Добрый день!
Проблема появилась после просмотра сайта с фотографиями.
На рабочем столе сообщение:
"Warning! Spyware detected on your computer! Install an antivirus or spyware remover to clean your computer".
Прикрепил логи.
Спасибо за помощь!
выполните скрипт ...
[code]
begin
// AVZ remediation script (Pascal-style AVZ syntax). Statement order is
// significant: suspect files are copied to quarantine before anything is
// deleted, and the deletion list is handed to BootCleaner before the reboot
// that applies it.
SearchRootkit(true, true);
SetAVZGuardStatus(True); // enable AVZGuard for the remainder of the script
// Copy suspect files to the AVZ quarantine (to be sent in for analysis).
QuarantineFile('C:\Recycled\_del\s1-0156416-0654648-646-05\_del\speed\hidden32.exe','');
QuarantineFile('C:\WINDOWS\pagepromoterbar.dll','');
// Remove the Browser Helper Object registered under this CLSID.
DelBHO('{84695FD5-A8A8-11D8-978E-005022E14DE2}');
QuarantineFile('C:\WINDOWS\System32\rilmavsi.dll','');
// Services to remove. Apart from 'Winqw17' (its driver file is deleted
// further down) the names look like concatenations of legitimate service
// names, e.g. 'dmserver' + 'FirebirdGuardianDefaultInstance'; the genuine
// 'FirebirdGuardianDefaultInstance' service itself is not on this list.
DeleteService('Winqw17');
DeleteService('winmgmtAVP');
DeleteService('VSSseclogon');
DeleteService('VSSFastUserSwitchingCompatibility');
DeleteService('TrkWksAudioSrv');
DeleteService('TapiSrvsrservice');
DeleteService('svcUpdateStatLmHosts');
DeleteService('srserviceDhcp');
DeleteService('SoccaemtwkstaNetman');
DeleteService('Soccaemtwksta');
DeleteService('SENSlanmanserver');
DeleteService('seclogonFirebirdServerDefaultInstance');
DeleteService('SCardSvrseclogonFirebirdServerDefaultInstance');
DeleteService('RemoteRegistryTrkWks');
DeleteService('PlugPlayCiSvcoseUMWdf');
DeleteService('PlugPlayactmovieactmoviewinmgmtIDriverTImapiService');
DeleteService('PlugPlayactmovieactmoviewinmgmtIDriverT');
DeleteService('PlugPlayactmovie');
DeleteService('oseUMWdf');
DeleteService('NetDDEdsdmServiceLayer');
DeleteService('MSSQLServerClipSrvWmiApSrv');
DeleteService('mnmsrvcSchedule');
DeleteService('IviRegMgrBrowser');
DeleteService('IviRegMgr Licensing Service');
DeleteService('ImapiServicewinmgmt');
DeleteService('helpsvcIviRegMgrTlntSvr');
DeleteService('FirebirdGuardianDefaultInstanceCOMSysApp');
DeleteService('Dot3svcAudioSrvusnjsvc');
DeleteService('dmserverTermService');
DeleteService('dmservermsdtcrpclocatordmadmin');
DeleteService('dmserverMSDTCRpcLocator');
DeleteService('dmserverMSDTC');
DeleteService('dmserverFirebirdGuardianDefaultInstance');
DeleteService('DhcpRasMan');
DeleteService('DcomLaunchseclogonFirebirdServerDefaultInstance');
DeleteService('COMSysAppdmserverNetDDEdsdm');
DeleteService('COMSysAppdmserver');
DeleteService('ClipSrvWmiApSrv');
DeleteService('BITSCiSvc');
DeleteService('CiSvcServiceLayer');
DeleteService('CiSvcoseUMWdf');
DeleteService('CiSvcNetlogon');
DeleteService('CCALib8AppMgmtactmoviewinmgmtlanmanworkstationactmoviewinmgmtlanmanworkstation');
DeleteService('CCALib8AppMgmt');
DeleteService('BonjourSocketServer');
DeleteService('AVPAudioSrvBrowser');
DeleteService('AudioSrvusnjsvc');
DeleteService('AudioSrvBrowser');
DeleteService('AudioSrvAudioSrvBrowser');
DeleteService('aspnet_stateusnjsvcWmdmPmSNaspnet_stateactmoviewinmgmtlanmanworkstation');
DeleteService('aspnet_stateusnjsvcWmdmPmSNaspnet_state');
DeleteService('aspnet_stateusnjsvcWmdmPmSN');
DeleteService('aspnet_stateusnjsvc');
DeleteService('aspnet_stateTlntSvr');
DeleteService('actmoviewinmgmtlanmanworkstationactmoviewinmgmtlanmanworkstation');
DeleteService('actmoviewinmgmtlanmanworkstation');
DeleteService('actmoviewinmgmtIDriverT');
DeleteService('actmoviewinmgmt');
// NOTE(review): relative path -- which 'srv.exe' this resolves to depends on
// the directory AVZ is running from; confirm against the log before relying
// on it.
