�� = svchost.exe(2432);�� Win64/CoinMiner.DN

Sat, 15 Sep 2018 11:24:26 +0300

�� = svchost.exe(2432);�� Win64/CoinMiner.DN � �� .
IASSRV.DLL - �� Win64/CoinMiner.NZ ��
15.09.2018 11:24:26, ��.

�� = svchost.exe(2432);�� Win64/CoinMiner.DN

Fri, 14 Sep 2018 20:56:41 +0300

�� = svchost.exe(2432);�� Win64/CoinMiner.DN � �� .
�� IASSRV.DLL �� .
14.09.2018 20:56:41, ��.

�� = svchost.exe(2432);�� Win64/CoinMiner.DN

Fri, 14 Sep 2018 19:20:28 +0300

�� = svchost.exe(2432);�� Win64/CoinMiner.DN � �� .
��.
14.09.2018 19:20:28, RP55 RP55.

�� = svchost.exe(2432);�� Win64/CoinMiner.DN

Fri, 14 Sep 2018 18:23:48 +0300

�� = svchost.exe(2432);�� Win64/CoinMiner.DN � �� .
��, �� , �� . �� , �� (��).
�� ))
FRST.txt
Addition.txt
AdwCleaner[S03].txt
14.09.2018 18:23:48, �� .

�� = svchost.exe(2432);�� Win64/CoinMiner.DN

Fri, 14 Sep 2018 00:12:08 +0300

�� = svchost.exe(2432);�� Win64/CoinMiner.DN � �� .
�� - � �� .
uVS: start.exe, �� , ��, �� - �� .
�� , �� !
�� : �� !

