R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.istartsurf.com/?type=hppp&ts=1428250704&from=face&uid=WDCXWD10JPVX-22JC3T0_WD-WXV1E74YTUAWYTUAW
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.istartsurf.com/web/?type=dspp&ts=1428250704&from=face&uid=WDCXWD10JPVX-22JC3T0_WD-WXV1E74YTUAWYTUAW&q={searchTerms}
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.istartsurf.com/web/?type=dspp&ts=1428250704&from=face&uid=WDCXWD10JPVX-22JC3T0_WD-WXV1E74YTUAWYTUAW&q={searchTerms}
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hao123.com/?tn=95044903_hao_pg
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.istartsurf.com/?type=hppp&ts=1428250704&from=face&uid=WDCXWD10JPVX-22JC3T0_WD-WXV1E74YTUAWYTUAW
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.istartsurf.com/web/?type=ds&ts=1428250676&from=face&uid=WDCXWD10JPVX-22JC3T0_WD-WXV1E74YTUAWYTUAW&q={searchTerms}
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.istartsurf.com/web/?type=ds&ts=1428250676&from=face&uid=WDCXWD10JPVX-22JC3T0_WD-WXV1E74YTUAWYTUAW&q={searchTerms}
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hao123.com/?tn=95044903_hao_pg
// AVZ cleanup script (PascalScript dialect). Statement order matters: running
// processes are killed and services disabled/stopped first, files are copied to
// quarantine before they are deleted, and pending deletions are handed to
// Boot Cleaner just before the forced reboot.
// NOTE(review): this script does not touch the IE Main values (Default_Page_URL,
// Search Page, Start Page) listed in the R0/R1 lines above; presumably those are
// reset in a separate step — confirm.
begin
// Stop the TCP/IP service so nothing can be re-downloaded while the cleanup runs
// (15 s timeout, wait for completion).
ExecuteFile('net.exe', 'stop tcpip /y', 0, 15000, true);
// Rootkit search and AVZGuard are only engaged when not running under WOW64,
// i.e. on 32-bit Windows; on x64 the script proceeds without them.
if not IsWOW64
then
begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
end;
// Kill the dropper/installer processes before their files are quarantined and
// deleted, otherwise the deletes would fail on open handles.
TerminateProcessByName('c:\users\Ксения\appdata\local\b5cba486-1428258856-1841-94a0-00e0b8b2178d\snsn453.tmp');
TerminateProcessByName('c:\users\Ксения\appdata\roaming\b5cba486-1428244228-1841-94a0-00e0b8b2178d\nstd9ce.tmpfs');
TerminateProcessByName('c:\users\Ксения\appdata\local\b5cba486-1428258841-1841-94a0-00e0b8b2178d\cnsrceed.tmp');
TerminateProcessByName('c:\users\Ксения\appdata\local\host installer\2853903760_installcube.exe');
// Start value 4 = SERVICE_DISABLED (Windows service Start semantics), so the
// services cannot come back after the reboot; then stop the running instances.
SetServiceStart('TS888x64', 4);
SetServiceStart('QMUdisk', 4);
SetServiceStart('turopylo', 4);
SetServiceStart('rusoweli', 4);
SetServiceStart('byhytezy', 4);
StopService('TS888x64');
StopService('QMUdisk');
StopService('turopylo');
StopService('rusoweli');
StopService('byhytezy');
// Copy every file into AVZ quarantine before deletion so a sample survives for
// analysis (second argument = empty quarantine comment).
// NOTE(review): the user name on the SFSHTSVK.exe path below is '??????' — a
// profile name the log could not render. It may be the mojibake-named account
// that appears later on this page rather than 'Ксения'; confirm the real
// directory name, otherwise this quarantine and the matching DeleteFile below
// will likely not match anything.
