Uninstall the YoutubeAdBlock program.
Download, unpack and run the ClearLNK utility. Copy the text below into the utility window and click "Cure".
Code:
>>> "C:\Users\admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk" -> ["C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" =>> %SNP%]
>>> "C:\Users\grishenyaey\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk" -> ["C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" =>> %SNP%]
>>> "C:\Users\grishenyaey\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk" -> ["C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" =>> %SNP%]
>>> "C:\Users\grishenyaey\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk" -> ["C:\Program Files\Mozilla Firefox\firefox.exe" =>> %SNF%]
>>> "C:\Users\varyaginna\Desktop\Google Chrome.lnk" -> ["C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" =>> %SNP%]
>>> "C:\Users\varyaginna\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk" -> ["C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" =>> %SNP%]
>>> "C:\Users\grishenyaey.IT\Desktop\РС\Страрое с РС\Tor Browser\Start Tor Browser.lnk" -> ["C:\Users\grishenyaey.IT\Desktop\Tor Browser\Browser\firefox.exe"]
>>> "C:\Users\grishenyaey.IT\AppData\Roaming\My-top-apps\Ali Express.lnk" -> ["C:\Users\grishenyaey.IT\AppData\Roaming\My-top-apps\10\Ali Express.exe" =>> hxxp://my-top-apps.com/client/postback/guid/4BEB6FBB-08C0-428D-A1FA-B73D2978F0CF/creativeid/10]
>>> "C:\Users\grishenyaey.IT\AppData\Roaming\My-top-apps\Найти.lnk" -> ["C:\Users\grishenyaey.IT\AppData\Roaming\My-top-apps\37\Найти.exe" =>> hxxp://my-top-apps.com/client/postback/guid/4BEB6FBB-08C0-428D-A1FA-B73D2978F0CF/creativeid/37]
>>> "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\x264vfw\Configure x264vfw64.lnk" -> ["C:\Windows\System32\rundll32.exe" =>> x264vfw64.dll,Configure] -> ( is missing)
>>> "C:\Users\grishenyaey.IT\Desktop\РС\EPSON Scan.lnk" -> ["C:\Windows\twain_32\escndv\escndv.exe"]
>>> "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Nextcloud.lnk" -> ["C:\Program Files (x86)\Nextcloud\nextcloud.exe"]
>>> "C:\Users\Public\Desktop\Nextcloud.lnk" -> ["C:\Program Files (x86)\Nextcloud\nextcloud.exe"]
>>> "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Smart Application Controller\Smart Application Controller.lnk" -> ["C:\Program Files (x86)\Smart Application Controller\smappscontroller.exe"]
>>> "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HAL\HAL.lnk" -> ["C:\Users\popovichav\AppData\Local\HAL\HAL.exe"]
>>> "C:\Users\grishenyaey\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Adobe Photoshop CC 2017.lnk" -> ["C:\Program Files\Adobe\Adobe Photoshop CC 2017\Photoshop.exe"]
>>> "C:\Users\grishenyaey\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Adobe Illustrator CC 2015.lnk" -> ["C:\Program Files\Adobe\Adobe Illustrator CC 2015\Support Files\Contents\Windows\Illustrator.exe"]
>>> "C:\Users\grishenyaey\AppData\Roaming\Microsoft\Windows\SendTo\Skype.lnk" -> ["C:\Program Files (x86)\Skype\Phone\Skype.exe" =>> /sendto:]
>>> "C:\Users\grishenyaey\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Colours\Colours.lnk" -> ["C:\Program Files (x86)\Colours\Colours.exe"]
>>> "C:\Users\grishenyaey\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Colours\Сайт Colours в Интернете.lnk" -> ["C:\Program Files (x86)\Colours\Colours.url"]
>>> "C:\Users\grishenyaey\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Colours\Деинсталлировать Colours.lnk" -> ["C:\Program Files (x86)\Colours\unins000.exe"]
>>> "C:\Users\grishenyaey\AppData\Roaming\Microsoft\Windows\Start Menu\Надстройки Excel\FillDocuments.lnk" -> ["C:\Users\grishenyaey\Desktop\FillDocuments.xla"]
>>> "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WebPlugins\Device Web Plugin\Device Browser Ocx.lnk" -> ["C:\Users\popovichav\AppData\Roaming\WebPlugins\Device\IEFFChrome\RSWebHybridDVR.ocx"]
>>> "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WebPlugins\Device Web Plugin\Device Browser Plugin.lnk" -> ["C:\Users\popovichav\AppData\Roaming\WebPlugins\Device\IEFFChrome\npNvrRsVideo.dll"]
>>> "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WebPlugins\Device Web Plugin\Uninstall Device Browser Plugin.lnk" -> ["C:\Users\popovichav\AppData\Roaming\WebPlugins\Device\IEFFChrome\unins000.exe"]
Attach the resulting report.
Run HijackThis, located in the Autologger folder (on Windows Vista/7/8/10 it must be launched via right-click, "Run as administrator"), and fix only these lines:
Code:
R0 - HKU\S-1-5-21-2488715770-4235817966-3563374635-3191\Software\Microsoft\Internet Explorer\Main: [Search Bar] = https://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKA1VtC1mRJr0-ErU7DQvze26qMhqdJyFR41UjJS5JW0QvtJPM09eS0wSYRg7kvrj-zOv7T-g5KtPy54gIyKiA7-Xnh7DMPAZVDJbDWSZrk3ytOeoiZFX_HBra0BaGamNlZGYkIdIdHUEhQWmtICuV4ue1K3MTG8ZmRKhiLsZHoHRp_QDR0PyKnP&q={searchTerms}
R0 - HKU\S-1-5-21-2488715770-4235817966-3563374635-3191\Software\Microsoft\Internet Explorer\Main: [Search Page] = https://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKA1VtC1mRJr0-ErU7DQvze26qMhqdJyFR41UjJS5JW0QvtJPM09eS0wSYRg7kvrj-zOv7T-g5KtPy54gIyKiA7-Xnh7DMPAZVDJbDWSZrk3ytOeoiZFX_HBra0BaGamNlZGYkIdIdHUEhQWmtICuV4ue1K3MTG8ZmRKhiLsZHoHRp_QDR0PyKnP&q={searchTerms}
R0 - HKU\S-1-5-21-2488715770-4235817966-3563374635-3191\Software\Microsoft\Internet Explorer\Main: [Start Page] = http://mail.ru/cnt/10445?gp=834423
R0 - HKU\S-1-5-21-2488715770-4235817966-3563374635-3191\Software\Microsoft\Internet Explorer\Search: [Default_Search_URL] = https://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKA1VtC1mRJr0-ErU7DQvze26qMhqdJyFR41UjJS5JW0QvtJPM09eS0wSYRg7kvrj-zOv7T-g5KtPy54gIyKiA7-Xnh7DMPAZVDJbDWSZrk3ytOeoiZFX_HBra0BaGamNlZGYkIdIdHUEhQWmtICuV4ue1K3MTG8ZmRKhiLsZHoHRp_QDR0PyKnP&q={searchTerms}
R1 - HKU\S-1-5-21-2488715770-4235817966-3563374635-3191\Software\Microsoft\Internet Explorer\Main: [SearchAssistant] = https://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKA1VtC1mRJr0-ErU7DQvze26qMhqdJyFR41UjJS5JW0QvtJPM09eS0wSYRg7kvrj-zOv7T-g5KtPy54gIyKiA7-Xnh7DMPAZVDJbDWSZrk3ytOeoiZFX_HBra0BaGamNlZGYkIdIdHUEhQWmtICuV4ue1K3MTG8ZmRKhiLsZHoHRp_QDR0PyKnP&q={searchTerms}
R4 - SearchScopes: HKU\S-1-5-21-2488715770-4235817966-3563374635-3191\Software\Microsoft\Internet Explorer\SearchScopes\{ielnksrch}: [URL] = https://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKA1VtC1mRJr0-ErU7DQvze26qMhqdJyFR41UjJS5JW0QvtJPM09eS0wSYRg7kvrj-zOv7T-g5KtPy54gIyKiA7-Xnh7DMPAZVDJbDWSZrk3ytOeoiZFX_HBra0BaGamNlZGYkIdIdHUEhQWmtICuV4ue1K3MTG8ZmRKhiLsZHoHRp_QDR0PyKnP&q={searchTerms} - Search the web
Run this script in AVZ:
Code:
begin
SetServiceStart('Itcscrpt64', 4);
SetServiceStart('Itcsids64', 4);
SetServiceStart('Itcsrf', 4);
DeleteFile('C:\WINDOWS\system32\DRIVERS\Itcscrpt64.Sys', '64');
DeleteFile('C:\WINDOWS\system32\DRIVERS\Itcsids64.Sys', '64');
DeleteFile('C:\WINDOWS\system32\DRIVERS\Itcsrfv64.Sys', '64');
DeleteService('IplirControl');
DeleteService('Itcscrpt64');
DeleteService('Itcsids64');
DeleteService('itcsnatp');
DeleteService('Itcsrf');
DeleteService('ivpserver');
DeleteService('Rfacnmgr');
DeleteService('rfmanager');
DeleteService('ViPNetLn');
DeleteService('vipnetswagent');
DelBHO('{8E8F97CD-60B5-456F-A201-73065652D099}');
DelCLSID('{49D0F1D7-DD59-11D3-920D-009027A2B34E}');
RegKeyParamDel('HKEY_LOCAL_MACHINE', 'Software\Microsoft\Windows\CurrentVersion\Run', 'IPLIR', 'x32');
RegKeyParamDel('HKEY_LOCAL_MACHINE', 'Software\Microsoft\Windows\CurrentVersion\Run', 'RfAgent', 'x64');
RegKeyParamDel('HKEY_LOCAL_MACHINE', 'Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved', '{49D0F1D7-DD59-11D3-920D-009027A2B34E}', 'x32');
RegKeyParamDel('HKEY_LOCAL_MACHINE', 'Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved', '{49D0F1D7-DD59-11D3-920D-009027A2B34E}', 'x64');
RegKeyParamDel('HKEY_USERS', 'S-1-5-21-2488715770-4235817966-3563374635-3191\Software\Microsoft\Windows\CurrentVersion\Run', 'Nextcloud', 'x64');
RegKeyDel('HKEY_LOCAL_MACHINE', 'SYSTEM\CurrentControlSet\Services\Eventlog\ViPNet Security\PSWDKEYS', 'x64');
RegKeyDel('HKEY_LOCAL_MACHINE', 'SYSTEM\CurrentControlSet\Services\Eventlog\ViPNet Security\SECSERV', 'x64');
DeleteSchedulerTask('MailRuUpdater');
ExecuteWizard('SCU', 2, 2, true);
RebootWindows(false);
end.
The computer will reboot.
Download the Universal Virus Sniffer utility from here and create a full uVS autorun image.
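
Added example, not part of the original post: the HijackThis R0/R1/R4 lines above hide the search-hijacker host behind percent-encoding, and this Python sketch parses lines of that shape, decodes the host, and reports which entries had an encoded host. The sample lines are constructed (placeholder SID, shortened query string); the function names and the line regex are assumptions made for this illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Assumed line shape: "<section> - [<label>: ]<registry key>: [<value name>] = <data>"
LINE_RE = re.compile(
    r'^(?P<section>[A-Z]\d+) - (?:[\w ]+: )?(?P<key>HK[^:]+): '
    r'\[(?P<name>[^\]]+)\] = (?P<data>\S+)'
)

# Constructed sample lines modelled on the log above (SID and query are placeholders).
ENC = "https://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=PLACEHOLDER&q={searchTerms}"
IE = r"HKU\S-1-5-21-0-0-0-1000\Software\Microsoft\Internet Explorer"
SAMPLE = [
    "R0 - " + IE + r"\Main: [Search Bar] = " + ENC,
    "R0 - " + IE + r"\Main: [Start Page] = http://mail.ru/cnt/10445?gp=834423",
    "R4 - SearchScopes: " + IE + r"\SearchScopes\{ielnksrch}: [URL] = " + ENC + " - Search the web",
]


def analyse(line):
    """Parse one log line; return section, value name and decoded host, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    raw_host = urlsplit(m["data"]).hostname or ""
    return {
        "section": m["section"],
        "value": m["name"],
        "host": unquote(raw_host),           # readable host name
        "host_was_encoded": "%" in raw_host,  # obfuscation indicator
    }


def encoded_hosts(lines):
    """Return the sorted, de-duplicated hosts that were percent-encoded in the log."""
    found = set()
    for line in lines:
        info = analyse(line)
        if info and info["host_was_encoded"]:
            found.add(info["host"])
    return sorted(found)


if __name__ == "__main__":
    for entry in SAMPLE:
        print(analyse(entry))
    print("Percent-encoded hosts:", encoded_hosts(SAMPLE))
```
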