�� esetnod32.ru [��: �� Todo Mysa, ok]

�� Todo Mysa, ok

Mon, 01 Apr 2019 13:45:32 +0300

�� Todo Mysa, ok � �� .
��,
�� , �� , �� %SystemDrive%\PROGRAM FILES\FONTEXPERT\FONTEXPERT.EXE. (�� )

�� .
https://forum.esetnod32.ru/forum9/topic13764//

� �� .
01.04.2019 13:45:32, santy.

�� Todo Mysa, ok

Mon, 01 Apr 2019 13:41:25 +0300

�� Todo Mysa, ok � �� .
� �� DarkGalaxy.
��, �� , �� . �� , �� . ��

��, �� , �� . �� . �� . �� .

�� !
01.04.2019 13:41:25, �� .

�� Todo Mysa, ok

Mon, 01 Apr 2019 13:26:55 +0300

�� Todo Mysa, ok � �� .
�� ____*

�� :

�� uVS:
- �� ;
- �� uVS(start.exe), �� : �� , �� - �� - �� ;
- �� ;
�� - �� _�� "��"
====code====


;uVS v4.1.4 [http://dsrt.dyndns.org]
;Target OS: NTv6.1
v400c
OFFSGNSAVE
;------------------------autoscript---------------------------

zoo %SystemDrive%\PROGRAM FILES\FONTEXPERT\FONTEXPERT.EXE
addsgn 6E8C9F9A556A4C2F8839A93CE913E9FADA0AC5F7867E5D7A85C303BD515DB467A67838A8C1DC1826D07F7B9EC389B20582525D91AE254F2D2B22F245876E2263 8 Win32/LockScreen.BAS 7

chklst
delvir

delref %SystemDrive%\USERS\�����\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\91YH7QU6.DEFAULT\EXTENSIONS\HELPER-SIG@SAVEFROM.NET.XPI
delref HTTP://CLIENTS2.GOOGLE.COM/SERVICE/UPDATE2/CRX?RESPONSE=REDIRECT&PRODVERSION=38.0&X=ID%3DGKDKFNBDDPDPIDBPNLJCOCPJEAAFNGDB%26INSTALLSOURCE%3DONDEMAND%26UC
delref HTTP://CLIENTS2.GOOGLE.COM/SERVICE/UPDATE2/CRX?RESPONSE=REDIRECT&PRODVERSION=38.0&X=ID%3DMOIHLEDLMCHHOFENPACBHPHNBNPAKGMO%26INSTALLSOURCE%3DONDEMAND%26UC
apply

deltmp
delref %SystemDrive%\PROGRAM FILES (X86)\GOOGLE\UPDATE\1.3.34.7\RECOVERY\GURCF7E.TMP\GOOGLEUPDATESETUP.CRX3
delref %SystemRoot%\SYSWOW64\BLANK.HTM
delref %Sys32%\BLANK.HTM
delref %Sys32%\DRIVERS\89214746.SYS
delref %Sys32%\PSXSS.EXE
delref %SystemDrive%\PROGRAM FILES\ADOBE\ADOBE PREMIERE PRO CS6\WMENCODINGHELPER.EXE
delref D:\PROGRAM FILES\ADOBE\ADOBE AFTER EFFECTS CS5.5\SUPPORT FILES\AFTERFX.EXE
delref D:\PROGRAM FILES\ADOBE\ADOBE AFTER EFFECTS CS5.5\MOCHA\BIN\MOCHA4AE_ADOBE.EXE
;-------------------------------------------------------------

restart

=============
��, �� .
------------

====quote====
�� . (�� ). �� ?
=============

��, �� MS-17-010 �� .
01.04.2019 13:26:55, santy.

�� Todo Mysa, ok

Mon, 01 Apr 2019 13:22:46 +0300

�� Todo Mysa, ok � �� .
�� _��_�� _______*

HitmanPro 3.8 � �� C:\PROGRAM FILES (X86)\TROJAN REMOVER\TRUPD.EXE ��, �� .
�� : �� , �� mbam, adwcleaner, FRST
01.04.2019 13:22:46, santy.

