День добрый! Запускал проверку Касперским — ничего не находил. Запустил очистку диска, отключил восстановление системы, и Касперский ругнулся на этот вирус, но удалить его не смог!
Отключите [B][COLOR="Red"]восстановление системы!!![/COLOR][/B] — [URL="http://avptool.ru/ru/AVPTool_helpdesk_sysrestore.htm"]как это сделать, см. здесь[/URL]. Иначе удалённые файлы могут вернуться из точек восстановления.
- [URL="http://virusinfo.info/showthread.php?t=7239"]Выполните скрипт в AVZ[/URL]
[CODE]
begin
// AVZ cleanup script posted by the helper. Stages, in order:
//   1. rootkit scan and AVZGuard lock (blocks other processes while the script runs);
//   2. QuarantineFile for the suspicious files (samples survive for analysis);
//   3. DeleteFile for the ones the helper has decided to remove;
//   4. rewrite the AppInit_DLLs persistence value;
//   5. hand everything still locked to AVZ's BootCleaner (BC_*) and reboot.
// Statement order matters: a file must be quarantined before it is deleted,
// and BC_ImportAll/BC_Activate must follow the Quarantine/Delete calls they collect.
SearchRootkit(true, true);
SetAVZGuardStatus(True);
QuarantineFile('C:\SETUP\DATA\June.exe','');
QuarantineFile('C:\Documents and Settings\User\sxdinsyejotyekpuafkpu.exe','');
QuarantineFile('C:\DOCUME~1\User\LOCALS~1\Temp\gsf10\build.exe','');
DeleteFile('C:\Documents and Settings\User\sxdinsyejotyekpuafkpu.exe');
// ok.exe is deleted without a prior QuarantineFile (no sample kept). Note that the
// later MBAM log in this thread still flags the C:\RECYCLED\BIN folder and its
// Desktop.ini as Worm.AutoRun — this script removes only the executable.
DeleteFile('C:\RECYCLED\BIN\ok.exe');
DeleteFile('C:\SETUP\DATA\June.exe');
DeleteFile('C:\DOCUME~1\User\LOCALS~1\Temp\gsf10\build.exe');
// Quarantined only (no matching DeleteFile) — kept for analysis before deciding.
// The later MBAM log in this thread still lists C:\explorer.exe as Worm.AutoRun.
QuarantineFile('C:\explorer.exe','');
QuarantineFile('C:\Documents and Settings\User\Local Settings\Temp\anvFC.tmp','');
QuarantineFile('C:\Documents and Settings\User\Local Settings\Temp\anv96.tmp','');
QuarantineFile('C:\Documents and Settings\User\Local Settings\Temp\anv95.tmp','');
QuarantineFile('C:\Documents and Settings\User\Local Settings\Temp\anv90.tmp','');
QuarantineFile('C:\Documents and Settings\User\Local Settings\Temp\anv30.tmp','');
QuarantineFile('C:\Documents and Settings\User\Local Settings\Temp\anv2F.tmp','');
QuarantineFile('C:\Documents and Settings\User\Local Settings\Temp\anv29.tmp','');
QuarantineFile('C:\Documents and Settings\User\Local Settings\Temp\anv27.tmp','');
QuarantineFile('C:\Documents and Settings\User\Local Settings\Temp\anv26.tmp','');
QuarantineFile('C:\Documents and Settings\User\Local Settings\Temp\anv25.tmp','');
QuarantineFile('C:\Documents and Settings\User\Local Settings\Temp\anv22.tmp','');
QuarantineFile('C:\Documents and Settings\User\Local Settings\Temp\anv20.tmp','');
QuarantineFile('C:\Documents and Settings\User\Local Settings\Temp\anv1C.tmp','');
QuarantineFile('C:\Documents and Settings\User\Local Settings\Temp\anv16.tmp','');
QuarantineFile('C:\Documents and Settings\User\Local Settings\Temp\anv11.tmp','');
// NOTE(review): bare file name with no directory — unless AVZ resolves this against
// a known location, the call most likely does nothing. The full path should be taken
// from the user's log (not visible in this thread).
QuarantineFile('win-explorer.exe','');
// Quarantined only, not deleted — presumably the DLL that was injected via AppInit_DLLs
// (see the registry write below); the helper keeps the sample first.
QuarantineFile('C:\WINDOWS\system32\mmmbebbe.dll','');
// Bulk removal of the anv*.tmp droppers. Most of these were NOT quarantined above —
// only the subset listed earlier is preserved as samples.
