"Пофиксите" в HijackThis
Код:
F2 - REG:system.ini: Shell=Explorer.exe svcroot.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\portmap.exe
F2 - REG:system.ini: UserInit=userinit.exe,riodrv.exe,C:\WINDOWS\system32\sdra64.exe,
В AVZ -> файл-> Выполнить скрипт
Код:
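begin
// Look for rootkit hooks first, then switch on AVZGuard so the items handled
// below cannot interfere while the rest of the script runs.
SearchRootkit(true, true);
SetAVZGuardStatus(True);
// Copy every suspect file into the AVZ quarantine BEFORE it is deleted; the
// quarantine archive is what gets uploaded for analysis, so each path that is
// deleted further down is quarantined here with the same spelling.
// The bare names (svcroot.exe, riodrv.exe, digiwet.dll) are given without a
// directory, as they appear in the HijackThis lines; AVZ resolves them itself —
// NOTE(review): confirm they are found, or add the full path if it is known.
QuarantineFile('svcroot.exe','');
QuarantineFile('C:\WINDOWS\system32\alderlcm.dll','');
QuarantineFile('riodrv.exe','');
QuarantineFile('digiwet.dll','');
QuarantineFile('C:\WINDOWS\system32\sdra64.exe','');
QuarantineFile('C:\WINDOWS\system32\portmap.exe','');
QuarantineFile('C:\Documents and Settings\user\.exe','');
QuarantineFile('C:\WINDOWS\system32\drivers\ws2_32sik.sys','');
QuarantineFile('C:\WINDOWS\system32\drivers\securentm.sys','');
QuarantineFile('C:\WINDOWS\system32\drivers\acpi32.sys','');
// netsik.sys and the explicit system32 copy of svcroot.exe are deleted below
// but were not quarantined in the original script; added so a copy of each
// reaches the quarantine like every other deleted file.
QuarantineFile('C:\WINDOWS\system32\drivers\netsik.sys','');
QuarantineFile('C:\WINDOWS\system32\svcroot.exe','');
QuarantineFile('C:\WINDOWS\system32\mmfinfo.dll','');
QuarantineFile('C:\WINDOWS\system32\mkunicode.dll','');
// servises.exe is a running process: stop it first, otherwise the copy and
// the later delete may fail on an open file.
TerminateProcessByName('c:\windows\system32\servises.exe');
QuarantineFile('c:\windows\system32\servises.exe','');
QuarantineFile('C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KHG10D0F\1[1].exe','');
QuarantineFile('C:\WINDOWS\Temp\rdl9F.tmp.exe','');
// Removal of the files quarantined above. Order matters: nothing here may be
// deleted before its QuarantineFile call has run.
DeleteFile('C:\WINDOWS\Temp\rdl9F.tmp.exe');
DeleteFile('C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KHG10D0F\1[1].exe');
DeleteFile('c:\windows\system32\servises.exe');
DeleteFile('C:\WINDOWS\system32\mkunicode.dll');
DeleteFile('C:\WINDOWS\system32\mmfinfo.dll');
DeleteFile('C:\WINDOWS\system32\drivers\acpi32.sys');
DeleteFile('C:\WINDOWS\system32\drivers\netsik.sys');
DeleteFile('C:\WINDOWS\system32\drivers\securentm.sys');
DeleteFile('C:\WINDOWS\system32\drivers\ws2_32sik.sys');
DeleteFile('C:\Documents and Settings\user\.exe');
DeleteFile('C:\WINDOWS\system32\portmap.exe');
DeleteFile('C:\WINDOWS\system32\sdra64.exe');
DeleteFile('digiwet.dll');
DeleteFile('riodrv.exe');
// svcroot.exe is removed both by bare name (as listed in system.ini) and by
// its explicit system32 path, in case the two resolve differently.
DeleteFile('svcroot.exe');
DeleteFile('C:\WINDOWS\system32\svcroot.exe');
// Tighten Internet Explorer URL-action settings for zone 3 under HKCU
// (zone 3 is normally "Restricted sites" — confirm against the IE docs).
// The original script wrote value 2201 twice (first 1, then 3); only the
// final write takes effect, so the dead first write is dropped here.
RegKeyIntParamWrite('HKCU', 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\', '2201', 3);
RegKeyIntParamWrite('HKCU', 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\', '1004', 3);
RegKeyIntParamWrite('HKCU', 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\', '1001', 1);
RegKeyIntParamWrite('HKCU', 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\', '1201', 3);
// Deferred (boot-time) cleanup via AVZ's BC_* (BootCleaner) calls: import the
// pending operations, queue removal of every service/driver entry below, and
// activate the queue further down so it runs on the reboot before the
// malicious drivers can load again. The service names are taken from the
// user's logs; most mimic or concatenate legitimate Windows service names.
BC_ImportAll;
BC_DeleteSvc('acpi32');
BC_DeleteSvc('ws2_32sik');
BC_DeleteSvc('securentm');
BC_DeleteSvc('netsik');
BC_DeleteSvc('winmgmtSchedule');
BC_DeleteSvc('UPSWmdmPmSN');
BC_DeleteSvc('TrkWksAudioSrv');
BC_DeleteSvc('TapiSrvEventlog');
BC_DeleteSvc('SSDPSRVUPSWmdmPmSN');
BC_DeleteSvc('ShellHWDetectionW32TimeALG');
BC_DeleteSvc('ShellHWDetectionW32Time');
BC_DeleteSvc('SavRoam');
BC_DeleteSvc('RSVPSysmonLog');
BC_DeleteSvc('NtLmSspaspnet_state');
BC_DeleteSvc('NlaRDSessMgr');
BC_DeleteSvc('Netlogonlanmanworkstation');
BC_DeleteSvc('NetDDEdmadmin');
BC_DeleteSvc('MessengerNla');
BC_DeleteSvc('LmHostssrservice');
BC_DeleteSvc('FguyvfiqvbNetlogonlanmanworkstation');
BC_DeleteSvc('EventSystemVSS');
BC_DeleteSvc('DnscacheccSetMgrUMWdf');
BC_DeleteSvc('DefWatchCiSvc');
BC_DeleteSvc('COMSysAppNla');
BC_DeleteSvc('ClipSrvWmiApSrv');
BC_DeleteSvc('ccSetMgrUMWdf');
BC_DeleteSvc('AppMgmtShellHWDetectionW32TimeALG');
BC_DeleteSvc('ALGxmlprov');
BC_DeleteSvc('ALGBITS');
// Generic system cleanup, then two repair-wizard actions by number (13 and 16;
// see the AVZ repair list for what each one restores).
ExecuteSysClean;
ExecuteRepair(13);
ExecuteRepair(16);
// Arm the BootCleaner queue; the forced reboot is what makes it execute.
BC_Activate;
RebootWindows(true);
end.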
Компьютер перезагрузится.
Пришлите карантин согласно правилам по ссылке http://virusinfo.info/upload_virus.php?tid=47311
AVZ => Файл => Мастер поиска и устранения проблем. Категория проблемы - поставьте "Системные проблемы", степень опасности - "Все проблемы". Нажмите "Пуск". Всё найденное следует пометить и пофиксить.
Повторите логи по правилам.