-
Здравствуйте.
Проблема в следующем: была куча вирусов на машине, поудалял их сначала Нодом затем пандой. Сейчас стоит Нод. При сканирование ничего не находит. Но после включения компьютера или после загрузки нод радостно сообщает
[URL="http://:http/codec.exe"]:http:myceck.com/codec.exe[/URL] Win32/TrojanDownloader.FakeAlert.GU
C:\WINDOWS\System32\drivers\Winms30.sys Win32/Wigon.CK
Логи приложил.
[size="1"][color="#666686"][B][I]Добавлено через 2 минуты[/I][/B][/color][/size]
не цепляется вложение...
Спасибо, помогло удаление
На всякий случай залил на депозит
[URL]http://depositfiles.com/files/7905232[/URL]
-
На время выполнения скрипта, отключитесь от сети и отключите антивирусный монитор.
Пофиксите с помощью Hijackthis строку: [code]O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll[/code]
Программа AVZ - файл - выполнить скрипт - выполните скрипт: [code]begin
// AVZ cleanup script for this thread (body of the begin..end. block).
// Runs offline, with the AV monitor disabled, as the post above instructs.
// Step 1: rootkit search and AVZGuard, so the removals below run with
// the AVZ protection active (arguments as given in the original post).
SearchRootkit(true, true);
SetAVZGuardStatus(True);
// Step 2: delete the services listed below. The names come from the
// poster's logs (not visible in this page); the random-looking 'WinXXnn'
// names and the concatenated legitimate-service names are the entries
// chosen by the helper — verify against the attached log before reuse.
DeleteService('Winag62');
DeleteService('Winag85');
DeleteService('Winah86');
DeleteService('Winbh17');
DeleteService('Windi51');
DeleteService('Winfl06');
DeleteService('Wingo86');
DeleteService('Winhn74');
DeleteService('Winmt42');
DeleteService('Winnt52');
DeleteService('Winnt85');
DeleteService('Winnu31');
DeleteService('Winot84');
DeleteService('Winov75');
DeleteService('Winqx53');
DeleteService('Winrx28');
DeleteService('Winsy28');
DeleteService('Winta05');
DeleteService('Wintc07');
DeleteService('Winvb62');
DeleteService('Winvc38');
DeleteService('Winvd07');
DeleteService('Winve64');
DeleteService('Winwc05');
DeleteService('Winyf17');
DeleteService('Winwe20');
DeleteService('WudfSvcEventlogDhcplanmanworkstation');
DeleteService('WudfSvcEventlog');
DeleteService('W32TimeSharedAccess');
DeleteService('ThemesNtLmSspwinmgmt');
DeleteService('ThemesNtLmSsp');
DeleteService('ThemesDnscache');
DeleteService('TapiSrvAppMgmt');
DeleteService('SysmonLogImapiService');
DeleteService('SSDPSRVRDSessMgr');
DeleteService('SamSsawhost32');
DeleteService('RSVPSR_Service');
DeleteService('RpcLocatorBITS');
DeleteService('RemoteAccess Service');
DeleteService('PlugPlay Service');
DeleteService('NtmsSvcRasMan');
DeleteService('MSDTCPlugPlay');
DeleteService('MSDTCbtwdins');
DeleteService('LmHostsDhcplanmanworkstation');
DeleteService('lanmanserverSR_WatchDogdmserver');
DeleteService('lanmanserverSR_WatchDog');
DeleteService('iPodRemoteAccess');
DeleteService('iPodRasAuto');
DeleteService('ImapiServiceALGNetDDEdsdmNetDDENVSvc');
DeleteService('HidServTapiSrvAppMgmt');
DeleteService('FastUserSwitchingCompatibilitySamSs');
DeleteService('FastUserSwitchingCompatibilitylanmanworkstationWMPNetworkSvc');
DeleteService('FastUserSwitchingCompatibilitylanmanworkstation');
DeleteService('FastUserSwitchingCompatibilityFastUserSwitchingCompatibilitylanmanworkstation');
DeleteService('dmserverALGNetDDEdsdmNetDDENVSvc');
DeleteService('Dhcplanmanworkstation');
DeleteService('DcomLaunchlanmanserver');
DeleteService('COMSysApplanmanserver');
DeleteService('ClipSrvlanmanserverSR_WatchDog');
DeleteService('btwdinswinmgmt');
DeleteService('awhost32SysmonLog');
DeleteService('aspnet_stateSSDPSRV');
DeleteService('aspnet_stateDhcpwscsvcProtectedStorage');
DeleteService('aspnet_stateDhcpwscsvc');
DeleteService('aspnet_stateDhcp');
DeleteService('AppMgmtNetDDE');
DeleteService('ALGNetDDEdsdmNetDDENVSvc');
DeleteService('ALGNetDDEdsdmNetDDE');
DeleteService('ALGNetDDEdsdm');
// Step 3: the same names again with the BC_ prefix — presumably queued
// for the boot-time cleaner that BC_Activate enables below, so that
// anything the live deletion could not remove is handled before the
// services start on the next boot. The two lists are kept identical
// (same 69 names, same order); if one list is edited, edit the other.
