Тема уже не новая, но я так понял, что решение индивидуально для каждого. Прошу помочь.
Тема уже не новая, но я так понял, что решение индивидуально для каждого. Прошу помочь.
выполните скрипт
[code]
begin
// AVZ remediation script (Pascal-like AVZ scripting language).
// Order matters: rootkit hooks are neutralised and AVZGuard is enabled first,
// then services and BHOs are unregistered, then files are quarantined and
// deleted, and finally pending deletions are handed to the boot-time cleaner.
// Scan for rootkit hooks (the two flags presumably select user-mode and
// kernel-mode checks — confirm against the AVZ reference).
SearchRootkit(true, true);
// Enable AVZGuard so the remediation steps below are protected from interference.
SetAVZGuardStatus(True);
// Unregister five Browser Helper Objects by CLSID.
DelBHO('{D88E1558-7C2D-407A-953A-C044F5607CEA}');
DelBHO('{B200799F-9538-403d-9A6E-36F5942EC540}');
DelBHO('{92860A02-4D69-48c1-82D7-EF6B2C609502}');
DelBHO('{6D7B211A-88EA-490c-BAB9-3600D8D7C503}');
DelBHO('{6C517674-DE1C-4493-977C-34A1BFAB35BA}');
// Remove driver services whose names follow the pattern "Win" + two letters +
// two digits. The matching .sys files under System32\Drivers are deleted below.
DeleteService('Winyx34');
DeleteService('Winys56');
DeleteService('Winys08');
DeleteService('Winyb34');
DeleteService('Winxw12');
DeleteService('Winwv67');
DeleteService('Winwq67');
DeleteService('Winwn80');
DeleteService('Winwf78');
DeleteService('Winvx80');
DeleteService('Winvj12');
DeleteService('Winvb45');
DeleteService('Winuw36');
DeleteService('Wintn12');
DeleteService('Winsp67');
DeleteService('Winqs60');
DeleteService('Winqs56');
DeleteService('Winqp78');
DeleteService('Winqm12');
DeleteService('Winoy03');
DeleteService('Winot80');
DeleteService('Winoi12');
DeleteService('Winoc21');
DeleteService('Winnp78');
DeleteService('Winmu78');
DeleteService('Winmu01');
DeleteService('Winmd67');
DeleteService('Winmd45');
DeleteService('Winly87');
DeleteService('Winlt45');
// NOTE(review): Winlc71 is unregistered here, but no DeleteFile for
// Winlc71.sys appears in this script (it is handled in a later script).
DeleteService('Winlc71');
DeleteService('Winlc01');
DeleteService('Winja45');
DeleteService('Winic23');
DeleteService('Winhx67');
DeleteService('Winhp67');
DeleteService('Wingl23');
DeleteService('Wingi12');
DeleteService('Wineu60');
DeleteService('Winer67');
DeleteService('Winer23');
DeleteService('Winej67');
DeleteService('Wineg38');
DeleteService('Wined78');
DeleteService('Windy43');
DeleteService('Windh03');
DeleteService('Wincv01');
DeleteService('Wincp56');
DeleteService('Winch67');
DeleteService('Winbr27');
DeleteService('Winay47');
DeleteService('Winay25');
DeleteService('Winat56');
DeleteService('Winat12');
// Quarantine a copy of the driver before its service is removed and the file
// deleted, so a sample is preserved for analysis (second argument: no flags).
QuarantineFile('E:\WINDOWS\System32\Drivers\Winac23.sys','');
DeleteService('Winac23');
// A driver service loaded from the user's Temp directory; its name resembles a
// legitimate anti-rootkit driver — presumably a masquerade, confirm from the
// quarantine analysis.
DeleteService('aswArKrn');
QuarantineFile('E:\DOCUME~1\NrJa\LOCALS~1\Temp\aswArKrn.sys','');
// Remove services whose names are concatenations of legitimate Windows service
// names (e.g. "wscsvc" + "CryptSvc") — presumably created to blend in with the
// real ones. Each is removed by its exact registered name.
