Загрузка проца 100%

3 января, 2016

Проц загружен на 100%, internet explorer постоянно открывает рекламные вкладки вне зависимости от того включен ли он.

CollectionLog-2016.01.03-16.24.zip

3 января, 2016

Выполните скрипт в AVZ

begin
ShowMessage('Внимание! Перед выполнением скрипта AVZ автоматически закроет все сетевые подключения.' + #13#10 + 'После перезагрузки компьютера подключения к сети будут восстановлены в автоматическом режиме.');
ExecuteFile('net.exe', 'stop tcpip /y', 0, 15000, true);
if not IsWOW64
 then
  begin
   SearchRootkit(true, true);
   SetAVZGuardStatus(True);
  end;
 QuarantineFile('C:\Program Files (x86)\Window Update\task Update\task.exe','');
 QuarantineFile('C:\Users\1\AppData\Local\Chromium\Application\45.0.2433.0\Installer\updater\updater.exe','');
 QuarantineFile('C:\PROGRA~1\GROOVE~1\Lokza.bat','');
 QuarantineFile('C:\Users\1\AppData\Local\Form Cooking\{5F4EF9B5-9E55-BFFB-4E76-4E4FFDB32760}\gop.dll','');
 QuarantineFile('C:\Users\1\AppData\Local\Form Cooking\{5F4EF9B5-9E55-BFFB-4E76-4E4FFDB32760}\FormCooking.dll','');
 QuarantineFile('C:\Users\1\AppData\Local\PPTAssist\assistupdate.exe','');
 QuarantineFile('C:\Users\1\AppData\Local\PPTAssist\notify.exe','');
 QuarantineFile('C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe','');
 QuarantineFile('C:\Users\1\AppData\Local\31169\Updater.exe','');
 QuarantineFile('C:\ProgramData\SookFBBV\dnGtKNWBBXZasmK2.bat','');
 QuarantineFile('C:\ProgramData\qALvgSw\OPXFhJre5.bat','');
 QuarantineFile('C:\Users\1\AppData\Local\ndILSmC\dTlBqSIx0.bat','');
 QuarantineFile('C:\Program Files (x86)\IconRunner\MoneyBot.exe','');
 QuarantineFile('C:\Users\1\AppData\Local\SmartWeb\SmartWebHelper.exe','');
 QuarantineFile('C:\Program Files (x86)\Zaxar\ZaxarLoader.exe','');
 QuarantineFile('C:\Program Files (x86)\Zaxar\ZaxarGameBrowser.exe','');
 SetServiceStart('cherimoya', 4);
 DeleteService('cherimoya');
 QuarantineFile('C:\Windows\system32\drivers\cherimoya.sys','');
 DeleteService('server');
 QuarantineFile('C:\Program Files (x86)\Window Update\server Update\server.exe','');
 SetServiceStart('Iluuom', 4);
 DeleteService('Iluuom');
 SetServiceStart('productdqwwebdobnloa', 4);
 DeleteService('productdqwwebdobnloa');
 QuarantineFile('C:\Users\1\AppData\Local\Sailfase.exe','');
 QuarantineFile('C:\Users\1\AppData\Roaming\SoriAdypugo\Eetagn.exe','');
 SetServiceStart('zutuzuni', 4);
 DeleteService('zutuzuni');
 SetServiceStart('zizusyju', 4);
 DeleteService('zizusyju');
 SetServiceStart('zigipyro', 4);
 DeleteService('zigipyro');
 SetServiceStart('xewokonizbt', 4);
 DeleteService('xewokonizbt');
 SetServiceStart('wucotusy', 4);
 DeleteService('wucotusy');
 SetServiceStart('woforemu', 4);
 DeleteService('woforemu');
 SetServiceStart('WindowsMangerProtect', 4);
 DeleteService('WindowsMangerProtect');
 SetServiceStart('WdMan', 4);
 DeleteService('WdMan');
 SetServiceStart('vusesuwozbt', 4);
 DeleteService('vusesuwozbt');
 SetServiceStart('SSFK', 4);
 DeleteService('SSFK');
 SetServiceStart('rizyqibe', 4);
 DeleteService('rizyqibe');
 SetServiceStart('PuesoOhitbu', 4);
 DeleteService('PuesoOhitbu');
 SetServiceStart('ohnuze', 4);
 DeleteService('ohnuze');
