[решено] Вредоносное по на на китайском

thyrex · Конфигурация компьютера

Выполните скрипт в AVZ

Код:

begin
ShowMessage('Внимание! Перед выполнением скрипта AVZ автоматически закроет все сетевые подключения.' + #13#10 + 'После перезагрузки компьютера подключения к сети будут восстановлены в автоматическом режиме.');
ExecuteFile('net.exe', 'stop tcpip /y', 0, 15000, true);
if not IsWOW64
 then
  begin
   SearchRootkit(true, true);
   SetAVZGuardStatus(True);
  end;
QuarantineFile('C:\Users\Ильдарик\appdata\local\extension\chromeextensionupdater.exe','');
 QuarantineFile('C:\ProgramData\Kbupdater Utility\kbupdater-utility.exe','');
 QuarantineFile('C:\Users\Ильдарик\AppData\Roaming\newSI_1801\s_inst.exe','');
 QuarantineFile('C:\Users\Ильдарик\AppData\Local\ConvertAd\ConvertAd.exe','');
 DeleteFile('C:\Users\Ильдарик\AppData\Local\ConvertAd\ConvertAd.exe','32');
 DeleteFile('C:\Users\Ильдарик\AppData\Roaming\newSI_1801\s_inst.exe','32');
 DeleteFile('C:\ProgramData\Kbupdater Utility\kbupdater-utility.exe','32');
 DeleteFile('C:\Windows\system32\Tasks\Kbupdater Utility','32');
 DeleteFile('C:\Windows\Tasks\newSI_1801.job','32');
 DeleteFile('C:\Windows\system32\Tasks\newSI_1801','32');
 DeleteFile('C:\Users\Ильдарик\appdata\local\extension\chromeextensionupdater.exe','32');
 RegKeyParamDel('HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\baidu','command');
 RegKeyParamDel('HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ConvertAd','command');
 RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','baidusdTray');
DeleteFileMask('C:\Users\Ильдарик\AppData\Roaming\newSI_1801', '*', true);
DeleteDirectory('C:\Users\Ильдарик\AppData\Roaming\newSI_1801');
DeleteFileMask('C:\ProgramData\Kbupdater Utility', '*', true);
DeleteDirectory('C:\ProgramData\Kbupdater Utility');
 BC_ImportAll;
ExecuteSysClean;
BC_DeleteFile('c:\program files\common files\baidu\baiduhips\1.2.0.751\baiduhips.exe');
 BC_DeleteFile('c:\program files\common files\baidu\baiduprotect1.3\1.3.0.619\baiduprotect.exe');
 BC_DeleteFile('c:\program files\baidusd3.0\baidusd\3.0.0.4605\baidusdsvc.exe');
 BC_DeleteFile('c:\program files\common files\baidu\bddownload\108\bddownloader.exe');
 BC_DeleteFile('C:\Program Files\BaiduSd3.0\BaiduSd\3.0.0.4605\ad.dll');
 BC_DeleteFile('C:\Program Files\BaiduSd3.0\BaiduSd\3.0.0.4605\BAV\BavArchive.dll');
 BC_DeleteFile('C:\Program Files\BaiduSd3.0\BaiduSd\3.0.0.4605\BAV\BavCommon.dll');
 BC_DeleteFile('C:\Program Files\BaiduSd3.0\BaiduSd\3.0.0.4605\BAV\BavEngine.dll');
 BC_DeleteFile('C:\Program Files\BaiduSd3.0\BaiduSd\3.0.0.4605\BAV\BavFrame.dll');
 BC_DeleteFile('C:\Program Files\BaiduSd3.0\BaiduSd\3.0.0.4605\BAV\BavOle.dll');
 BC_DeleteFile('C:\Program Files\BaiduSd3.0\BaiduSd\3.0.0.4605\BAV\BavScanH.dll');
 BC_DeleteFile('C:\Program Files\BaiduSd3.0\BaiduSd\3.0.0.4605\BAV\BavScanM.dll');
 BC_DeleteFile('C:\Program Files\BaiduSd3.0\BaiduSd\3.0.0.4605\BAV\BavScanV.dll');
 BC_DeleteFile('C:\Program Files\BaiduSd3.0\BaiduSd\3.0.0.4605\BAV\BavUnpack.dll');