�� Todo Mysa, ok

Mon, 01 Apr 2019 13:16:47 +0300

�� Todo Mysa, ok � �� .
��, �� . �� .
01.04.2019 13:16:47, santy.

�� Todo Mysa, ok

Mon, 01 Apr 2019 12:42:34 +0300

�� Todo Mysa, ok � �� .
�� - �� TDSSKiller, �� . ��. �� 32. � �� .

�� . ��
�� . ��.
�� . ��
�� . ��

��. �� . �� 32 � �� . �� .
�� . (�� )
�� , �� . (�� )
�� - ��
�� . � �� -��

�� ! svhost �� 2 � ��

� �� . �� ... �� 11:43 ... �� 12 40

�� : �� . (�� ). �� ? �� . �� - ��
��_��_�� _______��-��_2019-04-01_11-12-10_v4.1.2.7z
�� ____��-��_2019-04-01_11-43-52_v4.1.2.7z

01.04.2019 12:42:34, �� .

�� Todo Mysa, ok

Mon, 01 Apr 2019 11:30:58 +0300

�� Todo Mysa, ok � �� .
�� _��_��_��_____* �� ipsec ��.

��, �� :
�� killer-�� (�� ) � �� , �� mbr �� .
�� ,
� �� (�� uVS) �� .
--------

�� , �� .
01.04.2019 11:30:58, santy.

�� Todo Mysa, ok

Mon, 01 Apr 2019 11:04:00 +0300

�� Todo Mysa, ok � �� .
�� ..... �� . �� 32 ...... �� , �� , ��. �� , �� , �� .
��_��_��_��_____��-��_2019-04-01_10-52-25_v4.1.2.7z
01.04.2019 11:04:00, �� .

�� Todo Mysa, ok

Mon, 01 Apr 2019 10:48:21 +0300

�� Todo Mysa, ok � �� .
====code====

10:21:06.0719 0x0f78  ============================================================
10:21:06.0719 0x0f78  Scan finished
10:21:06.0719 0x0f78  ============================================================
10:21:06.0730 0x0ec8  Detected object count: 2
10:21:06.0730 0x0ec8  Actual detected object count: 2
10:24:43.0945 0x0ec8  System memory - cured
10:24:43.0945 0x0ec8  System memory ( MEM:Rootkit.Win64.DarkGalaxy.a ) - User select action: Cure 
10:24:44.0685 0x0ec8  \Device\Harddisk0\DR0\# - copied to quarantine
10:24:44.0685 0x0ec8  \Device\Harddisk0\DR0 - copied to quarantine
10:24:44.0711 0x0ec8  \Device\Harddisk0\DR0 ( Rootkit.Boot.DarkGalaxy.a ) - will be cured on reboot
10:24:44.0713 0x0ec8  \Device\Harddisk0\DR0 - ok
10:24:44.0713 0x0ec8  \Device\Harddisk0\DR0 ( Rootkit.Boot.DarkGalaxy.a ) - User select action: Cure

=============

�� tdsskiller,
�� ,

� �� tdsskiller, � �� (�� )

�� MS-17-010 �� ,
http://download.windowsupdate.com/d/msdownload/update/software/secu/2017/02/windows6.1-kb4012212-x64_2decefaa02e2058dcd965702509a992d8c4e92b3.msu
01.04.2019 10:48:21, santy.

�� Todo Mysa, ok

Mon, 01 Apr 2019 10:45:02 +0300

�� Todo Mysa, ok � �� .
�� . �� . �� uVS�� . TDSSKiller �� . 0 ��

�� 32 �� (�� "�� )

��

01.04.2019 10:45:02, �� .

�� Todo Mysa, ok

Mon, 01 Apr 2019 10:35:57 +0300

�� Todo Mysa, ok � �� .
� �� . TDSSKILLER ��. �� .. �� . ��
�� TDSSKiller.txt

01.04.2019 10:35:57, �� .

