Троян завелся.
в процессах висит system.exe, при перезагрузке вылезает заново, удалить этот файл из system32 не удается.
Куча dll'ек в system32, начинающиеся на HB*.dll
Победить не удается. Прошу помощи.
Троян завелся.
в процессах висит system.exe, при перезагрузке вылезает заново, удалить этот файл из system32 не удается.
Куча dll'ек в system32, начинающиеся на HB*.dll
Победить не удается. Прошу помощи.
пофиксите
[code]
O20 - AppInit_DLLs: HBmhly.dll,HB1000Y.dll,HBWOOOL.dll,HBXY2.dll,HBJXSJ.dll,HBSO2.dll,HBFS2.dll,HBXY3.dll,HBSHQ.dll,HBFY.dll,HBWULIN2.dll,HBW2I.dll,HBKDXY.dll,HBWORLD2.dll,HBASKTAO.dll,HBZHUXIAN.dll,HBWOW.dll,HBZERO.dll,HBBO.dll,HBCONQUER.dll,HBSOUL.dll,HBCHIBI.dll,HBDNF.dll,HBWARLORDS.dll,HBTL.dll,HBPICKCHINA.dll,HBCT.dll,HBGC.dll,HBHM.dll,HBHX2.dll,HBQQHX.dll,HBTW2.dll,HBQQSG.dll,HBQQFFO.dll,HBZT.dll,HBMIR2.dll,HBRXJH.dll,HBYY.dll,HBMXD.dll,HBSQ.dll,HBTJ.dll,HBFHZL.dll,HBWLQX.dll,HBLYFX.dll,HBR2.dll,HBCHD.dll,HBTZ.dll,HBQQXX.dll,HBWD.dll,HBZG.dll,HBPPBL.dll,HBXMJ.dll,HBJTLQ.dll,HBQJSJ.dll
[/code]
выполните скрипт
[code]
begin
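// AVZ clean-up script. Rootkit search and AVZGuard come first so that the
// self-restoring system.exe and its drivers cannot interfere with the steps below.
SearchRootkit(true, true);
SetAVZGuardStatus(True);
// Persistence: the BHO and the services/drivers that reload the malware.
// HBKernel32 is disabled (start type 4) before its service entry is removed.
DelBHO('{97421D0D-E07F-40DF-8F07-99597B9585AD}');
DeleteService('nvmini');
DeleteService('eth8023');
DeleteService('cdralw');
DeleteService('aecff9');
SetServiceStart('HBKernel32', 4);
DeleteService('HBKernel32');
// Every file is quarantined BEFORE it is deleted, so a sample is kept for
// analysis (the quarantine is requested later in the thread). HBCHIBI.dll,
// HBZHUXIAN.dll, Dc5240.dll and Dc5242.dll are now quarantined too instead of
// being deleted without a copy.
QuarantineFile('C:\RECYCLER\S-1-5-18\Dc5239.dll','');
QuarantineFile('C:\RECYCLER\S-1-5-18\Dc5240.dll','');
QuarantineFile('C:\RECYCLER\S-1-5-18\Dc5242.dll','');
QuarantineFile('C:\ARKA3.tmp','');
QuarantineFile('C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll','');
QuarantineFile('C:\WINDOWS\system32\upnpsrv.dll','');
QuarantineFile('C:\WINDOWS\system32\SYSTEM.EXE','');
QuarantineFile('C:\WINDOWS\sysocmgr.dll','');
QuarantineFile('C:\WINDOWS\system32\drivers\eth8023.sys','');
QuarantineFile('C:\WINDOWS\system32\DRIVERS\nvmini.sys','');
QuarantineFile('C:\WINDOWS\system32\aecff9.sys','');
QuarantineFile('C:\WINDOWS\system32\Drivers\HBKernel32.sys','');
QuarantineFile('C:\WINDOWS\system32\HBZG.dll','');
QuarantineFile('C:\WINDOWS\system32\HBQQFFO.dll','');
QuarantineFile('C:\WINDOWS\system32\HBmhly.dll','');
QuarantineFile('C:\WINDOWS\system32\HBBO.dll','');
QuarantineFile('C:\WINDOWS\system32\HBCHIBI.dll','');
QuarantineFile('C:\WINDOWS\system32\HBZHUXIAN.dll','');
// Deletion; files locked by a running process are removed on reboot via the
// BC_* (boot cleaner) calls at the end.
DeleteFile('C:\WINDOWS\system32\HBBO.dll');
DeleteFile('C:\WINDOWS\system32\HBmhly.dll');
DeleteFile('C:\WINDOWS\system32\HBQQFFO.dll');
DeleteFile('C:\WINDOWS\system32\HBZG.dll');
DeleteFile('C:\WINDOWS\system32\Drivers\HBKernel32.sys');
DeleteFile('C:\WINDOWS\system32\aecff9.sys');
DeleteFile('C:\WINDOWS\system32\DRIVERS\nvmini.sys');
DeleteFile('C:\WINDOWS\system32\drivers\eth8023.sys');
DeleteFile('C:\WINDOWS\sysocmgr.dll');
DeleteFile('C:\WINDOWS\system32\HBCHIBI.dll');
DeleteFile('C:\WINDOWS\system32\HBZHUXIAN.dll');
DeleteFile('C:\WINDOWS\system32\SYSTEM.EXE');
DeleteFile('C:\WINDOWS\system32\upnpsrv.dll');
DeleteFile('C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll');
DeleteFile('C:\ARKA3.tmp');
DeleteFile('C:\RECYCLER\S-1-5-18\Dc5239.dll');
DeleteFile('C:\RECYCLER\S-1-5-18\Dc5240.dll');
DeleteFile('C:\RECYCLER\S-1-5-18\Dc5242.dll');
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);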
end.
[/code]
Пришлите карантин согласно приложению 3 правил.
повторите логи
Карантин выслал.
Логи прикладываю.
[URL="http://mail.ustc.edu.cn/~jfpan/download/IceSword122en.zip"]Скачать[/URL], меню File — появится аналог проводника; найти:
[CODE]C:\WINDOWS\system32\Drivers\HBKernel32.sys[/CODE]
Правая кнопка мыши — Force Delete; на запрос о перезагрузке ответьте положительно.
[URL="http://virusinfo.info/showthread.php?t=4491"]Пофиксить[/URL]
[CODE]O20 - AppInit_DLLs: HBmhly.dll,HB1000Y.dll,HBWOOOL.dll,HBXY2.dll,HBJXSJ.dll,HBSO2.dll,HBFS2.dll,HBXY3.dll,HBSHQ.dll,HBFY.dll,HBWULIN2.dll,HBW2I.dll,HBKDXY.dll,HBWORLD2.dll,HBASKTAO.dll,HBZHUXIAN.dll,HBWOW.dll,HBZERO.dll,HBBO.dll,HBCONQUER.dll,HBSOUL.dll,HBCHIBI.dll,HBDNF.dll,HBWARLORDS.dll,HBTL.dll,HBPICKCHINA.dll,HBCT.dll,HBGC.dll,HBHM.dll,HBHX2.dll,HBQQHX.dll,HBTW2.dll,HBQQSG.dll,HBQQFFO.dll,HBZT.dll,HBMIR2.dll,HBRXJH.dll,HBYY.dll,HBMXD.dll,HBSQ.dll,HBTJ.dll,HBFHZL.dll,HBWLQX.dll,HBLYFX.dll,HBR2.dll,HBCHD.dll,HBTZ.dll,HBQQXX.dll,HBWD.dll,HBZG.dll,HBPPBL.dll,HBXMJ.dll,HBJTLQ.dll,HBQJSJ.dll[/CODE]
[URL="http://virusinfo.info/showthread.php?t=7239"]AVZ, меню "Файл - Выполнить скрипт" -- Скопировать ниже написанный скрипт-- Нажать кнопку "Запустить".[/URL]
[CODE]begin
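// Second AVZ pass: remove HBKernel32 and every DLL named in the AppInit_DLLs value.
ClearQuarantine;
SearchRootkit(true, true);
SetAVZGuardStatus(True);
// Disable the driver service before removing it (same sequence as the first script).
SetServiceStart('HBKernel32', 4);
DeleteService('HBKernel32');
// Full paths are used on purpose: the names in the AppInit_DLLs value are bare
// because Windows loads them from system32, but a bare name passed to DeleteFile
// is not guaranteed to be looked up there and would leave the files in place.
// HBHX2.dll, HBPICKCHINA.dll and HBR2.dll appear in the AppInit_DLLs line but
// were missing from this script; they are added. Each file is quarantined
// before deletion so a sample is kept. The AppInit_DLLs registry value itself
// is cleared separately by the HijackThis fix given above.
QuarantineFile('C:\WINDOWS\system32\Drivers\HBKernel32.sys','');
QuarantineFile('C:\WINDOWS\system32\HB1000Y.dll','');
QuarantineFile('C:\WINDOWS\system32\HBASKTAO.dll','');
QuarantineFile('C:\WINDOWS\system32\HBBO.dll','');
QuarantineFile('C:\WINDOWS\system32\HBCHD.dll','');
QuarantineFile('C:\WINDOWS\system32\HBCHIBI.dll','');
QuarantineFile('C:\WINDOWS\system32\HBCONQUER.dll','');
QuarantineFile('C:\WINDOWS\system32\HBCT.dll','');
QuarantineFile('C:\WINDOWS\system32\HBDNF.dll','');
QuarantineFile('C:\WINDOWS\system32\HBFHZL.dll','');
QuarantineFile('C:\WINDOWS\system32\HBFS2.dll','');
QuarantineFile('C:\WINDOWS\system32\HBFY.dll','');
QuarantineFile('C:\WINDOWS\system32\HBGC.dll','');
QuarantineFile('C:\WINDOWS\system32\HBHM.dll','');
QuarantineFile('C:\WINDOWS\system32\HBHX2.dll','');
QuarantineFile('C:\WINDOWS\system32\HBJTLQ.dll','');
QuarantineFile('C:\WINDOWS\system32\HBJXSJ.dll','');
QuarantineFile('C:\WINDOWS\system32\HBKDXY.dll','');
QuarantineFile('C:\WINDOWS\system32\HBLYFX.dll','');
QuarantineFile('C:\WINDOWS\system32\HBMIR2.dll','');
QuarantineFile('C:\WINDOWS\system32\HBMXD.dll','');
QuarantineFile('C:\WINDOWS\system32\HBPICKCHINA.dll','');
QuarantineFile('C:\WINDOWS\system32\HBPPBL.dll','');
QuarantineFile('C:\WINDOWS\system32\HBQJSJ.dll','');
QuarantineFile('C:\WINDOWS\system32\HBQQFFO.dll','');
QuarantineFile('C:\WINDOWS\system32\HBQQHX.dll','');
QuarantineFile('C:\WINDOWS\system32\HBQQSG.dll','');
QuarantineFile('C:\WINDOWS\system32\HBQQXX.dll','');
QuarantineFile('C:\WINDOWS\system32\HBR2.dll','');
QuarantineFile('C:\WINDOWS\system32\HBRXJH.dll','');
QuarantineFile('C:\WINDOWS\system32\HBSHQ.dll','');
QuarantineFile('C:\WINDOWS\system32\HBSO2.dll','');
QuarantineFile('C:\WINDOWS\system32\HBSOUL.dll','');
QuarantineFile('C:\WINDOWS\system32\HBTJ.dll','');
QuarantineFile('C:\WINDOWS\system32\HBSQ.dll','');
QuarantineFile('C:\WINDOWS\system32\HBTL.dll','');
QuarantineFile('C:\WINDOWS\system32\HBTW2.dll','');
QuarantineFile('C:\WINDOWS\system32\HBTZ.dll','');
QuarantineFile('C:\WINDOWS\system32\HBW2I.dll','');
QuarantineFile('C:\WINDOWS\system32\HBWARLORDS.dll','');
QuarantineFile('C:\WINDOWS\system32\HBWD.dll','');
QuarantineFile('C:\WINDOWS\system32\HBWLQX.dll','');
QuarantineFile('C:\WINDOWS\system32\HBWOOOL.dll','');
QuarantineFile('C:\WINDOWS\system32\HBWORLD2.dll','');
QuarantineFile('C:\WINDOWS\system32\HBWOW.dll','');
QuarantineFile('C:\WINDOWS\system32\HBWULIN2.dll','');
QuarantineFile('C:\WINDOWS\system32\HBXMJ.dll','');
QuarantineFile('C:\WINDOWS\system32\HBXY2.dll','');
QuarantineFile('C:\WINDOWS\system32\HBXY3.dll','');
QuarantineFile('C:\WINDOWS\system32\HBYY.dll','');
QuarantineFile('C:\WINDOWS\system32\HBZERO.dll','');
QuarantineFile('C:\WINDOWS\system32\HBZG.dll','');
QuarantineFile('C:\WINDOWS\system32\HBZHUXIAN.dll','');
QuarantineFile('C:\WINDOWS\system32\HBZT.dll','');
QuarantineFile('C:\WINDOWS\system32\HBmhly.dll','');
QuarantineFile('C:\WINDOWS\system32\SYSTEM.EXE','');
// Deletion; locked files are handled at reboot by the BC_* calls below.
DeleteFile('C:\WINDOWS\system32\Drivers\HBKernel32.sys');
DeleteFile('C:\WINDOWS\system32\HB1000Y.dll');
DeleteFile('C:\WINDOWS\system32\HBASKTAO.dll');
DeleteFile('C:\WINDOWS\system32\HBBO.dll');
DeleteFile('C:\WINDOWS\system32\HBCHD.dll');
DeleteFile('C:\WINDOWS\system32\HBCHIBI.dll');
DeleteFile('C:\WINDOWS\system32\HBCONQUER.dll');
DeleteFile('C:\WINDOWS\system32\HBCT.dll');
DeleteFile('C:\WINDOWS\system32\HBDNF.dll');
DeleteFile('C:\WINDOWS\system32\HBFHZL.dll');
DeleteFile('C:\WINDOWS\system32\HBFS2.dll');
DeleteFile('C:\WINDOWS\system32\HBFY.dll');
DeleteFile('C:\WINDOWS\system32\HBGC.dll');
DeleteFile('C:\WINDOWS\system32\HBHM.dll');
DeleteFile('C:\WINDOWS\system32\HBHX2.dll');
DeleteFile('C:\WINDOWS\system32\HBJTLQ.dll');
DeleteFile('C:\WINDOWS\system32\HBJXSJ.dll');
DeleteFile('C:\WINDOWS\system32\HBKDXY.dll');
DeleteFile('C:\WINDOWS\system32\HBLYFX.dll');
DeleteFile('C:\WINDOWS\system32\HBMIR2.dll');
DeleteFile('C:\WINDOWS\system32\HBMXD.dll');
DeleteFile('C:\WINDOWS\system32\HBPICKCHINA.dll');
DeleteFile('C:\WINDOWS\system32\HBPPBL.dll');
DeleteFile('C:\WINDOWS\system32\HBQJSJ.dll');
DeleteFile('C:\WINDOWS\system32\HBQQFFO.dll');
DeleteFile('C:\WINDOWS\system32\HBQQHX.dll');
DeleteFile('C:\WINDOWS\system32\HBQQSG.dll');
DeleteFile('C:\WINDOWS\system32\HBQQXX.dll');
DeleteFile('C:\WINDOWS\system32\HBR2.dll');
DeleteFile('C:\WINDOWS\system32\HBRXJH.dll');
DeleteFile('C:\WINDOWS\system32\HBSHQ.dll');
DeleteFile('C:\WINDOWS\system32\HBSO2.dll');
DeleteFile('C:\WINDOWS\system32\HBSOUL.dll');
DeleteFile('C:\WINDOWS\system32\HBTJ.dll');
DeleteFile('C:\WINDOWS\system32\HBSQ.dll');
DeleteFile('C:\WINDOWS\system32\HBTL.dll');
DeleteFile('C:\WINDOWS\system32\HBTW2.dll');
DeleteFile('C:\WINDOWS\system32\HBTZ.dll');
DeleteFile('C:\WINDOWS\system32\HBW2I.dll');
DeleteFile('C:\WINDOWS\system32\HBWARLORDS.dll');
DeleteFile('C:\WINDOWS\system32\HBWD.dll');
DeleteFile('C:\WINDOWS\system32\HBWLQX.dll');
DeleteFile('C:\WINDOWS\system32\HBWOOOL.dll');
DeleteFile('C:\WINDOWS\system32\HBWORLD2.dll');
DeleteFile('C:\WINDOWS\system32\HBWOW.dll');
DeleteFile('C:\WINDOWS\system32\HBWULIN2.dll');
DeleteFile('C:\WINDOWS\system32\HBXMJ.dll');
DeleteFile('C:\WINDOWS\system32\HBXY2.dll');
DeleteFile('C:\WINDOWS\system32\HBXY3.dll');
DeleteFile('C:\WINDOWS\system32\HBYY.dll');
DeleteFile('C:\WINDOWS\system32\HBZERO.dll');
DeleteFile('C:\WINDOWS\system32\HBZG.dll');
DeleteFile('C:\WINDOWS\system32\HBZHUXIAN.dll');
DeleteFile('C:\WINDOWS\system32\HBZT.dll');
DeleteFile('C:\WINDOWS\system32\HBmhly.dll');
DeleteFile('C:\WINDOWS\system32\SYSTEM.EXE');
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);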
end.[/CODE]
Повторите логи...