1. Профиксите в HijackThis
Код:
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O9 - Extra button: (no name) - {8DAE90AD-4583-4977-9DD4-4360F7A45C74} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{0435F9A4-0328-48F4-9497-64248DAB628A}: NameServer = 195.226.220.30,195.226.220.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{299CFDF0-82C8-4F1B-9B3A-309C8DCC0A2E}: NameServer = 195.226.220.30,195.226.220.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{4FE14459-F511-4A1F-94B2-96B826B83BE1}: NameServer = 195.34.32.116 212.188.4.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{527183B0-8090-42AC-9767-4D8BD9690B01}: NameServer = 195.226.220.30,195.226.220.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{B217ABEF-1A88-4ED6-97CF-8F70D94EA68A}: NameServer = 195.226.220.30,195.226.220.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{D08521EC-8BBF-428D-A45E-A1CECDEE920B}: NameServer = 195.226.220.30,195.226.220.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{ECFEB6DB-06D9-44E2-A9C5-CC8F78636F55}: NameServer = 195.226.220.30,195.226.220.31
O17 - HKLM\System\CS8\Services\Tcpip\..\{0435F9A4-0328-48F4-9497-64248DAB628A}: NameServer = 195.226.220.30,195.226.220.31
O17 - HKLM\System\CS11\Services\Tcpip\..\{0435F9A4-0328-48F4-9497-64248DAB628A}: NameServer = 195.226.220.30,195.226.220.31
O17 - HKLM\System\CS12\Services\Tcpip\..\{0435F9A4-0328-48F4-9497-64248DAB628A}: NameServer = 195.226.220.30,195.226.220.31
O17 - HKLM\System\CS13\Services\Tcpip\..\{0435F9A4-0328-48F4-9497-64248DAB628A}: NameServer = 195.226.220.30,195.226.220.31
O17 - HKLM\System\CS14\Services\Tcpip\..\{0435F9A4-0328-48F4-9497-64248DAB628A}: NameServer = 195.226.220.30,195.226.220.31
O17 - HKLM\System\CS15\Services\Tcpip\..\{0435F9A4-0328-48F4-9497-64248DAB628A}: NameServer = 195.226.220.30,195.226.220.31
O17 - HKLM\System\CS16\Services\Tcpip\..\{0435F9A4-0328-48F4-9497-64248DAB628A}: NameServer = 195.226.220.30,195.226.220.31
O17 - HKLM\System\CS17\Services\Tcpip\..\{0435F9A4-0328-48F4-9497-64248DAB628A}: NameServer = 195.226.220.30,195.226.220.31
O17 - HKLM\System\CS18\Services\Tcpip\..\{0435F9A4-0328-48F4-9497-64248DAB628A}: NameServer = 195.226.220.30,195.226.220.31
2. Выполните скрипт в AVZ
Код:
// Records what the registry says about a service and copies its ServiceDll
// to quarantine for later analysis.
// AServiceName: key name of the service under SYSTEM\CurrentControlSet\Services.
// Side effects: resets security on the service key and its Parameters subkey,
// writes four lines (Description, DisplayName, ImagePath, ServiceDll) to the
// AVZ log, and queues the ServiceDll path for quarantine.
procedure WhatService(AServiceName : string);
var
  keyPath, paramsPath, svcDll : string;
begin
  keyPath := 'SYSTEM\CurrentControlSet\Services\' + AServiceName;
  paramsPath := keyPath + '\Parameters';
  // Security on both keys is reset before any read — presumably so that
  // restrictive ACLs placed on the key cannot hide the values; confirm
  // against the AVZ reference.
  RegKeyResetSecurity('HKLM', keyPath);
  RegKeyResetSecurity('HKLM', paramsPath);
  AddToLog('Description: ' + RegKeyStrParamRead('HKLM', keyPath, 'Description'));
  AddToLog('DisplayName: ' + RegKeyStrParamRead('HKLM', keyPath, 'DisplayName'));
  AddToLog('ImagePath: ' + RegKeyStrParamRead('HKLM', keyPath, 'ImagePath'));
  // The ServiceDll value lives in the Parameters subkey, not the service key itself.
  svcDll := RegKeyStrParamRead('HKLM', paramsPath, 'ServiceDll');
  AddToLog('ServiceDll: ' + svcDll);
  // Quarantine only; deletion of the service is left to the caller.
  QuarantineFile(svcDll, '');
end;
// Main script: examine the 'wmwiguhh' service, quarantine and remove the
// listed files and autostart entries, save a log and reboot.
// Statement order matters: each file is copied to quarantine before it is
// deleted (so a sample survives for analysis), and the BC_* boot-cleaner
// steps come after the deletions so deferred tasks are picked up.
begin
// Both scan flags are true; AVZ documents these as the user-mode and
// kernel-mode rootkit scans — confirm against the AVZ reference.
SearchRootkit(true, true);
// AVZGuard status is switched on for the rest of the script.
SetAVZGuardStatus(True);
// Logs the service's registry values and quarantines its ServiceDll
// (procedure WhatService above). The service itself is not removed here.
WhatService('wmwiguhh');
// Quarantine first, delete second: the samples remain available in quarantine.zip.
QuarantineFile('C:\WINDOWS\system32\jvyzenk.dll','');
QuarantineFile('G:\Temp\dGOd6PSs.sys','');
DeleteFile('G:\Temp\dGOd6PSs.sys');
DeleteFile('C:\WINDOWS\system32\jvyzenk.dll');
// Removes the Run autostart value; its name imitates the description of a
// legitimate Windows component, which is why it is treated as an infection marker.
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','Generic Host for Win32 Services');
// Clears AppInit_DLLs (a DLL listed there is loaded into user-mode processes
// that load user32.dll), cutting the injection path of the deleted DLL.
RegKeyStrParamWrite('HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows','AppInit_DLLs','');
// Boot-cleaner: import the pending delete/quarantine tasks, run the system
// clean-up and the two wizards ('TSW', 'SCU' — AVZ's troubleshooting and
// system-settings wizards, per the AVZ reference; confirm), then activate
// the boot-time job.
BC_ImportAll;
ExecuteSysClean;
ExecuteWizard('TSW', 2, 2, true);
ExecuteWizard('SCU', 2, 2, true);
BC_Activate;
// The log file name is the one the user is asked to attach after the reboot.
SaveLog(GetAVZDirectory+'wmwiguhh.log');
RebootWindows(true);
end.
После перезагрузки:
- Выполните такой скрипт
Код:
// Packs the current AVZ quarantine into quarantine.zip inside the AVZ
// directory; this is the file the user is asked to upload afterwards.
var
  archivePath : string;
begin
  archivePath := GetAVZDirectory + 'quarantine.zip';
  CreateQurantineArchive(archivePath);
end.
- Файл quarantine.zip из папки AVZ загрузите по ссылке «Прислать запрошенный карантин» вверху темы
- Сделайте повторные логи по правилам п. 2 и 3 раздела «Диагностика» (virusinfo_syscheck.zip; hijackthis.log)
- Файл wmwiguhh.log прикрепите к сообщению