 BC_DeleteFile('C:\PROGRAM FILES\BAIDUSD3.0\BAIDUSD\3.0.0.4605\BDKVDOWNLOADPROTECT.DLL');
 BC_DeleteFile('C:\Program Files\BaiduSd3.0\BaiduSd\3.0.0.4605\BDLogicUtils.dll');
 BC_DeleteFile('C:\Program Files\BaiduSd3.0\BaiduSd\3.0.0.4605\bdmantivirus\BDKitUtils.dll');
 BC_DeleteFile('C:\Program Files\BaiduSd3.0\BaiduSd\3.0.0.4605\bdmantivirus\BDMAVCached.dll');
 BC_DeleteFile('C:\Program Files\BaiduSd3.0\BaiduSd\3.0.0.4605\bdmantivirus\BDMAVEng.dll');
 BC_DeleteFile('C:\Program Files\BaiduSd3.0\BaiduSd\3.0.0.4605\bdmantivirus\BDMPerfMon.dll');
 BC_DeleteFile('C:\Program Files\BaiduSd3.0\BaiduSd\3.0.0.4605\bdmantivirus\bduf.dll');
 BC_DeleteFile('C:\Program Files\BaiduSd3.0\BaiduSd\3.0.0.4605\bdmantivirus\TrustAndIso.dll');
 BC_DeleteFile('C:\Program Files\BaiduSd3.0\BaiduSd\3.0.0.4605\BDMAVE.dll');
 BC_DeleteFile('C:\Program Files\BaiduSd3.0\BaiduSd\3.0.0.4605\BDMDbSqlite.dll');
 BC_DeleteFile('C:\Program Files\BaiduSd3.0\BaiduSd\3.0.0.4605\BDMFrameWork.dll');
 BC_DeleteFile('C:\Program Files\BaiduSd3.0\BaiduSd\3.0.0.4605\BDMNet.dll');
 BC_DeleteFile('C:\Program Files\BaiduSd3.0\BaiduSd\3.0.0.4605\BDMReport.dll');
 BC_DeleteFile('C:\Program Files\BaiduSd3.0\BaiduSd\3.0.0.4605\DriverManager.dll');
 BC_DeleteFile('C:\Program Files\BaiduSd3.0\BaiduSd\3.0.0.4605\ntfsstrm.ppl');
 BC_DeleteFile('C:\Program Files\BaiduSd3.0\BaiduSd\3.0.0.4605\plugins\bdkvrtpplugins\FileMon.dll');
 BC_DeleteFile('C:\Program Files\BaiduSd3.0\BaiduSd\3.0.0.4605\plugins\bdkvrtpplugins\HIPSClient.dll');
 BC_DeleteFile('C:\Program Files\BaiduSd3.0\BaiduSd\3.0.0.4605\plugins\bdkvrtpplugins\PrivacyProtect.dll');
 BC_DeleteFile('C:\Program Files\Common Files\Baidu\BaiduHips\1.2.0.751\ad.dll');
 BC_DeleteFile('C:\Program Files\Common Files\Baidu\BaiduHips\1.2.0.751\BaiduHipsBusiness.dll');
 BC_DeleteFile('C:\Program Files\Common Files\Baidu\BaiduHips\1.2.0.751\BaiduHipsCore.dll');
 BC_DeleteFile('C:\Program Files\Common Files\Baidu\BaiduHips\1.2.0.751\BaiduPrevUIn.dll');
 BC_DeleteFile('C:\Program Files\Common Files\Baidu\BaiduHips\1.2.0.751\bd0001.dll');
 BC_DeleteFile('C:\Program Files\Common Files\Baidu\BaiduHips\1.2.0.751\BDConfig.dll');
 BC_DeleteFile('C:\Program Files\Common Files\Baidu\BaiduHips\1.2.0.751\BDLogicUtils.dll');
 BC_DeleteFile('C:\Program Files\Common Files\Baidu\BaiduHips\1.2.0.751\bdmantivirus\BDKitUtils.dll');
 BC_DeleteFile('C:\Program Files\Common Files\Baidu\BaiduHips\1.2.0.751\BDMAVCached.dll');
 BC_DeleteFile('C:\Program Files\Common Files\Baidu\BaiduHips\1.2.0.751\BDMAVEng.dll');
 BC_DeleteFile('C:\Program Files\Common Files\Baidu\BaiduHips\1.2.0.751\BDMBase.dll');
 BC_DeleteFile('C:\Program Files\Common Files\Baidu\BaiduHips\1.2.0.751\BDMFrameWork.dll');
 BC_DeleteFile('C:\Program Files\Common Files\Baidu\BaiduHips\1.2.0.751\BDMNet.dll');
 BC_DeleteFile('C:\Program Files\Common Files\Baidu\BaiduHips\1.2.0.751\BDMReport.dll');
 BC_DeleteFile('C:\Program Files\Common Files\Baidu\BaiduHips\1.2.0.751\BDMStringUtils.dll');
 BC_DeleteFile('C:\Program Files\Common Files\Baidu\BaiduHips\1.2.0.751\BDMTinyXml.dll');
