{Перед использованием скрипта убедиться, что в системе не установлены упомянутые в скрипте антивирусы. Автор скрипта: regist}
var
ProgramData, ProgramFiles, ProgramFiles86, fname, OSVer: string;
PD_folders, PF_folders, O_folders : TStringList;
procedure FillList;
begin
PD_folders := TStringList.Create;
PD_folders.Add('360TotalSecurity');
PD_folders.Add('360safe');
PD_folders.Add('AVAST Software');
PD_folders.Add('Avg');
PD_folders.Add('Avira');
PD_folders.Add('ESET');
PD_folders.Add('Indus');
PD_folders.Add('Kaspersky Lab Setup Files');
PD_folders.Add('Kaspersky Lab');
PD_folders.Add('MB3Install');
PD_folders.Add('Malwarebytes');
PD_folders.Add('McAfee');
PD_folders.Add('Norton');
PD_folders.Add('grizzly');
PD_folders.Add('RealtekHD');
PD_folders.Add('RunDLL');
PD_folders.Add('Setup');
PD_folders.Add('System32');
PD_folders.Add('Windows');
PD_folders.Add('WindowsTask');
PD_folders.Add('install');
PF_folders := TStringList.Create;
PF_folders.Add('360');
PF_folders.Add('AVAST Software');
PF_folders.Add('AVG');
PF_folders.Add('ByteFence');
PF_folders.Add('COMODO');
PF_folders.Add('Cezurity');
PF_folders.Add('Common Files\McAfee');
PF_folders.Add('ESET');
PF_folders.Add('Enigma Software Group');
PF_folders.Add('GRIZZLY Antivirus');
PF_folders.Add('Kaspersky Lab');
PF_folders.Add('Malwarebytes');
PF_folders.Add('Microsoft JDX');
PF_folders.Add('Panda Security');
PF_folders.Add('SpyHunter');
PF_folders.Add('RDP Wrapper');
O_folders := TStringList.Create;
O_folders.Add(NormalDir('%SYSTEMDRIVE%'+'\AdwCleaner'));
O_folders.Add(NormalDir('%SYSTEMDRIVE%'+'\KVRT_Data'));
O_folders.Add(NormalDir('%windir%'+'\NetworkDistribution'));
O_folders.Add(NormalDir('%windir%'+'\speechstracing'));
O_folders.Add(NormalDir('%windir%'+'\Fonts\Mysql'));
end;
procedure Del_folders(path:string; AFL : TStringList);
var
i : integer;
begin
for i := 0 to AFL.Count - 1 do
begin
fname := NormalDir(path + AFL[i]);
if DirectoryExists(fname) then
begin
QuarantineFileF(fname, '*.exe, *.dll, *.sys, *.bat, *.vbs, *.ps1, *.js*, *.tmp*', true, '', 0, 0);
DeleteFileMask(fname, '*', true);
DeleteDirectory(fname);
end;
end;
end;
procedure swprv;
begin
ExecuteFile('sc.exe', 'create "swprv" binpath= "%SystemRoot%\System32\svchost.exe -k swprv" type= own start= demand depend= RPCSS', 0, 15000, true);
RegKeyParamDel ('HKLM', 'SYSTEM\CurrentControlSet\Services\swprv', 'wow64');
RegKeyStrParamWrite ('HKLM', 'SYSTEM\CurrentControlSet\Services\swprv', 'Description', '@%SystemRoot%\System32\swprv.dll,-102');
RegKeyStrParamWrite ('HKLM', 'SYSTEM\CurrentControlSet\Services\swprv', 'DisplayName', '@%SystemRoot%\System32\swprv.dll,-103');
RegKeyIntParamWrite ('HKLM', 'SYSTEM\CurrentControlSet\Services\swprv', 'ServiceSidType', '1');
RegKeyParamWrite('HKLM', 'SYSTEM\CurrentControlSet\Services\swprv\Parameters', 'ServiceDll', 'REG_EXPAND_SZ', '%Systemroot%\System32\swprv.dll');
OSVer := RegKeyStrParamRead('HKLM','SOFTWARE\Microsoft\Windows NT\CurrentVersion','CurrentVersion');
if OSVer > '6.1' then RegKeyIntParamWrite ('HKLM', 'SYSTEM\CurrentControlSet\Services\swprv\Parameters', 'ServiceDllUnloadOnStop', '1');;
ExecuteFile('sc.exe', 'privs "swprv" SeBackupPrivilege/SeChangeNotifyPrivilege/SeCreateGlobalPrivilege/SeCreatePermanentPrivilege/SeImpersonatePrivilege/SeManageVolumePrivilege/SeRestorePrivilege/SeIncreaseBasePriorityPrivilege/SeManageVolumePrivilege/SeRestorePrivilege/SeTcbPrivilege', 0, 15000, true);