DeleteFile('C:\Documents and Settings\User\Local Settings\Temp\anv11.tmp');
DeleteFile('C:\Documents and Settings\User\Local Settings\Temp\anv16.tmp');
DeleteFile('C:\Documents and Settings\User\Local Settings\Temp\anv1C.tmp');
DeleteFile('C:\Documents and Settings\User\Local Settings\Temp\anv20.tmp');
DeleteFile('C:\Documents and Settings\User\Local Settings\Temp\anv22.tmp');
DeleteFile('C:\Documents and Settings\User\Local Settings\Temp\anv25.tmp');
DeleteFile('C:\Documents and Settings\User\Local Settings\Temp\anv26.tmp');
DeleteFile('C:\Documents and Settings\User\Local Settings\Temp\anv27.tmp');
DeleteFile('C:\Documents and Settings\User\Local Settings\Temp\anv29.tmp');
DeleteFile('C:\Documents and Settings\User\Local Settings\Temp\anv2B.tmp');
DeleteFile('C:\Documents and Settings\User\Local Settings\Temp\anv2E.tmp');
DeleteFile('C:\Documents and Settings\User\Local Settings\Temp\anv2F.tmp');
DeleteFile('C:\Documents and Settings\User\Local Settings\Temp\anv30.tmp');
DeleteFile('C:\Documents and Settings\User\Local Settings\Temp\anv33.tmp');
DeleteFile('C:\Documents and Settings\User\Local Settings\Temp\anv46.tmp');
DeleteFile('C:\Documents and Settings\User\Local Settings\Temp\anv48.tmp');
DeleteFile('C:\Documents and Settings\User\Local Settings\Temp\anv4A.tmp');
DeleteFile('C:\Documents and Settings\User\Local Settings\Temp\anv4B.tmp');
DeleteFile('C:\Documents and Settings\User\Local Settings\Temp\anv4F.tmp');
DeleteFile('C:\Documents and Settings\User\Local Settings\Temp\anv51.tmp');
DeleteFile('C:\Documents and Settings\User\Local Settings\Temp\anv53.tmp');
DeleteFile('C:\Documents and Settings\User\Local Settings\Temp\anv5A.tmp');
DeleteFile('C:\Documents and Settings\User\Local Settings\Temp\anv61.tmp');
DeleteFile('C:\Documents and Settings\User\Local Settings\Temp\anv67.tmp');
DeleteFile('C:\Documents and Settings\User\Local Settings\Temp\anv6A.tmp');
DeleteFile('C:\Documents and Settings\User\Local Settings\Temp\anv6B.tmp');
DeleteFile('C:\Documents and Settings\User\Local Settings\Temp\anv6D.tmp');
DeleteFile('C:\Documents and Settings\User\Local Settings\Temp\anv72.tmp');
DeleteFile('C:\Documents and Settings\User\Local Settings\Temp\anv75.tmp');
DeleteFile('C:\Documents and Settings\User\Local Settings\Temp\anv77.tmp');
DeleteFile('C:\Documents and Settings\User\Local Settings\Temp\anv79.tmp');
DeleteFile('C:\Documents and Settings\User\Local Settings\Temp\anv7E.tmp');
DeleteFile('C:\Documents and Settings\User\Local Settings\Temp\anv9.tmp');
DeleteFile('C:\Documents and Settings\User\Local Settings\Temp\anv90.tmp');
DeleteFile('C:\Documents and Settings\User\Local Settings\Temp\anv95.tmp');
DeleteFile('C:\Documents and Settings\User\Local Settings\Temp\anv96.tmp');
DeleteFile('C:\Documents and Settings\User\Local Settings\Temp\anv97.tmp');
DeleteFile('C:\Documents and Settings\User\Local Settings\Temp\anv98.tmp');
DeleteFile('C:\Documents and Settings\User\Local Settings\Temp\anv9B.tmp');
DeleteFile('C:\Documents and Settings\User\Local Settings\Temp\anvA.tmp');
DeleteFile('C:\Documents and Settings\User\Local Settings\Temp\anvA1.tmp');
DeleteFile('C:\Documents and Settings\User\Local Settings\Temp\anvA5.tmp');
DeleteFile('C:\Documents and Settings\User\Local Settings\Temp\anvAB.tmp');
DeleteFile('C:\Documents and Settings\User\Local Settings\Temp\anvAC.tmp');
DeleteFile('C:\Documents and Settings\User\Local Settings\Temp\anvAE.tmp');
DeleteFile('C:\Documents and Settings\User\Local Settings\Temp\anvB3.tmp');
DeleteFile('C:\Documents and Settings\User\Local Settings\Temp\anvB8.tmp');
DeleteFile('C:\Documents and Settings\User\Local Settings\Temp\anvC.tmp');
DeleteFile('C:\Documents and Settings\User\Local Settings\Temp\anvC0.tmp');
DeleteFile('C:\Documents and Settings\User\Local Settings\Temp\anvC1.tmp');
DeleteFile('C:\Documents and Settings\User\Local Settings\Temp\anvC4.tmp');
