О патчах напомню. Потребуется новая активация системы.
Код:
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Скажите, а крокодилы ещё на Вас из ПК не нападали? Нет? Это удивительно.
Отключите ПК от сети.
Отключите антивирус.
Пофиксить
Код:
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\wind32.exe
O4 - HKLM\..\Run: [SystemDrive] C:\WINDOWS\System32\maxpaynow1.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu27.exe 61A847B5BBF72810358B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKLM\..\Run: [04ac7ca6] rundll32.exe "C:\WINDOWS\System32\upvwymes.dll",b
O4 - HKCU\..\Run: [herjek] C:\WINDOWS\herjek.exe
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\qqq\cftmon.exe
O4 - HKCU\..\Run: [Service Pack 1] C:\WINDOWS\System32\vedxg6ame4.exe
O4 - HKCU\..\Run: [Hhjg5jfd93dftdf] C:\DOCUME~1\qqq\LOCALS~1\Temp\winlagon.exe
O4 - HKCU\..\Run: [HJdfke9kfdf] C:\DOCUME~1\qqq\LOCALS~1\Temp\csrssc.exe
O4 - HKCU\..\Run: [WintelUpdate] C:\DOCUME~1\qqq\LOCALS~1\Temp\1F97.tmp.exe
O4 - HKCU\..\Run: [Multimedia Sound Manager] C:\Program Files\Common Files\System\soundmgr.exe
O4 - HKCU\..\RunOnce: [NodeSlot] ž
O17 - HKLM\System\CCS\Services\Tcpip\..\{3344E9D9-03B8-4946-958D-646C31FBB885}: NameServer = 85.255.114.22,85.255.112.77
O17 - HKLM\System\CCS\Services\Tcpip\..\{337746DD-7FA0-4F89-80AF-C37D324BD6F4}: NameServer = 85.255.114.22,85.255.112.77
O17 - HKLM\System\CCS\Services\Tcpip\..\{37FE27A4-58BB-4C84-9B2D-108640091616}: NameServer = 85.255.114.22,85.255.112.77
O17 - HKLM\System\CCS\Services\Tcpip\..\{540AB253-DEEB-4D22-9E0A-FF5DD6363DD8}: NameServer = 85.255.114.22,85.255.112.77
O17 - HKLM\System\CCS\Services\Tcpip\..\{64385F6C-46B0-4681-A202-B4A33FD66009}: NameServer = 85.255.114.22,85.255.112.77
O17 - HKLM\System\CCS\Services\Tcpip\..\{753F2BA2-8407-47BE-9862-79A5466EE7BB}: NameServer = 85.255.114.22,85.255.112.77
O17 - HKLM\System\CCS\Services\Tcpip\..\{CB8EA83A-0771-45E8-B029-BD5841B5E715}: NameServer = 85.255.114.22,85.255.112.77
O17 - HKLM\System\CCS\Services\Tcpip\..\{EBBB44CA-2490-4A42-98C5-14D705A5581C}: NameServer = 85.255.114.22,85.255.112.77
O17 - HKLM\System\CCS\Services\Tcpip\..\{FC700611-BEA5-43C4-9B83-60E98ACBA2C2}: NameServer = 85.255.114.22,85.255.112.77
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.22 85.255.112.77
O17 - HKLM\System\CS1\Services\Tcpip\..\{3344E9D9-03B8-4946-958D-646C31FBB885}: NameServer = 85.255.114.22,85.255.112.77
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 85.255.114.22 85.255.112.77
O17 - HKLM\System\CS4\Services\Tcpip\..\{3344E9D9-03B8-4946-958D-646C31FBB885}: NameServer = 85.255.114.22,85.255.112.77
O17 - HKLM\System\CS5\Services\Tcpip\Parameters: NameServer = 85.255.114.22 85.255.112.77
O17 - HKLM\System\CS5\Services\Tcpip\..\{3344E9D9-03B8-4946-958D-646C31FBB885}: NameServer = 85.255.114.22,85.255.112.77
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.22 85.255.112.77
O21 - SSODL: vbksrofa - {4D962590-B317-4645-AF6B-4EAD913419F2} - C:\WINDOWS\vbksrofa.dll (file missing)
O21 - SSODL: mpfanvqg - {49E0475E-F1BC-4B4F-B536-09C535D62E0F} - C:\WINDOWS\mpfanvqg.dll
O22 - SharedTaskScheduler: Hkjr94jdfdgj - {B5AC49A2-94F2-42BD-F434-2604812C897D} - C:\WINDOWS\System32\hdxjd4g.dll (file missing)
O22 - SharedTaskScheduler: Hjkfj93dffd - {B5AF0562-94F3-42BD-F434-2604812C797D} - C:\WINDOWS\System32\djki397g.dll (file missing)
O23 - Service: Google Online Services - Unknown owner - C:\Documents and Settings\qqq\ie_updates3r.exe
O23 - Service: Планировщик заданий (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe (file missing)
AVZ, меню "Файл - Выполнить скрипт" -- скопировать написанный ниже скрипт, нажать кнопку "Запустить".
Код:
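// AVZ cleanup script (Pascal-like AVZ script syntax), run via AVZ "File - Run script".
// Structure: anti-rootkit scan + AVZGuard, remove BHO/SSODL/SharedTaskScheduler CLSIDs,
// copy suspicious files to quarantine, stop/delete the malicious services, then delete
// the files and let BootCleaner finish at reboot. Files are quarantined BEFORE they are
// deleted so the quarantine archive the user is asked to send still holds the samples.
// Registry autostart/DNS entries (O4/O17/O21-O23) are fixed separately in HijackThis.
begin
// Anti-rootkit search and AVZGuard (restricts untrusted processes while the script runs).
SearchRootkit(true, true);
SetAVZGuardStatus(True);
// CLSIDs below include the O21/O22 entries from the log above; the others are
// presumably from the BHO section of the full log, which is not quoted here.
DelBHO('{FFFFFFFF-85A3-452b-B7A8-759AD9B42162}');
// NOTE(review): entries with a bare file name (gwin32.dll, realsched.exe, ...) carry no
// directory; whether AVZ resolves them against the system folders should be confirmed.
QuarantineFile('gwin32.dll','');
DelBHO('{F2F2A4CB-DAAD-4D0C-BDFC-E945647202C2}');
DelBHO('{D2E5FE60-C0CB-4FC5-93D5-9736FA10A01B}');
DelBHO('{C1E6D2CA-9F1D-44CC-8908-80532F3F9FCB}');
DelBHO('{B5AF0562-94F3-42BD-F434-2604812C797D}');
DelBHO('{B5AC49A2-94F2-42BD-F434-2604812C897D}');
QuarantineFile('C:\WINDOWS\system32\wmcstd32.dll','');
DelBHO('{97182737-4655-64C7-8730-2921803F7A9D}');
DelBHO('{240A2128-ACD4-4124-87AF-527124CAAC38}');
QuarantineFile('realsched.exe','');
QuarantineFile('opnmMdby.dll','');
QuarantineFile('kdzwk.exe','');
QuarantineFile('crypts.dll','');
// Fixed: the original passed 'Explorer.exe <path>' (a shell command line, not a file
// path) as the file name, so nothing would have been quarantined. Only the dropped
// executable is a file; the Shell value itself is fixed in HijackThis.
QuarantineFile('C:\Documents and Settings\qqq\Рабочий стол\kttw472.exe','');
QuarantineFile('C:\WINDOWS\vbksrofa.dll','');
QuarantineFile('C:\WINDOWS\mrofinu27.exe','');
QuarantineFile('C:\WINDOWS\System32\wf2kcpl.dll','');
QuarantineFile('C:\WINDOWS\System32\vedxg6ame4.exe','');
QuarantineFile('C:\WINDOWS\System32\maxpaynow1.exe','');
QuarantineFile('C:\WINDOWS\System32\hdxjd4g.dll','');
QuarantineFile('C:\WINDOWS\System32\djki397g.dll','');
QuarantineFile('C:\DOCUME~1\qqq\LOCALS~1\Temp\winlagon.exe','');
QuarantineFile('C:\DOCUME~1\qqq\LOCALS~1\Temp\csrssc.exe','');
// Malicious services/drivers: stop, delete, and set start type 4 (disabled) in case
// the registry entry survives until reboot.
StopService('TSP');
DeleteService('TSP');
SetServiceStart('TSP', 4);
StopService('qandr');
DeleteService('qandr');
SetServiceStart('qandr', 4);
QuarantineFile('C:\WINDOWS\system32\drivers\kbd.sys','');
StopService('Multimedia Sound Driver');
DeleteService('Multimedia Sound Driver');
SetServiceStart('Multimedia Sound Driver', 4);
StopService('kbd');
DeleteService('kbd');
SetServiceStart('kbd', 4);
// NOTE(review): klstm lives under the Kaspersky Anti-Virus Personal bases folder (see
// the DeleteFile below); confirm it is not a component of the installed Kaspersky product.
StopService('klstm');
DeleteService('klstm');
SetServiceStart('klstm', 4);
StopService('ids0005c');
DeleteService('ids0005c');
SetServiceStart('ids0005c', 4);
StopService('ids00026');
DeleteService('ids00026');
SetServiceStart('ids00026', 4);
QuarantineFile('C:\WINDOWS\system32\drivers\spools.exe','');
// 'Schedule' is also the service name of the Windows Task Scheduler; the log shows it
// hijacked to spools.exe (file missing), so the hijacked entry is removed here. The
// legitimate Task Scheduler service may need to be restored afterwards - TODO confirm.
StopService('Schedule');
DeleteService('Schedule');
SetServiceStart('Schedule', 4);
QuarantineFile('Umh31.sys','');
QuarantineFile('C:\WINDOWS\System32\Drivers\arusvmgo.SYS','');
QuarantineFile('C:\WINDOWS\System32\Drivers\acemk32l.SYS','');
QuarantineFile('C:\WINDOWS\System32\upvwymes.dll','');
QuarantineFile('C:\WINDOWS\System32\opnmMdby.dll','');
QuarantineFile('C:\WINDOWS\mpfanvqg.dll','');
QuarantineFile('C:\WINDOWS\herjek.exe','');
QuarantineFile('C:\WINDOWS\fvowketqksn.dll','');
QuarantineFile('C:\Documents and Settings\qqq\ie_updates3r.exe','');
QuarantineFile('C:\Documents and Settings\All Users\Документы\Settings\partnership.dll','');
QuarantineFile('c:\autoex.dll','');
// Kill the running droppers before deleting their images.
TerminateProcessByName('c:\documents and settings\qqq\ie_updates3r.exe');
TerminateProcessByName('c:\windows\herjek.exe');
QuarantineFile('c:\windows\herjek.exe','');
DeleteFile('c:\windows\herjek.exe');
DeleteFile('c:\documents and settings\qqq\ie_updates3r.exe');
DeleteFile('c:\autoex.dll');
DeleteFile('C:\Documents and Settings\All Users\Документы\Settings\partnership.dll');
DeleteFile('C:\Documents and Settings\qqq\ie_updates3r.exe');
DeleteFile('C:\WINDOWS\fvowketqksn.dll');
DeleteFile('C:\WINDOWS\herjek.exe');
DeleteFile('C:\WINDOWS\mpfanvqg.dll');
DeleteFile('C:\WINDOWS\System32\opnmMdby.dll');
DeleteFile('C:\WINDOWS\System32\upvwymes.dll');
DeleteFile('C:\WINDOWS\System32\Drivers\acemk32l.SYS');
DeleteFile('C:\WINDOWS\System32\Drivers\arusvmgo.SYS');
DeleteFile('Umh31.sys');
DeleteFile('C:\WINDOWS\system32\drivers\spools.exe');
DeleteFile('C:\WINDOWS\system32\drivers\kbd.sys');
DeleteFile('C:\Documents and Settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\bases\klstm.sys');
// Added: quarantine copies for files that were previously deleted without a sample.
QuarantineFile('C:\DOCUME~1\qqq\LOCALS~1\Temp\soundmgr.sys','');
DeleteFile('C:\DOCUME~1\qqq\LOCALS~1\Temp\soundmgr.sys');
QuarantineFile('C:\WINDOWS\system32\drivers\qandr.sys','');
DeleteFile('C:\WINDOWS\system32\drivers\qandr.sys');
// NOTE(review): klif.sys is normally Kaspersky's own filter driver (Kaspersky Anti-Virus
// Personal 5.0 is present on this machine); deleting it will break that product unless
// the log showed a rogue copy. Confirm before running.
DeleteFile('C:\WINDOWS\system32\drivers\klif.sys');
DeleteFile('C:\DOCUME~1\qqq\LOCALS~1\Temp\csrssc.exe');
DeleteFile('C:\DOCUME~1\qqq\LOCALS~1\Temp\winlagon.exe');
QuarantineFile('C:\Documents and Settings\qqq\cftmon.exe','');
DeleteFile('C:\Documents and Settings\qqq\cftmon.exe');
DeleteFile('C:\WINDOWS\System32\djki397g.dll');
DeleteFile('C:\WINDOWS\System32\hdxjd4g.dll');
DeleteFile('C:\WINDOWS\System32\maxpaynow1.exe');
DeleteFile('C:\WINDOWS\System32\vedxg6ame4.exe');
DeleteFile('C:\WINDOWS\System32\wf2kcpl.dll');
QuarantineFile('C:\WINDOWS\System32\wind32.exe','');
DeleteFile('C:\WINDOWS\System32\wind32.exe');
DeleteFile('C:\WINDOWS\mrofinu27.exe');
DeleteFile('C:\WINDOWS\vbksrofa.dll');
// Fixed: same malformed 'Explorer.exe <path>' string as above.
DeleteFile('C:\Documents and Settings\qqq\Рабочий стол\kttw472.exe');
DeleteFile('crypts.dll');
DeleteFile('kdzwk.exe');
DeleteFile('opnmMdby.dll');
DeleteFile('realsched.exe');
DeleteFile('C:\WINDOWS\system32\wmcstd32.dll');
QuarantineFile('C:\WINDOWS\System32\awTMFvww.dll','');
DeleteFile('C:\WINDOWS\System32\awTMFvww.dll');
DeleteFile('gwin32.dll');
// NOTE(review): the O4 entries for 1F97.tmp.exe and soundmgr.exe (see the log above)
// are not quarantined or deleted by this script - TODO confirm whether that is intended.
// Hand the delete list to BootCleaner, run the system cleanup, and finish at reboot.
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.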
После выполнения скрипта компьютер перезагрузится.
Пришлите карантин и повторите логи.