QuarantineFile('C:\Users\??????\AppData\Roaming\SFSHTSVK.exe', '');
QuarantineFile('C:\Users\Ксения\AppData\Roaming\Browsers\exe.erolpxei.bat', '');
QuarantineFile('C:\Program Files (x86)\Crossbrowse\Crossbrowse\Application\crossbrowse.exe', '');
QuarantineFile('C:\Program Files (x86)\Tencent\QQPCMgr\10.6.15950.224\TS888x64.sys', '');
QuarantineFile('C:\Program Files (x86)\Tencent\QQPCMgr\10.6.15950.224\QMUdisk64.sys', '');
QuarantineFile('c:\users\Ксения\appdata\local\b5cba486-1428258856-1841-94a0-00e0b8b2178d\snsn453.tmp', '');
QuarantineFile('c:\users\Ксения\appdata\roaming\b5cba486-1428244228-1841-94a0-00e0b8b2178d\nstd9ce.tmpfs', '');
QuarantineFile('c:\users\Ксения\appdata\local\b5cba486-1428258841-1841-94a0-00e0b8b2178d\cnsrceed.tmp', '');
QuarantineFile('c:\users\Ксения\appdata\local\host installer\2853903760_installcube.exe', '');
// Delete the quarantined files. The second argument ('32' / '64') appears to
// select the 32-bit vs 64-bit file-system view for the path — TODO confirm
// against the AVZ script reference. Paths differ from the lines above only in
// letter case, which NTFS treats as the same file.
DeleteFile('C:\Users\Ксения\AppData\Local\B5CBA486-1428258841-1841-94A0-00E0B8B2178D\cnsrCEED.tmp', '32');
DeleteFile('C:\Users\Ксения\AppData\Roaming\B5CBA486-1428244228-1841-94A0-00E0B8B2178D\nstD9CE.tmpfs', '32');
DeleteFile('C:\Users\Ксения\AppData\Local\B5CBA486-1428258856-1841-94A0-00E0B8B2178D\snsn453.tmp', '32');
DeleteFile('C:\Program Files (x86)\Tencent\QQPCMgr\10.6.15950.224\QMUdisk64.sys', '32');
DeleteFile('C:\Program Files (x86)\Tencent\QQPCMgr\10.6.15950.224\TS888x64.sys', '32');
DeleteFile('C:\Program Files (x86)\Crossbrowse\Crossbrowse\Application\crossbrowse.exe', '32');
DeleteFile('C:\Users\Ксения\AppData\Roaming\Browsers\exe.erolpxei.bat', '32');
DeleteFile('C:\Users\??????\AppData\Roaming\SFSHTSVK.exe', '32');
DeleteFile('C:\Users\Ксения\AppData\Local\Host installer\2853903760_installcube.exe', '32');
// Scheduled-task persistence: the 'Soft installer' task definition (the FRST
// listing further down reports it with no task file) and the SFSHTSVK .job.
DeleteFile('C:\Windows\system32\Tasks\Soft installer', '64');
DeleteFile('C:\Windows\Tasks\SFSHTSVK.job', '64');
// Remove the service registrations now that the services are stopped and their
// driver/binary files are gone.
DeleteService('TS888x64');
DeleteService('QMUdisk');
DeleteService('turopylo');
DeleteService('rusoweli');
DeleteService('byhytezy');
// Recursive wipe ('*', true) of each dropper directory followed by removal of
// the now-empty directory itself.
DeleteFileMask('C:\Users\Ксения\AppData\Roaming\Browsers\', '*', true);
DeleteDirectory('C:\Users\Ксения\AppData\Roaming\Browsers\');
DeleteFileMask('C:\Users\Ксения\AppData\Local\Host installer\', '*', true);
DeleteDirectory('C:\Users\Ксения\AppData\Local\Host installer\');
DeleteFileMask('C:\Program Files (x86)\Crossbrowse\', '*', true);
DeleteDirectory('C:\Program Files (x86)\Crossbrowse\');
DeleteFileMask('C:\Users\Ксения\AppData\Local\B5CBA486-1428258856-1841-94A0-00E0B8B2178D\', '*', true);
DeleteDirectory('C:\Users\Ксения\AppData\Local\B5CBA486-1428258856-1841-94A0-00E0B8B2178D\');
// NOTE: this removes the whole Tencent folder, i.e. every Tencent product under
// Program Files (x86), not only QQPCMgr — intended here, but worth stating.
