Зашифрованные рисунки с расширением xtbl

[as2120]

Зашифровались рисунки .2B85520967EC93C4193B.xtbl

 

CollectionLog-2016.02.01-18.48.zip

[thyrex]

Выполните скрипт в AVZ

begin
ShowMessage('Внимание! Перед выполнением скрипта AVZ автоматически закроет все сетевые подключения.' + #13#10 + 'После перезагрузки компьютера подключения к сети будут восстановлены в автоматическом режиме.');
ExecuteFile('net.exe', 'stop tcpip /y', 0, 15000, true);
if not IsWOW64
 then
  begin
   SearchRootkit(true, true);
   SetAVZGuardStatus(True);
  end;
 QuarantineFile('C:\Program Files\torrent search\ieef\ndedyt5dkc.dll','');
 QuarantineFile('C:\Program Files\torrent search\ieef\interfaces32.dll','');
 QuarantineFile('C:\Program Files\globalupdate\update\1.3.25.0\psuser.dll','');
 QuarantineFile('C:\Program Files\globalupdate\update\1.3.25.0\psmachine.dll','');
 QuarantineFile('C:\Program Files\globalupdate\update\1.3.25.0\npglobalupdateupdate4.dll','');
 QuarantineFile('C:\Program Files\globalupdate\update\1.3.25.0\goopdateres_en.dll','');
 QuarantineFile('C:\Program Files\globalupdate\update\1.3.25.0\goopdate.dll','');
 QuarantineFile('C:\Program Files\globalupdate\update\1.3.25.0\globalupdateondemand.exe','');
 QuarantineFile('C:\Program Files\globalupdate\update\1.3.25.0\globalupdatebroker.exe','');
 QuarantineFile('C:\Users\USER\AppData\Local\SmartWeb\SmartWebHelper.exe','');
 QuarantineFile('C:\Users\USER\AppData\Local\Bubble Builder\Bin\BubbleBuilder.dll','');
 QuarantineFile('C:\Program Files\Torrent Search\NzfTy2k.exe','');
 QuarantineFile('C:\Program Files\Crossbrowse\Crossbrowse\Application\utility.exe','');
 QuarantineFile('C:\Program Files\PlusHD_5.1V08.07\b7672d65-0301-436a-804f-3ab3fc98c9af-5.exe','');
 QuarantineFile('C:\Program Files\PlusHD_5.1V08.07\b7672d65-0301-436a-804f-3ab3fc98c9af-11.exe','');
 QuarantineFile('C:\Program Files\PlusHD_5.1V08.07\b7672d65-0301-436a-804f-3ab3fc98c9af-10.exe','');
 QuarantineFile('C:\Program Files\PlusHD_5.1V08.07\b7672d65-0301-436a-804f-3ab3fc98c9af-1-7.exe','');
 QuarantineFile('C:\Users\USER\AppData\Local\30494\Updater.exe','');
 QuarantineFile('C:\Program Files\AnyProtectEx\AnyProtect.exe','');
 QuarantineFile('C:\Program Files\CiPlus-4.5vV14.07\68a27bbd-dd9b-434e-abdd-905082c30d60-6.exe','');
 QuarantineFile('C:\Program Files\CiPlus-4.5vV14.07\68a27bbd-dd9b-434e-abdd-905082c30d60-7.exe','');
 QuarantineFile('C:\Program Files\CiPlus-4.5vV14.07\68a27bbd-dd9b-434e-abdd-905082c30d60-5.exe','');
 QuarantineFile('C:\Program Files\CiPlus-4.5vV14.07\68a27bbd-dd9b-434e-abdd-905082c30d60-3.exe','');
 QuarantineFile('C:\Program Files\CiPlus-4.5vV14.07\68a27bbd-dd9b-434e-abdd-905082c30d60-11.exe','');
 QuarantineFile('C:\Program Files\CiPlus-4.5vV14.07\68a27bbd-dd9b-434e-abdd-905082c30d60-10.exe','');
 QuarantineFile('C:\Program Files\CiPlus-4.5vV14.07\68a27bbd-dd9b-434e-abdd-905082c30d60-1-7.exe','');
