Good afternoon!
I ran into XP Security Center. I seem to have killed it, but a picture saying "WARNING! Spyware detected on your computer" remains on the desktop, and several tabs in Display Properties are locked.
Please help me beat it..
Close all open applications except AVZ and Internet Explorer.
Disable:
- the PC's connection to the Internet/LAN
- the antivirus and firewall.
- System Restore.
- [URL="http://virusinfo.info/showthread.php?t=7239"]Run the script[/URL]
[CODE]begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
QuarantineFile('C:\WINDOWS\System32\Drivers\Winye83.sys','');
QuarantineFile('C:\WINDOWS\System32\Drivers\Winye37.sys','');
QuarantineFile('C:\WINDOWS\System32\Drivers\Winwc73.sys','');
QuarantineFile('C:\WINDOWS\System32\Drivers\Winwc40.sys','');
QuarantineFile('C:\WINDOWS\System32\Drivers\Winwc15.sys','');
QuarantineFile('C:\WINDOWS\System32\Drivers\Winwb37.sys','');
QuarantineFile('C:\WINDOWS\System32\Drivers\Winvb15.sys','');
QuarantineFile('C:\WINDOWS\System32\Drivers\Winva83.sys','');
QuarantineFile('C:\WINDOWS\System32\Drivers\Winty72.sys','');
QuarantineFile('C:\WINDOWS\System32\Drivers\Winty05.sys','');
QuarantineFile('C:\WINDOWS\System32\Drivers\Wintx50.sys','');
QuarantineFile('C:\WINDOWS\System32\Drivers\Winsx61.sys','');
QuarantineFile('C:\WINDOWS\System32\Drivers\Winsw37.sys','');
QuarantineFile('C:\WINDOWS\System32\Drivers\Winqv48.sys','');
QuarantineFile('C:\WINDOWS\System32\Drivers\Winqv05.sys','');
QuarantineFile('C:\WINDOWS\System32\Drivers\Winpu50.sys','');
QuarantineFile('C:\WINDOWS\System32\Drivers\Winpu37.sys','');
QuarantineFile('C:\WINDOWS\System32\Drivers\Winpu15.sys','');
QuarantineFile('C:\WINDOWS\System32\Drivers\Winot27.sys','');
QuarantineFile('C:\WINDOWS\System32\Drivers\Winns26.sys','');
QuarantineFile('C:\WINDOWS\System32\Drivers\Winlq15.sys','');
QuarantineFile('C:\WINDOWS\System32\Drivers\Winlp26.sys','');
QuarantineFile('C:\WINDOWS\System32\Drivers\Winkp72.sys','');
QuarantineFile('C:\WINDOWS\System32\Drivers\Winkp50.sys','');
QuarantineFile('C:\WINDOWS\System32\Drivers\Winko84.sys','');
QuarantineFile('C:\WINDOWS\System32\Drivers\Winko51.sys','');
QuarantineFile('C:\WINDOWS\System32\Drivers\Winim27.sys','');
QuarantineFile('C:\WINDOWS\System32\Drivers\Winhm16.sys','');
QuarantineFile('C:\WINDOWS\System32\Drivers\Wingk26.sys','');
QuarantineFile('C:\WINDOWS\System32\Drivers\Winfj83.sys','');
QuarantineFile('C:\WINDOWS\System32\Drivers\Winej37.sys','');
QuarantineFile('C:\WINDOWS\System32\Drivers\Windi83.sys','');
QuarantineFile('C:\WINDOWS\System32\Drivers\Windi72.sys','');
QuarantineFile('C:\WINDOWS\System32\Drivers\Winch51.sys','');
QuarantineFile('C:\WINDOWS\System32\Drivers\Winch15.sys','');
QuarantineFile('C:\WINDOWS\System32\Drivers\Winbg72.sys','');
QuarantineFile('C:\WINDOWS\System32\Drivers\Winbg15.sys','');
QuarantineFile('C:\WINDOWS\System32\Drivers\Winbg04.sys','');
QuarantineFile('dwshd.sys','');
QuarantineFile('srv.exe','');
DeleteService('AlerterPlugPlay');
DeleteService('AppMgmtRemoteAccess');
DeleteService('AudioSrvUPSwscsvcUPSwscsvc');
DeleteService('BrowserRemoteRegistry');
DeleteService('DcomLaunchDnscachePlugPlay');
DeleteService('dmadminBrowser');
DeleteService('dmadminPolicyAgent');
DeleteService('DnscachePlugPlay');
DeleteService('EventlogDnscachePlugPlay');
DeleteService('HidServNetDDE');
DeleteService('HidServUMWdf');
DeleteService('MessengerThemesWZCSVC');
DeleteService('MSIServerseclogon');
DeleteService('MSIServerUMWdfNetDDEdsdm');
DeleteService('NetlogonAppMgmtRemoteAccess');
DeleteService('Nlahelpsvc');
DeleteService('NlaSpooler');
DeleteService('RasAutostisvc');
DeleteService('RasAutoVSS');
DeleteService('RDSessMgrRSVP');
DeleteService('RemoteRegistrygusvc');
DeleteService('RpcLocatorNetDDEdsdm');
DeleteService('ScheduleRpcLocator');
DeleteService('SENSServiceLayer');
DeleteService('srserviceTermService');
DeleteService('SwPrvImapiService');
DeleteService('SwPrvImapiServiceUPSwscsvcUPSwscsvc');
DeleteService('SwPrvTlntSvr');
DeleteService('SwPrvWmiApSrv');
DeleteService('TermServiceRemoteAccess');
DeleteService('TermServiceRemoteAccessClipSrv');
DeleteService('TermServiceSpooler');
DeleteService('TermServiceSpoolerMSIServer');
DeleteService('ThemesRDSessMgr');
DeleteService('Themesstisvc');
DeleteService('TlntSvrNetlogon');
DeleteService('UMWdfccEvtMgr');
DeleteService('UMWdfccEvtMgrDcomLaunch');
DeleteService('UMWdfNetDDEdsdm');
DeleteService('upnphostlanmanserverTapiSrv');
DeleteService('upnphostlanmanserverTapiSrvNetDDEdsdm');
DeleteService('upnphostPlugPlay');
DeleteService('UPSMSIServerUMWdfNetDDEdsdm');
DeleteService('UPSwscsvc');
DeleteService('UPSwscsvcUPSwscsvc');
DeleteService('usnjsvcTapiSrv');
DeleteService('usnjsvcTapiSrvDnscache');
DeleteService('W32Timegusvc');
DeleteService('W32TimegusvcThemesstisvc');
DeleteService('W32TimeRasMan');
DeleteService('W32TimeusnjsvcTapiSrv');
DeleteService('Wmidmserver');
DeleteService('wuauservWZCSVC');
DeleteService('Winye83');
DeleteService('Winye37');
DeleteService('Winwc73');
DeleteService('Winwc40');
DeleteService('Winwc15');
DeleteService('Winwb37');
DeleteService('Winvb15');
DeleteService('Winva83');
DeleteService('Winty72');
DeleteService('Winty05');
DeleteService('Wintx50');
DeleteService('Winsx61');
DeleteService('Winsw37');
DeleteService('Winqv48');
DeleteService('Winqv05');
DeleteService('Winpu50');
DeleteService('Winpu37');
DeleteService('Winpu15');
DeleteService('Winot27');
DeleteService('Winns26');
DeleteService('Winlq15');
DeleteService('Winlp26');
DeleteService('Winkp72');
DeleteService('Winko84');
DeleteService('Winkp50');
DeleteService('Winko51');
DeleteService('Winim27');
DeleteService('Winhm16');
DeleteService('Wingk26');
DeleteService('Winfj83');
DeleteService('Winej37');
DeleteService('Windi83');
DeleteService('Windi72');
DeleteService('Winch51');
DeleteService('Winch15');
DeleteService('Winbg72');
DeleteService('Winbg15');
DeleteService('Winbg04');
QuarantineFile('C:\Program Files\XPSecurityCenter\XPSecurityCenter.exe','');
QuarantineFile('C:\WINDOWS\system32\SVCH0ST.EXE','');
QuarantineFile('C:\WINDOWS\system32\blphca0lj0ejeg.scr','');
QuarantineFile('C:\WINDOWS\system32\lphca0lj0ejeg.exe','');
QuarantineFile('C:\WINDOWS\system32\userinit.exe','');
QuarantineFile('c:\windows\system32\avifil3.dll','');
QuarantineFile('C:\WINDOWS\system32\avifil3.dll','');
DeleteFile('C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL');
DeleteFile('C:\WINDOWS\system32\avifil3.dll');
DeleteFile('C:\Program Files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL');
DeleteFile('c:\windows\system32\avifil3.dll');
DeleteFile('C:\WINDOWS\system32\lphca0lj0ejeg.exe');
DeleteFile('C:\WINDOWS\system32\blphca0lj0ejeg.scr');
DeleteFile('C:\WINDOWS\system32\SVCH0ST.EXE');
DeleteFile('C:\Program Files\XPSecurityCenter\XPSecurityCenter.exe');
DeleteFile('C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE');
DeleteFile('srv.exe');
DeleteFile('dwshd.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Winbg04.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Winbg15.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Winbg72.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Winch15.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Winch51.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Windi72.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Windi83.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Winej37.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Winfj83.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Wingk26.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Winhm16.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Winim27.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Winko51.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Winko84.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Winkp50.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Winkp72.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Winlq15.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Winns26.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Winot27.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Winpu15.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Winpu37.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Winpu50.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Winqv05.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Winqv48.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Winsw37.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Winsx61.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Wintx50.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Winty05.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Winty72.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Winva83.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Winvb15.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Winwb37.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Winwc15.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Winwc40.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Winwc73.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Winye37.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Winye83.sys');
BC_ImportAll;
ExecuteSysClean;
BC_DeleteSvc('AlerterPlugPlay');
BC_DeleteSvc('AppMgmtRemoteAccess');
BC_DeleteSvc('AudioSrvUPSwscsvcUPSwscsvc');
BC_DeleteSvc('BrowserRemoteRegistry');
BC_DeleteSvc('DcomLaunchDnscachePlugPlay');
BC_DeleteSvc('dmadminBrowser');
BC_DeleteSvc('dmadminPolicyAgent');
BC_DeleteSvc('DnscachePlugPlay');
BC_DeleteSvc('EventlogDnscachePlugPlay');
BC_DeleteSvc('HidServNetDDE');
BC_DeleteSvc('HidServUMWdf');
BC_DeleteSvc('MessengerThemesWZCSVC');
BC_DeleteSvc('MSIServerseclogon');
BC_DeleteSvc('MSIServerUMWdfNetDDEdsdm');
BC_DeleteSvc('NetlogonAppMgmtRemoteAccess');
BC_DeleteSvc('Nlahelpsvc');
BC_DeleteSvc('NlaSpooler');
BC_DeleteSvc('RasAutostisvc');
BC_DeleteSvc('RasAutoVSS');
BC_DeleteSvc('RDSessMgrRSVP');
BC_DeleteSvc('RemoteRegistrygusvc');
BC_DeleteSvc('RpcLocatorNetDDEdsdm');
BC_DeleteSvc('ScheduleRpcLocator');
BC_DeleteSvc('SENSServiceLayer');
BC_DeleteSvc('srserviceTermService');
BC_DeleteSvc('SwPrvImapiService');
BC_DeleteSvc('SwPrvImapiServiceUPSwscsvcUPSwscsvc');
BC_DeleteSvc('SwPrvTlntSvr');
BC_DeleteSvc('SwPrvWmiApSrv');
BC_DeleteSvc('TermServiceRemoteAccess');
BC_DeleteSvc('TermServiceRemoteAccessClipSrv');
BC_DeleteSvc('TermServiceSpooler');
BC_DeleteSvc('TermServiceSpoolerMSIServer');
BC_DeleteSvc('ThemesRDSessMgr');
BC_DeleteSvc('Themesstisvc');
BC_DeleteSvc('TlntSvrNetlogon');
BC_DeleteSvc('UMWdfccEvtMgr');
BC_DeleteSvc('UMWdfccEvtMgrDcomLaunch');
BC_DeleteSvc('UMWdfNetDDEdsdm');
BC_DeleteSvc('upnphostlanmanserverTapiSrv');
BC_DeleteSvc('upnphostlanmanserverTapiSrvNetDDEdsdm');
BC_DeleteSvc('upnphostPlugPlay');
BC_DeleteSvc('UPSMSIServerUMWdfNetDDEdsdm');
BC_DeleteSvc('UPSwscsvc');
BC_DeleteSvc('UPSwscsvcUPSwscsvc');
BC_DeleteSvc('usnjsvcTapiSrv');
BC_DeleteSvc('usnjsvcTapiSrvDnscache');
BC_DeleteSvc('W32Timegusvc');
BC_DeleteSvc('W32TimegusvcThemesstisvc');
BC_DeleteSvc('W32TimeRasMan');
BC_DeleteSvc('W32TimeusnjsvcTapiSrv');
BC_DeleteSvc('Wmidmserver');
BC_DeleteSvc('wuauservWZCSVC');
BC_DeleteSvc('Winye83');
BC_DeleteSvc('Winye37');
BC_DeleteSvc('Winwc73');
BC_DeleteSvc('Winwc40');
BC_DeleteSvc('Winwc15');
BC_DeleteSvc('Winwb37');
BC_DeleteSvc('Winvb15');
BC_DeleteSvc('Winva83');
BC_DeleteSvc('Winty72');
BC_DeleteSvc('Winty05');
BC_DeleteSvc('Wintx50');
BC_DeleteSvc('Winsx61');
BC_DeleteSvc('Winsw37');
BC_DeleteSvc('Winqv48');
BC_DeleteSvc('Winqv05');
BC_DeleteSvc('Winpu50');
BC_DeleteSvc('Winpu37');
BC_DeleteSvc('Winpu15');
BC_DeleteSvc('Winot27');
BC_DeleteSvc('Winns26');
BC_DeleteSvc('Winlq15');
BC_DeleteSvc('Winlp26');
BC_DeleteSvc('Winkp72');
BC_DeleteSvc('Winko84');
BC_DeleteSvc('Winkp50');
BC_DeleteSvc('Winko51');
BC_DeleteSvc('Winim27');
BC_DeleteSvc('Winhm16');
BC_DeleteSvc('Wingk26');
BC_DeleteSvc('Winfj83');
BC_DeleteSvc('Winej37');
BC_DeleteSvc('Windi83');
BC_DeleteSvc('Windi72');
BC_DeleteSvc('Winch51');
BC_DeleteSvc('Winch15');
BC_DeleteSvc('Winbg72');
BC_DeleteSvc('Winbg15');
BC_DeleteSvc('Winbg04');
BC_Activate;
RebootWindows(true);
end.
[/CODE]
After the reboot:
- [url="http://virusinfo.info/showthread.php?t=10025"]Clean[/url] the temp folders, browser caches and the Recycle Bin.
- Close all programs, including the antivirus and firewall; leave [B]only Internet Explorer[/B] running. If it is not running, start it!!!
- Make fresh logs according to the rules.
- Turn the antivirus and firewall back on
- Reconnect the PC to the Internet/LAN
- Upload the quarantine via the link [COLOR="Red"][B]Send the requested quarantine[/B][/COLOR] at the top of the thread (Appendix 3 of the rules).
- Attach the logs to a new message.
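The script above removes two kinds of persistence: services whose names are two or more legitimate Windows service names glued together (AlerterPlugPlay, Wmidmserver, UPSwscsvcUPSwscsvc) and rootkit drivers named Win plus two letters plus two digits. As an added example, not from the thread or from AVZ, here is a Python check that flags both patterns in a service list or driver directory listing; the KNOWN_SERVICES set is an assumption assembled from the components visible in the script, and the sample inputs are constructed.

```python
import re

# Assumed list of legitimate service short names, built from the components the
# fake names in this thread were glued together from (Alerter + PlugPlay, ...).
KNOWN_SERVICES = {
    "Alerter", "PlugPlay", "AppMgmt", "RemoteAccess", "AudioSrv", "UPS", "wscsvc",
    "Browser", "RemoteRegistry", "DcomLaunch", "Dnscache", "dmadmin", "PolicyAgent",
    "Eventlog", "HidServ", "NetDDE", "NetDDEdsdm", "UMWdf", "Messenger", "Themes",
    "WZCSVC", "MSIServer", "seclogon", "Netlogon", "Nla", "helpsvc", "Spooler",
    "RasAuto", "stisvc", "VSS", "RDSessMgr", "RSVP", "gusvc", "RpcLocator", "SENS",
    "Schedule", "ServiceLayer", "srservice", "TermService", "SwPrv", "ImapiService",
    "TlntSvr", "WmiApSrv", "ClipSrv", "ccEvtMgr", "upnphost", "lanmanserver",
    "TapiSrv", "usnjsvc", "W32Time", "RasMan", "Wmi", "dmserver", "wuauserv",
}
_LOWER = {s.lower(): s for s in KNOWN_SERVICES}

# Every rootkit driver quarantined in the thread is named Win + 2 letters + 2 digits.
DRIVER_RE = re.compile(r"^Win[a-z]{2}\d{2}\.sys$", re.IGNORECASE)

def split_into_known(name):
    """Shortest split of name into two or more known service names, else None.
    best[i] is the fewest-segment split of name[:i], so 'AlerterPlugPlay' gives
    ['Alerter', 'PlugPlay'] while a genuine 'Spooler' is one segment: not flagged."""
    best = [None] * (len(name) + 1)
    best[0] = []
    for i in range(1, len(name) + 1):
        for j in range(i):
            piece = name[j:i].lower()
            if best[j] is not None and piece in _LOWER:
                cand = best[j] + [_LOWER[piece]]
                if best[i] is None or len(cand) < len(best[i]):
                    best[i] = cand
    parts = best[len(name)]
    return parts if parts and len(parts) >= 2 else None

def scan_services(names):
    """Map each suspicious service name to the legitimate names it was built from."""
    return {n: parts for n in names if (parts := split_into_known(n))}

def scan_drivers(filenames):
    """Driver file names matching the random Winxx##.sys pattern from the thread."""
    return [f for f in filenames if DRIVER_RE.match(f)]

# Constructed sample input: legitimate names mixed with names taken from the script.
SAMPLE_SERVICES = ["Spooler", "NetDDEdsdm", "AlerterPlugPlay", "Wmidmserver",
                   "UPSwscsvcUPSwscsvc", "Winye83"]
SAMPLE_DRIVERS = ["ntfs.sys", "Winye83.sys", "Winbg04.sys", "dwshd.sys"]
```

On a live machine the service names would come from the SCM (for example the output of `sc query`) and the driver names from a listing of System32\Drivers; a hit is a reason to inspect, not proof on its own.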
Here is what I got so far...
The tabs have not come back, the picture on the desktop is still there.
Disable System Restore!
[URL="http://virusinfo.info/showthread.php?t=7239"]AVZ, menu "File - Run script" -- copy the script written below -- press the "Run" button.[/URL]
[CODE]begin
ClearQuarantine;
SetAVZGuardStatus(True);
DeleteService('MessengerThemes');
DeleteService('lanmanserverTapiSrv');
ExecuteSysClean;
BC_DeleteSvc('MessengerThemes');
BC_DeleteSvc('lanmanserverTapiSrv');
BC_Activate;
ExecuteRepair(5);
ExecuteRepair(6);
RegKeyStrParamWrite('HKEY_USERS','.DEFAULT\Control Panel\Desktop','Wallpaper','');
RebootWindows(true);
end.[/CODE]
Send the quarantine according to the rules and repeat the logs...
[size="1"][color="#666686"][B][I]Added 50 minutes later[/I][/B][/color][/size]
userinit.exe_ - [B]Trojan.Win32.Agent.adjr[/B]
It needs to be replaced with a clean copy from the distribution media...
Everything seems to be gone. Please look at the logs, is it fine or not?
Nothing suspicious in the logs.
Any other problems?
No more problems. Thank you very much!
Install Service Pack 3; system activation may be required.
Statistics of the treatment performed:
[LIST][*]Quarantines received: [B]1[/B]
[*]Files processed: [B]100[/B]
[*]Malicious programs detected during treatment:
[LIST=1][*] c:\system volume information\_restore{078295f9-5e2d-44d6-bd7e-1b309159e9e0}\rp2\a0000057.dll - [B]Rootkit.Win32.Podnuha.bcr[/B]
[*] c:\system volume information\_restore{078295f9-5e2d-44d6-bd7e-1b309159e9e0}\rp2\a0000058.dll - [B]not-a-virus:WebToolbar.Win32.MyWebSearch[/B] (DrWEB: Adware.Msearch)
[*] c:\windows\system32\avifil3.dll - [B]Rootkit.Win32.Podnuha.bcr[/B]
[*] c:\windows\system32\lphca0lj0ejeg.exe - [B]Backdoor.Win32.Frauder.fk[/B] (DrWEB: Trojan.Packed.636)
[*] c:\windows\system32\userinit.exe - [B]Trojan.Win32.Agent.adjr[/B][/LIST][/LIST]