�� esetnod32.ru [��: �� Win64 / Adware.PBot]

�� Win64 / Adware.PBot

Mon, 14 Jan 2019 20:22:46 +0300

�� Win64 / Adware.PBot NOD32 �� Win64 / Adware.PBot � ��  � �� .
��.
�� :
https://forum.esetnod32.ru/forum9/topic13764/
14.01.2019 20:22:46, RP55 RP55.

�� Win64 / Adware.PBot

Mon, 14 Jan 2019 20:21:22 +0300

�� Win64 / Adware.PBot NOD32 �� Win64 / Adware.PBot � ��  � �� .
�� , �� , �� , �� . �� .
14.01.2019 20:21:22, �� .

�� Win64 / Adware.PBot

Mon, 14 Jan 2019 19:44:53 +0300

�� Win64 / Adware.PBot NOD32 �� Win64 / Adware.PBot � ��  � �� .
�� .[FILE ID=109672]

14.01.2019 19:44:53, �� .

�� Win64 / Adware.PBot

Mon, 14 Jan 2019 06:45:03 +0300

�� Win64 / Adware.PBot NOD32 �� Win64 / Adware.PBot � ��  � �� .
�� ESET ��: Antivirus �� Internet Security?
14.01.2019 06:45:03, santy.

�� Win64 / Adware.PBot

Sun, 13 Jan 2019 22:05:38 +0300

�� Win64 / Adware.PBot NOD32 �� Win64 / Adware.PBot � ��  � �� .
�� , �� , �� [FILE ID=109654]

13.01.2019 22:05:38, �� .

�� Win64 / Adware.PBot

Sun, 13 Jan 2019 21:55:15 +0300

�� Win64 / Adware.PBot NOD32 �� Win64 / Adware.PBot � ��  � �� .
�� https://www.virustotal.com/#/file/16a49c8afb007269af653e5301dd5d2e22b1507f6ffdac190af7065b8095f4ff/d...
https://www.virustotal.com/#/file/16a49c8afb007269af653e5301dd5d2e22b1507f6ffdac190af7065b8095f4ff/d...

�� ....
13.01.2019 21:55:15, �� .

�� Win64 / Adware.PBot

Sun, 13 Jan 2019 10:53:09 +0300

�� Win64 / Adware.PBot NOD32 �� Win64 / Adware.PBot � ��  � �� .
�� http://virustotal.com � ��

C:\PROGRAM FILES (X86)\GOOGLE\CHROME\APPLICATION\71.0.3578.98\CHROME.DLL
+
�� uVS:
- �� ;
- �� uVS(start.exe), �� : �� , �� - �� - �� ;
- �� ;
�� - �� _�� "��"
====code====


;uVS v4.1.2 [http://dsrt.dyndns.org]
;Target OS: NTv10.0
v400c
OFFSGNSAVE
;------------------------autoscript---------------------------

zoo %Sys32%\DRIVERS\ITSTTNSMRAGH.SYS
addsgn BABF20D2D686243A800DE63C597BEBFADAC671EBA5F81F78B60ACA0BD4EF054B2317A515B7518401A84186F9C3D63C103552FD7F56DAB065A6BC4C1E3AF9DD3B 64 Win64/Capcom.A 7

