// AVZ remediation script for one specific infected machine (user profile "welcome").
// Order of phases: prepare -> quarantine samples -> delete files -> remove scheduled
// tasks / service / directories / registry autoruns -> system repair -> reboot.
// The statement order matters: everything is quarantined before it is deleted.
// The paths, task names and registry values are host-specific findings; do not reuse
// this script on another system without regenerating it from that system's logs.
begin
// --- Preparation ---
// Rootkit scan with both flags enabled (presumably user-mode and kernel-mode hook handling; confirm against the AVZ docs).
SearchRootkit(true, true);
// Enable AVZGuard while the script runs.
SetAVZGuardStatus(True);
// Runs "net stop tcpip /y"; presumably to cut network access during cleanup. 15000 looks like a timeout in ms (confirm).
ExecuteFile('net.exe', 'stop tcpip /y', 0, 15000, true);
// Empty the existing quarantine before collecting new samples.
ClearQuarantineEx(true);
// Set service 'Kyubey' to start type 4 (the Windows value for "disabled"), then stop it, so it cannot restart before removal.
SetServiceStart('Kyubey', 4);
StopService('Kyubey');
// --- Quarantine phase: copy samples aside before anything is deleted ---
// QuarantineFileF takes a directory plus a mask list of executable/script types; the 'true' flag is presumably recursion (confirm).
// Most local32spl.dll locations are listed twice: once as-is and once with a trailing underscore on the directory name.
QuarantineFileF('c:\program files\youtube adblock', '*.exe, *.dll, *.sys, *.bat, *.vbs, *.js*, *.tmp*', true, '', 0 , 0);
QuarantineFileF('c:\users\welcome\appdata\locallow\youtube adblock', '*.exe, *.dll, *.sys, *.bat, *.vbs, *.js*, *.tmp*', true, '', 0 , 0);
QuarantineFile('C:\Users\welcome\AppData\Local\Temp\local32spl.dll', '');
QuarantineFile('C:\Users\welcome\AppData\Local\Temp_\local32spl.dll', '');
// NOTE(review): 'C:\Program Files\Dumetain\' is quarantined here and on the kaeentthohodomCln.dll line below,
// but no DeleteFile/DeleteFileMask/DeleteDirectory call in this script targets it. Confirm whether that is intentional.
QuarantineFileF('C:\Program Files\Dumetain\', '*.exe, *.dll, *.sys, *.bat, *.vbs, *.js*, *.tmp*', true, '', 0, 0);
QuarantineFile('C:\Users\welcome\AppData\Roaming\Opera Software\Opera Stable\local32spl.dll', '');
QuarantineFile('C:\Users\welcome\AppData\Roaming\Opera Software\Opera Stable_\local32spl.dll', '');
QuarantineFile('C:\Windows\Temp\local32spl.dll', '');
QuarantineFile('C:\Windows\Temp_\local32spl.dll', '');
QuarantineFile('D:\Program Files\MSUser.Default\Help_3\local32spl.dll', '');
// A file named lsass.exe under C:\Windows\cidd_p\ rather than System32: a system-process name in a non-system location.
// NOTE(review): it is quarantined only; there is no matching DeleteFile call in this script.
QuarantineFile('C:\Windows\cidd_p\lsass.exe', '');
QuarantineFile('C:\Users\welcome\AppData\Local\ComDev\ComDev.exe', '');
QuarantineFile('C:\Program Files\Dumetain\kaeentthohodomCln.dll', '');
QuarantineFile('c:\users\welcome\appdata\roaming\winsapsvc\winsap.dll', '');
QuarantineFile('C:\local32spl.dll', '');
QuarantineFile('C:\_\local32spl.dll', '');
QuarantineFileF('C:\Users\welcome\AppData\Local\ComDev\', '*.exe, *.dll, *.sys, *.bat, *.vbs, *.js*, *.tmp*', true, '', 0, 0);
QuarantineFileF('C:\Users\welcome\AppData\Roaming\Kyubey\', '*.exe, *.dll, *.sys, *.bat, *.vbs, *.js*, *.tmp*', true, '', 0, 0);
QuarantineFile('D:\Program Files\MSUser.Default\Help_3_\local32spl.dll', '');
QuarantineFileF('C:\Program Files\MIO', '*.exe, *.dll, *.sys, *.bat, *.vbs, *.js*, *.tmp*', true, '', 0, 0);
QuarantineFile('D:\Program Files\MSUser.Default\Help_4\local32spl.dll', '');
QuarantineFileF('C:\Users\welcome\AppData\Roaming\WinSnare\', '*.exe, *.dll, *.sys, *.bat, *.vbs, *.js*, *.tmp*', true, '', 0, 0);
QuarantineFile('D:\Program Files\MSUser.Default\Help_4_\local32spl.dll', '');
QuarantineFile('D:\Program Files\MSUser.Default\Help_5\local32spl.dll', '');
QuarantineFile('D:\Program Files\MSUser.Default\Help_5_\local32spl.dll', '');
QuarantineFileF('c:\users\welcome\appdata\roaming\winsapsvc\', '*.exe, *.dll, *.sys, *.bat, *.vbs, *.js*, *.tmp*', true, '', 0, 0);
QuarantineFile('D:\Program Files\MSUser.Default\Help_6\local32spl.dll', '');
QuarantineFile('D:\Program Files\MSUser.Default\Help_6_\local32spl.dll', '');
QuarantineFile('C:\Program Files\Youtube AdBlock\local32spl.dll', '');
QuarantineFile('C:\Users\welcome\AppData\LocalLow\Youtube AdBlock\local32spl.dll', '');
// NOTE(review): the argument below is a whole command line (quoted exe path, -bindurl and a URL), not a file path.
