1. Fix in HijackThis:
Code:
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: (no name) - {63432924-FF0F-4F2D-BA15-FE46454977A3} - (no file)
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - E:\Orbitdownloader\Orbitdownloader\GrabPro.dll (file missing)
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - E:\ICQ6.5\ICQ.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - E:\ICQ6.5\ICQ.exe (file missing)
2. Disable System Restore!!! (how to do it - see here)
- Run the following script in AVZ
Code:
begin
// Look for rootkits and switch on AVZGuard so the malware cannot interfere with the cleanup
SearchRootkit(true, true);
SetAVZGuardStatus(True);
// Quarantine the fake csrcs.exe and restore the legitimate Winlogon UserInit value
QuarantineFile('C:\WINDOWS\system32\csrcs.exe','');
RegKeyStrParamWrite('HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon','UserInit', GetEnvironmentVariable ('WinDir')+'\System32\userinit.exe,');
// Remove the randomly named services and quarantine their executables from the Temp folder
DeleteService('QWZQ');
DeleteService('VZK');
QuarantineFile('C:\DOCUME~1\Admin\LOCALS~1\Temp\VZK.exe','');
QuarantineFile('C:\DOCUME~1\Admin\LOCALS~1\Temp\QWZQ.exe','');
QuarantineFile('C:\DOCUME~1\Admin\LOCALS~1\Temp\OJCSWQDRZ.exe','');
DeleteService('OJCSWQDRZ');
DeleteService('NMZVZUJQ');
QuarantineFile('C:\DOCUME~1\Admin\LOCALS~1\Temp\NMZVZUJQ.exe','');
QuarantineFile('C:\DOCUME~1\Admin\LOCALS~1\Temp\J.exe','');
DeleteService('J');
QuarantineFile('C:\DOCUME~1\Admin\LOCALS~1\Temp\FHBBUPXIZWEXBE.exe','');
DeleteService('FHBBUPXIZWEXBE');
DeleteService('EZGEO');
QuarantineFile('C:\DOCUME~1\Admin\LOCALS~1\Temp\EZGEO.exe','');
QuarantineFile('C:\DOCUME~1\Admin\LOCALS~1\Temp\DDNJHER.exe','');
DeleteService('DDNJHER');
// Delete the files from disk (copies are already in quarantine) and the csrcs autorun policy entry
DeleteFile('C:\DOCUME~1\Admin\LOCALS~1\Temp\DDNJHER.exe');
DeleteFile('C:\DOCUME~1\Admin\LOCALS~1\Temp\EZGEO.exe');
DeleteFile('C:\DOCUME~1\Admin\LOCALS~1\Temp\FHBBUPXIZWEXBE.exe');
DeleteFile('C:\DOCUME~1\Admin\LOCALS~1\Temp\J.exe');
DeleteFile('C:\DOCUME~1\Admin\LOCALS~1\Temp\NMZVZUJQ.exe');
DeleteFile('C:\DOCUME~1\Admin\LOCALS~1\Temp\OJCSWQDRZ.exe');
DeleteFile('C:\DOCUME~1\Admin\LOCALS~1\Temp\QWZQ.exe');
DeleteFile('C:\WINDOWS\system32\csrcs.exe');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run','csrcs');
// Hand the deletions to the boot cleaner, run the standard cleanup, repair and wizards,
// tighten the AutoRun policy, then activate the boot cleaner and reboot
BC_ImportAll;
ExecuteSysClean;
ExecuteRepair(16);
ExecuteWizard('TSW', 2, 2, true);
ExecuteWizard('SCU', 2, 2, true);
RegKeyIntParamWrite('HKLM','SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer','NoDriveTypeAutoRun',221);
BC_Activate;
RebootWindows(true);
end.
After the reboot:
- run this script
Code:
begin
CreateQurantineArchive(GetAVZDirectory+'quarantine.zip');
end.
- Upload the quarantine.zip file from the AVZ folder via the "Send requested quarantine" link at the top of the thread
- Make new logs following items 2 and 3 of the Diagnostics section rules (virusinfo_syscheck.zip; hijackthis.log)
- Make an MBAM log