Asi problém s virem update-client a V2

[Terror755]

Dobrý den,
potřeboval bych poradit nebo spíš pomoc nevím proč ale pořad se ze souboru update-client na doménu xmrpool.eu snaží jít odchozí nějaká odezva a soubor viz.

Výstřižek.JPG (31.27 KiB) Zobrazeno 1691 x

příloha nejde odstranit a když jde znovu se objeví používám jak je vidět viz příloha program Malwarebytes dřív mi odebíral procesor skoro na 50% těď jak ho program blokuje tak nic ale pořád nevím jak se toho hlášení zbavit nebo spíše zamezit předem děkuji za rady a pomoc.

[Rudy]

Zdravím!
Je to soubor od HP, takže by neměl být nebezpečný. Dejte logy FRST+Addition: https://forum.viry.cz/viewtopic.php?f=13&t=154679 .

[Terror755]

Tady viz příloha

[Rudy]

Spusťte tuto utilitu:

Ulozte na plochu AdwCleaner https://malwarebytes.com/adwcleaner/ nebo http://www.bleepingcomputer.com/download/adwcleaner/

ukoncete vsechny programy
odsouhlaste licencni podmiky (EULA) klikem na Souhlasim
kliknete pravym na ikonu AdwCleaneru a vyberte Spustit jako spravce (v pripade Win XP spustte obycejne dvojklikem)
kliknete na Skenovat nyni (Scan now), pote na Cisteni a opravy (Clean and Repair)
po restartu na Vas vyskoci log (pripadne jej najdete v C:\AdwCleaner\Logs\AdwCleaner[Cxx].txt), jehoz obsah zkopirujte do pristi odpovedi

[Terror755]

Děkuji a tady je v rar. i text

# Support: https://www.malwarebytes.com/support
#
# -------------------------------
# Mode: Clean
# -------------------------------
# Start: 02-18-2019
# Duration: 00:00:01
# OS: Windows 10 Home
# Cleaned: 11
# Failed: 2


***** [ Services ] *****

No malicious services cleaned.

***** [ Folders ] *****

No malicious folders cleaned.

***** [ Files ] *****

Deleted C:\Windows\System32\drivers\swdumon.sys

***** [ DLL ] *****

No malicious DLLs cleaned.

***** [ WMI ] *****

No malicious WMI cleaned.

***** [ Shortcuts ] *****

No malicious shortcuts cleaned.

***** [ Tasks ] *****

No malicious tasks cleaned.

***** [ Registry ] *****

Deleted HKLM\Software\Wow6432Node\SlimWare Utilities Inc

***** [ Chromium (and derivatives) ] *****

Deleted AVG Secure Search
Deleted Seznam doplněk - Email
Deleted Seznam doplněk - Esko

***** [ Chromium URLs ] *****

Deleted http://mysearch.avg.com?cid={4B9503D6-8 ... 2014-04-02 17:10:53&v=18.1.9.786&pid=safeguard&sg=&sap=hp
Deleted http://mysearch.avg.com?cid={4B9503D6-8 ... 2014-04-02 17:10:53&v=18.1.9.786&pid=safeguard&sg=&sap=hp
Not Deleted AVG Secure Search
Not Deleted AVG Secure Search
Deleted http://mysearch.avg.com?cid={4B9503D6-8 ... 2014-04-02 17:10:53&v=18.1.9.786&pid=safeguard&sg=&sap=hp
Deleted http://mysearch.avg.com?cid={4B9503D6-8 ... 2014-04-02 17:10:53&v=18.1.9.786&pid=safeguard&sg=&sap=hp
Deleted AVG Secure Search
Deleted AVG Secure Search

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries cleaned.

***** [ Firefox URLs ] *****

No malicious Firefox URLs cleaned.


*************************

[+] Delete Tracing Keys
[+] Reset Winsock

*************************

AdwCleaner[S00].txt - [4437 octets] - [18/02/2019 13:54:11]
AdwCleaner[C00].txt - [4091 octets] - [18/02/2019 13:54:47]
AdwCleaner[S01].txt - [2921 octets] - [18/02/2019 14:10:40]
AdwCleaner[C01].txt - [2845 octets] - [18/02/2019 14:10:52]
AdwCleaner[S02].txt - [2998 octets] - [18/02/2019 16:17:14]

########## EOF - C:\AdwCleaner\Logs\AdwCleaner[C02].txt ##########

[Rudy]

Dejte nový log FRST.