chklst
delvir

delref %SystemDrive%\USERS\VENIA\APPDATA\ROAMING\EVERYDAYHOLIDAY\PYTHON\PYTHONW.EXE
delref LOAD.PYC
delref HTTPS://CLIENTS2.GOOGLE.COM/SERVICE/UPDATE2/CRX?RESPONSE=REDIRECT&PRODVERSION=38.0&X=ID%3DGNDOICAPFDALDIOKBCDNLLFHNAPOKCBK%26INSTALLSOURCE%3DONDEMAND%26UC
delref HTTPS://CLIENTS2.GOOGLE.COM/SERVICE/UPDATE2/CRX?RESPONSE=REDIRECT&PRODVERSION=38.0&X=ID%3DIKPCPGKLMEFNCBFGBDIFKAPHBAAPGAFH%26INSTALLSOURCE%3DONDEMAND%26UC
delref HTTPS://CLIENTS2.GOOGLE.COM/SERVICE/UPDATE2/CRX?RESPONSE=REDIRECT&PRODVERSION=38.0&X=ID%3DMDHPACFHLJHCOMBKALCMKAHKHODPKBIM%26INSTALLSOURCE%3DONDEMAND%26UC
delref %SystemDrive%\USERS\VENIA\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\DKEKDLKMDPIPIHONAPOLEOPFEKMAPADH\2.0.2.15_1\��������� � ������
delref %SystemDrive%\USERS\VENIA\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\MDHPACFHLJHCOMBKALCMKAHKHODPKBIM\15.1.13.1_0\����� MAIL.RU
delref %SystemDrive%\USERS\VENIA\APPDATA\LOCAL\YANDEX\YANDEXBROWSER\USER DATA\DEFAULT\EXTENSIONS\NEHAPOFAKGHLJOPFEGJOGPGPELJKHJJN\8.24.0_0\����� � ��������� � ������
delref HTTP://CLIENTS2.GOOGLE.COM/SERVICE/UPDATE2/CRX?RESPONSE=REDIRECT&PRODVERSION=38.0&X=ID%3DDKEKDLKMDPIPIHONAPOLEOPFEKMAPADH%26INSTALLSOURCE%3DONDEMAND%26UC
apply

deltmp
delref %SystemDrive%\USERS\VENIA\APPDATA\LOCAL\TEMP\YANDEX_BROWSER_BITS_8064_26306\RESPONSE
delref %SystemDrive%\USERS\VENIA\APPDATA\LOCAL\TEMP\CHROME_BITS_7392_11471\4907_ALL_CRL-SET-8442666315293413759.DATA.CRX3
delref %SystemDrive%\USERS\VENIA\APPDATA\LOCAL\TEMP\CHROME_BITS_7012_592\32.0.0.114_WIN_PEPPERFLASHPLAYER.CRX3
delref %SystemDrive%\USERS\VENIA\APPDATA\LOCAL\TEMP\CHROME_BITS_9972_4242\4909_ALL_CRL-SET-3005835740647420984.DATA.CRX3
delref %SystemRoot%\SYSWOW64\BLANK.HTM
delref {23170F69-40C1-278A-1000-000100020000}\[CLSID]
delref {4A7C4306-57E0-4C0C-83A9-78C1528F618C}\[CLSID]
delref %Sys32%\BLANK.HTM
delref MBAMSERVICE\[SERVICE]
delref %SystemDrive%\USERS\VENIA\APPDATA\LOCAL\TEMP\E_S73E.TMP
;-------------------------------------------------------------

restart

=============
��, �� .
------------
13.01.2019 10:53:09, santy.

�� Win64 / Adware.PBot

Sun, 13 Jan 2019 10:15:01 +0300

�� Win64 / Adware.PBot NOD32 �� Win64 / Adware.PBot � ��  � �� .
��
DESKTOP-S9CRD6I_2019-01-13_10-06-01_v4.1.2.7z
13.01.2019 10:15:01, �� .

�� Win64 / Adware.PBot

Sun, 13 Jan 2019 09:49:14 +0300

�� Win64 / Adware.PBot NOD32 �� Win64 / Adware.PBot � ��  � �� .
��
13.01.2019 09:49:14, santy.

�� Win64 / Adware.PBot

Sun, 13 Jan 2019 08:47:55 +0300

�� Win64 / Adware.PBot NOD32 �� Win64 / Adware.PBot � ��  � �� .
��, �� [FILE ID=109642]

�� , �� 10.

13.01.2019 08:47:55, �� .

�� Win64 / Adware.PBot

Sun, 13 Jan 2019 08:46:44 +0300

�� Win64 / Adware.PBot NOD32 �� Win64 / Adware.PBot � ��  � �� .
��.

�� . �� [FILE ID=109641]

�� , � �� URL-�� ( zei) � �� . �� .

13.01.2019 08:46:44, �� .

