begin
ShowMessage('Внимание! Перед выполнением скрипта AVZ автоматически закроет все сетевые подключения.'+#13#10+'После перезагрузки компьютера подключения к сети будут восстановлены в автоматическом режиме.');
ExecuteFile('net.exe', 'stop tcpip /y', 0, 15000, true);
SearchRootkit(true, true);
SetAVZGuardStatus(True);
QuarantineFileF('C:\Documents and Settings\User\Application Data\4BB7A519', '*.*', true, '', 0, 0);
QuarantineFileF('C:\Documents and Settings\User\Application Data\4BB7A2AB', '*.*', true, '', 0, 0);
QuarantineFile('C:\DOCUME~1\User\LOCALS~1\Temp\60421406FdOh','');
QuarantineFile('C:\Documents and Settings\User\Application Data\190.exe','');
DeleteFile('C:\Documents and Settings\User\Application Data\190.exe');
DeleteFile('C:\DOCUME~1\User\LOCALS~1\Temp\60421406FdOh');
DeleteFileMask('C:\Documents and Settings\User\Application Data\4BB7A519', '*.*', true);
DeleteDirectory('C:\Documents and Settings\User\Application Data\4BB7A519');
DeleteFileMask('C:\Documents and Settings\User\Application Data\4BB7A2AB', '*.*', true);
DeleteDirectory('C:\Documents and Settings\User\Application Data\4BB7A2AB');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','60421875');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
ExecuteRepair(13);
ExecuteWizard('SCU',2,3,true);
RebootWindows(true);
end.
begin
CreateQurantineArchive(GetAVZDirectory+'quarantine.zip');
end.
O1 - Hosts: 46.251.249.137 my.mail.ru odnoklassniki.ru m.vk.com wap.odnoklassniki.ru www.odnoklassniki.ru vk.com m.odnoklassniki.ru
O1 - Hosts: 46.251.249.136 mc.yandex.ru admulti.com counter.spylog.com counter.rambler.ru www.google-analytics.com
O4 - HKLM\..\Run: [60421875] cmd.exe /c copy C:\DOCUME~1\User\LOCALS~1\Temp\60421406FdOh C:\WINDOWS\system32\drivers\etc\hosts /Y && attrib +H C:\WINDOWS\system32\drivers\etc\hosts /f
%appdata%\Malwarebytes\Malwarebytes' Anti-Malware\Logs
Security Check by glax24 version 0.1.5.41 beta
WebSite: [url]www.safezone.cc[/url]
DataLog 30.11.2012 09:47:05
Program directory: C:\Documents and Settings\User\Local Settings\Temp\SecurityCheck\
Log directory: C:\SecurityCheck\
IsAdmin: True
XML File - VersionInet=1.1
__________________________________________________
WIN_XP (x86) Lan:0409
Service Pack 3
Internet Explorer 8.0
-------------Windows------------------------------
Notify of download and installation
Date install updates: 2012-11-14 16:53:25
Automatic Updates (wuauserv) - The service is running
Security Center (wscsvc) - The service is running
-------------Antivirus_WMI------------------------
Doctor Web Anti-Virus
Antivirus up to date!
-------------Firewall_WMI-------------------------
-------------AntiVirusFirewallInstall-------------
Dr.Web anti-virus for Windows 6.0 (x86) v.6.00.0.10201
-------------OtherUtilities-----------------------
CCleaner v.3.21
Malwarebytes Anti-Malware, версия 1.65.1.1000 v.1.65.1.1000
-------------Java---------------------------------
Java(TM) 6 Update 31 v.6.0.310 [color=red][b]Warning! [url=http://www.java.com/en/download/manual_v6.jsp]Download UpDate[/url][/b][/color]
-------------AppleProduction----------------------
-------------AdobeProduction----------------------
Adobe Flash Player 11 ActiveX v.11.4.402.287 [color=red][b]Warning! [url=http://get.adobe.com/flashplayer/]Download UpDate[/url][/b][/color]
Adobe Flash Player 11 Plugin v.11.5.502.110
Adobe Reader 9.5.1 - Russian v.9.5.1 [color=red][b]Warning! [url=http://get.adobe.com/reader/otherversions]Download UpDate[/url][/b][/color]
-------------Browser------------------------------
Mozilla Firefox 17.0 (x86 ru) v.17.0
Opera 11.00 v.11.00.1156 [color=red][b]Warning! [url=http://www.opera.com/browser/]Download UpDate[/url][/b][/color]
-------------RunningProcess-----------------------
C:\Program Files\Mozilla Firefox\firefox.exe v.17.0.0.4706
-------------EndLog-------------------------------
begin
ShowMessage('Внимание! Перед выполнением скрипта AVZ автоматически закроет все сетевые подключения.'+#13#10+'После перезагрузки компьютера подключения к сети будут восстановлены в автоматическом режиме.');
ExecuteFile('net.exe', 'stop tcpip /y', 0, 15000, true);
SearchRootkit(true, true);
SetAVZGuardStatus(True);
QuarantineFileF('C:\Documents and Settings\User\Application Data\Microsoft\', '*.exe', false, '', 0, 0);
QuarantineFileF('C:\Recycle.Bin', '*.*', true, '', 0, 0);
QuarantineFileF('C:\Program Files\dd2\', '*.*', true, '', 0, 0);
QuarantineFileF('C:\Program Files\insta2\', '*.*', true, '', 0, 0);
QuarantineFile('C:\Documents and Settings\User\Application Data\Microsoft\198.exe','');
QuarantineFile('C:\Documents and Settings\User\0.3334076819292544.exe','');
DeleteFile('C:\Documents and Settings\User\Application Data\Microsoft\198.exe');
DeleteFile('C:\Documents and Settings\User\0.3334076819292544.exe');
DeleteFileMask('C:\Recycle.Bin', '*.*', true);
DeleteDirectory('C:\Recycle.Bin');
DeleteFileMask('C:\Program Files\dd2\', '*.*', true);
DeleteDirectory('C:\Program Files\dd2\');
DeleteFileMask('C:\Program Files\insta2\', '*.*', true);
DeleteDirectory('C:\Program Files\insta2\');
if MessageDLG('Заражение Вашего компьютера произошло через автоматический запуск программ на съемных накопителях. Отключить автозапуск?', mtConfirmation, mbYes+mbNo, 0) = 6 then
RegKeyIntParamWrite('HKLM', 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer', 'NoDriveTypeAutoRun', '221');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
ExecuteWizard('SCU',2,3,true);
RebootWindows(true);
end.
