Несколько процессов Userini.exe

Printable View

03.06.2010, 17:07
Elmer

Несколько процессов Userini.exe

В процессах появляются несколько userini.exe, которые загружают цп.
Помогите, пожалуйста.:sos:
03.06.2010, 18:02
polword

- [URL="http://virusinfo.info/showthread.php?t=7239"]Выполните скрипт в AVZ[/URL]
[CODE]
begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
RegKeyStrParamWrite('HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon','UserInit', GetEnvironmentVariable ('WinDir')+'\System32\userinit.exe,');
QuarantineFile('F:\nastavi\palili.exe','');
QuarantineFile('F:\autorun.inf','');
QuarantineFile('C:\Temp\982.exe','');
QuarantineFile('C:\Temp\979.exe','');
QuarantineFile('C:\Temp\977.exe','');
QuarantineFile('C:\Temp\974.exe','');
QuarantineFile('C:\Temp\919.exe','');
QuarantineFile('C:\Temp\884.exe','');
QuarantineFile('C:\Temp\729.exe','');
QuarantineFile('C:\Temp\728.exe','');
QuarantineFile('C:\Temp\635.exe','');
QuarantineFile('C:\Temp\601.exe','');
QuarantineFile('C:\Temp\507.exe','');
QuarantineFile('C:\Temp\487.exe','');
QuarantineFile('C:\Temp\440.exe','');
QuarantineFile('C:\Temp\438.exe','');
QuarantineFile('C:\Temp\433.exe','');
QuarantineFile('C:\Temp\398.exe','');
QuarantineFile('C:\Temp\247.exe','');
QuarantineFile('C:\Temp\114.exe','');
QuarantineFile('C:\Temp\081.exe','');
QuarantineFile('C:\Temp\069.exe','');
QuarantineFile('C:\Documents and Settings\Admin_01\Local Settings\Temporary Internet Files\Content.IE5\UY234NLJ\fdewwdqkj[1].exe','');
QuarantineFile('C:\Documents and Settings\Admin_01\Local Settings\Temporary Internet Files\Content.IE5\UY234NLJ\cvdsvcds[1].exe','');
QuarantineFile('C:\Documents and Settings\Admin_01\Local Settings\Temporary Internet Files\Content.IE5\UY234NLJ\bhggrwefew[1].exe','');
QuarantineFile('C:\Documents and Settings\Admin_01\Local Settings\Temporary Internet Files\Content.IE5\NDQEI7BO\ewdemki[1].exe','');
QuarantineFile('C:\Documents and Settings\Admin_01\Local Settings\Temporary Internet Files\Content.IE5\NDQEI7BO\dwwdknm[1].exe','');
QuarantineFile('C:\Documents and Settings\Admin_01\Local Settings\Temporary Internet Files\Content.IE5\NDQEI7BO\dsgvds[1].exe','');
QuarantineFile('C:\Documents and Settings\Admin_01\Local Settings\Temporary Internet Files\Content.IE5\NDQEI7BO\dfwklmkm[1].exe','');
QuarantineFile('C:\Documents and Settings\Admin_01\Local Settings\Temporary Internet Files\Content.IE5\ECV2OPKU\dcwmi[1].exe','');
QuarantineFile('C:\Documents and Settings\Admin_01\Local Settings\Temporary Internet Files\Content.IE5\ECV2OPKU\cwmkom[1].exe','');
QuarantineFile('C:\Documents and Settings\Admin_01\Local Settings\Temporary Internet Files\Content.IE5\ECV2OPKU\cvdsds[1].exe','');
QuarantineFile('C:\Documents and Settings\Admin_01\Local Settings\Temporary Internet Files\Content.IE5\ECV2OPKU\cfewk[1].exe','');
QuarantineFile('C:\Documents and Settings\Admin_01\Local Settings\Temporary Internet Files\Content.IE5\C7OGTXOL\fekmnjk[1].exe','');
QuarantineFile('c:\windows\explorer.exe:userini.exe:$DATA','');
QuarantineFile('C:\WINDOWS\system32\y3kk3ww3ii3.exe','');
QuarantineFile('C:\WINDOWS\system32\wwriiduupg.exe','');
QuarantineFile('C:\WINDOWS\system32\w3yytkkfwwr.exe','');
QuarantineFile('C:\WINDOWS\system32\uu3gg3ss70z.exe','');
QuarantineFile('C:\WINDOWS\system32\userini.exe','');
QuarantineFile('C:\WINDOWS\system32\tz0vvrhhd.exe','');
QuarantineFile('C:\WINDOWS\system32\q6cc6oo6.exe','');
QuarantineFile('C:\WINDOWS\system32\o1aa6mm6.exe','');
QuarantineFile('C:\WINDOWS\system32\miiduupggb.exe','');
QuarantineFile('C:\WINDOWS\system32\l0rnii6uu.exe','');
QuarantineFile('C:\WINDOWS\system32\hxtopu86g.exe','');
QuarantineFile('C:\WINDOWS\system32\bg86s81epql.exe','');
QuarantineFile('C:\WINDOWS\system32\a0q3cc3oo3.exe','');
QuarantineFile('C:\WINDOWS\system32\97081gr.exe','');
QuarantineFile('C:\WINDOWS\system32\9m1ieez.exe','');
QuarantineFile('C:\Documents and Settings\Admin_01\madb.exe','');
QuarantineFile('C:\Documents and Settings\Admin_01\ctfmon.exe','');
DeleteFile('C:\Documents and Settings\Admin_01\ctfmon.exe');
DeleteFile('C:\Documents and Settings\Admin_01\madb.exe');
RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\Run','bchdyy');
RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\Run','bwwsii');
RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\Run','iejzf');
DeleteFile('C:\WINDOWS\system32\9m1ieez.exe');
DeleteFile('C:\WINDOWS\system32\97081gr.exe');
DeleteFile('C:\WINDOWS\system32\a0q3cc3oo3.exe');
DeleteFile('C:\WINDOWS\system32\bg86s81epql.exe');
RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\Run','cydozav');
DeleteFile('C:\WINDOWS\system32\cii3uu360m3.exe');
RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\Run','ekkbg0c');
DeleteFile('C:\WINDOWS\system32\dyy6kk6ww.exe');
DeleteFile('C:\WINDOWS\system32\hxtopu86g.exe');
DeleteFile('C:\WINDOWS\system32\l0rnii6uu.exe');