QuarantineFile('srv.exe','');
DeleteFile('srv.exe');
// Driver of the 'Winqw17' service removed above, plus the other suspect files
// already copied to quarantine.
DeleteFile('C:\WINDOWS\System32\Drivers\Winqw17.sys');
DeleteFile('C:\WINDOWS\system32\blphcvgaj0el6h.scr');
DeleteFile('C:\WINDOWS\System32\rilmavsi.dll');
// NOTE(review): these entries delete whole stored mail messages (.MSG), not
// only the attachments inside them; the Avenger list later in the thread
// names the nested attachments (scanner-style paths) instead.
DeleteFile('C:\Program Files\Far\Pochta\billon\Attach\00000080.MSG');
DeleteFile('C:\Program Files\Far\Pochta\billon\Attach\00000079.MSG');
DeleteFile('C:\Program Files\Far\Pochta\billon\Attach\00000078.MSG');
DeleteFile('C:\Program Files\Far\Pochta\billon\Attach\00000074.MSG');
DeleteFile('C:\Program Files\Far\Pochta\billon\Attach\00000073.MSG');
DeleteFile('C:\Program Files\Far\Pochta\billon\Attach\00000072.MSG');
DeleteFile('C:\Program Files\Far\Pochta\billon\Attach\00000071.MSG');
DeleteFile('C:\Program Files\Far\Pochta\billon\Attach\00000070.MSG');
DeleteFile('C:\Program Files\Far\Pochta\billon\Attach\00000069.MSG');
DeleteFile('C:\Program Files\Far\Pochta\billon\Attach\00000066.MSG');
DeleteFile('C:\Program Files\Far\Pochta\billon\Attach\00000061.MSG');
DeleteFile('C:\Program Files\Far\Pochta\billon\Attach\00000059.MSG');
DeleteFile('C:\Program Files\Far\Pochta\billon\Attach\00000058.MSG');
DeleteFile('C:\Program Files\Far\Pochta\billon\Attach\00000054.MSG');
DeleteFile('C:\Program Files\Far\Pochta\billon\Attach\00000052.MSG');
DeleteFile('C:\Program Files\Far\Pochta\billon\Attach\00000043.MSG');
DeleteFile('C:\Program Files\Far\Pochta\billon\Attach\00000030.MSG');
DeleteFile('C:\Program Files\Far\Pochta\billon\Attach\00000029.MSG');
DeleteFile('C:\Program Files\Far\Pochta\billon\Attach\00000028.MSG');
DeleteFile('C:\Program Files\Far\Pochta\billon\Attach\00000027.MSG');
DeleteFile('C:\Program Files\Far\Pochta\billon\Attach\00000026.MSG');
DeleteFile('C:\Program Files\Far\Pochta\billon\Attach\00000025.MSG');
DeleteFile('C:\Program Files\Far\Pochta\billon\Attach\00000024.MSG');
DeleteFile('C:\Program Files\Far\Pochta\billon\Attach\00000023.MSG');
DeleteFile('C:\Program Files\Far\Pochta\billon\Attach\00000017.MSG');
DeleteFile('C:\Program Files\Far\Pochta\billon\Attach\00000016.MSG');
DeleteFile('C:\Program Files\Far\Pochta\billon\Attach\00000012.MSG');
DeleteFile('C:\Program Files\Far\Pochta\billon\Attach\00000057.MSG');
DeleteFile('C:\Program Files\Far\Pochta\billon\Attach\00000011.MSG');
DeleteFile('C:\Program Files\Far\Pochta\billon\Attach\00000055.MSG');
DeleteFile('C:\Program Files\Far\Pochta\billon\Attach\00000005.MSG');
DeleteFile('C:\Program Files\Far\Pochta\billon\Attach\00000007.MSG');
BC_ImportDeletedList; // hand the DeleteFile list above to BootCleaner
ExecuteSysClean;
// AVZ system-restore items by number (AVZ's own numbering -- confirm against
// the installed AVZ version): 5 desktop settings, 6 current-user Policies
// restrictions, 8 Explorer settings; consistent with the desktop warning
// message reported at the top of the thread.
