На время выполнения скрипта отключитесь от сети и отключите антивирусный монитор. Пофиксите с помощью Hijackthis строчки:
Код:
F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\system32\vmwp472.exe"
O2 - BHO: (no name) - {09A78B33-C7F6-465D-9CCA-98D5B98B78CB} - C:\WINDOWS\system32\ddcBSLFu.dll
O2 - BHO: (no name) - {B864BE51-8859-4BCC-B872-3E6FC3EBAD91} - C:\WINDOWS\system32\byXoLbcy.dll (file missing)
O2 - BHO: Std plugin - {FFFFFFFF-08DF-483c-BD3A-99CBCF44E4DC} - hnew32.dll (file missing)
O4 - HKLM\..\Run: [runwinlogon] C:\WINDOWS\winlogon.exe
O4 - HKLM\..\Run: [advap32] "C:\DOCUME~1\AZAITS~1\LOCALS~1\Temp\3.tmp"/r
O20 - Winlogon Notify: ddcBSLFu - C:\WINDOWS\SYSTEM32\ddcBSLFu.dll
O20 - Winlogon Notify: sysfldr - sysfldr.dll (file missing)
O20 - Winlogon Notify: WinNt32 - C:\WINDOWS\SYSTEM32\WinNt32.dll
O21 - SSODL: pxgdslro - {DB4782FD-9A6E-4BE0-99CE-220B91044748} - (no file)
O21 - SSODL: gnowmebk - {505DB46A-E8BE-4C8C-8B5C-A87B20E92D7B} - (no file)
Программа AVZ - файл - выполнить скрипт - выполните следующий скрипт:
Код:
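// AVZ removal script (AVZ uses a Pascal-like script syntax).
// Quarantines the suspicious files named in the HijackThis log above, removes
// the listed BHOs, then schedules deletion of the remaining files and their
// services for the next boot through the BC_* (boot-cleaner) calls, runs the
// standard repair routines and reboots.
// Corrections versus the earlier revision: the 'Explorer.exe ' prefix and the
// '/r' argument were copied from the HijackThis lines into file paths, so those
// QuarantineFile/DeleteFile calls could never match a real file; the doubled
// backslash before stopinject.dll is normalised as well.
begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
// Start type 4 = SERVICE_DISABLED: keep the suspicious drivers from loading
// again before the boot-cleaner removes their services.
SetServiceStart('owE54', 4);
SetServiceStart('cjP07', 4);
SetServiceStart('Dls07', 4);
SetServiceStart('ksY63', 4);
SetServiceStart('Irx64', 4);
SetServiceStart('flS53', 4);
SetServiceStart('Dlt43', 4);
SetServiceStart('Bho30', 4);
// Quarantine first so samples survive the deletions scheduled below.
QuarantineFile('C:\Program Files\Google\googletoolbar1user.exe','');
QuarantineFile('C:\WINDOWS\Downloaded Program Files\AMADEUSINIT.DLL','');
QuarantineFile('C:\WINDOWS\Downloaded Program Files\CCCert4.dll','');
QuarantineFile('C:\WINDOWS\Downloaded Program Files\MSIINSPECT.DLL','');
QuarantineFile('C:\WINDOWS\Downloaded Program Files\S1AVISTAPWCOMMS.DLL','');
QuarantineFile('C:\WINDOWS\DOWNLO~1\SP2Patch.dll','');
QuarantineFile('C:\WINDOWS\system32\byXoLbcy.dll','');
// '/r' in the O4 entry is a command-line switch, not part of the file name.
QuarantineFile('C:\DOCUME~1\AZAITS~1\LOCALS~1\Temp\3.tmp','');
// 'Explorer.exe' in the F2 entry is the legitimate shell; only the second
// path is the suspicious file.
QuarantineFile('C:\WINDOWS\system32\vmwp472.exe','');
// The genuine winlogon.exe lives in system32; this copy in C:\WINDOWS is the
// one referenced by the [runwinlogon] autorun entry.
QuarantineFile('C:\WINDOWS\winlogon.exe','');
QuarantineFile('C:\WINDOWS\herjek.exe','');
QuarantineFile('C:\WINDOWS\TEMP\csrssc.exe','');
QuarantineFile('C:\Program Files\Automatic Update\AutoUpdate.exe','');
QuarantineFile('C:\Documents and Settings\LocalService\cftmon.exe','');
QuarantineFile('C:\DOCUME~1\AZAITS~1\LOCALS~1\Temp\stopinject.dll','');
// Drivers backing the services disabled above.
// NOTE(review): service flS53 is disabled and deleted below but no matching
// .sys file appears in the log excerpt — confirm its path before adding it here.
QuarantineFile('C:\WINDOWS\System32\drivers\xeL86.sys','');
QuarantineFile('C:\WINDOWS\System32\drivers\Vek54.sys','');
QuarantineFile('C:\WINDOWS\System32\drivers\vcI06.sys','');
QuarantineFile('C:\WINDOWS\System32\drivers\Udk42.sys','');
QuarantineFile('C:\WINDOWS\System32\drivers\tcpsr.sys','');
QuarantineFile('C:\WINDOWS\system32\DRIVERS\smtpdrv.sys','');
QuarantineFile('C:\WINDOWS\System32\drivers\Sbi76.sys','');
QuarantineFile('C:\WINDOWS\system32\drivers\riode32.sys','');
QuarantineFile('C:\WINDOWS\System32\drivers\Owe54.sys','');
QuarantineFile('C:\WINDOWS\System32\drivers\ksY63.sys','');
QuarantineFile('C:\WINDOWS\System32\drivers\Irx64.sys','');
QuarantineFile('C:\WINDOWS\System32\drivers\Dlt43.sys','');
QuarantineFile('C:\WINDOWS\System32\drivers\Dls07.sys','');
QuarantineFile('C:\WINDOWS\System32\drivers\cjP07.sys','');
QuarantineFile('C:\WINDOWS\System32\drivers\Bho30.sys','');
QuarantineFile('C:\Documents and Settings\AZaitseva\ie_updates3r.exe','');
QuarantineFile('C:\WINDOWS\system32\WinNt32.dll','');
QuarantineFile('C:\WINDOWS\system32\hnew32.dll','');
QuarantineFile('C:\WINDOWS\system32\ddcBSLFu.dll','');
// Remove the three O2 BHO registrations from the HijackThis log.
DelBHO('{09A78B33-C7F6-465D-9CCA-98D5B98B78CB}');
DelBHO('{FFFFFFFF-08DF-483c-BD3A-99CBCF44E4DC}');
DelBHO('{B864BE51-8859-4BCC-B872-3E6FC3EBAD91}');
// DeleteFile attempts removal now; the BC_DeleteFile twin retries at boot for
// anything that is still in use.
DeleteFile('C:\WINDOWS\system32\ddcBSLFu.dll');
BC_DeleteFile('C:\WINDOWS\system32\ddcBSLFu.dll');
DeleteFile('C:\WINDOWS\system32\hnew32.dll');
BC_DeleteFile('C:\WINDOWS\system32\hnew32.dll');
DeleteFile('C:\WINDOWS\system32\WinNt32.dll');
BC_DeleteFile('C:\WINDOWS\system32\WinNt32.dll');
DeleteFile('C:\Documents and Settings\AZaitseva\ie_updates3r.exe');
BC_DeleteFile('C:\Documents and Settings\AZaitseva\ie_updates3r.exe');
// Loaded drivers are only removed at boot.
BC_DeleteFile('C:\WINDOWS\System32\drivers\Bho30.sys');
BC_DeleteFile('C:\WINDOWS\System32\drivers\cjP07.sys');
BC_DeleteFile('C:\WINDOWS\System32\drivers\Dls07.sys');
BC_DeleteFile('C:\WINDOWS\System32\drivers\Dlt43.sys');
BC_DeleteFile('C:\WINDOWS\System32\drivers\Irx64.sys');
BC_DeleteFile('C:\WINDOWS\System32\drivers\ksY63.sys');
BC_DeleteFile('C:\WINDOWS\System32\drivers\Owe54.sys');
BC_DeleteFile('C:\WINDOWS\system32\drivers\riode32.sys');
BC_DeleteFile('C:\WINDOWS\System32\drivers\Sbi76.sys');
BC_DeleteFile('C:\WINDOWS\system32\DRIVERS\smtpdrv.sys');
BC_DeleteFile('C:\WINDOWS\System32\drivers\tcpsr.sys');
BC_DeleteFile('C:\WINDOWS\System32\drivers\Udk42.sys');
BC_DeleteFile('C:\WINDOWS\System32\drivers\vcI06.sys');
BC_DeleteFile('C:\WINDOWS\System32\drivers\Vek54.sys');
BC_DeleteFile('C:\WINDOWS\System32\drivers\xeL86.sys');
DeleteFile('C:\DOCUME~1\AZAITS~1\LOCALS~1\Temp\stopinject.dll');
BC_DeleteFile('C:\DOCUME~1\AZAITS~1\LOCALS~1\Temp\stopinject.dll');
DeleteFile('C:\Documents and Settings\LocalService\cftmon.exe');
BC_DeleteFile('C:\Documents and Settings\LocalService\cftmon.exe');
DeleteFile('C:\WINDOWS\TEMP\csrssc.exe');
BC_DeleteFile('C:\WINDOWS\TEMP\csrssc.exe');
DeleteFile('C:\WINDOWS\herjek.exe');
BC_DeleteFile('C:\WINDOWS\herjek.exe');
DeleteFile('C:\WINDOWS\winlogon.exe');
BC_DeleteFile('C:\WINDOWS\winlogon.exe');
// Was 'Explorer.exe C:\WINDOWS\system32\vmwp472.exe' — the shell name made
// the path unresolvable, so vmwp472.exe was never actually deleted.
DeleteFile('C:\WINDOWS\system32\vmwp472.exe');
BC_DeleteFile('C:\WINDOWS\system32\vmwp472.exe');
DeleteFile('C:\DOCUME~1\AZAITS~1\LOCALS~1\Temp\3.tmp');
BC_DeleteFile('C:\DOCUME~1\AZAITS~1\LOCALS~1\Temp\3.tmp');
DeleteFile('C:\WINDOWS\system32\byXoLbcy.dll');
BC_DeleteFile('C:\WINDOWS\system32\byXoLbcy.dll');
// Remove the service registrations at boot, after their drivers are gone.
BC_Deletesvc('xeL86');
BC_Deletesvc('Vek54');
BC_Deletesvc('vcI06');
BC_Deletesvc('Udk42');
BC_Deletesvc('tcpsr');
BC_Deletesvc('smtpdrv');
BC_Deletesvc('Sbi76');
BC_Deletesvc('riode32');
BC_Deletesvc('owE54');
BC_Deletesvc('ksY63');
BC_Deletesvc('Irx64');
BC_Deletesvc('flS53');
BC_Deletesvc('Dlt43');
BC_Deletesvc('Dls07');
BC_Deletesvc('cjP07');
BC_Deletesvc('Bho30');
BC_Deletesvc('Google Online Services');
// Hand the accumulated delete list to the boot-cleaner and arm it.
BC_ImportDeletedList;
BC_Activate;
ExecuteSysClean;
// Standard AVZ repair routines; numbers are AVZ's own repair-item codes.
Executerepair(1);
Executerepair(5);
Executerepair(6);
Executerepair(8);
Executerepair(11);
// Reboot is required for the BC_* operations to take effect.
RebootWindows(true);
end.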
Система будет перезагружена. После перезагрузки карантин AVZ загрузите по ссылке http://virusinfo.info/upload_virus.php?tid=23502 , как написано в прил. 3 правил, и повторите логи, начиная с п. 10 правил.