DeleteService('wscsvcCryptSvc');
DeleteService('WMPNetworkSvcdmserver');
DeleteService('WmdmPmSNDhcp');
DeleteService('WebClientServiceLayer');
DeleteService('W32Timeclr_optimization_v2.0.50727_32');
DeleteService('upnphostSSDPSRVRasMan');
DeleteService('upnphostSSDPSRV');
DeleteService('ThemesupnphostSSDPSRVRasManShellHWDetection');
DeleteService('ThemesupnphostSSDPSRVRasMan');
DeleteService('TapiSrvWmdmPmSNDhcp');
DeleteService('TermServiceEventSystem');
DeleteService('SwPrvClipSrv');
DeleteService('srserviceSysmonLog');
DeleteService('RpcSsW32Timeclr_optimization_v2.0.50727_32WmdmPmSNDhcp');
DeleteService('RpcSsW32Timeclr_optimization_v2.0.50727_32');
DeleteService('RDSessMgrRDSessMgr');
DeleteService('ProtectedStorageNMIndexingServiceSwPrv');
DeleteService('ProtectedStorageNMIndexingService');
DeleteService('NtmsSvcAudioSrv');
DeleteService('NetDDEWmiTlntSvr');
DeleteService('NetDDEWmi');
DeleteService('NetDDEWmdmPmSNPolicyAgent');
DeleteService('NetDDEWmdmPmSN');
DeleteService('NetDDEdsdmSQLAgent$SONY_MEDIAMGR');
DeleteService('MSSQLServerADHelperMSDTC');
DeleteService('mnmsrvcNetDDEdsdmPlugPlay');
DeleteService('mnmsrvcNetDDEdsdm');
DeleteService('COMSysAppNtLmSsp');
DeleteService('COMSysAppFastUserSwitchingCompatibility');
DeleteService('clr_optimization_v2.0.50727_32WmdmPmSNDhcp');
DeleteService('ClipSrvclr_optimization_v2.0.50727_32');
DeleteService('CiSvcTapiSrv');
DeleteService('ATKKeyboardServiceNetDDE');
DeleteService('ATKKeyboardServicelanmanworkstation');
DeleteService('AlerterWMPNetworkSvc');
// NOTE(review): 'srv.exe' is given without a directory; which file is picked
// depends on how AVZ resolves a bare name — confirm the intended location.
QuarantineFile('srv.exe','');
QuarantineFile('E:\WINDOWS\System32\atkosdmini.dll','');
// RegCs.exe / DegCs.exe were later reported as malicious in the quarantine
// analysis posted in this thread. The same file is quarantined twice with
// different letter case; the paths resolve to the same object on Windows.
QuarantineFile('E:\WINDOWS\system32\drivers\RegCs.exe','');
QuarantineFile('E:\WINDOWS\system32\drivers\DegCs.exe','');
QuarantineFile('e:\windows\system32\drivers\degcs.exe','');
// Delete the items quarantined above.
DeleteFile('e:\windows\system32\drivers\degcs.exe');
DeleteFile('E:\WINDOWS\system32\drivers\DegCs.exe');
DeleteFile('E:\WINDOWS\system32\drivers\RegCs.exe');
DeleteFile('srv.exe');
DeleteFile('E:\DOCUME~1\NrJa\LOCALS~1\Temp\aswArKrn.sys');
DeleteFile('E:\WINDOWS\System32\Drivers\Winac23.sys');
// Delete the driver binaries belonging to the Win??NN services removed above.
