Надпись на рабочем столе о вирусе, невозможно поменять заставку рабочего стола. Через 1–2 минуты работы в интернете компьютер перезагружается
Надпись на рабочем столе о вирусе, невозможно поменять заставку рабочего стола. Через 1–2 минуты работы в интернете компьютер перезагружается
[url]http://virusinfo.info/showthread.php?t=1235[/url]
[quote=Гриша;293683][URL]http://virusinfo.info/showthread.php?t=1235[/URL][/quote]
Я не пойму, как в редакторе прикрепить файлы с логами.
Расширенный режим => внизу «Управление вложениями».
Там появляется таблица, в ней я прикрепляю файлы, но в письме они не отображаются :(
Вот в этой таблице вставляю файлы, но в письме они не отображаются.
[URL="http://virusinfo.info/newattachment.php?t=31587&poststarttime=1223317685&posthash=7f5e06ddcb416deff4a136de4db419b5#"]Close this window[/URL] Manage Attachments
11
Во блин, получилось вроде!!!
[URL="http://mail.ustc.edu.cn/~jfpan/download/IceSword122en.zip"]Скачать[/URL], меню File, появится аналог проводника, найти:
[CODE]C:\WINDOWS\System32\Drivers\Winjx74.sys[/CODE]
правая кнопка мыши — Force Delete; на запрос о перезагрузке ответьте положительно.
[URL="http://virusinfo.info/showthread.php?t=7239"]AVZ, меню "Файл - Выполнить скрипт" -- Скопировать ниже написанный скрипт-- Нажать кнопку "Запустить".[/URL]
[CODE]begin
// AVZ cleanup script for this thread. The order is deliberate: suspect files
// are copied to quarantine first, then the rogue services and files are
// removed, the deferred BC_* cleanup is scheduled, the default-profile
// wallpaper value is cleared, and the machine is rebooted.
SearchRootkit(true, true);
SetAVZGuardStatus(True);
// Quarantine copies before anything is deleted so samples survive for analysis.
QuarantineFile('C:\WINDOWS\system32\winivstr.exe','');
QuarantineFile('C:\WINDOWS\system32\drivers\312.exe','');
QuarantineFile('C:\WINDOWS\system32\braviax.exe','');
QuarantineFile('C:\WINDOWS\System32\Drivers\Winxa82.sys','');
QuarantineFile('C:\WINDOWS\System32\Drivers\Winuj57.sys','');
QuarantineFile('C:\WINDOWS\System32\Drivers\Winty18.sys','');
QuarantineFile('C:\WINDOWS\System32\Drivers\Wintq13.sys','');
QuarantineFile('C:\WINDOWS\System32\Drivers\Winie61.sys','');
QuarantineFile('C:\WINDOWS\System32\Drivers\Wincc28.sys','');
DeleteService('VIDEO');
QuarantineFile('C:\WINDOWS\SYSTEM32\VIDEO.sys','');
// The rogue service names below look like concatenations of legitimate
// Windows service names (WZCSVC, TapiSrv, RemoteAccess, Schedule, ...);
// they are listed one by one, presumably as they appeared in the posted logs.