 SetServiceStart('Idiwvivuxu', 4);
 DeleteService('Idiwvivuxu');
 SetServiceStart('HHandler Service', 4);
 DeleteService('HHandler Service');
 SetServiceStart('groover181220151147 Updater', 4);
 DeleteService('groover181220151147 Updater');
 SetServiceStart('ginoquci', 4);
 DeleteService('ginoquci');
 SetServiceStart('FinwarmSvc', 4);
 DeleteService('FinwarmSvc');
 SetServiceStart('Dripkick', 4);
 DeleteService('Dripkick');
 SetServiceStart('csrcc', 4);
 DeleteService('csrcc');
 SetServiceStart('ApplicationHosting', 4);
 DeleteService('ApplicationHosting');
 QuarantineFile('C:\ProgramData\ApplicationHosting\ApplicationHosting.exe','');
 SetServiceStart('3F153CC5-872A-4222-89B3-8A603FD1307F', 4);
 DeleteService('3F153CC5-872A-4222-89B3-8A603FD1307F');
 QuarantineFile('C:\Windows\system32\Idiwvivuxu.dll','');
 QuarantineFile('C:\Windows\SYSTEM32\DNSAPI.dll','');
 QuarantineFile('C:\Users\1\AppData\Local\Balance Comp\{5F4EF9B5-9E55-BFFB-4E76-4E4FFDB32760}\{AF4736D0-8782-556D-AC63-663BEF82E158}.dat','');
 QuarantineFile('C:\Users\1\AppData\Local\Balance Comp\{5F4EF9B5-9E55-BFFB-4E76-4E4FFDB32760}\twhkxd.dll','');
 QuarantineFile('C:\Users\1\AppData\Local\Balance Comp\{5F4EF9B5-9E55-BFFB-4E76-4E4FFDB32760}\BalanceComp.dll','');
 QuarantineFile('c:\program files\wnen\wnenlibs\iiadhu.dll','');
 TerminateProcessByName('c:\program files\groover181220151147\xhawlapkou.exe');
 QuarantineFile('c:\program files\groover181220151147\xhawlapkou.exe','');
 TerminateProcessByName('c:\programdata\twdmt\wdman.exe');
 QuarantineFile('c:\programdata\twdmt\wdman.exe','');
 TerminateProcessByName('c:\users\1\appdata\local\gmsd_ru_005010195\upgmsd_ru_005010195.exe');
 QuarantineFile('c:\users\1\appdata\local\gmsd_ru_005010195\upgmsd_ru_005010195.exe','');
 TerminateProcessByName('C:\Users\Public\Videos\Adobe\Reader\svchost.exe');
 QuarantineFile('C:\Users\Public\Videos\Adobe\Reader\svchost.exe','');
 TerminateProcessByName('c:\program files (x86)\sfk\ssfk.exe');
 QuarantineFile('c:\program files (x86)\sfk\ssfk.exe','');
 TerminateProcessByName('c:\program files (x86)\spacesondpro_v53.11424\spacesondpro_service.exe');
 QuarantineFile('c:\program files (x86)\spacesondpro_v53.11424\spacesondpro_service.exe','');
 TerminateProcessByName('c:\program files\sound+\sound+.exe');
 QuarantineFile('c:\program files\sound+\sound+.exe','');
 TerminateProcessByName('c:\users\1\appdata\roaming\softwebbar\softwebbar.exe');
 QuarantineFile('c:\users\1\appdata\roaming\softwebbar\softwebbar.exe','');
 TerminateProcessByName('c:\users\1\appdata\local\03de0294-1449763435-05ff-5d06-a10700080009\snsqbd3a.tmp');
 QuarantineFile('c:\users\1\appdata\local\03de0294-1449763435-05ff-5d06-a10700080009\snsqbd3a.tmp','');
 TerminateProcessByName('C:\Users\1\AppData\Local\Temp\8a0Mzx\runner.exe');
 QuarantineFile('C:\Users\1\AppData\Local\Temp\8a0Mzx\runner.exe','');
 TerminateProcessByName('c:\program files (x86)\rec_ru_145\rec_ru_145.exe');
 QuarantineFile('c:\program files (x86)\rec_ru_145\rec_ru_145.exe','');
 TerminateProcessByName('c:\program files (x86)\rec_ru_142\rec_ru_142.exe');
 QuarantineFile('c:\program files (x86)\rec_ru_142\rec_ru_142.exe','');