[Terror755]

tady nový

[Rudy]

Otevřte poznámkový blok a zkopírujte do něj:

Start

CloseProcesses:
C:\Users\oldaz\appdata\roaming\system\update-client.exe
BHO: No Name -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> No File
BHO-x32: No Name -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> No File
Toolbar: HKLM - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
Toolbar: HKLM-x32 - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
FF Plugin-x32: @google.com/zxwebplugin -> C:\WINDOWS\system32\npzxwebplugin.dll [No File]
CHR HomePage: Default -> hxxp://mysearch.avg.com?cid={4B9503D6-85F6-49BA-A2EC-71164DD6E4F6}&mid=141d51aaef9d47d2a6a3d16c64cfa861-ad1491be2ce6c122f6b66faa90e70c2decf7d34c&lang=cs&ds=AVG&coid=avgtbavg&cmpid=&pr=fr&d=2014-04-02 17:10:53&v=18.1.9.786&pid=safeguard&sg=&sap=hp
CHR StartupUrls: Default -> "hxxp://mysearch.avg.com?cid={4B9503D6-85F6-49BA-A2EC-71164DD6E4F6}&mid=141d51aaef9d47d2a6a3d16c64cfa861-ad1491be2ce6c122f6b66faa90e70c2decf7d34c&lang=cs&ds=AVG&coid=avgtbavg&cmpid=&pr=fr&d=2014-04-02 17:10:53&v=18.1.9.786&pid=safeguard&sg=&sap=hp","hxxps://www.google.com/"
CHR DefaultSearchURL: Default -> hxxp://mysearch.avg.com/search?cid={4B9503D6-85F6-49BA-A2EC-71164DD6E4F6}&mid=141d51aaef9d47d2a6a3d16c64cfa861-ad1491be2ce6c122f6b66faa90e70c2decf7d34c&lang=cs&ds=AVG&coid=avgtbavg&cmpid=&pr=fr&d=2014-04-02 17:10:53&v=18.0.5.292&pid=safeguard&sg=&sap=dsp&q={searchTerms}
CHR DefaultSearchKeyword: Default -> mysearch.avg.com_
CHR DefaultNewTabURL: Default -> hxxps://mysearch.avg.com/chroment?espv=2&cid={4B9503D6-85F6-49BA-A2EC-71164DD6E4F6}&mid=141d51aaef9d47d2a6a3d16c64cfa861-ad1491be2ce6c122f6b66faa90e70c2decf7d34c&lang=cs&ds=AVG&pr=fr&d=2014-04-02 17:10:53&v=18.1.0.443&pid=safeguard&sg=
CHR DefaultSuggestURL: Default -> hxxp://toolbar.avg.com/acp?q={searchTerms}&o=1
R2 Bonjour Service; C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe [390504 2017-12-17] (Apple Inc. -> Apple Inc.)
C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineUA
C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineCore
C:\Users\oldaz\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
ShellIconOverlayIdentifiers: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} => -> No File
ContextMenuHandlers3: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} => -> No File
Task: {45EFF576-67C7-4E4B-A9B1-4ED8D6250EE3} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe (Google Inc -> Google Inc.)
Task: {9A4B7F50-1604-4184-A2C0-04C9485CDE73} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
Task: {E1FEAB55-C056-41FE-A665-49DC73999858} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe (Google Inc -> Google Inc.)

EmptyTemp:
End

Uložte do C:\Users\oldaz\Downloads jako fixlist.txt. Spusťte znovu FRST a klikněte na >Fix<. Po skončení akce se objeví log, který sem zkopírujte.

[Terror755]

Chtěl bych se pozeptat když ještě pc dělá test... Když mám ještě notebook a dělá to samé? A také bych se chtěl zeptat co to vlastně je v tom PC virus? Nebo nějaké dolování a děkuji

[Terror755]

po skonceni se mi restartoval pc a nemohl jsem nic dělat a spustil se mi AVG test bios a ten FRST nemam je tohle co se dopsalo do toho Fixlog

