Выполнил правила, прилагаю файлики. Были вирусы и еще было много одинаковых служб создано, первый раз такое видел, поубивал "левые"...
Выполнил правила, прилагаю файлики. Были вирусы и еще было много одинаковых служб создано, первый раз такое видел, поубивал "левые"...
[URL="http://virusinfo.info/showthread.php?t=7239"]AVZ, меню "Файл - Выполнить скрипт" -- Скопировать ниже написанный скрипт-- Нажать кнопку "Запустить".[/URL]
[CODE]begin
// AVZ remediation script posted by the helper for this thread (run via
// AVZ: "File - Run script", see the link above). The statement order is
// deliberate: each suspicious file is copied to quarantine *before* it is
// deleted so a sample survives for analysis (the helper asks for the
// quarantine archive right after this post), service entries are removed
// before their driver files, and the BC_* calls hand the remaining work to
// AVZ's boot cleaner so it runs at the next start, before the malware can
// reload itself.
SearchRootkit(true, true);   // rootkit scan; presumably the second flag enables neutralization — confirm against the AVZ reference
SetAVZGuardStatus(True);     // enable AVZGuard for the duration of the script
QuarantineFile('C:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\setup.exe','');  // sample living under a folder named after a user SID
DelBHO('{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}');   // remove the browser helper object registered under this CLSID
QuarantineFile('C:\WINDOWS\system32\vmmreg32.dll','');  // AppInit_DLLs entry (see the HijackThis O20 line later in the thread)
// Unregister the mass of generated services named Win<two letters><two digits>.
// The same names are deleted again with BC_DeleteSvc in a later post, plus a
// few new ones, which suggests this pass did not remove all of them (or they
// were recreated before the reboot).
DeleteService('Winyf85');
DeleteService('Winyf73');
DeleteService('Winyf63');
DeleteService('Winyf38');
DeleteService('Winyf28');
DeleteService('Winyf06');
DeleteService('Winxf51');
DeleteService('Winxe27');
DeleteService('Winxe17');
DeleteService('Winwd63');
DeleteService('Winwd41');
DeleteService('Winwd40');
DeleteService('Winwd30');
DeleteService('Winwd28');
DeleteService('Winwd06');
DeleteService('Winvd42');
DeleteService('Winvc85');
DeleteService('Winvc74');
DeleteService('Winvc38');
DeleteService('Winub84');
DeleteService('Winub74');
DeleteService('Winub41');
DeleteService('Winub28');
DeleteService('Wintb06');
DeleteService('Winta74');
DeleteService('Winta63');
DeleteService('Winta41');
DeleteService('Winta17');
DeleteService('Winta06');
DeleteService('Winsy85');
DeleteService('Winsy17');
DeleteService('Winry74');
DeleteService('Winrx52');
DeleteService('Winrx38');
DeleteService('Winrx28');
DeleteService('Winrx27');
DeleteService('Winqx74');
DeleteService('Winqx06');
DeleteService('Winqw52');
DeleteService('Winqw41');
DeleteService('Winqw28');
DeleteService('Winqw27');
DeleteService('Winqw17');
DeleteService('Winpw41');
DeleteService('Winpv85');
DeleteService('Winpv41');
DeleteService('Winov17');
DeleteService('Winou63');
DeleteService('Winou62');
DeleteService('Winou41');
DeleteService('Winou28');
DeleteService('Winou27');
DeleteService('Winou17');
DeleteService('Winnu41');
DeleteService('Winnu38');
DeleteService('Winnt85');
DeleteService('Winnt74');
DeleteService('Winnt63');
DeleteService('Winnt05');
DeleteService('Winms85');
DeleteService('Winms74');
DeleteService('Winms52');
DeleteService('Winms42');
DeleteService('Winms41');
DeleteService('Winms17');
DeleteService('Winms16');
DeleteService('Winms06');
DeleteService('Winlr73');
DeleteService('Winlr62');
DeleteService('Winlr51');
DeleteService('Winlr30');
DeleteService('Winlr28');
DeleteService('Winlr27');
DeleteService('Winkq73');
DeleteService('Winkq62');
DeleteService('Winkq51');
DeleteService('Winkq40');
DeleteService('Winkq30');
DeleteService('Winkq28');
DeleteService('Winkq06');
DeleteService('Winjp85');
DeleteService('Winjp62');
DeleteService('Winjp41');
DeleteService('Winio86');
DeleteService('Winio85');
