Проверьте, пожалуйста, логи (вирусы из самого Новороссийска)))

Printable View

06.05.2008, 12:26
Marygold

Вложений: 3

Проверьте, пожалуйста, логи (вирусы из самого Новороссийска)))

Проверьте пожалуйста логи.
Со слов хозяина компа - на машине много вирусов. Подробней не знаю, потому не могу ничего конкретно сказать.
06.05.2008, 12:50
Гриша

Отключите Антивирус и интернет!

[URL="http://mail.ustc.edu.cn/~jfpan/download/IceSword122en.zip"]Скачать[/URL],меню,File,появится аналог проводника,найти:qandr.sys,taskmon.sys,WLCtrl32.dll,WinNt32.dll,правая кнопка мыши Force Delete.

[URL="http://virusinfo.info/showthread.php?t=7239"]AVZ, меню "Файл - Выполнить скрипт" -- Скопировать ниже написанный скрипт-- Нажать кнопку "Запустить".[/URL]

[CODE]begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
TerminateProcessByName('c:\windows\system32\dllgh8jkd1q6.exe');
TerminateProcessByName('c:\windows\system32\wxtf473.exe');
TerminateProcessByName('c:\windows\system32\drivers\spools.exe');
TerminateProcessByName('c:\windows\system32\secrsvqf.exe');
TerminateProcessByName('c:\windows\system32\dllgh8jkd1q7.exe');
TerminateProcessByName('c:\windows\winlogon.exe');
TerminateProcessByName('c:\windows\temp\2382.tmp');
TerminateProcessByName('c:\windows\system32\wind32.exe');
QuarantineFile('C:\WINDOWS\System32\Drivers\Beep.SYS','');
QuarantineFile('c:\autoex.dll','');
QuarantineFile('C:\WINDOWS\system32\actvtalk.dll','');
QuarantineFile('C:\WINDOWS\system\hnqtse32.dll','');
DelBHO('{67B020BC-3762-4C3F-92B0-F553EEB0D65D}');
QuarantineFile('C:\WINDOWS\gndarmblpne.dll','');
DelBHO('{2782DD1A-7F56-CACD-B700-602A8436709B}');
QuarantineFile('C:\WINDOWS\system\wlcstd32.dll','');
QuarantineFile('kdhwt.exe','');
QuarantineFile('crypts.dll','');
QuarantineFile('WinNt32.dll','');
QuarantineFile('WLCtrl32.dll','');
QuarantineFile('C:\WINDOWS\winlogon.exe','');
QuarantineFile('C:\WINDOWS\SYSTEM32\WLCtrl32.dll','');
QuarantineFile('C:\WINDOWS\twain_32.exe','');
QuarantineFile('C:\WINDOWS\system\smss.exe','');
QuarantineFile('C:\WINDOWS\system32\wxtf473.exe','');
QuarantineFile('C:\WINDOWS\system32\userinit.exe','');
QuarantineFile('C:\WINDOWS\system32\spoolvs.exe','');
QuarantineFile('C:\WINDOWS\system32\secrsvqf.exe','');
QuarantineFile('C:\WINDOWS\system32\printer.exe','');
QuarantineFile('C:\WINDOWS\system32\maxpaynow1.exe','');
QuarantineFile('C:\WINDOWS\system32\head2.exe','');
QuarantineFile('C:\WINDOWS\system32\hdxjd4g.dll','');
QuarantineFile('C:\WINDOWS\system32\djki397g.dll','');
QuarantineFile('C:\WINDOWS\system32\alt12.exe.exe','');
QuarantineFile('C:\WINDOWS\kavir.exe','');
QuarantineFile('C:\WINDOWS\bdkpfxqw.dll','');
QuarantineFile('C:\WINDOWS\TEMP\winlagon.exe','');
QuarantineFile('C:\Documents and Settings\LocalService\cftmon.exe','');
QuarantineFile('C:\Documents and Settings\1\cftmon.exe','');
QuarantineFile('C:\DOCUME~1\1\LOCALS~1\Temp\csrssc.exe','');
QuarantineFile('C:\DOCUME~1\1\LOCALS~1\Temp\Rar$EX00.625\Christmas.exe','');
QuarantineFile('C:\DOCUME~1\1\LOCALS~1\Temp\69C.exe','');
QuarantineFile('C:\DOCUME~1\1\LOCALS~1\Temp\3FCD.exe','');
QuarantineFile('C:\WINDOWS\Help\oqtxde.chm','');
QuarantineFile('C:\WINDOWS\system32\drivers\kbd.sys','');
QuarantineFile('C:\WINDOWS\System32\Drivers\Ekq30.sys','');
QuarantineFile('C:\WINDOWS\System32\Drivers\Bio30.sys','');
QuarantineFile('C:\WINDOWS\system32\1037h.exe','');
QuarantineFile('C:\WINDOWS\ctfmon.exe','');