BC_DeleteSVC('Winag62');
BC_DeleteSVC('Winag85');
BC_DeleteSVC('Winah86');
BC_DeleteSVC('Winbh17');
BC_DeleteSVC('Windi51');
BC_DeleteSVC('Winfl06');
BC_DeleteSVC('Wingo86');
BC_DeleteSVC('Winhn74');
BC_DeleteSVC('Winmt42');
BC_DeleteSVC('Winnt52');
BC_DeleteSVC('Winnt85');
BC_DeleteSVC('Winnu31');
BC_DeleteSVC('Winot84');
BC_DeleteSVC('Winov75');
BC_DeleteSVC('Winqx53');
BC_DeleteSVC('Winrx28');
BC_DeleteSVC('Winsy28');
BC_DeleteSVC('Winta05');
BC_DeleteSVC('Wintc07');
BC_DeleteSVC('Winvb62');
BC_DeleteSVC('Winvc38');
BC_DeleteSVC('Winvd07');
BC_DeleteSVC('Winve64');
BC_DeleteSVC('Winwc05');
BC_DeleteSVC('Winyf17');
BC_DeleteSVC('Winwe20');
BC_DeleteSVC('WudfSvcEventlogDhcplanmanworkstation');
BC_DeleteSVC('WudfSvcEventlog');
BC_DeleteSVC('W32TimeSharedAccess');
BC_DeleteSVC('ThemesNtLmSspwinmgmt');
BC_DeleteSVC('ThemesNtLmSsp');
BC_DeleteSVC('ThemesDnscache');
BC_DeleteSVC('TapiSrvAppMgmt');
BC_DeleteSVC('SysmonLogImapiService');
BC_DeleteSVC('SSDPSRVRDSessMgr');
BC_DeleteSVC('SamSsawhost32');
BC_DeleteSVC('RSVPSR_Service');
BC_DeleteSVC('RpcLocatorBITS');
BC_DeleteSVC('RemoteAccess Service');
BC_DeleteSVC('PlugPlay Service');
BC_DeleteSVC('NtmsSvcRasMan');
BC_DeleteSVC('MSDTCPlugPlay');
BC_DeleteSVC('MSDTCbtwdins');
BC_DeleteSVC('LmHostsDhcplanmanworkstation');
BC_DeleteSVC('lanmanserverSR_WatchDogdmserver');
BC_DeleteSVC('lanmanserverSR_WatchDog');
BC_DeleteSVC('iPodRemoteAccess');
BC_DeleteSVC('iPodRasAuto');
BC_DeleteSVC('ImapiServiceALGNetDDEdsdmNetDDENVSvc');
BC_DeleteSVC('HidServTapiSrvAppMgmt');
BC_DeleteSVC('FastUserSwitchingCompatibilitySamSs');
BC_DeleteSVC('FastUserSwitchingCompatibilitylanmanworkstationWMPNetworkSvc');
BC_DeleteSVC('FastUserSwitchingCompatibilitylanmanworkstation');
BC_DeleteSVC('FastUserSwitchingCompatibilityFastUserSwitchingCompatibilitylanmanworkstation');
BC_DeleteSVC('dmserverALGNetDDEdsdmNetDDENVSvc');
BC_DeleteSVC('Dhcplanmanworkstation');
BC_DeleteSVC('DcomLaunchlanmanserver');
BC_DeleteSVC('COMSysApplanmanserver');
BC_DeleteSVC('ClipSrvlanmanserverSR_WatchDog');
BC_DeleteSVC('btwdinswinmgmt');
BC_DeleteSVC('awhost32SysmonLog');
BC_DeleteSVC('aspnet_stateSSDPSRV');
BC_DeleteSVC('aspnet_stateDhcpwscsvcProtectedStorage');
BC_DeleteSVC('aspnet_stateDhcpwscsvc');
BC_DeleteSVC('aspnet_stateDhcp');
BC_DeleteSVC('AppMgmtNetDDE');
BC_DeleteSVC('ALGNetDDEdsdmNetDDENVSvc');
BC_DeleteSVC('ALGNetDDEdsdmNetDDE');
BC_DeleteSVC('ALGNetDDEdsdm');
// Step 4: files. dns-sd.exe is only quarantined (copied for analysis),
// not deleted — presumably not yet classified at this point; confirm
// from the quarantine before deciding on it.
QuarantineFile('C:\WINDOWS\system32\dns-sd.exe','');
// WinCtrl32.dll is the O20 Winlogon Notify DLL named in the HijackThis
// line above: keep a quarantine copy, then delete it both now and at boot
// (a Winlogon Notify DLL is loaded by winlogon, so the live delete may
// fail and the boot-time delete is the fallback).
QuarantineFile('C:\WINDOWS\system32\WinCtrl32.dll','');
DeleteFile('C:\WINDOWS\system32\WinCtrl32.dll');
BC_DeleteFile('C:\WINDOWS\system32\WinCtrl32.dll');
// Remove the Winlogon Notify registration so the (now missing) DLL is not
// looked up again at logon. Matches the HijackThis O20 entry.
delwinlogonnotifybykeyname('WinCtrl32');
// NOTE(review): the driver C:\WINDOWS\System32\drivers\Winms30.sys flagged
// in the first post (Win32/Wigon.CK) is not referenced in this script —
// presumably already removed by the AV, but confirm it is gone in the
// follow-up logs.
// Step 5: enable the boot cleaner, run the system cleanup and reboot so
// the BC_ entries are applied.
BC_Activate;
ExecuteSysClean;
RebootWindows(true);
end.[/code]После перезагрузки, карантин AVZ загрузите по ссылке [url]http://virusinfo.info/upload_virus.php?tid=30054[/url] , как написано в прил. 3 правил, и повторите логи.
-
Итог лечения
Статистика проведенного лечения:
[LIST][*]Получено карантинов: [B]5[/B][*]Обработано файлов: [B]7[/B][*]В ходе лечения обнаружены вредоносные программы:
[LIST=1][*] c:\windows\system32\winctrl32.dll - [B]Trojan-Downloader.Win32.Mutant.bgz[/B] (DrWEB: BackDoor.Bulknet.238)[*] c:\windows\system32\winctrl32.dll - [B]Trojan-Downloader.Win32.Mutant.bhl[/B] (DrWEB: BackDoor.Bulknet.238)[/LIST][/LIST]