 BC_DeleteFile('C:\Program Files\Common Files\Baidu\BaiduHips\1.2.0.751\DriverManager.dll');
 BC_DeleteFile('C:\Program Files\Common Files\Baidu\BaiduHips\1.2.0.751\TrustAndIso.dll');
 BC_DeleteFile('C:\Program Files\Common Files\Baidu\BaiduProtect1.3\1.3.0.619\ad.dll');
 BC_DeleteFile('C:\Program Files\Common Files\Baidu\BaiduProtect1.3\1.3.0.619\dynplugins\ArKit.dll');
 BC_DeleteFile('C:\Program Files\Common Files\Baidu\BaiduProtect1.3\1.3.0.619\DriverManager.dll');
 BC_DeleteFile('C:\Program Files\Common Files\Baidu\BaiduProtect1.3\1.3.0.619\bdsg0001.dll');
 BC_DeleteFile('C:\Program Files\Common Files\Baidu\BaiduProtect1.3\1.3.0.619\BDMReport.dll');
 BC_DeleteFile('C:\Program Files\Common Files\Baidu\BaiduProtect1.3\1.3.0.619\BDMNet.dll');
 BC_DeleteFile('C:\Program Files\Common Files\Baidu\BaiduProtect1.3\1.3.0.619\dynplugins\AssistReportPlugin.dll');
 BC_DeleteFile('C:\Program Files\Common Files\Baidu\BaiduProtect1.3\1.3.0.619\dynplugins\FileUpdatePlugin.dll');
 BC_DeleteFile('C:\Program Files\Common Files\Baidu\BaiduProtect1.3\1.3.0.619\dynplugins\FixSePlugin.dll');
 BC_DeleteFile('C:\Program Files\Common Files\Baidu\BaiduProtect1.3\1.3.0.619\dynplugins\HostPlugin.dll');
 BC_DeleteFile('C:\Program Files\Common Files\Baidu\BaiduProtect1.3\1.3.0.619\plugins\BaiduRepair.dll');
 BC_DeleteFile('C:\Program Files\Common Files\Baidu\BaiduProtect1.3\1.3.0.619\plugins\HIPS.dll');
 BC_DeleteFile('C:\Program Files\Common Files\Baidu\BaiduProtect1.3\1.3.0.619\SafeBrowserDll.dll');
 BC_DeleteFile('C:\Program Files\Common Files\Baidu\BDDownload\108\bdcomproxy.dll');
 BC_DeleteFile('C:\Program Files\Common Files\Baidu\BDDownload\108\dl.dll');
 BC_DeleteFile('C:\Windows\system32\DRIVERS\bd0001.sys');
 BC_DeleteFile('C:\Windows\system32\DRIVERS\bd0002.sys');
 BC_DeleteFile('C:\Windows\system32\DRIVERS\bd0003.sys');
 BC_DeleteFile('C:\Windows\system32\DRIVERS\bd0004.sys');
 BC_DeleteFile('C:\Windows\system32\DRIVERS\BDArKit.sys');
 BC_DeleteFile('C:\Windows\system32\drivers\BDDefense.sys');
 BC_DeleteFile('C:\Windows\system32\DRIVERS\BDFileDefend.sys');
 BC_DeleteFile('C:\Windows\system32\DRIVERS\BDMWrench.sys');
 BC_DeleteFile('C:\Windows\system32\DRIVERS\BDSafeBrowser.sys');
 BC_DeleteFile('C:\Windows\system32\DRIVERS\BdSandBox.sys');
 BC_DeleteFile('C:\Program Files\Common Files\Baidu\BaiduHips\1.2.0.751\BaiduHips.exe');
 BC_DeleteFile('C:\Program Files\BaiduSd3.0\BaiduSd\3.0.0.4605\BaiduSdSvc.exe');
 BC_DeleteFile('C:\Program Files\Common Files\Baidu\BaiduProtect1.3\1.3.0.619\BaiduProtect.exe');
 BC_DeleteFile('C:\Program Files\baidu\BindEx.exe');
 BC_DeleteSvc('BaiduHips');
 BC_DeleteSvc('BDKVRTP');
 BC_DeleteSvc('BDSGRTP');
 BC_DeleteSvc('bd0001');
 BC_DeleteSvc('bd0002');
 BC_DeleteSvc('bd0003');
 BC_DeleteSvc('bd0004');
 BC_DeleteSvc('BDArKit');
 BC_DeleteSvc('BDDefense');
 BC_DeleteSvc('BDFileDefend');
 BC_DeleteSvc('BDMWrench');
 BC_DeleteSvc('BDSafeBrowser');
 BC_DeleteSvc('BdSandBox');
BC_Activate;
RebootWindows(false);
end.

