Разрушаторов Володя,
Hello!
Close all programs.
Disconnect
- the PC from the internet/LAN;
- the antivirus and firewall.
Run this script in AVZ:
Code:
begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
DeleteFileMask(GetAVZDirectory + 'Quarantine', '*', true);
QuarantineFile('c:\documents and settings\я\local settings\Temp\avd3ehjdu.exe',' ');
QuarantineFile('c:\WINDOWS\system32\calc.exe',' ');
QuarantineFile('c:\WINDOWS\system32\dp1.fne',' ');
QuarantineFile('c:\WINDOWS\system32\vfp8rrus.dll',' ');
QuarantineFile('c:\documents and settings\я\application data\avdrn.dat',' ');
QuarantineFile('c:\WINDOWS\system32\krnln.fnr','');
QuarantineFile('c:\WINDOWS\system32\og.dll',' ');
QuarantineFile('c:\WINDOWS\system32\og.EDT',' ');
QuarantineFile('c:\WINDOWS\system32\RegEx.fnr',' ');
QuarantineFile('c:\WINDOWS\system32\spool\drivers\wmsncs.exe',' ');
QuarantineFile('c:\WINDOWS\system32\ul.dll',' ');
QuarantineFile('c:\WINDOWS\system32\wsnpoem\audio.dll',' ');
QuarantineFileF('c:\WINDOWS\system32\wsnpoem\','*',true,' ',0 ,0);
DeleteFile('c:\documents and settings\я\local settings\Temp\avd3ehjdu.exe');
DeleteFile('c:\WINDOWS\system32\dp1.fne');
DeleteFile('c:\WINDOWS\system32\vfp8rrus.dll');
DeleteFile('c:\documents and settings\я\application data\avdrn.dat');
DeleteFile('c:\documents and settings\networkservice\application data\fvgqad.dat');
DeleteFile('c:\WINDOWS\system32\krnln.fnr');
DeleteFile('c:\WINDOWS\system32\og.dll');
DeleteFile('c:\WINDOWS\system32\og.EDT');
DeleteFile('c:\WINDOWS\system32\RegEx.fnr');
DeleteFile('c:\WINDOWS\system32\spec.fne');
DeleteFile('c:\WINDOWS\system32\spool\drivers\wmsncs.exe');
DeleteFile('c:\WINDOWS\system32\ul.dll');
DeleteFile('c:\WINDOWS\system32\wsnpoem\audio.dll');
BC_ImportALL;
ExecuteSysClean;
RegKeyIntParamWrite('HKLM','SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer','NoDriveTypeAutoRun', 221);
BC_Activate;
ExecuteWizard('TSW', 2, 3, true);
RebootWindows(true);
end.
After the script runs, the computer will reboot.
Send the quarantine according to Appendix 3 of the rules via the red link "Send the requested quarantine" at the top of the thread.
Fix in HijackThis:
Code:
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {8DAE90AD-4583-4977-9DD4-4360F7A45C74} - (no file)
O9 - Extra button: ICQ Lite - {E59EB121-F339-4851-A3BA-FE49C35617C2} - ICQ.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {E59EB121-F339-4851-A3BA-FE49C35617C2} - ICQ.exe (file missing)
O18 - Filter hijack: text/html - (no CLSID) - (no file)
Remove in MBAM:
Code:
Infected registry keys:
HKEY_CLASSES_ROOT\AppID\{B0ED4726-5BC8-4E22-A7A8-3074A73CE64E} (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{1408E208-2AC1-42D3-9F10-78A5B36E05AC} (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\xvideoplugin.JetMimeFiltr (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\xvideoplugin.JetMimeFiltr.1 (Trojan.BHO) -> No action taken.
Infected registry values:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{6780A29E-6A18-0C70-1DFF-1610DDE00108} (Trojan.Agent) -> Value: {6780A29E-6A18-0C70-1DFF-1610DDE00108} -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{6780A29E-6A18-0C70-1DFF-1610DDE00108} (Trojan.Agent) -> Value: {6780A29E-6A18-0C70-1DFF-1610DDE00108} -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{6780A29E-6A18-0C70-1DFF-1610DDE00108} (Trojan.Agent) -> Value: {6780A29E-6A18-0C70-1DFF-1610DDE00108} -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{F710FA10-2031-3106-8872-93A2B5C5C620} (Trojan.Agent) -> Value: {F710FA10-2031-3106-8872-93A2B5C5C620} -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{F710FA10-2031-3106-8872-93A2B5C5C620} (Trojan.Agent) -> Value: {F710FA10-2031-3106-8872-93A2B5C5C620} -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{F710FA10-2031-3106-8872-93A2B5C5C620} (Trojan.Agent) -> Value: {F710FA10-2031-3106-8872-93A2B5C5C620} -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{02FFAC45-0B10-5633-4296-1801F1A36678} (Trojan.Agent) -> Value: {02FFAC45-0B10-5633-4296-1801F1A36678} -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{02FFAC45-0B10-5633-4296-1801F1A36678} (Trojan.Agent) -> Value: {02FFAC45-0B10-5633-4296-1801F1A36678} -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{02FFAC45-0B10-5633-4296-1801F1A36678} (Trojan.Agent) -> Value: {02FFAC45-0B10-5633-4296-1801F1A36678} -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{6780A29E-6A18-0C70-1DFF-1610DDE00108} (Trojan.Agent) -> Value: {6780A29E-6A18-0C70-1DFF-1610DDE00108} -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{F710FA10-2031-3106-8872-93A2B5C5C620} (Trojan.Agent) -> Value: {F710FA10-2031-3106-8872-93A2B5C5C620} -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{02FFAC45-0B10-5633-4296-1801F1A36678} (Trojan.Agent) -> Value: {02FFAC45-0B10-5633-4296-1801F1A36678} -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Spool Driver Service (Trojan.Agent) -> Value: Spool Driver Service -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Spool Driver Service (Trojan.Agent) -> Value: Spool Driver Service -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Value: UID -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\WaitToKillServiceT (Malware.Trace) -> Value: WaitToKillServiceT -> No action taken.
Reboot the computer and post new HijackThis and MBAM logs.
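The script below is an added post-cleanup check, not part of the original post and not code from AVZ, HijackThis or MBAM. After the reboot it re-tests the file paths and registry entries listed above and confirms that NoDriveTypeAutoRun holds the value the AVZ script writes (221). It assumes PowerShell is installed on the cleaned machine (it is not part of Windows XP by default) and that the profile path with the user name "я" is the one from the script; the function name Test-CleanupResidue is the example's own.

```powershell
# Added example: verify that the artifacts named in the cleanup reply are gone.
# Assumption: the user profile path is the one from the AVZ script above.
$userProfile = 'c:\documents and settings\я'
$wsnpoemDir  = 'c:\WINDOWS\system32\wsnpoem'

# Files the AVZ script deletes (DeleteFile calls above).
$files = @(
    "$userProfile\local settings\Temp\avd3ehjdu.exe",
    "$userProfile\application data\avdrn.dat",
    'c:\documents and settings\networkservice\application data\fvgqad.dat',
    'c:\WINDOWS\system32\dp1.fne',
    'c:\WINDOWS\system32\vfp8rrus.dll',
    'c:\WINDOWS\system32\krnln.fnr',
    'c:\WINDOWS\system32\og.dll',
    'c:\WINDOWS\system32\og.EDT',
    'c:\WINDOWS\system32\RegEx.fnr',
    'c:\WINDOWS\system32\spec.fne',
    'c:\WINDOWS\system32\spool\drivers\wmsncs.exe',
    'c:\WINDOWS\system32\ul.dll',
    "$wsnpoemDir\audio.dll"
)

# Registry keys from the MBAM list (whole keys).
$regKeys = @(
    'Registry::HKEY_CLASSES_ROOT\AppID\{B0ED4726-5BC8-4E22-A7A8-3074A73CE64E}',
    'Registry::HKEY_CLASSES_ROOT\CLSID\{1408E208-2AC1-42D3-9F10-78A5B36E05AC}',
    'Registry::HKEY_CLASSES_ROOT\xvideoplugin.JetMimeFiltr',
    'Registry::HKEY_CLASSES_ROOT\xvideoplugin.JetMimeFiltr.1'
)

# Registry values from the MBAM list (key path + value name).
$explorerGuids = @(
    '{6780A29E-6A18-0C70-1DFF-1610DDE00108}',
    '{F710FA10-2031-3106-8872-93A2B5C5C620}',
    '{02FFAC45-0B10-5633-4296-1801F1A36678}'
)
$regValues = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';              Name = 'Spool Driver Service' },
    @{ Path = 'Registry::HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'Spool Driver Service' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network';       Name = 'UID' },
    @{ Path = 'HKLM:\System\CurrentControlSet\Control';                           Name = 'WaitToKillServiceT' }
)
foreach ($hive in 'HKEY_USERS\.DEFAULT', 'HKEY_USERS\S-1-5-18') {
    foreach ($g in $explorerGuids) {
        $regValues += @{ Path = "Registry::$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"; Name = $g }
    }
}

function Test-CleanupResidue {
    # Returns one line per artifact that is still present; empty array means clean.
    $findings = @()

    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f) { $findings += "file still present: $f" }
    }

    # The AVZ script quarantines everything in wsnpoem; anything left there is suspicious.
    if (Test-Path -LiteralPath $wsnpoemDir) {
        $left = @(Get-ChildItem -LiteralPath $wsnpoemDir -Force -ErrorAction SilentlyContinue)
        if ($left.Count -gt 0) { $findings += "files remain in ${wsnpoemDir}: $($left.Name -join ', ')" }
    }

    foreach ($k in $regKeys) {
        if (Test-Path -LiteralPath $k) { $findings += "registry key still present: $k" }
    }

    foreach ($v in $regValues) {
        $item = Get-ItemProperty -LiteralPath $v.Path -Name $v.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $findings += "registry value still present: $($v.Path)\$($v.Name)" }
    }

    # The AVZ script writes NoDriveTypeAutoRun = 221 (0xDD); confirm it stuck.
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $policy = Get-ItemProperty -LiteralPath $policyKey -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    if ($null -eq $policy -or $policy.NoDriveTypeAutoRun -ne 221) {
        $findings += 'NoDriveTypeAutoRun is not set to 221'
    }

    return $findings
}

$result = Test-CleanupResidue
if ($result.Count -eq 0) { 'Clean: none of the listed artifacts remain.' } else { $result }
```

Run it from an elevated PowerShell prompt after the reboot; save the file as UTF-8 with BOM so the Cyrillic profile name is read correctly, or replace $userProfile with the actual profile path. An empty result only means the specific artifacts from this thread are gone; it does not replace the fresh HijackThis and MBAM logs requested above.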