Pokus o převzetí GMAIL účtu vzdáleným ovládáním PC

[Jaro0]

Dobrý den,

předem bych Vám chtěl moc poděkovat za váš čas.

Dnes odpoledne mi přišla sms zpráva s 2FA ověřovacím kódem od gmailu, kterou jsem si nevyžádal. Měl jsem v tu chvíli na PC otevřený v chrome gmail účet a když jsem se podíval na obrazovku, myš se mi sama hýbala a někdo se hrabal v nastavení gmail účtu. Nestihl jsem ani zkontrolovat co přesně se dělo protože jsem v panice rychle Alt+F4 všechno, vypnul počítač a odpojil od sítě. Nikdy jsem se s ničím takovým nesetkal a nepodařilo se mi ani vygooglit podobnou zkušenost.
Pak mi došlo, že včera se mi odpojila synchronizace Chrome s google účtem, kterou jsem už včera večer neřešil, ale dnes ráno jsem ji obnovil zadáním hesla. Vše vypadalo naprosto normálně a nepojal jsem žádné podezření, že bych heslo zadával na phishingovou kopii stránky.

Ještě jednou děkuji za pomoc a přeji pohodový víkend.

S pozdravem

Jaro

[Conder]

Ahoj

Urob v Malwarebytes uplny sken:

• Stiahni a nainstaluj Malwarebytes (MB/MBAM): https://www.malwarebytes.com/mwb-download/thankyou/
• Skusobnu verziu netreba aktivovat, staci bezplatna (free)
• Ovor Malwarebytes a klikni na "Vyhledavac"
• Klikni na "Pokrocile kontroly" a potom na "Nastavit kontrolu"
• Vpravo oznac vsetky disky v PC a vlavo oznac moznost "Skenovani na rootkity"
• Klikni na "Sken" a pockaj na dokoncenie
• Po dokonceni klikni na "Zobrazit zpravu" -> "Export" -> "Kopirovat do schranky"
• Skopirovany log vloz do dalsej odpovede

[Jaro0]

Děkuji za odpověď a omlouvám se za zpoždění.

Zde je log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 6/13/20
Scan Time: 8:40 AM
Log File: bb2cfd18-ad40-11ea-bef4-b888e374fdee.json

-Software Information-
Version: 4.1.0.56
Components Version: 1.0.931
Update Package Version: 1.0.25464
License: Trial

-System Information-
OS: Windows 10 (Build 18362.900)
CPU: x64
File System: NTFS
User: JohnDoe-PC\John Doe

-Scan Summary-
Scan Type: Custom Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 879160
Threats Detected: 1
Threats Quarantined: 0
Time Elapsed: 14 hr, 12 min, 9 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 1
Backdoor.Agent.Generic, C:\USERS\JOHN DOE\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\CMDL32.URL, No Action By User, 5592, 721987, 1.0.25464, , ame,

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)

[Conder]

Zdrzanie samozrejme nevadi, hlavne ked aj samotny sken trval niekolko hodin.

Poprosim o obidva nove logy z FRST.

[Jaro0]

Děkuji za rychlou odpověď a přikládám logy. Během toho co běžel FRST na mně vyskočil Malwerebytes s pár "Potentially Unwanted Program", tak do zipu přikládám i ten log z něj.

Přeji hezkou neděli

[Conder]

V Malwarebytes spusti rychly sken (cez modre tlacitko Sken na uvodnej obrazovke) a zmaz vsetky nalezy (presunut do karanteny). Po dokonceni posli opat log z tohto procesu mazania.

Otvor poznamkovy blok (Win+R -> notepad -> enter)

• Skopiruj nasledujuci text a vloz ho do poznamkoveho bloku:

  Kód: Vybrat vše

  Start
  CloseProcesses:
  CreateRestorePoint:
  
  PowerShell: Get-ChildItem -Path "$ENV:USERPROFILE\Desktop" -Recurse -Force | Measure-Object -Property Length -Sum
  File: C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe
  File: C:\Program Files (x86)\Battlelog Web Plugins\2.3.0\npesnlaunch.dll
  File: C:\Program Files (x86)\Browny02\BrYNSvc.exe
  File: C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe
  Folder: C:\Users\John Doe\AppData\LocalLow\IGDump
  Folder: C:\WINDOWS\ehome
  Folder: C:\Users\John Doe\cmdl32
  File: C:\Users\John Doe\cmdl32\cmdl32.vbs
  CMD: type "C:\Users\John Doe\cmdl32\cmdl32.vbs"
  
