Right... First. Let's compare:
Quote:
C:\WINDOWS\system32\
comcsi7.dll
fdecarew.dll
pfxzmtforum.dll
pfxzmtsmt.dll
pfxzmtsmtspm.dll
pfxzmtwbmail.dll
qdviewfe.dll
|
http://www.trendmicro.com/vinfo/viru...PAM.AC&VSect=T
Quote:
File type: PE
Size of malware: 90,112 Bytes (uncompressed)
Initial samples received on: Mar 12, 2007
Related to: TROJ_DROPPER.CEV
------------------------------------------------------
Payload 1: Intercepts network traffic
Payload 2: Sends email messages
------------------------------------------------------
Details:
This Trojan may arrive on a system as a .DLL file downloaded from the Internet by unsuspecting users.
It may also arrive as a file dropped by other malware, specifically by TROJ_DROPPER.CEV.
This Trojan arrives as RSVP32_2.DLL and is stored in the Windows system folder.
It is then registered as a Layered Service Provider (LSP) every time the network is connected. An LSP is a piece of software that can be inserted into the Windows TCP or IP handler like a link in a chain. The said action makes this Trojan capable of intercepting and logging network traffic before redirecting a target user to an originally desired Web site.
This Trojan attempts to connect to the URL {BLOCKED} sturma.info/zc.php to retrieve message details, which it sends via email.
It saves the gathered message details using any of the following file names:
forum
pfxzmt
sfxzmt
smtspm
uiqzmt
wbmail
Important Windows ME/XP Cleaning Instructions
Users running Windows ME and XP must disable System Restore to allow full scanning of infected computers.
Deleting the Malware File(s)
Right-click Start then click Search... or Find..., depending on the version of Windows you are running.
In the Named input box, type:
RSVP32_2.DLL
In the Look In drop-down list, select My Computer, then press Enter.
Once located, select the file then press SHIFT+DELETE.
|
Presumably RSVP32_2.DLL is still on the disk, because access to the files it creates is denied.
Don't rush to disable/clear System Restore (given your experiments with AVZ). Instead, you can look in this folder (either directly, if it is visible, or via search) for a DLL file of size 90,112 Bytes and delete it.
Just look for this file for now; meanwhile I'll continue.
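As an added example (not part of the reply above, and not the poster's own procedure), the following PowerShell script performs the search the reply recommends: it lists every DLL in the Windows System32 folder whose size is exactly 90,112 bytes, including hidden and system files, and then checks whether any candidate is referenced in the Winsock catalog, since the Trend Micro description says the Trojan registers itself as an LSP. It assumes Windows XP or later with PowerShell 2.0 or newer, run from an elevated shell; the 90,112-byte size comes from the quoted Trend Micro entry, and the file-name and path values are taken from the thread, not discovered by the script.

```powershell
# Added example, not from the forum post. Find DLLs in System32 of exactly 90,112 bytes
# (the size given in the quoted Trend Micro description) and check whether any of them
# is registered in the Winsock catalog as a Layered Service Provider.
# Assumptions: PowerShell 2.0+, run as Administrator, Windows XP SP2 or later.

$targetSize = 90112
$sys32 = Join-Path $env:SystemRoot 'System32'

# -Force includes hidden/system files; the reply notes the folder may not be visible.
$candidates = Get-ChildItem -Path $sys32 -Filter '*.dll' -Force |
    Where-Object { $_.Length -eq $targetSize }

if (-not $candidates) {
    Write-Host "No DLL of exactly $targetSize bytes found in $sys32"
} else {
    Write-Host "DLLs of exactly $targetSize bytes in ${sys32}:"
    $candidates |
        Select-Object Name, Length, LastWriteTime, Attributes |
        Format-Table -AutoSize
}

# LSPs live in the Winsock catalog. Dump it and flag any candidate whose name appears
# in a provider path, so the LSP registration is known before the file is removed.
$catalog = netsh winsock show catalog
foreach ($c in $candidates) {
    if ($catalog -match [regex]::Escape($c.Name)) {
        Write-Host "WARNING: $($c.Name) is referenced in the Winsock catalog (LSP entry)."
    }
}

# Deletion is deliberately left as a manual step after reviewing the output above.
# Removing a DLL that is still registered as an LSP can break networking, so rebuild
# the catalog afterwards with 'netsh winsock reset' (XP SP2 and later) and reboot:
#   Remove-Item -LiteralPath (Join-Path $sys32 'RSVP32_2.DLL') -Force
#   netsh winsock reset
```

The catalog check matters because the quoted description says the DLL is re-registered as an LSP every time the network connects: deleting the file alone leaves a dangling catalog entry, and resetting the catalog afterwards avoids a broken Winsock chain.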