DeleteService('Winjx74');
DeleteService('WZCSVCsrserviceTapiSrvRemoteAccessScheduleNetDDEdsdm');
DeleteService('WZCSVCsrserviceTapiSrvRemoteAccessSchedule');
DeleteService('WZCSVCsrserviceTapiSrvRemoteAccess');
DeleteService('WZCSVCMSIServer');
DeleteService('wscsvcRSVPALGWmiApSrv');
DeleteService('wscsvcRSVPALG');
DeleteService('WebClientseclogonPolicyAgentNtLmSspCOMSysApp');
DeleteService('WebClientC-DillaCdaC11BA');
DeleteService('VSSWmdmPmSN');
DeleteService('upnphosthelpsvcWebClientRasMan');
DeleteService('TermServicePolicyAgentCiSvc');
DeleteService('TermServicePolicyAgent');
DeleteService('TapiSrvHTTPFilter');
DeleteService('SSDPSRVRSVPALGHTTPFilterC-DillaCdaC11BA');
DeleteService('SSDPSRVlanmanworkstationSENS');
DeleteService('SSDPSRVlanmanworkstation');
DeleteService('SSDPSRVBITSSCardSvr');
DeleteService('SSDPSRVBITS');
DeleteService('srserviceTapiSrvRemoteAccesssrserviceTapiSrvRemoteAccessBITS');
DeleteService('srserviceTapiSrvRemoteAccessseclogonPolicyAgentNtLmSspCOMSysApp');
DeleteService('srserviceTapiSrvRemoteAccessBITS');
DeleteService('srserviceTapiSrvRemoteAccess');
DeleteService('srserviceTapiSrvAVP');
DeleteService('srserviceTapiSrv');
DeleteService('ShellHWDetectionSharedAccess');
DeleteService('sfrem01helpsvcWebClient');
DeleteService('seclogonwuauserv');
DeleteService('seclogonPolicyAgentW32TimeTapiSrvsfrem01');
DeleteService('seclogonPolicyAgentW32TimeTapiSrv');
DeleteService('seclogonPolicyAgentW32Time');
DeleteService('seclogonPolicyAgentNtLmSspCOMSysAppCOMSysAppwinmgmtTermServicePolicyAgentCiSvc');
DeleteService('seclogonPolicyAgentNtLmSspCOMSysApp');
DeleteService('seclogonPolicyAgentBrowserERSvc');
DeleteService('seclogonPolicyAgent');
DeleteService('ScheduleWmdmPmSNCryptSvc');
DeleteService('ScheduleWmdmPmSN');
DeleteService('ScheduleTrkWks');
DeleteService('RSVPwscsvcwscsvc');
DeleteService('RSVPwscsvc');
DeleteService('RSVPALGose');
DeleteService('RSVPALGHTTPFilterC-DillaCdaC11BA');
DeleteService('RSVPALGHTTPFilter');
DeleteService('RSVPALG');
DeleteService('RpcSsNtLmSspCOMSysApp');
DeleteService('RpcLocatorwinmgmtWZCSVCMSIServer');
DeleteService('RpcLocatorwinmgmt');
DeleteService('RpcLocatorMessenger');
DeleteService('RpcLocatorHTTPFilter');
DeleteService('RemoteAccessShellHWDetection');
DeleteService('RemoteAccessRpcSsTermServicePolicyAgent');
DeleteService('RemoteAccessRpcSs');
DeleteService('RemoteAccessoseupnphosthelpsvcWebClientRasMan');
DeleteService('RemoteAccessose');
DeleteService('RDSessMgrRSVP');
DeleteService('RDSessMgrBrowserERSvcDhcp');
DeleteService('PlugPlayMSIServer');
DeleteService('NVSvcRpcLocatorHTTPFilter');
DeleteService('NtmsSvcxmlprov');
DeleteService('NtmsSvcScheduleTrkWks');
DeleteService('NtmsSvcHidServ');
DeleteService('NtLmSspCOMSysAppNtmsSvcxmlprov');
DeleteService('NtLmSspCOMSysApp');
DeleteService('NetlogonseclogonPolicyAgentW32TimeC-DillaCdaC11BA');
DeleteService('NetlogonseclogonPolicyAgentW32Time');
DeleteService('NetlogonRSVPALGHTTPFilter');
DeleteService('NetlogonRemoteAccessRpcSs');
DeleteService('NetDDEBrowserERSvcDhcp');
DeleteService('mnmsrvcTrkWks');
DeleteService('HTTPFilterRpcLocatorwinmgmtWZCSVCMSIServer');
DeleteService('HTTPFilterNetlogonRSVPALGHTTPFiltermnmsrvcTrkWks');
DeleteService('HTTPFilterNetlogonRSVPALGHTTPFilter');
DeleteService('helpsvcWebClientRasManRSVP');
DeleteService('helpsvcWebClientRasMan');
DeleteService('helpsvcWebClient');
DeleteService('DnscacheLmHosts');
DeleteService('DhcpMSIServer');
DeleteService('CryptSvcIDriverT');
DeleteService('COMSysAppwinmgmtTermServicePolicyAgentCiSvc');
DeleteService('COMSysAppwinmgmt');
DeleteService('clr_optimization_v2.0.50727_32srserviceTapiSrvAVP');
DeleteService('CiSvcTuneUp.Defrag');
DeleteService('BrowserERSvcDhcp');
DeleteService('BrowserERSvc');
DeleteService('BITSVSS');
DeleteService('AudioSrvW32Timedmadmin');
DeleteService('AudioSrvW32Time');
DeleteService('AudioSrvRDSessMgrRSVPRemoteAccessoseupnphosthelpsvcWebClientRasMan');
DeleteService('AudioSrvRDSessMgrRSVP');
DeleteService('AudioSrvCiSvc');
DeleteService('AppMgmtlanmanworkstation');
DeleteService('AppMgmtaspnet_state');
DeleteService('ALGAppMgmtaspnet_state');
// Remaining samples (braviax.exe is quarantined a second time here), then the
// running process is stopped before its file is deleted.