DeleteFile('C:\WINDOWS\system32\miiduupggb.exe');
DeleteFile('C:\WINDOWS\system32\nii6uu6gg6s.exe');
DeleteFile('C:\WINDOWS\system32\o1aa6mm6.exe');
RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\Run','zafbww6');
RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\Run','pkk6w');
RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\Run','stokkf');
RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\Run','qrmnie');
RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\Run','xyo1e');
RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\Run','ejfaa6');
DeleteFile('C:\WINDOWS\system32\q6cc6oo6.exe');
DeleteFile('C:\WINDOWS\system32\tz0vvrhhd.exe');
DeleteFile('C:\WINDOWS\system32\userini.exe');
RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run','userini');
RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\Run','userini');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','userini');
RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\Run','pqvrm');
RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\Run','qmmhy');
DeleteFile('C:\WINDOWS\system32\uu3gg3ss70z.exe');
DeleteFile('C:\WINDOWS\system32\w3yytkkfwwr.exe');
DeleteFile('C:\WINDOWS\system32\wwriiduupg.exe');
DeleteFile('C:\WINDOWS\system32\y3kk3ww3ii3.exe');
RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\Run','armm3');
RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\Run','rmniee');
RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\Run','opkgg');
RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\Run','qwwnii');
DeleteFile('c:\windows\explorer.exe:userini.exe:$DATA');
DeleteFile('C:\Documents and Settings\Admin_01\Local Settings\Temporary Internet Files\Content.IE5\C7OGTXOL\dewds1[1].exe');
DeleteFile('C:\Documents and Settings\Admin_01\Local Settings\Temporary Internet Files\Content.IE5\C7OGTXOL\fdefelkm[1].exe');
DeleteFile('C:\Documents and Settings\Admin_01\Local Settings\Temporary Internet Files\Content.IE5\C7OGTXOL\fekmnjk[1].exe');
DeleteFile('C:\Documents and Settings\Admin_01\Local Settings\Temporary Internet Files\Content.IE5\ECV2OPKU\cfewk[1].exe');
DeleteFile('C:\Documents and Settings\Admin_01\Local Settings\Temporary Internet Files\Content.IE5\ECV2OPKU\cvdsds[1].exe');
DeleteFile('C:\Documents and Settings\Admin_01\Local Settings\Temporary Internet Files\Content.IE5\ECV2OPKU\cwmkom[1].exe');
DeleteFile('C:\Documents and Settings\Admin_01\Local Settings\Temporary Internet Files\Content.IE5\ECV2OPKU\dcwmi[1].exe');
DeleteFile('C:\Documents and Settings\Admin_01\Local Settings\Temporary Internet Files\Content.IE5\NDQEI7BO\dfwklmkm[1].exe');
DeleteFile('C:\Documents and Settings\Admin_01\Local Settings\Temporary Internet Files\Content.IE5\NDQEI7BO\dsgvds[1].exe');
DeleteFile('C:\Documents and Settings\Admin_01\Local Settings\Temporary Internet Files\Content.IE5\NDQEI7BO\dwwdknm[1].exe');
DeleteFile('C:\Documents and Settings\Admin_01\Local Settings\Temporary Internet Files\Content.IE5\NDQEI7BO\ewdemki[1].exe');
DeleteFile('C:\Documents and Settings\Admin_01\Local Settings\Temporary Internet Files\Content.IE5\UY234NLJ\bhggrwefew[1].exe');
DeleteFile('C:\Documents and Settings\Admin_01\Local Settings\Temporary Internet Files\Content.IE5\UY234NLJ\cvdsvcds[1].exe');
DeleteFile('C:\Documents and Settings\Admin_01\Local Settings\Temporary Internet Files\Content.IE5\UY234NLJ\dfwemkmn1[1].exe');
DeleteFile('C:\Documents and Settings\Admin_01\Local Settings\Temporary Internet Files\Content.IE5\UY234NLJ\fdewwdqkj[1].exe');
DeleteFile('C:\Temp\069.exe');
DeleteFile('C:\Temp\081.exe');
DeleteFile('C:\Temp\107.exe');
DeleteFile('C:\Temp\114.exe');
DeleteFile('C:\Temp\247.exe');
DeleteFile('C:\Temp\398.exe');
DeleteFile('C:\Temp\433.exe');
DeleteFile('C:\Temp\438.exe');
DeleteFile('C:\Temp\440.exe');
DeleteFile('C:\Temp\487.exe');
DeleteFile('C:\Temp\507.exe');
DeleteFile('C:\Temp\601.exe');
DeleteFile('C:\Temp\635.exe');
DeleteFile('C:\Temp\728.exe');
DeleteFile('C:\Temp\729.exe');
DeleteFile('C:\Temp\734.exe');
DeleteFile('C:\Temp\884.exe');
DeleteFile('C:\Temp\919.exe');
DeleteFile('C:\Temp\974.exe');
DeleteFile('C:\Temp\977.exe');
DeleteFile('C:\Temp\979.exe');
DeleteFile('C:\Temp\982.exe');
DeleteFile('C:\WINDOWS\explorer.exe:userini.exe:$DATA');
DeleteFile('F:\autorun.inf');
DeleteFileMask('C:\Documents and Settings\Admin_01\Local Settings\Temporary Internet Files\Content.IE5', '*.*', true);
QuarantineFile('C:\WINDOWS\explorer.exe:userini.exe','');
DeleteFile('C:\WINDOWS\explorer.exe:userini.exe');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows NT\CurrentVersion\Winlogon','taskman');
BC_ImportAll;
ExecuteSysClean;
ExecuteRepair(11);
ExecuteRepair(17);
ExecuteWizard('TSW', 2, 2, true);
ExecuteWizard('SCU', 2, 2, true);
RegKeyIntParamWrite('HKLM','SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer','NoDriveTypeAutoRun', 221);
BC_Activate;
RebootWindows(true);
end.[/CODE]

