удалите через Установку программ.
CloudNet
Main service
Кнопка "Яндекс" на панели задач
Менеджер браузеров
{ AVZ removal script for this case: stops the malicious processes, disables
  and removes their services, keeps a quarantine copy of every file before it
  is deleted, strips the autorun values and scheduled tasks, then reboots.
  All paths and names below are the indicators taken from the logs of this
  thread; note that they span two user profiles ('amourina' and '1'). }
begin
// Warn the user first: the next call drops every network connection for the
// duration of the script; they come back after the reboot at the end.
ShowMessage('Внимание! Перед выполнением скрипта AVZ автоматически закроет все сетевые подключения.' + #13#10 + 'После перезагрузки компьютера подключения к сети будут восстановлены в автоматическом режиме.');
// Stop the TCP/IP service (and its dependents, /y) so the malware cannot
// call out or re-download itself while it is being removed; waits up to 15 s.
ExecuteFile('net.exe', 'stop tcpip /y', 0, 15000, true);
// Standard AVZ preamble: rootkit search and AVZGuard only on a native
// (non-WOW64) run of AVZ.
if not IsWOW64
then
begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
end;
// Phase 1: terminate the running malicious processes by full path, so their
// files are no longer locked when they are quarantined and deleted below.
TerminateProcessByName('C:\Program Files (x86)\GAOiga\357429775.exe');
TerminateProcessByName('C:\Program Files (x86)\GAOiga\75726712.exe');
TerminateProcessByName('c:\users\amourina\appdata\local\temp\csrss\cloudnet.exe');
TerminateProcessByName('C:\Users\1\AppData\Local\App\csrss.exe');
TerminateProcessByName('c:\windows\rss\csrss.exe');
TerminateProcessByName('c:\users\amourina\appdata\local\temp\csrss\lsa64.exe');
TerminateProcessByName('c:\programdata\windowsmenu\westat.exe');
TerminateProcessByName('c:\windows\windefender.exe');
TerminateProcessByName('c:\program files (x86)\machinerdata\modularinstaller.exe');
// Phase 2: set the Start value of the malicious services to 4
// (SERVICE_DISABLED) so nothing restarts them before DeleteService runs below.
SetServiceStart('localNETService', 4);
SetServiceStart('Main Service', 4);
SetServiceStart('WinDefender', 4);
// Phase 3: copy every file into the AVZ quarantine before deleting it, so the
// samples remain available for analysis (second argument is a quarantine
// comment, left empty here).
QuarantineFile('C:\Users\amourina\AppData\Local\Temp\csrss\scheduled.exe','');
QuarantineFile('C:\Program Files (x86)\OACnpkvCW\OACnpkvCW.dll','');
QuarantineFile('C:\Users\1\AppData\Roaming\EpicNet Inc\CloudNet\cloudnet.exe','');
QuarantineFile('C:\Program Files\Windows Photo Viewer\163ZIPYMGGO2LE5JNQPN72\UT4XOivOqe.exe','');
QuarantineFile('c:\program files (x86)\machinerdata\modularinstaller.exe','');
QuarantineFile('c:\users\amourina\appdata\local\temp\csrss\cloudnet.exe','');
QuarantineFile('c:\windows\windefender.exe','');
QuarantineFile('c:\programdata\windowsmenu\westat.exe','');
QuarantineFile('c:\programdata\localnetservice\localnetservice.exe','');
QuarantineFile('c:\users\amourina\appdata\local\temp\csrss\lsa64.exe','');
QuarantineFile('C:\Users\1\AppData\Local\App\csrss.exe','');
QuarantineFile('c:\windows\rss\csrss.exe','');
QuarantineFile('C:\Program Files (x86)\GAOiga\357429775.exe','');
// Phase 4: delete the files. The second argument ('32' / '64') is the AVZ
// delete-mode flag — presumably selects the 32-bit or 64-bit file-system
// view; confirm against the AVZ documentation before reusing it elsewhere.
DeleteFile('C:\Program Files (x86)\GAOiga\357429775.exe','32');
DeleteFile('c:\windows\rss\csrss.exe','32');
DeleteFile('C:\Users\1\AppData\Local\App\csrss.exe','32');
DeleteFile('c:\users\amourina\appdata\local\temp\csrss\lsa64.exe','32');
DeleteFile('c:\programdata\windowsmenu\westat.exe','32');
DeleteFile('c:\windows\windefender.exe','32');
DeleteFile('c:\users\amourina\appdata\local\temp\csrss\cloudnet.exe','32');
DeleteFile('c:\program files (x86)\machinerdata\modularinstaller.exe','32');
DeleteFile('C:\Program Files\Windows Photo Viewer\163ZIPYMGGO2LE5JNQPN72\UT4XOivOqe.exe','32');
DeleteFile('C:\Users\1\AppData\Roaming\EpicNet Inc\CloudNet\cloudnet.exe','32');
DeleteFile('C:\Program Files (x86)\OACnpkvCW\OACnpkvCW.dll','64');
DeleteFile('C:\Users\amourina\AppData\Local\Temp\csrss\scheduled.exe','64');
// Phase 5: remove autorun persistence. The HKCU Run values are deleted from
// both registry views ('x32' and 'x64' last argument), the HKLM RunOnce
// values only from the 64-bit view, as they were reported in the log.
RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\Run','CloudNet','x32');
RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\Run','WinterSilence','x32');
RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\Run','App','x32');
RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\Run','395092','x32');
RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\Run','6745577','x32');
RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\Run','UT4XOivOqe.exe','x32');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\RunOnce','OMEWPRODUCT_','x64');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\RunOnce','ee3tij3zglb','x64');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\RunOnce','j5webvx1nvc','x64');
RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\Run','UT4XOivOqe.exe','x64');
RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\Run','6745577','x64');
RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\Run','395092','x64');
RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\Run','App','x64');
RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\Run','WinterSilence','x64');
RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\Run','CloudNet','x64');
// Phase 6: scheduled tasks used as persistence (task names as listed in the
// FRST log of this thread).
DeleteSchedulerTask('csrss');
DeleteSchedulerTask('lsa64');
DeleteSchedulerTask('Microsoft\QuickLaunch');
DeleteSchedulerTask('Microsoft\Windows\Starter');
DeleteSchedulerTask('OACnpkvCW');
DeleteSchedulerTask('ScheduledUpdate');
// Phase 7: remove the service registrations themselves (they were disabled
// in Phase 2 so they could not restart meanwhile).
DeleteService('Starter Check');
DeleteService('WinDefender');
DeleteService('Main Service');
DeleteService('localNETService');
// Hand anything that could not be removed while running (locked or protected
// files) to the AVZ BootCleaner so it is deleted on the next boot, run the
// system cleanup, then reboot without asking.
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
RebootWindows(false);
end.
{ Packs the AVZ Quarantine folder into quarantine.7z in the AVZ directory.
  Any previous archive is removed first so the new one is not appended to
  stale content. The archive password 'virus' is the usual transport guard so
  the samples are not picked up by antivirus on the way to the analysts —
  it is not meant as confidentiality protection. }
begin
DeleteFile(GetAVZDirectory+'quarantine.7z');
// 7za.exe from the AVZ directory: add (a), maximum compression (-mx9),
// password 'virus' (-pvirus); ShowMode 1, timeout 0 (presumably no limit),
// and wait for the archiver to finish before the script ends.
ExecuteFile(GetAVZDirectory+'7za.exe', 'a -mx9 -pvirus quarantine ./Quarantine/', 1, 0, true);
end.
Start::
CreateRestorePoint:
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
GroupPolicy: Restriction - Chrome <==== ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
Task: {2CDC0902-CF1C-4587-B303-9E715A51F7B0} - System32\Tasks\gerpril2 => C:\Users\1\AppData\Roaming\gerpril\python\pythonw.exe <==== ATTENTION
Task: {6DF2C05D-E00D-4290-8A00-FDF90B3FCFA3} - System32\Tasks\gerpril => C:\Users\1\AppData\Roaming\gerpril\python\pythonw.exe <==== ATTENTION
Task: {55758D25-E024-4FB4-887B-4CF062F19BFB} - System32\Tasks\OACnpkvCW => C:\windows\system32\rundll32.exe "C:\Program Files (x86)\OACnpkvCW\OACnpkvCW.dll",OACnpkvCW <==== ATTENTION
CHR HKLM-x32\...\Chrome\Extension: [cpegcopcfajiiibidlaelhjjblpefbjk] - hxxp://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [gehngeifmelphpllncobkmimphfkckne] - hxxp://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [necfmkplpminfjagblfabggomdpaakan] - hxxp://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [pfigaoamnncijbgomifamkmkidnnlikl] - hxxp://clients2.google.com/service/update2/crx
2019-05-10 17:47 - 2019-05-10 17:47 - 000011568 _____ C:\Users\1\AppData\Local\InstallationConfiguration.xml
2019-05-10 17:43 - 2019-05-10 17:43 - 000001288 _____ C:\Users\1\Downloads\axgbbkpqhywewkaq.txt
2019-05-10 16:49 - 2019-05-10 20:06 - 000000004 _____ C:\ProgramData\lock.dat
2019-05-10 16:49 - 2019-05-10 20:02 - 000000052 _____ C:\ProgramData\irw.atsd
2019-05-10 16:49 - 2019-05-10 16:49 - 000000008 _____ C:\ProgramData\ts.dat
2019-05-10 16:35 - 2019-05-10 16:35 - 000000000 ____D C:\ProgramData\localNETService
2019-05-10 16:09 - 2019-05-10 19:57 - 000016706 _____ C:\windows\System32\Tasks\OACnpkvCW
2019-05-10 16:09 - 2019-05-10 19:57 - 000000000 ____D C:\Program Files (x86)\OACnpkvCW
2019-05-10 16:07 - 2019-05-10 19:43 - 001312832 _____ C:\ProgramData\appdata.dat
2019-05-10 16:04 - 2019-05-10 19:56 - 000000000 ___HD C:\windows\rss
2019-05-10 16:04 - 2019-05-10 19:56 - 000000000 ____D C:\Users\1\AppData\Local\App
2019-05-10 16:04 - 2019-05-10 19:56 - 000000000 ____D C:\ProgramData\WindowsMenu
2019-05-10 16:04 - 2019-05-10 19:56 - 000000000 ____D C:\Program Files (x86)\MachinerData
2019-05-10 16:04 - 2019-05-10 18:02 - 000003386 __RSH C:\ProgramData\ntuser.pol
2019-05-10 16:03 - 2019-05-10 19:55 - 000000000 ____D C:\Users\1\AppData\Roaming\gerpril
2019-05-10 16:03 - 2019-05-10 17:47 - 000722944 _____ C:\Users\1\AppData\Local\sha.db
2019-05-10 16:03 - 2019-05-10 16:03 - 000140800 _____ C:\Users\1\AppData\Local\installer.dat
2019-05-10 16:03 - 2019-05-10 16:03 - 000003296 _____ C:\windows\System32\Tasks\gerpril2
2019-05-10 16:03 - 2019-05-10 16:03 - 000003286 _____ C:\windows\System32\Tasks\gerpril
2019-05-10 16:03 - 2019-05-10 16:03 - 000000000 ____D C:\Users\1\AppData\Roaming\Python
2019-05-10 16:03 - 2019-05-10 16:03 - 000000000 ____D C:\ProgramData\fb
2019-05-10 16:03 - 2019-05-10 16:03 - 000000000 ____D C:\Program Files (x86)\GAOiga
FirewallRules: [{B0AE8CAB-68FA-4CE5-B6EF-FBA51B6F25BC}] => (Allow) C:\Users\amourina\AppData\Local\Temp\csrss\lsa64.exe No File
FirewallRules: [{88B481DB-C126-4DC3-A322-ADB582B5E8A3}] => (Allow) C:\Users\amourina\AppData\Local\Temp\csrss\lsa64.exe No File
FirewallRules: [{08A2A63F-6CF7-4B2E-95CF-396D6945A84A}] => (Allow) C:\windows\rss\csrss.exe No File
FirewallRules: [{61EF9649-A22A-4E02-8DC7-853C9B7862DF}] => (Allow) C:\Users\amourina\AppData\Roaming\EpicNet Inc\CloudNet\cloudnet.exe No File
C:\Users\amourina\AppData\Roaming\EpicNet Inc
Reboot:
End::
удалите вручную.
c:\program files (x86)\google\update
c:\programdata\localnetservice
c:\users\amourina\appdata\local\temp\csrss
Это в конкретном браузере или во всех?
{Исправление в службах в реестре, значения ImagePath.
Данный скрипт распространяется свободно и может быть модифицирован по согласованию с авторами - представителями SafeZone.cc
При публикации скрипта данный комментарий и ссылка на VirusNet.Info обязательны. }
// Service texts chosen by installed language (filled in the main block);
// 'Dispay' is a typo kept because every use site spells it the same way.
var DescriptionTextWuauServ, DispayNameTextWuauServ, DescriptionTextBITS: String;
// FullPathSystem32 ends with a backslash; NameFolderSystem32 is the System32
// path with its root prefix stripped. The global FileServiceDll is shadowed
// by a local of the same name in CorrectRegistryRoot and is not used here.
DispayNameTextBITS, FullPathSystem32, NameFolderSystem32, FileServiceDll: String;
// ImagePathStr: the canonical svchost command line for both services.
// RootStr / SubRootStr: the HKLM-relative key currently being repaired and
// its subkey; both are shared state read by the helper procedures below.
ImagePathStr, RootStr, SubRootStr, LangID: string;
// Counters for the summary: keys/values checked, recreated and corrected.
AllRoots, AllKeys, RootsRestored, KeysRestored, KeysFixed: integer;
// Log message fragments, set per language in the main block.
FinishMsg, RestoreMsg, FixMsg, CheckMsg: String;
RegSectMsg, ParamMsg, ParamValueMsg, InRegSectMsg, CorrectMsg, RestMsg: String;
// Ensures the key HKLM\<Root> exists. An existing key only gets its security
// reset (presumably to clear permissions that block the later writes); a
// missing key is recreated and logged. Updates AllRoots / RootsRestored.
procedure CheckAndRestoreSection(Root: String);
begin
Inc(AllRoots);
if RegKeyExistsEx('HKLM', Root) then
RegKeyResetSecurity('HKLM', Root)
else
begin
Inc(RootsRestored);
RegKeyCreate('HKLM', Root);
AddToLog(RegSectMsg + Root + RestMsg);
end;
end;
// Convenience wrapper: runs CheckAndRestoreSection on the global SubRootStr,
// which the caller sets before each call.
procedure CheckAndRestoreSubSection;
begin
CheckAndRestoreSection(SubRootStr);
end;
// Logs that value Param under HKLM\<Root> was recreated and counts it.
procedure RestoredMsg(Root, Param: String);
begin
AddToLog(ParamMsg + Param + InRegSectMsg + Root + RestMsg);
Inc(KeysRestored);
end;
// Logs that the existing value Param under HKLM\<Root> was overwritten with
// the original content and counts it.
procedure FixedMsg(Root, Param: String);
begin
AddToLog(ParamValueMsg + Param + InRegSectMsg + Root + CorrectMsg);
Inc(KeysFixed);
end;
// Writes the string value Param = Value under HKLM\<Root> and logs it as
// restored. Does not check whether the value already existed.
procedure RestoreStrParam(Root, Param, Value: String);
begin
RegKeyStrParamWrite('HKLM', Root, Param, Value);
RestoredMsg(Root, Param);
end;
// Creates the string value Param = Value under HKLM\<Root> only if it is
// absent; an existing value is left untouched even if its content differs.
// Counts the check in AllKeys.
procedure CheckAndRestoreStrParam(Root, Param, Value: String);
begin
Inc(AllKeys);
if not RegKeyParamExists('HKLM', Root, Param) then
RestoreStrParam(Root, Param, Value);
end;
// Creates the integer (DWORD) value Param = Value under HKLM\<Root> only if it
// is absent; an existing value is left untouched. Counts the check in AllKeys.
procedure CheckAndRestoreIntParam(Root, Param: String; Value: Integer);
begin
Inc(AllKeys);
if not RegKeyParamExists('HKLM', Root, Param) then
begin
RegKeyIntParamWrite('HKLM', Root, Param, Value);
RestoredMsg(Root, Param);
end;
end;
// Creates a REG_MULTI_SZ value Param under HKLM\<RootStr> if it is absent, by
// running REG ADD — presumably because the script API has no MULTI_SZ writer.
// Value is the tail of the reg.exe command line (the /t and /d switches), not
// the data alone; see the two call sites in CorrectRegistryRoot.
// NOTE(review): the whole command line is passed as the first ExecuteFile
// argument with empty Params, unlike the 'net.exe' + params split used in the
// other scripts of this thread — confirm that AVZ accepts this form. The
// command is built only from constants in this script (RootStr contains no
// spaces), so no quoting of the key path is needed and no untrusted text
// reaches the command line.
procedure CheckAndRestoreMultiSZParam(Param, Value: String);
begin
Inc(AllKeys);
if not RegKeyParamExists('HKLM', RootStr, Param) then
begin
ExecuteFile('REG ADD HKLM\' + RootStr + ' /v ' + Param + Value, '', 0, 10000, true);
RestoredMsg(RootStr, Param);
end;
end;
// Исправление значения параметра ImagePath для служб 'wuauserv' и 'BITS'
// Overwrites ImagePath of service Srv under HKLM\SYSTEM\<Node>\Services\Srv
// with the canonical value in ImagePathStr, after resetting the key's
// security. Unconditional: no comparison is made here, the caller decides
// when a fix is needed. Keys for control sets that do not exist are skipped.
procedure ImagePathFix(Node, Srv: String);
var RegStr: String;
begin
RegStr := 'SYSTEM\' + Node + '\Services\' + Srv;
if RegKeyExistsEx('HKLM', RegStr) then
begin
Inc(AllKeys);
RegKeyResetSecurity('HKLM', RegStr);
RegKeyStrParamWrite('HKLM', RegStr, 'ImagePath', ImagePathStr);
FixedMsg(RegStr, 'ImagePath');
end;
end;
{ Выполнение исправления всех ключей в ветках -
'HKLM\SYSTEM\CurrentControlSet\Services\BITS' и 'HKLM\SYSTEM\CurrentControlSet\Services\wuauserv'}
// Repairs the registration of service Srv ('BITS' or 'wuauserv') under
// HKLM\SYSTEM\CurrentControlSet\Services. Missing keys and values are
// recreated with stock content; ImagePath and ServiceDll are the two values
// that are also compared and overwritten when they differ from the expected
// svchost / System32 DLL values (ImagePath in every control set).
// DescriptionText / DisplayNameText are the localized service texts.
// Sets the globals RootStr and SubRootStr as a side effect.
procedure CorrectRegistryRoot(DescriptionText, DisplayNameText, Srv: String);
// Local FileServiceDll shadows the global of the same name.
var FileServiceDll, CCSNumber: string;
i : integer;
begin
// Expected service DLL: qmgr.dll hosts BITS, wuauserv.dll hosts wuauserv.
if Srv = 'BITS' then
FileServiceDll := FullPathSystem32 + 'qmgr.dll'
else
FileServiceDll := FullPathSystem32 + 'wuauserv.dll';
RootStr:= 'SYSTEM\CurrentControlSet\Services\' + Srv;
CheckAndRestoreSection(RootStr);
// Texts and account are only recreated when absent, never compared.
CheckAndRestoreStrParam(RootStr, 'Description', DescriptionText);
CheckAndRestoreStrParam(RootStr, 'DisplayName', DisplayNameText);
CheckAndRestoreStrParam(RootStr, 'ObjectName', 'LocalSystem');
Inc(AllKeys);
if not RegKeyParamExists('HKLM', RootStr, 'ImagePath') then
RestoreStrParam(RootStr, 'ImagePath', ImagePathStr)
else
begin
// Undo the count above: ImagePathFix counts each key it actually touches.
Dec(AllKeys);
// A mismatching ImagePath is rewritten in CurrentControlSet and in every
// ControlSet001..ControlSet999 that exists (i = 0 maps to CurrentControlSet,
// FormatFloat presumably yields 'ControlSet001' etc. for i > 0), so a stale
// copy cannot come back through "Last Known Good".
if LowerCase(RegKeyStrParamRead('HKLM', RootStr, 'ImagePath')) <> LowerCase(ImagePathStr) then
for i:= 0 to 999 do
begin
if i > 0 then
CCSNumber := FormatFloat('ControlSet000', i)
else
CCSNumber := 'CurrentControlSet';
ImagePathFix(CCSNumber, Srv);
end;
end;
// Stock values: ErrorControl 1 = SERVICE_ERROR_NORMAL, Start 2 =
// SERVICE_AUTO_START, Type 32 = SERVICE_WIN32_SHARE_PROCESS (svchost-hosted).
CheckAndRestoreIntParam(RootStr, 'ErrorControl', 1);
CheckAndRestoreIntParam(RootStr, 'Start', 2);
CheckAndRestoreIntParam(RootStr, 'Type', 32);
// BITS additionally depends on RpcSs; both MULTI_SZ values go through reg.exe.
if Srv = 'BITS' then
begin
CheckAndRestoreMultiSZParam('DependOnService', ' /t REG_MULTI_SZ /d RpcSs');
CheckAndRestoreMultiSZParam('DependOnGroup', ' /t REG_MULTI_SZ');
end;
// Enum subkey: legacy PnP instance record for the service.
SubRootStr:= RootStr + '\Enum';
CheckAndRestoreSubSection;
CheckAndRestoreStrParam(SubRootStr, '0', 'Root\LEGACY_' + UpperCase(Srv) + '\0000');
CheckAndRestoreIntParam(SubRootStr, 'Count', 1);
CheckAndRestoreIntParam(SubRootStr, 'NextInstance', 1);
// Security subkey: the binary blob below is written only when the value is
// missing — presumably the stock security descriptor of a service key;
// it is not compared against an existing one.
SubRootStr := RootStr + '\Security';
CheckAndRestoreSubSection;
Inc(AllKeys);
if not RegKeyParamExists('HKLM', SubRootStr, 'Security') then
begin
RegKeyBinParamWrite('HKLM', SubRootStr, 'Security', '01,00,14,80,78,00,00,00,84,00,00,00,14,00,00,00,30,00,00,00,02,00,1c,00,01,00,00,00,02,80,14,00,ff,00,0f,00,01,01,00,00,00,00,00,01,00,00,00,00,02,00,48,00,03,00,00,00,00,00,14,00,9d,00,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,ff,01,0f,00,01,01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00');
RestoredMsg(SubRootStr, 'Security');
end;
// Parameters\ServiceDll: written as REG_EXPAND_SZ when missing, and rewritten
// when it differs (case-insensitively) from the expected System32 DLL.
SubRootStr:= RootStr + '\Parameters';
CheckAndRestoreSubSection;
Inc(AllKeys);
if not RegKeyParamExists('HKLM', SubRootStr, 'ServiceDll') then
begin
RegKeyParamWrite('HKLM', SubRootStr, 'ServiceDll', 'REG_EXPAND_SZ', FileServiceDll);
RestoredMsg(SubRootStr, 'ServiceDll');
end
else if LowerCase(RegKeyStrParamRead('HKLM', SubRootStr, 'ServiceDll')) <> LowerCase(FileServiceDll) then
begin
RegKeyParamWrite('HKLM', SubRootStr, 'ServiceDll', 'REG_EXPAND_SZ', FileServiceDll);
FixedMsg(SubRootStr, 'ServiceDll');
end
end;
{ Главное выполнение }
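{ Main program: backs up both service keys, picks the message language,
  derives the canonical svchost ImagePath and the System32 path, repairs
  BITS and wuauserv, writes a summary log to the desktop and reboots.
  Change from the original: an installed language other than Russian (0419)
  or English (0409) previously left every text and message variable empty,
  so a missing Description / DisplayName would have been recreated as an
  empty string and the log prefixes would have been blank; such systems now
  fall back to the English texts. }
begin
ClearLog;
// Export both keys before touching them so the pre-repair state can be
// examined or restored if the rewrite goes wrong.
ExpRegKey('HKLM', 'SYSTEM\CurrentControlSet\Services\wuauserv', 'wuauserv.reg');
ExpRegKey('HKLM', 'SYSTEM\CurrentControlSet\Services\BITS', 'BITS.reg');
// InstallLanguage is the LCID of the installed Windows language:
// 0419 = Russian, 0409 = English (US).
LangID:= RegKeyStrParamRead('HKLM', 'SYSTEM\CurrentControlSet\Control\Nls\Language', 'InstallLanguage');
if LangID = '0419' then
begin
DescriptionTextWuauServ := 'Включает загрузку и установку обновлений Windows. Если служба отключена, то на этом компьютере нельзя будет использовать возможности автоматического обновления или веб-узел Центра обновления Windows.';
DispayNameTextWuauServ := 'Автоматическое обновление';
DescriptionTextBITS := 'Обеспечивает передачу данных между клиентами и серверами в фоновом режиме. Если служба BITS отключена, такие возможности, как Windows Update, не могут правильно работать.';
DispayNameTextBITS := 'Фоновая интеллектуальная служба передачи (BITS)';
AddToLog('Операционная система - русская');
FinishMsg := '–––– Восстановление завершено ––––';
RestoreMsg := 'Восстановлено разделов\параметров: ';
FixMsg := 'Исправлено параметров: ';
CheckMsg := 'Проверено разделов\параметров: ';
RegSectMsg := 'Раздел реестра HKLM\';
ParamMsg := 'Параметр ';
ParamValueMsg := 'Значение параметра ';
InRegSectMsg := ' в разделе реестра HKLM\';
CorrectMsg := ' исправлено на оригинальное.';
RestMsg := 'восстановлен.';
end
else if LangID = '0409' then
begin
DescriptionTextWuauServ := 'Enables the download and installation of Windows updates. If this service is disabled, this computer will not be able to use the Automatic Updates feature or the Windows Update Web site.';
DispayNameTextWuauServ := 'Automatic Updates';
DescriptionTextBITS := 'Transfers data between clients and servers in the background. If BITS is disabled, features such as Windows Update will not work correctly.';
DispayNameTextBITS := 'Background Intelligent Transfer Service';
AddToLog('Operation system - english');
FinishMsg := '–––– Restoration finished ––––';
RestoreMsg := 'Sections\parameters restored: ';
FixMsg := 'Parameters corrected: ';
CheckMsg := 'Sections\parameters checked: ';
RegSectMsg := 'Registry section HKLM\';
ParamMsg := 'Parameter ';
ParamValueMsg := 'Value of parameter ';
InRegSectMsg := ' in registry section HKLM\';
CorrectMsg := ' corrected on original.';
RestMsg := ' restored.';
end
else
begin
// Any other installed language: use the English texts rather than leaving
// the variables empty, and record the LCID that was seen.
DescriptionTextWuauServ := 'Enables the download and installation of Windows updates. If this service is disabled, this computer will not be able to use the Automatic Updates feature or the Windows Update Web site.';
DispayNameTextWuauServ := 'Automatic Updates';
DescriptionTextBITS := 'Transfers data between clients and servers in the background. If BITS is disabled, features such as Windows Update will not work correctly.';
DispayNameTextBITS := 'Background Intelligent Transfer Service';
AddToLog('Operation system - language ' + LangID + ', using english texts');
FinishMsg := '–––– Restoration finished ––––';
RestoreMsg := 'Sections\parameters restored: ';
FixMsg := 'Parameters corrected: ';
CheckMsg := 'Sections\parameters checked: ';
RegSectMsg := 'Registry section HKLM\';
ParamMsg := 'Parameter ';
ParamValueMsg := 'Value of parameter ';
InRegSectMsg := ' in registry section HKLM\';
CorrectMsg := ' corrected on original.';
RestMsg := ' restored.';
end;
AddToLog('');
{ Determine the X:\Windows\System32\ folder }
// SystemDirectory is used as read from the registry; the canonical ImagePath
// of both services is built from it verbatim.
NameFolderSystem32 := RegKeyStrParamRead('HKLM', 'SYSTEM\CurrentControlSet\Control\Windows', 'SystemDirectory');
ImagePathStr := NameFolderSystem32 + '\svchost.exe -k netsvcs';
// Strip everything before the first '\' and re-root the remainder under
// %WinDir% to get a concrete path for the ServiceDll values.
// NOTE(review): this only yields a correct path if the value comes back in
// its stored, unexpanded form '%SystemRoot%\system32'; an already expanded
// 'C:\Windows\system32' would leave '\Windows\system32' and produce a doubled
// 'Windows\Windows' path — confirm how RegKeyStrParamRead treats REG_EXPAND_SZ.
Delete(NameFolderSystem32, 1, pos('\', NameFolderSystem32) - 1);
FullPathSystem32 := GetEnvironmentVariable('WinDir') + NameFolderSystem32 + '\';
// Counters updated by the helper procedures above.
AllRoots := 0;
AllKeys := 0;
RootsRestored := 0;
KeysRestored := 0;
KeysFixed := 0;
CorrectRegistryRoot(DescriptionTextBITS, DispayNameTextBITS, 'BITS');
CorrectRegistryRoot(DescriptionTextWuauServ, DispayNameTextWuauServ, 'wuauserv');
AddToLog('');
AddToLog(FinishMsg);
AddToLog('');
AddToLog(RestoreMsg + IntToStr(RootsRestored) + ' \ ' + IntToStr(KeysRestored));
AddToLog(FixMsg + IntToStr(KeysFixed));
AddToLog(CheckMsg + IntToStr(AllRoots) + ' \ ' + IntToStr(AllKeys));
// The log is written to the current user's Desktop, resolved through the
// Shell Folders key, then the machine is rebooted without confirmation.
SaveLog(RegKeyStrParamRead('HKEY_CURRENT_USER', 'Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders', 'Desktop') + '\Correct_wuauserv&BITS.log');
RebootWindows(false);
end.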