Пофиксите в HijackThis:
Код:
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\oembios.exe,
O4 - HKLM\..\Run: [RavTimeXP] C:\WINDOWS\TEMP\CZZW.exe
O4 - HKLM\..\Run: [System32] C:\WINDOWS\system32\winds32.exe
O4 - HKLM\..\Run: [services] C:\WINDOWS\services.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\faceback.exe 61A847B5BBF72810358B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKLM\..\Run: [Cpl32ver] C:\WINDOWS\System32\Cpl32ver.exe
O4 - HKLM\..\Run: [msbilltrust.exe] C:\WINDOWS\msbilltrust.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [lphcatkj0ened] C:\WINDOWS\system32\lphcatkj0ened.exe
O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe
O4 - HKCU\..\Run: [neos] C:\WINDOWS\neos.exe
O4 - HKCU\..\Run: [iexplorer] C:\WINDOWS\iexplorer.exe --system
O4 - HKCU\..\Run: [cpucooler] C:\WINDOWS\cpucooler.exe
O4 - HKCU\..\Run: [nmapi32.exe] C:\WINDOWS\system32\wpx98.cpx
O4 - HKCU\..\Run: [msbilltrust.exe] C:\WINDOWS\msbilltrust.exe
O20 - Winlogon Notify: lvztytj - C:\WINDOWS\SYSTEM32\lvztytj32.dll
O20 - Winlogon Notify: pcixmm - pcixmm.dll (file missing)
Выполните скрипт в AVZ:
Код:
// AVZ cleanup script (AVZ's Pascal-style scripting language).
// Statement order is deliberate: rootkit scan and AVZGuard first, then
// quarantine copies of every suspicious file, then deletion, then deferred
// (boot-time) service removal, then registry repairs, then a reboot.
begin
// Anti-rootkit scan; both arguments are the neutralisation flags (user- and
// kernel-mode hooks), so hooks are removed before the file operations below.
SearchRootkit(true, true);
// Enable AVZGuard so running malware cannot block the script's file and
// registry operations.
SetAVZGuardStatus(True);
// --- Quarantine phase: copy every file into AVZ's quarantine BEFORE it is
// deleted, so the samples can be uploaded for analysis (see the request for
// the quarantine archive below the script). Paths correspond to the F2, O4
// and O20 entries of the HijackThis log above unless noted otherwise.
// Removable-drive autorun.inf; not in the HijackThis log (presumably from
// another log of this thread — NOTE(review): verify).
QuarantineFile('F:\autorun.inf','');
// The O20 entry reports pcixmm.dll as "(file missing)" and gives no
// directory, so this bare-name call is a best-effort lookup only.
QuarantineFile('pcixmm.dll','');
// O20 Winlogon Notify DLL (lvztytj).
QuarantineFile('C:\WINDOWS\SYSTEM32\lvztytj32.dll','');
// O4 HKCU [nmapi32.exe] — note the executable is disguised with a .cpx extension.
QuarantineFile('C:\WINDOWS\system32\wpx98.cpx','');
// O4 HKLM [System32].
QuarantineFile('C:\WINDOWS\system32\winds32.exe','');
// F2 UserInit: oembios.exe is appended to the legitimate userinit.exe,
// so it starts at every logon.
QuarantineFile('C:\WINDOWS\system32\oembios.exe','');
// O4 HKLM [lphcatkj0ened] and its companion screensaver (the .scr is not
// in the HijackThis log; presumably seen elsewhere in the thread).
QuarantineFile('C:\WINDOWS\system32\lphcatkj0ened.exe','');
QuarantineFile('C:\WINDOWS\system32\blphcatkj0ened.scr','');
// O4 HKCU [amva].
QuarantineFile('C:\WINDOWS\system32\amvo.exe','');
// O4 HKLM [services] — NOT the legitimate services.exe, which lives in
// system32, not in C:\WINDOWS.
QuarantineFile('C:\WINDOWS\services.exe','');
// O4 HKCU [neos].
QuarantineFile('C:\WINDOWS\neos.exe','');
// O4 HKLM and HKCU [msbilltrust.exe] (listed twice in the log, one file).
QuarantineFile('C:\WINDOWS\msbilltrust.exe','');
// O4 HKCU [iexplorer] — name mimics Internet Explorer's iexplore.exe.
QuarantineFile('C:\WINDOWS\iexplorer.exe','');
// O4 HKLM [runner1].
QuarantineFile('C:\WINDOWS\faceback.exe','');
// O4 HKCU [cpucooler].
QuarantineFile('C:\WINDOWS\cpucooler.exe','');
// O4 HKLM [RavTimeXP], dropped in the TEMP directory.
QuarantineFile('C:\WINDOWS\TEMP\CZZW.exe','');
// O4 HKLM [Cpl32ver]. Quarantined only — there is no DeleteFile for it
// below; NOTE(review): confirm that is intentional.
QuarantineFile('C:\WINDOWS\System32\Cpl32ver.exe','');
// Not in the HijackThis log (presumably from another log of this thread).
QuarantineFile('C:\WINDOWS\TEMP\mqz1.tmp','');
// Same file as the SYSTEM32\lvztytj32.dll call above (path differs only in
// case); redundant but harmless.