После перезагрузки:
- выполните такой скрипт
[CODE]begin
CreateQurantineArchive(GetAVZDirectory+'quarantine.zip');
end.[/CODE]
- Файл [B][COLOR="Red"]quarantine.zip[/COLOR][/B] из папки AVZ загрузите по ссылке [B][COLOR="Red"]Прислать запрошенный карантин[/COLOR][/B] вверху темы
- Сделайте повторные логи по [URL="http://virusinfo.info/pravila_old.html"]правилам[/URL] п.2 и 3 раздела Диагностика.(virusinfo_syscheck.zip; hijackthis.log)
- Сделайте лог [URL="http://virusinfo.info/showthread.php?t=53070"]MBAM[/URL]
03.06.2010, 20:11
Elmer

Карантин прислал.Процессы userini.exe исчезли. Заметил в процессах несколько svchost, скриншот прикрепил. Так и должно быть??? Подскажите,пожалуйста.
03.06.2010, 20:40
polword

1.удалите в MBAM
[CODE]
Зараженные ключи в реестре:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lsirimuk (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Fci (Rootkit.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.exe (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\trojandetector.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\usbcleaner.exe (Security.Hijack) -> No action taken.

Зараженные параметры в реестре:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\userini (Trojan.Agent) -> No action taken.

