Valeron173 (new user; messages: 4; reactions: 0)
Start::
CreateRestorePoint:
VirusTotal: C:\Program Files (x86)\WinRAR\WinRAR.exe;
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [123394] => 123394
HKU\S-1-5-21-1377243392-1966040662-3555900388-1000\...\Policies\Explorer: [NoInternetOpenWith] 1
HKU\S-1-5-21-1377243392-1966040662-3555900388-1000\...\Policies\Explorer: [HideSCAHealth] 1
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
HKU\S-1-5-21-1377243392-1966040662-3555900388-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
2020-04-01 16:22 - 2020-04-01 16:22 - 000006061 _____ C:\Users\User\how_to_decrypt.hta
2020-04-01 16:22 - 2020-04-01 16:22 - 000006061 _____ C:\Users\User\Downloads\how_to_decrypt.hta
2020-04-01 16:22 - 2020-04-01 16:22 - 000006061 _____ C:\Users\User\Desktop\how_to_decrypt.hta
2020-04-01 16:22 - 2020-04-01 16:22 - 000006061 _____ C:\Users\User\AppData\Roaming\how_to_decrypt.hta
2020-04-01 16:22 - 2020-04-01 16:22 - 000006061 _____ C:\Users\User\AppData\LocalLow\how_to_decrypt.hta
2020-04-01 16:22 - 2020-04-01 16:22 - 000006061 _____ C:\Users\User\AppData\how_to_decrypt.hta
2020-04-01 16:22 - 2020-04-01 16:22 - 000006061 _____ C:\how_to_decrypt.hta
2020-04-01 16:21 - 2020-04-01 16:21 - 000006061 _____ C:\Users\Public\how_to_decrypt.hta
2020-04-01 16:21 - 2020-04-01 16:21 - 000006061 _____ C:\Users\Public\Downloads\how_to_decrypt.hta
2020-04-01 16:21 - 2020-04-01 16:21 - 000006061 _____ C:\Users\Default\Downloads\how_to_decrypt.hta
2020-04-01 16:21 - 2020-04-01 16:21 - 000006061 _____ C:\Users\Default\Desktop\how_to_decrypt.hta
2020-04-01 16:21 - 2020-04-01 16:21 - 000006061 _____ C:\Users\Default\AppData\how_to_decrypt.hta
2020-04-01 16:21 - 2020-04-01 16:21 - 000006061 _____ C:\Users\Default User\Downloads\how_to_decrypt.hta
2020-04-01 16:21 - 2020-04-01 16:21 - 000006061 _____ C:\Users\Default User\Desktop\how_to_decrypt.hta
2020-04-01 16:21 - 2020-04-01 16:21 - 000006061 _____ C:\Users\Default User\AppData\how_to_decrypt.hta
2020-04-01 16:21 - 2020-04-01 16:21 - 000006061 _____ C:\Users\Cuctema\how_to_decrypt.hta
2020-04-01 16:21 - 2020-04-01 16:21 - 000006061 _____ C:\Users\Cuctema\Downloads\how_to_decrypt.hta
2020-04-01 16:21 - 2020-04-01 16:21 - 000006061 _____ C:\Users\Cuctema\Documents\how_to_decrypt.hta
2020-04-01 16:21 - 2020-04-01 16:21 - 000006061 _____ C:\Users\Cuctema\Desktop\how_to_decrypt.hta
2020-04-01 16:21 - 2020-04-01 16:21 - 000006061 _____ C:\Users\Cuctema\AppData\Roaming\Microsoft\Windows\Start Menu\how_to_decrypt.hta
2020-04-01 16:21 - 2020-04-01 16:21 - 000006061 _____ C:\Users\Cuctema\AppData\Roaming\how_to_decrypt.hta
2020-04-01 16:21 - 2020-04-01 16:21 - 000006061 _____ C:\Users\Cuctema\AppData\LocalLow\how_to_decrypt.hta
2020-04-01 16:21 - 2020-04-01 16:21 - 000006061 _____ C:\Users\Cuctema\AppData\Local\how_to_decrypt.hta
2020-04-01 16:21 - 2020-04-01 16:21 - 000006061 _____ C:\Users\Cuctema\AppData\how_to_decrypt.hta
2020-04-01 15:46 - 2020-04-01 15:46 - 000006061 _____ C:\Users\User\Documents\how_to_decrypt.hta
2020-04-01 15:46 - 2020-04-01 15:46 - 000006061 _____ C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\how_to_decrypt.hta
2020-04-01 15:46 - 2020-04-01 15:46 - 000006061 _____ C:\Users\User\AppData\Local\how_to_decrypt.hta
2020-04-01 15:21 - 2020-04-01 15:21 - 000006061 _____ C:\Users\Default\how_to_decrypt.hta
2020-04-01 15:21 - 2020-04-01 15:21 - 000006061 _____ C:\Users\Default\Documents\how_to_decrypt.hta
2020-04-01 15:21 - 2020-04-01 15:21 - 000006061 _____ C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\how_to_decrypt.hta
2020-04-01 15:21 - 2020-04-01 15:21 - 000006061 _____ C:\Users\Default\AppData\Roaming\how_to_decrypt.hta
2020-04-01 15:21 - 2020-04-01 15:21 - 000006061 _____ C:\Users\Default\AppData\Local\how_to_decrypt.hta
2020-04-01 15:21 - 2020-04-01 15:21 - 000006061 _____ C:\Users\Default User\how_to_decrypt.hta
2020-04-01 15:21 - 2020-04-01 15:21 - 000006061 _____ C:\Users\Default User\Documents\how_to_decrypt.hta
2020-04-01 15:21 - 2020-04-01 15:21 - 000006061 _____ C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\how_to_decrypt.hta
2020-04-01 15:21 - 2020-04-01 15:21 - 000006061 _____ C:\Users\Default User\AppData\Roaming\how_to_decrypt.hta
2020-04-01 15:21 - 2020-04-01 15:21 - 000006061 _____ C:\Users\Default User\AppData\Local\how_to_decrypt.hta
2020-04-01 15:18 - 2020-04-01 15:18 - 000006061 _____ C:\ProgramData\Microsoft\Windows\Start Menu\how_to_decrypt.hta
2020-04-01 15:13 - 2020-04-01 15:13 - 000006061 _____ C:\Users\Public\Documents\how_to_decrypt.hta
2020-04-01 15:12 - 2020-04-01 15:12 - 000006061 _____ C:\Users\Все пользователи\how_to_decrypt.hta
2020-04-01 15:12 - 2020-04-01 15:12 - 000006061 _____ C:\Users\Public\Desktop\how_to_decrypt.hta
2020-04-01 15:12 - 2020-04-01 15:12 - 000006061 _____ C:\ProgramData\how_to_decrypt.hta
2020-04-01 15:06 - 2020-04-01 15:06 - 000006061 _____ C:\Users\how_to_decrypt.hta
CustomCLSID: HKU\S-1-5-21-1377243392-1966040662-3555900388-1000_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32 -> C:\Users\User\AppData\Local\Microsoft\OneDrive\19.002.0107.0005\amd64\FileSyncShell64.dll => No File
CustomCLSID: HKU\S-1-5-21-1377243392-1966040662-3555900388-1000_Classes\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InprocServer32 -> C:\Users\User\AppData\Local\Microsoft\OneDrive\19.002.0107.0005\amd64\FileCoAuthLib64.dll => No File
CustomCLSID: HKU\S-1-5-21-1377243392-1966040662-3555900388-1000_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32 -> C:\Users\User\AppData\Local\Microsoft\OneDrive\19.002.0107.0005\amd64\FileSyncShell64.dll => No File
CustomCLSID: HKU\S-1-5-21-1377243392-1966040662-3555900388-1000_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32 -> C:\Users\User\AppData\Local\Microsoft\OneDrive\19.002.0107.0005\amd64\FileSyncShell64.dll => No File
CustomCLSID: HKU\S-1-5-21-1377243392-1966040662-3555900388-1000_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32 -> C:\Users\User\AppData\Local\Microsoft\OneDrive\19.002.0107.0005\amd64\FileSyncShell64.dll => No File
CustomCLSID: HKU\S-1-5-21-1377243392-1966040662-3555900388-1000_Classes\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32 -> C:\Users\User\AppData\Local\Microsoft\OneDrive\19.002.0107.0005\amd64\FileSyncShell64.dll => No File
CustomCLSID: HKU\S-1-5-21-1377243392-1966040662-3555900388-1000_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32 -> C:\Users\User\AppData\Local\Microsoft\OneDrive\19.002.0107.0005\amd64\FileSyncShell64.dll => No File
CustomCLSID: HKU\S-1-5-21-1377243392-1966040662-3555900388-1000_Classes\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32 -> C:\Users\User\AppData\Local\Microsoft\OneDrive\19.002.0107.0005\amd64\FileSyncShell64.dll => No File
CustomCLSID: HKU\S-1-5-21-1377243392-1966040662-3555900388-1000_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32 -> C:\Users\User\AppData\Local\Microsoft\OneDrive\19.002.0107.0005\amd64\FileSyncShell64.dll => No File
CustomCLSID: HKU\S-1-5-21-1377243392-1966040662-3555900388-1000_Classes\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32 -> C:\Users\User\AppData\Local\Microsoft\OneDrive\19.002.0107.0005\amd64\FileSyncShell64.dll => No File
CustomCLSID: HKU\S-1-5-21-1377243392-1966040662-3555900388-1000_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32 -> C:\Users\User\AppData\Local\Microsoft\OneDrive\19.002.0107.0005\amd64\FileSyncShell64.dll => No File
CustomCLSID: HKU\S-1-5-21-1377243392-1966040662-3555900388-1000_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32 -> C:\Users\User\AppData\Local\Microsoft\OneDrive\19.002.0107.0005\amd64\FileSyncShell64.dll => No File
ShellIconOverlayIdentifiers: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => C:\Users\User\AppData\Local\Microsoft\OneDrive\19.002.0107.0005\amd64\FileSyncShell64.dll -> No File
ShellIconOverlayIdentifiers: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} => C:\Users\User\AppData\Local\Microsoft\OneDrive\19.002.0107.0005\amd64\FileSyncShell64.dll -> No File
ShellIconOverlayIdentifiers: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} => C:\Users\User\AppData\Local\Microsoft\OneDrive\19.002.0107.0005\amd64\FileSyncShell64.dll -> No File
ShellIconOverlayIdentifiers: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => C:\Users\User\AppData\Local\Microsoft\OneDrive\19.002.0107.0005\amd64\FileSyncShell64.dll -> No File
ShellIconOverlayIdentifiers: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => C:\Users\User\AppData\Local\Microsoft\OneDrive\19.002.0107.0005\amd64\FileSyncShell64.dll -> No File
ShellIconOverlayIdentifiers: [ OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} => C:\Users\User\AppData\Local\Microsoft\OneDrive\19.002.0107.0005\amd64\FileSyncShell64.dll -> No File
ShellIconOverlayIdentifiers: [ OneDrive7] -> {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} => C:\Users\User\AppData\Local\Microsoft\OneDrive\19.002.0107.0005\amd64\FileSyncShell64.dll -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => C:\Users\User\AppData\Local\Microsoft\OneDrive\19.002.0107.0005\amd64\FileSyncShell64.dll -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} => C:\Users\User\AppData\Local\Microsoft\OneDrive\19.002.0107.0005\amd64\FileSyncShell64.dll -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} => C:\Users\User\AppData\Local\Microsoft\OneDrive\19.002.0107.0005\amd64\FileSyncShell64.dll -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => C:\Users\User\AppData\Local\Microsoft\OneDrive\19.002.0107.0005\amd64\FileSyncShell64.dll -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => C:\Users\User\AppData\Local\Microsoft\OneDrive\19.002.0107.0005\amd64\FileSyncShell64.dll -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} => C:\Users\User\AppData\Local\Microsoft\OneDrive\19.002.0107.0005\amd64\FileSyncShell64.dll -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive7] -> {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} => C:\Users\User\AppData\Local\Microsoft\OneDrive\19.002.0107.0005\amd64\FileSyncShell64.dll -> No File
ContextMenuHandlers1_S-1-5-21-1377243392-1966040662-3555900388-1000: [ FileSyncEx] -> {CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} => C:\Users\User\AppData\Local\Microsoft\OneDrive\19.002.0107.0005\amd64\FileSyncShell64.dll -> No File
ContextMenuHandlers4_S-1-5-21-1377243392-1966040662-3555900388-1000: [ FileSyncEx] -> {CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} => C:\Users\User\AppData\Local\Microsoft\OneDrive\19.002.0107.0005\amd64\FileSyncShell64.dll -> No File
ContextMenuHandlers5_S-1-5-21-1377243392-1966040662-3555900388-1000: [ FileSyncEx] -> {CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} => C:\Users\User\AppData\Local\Microsoft\OneDrive\19.002.0107.0005\amd64\FileSyncShell64.dll -> No File
FirewallRules: [{0E5A24B3-63B9-45EA-9654-E5B01FA9CA1C}] => (Allow) H:\2\AnyDesk.exe No File
FirewallRules: [{EA513EED-7E45-4C81-9209-15BC9C0154E2}] => (Allow) H:\2\AnyDesk.exe No File
FirewallRules: [{9A04B125-96E2-417B-A18B-B88A4DCE833B}] => (Allow) H:\2\AnyDesk.exe No File
FirewallRules: [{4D14EE45-163A-47F6-8DAF-2BD52C1F32FF}] => (Allow) H:\2\AnyDesk.exe No File
FirewallRules: [{35208F76-BC96-43A2-8A78-0315E243B2D0}] => (Allow) H:\2\AnyDesk.exe No File
FirewallRules: [{3B8A0E26-B846-4084-B402-09393E273927}] => (Allow) H:\2\AnyDesk.exe No File
EmptyTemp:
Reboot:
End::
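As an added example (not from the thread and not part of FRST), here is a read-only PowerShell triage that reports the same four classes of leftovers the fix script above removes: ransom notes scattered over profile directories, an enabled administrator account nobody created, firewall Allow rules for a program that no longer exists, and Explorer/Internet Explorer policy restrictions. It assumes PowerShell 5.1 or later run elevated on the affected host; $ExpectedAdmins is a placeholder you fill in, and HKCU is the hive of whoever runs the script.

```powershell
# Added example: read-only triage for the leftover classes the FRST fix targets.
# Assumes PowerShell 5.1+ on the affected host, run as administrator.
# Nothing here deletes or changes anything; it only reports.

$NoteName       = 'how_to_decrypt.hta'      # ransom note name seen in the FRST log
$ExpectedAdmins = @('User')                 # placeholder: accounts you know you created

# 1. Ransom notes dropped across C:\, ProgramData and every profile directory
function Find-RansomNotes {
    Get-ChildItem -Path 'C:\' -Filter $NoteName -Recurse -Depth 6 -Force -ErrorAction SilentlyContinue |
        ForEach-Object { "RansomNote: $($_.FullName) ($($_.Length) bytes, written $($_.LastWriteTime))" }
}

# 2. Enabled local accounts in Administrators that you did not create (the 'Cuctema' case)
function Find-UnexpectedAdmins {
    Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        Where-Object { $_.ObjectClass -eq 'User' } |
        ForEach-Object {
            $name = $_.Name.Split('\')[-1]
            $u = Get-LocalUser -Name $name -ErrorAction SilentlyContinue   # domain members return nothing
            if ($u -and $u.Enabled -and ($ExpectedAdmins -notcontains $name)) {
                "UnexpectedAdmin: $name (SID $($u.SID), last logon $($u.LastLogon))"
            }
        }
}

# 3. Enabled Allow rules whose program path no longer exists (e.g. H:\2\AnyDesk.exe once the
#    drive it was run from is gone); an orphaned rule records what was run and from where
function Find-OrphanFirewallRules {
    foreach ($rule in Get-NetFirewallRule -Action Allow -Enabled True -ErrorAction SilentlyContinue) {
        $program = ($rule | Get-NetFirewallApplicationFilter).Program
        if (-not $program -or $program -in @('Any', 'System')) { continue }
        $path = [Environment]::ExpandEnvironmentVariables($program)
        if (-not (Test-Path -LiteralPath $path)) {
            "OrphanFirewallAllow: '$($rule.DisplayName)' -> $program"
        }
    }
}

# 4. Explorer / Internet Explorer policy values; on a home or small-office host that has no
#    group policy, any value here was set by software, not by an administrator
function Get-PolicyValues {
    $keys = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer',
        'HKCU:\SOFTWARE\Policies\Microsoft\Internet Explorer',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )
    foreach ($root in $keys) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $subkeys = @(Get-Item -LiteralPath $root) +
                   @(Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($k in $subkeys) {
            foreach ($valueName in $k.GetValueNames()) {
                "PolicyValue: $($k.Name)\$valueName = $($k.GetValue($valueName))"
            }
        }
    }
}

$findings = @(Find-RansomNotes) + @(Find-UnexpectedAdmins) + @(Find-OrphanFirewallRules) + @(Get-PolicyValues)
if ($findings.Count -eq 0) {
    Write-Output 'No leftovers of the checked classes found.'
} else {
    $findings | Sort-Object | Write-Output
    # Keep a copy next to the FRST logs so it can be attached to the thread
    $findings | Out-File -FilePath "$env:USERPROFILE\Desktop\triage-$(Get-Date -Format yyyyMMdd-HHmm).txt"
}
```

The report is a starting point for the cleanup, not a replacement for it: the FRST fix and the account and password changes recommended in the thread still have to be done.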
Policies were not configured!
The policies configured themselves?
HKU\S-1-5-21-1377243392-1966040662-3555900388-1000\...\Policies\Explorer: [NoInternetOpenWith] 1
HKU\S-1-5-21-1377243392-1966040662-3555900388-1000\...\Policies\Explorer: [HideSCAHealth] 1
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
HKU\S-1-5-21-1377243392-1966040662-3555900388-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
Are all the users yours?
Cuctema (S-1-5-21-1377243392-1966040662-3555900388-1001 - Administrator - Enabled) => C:\Users\Cuctema
User (S-1-5-21-1377243392-1966040662-3555900388-1000 - Administrator - Enabled) => C:\Users\User
Delete the user. That is a gift the hackers left you, for getting back in later. ++ Change the RDP passwords.
There was no user Cuctema.
Then one more script, but run it after you attach the report from the previous one.
Policies were not configured!
Start::
CreateRestorePoint:
GroupPolicy: Restriction ? <==== ATTENTION
HKU\S-1-5-21-1377243392-1966040662-3555900388-1000\...\Policies\Explorer: [LinkResolveIgnoreLinkInfo] 0
HKU\S-1-5-21-1377243392-1966040662-3555900388-1000\...\Policies\Explorer: [NoResolveSearch] 0
HKU\S-1-5-21-1377243392-1966040662-3555900388-1000\...\Policies\Explorer: [NoInternetOpenWith] 1
HKU\S-1-5-21-1377243392-1966040662-3555900388-1000\...\Policies\Explorer: [HideSCAHealth] 1
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
HKU\S-1-5-21-1377243392-1966040662-3555900388-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
Reboot:
End::
Please note: after the script runs, all open browser tabs will be closed, you will be logged out of your accounts, and temporary files, cookies and cache will be cleared.
- Disable the antivirus until the reboot.
- Select the following code:
Code: (the same FRST fix script as listed above, from Start:: through End::)
- Copy the selected text (right-click, Copy).
- Run FRST (FRST64) as administrator.
- Click Fix and wait. The program will create a log file (Fixlog.txt). Attach it to your next message.
Alas, that is a program for breaking into RDP, not the encryptor itself. In fact you caught the newest version, 1.9.0.0. Without the encryptor itself it is hard to say anything definite.
I think I found the ransomware file.