Andrey Noskov
New user
- Messages
- 12
- Reactions
- 0
begin
ExecuteFile('net.exe', 'stop tcpip /y', 0, 15000, true);
SearchRootkit(true, true);
SetAVZGuardStatus(True);
TerminateProcessByName('c:\documents and settings\all users\application data\{3a57d343-a5b0-bafa-db95-f3a1465e046e}\251842.exe');
QuarantineFile('c:\documents and settings\all users\application data\{377A9B92-ED61-B7D7-DB95-F3A1465E046E}\9ac54b0d.exe','');
QuarantineFile('C:\Documents and Settings\All Users\Application Data\{4EFE4282-F955-F529-222D-0B60C46F49F4}\F0E450A9-474F-E702-D742-7C5ABA2CC553.exe','');
QuarantineFile('c:\documents and settings\Андрей\application data\{D3C9C03C-D15F-88D4-34C2-26FE06E69261}\7e7610a3.exe','');
QuarantineFile('C:\Documents and Settings\Андрей\Application Data\WindowsUpdate\mobsync.exe','');
QuarantineFile('C:\Documents and Settings\Андрей\Application Data\WindowsUpdate\System.exe','');
DeleteFile('C:\Documents and Settings\Андрей\Application Data\WindowsUpdate\System.exe','32');
DeleteFile('C:\Documents and Settings\Андрей\Application Data\WindowsUpdate\mobsync.exe','32');
DeleteFile('c:\documents and settings\Андрей\application data\{D3C9C03C-D15F-88D4-34C2-26FE06E69261}\7e7610a3.exe','32');
DeleteFile('C:\Documents and Settings\All Users\Application Data\{4EFE4282-F955-F529-222D-0B60C46F49F4}\F0E450A9-474F-E702-D742-7C5ABA2CC553.exe','32');
DeleteFile('c:\documents and settings\all users\application data\{377A9B92-ED61-B7D7-DB95-F3A1465E046E}\9ac54b0d.exe','32');
QuarantineFile('c:\documents and settings\all users\application data\{3a57d343-a5b0-bafa-db95-f3a1465e046e}\251842.exe', '');
QuarantineFile('C:\Documents and Settings\Application Data\GVMTKIX.exe', '');
QuarantineFile('C:\Documents and Settings\Андрей\Local Settings\Application Data\svshost\svshost.exe', '');
QuarantineFile('C:\Documents and Settings\Application Data\TJAOMV.exe', '');
QuarantineFile('C:\Documents and Settings\Application Data\XAVNJJZY.exe', '');
QuarantineFile('C:\DOCUME~1\ALLUSE~1\APPLIC~1\1c89c365\7520cf2e.dll', '');
ExecuteFile('schtasks.exe', '/delete /TN "C:\WINDOWS\Tasks\GVMTKIX.job" /F', 0, 15000, true);
ExecuteFile('schtasks.exe', '/delete /TN "C:\WINDOWS\Tasks\svshost.job" /F', 0, 15000, true);
ExecuteFile('schtasks.exe', '/delete /TN "C:\WINDOWS\Tasks\TJAOMV.job" /F', 0, 15000, true);
ExecuteFile('schtasks.exe', '/delete /TN "C:\WINDOWS\Tasks\XAVNJJZY.job" /F', 0, 15000, true);
ExecuteFile('schtasks.exe', '/delete /TN "C:\WINDOWS\Tasks\{B1AA8F04-0894-F922-12CF-066671D0E46D}.job" /F', 0, 15000, true);
DeleteFile('c:\documents and settings\all users\application data\{3a57d343-a5b0-bafa-db95-f3a1465e046e}\251842.exe', '32');
DeleteFile('C:\Documents and Settings\Application Data\GVMTKIX.exe', '32');
DeleteFile('C:\Documents and Settings\Андрей\Local Settings\Application Data\svshost\svshost.exe', '32');
DeleteFile('C:\Documents and Settings\Application Data\TJAOMV.exe', '32');
DeleteFile('C:\Documents and Settings\Application Data\XAVNJJZY.exe', '32');
DeleteFile('C:\DOCUME~1\ALLUSE~1\APPLIC~1\1c89c365\7520cf2e.dll', '32');
RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\Run','Windows System Installer');
RegKeyParamDel('HKEY_LOCAL_MACHINE', 'Software\Microsoft\Windows NT\CurrentVersion\Winlogon', 'Taskman');
BC_ImportALL;
ExecuteSysClean;
BC_Activate;
ExecuteWizard('SCU', 2, 3, true);
RebootWindows(true);
end.
begin
CreateQurantineArchive(GetAVZDirectory+'quarantine.zip');
end.
Attach a fresh CollectionLog.
I ran the diagnostics with autologger. What should I do next?
Start::
CreateRestorePoint:
FF HKLM\...\Firefox\Extensions: [jid1-n5ARdBzHkUEdAA@jetpack] - C:\Documents and Settings\Андрей\Application Data\Mozilla\Extensions\jid1-n5ARdBzHkUEdAA@jetpack => not found
CHR HomePage: Default -> mail.ru/cnt/11956636?rciguc__PARAM__
OPR StartupUrls: "hxxp://granena.ru/?utm_content=31b5cebd524a9af6c7a772dca81815e9&utm_source=startpm&utm_term=93FE30B5AEBD857B0F2E3A9F7151C643&utm_d=20161126"
StartMenuInternet: (HKLM) Opera.exe - C:\Program Files\Opera\Opera.exe hxxp://www.luckysearches.com/?type=sc&ts=1429255339&from=cmi&uid=ST3500418AS_9VMQACVLXXXX9VMQACVL
2017-06-15 10:24 - 2017-04-13 14:47 - 00000406 _____ C:\WINDOWS\Tasks\{AB6AB3A2-C551-2BC7-DB95-F3A1465E046E}.job
2017-06-15 10:24 - 2017-03-27 19:38 - 00000400 _____ C:\WINDOWS\Tasks\{4FD9E80C-F96F-14C4-34C2-26FE06E69261}.job
2017-06-15 10:24 - 2015-04-17 11:23 - 00001364 _____ C:\WINDOWS\Tasks\TJAOMV.job
2017-06-15 10:24 - 2015-04-14 15:58 - 00001712 _____ C:\WINDOWS\Tasks\XAVNJJZY.job
2017-06-15 10:24 - 2015-03-31 11:19 - 00001710 _____ C:\WINDOWS\Tasks\GVMTKIX.job
2017-06-15 10:24 - 2016-12-02 15:01 - 00000314 ____H C:\WINDOWS\Tasks\AVG EUpdate Task.job
2017-06-15 00:39 - 2017-04-13 14:47 - 00000000 ____D C:\Documents and Settings\Андрей\Application Data\WindowsUpdate
Task: C:\WINDOWS\Tasks\AVG EUpdate Task.job => C:\Program Files\AVG\Setup AVG Technologies иЂ‡ 0 Я 0Я
Task: C:\WINDOWS\Tasks\GVMTKIX.job => C:\Documents and Settings\Application Data\GVMTKIX.exe
Task: C:\WINDOWS\Tasks\svshost.job => C:\Documents and Settings\Андрей\Local Settings\Application Data\svshost\svshost.exe
Task: C:\WINDOWS\Tasks\TJAOMV.job => C:\Documents and Settings\Application Data\TJAOMV.exe
Task: C:\WINDOWS\Tasks\XAVNJJZY.job => C:\Documents and Settings\Application Data\XAVNJJZY.exe
Task: C:\WINDOWS\Tasks\{4FD9E80C-F96F-14C4-34C2-26FE06E69261}.job => c:\documents and settings\Андрей\application data\{D3C9C03C-D15F-88D4-34C2-26FE06E69261}\7e7610a3.exe
Task: C:\WINDOWS\Tasks\{51CF55AB-E664-E200-7705-2E91BB9B5210}.job => C:\Documents and Settings\All Users\Application Data\{4EFE4282-F955-F529-222D-0B60C46F49F4}\F0E450A9-474F-E702-D742-7C5ABA2CC553.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\{AB6AB3A2-C551-2BC7-DB95-F3A1465E046E}.job => c:\documents and settings\all users\application data\{377A9B92-ED61-B7D7-DB95-F3A1465E046E}\9ac54b0d.exe
Task: C:\WINDOWS\Tasks\{B1AA8F04-0894-F922-12CF-066671D0E46D}.job => C:\WINDOWS\system32\regsvr32.exe F /s /n /i:/rt C:\DOCUME~1\ALLUSE~1\APPLIC~1\1c89c365\7520cf2e.dll <==== ATTENTION
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\MTA San Andreas All:NT [40]
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\MTA San Andreas All:NT2 [432]
EmptyTemp:
Reboot:
End::
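As an added example (not part of the thread or of FRST itself), a small Python triage of FRST `Task:` lines like the ones in the fix above, applying the checks a helper does by eye: tasks FRST itself marked ATTENTION, targets under user-writable profile directories, GUID-named data folders, and regsvr32 /i: loading a DLL from outside the Windows directory. The heuristics and the regex names are my own; the sample lines are copied from the log above, except the AVG line, whose unreadable tail is dropped.

```python
import re

# Sample input: Task: lines copied from the FRST log in this thread (the AVG line
# is shortened to drop its garbled tail). The AVG task is the expected benign case.
SAMPLE_TASK_LINES = r"""
Task: C:\WINDOWS\Tasks\AVG EUpdate Task.job => C:\Program Files\AVG\Setup AVG Technologies
Task: C:\WINDOWS\Tasks\GVMTKIX.job => C:\Documents and Settings\Application Data\GVMTKIX.exe
Task: C:\WINDOWS\Tasks\svshost.job => C:\Documents and Settings\Андрей\Local Settings\Application Data\svshost\svshost.exe
Task: C:\WINDOWS\Tasks\{51CF55AB-E664-E200-7705-2E91BB9B5210}.job => C:\Documents and Settings\All Users\Application Data\{4EFE4282-F955-F529-222D-0B60C46F49F4}\F0E450A9-474F-E702-D742-7C5ABA2CC553.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\{B1AA8F04-0894-F922-12CF-066671D0E46D}.job => C:\WINDOWS\system32\regsvr32.exe F /s /n /i:/rt C:\DOCUME~1\ALLUSE~1\APPLIC~1\1c89c365\7520cf2e.dll <==== ATTENTION
""".strip().splitlines()

# "Task: <job path> => <command line> [<==== ATTENTION]"; the ATTENTION tail is optional.
TASK_RE = re.compile(
    r"^Task:\s+(?P<job>.+?\.job)\s+=>\s+(?P<target>.*?)(?P<attention>\s+<====\s+ATTENTION)?$"
)
# Heuristics (my own, not FRST's): persistence running from places a normal user can write.
USER_WRITABLE = re.compile(r"\\(application data|applic~1|local settings|temp)\\", re.I)
GUID_DIR = re.compile(r"\\\{[0-9a-f-]{36}\}\\", re.I)
REGSVR_DLL = re.compile(r"regsvr32\.exe.*?/i:.*?(?P<dll>\S+\.dll)", re.I)


def triage_task_line(line):
    """Parse one Task: line; return (job, target, reasons) or None if it is not a Task: line."""
    m = TASK_RE.match(line.strip())
    if not m:
        return None
    job, target = m.group("job"), m.group("target").strip()
    reasons = []
    if m.group("attention"):
        reasons.append("flagged by FRST")
    if USER_WRITABLE.search(target):
        reasons.append("runs from a user-writable profile directory")
    if GUID_DIR.search(target):
        reasons.append("binary lives in a GUID-named data directory")
    r = REGSVR_DLL.search(target)
    if r and not re.match(r"c:\\windows\\", r.group("dll"), re.I):
        reasons.append("regsvr32 /i: loads a DLL outside the Windows directory: " + r.group("dll"))
    return job, target, reasons


def triage(lines):
    """Return {job: [reasons]} for every Task: line that tripped at least one heuristic."""
    findings = {}
    for line in lines:
        parsed = triage_task_line(line)
        if parsed and parsed[2]:
            findings[parsed[0]] = parsed[2]
    return findings


if __name__ == "__main__":
    for job, reasons in triage(SAMPLE_TASK_LINES).items():
        print(job, "->", "; ".join(reasons))
```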
There is also a problem with pop-up windows saying "entry point not found" (sometimes three in a row).
(See the photo in the message above.) And this also happens.
Is it absent in other browsers?
Ads in the browser (Chrome)
Start::
CreateRestorePoint:
HKU\S-1-5-21-796845957-57989841-682003330-1004\...\Run: [Windows System Installer] => c:\documents and settings\all users\application data\{377a9b92-ed61-b7d7-db95-f3a1465e046e}\9ac54b0d.exe
HKU\S-1-5-21-796845957-57989841-682003330-1004\...\Winlogon: [Shell] explorer.exe,C:\Documents and Settings\Андрей\Application Data\WindowsUpdate\mobsync.exe <==== ATTENTION
Tcpip\Parameters: [NameServer] 82.163.143.176 82.163.142.178
Reboot:
End::