�� Todo Mysa, ok

Mon, 01 Apr 2019 10:27:24 +0300

�� Todo Mysa, ok � �� .
�� , �� MBR#0 [149,0GB] �� .
(�� )

�� tdsskiller

====quote====
�� ,
http://media.kaspersky.com/utilities/VirusUtilities/RU/tdsskiller.exe
�� . (�� -�� )
=============
+

�� uVS

�� uVS:
- �� ;
- �� uVS(start.exe), �� : �� , �� - �� - �� ;
- �� ;
�� - �� _�� "��"
====code====


;uVS v4.1.3 [http://dsrt.dyndns.org]
;Target OS: NTv6.1
v400c
OFFSGNSAVE
regt 26
regt 27
QUIT

=============
�� , �� .
01.04.2019 10:27:24, santy.

�� Todo Mysa, ok

Mon, 01 Apr 2019 10:19:46 +0300

�� Todo Mysa, ok � �� .
�� , ��. �� , �� . �� 10, �� . �� (�� 4 �� , �� - �� ) ... �� - ��, �� . �� , ��
��

�� , �� . ��

�� . �� TDSSKiller-�� ... �� . �� - DarkGalaxy. ... ��
MWB_�� .txt
�� ____��-��_2019-04-01_10-10-32_v4.1.2.7z
�� TDSSKiller.txt

01.04.2019 10:19:46, �� .

�� Todo Mysa, ok

Mon, 01 Apr 2019 08:46:20 +0300

�� Todo Mysa, ok � �� .
�� , �� :
Trojan.BitCoinMiner, C:\WINDOWS\TEMP\CONHOST.EXE, �� , [609], [589425],1.0.9940

�� Windows (WMI): 3
Hijack.BitCoinMiner.WMI, \\��-��\ROOT\subscription:__FilterToConsumerBinding.Consumer="CommandLineEventConsumer.Name=\"fuckyoumm4\"",Filter="__EventFilter.Name=\"fuckyoumm3\"", �� , [14548], [621747],1.0.9940
Hijack.BitCoinMiner.WMI, \\��-��\ROOT\subscription:__EventFilter.Name="fuckyoumm3", �� , [14548], [621747],1.0.9940
Hijack.BitCoinMiner.WMI, \\��-��\ROOT\subscription:CommandLineEventConsumer.Name="fuckyoumm4", �� , [14548], [621747],1.0.9940

�� IPSec ��
Active IPSec Policy [Local]: SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecPolicy{7dc75e5e-a9d9-443e-8d2d-e8b216c9090c}
--------------
� �� BOOT.DarkGalaxy, (� �� MBR)

�� ,
�� ,
��

+
�� ,
http://media.kaspersky.com/utilities/VirusUtilities/RU/tdsskiller.exe
�� . (�� -�� )
01.04.2019 08:46:20, santy.

�� Todo Mysa, ok

Sun, 31 Mar 2019 19:25:19 +0300

�� Todo Mysa, ok � �� .
�� . �� .

��
�� -��. � �� - "45.58.135.106
103.213.246.23
ok.mymyxmra.ru
18.218.14.96
74.222.14.61
78.142.29.152
"
�� , ��

� �� 32 - "egui" = ""C:\Program Files\ESET\ESET Security\ecmds.exe" /launch /hide" �� . �� .. � �� . � �� , � � xpdown.dat � ��

��
��-��.txt
��-��-2.txt
31.03.2019 19:25:19, �� .

�� Todo Mysa, ok

Sun, 31 Mar 2019 15:19:33 +0300

�� Todo Mysa, ok � �� .
��

�� - � �� .
uVS: start.exe, �� , ��, �� - �� .
�� , �� !
�� : �� !

