ultimatedefender.exe');
DeleteFile('c:\autoex.dll');
DeleteFile('C:\Documents and Settings\123\ie_updates3r.exe');
DeleteFile('C:\Program Files\Common Files\SanitarDiska\stm.exe');
DeleteFile('C:\Program Files\IE Extensions\cj.v2.dll');
DeleteFile('C:\Program Files\Internet Explorer\SETUPAPI.dll');
DeleteFile('C:\Program Files\Ultimate Defender\UltimateDefender.exe');
DeleteFile('C:\WINDOWS\system32\dllgh8jkd1q6.exe');
DeleteFile('C:\WINDOWS\system32\dllgh8jkd1q7.exe');
DeleteFile('C:\WINDOWS\system32\drivers\spools.exe');
DeleteFile('C:\WINDOWS\system32\mstmdm.dll');
DeleteFile('C:\WINDOWS\system32\WLCtrl32.dll');
DeleteFile('C:\WINDOWS\system32\xlibgfl254.dll');
DeleteFile('C:\WINDOWS\system32\Drivers\Eko84.sys');
DeleteFile('C:\WINDOWS\system32\qtprot.sys');
DeleteFile('Ylq35.sys');
DeleteFile('C:\WINDOWS\system32\hdport.sys');
DeleteFile('C:\Documents and Settings\LocalService\cftmon.exe');
DeleteFile('C:\Documents and Settings\123\cftmon.exe');
DeleteFile('C:\Program Files\SanitarDiska\data\GDCW.exe');
DeleteFile('C:\Program Files\SystemDefender\SystemDefender.exe');
DeleteFile('C:\WINDOWS\system32\wowfx.dll');
DeleteFile('WLCtrl32.dll');
DeleteFile('kdmld.exe');
DeleteFile('c:\windows\installer\{c414640a-2259-47a1-8b5d-08718f47cc8e}\unknownalrt.dll');
DeleteFile('C:\Program Files\iSecurity\Ultimate Defender\setup.exe');
DeleteFile('C:\Program Files\tmp31968.exe');
DeleteFile('C:\WINDOWS\system32\drivers\Jxs64.sys');
DeleteFile('C:\WINDOWS\system32\drivers\Qsow70.sys');
DeleteFile('C:\WINDOWS\system32\drivers\Tlc26.sys');
DeleteFile('C:\WINDOWS\Temp\codec.exe');
DeleteFile('C:\WINDOWS\system32\pssb486.exe');
BC_ImportDeletedList;
ExecuteRepair(1);
ExecuteRepair(11);
ExecuteRepair(6);
ExecuteRepair(8);
ExecuteRepair(9);
ExecuteRepair(16);
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.
[/code]
пришлите карантин согласно приложения 3 правил ...
повторите логи ...
29.04.2008, 10:32
Dunkelheit

карантин закачал - virus.zip
новые логи прилагаю
29.04.2008, 10:39
V_Bond

выполните скрипт ....
[code]
begin
ClearQuarantine;
SearchRootkit(true, true);
SetAVZGuardStatus(True);
QuarantineFile('E:\autorun.inf','');
QuarantineFile('C:\WINDOWS\Temp\BN1E.tmp','');
QuarantineFile('C:\WINDOWS\Temp\BN1D.tmp','');
QuarantineFile('C:\WINDOWS\Temp\BN16.tmp','');
QuarantineFile('C:\WINDOWS\Temp\BN14.tmp','');
QuarantineFile('C:\WINDOWS\Temp\BN13.tmp','');
QuarantineFile('C:\WINDOWS\system32\drivers\Wdja22.sys','');
QuarantineFile('C:\WINDOWS\system32\drivers\Mum52.sys','');
QuarantineFile('C:\WINDOWS\system32\drivers\grande48.sys','');
QuarantineFile('C:\Staroe\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\FVKCPHFJ\loader[1].exe','');
QuarantineFile('C:\Documents and Settings\LocalService\Local Settings\Application Data\cftmon.exe','');
QuarantineFile('C:\Documents and Settings\123\Рабочий стол\!!!Antivirus\jeefogui.com','');
QuarantineFile('C:\Documents and Settings\123\Local Settings\Temp\27.tmp','');
QuarantineFile('C:\Documents and Settings\123\Application Data\installer[1].exe','');
QuarantineFile('C:\WINDOWS\Installer\{bc25d2f4-2e5d-45ee-9083-ce170451546c}\zip.dll','');
QuarantineFile('C:\WINDOWS\system32\iSecurity.cpl','');
DeleteFile('C:\WINDOWS\system32\iSecurity.cpl');
DeleteFile('wowfx.dll');
DeleteFile('xlibgfl254.dll');
DeleteFile('C:\Documents and Settings\123\Application Data\installer[1].exe');
DeleteFile('C:\Staroe\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\FVKCPHFJ\loader[1].exe');
DeleteFile('C:\WINDOWS\system32\drivers\grande48.sys');
DeleteFile('C:\WINDOWS\system32\drivers\Mum52.sys');
DeleteFile('C:\WINDOWS\system32\drivers\Wdja22.sys');
DeleteFile('C:\WINDOWS\Temp\BN13.tmp');
DeleteFile('C:\WINDOWS\Temp\BN16.tmp');
DeleteFile('C:\WINDOWS\Temp\BN1D.tmp');
DeleteFile('C:\WINDOWS\Temp\BN20.tmp');
DeleteFile('C:\WINDOWS\Temp\BN21.tmp');
DeleteFile('C:\WINDOWS\Temp\BN23.tmp');
DeleteFile('C:\WINDOWS\Temp\BN6.tmp');
DeleteFile('C:\WINDOWS\Temp\BN7.tmp');
DeleteFile('C:\WINDOWS\Temp\BN8.tmp');
DeleteFile('C:\WINDOWS\Temp\BN9.tmp');
DeleteFile('C:\WINDOWS\Temp\BNB.tmp');
DeleteFile('C:\WINDOWS\Temp\BNC.tmp');
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.
[/code]
пришлите карантин согласно приложения 3 правил ...
повторите логи ....
29.04.2008, 11:24
Dunkelheit

