Помогите пожалуйста. Nod [B]постоянно[/B] при входе в инет выдает предупреждение, что обнаружен вирус и был перемещен в карантин. Глубокий анализ с удалением вирусов не помог.
Помогите пожалуйста. Nod [B]постоянно[/B] при входе в инет выдает предупреждение, что обнаружен вирус и был перемещен в карантин. Глубокий анализ с удалением вирусов не помог.
Отключив интернет и антивирус, выполните следующее:
1. Пофиксите в HijackThis:
[code]
O4 - HKCU\..\Run: [Shell] "C:\WINDOWS\system32\Rundll32.exe" "C:\WINDOWS\system32\shell32.dll",Control_RunDLL "C:\DOCUME~1\USER~1.USE\LOCALS~1\Temp\dat52E.tmp"
[/code]
2. Выполните скрипт в AVZ:
[code]
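begin
// Neutralise API hooks / rootkit interception first so the file operations
// below are not intercepted (SearchRootkit: search=true, fix=true).
SearchRootkit(true, true);
// Enable AVZGuard so other processes cannot interfere while the script runs.
SetAVZGuardStatus(True);
// Copy every file to the AVZ quarantine BEFORE deleting it, so a sample
// survives for analysis (the quarantine archive is what the user is asked
// to upload afterwards). The .scr was previously deleted without being
// quarantined, unlike the other three files; it is now preserved as well.
QuarantineFile('C:\DOCUME~1\USER~1.USE\LOCALS~1\Temp\dat52E.tmp','');
QuarantineFile('C:\WINDOWS\System32\drivers\9e16595e.sys','');
QuarantineFile('C:\WINDOWS\system32\WinCtrl32.dll','');
QuarantineFile('C:\WINDOWS\system32\blphcg56j0el3g.scr','');
// Delete the same set; files that are locked are deferred and handled by
// Boot Cleaner (see BC_ImportDeletedList / BC_Activate below).
DeleteFile('C:\WINDOWS\system32\WinCtrl32.dll');
DeleteFile('C:\WINDOWS\System32\drivers\9e16595e.sys');
DeleteFile('C:\DOCUME~1\USER~1.USE\LOCALS~1\Temp\dat52E.tmp');
DeleteFile('C:\WINDOWS\system32\blphcg56j0el3g.scr');
// Hand the pending deletions to Boot Cleaner, then run AVZ's system cleanup
// (removes references to the deleted files — confirm against AVZ docs).
BC_ImportDeletedList;
ExecuteSysClean;
// Queue the following services for removal at next boot. The names look like
// concatenations of legitimate Windows service names (e.g. WZCSVC + AppMgmt +
// W32Time); they are taken from the user's log — verify each against the
// current HijackThis/AVZ log before running, do not reuse blindly.
BC_DeleteSvc('Winlq21');
BC_DeleteSvc('winla10');
BC_DeleteSvc('Winkw02');
BC_DeleteSvc('Wingu01');
BC_DeleteSvc('winfs00');
BC_DeleteSvc('xmlprovsharedaccessrdsessmgr');
BC_DeleteSvc('xmlprovSharedAccess');
BC_DeleteSvc('xmlprovdnscacheaspnet_statewzcsvc');
BC_DeleteSvc('xmlprovDnscache');
BC_DeleteSvc('WZCSVCAppMgmtW32Timedmserver');
BC_DeleteSvc('WZCSVCAppMgmtW32Time');
BC_DeleteSvc('wuauservNVSvcSharedAccessUPS');
BC_DeleteSvc('wscsvcseclogon');
BC_DeleteSvc('winmgmtsharedaccesswzcsvc');
BC_DeleteSvc('WebClientNtLmSsp');
BC_DeleteSvc('themeswzcsvcappmgmtw32timedmserver');
BC_DeleteSvc('termservicesharedaccess');
BC_DeleteSvc('sysmonlogrdsessmgr');
BC_DeleteSvc('SysmonLogImapiServiceupnphost');
BC_DeleteSvc('SysmonLogImapiService');
BC_DeleteSvc('stisvcCryptSvc');
BC_DeleteSvc('srserviceSharedAccessaspnet_stateLmHosts');
BC_DeleteSvc('srserviceSharedAccessaspnet_state');
BC_DeleteSvc('ShellHWDetectionAppMgmt');
BC_DeleteSvc('SharedAccessWZCSVC');
BC_DeleteSvc('SharedAccessSamSs');
BC_DeleteSvc('SharedAccessaspnet_state');
BC_DeleteSvc('sensxmlprovsharedaccess');
BC_DeleteSvc('seclogonwmistisvc');
BC_DeleteSvc('seclogonWmi');
BC_DeleteSvc('schedulewmimdmpolicyagent');
BC_DeleteSvc('ScheduleWmi');
BC_DeleteSvc('SCardSvrMDM');
BC_DeleteSvc('SamSsSCardSvr');
BC_DeleteSvc('SamSsNtLmSsp');
BC_DeleteSvc('RSVPSharedAccessaspnet_state');
BC_DeleteSvc('RpcLocatorERSvcSCardSvr');
BC_DeleteSvc('PlugPlayAppMgmtW32Time');
BC_DeleteSvc('NVSvcSharedAccessUPS');
BC_DeleteSvc('NVSvcSharedAccessERSvc');
BC_DeleteSvc('NVSvcSharedAccessBthServ');
BC_DeleteSvc('NVSvcSharedAccess');
BC_DeleteSvc('nod32krnremoteregistry');
BC_DeleteSvc('NlaTapiSrvdmserverSCardSvr');
BC_DeleteSvc('NlaTapiSrv');
BC_DeleteSvc('NetlogonsrserviceSharedAccessaspnet_state');
BC_DeleteSvc('NetDDEWZCSVC');
BC_DeleteSvc('netddedsdmwzcsvcappmgmtw32timedmserver');
BC_DeleteSvc('msiserverhidserv');
BC_DeleteSvc('msiservereventsystem');
BC_DeleteSvc('MessengerNetDDE');
BC_DeleteSvc('mdmpolicyagent');
BC_DeleteSvc('ImapiServiceSamSsNtLmSsp');
BC_DeleteSvc('HidServWZCSVC');
BC_DeleteSvc('hidservaudiosrvhidservwzcsvc');
BC_DeleteSvc('HidServAudioSrv');
BC_DeleteSvc('helpsvcWZCSVC');
BC_DeleteSvc('helpsvcImapiService');
BC_DeleteSvc('FastUserSwitchingCompatibilitySwPrvWmdmPmSN');
BC_DeleteSvc('FastUserSwitchingCompatibilitySwPrv');
BC_DeleteSvc('EventlogPlugPlay');
BC_DeleteSvc('Eventloglanmanworkstation');
BC_DeleteSvc('ERSvcSCardSvr');
BC_DeleteSvc('ERSvcaspnet_state');
BC_DeleteSvc('DnscacheRDSessMgr');
BC_DeleteSvc('dmserverSCardSvrWZCSVCstisvcCryptSvc');
BC_DeleteSvc('dmserverSCardSvrWZCSVC');
BC_DeleteSvc('dmserverscardsvrmdm');
BC_DeleteSvc('dmserverSCardSvr');
BC_DeleteSvc('Dhcpwscsvc');
BC_DeleteSvc('dcomlaunchmdmthemes');
BC_DeleteSvc('DcomLaunchMDM');
BC_DeleteSvc('CryptSvcHTTPFilter');
BC_DeleteSvc('CiSvclanmanworkstation');
BC_DeleteSvc('AudioSrvDcomLaunchMDM');
BC_DeleteSvc('aspnet_statewzcsvc');
BC_DeleteSvc('AppMgmtW32Time');
// Activate Boot Cleaner so the queued file and service removals are applied
// during the reboot, before the malware can reload.
BC_Activate;
// Numbered AVZ system-repair items; their meanings are not stated on this
// page — check items 5, 6 and 8 in AVZ's repair list before applying.
ExecuteRepair(5);
ExecuteRepair(6);
ExecuteRepair(8);
// Writes DWORD 1 under the Explorer NonEnum policy key for the given CLSID
// (NonEnum entries hide shell namespace objects — confirm this matches the
// user's log before applying).
RegKeyIntParamWrite( 'HKLM', 'SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum', '{BDEADF00-C265-11D0-BCED-00A0C90AB50F}', 1);
// Forced reboot so Boot Cleaner runs; the post tells the user to expect it.
RebootWindows(true);
end.[/code]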
Компьютер перезагрузится.
Пришлите карантин согласно приложению 3 правил
(загружать тут: [url]http://virusinfo.info/upload_virus.php?tid=29199[/url]).
Сделайте новые логи, начиная с п.10 правил.