DeleteFile('E:\WINDOWS\System32\Drivers\Winat12.sys');
DeleteFile('E:\WINDOWS\System32\Drivers\Winat56.sys');
DeleteFile('E:\WINDOWS\System32\Drivers\Winay25.sys');
DeleteFile('E:\WINDOWS\System32\Drivers\Winay47.sys');
DeleteFile('E:\WINDOWS\System32\Drivers\Winbr27.sys');
DeleteFile('E:\WINDOWS\System32\Drivers\Winch67.sys');
DeleteFile('E:\WINDOWS\System32\Drivers\Wincp56.sys');
DeleteFile('E:\WINDOWS\System32\Drivers\Wincv01.sys');
DeleteFile('E:\WINDOWS\System32\Drivers\Windh03.sys');
DeleteFile('E:\WINDOWS\System32\Drivers\Windy43.sys');
DeleteFile('E:\WINDOWS\System32\Drivers\Wined78.sys');
DeleteFile('E:\WINDOWS\System32\Drivers\Wineg38.sys');
DeleteFile('E:\WINDOWS\System32\Drivers\Winej67.sys');
DeleteFile('E:\WINDOWS\System32\Drivers\Winer23.sys');
DeleteFile('E:\WINDOWS\System32\Drivers\Winer67.sys');
DeleteFile('E:\WINDOWS\System32\Drivers\Wineu60.sys');
DeleteFile('E:\WINDOWS\System32\Drivers\Wingi12.sys');
DeleteFile('E:\WINDOWS\System32\Drivers\Wingl23.sys');
DeleteFile('E:\WINDOWS\System32\Drivers\Winhp67.sys');
DeleteFile('E:\WINDOWS\System32\Drivers\Winhx67.sys');
DeleteFile('E:\WINDOWS\System32\Drivers\Winic23.sys');
DeleteFile('E:\WINDOWS\System32\Drivers\Winja45.sys');
DeleteFile('E:\WINDOWS\System32\Drivers\Winlc01.sys');
// NOTE(review): no DeleteService('Winln08') appears above for this file.
DeleteFile('E:\WINDOWS\System32\Drivers\Winln08.sys');
DeleteFile('E:\WINDOWS\System32\Drivers\Winlt45.sys');
DeleteFile('E:\WINDOWS\System32\Drivers\Winly87.sys');
DeleteFile('E:\WINDOWS\System32\Drivers\Winmd45.sys');
DeleteFile('E:\WINDOWS\System32\Drivers\Winmd67.sys');
DeleteFile('E:\WINDOWS\System32\Drivers\Winmu01.sys');
DeleteFile('E:\WINDOWS\System32\Drivers\Winmu78.sys');
DeleteFile('E:\WINDOWS\System32\Drivers\Winnp78.sys');
DeleteFile('E:\WINDOWS\System32\Drivers\Winoc21.sys');
DeleteFile('E:\WINDOWS\System32\Drivers\Winoi12.sys');
DeleteFile('E:\WINDOWS\System32\Drivers\Winot80.sys');
DeleteFile('E:\WINDOWS\System32\Drivers\Winoy03.sys');
DeleteFile('E:\WINDOWS\System32\Drivers\Winqm12.sys');
DeleteFile('E:\WINDOWS\System32\Drivers\Winqp78.sys');
DeleteFile('E:\WINDOWS\System32\Drivers\Winqs56.sys');
DeleteFile('E:\WINDOWS\System32\Drivers\Winqs60.sys');
DeleteFile('E:\WINDOWS\System32\Drivers\Winsp67.sys');
DeleteFile('E:\WINDOWS\System32\Drivers\Wintn12.sys');
DeleteFile('E:\WINDOWS\System32\Drivers\Winuw36.sys');
// NOTE(review): no DeleteService('Winuw78') appears above for this file.
