• Администрация SafeZone приветствует вас на нашем форуме!
    Если вы больше не желаете видеть рекламу при просмотре тем и сообщений - то достаточно просто зарегистрироваться. Для зарегистрированных пользователей реклама не отображается.

Решена ПОМОГИТЕ!

Статус
В этой теме нельзя размещать новые ответы.

adamgills

Активный пользователь
Сообщения
14
Симпатии
0
#1
На моем компе вирь. Никакие антивирусы не запускаются. Работает только АВЗ. Посмотрите пожалуйста логи, надеюсь на Вашу помощь. Все сделал как написано вправилах. Логи прилагаю.



[info]Карантин убрал.[/info]
 

akok

Команда форума
Администратор
Сообщения
15,000
Симпатии
12,267
#2
mlburmh.exe - Worm.Win32.AutoRun.diq (dr.web: Win32.HLLW.Autoruner.2497)

AVZ, меню "Файл - Выполнить скрипт" -- Скопировать ниже написанный скрипт-- Нажать кнопку "Запустить".
Код:
begin
 ClearQuarantine;
 SearchRootkit(true, true);
 SetAVZGuardStatus(true);
 QuarantineFile('C:\WINDOWS\system32\rebuild.exe','');
 QuarantineFile('C:\WINDOWS\system32\DRIVERS\wpdusb.sys','');
 QuarantineFile('C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe','');
 QuarantineFile('C:\WINDOWS\system32\vksaver.dll','');
 DeleteFile('C:\WINDOWS\system32\vksaver.dll');
 DeleteFile('c:\windows\system32\vksaver.dll');
 DeleteFile('C:\autorun.inf');
 DeleteFile('C:\mlburmh.exe');
 DeleteFile('E:\autorun.inf');
 DeleteFile('E:\mlburmh.exe');
 DeleteFile('F:\autorun.inf');
 DeleteFile('F:\mlburmh.exe');
 BC_ImportALL;
 ExecuteRepair(9);
 BC_Activate;
 ExecuteSysClean;
 RebootWindows(true);
end.
После выполнения скрипта компьютер перезагрузится.

Код:
begin
 CreateQurantineArchive(GetAVZDirectory+'quarantine.zip');
end.

Полученный архив отправьте на akok<at>pisem.net с указанной ссылкой на тему. (at=@)

Отключите автозапуск и повторите логи.
 

adamgills

Активный пользователь
Сообщения
14
Симпатии
0
#3
карантин выслал вам на почту
автозапуск отключил по первому пункту( хотя проги типа мэйл агента при загрузке все повключались), логи прилагаю
 
Последнее редактирование модератором:

akok

Команда форума
Администратор
Сообщения
15,000
Симпатии
12,267
#4
PartyPoker - играете?

AVZ, меню "Файл - Выполнить скрипт" -- Скопировать ниже написанный скрипт-- Нажать кнопку "Запустить".
Код:
begin
 SearchRootkit(true, true);
 SetAVZGuardStatus(true);
 ClearIECache;
 ClearQuarantine;
 QuarantineFile('C:\WINDOWS\system32\ieudinit.exe','');
 QuarantineFile('C:\WINDOWS\system32\AdvUninstCPL.cpl','');
 QuarantineFile('C:\WINDOWS\system32\Path2ClipboardSetup.cpl','');
 QuarantineFile('C:\WINDOWS\system32\Startup.cpl','');
 QuarantineFile('C:\PROGRA~1\FieryAds\FieryAds.dll','');
 QuarantineFile('%USERPROFILE%\Application Data\bpdata.dll','');
 QuarantineFile('E:\Миша\Grand Theft Auto IV\Rockstar Games Social Club\RGSCLauncher.exe','');
 DeleteFile('%USERPROFILE%\Application Data\bpdata.dll');
 DeleteFile('C:\PROGRA~1\FieryAds\FieryAds.dll');
 DeleteFile('C:\autorun.inf');
 DeleteFile('C:\mlburmh.exe');
 DeleteFile('E:\autorun.inf');
 DeleteFile('E:\mlburmh.exe');
 DeleteFile('F:\autorun.inf');
 DeleteFile('F:\mlburmh.exe');
 DeleteFile('C:\WINDOWS\system32\aoupbie.dll');
 DeleteFile('C:\WINDOWS\system32\ati2avxx.bak');
 DeleteFile('C:\WINDOWS\system32\ati2avxx.exe');
 DelBHO('{CF272101-7F6E-4CF2-9453-B4C5D2FC32C0}');
 DelBHO('{9D64F819-9380-8473-DAB2-702FCB3D7A3E}');
 BC_ImportALL;
 BC_Activate;
 ExecuteSysClean;
 ExecuteRepair(6);
 ExecuteRepair(9);
 RebootWindows(true);
end.
После выполнения скрипта компьютер перезагрузится.

