Hello!!!
Fix the following in HijackThis:
Code:
O4 - HKCU\..\Run: [NextLive] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\Admin\Application Data\newnext.me\nengine.dll",EntryPoint -m l
O4 - HKCU\..\Run: [PriceMeterW] "C:\Documents and Settings\Admin\Local Settings\Application Data\PriceMeter\pricemeterw.exe"
Run this script in AVZ:
Code:
begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
TerminateProcessByName('c:\program files\browsemark\bin\utilbrowsemark.exe');
TerminateProcessByName('c:\program files\browsemark\updatebrowsemark.exe');
TerminateProcessByName('c:\documents and settings\admin\local settings\application data\pricemeter\pricemeterw.exe');
TerminateProcessByName('c:\program files\pricemeterliveupdate\update\pricemeterliveupdate.exe');
TerminateProcessByName('c:\program files\browsemark\bin\browsemark.browseradapter.exe');
StopService('Util BrowseMark');
StopService('Update BrowseMark');
QuarantineFile('C:\WINDOWS\TEMP\0.del','');
QuarantineFile('C:\Documents and Settings\Admin\Local Settings\Application Data\Schedule\Schedule.exe','');
QuarantineFile('C:\Documents and Settings\Admin\Application Data\newnext.me\nengine.dll','');
QuarantineFile('C:\Program Files\PriceMeterLiveUpdate\Update\1.3.23.0\goopdate.dll','');
QuarantineFile('C:\Program Files\BrowseMark\bin\BrowseMarkBAApp.dll','');
QuarantineFile('C:\Program Files\BrowseMark\bin\{b99c8534-7800-48fa-bd71-519a46cdc7e1}.dll','');
QuarantineFile('c:\program files\browsemark\bin\utilbrowsemark.exe','');
QuarantineFile('c:\program files\browsemark\updatebrowsemark.exe','');
QuarantineFile('c:\documents and settings\admin\local settings\application data\pricemeter\pricemeterw.exe','');
QuarantineFile('c:\program files\pricemeterliveupdate\update\pricemeterliveupdate.exe','');
QuarantineFile('c:\program files\browsemark\bin\browsemark.browseradapter.exe','');
DeleteFile('c:\program files\browsemark\bin\browsemark.browseradapter.exe','32');
DeleteFile('C:\Program Files\BrowseMark\bin\{b99c8534-7800-48fa-bd71-519a46cdc7e1}.dll','32');
DeleteFile('C:\Program Files\PriceMeterLiveUpdate\Update\1.3.23.0\goopdate.dll','32');
DeleteFile('C:\Program Files\BrowseMark\updateBrowseMark.exe','32');
DeleteFile('C:\Program Files\BrowseMark\bin\utilBrowseMark.exe','32');
DeleteFile('C:\Program Files\PriceMeterLiveUpdate\Update\PriceMeterLiveUpdate.exe','32');
DeleteFile('C:\Documents and Settings\Admin\Application Data\newnext.me\nengine.dll','32');
DeleteFile('C:\Documents and Settings\Admin\Local Settings\Application Data\PriceMeter\pricemeterw.exe','32');
DeleteFile('C:\Documents and Settings\Admin\Local Settings\Application Data\Schedule\Schedule.exe','32');
DeleteFile('C:\WINDOWS\TEMP\0.del','32');
DeleteFile('C:\DOCUME~1\Admin\APPLIC~1\PRICEM~1\UPDATE~1\UPDATE~1.EXE','32');
DeleteFile('C:\WINDOWS\Tasks\At1.job','32');
DeleteFile('C:\DOCUME~1\NETWOR~1\APPLIC~1\PRICEM~1\UPDATE~1\UPDATE~1.EXE','32');
DeleteFile('C:\WINDOWS\Tasks\At2.job','32');
DeleteFile('C:\Documents and Settings\Admin\Local Settings\Application Data\PriceMeter\pricemeter.exe','32');
DeleteFile('C:\WINDOWS\Tasks\pricemetertask.job','32');
DeleteFile('C:\WINDOWS\Tasks\pricemeterwatcher.job','32');
RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\Run','NextLive');
RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\Run','PriceMeterW');
RegKeyParamDel('HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\PriceMeterW','command');
RegKeyParamDel('HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Schedule','command');
RegKeyParamDel('HKEY_USERS','.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce','Del263546');
RegKeyParamDel('HKEY_USERS','S-1-5-18\Software\Microsoft\Windows\CurrentVersion\RunOnce','Del263546');
DeleteService('pricemeterliveUpdatem');
DeleteService('pricemeterliveUpdate');
DeleteService('Util BrowseMark');
DeleteService('Update BrowseMark');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
ExecuteWizard('TSW',2,2,true);
ExecuteWizard('SCU',2,2,true);
RebootWindows(true);
end.
After the reboot, run this script:
Code:
begin
CreateQurantineArchive(GetAVZDirectory+'quarantine.zip');
end.
Upload quarantine.zip from the AVZ folder via the red link at the top of the thread, "Send the requested quarantine".
- Make fresh logs according to rules 2 and 3 of the Diagnostics section (virusinfo_syscheck.zip; hijackthis.log).
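As an added illustration (not part of the post above, and not a HijackThis or AVZ component), the following Python script parses HijackThis O4 autostart lines of the kind quoted in the post, pulls out the real payload (for a rundll32.exe host that is the DLL it loads, not rundll32 itself), flags entries whose payload lives in a per-user data or temp directory, and prints the matching QuarantineFile/RegKeyParamDel lines in the same form the AVZ script above uses. The two O4 lines are the ones from the post; the ctfmon line is a constructed benign example; the directory heuristic and the function names are my own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One HijackThis O4 (autostart) line:  O4 - <hive>\..\<key>: [<value name>] <command line>
O4_RE = re.compile(
    r'^O4 - (?P<hive>HK[A-Z]{2,3})\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<command>.*)$'
)
# Command-line tokens: a double-quoted run (quotes dropped) or a run of non-blanks.
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')

HIVES = {'HKCU': 'HKEY_CURRENT_USER', 'HKLM': 'HKEY_LOCAL_MACHINE'}
RUN_ROOT = r'Software\Microsoft\Windows\CurrentVersion'

# Heuristic (assumption, not a HijackThis rule): an autostart whose real payload sits in a
# per-user data or temp directory rather than Program Files / System32 deserves a look.
SUSPICIOUS_DIRS = ('\\application data\\', '\\appdata\\', '\\temp\\')


@dataclass
class O4Entry:
    hive: str        # HKCU / HKLM as printed by HijackThis
    key: str         # Run / RunOnce / ...
    name: str        # registry value name, e.g. NextLive
    command: str     # full command line
    executable: str  # first program on the command line
    payload: str     # module a host such as rundll32.exe loads; else the executable itself


def tokenize(command: str) -> List[str]:
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(command)]


def parse_o4(line: str) -> Optional[O4Entry]:
    m = O4_RE.match(line.strip())
    if not m:
        return None
    tokens = tokenize(m['command'])
    executable = tokens[0] if tokens else ''
    payload = executable
    # rundll32.exe <dll>,<entry> ...  -> the DLL is what actually runs
    if executable.lower().endswith('rundll32.exe') and len(tokens) > 1:
        payload = tokens[1].split(',', 1)[0]
    return O4Entry(m['hive'], m['key'], m['name'], m['command'], executable, payload)


def is_suspicious(entry: O4Entry) -> bool:
    return any(d in entry.payload.lower() for d in SUSPICIOUS_DIRS)


def to_avz(entry: O4Entry) -> List[str]:
    """AVZ script lines that quarantine the payload and remove the autostart value."""
    hive = HIVES.get(entry.hive, entry.hive)
    return [
        f"QuarantineFile('{entry.payload}','');",
        f"RegKeyParamDel('{hive}','{RUN_ROOT}\\{entry.key}','{entry.name}');",
    ]


# Constructed sample: the two O4 lines from the post plus one benign system entry.
SAMPLE_LOG = [
    r'O4 - HKCU\..\Run: [NextLive] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\Admin\Application Data\newnext.me\nengine.dll",EntryPoint -m l',
    r'O4 - HKCU\..\Run: [PriceMeterW] "C:\Documents and Settings\Admin\Local Settings\Application Data\PriceMeter\pricemeterw.exe"',
    r'O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe',
]


def review(lines):
    """Parse every O4 line; return (entry, AVZ lines) for the suspicious ones only."""
    findings = []
    for line in lines:
        entry = parse_o4(line)
        if entry and is_suspicious(entry):
            findings.append((entry, to_avz(entry)))
    return findings


if __name__ == '__main__':
    for entry, script in review(SAMPLE_LOG):
        print(f'[{entry.name}] payload: {entry.payload}')
        for s in script:
            print('    ' + s)
```

Only the HKCU/HKLM Run-family keys are mapped; O4 lines of other shapes (Startup folder items, for instance) are returned as None so they are not silently mis-handled.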