 QuarantineFile('C:\Program Files\CiPlus-4.5vV14.07\68a27bbd-dd9b-434e-abdd-905082c30d60-1-6.exe','');
 DelBHO('{92780B25-18CC-41C8-B9BE-3C9C571A8263}');
 DelBHO('{03AE1B7B-A9E7-4D5A-9D34-89999C31B659}');
 QuarantineFile('C:\Program Files\Torrent Search\IEEF\ndEdYt5DKc.dll','');
 QuarantineFile('C:\Users\USER\AppData\Roaming\Browsers\exe.resworb.bat','');
 QuarantineFile('C:\iexplore.bat','');
 QuarantineFile('C:\Users\USER\AppData\Local\Kometa\kometaup.exe','');
 QuarantineFile('C:\Users\USER\AppData\Roaming\brsjrawe\gewcidar.exe','');
 DeleteService('QMUdisk');
 DeleteService('softaal');
 DeleteService('TS888');
 DeleteService('wsfd_vt_1_10_0_20');
 SetServiceStart('zemilymi', 4);
 DeleteService('zemilymi');
 SetServiceStart('zelolule', 4);
 DeleteService('zelolule');
 SetServiceStart('vicoqudu', 4);
 DeleteService('vicoqudu');
 SetServiceStart('jodijify', 4);
 DeleteService('jodijify');
 SetServiceStart('globalUpdate', 4);
 SetServiceStart('cijyvysy', 4);
 DeleteService('cijyvysy');
 QuarantineFile('C:\Users\USER\AppData\Local\03000200-1425898509-0500-0006-000700080009\inshB76A.tmp','');
 QuarantineFile('C:\Program Files\globalUpdate\Update\globalupdate.exe','');
 QuarantineFile('C:\Users\USER\AppData\Roaming\03000200-1435819879-0500-0006-000700080009\hnsfFDA2.tmp','');
 QuarantineFile('C:\Users\USER\AppData\Local\03000200-1425897910-0500-0006-000700080009\cnsz9057.tmp','');
 TerminateProcessByName('c:\program files\plushd_5.1v08.07\b7672d65-0301-436a-804f-3ab3fc98c9af-1-6.exe');
 QuarantineFile('c:\program files\plushd_5.1v08.07\b7672d65-0301-436a-804f-3ab3fc98c9af-1-6.exe','');
 DeleteFile('c:\program files\plushd_5.1v08.07\b7672d65-0301-436a-804f-3ab3fc98c9af-1-6.exe','32');
 DeleteFile('C:\Users\USER\AppData\Local\03000200-1425897910-0500-0006-000700080009\cnsz9057.tmp','32');
 DeleteFile('C:\Users\USER\AppData\Roaming\03000200-1435819879-0500-0006-000700080009\hnsfFDA2.tmp','32');
 DeleteFile('C:\Users\USER\AppData\Roaming\03000200-1425886822-0500-0006-000700080009\nsg5E43.tmpfs','32');
 DeleteFile('C:\Program Files\globalUpdate\Update\globalupdate.exe','32');
 DeleteFile('C:\Users\USER\AppData\Local\03000200-1425898509-0500-0006-000700080009\inshB76A.tmp','32');
 DeleteFile('C:\Program Files\Tencent\QQPCMgr\10.10.16434.218\QMUdisk.sys','32');
 DeleteFile('C:\Program Files\Tencent\QQPCMgr\10.10.16434.218\softaal.sys','32');
 DeleteFile('C:\Program Files\Tencent\QQPCMgr\10.10.16434.218\TS888.sys','32');
 DeleteFile('C:\Windows\system32\drivers\wsfd_vt_1_10_0_20.sys','32');
 DeleteFile('C:\Users\USER\AppData\Roaming\brsjrawe\gewcidar.exe','32');
 DeleteFile('C:\Users\USER\AppData\Local\Kometa\kometaup.exe','32');
 RegKeyParamDel('HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\kometaup','command');
 RegKeyParamDel('HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Clients','command');