Код:
begin
 CreateQurantineArchive(GetAVZDirectory+'quarantine.zip');
end.

Полученный архив отправьте на akok<at>pisem.net с указанной ссылкой на тему. (at=@)

Скачайте Malwarebytes' Anti-Malware, установите, обновите базы, выберите "Perform Full Scan", нажмите "Scan", после сканирования - Ok - Show Results (показать результаты) - нажмите "Remove Selected" (удалить выделенные). Откройте лог и скопируйте в сообщение.

Включите AVZPM и повторите логи.
 

adamgills

Активный пользователь
Сообщения
14
Симпатии
0
#5
Malwarebytes' Anti-Malware 1.35
Версия базы данных: 1938
Windows 5.1.2600 Service Pack 2

04.04.2009 1:08:26
mbam-log-2009-04-04 (01-08-26).txt

Тип проверки: Полная (C:\|E:\|F:\|)
Проверено объектов: 166632
Прошло времени: 22 minute(s), 21 second(s)

Заражено процессов в памяти: 0
Заражено модулей в памяти: 0
Заражено ключей реестра: 130
Заражено значений реестра: 1
Заражено параметров реестра: 3
Заражено папок: 0
Заражено файлов: 4

Заражено процессов в памяти:
(Вредоносные программы не обнаружены)

Заражено модулей в памяти:
(Вредоносные программы не обнаружены)

Заражено ключей реестра:
HKEY_CLASSES_ROOT\CLSID\{1408e208-2ac1-42d3-9f10-78a5b36e05ac} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9d64f819-9380-8473-dab2-702fcb3d7a3e} (Trojan.Ransom) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{b0ed4726-5bc8-4e22-a7a8-3074a73ce64e} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9d64f819-9380-8473-dab2-702fcb3d7a3e} (Trojan.Ransom) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\xvideoplugin.jetvideoplugin (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\xvideoplugin.jetvideoplugin.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\xvideoplugin.jetmimefiltr (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\xvideoplugin.jetmimefiltr.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCONSOL.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EGHOST.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAV32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.kxp (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVwsc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP.kxp (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapw32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAVmon.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAVmonD.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCAN32.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VSSTAT.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WEBSCANX.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adam.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AgentSvr.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AppSvc32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrssvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FileDsty.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FTCleanerShell.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iparmo.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\isPwdSvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kabaload.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KaScrScn.SCR (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASMain.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASTask.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVDX.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVSetup.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KISLnchr.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMailMon.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMFilter.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32X.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFWSvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRepair.COM (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KsLoader.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVCenter.kxp (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvDetect.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvfwMcl.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP_1.kxp (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvol.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvolself.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvReport.kxp (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVStub.kxp (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvupload.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch9x.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatchX.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\loaddll.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MagicSet.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcconsol.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmqczj.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmsk.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFWLiveUpdate.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QHSET.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ras.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegClean.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwcfg.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RfwMain.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rsaupd.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safelive.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shcfg32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SmartUp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREng.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symlcsvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SysSafe.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojanDetector.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Trojanwall.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.kxp (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UIHost.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAgent.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAttachment.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxFwHlp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxPol.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UpLive.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WoptiClean.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctor.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQKav.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPF.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVScan.kxp (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NPFMntor.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qqsc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxCfg.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icesword.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ArSwp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AST.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastU3.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvU3Launcher.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ghost.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\irsetup.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ScanU3.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\upiea.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USBCleaner.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zjb.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntiU.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FYFireWall.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP_1.kxp (Security.Hijack) -> Quarantined and deleted successfully.

Заражено значений реестра:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ati2avxx (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.