====code====

;uVS v4.0.15 [http://dsrt.dyndns.org]
;Target OS: NTv10.0
v400c
OFFSGNSAVE
zoo %Sys32%\IASSRV.DLL
czoo
;---------command-block---------
delref HTTP://RU.4GAME.COM/POINTBLANK
delref HTTPS://CLIENTS2.GOOGLE.COM/SERVICE/UPDATE2/CRX?RESPONSE=REDIRECT&PRODVERSION=38.0&X=ID%3DMJBEPBHONBOJPOAENHCKJOCCHGFIAOFO%26INSTALLSOURCE%3DONDEMAND%26UC
delall %Sys32%\IASSRV.DLL
delref %SystemDrive%\PROGRAM FILES (X86)\ASUS\AI SUITE III\DIP4\DIPAWAYMODE\DIPAWAYMODE.EXE
delref {9F2B0085-9218-42A1-88B0-9F0E65851666}\[CLSID]
delref {E984D939-0E00-4DD9-AC3A-7ACA04745521}\[CLSID]
delref {FE285C8C-5360-41C1-A700-045501C740DE}\[CLSID]
delref {9CDA66BE-3271-4723-8D35-DD834C58AD92}\[CLSID]
delref %SystemRoot%\SYSWOW64\MAPSTOASTTASK.DLL
delref %SystemRoot%\SYSWOW64\MAPSUPDATETASK.DLL
delref {DEF03232-9688-11E2-BE7F-B4B52FD966FF}\[CLSID]
delref %SystemRoot%\SYSWOW64\PEERDISTSVC.DLL
delref %SystemRoot%\SYSWOW64\DRIVERS\TCPIP.SYS
delref %SystemRoot%\SYSWOW64\APPVETWCLIENTRES.DLL
delref %SystemRoot%\SYSWOW64\DRIVERS\MRXSMB.SYS
delref %SystemRoot%\SYSWOW64\DRIVERS\VMBKMCLR.SYS
delref %SystemRoot%\SYSWOW64\W32TIME.DLL
delref %SystemRoot%\SYSWOW64\DRIVERS\NDIS.SYS
delref %SystemRoot%\SYSWOW64\DRIVERS\USBXHCI.SYS
delref %SystemRoot%\SYSWOW64\DRIVERS\SRV2.SYS
delref %SystemRoot%\SYSWOW64\RDPCORETS.DLL
delref %SystemRoot%\SYSWOW64\DRIVERS\DXGMMS2.SYS
delref %SystemRoot%\SYSWOW64\DRIVERS\HTTP.SYS
delref %SystemRoot%\SYSWOW64\DRIVERS\WINNAT.SYS
delref %SystemRoot%\SYSWOW64\UMPOEXT.DLL
delref %SystemRoot%\SYSWOW64\DRIVERS\VMBUSR.SYS
delref %SystemRoot%\SYSWOW64\DRIVERS\DMVSC.SYS
delref %SystemRoot%\SYSWOW64\IPHLPSVC.DLL
delref %SystemRoot%\SYSWOW64\CSCSVC.DLL
delref %SystemRoot%\SYSWOW64\DRIVERS\SMBDIRECT.SYS
delref %SystemRoot%\SYSWOW64\DRIVERS\VMBKMCL.SYS
delref %SystemRoot%\SYSWOW64\DRIVERS\REFS.SYS
delref %SystemRoot%\SYSWOW64\DRIVERS\SPACEPORT.SYS
delref %SystemRoot%\SYSWOW64\DRIVERS\FVEVOL.SYS
delref %SystemRoot%\SYSWOW64\DRIVERS\AFD.SYS
delref %SystemRoot%\SYSWOW64\PNRPSVC.DLL
delref %SystemRoot%\SYSWOW64\DRIVERS\PACER.SYS
delref %SystemRoot%\SYSWOW64\HVHOSTSVC.DLL
delref %SystemRoot%\SYSWOW64\LSM.DLL
delref %SystemRoot%\SYSWOW64\DRIVERS\SYNTH3DVSC.SYS
delref {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}\[CLSID]
delref {166B1BCA-3F9C-11CF-8075-444553540000}\[CLSID]
delref {19916E01-B44E-4E31-94A4-4696DF46157B}\[CLSID]
delref {233C1507-6A77-46A4-9443-F871F945D258}\[CLSID]
delref {4063BE15-3B08-470D-A0D5-B37161CFFD69}\[CLSID]
delref {8AD9C840-044E-11D1-B3E9-00805F499D93}\[CLSID]
delref {CA8A9780-280D-11CF-A24D-444553540000}\[CLSID]
delref {CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA}\[CLSID]
delref %SystemRoot%\SYSWOW64\IE4UINIT.EXE
delref {E0DD6CAB-2D10-11D2-8F1A-0000F87ABD16}\[CLSID]
delref %SystemRoot%\SYSWOW64\BLANK.HTM
delref {0F8604A5-4ECE-4DE1-BA7D-CF10F8AA4F48}\[CLSID]
delref {E6FB5E20-DE35-11CF-9C87-00AA005127ED}\[CLSID]
delref {BBACC218-34EA-4666-9D7A-C78F2274A524}\[CLSID]
delref {5AB7172C-9C11-405C-8DD5-AF20F3606282}\[CLSID]
delref {A78ED123-AB77-406B-9962-2A5D9D2F7F30}\[CLSID]
delref {F241C880-6982-4CE5-8CF7-7085BA96DA5A}\[CLSID]
delref {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\[CLSID]
delref {9AA2F32D-362A-42D9-9328-24A483E2CCC3}\[CLSID]
delref {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\[CLSID]
delref %Sys32%\DRIVERS\VMBUSR.SYS
delref {A910D941-9DA9-4656-8933-AA1EAE01F76E}\[CLSID]
delref {E8C77137-E224-5791-B6E9-FF0305797A13}\[CLSID]
delref %Sys32%\DRIVERS\VNVDIMM.SYS
delref %Sys32%\HVSICONTAINERSERVICE.DLL
delref %Sys32%\DRIVERS\INVDIMM.SYS
delref %Sys32%\DRIVERS\NVDIMMN.SYS
delref %Sys32%\DRIVERS\UMDF\USBCCIDDRIVER.DLL
delref %Sys32%\UNP\UNPCAMPAIGNMANAGER.EXE
delref %SystemDrive%\PROGRAM FILES (X86)\COMMON FILES\ADOBE\OOBE\PDAPP\CCM\UTILITIES\NPADOBEAAMDETECT64.DLL
delref %Sys32%\BLANK.HTM
delref %Sys32%\DRIVERS\HDAUDADDSERVICE.SYS
delref HELPSVC\[SERVICE]
delref SACSVR\[SERVICE]
delref TBS\[SERVICE]
delref VMMS\[SERVICE]
delref BROWSER\[SERVICE]
delref MESSENGER\[SERVICE]
delref RDSESSMGR\[SERVICE]
delref %Sys32%\DRIVERS\PORTTALK.SYS
delref %SystemDrive%\PROGRAM FILES (X86)\GOOGLE\UPDATE\1.3.33.7\PSMACHINE_64.DLL
delref %Sys32%\TETHERINGSETTINGHANDLER.DLL
delref %Sys32%\QUICKACTIONSPS.DLL
delref %Sys32%\CHTADVANCEDDS.DLL
delref %SystemDrive%\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\DAO\DAO360.DLL
delref %SystemRoot%\SYSWOW64\TTLSEXT.DLL
delref %SystemRoot%\SYSWOW64\SPEECH_ONECORE\COMMON\SPEECHRUNTIME.EXE
delref %SystemRoot%\SYSWOW64\TAPILUA.DLL
delref %SystemRoot%\SYSWOW64\WBEM\KEYBOARDFILTERWMI.DLL
delref %SystemRoot%\SYSWOW64\LOCATIONFRAMEWORK.DLL
delref %SystemRoot%\SYSWOW64\MAPSBTSVCPROXY.DLL
delref %SystemRoot%\SYSWOW64\EAPPCFGUI.DLL
delref %SystemRoot%\SYSWOW64\LISTSVC.DLL
delref %SystemRoot%\SYSWOW64\AUTHHOSTPROXY.DLL
delref %SystemRoot%\SYSWOW64\WBEM\NLMCIM.DLL
delref %SystemDrive%\PROGRAM FILES (X86)\GOOGLE\UPDATE\1.3.33.7\PSMACHINE.DLL
delref %SystemRoot%\SYSWOW64\RMSROAMINGSECURITY.DLL
delref %SystemRoot%\SYSWOW64\SYSTEMSETTINGSBROKER.EXE
delref %SystemRoot%\SYSWOW64\SPEECH_ONECORE\COMMON\SAPI_EXTENSIONS.DLL
delref %SystemRoot%\SYSWOW64\SMARTSCREEN.EXE
delref %SystemRoot%\SYSWOW64\GPSVC.DLL
delref %SystemRoot%\SYSWOW64\IDLISTEN.DLL
delref %SystemRoot%\SYSWOW64\WIFICONFIGSP.DLL
delref %SystemDrive%\PROGRAM FILES\COMMON FILES\SYSTEM\OLE DB\MSDAORA.DLL
delref %SystemDrive%\USERS\4MYGA\APPDATA\ROAMING\ACESTREAM\EXTENSIONS\AWE\FIREFOX\ACEWEBEXTENSION_UNLISTED.XPI
delref %SystemDrive%\USERS\4MYGA\APPDATA\LOCAL\MICROSOFT\ONEDRIVE\ONEDRIVE.EXE
deltmp
restart
apply