�� Win64 / Adware.PBot

Sat, 12 Jan 2019 14:18:04 +0300

�� Win64 / Adware.PBot NOD32 �� Win64 / Adware.PBot � ��  � �� .
�� _�� .
12.01.2019 14:18:04, RP55 RP55.

�� Win64 / Adware.PBot

Sat, 12 Jan 2019 14:14:02 +0300

�� Win64 / Adware.PBot NOD32 �� Win64 / Adware.PBot � ��  � �� .
Fixlog.txt
Fixlog.txt
12.01.2019 14:14:02, �� .

�� Win64 / Adware.PBot

Sat, 12 Jan 2019 14:02:01 +0300

�� Win64 / Adware.PBot NOD32 �� Win64 / Adware.PBot � ��  � �� .
�� fixlist.txt � �� Farbar Recovery Scan Tool:
...
�� FRST � �� Fix � ��.

====code====

  

ContextMenuHandlers1: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} =>  -> No File
ContextMenuHandlers1: [BriefcaseMenu] -> {85BBD920-42A0-1069-A2E4-08002B30309D} =>  -> No File
ContextMenuHandlers3: [{4A7C4306-57E0-4C0C-83A9-78C1528F618C}] -> {4A7C4306-57E0-4C0C-83A9-78C1528F618C} =>  -> No File
ContextMenuHandlers4: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} =>  -> No File
ContextMenuHandlers6: [BriefcaseMenu] -> {85BBD920-42A0-1069-A2E4-08002B30309D} =>  -> No File
Task: {B2F4AC84-A8D0-4524-9363-BFF5A5911A00} - \Microsoft\Windows\BrokerInfrastructure\BgTaskRegistrationMaintenanceTask -> No File <==== ATTENTION
HKU\S-1-5-21-2860636378-2279114448-4052714680-1001\...\Run: [AdobeBridge] => [X]
GroupPolicy\User: Restriction ? <==== ATTENTION

EmptyTemp:
Reboot:

=============
�� FRST �� -�� (Fixlog.txt). ��, �� !
��, �� ...
�
�� _�� .
12.01.2019 14:02:01, RP55 RP55.

�� Win64 / Adware.PBot

Sat, 12 Jan 2019 13:45:04 +0300

�� Win64 / Adware.PBot NOD32 �� Win64 / Adware.PBot � ��  � �� .
FRST: �� .
12.01.2019 13:45:04, RP55 RP55.

�� Win64 / Adware.PBot

Sat, 12 Jan 2019 13:39:03 +0300

�� Win64 / Adware.PBot NOD32 �� Win64 / Adware.PBot � ��  � �� .
��[TABLE][TR][TD]AdwCleaner[C00].txt[/TD][/TR][/TABLE]�� FRST.txt � Addition.txt.
AdwCleaner[S02].txt
AdwCleaner[S01].txt
AdwCleaner[S00].txt
AdwCleaner[C00].txt
AdwCleaner[C02].txt
FRST.txt
Addition.txt
12.01.2019 13:39:03, �� .

�� Win64 / Adware.PBot

Sat, 12 Jan 2019 13:25:49 +0300

�� Win64 / Adware.PBot NOD32 �� Win64 / Adware.PBot � ��  � �� .
�� Malwarebytes - �� ( �� )

�� AdwCleaner
http://forum.esetnod32.ru/forum9/topic7084/

�� :
�� Mail.Ru � Yandex �� ( �� )
�� :
�� (Folders) �� Mail.Ru � Yandex �� [V]

�� AdwCleaner �� (Clean), ��
� ��

�� FRST: http://forum.esetnod32.ru/forum9/topic2798/
12.01.2019 13:25:49, RP55 RP55.

�� Win64 / Adware.PBot

Sat, 12 Jan 2019 13:18:55 +0300

�� Win64 / Adware.PBot NOD32 �� Win64 / Adware.PBot � ��  � �� .
��
�� .txt
12.01.2019 13:18:55, �� .

�� Win64 / Adware.PBot

Sat, 12 Jan 2019 12:56:20 +0300

�� Win64 / Adware.PBot NOD32 �� Win64 / Adware.PBot � ��  � �� .
�� - � �� .
uVS: start.exe, �� , ��, �� - �� .
�� , �� !
�� : �� !