 TerminateProcessByName('c:\users\1\appdata\local\03de0294-1451810827-05ff-5d06-a10700080009\qnss26a4.tmp');
 QuarantineFile('c:\users\1\appdata\local\03de0294-1451810827-05ff-5d06-a10700080009\qnss26a4.tmp','');
 TerminateProcessByName('C:\Program Files\groover181220151147\Qhmesm64.exe');
 QuarantineFile('C:\Program Files\groover181220151147\Qhmesm64.exe','');
 TerminateProcessByName('c:\program files\groover181220151147\qhmesm.exe');
 QuarantineFile('c:\program files\groover181220151147\qhmesm.exe','');
 TerminateProcessByName('c:\program files\groover181220151147\pyvab.exe');
 QuarantineFile('c:\program files\groover181220151147\pyvab.exe','');
 TerminateProcessByName('c:\programdata\tmp0x0x\protectwindowsmanager.exe');
 QuarantineFile('c:\programdata\tmp0x0x\protectwindowsmanager.exe','');
 TerminateProcessByName('c:\programdata\ohnuze\ohnuze.exe');
 QuarantineFile('c:\programdata\ohnuze\ohnuze.exe','');
 TerminateProcessByName('c:\users\1\appdata\local\temp\nsncd12.tmp');
 QuarantineFile('c:\users\1\appdata\local\temp\nsncd12.tmp','');
 TerminateProcessByName('c:\program files (x86)\feed notifier\notifier.exe');
 QuarantineFile('c:\program files (x86)\feed notifier\notifier.exe','');
 TerminateProcessByName('c:\program files (x86)\manager\manager.exe');
 QuarantineFile('c:\program files (x86)\manager\manager.exe','');
 TerminateProcessByName('c:\program files\groover181220151147\luutoci.exe');
 QuarantineFile('c:\program files\groover181220151147\luutoci.exe','');
 TerminateProcessByName('c:\program files (x86)\03de0294-1451183645-05ff-5d06-a10700080009\knsme196.tmp');
 QuarantineFile('c:\program files (x86)\03de0294-1451183645-05ff-5d06-a10700080009\knsme196.tmp','');
 TerminateProcessByName('c:\program files (x86)\03de0294-1449752589-05ff-5d06-a10700080009\knsc5a82.tmp');
 QuarantineFile('c:\program files (x86)\03de0294-1449752589-05ff-5d06-a10700080009\knsc5a82.tmp','');
 TerminateProcessByName('c:\program files (x86)\03de0294-1449752589-05ff-5d06-a10700080009\jnsp3c7e.tmp');
 QuarantineFile('c:\program files (x86)\03de0294-1449752589-05ff-5d06-a10700080009\jnsp3c7e.tmp','');
 TerminateProcessByName('c:\program files (x86)\03de0294-1451183645-05ff-5d06-a10700080009\jnsb751f.tmp');
 QuarantineFile('c:\program files (x86)\03de0294-1451183645-05ff-5d06-a10700080009\jnsb751f.tmp','');
 TerminateProcessByName('c:\program files (x86)\spacesondpro_v53.11424\ioproduct.exe');
 QuarantineFile('c:\program files (x86)\spacesondpro_v53.11424\ioproduct.exe','');
 TerminateProcessByName('c:\program files\groover181220151147\idiwvivuxu.exe');
 QuarantineFile('c:\program files\groover181220151147\idiwvivuxu.exe','');
 TerminateProcessByName('c:\program files (x86)\03de0294-1451183645-05ff-5d06-a10700080009\hnsn9309.tmp');
 QuarantineFile('c:\program files (x86)\03de0294-1451183645-05ff-5d06-a10700080009\hnsn9309.tmp','');
 TerminateProcessByName('c:\program files (x86)\03de0294-1449752589-05ff-5d06-a10700080009\hnsb5846.tmp');
 QuarantineFile('c:\program files (x86)\03de0294-1449752589-05ff-5d06-a10700080009\hnsb5846.tmp','');
 TerminateProcessByName('c:\program files (x86)\gmsd_ru_005010195\gmsd_ru_005010195.exe');