Зараженные файлы:
D:\avz4\Infected\2010-06-02\avz00001.dta (Trojan.Ddox) -> No action taken.
D:\avz4\Infected\2010-06-02\avz00002.dta (Trojan.Ddox) -> No action taken.
D:\avz4\Infected\2010-06-02\avz00004.dta (Trojan.Ddox) -> No action taken.
D:\avz4\Infected\2010-06-02\avz00005.dta (Trojan.Ddox) -> No action taken.
D:\avz4\Infected\2010-06-02\avz00010.dta (Malware.Packer.Gen) -> No action taken.
D:\avz4\Infected\2010-06-02\avz00014.dta (Trojan.Ddox) -> No action taken.
D:\avz4\Infected\2010-06-02\avz00015.dta (Trojan.Ddox) -> No action taken.
D:\avz4\Infected\2010-06-02\avz00016.dta (Trojan.Ddox) -> No action taken.
D:\avz4\Infected\2010-06-02\avz00017.dta (Trojan.Ddox) -> No action taken.
D:\avz4\Infected\2010-06-02\avz00020.dta (Trojan.Ddox) -> No action taken.
D:\avz4\Infected\2010-06-02\avz00022.dta (Trojan.Ddox) -> No action taken.
D:\avz4\Infected\2010-06-02\avz00024.dta (Trojan.Ddox) -> No action taken.
D:\avz4\Infected\2010-06-02\avz00025.dta (Trojan.Ddox) -> No action taken.
D:\avz4\Infected\2010-06-02\avz00026.dta (Trojan.Ddox) -> No action taken.
D:\avz4\Infected\2010-06-02\avz00029.dta (Trojan.Ddox) -> No action taken.
D:\avz4\Quarantine\2010-06-02\avz00001.dta (Trojan.Dropper) -> No action taken.
D:\avz4\Quarantine\2010-06-02\avz00007.dta (Trojan.Ddox) -> No action taken.
D:\avz4\Quarantine\2010-06-02\avz00012.dta (Trojan.Ddox) -> No action taken.
D:\avz4\Quarantine\2010-06-02\avz00022.dta (Trojan.Ddox) -> No action taken.
D:\avz4\Quarantine\2010-06-02\avz00035.dta (Trojan.Ddox) -> No action taken.
D:\avz4\Quarantine\2010-06-02\avz00044.dta (Trojan.Dropper) -> No action taken.
D:\avz4\Quarantine\2010-06-03\avz00005.dta (Trojan.Ddox) -> No action taken.
D:\avz4\Quarantine\2010-06-03\avz00017.dta (Trojan.Ddox) -> No action taken.
D:\avz4\Quarantine\2010-06-03\avz00025.dta (Trojan.Ddox) -> No action taken.
D:\avz4\Quarantine\2010-06-03\avz00030.dta (Trojan.Ddox) -> No action taken.
D:\avz4\Quarantine\2010-06-03\avz00034.dta (Trojan.Dropper) -> No action taken.
D:\avz4\Quarantine\2010-06-03\avz00036.dta (Trojan.Dropper) -> No action taken.
C:\WINDOWS\system32\Drivers\ndisvvan.sys (Rootkit.Agent) -> No action taken.
C:\Documents and Settings\Admin_01\Application Data\wiaservg.log (Malware.Trace) -> No action taken.
C:\WINDOWS\system32\secupdat.dat (Backdoor.Bot) -> No action taken.
C:\Documents and Settings\Admin_01\secupdat.dat (Worm.Autorun) -> No action taken.
C:\Documents and Settings\All Users\secupdat.dat (Worm.Autorun) -> No action taken.
C:\Documents and Settings\Default User\secupdat.dat (Worm.Autorun) -> No action taken.
C:\Documents and Settings\LocalService\secupdat.dat (Worm.Autorun) -> No action taken.
C:\Documents and Settings\NetworkService\secupdat.dat (Worm.Autorun) -> No action taken.
C:\Documents and Settings\Администратор\secupdat.dat (Worm.Autorun) -> No action taken.
C:\Documents and Settings\Администратор.ADMIN\secupdat.dat (Worm.Autorun) -> No action taken.
C:\WINDOWS\system32\config\systemprofile\secupdat.dat (Worm.Autorun) -> No action taken.
[/CODE]

2.[URL="http://virusinfo.info/showthread.php?t=7239"]Выполните скрипт в AVZ[/URL]
[CODE]
begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
DeleteFileMask(GetAVZDirectory + 'Quarantine', '*.*', true);
QuarantineFile('C:\WINDOWS\system32\Drivers\lsirimuk.sys','');
QuarantineFile('C:\WINDOWS\Prefetch\EXPLORER.EXE ','');
DeleteFile('C:\WINDOWS\system32\Drivers\lsirimuk.sys');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.[/CODE]

После перезагрузки:
- выполните такой скрипт
[CODE]begin
CreateQurantineArchive(GetAVZDirectory+'quarantine.zip');
end.[/CODE]
- Файл [B][COLOR="Red"]quarantine.zip[/COLOR][/B] из папки AVZ загрузите по ссылке [B][COLOR="Red"]Прислать запрошенный карантин[/COLOR][/B] вверху темы
- Сделайте повторные логи virusinfo_syscheck.zip; MBAM

[size="1"][color="#666686"][B][I]Добавлено через 1 минуту[/I][/B][/color][/size]

[QUOTE=Elmer;648881]Заметил в процессах несколько svchost[/QUOTE] - это нормально
03.06.2010, 21:34
Elmer

[QUOTE=polword;648904]1.удалите в MBAM
[CODE]
Зараженные ключи в реестре:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lsirimuk (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Fci (Rootkit.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.exe (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\trojandetector.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\usbcleaner.exe (Security.Hijack) -> No action taken.