====code====


;uVS v4.1.2 [http://dsrt.dyndns.org]
;Target OS: NTv10.0
v400c
OFFSGNSAVE
bl 25175B36F3CC974065E2077582D9B878 606208
uidel "C:\Users\venia\AppData\Roaming\SchedTaskSetup\unins000.exe"
deltmp
restart
;---------command-block---------
delref START.PYC
delall %SystemDrive%\USERS\VENIA\APPDATA\ROAMING\SCHEDTASKSETUP\SCHED.EXE
delref %Sys32%\DRIVERS\KRNSBNOKSNRS.SYS
del %Sys32%\DRIVERS\KRNSBNOKSNRS.SYS
delref HTTP://WWW.BING.COM/SEARCH?Q={SEARCHTERMS}&SRC=IE-SEARCHBOX&FORM=IESR02
delall %SystemDrive%\USERS\VENIA\APPDATA\ROAMING\YOUTUBEDOWNLOADER\PYTHON\_CTYPES.PYD
delall %SystemDrive%\USERS\VENIA\APPDATA\ROAMING\YOUTUBEDOWNLOADER\PYTHON\PYTHONW.EXE
delall %SystemDrive%\USERS\VENIA\APPDATA\ROAMING\YOUTUBEDOWNLOADER_UPD\PYTHON\PYTHONW.EXE
delref %SystemRoot%\SYSWOW64\HASPLMS.EXE
delref %SystemDrive%\USERS\VENIA\APPDATA\LOCAL\TEMP\CHROME_BITS_1568_23157\4907_ALL_CRL-SET-8442666315293413759.DATA.CRX3
delref %SystemDrive%\USERS\VENIA\APPDATA\LOCAL\TEMP\CHROME_BITS_1392_23049\4907_ALL_CRL-SET-8442666315293413759.DATA.CRX3
delref %SystemDrive%\PROGRAMDATA\BLUESTACKS\CLIENT\HELPER\BLUESTACKSHELPER.EXE
delref {E984D939-0E00-4DD9-AC3A-7ACA04745521}\[CLSID]
delref %SystemRoot%\SYSWOW64\MAPSTOASTTASK.DLL
delref %SystemRoot%\SYSWOW64\MAPSUPDATETASK.DLL
delref %SystemRoot%\SYSWOW64\PEERDISTSVC.DLL
delref %SystemRoot%\SYSWOW64\DRIVERS\TCPIP.SYS
delref %SystemRoot%\SYSWOW64\APPVETWCLIENTRES.DLL
delref %SystemRoot%\SYSWOW64\DRIVERS\MRXSMB.SYS
delref %SystemRoot%\SYSWOW64\DRIVERS\VMBKMCLR.SYS
delref %SystemRoot%\SYSWOW64\W32TIME.DLL
delref %SystemRoot%\SYSWOW64\DRIVERS\NDIS.SYS
delref %SystemRoot%\SYSWOW64\DRIVERS\USBXHCI.SYS
delref %SystemRoot%\SYSWOW64\DRIVERS\SRV2.SYS
delref %SystemRoot%\SYSWOW64\RDPCORETS.DLL
delref %SystemRoot%\SYSWOW64\DRIVERS\DXGMMS2.SYS
delref %SystemRoot%\SYSWOW64\DRIVERS\HTTP.SYS
delref %SystemRoot%\SYSWOW64\DRIVERS\WINNAT.SYS
delref %SystemRoot%\SYSWOW64\UMPOEXT.DLL
delref %SystemRoot%\SYSWOW64\DRIVERS\VMBUSR.SYS
delref %SystemRoot%\SYSWOW64\DRIVERS\DMVSC.SYS
delref %SystemRoot%\SYSWOW64\IPHLPSVC.DLL
delref %SystemRoot%\SYSWOW64\CSCSVC.DLL
delref %SystemRoot%\SYSWOW64\DRIVERS\VMBKMCL.SYS
delref %SystemRoot%\SYSWOW64\DRIVERS\REFS.SYS
delref %SystemRoot%\SYSWOW64\DRIVERS\SPACEPORT.SYS
delref %SystemRoot%\SYSWOW64\DRIVERS\FVEVOL.SYS
delref %SystemRoot%\SYSWOW64\DRIVERS\AFD.SYS
delref %SystemRoot%\SYSWOW64\PNRPSVC.DLL
delref %SystemRoot%\SYSWOW64\DRIVERS\PACER.SYS
delref %SystemRoot%\SYSWOW64\HVHOSTSVC.DLL
delref %SystemRoot%\SYSWOW64\LSM.DLL
delref %SystemRoot%\SYSWOW64\DRIVERS\SYNTH3DVSC.SYS
delref %SystemRoot%\SYSWOW64\IE4UINIT.EXE
delref %SystemRoot%\SYSWOW64\BLANK.HTM