QuarantineFile('C:\WINDOWS\system32\lvztytj32.dll','');
// Executables behind the CcEvtSvc / CbEvtSvc services removed below.
QuarantineFile('C:\WINDOWS\System32\CcEvtSvc.exe','');
QuarantineFile('C:\WINDOWS\System32\CbEvtSvc.exe','');
// Quarantined only, not deleted below — NOTE(review): confirm intentional.
QuarantineFile('C:\WINDOWS\system32\basewoh32.dll','');
QuarantineFile('C:\WINDOWS\msbilltrust.dll','');
// --- Deletion phase. Only files already quarantined above are deleted.
DeleteFile('C:\WINDOWS\System32\CbEvtSvc.exe');
DeleteFile('C:\WINDOWS\System32\CcEvtSvc.exe');
DeleteFile('C:\WINDOWS\system32\lvztytj32.dll');
DeleteFile('C:\WINDOWS\TEMP\mqz1.tmp');
DeleteFile('C:\WINDOWS\TEMP\CZZW.exe');
DeleteFile('C:\WINDOWS\faceback.exe');
DeleteFile('C:\WINDOWS\iexplorer.exe');
DeleteFile('C:\WINDOWS\msbilltrust.exe');
DeleteFile('C:\WINDOWS\neos.exe');
DeleteFile('C:\WINDOWS\services.exe');
DeleteFile('C:\WINDOWS\system32\amvo.exe');
DeleteFile('C:\WINDOWS\system32\blphcatkj0ened.scr');
DeleteFile('C:\WINDOWS\system32\lphcatkj0ened.exe');
DeleteFile('C:\WINDOWS\system32\oembios.exe');
DeleteFile('C:\WINDOWS\system32\winds32.exe');
DeleteFile('C:\WINDOWS\system32\wpx98.cpx');
// Duplicate of the lvztytj32.dll DeleteFile above; harmless.
DeleteFile('C:\WINDOWS\system32\lvztytj32.dll');
DeleteFile('F:\autorun.inf');
// Hand the DeleteFile list to the Boot Cleaner (BC_) so anything still
// locked (e.g. the Winlogon Notify DLL loaded into winlogon) is removed
// at the reboot triggered at the end.
BC_ImportDeletedList;
// AVZ's generic system cleanup.
ExecuteSysClean;
// --- Service removal, deferred to reboot by the Boot Cleaner. Most of
// these names look like concatenations of two legitimate Windows service
// names (e.g. 'WZCSVCCryptSvc', 'winmgmtWebClient'), a disguise that makes
// them easy to overlook in a service list; the real services are untouched.
BC_DeleteSvc('Winpw87');
BC_DeleteSvc('Winjp28');
BC_DeleteSvc('Niv67');
BC_DeleteSvc('WZCSVCCryptSvc');
BC_DeleteSvc('WmdmPmSNWmiApSrv');
BC_DeleteSvc('winmgmtWebClient');
BC_DeleteSvc('VSSSamSs');
BC_DeleteSvc('upnphostUMWdf');
BC_DeleteSvc('Themessrservice');
BC_DeleteSvc('SwPrvwuauserv');
BC_DeleteSvc('ProtectedStorageCOMSysApp');
BC_DeleteSvc('PlugPlayCOMSysApp');
BC_DeleteSvc('NetDDEdsdm Smart');
BC_DeleteSvc('MSIServerTlntSvr');
BC_DeleteSvc('MDMDnscache');
BC_DeleteSvc('ImapiServicePlugPlayCOMSysApp');
BC_DeleteSvc('Eventloglanmanworkstation');
BC_DeleteSvc('EventlogEventSystem');
BC_DeleteSvc('dmserverRasAutoTapiSrv');
BC_DeleteSvc('dmserverRasAuto');
BC_DeleteSvc('ATIMessengerShellHWDetection');
BC_DeleteSvc('ATIMessenger');
// Services whose binaries were quarantined and deleted above.
BC_DeleteSvc('CcEvtSvc');
BC_DeleteSvc('CbEvtSvc');
// Arm the Boot Cleaner; its queued file and service deletions run on the
// next boot.
BC_Activate;
// AVZ system-repair items (numbering per AVZ's "System repair" menu):
// 5 = restore desktop settings, 6 = remove current-user policy
// restrictions, 8 = restore Explorer settings. These undo the lockdown
// typically left behind by this kind of infection; adjust if the AVZ
// version in use numbers the items differently.
ExecuteRepair(5);
ExecuteRepair(6);
ExecuteRepair(8);
// Writes DWORD 1 for this CLSID under the NonEnum policy key, which stops
// the corresponding shell namespace item from being enumerated.
// NOTE(review): the page does not say which item this CLSID is or why it
// is hidden — confirm with the helper who wrote the script.
RegKeyIntParamWrite( 'HKLM', 'SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum', '{BDEADF00-C265-11D0-BCED-00A0C90AB50F}', 1);
// Forced reboot so the Boot Cleaner actions queued above take effect.
RebootWindows(true);
end.
Компьютер перезагрузится.
Пришлите карантин согласно приложению 3 правил
(загружать тут: http://virusinfo.info/upload_virus.php?tid=29641).
Сделайте новые логи, начиная с п.10 правил.