begin
CreateQurantineArchive(GetAVZDirectory+'quarantine.zip');
end.
:processes
:OTL
FF - prefs.js..keyword.URL: "http://dts.search-results.com/sr?src=ffb&appid=710&systemid=2&sr=0&q="
CHR - homepage: http://search.bearshare.net
CHR - homepage: http://search.bearshare.net
O4 - Startup: C:\Documents and Settings\Administrator.NOTEBOOK-COMPAQ\Start Menu\Programs\Startup\setup_9.0.0.722_31.03.2011_18-25.lnk = File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Low Rights present
[2012.11.27 02:12:37 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\All Users\VnLLFiUBHxE
[2012.11.15 16:21:28 | 000,000,000 | R--D | C] -- C:\Documents and Settings\User\Application Data\4BB7A519
[2012.11.15 14:52:42 | 000,000,000 | R--D | C] -- C:\Documents and Settings\User\Application Data\4BB7A2AB
[2012.11.15 15:41:59 | 000,049,335 | ---- | M] () -- C:\Documents and Settings\User\Application Data\B4595F61a
[2012.11.15 15:41:57 | 000,000,037 | ---- | M] () -- C:\Documents and Settings\User\Application Data\b4595fa3a
[2012.10.22 00:18:40 | 000,002,855 | ---- | C] () -- C:\Documents and Settings\User\0.3334076819292544.PIF
@Alternate Data Stream - 144 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A064CECC
@Alternate Data Stream - 141 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:41ADDB8A
:Services
:Files
ipconfig /flushdns /c
:Reg
:Commands
[EMPTYTEMP]
[purity]
[start explorer]
[Reboot]
All processes killed
========== PROCESSES ==========
========== OTL ==========
Prefs.js: "http://dts.search-results.com/sr?src=ffb&appid=710&systemid=2&sr=0&q=" removed from keyword.URL
Use Chrome's Settings page to change the HomePage.
Use Chrome's Settings page to change the HomePage.
C:\Documents and Settings\Administrator.NOTEBOOK-COMPAQ\Start Menu\Programs\Startup\setup_9.0.0.722_31.03.2011_18-25.lnk moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Low Rights\ deleted successfully.
C:\Documents and Settings\All Users\VnLLFiUBHxE\GOxeV6VMZSY folder moved successfully.
C:\Documents and Settings\All Users\VnLLFiUBHxE folder moved successfully.
C:\Documents and Settings\User\Application Data\4BB7A519 folder moved successfully.
C:\Documents and Settings\User\Application Data\4BB7A2AB folder moved successfully.
C:\Documents and Settings\User\Application Data\B4595F61a moved successfully.
C:\Documents and Settings\User\Application Data\b4595fa3a moved successfully.
C:\Documents and Settings\User\0.3334076819292544.PIF moved successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:A064CECC deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:41ADDB8A deleted successfully.
========== SERVICES/DRIVERS ==========
========== FILES ==========
[color=#A23BEC]< ipconfig /flushdns /c >[/color]
Настройка протокола IP для Windows
Успешно сброшен кэш распознавателя DNS.
C:\Documents and Settings\User\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\User\Desktop\cmd.txt deleted successfully.
========== REGISTRY ==========
========== COMMANDS ==========
[EMPTYTEMP]
User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 247699 bytes
->Flash cache emptied: 2836 bytes
User: Administrator.NOTEBOOK-COMPAQ
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 215018 bytes
->FireFox cache emptied: 7033138 bytes
->Flash cache emptied: 41620 bytes
User: All Users
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 41620 bytes
User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 33170 bytes
User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
User: User
->Temp folder emptied: 2938 bytes
->Temporary Internet Files folder emptied: 992107 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 497248053 bytes
->Opera cache emptied: 0 bytes
->Flash cache emptied: 1239 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2402044 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 83181423 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes
Total Files Cleaned = 564,00 mb
OTL by OldTimer - Version 3.2.69.0 log created on 11302012_132552
Files\Folders moved on Reboot...
PendingFileRenameOperations files...
Registry entries deleted on Reboot...