delref {0F8604A5-4ECE-4DE1-BA7D-CF10F8AA4F48}\[CLSID]
delref {E6FB5E20-DE35-11CF-9C87-00AA005127ED}\[CLSID]
delref {23170F69-40C1-278A-1000-000100020000}\[CLSID]
delref {4A7C4306-57E0-4C0C-83A9-78C1528F618C}\[CLSID]
delref %Sys32%\DRIVERS\VMBUSR.SYS
delref %Sys32%\HVSICONTAINERSERVICE.DLL
delref %Sys32%\DRIVERS\UMDF\USBCCIDDRIVER.DLL
delref %Sys32%\BLANK.HTM
delref {FE8E6AD6-DABE-45E1-88C2-48DC4578924C}\[CLSID]
delref %Sys32%\DRIVERS\HDAUDADDSERVICE.SYS
delref HELPSVC\[SERVICE]
delref SACSVR\[SERVICE]
delref TBS\[SERVICE]
delref VMMS\[SERVICE]
delref MESSENGER\[SERVICE]
delref MPSSVC\[SERVICE]
delref RDSESSMGR\[SERVICE]
delref %Sys32%\DRIVERS\KADPDPDNMISH.SYS
delref %SystemDrive%\PROGRAM FILES (X86)\GOOGLE\UPDATE\1.3.33.17\PSMACHINE_64.DLL
delref %SystemDrive%\PROGRAM FILES (X86)\GOOGLE\UPDATE\1.3.33.7\PSMACHINE_64.DLL
delref %Sys32%\TETHERINGSETTINGHANDLER.DLL
delref %Sys32%\QUICKACTIONSPS.DLL
delref %Sys32%\CHTADVANCEDDS.DLL
delref %SystemDrive%\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\DAO\DAO360.DLL
delref %SystemRoot%\SYSWOW64\TTLSEXT.DLL
delref %SystemRoot%\SYSWOW64\SPEECH_ONECORE\COMMON\SPEECHRUNTIME.EXE
delref %SystemRoot%\SYSWOW64\TAPILUA.DLL
delref %SystemRoot%\SYSWOW64\WBEM\KEYBOARDFILTERWMI.DLL
delref %SystemRoot%\SYSWOW64\LOCATIONFRAMEWORK.DLL
delref %SystemRoot%\SYSWOW64\MAPSBTSVCPROXY.DLL
delref %SystemRoot%\SYSWOW64\EAPPCFGUI.DLL
delref %SystemRoot%\SYSWOW64\LISTSVC.DLL
delref %SystemRoot%\SYSWOW64\AUTHHOSTPROXY.DLL
delref %SystemDrive%\PROGRAM FILES (X86)\GOOGLE\UPDATE\1.3.33.17\PSMACHINE.DLL
delref %SystemRoot%\SYSWOW64\WBEM\NLMCIM.DLL
delref %SystemDrive%\PROGRAM FILES (X86)\GOOGLE\UPDATE\1.3.33.7\PSMACHINE.DLL
delref %SystemRoot%\SYSWOW64\RMSROAMINGSECURITY.DLL
delref %SystemRoot%\SYSWOW64\SYSTEMSETTINGSBROKER.EXE
delref %SystemRoot%\SYSWOW64\SPEECH_ONECORE\COMMON\SAPI_EXTENSIONS.DLL
delref %SystemRoot%\SYSWOW64\SMARTSCREEN.EXE
delref %SystemRoot%\SYSWOW64\GPSVC.DLL
delref %SystemRoot%\SYSWOW64\IDLISTEN.DLL
delref %SystemRoot%\SYSWOW64\WIFICONFIGSP.DLL
delref %SystemDrive%\PROGRAM FILES\COMMON FILES\SYSTEM\OLE DB\MSDAORA.DLL
delref H:\LENOVO_SUITE.EXE
delref H:\AUTORUN.EXE
delref %SystemDrive%\USERS\VENIA\DESKTOP\CHROME-WIN32\CHROME.EXE
delref %SystemDrive%\USERS\VENIA\APPDATA\LOCAL\PROGRAMS\OPERA\LAUNCHER.EXE
delref %SystemDrive%\USERS\VENIA\APPDATA\LOCAL\YANDEX\YANDEXBROWSER\APPLICATION\BROWSER.EXE
delref %SystemRoot%\TEMP\E_SD37C.TMP
delref {0AFC3C9A-22C8-4A22-AA33-BEEB423E2075}\[CLSID]
delref {263F09EA-853A-4F1A-BEFA-339D8467B909}\[CLSID]
delref %SystemDrive%\USERS\VENIA\APPDATA\ROAMING\JIVOSITE INC\JIVOSITE\JIVOSITE.EXE
apply

