GamesDesktop 033.005010185
istartpageing uninstall
Oursoft
TSearch
Unity Web Player
Амиго
Служба автоматического обновления программ (Automatic Program Update Service)
begin
ShowMessage('Warning! Before running the script, AVZ will automatically close all network connections.' + #13#10 + 'After the computer restarts, network connections will be restored automatically.');
ExecuteFile('net.exe', 'stop tcpip /y', 0, 15000, true);
TerminateProcessByName('c:\program files (x86)\e5642cdc-1450976481-e411-aa1f-f0761c2f892b\knsoa5da.tmpfs');
TerminateProcessByName('c:\programdata\jwdmj\wdman.exe');
TerminateProcessByName('c:\program files (x86)\e5642cdc-1450976481-e411-aa1f-f0761c2f892b\rnsjba27.exe');
TerminateProcessByName('c:\users\sp\appdata\local\temp\nsy37aa.tmp');
StopService('rizyqibe');
StopService('WdMan');
StopService('gefutesi');
QuarantineFile('C:\Users\SP\appdata\roaming\aspackage\aspackage.exe', '');
QuarantineFile('C:\Windows\syswow64\searchprotectservice.exe', '');
QuarantineFile('C:\Windows\system32\searchprotectservice.exe', '');
QuarantineFile('C:\Users\SP\AppData\Local\Hostinstaller\4042898823_monster.exe', '');
QuarantineFile('C:\ProgramData\wGJbPVhkafGIqM\mNIXCViBvpo5.bat', '');
QuarantineFile('C:\ProgramData\bFnTBNqA\YPKtOxzXsEySOzd0.bat', '');
QuarantineFile('C:\Program Files (x86)\Zaxar\ZaxarLoader.exe', '');
QuarantineFile('C:\Program Files (x86)\Zaxar\ZaxarGameBrowser.exe', '');
QuarantineFile('C:\ProgramData\TimeTasks\timetasks.exe', '');
QuarantineFile('C:\Users\SP\AppData\Local\epohbbbfeldaodfhfljalhiilifmneie\config.json', '');
QuarantineFile('C:\Users\SP\AppData\Local\epohbbbfeldaodfhfljalhiilifmneie\stub.exe', '');
QuarantineFile('C:\Users\SP\AppData\Local\Style Experience\{09798C57-BF52-592A-FCDA-417E5236F15E}\{A68BEFF6-E79C-00FF-BD6E-9A9B779AF8B1}.dat', '');
QuarantineFile('C:\Users\SP\AppData\Local\Style Experience\{09798C57-BF52-592A-FCDA-417E5236F15E}\wrzkkd.dll', '');
QuarantineFile('C:\Users\SP\AppData\Local\Style Experience\{09798C57-BF52-592A-FCDA-417E5236F15E}\StyleExperience.dll', '');
QuarantineFile('c:\programdata\jwdmj\wdman.exe', '');
QuarantineFile('c:\program files (x86)\e5642cdc-1450976481-e411-aa1f-f0761c2f892b\rnsjba27.exe', '');
QuarantineFile('c:\users\sp\appdata\local\temp\nsy37aa.tmp', '');
QuarantineFile('c:\program files (x86)\e5642cdc-1450976481-e411-aa1f-f0761c2f892b\knsoa5da.tmpfs', '');
QuarantineFile('c:\program files (x86)\e5642cdc-1450976481-e411-aa1f-f0761c2f892b\jnszc3ad.tmp', '');
QuarantineFile('c:\program files (x86)\e5642cdc-1450976481-e411-aa1f-f0761c2f892b\hnsje0df.tmp', '');
DeleteFile('c:\users\sp\appdata\local\temp\nsy37aa.tmp', '32');
DeleteFile('C:\Windows\system32\Tasks\Soft installer', '64');
DeleteFile('C:\Windows\system32\Tasks\Style Experience', '64');
DeleteFile('C:\Windows\system32\Tasks\Style Experience2', '64');
DeleteFile('C:\Windows\system32\searchprotectservice.exe', '32');
DeleteFile('C:\Windows\syswow64\searchprotectservice.exe', '32');
DeleteService('rizyqibe');
DeleteService('zizusyju');
DeleteService('WdMan');
DeleteService('gefutesi');
DeleteFileMask('C:\Users\SP\appdata\roaming\aspackage', '*', true);
DeleteFileMask('c:\program files (x86)\e5642cdc-1450976481-e411-aa1f-f0761c2f892b', '*', true);
DeleteFileMask('C:\Users\SP\AppData\Local\Hostinstaller', '*', true);
DeleteFileMask('C:\ProgramData\wGJbPVhkafGIqM', '*', true);
DeleteFileMask('C:\ProgramData\bFnTBNqA', '*', true);
DeleteFileMask('C:\Program Files (x86)\Zaxar', '*', true);
DeleteFileMask('C:\ProgramData\TimeTasks', '*', true);
DeleteFileMask('C:\Users\SP\AppData\Local\epohbbbfeldaodfhfljalhiilifmneie', '*', true);
DeleteFileMask('C:\Users\SP\AppData\Local\Style Experience', '*', true);
DeleteFileMask('c:\programdata\jwdmj', '*', true);
DeleteFileMask('C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ZaxarGameBrowser', '*', true);
DeleteDirectory('C:\Users\SP\appdata\roaming\aspackage');
DeleteDirectory('c:\program files (x86)\e5642cdc-1450976481-e411-aa1f-f0761c2f892b');
DeleteDirectory('C:\Users\SP\AppData\Local\Hostinstaller');
DeleteDirectory('C:\ProgramData\wGJbPVhkafGIqM');
DeleteDirectory('C:\ProgramData\bFnTBNqA');
DeleteDirectory('C:\Program Files (x86)\Zaxar');
DeleteDirectory('C:\ProgramData\TimeTasks');
DeleteDirectory('C:\Users\SP\AppData\Local\epohbbbfeldaodfhfljalhiilifmneie');
DeleteDirectory('C:\Users\SP\AppData\Local\Style Experience\{09798C57-BF52-592A-FCDA-417E5236F15E}');
DeleteDirectory('C:\Users\SP\AppData\Local\Style Experience');
DeleteDirectory('c:\programdata\jwdmj');
DelBHO('{0633EE93-D776-472f-A0FF-E1416B8B2E3D}');
RegKeyParamDel('HKEY_LOCAL_MACHINE', 'SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\epohbbbfeldaodfhfljalhiilifmneie', 'command');
RegKeyParamDel('HKEY_LOCAL_MACHINE', 'SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Timestasks', 'command');
RegKeyParamDel('HKEY_LOCAL_MACHINE', 'SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ZaxarGameBrowser', 'command');
RegKeyParamDel('HKEY_LOCAL_MACHINE', 'SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ZaxarLoader', 'command');
RegKeyParamDel('HKEY_CURRENT_USER', 'Software\Microsoft\Windows\CurrentVersion\Run', 'C');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.
begin
CreateQurantineArchive(GetAVZDirectory+'quarantine.zip');
end.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://firstsputnik.ru/?ri=1&uid=10b52a6553bdd78e170c64cccc6f2260&q={searchTerms}
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://firstsputnik.ru/?ri=1&uid=10b52a6553bdd78e170c64cccc6f2260&q={searchTerms}
R3 - URLSearchHook: (no name) - {0633EE93-D776-472f-A0FF-E1416B8B2E3D} - (no file)
O4 - MSConfig..HKLM: 2015/12/24 [ZaxarLoader] "C:\Program Files (x86)\Zaxar\ZaxarLoader.exe" /verysilent (no file)
O4 - MSConfig..HKLM: 2015/12/24 [epohbbbfeldaodfhfljalhiilifmneie] "C:\Users\SP\AppData\Local\epohbbbfeldaodfhfljalhiilifmneie\stub.exe" /run "C:\Users\SP\AppData\Local\epohbbbfeldaodfhfljalhiilifmneie\config.json"
O4-64 - HKLM\..\Run: [gmsd_ru_005010185] "C:\Program Files (x86)\gmsd_ru_005010185\gmsd_ru_005010185.exe"
O22 - ScheduledTask: (Ready) Soft installer - {root} - "C:\Users\SP\AppData\Local\Hostinstaller\4042898823_monster.exe" subid=0;scheduler=1
O22 - ScheduledTask: (Running) Style Experience - {root} - C:\Windows\system32\rundll32.exe "C:\Users\SP\AppData\Local\Style Experience\{09798C57-BF52-592A-FCDA-417E5236F15E}\StyleExperience.dll",#1
O22 - ScheduledTask: (Running) Style Experience2 - {root} - C:\Windows\system32\rundll32.exe "C:\Users\SP\AppData\Local\Style Experience\{09798C57-BF52-592A-FCDA-417E5236F15E}\wrzkkd.dll",#1
O23 - Service: Comment Box Visit (rizyqibe) - Unknown owner - C:\Program Files (x86)\E5642CDC-1450976481-E411-AA1F-F0761C2F892B\jnszC3AD.tmp.exe (file missing)
O23 - Service: HHandler Service - Unknown owner - C:\Program Files (x86)\Oursoft\Oursoft.exe
O23 - Service: Presentation Software Satellite (zizusyju) - Microsoft Corporation - C:\Program Files (x86)\E5642CDC-1450976481-E411-AA1F-F0761C2F892B\hnsjE0DF.tmp.exe (file missing)
O23 - Service: Recycle Bin Insert (gefutesi) - Unknown owner - C:\Program Files (x86)\E5642CDC-1450976481-E411-AA1F-F0761C2F892B\knsoA5DA.tmpfs.exe (file missing)
O23 - Service: WdMan Service (WdMan) - TFuns LIMITED - C:\ProgramData\JWdMJ\WdMan.exe
> Unity Web Player
> Амиго
> Служба автоматического обновления программ (Automatic Program Update Service)

> GamesDesktop 033.005010185
> istartpageing uninstall
> Oursoft
> TSearch
I deleted them immediately.
CHR Extension: (Unlimited Free VPN - Hola) - C:\Users\SP\AppData\Local\Google\Chrome\User Data\Default\Extensions\gkojfkhlekighikafcpjkiklfbnlmeio [2015-12-24]
CHR Extension: (Advatube) - C:\Users\SP\AppData\Local\Google\Chrome\User Data\Default\Extensions\epohbbbfeldaodfhfljalhiilifmneie [2015-12-24]
start
CreateRestorePoint:
Task: {2F399859-C33C-448D-9214-EFDE1954B6D4} - \Style Experience2 -> No File <==== ATTENTION
Task: {B5C70537-212C-4D4A-9CA3-F8977975604D} - \Style Experience -> No File <==== ATTENTION
FirewallRules: [{F2690523-ED80-4E5A-892A-0E69B004E0DE}] => (Allow) C:\Users\SP\AppData\Local\Amigo\Application\amigo.exe
GroupPolicy: Restriction - Chrome <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
CHR StartupUrls: Default -> "hxxp://www.istartpageing.com/?type=hp&ts=1450981917&z=7d13a24ab6e57e5a0e20122g2z4w2e3t1bfgetdgaw&from=cmi&uid=ST500LT012-1DG142_W3P70X2MXXXXW3P70X2M","hxxp://www.yoursearching.com/?type=hp&ts=1451021876&z=3572fb8e881f4bbf8e3fc41gbz9w1g2e8odg6bdm6c&from=face&uid=ST500LT012-1DG142_W3P70X2MXXXXW3P70X2M"
2015-12-25 08:38 - 2015-12-25 08:39 - 00000000 ____D C:\Users\Все пользователи\BWdMB
2015-12-25 08:38 - 2015-12-25 08:39 - 00000000 ____D C:\ProgramData\BWdMB
2015-12-25 08:04 - 2015-12-25 08:04 - 00000000 ____D C:\Users\Все пользователи\ueoxVAIbhUjP
2015-12-25 08:04 - 2015-12-25 08:04 - 00000000 ____D C:\Users\Все пользователи\JeDJiixhUOe
2015-12-25 08:04 - 2015-12-25 08:04 - 00000000 ____D C:\ProgramData\ueoxVAIbhUjP
2015-12-25 08:04 - 2015-12-25 08:04 - 00000000 ____D C:\ProgramData\JeDJiixhUOe
2015-12-24 21:31 - 2015-12-24 21:31 - 00000000 ____D C:\Users\SP\AppData\Local\Style Experience
2015-12-24 20:04 - 2015-12-24 20:04 - 00000000 ____D C:\Users\SP\AppData\Roaming\ProductData
2015-12-24 20:03 - 2015-12-24 20:04 - 00000000 ____D C:\Users\Все пользователи\IObit
2015-12-24 20:03 - 2015-12-24 20:04 - 00000000 ____D C:\ProgramData\IObit
2015-12-24 20:03 - 2015-12-24 20:03 - 00000000 ____D C:\Users\Все пользователи\ProductData
2015-12-24 20:03 - 2015-12-24 20:03 - 00000000 ____D C:\Users\Все пользователи\{BAF091CA-86C4-4627-ADA1-897E2621C1B0}
2015-12-24 20:03 - 2015-12-24 20:03 - 00000000 ____D C:\Users\SP\AppData\Roaming\IObit
2015-12-24 20:03 - 2015-12-24 20:03 - 00000000 ____D C:\Users\SP\AppData\LocalLow\IObit
2015-12-24 20:03 - 2015-12-24 20:03 - 00000000 ____D C:\ProgramData\ProductData
2015-12-24 20:03 - 2015-12-24 20:03 - 00000000 ____D C:\ProgramData\{BAF091CA-86C4-4627-ADA1-897E2621C1B0}
2015-12-24 19:59 - 2015-12-25 08:52 - 00000000 ____D C:\Users\SP\AppData\LocalLow\Unity
2015-12-24 19:59 - 2015-12-25 08:52 - 00000000 ____D C:\Users\SP\AppData\Local\Unity
cmd: reg delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Advanced SystemCare 8" /f
cmd: reg delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Timestasks" /f
S2 LiveUpdateSvc; C:\Program Files (x86)\IObit\LiveUpdate\LiveUpdate.exe [X]
2015-12-24 20:01 - 2015-12-24 20:55 - 00000000 ____D C:\Users\SP\AppData\Roaming\Calculator
EmptyTemp:
Reboot:
end
Begin
ClearQuarantine;
QuarantineFile('C:\Windows\SysWOW64\L','');
QuarantineFile('C:\Users\SP\AppData\Local\blacount\blcn_sb.exe','');
QuarantineFile('C:\Users\SP\AppData\Local\blacount\config.json','');
QuarantineFile('C:\Users\SP\AppData\Local\kYrYHR.ctp','');
QuarantineFile('C:\Windows\system32\Drivers\etc\hp.bak','');
QuarantineFileF('C:\Users\SP\AppData\Local\dIEatOahxv.yjm', '*.exe, *.dll, *.sys, *.bat, *.vbs, *.js', true, '', 0, 0);
QuarantineFileF('C:\Windows\SysWOW64\L', '*.exe, *.dll, *.sys, *.bat, *.vbs, *.js', true, '', 0, 0);
CreateQurantineArchive(GetAVZDirectory+'quarantine.zip');
end.
CHR Extension: (Advatube) - C:\Users\SP\AppData\Local\Google\Chrome\User Data\Default\Extensions\epohbbbfeldaodfhfljalhiilifmneie [2015-12-24]
C:\Users\SP\AppData\Local\blacount\blcn_sb.exe
C:\Users\SP\AppData\Local\blacount\config.json
C:\Users\SP\AppData\Local\kYrYHR.ctp
> C:\Users\SP\AppData\Local\blacount\blcn_sb.exe
> C:\Users\SP\AppData\Local\blacount\config.json
I did not find these files.

> C:\Users\SP\AppData\Local\kYrYHR.ctp
This is a folder. It was empty; I deleted it.

> C:\Users\SP\AppData\Local\dIEatOahxv.yjm
This folder was also empty; I deleted it.
Extension imhbhejbkpjegnkkcbodncoljnnneajf 1 Style Experience 1.3.1
begin
ShowMessage('Warning! Before running the script, AVZ will automatically close all network connections.' + #13#10 + 'After the computer restarts, network connections will be restored automatically.');
ExecuteFile('net.exe', 'stop tcpip /y', 0, 15000, true);
QuarantineFile('C:\Users\SP\AppData\Local\blacount\blcn_sb.exe', '');
QuarantineFile('C:\Users\SP\AppData\Local\blacount\config.json', '');
DeleteFileMask('C:\Users\SP\AppData\Local\blacount', '*', true);
DeleteDirectory('C:\Users\SP\AppData\Local\blacount');
RegKeyParamDel('HKEY_CURRENT_USER', 'Software\Microsoft\Windows\CurrentVersion\Run', 'blacount');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.
begin
CreateQurantineArchive(GetAVZDirectory+'quarantine.zip');
end.
O4 - MSConfig..HKLM: 2015/12/24 [Advanced SystemCare 8] (no file)
O4 - MSConfig..HKLM: 2015/12/24 [Timestasks] (no file)
> Extension imhbhejbkpjegnkkcbodncoljnnneajf 1 Style Experience 1.3.1
I did not find such an extension; just in case, I deleted all extensions except Hola and Kaspersky Protection.

> In c:\Users\SP\AppData\Local\Google\Chrome\User Data\Default\Extensions\, is there a folder imhbhejbkpjegnkkcbodncoljnnneajf?
There is no such folder.

> ... all extensions except Hola
I advise removing that one as well; for details see: Popular free VPN service Hola is being used as a botnet.

> I advise removing that one as well; for details see: Popular free VPN service Hola is being used as a botnet.
Thanks, deleted.
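As a closing check for a cleanup like this one, the PowerShell below re-examines the persistence locations the HijackThis and FRST logs in this thread flagged: scheduled tasks that load a DLL through rundll32 from a user-writable directory (the "Style Experience" tasks), services whose binary no longer exists (rizyqibe, zizusyju, gefutesi showed "file missing"), MSConfig "startupreg" leftovers and Run values pointing into AppData or ProgramData, and Chrome's extension folders and machine policy key. This is an added example, not a script from the thread, from AVZ or from FRST; it assumes Windows 8 or later with PowerShell 5.1 run as Administrator (Get-ScheduledTask is not available on Windows 7), and the path patterns it matches on are assumptions chosen to fit the thread's findings.

```powershell
# Added example (not from the thread): re-check the persistence points the logs flagged.
# Assumptions: 64-bit PowerShell 5.1+, elevated, run on the cleaned machine.
# The regex below is an assumption: it targets payloads living under user profiles or ProgramData.
$profileDirs = '\\AppData\\|\\ProgramData\\'

# 1. Scheduled tasks that run rundll32 against a DLL in a user-writable directory.
#    The thread's tasks looked like: rundll32.exe "...\StyleExperience.dll",#1
function Get-SuspectRundll32Task {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            if ($cmd -match 'rundll32' -and $cmd -match $profileDirs) {
                [pscustomobject]@{ Task = $task.TaskPath + $task.TaskName; State = $task.State; Command = $cmd }
            }
        }
    }
}

# 2. Services whose binary is gone. HijackThis printed these as "(file missing)";
#    the orphaned service entry itself is a leftover worth removing.
function Get-ServiceBinaryPath {
    param([string]$PathName)
    $expanded = [Environment]::ExpandEnvironmentVariables($PathName)
    if ($expanded -match '^"([^"]+)"') { return $Matches[1] }
    # Unquoted path (possibly with spaces): grow the candidate one token at a time
    $tokens = $expanded -split ' '
    for ($i = 1; $i -le $tokens.Count; $i++) {
        $candidate = $tokens[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $tokens[0]
}

function Get-OrphanedService {
    Get-CimInstance Win32_Service | Where-Object { $_.PathName } | ForEach-Object {
        $bin = Get-ServiceBinaryPath $_.PathName
        if (-not (Test-Path -LiteralPath $bin -PathType Leaf)) {
            [pscustomobject]@{ Name = $_.Name; DisplayName = $_.DisplayName; PathName = $_.PathName }
        }
    }
}

# 3. MSConfig "startupreg" entries (items disabled in msconfig keep their command line here,
#    which is what the RegKeyParamDel calls above removed) and Run values pointing into AppData/ProgramData.
function Get-StartupLeftover {
    $startupreg = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg'
    if (Test-Path $startupreg) {
        Get-ChildItem $startupreg | ForEach-Object {
            [pscustomobject]@{ Location = 'MSConfig startupreg'; Name = $_.PSChildName; Command = (Get-ItemProperty $_.PSPath).command }
        }
    }
    $metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    $runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty $key).PSObject.Properties) {
            if ($metaProps -contains $p.Name) { continue }
            if ([string]$p.Value -match $profileDirs) {
                [pscustomobject]@{ Location = $key; Name = $p.Name; Command = $p.Value }
            }
        }
    }
}

# 4. Chrome: installed extensions by ID (compare against the IDs quoted in the thread)
#    and any machine policy under HKLM\SOFTWARE\Policies\Google, which FRST flagged as a restriction.
function Get-ChromeExtension {
    $extRoot = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default\Extensions'
    if (-not (Test-Path $extRoot)) { return }
    Get-ChildItem $extRoot -Directory | ForEach-Object {
        $manifest = Get-ChildItem $_.FullName -Recurse -Filter manifest.json | Select-Object -First 1
        if ($manifest) {
            $m = Get-Content $manifest.FullName -Raw | ConvertFrom-Json
            [pscustomobject]@{ Id = $_.Name; Name = $m.name; Version = $m.version }
        }
    }
}

function Get-ChromePolicy {
    $policyKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
    if (Test-Path $policyKey) { Get-ItemProperty $policyKey; Get-ChildItem $policyKey -Recurse }
}

Get-SuspectRundll32Task | Format-Table -AutoSize
Get-OrphanedService     | Format-Table -AutoSize
Get-StartupLeftover     | Format-Table -AutoSize
Get-ChromeExtension     | Format-Table -AutoSize
Get-ChromePolicy
```

Two caveats a practitioner would want: an unquoted service path with spaces is reported as orphaned even when the file exists further along the command line, which is itself worth a look; and Chrome policies are legitimate on managed machines, so read what the key sets (for example ExtensionInstallForcelist or HomepageLocation) before deleting it. Extension names that print as `__MSG_..._` placeholders are localized and must be read from the extension's `_locales` folder.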