1. Пофиксите в HJT:
Код:
F2 - REG:system.ini: Shell=Explorer.exe csrcs.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
2. Выполните скрипт в AVZ:
Код:
begin
// Empty the AVZ quarantine folder first, so the quarantine.zip built at the end of this
// run contains only the files collected by this script.
DeleteFileMask(GetAVZDirectory+'Quarantine', '*.*', true);
// Anti-rootkit scan and AVZGuard are enabled before anything is touched, so the malware
// has less chance to interfere with the quarantine/delete steps below.
SearchRootkit(true, true);
SetAVZGuardStatus(true);
// Stop the running malicious processes by full path, so the DeleteFile calls further down
// are not blocked by open handles on these executables.
TerminateProcessByName('c:\docume~1\admin\locals~1\temp\bn1.tmp');
TerminateProcessByName('c:\docume~1\admin\locals~1\temp\bn2.tmp');
TerminateProcessByName('c:\windows\system32\av_md.exe');
TerminateProcessByName('c:\documents and settings\admin\av_md.exe');
// Quarantine (copy into the AVZ quarantine) every suspicious file BEFORE it is deleted,
// so a sample of each one survives for analysis. The second argument is the AVZ
// quarantine comment and is left empty here.
QuarantineFile('C:\Documents and Settings\Admin\Application Data\msmedia.dll','');
QuarantineFile('C:\WINDOWS\system32\sysmgr.exe','');
QuarantineFile('C:\WINDOWS\system32\lummy.exe','');
QuarantineFile('C:\WINDOWS\system32\csrcs.exe','');
QuarantineFile('C:\WINDOWS\system32\foudac.exe','');
QuarantineFile('C:\WINDOWS\System32\Drivers\mvaxsjlh.sys','');
// Remove the two services; 'mvaxsjlh' matches the driver file quarantined just above,
// so the driver is no longer registered to load at boot.
DeleteService('eioyoj7hz8ql04yi');
DeleteService('mvaxsjlh');
QuarantineFile('C:\WINDOWS\system32\mkunicode.dll','');
QuarantineFile('C:\WINDOWS\system32\mmfinfo.dll','');
QuarantineFile('C:\WINDOWS\system32\av_md.exe','');
QuarantineFile('C:\DOCUME~1\Admin\LOCALS~1\Temp\BN2.tmp','');
QuarantineFile('C:\DOCUME~1\Admin\LOCALS~1\Temp\BN1.tmp','');
QuarantineFile('C:\Documents and Settings\Admin\av_md.exe','');
// Delete the files on disk. Every path here was quarantined above; if a file is still
// locked, the Boot Cleaner steps at the end take care of it on reboot.
// NOTE(review): mkunicode.dll and mmfinfo.dll are quarantined but NOT deleted here --
// confirm whether that is intentional.
DeleteFile('C:\Documents and Settings\Admin\av_md.exe');
DeleteFile('C:\DOCUME~1\Admin\LOCALS~1\Temp\BN1.tmp');
DeleteFile('C:\DOCUME~1\Admin\LOCALS~1\Temp\BN2.tmp');
DeleteFile('C:\WINDOWS\system32\av_md.exe');
DeleteFile('C:\WINDOWS\System32\Drivers\mvaxsjlh.sys');
DeleteFile('C:\WINDOWS\system32\foudac.exe');
DeleteFile('C:\WINDOWS\system32\csrcs.exe');
DeleteFile('C:\WINDOWS\system32\lummy.exe');
DeleteFile('C:\WINDOWS\system32\sysmgr.exe');
DeleteFile('C:\Documents and Settings\Admin\Application Data\msmedia.dll');
// Clears the whole %tmp% tree ('*.*' with the recursion flag set), not just BN1/BN2:
// any other temporary files of the user are lost as well.
DeleteFileMask('%tmp%','*.*',true);
// Remove the two Browser Helper Objects by CLSID.
DelBHO('{88888888-8888-8888-8888-888888888888}');
DelBHO('{9D64F819-9380-8473-DAB2-702FCB3D7A3E}');
// Remove the autorun values (Run, Policies\Explorer\Run, RunServices) that would restart
// the malware after reboot. The Shell= entry in system.ini is handled separately in HJT.
RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\Run','av_md');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','av_md');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run','csrcs');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','Microsoft(R) System Manager');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\RunServices','fopetar');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','fopetar');
// Hand the list of deleted files to Boot Cleaner (BC) so anything still locked is removed
// during the next boot, run the system cleanup and the troubleshooting wizard, then
// activate BC.
BC_ImportDeletedList;
ExecuteSysClean;
ExecuteWizard('TSW', 2, 2, true);
BC_Activate;
// Pack the quarantine folder into quarantine.zip next to AVZ; this archive is what the
// thread asks to be uploaded. (The function name is spelled this way in the AVZ API.)
CreateQurantineArchive(GetAVZDirectory+'quarantine.zip');
// Forced reboot, required for the Boot Cleaner actions to complete.
RebootWindows(true);
end.
После выполнения скрипта компьютер перезагрузится.
3. Файл quarantine.zip из папки AVZ закачайте по ссылке «Прислать запрошенный карантин» вверху темы.
4. Сделайте новые логи