DeleteFile('C:\Documents and Settings\User\Local Settings\Temp\anvC5.tmp');
DeleteFile('C:\Documents and Settings\User\Local Settings\Temp\anvC6.tmp');
DeleteFile('C:\Documents and Settings\User\Local Settings\Temp\anvC8.tmp');
DeleteFile('C:\Documents and Settings\User\Local Settings\Temp\anvCC.tmp');
DeleteFile('C:\Documents and Settings\User\Local Settings\Temp\anvCF.tmp');
DeleteFile('C:\Documents and Settings\User\Local Settings\Temp\anvD6.tmp');
DeleteFile('C:\Documents and Settings\User\Local Settings\Temp\anvD7.tmp');
DeleteFile('C:\Documents and Settings\User\Local Settings\Temp\anvDD.tmp');
DeleteFile('C:\Documents and Settings\User\Local Settings\Temp\anvDF.tmp');
DeleteFile('C:\Documents and Settings\User\Local Settings\Temp\anvE0.tmp');
DeleteFile('C:\Documents and Settings\User\Local Settings\Temp\anvE7.tmp');
DeleteFile('C:\Documents and Settings\User\Local Settings\Temp\anvE8.tmp');
DeleteFile('C:\Documents and Settings\User\Local Settings\Temp\anvEA.tmp');
DeleteFile('C:\Documents and Settings\User\Local Settings\Temp\anvF.tmp');
DeleteFile('C:\Documents and Settings\User\Local Settings\Temp\anvF1.tmp');
DeleteFile('C:\Documents and Settings\User\Local Settings\Temp\anvF2.tmp');
DeleteFile('C:\Documents and Settings\User\Local Settings\Temp\anvF3.tmp');
DeleteFile('C:\Documents and Settings\User\Local Settings\Temp\anvFC.tmp');
DeleteFile('C:\Documents and Settings\User\Local Settings\Temp\anvFD.tmp');
DeleteFile('C:\Documents and Settings\User\Local Settings\Temp\BN130.tmp');
// AppInit_DLLs is a classic injection/persistence point: every DLL listed here is loaded
// into each user-mode process. The value is overwritten wholesale with only the two
// Kaspersky entries. Presumably the user's log showed a third, malicious entry appended
// (the log is not in this thread) — verify the two paths against that log, because a
// typo here breaks Kaspersky's own injection instead of removing the malware's.
RegKeyStrParamWrite('HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows','AppInit_DLLs','C:\PROGRA~1\KASPER~1\KASPER~4\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll');
// BootCleaner (BC_*): by AVZ's design, import the pending quarantine/delete tasks so that
// files locked while Windows is running are handled during the next boot.
BC_ImportAll;
ExecuteSysClean;
// Two AVZ wizards ('TSW' and 'SCU') run in automatic mode — the arguments select the
// wizard ID, detail level and fix mode per AVZ's ExecuteWizard convention.
ExecuteWizard('TSW', 2, 2, true);
ExecuteWizard('SCU', 2, 2, true);
BC_Activate;
// Forced reboot so BootCleaner can complete the removals before the malware re-launches.
RebootWindows(true);
end.[/CODE]
После перезагрузки:
- выполните такой скрипт
[CODE]begin
// Run after the reboot: pack AVZ's quarantine folder into quarantine.zip in the AVZ
// directory so it can be uploaded via the thread's "send requested quarantine" link.
// "Qurantine" (sic) is the actual spelling of the AVZ API function — do not "correct"
// it, or AVZ will reject the script.
CreateQurantineArchive(GetAVZDirectory+'quarantine.zip');
end.[/CODE]
- Файл [B][COLOR="Red"]quarantine.zip[/COLOR][/B] из папки AVZ загрузите по ссылке [B][COLOR="Red"]Прислать запрошенный карантин[/COLOR][/B] вверху темы
- Сделайте повторные логи по [URL="http://virusinfo.info/pravila_old.html"]правилам[/URL], п. 2 и 3 раздела «Диагностика» ([COLOR="Blue"]virusinfo_syscheck.zip; hijackthis.log[/COLOR])
- Сделайте лог [URL="http://virusinfo.info/showpost.php?p=457118&postcount=1"][COLOR="Blue"][B]MBAM[/B][/COLOR][/URL]
Извиняюсь за лишние логи! Сделал всё в соответствии с правилами!
- Файл quarantine.zip из папки AVZ загрузите по ссылке Прислать запрошенный карантин вверху темы
Не отправляется — пишет, что файл уже был отправлен! ((
Логи готовы.