Заражено параметров реестра:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Заражено папок:
(Вредоносные программы не обнаружены)

Заражено файлов:
C:\WINDOWS\system32\ati2avxx.exe (Trojan.FakeAlert.H) -> Delete on reboot.
C:\Documents and Settings\Администратор\Local Settings\Application Data\Opera\Маша\profile\cache4\temporary_download\updater_29_118363602.exe (Trojan.Ransomware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Администратор\Local Settings\Application Data\Opera\Маша\profile\cache4\temporary_download\updater_29_118367554.exe (Trojan.Ransomware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Администратор\Local Settings\Application Data\Opera\Маша\profile\cache4\temporary_download\updater_29_152080483.exe (Trojan.Ransomware) -> Quarantined and deleted successfully.
 

adamgills

Активный пользователь
Сообщения
14
Симпатии
0
#6
а вот и скрипты, зараза вроде бы осталась

покер люблю, да... :)
 
Последнее редактирование модератором:
Сообщения
1,190
Симпатии
1,480
#7
AVZ, меню "Файл - Выполнить скрипт" -- Скопировать ниже написанный скрипт-- Нажать кнопку "Запустить".

Код:
begin
 SearchRootkit(true, true);
 SetAVZGuardStatus(True);
 QuarantineFile('C:\WINDOWS\system32\DRIVERS\wpdusb.sys','');
 QuarantineFile('C:\WINDOWS\system32\IMES.dll','');
 QuarantineFile('fynlphmh.sys','');
 QuarantineFile('C:\Documents and Settings\Администратор\Local Settings\Application Data\Opera\Маша\profile\cache4\temporary_download\ updater_29_118363602.exe','');
 QuarantineFile('C:\Documents and Settings\Администратор\Local Settings\Application Data\Opera\Маша\profile\cache4\temporary_download\ updater_29_118367554.exe','');     
 QuarantineFile('C:\Documents and Settings\Администратор\Local Settings\Application Data\Opera\Маша\profile\cache4\temporary_download\ updater_29_152080483.exe','');
 DeleteFile('fynlphmh.sys');   
 DeleteFile('C:\Documents and Settings\Администратор\Local Settings\Application Data\Opera\Маша\profile\cache4\temporary_download\ updater_29_152080483.exe');
 DeleteFile('C:\Documents and Settings\Администратор\Local Settings\Application Data\Opera\Маша\profile\cache4\temporary_download\ updater_29_118367554.exe');
 DeleteFile('C:\Documents and Settings\Администратор\Local Settings\Application Data\Opera\Маша\profile\cache4\temporary_download\ updater_29_118363602.exe');     
 DeleteFile('C:\WINDOWS\system32\IMES.dll');
 DeleteFile('C:\WINDOWS\system32\DRIVERS\wpdusb.sys');
 DeleteFile('c:\windows\system32\ati2avxx.exe');     
 DeleteFile('C:\autorun.inf');
 DeleteFile('C:\mlburmh.exe');
 DeleteFile('E:\autorun.inf');
 DeleteFile('E:\mlburmh.exe');
 DeleteFile('F:\autorun.inf');
 DeleteFile('F:\mlburmh.exe');
 BC_ImportALL;
 ExecuteSysClean;
 BC_Activate;
 ExecuteRepair(6);
 ExecuteRepair(8);
 RegKeyIntParamWrite( 'HKLM', 'SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum', '{BDEADF00-C265-11D0-BCED-00A0C90AB50F}', 1);
 RebootWindows(true);
end.
После выполнения скрипта компьютер перезагрузится.

Код:
begin
 CreateQurantineArchive(GetAVZDirectory+'quarantine.zip');
end.
Полученный архив отправьте на akok<at>pisem.net с указанной ссылкой на тему. (at=@)

И подготовте полный комплект логов отсюда :
virusinfo_syscure.zip и virusinfo_syscheck.zip. - со включённым! AVZPM
log.txt
info.txt
 
Последнее редактирование:

akok

Команда форума
Администратор
Сообщения
15,000
Симпатии
12,267
#9
C:\WINDOWS\system32\IMES.dll - Trojan.Win32.Delf.fjk
FieryAds.dll - not-a-virus:AdWare.Win32.FearAds.am

AVZ, меню "Файл - Выполнить скрипт" -- Скопировать ниже написанный скрипт-- Нажать кнопку "Запустить".
Код:
begin
 SearchRootkit(true, true);
 SetAVZGuardStatus(true);
 DeleteFile('C:\WINDOWS\system32\aoupbie.dll');
 DeleteFile('c:\windows\system32\ati2avxx.exe');
 DeleteFile('C:\WINDOWS\system32\IMES.dll');
 DeleteFile('C:\autorun.inf');
 DeleteFile('C:\mlburmh.exe');
 DeleteFile('E:\autorun.inf');
 DeleteFile('E:\mlburmh.exe');
 DeleteFile('F:\autorun.inf');
 DeleteFile('F:\mlburmh.exe');
 BC_ImportDeletedList;
 BC_Activate;
 ExecuteRepair(9);
 ExecuteSysClean;
 RebootWindows(true);
end.
После выполнения скрипта компьютер перезагрузится.