DeleteService('Winio74');
DeleteService('Winio63');
DeleteService('Winio52');
DeleteService('Winio30');
DeleteService('Winio28');
DeleteService('Winio05');
DeleteService('Winhn74');
DeleteService('Winhn51');
DeleteService('Winhn28');
DeleteService('Winhn06');
DeleteService('Wingm73');
DeleteService('Wingm30');
DeleteService('Wingm28');
DeleteService('Wingm27');
DeleteService('Wingm06');
DeleteService('Winfm28');
DeleteService('Winfl85');
DeleteService('Winfl73');
DeleteService('Winfl28');
DeleteService('Winfl27');
DeleteService('Winfl06');
DeleteService('Winek85');
DeleteService('Winek74');
DeleteService('Winek30');
DeleteService('Winek16');
DeleteService('Windk74');
DeleteService('Windj51');
DeleteService('Windj06');
DeleteService('Wincj62');
DeleteService('Winci74');
DeleteService('Winci63');
DeleteService('Winah74');
DeleteService('Winag51');
DeleteService('Winag05');
DeleteService('WDICA');      // does not follow the Win<xx><nn> pattern; taken from the logs as-is
DeleteService('Winci52');
DeleteService('Winci30');
DeleteService('Winci28');
DeleteService('Winci17');
DeleteService('Winci16');
DeleteService('Winbh74');
DeleteService('Winbh41');
DeleteService('Winbh27');
DeleteService('Winag63');
// Driver-backed services: unregister the service first, then quarantine
// the .sys file it pointed to (deleted further down).
DeleteService('vmi386');
DeleteService('VIDEO');
QuarantineFile('C:\WINDOWS\System32\drivers\vmi386.sys','');
QuarantineFile('C:\WINDOWS\SYSTEM32\VIDEO.sys','');
// ati*xx names resemble ATI driver naming. NOTE(review): only ati0yexx.sys
// is quarantined here; ati1dixx/ati1yexx/ati6pvxx.sys are deleted below
// without a quarantine copy, so no sample of those is preserved.
DeleteService('ati8inxx');
DeleteService('ati6pvxx');
DeleteService('ati1yexx');
DeleteService('ati1dixx');
DeleteService('ati0yexx');
QuarantineFile('C:\WINDOWS\System32\Drivers\ati0yexx.sys','');
DeleteService('abp470n5');   // re-deleted via BC_DeleteSvc at boot, below
QuarantineFile('C:\WINDOWS\system32\drivers\gqpkmm.sys','');
DeleteService('WmiWZCSVC');  // name is built from legitimate-looking service names (WMI / WZCSVC)
DeleteService('TlntSvrmnmsrvcAppMgmtDhcpOutpostFirewallEventlog');  // concatenation of several legitimate service names — presumably copied verbatim from the log; verify the key exists before reusing this line elsewhere
// NOTE(review): relative path, no directory — AVZ resolves it against its
// own working directory; a full path from the log would be unambiguous.
QuarantineFile('srv.exe','');
DeleteFile('srv.exe');
// Delete the files quarantined above plus the remaining driver files.
DeleteFile('C:\WINDOWS\system32\drivers\gqpkmm.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\ati0yexx.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\ati1dixx.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\ati1yexx.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\ati6pvxx.sys');
DeleteFile('C:\WINDOWS\SYSTEM32\VIDEO.sys');
DeleteFile('C:\WINDOWS\System32\drivers\vmi386.sys');
DeleteFile('WinCtrl32.dll');  // NOTE(review): relative path again, and no quarantine copy; the HijackThis O20 line later in the thread shows it under C:\WINDOWS\
DeleteFile('C:\WINDOWS\system32\vmmreg32.dll');
DeleteFile('C:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\setup.exe');
DelCLSID('{28ABC5C0-4FCB-11CF-AAX5-81CX1C635612}');  // not a well-formed GUID (contains 'X'); reproduced as found in the log
// Boot cleaner: import the quarantine/delete lists, queue the service
// removal, and arm it so everything still locked now is removed at the
// next boot.
BC_ImportALL;
ExecuteSysClean;
BC_DeleteSvc('abp470n5');
BC_Activate;
// Numbered AVZ system-restore operations. The meaning of each index is
// given in AVZ's "System restore" list and is not restated here.
ExecuteRepair(6);
ExecuteRepair(10);
ExecuteRepair(11);
ExecuteRepair(17);
RebootWindows(true);   // reboot now so the boot-cleaner queue runs
end.[/CODE]
Пришлите карантин по правилам и повторите логи...
Выполнил скрипт, новые логи.