QuarantineFile('C:\WINDOWS\system32\Drivers\Winjx74.sys','');
QuarantineFile('C:\WINDOWS\system32\WinCtrl32.dll','');
QuarantineFile('c:\windows\system32\braviax.exe','');
TerminateProcessByName('c:\windows\system32\braviax.exe');
DeleteFile('c:\windows\system32\braviax.exe');
DeleteFile('C:\WINDOWS\system32\WinCtrl32.dll');
DeleteFile('C:\WINDOWS\system32\Drivers\Winjx74.sys');
DeleteFile('C:\WINDOWS\SYSTEM32\VIDEO.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Wincc28.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Winie61.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Wintq13.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Winty18.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Winuj57.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Winxa82.sys');
// NOTE(review): Winxm41.sys and blphcewbj0ea56.scr are deleted without a
// preceding QuarantineFile, so no sample of them is kept.
DeleteFile('C:\WINDOWS\System32\Drivers\Winxm41.sys');
DeleteFile('C:\WINDOWS\system32\blphcewbj0ea56.scr');
DeleteFile('C:\WINDOWS\system32\braviax.exe');
// NOTE(review): the next two paths carry no directory; confirm which directory
// AVZ resolves bare file names against before relying on these two lines.
DeleteFile('WinCtrl32.dll');
DeleteFile('karina.dat');
DeleteFile('C:\WINDOWS\system32\drivers\312.exe');
DeleteFile('C:\WINDOWS\system32\winivstr.exe');
// Hand the pending work to the deferred BC_* cleaner, run the system clean-up
// and the two numbered repairs, blank the Wallpaper value of the .DEFAULT
// profile (the "virus" desktop text reported in the thread), and reboot.
BC_ImportALL;
ExecuteSysClean;
BC_Activate;
ExecuteRepair(5 );
ExecuteRepair(6 );
RegKeyStrParamWrite('HKEY_USERS','.DEFAULT\Control Panel\Desktop','Wallpaper','');
RebootWindows(true);
end.[/CODE]
Пришлите карантин по правилам и повторите логи...
Скачал программу, но по указанному адресу не нашёл указанного файла :(
нашел, все ок, сделаю логи и пришлю
Все ок, спасибо.
Восстановление отключите!
[URL="http://virusinfo.info/showthread.php?t=7239"]AVZ, меню "Файл - Выполнить скрипт" -- Скопировать ниже написанный скрипт-- Нажать кнопку "Запустить".[/URL]
[CODE]begin
// Follow-up AVZ script: removes the driver and the rogue services that
// survived the first pass, deletes two executables from a System Restore
// point, then repeats the same service list as BC_DeleteSvc so the removals
// are retried by the deferred BC_* cleaner before the reboot.
SearchRootkit(true, true);
SetAVZGuardStatus(True);
DeleteService('Winjx74');
DeleteService('WZCSVCsrserviceTapiSrvRemoteAccessScheduleNetDDEdsdmRpcLocatorwinmgmtWZCSVCMSIServer');
DeleteService('WZCSVCsrserviceTapiSrvRemoteAccessScheduleNetDDEdsdm');
DeleteService('WZCSVCsrserviceTapiSrvRemoteAccessSchedule');
DeleteService('WZCSVCsrserviceTapiSrvRemoteAccess');
DeleteService('WZCSVCMSIServer');
DeleteService('wscsvcRSVPALGWmiApSrv');
DeleteService('wscsvcRSVPALG');
DeleteService('WebClientseclogonPolicyAgentNtLmSspCOMSysApp');
DeleteService('WebClientC-DillaCdaC11BA');
DeleteService('VSSWmdmPmSN');
DeleteService('upnphosthelpsvcWebClientRasManDcomLaunch');
DeleteService('upnphosthelpsvcWebClientRasMan');
DeleteService('TermServicePolicyAgentCiSvc');
DeleteService('TermServicePolicyAgent');
DeleteService('TapiSrvHTTPFilter');
DeleteService('SysmonLogUMWdf');
DeleteService('SSDPSRVRSVPALGHTTPFilterC-DillaCdaC11BA');
DeleteService('SSDPSRVlanmanworkstationSENS');
DeleteService('SSDPSRVlanmanworkstation');
