В AVZ выполните скрипт:
Код:
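// Reset the security descriptor of a registry key and, recursively, of every
// subkey below it.
// ARoot - root hive name as accepted by the AVZ registry functions (the
//         script below passes 'HKLM').
// AName - key path below ARoot.
// Returns true once the walk has completed. The underlying RegKeyResetSecurity
// calls return nothing that is checked here, so the result does not say
// whether the reset itself succeeded.
Function RegKeyResetSecurityEx(ARoot, AName : string) : boolean;
var
 i : integer;
 KeyList : TStringList;
 KeyName : string;
begin
 // the original never assigned Result, so callers got an undefined value
 Result := true;
 RegKeyResetSecurity(ARoot, AName);
 KeyList := TStringList.Create;
 RegKeyEnumKey(ARoot, AName, KeyList);
 for i := 0 to KeyList.Count-1 do
 begin
  KeyName := AName+'\'+KeyList[i];
  // the recursive call resets KeyName itself as its first step, so the
  // separate RegKeyResetSecurity(ARoot, KeyName) the original did here
  // only repeated the same work
  RegKeyResetSecurityEx(ARoot, KeyName);
 end;
 KeyList.Free;
end;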
// Stop and remove the service AServiceName and delete its Services key from
// every subkey of HKLM\SYSTEM whose name contains 'controlset'.
// AIsSvcHosted chooses between BC_DeleteSvcReg (true) and BC_DeleteSvc (false)
// and is passed negated to DeleteService.
// Returns a bit mask: 1 - StopService succeeded, 2 - DeleteService succeeded,
// 4 - at least one Services\AServiceName key was found, 8 - at least one such
// key still existed after RegKeyDel (i.e. the delete did not take effect).
Function BC_ServiceKill(AServiceName : string; AIsSvcHosted : boolean = true) : byte;
var
 Idx : integer;
 ControlSets : TStringList;
 SvcKey : string;
begin
 Result := 0;
 if StopService(AServiceName) then
  Result := Result or 1;
 if DeleteService(AServiceName, not(AIsSvcHosted)) then
  Result := Result or 2;
 ControlSets := TStringList.Create;
 RegKeyEnumKey('HKLM','SYSTEM', ControlSets);
 Idx := 0;
 while Idx < ControlSets.Count do
 begin
  // only ControlSet* subkeys carry a Services tree
  if pos('controlset', LowerCase(ControlSets[Idx])) > 0 then
  begin
   SvcKey := 'SYSTEM\'+ControlSets[Idx]+'\Services\'+AServiceName;
   if RegKeyExistsEx('HKLM', SvcKey) then
   begin
    Result := Result or 4;
    // take ownership of the whole subtree before deleting it
    RegKeyResetSecurityEx('HKLM', SvcKey);
    RegKeyDel('HKLM', SvcKey);
    // report keys that survived the delete attempt
    if RegKeyExistsEx('HKLM', SvcKey) then
     Result := Result or 8;
   end;
  end;
  Idx := Idx + 1;
 end;
 if AIsSvcHosted then
  BC_DeleteSvcReg(AServiceName)
 else
  BC_DeleteSvc(AServiceName);
 ControlSets.Free;
end;
begin
// rootkit search with both boolean options enabled, then AVZGuard on
// before any file or registry operations
SearchRootkit(true, true);
SetAVZGuardStatus(True);
// empty the quarantine and copy every suspect file into it before the
// DeleteFile calls below remove them; hfs.exe is only quarantined here,
// it is not deleted further down
ClearQuarantine;
QuarantineFile('C:\Program Files\hfs\hfs.exe','');
QuarantineFile('C:\WINDOWS\system32\fwyrr.dll','');
// each system32 executable is addressed twice: via the \\?\globalroot
// device path and via the drive-letter path
QuarantineFile('\\?\globalroot\systemroot\system32\tP9DJ79.exe','');
QuarantineFile('\\?\globalroot\systemroot\system32\h57CZAe.exe','');
QuarantineFile('\\?\globalroot\systemroot\system32\T7NTsoA.exe','');
QuarantineFile('\\?\globalroot\systemroot\system32\Mmir4T8.exe','');
QuarantineFile('\\?\globalroot\systemroot\system32\BbXVjF9.exe','');
QuarantineFile('\\?\globalroot\systemroot\system32\1rXCo3b.exe','');
QuarantineFile('c:\windows\system32\tP9DJ79.exe','');
QuarantineFile('c:\windows\system32\h57CZAe.exe','');
QuarantineFile('c:\windows\system32\T7NTsoA.exe','');
QuarantineFile('c:\windows\system32\Mmir4T8.exe','');
QuarantineFile('c:\windows\system32\BbXVjF9.exe','');
QuarantineFile('c:\windows\system32\1rXCo3b.exe','');
QuarantineFile('C:\DOCUME~1\Admin\LOCALS~1\Temp\jvhGg9eJ.sys','');
// delete the quarantined files (same paths as above, minus hfs.exe)
DeleteFile('C:\DOCUME~1\Admin\LOCALS~1\Temp\jvhGg9eJ.sys');
DeleteFile('\\?\globalroot\systemroot\system32\1rXCo3b.exe');
DeleteFile('\\?\globalroot\systemroot\system32\BbXVjF9.exe');
DeleteFile('\\?\globalroot\systemroot\system32\Mmir4T8.exe');
DeleteFile('\\?\globalroot\systemroot\system32\T7NTsoA.exe');
DeleteFile('\\?\globalroot\systemroot\system32\h57CZAe.exe');
DeleteFile('\\?\globalroot\systemroot\system32\tP9DJ79.exe');
DeleteFile('c:\windows\system32\tP9DJ79.exe');
DeleteFile('c:\windows\system32\h57CZAe.exe');
DeleteFile('c:\windows\system32\T7NTsoA.exe');
DeleteFile('c:\windows\system32\Mmir4T8.exe');
DeleteFile('c:\windows\system32\BbXVjF9.exe');
DeleteFile('c:\windows\system32\1rXCo3b.exe');
DeleteFile('C:\WINDOWS\system32\fwyrr.dll');
// BC_* = Boot Cleaner: presumably hands the pending deletions over to be
// retried at the next boot in case a file was locked here — confirm
BC_ImportAll;
ExecuteSysClean;
// remove service 'orkppbqc' (the same service the gmer batch file targets)
// and write BC_ServiceKill's result mask (1/2/4/8) into the log
AddToLog(inttostr(BC_ServiceKill('orkppbqc')) );
SaveLog(GetAVZDirectory+'avz_log.txt');
// 'TSW' is presumably the AVZ troubleshooting wizard; the 2,2,true
// arguments are not explained in this post
ExecuteWizard('TSW',2,2,true);
BC_Activate;
// ExecuteRepair item 20 — meaning not given here, see the AVZ repair list
ExecuteRepair(20);
// restore Winlogon UserInit to the stock '<WinDir>\System32\userinit.exe,'
// value; this value is a well-known persistence point that malware appends to
RegKeyStrParamWrite('HKLM', 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon', 'UserInit', GetEnvironmentVariable ('WinDir')+'\System32\userinit.exe,');
SetAVZPMStatus(True);
// forced reboot so the Boot Cleaner operations queued above can run
RebootWindows(true);
end.
После перезагрузки выполните в AVZ скрипт:
Код:
// Pack the current AVZ quarantine into quarantine.zip next to the AVZ
// executable so it can be uploaded for analysis.
var
 ArchivePath : string;
begin
 ArchivePath := GetAVZDirectory+'quarantine.zip';
 CreateQurantineArchive(ArchivePath);
end.
Пришлите карантин quarantine.zip по красной ссылке «Прислать запрошенный карантин» вверху темы.
Сохраните текст ниже как cleanup.bat в ту же папку, где находится klp148zx.exe (gmer).
Код:
rem klp148zx.exe is gmer; its -del options remove the same service and DLL
rem that the AVZ script above targets (service 'orkppbqc', fwyrr.dll)
klp148zx.exe -del service orkppbqc
klp148zx.exe -del file "C:\WINDOWS\system32\fwyrr.dll"
rem only CurrentControlSet and ControlSet002 are covered here, whereas
rem BC_ServiceKill in the AVZ script walks every ControlSet* key
klp148zx.exe -del reg "HKLM\SYSTEM\CurrentControlSet\Services\orkppbqc"
klp148zx.exe -del reg "HKLM\SYSTEM\ControlSet002\Services\orkppbqc"
rem gmer reboots the machine once the deletions above are queued
klp148zx.exe -reboot
И запустите cleanup.bat.
Компьютер перезагрузится!
Сделайте новый лог gmer.
Повторите логи AVZ.