QuarantineFile('C:\WINDOWS\system32\drivers\qandr.sys','');
QuarantineFile('C:\WINDOWS\TEMP\taskmon.sys','');
QuarantineFile('C:\WINDOWS\system32\crypts.dll','');
QuarantineFile('C:\WINDOWS\qadovnel.dll','');
QuarantineFile('c:\windows\system32\wxtf473.exe','');
QuarantineFile('c:\windows\winlogon.exe','');
QuarantineFile('c:\windows\system32\wind32.exe','');
QuarantineFile('c:\windows\system32\drivers\spools.exe','');
QuarantineFile('c:\windows\system32\secrsvqf.exe','');
QuarantineFile('c:\windows\system32\dllgh8jkd1q7.exe','');
QuarantineFile('c:\windows\system32\dllgh8jkd1q6.exe','');
QuarantineFile('c:\windows\temp\2382.tmp','');
DeleteService('Task Monitoring Driver');
DeleteService('qandr');
DeleteService('LPTRDCsrv');
DeleteService('kbd');
DeleteService('oqtxde');
DeleteService('Bio30');
DeleteService('Ekq30');
DeleteService('Schedule');
DeleteService('MSDTCCOMSysApp');
DeleteFile('c:\windows\temp\2382.tmp');
DeleteFile('c:\windows\system32\dllgh8jkd1q6.exe');
DeleteFile('C:\WINDOWS\SYSTEM32\WLCtrl32.dll');
DeleteFile('c:\windows\system32\dllgh8jkd1q7.exe');
DeleteFile('c:\windows\system32\drivers\spools.exe');
DeleteFile('c:\windows\system32\wind32.exe');
DeleteFile('c:\windows\winlogon.exe');
DeleteFile('c:\windows\system32\wxtf473.exe');
DeleteFile('C:\WINDOWS\qadovnel.dll');
DeleteFile('C:\WINDOWS\system32\crypts.dll');
DeleteFile('C:\WINDOWS\TEMP\taskmon.sys');
DeleteFile('C:\WINDOWS\system32\drivers\qandr.sys');
DeleteFile('C:\WINDOWS\ctfmon.exe');
DeleteFile('C:\WINDOWS\system32\1037h.exe');
DeleteFile('C:\WINDOWS\System32\Drivers\Bio30.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Ekq30.sys');
DeleteFile('C:\WINDOWS\system32\drivers\kbd.sys');
DeleteFile('C:\WINDOWS\Help\oqtxde.chm');
DeleteFile('C:\DOCUME~1\1\LOCALS~1\Temp\3FCD.exe');
DeleteFile('C:\DOCUME~1\1\LOCALS~1\Temp\69C.exe');
DeleteFile('C:\DOCUME~1\1\LOCALS~1\Temp\Rar$EX00.625\Christmas.exe');
DeleteFile('C:\DOCUME~1\1\LOCALS~1\Temp\csrssc.exe');
DeleteFile('C:\Documents and Settings\1\cftmon.exe');
DeleteFile('C:\Documents and Settings\LocalService\cftmon.exe');
DeleteFile('C:\WINDOWS\TEMP\winlagon.exe');
DeleteFile('C:\WINDOWS\bdkpfxqw.dll');
DeleteFile('C:\WINDOWS\kavir.exe');
DeleteFile('C:\WINDOWS\system32\alt12.exe.exe');
DeleteFile('C:\WINDOWS\system32\djki397g.dll');
DeleteFile('C:\WINDOWS\system32\hdxjd4g.dll');
DeleteFile('C:\WINDOWS\system32\head2.exe');
DeleteFile('C:\WINDOWS\system32\maxpaynow1.exe');
DeleteFile('C:\WINDOWS\system32\printer.exe');
DeleteFile('C:\WINDOWS\system32\secrsvqf.exe');
DeleteFile('C:\WINDOWS\system32\spoolvs.exe');
DeleteFile('C:\WINDOWS\system32\wxtf473.exe');
DeleteFile('C:\WINDOWS\system\smss.exe');
DeleteFile('C:\WINDOWS\twain_32.exe');
DeleteFile('C:\WINDOWS\winlogon.exe');
DeleteFile('WLCtrl32.dll');
DeleteFile('WinNt32.dll');
DeleteFile('crypts.dll');
DeleteFile('kdhwt.exe');
DeleteFile('C:\WINDOWS\system\wlcstd32.dll');
DeleteFile('C:\WINDOWS\gndarmblpne.dll');
DeleteFile('C:\WINDOWS\system\hnqtse32.dll');
DeleteFile('C:\WINDOWS\system32\actvtalk.dll');
DeleteFile('c:\autoex.dll');
DeleteFile('C:\WINDOWS\System32\Drivers\Beep.SYS');
DelBHO('{F2F2A4CB-DAAD-4D0C-BDFC-E945647202C2}');
DelBHO('{CF26FAC0-7D4E-46D8-AE64-B277B11443AC}');
DelBHO('{CADB5E0F-0223-A58F-D6EF-326223BC90CA}');
DelBHO('{B5AF0562-94F3-42BD-F434-2604812C797D}');
DelBHO('{B5AC49A2-94F2-42BD-F434-2604812C897D}');
BC_ImportALL;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.[/CODE]

