
View full version : Virus that creates processes whose names start with win



baksblr
01.10.2008, 18:14
Basically, the virus writes itself into the registry at:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell and, after explorer.exe, appends this: "C:\Users\baks\AppData\Local\Temp\wineuje.exe", as a result of which explorer does not start when Windows boots.

Regedit & Task Manager are blocked. Trying to solve the problems above by editing the registry with alternative programs helps only temporarily and only for the shell key (after a while the virus gets appended there again), and when I try to unblock regedit & Task Manager the DisableRegistryTools and DisableTaskMgr keys reset their values to "1" within a fraction of a second.

Also, at system startup the virus launches on average 4 processes whose names start with win, e.g. wineuje.exe or wingqklu.exe, and matching exe files appear in C:\Users\baks\AppData\Local\Temp\. Some time after the processes are killed with an alternative task manager they start up again. Judging by the data Process Explorer shows, these processes are actively consuming traffic.
Логи:
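The three symptoms reported above (an extra entry after explorer.exe in the Winlogon Shell value, DisableRegistryTools/DisableTaskMgr being re-set within a fraction of a second, and win*.exe droppers in %TEMP%) can be turned into a small triage check. The script below is an added example written for this page, not something posted in the thread and not an AVZ script. It assumes the standard location of the two policy values (HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, which the post does not name), uses a "win" + lowercase letters + ".exe" naming heuristic modelled on the names quoted in the post, and runs against constructed sample values when it is not on Windows. The relock_detected helper captures the practical lesson of the "reset within a fraction of a second" symptom: if a cleared value comes back, a resident process is re-applying it, and editing the key is pointless until that process is stopped.

```python
import ntpath
import os
import re
import sys

# Registry locations. The Winlogon key is the one named in the first post; the
# Policies\System key is the standard home of DisableRegistryTools and
# DisableTaskMgr (assumption: the post gives only the value names).
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
POLICY_KEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\System"
LOCK_VALUES = ("DisableRegistryTools", "DisableTaskMgr")

# Heuristic (assumption): "win" followed by 3-10 lowercase letters and ".exe",
# which matches the names quoted in the thread (wineuje.exe, wingqklu.exe, ...).
DROPPER_NAME = re.compile(r"^win[a-z]{3,10}\.exe$")


def parse_shell_value(value):
    """The Winlogon Shell value is a comma-separated list of programs to start at logon."""
    return [entry.strip().strip('"') for entry in value.split(",") if entry.strip()]


def shell_extras(value):
    """Every Shell entry that is not explorer.exe (with or without a path, any case)."""
    return [e for e in parse_shell_value(value)
            if ntpath.basename(e).lower() != "explorer.exe"]


def locked_tools(policy_values):
    """Names of the lock values that are set (non-zero), i.e. tools currently blocked."""
    return [name for name in LOCK_VALUES if policy_values.get(name, 0)]


def suspicious_temp_files(names):
    """Temp-directory entries matching the dropper naming heuristic."""
    return sorted(n for n in names if DROPPER_NAME.match(n.lower()))


def relock_detected(readings):
    """readings: successive snapshots of the policy values, oldest first.
    True if a value went from cleared (0 or absent) back to set: evidence that a
    running process re-applies the lock, so the process must be stopped first."""
    for name in LOCK_VALUES:
        seen_cleared = False
        for snap in readings:
            if not snap.get(name, 0):
                seen_cleared = True
            elif seen_cleared:
                return True
    return False


def triage(shell_value, policy_values, temp_names):
    """Combine the three checks into one report."""
    findings = {
        "shell_extras": shell_extras(shell_value),
        "locked_tools": locked_tools(policy_values),
        "droppers": suspicious_temp_files(temp_names),
    }
    findings["suspicious"] = any(findings[k] for k in ("shell_extras", "locked_tools", "droppers"))
    return findings


def read_live_values():
    """Read the real values on a Windows host; returns None on other platforms."""
    if sys.platform != "win32":
        return None
    import winreg  # standard library, Windows only

    def query(root, key, name, default):
        try:
            with winreg.OpenKey(root, key) as k:
                return winreg.QueryValueEx(k, name)[0]
        except OSError:  # key or value absent
            return default

    shell = query(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY, "Shell", "explorer.exe")
    policy = {}
    for name in LOCK_VALUES:
        # The locks are normally set per user (HKCU); HKLM is checked as well.
        policy[name] = (query(winreg.HKEY_CURRENT_USER, POLICY_KEY, name, 0)
                        or query(winreg.HKEY_LOCAL_MACHINE, POLICY_KEY, name, 0))
    temp = os.environ.get("TEMP", "")
    names = os.listdir(temp) if os.path.isdir(temp) else []
    return shell, policy, names


if __name__ == "__main__":
    live = read_live_values()
    if live is None:
        # Constructed sample modelled on the first post's description.
        live = (
            r'explorer.exe, "C:\Users\baks\AppData\Local\Temp\wineuje.exe"',
            {"DisableRegistryTools": 1, "DisableTaskMgr": 1},
            ["wineuje.exe", "wingqklu.exe", "~DF3A1C.tmp", "setup.exe"],
        )
    print(triage(*live))
```

To use relock_detected on a live host, call read_live_values() a few times a second for several seconds after clearing the two values and pass the policy dictionaries in order; a True result means the cleanup has to start with the processes, not the registry.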

Rene-gad
01.10.2008, 20:05
Close/unload all programs except AVZ and Internet Explorer.
Disable
- the PC's connection to the internet/LAN
- the antivirus and firewall
- System Restore.
- Fix (http://virusinfo.info/showthread.php?t=4491) this line in HijackThis:

F2 - REG:system.ini: Shell=Explorer.exe

- Run the script (http://virusinfo.info/showthread.php?t=7239)

begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
executerepair(11);
executerepair(17);
QuarantineFile('rdpclip','');
QuarantineFile('mailKmd.sys','');
QuarantineFile('C:\Users\baks\AppData\Local\Temp\winpidn.exe','');
QuarantineFile('D:\Program Files\need\power strip\PStrip.exe','');
QuarantineFile('C:\Windows\system32\wmdrtc32.dll','');
QuarantineFile('C:\Windows\System32\wmdrtc32.bak','');
QuarantineFile('C:\Windows\system32\msiexec','');
QuarantineFile('C:\Windows\system32\IoctlSvc.exe','');
QuarantineFile('c:\users\baks\appdata\local\temp\winpidn.exe','');
QuarantineFile('C:\Users\baks\AppData\Local\Temp\winpffod.exe','');
QuarantineFile('C:\Users\baks\AppData\Local\Temp\winjxrgs.exe','');
QuarantineFile('C:\Users\baks\AppData\Local\Temp\winiyrlet.exe','');
QuarantineFile('C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2ECC.tmp','');
QuarantineFile('C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2ECC.tmp','');
QuarantineFile('C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2ECC.tmp','');
QuarantineFile('C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2ECC.tmp','');
QuarantineFile('C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2ECC.tmp','');
QuarantineFile('C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2ECC.tmp','');
QuarantineFile('C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2ECC.tmp','');
QuarantineFile('C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2ECC.tmp','');
QuarantineFile('C:\Documents and Settings\All Users\Application Data\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2ECC.tmp','');
QuarantineFile('C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2ECC.tmp','');
QuarantineFile('C:\Documents and Settings\All Users\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2ECC.tmp','');
QuarantineFile('C:\ProgramData\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2ECC.tmp','');
QuarantineFile('C:\ProgramData\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2ECC.tmp','');
QuarantineFile('C:\ProgramData\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2ECC.tmp','');
QuarantineFile('C:\ProgramData\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2ECC.tmp','');
QuarantineFile('C:\ProgramData\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2ECC.tmp','');
QuarantineFile('C:\ProgramData\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2ECC.tmp','');
QuarantineFile('C:\ProgramData\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2ECC.tmp','');
QuarantineFile('C:\ProgramData\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2ECC.tmp','');
QuarantineFile('C:\ProgramData\Application Data\Application Data\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2ECC.tmp','');
QuarantineFile('C:\ProgramData\Application Data\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2ECC.tmp','');
QuarantineFile('C:\ProgramData\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2ECC.tmp','');
QuarantineFile('C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2ECC.tmp','');
QuarantineFile('C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2ECC.tmp','');
QuarantineFile('C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2ECC.tmp','');
QuarantineFile('C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2ECC.tmp','');
QuarantineFile('C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2ECC.tmp','');
QuarantineFile('C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2ECC.tmp','');
QuarantineFile('C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2ECC.tmp','');
QuarantineFile('C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2ECC.tmp','');
QuarantineFile('C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2ECC.tmp','');
QuarantineFile('C:\Users\All Users\Application Data\Application Data\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2ECC.tmp','');
QuarantineFile('C:\Users\All Users\Application Data\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2ECC.tmp','');
QuarantineFile('C:\Users\All Users\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2ECC.tmp','');
QuarantineFile('C:\Users\All Users\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2ECC.tmp','');
DeleteFile('C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2ECC.tmp');
DeleteFile('C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2ECC.tmp');
DeleteFile('C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2ECC.tmp');
DeleteFile('C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2ECC.tmp');
DeleteFile('C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2ECC.tmp');
DeleteFile('C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2ECC.tmp');
DeleteFile('C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2ECC.tmp');
DeleteFile('C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2ECC.tmp');
DeleteFile('C:\Documents and Settings\All Users\Application Data\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2ECC.tmp');
DeleteFile('C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2ECC.tmp');
DeleteFile('C:\Documents and Settings\All Users\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2ECC.tmp');
DeleteFile('C:\ProgramData\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2ECC.tmp');
DeleteFile('C:\ProgramData\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2ECC.tmp');
DeleteFile('C:\ProgramData\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2ECC.tmp');
DeleteFile('C:\ProgramData\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2ECC.tmp');
DeleteFile('C:\ProgramData\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2ECC.tmp');
DeleteFile('C:\ProgramData\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2ECC.tmp');
DeleteFile('C:\ProgramData\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2ECC.tmp');
DeleteFile('C:\ProgramData\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2ECC.tmp');
DeleteFile('C:\ProgramData\Application Data\Application Data\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2ECC.tmp');
DeleteFile('C:\ProgramData\Application Data\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2ECC.tmp');
DeleteFile('C:\ProgramData\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2ECC.tmp');
DeleteFile('C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2ECC.tmp');
DeleteFile('C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2ECC.tmp');
DeleteFile('C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2ECC.tmp');
DeleteFile('C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2ECC.tmp');
DeleteFile('C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2ECC.tmp');
DeleteFile('C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2ECC.tmp');
DeleteFile('C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2ECC.tmp');
DeleteFile('C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2ECC.tmp');
DeleteFile('C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2ECC.tmp');
DeleteFile('C:\Users\All Users\Application Data\Application Data\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2ECC.tmp');
DeleteFile('C:\Users\All Users\Application Data\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2ECC.tmp');
DeleteFile('C:\Users\All Users\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2ECC.tmp');
DeleteFile('C:\Users\All Users\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2ECC.tmp');
DeleteService('PLFlash DeviceIoControl Service');
DeleteService('mailKmd');
DeleteFile('C:\Windows\system32\drivers\mailKmd.sys');
DeleteFile('C:\Users\baks\AppData\Local\Temp\winpidn.exe');
DeleteFile('C:\Windows\system32\wmdrtc32.dll');
DeleteFile('C:\Windows\System32\wmdrtc32.bak');
DeleteFile('C:\Windows\system32\IoctlSvc.exe');
DeleteFile('c:\users\baks\appdata\local\temp\winpidn.exe');
DeleteFile('C:\Users\baks\AppData\Local\Temp\winpffod.exe');
DeleteFile('C:\Users\baks\AppData\Local\Temp\winjxrgs.exe');
DeleteFile('C:\Users\baks\AppData\Local\Temp\winiyrlet.exe');
BC_ImportAll;
ExecuteSysClean;
BC_DeleteSvc('PLFlash DeviceIoControl Service');
BC_DeleteSvc('mailKmd');
BC_Activate;
RebootWindows(true);
end.


After the reboot:
- Clear (http://virusinfo.info/showthread.php?t=10025) the temp folders, browser caches and the Recycle Bin.
- Close all programs, including the antivirus and firewall, leaving only Internet Explorer running. If it is not running, start it!!!
- Make fresh logs

virusinfo_syscure.zip
virusinfo_syscheck.zip
hijackthis.log
- Re-enable the antivirus and firewall
- Reconnect the PC to the internet/LAN
- Upload the quarantine via the "Send requested quarantine" link at the top of the thread (Appendix 2, item 4 of the rules).
- Attach the logs to a new post.

baksblr
01.10.2008, 21:30
About the script: it says "Error: ';' expected at position 19:1"


begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
executerepair(11);
executerepair(17);
QuarantineFile('rdpclip','');
QuarantineFile('mailKmd.sys','');
QuarantineFile('C:\Users\baks\AppData\Local\Temp\winpidn.exe','');
QuarantineFile('D:\Program Files\need\power strip\PStrip.exe','');
QuarantineFile('C:\Windows\system32\wmdrtc32.dll','');
QuarantineFile('C:\Windows\System32\wmdrtc32.bak','');
QuarantineFile('C:\Windows\system32\msiexec','');
QuarantineFile('C:\Windows\system32\IoctlSvc.exe','');
QuarantineFile('c:\users\baks\appdata\local\temp\winpidn.exe','');
QuarantineFile('C:\Users\baks\AppData\Local\Temp\winpffod.exe','');
QuarantineFile('C:\Users\baks\AppData\Local\Temp\winjxrgs.exe','');
QuarantineFile('C:\Users\baks\AppData\Local\Temp\winiyrlet.exe','');
QuarantineFile('C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2ECC.tmp','')
QuarantineFile('C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2ECC.tmp','')
QuarantineFile('C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2ECC.tmp','')
QuarantineFile('C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2ECC.tmp','')
QuarantineFile('C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2ECC.tmp','')
QuarantineFile('C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2ECC.tmp','')
QuarantineFile('C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2ECC.tmp','')
QuarantineFile('C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2ECC.tmp','')
QuarantineFile('C:\Documents and Settings\All Users\Application Data\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2ECC.tmp','')
QuarantineFile('C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2ECC.tmp','')
I'll now try sticking a semicolon at the end of each of the highlighted script statements and the ones after them. This is going to be a pain...
It worked! What's this, comrade helper?) A gross error, so to speak)
After the first two steps Explorer starts without problems and the crap processes no longer appear at startup. Very good!) Now let's deal with the rest...

Rene-gad
02.10.2008, 10:52
It worked! What's this, comrade helper?) A gross error, so to speak)
It happens... I've fixed the script; now post the logs.

baksblr
02.10.2008, 12:14
Running the script got rid of the rogue processes and nothing is being appended to shell anymore, but regedit & Task Manager got blocked again after a while. I also forgot to mention that the virus keeps rendering some exe files unusable.
I'll post the logs now.

Rene-gad
02.10.2008, 13:04
the virus keeps rendering some exe files unusable.
Run the treatment for file infectors: http://virusinfo.info/showthread.php?t=15927

baksblr
02.10.2008, 22:43
Here are the new logs. I'd like to solve the problem of the main system utilities getting blocked. I'll soon get around to treating it with Dr.Web from the disc)

V_Bond
02.10.2008, 22:55
get yourself cleaned with CureIt first ... only after that does it make sense to do anything else