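begin
// AVZ cleanup script (run via AVZ -> File -> Run script). Statement order matters:
// network/service shutdown first, QuarantineFile before DeleteFile, then the
// BootCleaner import + reboot so files locked at runtime are removed at startup.

// Anti-rootkit scan, then AVZGuard on (restricts what may start while the script runs).
SearchRootkit(true, true);
SetAVZGuardStatus(True);

// Stop the Tcpip service (hidden window, 15 s timeout, wait for exit) so the infection
// cannot re-download components or phone home while the cleanup runs; the reboot at
// the end brings the stack back.
ExecuteFile('net.exe', 'stop tcpip /y', 0, 15000, true);

// Disable (start type 4) and stop the rogue service that impersonates svchost; its
// binaries sit under C:\Windows\Microsoft\ (the real svchost.exe lives in System32).
SetServiceStart('SvcHost Service Host', 4);
StopService('SvcHost Service Host');

// Quarantine copies first so samples survive the DeleteFile calls below.
// hola\* and rempl\remsh.exe are quarantined only (kept for analysis, not deleted).
QuarantineFile('C:\Program Files\hola\app\hola_updater.exe', '');
QuarantineFile('C:\Program Files\hola\app\hola.exe', '');
QuarantineFile('C:\Users\Admin\appdata\local\filesystemdriver\filesystemdriver.exe', '');
QuarantineFile('C:\Users\Admin\AppData\Local\xmarin\xmarin.exe', '');
QuarantineFile('C:\Program Files\rempl\remsh.exe', '');
QuarantineFile('C:\Users\Admin\AppData\Roaming\curl\curl.exe', '');
QuarantineFile('C:\Program Files (x86)\kqEuPYMaU\alvmfs.dll', '');
// SETUPS~1 is the 8.3 short name of the setupsk folder referenced below.
QuarantineFile('C:\Users\Admin\AppData\Roaming\SETUPS~1\python\pythonw.exe', '');
QuarantineFile('C:\Users\Admin\AppData\Roaming\SETUPS~1\ml.py', '');
QuarantineFile('C:\Users\Admin\AppData\Local\yc\Application\yc.exe', '');
QuarantineFile('C:\Users\Admin\AppData\Roaming\setupsk\python\python3.dll', '');
QuarantineFile('C:\Users\Admin\AppData\Roaming\setupsk\python\_ctypes.pyd', '');
QuarantineFile('C:\Program Files (x86)\ZfJRwqLPhIE\k7zVdU1Vp.dll', '');
QuarantineFile('C:\Program Files (x86)\ZfJRwqLPhIE\7ipk0.dll', '');
QuarantineFile('C:\Windows\Microsoft\svchost.exe.exe', '');
QuarantineFile('c:\windows\microsoft\svchost.exe', '');
QuarantineFile('c:\users\admin\appdata\roaming\setupsk\python\pythonw.exe', '');
QuarantineFile('c:\program files (x86)\zfjrwqlphie\dqqxdyufja.exe', '');
// Second BHO DLL registered under the same CLSID that DelBHO removes below
// (the O2 entry lists tZcAvuy.dll next to k7zVdU1Vp.dll in this folder).
QuarantineFile('C:\Program Files (x86)\ZfJRwqLPhIE\tZcAvuy.dll', '');

// DeleteFile flags: '32' = also drop autorun references to the file, '64' = remove the
// scheduled task entry (AVZ DeleteFile flag values - confirm against the AVZ reference).
DeleteFile('c:\program files (x86)\zfjrwqlphie\dqqxdyufja.exe', '32');
DeleteFile('C:\Windows\Microsoft\svchost.exe.exe', '32');
DeleteFile('C:\Program Files (x86)\ZfJRwqLPhIE\7ipk0.dll', '32');
DeleteFile('C:\Program Files (x86)\ZfJRwqLPhIE\k7zVdU1Vp.dll', '32');
DeleteFile('C:\Users\Admin\AppData\Roaming\setupsk\python\_ctypes.pyd', '32');
DeleteFile('C:\Users\Admin\AppData\Roaming\setupsk\python\python3.dll', '32');
DeleteFile('C:\Windows\Microsoft\svchost.exe', '32');
DeleteFile('C:\Users\Admin\AppData\Local\yc\Application\yc.exe', '32');
DeleteFile('C:\Users\Admin\AppData\Roaming\setupsk\python\pythonw.exe', '32');
DeleteFile('C:\Users\Admin\AppData\Roaming\SETUPS~1\ml.py', '32');
DeleteFile('C:\Users\Admin\AppData\Roaming\SETUPS~1\python\pythonw.exe', '32');
DeleteFile('C:\Windows\Tasks\PjDfytumxbayONn.job', '32');
DeleteFile('C:\Windows\system32\Tasks\curl', '64');
DeleteFile('C:\Program Files (x86)\kqEuPYMaU\alvmfs.dll', '32');
DeleteFile('C:\Users\Admin\AppData\Roaming\curl\curl.exe', '32');
DeleteFile('C:\Windows\system32\Tasks\PjDfytumxbayONn', '64');
DeleteFile('C:\Windows\system32\Tasks\PjDfytumxbayONn2', '64');
DeleteFile('C:\Windows\system32\Tasks\setupsk', '64');
DeleteFile('C:\Users\Admin\AppData\Roaming\setupsk\ml.py', '32');
DeleteFile('C:\Windows\system32\Tasks\setupsk_upd', '64');
DeleteFile('C:\Windows\system32\Tasks\System.2', '64');
DeleteFile('C:\Users\Admin\AppData\Local\xmarin\xmarin.exe', '32');
DeleteFile('C:\Windows\system32\Tasks\xmarin', '64');
DeleteFile('C:\Windows\system32\Tasks\zjwPaeaadZaNwF', '64');
DeleteFile('C:\Users\Admin\appdata\local\filesystemdriver\filesystemdriver.exe', '32');
DeleteFile('C:\Program Files (x86)\ZfJRwqLPhIE\tZcAvuy.dll', '32');
// Tasks reported by FRST that the list above does not cover: 'curls' (launches the
// curl.exe quarantined above) and up2news1comrioalz (opens chrome on up2news1.com).
DeleteFile('C:\Windows\system32\Tasks\curls', '64');
DeleteFile('C:\Windows\System32\Tasks\up2news1comrioalz', '64');
// NOTE(review): not handled here - the desktop shortcut "...\Desktop\Вoйти в Интeрнет.lnk"
// (its name mixes Cyrillic and Latin letters; copy it byte-exact if you add it) and the
// per-interface NameServer values from the O17 entries. Verify both after the reboot.

// Unregister the YoutubeAdBlock BHO and the HKCU Run entries (yc, yqqitsllzl, setupsk*).
DelBHO('{C0D38E5A-7CF8-4105-8FE8-31B81443A114}');
RegKeyParamDel('HKEY_CURRENT_USER', 'Software\Microsoft\Windows\CurrentVersion\Run', 'ycAutoLaunch_8805AEDEE4378A1CB9BB932D43532D08');
RegKeyParamDel('HKEY_CURRENT_USER', 'Software\Microsoft\Windows\CurrentVersion\Run', 'yqqitsllzl');
RegKeyParamDel('HKEY_CURRENT_USER', 'Software\Microsoft\Windows\CurrentVersion\Run', 'setupsk_upd');
RegKeyParamDel('HKEY_CURRENT_USER', 'Software\Microsoft\Windows\CurrentVersion\Run', 'setupsk');

// Re-harden IE Internet zone (Zones\3) actions the hijacker may have loosened.
// Per Microsoft's zone-action ids (0 = enable, 1 = prompt, 3 = disable):
//   1804 launching programs and files in an IFRAME      -> prompt
//   2201 automatic prompting for ActiveX controls       -> disable
//   1004 download unsigned ActiveX controls             -> disable
//   1001 download signed ActiveX controls               -> prompt
//   1201 initialize/script ActiveX not marked as safe   -> disable
RegKeyIntParamWrite('HKCU', 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\', '1804', 1);
RegKeyIntParamWrite('HKCU', 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\', '2201', 3);
RegKeyIntParamWrite('HKCU', 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\', '1004', 3);
RegKeyIntParamWrite('HKCU', 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\', '1001', 1);
RegKeyIntParamWrite('HKCU', 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\', '1201', 3);

// Hand the quarantine/delete lists to BootCleaner, run the system cleanup and the SCU
// troubleshooting wizard (categories 2..3, auto-fix), arm BootCleaner, then reboot so
// BootCleaner finishes the deletions before the infection can restart.
BC_ImportALL;
ExecuteSysClean;
ExecuteWizard('SCU', 2, 3, true);
BC_Activate;
RebootWindows(true);
end.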
begin
// Second script, run after the reboot: pack AVZ's quarantine folder into quarantine.zip
// next to the AVZ executable (GetAVZDirectory) so the samples collected by the
// QuarantineFile calls can be uploaded for analysis.
// 'CreateQurantineArchive' is the function's actual (misspelled) AVZ name - keep it as is.
CreateQurantineArchive(GetAVZDirectory+'quarantine.zip');
end.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://utseto.ru/?utm_source=startpage03&utm_content=cb3f78290a3d2d5553dc37155a410e28&utm_term=24F936F8DCF8FC597016A9D8245D932E&utm_d=20171028
O2 - BHO: YoutubeAdBlock - {C0D38E5A-7CF8-4105-8FE8-31B81443A114} - C:\Program Files (x86)\ZfJRwqLPhIE\tZcAvuy.dll
O2-32 - BHO: YoutubeAdBlock - {C0D38E5A-7CF8-4105-8FE8-31B81443A114} - C:\Program Files (x86)\ZfJRwqLPhIE\k7zVdU1Vp.dll
O4 - HKCU\..\Run: [yqqitsllzl] C:\Windows\explorer.exe "http://utseto.ru/?utm_source=uoua03&utm_content=a9bd265196ae2ea231e90e10654635e2&utm_term=24F936F8DCF8FC597016A9D8245D932E&utm_d=20171028"
O17 - HKLM\System\CSS\Services\Tcpip\..\{42b19f6e-c6d5-43ed-b807-f97fb3b06f5a}: NameServer = 35.177.46.238
O17 - HKLM\System\CSS\Services\Tcpip\..\{42b19f6e-c6d5-43ed-b807-f97fb3b06f5a}: NameServer = 46.101.28.31
O17 - HKLM\System\ControlSet001\Services\Tcpip\..\{42b19f6e-c6d5-43ed-b807-f97fb3b06f5a}: NameServer = 35.177.46.238
O17 - HKLM\System\ControlSet001\Services\Tcpip\..\{42b19f6e-c6d5-43ed-b807-f97fb3b06f5a}: NameServer = 46.101.28.31
>>> [HTTP][MASK] "C:\Users\Admin\Desktop\Вoйти в Интeрнет.lnk" -> ["C:\Windows\explorer.exe" =>> "hxxp://utseto.ru/?utm_source=desktop03&utm_content=beeec9b5b7c407982aa48918dfecc286&utm_term=bd229c498107bb8d6882848cc86a4b8b&utm_d=20171028"]
Ещё заметил такую проблему: при попытке подключиться к некоторым сайтам (пример такого сайта — gtazona.ru) мне показывает следующее: «Ваш провайдер - 82.202.226.203?»
Start::
CreateRestorePoint:
GroupPolicy: Restriction - Chrome <==== ATTENTION
FF Homepage: Mozilla\Firefox\Profiles\tskghxfe.default -> hxxp://utseto.ru/?utm_source=startpage03&utm_content=cb3f78290a3d2d5553dc37155a410e28&utm_term=24F936F8DCF8FC597016A9D8245D932E&utm_d=20171028
CHR HomePage: Default -> hxxp://utseto.ru/?utm_source=startpage03&utm_content=cb3f78290a3d2d5553dc37155a410e28&utm_term=24F936F8DCF8FC597016A9D8245D932E&utm_d=20171028
OPR StartupUrls: "hxxp://utseto.ru/?utm_source=startpage03&utm_content=cb3f78290a3d2d5553dc37155a410e28&utm_term=24F936F8DCF8FC597016A9D8245D932E&utm_d=20171028"
2017-10-29 19:58 - 2017-10-29 19:58 - 000003722 _____ C:\Windows\System32\Tasks\up2news1comrioalz
ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} => -> No File
Task: {07A839D2-9F74-4AD1-951E-8C4A6DD50447} - \xmarin -> No File <==== ATTENTION
Task: {0A2B13A6-1EAC-47D6-9133-2DCE5939CA69} - System32\Tasks\curls => C:\Users\Admin\AppData\Roaming\curl\curl.exe <==== ATTENTION
Task: {202FEFC8-0CA5-43AF-B51E-1EAEECA7C58A} - \curl -> No File <==== ATTENTION
Task: {62524D83-477F-42FA-9FBB-02F476B81678} - \setupsk -> No File <==== ATTENTION
Task: {8D383279-E9C5-4871-B417-79FB50E4AA34} - \setupsk_upd -> No File <==== ATTENTION
Task: {ACDEFC0B-B7D2-4700-B169-FCC0C5E6657F} - System32\Tasks\up2news1comrioalz => "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" up2news1.com/rioalz <==== ATTENTION
FirewallRules: [{ADF23A93-8B02-4C38-949F-F69931B826F4}] => (Allow) C:\Users\Admin\AppData\Local\yc\Application\yc.exe
EmptyTemp:
Reboot:
End::