1. Please disable System Restore and your antivirus (if you have one) for the duration of the cleanup. Note that switching System Restore off discards the existing restore points, which may themselves hold copies of the infected files.
2. Execute the following script in AVPTool (it quarantines and removes the files and autorun entries listed in your log, then reboots):
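begin
  // Housekeeping first: restore the hosts file, look for rootkit hooks, and
  // switch AVZGuard on so the running malware cannot block the cleanup.
  ClearHostsFile;
  SearchRootkit(true, true);
  SetAVZGuardStatus(True);
  // 221 = 0xDD disables AutoRun for every drive type except CD-ROM (bit 0x20).
  // Use 255 (0xFF) instead if AutoRun should be disabled for optical drives too.
  RegKeyIntParamWrite('HKLM','SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer','NoDriveTypeAutoRun', 221);
  // Quarantine copies of every suspect file BEFORE anything is terminated or
  // deleted, so the samples survive for analysis (step 3 uploads them).
  QuarantineFile('C:\vbobovdozjx.bat','');
  DelBHO('{5067A26B-1337-4436-8AFE-EE169C2DA79F}');
  QuarantineFile('C:\WINDOWS\system32\qdxrlzogypkbbhkwfi.exe','');
  QuarantineFile('C:\WINDOWS\system32\htmfylzqhxrhglnyg.exe','');
  QuarantineFile('C:\WINDOWS\system32\dtqnkbtojdbvyhncourhe.exe','');
  QuarantineFile('C:\WINDOWS\system32\aldvnzmcshapnrsc.exe','');
  QuarantineFile('C:\DOCUME~1\User\LOCALS~1\Temp\qdxrlzogypkbbhkwfi.exe','');
  // The two names below carry a trailing " ." exactly as they appeared in the
  // autorun log. Win32 normally strips trailing dots/spaces when opening a
  // path, so the plain names are handled as well in case AVZ passes the
  // string through unchanged.
  QuarantineFile('C:\DOCUME~1\User\LOCALS~1\Temp\odzvrhysmfcvxfkyjokz.exe .','');
  QuarantineFile('C:\DOCUME~1\User\LOCALS~1\Temp\odzvrhysmfcvxfkyjokz.exe','');
  QuarantineFile('C:\DOCUME~1\User\LOCALS~1\Temp\dtqnkbtojdbvyhncourhe.exe .','');
  QuarantineFile('C:\DOCUME~1\User\LOCALS~1\Temp\dtqnkbtojdbvyhncourhe.exe','');
  QuarantineFile('C:\DOCUME~1\User\LOCALS~1\Temp\bpkfapfyrjfxyfjwgkf.exe','');
  QuarantineFile('C:\DOCUME~1\User\LOCALS~1\Temp\opxfnp.exe','');
  QuarantineFile('C:\DOCUME~1\User\LOCALS~1\Temp\jkzenlsw.dll','');
  QuarantineFile('C:\DOCUME~1\User\LOCALS~1\Temp\aldvnzmcshapnrsc.exe','');
  // Stop the two droppers that were seen running; duplicate quarantine calls
  // for these same paths (differing only in case) were removed - Windows paths
  // are case-insensitive.
  TerminateProcessByName('c:\docume~1\user\locals~1\temp\opxfnp.exe');
  TerminateProcessByName('c:\docume~1\user\locals~1\temp\aldvnzmcshapnrsc.exe');
  // Delete the %TEMP% payloads and the autorun values that launch them.
  // Anything still locked is handed to BootCleaner (BC_* below) for removal
  // on reboot, which is why the system32 copies are not terminated here.
  DeleteFile('C:\DOCUME~1\User\LOCALS~1\Temp\aldvnzmcshapnrsc.exe');
  DeleteFile('C:\DOCUME~1\User\LOCALS~1\Temp\opxfnp.exe');
  DeleteFile('C:\DOCUME~1\User\LOCALS~1\Temp\jkzenlsw.dll');
  DeleteFile('C:\DOCUME~1\User\LOCALS~1\Temp\bpkfapfyrjfxyfjwgkf.exe');
  RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','sbrhxhsguhylhj');
  // S-1-5-21-...-1003 is the infected user's SID from the log; the same value
  // names recur under HKLM, so both hives are cleaned.
  RegKeyParamDel('HKEY_USERS','S-1-5-21-1229272821-362288127-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Run','qtdnxbgo');
  DeleteFile('C:\DOCUME~1\User\LOCALS~1\Temp\dtqnkbtojdbvyhncourhe.exe .');
  DeleteFile('C:\DOCUME~1\User\LOCALS~1\Temp\dtqnkbtojdbvyhncourhe.exe');
  RegKeyParamDel('HKEY_USERS','S-1-5-21-1229272821-362288127-725345543-1003\Software\Microsoft\Windows\CurrentVersion\RunOnce','hlwhsxdmv');
  DeleteFile('C:\DOCUME~1\User\LOCALS~1\Temp\odzvrhysmfcvxfkyjokz.exe .');
  DeleteFile('C:\DOCUME~1\User\LOCALS~1\Temp\odzvrhysmfcvxfkyjokz.exe');
  RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\RunOnce','rzodsblylxnzu');
  DeleteFile('C:\DOCUME~1\User\LOCALS~1\Temp\qdxrlzogypkbbhkwfi.exe');
  // Policies\Explorer\Run is a less common autostart location that many
  // tools overlook; the malware used it alongside the ordinary Run keys.
  RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run','bdmvehl');
  DeleteFile('C:\WINDOWS\system32\aldvnzmcshapnrsc.exe');
  RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\RunOnce','hlwhsxdmv');
  RegKeyParamDel('HKEY_USERS','S-1-5-21-1229272821-362288127-725345543-1003\Software\Microsoft\Windows\CurrentVersion\RunOnce','sznbpxgsepep');
  DeleteFile('C:\WINDOWS\system32\dtqnkbtojdbvyhncourhe.exe');
  RegKeyParamDel('HKEY_USERS','S-1-5-21-1229272821-362288127-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Run','vbobovdozjx');
  DeleteFile('C:\WINDOWS\system32\htmfylzqhxrhglnyg.exe');
  RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run','afrdpvcmwf');
  DeleteFile('C:\WINDOWS\system32\qdxrlzogypkbbhkwfi.exe');
  RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','qtdnxbgo');
  // autorun.inf + .bat pair on the roots of C: and D: is the worm's spreading
  // mechanism. Only the drives seen in the log are covered - check any other
  // fixed or removable drive letters present on the machine as well.
  DeleteFile('C:\autorun.inf');
  DeleteFile('C:\vbobovdozjx.bat');
  DeleteFile('D:\autorun.inf');
  DeleteFile('D:\vbobovdozjx.bat');
  // Wipe the whole %TMP% tree (recursive), since the droppers live there.
  // The stray trailing spaces the original had inside both arguments
  // ('%tmp% ', '*.* ') were removed - they are not part of the path or mask.
  DeleteFileMask('%tmp%', '*.*', true);
  // Queue locked files for BootCleaner, run the standard system-clean wizards,
  // arm BootCleaner and AVZPM, then reboot so the deferred deletions happen.
  BC_ImportDeletedList;
  ExecuteSysClean;
  ExecuteWizard('TSW', 3, 3, true);
  ExecuteWizard('SCU', 3, 3, true);
  BC_Activate;
  SetAVZPMStatus(True);
  RebootWindows(true);
end.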
3. After the reboot, execute this script in AVPTool to pack the quarantined samples into a single archive:
var ArchivePath: string;
begin
  // Bundle everything AVZ put into quarantine during step 2 into one ZIP
  // so it can be uploaded for analysis. (CreateQurantineArchive is the
  // AVZ API's own spelling.)
  ArchivePath := 'C:\quarantine.zip';
  CreateQurantineArchive(ArchivePath);
end.
Upload the file C:\quarantine.zip via this link: http://virusinfo.info/upload_virus.php?tid=62467
4. Execute this script in AVPTool; it restores the original ImagePath of the BITS and Windows Update (wuauserv) services in every control set, which the malware had altered:
var SetIdx: integer; SvcIdx: integer; SetName: string; SvcName: string; KeyPath: string;
begin
  // Walk CurrentControlSet plus ControlSet001..ControlSet999 and, wherever the
  // BITS or wuauserv service key exists, reset the key's ACL (the malware may
  // have locked it) and put the stock svchost ImagePath back.
  for SetIdx := 0 to 999 do
  begin
    // Zero-padded control-set names: ControlSet001, ControlSet010, ControlSet100.
    if SetIdx = 0 then
      SetName := 'CurrentControlSet'
    else if SetIdx < 10 then
      SetName := 'ControlSet00' + IntToStr(SetIdx)
    else if SetIdx < 100 then
      SetName := 'ControlSet0' + IntToStr(SetIdx)
    else
      SetName := 'ControlSet' + IntToStr(SetIdx);
    // Same repair for both services, BITS first then wuauserv.
    for SvcIdx := 0 to 1 do
    begin
      if SvcIdx = 0 then
        SvcName := 'BITS'
      else
        SvcName := 'wuauserv';
      KeyPath := 'SYSTEM\' + SetName + '\Services\' + SvcName;
      if RegKeyExistsEx('HKLM', KeyPath) then
      begin
        RegKeyResetSecurity('HKLM', KeyPath);
        // NOTE(review): written as a plain string value; the stock ImagePath
        // is REG_EXPAND_SZ - confirm both services start after the fix.
        RegKeyStrParamWrite('HKLM', KeyPath, 'ImagePath', '%SystemRoot%\System32\svchost.exe -k netsvcs');
        AddToLog('Значение параметра ImagePath в разделе реестра HKLM\' + KeyPath + ' исправлено на оригинальное.');
      end;
    end;
  end;
  // Log is written next to the AVZ executable; step 5 asks for it.
  SaveLog(GetAVZDirectory + 'fystemRoot.log');
end.
5. Attach a fresh log to your next post.