Код:
begin
 CreateQurantineArchive(GetAVZDirectory+'quarantine.zip');
end.


Пофиксить в HijackThis следующие строчки
Код:
O24 - Desktop Component 0: (no name) - http://line.mole.ru/metoyou/16112007_1_02_30_9_15_17_Hcce0eaf1e8-eceae520-f3e6e5 __.gif
У Вас два антивируса? Вижу Нод и Kaspersky

Скачайте OTMoveIt3 by OldTimer или с зеркала и сохраните на рабочий стол.
Запустите OTMoveIt3 (в ОС Windows Vista необходимо запускать через правую кн. мыши от имени администратора)
временно выключите антивирус, firewall и другое защитное программное обеспечение. Выделите и скопируйте текст ниже (Ctrl+C)
Код:
:Processes
explorer.exe

:Services
ati2avxx
:Files
C:\WINDOWS\system32\IMES.dll
C:\WINDOWS\SETE5.tmp
C:\WINDOWS\SETE8.tmp
C:\WINDOWS\SETF4.tmp
C:\WINDOWS\NV1304316.TMP
C:\WINDOWS\system32\aoupbie.dll
C:\mlburmh.exe
C:\WINDOWS\system32\ati2avxx.exe
:Reg
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2823fa6d-a5ca-11dd-9686-101111111111}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{45bb6a18-f471-11dd-9a15-0080482fb263}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6e5db280-1c96-11de-9c28-0080482fb263}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8495e1be-ed3c-11dd-99b7-0080482fb263}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b8715501-a745-11dd-9692-101111111111}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e923c42e-0766-11de-9b18-0080482fb263}]
:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
В OTMoveIt3 под панелью "Paste Instructions for Items to be Moved" (под желтой панелью) вставьте скопированный текст и нажмите кнопку "MoveIt!". Выделите (Ctrl+A) и скопируйте (Ctrl+C) текст из окна под панелью "Results" (правая зеленая панель) в следующее сообщение.
Прим: Если файлы и папки не могут быть перемещены немедленно и появиться запись <deleted on reboot>, потребуется перезагрузка. После перезагрузки откройте папку "C:\_OTMoveIt\MovedFiles", найдите последний .log файл (лог в формате mmddyyyy_hhmmss.log), откройте и скопируйте текст из него в следующее сообщение.
 

akok

Команда форума
Администратор
Сообщения
15,000
Симпатии
12,267
#10
Если не облегчения не наступило, то:
Очистите временные файлы через Пуск-Программы-Стандартные-Служебные-Очистка диска или с помощью ATF Cleaner
- скачайте ATF Cleaner или с зеркала, запустите, поставьте галочку напротив Select All и нажмите Empty Selected.
- если вы используете Firefox, нажмите Firefox - Select All - Empty Selected
- нажмите No, если вы хотите оставить ваши сохраненные пароли
- если вы используете Opera, нажмите Opera - Select All - Empty Selected
- нажмите No, если вы хотите оставить ваши сохраненные пароли


Скачайте SDFix, загрузитесь в безопасном режиме, запустите утилиту (запустить RunThis.bat - подтвердить, нажав "Y"), после окончания сканирования скопируйте текст из C:\Report.txt и вставьте в следующее сообщение или запакуйте файл C:\Report.txt и прикрепите к сообщению
Описание SDFix есть здесь


Скачайте ComboFix здесь, здесь или здесь и сохраните на рабочий стол.

1. Необходимо установить Recovery Console по инструкции - how-to-use-combofix:
  • Скачайте установочный файл для своей ОС и сохраните на рабочий стол.
    Windows XP Professional с пакетом обновления 2 (SP2)
    Windows XP Home Edition с пакетом обновления 2 (SP2)

    Установочный файл Recovery Console для Windows XP SP3 идентичен Windows XP SP2

    Если Вы используете Windows XP с пакетом обновления 1 (SP1) или Исходный выпуск Windows XP, то необходимо обязательно ознакомится со статьей Как получить установочные диски Windows XP и скачать установочный файл Recovery Console, который соответствует виду Вашей системы.

