Сообщение о фишинг-атаке

[Ruda]

Добрый день!

При включении компьюера появилось сообщение о фишинг-атаке со следующего адреса:

http://heavenplace.cn/boom/hex.php

После выбора «запретить», сообщение появляется опять

Помогите, пожалуйста!

virusinfo_syscure.zip

virusinfo_syscheck.zip

hijackthis.log

[akoK]

AVZ, меню "Файл - Выполнить скрипт" -- Скопировать ниже написанный скрипт-- Нажать кнопку "Запустить".

begin
ClearQuarantine;
SearchRootkit(true, true);
SetAVZGuardStatus(true);
DeleteService('Wingn00');
DeleteService('Nlahelpsvc');
DeleteService('CryptSvcCryptSvc');
DeleteService('BITSNetlogon');
DeleteFile('C:\WINDOWS\System32\Drivers\Wingn00.sys');
DeleteFile('C:\WINDOWS\system32\blphc14lj0e1p3.scr');
DeleteFile('C:\WINDOWS\system32\twext.exe');
DeleteFile('digeste.dll');
BC_ImportDeletedList;
BC_DeleteSvc('Nlahelpsvc');
BC_DeleteSvc('Nlahelpsvc');
BC_DeleteSvc('CryptSvcCryptSvc');
BC_DeleteSvc('BITSNetlogon');
ExecuteRepair(6);
ExecuteRepair(5);
BC_Activate;
ExecuteSysClean;
RebootWindows(true);
end.

После выполнения скрипта компьютер перезагрузится.

 

Скачайте Malwarebytes' Anti-Malware, установите, обновите базы, выберите "Perform Full Scan", нажмите "Scan", после сканирования - Ok - Show Results (показать результаты) - нажмите "Remove Selected" (удалить выделенные). Откройте лог и скопируйте в сообщение.

 

Повторите логи.

[Ruda]

Спасибо, большое, получилось!

Правда, не поняла, что копировать и прикладывать . После этого

нажмите "Remove Selected" (удалить выделенные). Откройте лог и скопируйте в сообщение.

получила вот такой текст:

Malwarebytes' Anti-Malware 1.34

Database version: 1814

Windows 5.1.2600 Service Pack 3

 

03.03.2009 9:46:20

mbam-log-2009-03-03 (09-46-20).txt

 

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 198675

Time elapsed: 48 minute(s), 12 second(s)

 

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 17

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 3

Files Infected: 9

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

(No malicious items detected)

 

Registry Keys Infected:

HKEY_CLASSES_ROOT\activationmanager.activationmanager (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\activationmanager.activationmanager.1 (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\adstechnology.adstechnology (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\adstechnology.adstechnology.1 (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{831cbac4-8283-4653-9d81-feb9f3f6e47c} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{831cbac0-8283-4653-9d81-feb9f3f6e47c} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{831cbac3-8283-4653-9d81-feb9f3f6e47c} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{86a44ef7-78fc-4e18-a564-b18f806f7f56} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{831cbac2-8283-4653-9d81-feb9f3f6e47c} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{86a44ef9-78fc-4e18-a564-b18f806f7f56} (Trojan.MultiDefender) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{831cbac0-8283-4653-9d81-feb9f3f6e47c} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{86a44ef7-78fc-4e18-a564-b18f806f7f56} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{86a44ef7-78fc-4e18-a564-b18f806f7f56} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinCtrl32 (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\ActivationManager (Trojan.MultiDefender) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\free-downloads.net toolbar (Adware.Trace) -> Quarantined and deleted successfully.

 

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

 

Registry Data Items Infected:

(No malicious items detected)

 

Folders Infected:

C:\Program Files\ActivationManager (Trojan.MultiDefender) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\twain_32 (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Program Files\ADSTechnology (Trojan.BHO) -> Quarantined and deleted successfully.

 

Files Infected:

C:\Program Files\ActivationManager\Uninstall.exe (Trojan.MultiDefender) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\twain_32\local.ds (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\twain_32\user.ds (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Program Files\ADSTechnology\Uninstall.exe (Trojan.BHO) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\ (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\system32\~.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\BN10.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\mssrv32.exe (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\phc14lj0e1p3.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

 

 

а после этого

Повторите логи.

Повторила AVZ и HJT, прикладываю полученные логи.

virusinfo_syscure.zip

virusinfo_syscheck.zip

hijackthis.log

Изменено 3 марта, 2009 пользователем Ruda