ExecuteRepair(5);
ExecuteRepair(6);
ExecuteRepair(8);
BC_Activate;         // arm BootCleaner so the deferred deletions run at boot
RebootWindows(true); // reboot to apply them
end.
[/code]
пришлите карантин согласно приложению 3 правил ....
повторите логи ...
V_Bond, большое спасибо!
Скрипт выполнился.
Но появились маленькие проблемки...
AVP начал сильно есть ресурсы.
Перестала работать одна из доверенных программ (висит). Предполагаю, что не нужно было включать в скрипт вот эти строки:
DeleteService('dmserverFirebirdGuardianDefaultInstance');
DeleteService('DcomLaunchseclogonFirebirdServerDefaultInstance');
Другие программы не проверял.
Хотя программы можно переустановить, не проблема.
Прилагаю карантин и логи:
[COLOR="Red"]прочитайте в правилах куда закачивать карантин и какие нужны логи.[/COLOR]
DeleteService('dmserverFirebirdGuardianDefaultInstance');
DeleteService('DcomLaunchseclogonFirebirdServerDefaultInstance');
точно не принадлежат нормальным программам ....
логи где ?
('dmserverFirebirdGuardianDefaultInstance');
('DcomLaunchseclogonFirebirdServerDefaultInstance');
В этих строках увидел имя Firebird, а это сервер обмена данными с базой данных программы.
Но полностью доверяю Вам, что могут быть проблемными. Программу позже переустановлю.
Прилагаю файлы:
Закройте/выгрузите все программы кроме AVZ и Internet Explorer.
Отключите
- ПК от интернета/локалки
- Антивирус и Файрвол.
- Системное восстановление.
- [URL="http://virusinfo.info/showthread.php?t=7239"]Выполните скрипт[/URL]
[CODE]begin
// Second AVZ script (Pascal-style AVZ syntax). Same shape as the first one:
// quarantine first, then in-session deletion, then the same items queued for
// BootCleaner and applied at reboot. Statement order is significant.
SearchRootkit(true, true);
SetAVZGuardStatus(True); // enable AVZGuard for the remainder of the script
// Copy suspect files to the AVZ quarantine (to be sent in for analysis).
QuarantineFile('C:\WINDOWS\System32\Drivers\Soccaemtwksta.sys','');
QuarantineFile('C:\WINDOWS\System32\desktop.exe','');
// Remove the Browser Helper Object registered under this CLSID.
DelBHO('{84695FD5-A8A8-11D8-978E-005022E14DE2}');
QuarantineFile('C:\WINDOWS\System32\rilmavsi.dll','');
// Services to remove in-session. Most names look like concatenations of
// legitimate service names (e.g. 'dmserver' + 'FirebirdGuardianDefaultInstance');
// 'Soccaemtwksta' and 'Winqw17' have their driver files deleted further down.