[COLOR=Red]Lavasoft Ad-Aware - деинсталлируйте![/COLOR]
[COLOR=Red]1. Отключите восстановление системы и антивирус.[/COLOR]
2. [URL="http://virusinfo.info/showthread.php?t=7239"]Выполните скрипт в AVZ:[/URL]
[code]begin
// Single AVZ system-restore operation (index 13 of AVZ's "System restore"
// list — see that list for what it resets).
ExecuteRepair(13);
end.[/code]3. [URL="http://virusinfo.info/showthread.php?t=4491"]Пофиксите в HijackThis:[/URL]
[quote]O20 - AppInit_DLLs: vmmreg32.dll
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\[/quote]
4. Выполните скрипт [B]Гриши[/B] из поста #2.
5. Повторите логи.
Сделал, что вы сказали, прилагаю новые логи.
1. Отключите восстановление системы и антивирус.
2. [URL="http://virusinfo.info/showthread.php?t=7239"]Выполните скрипт в AVZ:[/URL]
[code]begin
// Second-pass AVZ script. Unlike the first script this one does not call
// DeleteService directly: every service removal goes through BC_DeleteSvc,
// i.e. is queued for the boot cleaner and executed at the next start, before
// the services can be recreated. The list repeats the names from post #2
// and adds several that were not there (e.g. Winub63, Winub52, Winls51,
// Winjp27, Winhn41, Wingm62, Winek52, Winag52), consistent with new
// services having appeared between the two sets of logs.
SearchRootkit(true, true);
SetAVZGuardStatus(True);
DeleteFile('C:\WINDOWS\System32\Drivers\ati8inxx.sys');  // the one ati*xx driver file the first script did not delete; NOTE(review): no quarantine copy is taken first
BC_ImportDeletedList;   // hand the delete list to the boot cleaner
ExecuteSysClean;
BC_DeleteSvc('Winyf85');
BC_DeleteSvc('Winyf73');
BC_DeleteSvc('Winyf63');
BC_DeleteSvc('Winyf38');
BC_DeleteSvc('Winyf28');
BC_DeleteSvc('Winyf06');
BC_DeleteSvc('Winxf51');
BC_DeleteSvc('Winxe27');
BC_DeleteSvc('Winxe17');
BC_DeleteSvc('Winwd63');
BC_DeleteSvc('Winwd41');
BC_DeleteSvc('Winwd40');
BC_DeleteSvc('Winwd30');
BC_DeleteSvc('Winwd28');
BC_DeleteSvc('Winwd06');
BC_DeleteSvc('Winvd42');
BC_DeleteSvc('Winvc85');
BC_DeleteSvc('Winvc74');
BC_DeleteSvc('Winvc38');
BC_DeleteSvc('Winub84');
BC_DeleteSvc('Winub74');
BC_DeleteSvc('Winub63');
BC_DeleteSvc('Winub52');
BC_DeleteSvc('Winub41');
BC_DeleteSvc('Winub40');
BC_DeleteSvc('Winub28');
BC_DeleteSvc('Wintb06');
BC_DeleteSvc('Winta74');
BC_DeleteSvc('Winta63');
BC_DeleteSvc('Winta41');
BC_DeleteSvc('Winta17');
BC_DeleteSvc('Winta06');
BC_DeleteSvc('Winsy85');
BC_DeleteSvc('Winsy38');
BC_DeleteSvc('Winsy17');
BC_DeleteSvc('Winry74');
BC_DeleteSvc('Winrx52');
BC_DeleteSvc('Winrx51');
BC_DeleteSvc('Winrx38');
BC_DeleteSvc('Winrx28');
BC_DeleteSvc('Winrx27');
BC_DeleteSvc('Winrx16');
BC_DeleteSvc('Winqx74');
BC_DeleteSvc('Winqx06');
BC_DeleteSvc('Winqw52');
BC_DeleteSvc('Winqw41');
BC_DeleteSvc('Winqw28');
BC_DeleteSvc('Winqw27');
BC_DeleteSvc('Winqw17');
BC_DeleteSvc('Winpw41');
BC_DeleteSvc('Winpv85');
BC_DeleteSvc('Winpv41');
BC_DeleteSvc('Winov17');
BC_DeleteSvc('Winou85');
BC_DeleteSvc('Winou63');
BC_DeleteSvc('Winou62');
BC_DeleteSvc('Winou41');
BC_DeleteSvc('Winou38');
BC_DeleteSvc('Winou28');