=============

+
�� (�� ) �� Malwarebytes
http://forum.esetnod32.ru/forum9/topic10688/

�� : �� .
�� ( � �� ).
�� .txt ( �� )
12.01.2019 12:56:20, RP55 RP55.

�� Win64 / Adware.PBot

Sat, 12 Jan 2019 12:20:39 +0300

�� Win64 / Adware.PBot NOD32 �� Win64 / Adware.PBot � ��  � �� .
��

�� uVS
http://forum.esetnod32.ru/forum9/topic2687/
12.01.2019 12:20:39, RP55 RP55.

�� Win64 / Adware.PBot

Sat, 12 Jan 2019 12:16:00 +0300

�� Win64 / Adware.PBot NOD32 �� Win64 / Adware.PBot � ��  � �� .
NOD32 �� Win64 / Adware.PBot � ��

�� https://my-files.ru/ep7m6i
12.01.2019 12:16:00, �� .

����� esetnod32.ru [����: ������ Win64 / Adware.PBot]

������ Win64 / Adware.PBot

������ Win64 / Adware.PBot

������ Win64 / Adware.PBot

������ Win64 / Adware.PBot

������ Win64 / Adware.PBot

������ Win64 / Adware.PBot

������ Win64 / Adware.PBot

������ Win64 / Adware.PBot

������ Win64 / Adware.PBot

������ Win64 / Adware.PBot

������ Win64 / Adware.PBot

������ Win64 / Adware.PBot

������ Win64 / Adware.PBot

������ Win64 / Adware.PBot

������ Win64 / Adware.PBot

������ Win64 / Adware.PBot

������ Win64 / Adware.PBot

������ Win64 / Adware.PBot

������ Win64 / Adware.PBot

������ Win64 / Adware.PBot

������ Win64 / Adware.PBot

�� esetnod32.ru [��: �� Win64 / Adware.PBot]

�� Win64 / Adware.PBot

�� Win64 / Adware.PBot

�� Win64 / Adware.PBot

�� Win64 / Adware.PBot

�� Win64 / Adware.PBot

�� Win64 / Adware.PBot

�� Win64 / Adware.PBot

�� Win64 / Adware.PBot

�� Win64 / Adware.PBot

�� Win64 / Adware.PBot

�� Win64 / Adware.PBot

�� Win64 / Adware.PBot

�� Win64 / Adware.PBot

�� Win64 / Adware.PBot

�� Win64 / Adware.PBot

�� Win64 / Adware.PBot

�� Win64 / Adware.PBot

�� Win64 / Adware.PBot

�� Win64 / Adware.PBot

�� Win64 / Adware.PBot

�� Win64 / Adware.PBot