====code====

;uVS v4.1.2 [http://dsrt.dyndns.org]
;Target OS: NTv6.1
v400c
OFFSGNSAVE
deltmp
regt 26
restart
;---------command-block---------
delref HTTP://CLIENTS2.GOOGLE.COM/SERVICE/UPDATE2/CRX?RESPONSE=REDIRECT&PRODVERSION=38.0&X=ID%3DDHDGFFKKEBHMKFJOJEJMPBLDMPOBFKFO%26INSTALLSOURCE%3DONDEMAND%26UC
delref HTTP://CLIENTS2.GOOGLE.COM/SERVICE/UPDATE2/CRX?RESPONSE=REDIRECT&PRODVERSION=38.0&X=ID%3DDMPOJJILDDEFGNHIICJCMHBKJGBBCLOB%26INSTALLSOURCE%3DONDEMAND%26UC
delref %SystemDrive%\PROGRAM FILES (X86)\TROJAN REMOVER\TRANTIHJ.EXE
delref %SystemRoot%\SYSWOW64\TBSSVC.DLL
delref %SystemRoot%\SYSWOW64\DRIVERS\NDIS.SYS
delref %SystemRoot%\SYSWOW64\UMPO.DLL
delref %SystemRoot%\SYSWOW64\IPHLPSVC.DLL
delref %SystemRoot%\SYSWOW64\PNRPSVC.DLL
delref %SystemRoot%\SYSWOW64\DRIVERS\PACER.SYS
delref %SystemRoot%\SYSWOW64\LSM.EXE
delref {166B1BCA-3F9C-11CF-8075-444553540000}\[CLSID]
delref {233C1507-6A77-46A4-9443-F871F945D258}\[CLSID]
delref {CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA}\[CLSID]
delref {D27CDB6E-AE6D-11CF-96B8-444553540000}\[CLSID]
delref %SystemRoot%\SYSWOW64\WIN32K.SYS
delref %SystemDrive%\PROGRAM FILES (X86)\OPERA\LAUNCHER.EXE
delref {E0DD6CAB-2D10-11D2-8F1A-0000F87ABD16}\[CLSID]
delref %SystemDrive%\PROGRAM FILES (X86)\GOOGLE\CHROME\APPLICATION\63.0.3239.84\INSTALLER\CHRMSTP.EXE
delref %SystemRoot%\SYSWOW64\BLANK.HTM
delref {E6FB5E20-DE35-11CF-9C87-00AA005127ED}\[CLSID]
delref %SystemDrive%\PROGRAM FILES (X86)\GOOGLE\CHROME\APPLICATION\73.0.3683.86\INSTALLER\CHRMSTP.EXE
delref %Sys32%\BLANK.HTM
delref APPMGMT\[SERVICE]
delref HELPSVC\[SERVICE]
delref SACSVR\[SERVICE]
delref VMMS\[SERVICE]
delref MESSENGER\[SERVICE]
delref RDSESSMGR\[SERVICE]
delref %Sys32%\ATI2EVXX.EXE
delref %SystemDrive%\USERS\08E7~1\APPDATA\LOCAL\TEMP\GPU-Z.SYS
delref %Sys32%\DRIVERS\PFC.SYS
delref %SystemDrive%\PROGRAM FILES (X86)\COMMON FILES\CONIME.EXE
delref %Sys32%\PSXSS.EXE
delref %SystemDrive%\PROGRAM FILES\AUTODESK\3DS MAX 2016\INVENTOR SERVER\BIN\TESTSERVER.DLL
delref %SystemDrive%\PROGRAM FILES (X86)\BLUESTACKS\BSTKSVC.EXE
delref %SystemDrive%\PROGRAM FILES (X86)\GOOGLE\UPDATE\1.3.33.23\PSMACHINE_64.DLL
delref %SystemDrive%\PROGRAM FILES (X86)\GOOGLE\UPDATE\1.3.28.1\PSMACHINE_64.DLL
delref %SystemDrive%\PROGRAM FILES (X86)\GOOGLE\UPDATE\1.3.28.15\PSMACHINE_64.DLL
delref %SystemDrive%\PROGRAM FILES (X86)\BLUESTACKS\BSTKC.DLL
delref %SystemDrive%\PROGRAM FILES (X86)\GOOGLE\UPDATE\1.3.33.17\PSMACHINE_64.DLL
delref %SystemDrive%\PROGRAM FILES (X86)\GOOGLE\UPDATE\1.3.33.5\PSMACHINE_64.DLL
delref %SystemDrive%\PROGRAM FILES (X86)\GOOGLE\UPDATE\1.3.33.7\PSMACHINE_64.DLL
delref %SystemDrive%\PROGRAM FILES\ADOBE\ADOBE PREMIERE PRO CS6\WMENCODINGHELPER.EXE
delref %Sys32%\SHAREMEDIACPL.CPL
delref %SystemDrive%\PROGRAM FILES (X86)\GOOGLE\UPDATE\1.3.33.23\PSMACHINE.DLL
delref %SystemDrive%\PROGRAM FILES (X86)\GOOGLE\UPDATE\1.3.28.1\PSMACHINE.DLL
delref %SystemDrive%\PROGRAM FILES (X86)\GOOGLE\UPDATE\1.3.28.15\PSMACHINE.DLL
delref %SystemDrive%\PROGRAM FILES (X86)\GOOGLE\UPDATE\1.3.33.17\PSMACHINE.DLL
delref %SystemDrive%\PROGRAM FILES (X86)\CREATIVE\SHAREDLL\PFMOD.DLL