DeleteFileMask('C:\Program Files (x86)\Tencent\', '*', true);
DeleteDirectory('C:\Program Files (x86)\Tencent\');
DeleteFileMask('c:\users\Ксения\appdata\roaming\b5cba486-1428244228-1841-94a0-00e0b8b2178d\', '*', true);
DeleteDirectory('c:\users\Ксения\appdata\roaming\b5cba486-1428244228-1841-94a0-00e0b8b2178d\');
// Autostart: drop the per-user Run value used to relaunch the hijacked browser.
RegKeyParamDel('HKEY_CURRENT_USER', 'Software\Microsoft\Windows\CurrentVersion\Run', 'GoogleChromeAutoLaunch_E8D6BA4DA78CD852AD27B8DA02DB2CF5');
// Restore restrictive IE Internet-zone (Zones\3) URL-action settings for the
// current user. Action values follow IE zone semantics: 1 = prompt, 3 = disable.
// Confirm each numeric action ID against the IE URL-action reference before
// changing any of them.
RegKeyIntParamWrite('HKCU', 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\', '1201', 3);
RegKeyIntParamWrite('HKCU', 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\', '1001', 1);
RegKeyIntParamWrite('HKCU', 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\', '1004', 3);
RegKeyIntParamWrite('HKCU', 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\', '2201', 3);
RegKeyIntParamWrite('HKCU', 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\', '1804', 1);
// Hand the delete list to AVZ Boot Cleaner (BC_ImportAll) so files that were
// locked during this run are removed at the next boot, run the AVZ cleanup
// wizard and system clean, arm Boot Cleaner, then force the reboot that makes
// the boot-time deletions happen. Exact wizard semantics ('SCU', 2, 3, true)
// should be checked against the AVZ documentation.
BC_ImportAll;
ExecuteWizard('SCU', 2, 3, true);
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.
// Follow-up AVZ script: packs the quarantine folder into quarantine.zip next to
// the AVZ executable so the collected samples can be uploaded for analysis.
// It only packages what the cleanup script above already quarantined, so it is
// meant to run after that script has finished.
// 'CreateQurantineArchive' (missing 'a') is the spelling of the AVZ API itself;
// do not correct it.
begin
CreateQurantineArchive(GetAVZDirectory+'quarantine.zip');
end.
start
CHR Extension: (CinemaPlus-3.2cV05.04) - C:\Users\Ксения\AppData\Local\Google\Chrome\User Data\Default\Extensions\papbadoldddalgcjcicnikcfenodpghp [2015-04-05]
OPR Extension: (CinemaPlus-3.2cV05.04) - C:\Users\Ксения\AppData\Roaming\Opera Software\Opera Stable\Extensions\papbadoldddalgcjcicnikcfenodpghp [2015-04-05]
Task: {EE75F4EA-C18D-43FD-8FD5-4D341D527445} - \Soft installer No Task File <==== ATTENTION
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\QQPCRTP => ""="service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\QQPCRTP => ""="service"
EmptyTemp:
Reboot:
end
Наверное, эту папку с иероглифами надо удалять вручную?
rem Deletes the local Windows account whose name is the "hieroglyph" string asked
rem about above; it appears to be the Cyrillic profile name "Ксения" mis-decoded
rem as GBK. This removes the account only, not its profile directory under
rem C:\Users. TODO confirm the exact account name from "net user" output before
rem running; the name must match character for character.
net user 袣褋械薪懈褟 /delete