{Перед использованием скрипта убедиться, что в системе не установлены упомянутые в скрипте антивирусы. Автор скрипта: regist}
var
{ Base directories resolved in AV_block_remove (ProgramData comes from the environment
  without a trailing separator, the two ProgramFiles* paths from NormalDir); fname is the
  scratch path Del_folders works on; OSVer holds the CurrentVersion string read in swprv. }
ProgramData, ProgramFiles, ProgramFiles86, fname, OSVer: string;
{ Folder-name lists filled in FillList and freed at the end of AV_block_remove:
  PD_folders - relative to %ProgramData%; PF_folders - relative to Program Files and
  Program Files (x86); O_folders - absolute paths already passed through NormalDir. }
PD_folders, PF_folders, O_folders : TStringList;
{ Builds the three folder lists consulted by Del_folders.
  PD_folders - names relative to %ProgramData% (the caller passes ProgramData + '\').
  PF_folders - names relative to Program Files and Program Files (x86); the same list
               is applied to both trees.
  O_folders  - absolute paths, normalised here with NormalDir, so the caller passes an
               empty prefix.
  Several ProgramData entries (Windows, System32, Setup, install, RealtekHD, RunDLL ...)
  are presumably decoy names that do not belong under ProgramData on a clean system.
  The antivirus product names are only safe to remove if, as the header comment states,
  none of those products is genuinely installed - confirm before running.
  The lists are created here and freed at the end of AV_block_remove. }
procedure FillList;
begin
{ Names under %ProgramData%. }
PD_folders := TStringList.Create;
PD_folders.Add('360TotalSecurity');
PD_folders.Add('360safe');
PD_folders.Add('AVAST Software');
PD_folders.Add('Avg');
PD_folders.Add('Avira');
PD_folders.Add('ESET');
PD_folders.Add('Indus');
PD_folders.Add('Kaspersky Lab Setup Files');
PD_folders.Add('Kaspersky Lab');
PD_folders.Add('MB3Install');
PD_folders.Add('Malwarebytes');
PD_folders.Add('McAfee');
PD_folders.Add('Norton');
PD_folders.Add('grizzly');
PD_folders.Add('RealtekHD');
PD_folders.Add('RunDLL');
PD_folders.Add('Setup');
PD_folders.Add('System32');
PD_folders.Add('Windows');
PD_folders.Add('WindowsTask');
PD_folders.Add('install');
{ Names under Program Files / Program Files (x86); 'Common Files\McAfee' is a nested path. }
PF_folders := TStringList.Create;
PF_folders.Add('360');
PF_folders.Add('AVAST Software');
PF_folders.Add('AVG');
PF_folders.Add('ByteFence');
PF_folders.Add('COMODO');
PF_folders.Add('Cezurity');
PF_folders.Add('Common Files\McAfee');
PF_folders.Add('ESET');
PF_folders.Add('Enigma Software Group');
PF_folders.Add('GRIZZLY Antivirus');
PF_folders.Add('Kaspersky Lab');
PF_folders.Add('Malwarebytes');
PF_folders.Add('Microsoft JDX');
PF_folders.Add('Panda Security');
PF_folders.Add('SpyHunter');
PF_folders.Add('RDP Wrapper');
{ Absolute paths; %SYSTEMDRIVE% / %windir% are expanded by NormalDir. }
O_folders := TStringList.Create;
O_folders.Add(NormalDir('%SYSTEMDRIVE%'+'\AdwCleaner'));
O_folders.Add(NormalDir('%SYSTEMDRIVE%'+'\KVRT_Data'));
O_folders.Add(NormalDir('%windir%'+'\NetworkDistribution'));
O_folders.Add(NormalDir('%windir%'+'\speechstracing'));
O_folders.Add(NormalDir('%windir%'+'\Fonts\Mysql'));
end;
{ Removes every directory named in AFL that exists below path.
  path - prefix prepended to each entry (separator-terminated, or empty when the
         entries are already absolute); AFL - list of folder names.
  For each existing directory: executable-type files are copied to quarantine,
  all files are deleted, permissions are reset and the directory is removed.
  The resolved path is left in the global fname after the last iteration. }
procedure Del_folders(path:string; AFL : TStringList);
var
idx : integer;
begin
idx := 0;
while idx < AFL.Count do
begin
  { NormalDir expands variables and normalises the combined path. }
  fname := NormalDir(path + AFL[idx]);
  if DirectoryExists(fname) then
  begin
    { Keep copies of executable-type files before anything is destroyed. }
    QuarantineFileF(fname, '*.exe, *.dll, *.sys, *.bat, *.vbs, *.ps1, *.js*, *.tmp*', true, '', 0, 0);
    DeleteFileMask(fname, '*', true);
    { Presumably resets the ACL so the removal that follows is not blocked by restrictive permissions. }
    FSResetSecurity(fname);
    DeleteDirectory(fname);
  end;
  idx := idx + 1;
end;
end;
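{ Re-creates the Microsoft Software Shadow Copy Provider service (swprv) as an
  svchost-hosted service, restores its registry parameters, grants its privilege
  set and starts it.  The steps are order-dependent: the service key only exists
  after 'sc create', so the registry writes must follow it. }
procedure swprv;
begin
{ Service definition: own svchost group "swprv", manual start, depends on RPCSS. }
ExecuteFile('sc.exe', 'create "swprv" binpath= "%SystemRoot%\System32\svchost.exe -k swprv" type= own start= demand depend= RPCSS', 0, 15000, true);
{ Remove a leftover wow64 value - presumably a marker from an earlier 32-bit registration. }
RegKeyParamDel ('HKLM', 'SYSTEM\CurrentControlSet\Services\swprv', 'wow64');
{ Description / display name are resource-string references into swprv.dll. }
RegKeyStrParamWrite ('HKLM', 'SYSTEM\CurrentControlSet\Services\swprv', 'Description', '@%SystemRoot%\System32\swprv.dll,-102');
RegKeyStrParamWrite ('HKLM', 'SYSTEM\CurrentControlSet\Services\swprv', 'DisplayName', '@%SystemRoot%\System32\swprv.dll,-103');
{ ServiceSidType 1 = SERVICE_SID_TYPE_UNRESTRICTED.  The value is given as the string '1',
  as elsewhere in this script; the AVZ interpreter is assumed to accept that - confirm. }
RegKeyIntParamWrite ('HKLM', 'SYSTEM\CurrentControlSet\Services\swprv', 'ServiceSidType', '1');
{ The DLL svchost loads for this service. }
RegKeyParamWrite('HKLM', 'SYSTEM\CurrentControlSet\Services\swprv\Parameters', 'ServiceDll', 'REG_EXPAND_SZ', '%Systemroot%\System32\swprv.dll');
{ CurrentVersion is a string such as '6.1'.  The comparison below is lexical, not numeric,
  so it only behaves for values of the form 6.x; ServiceDllUnloadOnStop is written on
  Windows 8 and later only. }
OSVer := RegKeyStrParamRead('HKLM','SOFTWARE\Microsoft\Windows NT\CurrentVersion','CurrentVersion');
if OSVer > '6.1' then RegKeyIntParamWrite ('HKLM', 'SYSTEM\CurrentControlSet\Services\swprv\Parameters', 'ServiceDllUnloadOnStop', '1');
{ Privilege set for the service.  The list repeats SeManageVolumePrivilege and
  SeRestorePrivilege; it is kept exactly as published rather than edited here. }
ExecuteFile('sc.exe', 'privs "swprv" SeBackupPrivilege/SeChangeNotifyPrivilege/SeCreateGlobalPrivilege/SeCreatePermanentPrivilege/SeImpersonatePrivilege/SeManageVolumePrivilege/SeRestorePrivilege/SeIncreaseBasePriorityPrivilege/SeManageVolumePrivilege/SeRestorePrivilege/SeTcbPrivilege', 0, 15000, true);
ExecuteFile('net.exe', 'start "swprv"', 0, 15000, true);
end;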
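{ Top-level clean-up routine.  Clears the log, builds the folder lists, removes the
  listed folders (quarantining executables first), restores the policy/service
  settings this infection tampers with, optionally deletes the "John" account,
  saves the log, then runs the AVZ troubleshooting wizard and the system clean-up.
  Fix: the TermService value name was misspelt 'ServiceDlll', which created an
  unused value and left the real ServiceDll untouched. }
procedure AV_block_remove;
begin
clearlog;
FillList;
{ Base directories.  ProgramData comes straight from the environment and has no
  trailing separator, hence the explicit '\' below; NormalDir('%PF%') is assumed to
  return a separator-terminated path - confirm against the AVZ docs before changing. }
ProgramData := GetEnvironmentVariable('ProgramData');
ProgramFiles := NormalDir('%PF%');
ProgramFiles86 := NormalDir('%PF% (x86)');
Del_folders(ProgramData +'\', PD_folders);
Del_folders(ProgramFiles, PF_folders);
Del_folders(ProgramFiles86, PF_folders);
{ O_folders already holds absolute paths, so no prefix. }
Del_folders('', O_folders);
{ Export the DisallowRun policy to DisallowRun_backup.reg before deleting it, so it can be
  reviewed or restored; the policy is presumably used to block security tools from running. }
ExpRegKey('HKCU','Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun','DisallowRun_backup.reg');
RegKeyDel('HKCU', 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun');
{ Point TermService back at the genuine termsrv.dll (RDP Wrapper, listed in PF_folders,
  works by swapping this value).  The value name must be exactly 'ServiceDll' - a
  misspelling here silently creates an unused value instead. }
RegKeyParamWrite('HKLM', 'SYSTEM\CurrentControlSet\services\TermService\Parameters', 'ServiceDll', 'REG_EXPAND_SZ', '%SystemRoot%\System32\termsrv.dll');
swprv;
{ MessageDLG returns 6 (mrYes / IDYES) when the user confirms. }
if MessageDLG('Удалить пользователя "John" ?'+ #13#10 + 'Если пользователь с таким именем вам не знаком, то нажмите "Да".', mtConfirmation, mbYes+mbNo, 0) = 6 then
ExecuteFile('net.exe', 'user john /delete', 0, 15000, true);
SaveLog(GetAVZDirectory +'AV_block_remove.log');
{ Lists were created in FillList. }
PD_folders.Free;
PF_folders.Free;
O_folders.Free;
{ AVZ troubleshooting wizard (SCU) followed by the built-in system clean-up. }
ExecuteWizard('SCU', 2, 3, true);
ExecuteSysClean;
end;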
{ Script entry point: runs the complete clean-up defined above. }
begin
AV_block_remove;
end.
{ Separate AVZ script, meant to be run after the clean-up: packs the Quarantine
  folder into quarantine.7z next to AVZ.  Any previous archive is deleted first so
  7za does not append to it.  7za.exe is expected in the AVZ directory; the archive
  is protected with the password "malware" (presumably the usual sample-archive
  password, so the contents are not scanned in transit); 300000 is presumably the
  wait timeout in ms - confirm against the AVZ ExecuteFile documentation. }
begin
DeleteFile(GetAVZDirectory+'quarantine.7z');
ExecuteFile(GetAVZDirectory+'7za.exe', 'a -mx9 -pmalware quarantine .\Quarantine\*', 1, 300000, false);
end.
Start::
SystemRestore: On
CreateRestorePoint:
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKU\S-1-5-21-804432708-671412679-2834045610-1000\...\MountPoints2: {30d29e1e-185b-11e8-afcc-94de80b778dc} - E:\HiSuiteDownLoader.exe
HKU\S-1-5-21-804432708-671412679-2834045610-1000\...\MountPoints2: {43b65465-1997-11ea-ad16-94de80b778dc} - E:\HiSuiteDownLoader.exe
HKU\S-1-5-21-804432708-671412679-2834045610-1000\...\MountPoints2: {83ed4240-ba7d-11e4-9e89-94de80b778dc} - K:\./MTP/LMPC.exe
HKU\S-1-5-21-804432708-671412679-2834045610-1000\...\MountPoints2: {ac4264c9-31ed-11e4-abbd-806e6f6e6963} - D:\Run.exe
HKU\S-1-5-21-804432708-671412679-2834045610-1000\...\MountPoints2: {cedbe45d-d7d2-11e6-a1c8-94de80b778dc} - E:\Lenovo_Suite.exe
HKU\S-1-5-21-804432708-671412679-2834045610-1000\...\MountPoints2: {eb818ba8-7033-11ea-99fa-94de80b778dc} - D:\HiSuiteDownLoader.exe
FF user.js: detected! => C:\Users\Dasnebel\AppData\Roaming\Mozilla\Firefox\Profiles\4j37h1o6.default\user.js [2015-04-16]
CHR StartupUrls: Default -> "hxxp://mail.ru/cnt/10445?gp=ticno2"
C:\Users\Dasnebel\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpegcopcfajiiibidlaelhjjblpefbjk
2020-11-24 14:26 - 2014-11-04 00:23 - 000000000 __SHD C:\ProgramData\Doctor Web
2020-11-23 16:20 - 2020-11-24 00:16 - 000000000 ____D C:\ProgramData\ProductData
2020-11-23 16:20 - 2020-11-23 16:20 - 000000000 ____D C:\Users\Dasnebel\AppData\LocalLow\IObit
2020-11-23 16:19 - 2020-11-23 16:20 - 000002274 _____ C:\Users\Public\Desktop\Driver Booster 8.lnk
2020-11-23 16:19 - 2020-11-23 16:20 - 000002274 _____ C:\ProgramData\Desktop\Driver Booster 8.lnk
2020-11-23 16:19 - 2020-11-23 16:19 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Driver Booster 8
2020-11-23 16:19 - 2020-11-23 16:19 - 000000000 ____D C:\Program Files (x86)\IObit
2020-11-23 16:18 - 2020-11-23 16:20 - 000000000 ____D C:\Users\Dasnebel\AppData\Roaming\IObit
2020-11-23 16:18 - 2020-11-23 16:20 - 000000000 ____D C:\ProgramData\IObit
AlternateDataStreams: C:\ProgramData\TEMP:41ADDB8A [161]
AlternateDataStreams: C:\ProgramData\TEMP:A064CECC [146]
AlternateDataStreams: C:\Users\Dasnebel\Application Data:77a575add9465d78c606d381e5f202fb [394]
AlternateDataStreams: C:\Users\Dasnebel\AppData\Roaming:77a575add9465d78c606d381e5f202fb [394]
HKU\S-1-5-21-804432708-671412679-2834045610-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://yamdex.net/?searchid=1&l10n=ru&fromsearch=1&imsid=7221e83a459a4987b6f445150422b0fb&text={searchTerms}
Toolbar: HKU\S-1-5-21-804432708-671412679-2834045610-1000 -> No Name - {C500C267-63BF-451F-8797-4D720C9A2ED9} - No File
Toolbar: HKU\S-1-5-21-804432708-671412679-2834045610-1000 -> No Name - {EF293C5A-9F37-49FD-91C4-2B867063FC54} - No File
FirewallRules: [{B3C29DBE-BFEB-414F-BEB0-C488B79C91A3}] => (Block) LPort=445
FirewallRules: [{7AF6496C-B6B3-4843-B7E1-9B14C091D767}] => (Block) LPort=139
FirewallRules: [{DF1B1735-924A-4C93-B903-A096C72E360F}] => (Block) LPort=445
FirewallRules: [{FB248796-C314-4411-A5C1-48D48576DD5D}] => (Block) LPort=139
ExportKey: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions
EmptyTemp:
Reboot:
End::