DeleteService('SSDPSRVBITSSCardSvr');
DeleteService('SSDPSRVBITS');
DeleteService('srserviceTapiSrvRemoteAccesssrserviceTapiSrvRemoteAccessBITS');
DeleteService('srserviceTapiSrvRemoteAccessseclogonPolicyAgentNtLmSspCOMSysApp');
DeleteService('srserviceTapiSrvRemoteAccessBITS');
DeleteService('srserviceTapiSrvRemoteAccess');
DeleteService('srserviceTapiSrvAVP');
DeleteService('srserviceTapiSrv');
DeleteService('ShellHWDetectionSharedAccess');
DeleteService('sfrem01helpsvcWebClient');
DeleteService('seclogonwuauserv');
DeleteService('seclogonPolicyAgentW32TimeTapiSrvsfrem01');
DeleteService('seclogonPolicyAgentW32TimeTapiSrv');
DeleteService('seclogonPolicyAgentW32Time');
DeleteService('seclogonPolicyAgentNtLmSspCOMSysAppCOMSysAppwinmgmtTermServicePolicyAgentCiSvcSysmonLog');
DeleteService('seclogonPolicyAgentNtLmSspCOMSysApp');
DeleteService('seclogonPolicyAgentBrowserERSvc');
DeleteService('ScheduleWmdmPmSNCryptSvc');
DeleteService('ScheduleWmdmPmSN');
DeleteService('ScheduleTrkWks');
DeleteService('RSVPALGose');
DeleteService('RSVPALGHTTPFilterC-DillaCdaC11BA');
DeleteService('RSVPALGHTTPFilter');
DeleteService('RSVPALG');
DeleteService('RpcSsShellHWDetection');
DeleteService('RpcSsNtLmSspCOMSysApp');
DeleteService('RpcLocatorwinmgmtWZCSVCMSIServer');
DeleteService('RpcLocatorwinmgmt');
DeleteService('RpcLocatorMessenger');
DeleteService('RpcLocatorHTTPFilter');
DeleteService('RemoteAccessShellHWDetection');
DeleteService('RemoteAccessRpcSsTermServicePolicyAgent');
DeleteService('RemoteAccessRpcSs');
DeleteService('RemoteAccessoseupnphosthelpsvcWebClientRasMan');
DeleteService('RemoteAccessose');
DeleteService('RDSessMgrRSVP');
DeleteService('RDSessMgrBrowserERSvcDhcp');
DeleteService('PlugPlayMSIServer');
DeleteService('NVSvcRpcLocatorHTTPFilter');
DeleteService('NtmsSvcxmlprov');
DeleteService('NtmsSvcScheduleTrkWks');
DeleteService('NtmsSvcHidServ');
DeleteService('NtLmSsphelpsvcWebClientRasManRSVP');
DeleteService('NtLmSspCOMSysAppNtmsSvcxmlprov');
DeleteService('NtLmSspCOMSysApp');
DeleteService('NetlogonseclogonPolicyAgentW32TimeC-DillaCdaC11BA');
DeleteService('NetlogonseclogonPolicyAgentW32Time');
DeleteService('NetlogonRSVPALGHTTPFilter');
DeleteService('NetlogonRemoteAccessRpcSs');
DeleteService('mnmsrvcTrkWks');
DeleteService('HTTPFilterRpcLocatorwinmgmtWZCSVCMSIServer');
DeleteService('HTTPFilterNetlogonRSVPALGHTTPFiltermnmsrvcTrkWks');
DeleteService('HTTPFilterNetlogonRSVPALGHTTPFilter');
DeleteService('helpsvcWebClientRasManRSVP');
DeleteService('helpsvcWebClientRasMan');
DeleteService('helpsvcWebClient');
DeleteService('DnscacheLmHosts');
DeleteService('DhcpMSIServer');
DeleteService('CryptSvcIDriverT');
DeleteService('COMSysAppwinmgmtTermServicePolicyAgentCiSvc');
DeleteService('COMSysAppwinmgmtDnscacheLmHosts');
DeleteService('COMSysAppwinmgmt');
DeleteService('clr_optimization_v2.0.50727_32srserviceTapiSrvAVP');
DeleteService('CiSvcTuneUp.Defrag');
DeleteService('BrowserERSvcDhcp');
DeleteService('BrowserERSvc');
DeleteService('BITSVSS');
DeleteService('AudioSrvW32Timedmadmin');
DeleteService('AudioSrvW32Time');
DeleteService('AudioSrvRDSessMgrRSVPRemoteAccessoseupnphosthelpsvcWebClientRasMan');
DeleteService('AudioSrvRDSessMgrRSVP');
DeleteService('AudioSrvCiSvc');
DeleteService('AppMgmtlanmanworkstation');
DeleteService('AppMgmtaspnet_state');
DeleteService('ALGAppMgmtaspnet_state');
// Winjx74.sys is not quarantined here; a copy was already taken by the earlier
// script in this thread, so this pass only deletes it.
