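begin
ShowMessage('Внимание! Перед выполнением скрипта AVZ автоматически закроет все сетевые подключения.' + #13#10 + 'После перезагрузки компьютера подключения к сети будут восстановлены в автоматическом режиме.');
// Tear down networking before touching any file so the adware cannot re-download or
// re-register itself mid-cleanup; per the message above, tcpip is back after the reboot
// requested at the end of this script.
ExecuteFile('net.exe', 'stop tcpip /y', 0, 15000, true);
SearchRootkit(true, true);
SetAVZGuardStatus(True);
// Quarantine first, delete second: every path removed further down is copied to quarantine
// here so it can still be analysed (or restored) afterwards.
QuarantineFile('C:\DOCUME~1\ALLUSE~1\APPLIC~1\Mozilla\epstmzb.exe', '');
QuarantineFile('C:\Documents and Settings\Admin\Application Data\GWMRO9Af79dxSAl97rTG.exe', '');
QuarantineFile('C:\DOCUME~1\Admin\APPLIC~1\UPDATE~1\UPDATE~1\UPDATE~1.EXE', '');
QuarantineFile('C:\Program Files\PlusHD_1.02mV09.08\59acf12a-3c64-4be8-ad9c-16dd07bba4c4-5.exe', '');
QuarantineFile('C:\Program Files\PlusHD_1.02mV09.08\59acf12a-3c64-4be8-ad9c-16dd07bba4c4-4.exe', '');
QuarantineFile('C:\Program Files\PlusHD_1.02mV09.08\59acf12a-3c64-4be8-ad9c-16dd07bba4c4-11.exe', '');
QuarantineFile('C:\Program Files\PlusHD_1.02mV09.08\59acf12a-3c64-4be8-ad9c-16dd07bba4c4-10.exe', '');
QuarantineFile('C:\Program Files\PlusHD_1.02mV09.08\59acf12a-3c64-4be8-ad9c-16dd07bba4c4-1-7.exe', '');
QuarantineFile('C:\Program Files\PlusHD_1.02mV09.08\59acf12a-3c64-4be8-ad9c-16dd07bba4c4-1-6.exe', '');
QuarantineFileF('C:\Documents and Settings\Admin\Local Settings\Application Data\SmartWeb', '*', true, '', 0 , 0);
QuarantineFile('C:\Documents and Settings\Admin\Local Settings\Application Data\SmartWeb\SmartWebHelper.exe', '');
// Kernel drivers dropped by the adware bundle; they are deleted (not just disabled) below.
QuarantineFile('C:\WINDOWS\system32\drivers\wsafd_1_10_0_19.sys', '');
QuarantineFile('C:\WINDOWS\system32\drivers\ppfd_vt_1_10_0_22.sys', '');
QuarantineFileF('C:\Program Files\PlusHD_1.02mV09.08', '*', true, '', 0 , 0);
// .bat files planted next to legitimate browser / tool executables (hijacked launchers).
QuarantineFile('C:\Documents and Settings\Admin\Local Settings\Application Data\Kometa\Application\kometa.bat', '');
QuarantineFile('C:\Program Files\Yandex\Punto Switcher\punto.bat', '');
QuarantineFile('C:\Program Files\Internet Explorer\IEXPLORE.bat', '');
QuarantineFile('C:\Documents and Settings\Admin\Избранное\Панель закладок\Слава\http csmg.lgmobile.com 9002 csmg b2c client auth_model_check2.js', '');
QuarantineFile('C:\WINDOWS\TEMP\8a22018d-e32f-4dac-823f-18ec0d91dc86\AgileDotNetRT.dll', '');
QuarantineFile('C:\WINDOWS\TEMP\9e8ef525-6395-44e7-ad8b-f1f79dbf42d9\AgileDotNetRT.dll', '');
// NOTE(review): this path has no file name or extension and looks truncated; confirm it
// against the log before relying on it (it is kept verbatim from the original script).
QuarantineFile('C:\Documents and Settings\All Users\App', '');
// Scheduled-task .job files are quarantined as well, so that everything in the deletion
// list below has a quarantine copy (the original script deleted these without one).
QuarantineFile('C:\WINDOWS\Tasks\59acf12a-3c64-4be8-ad9c-16dd07bba4c4-1-6.job', '');
QuarantineFile('C:\WINDOWS\Tasks\59acf12a-3c64-4be8-ad9c-16dd07bba4c4-1-7.job', '');
QuarantineFile('C:\WINDOWS\Tasks\59acf12a-3c64-4be8-ad9c-16dd07bba4c4-10_user.job', '');
QuarantineFile('C:\WINDOWS\Tasks\59acf12a-3c64-4be8-ad9c-16dd07bba4c4-11.job', '');
QuarantineFile('C:\WINDOWS\Tasks\59acf12a-3c64-4be8-ad9c-16dd07bba4c4-4.job', '');
QuarantineFile('C:\WINDOWS\Tasks\59acf12a-3c64-4be8-ad9c-16dd07bba4c4-5.job', '');
QuarantineFile('C:\WINDOWS\Tasks\At1.job', '');
QuarantineFile('C:\WINDOWS\Tasks\GWMRO9Af79dxSAl97rTG.job', '');
QuarantineFile('C:\WINDOWS\Tasks\lzrnpqb.job', '');
// Deletion phase. The second argument ('32' / '') is reproduced from the original script;
// its exact meaning is not shown here — check the AVZ DeleteFile reference before changing it.
DeleteFile('C:\WINDOWS\system32\drivers\ppfd_vt_1_10_0_22.sys', '32');
DeleteFile('C:\WINDOWS\system32\drivers\wsafd_1_10_0_19.sys', '32');
DeleteFile('C:\Documents and Settings\Admin\Local Settings\Application Data\SmartWeb\SmartWebHelper.exe', '32');
// Each PlusHD payload is removed together with the scheduled task that re-launches it.
DeleteFile('C:\Program Files\PlusHD_1.02mV09.08\59acf12a-3c64-4be8-ad9c-16dd07bba4c4-1-6.exe', '32');
DeleteFile('C:\WINDOWS\Tasks\59acf12a-3c64-4be8-ad9c-16dd07bba4c4-1-6.job', '32');
DeleteFile('C:\Program Files\PlusHD_1.02mV09.08\59acf12a-3c64-4be8-ad9c-16dd07bba4c4-1-7.exe', '32');
DeleteFile('C:\WINDOWS\Tasks\59acf12a-3c64-4be8-ad9c-16dd07bba4c4-1-7.job', '32');
DeleteFile('C:\WINDOWS\Tasks\59acf12a-3c64-4be8-ad9c-16dd07bba4c4-10_user.job', '32');
DeleteFile('C:\Program Files\PlusHD_1.02mV09.08\59acf12a-3c64-4be8-ad9c-16dd07bba4c4-10.exe', '32');
DeleteFile('C:\Program Files\PlusHD_1.02mV09.08\59acf12a-3c64-4be8-ad9c-16dd07bba4c4-11.exe', '32');
DeleteFile('C:\WINDOWS\Tasks\59acf12a-3c64-4be8-ad9c-16dd07bba4c4-11.job', '32');
DeleteFile('C:\WINDOWS\Tasks\59acf12a-3c64-4be8-ad9c-16dd07bba4c4-4.job', '32');
DeleteFile('C:\Program Files\PlusHD_1.02mV09.08\59acf12a-3c64-4be8-ad9c-16dd07bba4c4-4.exe', '32');
DeleteFile('C:\Program Files\PlusHD_1.02mV09.08\59acf12a-3c64-4be8-ad9c-16dd07bba4c4-5.exe', '32');
DeleteFile('C:\WINDOWS\Tasks\59acf12a-3c64-4be8-ad9c-16dd07bba4c4-5.job', '32');
DeleteFile('C:\WINDOWS\Tasks\At1.job', '32');
DeleteFile('C:\Documents and Settings\Admin\Application Data\GWMRO9Af79dxSAl97rTG.exe', '32');
DeleteFile('C:\WINDOWS\Tasks\GWMRO9Af79dxSAl97rTG.job', '32');
DeleteFile('C:\WINDOWS\Tasks\lzrnpqb.job', '32');
DeleteFile('C:\Documents and Settings\Admin\Local Settings\Application Data\Kometa\Application\kometa.bat', '');
DeleteFile('C:\Program Files\Yandex\Punto Switcher\punto.bat', '');
DeleteFile('C:\Program Files\Internet Explorer\IEXPLORE.bat', '');
DeleteFile('C:\DOCUME~1\ALLUSE~1\APPLIC~1\Mozilla\epstmzb.exe', '32');
DeleteFile('C:\WINDOWS\TEMP\8a22018d-e32f-4dac-823f-18ec0d91dc86\AgileDotNetRT.dll');
DeleteFile('C:\WINDOWS\TEMP\9e8ef525-6395-44e7-ad8b-f1f79dbf42d9\AgileDotNetRT.dll');
// NOTE(review): same possibly-truncated path as in the quarantine section above.
DeleteFile('C:\Documents and Settings\All Users\App');
// Wipe the remaining contents of the two adware directories, then the directories themselves.
DeleteFileMask('C:\Documents and Settings\Admin\Local Settings\Application Data\SmartWeb', '*', true);
DeleteFileMask('C:\Program Files\PlusHD_1.02mV09.08', '*', true);
DeleteDirectory('C:\Documents and Settings\Admin\Local Settings\Application Data\SmartWeb', '');
DeleteDirectory('C:\Program Files\PlusHD_1.02mV09.08', '');
// Browser helper object and the event-log source registered by the adware.
DelBHO('{0633EE93-D776-472f-A0FF-E1416B8B2E3D}');
RegKeyParamDel('HKEY_LOCAL_MACHINE', 'SYSTEM\CurrentControlSet\Services\Eventlog\Application\WdsManPro', 'EventMessageFile');
// Hand the pending operations to the boot-cleaner, run the standard system clean-up,
// then reboot so locked files and drivers are removed before they can start again.
BC_ImportALL;
ExecuteSysClean;
ExecuteRepair(2);
ExecuteWizard('SCU', 2, 3, true);
BC_Activate;
RebootWindows(true);
end.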
begin
// Pack the quarantine folder into quarantine.zip inside the AVZ directory.
// The function name is spelled as in the original script (it is the API's own spelling);
// do not "correct" it.
CreateQurantineArchive(GetAVZDirectory + 'quarantine.zip');
end.
start
CreateRestorePoint:
HKLM\...\Run: [gmsd_ru_025010076] => [X]
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => No File
GroupPolicyScripts: Group Policy detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
URLSearchHook: [S-1-5-21-602162358-1580436667-1417001333-500] ATTENTION => Default URLSearchHook is missing
SearchScopes: HKU\S-1-5-21-602162358-1580436667-1417001333-500 -> {77F2B683-BFE4-4140-A5D5-3004C16E3A8F} URL = hxxp://inet123.ru/?cx=partner-pub-7107628092852806%3Asxiti5-ktqk&cof=FORID%3A10&ie=windows-1251&q={searchTerms}&sa=%CF%EE%E8%F1%EA&siteurl=inet123.ru%2F#881
BHO: MailRuBHO Class -> {8984B388-A5BB-4DF7-B274-77B879E179DB} -> C:\Program Files\Mail.Ru\Sputnik\MailRuSputnik.dll No File
BHO: No Name -> {D5FEC983-01DB-414a-9456-AF95AC9ED7B5} -> No File
BHO: No Name -> {f9b7dbed-3b15-45f1-9011-938749d35eb1} -> No File
Toolbar: HKLM - Спутник@Mail.Ru - {09900DE8-1DCA-443F-9243-26FF581438AF} - C:\Program Files\Mail.Ru\Sputnik\MailRuSputnik.dll No File
Toolbar: HKU\S-1-5-21-602162358-1580436667-1417001333-500 -> Спутник@Mail.Ru - {09900DE8-1DCA-443F-9243-26FF581438AF} - C:\Program Files\Mail.Ru\Sputnik\MailRuSputnik.dll No File
OPR Extension: (PlusHD_1.02mV09.08) - C:\Documents and Settings\Admin\Application Data\Opera Software\Opera Stable\Extensions\papbadoldddalgcjcicnikcfenodpghp [2015-09-01]
2015-09-01 09:57 - 2015-09-01 09:57 - 00000000 ____D C:\Documents and Settings\Admin\Local Settings\Application Data\gmsd_ru_005010076
2015-09-01 09:26 - 2015-09-01 19:29 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\aWdsManProa
2015-09-01 08:19 - 2015-09-01 19:04 - 00000000 ____D C:\Program Files\gmsd_ru_005010076
2015-09-01 08:19 - 2015-09-01 08:19 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\7WdsManPro7
2015-09-01 08:18 - 2015-09-01 19:29 - 00000000 ____D C:\Program Files\baidu
2015-09-01 08:17 - 2015-09-01 17:26 - 00000004 _____ C:\WINDOWS\system32\029B560A371F4E00AB32838EBC01B9E7
2015-09-01 08:16 - 2015-09-01 19:29 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\nWdsManPron
2015-09-01 08:07 - 2015-09-01 19:04 - 00000000 ____D C:\Program Files\FFFFFFFF-1441069639-FFFF-FFFF-FFFFFFFFFFFF
2015-09-01 08:06 - 2015-09-01 19:29 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\ZWdsManProZ
2015-09-01 08:06 - 2015-09-01 19:04 - 00000000 ____D C:\Program Files\gmsd_ru_025010076
2015-09-01 08:06 - 2015-09-01 17:28 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\update
2015-09-01 08:06 - 2015-09-01 09:56 - 00000178 _____ C:\Documents and Settings\All Users\Application Data\{262E20B8-6E20-4CEF-B1FD-D022AB1085F5}.dat
2015-09-01 08:06 - 2015-09-01 09:26 - 00000000 ____D C:\Documents and Settings\Admin\Local Settings\Application Data\gmsd_ru_025010076
2015-09-01 08:05 - 2015-09-01 11:04 - 00000000 ____D C:\Documents and Settings\Admin\Application Data\WindowsUpdater
2015-09-01 10:21 - 2014-10-25 18:40 - 00000000 ____D C:\Documents and Settings\All Users\Kaspersky Lab Setup Files
CustomCLSID: HKU\S-1-5-21-602162358-1580436667-1417001333-500_Classes\CLSID\{5157F497-D629-47A4-A73D-41ACE6766B0E}\localserver32 -> "C:\Documents and Settings\Admin\Local Settings\Application Data\Kometa\Application\44.0.2403.125\de (the data entry has 27 more characters).
CustomCLSID: HKU\S-1-5-21-602162358-1580436667-1417001333-500_Classes\CLSID\{61CED8F3-2CB2-4C3C-9484-7530E1127A58}\InprocServer32 -> C:\Program Files\IQIYI Video\LStyle\npWebPlayer.dll No File
CustomCLSID: HKU\S-1-5-21-602162358-1580436667-1417001333-500_Classes\CLSID\{D96C1D26-5CDF-4506-9244-57233C3984DF}\InprocServer32 -> C:\Program Files\IQIYI Video\LStyle\npWebPlayer.dll No File
CustomCLSID: HKU\S-1-5-21-602162358-1580436667-1417001333-500_Classes\CLSID\{F3D0D36F-23F8-4682-A195-74C92B03D4AF-NOT}\InprocServer32 -> C:\Program Files\IQIYI Video\LStyle\npWebPlayer.dll No File
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:BF14D50A
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:CB0AACC9
[-HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
[-HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Wdf01000.sys]
StandardProfile\AuthorizedApplications: [C:\Documents and Settings\Admin\Local Settings\Application Data\Kometa\Application\kometa.exe] => Enabled:Kometa
StandardProfile\AuthorizedApplications: [C:\Documents and Settings\Admin\Application Data\IQIYI Video\LStyle\GpUpdate.exe] => Enabled:爱奇艺升级模块
StandardProfile\AuthorizedApplications: [C:\Program Files\IQIYI Video\GeePlayer\GeePlayer.exe] => Enabled:爱奇艺万能播放器
StandardProfile\AuthorizedApplications: [C:\Documents and Settings\Admin\Application Data\IQIYI Video\LStyle\QyUpdate.exe] => Enabled:爱奇艺升级模块
StandardProfile\AuthorizedApplications: [C:\Program Files\Crossbrowse\Crossbrowse\Application\crossbrowse.exe] => Enabled:Crossbrowse
StandardProfile\AuthorizedApplications: [C:\Program Files\IQIYI Video\LStyle\QyClient.exe] => Enabled:爱奇艺PPS影音
StandardProfile\AuthorizedApplications: [C:\Program Files\IQIYI Video\LStyle\QyWebPlayer.exe] => Enabled:爱奇艺PPS影音
StandardProfile\AuthorizedApplications: [C:\Program Files\IQIYI Video\Common\QyKernel.exe] => Enabled:爱奇艺HCDN网络数据传输组件
StandardProfile\AuthorizedApplications: [C:\Program Files\IQIYI Video\LStyle\QyPlayer.exe] => Enabled:爱奇艺视频播放器
EmptyTemp:
Reboot:
end