 DeleteFile('C:\iexplore.bat','32');
 DeleteFile('C:\Users\USER\AppData\Roaming\Browsers\exe.resworb.bat','32');
 DeleteFile('C:\Program Files\Torrent Search\IEEF\ndEdYt5DKc.dll','32');
 DeleteFile('C:\Windows\Tasks\488f143c-135c-4496-8322-566f753dbfb2-1-6.job','32');
 DeleteFile('C:\Windows\Tasks\488f143c-135c-4496-8322-566f753dbfb2-1-7.job','32');
 DeleteFile('C:\Windows\Tasks\488f143c-135c-4496-8322-566f753dbfb2-10_user.job','32');
 DeleteFile('C:\Windows\Tasks\488f143c-135c-4496-8322-566f753dbfb2-11.job','32');
 DeleteFile('C:\Windows\Tasks\488f143c-135c-4496-8322-566f753dbfb2-3.job','32');
 DeleteFile('C:\Windows\Tasks\488f143c-135c-4496-8322-566f753dbfb2-5.job','32');
 DeleteFile('C:\Windows\Tasks\488f143c-135c-4496-8322-566f753dbfb2-5_user.job','32');
 DeleteFile('C:\Windows\Tasks\488f143c-135c-4496-8322-566f753dbfb2-6.job','32');
 DeleteFile('C:\Windows\Tasks\488f143c-135c-4496-8322-566f753dbfb2-7.job','32');
 DeleteFile('C:\Windows\Tasks\68a27bbd-dd9b-434e-abdd-905082c30d60-1-6.job','32');
 DeleteFile('C:\Program Files\CiPlus-4.5vV14.07\68a27bbd-dd9b-434e-abdd-905082c30d60-1-6.exe','32');
 DeleteFile('C:\Program Files\CiPlus-4.5vV14.07\68a27bbd-dd9b-434e-abdd-905082c30d60-1-7.exe','32');
 DeleteFile('C:\Windows\Tasks\68a27bbd-dd9b-434e-abdd-905082c30d60-1-7.job','32');
 DeleteFile('C:\Program Files\CiPlus-4.5vV14.07\68a27bbd-dd9b-434e-abdd-905082c30d60-10.exe','32');
 DeleteFile('C:\Windows\Tasks\68a27bbd-dd9b-434e-abdd-905082c30d60-10_user.job','32');
 DeleteFile('C:\Windows\Tasks\68a27bbd-dd9b-434e-abdd-905082c30d60-11.job','32');
 DeleteFile('C:\Program Files\CiPlus-4.5vV14.07\68a27bbd-dd9b-434e-abdd-905082c30d60-11.exe','32');
 DeleteFile('C:\Program Files\CiPlus-4.5vV14.07\68a27bbd-dd9b-434e-abdd-905082c30d60-3.exe','32');
 DeleteFile('C:\Windows\Tasks\68a27bbd-dd9b-434e-abdd-905082c30d60-3.job','32');
 DeleteFile('C:\Windows\Tasks\68a27bbd-dd9b-434e-abdd-905082c30d60-5.job','32');
 DeleteFile('C:\Program Files\CiPlus-4.5vV14.07\68a27bbd-dd9b-434e-abdd-905082c30d60-5.exe','32');
 DeleteFile('C:\Windows\Tasks\68a27bbd-dd9b-434e-abdd-905082c30d60-5_user.job','32');
 DeleteFile('C:\Windows\Tasks\68a27bbd-dd9b-434e-abdd-905082c30d60-6.job','32');
 DeleteFile('C:\Windows\Tasks\68a27bbd-dd9b-434e-abdd-905082c30d60-7.job','32');
 DeleteFile('C:\Program Files\CiPlus-4.5vV14.07\68a27bbd-dd9b-434e-abdd-905082c30d60-7.exe','32');
 DeleteFile('C:\Program Files\CiPlus-4.5vV14.07\68a27bbd-dd9b-434e-abdd-905082c30d60-6.exe','32');
 DeleteFile('C:\Windows\Tasks\AmiUpdXp.job','32');
 DeleteFile('C:\Windows\Tasks\APSnotifierPP1.job','32');
 DeleteFile('C:\Windows\Tasks\APSnotifierPP2.job','32');
 DeleteFile('C:\Program Files\AnyProtectEx\AnyProtect.exe','32');
 DeleteFile('C:\Users\USER\AppData\Local\30494\Updater.exe','32');
 DeleteFile('C:\Windows\Tasks\b7672d65-0301-436a-804f-3ab3fc98c9af-1-6.job','32');
