Process Hacker could have been used to kill the antivirus components. Here is something else curious I just found:
Start::
CreateRestorePoint:
2020-06-27 03:08 - 2020-06-27 03:09 - 000001949 ____R C:\Users\SQLSERVERAGENT\Decoding help.hta
2020-06-27 03:08 - 2020-06-27 03:09 - 000001949 ____R C:\Users\MSSQLSERVER\Decoding help.hta
2020-06-27 03:08 - 2020-06-27 03:09 - 000001949 ____R C:\Users\MSSQLLaunchpad\Decoding help.hta
2020-06-27 03:08 - 2020-06-27 03:09 - 000001949 ____R C:\Users\MSSQLFDLauncher\Decoding help.hta
2020-06-27 03:08 - 2020-06-27 03:09 - 000001949 ____R C:\Users\kyiv\Desktop\Decoding help.hta
2020-06-27 03:08 - 2020-06-27 03:08 - 000001949 ____R C:\Users\USR1CV8\Decoding help.hta
2020-06-27 03:08 - 2020-06-27 03:08 - 000001949 ____R C:\Users\SSISTELEMETRY130\Decoding help.hta
2020-06-27 03:08 - 2020-06-27 03:08 - 000001949 ____R C:\Users\SQLTELEMETRY\Decoding help.hta
2020-06-27 03:08 - 2020-06-27 03:08 - 000001949 ____R C:\Users\SQLTELEMETRY$MSSQLSERVER01\Decoding help.hta
2020-06-27 03:08 - 2020-06-27 03:08 - 000001949 ____R C:\Users\SQLAgent$MSSQLSERVER01\Decoding help.hta
2020-06-27 03:08 - 2020-06-27 03:08 - 000001949 ____R C:\Users\Public\Desktop\Decoding help.hta
2020-06-27 03:08 - 2020-06-27 03:08 - 000001949 ____R C:\Users\Public\Decoding help.hta
2020-06-27 03:08 - 2020-06-27 03:08 - 000001949 ____R C:\Users\MSSQL$MSSQLSERVER01\Decoding help.hta
2020-06-27 03:08 - 2020-06-27 03:08 - 000001949 ____R C:\Users\MsDtsServer130\Decoding help.hta
2020-06-27 03:08 - 2020-06-27 03:08 - 000001949 ____R C:\Users\kyivdir\Downloads\Decoding help.hta
2020-06-27 03:08 - 2020-06-27 03:08 - 000001949 ____R C:\Users\kyivdir\Desktop\Decoding help.hta
2020-06-27 03:08 - 2020-06-27 03:08 - 000001949 ____R C:\Users\kyivdir\Decoding help.hta
2020-06-27 03:08 - 2020-06-27 03:08 - 000001949 ____R C:\Users\kyivbuh2\Downloads\Decoding help.hta
2020-06-27 03:08 - 2020-06-27 03:08 - 000001949 ____R C:\Users\kyivbuh2\Desktop\Decoding help.hta
2020-06-27 03:08 - 2020-06-27 03:08 - 000001949 ____R C:\Users\kyivbuh2\Decoding help.hta
2020-06-27 03:08 - 2020-06-27 03:08 - 000001949 ____R C:\Users\kyivbuh\Downloads\Decoding help.hta
2020-06-27 03:08 - 2020-06-27 03:08 - 000001949 ____R C:\Users\kyivbuh\Desktop\Decoding help.hta
2020-06-27 03:08 - 2020-06-27 03:08 - 000001949 ____R C:\Users\kyivbuh\Decoding help.hta
2020-06-27 03:08 - 2020-06-27 03:08 - 000001949 ____R C:\Users\kyiv\Downloads\Decoding help.hta
2020-06-27 03:08 - 2020-06-27 03:08 - 000001949 ____R C:\Users\kyiv\Decoding help.hta
2020-06-27 03:08 - 2020-06-27 03:08 - 000001949 ____R C:\Users\DefaultAccount\Downloads\Decoding help.hta
2020-06-27 03:08 - 2020-06-27 03:08 - 000001949 ____R C:\Users\DefaultAccount\Desktop\Decoding help.hta
2020-06-27 03:08 - 2020-06-27 03:08 - 000001949 ____R C:\Users\DefaultAccount\Decoding help.hta
2020-06-27 03:08 - 2020-06-27 03:08 - 000001949 ____R C:\Users\Default\Decoding help.hta
2020-06-27 03:08 - 2020-06-27 03:08 - 000001949 ____R C:\Users\Default User\Decoding help.hta
2020-06-27 03:08 - 2020-06-27 03:08 - 000001949 ____R C:\Users\Administrator\Downloads\Decoding help.hta
2020-06-27 03:08 - 2020-06-27 03:08 - 000001949 ____R C:\Users\Administrator\Decoding help.hta
2020-06-27 03:08 - 2020-06-27 03:08 - 000001949 ____R C:\ProgramData\Desktop\Decoding help.hta
2020-06-27 03:08 - 2020-06-27 03:08 - 000001949 ____R C:\ProgramData\Decoding help.hta
2020-06-27 03:08 - 2020-06-27 03:08 - 000001949 ____R C:\Program Files\Decoding help.hta
2020-06-27 03:08 - 2020-06-27 03:08 - 000001949 ____R C:\Program Files (x86)\Decoding help.hta
2020-06-27 03:08 - 2020-06-27 03:08 - 000001949 ____R C:\Decoding help.hta
2020-06-27 03:24 - 2020-06-27 08:28 - 000000000 ____D C:\Program Files\Process Hacker 2
2020-06-27 03:24 - 2020-06-27 03:27 - 000003461 ____R C:\Users\kyivbuh2\Desktop\Process Hacker 2.lnk.[ID]u2jzk9lPUR3pJBZL[ID]
2020-06-27 03:24 - 2020-06-27 03:24 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Process Hacker 2
2020-06-27 03:15 - 2020-06-27 03:15 - 000001949 ____R C:\Users\Public\Downloads\Decoding help.hta
2020-06-27 03:08 - 2020-06-27 03:08 - 000001949 ____R () C:\Program Files\Decoding help.hta
2020-06-27 03:08 - 2020-06-27 03:08 - 000001949 ____R () C:\Program Files (x86)\Decoding help.hta
2020-06-27 03:08 - 2020-06-27 03:08 - 000001949 ____R () C:\Users\Administrator\AppData\Local\Decoding help.hta
ShellIconOverlayIdentifiers: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => -> No File
ShellIconOverlayIdentifiers-x32-x32: [ SkyDrivePro1 (ErrorConflict)] -> {8BA85C75-763B-4103-94EB-9470F12FE0F7} => C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Microsoft Office\Office15\GROOVEEX.DLL -> No File
ShellIconOverlayIdentifiers-x32-x32: [ SkyDrivePro2 (SyncInProgress)] -> {CD55129A-B1A1-438E-A425-CEBC7DC684EE} => C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Microsoft Office\Office15\GROOVEEX.DLL -> No File
ShellIconOverlayIdentifiers-x32-x32: [ SkyDrivePro3 (InSync)] -> {E768CD3B-BDDC-436D-9C13-E1B39CA257B1} => C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Microsoft Office\Office15\GROOVEEX.DLL -> No File
ContextMenuHandlers1-x32: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files (x86)\7-Zip\7-zip.dll -> No File
ContextMenuHandlers1: [ANotepad++64] -> {B298D29A-A6ED-11DE-BA8C-A68E55D89593} => C:\Program Files\Notepad++\NppShell_06.dll -> No File
ContextMenuHandlers4-x32: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files (x86)\7-Zip\7-zip.dll -> No File
ContextMenuHandlers6-x32: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files (x86)\7-Zip\7-zip.dll -> No File
FirewallRules: [{56197AEA-EEFC-4B10-85F7-F86046C96367}] => (Allow) C:\Program Files\Microsoft MPI\Bin\msmpilaunchsvc.exe => No File
FirewallRules: [{6B36CF4B-723A-4A9A-93C4-46A5BCA99112}] => (Allow) C:\Program Files\Microsoft MPI\Bin\msmpilaunchsvc.exe => No File
FirewallRules: [{0CCC52A0-D812-46BC-9B63-D5E7F89FE5B6}] => (Allow) C:\Program Files\Microsoft MPI\Bin\mpiexec.exe => No File
FirewallRules: [{E3C6F082-BBDB-4F96-85FE-16A5C5FEF740}] => (Allow) C:\Program Files\Microsoft MPI\Bin\mpiexec.exe => No File
FirewallRules: [{4D4F2472-F0F2-4142-9E25-ACA8221842D5}] => (Allow) C:\Program Files\Microsoft MPI\Bin\smpd.exe => No File
FirewallRules: [{5F15E70C-F6C8-49D5-8944-7715BAFDF0BA}] => (Allow) C:\Program Files\Microsoft MPI\Bin\smpd.exe => No File
FirewallRules: [{A0893051-8422-435F-B1EF-59816D2A2D02}] => (Allow) C:\Program Files\2345Soft\HaoZip\tool\Haozip_2345DLAgent.exe => No File
FirewallRules: [{B6F1EFA4-E17B-48CF-AB50-780C7DC5F987}] => (Allow) C:\Program Files\Microsoft Office 15\root\Office15\outlook.exe => No File
FirewallRules: [{24879F5C-14CD-4342-85FD-D3D185F8E48A}] => (Allow) C:\Users\kyiv\AppData\Local\Microsoft\OneDrive\OneDrive.exe => No File
FirewallRules: [{CFF9732C-986A-4817-B8E6-FCDF6CFE339A}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer.exe => No File
FirewallRules: [{7B6CCE7F-4FAC-4493-8C1B-319318E77D3C}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer.exe => No File
FirewallRules: [{D3626FCB-2850-4CE7-9E92-D82505F94D6D}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe => No File
FirewallRules: [{44EC9D55-A989-42D7-8D84-1B87CD7E1CA1}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe => No File
FirewallRules: [{CFDD99B6-1797-4B72-A03B-A7D600B5F419}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe => No File
FirewallRules: [{3DAC9F7B-7FB1-42F2-B932-89842DE4F195}] => (Allow) C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe => No File
FirewallRules: [{6BD5F16F-6FF7-4DB2-83F3-9D927C3A1704}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe => No File
End::
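An added triage helper (my own example, not code from FRST or from anyone in this thread) that parses one-line FRST entries like those in the fixlist above and flags the two things the post relies on: one file name with identical size dropped into many directories (the "Decoding help.hta" ransom note) and files carrying the appended [ID]...[ID] marker. The sample entries are copied from the post; the minimum-copies threshold is my assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the one-line FRST format used in the fixlist above
# (created - modified - size flags [()] path); entries copied from the post.
SAMPLE_FRST = r"""
2020-06-27 03:08 - 2020-06-27 03:09 - 000001949 ____R C:\Users\kyiv\Desktop\Decoding help.hta
2020-06-27 03:08 - 2020-06-27 03:08 - 000001949 ____R C:\Users\Public\Decoding help.hta
2020-06-27 03:08 - 2020-06-27 03:08 - 000001949 ____R () C:\Program Files\Decoding help.hta
2020-06-27 03:24 - 2020-06-27 08:28 - 000000000 ____D C:\Program Files\Process Hacker 2
2020-06-27 03:24 - 2020-06-27 03:27 - 000003461 ____R C:\Users\kyivbuh2\Desktop\Process Hacker 2.lnk.[ID]u2jzk9lPUR3pJBZL[ID]
"""

ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{9}) (?P<flags>[A-Z_]{5}) (?:\(\) )?(?P<path>.+)$"
)
# Marker appended to renamed files in the post: ".[ID]<victim id>[ID]".
ID_SUFFIX_RE = re.compile(r"\.\[ID\](?P<vid>[A-Za-z0-9]+)\[ID\]$")


def parse_frst(text):
    """Parse one-line FRST file entries; unrecognised lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["size"] = int(e["size"])
            e["name"] = e["path"].rsplit("\\", 1)[-1]  # Windows basename
            entries.append(e)
    return entries


def find_mass_dropped(entries, min_copies=3):
    """Same name and size in many directories: typical of a ransom note."""
    groups = defaultdict(list)
    for e in entries:
        if "D" not in e["flags"]:  # skip directory entries
            groups[(e["name"], e["size"])].append(e["path"])
    return {n: p for (n, _), p in groups.items() if len(p) >= min_copies}


def find_id_suffixed(entries):
    """Files carrying the appended [ID]...[ID] marker, with the victim id."""
    hits = []
    for e in entries:
        m = ID_SUFFIX_RE.search(e["name"])
        if m:
            hits.append((e["path"], m.group("vid")))
    return hits
```

Feed it a full FRST Addition/scan log to see how far the note and the renamed files spread before building the fixlist.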
Agreed, but it also encrypted itself.
C:\Users\kyivbuh2\Desktop\Ronald_Maguga.exe - this may be the encryptor itself, judging by the suffix appended to the names of the encrypted files.