 QuarantineFile('c:\program files (x86)\gmsd_ru_005010195\gmsd_ru_005010195.exe','');
 TerminateProcessByName('c:\program files (x86)\gmsd_ru_005010193\gmsd_ru_005010193.exe');
 QuarantineFile('c:\program files (x86)\gmsd_ru_005010193\gmsd_ru_005010193.exe','');
 TerminateProcessByName('c:\program files (x86)\gmsd_ru_005010192\gmsd_ru_005010192.exe');
 QuarantineFile('c:\program files (x86)\gmsd_ru_005010192\gmsd_ru_005010192.exe','');
 TerminateProcessByName('c:\program files (x86)\gmsd_ru_005010190\gmsd_ru_005010190.exe');
 QuarantineFile('c:\program files (x86)\gmsd_ru_005010190\gmsd_ru_005010190.exe','');
 TerminateProcessByName('c:\program files (x86)\gmsd_ru_005010189\gmsd_ru_005010189.exe');
 QuarantineFile('c:\program files (x86)\gmsd_ru_005010189\gmsd_ru_005010189.exe','');
 TerminateProcessByName('c:\program files (x86)\gmsd_ru_005010188\gmsd_ru_005010188.exe');
 QuarantineFile('c:\program files (x86)\gmsd_ru_005010188\gmsd_ru_005010188.exe','');
 TerminateProcessByName('c:\program files (x86)\gmsd_ru_005010183\gmsd_ru_005010183.exe');
 QuarantineFile('c:\program files (x86)\gmsd_ru_005010183\gmsd_ru_005010183.exe','');
 TerminateProcessByName('c:\program files (x86)\gmsd_ru_005010180\gmsd_ru_005010180.exe');
 QuarantineFile('c:\program files (x86)\gmsd_ru_005010180\gmsd_ru_005010180.exe','');
 TerminateProcessByName('c:\program files (x86)\gmsd_ru_005010179\gmsd_ru_005010179.exe');
 QuarantineFile('c:\program files (x86)\gmsd_ru_005010179\gmsd_ru_005010179.exe','');
 TerminateProcessByName('c:\program files (x86)\gmsd_ru_005010178\gmsd_ru_005010178.exe');
 QuarantineFile('c:\program files (x86)\gmsd_ru_005010178\gmsd_ru_005010178.exe','');
 TerminateProcessByName('c:\program files (x86)\gmsd_ru_005010177\gmsd_ru_005010177.exe');
 QuarantineFile('c:\program files (x86)\gmsd_ru_005010177\gmsd_ru_005010177.exe','');
 TerminateProcessByName('C:\Program Files\WNEn\ff62b92908634f70c54b9d9fc96d09cc.exe');
 QuarantineFile('C:\Program Files\WNEn\ff62b92908634f70c54b9d9fc96d09cc.exe','');
 TerminateProcessByName('c:\program files\wnen\fb01efa87f3d7dad8c148b279a84ed67.exe');
 QuarantineFile('c:\program files\wnen\fb01efa87f3d7dad8c148b279a84ed67.exe','');
 QuarantineFile('C:\Program Files\Dripkick\Dripkick.exe','');
 TerminateProcessByName('c:\program files\groover181220151147\csrcc.exe');
 QuarantineFile('c:\program files\groover181220151147\csrcc.exe','');
 TerminateProcessByName('c:\programdata\applicationhosting\applicationhosting.exe');
 QuarantineFile('c:\programdata\applicationhosting\applicationhosting.exe','');
 DeleteFile('c:\programdata\applicationhosting\applicationhosting.exe','32');
 DeleteFile('c:\program files\groover181220151147\csrcc.exe','32');
 DeleteFile('c:\program files\wnen\fb01efa87f3d7dad8c148b279a84ed67.exe','32');
 DeleteFile('C:\Program Files\WNEn\ff62b92908634f70c54b9d9fc96d09cc.exe','32');
 DeleteFile('c:\program files (x86)\gmsd_ru_005010177\gmsd_ru_005010177.exe','32');
 DeleteFile('c:\program files (x86)\gmsd_ru_005010178\gmsd_ru_005010178.exe','32');
 DeleteFile('c:\program files (x86)\gmsd_ru_005010179\gmsd_ru_005010179.exe','32');
 DeleteFile('c:\program files (x86)\gmsd_ru_005010180\gmsd_ru_005010180.exe','32');