Fix result of Farbar Recovery Scan Tool (x64) Version: 17.02.2019
Ran by oldaz (18-02-2019 18:25:06) Run:1
Running from C:\Users\oldaz\Downloads
Loaded Profiles: defaultuser0 & oldaz (Available Profiles: defaultuser0 & oldaz)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CloseProcesses:
C:\Users\oldaz\appdata\roaming\system\update-client.exe
BHO: No Name -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> No File
BHO-x32: No Name -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> No File
Toolbar: HKLM - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
Toolbar: HKLM-x32 - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
FF Plugin-x32: @google.com/zxwebplugin -> C:\WINDOWS\system32\npzxwebplugin.dll [No File]
CHR HomePage: Default -> hxxp://mysearch.avg.com?cid={4B9503D6-85F6-49BA-A2EC-71164DD6E4F6}&mid=141d51aaef9d47d2a6a3d16c64cfa861-ad1491be2ce6c122f6b66faa90e70c2decf7d34c&lang=cs&ds=AVG&coid=avgtbavg&cmpid=&pr=fr&d=2014-04-02 17:10:53&v=18.1.9.786&pid=safeguard&sg=&sap=hp
CHR StartupUrls: Default -> "hxxp://mysearch.avg.com?cid={4B9503D6-85F6-49BA-A2EC-71164DD6E4F6}&mid=141d51aaef9d47d2a6a3d16c64cfa861-ad1491be2ce6c122f6b66faa90e70c2decf7d34c&lang=cs&ds=AVG&coid=avgtbavg&cmpid=&pr=fr&d=2014-04-02 17:10:53&v=18.1.9.786&pid=safeguard&sg=&sap=hp","hxxps://www.google.com/"
CHR DefaultSearchURL: Default -> hxxp://mysearch.avg.com/search?cid={4B9503D6-85F6-49BA-A2EC-71164DD6E4F6}&mid=141d51aaef9d47d2a6a3d16c64cfa861-ad1491be2ce6c122f6b66faa90e70c2decf7d34c&lang=cs&ds=AVG&coid=avgtbavg&cmpid=&pr=fr&d=2014-04-02 17:10:53&v=18.0.5.292&pid=safeguard&sg=&sap=dsp&q={searchTerms}
CHR DefaultSearchKeyword: Default -> mysearch.avg.com_
CHR DefaultNewTabURL: Default -> hxxps://mysearch.avg.com/chroment?espv=2&cid={4B9503D6-85F6-49BA-A2EC-71164DD6E4F6}&mid=141d51aaef9d47d2a6a3d16c64cfa861-ad1491be2ce6c122f6b66faa90e70c2decf7d34c&lang=cs&ds=AVG&pr=fr&d=2014-04-02 17:10:53&v=18.1.0.443&pid=safeguard&sg=
CHR DefaultSuggestURL: Default -> hxxp://toolbar.avg.com/acp?q={searchTerms}&o=1
R2 Bonjour Service; C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe [390504 2017-12-17] (Apple Inc. -> Apple Inc.)
C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineUA
C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineCore
C:\Users\oldaz\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
ShellIconOverlayIdentifiers: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} => -> No File
ContextMenuHandlers3: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} => -> No File
Task: {45EFF576-67C7-4E4B-A9B1-4ED8D6250EE3} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe (Google Inc -> Google Inc.)
Task: {9A4B7F50-1604-4184-A2C0-04C9485CDE73} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
Task: {E1FEAB55-C056-41FE-A665-49DC73999858} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe (Google Inc -> Google Inc.)

EmptyTemp:
End
*****************

Processes closed successfully.
"C:\Users\oldaz\appdata\roaming\system\update-client.exe" => not found
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} => removed successfully
HKLM\Software\Classes\CLSID\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} => removed successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} => removed successfully
HKLM\Software\Wow6432Node\Classes\CLSID\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} => removed successfully
"HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}" => removed successfully
HKLM\Software\Classes\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => not found
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}" => removed successfully
HKLM\Software\Wow6432Node\Classes\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => not found
HKLM\Software\Wow6432Node\MozillaPlugins\@google.com/zxwebplugin => removed successfully
"Chrome HomePage" => removed successfully
"Chrome StartupUrls" => removed successfully
"Chrome DefaultSearchURL" => removed successfully
"Chrome DefaultSearchKeyword" => removed successfully
"Chrome DefaultNewTabURL" => removed successfully
"Chrome DefaultSuggestURL" => removed successfully
Bonjour Service => Unable to stop service.
HKLM\System\CurrentControlSet\Services\Bonjour Service => removed successfully
Bonjour Service => service removed successfully
C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineUA => moved successfully
C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineCore => moved successfully
C:\Users\oldaz\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini => moved successfully
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00avg => removed successfully
HKLM\Software\Classes\CLSID\{472083B0-C522-11CF-8763-00608CC02F24} => not found
HKLM\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers\00avg => removed successfully
HKLM\Software\Classes\CLSID\{472083B0-C522-11CF-8763-00608CC02F24} => not found
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{45EFF576-67C7-4E4B-A9B1-4ED8D6250EE3}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{45EFF576-67C7-4E4B-A9B1-4ED8D6250EE3}" => removed successfully
"C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineCore" => not found
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GoogleUpdateTaskMachineCore" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{9A4B7F50-1604-4184-A2C0-04C9485CDE73}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9A4B7F50-1604-4184-A2C0-04C9485CDE73}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UNP\RunCampaignManager" => not found
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{E1FEAB55-C056-41FE-A665-49DC73999858}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E1FEAB55-C056-41FE-A665-49DC73999858}" => removed successfully
"C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineUA" => not found
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GoogleUpdateTaskMachineUA" => removed successfully

=========== EmptyTemp: ==========

BITS transfer queue => 9199616 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 640936606 B
Java, Flash, Steam htmlcache => 375846604 B
Windows/system/drivers => 961300 B
Edge => 21407 B
Chrome => 362798493 B
Firefox => 0 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 0 B
LocalService => 0 B
NetworkService => 0 B
NetworkService => 0 B
defaultuser0 => 0 B
oldaz => 2236251 B

RecycleBin => 0 B
EmptyTemp: => 1.3 GB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 18:25:32 ====

[Rudy]

To zatím nevím, poznáme. Ten soubor patrně něco tahá, nebo se někam připojuje.

[Terror755]

co mam teda ted delat kdyz se spustil ten test a ja ten FRST nemam koukal jsem i do souboru a ten cas tam vubec neni

[Terror755]

tak jsem udelal novy

[Terror755]

poslal jsem Vám příspěvek 300 Kč za Váš čas

[Rudy]

Za příspěvek děkujeme. Bylo smazáno a teď bych ještě potřeboval vědět, jestli je vše v pořádku.