Выполните скрипт в AVZ
Код:
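// AVZ cleanup script (AVZ's Pascal-style scripting language).
// Order matters: running samples are stopped first, every file is copied to
// quarantine before it is deleted, then the autorun entries and services that
// referenced the samples are removed, and the machine is rebooted.
begin
  SearchRootkit(true, true);
  SetAVZGuardStatus(True);

  // Stop the running samples so the files below can be quarantined and removed.
  TerminateProcessByName('c:\windows\system32\dogouwegov.exe');
  TerminateProcessByName('c:\docume~1\1\locals~1\temp\5436468 .exe');
  TerminateProcessByName('c:\windows\system32\nemibe.exe');

  // Quarantine first: a copy of each sample is kept for analysis before anything is deleted.
  // Paths ending in ':exe.exe:$DATA' are NTFS alternate data streams attached to the named
  // file; only the stream is targeted, not the host file (svchost.exe itself stays in place).
  QuarantineFile('C:\Documents and Settings\1\Application Data\ahrg.exe','');
  QuarantineFile('C:\System Volume Information\_restore{F918BC58-45AA-4FE0-9C45-66E428BA9339}\RP128\A0062505.exe:exe.exe:$DATA','');
  QuarantineFile('c:\windows\system32\svchost.exe:exe.exe:$DATA','');
  QuarantineFile('C:\Windows\RUNXMLPL.exe','');
  QuarantineFile('C:\Documents and Settings\1\Application Data\yrpv.exe','');
  QuarantineFile('C:\WINDOWS\system32\gevi.exe','');
  QuarantineFile('C:\WINDOWS\system32\lidoowibou.exe','');
  QuarantineFile('c:\windows\system32\winupd01.exe','');
  QuarantineFile('c:\windows\system32\nemibe.exe','');
  QuarantineFile('C:\Documents and Settings\1\Application Data\zwlr.exe','');
  QuarantineFile('c:\windows\system32\dogouwegov.exe','');
  QuarantineFile('c:\docume~1\1\locals~1\temp\5436468 .exe','');

  // NOTE(review): the original script also passed one comma-joined string
  // ('...\yrpv.exe,...\ahrg.exe,explorer.exe,...\zwlr.exe') to QuarantineFile and
  // DeleteFile. QuarantineFile/DeleteFile take a single path, so that call could never
  // match a file; the string looks like a registry value's data pasted verbatim
  // (presumably the autorun/Winlogon value that chained the samples to explorer.exe —
  // confirm against the log). Every real file in it is already handled individually
  // here, and explorer.exe must not be deleted, so the two calls are dropped.

  // Remove the files now that copies are in quarantine.
  DeleteFile('c:\docume~1\1\locals~1\temp\5436468 .exe');
  DeleteFile('c:\windows\system32\dogouwegov.exe');
  DeleteFile('C:\Documents and Settings\1\Application Data\zwlr.exe');
  DeleteFile('c:\windows\system32\nemibe.exe');
  DeleteFile('c:\windows\system32\winupd01.exe');
  DeleteFile('C:\WINDOWS\system32\lidoowibou.exe');
  DeleteFile('C:\WINDOWS\system32\gevi.exe');
  DeleteFile('C:\Documents and Settings\1\Application Data\yrpv.exe');
  DeleteFile('C:\Windows\RUNXMLPL.exe');
  DeleteFile('c:\windows\system32\svchost.exe:exe.exe:$DATA');
  DeleteFile('C:\System Volume Information\_restore{F918BC58-45AA-4FE0-9C45-66E428BA9339}\RP128\A0062505.exe:exe.exe:$DATA');
  DeleteFile('C:\Documents and Settings\1\Application Data\ahrg.exe');

  // Persistence: Run values and the Winlogon 'Taskman' value that launched the samples.
  // (The original listed 'gucu' twice; one call is enough.)
  RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','gucu');
  RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','loussupal');
  RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','preload');
  RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows NT\CurrentVersion\Winlogon','Taskman');

  // Services with random-looking names registered by the malware (per the submitted logs).
  DeleteService('eou6gbe3yeav5o');
  DeleteService('ag4yaexiwy');

  // BC_* = AVZ Boot Cleaner: anything still locked is queued for removal at the next boot.
  BC_ImportAll;
  ExecuteSysClean;
  BC_Activate;

  // ExecuteRepair(n) runs item n of the AVZ troubleshooting wizard; the numbering
  // depends on the AVZ build — confirm 6, 9 and 13 against the version in use.
  ExecuteRepair(6);
  ExecuteRepair(9);
  ExecuteRepair(13);

  RegKeyIntParamWrite('HKLM', 'SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum', '{BDEADF00-C265-11D0-BCED-00A0C90AB50F}', 1);
  // Reboot so Boot Cleaner can finish and the removed autoruns/services do not come back.
  RebootWindows(true);
end.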
Компьютер перезагрузится.
Пришлите карантин согласно Приложению 3 правил по красной ссылке «Прислать запрошенный карантин» вверху темы.
Сделайте новые логи