
Ваши файлы были зашифрованы. Чтобы расшифровать их, Вам необходимо отправить код: C8213E4490FFE5C887F2|0 на электронный адрес decode010@gmail.com или



Выполните скрипт в AVZ

 

begin
// AVZ cleanup script written for one specific host: every path, service name and
// task name below comes from that machine (user profile C:\Users\USER).
// Order of work: warn the user -> stop networking -> quarantine copies of the suspect
// files -> disable/remove services -> terminate running processes -> delete files,
// autorun values and scheduled tasks -> system clean-up and reboot.
// NOTE(review): host-specific; statement order matters (quarantine precedes deletion).

// Tell the user that network connections will be closed and come back after the reboot.
ShowMessage('Внимание! Перед выполнением скрипта AVZ автоматически закроет все сетевые подключения.' + #13#10 + 'После перезагрузки компьютера подключения к сети будут восстановлены в автоматическом режиме.');
// Runs "net.exe stop tcpip /y" to cut network access during the clean-up.
// NOTE(review): the trailing arguments (0, 15000, true) look like window mode, timeout in ms
// and terminate-on-timeout - confirm against the AVZ script reference.
ExecuteFile('net.exe', 'stop tcpip /y', 0, 15000, true);
// Rootkit search and AVZGuard are enabled only when AVZ is not running under WOW64.
// NOTE(review): presumably because these driver-based features are unavailable there - confirm.
if not IsWOW64
then
  begin
   SearchRootkit(true, true);
   SetAVZGuardStatus(True);
  end;
// --- Quarantine: keep a copy of each suspect file before anything is deleted. ---
// The page later archives the quarantine and submits it to the vendor for verdicts.
QuarantineFile('C:\Users\USER\appdata\roaming\x11\a\engine.exe','');
QuarantineFile('C:\Users\USER\appdata\local\temp\startpm.exe','');
QuarantineFile('C:\Users\USER\appdata\local\smartweb\swhk.dll','');
QuarantineFile('C:\Users\USER\appdata\local\smartweb\smartwebhelper.exe','');
QuarantineFile('C:\Users\USER\appdata\local\smartweb\smartwebapp.exe','');
// NOTE(review): this file name appears to mix Cyrillic with look-alike Latin letters;
// copy it exactly, retyping it by hand may not match the file on disk.
QuarantineFile('C:\Users\USER\appdata\local\microsoft\start menu\вoйти в интeрнeт.exe','');
QuarantineFile('C:\Users\USER\AppData\Roaming\mystartsearch\UninstallManager.exe','');
QuarantineFile('C:\Program Files (x86)\YTDownloader\YTDownloader.exe','');
QuarantineFile('C:\Program Files (x86)\ShopperPro\ShopperPro.exe','');
QuarantineFile('C:\Program Files (x86)\ShopperPro\updater.exe','');
QuarantineFile('C:\Program Files (x86)\ShopperPro\JSDriver\1487.0.0.0\jsdrv.exe','');
QuarantineFile('C:\Users\USER\AppData\Roaming\newSI_1014\s_inst.exe','');
QuarantineFile('C:\Users\USER\AppData\Roaming\newSI_1001\s_inst.exe','');
QuarantineFile('C:\Program Files (x86)\SavePass 1.1\cd1edcae-196b-43f2-88be-93cc51a21963-7.exe','');
QuarantineFile('C:\Program Files (x86)\SavePass 1.1\cd1edcae-196b-43f2-88be-93cc51a21963-6.exe','');
QuarantineFile('C:\Program Files (x86)\SavePass 1.1\cd1edcae-196b-43f2-88be-93cc51a21963-5.exe','');
QuarantineFile('C:\Program Files (x86)\SavePass 1.1\cd1edcae-196b-43f2-88be-93cc51a21963-10.exe','');
QuarantineFile('C:\Program Files (x86)\SavePass 1.1\cd1edcae-196b-43f2-88be-93cc51a21963-1-7.exe','');
QuarantineFile('C:\Program Files (x86)\SavePass 1.1\cd1edcae-196b-43f2-88be-93cc51a21963-1-6.exe','');
QuarantineFile('C:\Users\USER\AppData\Roaming\cppredistx86.exe','');
QuarantineFile('C:\Program Files (x86)\Twilight Tech\Pretty Search\dummyDlg.exe','');
// The argument here is the same string that is passed to DeleteService on the next line,
// i.e. a service name rather than a file path.
// NOTE(review): presumably emitted by the script generator; it may not match any file.
QuarantineFile('SPDRIVER_1487.0.0.0','');
// --- Services: set start type 4 (disabled in Windows service configuration), then delete. ---
DeleteService('SPDRIVER_1487.0.0.0');
SetServiceStart('skinapp', 4);
DeleteService('skinapp');
SetServiceStart('DHCPArbSvc', 4);
DeleteService('DHCPArbSvc');
// Kernel-driver files are quarantined as well before they are deleted further down.
QuarantineFile('C:\Windows\system32\drivers\{4889ddce-7a83-45e6-afc9-1e4f1149fff4}Gw64.sys','');
QuarantineFile('C:\Windows\skinapp.sys','');
// --- Running processes: terminate first, then quarantine the image file. ---
TerminateProcessByName('c:\users\user\appdata\local\wincheck\wincheck.exe');
QuarantineFile('c:\users\user\appdata\local\wincheck\wincheck.exe','');
TerminateProcessByName('c:\users\user\appdata\local\skinapp\skinapp.exe');
QuarantineFile('c:\users\user\appdata\local\skinapp\skinapp.exe','');
// The name matches a Windows system binary, but the genuine dllhost.exe lives under
// %SystemRoot%\System32 (and SysWOW64); this copy sits under Common Files\System\svc.
TerminateProcessByName('c:\program files\common files\system\svc\dllhost.exe');
QuarantineFile('c:\program files\common files\system\svc\dllhost.exe','');
TerminateProcessByName('c:\program files (x86)\savepass 1.1\cd1edcae-196b-43f2-88be-93cc51a21963-6.exe');
// The next two quarantine calls repeat files already quarantined above (path case differs).
QuarantineFile('c:\program files (x86)\savepass 1.1\cd1edcae-196b-43f2-88be-93cc51a21963-6.exe','');
QuarantineFile('c:\program files (x86)\savepass 1.1\cd1edcae-196b-43f2-88be-93cc51a21963-1-6.exe','');
// --- Deletion. ---
// NOTE(review): the second argument ('32' / '64') presumably selects the 32- or 64-bit
// file-system view used for the deletion - confirm against the AVZ script reference.
DeleteFile('c:\program files (x86)\savepass 1.1\cd1edcae-196b-43f2-88be-93cc51a21963-1-6.exe','32');
DeleteFile('c:\program files (x86)\savepass 1.1\cd1edcae-196b-43f2-88be-93cc51a21963-6.exe','32');
DeleteFile('c:\program files\common files\system\svc\dllhost.exe','32');
DeleteFile('c:\users\user\appdata\local\skinapp\skinapp.exe','32');
DeleteFile('c:\users\user\appdata\local\wincheck\wincheck.exe','32');
DeleteFile('C:\Windows\skinapp.sys','32');
DeleteFile('C:\Windows\system32\drivers\{4889ddce-7a83-45e6-afc9-1e4f1149fff4}Gw64.sys','32');
DeleteFile('SPDRIVER_1487.0.0.0','32');
DeleteFile('C:\Program Files (x86)\Twilight Tech\Pretty Search\dummyDlg.exe','32');
// ZaxarLoader and AnyProtect are deleted without a preceding QuarantineFile call in this script.
DeleteFile('C:\Program Files (x86)\Zaxar\ZaxarLoader.exe','32');
// Autorun clean-up: remove the registry values that launched the deleted binaries
// (MSConfig startupreg entry and Run-key values in HKLM and HKCU).
RegKeyParamDel('HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ZaxarLoader','command');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','WinCheck');
DeleteFile('C:\Users\USER\AppData\Roaming\cppredistx86.exe','32');
// The Run value is named after a Microsoft redistributable; the deleted cppredistx86.exe
// sits in the user's Roaming profile.
RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\Run','Microsoft Visual C++ 2010');
RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\Run','wcuawrzius');
DeleteFile('C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe','32');
// Scheduled-task persistence, legacy format: .job files under C:\Windows\Tasks,
// interleaved with the executables those tasks started.
DeleteFile('C:\Windows\Tasks\APSnotifierPP1.job','64');
DeleteFile('C:\Windows\Tasks\APSnotifierPP2.job','64');
DeleteFile('C:\Windows\Tasks\APSnotifierPP3.job','64');
DeleteFile('C:\Windows\Tasks\bfe394d3-fc9c-47ec-b240-bf771885e7e2-1-6.job','64');
DeleteFile('C:\Windows\Tasks\bfe394d3-fc9c-47ec-b240-bf771885e7e2-1-7.job','64');
DeleteFile('C:\Windows\Tasks\bfe394d3-fc9c-47ec-b240-bf771885e7e2-10_user.job','64');
DeleteFile('C:\Windows\Tasks\bfe394d3-fc9c-47ec-b240-bf771885e7e2-11.job','64');
DeleteFile('C:\Windows\Tasks\bfe394d3-fc9c-47ec-b240-bf771885e7e2-5.job','64');
DeleteFile('C:\Windows\Tasks\bfe394d3-fc9c-47ec-b240-bf771885e7e2-5_user.job','64');
DeleteFile('C:\Windows\Tasks\bfe394d3-fc9c-47ec-b240-bf771885e7e2-6.job','64');
DeleteFile('C:\Windows\Tasks\bfe394d3-fc9c-47ec-b240-bf771885e7e2-7.job','64');
// Repeats a deletion already issued above (same file, different path case).
DeleteFile('C:\Program Files (x86)\SavePass 1.1\cd1edcae-196b-43f2-88be-93cc51a21963-1-6.exe','32');
DeleteFile('C:\Windows\Tasks\cd1edcae-196b-43f2-88be-93cc51a21963-1-6.job','64');
DeleteFile('C:\Windows\Tasks\cd1edcae-196b-43f2-88be-93cc51a21963-1-7.job','64');
DeleteFile('C:\Program Files (x86)\SavePass 1.1\cd1edcae-196b-43f2-88be-93cc51a21963-1-7.exe','32');
DeleteFile('C:\Program Files (x86)\SavePass 1.1\cd1edcae-196b-43f2-88be-93cc51a21963-10.exe','32');
DeleteFile('C:\Windows\Tasks\cd1edcae-196b-43f2-88be-93cc51a21963-10_user.job','64');
DeleteFile('C:\Windows\Tasks\cd1edcae-196b-43f2-88be-93cc51a21963-5.job','64');
DeleteFile('C:\Program Files (x86)\SavePass 1.1\cd1edcae-196b-43f2-88be-93cc51a21963-5.exe','32');
DeleteFile('C:\Windows\Tasks\cd1edcae-196b-43f2-88be-93cc51a21963-5_user.job','64');
DeleteFile('C:\Windows\Tasks\cd1edcae-196b-43f2-88be-93cc51a21963-6.job','64');
// Repeats a deletion already issued above (same file, different path case).
DeleteFile('C:\Program Files (x86)\SavePass 1.1\cd1edcae-196b-43f2-88be-93cc51a21963-6.exe','32');
DeleteFile('C:\Program Files (x86)\SavePass 1.1\cd1edcae-196b-43f2-88be-93cc51a21963-7.exe','32');
DeleteFile('C:\Windows\Tasks\cd1edcae-196b-43f2-88be-93cc51a21963-7.job','64');
DeleteFile('C:\Users\USER\AppData\Roaming\newSI_1001\s_inst.exe','32');
DeleteFile('C:\Windows\Tasks\newSI_1001.job','64');
DeleteFile('C:\Windows\Tasks\newSI_1014.job','64');
DeleteFile('C:\Users\USER\AppData\Roaming\newSI_1014\s_inst.exe','32');
// Scheduled-task persistence, current format: task files under C:\Windows\system32\Tasks.
// The same task names as the .job files above appear again here.
DeleteFile('C:\Windows\system32\Tasks\APSnotifierPP1','64');
DeleteFile('C:\Windows\system32\Tasks\APSnotifierPP2','64');
DeleteFile('C:\Windows\system32\Tasks\APSnotifierPP3','64');
DeleteFile('C:\Windows\system32\Tasks\bfe394d3-fc9c-47ec-b240-bf771885e7e2-1-6','64');
DeleteFile('C:\Windows\system32\Tasks\bfe394d3-fc9c-47ec-b240-bf771885e7e2-1-7','64');
DeleteFile('C:\Windows\system32\Tasks\bfe394d3-fc9c-47ec-b240-bf771885e7e2-10_user','64');
DeleteFile('C:\Windows\system32\Tasks\bfe394d3-fc9c-47ec-b240-bf771885e7e2-11','64');
DeleteFile('C:\Windows\system32\Tasks\bfe394d3-fc9c-47ec-b240-bf771885e7e2-5','64');
DeleteFile('C:\Windows\system32\Tasks\bfe394d3-fc9c-47ec-b240-bf771885e7e2-5_user','64');
DeleteFile('C:\Windows\system32\Tasks\bfe394d3-fc9c-47ec-b240-bf771885e7e2-6','64');
DeleteFile('C:\Windows\system32\Tasks\bfe394d3-fc9c-47ec-b240-bf771885e7e2-7','64');
DeleteFile('C:\Windows\system32\Tasks\cd1edcae-196b-43f2-88be-93cc51a21963-1-6','64');
DeleteFile('C:\Windows\system32\Tasks\cd1edcae-196b-43f2-88be-93cc51a21963-1-7','64');
DeleteFile('C:\Windows\system32\Tasks\cd1edcae-196b-43f2-88be-93cc51a21963-10_user','64');
DeleteFile('C:\Windows\system32\Tasks\cd1edcae-196b-43f2-88be-93cc51a21963-5','64');
DeleteFile('C:\Windows\system32\Tasks\cd1edcae-196b-43f2-88be-93cc51a21963-5_user','64');
DeleteFile('C:\Windows\system32\Tasks\cd1edcae-196b-43f2-88be-93cc51a21963-6','64');
DeleteFile('C:\Windows\system32\Tasks\cd1edcae-196b-43f2-88be-93cc51a21963-7','64');
DeleteFile('C:\Windows\system32\Tasks\newSI_1001','64');
DeleteFile('C:\Windows\system32\Tasks\newSI_1014','64');
DeleteFile('C:\Windows\system32\Tasks\ShopperPro','64');
DeleteFile('C:\Windows\system32\Tasks\ShopperProJSUpd','64');
DeleteFile('C:\Windows\system32\Tasks\SPDriver','64');
// Remaining program files of the adware packages quarantined at the top of the script.
DeleteFile('C:\Program Files (x86)\ShopperPro\JSDriver\1487.0.0.0\jsdrv.exe','32');
DeleteFile('C:\Program Files (x86)\ShopperPro\updater.exe','32');
DeleteFile('C:\Program Files (x86)\ShopperPro\ShopperPro.exe','32');
DeleteFile('C:\Windows\system32\Tasks\YTDownloader','64');
DeleteFile('C:\Program Files (x86)\YTDownloader\YTDownloader.exe','32');
DeleteFile('C:\Users\USER\AppData\Roaming\mystartsearch\UninstallManager.exe','32');
DeleteFile('C:\Users\USER\appdata\local\microsoft\start menu\вoйти в интeрнeт.exe','32');
DeleteFile('C:\Users\USER\appdata\local\smartweb\smartwebapp.exe','32');
DeleteFile('C:\Users\USER\appdata\local\smartweb\smartwebhelper.exe','32');
DeleteFile('C:\Users\USER\appdata\local\smartweb\swhk.dll','32');
DeleteFile('C:\Users\USER\appdata\local\temp\startpm.exe','32');
DeleteFile('C:\Users\USER\appdata\roaming\x11\a\engine.exe','32');
// --- Finalisation. ---
// NOTE(review): BC_ImportAll / BC_Activate presumably hand the deletion list to AVZ's boot
// cleaner and arm it for the next start, so files locked now are removed during the reboot;
// ExecuteSysClean presumably clears leftover references to the deleted files - confirm.
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
// Reboots the machine; the page states that the computer will restart after the script.
RebootWindows(false);
end.
Компьютер перезагрузится.

 

Выполните скрипт в AVZ

 

begin
// Packs the AVZ quarantine into c:\quarantine.zip; the page then has the user mail this
// archive to the vendor's sample address to obtain verdicts on the collected files.
// NOTE(review): presumably this picks up the files quarantined by the preceding script.
// "Qurantine" is the identifier exactly as the page gives it; check the AVZ function list
// before "correcting" the spelling.
CreateQurantineArchive('c:\quarantine.zip');
end.
c:\quarantine.zip отправьте по адресу newvirus@kaspersky.com

Полученный ответ сообщите здесь (с указанием номера KLAN)

 

Скачайте ClearLNK и сохраните архив с утилитой на Рабочем столе.

  • Распакуйте архив с утилитой в отдельную папку.
  • Перенесите Check_Browsers_LNK.log на ClearLNK как показано на рисунке
    move.gif
  • Отчет о работе ClearLNK-<Дата>.log будет сохранен в папке LOG.
  • Прикрепите этот отчет к своему следующему сообщению.

 

Сделайте новые логи по правилам


Re: [KLAN-2888778157]
От кого: newvirus@kaspersky.com Кому: fox42rus77@mail.ru
 
сегодня, 15:14
 
 
Здравствуйте,

Это сообщение сформировано автоматической системой приёма писем. Сообщение содержит информацию о том, какие вердикты на файлы (если таковые есть в письме) выносит Антивирус с последними обновлениями. 

{4889ddce-7a83-45e6-afc9-1e4f1149fff4}Gw64.sys,
dllhost.exe,
s_inst.exe,
s_inst_0.exe,
skinapp.exe,
skinapp.sys,
UninstallManager.exe,
wincheck.exe
cd1edcae-196b-43f2-88be-93cc51a21963-1-6.exe

Получен набор неизвестных файлов, они будут переданы в Вирусную Лабораторию.

cd1edcae-196b-43f2-88be-93cc51a21963-6.exe - not-a-virus:WebToolbar.Win32.CrossRider.lpz
cppredistx86.exe - not-a-virus:RiskTool.Win32.BitCoinMiner.xik
engine.exe - not-a-virus:RiskTool.Win32.BitCoinMiner.uvp
вoйти в интeрнeт.exe - not-a-virus:Downloader.Win32.LMN.afw

Это - потенциально опасное ПО. Детектирование файлов будет добавлено в следующее обновление.

dummyDlg.exe

Вредоносный код в файле не обнаружен.

smartwebhelper.exe - not-a-virus:AdWare.Win32.Agent.hpot

Это файл от рекламной системы. Детектирование файла будет добавлено в следующее обновление расширенного набора баз. Подробная информация о расширенных базах: http://www.kaspersky.ru/extraavupdates

С уважением, Лаборатория Касперского

"125212, Россия, Москва, Ленинградское шоссе, д.39А, стр.3 Тел./факс: + 7 (495) 797 8700 http://www.kaspersky.ru http://www.viruslist.ru"


Hello,

This message has been generated by an automatic message response system. The message contains details about verdicts that have been returned by Anti-Virus in response to the files (if any are included in the message) with the latest updates installed. 

{4889ddce-7a83-45e6-afc9-1e4f1149fff4}Gw64.sys,
dllhost.exe,
s_inst.exe,
s_inst_0.exe,
skinapp.exe,
skinapp.sys,
UninstallManager.exe,
wincheck.exe
cd1edcae-196b-43f2-88be-93cc51a21963-1-6.exe

A set of unknown files has been received. They will be sent to the Virus Lab.

cd1edcae-196b-43f2-88be-93cc51a21963-6.exe - not-a-virus:WebToolbar.Win32.CrossRider.lpz
cppredistx86.exe - not-a-virus:RiskTool.Win32.BitCoinMiner.xik
engine.exe - not-a-virus:RiskTool.Win32.BitCoinMiner.uvp
вoйти в интeрнeт.exe - not-a-virus:Downloader.Win32.LMN.afw

New potentially risk software was found in these files. Detection will be included in the next update. Thank you for your help.

dummyDlg.exe

No malicious code was found in this file.

smartwebhelper.exe - not-a-virus:AdWare.Win32.Agent.hpot

This file is an Advertising Tool. Its detection will be included in the next update of the extended databases set. See more info about extended databases here: http://www.kaspersky.com/extraavupdates

Best Regards, Kaspersky Lab

"39A/3 Leningradskoe Shosse, Moscow, 125212, Russia Tel./Fax: + 7 (495) 797 8700 http://www.kaspersky.com http://www.viruslist.com"
 

 

ClearLNK-21.06.2015_15-36.log


Подскажите, пожалуйста, как создать новые логи по правилам. Я в этом деле профан, ищу в интернете — везде всё по-разному. Заранее спасибо.


Скачайте Farbar Recovery Scan Tool  NAAC5Ba.png и сохраните на Рабочем столе.

 

Примечание: необходимо выбрать версию, совместимую с Вашей операционной системой. Если Вы не уверены, какая версия подойдет для Вашей системы, скачайте обе и попробуйте запустить. Только одна из них запустится на Вашей системе.

  • Запустите программу двойным щелчком. Когда программа запустится, нажмите Yes для соглашения с предупреждением.

Убедитесь, что в окне Optional Scan отмечены "List BCD" и "Driver MD5".

B92LqRQ.png

Нажмите кнопку Scan.

После окончания сканирования будет создан отчет (FRST.txt) в той же папке, откуда была запущена программа. Пожалуйста, прикрепите отчет в следующем сообщении.

Если программа была запущена в первый раз, будет создан отчет (Addition.txt). Пожалуйста, прикрепите его в следующем сообщении.


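Скопируйте приведенный ниже текст в Блокнот и сохраните файл как fixlist.txt в ту же папку, откуда была запущена утилита Farbar Recovery Scan Tool. Список составлен по логам именно этого компьютера (в нём указаны SID пользователя и пути его профиля), поэтому на других системах его применять нельзя: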

 

CreateRestorePoint:
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
GroupPolicy-x32: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
CHR HKU\S-1-5-21-4019205412-2965844411-740053983-1000\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://isearch.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">?type=hppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://isearch.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">?type=hppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.mystartsearch.com/web/?type=ds&ts=1431938818&z=23f25194a0514cd5a1cffbegczacfg4t9c8waobq4o&from=con&uid=ST3160815AS_6RA8X2ZVXXXX6RA8X2ZV&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = http://www.mystartsearch.com/web/?type=ds&ts=1431938818&z=23f25194a0514cd5a1cffbegczacfg4t9c8waobq4o&from=con&uid=ST3160815AS_6RA8X2ZVXXXX6RA8X2ZV&q={searchTerms}
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://isearch.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">?type=hppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = http://isearch.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">?type=hppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.mystartsearch.com/web/?type=ds&ts=1431938818&z=23f25194a0514cd5a1cffbegczacfg4t9c8waobq4o&from=con&uid=ST3160815AS_6RA8X2ZVXXXX6RA8X2ZV&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.mystartsearch.com/web/?type=ds&ts=1431938818&z=23f25194a0514cd5a1cffbegczacfg4t9c8waobq4o&from=con&uid=ST3160815AS_6RA8X2ZVXXXX6RA8X2ZV&q={searchTerms}
HKU\S-1-5-21-4019205412-2965844411-740053983-1000\Software\Microsoft\Internet Explorer\Main,Search Page = http://isearch.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">web/?type=dspp&q={searchTerms}
HKU\S-1-5-21-4019205412-2965844411-740053983-1000\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yandex.ru/?win=155&clid=2153738
HKU\S-1-5-21-4019205412-2965844411-740053983-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/ru-ru/?ocid=iehp
HKU\S-1-5-21-4019205412-2965844411-740053983-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://isearch.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">?type=hppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp
HKU\S-1-5-21-4019205412-2965844411-740053983-1000\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://isearch.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">web/?type=dspp&q={searchTerms}
HKU\S-1-5-21-4019205412-2965844411-740053983-1000\Software\Microsoft\Internet Explorer\Main,Search Bar = http://webalta.ru/search
SearchScopes: HKLM -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://www.mystartsearch.com/web/?type=ds&ts=1431938818&z=23f25194a0514cd5a1cffbegczacfg4t9c8waobq4o&from=con&uid=ST3160815AS_6RA8X2ZVXXXX6RA8X2ZV&q={searchTerms}
SearchScopes: HKLM -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://www.mystartsearch.com/web/?type=ds&ts=1431938818&z=23f25194a0514cd5a1cffbegczacfg4t9c8waobq4o&from=con&uid=ST3160815AS_6RA8X2ZVXXXX6RA8X2ZV&q={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://www.mystartsearch.com/web/?type=ds&ts=1431938818&z=23f25194a0514cd5a1cffbegczacfg4t9c8waobq4o&from=con&uid=ST3160815AS_6RA8X2ZVXXXX6RA8X2ZV&q={searchTerms}
SearchScopes: HKLM-x32 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://www.mystartsearch.com/web/?type=ds&ts=1431938818&z=23f25194a0514cd5a1cffbegczacfg4t9c8waobq4o&from=con&uid=ST3160815AS_6RA8X2ZVXXXX6RA8X2ZV&q={searchTerms}
SearchScopes: HKU\S-1-5-21-4019205412-2965844411-740053983-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://yandex.ru/yandsearch?win=155&clid=2153739&text={searchTerms}
SearchScopes: HKU\S-1-5-21-4019205412-2965844411-740053983-1000 -> 923FB571E0FFAB87C6C2CC88348798A2 URL = http://www.mystartsearch.com/web/?utm_source=b&utm_medium=con&utm_campaign=install_ie&utm_content=ds&from=con&uid=ST3160815AS_6RA8X2ZVXXXX6RA8X2ZV&ts=1431938861&type=default&q={searchTerms}
SearchScopes: HKU\S-1-5-21-4019205412-2965844411-740053983-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://yandex.ru/yandsearch?win=155&clid=2153739&text={searchTerms}
SearchScopes: HKU\S-1-5-21-4019205412-2965844411-740053983-1000 -> {2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0} URL = http://www.mystartsearch.com/web/?utm_source=b&utm_medium=con&utm_campaign=install_ie&utm_content=ds&from=con&uid=ST3160815AS_6RA8X2ZVXXXX6RA8X2ZV&ts=1431938861&type=default&q={searchTerms}
SearchScopes: HKU\S-1-5-21-4019205412-2965844411-740053983-1000 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://isearch.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">web/?type=dspp&q={searchTerms}
SearchScopes: HKU\S-1-5-21-4019205412-2965844411-740053983-1000 -> {61EB20A4-D4D5-4276-A2C9-DCCE8CE9F633} URL = http://www.mystartsearch.com/web/?utm_source=b&utm_medium=con&utm_campaign=install_ie&utm_content=ds&from=con&uid=ST3160815AS_6RA8X2ZVXXXX6RA8X2ZV&ts=1431938861&type=default&q={searchTerms}
SearchScopes: HKU\S-1-5-21-4019205412-2965844411-740053983-1000 -> {A06ED961-D98F-4CF9-A89B-80AB11DB149C} URL = http://www.mystartsearch.com/web/?utm_source=b&utm_medium=con&utm_campaign=install_ie&utm_content=ds&from=con&uid=ST3160815AS_6RA8X2ZVXXXX6RA8X2ZV&ts=1431938861&type=default&q={searchTerms}
SearchScopes: HKU\S-1-5-21-4019205412-2965844411-740053983-1000 -> {E733165D-CBCF-4FDA-883E-ADEF965B476C} URL = http://www.mystartsearch.com/web/?utm_source=b&utm_medium=con&utm_campaign=install_ie&utm_content=ds&from=con&uid=ST3160815AS_6RA8X2ZVXXXX6RA8X2ZV&ts=1431938861&type=default&q={searchTerms}
SearchScopes: HKU\S-1-5-21-4019205412-2965844411-740053983-1000 -> {FFEBBF0A-C22C-4172-89FF-45215A135AC7} URL = http://www.mystartsearch.com/web/?utm_source=b&utm_medium=con&utm_campaign=install_ie&utm_content=ds&from=con&uid=ST3160815AS_6RA8X2ZVXXXX6RA8X2ZV&ts=1431938861&type=default&q={searchTerms}
StartMenuInternet: IEXPLORE.EXE - C:\Program Files\Internet Explorer\iexplore.exe http://isearch.omiga-plus.com/?type=sc&ts=1422572865&from=obw&uid=ST3160815AS_6RA8X2ZVXXXX6RA8X2ZV
FF Homepage: hxxp://okoptil.ru/?utm_source=startpage03&utm_content=723d9c7f0c637b28d803a972c8994e8d
FF Plugin-x32: @staging.google.com/globalUpdate Update;version=10 -> C:\Program Files (x86)\globalUpdate\Update\1.3.25.0\npGoogleUpdate4.dll No File
FF Plugin-x32: @staging.google.com/globalUpdate Update;version=4 -> C:\Program Files (x86)\globalUpdate\Update\1.3.25.0\npGoogleUpdate4.dll No File
FF SearchPlugin: C:\Users\USER\AppData\Roaming\Mozilla\Firefox\Profiles\nahd6ha2.default\searchplugins\GoSearch.xml [2015-04-06]
2015-06-20 17:28 - 2015-06-20 17:28 - 03932214 _____ C:\Users\USER\AppData\Roaming\01DEB2BA01DEB2BA.bmp
2015-06-20 17:28 - 2015-06-20 17:28 - 00000893 _____ C:\Users\USER\Desktop\README9.txt
2015-06-20 17:28 - 2015-06-20 17:28 - 00000893 _____ C:\Users\USER\Desktop\README8.txt
2015-06-20 17:28 - 2015-06-20 17:28 - 00000893 _____ C:\Users\USER\Desktop\README7.txt
2015-06-20 17:28 - 2015-06-20 17:28 - 00000893 _____ C:\Users\USER\Desktop\README6.txt
2015-06-20 17:28 - 2015-06-20 17:28 - 00000893 _____ C:\Users\USER\Desktop\README5.txt
2015-06-20 17:28 - 2015-06-20 17:28 - 00000893 _____ C:\Users\USER\Desktop\README4.txt
2015-06-20 17:28 - 2015-06-20 17:28 - 00000893 _____ C:\Users\USER\Desktop\README3.txt
2015-06-20 17:28 - 2015-06-20 17:28 - 00000893 _____ C:\Users\USER\Desktop\README2.txt
2015-06-20 17:28 - 2015-06-20 17:28 - 00000893 _____ C:\Users\USER\Desktop\README10.txt
2015-06-20 16:40 - 2015-06-21 00:14 - 00000000 __SHD C:\Users\Все пользователи\Windows
2015-06-20 16:40 - 2015-06-21 00:14 - 00000000 __SHD C:\ProgramData\Windows
2015-06-07 21:35 - 2015-06-07 21:35 - 00000000 ____D C:\Users\USER\AppData\Local\Вoйти в Интeрнет
2015-06-07 21:26 - 2015-06-20 17:04 - 00000000 ____D C:\Users\USER\AppData\Local\skinapp
2015-06-07 21:26 - 2015-06-07 21:26 - 00000000 ____D C:\Users\USER\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\skinapp
2015-06-21 21:02 - 2015-02-02 06:51 - 00000000 ____D C:\Program Files (x86)\SavePass 1.1
2015-06-21 21:02 - 2015-02-02 06:51 - 00000000 ____D C:\Program Files (x86)\00144a5b-dbe8-4f78-a435-e92561fdeae7
2015-06-21 21:02 - 2015-01-30 10:38 - 00000000 ____D C:\Program Files (x86)\17420459-ebc4-4ec4-a591-39719b0d7b92
2015-06-21 21:02 - 2015-01-30 05:08 - 00000000 ____D C:\Users\Все пользователи\WindowsMangerProtect
2015-06-21 21:02 - 2015-01-30 05:08 - 00000000 ____D C:\ProgramData\WindowsMangerProtect
2015-06-21 21:02 - 2015-01-30 05:08 - 00000000 ____D C:\Program Files (x86)\XTab
2015-06-21 14:49 - 2015-01-30 05:14 - 00000000 ____D C:\Users\USER\AppData\Local\SmartWeb
2015-06-21 14:49 - 2015-01-30 05:04 - 00000000 ____D C:\Users\USER\AppData\Local\wincheck
2015-06-21 00:21 - 2015-01-30 05:03 - 00000000 ____D C:\Users\Все пользователи\ShopperPro
2015-06-21 00:21 - 2015-01-30 05:03 - 00000000 ____D C:\ProgramData\ShopperPro
2015-06-20 23:26 - 2015-03-01 21:18 - 00000000 ____D C:\Users\USER\AppData\Local\SystemDir
2015-06-10 10:44 - 2015-03-01 21:28 - 00000000 ____D C:\Users\USER\AppData\Local\Kometa
2015-04-08 07:02 - 2015-04-08 07:02 - 0000040 _____ () C:\Program Files\{AACE8122-B27D-421C-A5BB-95060941AFD7}.sys
2015-06-20 17:28 - 2015-06-20 17:28 - 3932214 _____ () C:\Users\USER\AppData\Roaming\01DEB2BA01DEB2BA.bmp
2015-03-19 12:01 - 2015-03-19 12:01 - 0442896 _____ () C:\Users\USER\AppData\Roaming\data13.dat
2015-06-21 03:31 - 2015-06-21 03:31 - 0000000 _____ () C:\Users\USER\AppData\Roaming\ssleas.exe
Task: {549E9570-F205-4CCE-85C8-22F2892F32C5} - \Microsoft\Windows\Multimedia\SMupdate3 No Task File <==== ATTENTION
Task: {665DEEF3-4B96-49E7-95C6-BB020753A65B} - \SPDriver No Task File <==== ATTENTION
Task: {8EF75629-9BE0-405B-8F79-78355250398F} - \nethost task No Task File <==== ATTENTION
Task: {9612914D-6F1D-418F-B5CE-EF5B564DC3A2} - \Microsoft\Windows\Maintenance\SMupdate2 No Task File <==== ATTENTION
Task: {A808A80B-9E3D-4C20-9D0A-C60FF3C9CB78} - \YTDownloader No Task File <==== ATTENTION
Task: {AE2BD7B0-C59C-4F93-B5CB-FEAD7F93AE29} - \ShopperProJSUpd No Task File <==== ATTENTION
Task: {BD737F13-ECF4-4E14-B0C8-12771385C8D4} - \SMupdate1 No Task File <==== ATTENTION
Task: {AE15FA2A-A3FE-41B2-AE7C-E44D3F063AE2} - System32\Tasks\{7DF3B0BE-FBDC-46EC-AC4D-C016242C411E} => pcalua.exe -a C:\Users\USER\AppData\Roaming\mystartsearch\UninstallManager.exe -c  -ptid=con
Task: {C7284344-C169-4EF0-98D9-9ED949C3B2EA} - \ShopperPro No Task File <==== ATTENTION
Reboot:

  • Запустите FRST, нажмите один раз на кнопку Fix и подождите. Программа создаст лог-файл (Fixlog.txt). Пожалуйста, прикрепите его в следующем сообщении!
  • Обратите внимание, что компьютер будет перезагружен.


Мусор почистили.

 

С расшифровкой не поможем.

 

По имеющейся информации техподдержка ЛК оказывает индивидуально помощь в расшифровке обладателям действующей лицензии