 DeleteFile('C:\Program Files\PlusHD_5.1V08.07\b7672d65-0301-436a-804f-3ab3fc98c9af-1-6.exe','32');
 DeleteFile('C:\Program Files\PlusHD_5.1V08.07\b7672d65-0301-436a-804f-3ab3fc98c9af-1-7.exe','32');
 DeleteFile('C:\Windows\Tasks\b7672d65-0301-436a-804f-3ab3fc98c9af-1-7.job','32');
 DeleteFile('C:\Windows\Tasks\b7672d65-0301-436a-804f-3ab3fc98c9af-10_user.job','32');
 DeleteFile('C:\Program Files\PlusHD_5.1V08.07\b7672d65-0301-436a-804f-3ab3fc98c9af-10.exe','32');
 DeleteFile('C:\Program Files\PlusHD_5.1V08.07\b7672d65-0301-436a-804f-3ab3fc98c9af-11.exe','32');
 DeleteFile('C:\Windows\Tasks\b7672d65-0301-436a-804f-3ab3fc98c9af-11.job','32');
 DeleteFile('C:\Windows\Tasks\b7672d65-0301-436a-804f-3ab3fc98c9af-5.job','32');
 DeleteFile('C:\Program Files\PlusHD_5.1V08.07\b7672d65-0301-436a-804f-3ab3fc98c9af-5.exe','32');
 DeleteFile('C:\Windows\Tasks\b7672d65-0301-436a-804f-3ab3fc98c9af-5_user.job','32');
 DeleteFile('C:\Program Files\Crossbrowse\Crossbrowse\Application\utility.exe','32');
 DeleteFile('C:\Windows\Tasks\Crossbrowse.job','32');
 DeleteFile('C:\Windows\Tasks\globalUpdateUpdateTaskMachineCore.job','32');
 DeleteFile('C:\Windows\Tasks\globalUpdateUpdateTaskMachineUA.job','32');
 DeleteFile('C:\Program Files\Torrent Search\NzfTy2k.exe','32');
 DeleteFile('C:\Windows\Tasks\Update Service for Torrent Search.job','32');
 DeleteFile('C:\Windows\Tasks\Update Service for Torrent Search2.job','32');
 DeleteFile('C:\Windows\system32\Tasks\488f143c-135c-4496-8322-566f753dbfb2-1-6','32');
 DeleteFile('C:\Windows\system32\Tasks\488f143c-135c-4496-8322-566f753dbfb2-1-7','32');
 DeleteFile('C:\Windows\system32\Tasks\488f143c-135c-4496-8322-566f753dbfb2-10_user','32');
 DeleteFile('C:\Windows\system32\Tasks\488f143c-135c-4496-8322-566f753dbfb2-11','32');
 DeleteFile('C:\Windows\system32\Tasks\488f143c-135c-4496-8322-566f753dbfb2-3','32');
 DeleteFile('C:\Windows\system32\Tasks\488f143c-135c-4496-8322-566f753dbfb2-5','32');
 DeleteFile('C:\Windows\system32\Tasks\488f143c-135c-4496-8322-566f753dbfb2-5_user','32');
 DeleteFile('C:\Windows\system32\Tasks\488f143c-135c-4496-8322-566f753dbfb2-6','32');
 DeleteFile('C:\Windows\system32\Tasks\488f143c-135c-4496-8322-566f753dbfb2-7','32');
 DeleteFile('C:\Windows\system32\Tasks\68a27bbd-dd9b-434e-abdd-905082c30d60-1-6','32');
 DeleteFile('C:\Windows\system32\Tasks\68a27bbd-dd9b-434e-abdd-905082c30d60-1-7','32');
 DeleteFile('C:\Windows\system32\Tasks\68a27bbd-dd9b-434e-abdd-905082c30d60-10_user','32');
 DeleteFile('C:\Windows\system32\Tasks\68a27bbd-dd9b-434e-abdd-905082c30d60-11','32');
 DeleteFile('C:\Windows\system32\Tasks\68a27bbd-dd9b-434e-abdd-905082c30d60-3','32');
 DeleteFile('C:\Windows\system32\Tasks\68a27bbd-dd9b-434e-abdd-905082c30d60-5','32');
 DeleteFile('C:\Windows\system32\Tasks\68a27bbd-dd9b-434e-abdd-905082c30d60-5_user','32');
 DeleteFile('C:\Windows\system32\Tasks\68a27bbd-dd9b-434e-abdd-905082c30d60-6','32');
