Ветеран
Консультант
Сообщения: 1544
Благодарности: 489
|
Профиль
|
Отправить PM
| Цитировать
Выполните скрипт в AVZ (Файл - Выполнить скрипт)
Код:  begin
ShowMessage('Внимание! Перед выполнением скрипта AVZ автоматически закроет все сетевые подключения.'+#13#10+'После перезагрузки компьютера подключения к сети будут восстановлены в автоматическом режиме.');
ExecuteFile('net.exe', 'stop tcpip /y', 0, 15000, true);
SearchRootkit(true, true);
SetAVZGuardStatus(True);
TerminateProcessByName('c:\windows\update.5.0\svchost.exe');
SetServiceStart('srvbtc1', 4);
SetServiceStart('srvbtcclient', 4);
StopService('srvbtc1');
StopService('srvbtcclient');
QuarantineFile('C:\WINDOWS\winlogin.exe','');
QuarantineFile('services32.exe','');
QuarantineFile('C:\WINDOWS\sysdriver32_.exe','');
QuarantineFile('C:\WINDOWS\tasks\system.job','');
QuarantineFile('C:\WINDOWS\sysdriver32.exe','');
QuarantineFile('C:\WINDOWS\TEMP\9937383.exe','');
QuarantineFile('C:\WINDOWS\TEMP\2955526.exe','');
QuarantineFile('C:\DOCUME~1\559D~1\LOCALS~1\Temp\8602390.exe','');
QuarantineFile('C:\DOCUME~1\559D~1\LOCALS~1\Temp\8519197.exe','');
QuarantineFile('C:\DOCUME~1\559D~1\LOCALS~1\Temp\8240517.exe','');
QuarantineFile('C:\DOCUME~1\559D~1\LOCALS~1\Temp\8064324.exe','');
QuarantineFile('C:\WINDOWS\winlogin.exe','');
QuarantineFile('C:\WINDOWS\taskmsgr.exe','');
QuarantineFile('C:\WINDOWS\systemxp.exe','');
QuarantineFile('C:\WINDOWS\winexp.exe','');
QuarantineFile('C:\DOCUME~1\559D~1\LOCALS~1\Temp\7667377.exe','');
QuarantineFile('C:\DOCUME~1\559D~1\LOCALS~1\Temp\6985877.exe','');
QuarantineFile('C:\DOCUME~1\559D~1\LOCALS~1\Temp\6387535.exe','');
QuarantineFile('C:\DOCUME~1\559D~1\LOCALS~1\Temp\6365733.exe','');
QuarantineFile('C:\DOCUME~1\559D~1\LOCALS~1\Temp\621017.exe','');
QuarantineFile('C:\DOCUME~1\559D~1\LOCALS~1\Temp\5983970.exe','');
QuarantineFile('C:\DOCUME~1\559D~1\LOCALS~1\Temp\5776888.exe','');
QuarantineFile('C:\DOCUME~1\559D~1\LOCALS~1\Temp\5338889.exe','');
QuarantineFile('C:\DOCUME~1\559D~1\LOCALS~1\Temp\4839128.exe','');
QuarantineFile('C:\DOCUME~1\559D~1\LOCALS~1\Temp\4579048.exe','');
QuarantineFile('C:\DOCUME~1\559D~1\LOCALS~1\Temp\4398545.exe','');
QuarantineFile('C:\DOCUME~1\559D~1\LOCALS~1\Temp\4331751.exe','');
QuarantineFile('C:\DOCUME~1\559D~1\LOCALS~1\Temp\281428.exe','');
QuarantineFile('C:\DOCUME~1\559D~1\LOCALS~1\Temp\174181.exe','');
QuarantineFile('C:\DOCUME~1\559D~1\LOCALS~1\Temp\1245214.exe','');
QuarantineFile('C:\DOCUME~1\559D~1\LOCALS~1\Temp\1021112.exe','');
QuarantineFile('C:\WINDOWS\update.4.1\svchost.exe','');
QuarantineFile('c:\windows\update.5.0\svchost.exe','');
QuarantineFile('C:\WINDOWS\update.1\svchost.exe','');
QuarantineFile('c:\windows\update.2\svchost.exe','');
QuarantineFile('C:\WINDOWS\update.3\svchost.exe','');
QuarantineFile('c:\windows\update.4\svchost.exe','');
QuarantineFile('C:\WINDOWS\update.tray-2-0\svchost.exe','');
QuarantineFile('C:\WINDOWS\unrar.exe','');
QuarantineFile('C:\WINDOWS\myunrar2.exe','');
QuarantineFile('C:\WINDOWS\namecoind.exe','');
QuarantineFile('C:\WINDOWS\libeay32.dll','');
QuarantineFile('C:\WINDOWS\miner2.exe','');
QuarantineFile('C:\WINDOWS\loader2.exe_ok','');