 DeleteFile('c:\program files (x86)\gmsd_ru_005010183\gmsd_ru_005010183.exe','32');
 DeleteFile('c:\program files (x86)\gmsd_ru_005010188\gmsd_ru_005010188.exe','32');
 DeleteFile('c:\program files (x86)\gmsd_ru_005010189\gmsd_ru_005010189.exe','32');
 DeleteFile('c:\program files (x86)\gmsd_ru_005010190\gmsd_ru_005010190.exe','32');
 DeleteFile('c:\program files (x86)\gmsd_ru_005010192\gmsd_ru_005010192.exe','32');
 DeleteFile('c:\program files (x86)\gmsd_ru_005010193\gmsd_ru_005010193.exe','32');
 DeleteFile('c:\program files (x86)\gmsd_ru_005010195\gmsd_ru_005010195.exe','32');
 DeleteFile('c:\program files (x86)\03de0294-1449752589-05ff-5d06-a10700080009\hnsb5846.tmp','32');
 DeleteFile('c:\program files (x86)\03de0294-1451183645-05ff-5d06-a10700080009\hnsn9309.tmp','32');
 DeleteFile('c:\program files\groover181220151147\idiwvivuxu.exe','32');
 DeleteFile('c:\program files (x86)\spacesondpro_v53.11424\ioproduct.exe','32');
 DeleteFile('c:\program files (x86)\03de0294-1451183645-05ff-5d06-a10700080009\jnsb751f.tmp','32');
 DeleteFile('c:\program files (x86)\03de0294-1449752589-05ff-5d06-a10700080009\jnsp3c7e.tmp','32');
 DeleteFile('c:\program files (x86)\03de0294-1449752589-05ff-5d06-a10700080009\knsc5a82.tmp','32');
 DeleteFile('c:\program files (x86)\03de0294-1451183645-05ff-5d06-a10700080009\knsme196.tmp','32');
 DeleteFile('c:\program files\groover181220151147\luutoci.exe','32');
 DeleteFile('c:\program files (x86)\manager\manager.exe','32');
 DeleteFile('c:\program files (x86)\feed notifier\notifier.exe','32');
 DeleteFile('c:\users\1\appdata\local\temp\nsncd12.tmp','32');
 DeleteFile('c:\programdata\ohnuze\ohnuze.exe','32');
 DeleteFile('c:\programdata\tmp0x0x\protectwindowsmanager.exe','32');
 DeleteFile('c:\program files\groover181220151147\pyvab.exe','32');
 DeleteFile('c:\program files\groover181220151147\qhmesm.exe','32');
 DeleteFile('C:\Program Files\groover181220151147\Qhmesm64.exe','32');
 DeleteFile('c:\users\1\appdata\local\03de0294-1451810827-05ff-5d06-a10700080009\qnss26a4.tmp','32');
 DeleteFile('c:\program files (x86)\rec_ru_142\rec_ru_142.exe','32');
 DeleteFile('c:\program files (x86)\rec_ru_145\rec_ru_145.exe','32');
 DeleteFile('C:\Users\1\AppData\Local\Temp\8a0Mzx\runner.exe','32');
 DeleteFile('c:\users\1\appdata\local\03de0294-1449763435-05ff-5d06-a10700080009\snsqbd3a.tmp','32');
 DeleteFile('c:\users\1\appdata\roaming\softwebbar\softwebbar.exe','32');
 DeleteFile('c:\program files\sound+\sound+.exe','32');
 DeleteFile('c:\program files (x86)\spacesondpro_v53.11424\spacesondpro_service.exe','32');
 DeleteFile('c:\program files (x86)\sfk\ssfk.exe','32');
 DeleteFile('C:\Users\Public\Videos\Adobe\Reader\svchost.exe','32');
 DeleteFile('c:\users\1\appdata\local\gmsd_ru_005010195\upgmsd_ru_005010195.exe','32');
 DeleteFile('c:\programdata\twdmt\wdman.exe','32');
 DeleteFile('c:\program files\groover181220151147\xhawlapkou.exe','32');
 DeleteFile('C:\Users\1\AppData\Local\Balance Comp\{5F4EF9B5-9E55-BFFB-4E76-4E4FFDB32760}\BalanceComp.dll','32');
 DeleteFile('C:\Users\1\AppData\Local\Balance Comp\{5F4EF9B5-9E55-BFFB-4E76-4E4FFDB32760}\twhkxd.dll','32');