Ай-ай-яй... Кто-нибудь, не дайте мне в пятницу сидеть до упора на работе — гляньте логи. (((
[url="http://virusinfo.info/showpost.php?p=493584&postcount=2"]Удалите в MBAM[/url] всё перечисленное ниже. Обратите внимание: в логе есть файлы в E:\System Volume Information — это точки восстановления; после очистки отключите и снова включите восстановление системы на всех дисках, чтобы заражённые точки не вернулись. [code]Зараженные ключи в реестре:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{28abc5c0-4fcb-11cf-aax5-81cx1c635612} (Generic.Bot.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{1408e208-2ac1-42d3-9f10-78a5b36e05ac} (Trojan.BHO) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{67kln5j0-4opm-00we-aax5-74cc2a323342} (Backdoor.Bifrose) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\StimulProfit (Adware.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\m1RC (IRCBot.Trace.Gen) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Cl4sses (IRCBot.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FieryAds (Adware.FieryAds) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\m1RC (Backdoor.Bot) -> No action taken.
Зараженные параметры в реестре:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\host (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\id (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Services\del (Malware.Trace) -> No action taken.
Зараженные папки:
C:\Documents and Settings\User\Application Data\FieryAds (Adware.FieryAds) -> No action taken.
C:\Documents and Settings\User\Application Data\Rapid Antivirus (Rogue.RapidAntiVirus) -> No action taken.
C:\Documents and Settings\LocalService\Application Data\wsnpoem (Trojan.Agent) -> No action taken.
C:\Documents and Settings\NetworkService\Application Data\wsnpoem (Trojan.Agent) -> No action taken.
C:\Program Files\FieryAds (Adware.Adware.FearAds) -> No action taken.
C:\RECYCLED\BIN (Worm.AutoRun) -> No action taken.
C:\WINDOWS\system32\wsnpoem (Trojan.Agent) -> No action taken.
Зараженные файлы:
C:\Documents and Settings\User\Рабочий стол\avz4.35\avz4\Quarantine\2010-11-19\avz00001.dta (Backdoor.IRCbot) -> No action taken.
C:\ErdUndoCache\rp365\A0228848.EXE (Trojan.Agent.CK) -> No action taken.
C:\Program Files\FieryAds\FieryAdsUninstall.exe (Adware.FieryAds) -> No action taken.
C:\WINDOWS\system32\Beclickz.dll (Backdoor.IRCFlood) -> No action taken.
C:\WINDOWS\system32\dmans.dll (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\psme2.exe (Malware.Tool) -> No action taken.
C:\WINDOWS\system32\ReFixerz.dll (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\System (Backdoor.IRCbot) -> No action taken.
E:\System Volume Information\_restore{1F62B33A-EFD2-4F7C-B882-0DB135CBE405}\RP188\A0429900.exe (Worm.Koobface) -> No action taken.
E:\System Volume Information\_restore{1F62B33A-EFD2-4F7C-B882-0DB135CBE405}\RP188\A0429898.exe (Worm.Koobface) -> No action taken.
E:\System Volume Information\_restore{1F62B33A-EFD2-4F7C-B882-0DB135CBE405}\RP188\A0429899.exe (Worm.Koobface) -> No action taken.
C:\Documents and Settings\User\Application Data\Rapid Antivirus\Rapid Antivirus.ini (Rogue.RapidAntiVirus) -> No action taken.
C:\Documents and Settings\User\Application Data\Rapid Antivirus\spl.ini (Rogue.RapidAntiVirus) -> No action taken.
C:\Documents and Settings\LocalService\Application Data\wsnpoem\audio.dll (Trojan.Agent) -> No action taken.
C:\Documents and Settings\NetworkService\Application Data\wsnpoem\audio.dll (Trojan.Agent) -> No action taken.
C:\RECYCLED\BIN\Desktop.ini (Worm.AutoRun) -> No action taken.
C:\Documents and Settings\User\Application Data\fieryads.dat (Adware.FieryAds) -> No action taken.
C:\explorer.exe (Worm.AutoRun) -> No action taken.
C:\setup.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\imds.hlp (Malware.Trace) -> No action taken.
C:\WINDOWS\system32\ionfgs.hlp (Malware.Trace) -> No action taken.
C:\WINDOWS\system32\irsss.hlp (Malware.Trace) -> No action taken.
C:\WINDOWS\system32\Refix.ocx (Malware.Trace) -> No action taken.
C:\Documents and Settings\LocalService.NT AUTHORITY\oashdihasidhasuidhiasdhiashdiuasdhasd (Malware.Trace) -> No action taken.[/code]