delref %SystemDrive%\PROGRAM FILES (X86)\GOOGLE\UPDATE\1.3.33.5\PSMACHINE.DLL
delref %SystemDrive%\PROGRAM FILES (X86)\GOOGLE\UPDATE\1.3.33.7\PSMACHINE.DLL
delref %SystemDrive%\PROGRAM FILES (X86)\ADOBESUPPORT FILES\CONTENTS\WINDOWS\ILLUSTRATOR.EXE
delref %SystemDrive%\PROGRAM FILES (X86)\GOOGLE\UPDATE\1.3.33.23\GOOGLEUPDATEBROKER.EXE
delref %SystemDrive%\PROGRAM FILES (X86)\ADOBE\ADOBE ILLUSTRATOR CS6\ADOBE ILLUSTRATOR CS6\SUPPORT FILES\CONTENTS\WINDOWS\ILLUSTRATOR.EXE
delref K:\AUTORUN\CDRUN.EXE
delref G:\AUTORUN.EXE
delref %SystemDrive%\USERS\�����\APPDATA\LOCAL\PROGRAMS\OPERA\LAUNCHER.EXE
delref {92780B25-18CC-41C8-B9BE-3C9C571A8263}\[CLSID]
delref D:\PROGRAM FILES\ADOBE\ADOBE AFTER EFFECTS CS5.5\SUPPORT FILES\AFTERFX.EXE
delref %SystemDrive%\PROGRAM FILES (X86)\LOOKSBUILDER\LOOKSBUILDERPL.EXE
delref %SystemRoot%\INSTALLER\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}\APPLESOFTWAREUPDATEICO.EXE
delref D:\PROGRAM FILES\ADOBE\ADOBE AFTER EFFECTS CS5.5\MOCHA\BIN\MOCHA4AE_ADOBE.EXE
delref %SystemRoot%\INSTALLER\{5783F2D7-7001-0419-0102-0060B0CE6BBA}\ACAD162_ICON.EXE
delref %SystemDrive%\PROGRAM FILES\AUTODESK\3DS MAX DESIGN 2010\3DSMAX.EXE
delref %SystemDrive%\PROGRAM FILES\AUTODESK\3DS MAX DESIGN 2010\JSR\M3GPLAYER.EXE
delref %SystemDrive%\PROGRAM FILES\AUTODESK\3DS MAX DESIGN 2010\MAXFIND.EXE
delref %SystemDrive%\PROGRAM FILES\CHAOS GROUP\UNINSTALL\INSTALLER.EXE
delref %SystemDrive%\PROGRAM FILES\CHAOS GROUP\VRLSERVICE.EXE
delref %SystemDrive%\PROGRAM FILES\CHAOS GROUP\SETVRLSERVICE.EXE
delref %SystemDrive%\PROGRAM FILES\CHAOS GROUP\STARTVRLSERVICE.EXE
delref %SystemDrive%\PROGRAM FILES\CHAOS GROUP\TOOLS\FILTER_GENERATOR.EXE
delref %SystemDrive%\PROGRAM FILES\CHAOS GROUP\TOOLS\IMAPVIEWER.EXE
delref %SystemDrive%\PROGRAM FILES\CHAOS GROUP\TOOLS\LENS_ANALYZER.EXE
delref %SystemDrive%\PROGRAM FILES\CHAOS GROUP\TOOLS\VRMESH_VIEWER.EXE
delref %SystemDrive%\PROGRAM FILES\CHAOS GROUP\V-RAY\3DSMAX 2010 FOR X64\UNINSTALL\WININSTALLER.EXE
delref %SystemDrive%\PROGRAM FILES\AUTODESK\3DS MAX DESIGN 2010\VRAYSPAWNER2010.EXE
delref %SystemDrive%\PROGRAM FILES\CHAOS GROUP\V-RAY\RT FOR 3DS MAX 2010 FOR X64\BIN\VRAYRTSPAWNER.EXE
delref %SystemDrive%\PROGRAM FILES\CHAOS GROUP\V-RAY\RT FOR 3DS MAX 2010 FOR X64\BIN\OCLDEVICESELECT.EXE
delref %SystemRoot%\INSTALLER\{90110419-6000-11D3-8CFE-0150048383C9}\XLICONS.EXE
delref %SystemRoot%\INSTALLER\{90110419-6000-11D3-8CFE-0150048383C9}\WORDICON.EXE
delref %SystemRoot%\INSTALLER\{90110419-6000-11D3-8CFE-0150048383C9}\MSPICONS.EXE
delref %SystemRoot%\INSTALLER\{90110419-6000-11D3-8CFE-0150048383C9}\OISICON.EXE
delref %SystemRoot%\INSTALLER\{90110419-6000-11D3-8CFE-0150048383C9}\MISC.EXE
delref %SystemRoot%\INSTALLER\{90110419-6000-11D3-8CFE-0150048383C9}\CAGICON.EXE
delref %SystemRoot%\INSTALLER\{90110419-6000-11D3-8CFE-0150048383C9}\OPWICON.EXE
delref %SystemDrive%\PROGRAM FILES (X86)\STREAMTRANSPORT\HELP.URL
delref %SystemDrive%\PROGRAMDATA\APPDATA\LOCAL\UMMYVIDEODOWNLOADER\UMMYVIDEODOWNLOADER.EXE
delall %SystemDrive%\USERS\�����\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\91YH7QU6.DEFAULT\EXTENSIONS\HELPER-SIG@SAVEFROM.NET.XPI
apply