DeleteFile('C:\WINDOWS\System32\Drivers\Winjx74.sys');
// Copies inside a System Restore point; the helper also asks to switch System
// Restore off so these are not brought back.
DeleteFile('C:\System Volume Information\_restore{1747C650-6F94-4508-9612-D97E027055C8}\RP1\A0000170.exe');
DeleteFile('C:\System Volume Information\_restore{1747C650-6F94-4508-9612-D97E027055C8}\RP1\A0000171.exe');
ExecuteSysClean;
// Same service list again, queued for the deferred BC_* cleaner in case the
// direct DeleteService calls above did not take effect.
BC_DeleteSvc('Winjx74');
BC_DeleteSvc('WZCSVCsrserviceTapiSrvRemoteAccessScheduleNetDDEdsdmRpcLocatorwinmgmtWZCSVCMSIServer');
BC_DeleteSvc('WZCSVCsrserviceTapiSrvRemoteAccessScheduleNetDDEdsdm');
BC_DeleteSvc('WZCSVCsrserviceTapiSrvRemoteAccessSchedule');
BC_DeleteSvc('WZCSVCsrserviceTapiSrvRemoteAccess');
BC_DeleteSvc('WZCSVCMSIServer');
BC_DeleteSvc('wscsvcRSVPALGWmiApSrv');
BC_DeleteSvc('wscsvcRSVPALG');
BC_DeleteSvc('WebClientseclogonPolicyAgentNtLmSspCOMSysApp');
BC_DeleteSvc('WebClientC-DillaCdaC11BA');
BC_DeleteSvc('VSSWmdmPmSN');
BC_DeleteSvc('upnphosthelpsvcWebClientRasManDcomLaunch');
BC_DeleteSvc('upnphosthelpsvcWebClientRasMan');
BC_DeleteSvc('TermServicePolicyAgentCiSvc');
BC_DeleteSvc('TermServicePolicyAgent');
BC_DeleteSvc('TapiSrvHTTPFilter');
BC_DeleteSvc('SysmonLogUMWdf');
BC_DeleteSvc('SSDPSRVRSVPALGHTTPFilterC-DillaCdaC11BA');
BC_DeleteSvc('SSDPSRVlanmanworkstationSENS');
BC_DeleteSvc('SSDPSRVlanmanworkstation');
BC_DeleteSvc('SSDPSRVBITSSCardSvr');
BC_DeleteSvc('SSDPSRVBITS');
BC_DeleteSvc('srserviceTapiSrvRemoteAccesssrserviceTapiSrvRemoteAccessBITS');
BC_DeleteSvc('srserviceTapiSrvRemoteAccessseclogonPolicyAgentNtLmSspCOMSysApp');
BC_DeleteSvc('srserviceTapiSrvRemoteAccessBITS');
BC_DeleteSvc('srserviceTapiSrvRemoteAccess');
BC_DeleteSvc('srserviceTapiSrvAVP');
BC_DeleteSvc('srserviceTapiSrv');
BC_DeleteSvc('ShellHWDetectionSharedAccess');
BC_DeleteSvc('sfrem01helpsvcWebClient');
BC_DeleteSvc('seclogonwuauserv');
BC_DeleteSvc('seclogonPolicyAgentW32TimeTapiSrvsfrem01');
BC_DeleteSvc('seclogonPolicyAgentW32TimeTapiSrv');
BC_DeleteSvc('seclogonPolicyAgentW32Time');
BC_DeleteSvc('seclogonPolicyAgentNtLmSspCOMSysAppCOMSysAppwinmgmtTermServicePolicyAgentCiSvcSysmonLog');
BC_DeleteSvc('seclogonPolicyAgentNtLmSspCOMSysApp');
BC_DeleteSvc('seclogonPolicyAgentBrowserERSvc');
BC_DeleteSvc('ScheduleWmdmPmSNCryptSvc');
BC_DeleteSvc('ScheduleWmdmPmSN');
