-
Hello.
The problem is this: there was a pile of viruses on the machine; I removed them first with NOD, then with Panda. NOD is installed now. A scan finds nothing, but after the computer is switched on, or after boot, NOD cheerfully reports
myceck.com/codec.exe Win32/TrojanDownloader.FakeAlert.GU
C:\WINDOWS\System32\drivers\Winms30.sys Win32/Wigon.CK
Logs attached.
Added 2 minutes later
the attachment won't attach...
Thanks, the removal helped
Just in case, I uploaded it to depositfiles
http://depositfiles.com/files/7905232
Last edited by Rene-gad; 12.09.2008 at 15:34.
-
While the script is running, disconnect from the network and disable the antivirus monitor.
Fix the following line with HijackThis:
Code:
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll
In AVZ: File - Run script - run this script:
Code:
begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
DeleteService('Winag62');
DeleteService('Winag85');
DeleteService('Winah86');
DeleteService('Winbh17');
DeleteService('Windi51');
DeleteService('Winfl06');
DeleteService('Wingo86');
DeleteService('Winhn74');
DeleteService('Winmt42');
DeleteService('Winnt52');
DeleteService('Winnt85');
DeleteService('Winnu31');
DeleteService('Winot84');
DeleteService('Winov75');
DeleteService('Winqx53');
DeleteService('Winrx28');
DeleteService('Winsy28');
DeleteService('Winta05');
DeleteService('Wintc07');
DeleteService('Winvb62');
DeleteService('Winvc38');
DeleteService('Winvd07');
DeleteService('Winve64');
DeleteService('Winwc05');
DeleteService('Winyf17');
DeleteService('Winwe20');
DeleteService('WudfSvcEventlogDhcplanmanworkstation');
DeleteService('WudfSvcEventlog');
DeleteService('W32TimeSharedAccess');
DeleteService('ThemesNtLmSspwinmgmt');
DeleteService('ThemesNtLmSsp');
DeleteService('ThemesDnscache');
DeleteService('TapiSrvAppMgmt');
DeleteService('SysmonLogImapiService');
DeleteService('SSDPSRVRDSessMgr');
DeleteService('SamSsawhost32');
DeleteService('RSVPSR_Service');
DeleteService('RpcLocatorBITS');
DeleteService('RemoteAccess Service');
DeleteService('PlugPlay Service');
DeleteService('NtmsSvcRasMan');
DeleteService('MSDTCPlugPlay');
DeleteService('MSDTCbtwdins');
DeleteService('LmHostsDhcplanmanworkstation');
DeleteService('lanmanserverSR_WatchDogdmserver');
DeleteService('lanmanserverSR_WatchDog');
DeleteService('iPodRemoteAccess');
DeleteService('iPodRasAuto');
DeleteService('ImapiServiceALGNetDDEdsdmNetDDENVSvc');
DeleteService('HidServTapiSrvAppMgmt');
DeleteService('FastUserSwitchingCompatibilitySamSs');
DeleteService('FastUserSwitchingCompatibilitylanmanworkstationWMPNetworkSvc');
DeleteService('FastUserSwitchingCompatibilitylanmanworkstation');
DeleteService('FastUserSwitchingCompatibilityFastUserSwitchingCompatibilitylanmanworkstation');
DeleteService('dmserverALGNetDDEdsdmNetDDENVSvc');
DeleteService('Dhcplanmanworkstation');
DeleteService('DcomLaunchlanmanserver');
DeleteService('COMSysApplanmanserver');
DeleteService('ClipSrvlanmanserverSR_WatchDog');
DeleteService('btwdinswinmgmt');
DeleteService('awhost32SysmonLog');
DeleteService('aspnet_stateSSDPSRV');
DeleteService('aspnet_stateDhcpwscsvcProtectedStorage');
DeleteService('aspnet_stateDhcpwscsvc');
DeleteService('aspnet_stateDhcp');
DeleteService('AppMgmtNetDDE');
DeleteService('ALGNetDDEdsdmNetDDENVSvc');
DeleteService('ALGNetDDEdsdmNetDDE');
DeleteService('ALGNetDDEdsdm');
BC_DeleteSVC('Winag62');
BC_DeleteSVC('Winag85');
BC_DeleteSVC('Winah86');
BC_DeleteSVC('Winbh17');
BC_DeleteSVC('Windi51');
BC_DeleteSVC('Winfl06');
BC_DeleteSVC('Wingo86');
BC_DeleteSVC('Winhn74');
BC_DeleteSVC('Winmt42');
BC_DeleteSVC('Winnt52');
BC_DeleteSVC('Winnt85');
BC_DeleteSVC('Winnu31');
BC_DeleteSVC('Winot84');
BC_DeleteSVC('Winov75');
BC_DeleteSVC('Winqx53');
BC_DeleteSVC('Winrx28');
BC_DeleteSVC('Winsy28');
BC_DeleteSVC('Winta05');
BC_DeleteSVC('Wintc07');
BC_DeleteSVC('Winvb62');
BC_DeleteSVC('Winvc38');
BC_DeleteSVC('Winvd07');
BC_DeleteSVC('Winve64');
BC_DeleteSVC('Winwc05');
BC_DeleteSVC('Winyf17');
BC_DeleteSVC('Winwe20');
BC_DeleteSVC('WudfSvcEventlogDhcplanmanworkstation');
BC_DeleteSVC('WudfSvcEventlog');
BC_DeleteSVC('W32TimeSharedAccess');
BC_DeleteSVC('ThemesNtLmSspwinmgmt');
BC_DeleteSVC('ThemesNtLmSsp');
BC_DeleteSVC('ThemesDnscache');
BC_DeleteSVC('TapiSrvAppMgmt');
BC_DeleteSVC('SysmonLogImapiService');
BC_DeleteSVC('SSDPSRVRDSessMgr');
BC_DeleteSVC('SamSsawhost32');
BC_DeleteSVC('RSVPSR_Service');
BC_DeleteSVC('RpcLocatorBITS');
BC_DeleteSVC('RemoteAccess Service');
BC_DeleteSVC('PlugPlay Service');
BC_DeleteSVC('NtmsSvcRasMan');
BC_DeleteSVC('MSDTCPlugPlay');
BC_DeleteSVC('MSDTCbtwdins');
BC_DeleteSVC('LmHostsDhcplanmanworkstation');
BC_DeleteSVC('lanmanserverSR_WatchDogdmserver');
BC_DeleteSVC('lanmanserverSR_WatchDog');
BC_DeleteSVC('iPodRemoteAccess');
BC_DeleteSVC('iPodRasAuto');
BC_DeleteSVC('ImapiServiceALGNetDDEdsdmNetDDENVSvc');
BC_DeleteSVC('HidServTapiSrvAppMgmt');
BC_DeleteSVC('FastUserSwitchingCompatibilitySamSs');
BC_DeleteSVC('FastUserSwitchingCompatibilitylanmanworkstationWMPNetworkSvc');
BC_DeleteSVC('FastUserSwitchingCompatibilitylanmanworkstation');
BC_DeleteSVC('FastUserSwitchingCompatibilityFastUserSwitchingCompatibilitylanmanworkstation');
BC_DeleteSVC('dmserverALGNetDDEdsdmNetDDENVSvc');
BC_DeleteSVC('Dhcplanmanworkstation');
BC_DeleteSVC('DcomLaunchlanmanserver');
BC_DeleteSVC('COMSysApplanmanserver');
BC_DeleteSVC('ClipSrvlanmanserverSR_WatchDog');
BC_DeleteSVC('btwdinswinmgmt');
BC_DeleteSVC('awhost32SysmonLog');
BC_DeleteSVC('aspnet_stateSSDPSRV');
BC_DeleteSVC('aspnet_stateDhcpwscsvcProtectedStorage');
BC_DeleteSVC('aspnet_stateDhcpwscsvc');
BC_DeleteSVC('aspnet_stateDhcp');
BC_DeleteSVC('AppMgmtNetDDE');
BC_DeleteSVC('ALGNetDDEdsdmNetDDENVSvc');
BC_DeleteSVC('ALGNetDDEdsdmNetDDE');
BC_DeleteSVC('ALGNetDDEdsdm');
QuarantineFile('C:\WINDOWS\system32\dns-sd.exe','');
QuarantineFile('C:\WINDOWS\system32\WinCtrl32.dll','');
DeleteFile('C:\WINDOWS\system32\WinCtrl32.dll');
BC_DeleteFile('C:\WINDOWS\system32\WinCtrl32.dll');
delwinlogonnotifybykeyname('WinCtrl32');
BC_Activate;
ExecuteSysClean;
RebootWindows(true);
end.
After the reboot, upload the AVZ quarantine via the link http://virusinfo.info/upload_virus.php?tid=30054 , as described in Appendix 3 of the rules, and post fresh logs.
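As an added example (not code from this thread or from AVZ), a Python check from the defender's side that flags service names following the two patterns visible in the script above: random "Win" + two letters + two digits names, and names glued together from legitimate Windows XP service names (e.g. ThemesDnscache = Themes + Dnscache). The KNOWN_SERVICES list is a constructed partial sample; in practice feed the function the names from `sc query` or the AVZ service log.

```python
import re
from typing import Iterable

# Constructed, partial list of legitimate Windows XP service names. The malware in
# this thread registered services whose names are two or more of these concatenated.
# Extend it from a clean reference machine before using it for real triage.
KNOWN_SERVICES = [
    "Themes", "Dnscache", "NtLmSsp", "winmgmt", "W32Time", "SharedAccess",
    "TapiSrv", "AppMgmt", "SysmonLog", "ImapiService", "SSDPSRV", "RDSessMgr",
    "SamSs", "awhost32", "RpcLocator", "BITS", "MSDTC", "PlugPlay", "btwdins",
    "LmHosts", "Dhcp", "lanmanworkstation", "lanmanserver", "dmserver",
    "ALG", "NetDDE", "NetDDEdsdm", "NVSvc", "WudfSvc", "Eventlog",
    "aspnet_state", "wscsvc", "ProtectedStorage", "HidServ", "NtmsSvc", "RasMan",
    "FastUserSwitchingCompatibility", "WMPNetworkSvc", "DcomLaunch", "COMSysApp",
    "ClipSrv", "iPod", "RemoteAccess", "RasAuto", "RSVP", "SR_Service",
]

# Random-looking names from the thread: "Win" + two lowercase letters + two digits.
RANDOM_WIN_NAME = re.compile(r"^Win[a-z]{2}\d{2}$")


def _concat_of_known(name: str, parts: tuple = ()) -> list:
    """Depth-first search for a split of `name` into >= 2 known service names
    (case-insensitive). Returns the parts, or [] if no such split exists."""
    if name == "":
        return list(parts) if len(parts) >= 2 else []
    for svc in KNOWN_SERVICES:
        if name.lower().startswith(svc.lower()):
            hit = _concat_of_known(name[len(svc):], parts + (svc,))
            if hit:  # empty list means this branch failed; try the next prefix
                return hit
    return []


def classify_service_name(name: str) -> str:
    """Label one service name: 'random-win', 'concat:<parts>', or 'ok'."""
    if RANDOM_WIN_NAME.match(name):
        return "random-win"
    parts = _concat_of_known(name)
    if parts:
        return "concat:" + "+".join(parts)
    return "ok"


def flag_suspicious(names: Iterable[str]) -> dict:
    """Return {name: label} for every name that is not 'ok'."""
    labelled = {n: classify_service_name(n) for n in names}
    return {n: lbl for n, lbl in labelled.items() if lbl != "ok"}
```

A single legitimate name such as Themes or Eventlog is reported as ok; only concatenations of two or more known names are flagged.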
-
Treatment summary
Statistics of the treatment carried out:
- Quarantines received: 5
- Files processed: 7
- Malicious programs found during treatment:
- c:\windows\system32\winctrl32.dll - Trojan-Downloader.Win32.Mutant.bgz (DrWEB: BackDoor.Bulknet.23)
- c:\windows\system32\winctrl32.dll - Trojan-Downloader.Win32.Mutant.bhl (DrWEB: BackDoor.Bulknet.23)
-