=============

+
1) �� uVS (� �� , �� ,
��: 2010-10-04_13-30-55.rar/7z)
... �� sendvirus2011@gmail.com ;
*** �� , �� ZOO � �� infected

2) �� AdwCleaner
http://forum.esetnod32.ru/forum9/topic7084/

�� :
�� Mail.Ru � Yandex �� ( �� )
�� :
�� (Folders) �� Mail.Ru � Yandex �� [V]

�� AdwCleaner �� (Clean), ��
� ��

3) �� FRST: http://forum.esetnod32.ru/forum9/topic2798/
14.09.2018 00:12:08, RP55 RP55.

�� = svchost.exe(2432);�� Win64/CoinMiner.DN

Thu, 13 Sep 2018 18:55:16 +0300

�� = svchost.exe(2432);�� Win64/CoinMiner.DN � �� .
��. �� Win64/CoinMiner.DN. �� 4-5 ��
�� , �� ;��;�� = svchost.exe(2432);�� Win64/CoinMiner.DN �� ;�� ;;;D42D41FC375EE887229CCDEE9317A7DE6E0E37F6; �� 5 �� , �� . �� NOD32, drWeb Cure IT,Malwarebytes �� . �� , �� . �� , �� .
DESKTOP-6R2HLSF_2018-09-13_19-39-25.7z
13.09.2018 18:55:16, �� .

����� esetnod32.ru [����: ����������� ������ = svchost.exe(2432);���������������� Win64/CoinMiner.DN]

����������� ������ = svchost.exe(2432);���������������� Win64/CoinMiner.DN

����������� ������ = svchost.exe(2432);���������������� Win64/CoinMiner.DN

����������� ������ = svchost.exe(2432);���������������� Win64/CoinMiner.DN

����������� ������ = svchost.exe(2432);���������������� Win64/CoinMiner.DN

����������� ������ = svchost.exe(2432);���������������� Win64/CoinMiner.DN

����������� ������ = svchost.exe(2432);���������������� Win64/CoinMiner.DN

�� esetnod32.ru [��: �� = svchost.exe(2432);�� Win64/CoinMiner.DN]

�� = svchost.exe(2432);�� Win64/CoinMiner.DN

�� = svchost.exe(2432);�� Win64/CoinMiner.DN

�� = svchost.exe(2432);�� Win64/CoinMiner.DN

�� = svchost.exe(2432);�� Win64/CoinMiner.DN

�� = svchost.exe(2432);�� Win64/CoinMiner.DN

�� = svchost.exe(2432);�� Win64/CoinMiner.DN