BC_DeleteSvc('Winou27');
BC_DeleteSvc('Winou17');
BC_DeleteSvc('Winnu41');
BC_DeleteSvc('Winnu38');
BC_DeleteSvc('Winnt85');
BC_DeleteSvc('Winnt74');
BC_DeleteSvc('Winnt63');
BC_DeleteSvc('Winnt05');
BC_DeleteSvc('Winms85');
BC_DeleteSvc('Winms74');
BC_DeleteSvc('Winms52');
BC_DeleteSvc('Winms42');
BC_DeleteSvc('Winms41');
BC_DeleteSvc('Winms17');
BC_DeleteSvc('Winms16');
BC_DeleteSvc('Winms06');
BC_DeleteSvc('Winls51');
BC_DeleteSvc('Winlr73');
BC_DeleteSvc('Winlr62');
BC_DeleteSvc('Winlr51');
BC_DeleteSvc('Winlr30');
BC_DeleteSvc('Winlr28');
BC_DeleteSvc('Winlr27');
BC_DeleteSvc('Winkq73');
BC_DeleteSvc('Winkq62');
BC_DeleteSvc('Winkq51');
BC_DeleteSvc('Winkq40');
BC_DeleteSvc('Winkq30');
BC_DeleteSvc('Winkq28');
BC_DeleteSvc('Winkq06');
BC_DeleteSvc('Winjp85');
BC_DeleteSvc('Winjp62');
BC_DeleteSvc('Winjp41');
BC_DeleteSvc('Winjp27');
BC_DeleteSvc('Winjp06');
BC_DeleteSvc('Winio86');
BC_DeleteSvc('Winio85');
BC_DeleteSvc('Winio74');
BC_DeleteSvc('Winio63');
BC_DeleteSvc('Winio52');
BC_DeleteSvc('Winio30');
BC_DeleteSvc('Winio28');
BC_DeleteSvc('Winio05');
BC_DeleteSvc('Winhn74');
BC_DeleteSvc('Winhn51');
BC_DeleteSvc('Winhn41');
BC_DeleteSvc('Winhn28');
BC_DeleteSvc('Winhn06');
BC_DeleteSvc('Wingm73');
BC_DeleteSvc('Wingm62');
BC_DeleteSvc('Wingm30');
BC_DeleteSvc('Wingm28');
BC_DeleteSvc('Wingm27');
BC_DeleteSvc('Wingm06');
BC_DeleteSvc('Winfm28');
BC_DeleteSvc('Winfl85');
BC_DeleteSvc('Winfl73');
BC_DeleteSvc('Winfl28');
BC_DeleteSvc('Winfl27');
BC_DeleteSvc('Winfl06');
BC_DeleteSvc('Winek85');
BC_DeleteSvc('Winek74');
BC_DeleteSvc('Winek52');
BC_DeleteSvc('Winek30');
BC_DeleteSvc('Winek17');
BC_DeleteSvc('Winek16');
BC_DeleteSvc('Windk74');
BC_DeleteSvc('Windj51');
BC_DeleteSvc('Windj06');
BC_DeleteSvc('Wincj62');
BC_DeleteSvc('Winci74');
BC_DeleteSvc('Winci63');
BC_DeleteSvc('Winci52');
BC_DeleteSvc('Winci30');
BC_DeleteSvc('Winci28');
BC_DeleteSvc('Winci17');
BC_DeleteSvc('Winci16');
BC_DeleteSvc('Winbh74');
BC_DeleteSvc('Winbh41');
BC_DeleteSvc('Winbh27');
BC_DeleteSvc('Winah74');
BC_DeleteSvc('Winag63');
BC_DeleteSvc('Winag52');
BC_DeleteSvc('Winag51');
BC_DeleteSvc('Winag05');
BC_DeleteSvc('ati8inxx');   // service for the ati8inxx.sys driver deleted above
BC_Activate;            // arm the boot cleaner; everything queued above runs at the next start
RebootWindows(true);    // reboot immediately — the helper warns about this right after the script
end.[/code]После выполнения скрипта компьютер перезагрузится!
3. [URL="http://virusinfo.info/showthread.php?t=4491"]Пофиксите в HijackThis:[/URL]
[quote]F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe[/quote]
4. Повторите логи.
Ох уж этот Sality... выполнил рекомендации, новые логи....
Где был Салити? По логам его не видно.
И он тоже был... Возможно, его прибил либо НОД, либо DrWeb с загрузочной болванки, но факт в том, что диспетчер задач разблокировался, будучи заблокированным Салити...
Скажите, сейчас в логах видно какую-нибудь заразу?
Ну скажите, пожалуйста, кто-нибудь: есть ли какая-нибудь зараза в логах?
Чисто, сказали бы, если было что-то :)
Всем огромное спасибо за помощь! :pray: