Alexander K.
New user
begin
ExecuteFile('net.exe', 'stop tcpip /y', 0, 15000, true);
if not IsWOW64
then
begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
end;
QuarantineFile('C:\ProgramData\wintools\WintoolUprI.exe','');
QuarantineFile('C:\Program Files (x86)\Uncheckit\cktSvc.exe','');
DeleteFile('C:\Program Files (x86)\Uncheckit\cktSvc.exe','64');
DeleteFile('C:\ProgramData\wintools\WintoolUprI.exe','64');
DeleteSchedulerTask('{07DA3013-2AEF-468A-BE20-3F6DC2578024}');
DeleteSchedulerTask('UncheckitTaskMN');
DeleteSchedulerTask('WinTOOL');
BC_Activate;
ExecuteSysClean;
ExecuteWizard('SCU', 2, 3, true);
BC_ImportALL;
RebootWindows(true);
end.
begin
DeleteFile(GetAVZDirectory+'quarantine.7z');
ExecuteFile(GetAVZDirectory+'7za.exe', 'a -mx9 -pmalware quarantine .\Quarantine\*', 1, 300000, false);
end.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main: [Default_Page_URL] = http://www.amisites.com/?type=hp&ts=1484650253&z=08a48d799b414352cdc6d67gaz8b1z6qawce8o8zeb&from=archer1028&uid=TOSHIBAXDT01ACA050_14QD5UKASXX14QD5UKASX
R0 - HKCU\Software\Microsoft\Internet Explorer\Main: [Search Page] = http://www.nuesearch.com/search/?type=ds&ts=1473246052&z=66fa2bde8c8625f7387b00ag1z1m4c0o7z1q9edzbb&from=che0812&uid=TOSHIBAXDT01ACA050_14QD5UKASXX14QD5UKASX&q={searchTerms}
R0 - HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command: (default) = "c:\program files\internet explorer\iexplore.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main: [Default_Page_URL] = http://www.amisites.com/?type=hp&ts=1484650253&z=08a48d799b414352cdc6d67gaz8b1z6qawce8o8zeb&from=archer1028&uid=TOSHIBAXDT01ACA050_14QD5UKASXX14QD5UKASX
R0 - HKLM\Software\Microsoft\Internet Explorer\Main: [Default_Search_URL] = http://www.nuesearch.com/search/?type=ds&ts=1466501406&z=6764b3211464e341ac87fd1g3zfq0q0waeag8zae2c&from=wpm0616&uid=TOSHIBAXDT01ACA050_14QD5UKASXX14QD5UKASX&q={searchTerms}
R0 - HKLM\Software\Microsoft\Internet Explorer\Main: [Search Page] = http://www.nuesearch.com/search/?type=ds&ts=1466501406&z=6764b3211464e341ac87fd1g3zfq0q0waeag8zae2c&from=wpm0616&uid=TOSHIBAXDT01ACA050_14QD5UKASXX14QD5UKASX&q={searchTerms}
R0-32 - HKLM\Software\Microsoft\Internet Explorer\Main: [Default_Page_URL] = http://www.amisites.com/?type=hp&ts=1484650253&z=08a48d799b414352cdc6d67gaz8b1z6qawce8o8zeb&from=archer1028&uid=TOSHIBAXDT01ACA050_14QD5UKASXX14QD5UKASX
R0-32 - HKLM\Software\Microsoft\Internet Explorer\Main: [Default_Search_URL] = http://www.nuesearch.com/search/?type=ds&ts=1466501406&z=6764b3211464e341ac87fd1g3zfq0q0waeag8zae2c&from=wpm0616&uid=TOSHIBAXDT01ACA050_14QD5UKASXX14QD5UKASX&q={searchTerms}
R0-32 - HKLM\Software\Microsoft\Internet Explorer\Main: [Search Page] = http://www.nuesearch.com/search/?type=ds&ts=1466501406&z=6764b3211464e341ac87fd1g3zfq0q0waeag8zae2c&from=wpm0616&uid=TOSHIBAXDT01ACA050_14QD5UKASXX14QD5UKASX&q={searchTerms}
O22 - Task: AdobeFlashPlayer-S-2-1-24-198293847112UI - C:\Users\керя\AppData\Roaming\Auslogics\adobeupd.exe (file missing)
O22 - Task: BirdsarahUpdateTaskMachineCore - C:\Program Files (x86)\Birdsarah\Update\BirdsarahUpdate.exe -c (file missing)
O22 - Task: BirdsarahUpdateTaskMachineUA - C:\Program Files (x86)\Birdsarah\Update\BirdsarahUpdate.exe -ua (file missing)
O22 - Task: Browser Updater Task(Core) - C:\Program Files (x86)\TXQQBrowser\Update\C73A30F731C62BF3031B381F747FA3B5\Update\BrowserUpdate.exe 87B20C06-6890-4CFE-B40F-004064F87F12 (file missing)
All correct. This is done so that legitimate software is not removed. Now we will remove it.
Just close the program, or what?
Part of the Chinese software. Are there programs with Chinese characters in the list of installed programs?
I did not install Tencent and do not know what it is.
- the report will be saved in the following location: C:\AdwCleaner\Logs\AdwCleaner[C00].txt.
- Attach the report to your next message
Start::
CreateRestorePoint:
HKU\S-1-5-21-1014014660-1423473450-48691024-1000\...\MountPoints2: D - D:\iLinker.exe
HKU\S-1-5-21-1014014660-1423473450-48691024-1000\...\MountPoints2: {138ac427-59ae-11e4-8c0c-c03fd5b0e097} - D:\AutoRun.exe
HKU\S-1-5-21-1014014660-1423473450-48691024-1000\...\MountPoints2: {38ecde3b-a2cd-11e4-adc0-c03fd5b0e097} - D:\AutoRun.exe
HKU\S-1-5-21-1014014660-1423473450-48691024-1000\...\MountPoints2: {3d397fb3-4301-11e4-9fd5-9932714a00fc} - D:\AutoRun.exe
HKU\S-1-5-21-1014014660-1423473450-48691024-1000\...\MountPoints2: {3d397fbd-4301-11e4-9fd5-9932714a00fc} - D:\AutoRun.exe
HKU\S-1-5-21-1014014660-1423473450-48691024-1000\...\MountPoints2: {56eb4249-99a1-11e4-bcd0-c03fd5b0e097} - D:\AutoRun.exe
HKU\S-1-5-21-1014014660-1423473450-48691024-1000\...\MountPoints2: {56eb4256-99a1-11e4-bcd0-c03fd5b0e097} - D:\AutoRun.exe
HKU\S-1-5-21-1014014660-1423473450-48691024-1000\...\MountPoints2: {56eb4262-99a1-11e4-bcd0-c03fd5b0e097} - D:\AutoRun.exe
HKU\S-1-5-21-1014014660-1423473450-48691024-1000\...\MountPoints2: {6ddcde74-a926-11e4-9631-c03fd5b0e097} - D:\AutoRun.exe
HKU\S-1-5-21-1014014660-1423473450-48691024-1000\...\MountPoints2: {6ddcde9f-a926-11e4-9631-c03fd5b0e097} - G:\AutoRun.exe
HKU\S-1-5-21-1014014660-1423473450-48691024-1000\...\MountPoints2: {8b435f87-b1e6-11e4-a7da-c03fd5b0e097} - D:\AutoRun.exe
HKU\S-1-5-21-1014014660-1423473450-48691024-1000\...\MountPoints2: {a818455f-46d8-11e4-8364-c03fd5b0e097} - D:\iLinker.exe
HKU\S-1-5-21-1014014660-1423473450-48691024-1000\...\MountPoints2: {ac16537f-a3a6-11e4-9ab8-c03fd5b0e097} - D:\AutoRun.exe
HKU\S-1-5-21-1014014660-1423473450-48691024-1000\...\MountPoints2: {ac16538f-a3a6-11e4-9ab8-c03fd5b0e097} - D:\AutoRun.exe
HKU\S-1-5-21-1014014660-1423473450-48691024-1000\...\MountPoints2: {ac16539b-a3a6-11e4-9ab8-c03fd5b0e097} - D:\AutoRun.exe
HKU\S-1-5-21-1014014660-1423473450-48691024-1000\...\MountPoints2: {b739b38f-a478-11e4-88fa-c03fd5b0e097} - D:\AutoRun.exe
HKU\S-1-5-21-1014014660-1423473450-48691024-1000\...\MountPoints2: {ba7c423b-6356-11e4-8318-c03fd5b0e097} - D:\AutoRun.exe
HKU\S-1-5-21-1014014660-1423473450-48691024-1000\...\MountPoints2: {cb4072c6-95a8-11e4-84cb-c03fd5b0e097} - D:\AutoRun.exe
GroupPolicy: Restriction ? <==== ATTENTION
GroupPolicy\User: Restriction ? <==== ATTENTION
CHR HKLM-x32\...\Chrome\Extension: [aminlpmkfcdibgpgfajlgnamicjckkjf] - hxxp://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [jdkihdhlegcdggknokfekoemkjjnjhgi] - hxxp://clients2.google.com/service/update2/crx
S2 3DM; C:\windows\system32\svchost.exe [27136 2009-07-14] (Microsoft Windows -> Microsoft Corporation) <==== ATTENTION (no ServiceDLL)
S2 3DM; C:\windows\SysWOW64\svchost.exe [20992 2009-07-14] (Microsoft Windows -> Microsoft Corporation) <==== ATTENTION (no ServiceDLL)
S2 ihctrl32; C:\Windows\System32\svchost.exe [27136 2009-07-14] (Microsoft Windows -> Microsoft Corporation) <==== ATTENTION (no ServiceDLL)
S2 ihctrl32; C:\Windows\SysWOW64\svchost.exe [20992 2009-07-14] (Microsoft Windows -> Microsoft Corporation) <==== ATTENTION (no ServiceDLL)
S2 MCRL; C:\Windows\System32\svchost.exe [27136 2009-07-14] (Microsoft Windows -> Microsoft Corporation) <==== ATTENTION (no ServiceDLL)
S2 MCRL; C:\Windows\SysWOW64\svchost.exe [20992 2009-07-14] (Microsoft Windows -> Microsoft Corporation) <==== ATTENTION (no ServiceDLL)
R2 MS_CHECK_SVC; C:\ProgramData\Microsoft\DeviceSync\LocalBackup.dll [487424 2017-02-08] () [File not signed] <==== ATTENTION
S2 MVCSrv; C:\Windows\System32\svchost.exe [27136 2009-07-14] (Microsoft Windows -> Microsoft Corporation) <==== ATTENTION <==== ATTENTION (no ServiceDLL)
S2 MVCSrv; C:\Windows\SysWOW64\svchost.exe [20992 2009-07-14] (Microsoft Windows -> Microsoft Corporation) <==== ATTENTION <==== ATTENTION (no ServiceDLL)
S2 WinInstallSvc; C:\Windows\System32\svchost.exe [27136 2009-07-14] (Microsoft Windows -> Microsoft Corporation) <==== ATTENTION (no ServiceDLL)
S2 WinInstallSvc; C:\Windows\SysWOW64\svchost.exe [20992 2009-07-14] (Microsoft Windows -> Microsoft Corporation) <==== ATTENTION (no ServiceDLL)
S2 WPDTSrv; C:\Windows\System32\svchost.exe [27136 2009-07-14] (Microsoft Windows -> Microsoft Corporation) <==== ATTENTION (no ServiceDLL)
S2 WPDTSrv; C:\Windows\SysWOW64\svchost.exe [20992 2009-07-14] (Microsoft Windows -> Microsoft Corporation) <==== ATTENTION (no ServiceDLL)
S2 wsaudio; C:\Windows\System32\svchost.exe [27136 2009-07-14] (Microsoft Windows -> Microsoft Corporation) <==== ATTENTION (no ServiceDLL)
S2 wsaudio; C:\Windows\SysWOW64\svchost.exe [20992 2009-07-14] (Microsoft Windows -> Microsoft Corporation) <==== ATTENTION (no ServiceDLL)
S2 GameExplorerUpdate; C:\ProgramData\Microsoft\Windows\GameExplorer\Resources.dll [X] <==== ATTENTION
S2 MSCFG_SVR; C:\ProgramData\Microsoft\Office\office_updater.dll [X] <==== ATTENTION
S2 SNARE; C:\Users\керя\AppData\Local\SNARE\Snarer.dll [X] <==== ATTENTION
S1 QMUdisk; \??\C:\Program Files (x86)\Tencent\QQPCMgr\11.5.17490.219\QMUdisk64.sys [X]
S1 softaal; \??\C:\Program Files (x86)\Tencent\QQPCMgr\11.5.17490.219\softaal64.sys [X]
S1 SRepairDrv; \??\C:\Program Files (x86)\Tencent\QQPCMGR\SRepairDrv [X]
S2 tsnethlpx64; \??\C:\Program Files (x86)\Tencent\QQPCMgr\11.5.17490.219\TsNetHlpX64.sys [X]
S3 TSSKX64; System32\drivers\tsskx64.sys [X]
Task: {2B2F7CC1-0193-48CD-86CF-E18301F17613} - \Milimili -> No File <==== ATTENTION
Task: {D4E6E522-24A1-4B9C-804B-871658D7F576} - \kerja -> No File <==== ATTENTION
EmptyTemp:
Reboot:
End::
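The service lines in the fixlist above show the pattern FRST flags with ATTENTION: svchost.exe-hosted services that have no ServiceDLL, services whose binary is gone ([X]), and an unsigned DLL living under ProgramData. The following triage helper is an added example for this thread, not FRST's or AVZ's own code; it parses FRST-style service lines (sample lines below are constructed after the log above, with a benign Spooler line added for contrast) and reports the reasons each service deserves review.

```python
import re

# Constructed FRST-style service lines modelled on the fixlist above
# (sample input assembled for this example, not the user's full log).
SAMPLE_LOG = r"""
S2 3DM; C:\windows\system32\svchost.exe [27136 2009-07-14] (Microsoft Windows -> Microsoft Corporation) <==== ATTENTION (no ServiceDLL)
R2 MS_CHECK_SVC; C:\ProgramData\Microsoft\DeviceSync\LocalBackup.dll [487424 2017-02-08] () [File not signed] <==== ATTENTION
S2 GameExplorerUpdate; C:\ProgramData\Microsoft\Windows\GameExplorer\Resources.dll [X] <==== ATTENTION
S1 QMUdisk; \??\C:\Program Files (x86)\Tencent\QQPCMgr\11.5.17490.219\QMUdisk64.sys [X]
R2 Spooler; C:\Windows\System32\spoolsv.exe [559104 2009-07-14] (Microsoft Windows -> Microsoft Corporation)
"""

# FRST service line: state (R=running, S=stopped) + start type, service name,
# binary path, bracketed "size date" or [X] for a missing file, then signer/flags.
LINE_RE = re.compile(
    r"^(?P<state>[RS]\d) (?P<name>[^;]+); (?P<path>.*?) \[(?P<meta>[^\]]*)\](?P<rest>.*)$"
)

# Directories a normal user can write to; a service binary here is suspicious.
USER_WRITABLE = ("\\programdata\\", "\\users\\", "\\appdata\\")


def triage_service_line(line):
    """Return the list of reasons this FRST service line deserves review."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    path, meta, rest = m["path"].lower(), m["meta"], m["rest"].lower()
    reasons = []
    if meta == "X":
        reasons.append("service binary missing")
    if path.endswith("\\svchost.exe") and "no servicedll" in rest:
        reasons.append("svchost-hosted service with no ServiceDLL")
    if "[file not signed]" in rest and any(d in path for d in USER_WRITABLE):
        reasons.append("unsigned service binary in user-writable directory")
    return reasons


def triage_services(log_text):
    """Map service name -> reasons for every flagged service line in an FRST log."""
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and (reasons := triage_service_line(line)):
            findings[m["name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage_services(SAMPLE_LOG).items():
        print(f"{name}: {'; '.join(reasons)}")
```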
Remnants are still visible. Go over them with the vendor's removal utility:
ESET: I removed everything I could find.