Зараженные параметры в реестре:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\userini (Trojan.Agent) -> No action taken.

Зараженные файлы:
D:\avz4\Infected\2010-06-02\avz00001.dta (Trojan.Ddox) -> No action taken.
D:\avz4\Infected\2010-06-02\avz00002.dta (Trojan.Ddox) -> No action taken.
D:\avz4\Infected\2010-06-02\avz00004.dta (Trojan.Ddox) -> No action taken.
D:\avz4\Infected\2010-06-02\avz00005.dta (Trojan.Ddox) -> No action taken.
D:\avz4\Infected\2010-06-02\avz00010.dta (Malware.Packer.Gen) -> No action taken.
D:\avz4\Infected\2010-06-02\avz00014.dta (Trojan.Ddox) -> No action taken.
D:\avz4\Infected\2010-06-02\avz00015.dta (Trojan.Ddox) -> No action taken.
D:\avz4\Infected\2010-06-02\avz00016.dta (Trojan.Ddox) -> No action taken.
D:\avz4\Infected\2010-06-02\avz00017.dta (Trojan.Ddox) -> No action taken.
D:\avz4\Infected\2010-06-02\avz00020.dta (Trojan.Ddox) -> No action taken.
D:\avz4\Infected\2010-06-02\avz00022.dta (Trojan.Ddox) -> No action taken.
D:\avz4\Infected\2010-06-02\avz00024.dta (Trojan.Ddox) -> No action taken.
D:\avz4\Infected\2010-06-02\avz00025.dta (Trojan.Ddox) -> No action taken.
D:\avz4\Infected\2010-06-02\avz00026.dta (Trojan.Ddox) -> No action taken.
D:\avz4\Infected\2010-06-02\avz00029.dta (Trojan.Ddox) -> No action taken.
D:\avz4\Quarantine\2010-06-02\avz00001.dta (Trojan.Dropper) -> No action taken.
D:\avz4\Quarantine\2010-06-02\avz00007.dta (Trojan.Ddox) -> No action taken.
D:\avz4\Quarantine\2010-06-02\avz00012.dta (Trojan.Ddox) -> No action taken.
D:\avz4\Quarantine\2010-06-02\avz00022.dta (Trojan.Ddox) -> No action taken.
D:\avz4\Quarantine\2010-06-02\avz00035.dta (Trojan.Ddox) -> No action taken.
D:\avz4\Quarantine\2010-06-02\avz00044.dta (Trojan.Dropper) -> No action taken.
D:\avz4\Quarantine\2010-06-03\avz00005.dta (Trojan.Ddox) -> No action taken.
D:\avz4\Quarantine\2010-06-03\avz00017.dta (Trojan.Ddox) -> No action taken.
D:\avz4\Quarantine\2010-06-03\avz00025.dta (Trojan.Ddox) -> No action taken.
D:\avz4\Quarantine\2010-06-03\avz00030.dta (Trojan.Ddox) -> No action taken.
D:\avz4\Quarantine\2010-06-03\avz00034.dta (Trojan.Dropper) -> No action taken.
D:\avz4\Quarantine\2010-06-03\avz00036.dta (Trojan.Dropper) -> No action taken.
C:\WINDOWS\system32\Drivers\ndisvvan.sys (Rootkit.Agent) -> No action taken.
C:\Documents and Settings\Admin_01\Application Data\wiaservg.log (Malware.Trace) -> No action taken.
C:\WINDOWS\system32\secupdat.dat (Backdoor.Bot) -> No action taken.
C:\Documents and Settings\Admin_01\secupdat.dat (Worm.Autorun) -> No action taken.
C:\Documents and Settings\All Users\secupdat.dat (Worm.Autorun) -> No action taken.
C:\Documents and Settings\Default User\secupdat.dat (Worm.Autorun) -> No action taken.
C:\Documents and Settings\LocalService\secupdat.dat (Worm.Autorun) -> No action taken.
C:\Documents and Settings\NetworkService\secupdat.dat (Worm.Autorun) -> No action taken.
C:\Documents and Settings\Администратор\secupdat.dat (Worm.Autorun) -> No action taken.
C:\Documents and Settings\Администратор.ADMIN\secupdat.dat (Worm.Autorun) -> No action taken.
C:\WINDOWS\system32\config\systemprofile\secupdat.dat (Worm.Autorun) -> No action taken.