  • Закройте все остальные приложения и мышкой перенесите установочный файл на иконку ComboFix, подтвердите лицензионное соглашение и установите Microsoft Recovery Console.


2. Внимание! Обязательно закройте все браузеры, временно выключите антивирус, firewall и другое защитное программное обеспечение. Не запускайте других программ во время работы Combofix. Combofix может отключить интернет через некоторое время после запуска, не переподключайте интернет пока Combofix не завершит работу. Если интернет не появился после окончания работы Combofix, перезагрузите компьютер. Во время работы Combofix не нажимайте кнопки мыши, это может стать причиной зависания Combofix.
3. Запустите combofix.exe, когда процесс завершится, скопируйте текст из C:\ComboFix.txt и вставьте в следующее сообщение или запакуйте файл C:\ComboFix.txt и прикрепите к сообщению.
Прим: В случае, если ComboFix не запускается, переименуйте combofix.exe в combo-fix.exe


скачайте Gmer или с зеркала. Запустите программу. После автоматической экспресс-проверки, отметьте галочкой все жесткие диски и нажмите на кнопку Scan. После окончания проверки сохраните его
 

adamgills

Активный пользователь
Сообщения
14
Симпатии
0
#11
========== PROCESSES ==========
Process explorer.exe killed successfully.
========== SERVICES/DRIVERS ==========
Service\Driver ati2avxx not found.
Service\Driver ati2avxx not found.
========== FILES ==========
LoadLibrary failed for C:\WINDOWS\system32\IMES.dll
C:\WINDOWS\system32\IMES.dll NOT unregistered.
C:\WINDOWS\system32\IMES.dll moved successfully.
C:\WINDOWS\SETE5.tmp moved successfully.
C:\WINDOWS\SETE8.tmp moved successfully.
C:\WINDOWS\SETF4.tmp moved successfully.
C:\WINDOWS\NV1304316.TMP moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\aoupbie.dll
C:\WINDOWS\system32\aoupbie.dll NOT unregistered.
C:\WINDOWS\system32\aoupbie.dll moved successfully.
File/Folder C:\mlburmh.exe not found.
C:\WINDOWS\system32\ati2avxx.exe moved successfully.
========== REGISTRY ==========
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2823fa6d-a5ca-11dd-9686-101111111111}\\ deleted successfully.
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{45bb6a18-f471-11dd-9a15-0080482fb263}\\ deleted successfully.
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6e5db280-1c96-11de-9c28-0080482fb263}\\ deleted successfully.
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8495e1be-ed3c-11dd-99b7-0080482fb263}\\ deleted successfully.
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b8715501-a745-11dd-9692-101111111111}\\ deleted successfully.
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e923c42e-0766-11de-9b18-0080482fb263}\\ deleted successfully.
========== COMMANDS ==========
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\Администратор\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
User's Temporary Internet Files folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Network Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.10.0 log created on 04052009_192558

Files moved on Reboot...
 

adamgills

Активный пользователь
Сообщения
14
Симпатии
0
#13
HijackThis не запускается, процесс ati2avxx висит
 

adamgills

Активный пользователь
Сообщения
14
Симпатии
0
#15
попробывать SDfix не получилось, компьютер не загружаетя в безопаном режиме
 

akok

Команда форума
Администратор
Сообщения
15,000
Симпатии
12,267
#16
Пропускаем шаг.
 

antispy

Активный пользователь
Сообщения
103
Симпатии
251
#17
Поробуйте в IceSword: Запустите программу.
Появится аналог проводника. Найдите в нем файл C:\WINDOWS\system32\ati2avxx.exe
 

adamgills

Активный пользователь
Сообщения
14
Симпатии
0
#19
Поробуйте в IceSword: Запустите программу.
Появится аналог проводника. Найдите в нем файл C:\WINDOWS\system32\ati2avxx.exe
к сожалению, Айссворд тоже не загружается
 

adamgills

Активный пользователь
Сообщения
14
Симпатии
0
#20
после комбыча вроде все нормально стало, Нод заработал...
вот логи посмотрите
 
Статус
В этой теме нельзя размещать новые ответы.
Сверху Снизу