это червяк Yaha
aka I-Worm.Lentis.gen [KAV], W32/Yaha.t@MM [McAfee], W32/Yaha-T [Sophos]
Цитата:
When W32.Yaha.T@mm runs, it does the following:
Copies itself as the following files and sets the file attributes to Hidden:
%System%\WINTSK32.EXE
%System%\EXELDR32.EXE
Adds the value:
MicrosoftServiceManager %System%\WINTSK32.EXE
to the registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
RunServices
so that the worm runs when you start Windows.
Configures itself to run each time a .exe file runs, by changing the default value of the registry key:
HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command
to:
"%System%\exeldr32.exe"%1 %*
Copies itself to the \Windows\System folder as one of the following files:
Hotmail_hack.exe
Friendship.scr
World_of_friendship.scr
Shake.scr
Sweet.scr
Be_happy.scr
Friend_finder.exe
I_like_you.scr
Love.scr
Dance.scr
Gc_messenger.exe
True_love.scr
Friend_happy.scr
Best_friend.scr
Life.scr
Colour_of_life.scr
Friendship_funny.scr
Funny.scr
|
кстати, он пытается прибить процессы avp, norton antivirus, mcaffi viruscan и еще некоторые антивирусы и файрволы
вот
тут можно скачать Yaha Removal Tool, а на будущее забыть об avp/norton av и поставить drweb