ExecuteFile('net.exe', 'start "swprv"', 0, 15000, true);
end;
procedure AV_block_remove;
begin
clearlog;
FillList;
ProgramData := GetEnvironmentVariable('ProgramData');
ProgramFiles := NormalDir('%PF%');
ProgramFiles86 := NormalDir('%PF% (x86)');
Del_folders(ProgramData +'\', PD_folders);
Del_folders(ProgramFiles, PF_folders);
Del_folders(ProgramFiles86, PF_folders);
Del_folders('', O_folders);
ExpRegKey('HKCU','Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun','DisallowRun_backup.reg');
RegKeyDel('HKCU', 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun');
RegKeyParamWrite('HKLM', 'SYSTEM\CurrentControlSet\services\TermService\Parameters', 'ServiceDlll', 'REG_EXPAND_SZ', '%SystemRoot%\System32\termsrv.dll');
swprv;
if MessageDLG('Удалить пользователя "John" ?'+ #13#10 + 'Если пользователь с таким именем вам не знаком, то нажмите "Да".', mtConfirmation, mbYes+mbNo, 0) = 6 then
ExecuteFile('net.exe', 'user john /delete', 0, 15000, true);
SaveLog(GetAVZDirectory +'AV_block_remove.log');
PD_folders.Free;
PF_folders.Free;
O_folders.Free;
ExecuteWizard('SCU', 2, 3, true);
ExecuteSysClean;
end;
begin
TerminateProcessByName('c:\programdata\windows\rutserv.exe');
AV_block_remove;
RebootWindows(true);
end.
begin
DeleteFile(GetAVZDirectory+'quarantine.7z');
ExecuteFile(GetAVZDirectory+'7za.exe', 'a -mx9 -pmalware quarantine .\Quarantine\*', 1, 300000, false);
end.
Start::
SystemRestore: On
CreateRestorePoint:
HKLM\...\Run: [Realtek HD Audio] => C:\ProgramData\RealtekHD\taskhostw.exe <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKU\S-1-5-21-350612990-1591811396-3829588097-1000\...\Policies\Explorer: [DisallowRun] 1
GroupPolicy: Restriction ? <==== ATTENTION
Task: {1C347150-24E0-48D6-81E0-44F9266B7E80} - System32\Tasks\Microsoft\Windows\Wininet\RealtekHDStartUP => C:\Programdata\RealtekHD\taskhost.exe <==== ATTENTION
Task: {4275A7D6-F159-4B2E-ABF5-297998AC0163} - System32\Tasks\Microsoft\Windows\Wininet\Taskhost => C:\Programdata\RealtekHD\taskhostw.exe <==== ATTENTION
Task: {90258DAD-933F-476E-BB9E-409F55F5C3DF} - System32\Tasks\Microsoft\Windows\Wininet\Cleaner => C:\Programdata\WindowsTask\winlogon.exe <==== ATTENTION
Task: {A90A7878-1389-40EB-BD60-1245B668AE83} - System32\Tasks\Microsoft\Windows\Wininet\RealtekHDControl => C:\Programdata\RealtekHD\taskhost.exe <==== ATTENTION
Task: {E9BAE7CA-2ED7-4337-A776-EA58F40B0B4F} - System32\Tasks\Microsoft\Windows\Wininet\Taskhostw => C:\Programdata\RealtekHD\taskhostw.exe <==== ATTENTION
Hosts:
S2 RManService; C:\ProgramData\Windows\rutserv.exe [X]
S3 TermService; %ProgramFiles%\RDP Wrapper\rdpwrap.dll [X] <==== ATTENTION (no ServiceDLL)
2020-09-28 21:18 - 2020-10-21 20:09 - 000000000 __SHD C:\Program Files\RDP Wrapper
2020-09-28 21:18 - 2020-09-28 21:18 - 000000000 __SHD C:\rdp
2020-09-24 08:30 - 2020-10-21 20:09 - 000000000 __SHD C:\ProgramData\WindowsTask
2020-09-24 08:30 - 2020-10-21 20:09 - 000000000 __SHD C:\ProgramData\RealtekHD
2020-09-24 08:30 - 2020-09-24 08:30 - 000000000 __SHD C:\ProgramData\Doctor Web
ExportKey: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions
EmptyTemp:
Reboot:
End::
Вроде пофиксилось, по крайней мере диспетчер и браузер не закрываются. Понаблюдаю пока. Спасибо большое!Что с проблемой?
We use cookies and similar technologies for the following purposes:
Do you accept cookies and these technologies?
We use cookies and similar technologies for the following purposes:
Do you accept cookies and these technologies?