DeleteFile('E:\WINDOWS\System32\Drivers\Winuw78.sys');
DeleteFile('E:\WINDOWS\System32\Drivers\Winvb45.sys');
DeleteFile('E:\WINDOWS\System32\Drivers\Winvj12.sys');
DeleteFile('E:\WINDOWS\System32\Drivers\Winvx80.sys');
DeleteFile('E:\WINDOWS\System32\Drivers\Winwf78.sys');
DeleteFile('E:\WINDOWS\System32\Drivers\Winwn80.sys');
DeleteFile('E:\WINDOWS\System32\Drivers\Winwq67.sys');
DeleteFile('E:\WINDOWS\System32\Drivers\Winwv67.sys');
DeleteFile('E:\WINDOWS\System32\Drivers\Winxw12.sys');
DeleteFile('E:\WINDOWS\System32\Drivers\Winyb34.sys');
DeleteFile('E:\WINDOWS\System32\Drivers\Winys08.sys');
DeleteFile('E:\WINDOWS\System32\Drivers\Winys56.sys');
DeleteFile('E:\WINDOWS\System32\Drivers\Winyx34.sys');
// NOTE(review): bare file names (no directory) — these are deleted without a
// preceding QuarantineFile, so no sample is kept; confirm the intended paths.
DeleteFile('WinCtrl32.dll');
DeleteFile('msansspc.dll');
DeleteFile('sysfldr.dll');
// Built-in AVZ system-restore actions selected by number; see the AVZ
// "System restore" list for what codes 11, 17 and 16 revert.
ExecuteRepair(11);
ExecuteRepair(17);
ExecuteRepair(16);
// Hand the deletion list to the boot-time cleaner so files that are locked
// while Windows is running are removed at the next start, then reboot.
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.
[/code]
пришлите карантин согласно приложению 3 правил
повторите логи
Спасибо, проблема исчезла, отослал карантин, вот логи:
Прошу посмотреть логи, т.к. после отправления вам автоматического сбора файлов, получил ответ:
[B][COLOR=#ff0000]Внимание, в архиве обнаружены опасные или вредоносные объекты:
[/COLOR][/B]E:\WINDOWS\system32\drivers\RegCs.exe: Trojan.Win32.Agent.ckeq
E:\WINDOWS\system32\drivers\DegCs.exe: Backdoor.Win32.SdBot.mpv
выполните скрипт
[code]
begin
// Follow-up AVZ remediation script: handles items that remained after the
// first script (a leftover driver file, the Temp-directory driver and a new
// executable under the user's Application Data).
// Scan for rootkit hooks first, then enable AVZGuard for the rest of the run.
SearchRootkit(true, true);
SetAVZGuardStatus(True);
// Keep a sample before deleting: quarantine the executable found in the
// user's Application Data, and the Temp-directory driver below.
QuarantineFile('E:\Documents and Settings\NrJa\Application Data\Facegame\Facegame.exe','');
// Winlc71's service was already removed in the earlier script but its .sys
// file was not; both are handled here.
DeleteService('Winlc71');
DeleteService('aswArKrn');
QuarantineFile('E:\DOCUME~1\NrJa\LOCALS~1\Temp\aswArKrn.sys','');
// Delete the quarantined items and the leftover driver binary.
DeleteFile('E:\DOCUME~1\NrJa\LOCALS~1\Temp\aswArKrn.sys');
DeleteFile('E:\WINDOWS\System32\Drivers\Winlc71.sys');
DeleteFile('E:\Documents and Settings\NrJa\Application Data\Facegame\Facegame.exe');
// Hand the deletion list to the boot-time cleaner so locked files are removed
// at the next start, then reboot.
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.
[/code]
пришлите карантин согласно приложению 3 правил
повторите логи
Скрипт выполнил, в карантине ничего нет, сделал логи:
Статистика проведенного лечения:
[LIST][*]Получено карантинов: [B]1[/B][*]Обработано файлов: [B]3[/B][*]В ходе лечения обнаружены вредоносные программы:
[LIST=1][*] e:\windows\system32\drivers\degcs.exe - [B]Backdoor.Win32.SdBot.mpv[/B] ( DrWEB: BackDoor.IRC.Sdbot.4876, BitDefender: Gen:Trojan.Packed.Heur.F3A393ADAD )[*] e:\windows\system32\drivers\regcs.exe - [B]Trojan.Win32.Agent.ckeq[/B] ( DrWEB: BackDoor.IRC.Sdbot.4874, BitDefender: Trojan.Loader.BR )[/LIST][/LIST]