карантин закачал - virus2.zip
новые логи прилагаю
29.04.2008, 11:40
V_Bond

пофиксите ...
[code]
O4 - HKLM\..\Run: [iSecurity applet] rundll32.exe iSecurity.cpl,SecurityMonitor
O4 - Startup: .protected
O4 - Global Startup: .protected
O17 - HKLM\System\CCS\Services\Tcpip\..\{45F92935-AF2B-4426-9674-DD2FB1C504A6}: NameServer = 85.255.114.109,85.255.112.149
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.109 85.255.112.149
O17 - HKLM\System\CS1\Services\Tcpip\..\{45F92935-AF2B-4426-9674-DD2FB1C504A6}: NameServer = 85.255.114.109,85.255.112.149
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.109 85.255.112.149
O17 - HKLM\System\CS2\Services\Tcpip\..\{45F92935-AF2B-4426-9674-DD2FB1C504A6}: NameServer = 85.255.114.109,85.255.112.149
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.109 85.255.112.149
O20 - AppInit_DLLs: iSecurity.cpl
O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\
O21 - SSODL: UnknownAlrt - {c414640a-2259-47a1-8b5d-08718f47cc8e} - (no file)
O21 - SSODL: zip - {bc25d2f4-2e5d-45ee-9083-ce170451546c} - C:\WINDOWS\Installer\{bc25d2f4-2e5d-45ee-9083-ce170451546c}\zip.dll
O21 - SSODL: iSecurity - {A8311E8F-E459-4D22-89B4-CB9DCF10A425} - C:\WINDOWS\system32\ISECUR~1.CPL (file missing)
O21 - SSODL: UpdateCheck - {17E2A4C1-3F4C-42BE-B00B-25D8EACAA4D0} - C:\WINDOWS\system32\mstmdm.dll
[/code]
выполните скрипт ...
[code]
begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
DeleteFile('C:\WINDOWS\Installer\{bc25d2f4-2e5d-45ee-9083-ce170451546c}\zip.dll');
DeleteFile('C:\WINDOWS\system32\mstmdm.dll');
DeleteFile('iSecurity.cpl');
DeleteFile('C:\WINDOWS\system32\ISECUR~1.CPL');
DeleteFile('E:\autorun.inf');
DeleteFile('C:\Documents and Settings\123\Local Settings\Temp\27.tmp');
DeleteFile('C:\Documents and Settings\LocalService\Local Settings\Application Data\cftmon.exe');
DeleteFile('C:\WINDOWS\Temp\BN14.tmp');
DeleteFile('C:\WINDOWS\Temp\BN1E.tmp');
BC_ImportDeletedList;
ClearHostsFile;
ExecuteRepair(6);
ExecuteRepair(8);
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.
[/code]
повторите логи ...
29.04.2008, 12:20
Dunkelheit

повторяю логи
29.04.2008, 12:25
V_Bond

зловредного ничего не видно ...
осталось установить антивирус и фаерволл ...
29.04.2008, 12:31
Dunkelheit

огромное вам спасибо
этим сейчас и займусь
29.04.2008, 13:59
PavelA

То, что было удалено:

27.tmp_ - Trojan-Downloader.Win32.Mutant.cj,
autorun.inf - Worm.Win32.AutoRun.j,
BN13.tmp_, BN14.tmp_, BN16.tmp_, BN1D.tmp_, BN1E.tmp_ - Trojan-Downloader.Win32.Agent.mkb,
cftmon.exe_ - Trojan-Downloader.Win32.Agent.lab,
grande48.sys, Mum52.sys, Wdja22.sys - Rootkit.Win32.Agent.aih,
loader[1].exe_ - Trojan.Win32.Buzus.dpu,
zip.dll - Trojan-Dropper.Win32.Agent.qfy

installer[1].exe_ - not-a-virus:Downloader.Win32.WinFixer.cq