 DeleteFile('C:\Users\1\AppData\Local\Balance Comp\{5F4EF9B5-9E55-BFFB-4E76-4E4FFDB32760}\{AF4736D0-8782-556D-AC63-663BEF82E158}.dat','32');
 DeleteFile('C:\Windows\system32\Idiwvivuxu.dll','32');
 DeleteFile('C:\ProgramData\ApplicationHosting\ApplicationHosting.exe','32');
 DeleteFile('C:\Users\1\AppData\Roaming\SoriAdypugo\Eetagn.exe','32');
 DeleteFile('C:\Users\1\AppData\Local\Sailfase.exe','32');
 DeleteFile('C:\Program Files (x86)\Window Update\server Update\server.exe','32');
 DeleteFile('C:\Windows\system32\drivers\cherimoya.sys','32');
 DeleteFile('C:\Program Files (x86)\Zaxar\ZaxarGameBrowser.exe','32');
 DeleteFile('C:\Program Files (x86)\Zaxar\ZaxarLoader.exe','32');
 DeleteFile('C:\Users\1\AppData\Local\SmartWeb\SmartWebHelper.exe','32');
 RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','SmartWeb');
 RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','IconRunner');
 DeleteFile('C:\Program Files (x86)\IconRunner\MoneyBot.exe','32');
 RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\RunOnce','upgmsd_ru_005010195.exe');
 DeleteFile('C:\Users\1\AppData\Local\ndILSmC\dTlBqSIx0.bat','32');
 DeleteFile('C:\ProgramData\qALvgSw\OPXFhJre5.bat','32');
 DeleteFile('C:\ProgramData\SookFBBV\dnGtKNWBBXZasmK2.bat','32');
 DeleteFile('C:\Users\1\AppData\Local\31169\Updater.exe','32');
 DeleteFile('C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe','32');
 DeleteFile('C:\Windows\Tasks\AmiUpdXp.job','32');
 DeleteFile('C:\Windows\Tasks\APSnotifierPP1.job','32');
 DeleteFile('C:\Windows\Tasks\APSnotifierPP2.job','32');
 DeleteFile('C:\Windows\Tasks\APSnotifierPP3.job','32');
 DeleteFile('C:\Users\1\AppData\Local\PPTAssist\notify.exe','32');
 DeleteFile('C:\Users\1\AppData\Local\PPTAssist\assistupdate.exe','32');
 DeleteFile('C:\Windows\Tasks\PPTAssistantUpdateTask_1.job','32');
 DeleteFile('C:\Windows\Tasks\PPTAssistantNotifyTask_1.job','32');
 DeleteFile('C:\Windows\system32\Tasks\AmiUpdXp','64');
 DeleteFile('C:\Windows\system32\Tasks\APSnotifierPP1','64');
 DeleteFile('C:\Windows\system32\Tasks\APSnotifierPP2','64');
 DeleteFile('C:\Windows\system32\Tasks\APSnotifierPP3','64');
 DeleteFile('C:\Windows\system32\Tasks\Balance Comp','64');
 DeleteFile('C:\Windows\system32\Tasks\Balance Comp2','64');
 DeleteFile('C:\Users\1\AppData\Local\Form Cooking\{5F4EF9B5-9E55-BFFB-4E76-4E4FFDB32760}\FormCooking.dll','32');
 DeleteFile('C:\Users\1\AppData\Local\Form Cooking\{5F4EF9B5-9E55-BFFB-4E76-4E4FFDB32760}\gop.dll','32');
 DeleteFile('C:\Windows\system32\Tasks\Form Cooking2','64');
 DeleteFile('C:\Windows\system32\Tasks\Form Cooking','64');
 DeleteFile('C:\PROGRA~1\GROOVE~1\Lokza.bat','32');
 DeleteFile('C:\Windows\system32\Tasks\Idenlab','64');
 DeleteFile('C:\Windows\system32\Tasks\Internet Quick Access Updater','64');
 DeleteFile('C:\Windows\system32\Tasks\PPTAssistantNotifyTask_1','64');
 DeleteFile('C:\Windows\system32\Tasks\task Update','64');
 DeleteFile('C:\Program Files (x86)\Window Update\task Update\task.exe','32');
 DeleteFile('C:\Windows\system32\Tasks\WindowsUpdater4','64');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
ExecuteRepair(15); 
RebootWindows(false);
end.

