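// AVZ cleanup script (Pascal-style syntax, run inside AVZ).
// Order is deliberate: networking is stopped first, every file is copied to
// quarantine BEFORE it is deleted (evidence is preserved), then persistence
// (task .job files, scheduled tasks, BHOs, Run/RunOnce values) is removed,
// the quarantine is archived and the machine is rebooted.
// Change from the posted version: the duplicated RegKeyParamDel for 'aswast'
// is listed once (the second call was a no-op repeat).
begin
// Stop TCP/IP networking for the duration of the cleanup.
// Arguments 0, 15000, true are passed to ExecuteFile as given by the helper;
// 15000 is presumably a millisecond timeout - confirm against AVZ help.
ExecuteFile('net.exe', 'stop tcpip /y', 0, 15000, true);
// Quarantine executable / script content from the affected directories.
// The third argument (true) presumably enables subdirectory recursion - confirm against AVZ help.
QuarantineFileF('c:\users\classick\appdata\roaming\aswast', '*.exe, *.dll, *.sys, *.bat, *.vbs, *.js*, *.tmp*', true, '', 0 ,0);
QuarantineFileF('c:\program files (x86)\torrent search', '*.exe, *.dll, *.sys, *.bat, *.vbs, *.js*, *.tmp*', true, '', 0 ,0);
QuarantineFileF('c:\program files (x86)\vk ok adblock', '*.exe, *.dll, *.sys, *.bat, *.vbs, *.js*, *.tmp*', true, '', 0 ,0);
QuarantineFileF('c:\users\classick\appdata\local\fupdate', '*.exe, *.dll, *.sys, *.bat, *.vbs, *.js*, *.tmp*', true, '', 0 ,0);
QuarantineFileF('c:\users\classick\appdata\local\searchgo', '*.exe, *.dll, *.sys, *.bat, *.vbs, *.js*, *.tmp*', true, '', 0 ,0);
QuarantineFileF('c:\users\classick\appdata\local\syslog', '*.exe, *.dll, *.sys, *.bat, *.vbs, *.js*, *.tmp*', true, '', 0 ,0);
// Quarantine individual files. Quarantining copies; the matching DeleteFile
// calls further down do the actual removal. Paths are literal - do not retype them.
QuarantineFile('C:\Users\ClasSICK\AppData\Local\Temp\amigo_scoped_dir_1487929400\9bfq7WxpZFGd.exe', '');
QuarantineFile('c:\users\classick\appdata\roaming\aswast\python\pythonw.exe', '');
QuarantineFile('C:\Users\ClasSICK\AppData\Roaming\aswast\python\DLLs\_ctypes.pyd', '');
QuarantineFile('C:\Users\ClasSICK\AppData\Roaming\aswast\ml.py', '');
QuarantineFile('C:\Users\ClasSICK\AppData\Local\Temp\e.exe', '');
QuarantineFile('C:\Users\ClasSICK\AppData\Local\Temp\startpm.exe', '');
QuarantineFile('C:\Users\ClasSICK\AppData\Local\Temp\T0bSDUUumU1u.exe', '');
QuarantineFile('C:\Users\ClasSICK\AppData\Local\Temp\hD09mdLXf43x.exe', '');
QuarantineFile('C:\Users\ClasSICK\AppData\Local\Temp\sqdgTToEkw3C.exe', '');
QuarantineFile('C:\Program Files (x86)\Torrent Search\IEEF\ntYXbCxQ.dll', '');
QuarantineFile('C:\Program Files (x86)\VK OK AdBlock\IEEF\8o95XoQ.dll', '');
QuarantineFile('C:\Program Files (x86)\Torrent Search\87HJFtH.exe', '');
QuarantineFile('C:\Program Files (x86)\VK OK AdBlock\NdIimwJ.dll', '');
QuarantineFile('C:\Users\ClasSICK\AppData\Roaming\aswast\app.py', '');
QuarantineFile('C:\Users\ClasSICK\AppData\Local\fupdate\fupdate.exe', '');
QuarantineFile('C:\Users\ClasSICK\AppData\Local\SearchGo\searchgo.exe', '');
QuarantineFile('C:\Users\ClasSICK\AppData\Local\syslog\syslog.exe', '');
// Remove the legacy task .job files. The '64' flag differs from the '32' used
// for ordinary files below; the flag meanings are defined by AVZ - verify before changing.
DeleteFile('C:\Windows\Tasks\Update Service for Torrent Search.job', '64');
DeleteFile('C:\Windows\Tasks\Update Service for Torrent Search2.job', '64');
DeleteFile('C:\Windows\Tasks\Update Service for VK OK AdBlock.job', '64');
DeleteFile('C:\Windows\Tasks\Update Service for VK OK AdBlock2.job', '64');
// Remove the scheduled tasks by name (/F = force, no confirmation prompt).
ExecuteFile('schtasks.exe', '/delete /TN "aswast" /F', 0, 15000, true);
ExecuteFile('schtasks.exe', '/delete /TN "aswast2" /F', 0, 15000, true);
ExecuteFile('schtasks.exe', '/delete /TN "fupdate" /F', 0, 15000, true);
ExecuteFile('schtasks.exe', '/delete /TN "SearchGo Task" /F', 0, 15000, true);
ExecuteFile('schtasks.exe', '/delete /TN "syslog" /F', 0, 15000, true);
ExecuteFile('schtasks.exe', '/delete /TN "Update Service for Torrent Search" /F', 0, 15000, true);
ExecuteFile('schtasks.exe', '/delete /TN "Update Service for Torrent Search2" /F', 0, 15000, true);
ExecuteFile('schtasks.exe', '/delete /TN "Update Service for VK OK AdBlock" /F', 0, 15000, true);
ExecuteFile('schtasks.exe', '/delete /TN "Update Service for VK OK AdBlock2" /F', 0, 15000, true);
// Delete the files quarantined above (same paths, same order).
DeleteFile('C:\Users\ClasSICK\AppData\Local\Temp\amigo_scoped_dir_1487929400\9bfq7WxpZFGd.exe', '32');
DeleteFile('c:\users\classick\appdata\roaming\aswast\python\pythonw.exe', '32');
DeleteFile('C:\Users\ClasSICK\AppData\Roaming\aswast\python\DLLs\_ctypes.pyd', '32');
DeleteFile('C:\Users\ClasSICK\AppData\Roaming\aswast\ml.py', '32');
DeleteFile('C:\Users\ClasSICK\AppData\Local\Temp\e.exe', '32');
DeleteFile('C:\Users\ClasSICK\AppData\Local\Temp\startpm.exe', '32');
DeleteFile('C:\Users\ClasSICK\AppData\Local\Temp\T0bSDUUumU1u.exe', '32');
DeleteFile('C:\Users\ClasSICK\AppData\Local\Temp\hD09mdLXf43x.exe', '32');
DeleteFile('C:\Users\ClasSICK\AppData\Local\Temp\sqdgTToEkw3C.exe', '32');
DeleteFile('C:\Program Files (x86)\Torrent Search\IEEF\ntYXbCxQ.dll', '32');
DeleteFile('C:\Program Files (x86)\VK OK AdBlock\IEEF\8o95XoQ.dll', '32');
DeleteFile('C:\Program Files (x86)\Torrent Search\87HJFtH.exe', '32');
DeleteFile('C:\Program Files (x86)\VK OK AdBlock\NdIimwJ.dll', '32');
DeleteFile('C:\Users\ClasSICK\AppData\Roaming\aswast\app.py', '32');
DeleteFile('C:\Users\ClasSICK\AppData\Local\fupdate\fupdate.exe', '32');
DeleteFile('C:\Users\ClasSICK\AppData\Local\SearchGo\searchgo.exe', '32');
DeleteFile('C:\Users\ClasSICK\AppData\Local\syslog\syslog.exe', '32');
// Wipe whatever else remains in the affected directories ('*' mask, third
// argument true presumably means recurse), then remove the directories themselves.
DeleteFileMask('c:\users\classick\appdata\roaming\aswast', '*', true);
DeleteFileMask('c:\program files (x86)\torrent search', '*', true);
DeleteFileMask('c:\program files (x86)\vk ok adblock', '*', true);
DeleteFileMask('c:\users\classick\appdata\local\fupdate', '*', true);
DeleteFileMask('c:\users\classick\appdata\local\searchgo', '*', true);
DeleteFileMask('c:\users\classick\appdata\local\syslog', '*', true);
DeleteDirectory('c:\users\classick\appdata\roaming\aswast');
DeleteDirectory('c:\program files (x86)\torrent search');
DeleteDirectory('c:\program files (x86)\vk ok adblock');
DeleteDirectory('c:\users\classick\appdata\local\fupdate');
DeleteDirectory('c:\users\classick\appdata\local\searchgo');
DeleteDirectory('c:\users\classick\appdata\local\syslog');
// Unregister the Browser Helper Objects by CLSID (the DLLs themselves were handled above).
DelBHO('{6E727987-C8EA-44DA-8749-310C0FBE3C3E}');
DelBHO('{FF20459C-DA6E-41A7-80BC-8F4FEFD9C575}');
DelBHO('{03AE1B7B-A9E7-4D5A-9D34-89999C31B659}');
// Remove the autorun values from the current user's Run / RunOnce keys.
RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\Run','stbehhhleu');
RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\Run','aswast');
RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\RunOnce','curloihwdc');
RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\RunOnce','npsmjljuoy');
RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\RunOnce','exjbkgzosj');
RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\RunOnce','iyadhpsccw');
RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\RunOnce','ynekphfwlk');
// AVZ built-in system cleanup, then the 'SCU' wizard with the helper's
// arguments (2, 3, true) - their meaning is AVZ-defined, leave as given.
ExecuteSysClean;
ExecuteWizard('SCU', 2, 3, true);
// Pack the quarantine into quarantine.zip next to AVZ so it can be uploaded.
// 'CreateQurantineArchive' is AVZ's own spelling of this function - do not "correct" it.
CreateQurantineArchive(GetAVZDirectory + 'quarantine.zip');
// Reboot so locked files and removed tasks are fully released
// (true presumably forces the reboot - confirm against AVZ help).
RebootWindows(true);
end.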
Лог не тот выложили или очистку так и не сделали. Удалите параметры запуска ярлыков. Лог, который создается после удаления, прикрепите к сообщению.
// AVZ follow-up cleanup script (Pascal-style syntax, run inside AVZ).
// Same structure as the first script: stop networking, quarantine first,
// delete afterwards, remove persistence, archive quarantine, reboot.
begin
// Stop TCP/IP networking for the duration of the cleanup.
ExecuteFile('net.exe', 'stop tcpip /y', 0, 15000, true);
// Quarantine executable / script content from the setupsk directory
// (third argument true presumably enables subdirectory recursion - confirm against AVZ help).
QuarantineFileF('c:\users\classick\appdata\roaming\setupsk', '*.exe, *.dll, *.sys, *.bat, *.vbs, *.js*, *.tmp*', true, '', 0 ,0);
QuarantineFile('C:\Users\ClasSICK\AppData\Roaming\setupsk\ml.py', '');
// NOTE(review): the shortcut name may contain Latin look-alike letters mixed
// into the Cyrillic text; keep this path literal byte-for-byte, never retype it.
QuarantineFile('C:\Users\ClasSICK\Desktop\Поиcк в Интeрнете.lnk', '');
// NOTE(review): called without the flags argument that the other DeleteFile
// calls use ('32') - confirm the one-argument form is accepted by this AVZ version.
DeleteFile('C:\Users\ClasSICK\Desktop\Поиcк в Интeрнете.lnk');
// Remove the scheduled task by name (/F = force, no confirmation prompt).
ExecuteFile('schtasks.exe', '/delete /TN "setupsk" /F', 0, 15000, true);
// Delete the quarantined script, then everything left in the directory and the directory itself.
DeleteFile('C:\Users\ClasSICK\AppData\Roaming\setupsk\ml.py', '32');
DeleteFileMask('c:\users\classick\appdata\roaming\setupsk', '*', true);
DeleteDirectory('c:\users\classick\appdata\roaming\setupsk');
// Remove the autorun value from the current user's Run key.
RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\Run','setupsk');
// AVZ built-in system cleanup, then the 'SCU' wizard with the helper's arguments (AVZ-defined).
ExecuteSysClean;
ExecuteWizard('SCU', 2, 3, true);
// Pack the quarantine into quarantine.zip next to AVZ so it can be uploaded.
// 'CreateQurantineArchive' is AVZ's own spelling of this function - do not "correct" it.
CreateQurantineArchive(GetAVZDirectory + 'quarantine.zip');
// Reboot so locked files and the removed task are fully released.
RebootWindows(true);
end.
start
CreateRestorePoint:
Task: {D6312EF8-FCAC-4679-8FC5-5E564A931356} - System32\Tasks\setupsk => C:\Users\ClasSICK\AppData\Roaming\setupsk\python\pythonw.exe [2015-12-21] ()
GroupPolicy: Restriction - Chrome <======= ATTENTION
GroupPolicy\User: Restriction <======= ATTENTION
BHO: TSearch -> {6E727987-C8EA-44DA-8749-310C0FBE3C3E} -> C:\Program Files (x86)\Torrent Search\IEEF\zVnVFVyZ.dll => No File
BHO: VK OK AdBlock -> {FF20459C-DA6E-41A7-80BC-8F4FEFD9C575} -> C:\Program Files (x86)\VK OK AdBlock\IEEF\r9U2fX.dll => No File
HKU\S-1-5-21-3132329110-160724464-2602932941-1000\...\Run: [setupsk] => C:\Users\ClasSICK\AppData\Roaming\setupsk\python\pythonw.exe [27648 2015-12-21] ()
2017-02-24 16:54 - 2017-02-24 16:54 - 00003448 _____ C:\Windows\System32\Tasks\setupsk
2017-02-24 12:47 - 2017-02-24 17:22 - 00001530 _____ C:\Users\ClasSICK\Desktop\Войти в Интернет.LNK
2017-02-24 12:46 - 2017-02-24 16:54 - 00000000 ____D C:\Users\ClasSICK\AppData\Roaming\setupsk
EmptyTemp:
Reboot:
end
Нужно скрипт выполнять, а уж потом логи FRST делать. Скрипт сейчас выполню.
Ждем. Лог, который будет создан после выполнения скрипта, прикрепите к сообщению.
Легальная игра от mail.ru, поэтому не трогал, но раз настаиваете, тогда... Остались на раб. столе "Игры престолов".
start
CreateRestorePoint:
ShortcutWithArgument: C:\Users\ClasSICK\Desktop\Войны престолов.lnk -> C:\Windows\explorer.exe (Microsoft Corporation) -> "hxxp://goooodlink.ru/WarOfThrones16_"
2017-02-24 12:54 - 2017-02-24 12:54 - 00001638 _____ C:\Users\ClasSICK\Desktop\Войны престолов.lnk
2017-02-24 12:54 - 2017-02-24 12:54 - 00000000 ____D C:\Users\ClasSICK\AppData\Local\Войны престолов
EmptyTemp:
Reboot:
end
???Ого!)