begin
// AVZ cleanup script (AVZ script language, Pascal-like). Order matters: the
// system is taken offline, the malicious process is stopped, samples are
// quarantined, then the files/autoruns are removed and the machine is rebooted.
//
// The message below is a runtime string (Russian) and is left untouched. It says:
// "Attention! Before running the script AVZ will automatically close all network
// connections. After the computer reboots the network connections are restored
// automatically."
ShowMessage('Внимание! Перед выполнением скрипта AVZ автоматически закроет все сетевые подключения.' + #13#10 + 'После перезагрузки компьютера подключения к сети будут восстановлены в автоматическом режиме.');
// Stops the TCP/IP stack — this is the network shutdown the warning above refers to.
// NOTE(review): the trailing arguments are presumably the show-window flag, a
// 15000 ms timeout and wait-for-exit; confirm against the AVZ ExecuteFile reference.
ExecuteFile('net.exe', 'stop tcpip /y', 0, 15000, true);
// Rootkit search and AVZGuard are only enabled when AVZ is not running under WOW64.
if not IsWOW64
then
begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
end;
// Stop the running dropper first so its file can be quarantined and deleted below.
TerminateProcessByName('c:\users\pc\appdata\local\uwkwmedia\a2.exe');
// Quarantine copies are taken BEFORE the deletes so the samples are preserved.
// NOTE(review): RegCleanPro.exe is deleted below without a matching QuarantineFile
// call — presumably deliberate (known PUP), but inconsistent with the other entries.
QuarantineFile('C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe','');
QuarantineFile('C:\Program Files\Reimage\Reimage Repair\ReimageReminder.exe','');
QuarantineFile('C:\Users\PC\AppData\Local\Uwkwmedia\dnfbugsf.dll','');
QuarantineFile('C:\Users\PC\AppData\Local\Okvrics\smwwesng.dll','');
QuarantineFile('c:\users\pc\appdata\local\uwkwmedia\a2.exe','');
// Second argument is the AVZ DeleteFile flags string: files use '32', the scheduled
// task definitions under system32\Tasks use '64'. NOTE(review): check the AVZ
// reference for the exact meaning of each flag before reusing these values.
DeleteFile('c:\users\pc\appdata\local\uwkwmedia\a2.exe','32');
DeleteFile('C:\Users\PC\AppData\Local\Okvrics\smwwesng.dll','32');
DeleteFile('C:\Users\PC\AppData\Local\Uwkwmedia\dnfbugsf.dll','32');
DeleteFile('C:\Program Files (x86)\RegClean Pro\RegCleanPro.exe','32');
DeleteFile('C:\Program Files\Reimage\Reimage Repair\ReimageReminder.exe','32');
DeleteFile('C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe','32');
// Scheduled-task persistence: the task files are removed directly.
DeleteFile('C:\WINDOWS\system32\Tasks\ReimageUpdater','64');
DeleteFile('C:\WINDOWS\system32\Tasks\Reimage Reminder','64');
DeleteFile('C:\WINDOWS\system32\Tasks\RegClean Pro','64');
DeleteFile('C:\WINDOWS\system32\Tasks\WSE_Vosteran','64');
DeleteFile('C:\WINDOWS\system32\Tasks\win4036e0','64');
// Registry persistence: remove the per-user Run values that relaunch the deleted files.
RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\Run','Okvrics');
RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\Run','Adcxworks');
RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\Run','Uwkwmedia');
RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\Run','Crypted');
// Boot Cleaner (BC) handling: presumably hands any deletions that could not be
// completed while Windows is running to the boot-time cleaner, then activates it.
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
// Reboot so the boot cleaner runs and the TCP/IP stack comes back up.
// NOTE(review): the boolean argument's meaning is not visible here — confirm in the AVZ reference.
RebootWindows(false);
end.
begin
// Separate AVZ script, intended to be run on its own after the cleanup script
// above: packs the AVZ quarantine folder into c:\quarantine.zip for submission.
// "CreateQurantineArchive" (sic) is the function's actual name in AVZ — do not correct the spelling.
CreateQurantineArchive('c:\quarantine.zip');
end.
Это для кого было написано? Выполните ЕЩЕ РАЗ правила, прикрепите к сообщению НОВЫЕ логи.