После выполнения скрипта компьютер перезагрузится.
Прислать карантин согласно приложения 3 правил .
Загружать по ссылке:[url]http://virusinfo.info/upload_virus.php?tid=22499[/url]

Скачайте новую версию AVZ(4.30),обновите базы и повторите логи
08.05.2008, 19:25
Marygold

Вложений: 3

Карантин чуть позже, вот пока логи
08.05.2008, 19:25
Marygold

и спасибо большое!
08.05.2008, 21:32
V_Bond

выполните скрипт ....
[code]
begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
DelBHO('{F2F2A4CB-DAAD-4D0C-BDFC-E945647202C2}');
DelBHO('{CF26FAC0-7D4E-46D8-AE64-B277B11443AC}');
DelBHO('{CADB5E0F-0223-A58F-D6EF-326223BC90CA}');
DelBHO('{B5AF0562-94F3-42BD-F434-2604812C797D}');
DelBHO('{B5AC49A2-94F2-42BD-F434-2604812C897D}');
DelBHO('{2782DD1A-7F56-CACD-B700-602A8436709B}');
QuarantineFile('C:\WINDOWS\winlogon.exe','');
QuarantineFile('C:\WINDOWS\twain_32.exe','');
QuarantineFile('C:\WINDOWS\system\smss.exe','');
QuarantineFile('C:\WINDOWS\system32\userinit.exe','');
QuarantineFile('C:\WINDOWS\system32\spoolvs.exe','');
QuarantineFile('C:\WINDOWS\system32\printer.exe','');
QuarantineFile('C:\WINDOWS\system32\maxpaynow1.exe','');
QuarantineFile('C:\WINDOWS\system32\head2.exe','');
QuarantineFile('C:\WINDOWS\system32\hdxjd4g.dll','');
QuarantineFile('C:\WINDOWS\system32\djki397g.dll','');
QuarantineFile('C:\WINDOWS\system32\alt12.exe.exe','');
QuarantineFile('C:\WINDOWS\qadovnel.dll','');
QuarantineFile('C:\WINDOWS\kavir.exe','');
QuarantineFile('C:\WINDOWS\bdkpfxqw.dll','');
QuarantineFile('C:\WINDOWS\TEMP\winlagon.exe','');
QuarantineFile('C:\WINDOWS\Installer\{f583e7f2-3b94-4fe8-91c8-d074e1e39c53}\zip.dll','');
QuarantineFile('C:\DOCUME~1\1\LOCALS~1\Temp\csrssc.exe','');
QuarantineFile('C:\DOCUME~1\1\LOCALS~1\Temp\Rar$EX00.625\Christmas.exe','');
QuarantineFile('C:\DOCUME~1\1\LOCALS~1\Temp\69C.exe','');
QuarantineFile('C:\DOCUME~1\1\LOCALS~1\Temp\3FCD.exe','');
BC_DeleteSvc('Task Monitoring Driver');
QuarantineFile('C:\WINDOWS\TEMP\taskmon.sys','');
BC_DeleteSvc('qandr');
QuarantineFile('C:\WINDOWS\system32\drivers\qandr.sys','');
BC_DeleteSvc('oqtxde');
QuarantineFile('C:\WINDOWS\Help\oqtxde.chm','');
BC_DeleteSvc('Ekq30');
QuarantineFile('C:\WINDOWS\System32\Drivers\Ekq30.sys','');
BC_DeleteSvc('Bio30');
QuarantineFile('C:\WINDOWS\System32\Drivers\Bio30.sys','');
BC_DeleteSvc('asc3550p');
QuarantineFile('C:\WINDOWS\system32\Drivers\asc3550p.sys','');
BC_DeleteSvc('asc3550f');
QuarantineFile('asc3550f.sys','');
BC_DeleteSvc('jqvm465hmygebkpp6');
QuarantineFile('C:\WINDOWS\system32\lcss.exe','');
