1. Скачай
IceSword
Слева внизу найди меню File, в нем найди следующие файлы и удали по правой кнопке Force Delete.
Код:
WINDOWS\System32\Drivers\Winah37.sys');
C:\WINDOWS\System32\Drivers\WinCtrl32.dll
C:\WINDOWS\System32\Drivers\Winap46.sys
C:\WINDOWS\System32\Drivers\Wincj03.sys
C:\WINDOWS\System32\Drivers\Wincr37.sys
C:\WINDOWS\System32\Drivers\Winct36.sys
C:\WINDOWS\System32\Drivers\Windk36.sys
C:\WINDOWS\System32\Drivers\Winfn25.sys
C:\WINDOWS\System32\Drivers\Winmd15.sys
C:\WINDOWS\System32\Drivers\Winpx80.sys
C:\WINDOWS\System32\Drivers\Winxn14.sys
C:\WINDOWS\System32\Drivers\Winya03.sys
C:\WINDOWS\System32\Drivers\Winyg81.sys
В AVZ меню Файл -- Выполнить скрипт. Скопируй код и нажми "Запустить". (или в AVPtools)
Код:
begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
DelBHO('{92780B25-18CC-41C8-B9BE-3C9C571A8263}');
DelBHO('{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E}');
QuarantineFile('WinCtrl32.dll','');
QuarantineFile('C:\WINDOWS\system32\blphcrmuj0e14j.scr','');
DeleteService('Winyg81');
DeleteService('Winya03');
DeleteService('Winxn14');
DeleteService('Winpx80');
DeleteService('Winmd15');
DeleteService('Winfn25');
DeleteService('Windk36');
DeleteService('Winct36');
DeleteService('Wincr37');
DeleteService('Wincj03');
DeleteService('Winap46');
DeleteService('Winah37');
DeleteService('wscsvcSharedAccess');
DeleteService('upnphosthelpsvc');
DeleteService('TrkWkslanmanworkstation');
DeleteService('SwPrvPolicyAgent');
DeleteService('stisvcERSvcWZCSVC');
DeleteService('stisvcERSvc');
DeleteService('stisvcDcomLaunch');
DeleteService('ServiceLayerProtectedStorageMessenger');
DeleteService('ServiceLayerProtectedStorage');
DeleteService('SamSsNetDDERasMan');
DeleteService('SamSsNetDDEdsdm');
DeleteService('SamSsNetDDE');
DeleteService('RDSessMgrRDSessMgrMSIServer');
DeleteService('RDSessMgrRDSessMgr');
DeleteService('RDSessMgrProtectedStorage');
DeleteService('RDSessMgrCOMSysAppRasMan');
DeleteService('RasManNtmsSvc');
DeleteService('PolicyAgentPlugPlay');
DeleteService('PolicyAgentDnscacheProtectedStorage');
DeleteService('oseTrkWks');
DeleteService('ImapiServiceSamSs');
DeleteService('EventSystemTapiSrvDnscachelanmanserver');
DeleteService('EventSystemTapiSrv');
DeleteService('DnscacheProtectedStorage');
DeleteService('Dnscachelanmanserver');
DeleteService('COMSysAppwuauserv');
DeleteService('COMSysAppRasManhelpsvc');
DeleteService('COMSysAppRasMan');
DeleteService('BITSlanmanworkstation');
QuarantineFile('srv.exe','');
DeleteService('ALGEventlog');
DeleteFile('srv.exe');
DeleteFile('C:\WINDOWS\System32\Drivers\Winah37.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\WinCtrl32.dll');
DeleteFile('C:\WINDOWS\System32\Drivers\Winap46.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Wincj03.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Wincr37.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Winct36.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Windk36.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Winfn25.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Winmd15.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Winpx80.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Winxn14.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Winya03.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Winyg81.sys');
DeleteFile('C:\WINDOWS\system32\blphcrmuj0e14j.scr');
DeleteFile('WinCtrl32.dll');
Executerepair(5);
Executerepair(6);
Executerepair(9);
Executerepair(10);
Executerepair(17);
BC_ImportAll;
BC_DeleteSvc('wscsvcSharedAccess');
BC_DeleteSvc('upnphosthelpsvc');
BC_DeleteSvc('TrkWkslanmanworkstation');
BC_DeleteSvc('SwPrvPolicyAgent');
BC_DeleteSvc('stisvcERSvcWZCSVC');
BC_DeleteSvc('stisvcERSvc');
BC_DeleteSvc('stisvcDcomLaunch');
BC_DeleteSvc('ServiceLayerProtectedStorageMessenger');
BC_DeleteSvc('ServiceLayerProtectedStorage');
BC_DeleteSvc('SamSsNetDDERasMan');
BC_DeleteSvc('SamSsNetDDEdsdm');
BC_DeleteSvc('SamSsNetDDE');
BC_DeleteSvc('RDSessMgrRDSessMgrMSIServer');
BC_DeleteSvc('RDSessMgrRDSessMgr');
BC_DeleteSvc('RDSessMgrProtectedStorage');
BC_DeleteSvc('RDSessMgrCOMSysAppRasMan');
BC_DeleteSvc('RasManNtmsSvc');
BC_DeleteSvc('PolicyAgentPlugPlay');
BC_DeleteSvc('PolicyAgentDnscacheProtectedStorage');
BC_DeleteSvc('oseTrkWks');
BC_DeleteSvc('ImapiServiceSamSs');
BC_DeleteSvc('EventSystemTapiSrvDnscachelanmanserver');
BC_DeleteSvc('EventSystemTapiSrv');
BC_DeleteSvc('DnscacheProtectedStorage');
BC_DeleteSvc('Dnscachelanmanserver');
BC_DeleteSvc('COMSysAppwuauserv');
BC_DeleteSvc('COMSysAppRasManhelpsvc');
BC_DeleteSvc('COMSysAppRasMan');
BC_DeleteSvc('BITSlanmanworkstation');
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.
Компьютер перезагрузится.
3. После выполни еще скрипт.
Код:
begin
CreateQurantineArchive(GetAVZDirectory+'quarantine.zip');
end.
Архив с карантином пришли мне в PM.
Пофикси в HijackThis. fix checked
Код:
O9 - Extra button: Cтатистика Веб-Антивируса - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll (file missing)
O20 - Winlogon Notify: WinCtrl32 - WinCtrl32.dll (file missing)
Вышли повторные логи.