 DeleteFile('C:\Windows\system32\Tasks\68a27bbd-dd9b-434e-abdd-905082c30d60-7','32');
 DeleteFile('C:\Windows\system32\Tasks\AmiUpdXp','32');
 DeleteFile('C:\Windows\system32\Tasks\APSnotifierPP1','32');
 DeleteFile('C:\Windows\system32\Tasks\APSnotifierPP2','32');
 DeleteFile('C:\Windows\system32\Tasks\b7672d65-0301-436a-804f-3ab3fc98c9af-1-6','32');
 DeleteFile('C:\Windows\system32\Tasks\b7672d65-0301-436a-804f-3ab3fc98c9af-1-7','32');
 DeleteFile('C:\Windows\system32\Tasks\b7672d65-0301-436a-804f-3ab3fc98c9af-10_user','32');
 DeleteFile('C:\Windows\system32\Tasks\b7672d65-0301-436a-804f-3ab3fc98c9af-11','32');
 DeleteFile('C:\Windows\system32\Tasks\b7672d65-0301-436a-804f-3ab3fc98c9af-5','32');
 DeleteFile('C:\Windows\system32\Tasks\Bubble Builder','32');
 DeleteFile('C:\Users\USER\AppData\Local\Bubble Builder\Bin\BubbleBuilder.dll','32');
 DeleteFile('C:\Windows\system32\Tasks\Crossbrowse','32');
 DeleteFile('C:\Windows\system32\Tasks\globalUpdateUpdateTaskMachineUA','32');
 DeleteFile('C:\Windows\system32\Tasks\globalUpdateUpdateTaskMachineCore','32');
 DeleteFile('C:\Windows\system32\Tasks\SmartWeb Upgrade Trigger Task','32');
 DeleteFile('C:\Windows\system32\Tasks\Update Service for Torrent Search','32');
 DeleteFile('C:\Windows\system32\Tasks\Update Service for Torrent Search2','32');
 DeleteFile('C:\Users\USER\AppData\Local\SmartWeb\SmartWebHelper.exe','32');
 DeleteFile('C:\Program Files\globalupdate\update\1.3.25.0\globalupdatebroker.exe','32');
 DeleteFile('C:\Program Files\globalupdate\update\1.3.25.0\globalupdateondemand.exe','32');
 DeleteFile('C:\Program Files\globalupdate\update\1.3.25.0\goopdate.dll','32');
 DeleteFile('C:\Program Files\globalupdate\update\1.3.25.0\goopdateres_en.dll','32');
 DeleteFile('C:\Program Files\globalupdate\update\1.3.25.0\npglobalupdateupdate4.dll','32');
 DeleteFile('C:\Program Files\globalupdate\update\1.3.25.0\psmachine.dll','32');
 DeleteFile('C:\Program Files\globalupdate\update\1.3.25.0\psuser.dll','32');
 DeleteFile('C:\Program Files\torrent search\ieef\interfaces32.dll','32');
 DeleteFile('C:\Program Files\torrent search\ieef\ndedyt5dkc.dll','32');
 BC_ImportAll;
ExecuteSysClean;
BC_Activate;
RebootWindows(false);
end.

Будет выполнена перезагрузка компьютера.

 

Выполните скрипт в AVZ

begin
CreateQurantineArchive('c:\quarantine.zip');
end.

c:\quarantine.zip отправьте по адресу newvirus@kaspersky.com

Полученный ответ сообщите здесь (с указанием номера KLAN)

 

Скачайте ClearLNK и сохраните архив с утилитой на Рабочем столе.

1. Распакуйте архив с утилитой в отдельную папку.

2. Перенесите Check_Browsers_LNK.log на ClearLNK как показано на рисунке

 

 

3. Отчет о работе ClearLNK-<Дата>.log будет сохранен в папке LOG.

4. Прикрепите этот отчет к своему следующему сообщению.

 

Выполните правила ЕЩЕ РАЗ и предоставьте НОВЫЕ логи