Компьютер перезагрузится.

Выполните скрипт в AVZ

Код:

begin
CreateQurantineArchive('c:\quarantine.zip');
end.

Отправьте c:\quarantine.zip при помощи этой формы

Исправьте ярлыки, в которых прописался вредоносный сайт (смотрите в поле Объект, перед сохранением изменений уберите метку Только чтение на вкладке Общие)

Цитата:

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome\Google Chrome.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Opera.lnk
C:\Users\Public\Desktop\Google Chrome.lnk
C:\Users\Public\Desktop\Opera.lnk
C:\Users\Ильдарик\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
C:\Users\Ильдарик\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
C:\Users\Ильдарик\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk
C:\Users\Ильдарик\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Opera.lnk
C:\Users\Ильдарик\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk
C:\Users\Ильдарик\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
C:\Users\Ильдарик\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Game - Total Domination.lnk
C:\Users\Ильдарик\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Plarium\Game - Total Domination.lnk

Сделайте новые логи

Скачайте ComboFix здесь и сохраните на Рабочий стол.

1. Внимание! Обязательно закройте все браузеры, временно выключите антивирус, firewall и другое защитное программное обеспечение. Не запускайте других программ во время работы Combofix. Combofix может отключить интернет через некоторое время после запуска, не переподключайте интернет, пока Combofix не завершит работу. Если интернет не появился после окончания работы Combofix, перезагрузите компьютер. Во время работы Combofix не нажимайте кнопки мыши, это может стать причиной зависания Combofix.
2. Запустите combofix.exe, когда процесс завершится, файл C:\ComboFix.txt прикрепите к сообщению.
Примечание: В случае, если ComboFix не запускается, переименуйте combofix.exe в combo@fix.exe