// NOTE(review): 'Bonjour Service' (and mdnsresponder.exe below) is normally
// Apple's Bonjour; presumably flagged from the submitted logs -- confirm.
DeleteService('winmgmtAVP');
DeleteService('VSSseclogon');
DeleteService('VSSFastUserSwitchingCompatibility');
DeleteService('TrkWksAudioSrv');
DeleteService('TapiSrvsrservice');
DeleteService('svcUpdateStatLmHosts');
DeleteService('srserviceDhcp');
DeleteService('SQLServerAgentMSSQLServer');
DeleteService('SoccaemtwkstaNetman');
DeleteService('Soccaemtwksta');
DeleteService('SENSlanmanserver');
DeleteService('seclogonFirebirdServerDefaultInstance');
DeleteService('SCardSvrseclogonFirebirdServerDefaultInstance');
DeleteService('SCardSvrHidServ');
DeleteService('RemoteRegistryTrkWks');
DeleteService('PlugPlayCiSvcoseUMWdf');
DeleteService('PlugPlayactmovieactmoviewinmgmtIDriverTImapiService');
DeleteService('PlugPlayactmovieactmoviewinmgmtIDriverT');
DeleteService('PlugPlayactmovie');
DeleteService('oseUMWdf');
DeleteService('NetmanNtLmSsp');
DeleteService('NetDDEdsdmServiceLayer');
DeleteService('MSSQLServerClipSrvWmiApSrv');
DeleteService('mnmsrvcSchedule');
DeleteService('IviRegMgrTlntSvr');
DeleteService('IviRegMgrBrowser');
DeleteService('IviRegMgr Licensing Service');
DeleteService('ImapiServicewinmgmt');
DeleteService('helpsvcIviRegMgrTlntSvr');
DeleteService('FirebirdGuardianDefaultInstanceCOMSysApp');
DeleteService('Dot3svcAudioSrvusnjsvc');
DeleteService('dmserverTermService');
DeleteService('dmservermsdtcrpclocatordmadmin');
DeleteService('dmserverMSDTCRpcLocator');
DeleteService('dmserverMSDTC');
DeleteService('dmserverFirebirdGuardianDefaultInstance');
DeleteService('DhcpRasMan');
DeleteService('DcomLaunchseclogonFirebirdServerDefaultInstance');
DeleteService('COMSysAppdmserverNetDDEdsdm');
DeleteService('COMSysAppdmserver');
DeleteService('ClipSrvWmiApSrv');
DeleteService('CiSvcServiceLayer');
DeleteService('CiSvcoseUMWdf');
DeleteService('CiSvcNetlogon');
DeleteService('CCALib8AppMgmtactmoviewinmgmtlanmanworkstationactmoviewinmgmtlanmanworkstation');
DeleteService('CCALib8AppMgmt');
DeleteService('BonjourSocketServer');
DeleteService('Bonjour Service');
DeleteService('BITSCiSvc');
DeleteService('AVPAudioSrvBrowser');
DeleteService('AudioSrvusnjsvc');
DeleteService('AudioSrvBrowser');
DeleteService('AudioSrvAudioSrvBrowser');
DeleteService('aspnet_stateusnjsvcWmdmPmSNaspnet_stateactmoviewinmgmtlanmanworkstation');
DeleteService('aspnet_stateusnjsvcWmdmPmSNaspnet_state');
DeleteService('aspnet_stateusnjsvcWmdmPmSN');
DeleteService('aspnet_stateusnjsvc');
DeleteService('aspnet_stateTlntSvr');
DeleteService('actmoviewinmgmtlanmanworkstationactmoviewinmgmtlanmanworkstation');
DeleteService('actmoviewinmgmtlanmanworkstation');
DeleteService('actmoviewinmgmtIDriverT');
DeleteService('actmoviewinmgmt');
// Quarantine the driver before removing its service and the file itself.