А как это сделать? Это приложение я удалил как и просили в описании программы. - Сделайте лог [URL="http://virusinfo.info/showthread.php?t=53070"]MBAM[/URL]
03.06.2010, 21:46
polword

это надо смотреть [URL="http://virusinfo.info/showpost.php?p=493584&postcount=2"] тут[/URL]
04.06.2010, 00:48
Elmer

Карантин загрузил. Установил заново МВАМ, просканировал, но программа нашла не все, что Вы просили удалить (сделал скриншот [URL=http://img337.imageshack.us/i/3333a.png/][IMG]http://img337.imageshack.us/img337/8859/3333a.png[/IMG][/URL]

Uploaded with [URL=http://imageshack.us]ImageShack.us[/URL]). Папку D:\avz4 я удалил ранее, вместе с МВАМ. После выполнения скрипта (который расположен ниже), перезагрузки Windows не произошло, перезагрузил вручную.

2.Выполните скрипт в AVZ
Код:

begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
DeleteFileMask(GetAVZDirectory + 'Quarantine', '*.*', true);
QuarantineFile('C:\WINDOWS\system32\Drivers\lsirimuk.sys','');
QuarantineFile('C:\WINDOWS\Prefetch\EXPLORER.EXE ','');
DeleteFile('C:\WINDOWS\system32\Drivers\lsirimuk.sys');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.
04.06.2010, 13:13
polword

- [URL="http://virusinfo.info/showthread.php?t=7239"]Выполните скрипт в AVZ[/URL]
[CODE]
begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
DeleteFileMask(GetAVZDirectory + 'Quarantine', '*.*', true);
DeleteFile('C:\WINDOWS\Prefetch\EXPLORER.EXE');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.[/CODE]

После перезагрузки:
- Сделайте лог [URL="http://virusinfo.info/showthread.php?t=53070"]MBAM[/URL]
04.06.2010, 19:05
Elmer

Скрипт выполнил, логи прикрепил.
04.06.2010, 20:53
polword

Чисто.

обновите систему
- SP2 обновите до [URL="http://www.microsoft.com/Downloads/details.aspx?displaylang=ru&FamilyID=5b33b5a8-5e76-401f-be08-1e1555d4f3d4"]Service Pack 3[/URL](может потребоваться активация)
[B]*[/B] Перед установкой Сервис Пака необходимо выгрузить антивирус, файрвол, а так же резидентные приложения типа TeaTimer (Spybot Search and Destroy) и др.)
- Установите [URL="http://www.microsoft.com/rus/windows/internet-explorer/default.aspx"]Internet-Explorer 8[/URL].(даже если Вы его не используете)
- Поставте все последние обновления системы Windows - [URL="http://www.update.microsoft.com"]тут[/URL]
04.06.2010, 22:53
Elmer

Огромное спасибо:thank_you2:
05.06.2010, 22:53
CyberHelper

Итог лечения

Статистика проведенного лечения:
[LIST][*]Получено карантинов: [B]2[/B][*]Обработано файлов: [B]150[/B][*]В ходе лечения обнаружены вредоносные программы:
[LIST=1][*] c:\documents and settings\admin_01\ctfmon.exe - [B]P2P-Worm.Win32.Palevo.akvu[/B] ( DrWEB: Win32.HLLW.Lime.18 )[*] c:\documents and settings\admin_01\local settings\temporary internet files\content.ie5\c7ogtxol\fekmnjk[1].exe - [B]Trojan.Win32.Ddox.ln[/B] ( DrWEB: Trojan.Packed.20337, BitDefender: Trojan.Generic.4075810, NOD32: Win32/Lethic.AA trojan )[*] c:\documents and settings\admin_01\local settings\temporary internet files\content.ie5\ecv2opku\cfewk[1].exe - [B]Trojan.Win32.Ddox.li[/B] ( DrWEB: BackDoor.Siggen.14353, BitDefender: Trojan.Generic.4026522, NOD32: Win32/Lethic.AA trojan, AVAST4: Win32:Malware-gen )[*] c:\documents and settings\admin_01\local settings\temporary internet files\content.ie5\ecv2opku\cvdsds[1].exe - [B]Trojan.Win32.Ddox.mj[/B] ( DrWEB: BackDoor.Siggen.14353, BitDefender: Trojan.Generic.4123123, AVAST4: Win32:Malware-gen )[*] c:\documents and settings\admin_01\local settings\temporary internet files\content.ie5\ecv2opku\cwmkom[1].exe - [B]Trojan.Win32.Ddox.lj[/B] ( DrWEB: BackDoor.Siggen.14353, BitDefender: Backdoor.Generic.353295, NOD32: Win32/Lethic.AA trojan, AVAST4: Win32:Malware-gen )[*] c:\documents and settings\admin_01\local settings\temporary internet files\content.ie5\ecv2opku\dcwmi[1].exe - [B]Trojan.Win32.Ddox.lc[/B] ( DrWEB: BackDoor.Siggen.14353, BitDefender: Trojan.Generic.4026522, NOD32: Win32/Lethic.AA trojan, AVAST4: Win32:Malware-gen )[*] c:\documents and settings\admin_01\local settings\temporary internet files\content.ie5\ndqei7bo\dfwklmkm[1].exe - [B]Trojan.Win32.Ddox.ls[/B] ( DrWEB: Trojan.Packed.20337, BitDefender: Trojan.Generic.4075810 )[*] c:\documents and settings\admin_01\local settings\temporary internet files\content.ie5\ndqei7bo\dsgvds[1].exe - [B]Trojan.Win32.Ddox.lh[/B] ( DrWEB: BackDoor.Siggen.14353, BitDefender: Trojan.Generic.4026522, AVAST4: Win32:Malware-gen )[*] c:\documents and settings\admin_01\local settings\temporary internet files\content.ie5\ndqei7bo\dwwdknm[1].exe - [B]Trojan.Win32.Ddox.lw[/B] ( DrWEB: BackDoor.Siggen.14353, BitDefender: Trojan.Generic.4026522, AVAST4: Win32:Malware-gen )[*] c:\documents and settings\admin_01\local settings\temporary internet files\content.ie5\ndqei7bo\ewdemki[1].exe - [B]Trojan.Win32.Ddox.le[/B] ( DrWEB: BackDoor.Siggen.14353, BitDefender: Backdoor.Generic.353295, NOD32: Win32/Lethic.AA trojan, AVAST4: Win32:Malware-gen )[*] c:\documents and settings\admin_01\local settings\temporary internet files\content.ie5\uy234nlj\bhggrwefew[1].exe - [B]Trojan.Win32.Ddox.ky[/B] ( DrWEB: BackDoor.Siggen.14353, BitDefender: Trojan.Generic.4026522, NOD32: Win32/Lethic.AA trojan, AVAST4: Win32:Malware-gen )[*] c:\documents and settings\admin_01\local settings\temporary internet files\content.ie5\uy234nlj\cvdsvcds[1].exe - [B]Trojan.Win32.Ddox.lt[/B] ( DrWEB: BackDoor.Siggen.14353, BitDefender: Trojan.Generic.4026522, NOD32: Win32/Lethic.AA trojan, AVAST4: Win32:Malware-gen )[*] c:\documents and settings\admin_01\local settings\temporary internet files\content.ie5\uy234nlj\fdewwdqkj[1].exe - [B]Trojan.Win32.Ddox.lt[/B] ( DrWEB: BackDoor.Siggen.14353, BitDefender: Trojan.Generic.4026522, NOD32: Win32/Lethic.AA trojan, AVAST4: Win32:Malware-gen )[*] c:\documents and settings\admin_01\madb.exe - [B]Trojan-Dropper.Win32.Mudrop.ixz[/B] ( DrWEB: BackDoor.Tofsee.7, BitDefender: Gen:Trojan.Heur.GZ.amGfbCguNKb, AVAST4: Win32:Malware-gen )[*] c:\temp\069.exe - [B]Trojan.Win32.Ddox.lc[/B] ( DrWEB: BackDoor.Siggen.14353, BitDefender: Trojan.Generic.4026522, NOD32: Win32/Lethic.AA trojan, AVAST4: Win32:Malware-gen )[*] c:\temp\081.exe - [B]Trojan.Win32.Ddox.ln[/B] ( DrWEB: Trojan.Packed.20337, BitDefender: Trojan.Generic.4075810, NOD32: Win32/Lethic.AA trojan )[*] c:\temp\114.exe - [B]Trojan.Win32.Ddox.lh[/B] ( DrWEB: BackDoor.Siggen.14353, BitDefender: Trojan.Generic.4026522, AVAST4: Win32:Malware-gen )[*] c:\temp\247.exe - [B]Trojan.Win32.Ddox.lt[/B] ( DrWEB: BackDoor.Siggen.14353, BitDefender: Trojan.Generic.4026522, NOD32: Win32/Lethic.AA trojan, AVAST4: Win32:Malware-gen )[*] c:\temp\398.exe - [B]Trojan.Win32.Ddox.le[/B] ( DrWEB: BackDoor.Siggen.14353, BitDefender: Backdoor.Generic.353295, NOD32: Win32/Lethic.AA trojan, AVAST4: Win32:Malware-gen )[*] c:\temp\433.exe - [B]Trojan.Win32.Ddox.ln[/B] ( DrWEB: Trojan.Packed.20337, BitDefender: Trojan.Generic.4075810, NOD32: Win32/Lethic.AA trojan )[*] c:\temp\438.exe - [B]Trojan.Win32.Ddox.lu[/B] ( DrWEB: Trojan.Packed.20337, BitDefender: Trojan.Generic.4075810 )[*] c:\temp\440.exe - [B]Trojan.Win32.Ddox.ls[/B] ( DrWEB: Trojan.Packed.20337, BitDefender: Trojan.Generic.4075810 )[*] c:\temp\487.exe - [B]Trojan.Win32.Ddox.ky[/B] ( DrWEB: BackDoor.Siggen.14353, BitDefender: Trojan.Generic.4026522, NOD32: Win32/Lethic.AA trojan, AVAST4: Win32:Malware-gen )[*] c:\temp\507.exe - [B]Trojan.Win32.Ddox.lu[/B] ( DrWEB: Trojan.Packed.20337, BitDefender: Trojan.Generic.4075810 )[*] c:\temp\601.exe - [B]Trojan.Win32.Ddox.lr[/B] ( DrWEB: Trojan.Packed.20337, BitDefender: Trojan.Generic.4075810 )[*] c:\temp\635.exe - [B]Trojan.Win32.Ddox.lc[/B] ( DrWEB: BackDoor.Siggen.14353, BitDefender: Trojan.Generic.4026522, NOD32: Win32/Lethic.AA trojan, AVAST4: Win32:Malware-gen )[*] c:\temp\728.exe - [B]Trojan.Win32.Ddox.lu[/B] ( DrWEB: Trojan.Packed.20337, BitDefender: Trojan.Generic.4075810 )[*] c:\temp\729.exe - [B]Trojan.Win32.Ddox.lw[/B] ( DrWEB: BackDoor.Siggen.14353, BitDefender: Trojan.Generic.4026522, AVAST4: Win32:Malware-gen )[*] c:\temp\919.exe - [B]Trojan.Win32.Ddox.lt[/B] ( DrWEB: BackDoor.Siggen.14353, BitDefender: Trojan.Generic.4026522, NOD32: Win32/Lethic.AA trojan, AVAST4: Win32:Malware-gen )[*] c:\temp\974.exe - [B]Trojan.Win32.Ddox.lj[/B] ( DrWEB: BackDoor.Siggen.14353, BitDefender: Backdoor.Generic.353295, NOD32: Win32/Lethic.AA trojan, AVAST4: Win32:Malware-gen )[*] c:\temp\977.exe - [B]Trojan.Win32.Ddox.lr[/B] ( DrWEB: Trojan.Packed.20337, BitDefender: Trojan.Generic.4075810 )[*] c:\temp\979.exe - [B]Trojan.Win32.Ddox.lt[/B] ( DrWEB: BackDoor.Siggen.14353, BitDefender: Trojan.Generic.4026522, NOD32: Win32/Lethic.AA trojan, AVAST4: Win32:Malware-gen )[*] c:\temp\982.exe - [B]Trojan.Win32.Ddox.mj[/B] ( DrWEB: BackDoor.Siggen.14353, BitDefender: Trojan.Generic.4123123, AVAST4: Win32:Malware-gen )[*] c:\windows\explorer.exe:userini.exe:$data - [B]Packed.Win32.Krap.x[/B] ( DrWEB: Trojan.Packed.20382, BitDefender: Trojan.Bredolab.BY, AVAST4: Win32:Malware-gen )[*] c:\windows\system32\drivers\lsirimuk.sys - [B]Rootkit.Win32.Pakes.zo[/B] ( DrWEB: Trojan.Siggen.18257, BitDefender: Backdoor.Tofsee.Gen, NOD32: Win32/TrojanDownloader.Genome.CLU trojan, AVAST4: Win32:Malware-gen )[*] c:\windows\system32\q6cc6oo6.exe - [B]Trojan.Win32.Ddox.me[/B] ( DrWEB: Trojan.Siggen1.37164, BitDefender: Trojan.Generic.4122130 )[*] c:\windows\system32\userini.exe - [B]Packed.Win32.Krap.x[/B] ( DrWEB: Trojan.Packed.20382, BitDefender: Trojan.Bredolab.BY, AVAST4: Win32:Malware-gen )[*] c:\windows\system32\wwriiduupg.exe - [B]Trojan.Win32.Ddox.mj[/B] ( DrWEB: BackDoor.Siggen.14353, BitDefender: Trojan.Generic.4123123, AVAST4: Win32:Malware-gen )[*] f:\nastavi\palili.exe - [B]P2P-Worm.Win32.Palevo.akvu[/B] ( DrWEB: Win32.HLLW.Lime.18 )[/LIST][/LIST]