QuarantineFile('C:\WINDOWS\bitcoind.exe','');
DeleteFile('C:\WINDOWS\update.tray-2-0\svchost.exe');
DeleteFile('C:\WINDOWS\winlogin.exe');
DeleteFile('C:\WINDOWS\tasks\system.job');
DeleteFile('C:\WINDOWS\update.5.0\svchost.exe');
DeleteFile('C:\WINDOWS\update.4.1\svchost.exe');
DeleteFile('C:\WINDOWS\update.1\svchost.exe');
DeleteFile('C:\WINDOWS\update.2\svchost.exe');
DeleteFile('C:\WINDOWS\update.3\svchost.exe');
DeleteFile('C:\WINDOWS\update.4\svchost.exe');
DeleteFile('C:\DOCUME~1\559D~1\LOCALS~1\Temp\1021112.exe');
DeleteFile('C:\DOCUME~1\559D~1\LOCALS~1\Temp\1245214.exe');
DeleteFile('C:\DOCUME~1\559D~1\LOCALS~1\Temp\174181.exe');
DeleteFile('C:\DOCUME~1\559D~1\LOCALS~1\Temp\281428.exe');
DeleteFile('C:\DOCUME~1\559D~1\LOCALS~1\Temp\4331751.exe');
DeleteFile('C:\DOCUME~1\559D~1\LOCALS~1\Temp\4398545.exe');
DeleteFile('C:\DOCUME~1\559D~1\LOCALS~1\Temp\4579048.exe');
DeleteFile('C:\DOCUME~1\559D~1\LOCALS~1\Temp\4839128.exe');
DeleteFile('C:\DOCUME~1\559D~1\LOCALS~1\Temp\5338889.exe');
DeleteFile('C:\DOCUME~1\559D~1\LOCALS~1\Temp\5776888.exe');
DeleteFile('C:\DOCUME~1\559D~1\LOCALS~1\Temp\5983970.exe');
DeleteFile('C:\DOCUME~1\559D~1\LOCALS~1\Temp\621017.exe');
DeleteFile('C:\DOCUME~1\559D~1\LOCALS~1\Temp\6365733.exe');
DeleteFile('C:\DOCUME~1\559D~1\LOCALS~1\Temp\6387535.exe');
DeleteFile('C:\DOCUME~1\559D~1\LOCALS~1\Temp\6985877.exe');
DeleteFile('C:\DOCUME~1\559D~1\LOCALS~1\Temp\7667377.exe');
DeleteFile('C:\DOCUME~1\559D~1\LOCALS~1\Temp\8064324.exe');
DeleteFile('C:\DOCUME~1\559D~1\LOCALS~1\Temp\8240517.exe');
DeleteFile('C:\DOCUME~1\559D~1\LOCALS~1\Temp\8519197.exe');
DeleteFile('C:\DOCUME~1\559D~1\LOCALS~1\Temp\8602390.exe');
DeleteFile('C:\WINDOWS\TEMP\2955526.exe');
DeleteFile('C:\WINDOWS\TEMP\9937383.exe');
DeleteFile('C:\WINDOWS\sysdriver32.exe');
DeleteFile('C:\WINDOWS\sysdriver32_.exe');
DeleteFile('services32.exe');
DeleteFile('C:\WINDOWS\btc_client_iplist.txt');
DeleteFile('C:\WINDOWS\btc_iplist.txt');
DeleteFile('C:\WINDOWS\w_distrib_iplist.txt');
DeleteFile('C:\WINDOWS\iecheck_iplist.txt');
DeleteFile('C:\WINDOWS\ddh_iplist.txt');
DeleteFile('C:\WINDOWS\iplist.txt');
DeleteFile('C:\WINDOWS\front_ip_list.txt');
DeleteFile('C:\WINDOWS\av_ico');
DeleteFile('C:\WINDOWS\winlog-ids.txt');
DeleteFile('C:\WINDOWS\winlog-dirs.txt');
DeleteFile('C:\WINDOWS\unrar.exe');
DeleteFile('C:\WINDOWS\myunrar2.exe');
DeleteFile('C:\WINDOWS\namecoind.exe');
DeleteFile('C:\WINDOWS\libeay32.dll');
DeleteFile('C:\WINDOWS\miner2.exe');
DeleteFile('C:\WINDOWS\loader2.exe_ok');
DeleteFile('C:\WINDOWS\bitcoind.exe');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','tray_ico');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','tray_ico1');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','tray_ico2');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','tray_ico3');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','tray_ico4');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','1021112.exe');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','1245214.exe');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','174181.exe');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','281