// Unless AVZ normalises such strings, this call probably matches nothing. The MIO directory itself is already
// covered by the QuarantineFileF call on 'C:\Program Files\MIO' above.
QuarantineFile('"C:\Program Files\MIO\MIO.exe" -bindurl http://api.suibianmaimaicom.com/toshibaxmk6465gsx_51qsc1nvtxx51qsc1nvt.dat cmd=', '');
QuarantineFile('C:\Windows\configuration\configuration.exe', '');
// Browser shortcuts (.lnk/.url) are collected for inspection; this script quarantines them but never deletes them.
// Several of the names below appear to mix Cyrillic look-alike letters into Latin browser names, so they can sit
// next to the genuine shortcuts. The string literals must stay byte-identical for the paths to match.
QuarantineFile('C:\Users\welcome\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk', '');
QuarantineFile('C:\Users\welcome\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Intеrnеt Ехрlоrеr (Nо Аdd-оns).lnk', '');
QuarantineFile('C:\Users\welcome\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Intеrnеt Ехрlоrеr.lnk', '');
QuarantineFile('C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Моzillа Firеfох.lnk', '');
QuarantineFile('C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ореrа.lnk', '');
QuarantineFile('C:\Users\welcome\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\Mozilla Firefox.lnk', '');
QuarantineFile('C:\Users\welcome\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Gооglе Сhrоmе.lnk', '');
QuarantineFile('C:\Users\welcome\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ICQ\Портал Mail.Ru.lnk', '');
QuarantineFile('C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Proxy Switcher Standard\Setting Up Mozilla FireFox Tutorial.lnk', '');
QuarantineFile('C:\Users\welcome\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\Opera Internet Browser.lnk', '');
QuarantineFile('C:\Users\welcome\AppData\Local\Microsoft\Start Menu\Вoйти в Интeрнeт.lnk', '');
QuarantineFile('C:\Users\welcome\Favorites\Links\Интернет.url', '');
// --- Deletion phase: remove the individual files quarantined above ---
// The second argument '32' is passed on every call; its meaning is not shown here (presumably a 32/64-bit selector; confirm).
DeleteFile('C:\_\local32spl.dll', '32');
DeleteFile('C:\local32spl.dll', '32');
DeleteFile('c:\users\welcome\appdata\roaming\winsapsvc\winsap.dll', '32');
DeleteFile('C:\Users\welcome\AppData\Local\ComDev\ComDev.exe', '32');
DeleteFile('C:\Users\welcome\AppData\Local\Temp\local32spl.dll', '32');
DeleteFile('C:\Users\welcome\AppData\Local\Temp_\local32spl.dll', '32');
DeleteFile('C:\Users\welcome\AppData\Roaming\Opera Software\Opera Stable\local32spl.dll', '32');
DeleteFile('C:\Users\welcome\AppData\Roaming\Opera Software\Opera Stable_\local32spl.dll', '32');
DeleteFile('C:\Windows\Temp\local32spl.dll', '32');
DeleteFile('C:\Windows\Temp_\local32spl.dll', '32');
DeleteFile('D:\Program Files\MSUser.Default\Help_3\local32spl.dll', '32');
DeleteFile('D:\Program Files\MSUser.Default\Help_3_\local32spl.dll', '32');
DeleteFile('D:\Program Files\MSUser.Default\Help_4\local32spl.dll', '32');
DeleteFile('D:\Program Files\MSUser.Default\Help_4_\local32spl.dll', '32');
DeleteFile('D:\Program Files\MSUser.Default\Help_5\local32spl.dll', '32');
DeleteFile('D:\Program Files\MSUser.Default\Help_5_\local32spl.dll', '32');
DeleteFile('D:\Program Files\MSUser.Default\Help_6\local32spl.dll', '32');
DeleteFile('D:\Program Files\MSUser.Default\Help_6_\local32spl.dll', '32');
DeleteFile('C:\Program Files\Youtube AdBlock\local32spl.dll', '32');
DeleteFile('C:\Users\welcome\AppData\LocalLow\Youtube AdBlock\local32spl.dll', '32');
// NOTE(review): same command-line-as-path string as in the quarantine phase; MIO.exe is removed in practice by the
// DeleteFileMask/DeleteDirectory calls on 'C:\Program Files\MIO' further down.