Будет выполнена перезагрузка компьютера.

Выполните скрипт в AVZ

begin
CreateQurantineArchive('c:\quarantine.zip');
end.

c:\quarantine.zip отправьте по адресу newvirus@kaspersky.com

Полученный ответ сообщите здесь (с указанием номера KLAN)

Скачайте ClearLNK и сохраните архив с утилитой на Рабочем столе.

1. Распакуйте архив с утилитой в отдельную папку.

2. Перенесите Check_Browsers_LNK.log на ClearLNK как показано на рисунке

3. Отчет о работе ClearLNK-<Дата>.log будет сохранен в папке LOG.

4. Прикрепите этот отчет к своему следующему сообщению.

Выполните ЕЩЕ РАЗ правила и предоставьте НОВЫЕ логи

4 января, 2016

Вирусы удалил, но комп не перезагрузился сам. Вот лог ClearLNK ClearLNK-04.01.2016_07-25.log

И на всякий случай ещё раз AVZ прогнал CollectionLog-2016.01.04-07.42.zip

KLAN сообщу когда ответят

4 января, 2016

Выполните скрипт в AVZ (AVZ, Меню "Файл - Выполнить скрипт"):

begin
ShowMessage('Внимание! Перед выполнением скрипта AVZ автоматически закроет все сетевые подключения.' + #13#10 + 'После перезагрузки компьютера подключения к сети будут восстановлены в автоматическом режиме.');
ExecuteFile('net.exe', 'stop tcpip /y', 0, 15000, true);
 ClearQuarantine;
 TerminateProcessByName('c:\program files (x86)\common files\415c6520-c0da-4fcb-9597-9d03c710be54\updater.exe');
 TerminateProcessByName('c:\programdata\415c6520-c0da-4fcb-9597-9d03c710be54\plugincontainer.exe');
 TerminateProcessByName('c:\programdata\415c6520-c0da-4fcb-9597-9d03c710be54\plugins\7\plugin.exe');
 TerminateProcessByName('c:\programdata\dlohn\dlohn.exe');
 TerminateProcessByName('c:\programdata\airtop\airtop.exe');
 SetServiceStart('zonynebuzbt', 4);
 SetServiceStart('Zitenop', 4);
 SetServiceStart('Airtop', 4);
 SetServiceStart('dlohn', 4);
 SetServiceStart('Service Mgr ConstantFun', 4);
 SetServiceStart('Update Mgr ConstantFun', 4);
 StopService('Airtop');
 StopService('dlohn');
 StopService('Service Mgr ConstantFun');
 StopService('Update Mgr ConstantFun');
 QuarantineFile('C:\Program Files (x86)\Constant Fun\Extensions\9d6b19f5-4a89-4db4-b650-44222af825b0.dll','');
 QuarantineFile('C:\Windows\system32\dnsapi.dll','');
 QuarantineFile('C:\Program Files (x86)\03DE0294-1451183645-05FF-5D06-A10700080009\knsm4534.tmp','');
 QuarantineFile('C:\ProgramData\Zitenop\Zitenop.exe','');
 QuarantineFile('c:\program files (x86)\common files\415c6520-c0da-4fcb-9597-9d03c710be54\updater.exe','');
 QuarantineFile('c:\programdata\415c6520-c0da-4fcb-9597-9d03c710be54\plugincontainer.exe','');
 QuarantineFile('c:\programdata\415c6520-c0da-4fcb-9597-9d03c710be54\plugins\7\plugin.exe','');
 QuarantineFile('c:\programdata\dlohn\dlohn.exe','');
 QuarantineFile('c:\programdata\airtop\airtop.exe','');
 DeleteFile('c:\programdata\415c6520-c0da-4fcb-9597-9d03c710be54\plugins\7\plugin.exe','32');
 DeleteFile('C:\ProgramData\Airtop\Airtop.exe','32');
 DeleteFile('C:\ProgramData\dlohn\dlohn.exe','32');
 DeleteFile('C:\ProgramData\415c6520-c0da-4fcb-9597-9d03c710be54\plugincontainer.exe','32');
 DeleteFile('C:\Program Files (x86)\Common Files\415c6520-c0da-4fcb-9597-9d03c710be54\updater.exe','32');
 DeleteFile('C:\ProgramData\Zitenop\Zitenop.exe','32');
 DeleteFile('C:\Program Files (x86)\03DE0294-1451183645-05FF-5D06-A10700080009\knsm4534.tmp','32');
 DeleteFile('C:\Program Files (x86)\Constant Fun\Extensions\9d6b19f5-4a89-4db4-b650-44222af825b0.dll','32');
 DelBHO('9d6b19f5-4a89-4db4-b650-44222af825b0');
 DeleteService('zonynebuzbt');
 DeleteService('Zitenop');
 DeleteService('Airtop');
 DeleteService('dlohn');
 DeleteService('Service Mgr ConstantFun');
 DeleteService('Update Mgr ConstantFun');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.

После выполнения скрипта компьютер перезагрузится.

Для создания архива с карантином выполните скрипт:

begin
DeleteFile('Qurantine.zip','');
ExecuteFile('7za.exe', 'a -tzip -mx=9 -pinfected Quarantine.zip .\Quarantine\*', 100, 0, true);
end.

Отправьте на проверку файл Quarantine.zip из папки AVZ через портал Kaspersky Virus Desk.

Порядок действий на портале Kaspersky Virus Desk::

1) Установите флажок Я хочу получить результаты проверки по электронной почте и укажите адрес своей электронной почты;

2) Нажмите на ссылку Выбрать файл и прикрепите архив карантина.

Важно: размер архива не должен превышать 12 МБ;

3) Убедившись в наличии строки Я хочу отправить на проверку Quarantine.zip, нажмите повторно на ссылку Выбрать файл.

4) Дождитесь ответа об успешной загрузке карантина.

Полученный через электронную почту ответ сообщите в этой теме.