428.exe');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','4331751.exe');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','4398545.exe');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','4579048.exe');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','4839128.exe');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','5338889.exe');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','5776888.exe');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','5983970.exe');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','621017.exe');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','6365733.exe');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','6387535.exe');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','6985877.exe');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','7667377.exe');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','8064324.exe');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','8240517.exe');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','8519197.exe');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','8602390.exe');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','2955526.exe');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','9937383.exe');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','sysdriver32.exe');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','sysdriver32_.exe');
RegKeyParamDel('HKEY_LOCAL_MACHINE',' System\CurrentControlSet\Control\SafeBoot',' AlternateShell');
RegKeyDel('HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wxpdrivers');
RegKeyDel('HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Control\SafeBoot\network\wxpdrivers');
RegKeyStrParamWrite('HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon','UserInit', 'C:\WINDOWS\system32\userinit.exe,');
DeleteFileMask('C:\WINDOWS\rpcminer', '*.*', true);
DeleteFileMask('C:\WINDOWS\update.5.0\', '*.*', true);
DeleteFileMask('C:\WINDOWS\update.5.0\', '*.*', true);
DeleteFileMask('C:\WINDOWS\update.1\', '*.*', true);
DeleteFileMask('C:\WINDOWS\update.2\', '*.*', true);
DeleteFileMask('C:\WINDOWS\update.3\', '*.*', true);
DeleteFileMask('C:\WINDOWS\update.4\', '*.*', true);
DeleteFileMask('C:\WINDOWS\update.tray-2-0-lnk', '*.*', true);
DeleteFileMask('C:\WINDOWS\update.tray-2-0', '*.*', true);
DeleteFileMask('C:\DOCUME~1\559D~1\LOCALS~1\Temp\', '*.*', true);
DeleteFileMask('C:\WINDOWS\TEMP\', '*.*', true);
DeleteDirectory('C:\WINDOWS\rpcminer');
DeleteDirectory('c:\windows\update.1');
DeleteDirectory('c:\windows\update.2');
DeleteDirectory('c:\windows\update.3');
DeleteDirectory('c:\windows\update.4');
DeleteDirectory('c:\windows\update.4.1');
DeleteDirectory('c:\windows\update.5.0');
DeleteDirectory('C:\WINDOWS\update.tray-2-0-lnk');
DeleteDirectory('C:\WINDOWS\update.tray-2-0');
DeleteService('srvbtc1');
DeleteService('srvbtcclient');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
ExecuteFile('Netsh', 'firewall reset', 0, 10000, true);
RebootWindows(true);
end.
Компьютер перезагрузится, После перезагрузки:
- выполните такой скрипт
Код: begin
CreateQurantineArchive(GetAVZDirectory+'quarantine.zip');
end.