QuarantineFile('C:\WINDOWS\System32\Drivers\Winqw17.sys','');
DeleteService('Winqw17');
// Files to delete: everything quarantined above plus the driver of
// 'Soccaemtwksta' and the Bonjour responder (see NOTE above).
DeleteFile('c:\program files\bonjour\mdnsresponder.exe');
DeleteFile('C:\WINDOWS\System32\rilmavsi.dll');
DeleteFile('C:\WINDOWS\system32\blphcvgaj0el6h.scr');
DeleteFile('C:\WINDOWS\System32\desktop.exe');
DeleteFile('C:\WINDOWS\System32\Drivers\Winqw17.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Soccaemtwksta.sys');
BC_ImportAll; // hand the deletion lists above to BootCleaner
ExecuteSysClean;
// The same services again, queued for BootCleaner; presumably so that any
// the in-session DeleteService calls could not remove are deleted at reboot.
BC_DeleteSvc('winmgmtAVP');
BC_DeleteSvc('VSSseclogon');
BC_DeleteSvc('VSSFastUserSwitchingCompatibility');
BC_DeleteSvc('TrkWksAudioSrv');
BC_DeleteSvc('TapiSrvsrservice');
BC_DeleteSvc('svcUpdateStatLmHosts');
BC_DeleteSvc('srserviceDhcp');
BC_DeleteSvc('SQLServerAgentMSSQLServer');
BC_DeleteSvc('SoccaemtwkstaNetman');
BC_DeleteSvc('Soccaemtwksta');
BC_DeleteSvc('SENSlanmanserver');
BC_DeleteSvc('seclogonFirebirdServerDefaultInstance');
BC_DeleteSvc('SCardSvrseclogonFirebirdServerDefaultInstance');
BC_DeleteSvc('SCardSvrHidServ');
BC_DeleteSvc('RemoteRegistryTrkWks');
BC_DeleteSvc('PlugPlayCiSvcoseUMWdf');
BC_DeleteSvc('PlugPlayactmovieactmoviewinmgmtIDriverTImapiService');
BC_DeleteSvc('PlugPlayactmovieactmoviewinmgmtIDriverT');
BC_DeleteSvc('PlugPlayactmovie');
BC_DeleteSvc('oseUMWdf');
BC_DeleteSvc('NetmanNtLmSsp');
BC_DeleteSvc('NetDDEdsdmServiceLayer');
BC_DeleteSvc('MSSQLServerClipSrvWmiApSrv');
BC_DeleteSvc('mnmsrvcSchedule');
BC_DeleteSvc('IviRegMgrTlntSvr');
BC_DeleteSvc('IviRegMgrBrowser');
BC_DeleteSvc('IviRegMgr Licensing Service');
BC_DeleteSvc('ImapiServicewinmgmt');
BC_DeleteSvc('helpsvcIviRegMgrTlntSvr');
BC_DeleteSvc('FirebirdGuardianDefaultInstanceCOMSysApp');
BC_DeleteSvc('Dot3svcAudioSrvusnjsvc');
BC_DeleteSvc('dmserverTermService');
BC_DeleteSvc('dmservermsdtcrpclocatordmadmin');
BC_DeleteSvc('dmserverMSDTCRpcLocator');
BC_DeleteSvc('dmserverMSDTC');
BC_DeleteSvc('dmserverFirebirdGuardianDefaultInstance');
BC_DeleteSvc('DhcpRasMan');
BC_DeleteSvc('DcomLaunchseclogonFirebirdServerDefaultInstance');
BC_DeleteSvc('COMSysAppdmserverNetDDEdsdm');
BC_DeleteSvc('COMSysAppdmserver');
BC_DeleteSvc('ClipSrvWmiApSrv');
BC_DeleteSvc('CiSvcServiceLayer');
BC_DeleteSvc('CiSvcoseUMWdf');
BC_DeleteSvc('CiSvcNetlogon');
BC_DeleteSvc('CCALib8AppMgmtactmoviewinmgmtlanmanworkstationactmoviewinmgmtlanmanworkstation');
BC_DeleteSvc('CCALib8AppMgmt');