Пофиксите в HijackThis (некоторых строк после выполнения первого скрипта AVZ может уже не быть):


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yoursites123.com/?type=hp&ts=1449645984&z=d7809db2fd9e18e503abd5dgfz3zft4q3z5w0t2bbo&from=ient07021&uid=ST500DM002-1BD142_S2AWZCW1XXXXS2AWZCW1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_B3MFFm7cT1rWoL2oS-rylwNMiY5pG6n1pHbsi_9KNc-zHab4cSR22BjumEOB8S9QOv67jLjuP-n54Pz0UC2S0Wx44W3Fp6q-wBf_Jy60O0tqwHlRu8D0Hv4orh9QJzEi6xw-TRr3lAS0RLDux-8ZEej7JKxgd&q={searchTerms}
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_B3MFFm7cT1rWoL2oS-rylwNMiY5pG6n1pHbsi_9KNc-zHab4cSR22BjumEOB8S9QOv67jLjuP-n54Pz0UC2S0Wx44W3Fp6q-wBf_Jy60O0tqwHlRu8D0Hv4orh9QJzEi6xw-TRr3lAS0RLDux-8ZEej7JKxgd&q={searchTerms}
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_B3MFFm7cT1rWoL2oS-rylwNMiY5pG6n1pHbsi_9KNc-zHab4cSR22BjumEOB8S9QOv67jLjuP-n54Pz0UC2S0Wx44W3Fp6q-wBf_Jy60O0tqwHlRu8D0Hv4orh9QJzEi6xw-TRr3lAS0RLDux-8ZEej7JKxgd&q={searchTerms}
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://%66%65%65%64.%73%6E%61%70%64%6F.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_B3MFFm7cT1rWoL2oS-rylwNMiY5pG6n1pHbsi_9KNc-zHab4cSR22BjumEOB8S9QOv67jLjuP-n54PzF7FbV63OYEUm65EXW9QKtUe6uLxMb2P0DoNx7h3MYkitzCw69AILFfMG-zKigtflI581deR2n847tZ
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yoursites123.com/?type=hp&ts=1449645984&z=d7809db2fd9e18e503abd5dgfz3zft4q3z5w0t2bbo&from=ient07021&uid=ST500DM002-1BD142_S2AWZCW1XXXXS2AWZCW1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.yoursites123.com/web/?type=ds&ts=1449645984&z=d7809db2fd9e18e503abd5dgfz3zft4q3z5w0t2bbo&from=ient07021&uid=ST500DM002-1BD142_S2AWZCW1XXXXS2AWZCW1&q={searchTerms}
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yoursites123.com/web/?type=ds&ts=1449645984&z=d7809db2fd9e18e503abd5dgfz3zft4q3z5w0t2bbo&from=ient07021&uid=ST500DM002-1BD142_S2AWZCW1XXXXS2AWZCW1&q={searchTerms}
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yoursites123.com/?type=hp&ts=1449645984&z=d7809db2fd9e18e503abd5dgfz3zft4q3z5w0t2bbo&from=ient07021&uid=ST500DM002-1BD142_S2AWZCW1XXXXS2AWZCW1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_B3MFFm7cT1rWoL2oS-rylwNMiY5pG6n1pHbsi_9KNc-zHab4cSR22BjumEOB8S9QOv67jLjuP-n54Pz0UC2S0Wx44W3Fp6q-wBf_Jy60O0tqwHlRu8D0Hv4orh9QJzEi6xw-TRr3lAS0RLDux-8ZEej7JKxgd&q={searchTerms}
O2 - BHO: Norton Vulnerability Protection - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\21.7.0.11\IPS\IPSBHO.DLL (file missing)
O2 - BHO: Constant Fun - {9d6b19f5-4a89-4db4-b650-44222af825b0} - C:\Program Files (x86)\Constant Fun\Extensions\9d6b19f5-4a89-4db4-b650-44222af825b0.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{15FC92BE-3329-4D05-9F67-F9A01D32FD88}: NameServer = 104.197.191.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{15FC92BE-3329-4D05-9F67-F9A01D32FD88}: NameServer = 104.197.191.4

Сделайте новые логи по правилам (только пункт 2).

+ приложите лог AdwCleaтук и MBAM

http://forum.kasperskyclub.ru/index.php?showtopic=7611&do=findComment&comment=635158
http://forum.kasperskyclub.ru/index.php?showtopic=7611&do=findComment&comment=635256

Загрузка проца 100%

Рекомендуемые сообщения

regedt64

thyrex

regedt64

Roman_Five

Пожалуйста, войдите, чтобы комментировать

Обзор

Активность

Магазин

Поддержка

Kaspersky Support Forum