Полученный архив отправьте с помощью этой формы http://www.oszone.net/virusnet/ с указанием ссылки на тему в теме (заголовке) сообщения. с указанием пароля: virus в теле письма.
Пофиксите в HJT ( справка ):
Код: F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O4 - HKLM\..\Run: [281428.exe] "C:\DOCUME~1\559D~1\LOCALS~1\Temp\281428.exe"
O4 - HKLM\..\Run: [8519197.exe] "C:\DOCUME~1\559D~1\LOCALS~1\Temp\8519197.exe"
O4 - HKLM\..\Run: [8064324.exe] "C:\DOCUME~1\559D~1\LOCALS~1\Temp\8064324.exe"
O4 - HKLM\..\Run: [5776888.exe] "C:\DOCUME~1\559D~1\LOCALS~1\Temp\5776888.exe"
O4 - HKLM\..\Run: [5983970.exe] "C:\DOCUME~1\559D~1\LOCALS~1\Temp\5983970.exe"
O4 - HKLM\..\Run: [5338889.exe] "C:\DOCUME~1\559D~1\LOCALS~1\Temp\5338889.exe"
O4 - HKLM\..\Run: [6365733.exe] "C:\DOCUME~1\559D~1\LOCALS~1\Temp\6365733.exe"
O4 - HKLM\..\Run: [1021112.exe] "C:\DOCUME~1\559D~1\LOCALS~1\Temp\1021112.exe"
O4 - HKLM\..\Run: [4579048.exe] "C:\DOCUME~1\559D~1\LOCALS~1\Temp\4579048.exe"
O4 - HKLM\..\Run: [6985877.exe] "C:\DOCUME~1\559D~1\LOCALS~1\Temp\6985877.exe"
O4 - HKLM\..\Run: [6387535.exe] "C:\DOCUME~1\559D~1\LOCALS~1\Temp\6387535.exe"
O4 - HKLM\..\Run: [1245214.exe] "C:\DOCUME~1\559D~1\LOCALS~1\Temp\1245214.exe"
O4 - HKLM\..\Run: [4398545.exe] "C:\DOCUME~1\559D~1\LOCALS~1\Temp\4398545.exe"
O4 - HKLM\..\Run: [621017.exe] "C:\DOCUME~1\559D~1\LOCALS~1\Temp\621017.exe"
O4 - HKLM\..\Run: [8240517.exe] "C:\DOCUME~1\559D~1\LOCALS~1\Temp\8240517.exe"
O4 - HKLM\..\Run: [8602390.exe] "C:\DOCUME~1\559D~1\LOCALS~1\Temp\8602390.exe"
O4 - HKLM\..\Run: [174181.exe] "C:\DOCUME~1\559D~1\LOCALS~1\Temp\174181.exe"
O4 - HKLM\..\Run: [4839128.exe] "C:\DOCUME~1\559D~1\LOCALS~1\Temp\4839128.exe"
O4 - HKLM\..\Run: [9937383.exe] "C:\WINDOWS\TEMP\9937383.exe"
O4 - HKLM\..\Run: [7667377.exe] "C:\DOCUME~1\559D~1\LOCALS~1\Temp\7667377.exe"
O4 - HKLM\..\Run: [2955526.exe] "C:\WINDOWS\TEMP\2955526.exe"
O4 - HKLM\..\Run: [4331751.exe] "C:\DOCUME~1\559D~1\LOCALS~1\Temp\4331751.exe"
O4 - HKLM\..\Run: [sysdriver32.exe] "C:\WINDOWS\sysdriver32.exe" rezerv
O4 - HKLM\..\Run: [sysdriver32_.exe] "C:\WINDOWS\sysdriver32_.exe" rezerv
Повторите логи AVZ и RSIT
Скачайте Malwarebytes' Anti-Malware или с зеркала, установите, обновите базы, выберите " Perform Full Scan", нажмите " Scan", после сканирования - Ok - Show Results (показать результаты) - Откройте лог и скопируйте в блокнот и прикрепите его к следующему посту. |