DeleteFile('"C:\Program Files\MIO\MIO.exe" -bindurl http://api.suibianmaimaicom.com/toshibaxmk6465gsx_51qsc1nvtxx51qsc1nvt.dat cmd=', '32');
DeleteFile('C:\Windows\configuration\configuration.exe', '32');
// --- Persistence removal: scheduled tasks ---
// Force-delete (/F) five tasks by name: three GUID-named ones plus "ComDev" and "Milimili".
ExecuteFile('schtasks.exe', '/delete /TN "{5834A835-7541-4850-8BD8-B5E899E72321}" /F', 0, 15000, true);
ExecuteFile('schtasks.exe', '/delete /TN "{4B5E2D5C-B79A-46E8-BA60-A1D497DF36C0}" /F', 0, 15000, true);
ExecuteFile('schtasks.exe', '/delete /TN "ComDev" /F', 0, 15000, true);
ExecuteFile('schtasks.exe', '/delete /TN "{7785B8DE-D1CF-41B6-9869-853EE2C1867F}" /F', 0, 15000, true);
ExecuteFile('schtasks.exe', '/delete /TN "Milimili" /F', 0, 15000, true);
// --- Persistence removal: service registration (the service was disabled and stopped at the top) ---
DeleteService('Kyubey');
// --- Remove the remaining contents of the dropped directories, then the directories themselves ---
DeleteFileMask('C:\Users\welcome\AppData\Roaming\Kyubey\', '*', true);
DeleteFileMask('C:\Program Files\MIO', '*', true);
DeleteFileMask('C:\Users\welcome\AppData\Roaming\WinSnare\', '*', true);
DeleteFileMask('c:\users\welcome\appdata\roaming\winsapsvc\', '*', true);
DeleteFileMask('c:\program files\youtube adblock', '*', true);
DeleteFileMask('c:\users\welcome\appdata\locallow\youtube adblock', '*', true);
DeleteDirectory('C:\Users\welcome\AppData\Roaming\Kyubey\');
DeleteDirectory('C:\Program Files\MIO');
DeleteDirectory('C:\Users\welcome\AppData\Roaming\WinSnare\');
DeleteDirectory('c:\users\welcome\appdata\roaming\winsapsvc\');
DeleteDirectory('c:\program files\youtube adblock');
DeleteDirectory('c:\users\welcome\appdata\locallow\youtube adblock');
// --- Persistence removal: registry ---
// Only the ServiceDll value under each service's Parameters key is removed.
// NOTE(review): the WinSAPSvc and WinSnare service keys themselves are not deleted by this script (only 'Kyubey' gets DeleteService).
RegKeyParamDel('HKEY_LOCAL_MACHINE', 'SYSTEM\CurrentControlSet\Services\WinSAPSvc\Parameters', 'ServiceDll');
RegKeyParamDel('HKEY_LOCAL_MACHINE', 'SYSTEM\CurrentControlSet\Services\WinSnare\Parameters', 'ServiceDll');
// Per-user Run autostart value with a random-looking name.
RegKeyParamDel('HKEY_CURRENT_USER', 'Software\Microsoft\Windows\CurrentVersion\Run', 'tzxcqlkhfa');
// 'command' values of four MSConfig startupreg entries, also with random-looking names.
RegKeyParamDel('HKEY_LOCAL_MACHINE', 'SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\lgusttezxj', 'command');
RegKeyParamDel('HKEY_LOCAL_MACHINE', 'SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\nnpkfspuvv', 'command');
RegKeyParamDel('HKEY_LOCAL_MACHINE', 'SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\rofzcamfya', 'command');
RegKeyParamDel('HKEY_LOCAL_MACHINE', 'SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\rpfqebuqdx', 'command');
// --- Finalisation ---
// BC_* calls drive AVZ's Boot Cleaner: presumably BC_ImportALL hands it the lists built above and BC_Activate arms it
// for the next boot, so files locked now are handled before they can load (confirm against the AVZ docs).
BC_ImportALL;
// System cleanup pass, run after the deletions (presumably clears leftover references to the removed files; confirm).
ExecuteSysClean;
// AVZ system-restore functions number 3 and 4; what each number resets is not shown here. Check the AVZ restore list before reuse.
ExecuteRepair(3);
ExecuteRepair(4);
// Troubleshooting wizard run with profile 'SCU'; the meaning of the numeric arguments is not shown here. TODO confirm.
ExecuteWizard('SCU', 2, 3, true);
BC_Activate;
// Reboot; it is issued immediately after BC_Activate, so the Boot Cleaner work runs during that restart.
RebootWindows(true);
end.