BC_DeleteSvc('BonjourSocketServer');
BC_DeleteSvc('BITSCiSvc');
BC_DeleteSvc('AVPAudioSrvBrowser');
BC_DeleteSvc('AudioSrvusnjsvc');
BC_DeleteSvc('AudioSrvBrowser');
BC_DeleteSvc('AudioSrvAudioSrvBrowser');
BC_DeleteSvc('aspnet_stateusnjsvcWmdmPmSNaspnet_stateactmoviewinmgmtlanmanworkstation');
BC_DeleteSvc('aspnet_stateusnjsvcWmdmPmSNaspnet_state');
BC_DeleteSvc('aspnet_stateusnjsvcWmdmPmSN');
BC_DeleteSvc('aspnet_stateusnjsvc');
BC_DeleteSvc('aspnet_stateTlntSvr');
BC_DeleteSvc('actmoviewinmgmtlanmanworkstationactmoviewinmgmtlanmanworkstation');
BC_DeleteSvc('actmoviewinmgmtlanmanworkstation');
BC_DeleteSvc('actmoviewinmgmtIDriverT');
BC_DeleteSvc('actmoviewinmgmt');
// Repeat of the QuarantineFile call issued earlier in this script; harmless.
QuarantineFile('C:\WINDOWS\System32\Drivers\Winqw17.sys','');
BC_DeleteSvc('Winqw17');
BC_Activate;         // arm BootCleaner so the deferred deletions run at boot
RebootWindows(true); // reboot to apply them
end.
[/CODE]
После перезагрузки:
1. Скачать архив: [url]http://freenet-homepage.de/rene-gad/123.zip[/url]
2. Распаковать не в темп-папку, напр. C:\123
3. Файл 123.pif - переименованный Avenger - запустить
4. Подтвердить все, откроется окно.
5. Поставить галку [B]Scan for Rootkits[/B]
6. Скопировать скрипт в окно:
[CODE]files to delete:
C:\Program Files\Far\Pochta\billon\Attach\00000005.MSG/{E-MAIL:base64}/Joke.exe.safe
C:\Program Files\Far\Pochta\billon\Attach\00000007.MSG/{E-MAIL:base64}/price.cpl.safe
C:\Program Files\Far\Pochta\billon\Attach\00000055.MSG/{E-MAIL:base64}/document.pif.safe
C:\Program Files\Far\Pochta\billon\Attach\00000011.MSG/{E-MAIL:base64}/message.zip/{ZIP}/message.txt .exe
C:\Program Files\Far\Pochta\billon\Attach\00000057.MSG/{E-MAIL:base64}/readme.zip/{ZIP}/readme.pif
C:\Program Files\Far\Pochta\billon\Attach\00000012.MSG/{E-MAIL:base64}/test.zip/{ZIP}/test.txt .exe
C:\Program Files\Far\Pochta\billon\Attach\00000016.MSG/{E-MAIL:base64}/doc.zip/{ZIP}/doc.pif
C:\Program Files\Far\Pochta\billon\Attach\00000017.MSG/{E-MAIL:base64}/document.pif.safe
C:\Program Files\Far\Pochta\billon\Attach\00000023.MSG/{E-MAIL:base64}/document.pif.safe
C:\Program Files\Far\Pochta\billon\Attach\00000024.MSG/{E-MAIL:base64}/body.zip/{ZIP}/body.htm .pif
C:\Program Files\Far\Pochta\billon\Attach\00000025.MSG/{E-MAIL:base64}/thxy.pif.safe
C:\Program Files\Far\Pochta\billon\Attach\00000026.MSG/{E-MAIL:base64}/body.zip/{ZIP}/body.htm .pif
C:\Program Files\Far\Pochta\billon\Attach\00000027.MSG/{E-MAIL:base64}/message.bat.safe
C:\Program Files\Far\Pochta\billon\Attach\00000028.MSG/{E-MAIL:base64}/readme.scr.safe
C:\Program Files\Far\Pochta\billon\Attach\00000029.MSG/{E-MAIL:base64}/text.scr.safe