CreateRestorePoint:
HKU\S-1-5-21-55493536-1483388734-458660247-1000\...\Run: [**crhrgpq<*>] => "C:\WINDOWS\system32\mshta.exe" javascript:DO0YFo="Bcg";rL12=new%20ActiveXObject("WScript.Shell");afog2NUv="wjCiqsw";Gv0tJ=rL12.RegRead("HKCU\\software\\uenaupoi\\gifzttt");iHimrh4h1="3ScOz";eval(Gv0t (the data entry has 15 more characters). <===== ATTENTION (Value Name with invalid characters)
HKU\S-1-5-21-55493536-1483388734-458660247-1000\...\Run: [**nsqhuufuns<*>] => "C:\Users\PC\AppData\Local\e71657\70afa5.lnk" <===== ATTENTION (Value Name with invalid characters)
Startup: C:\Users\PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a2ddb7.lnk [2016-09-26]
ShortcutTarget: a2ddb7.lnk -> C:\Windows\System32\cmd.exe (Microsoft Corporation)
GroupPolicy: Restriction - Chrome <======= ATTENTION
SearchScopes: HKU\S-1-5-21-55493536-1483388734-458660247-1000 -> {01461C3D-D1E1-4E36-BE1F-606A440D3618} URL = hxxp://websearch.ask.com/redirect?client=ie&tb=FWV5&o=14193&src=kw&q={searchTerms}&locale=&apn_ptnrs=FM&apn_dtid=YYYYYYUWUS&apn_uid=39ab011d-9a6b-4bda-93ef-fb4d0a69f592&apn_sauid=253657BD-6F62-4C17-94E8-0AD78FE3B61A
SearchScopes: HKU\S-1-5-21-55493536-1483388734-458660247-1000 -> {1A4AB845-7ADD-4FBD-AD39-368FBEF4F70C} URL = hxxp://vosteran.com/results.php?f=4&q={searchTerms}&a=vst_mdaffmarmar_15_04_ch&cd=2XzuyEtN2Y1L1Qzu0EtD0C0ByE0E0B0ByEyEzz0F0DtBzyzztN0D0Tzu0StCtCtCyDtN1L2XzutAtFyBtFtBtFtCtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StC0DyB0C0EtAtCtBtGyE0AtAtAtG0AtC0F0BtGtAtDyC0AtGyEtDyCyCtCyEyByBzyzz0AtD2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyEyDtDyByEyCtAzytG0AyBtCyBtGyEyCyEtBtG0AyBtA0EtGtC0ByCtAzyyC0ByCtBtCyCzz2Q&cr=835350743&ir=
BHO-x32: No Name -> {5C255C8A-E604-49b4-9D64-90988571CECB} -> No File
Toolbar: HKU\S-1-5-21-55493536-1483388734-458660247-1000 -> No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
FF HKU\S-1-5-21-55493536-1483388734-458660247-1000\...\Firefox\Extensions: [ConsumerInput@Compete] - C:\Program Files (x86)\Consumer Input\Firefox\ciff-3.2.0-12263.xpi => not found
CHR StartupUrls: Default -> "hxxp://vosteran.com/?f=7&a=vst_mdaffmarmar_15_04_ch&cd=2XzuyEtN2Y1L1Qzu0EtD0C0ByE0E0B0ByEyEzz0F0DtBzyzztN0D0Tzu0StCtCtCyDtN1L2XzutAtFyBtFtBtFtCtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StC0DyB0C0EtAtCtBtGyE0AtAtAtG0AtC0F0BtGtAtDyC0AtGyEtDyCyCtCyEyByBzyzz0AtD2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyEyDtDyByEyCtAzytG0AyBtCyBtGyEyCyEtBtG0AyBtA0EtGtC0ByCtAzyyC0ByCtBtCyCzz2Q&cr=835350743&ir="
CHR Extension: (Vosteran New Tab) - C:\Users\PC\AppData\Local\Google\Chrome\User Data\Default\Extensions\oilkkkefbalmbfppgjmgjoefbclebkce [2015-01-20]
CHR Extension: (Chrome Media Router) - C:\Users\PC\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-09-28]
CHR HKLM\...\Chrome\Extension: [oilkkkefbalmbfppgjmgjoefbclebkce] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-55493536-1483388734-458660247-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [oilkkkefbalmbfppgjmgjoefbclebkce] - hxxps://clients2.google.com/service/update2/crx
2016-09-26 10:23 - 2016-09-29 09:29 - 00000000 ____D C:\Users\PC\AppData\Local\Okvrics
2016-09-26 10:23 - 2016-09-26 14:34 - 00001988 _____ C:\Users\Public\Desktop\PC Scan & Repair by Reimage.lnk
2016-09-26 10:23 - 2016-09-26 14:34 - 00000000 ____D C:\rei
2016-09-26 10:23 - 2016-09-26 10:23 - 00000000 ____D C:\ProgramData\Reimage Protector
2016-09-26 10:23 - 2016-09-26 10:23 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Reimage Repair
2016-09-26 10:23 - 2016-09-26 10:23 - 00000000 ____D C:\Program Files\Reimage
2016-09-26 10:22 - 2016-09-26 14:34 - 00000140 _____ C:\WINDOWS\Reimage.ini
2016-09-26 10:22 - 2016-09-26 10:22 - 00604928 _____ (Reimage) C:\Users\PC\Downloads\ReimageRepair.exe
2016-09-26 10:14 - 2016-09-29 09:30 - 00000000 ____D C:\Users\PC\AppData\Local\Uwkwmedia
2016-09-26 10:14 - 2016-09-26 14:34 - 00000000 ____D C:\Users\PC\AppData\Local\e71657
2016-09-26 10:14 - 2016-09-26 10:14 - 00000000 ____D C:\Users\PC\AppData\Roaming\91081b
C:\Users\PC\AppData\Local\Temp\a2.exe
C:\Users\PC\AppData\Local\Temp\ReimagePackage.exe
Task: {0DB5E28E-9E9A-4886-A477-981CA096A88C} - \win4036e0 -> No File <==== ATTENTION
Task: {19186D08-82CD-486D-9BDE-0B55823433D1} - \2524189404 -> No File <==== ATTENTION
Task: {25927147-11A9-41EB-8518-2E5B70DB3797} - \3093057576 -> No File <==== ATTENTION
Task: {272ED47C-4910-4054-A7DE-834A5E5CB97E} - \Reimage Reminder -> No File <==== ATTENTION
Task: {4A2E5145-7E46-4223-8D6A-5D4435F4C67B} - System32\Tasks\SwiftSearch Auto Updater 1.10.0.25 Pending Update => C:\Program Files (x86)\SwiftSearch_1.10.0.25\Update\SwiftSearchAutoUpdateClient.exe <==== ATTENTION
Task: {4FB3F1AB-D574-41E7-89CE-4EAD15835472} - \ReimageUpdater -> No File <==== ATTENTION
Task: {66B742EB-856B-4BF1-BE42-92A28AB21381} - System32\Tasks\SwiftSearch Auto Updater 1.10.0.25 Core => C:\Program Files (x86)\SwiftSearch_1.10.0.25\Update\SwiftSearchAutoUpdateClient.exe <==== ATTENTION
Task: {9B72E505-33EF-4EFB-B1A0-607D942C15C8} - \WSE_Vosteran -> No File <==== ATTENTION
Task: {ACF6A2F1-CD85-4B0D-8750-61350843DBF1} - \CCleanerSkipUAC -> No File <==== ATTENTION
Task: {E2B1479B-43E1-4D11-9DCC-ECC4EBC99333} - \OfficeSoftwareProtectionPlatform\SvcRestartTask -> No File <==== ATTENTION
C:\Users\PC\AppData\Local\e71657\70afa5.lnk
AlternateDataStreams: C:\ProgramData\Reprise:wupeogjxldtlfudivq`qsp`27hfm [0]
HKU\S-1-5-21-55493536-1483388734-458660247-1000\Software\Classes\3447af: "C:\WINDOWS\system32\mshta.exe" "javascript:OGn3kkh="4h2ys";s6b5=new ActiveXObject("WScript.Shell");HNdm4Xn="tuIUPrB";pMco1=s6b5.RegRead("HKCU\\software\\uenaupoi\\gifzttt");upGxL1tP="6L";eval(pMco1);Gq0cZl="e";" <===== ATTENTION
Reboot: