1) Fix the following in HijackThis:
Code:
R3 - URLSearchHook: (no name) - - (no file)
O4 - HKLM\..\Run: [Tet-a-Tet] C:\Documents and Settings\Tanya\Local Settings\Temporary Internet Files\Content.IE5\KHCRIXSR\Tet-A-Tet[1].exe -m
O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe
O15 - Trusted Zone: *.p0rt2.com
O20 - AppInit_DLLs: cru629.dat
2) Run this script in AVZ:
Code:
begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
DeleteFileMask(GetAVZDirectory+'Quarantine', '*.*', true);
DelBHO('{83821C2B-32A8-4DD7-B6D4-44309A78E668}');
QuarantineFile('C:\Program Files\Mail.Ru\Agent\Mra\dll\newmrasearch.dll','');
QuarantineFile('cru629.dat','');
QuarantineFile('braviax.exe','');
QuarantineFile('C:\WINDOWS\system32\regedit.exe','');
QuarantineFile('C:\Documents and Settings\Tanya\Local Settings\Temporary Internet Files\Content.IE5\KHCRIXSR\Tet-A-Tet[1].exe','');
QuarantineFile('C:\Documents and Settings\LocalService\Local Settings\Application Data\ntias64\ntias64.dll','');
DeleteService('zclpk');
DeleteService('yzsrsxq');
DeleteService('ydxrctkzu');
DeleteService('xzwswr');
DeleteService('xzuqiac');
DeleteService('xxmxs');
DeleteService('xohfscmxy');
DeleteService('xalgyt');
DeleteService('wktpsvizu');
DeleteService('wgfvgt');
DeleteService('weprbcobi');
DeleteService('vxqpvbe');
DeleteService('vhxyijpy');
DeleteService('uytlfa');
DeleteService('uqstpe');
DeleteService('uqqfskgl');
DeleteService('tsurvw');
DeleteService('togiy');
DeleteService('tjgkhpyj');
DeleteService('tcvmomav');
DeleteService('sdrwdccmb');
DeleteService('rrvayvq');
DeleteService('rhabb');
DeleteService('ovkor');
DeleteService('oquytksxy');
DeleteService('oeawrscje');
DeleteService('odkqfh');
DeleteService('nxqvwgivm');
DeleteService('njccyjkyf');
DeleteService('nbvpm');
DeleteService('mmnawxb');
DeleteService('mdkfozd');
DeleteService('lojztpdz');
DeleteService('lmkqpex');
DeleteService('kydcwqr');
DeleteService('kglwlm');
DeleteService('jhbsgoa');
DeleteService('ixlxypd');
DeleteService('iwyqmpcd');
DeleteService('ismws');
DeleteService('igsfww');
DeleteService('hywnvwfaz');
DeleteService('httcaheif');
DeleteService('hqhkgntnx');
DeleteService('gmmclzteb');
DeleteService('gckonfmgr');
DeleteService('fnbtmx');
DeleteService('fhrlalre');
DeleteService('fcosrq');
DeleteService('ekrsfp');
DeleteService('eeakgw');
DeleteService('dszjskjwe');
DeleteService('djfdhq');
DeleteService('coqebazoh');
DeleteService('cgjsu');
DeleteService('atxqporqd');
DeleteService('amhku');
DeleteService('aihlfgd');
QuarantineFile('C:\WINDOWS\system32\04.tmp','');
QuarantineFile('C:\WINDOWS\system32\03.tmp','');
QuarantineFile('C:\WINDOWS\system32\02.tmp','');
QuarantineFile('C:\WINDOWS\system32\01.tmp','');
DeleteFile('C:\WINDOWS\system32\01.tmp');
DeleteFile('C:\WINDOWS\system32\03.tmp');
DeleteFile('C:\WINDOWS\system32\02.tmp');
DeleteFile('C:\WINDOWS\system32\04.tmp');
DeleteFile('C:\Documents and Settings\LocalService\Local Settings\Application Data\ntias64\ntias64.dll');
RegKeyParamDel('HKEY_USERS','.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run','ntias64');
RegKeyParamDel('HKEY_USERS','S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run','ntias64');
DeleteFile('C:\Documents and Settings\Tanya\Local Settings\Temporary Internet Files\Content.IE5\KHCRIXSR\Tet-A-Tet[1].exe');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','Tet-a-Tet');
DeleteFile('C:\WINDOWS\system32\regedit.exe');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','Regedit32');
DeleteFile('C:\WINDOWS\system32\braviax.exe');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run-','braviax');
DeleteFile('C:\WINDOWS\system32\cru629.dat');
DeleteFile('C:\Program Files\Mail.Ru\Agent\Mra\dll\newmrasearch.dll');
BC_ImportALL;
ExecuteSysClean;
ExecuteWizard('TSW', 3, 3, true);
ExecuteWizard('SCU', 2, 2, true);
BC_Activate;
RebootWindows(true);
end.
The computer will reboot.
3) Then run the second script in AVZ:
Code:
begin
CreateQurantineArchive(GetAVZDirectory+'quarantine.zip');
end.
Upload the quarantine.zip file from the AVZ folder via the "send requested quarantine" link at the top of the thread.
4) Make new logs according to the rules, plus this log: http://virusinfo.info/showthread.php?t=40118
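Before posting an AVZ script like the one in step 2, a helper usually wants to confirm that every DeleteFile target was first sent to quarantine, so a sample survives if the file later turns out to be legitimate or needs analysis. The following Python checker is an added example, not part of this post or of AVZ: it parses an excerpt constructed from the script above and reports DeleteFile calls with no QuarantineFile of the same basename, QuarantineFile calls given only a bare filename, and the autorun registry values the script removes.

```python
import re
from pathlib import PureWindowsPath
# Constructed excerpt modelled on the AVZ script in the post above (not the full script).
SAMPLE_SCRIPT = r"""
begin
QuarantineFile('cru629.dat','');
QuarantineFile('C:\WINDOWS\system32\regedit.exe','');
QuarantineFile('C:\WINDOWS\system32\01.tmp','');
DeleteFile('C:\WINDOWS\system32\01.tmp');
DeleteFile('C:\WINDOWS\system32\regedit.exe');
DeleteFile('C:\WINDOWS\system32\braviax.exe');
DeleteFile('C:\WINDOWS\system32\cru629.dat');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','Regedit32');
BC_ImportALL;
RebootWindows(true);
end.
"""

# One AVZ call per line, Name(args); the arguments we care about are single-quoted strings.
CALL_RE = re.compile(r"^\s*(\w+)\((.*)\);\s*$")

def parse_calls(script):
    """Yield (function_name, [quoted string arguments]) for each call line."""
    for line in script.splitlines():
        m = CALL_RE.match(line)
        if m:
            yield m.group(1), re.findall(r"'([^']*)'", m.group(2))

def audit(script):
    """Cross-check DeleteFile against QuarantineFile and list the autorun values removed."""
    quarantined = set()          # lower-cased basenames covered by a QuarantineFile call
    bare_name_quarantine = []    # QuarantineFile given a filename with no directory
    deleted = []                 # DeleteFile targets, in script order
    run_values_removed = []      # hive\key\value for each RegKeyParamDel
    for name, args in parse_calls(script):
        if name == "QuarantineFile" and args:
            path = PureWindowsPath(args[0])
            quarantined.add(path.name.lower())
            if path.parent == PureWindowsPath("."):
                bare_name_quarantine.append(args[0])
        elif name == "DeleteFile" and args:
            deleted.append(args[0])
        elif name == "RegKeyParamDel" and len(args) == 3:
            run_values_removed.append("\\".join(args))
    # A file deleted without a same-named quarantine leaves no sample to analyse or restore.
    missing = [p for p in deleted if PureWindowsPath(p).name.lower() not in quarantined]
    return {"deleted_without_quarantine": missing,
            "bare_name_quarantine": bare_name_quarantine,
            "run_values_removed": run_values_removed}
```

Calling `audit(SAMPLE_SCRIPT)` on the excerpt flags braviax.exe as deleted without a quarantine copy and cru629.dat as quarantined by bare name only.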