C:\Program Files\Far\Pochta\billon\Attach\00000030.MSG/{E-MAIL:base64}/document.pif.safe
C:\Program Files\Far\Pochta\billon\Attach\00000043.MSG/{E-MAIL:base64}/document.scr.safe
C:\Program Files\Far\Pochta\billon\Attach\00000052.MSG/{E-MAIL:base64}/text.zip/{ZIP}/text.htm .exe
C:\Program Files\Far\Pochta\billon\Attach\00000053.MSG/{E-MAIL:base64}/doc.scr.safe
C:\Program Files\Far\Pochta\billon\Attach\00000054.MSG/{E-MAIL:base64}/doc.pif.safe
C:\Program Files\Far\Pochta\billon\Attach\00000058.MSG/{E-MAIL:base64}/doc.zip/{ZIP}/doc.exe
C:\Program Files\Far\Pochta\billon\Attach\00000059.MSG/{E-MAIL:base64}/data.scr.safe
C:\Program Files\Far\Pochta\billon\Attach\00000061.MSG/{E-MAIL:base64}/file.zip/{ZIP}/file.pif
C:\Program Files\Far\Pochta\billon\Attach\00000066.MSG/{E-MAIL:base64}/document.zip/{ZIP}/document.htm .pif
C:\Program Files\Far\Pochta\billon\Attach\00000069.MSG/{E-MAIL:base64}/patch3425.zip/{ZIP}/data.rtf .scr
C:\Program Files\Far\Pochta\billon\Attach\00000070.MSG/{E-MAIL:base64}/details05.zip/{ZIP}/data.rtf .scr
C:\Program Files\Far\Pochta\billon\Attach\00000071.MSG/{E-MAIL:base64}/document.exe.safe
C:\Program Files\Far\Pochta\billon\Attach\00000072.MSG/{E-MAIL:base64}/document.zip/{ZIP}/document.doc .scr
C:\Program Files\Far\Pochta\billon\Attach\00000073.MSG/{E-MAIL:base64}/mail.zip/{ZIP}/mail.txt .scr
C:\Program Files\Far\Pochta\billon\Attach\00000074.MSG/{E-MAIL:base64}/Readme.exe.safe
C:\Program Files\Far\Pochta\billon\Attach\00000076.MSG/{E-MAIL:base64}/Document.exe.safe
C:\Program Files\Far\Pochta\billon\Attach\00000078.MSG/{E-MAIL:base64}/Document.exe.safe
C:\Program Files\Far\Pochta\billon\Attach\00000079.MSG/{E-MAIL:base64}/text.zip/{ZIP}/text.pif
C:\Program Files\Far\Pochta\billon\Attach\00000080.MSG/{E-MAIL:base64}/document.zip/{ZIP}/document.htm .pif
C:\Recycled\_del\s1-0156416-0654648-646-05\_del\speed\hidden32.exe
[/CODE]
7. Закрыть все окна кроме Avenger
8. Запустить программу, все сообщения подтвердить
9. ПК перегрузится. После перезагрузки могут появиться сообщения об ошибках чтения драйвов - проигнорировать.
10. Откроется окошко с логом. Его сохранить и прикрепить к сообщению.
- [url="http://virusinfo.info/showthread.php?t=10025"]Очистите[/url] темп-папки, кэш проводников и корзину.
- Закройте все программы, включая Антивирус и Файрвол. Оставьте запущенным [B]только Internet Explorer[/B]. Если он не запущен - запустите!!!
- Сделайте повторные логи по правилам.
- Включите Антивирус и Файрвол
- Подключите ПК к интернету/локалке
- Закачайте карантин по ссылке [COLOR="Red"][B]Прислать запрошенный карантин[/B][/COLOR] вверху темы (Приложение 3 правил).
- Прикрепите логи к новому сообщению.