BC_DeleteSvc('ScheduleTrkWks');
BC_DeleteSvc('RSVPALGose');
BC_DeleteSvc('RSVPALGHTTPFilterC-DillaCdaC11BA');
BC_DeleteSvc('RSVPALGHTTPFilter');
BC_DeleteSvc('RSVPALG');
BC_DeleteSvc('RpcSsShellHWDetection');
BC_DeleteSvc('RpcSsNtLmSspCOMSysApp');
BC_DeleteSvc('RpcLocatorwinmgmtWZCSVCMSIServer');
BC_DeleteSvc('RpcLocatorwinmgmt');
BC_DeleteSvc('RpcLocatorMessenger');
BC_DeleteSvc('RpcLocatorHTTPFilter');
BC_DeleteSvc('RemoteAccessShellHWDetection');
BC_DeleteSvc('RemoteAccessRpcSsTermServicePolicyAgent');
BC_DeleteSvc('RemoteAccessRpcSs');
BC_DeleteSvc('RemoteAccessoseupnphosthelpsvcWebClientRasMan');
BC_DeleteSvc('RemoteAccessose');
BC_DeleteSvc('RDSessMgrRSVP');
BC_DeleteSvc('RDSessMgrBrowserERSvcDhcp');
BC_DeleteSvc('PlugPlayMSIServer');
BC_DeleteSvc('NVSvcRpcLocatorHTTPFilter');
BC_DeleteSvc('NtmsSvcxmlprov');
BC_DeleteSvc('NtmsSvcScheduleTrkWks');
BC_DeleteSvc('NtmsSvcHidServ');
BC_DeleteSvc('NtLmSsphelpsvcWebClientRasManRSVP');
BC_DeleteSvc('NtLmSspCOMSysAppNtmsSvcxmlprov');
BC_DeleteSvc('NtLmSspCOMSysApp');
BC_DeleteSvc('NetlogonseclogonPolicyAgentW32TimeC-DillaCdaC11BA');
BC_DeleteSvc('NetlogonseclogonPolicyAgentW32Time');
BC_DeleteSvc('NetlogonRSVPALGHTTPFilter');
BC_DeleteSvc('NetlogonRemoteAccessRpcSs');
BC_DeleteSvc('mnmsrvcTrkWks');
BC_DeleteSvc('HTTPFilterRpcLocatorwinmgmtWZCSVCMSIServer');
BC_DeleteSvc('HTTPFilterNetlogonRSVPALGHTTPFiltermnmsrvcTrkWks');
BC_DeleteSvc('HTTPFilterNetlogonRSVPALGHTTPFilter');
BC_DeleteSvc('helpsvcWebClientRasManRSVP');
BC_DeleteSvc('helpsvcWebClientRasMan');
BC_DeleteSvc('helpsvcWebClient');
BC_DeleteSvc('DnscacheLmHosts');
BC_DeleteSvc('DhcpMSIServer');
BC_DeleteSvc('CryptSvcIDriverT');
BC_DeleteSvc('COMSysAppwinmgmtTermServicePolicyAgentCiSvc');
BC_DeleteSvc('COMSysAppwinmgmtDnscacheLmHosts');
BC_DeleteSvc('COMSysAppwinmgmt');
BC_DeleteSvc('clr_optimization_v2.0.50727_32srserviceTapiSrvAVP');
BC_DeleteSvc('CiSvcTuneUp.Defrag');
BC_DeleteSvc('BrowserERSvcDhcp');
BC_DeleteSvc('BrowserERSvc');
BC_DeleteSvc('BITSVSS');
BC_DeleteSvc('AudioSrvW32Timedmadmin');
BC_DeleteSvc('AudioSrvW32Time');
BC_DeleteSvc('AudioSrvRDSessMgrRSVPRemoteAccessoseupnphosthelpsvcWebClientRasMan');
BC_DeleteSvc('AudioSrvRDSessMgrRSVP');
BC_DeleteSvc('AudioSrvCiSvc');
BC_DeleteSvc('AppMgmtlanmanworkstation');
BC_DeleteSvc('AppMgmtaspnet_state');
BC_DeleteSvc('ALGAppMgmtaspnet_state');
// Activate the queued BC_* tasks and reboot so they run.
BC_Activate;
RebootWindows(true);
end.[/CODE]
Повторите логи...