BC_DeleteSvc('LPTRDCsrv');
QuarantineFile('C:\WINDOWS\ctfmon.exe','');
DeleteFile('C:\WINDOWS\system32\crypts.dll');
DeleteFile('C:\WINDOWS\ctfmon.exe');
DeleteFile('C:\WINDOWS\system32\lcss.exe');
DeleteFile('asc3550f.sys');
DeleteFile('C:\WINDOWS\system32\Drivers\asc3550p.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Bio30.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Ekq30.sys');
DeleteFile('C:\WINDOWS\system32\drivers\qandr.sys');
DeleteFile('C:\WINDOWS\TEMP\taskmon.sys');
DeleteFile('C:\DOCUME~1\1\LOCALS~1\Temp\3FCD.exe');
DeleteFile('C:\DOCUME~1\1\LOCALS~1\Temp\69C.exe');
DeleteFile('C:\DOCUME~1\1\LOCALS~1\Temp\Rar$EX00.625\Christmas.exe');
DeleteFile('C:\DOCUME~1\1\LOCALS~1\Temp\csrssc.exe');
DeleteFile('C:\WINDOWS\Installer\{f583e7f2-3b94-4fe8-91c8-d074e1e39c53}\zip.dll');
DeleteFile('C:\WINDOWS\TEMP\winlagon.exe');
DeleteFile('C:\WINDOWS\bdkpfxqw.dll');
DeleteFile('C:\WINDOWS\kavir.exe');
DeleteFile('C:\WINDOWS\qadovnel.dll');
DeleteFile('C:\WINDOWS\system32\alt12.exe.exe');
DeleteFile('C:\WINDOWS\system32\djki397g.dll');
DeleteFile('C:\WINDOWS\system32\hdxjd4g.dll');
DeleteFile('C:\WINDOWS\system32\head2.exe');
DeleteFile('C:\WINDOWS\system32\maxpaynow1.exe');
DeleteFile('C:\WINDOWS\system32\printer.exe');
DeleteFile('C:\WINDOWS\system32\spoolvs.exe');
DeleteFile('C:\WINDOWS\system\smss.exe');
DeleteFile('C:\WINDOWS\twain_32.exe');
DeleteFile('C:\WINDOWS\winlogon.exe');
DeleteFile('WinNt32.dll');
DeleteFile('wxtf473.exe');
DeleteFile('crypts.dll');
DeleteFile('C:\WINDOWS\system\wlcstd32.dll');
DeleteFile('C:\WINDOWS\system\hnqtse32.dll');
DeleteFile('C:\WINDOWS\system32\actvtalk.dll');
DeleteFile('c:\autoex.dll');
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.
[/code]
пришлите карантин согласно приложения 3 правил ....
повторите логи ...
29.05.2008, 23:34
Marygold

Вложений: 3

вот логи, и архив по ссылке загрузила
30.05.2008, 00:10
V_Bond

пофиксите ...
[code]
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,userinit.exe,
[/code]
выполните скрипт ...
[code]
begin
ClearQuarantine;
QuarantineFile('C:\WINDOWS\Resources\BootAlrt.dll','');
QuarantineFile('C:\WINDOWS\system32\userinit.exe','');
QuarantineFile('C:\WINDOWS\gndarmblpne.dll','');
BC_ImportQuarantineList;
BC_Activate;
RebootWindows(true);
end.
[/code]
пришлите карантин согласно приложения 3 правил ....
22.02.2009, 05:10
CyberHelper

Итог лечения

Статистика проведенного лечения:
[LIST][*]Получено карантинов: [B]1[/B][*]Обработано файлов: [B]1[/B][*]В ходе лечения вредоносные программы в карантинах не обнаружены[/LIST]