=============

+
�� (�� ) �� Malwarebytes
http://forum.esetnod32.ru/forum9/topic10688/

�� : �� .
�� ( � �� ).
�� .txt ( �� )
31.03.2019 15:19:33, RP55 RP55.

�� Todo Mysa, ok

Sun, 31 Mar 2019 08:33:57 +0300

�� Todo Mysa, ok � �� .
�� Smart Security (�� Todo Mysa, ok)
� �� - "egui" = ""C:\Program Files\ESET\ESET Security\ecmds.exe" /launch /hide" ��
��-��_2019-03-31_08-24-42_v4.1.2.7z
SysInspector-��-��-190331-083439.zip
31.03.2019 08:33:57, �� .

����� esetnod32.ru [����: ����� ������ ������� Todo Mysa, ok]

����� ������ ������� Todo Mysa, ok

����� ������ ������� Todo Mysa, ok

����� ������ ������� Todo Mysa, ok

����� ������ ������� Todo Mysa, ok

����� ������ ������� Todo Mysa, ok

����� ������ ������� Todo Mysa, ok

����� ������ ������� Todo Mysa, ok

����� ������ ������� Todo Mysa, ok

����� ������ ������� Todo Mysa, ok

����� ������ ������� Todo Mysa, ok

����� ������ ������� Todo Mysa, ok

����� ������ ������� Todo Mysa, ok

����� ������ ������� Todo Mysa, ok

����� ������ ������� Todo Mysa, ok

����� ������ ������� Todo Mysa, ok

����� ������ ������� Todo Mysa, ok

����� ������ ������� Todo Mysa, ok

�� esetnod32.ru [��: �� Todo Mysa, ok]

�� Todo Mysa, ok

�� Todo Mysa, ok

�� Todo Mysa, ok

�� Todo Mysa, ok

�� Todo Mysa, ok

�� Todo Mysa, ok

�� Todo Mysa, ok

�� Todo Mysa, ok

�� Todo Mysa, ok

�� Todo Mysa, ok

�� Todo Mysa, ok

�� Todo Mysa, ok

�� Todo Mysa, ok

�� Todo Mysa, ok

�� Todo Mysa, ok

�� Todo Mysa, ok

�� Todo Mysa, ok