  GroupPolicy: Restriction ? <==== ATTENTION
  Task: {16AB90B5-E17D-4056-94B5-091549C2C6C2} - System32\Tasks\Microsoft\Windows\Media Center\PBDADiscovery => C:\WINDOWS\ehome\ehPrivJob.exe
  Task: {199BACAC-60A4-440C-B9E7-54AF225A49E4} - System32\Tasks\Microsoft\Windows\Media Center\ActivateWindowsSearch => C:\WINDOWS\ehome\ehPrivJob.exe
  Task: {19F4FCA3-2549-4077-8CCE-4E11DB8B3EE5} - System32\Tasks\Microsoft\Windows\Media Center\UpdateRecordPath => C:\WINDOWS\ehome\ehPrivJob.exe
  Task: {2425CA00-6715-46CF-8A2A-4C1160A3DF04} - System32\Tasks\Microsoft\Windows\Media Center\SqlLiteRecoveryTask => C:\WINDOWS\ehome\mcupdate.exe
  Task: {2E85FCC9-7AD6-4C0B-8759-104FDA75BACC} - System32\Tasks\Microsoft\Windows\Media Center\PvrScheduleTask => C:\WINDOWS\ehome\mcupdate.exe
  Task: {30F94D8B-8871-46B3-A362-1398B1AEDD0A} - System32\Tasks\Microsoft\Windows\Media Center\OCURDiscovery => C:\WINDOWS\ehome\ehPrivJob.exe
  Task: {4980829B-7355-455D-A68F-CD54A48BCAC3} - System32\Tasks\Microsoft\Windows\Media Center\ObjectStoreRecoveryTask => C:\WINDOWS\ehome\mcupdate.exe
  Task: {5627C68B-9183-4880-B278-9B6D9A81EC39} - System32\Tasks\Microsoft\Windows\Media Center\PeriodicScanRetry => C:\WINDOWS\ehome\MCUpdate.exe
  Task: {56AACBE7-59BD-4DB9-B1DC-BF108E6EEAD4} - System32\Tasks\Microsoft\Windows\Media Center\RecordingRestart => C:\WINDOWS\ehome\ehrec.exe
  Task: {71541D3D-BD91-472D-9EDF-FC7927379764} - System32\Tasks\Microsoft\Windows\Media Center\PBDADiscoveryW1 => C:\WINDOWS\ehome\ehPrivJob.exe
  Task: {879617BB-EAE6-47BC-A4F5-6B56C2DD4D16} - System32\Tasks\Microsoft\Windows\Media Center\ehDRMInit => C:\WINDOWS\ehome\ehPrivJob.exe
  Task: {8869D1B7-FF7B-4713-AF84-F7231FD751AB} - System32\Tasks\Microsoft\Windows\Media Center\InstallPlayReady => C:\WINDOWS\ehome\ehPrivJob.exe
  Task: {8964E93F-3D31-46A4-9FE5-83148E1CEA9F} - System32\Tasks\Microsoft\Windows\Media Center\RegisterSearch => C:\WINDOWS\ehome\ehPrivJob.exe
  Task: {9253F892-83AE-4C62-9337-6AE5A37E64E3} - System32\Tasks\Microsoft\Windows\Media Center\DispatchRecoveryTasks => C:\WINDOWS\ehome\ehPrivJob.exe
  Task: {A18008EA-5055-4D41-81B0-3BD03CDB2B07} - System32\Tasks\Microsoft\Windows\Media Center\mcupdate => C:\WINDOWS\ehome\mcupdate.exe
  Task: {B24E3587-D32B-40A7-9E0F-0F61198E7A3E} - System32\Tasks\Microsoft\Windows\Media Center\OCURActivate => C:\WINDOWS\ehome\ehPrivJob.exe
  Task: {CB849CA6-FEAB-4680-B3D7-8151E15BC132} - System32\Tasks\Microsoft\Windows\Media Center\MediaCenterRecoveryTask => C:\WINDOWS\ehome\mcupdate.exe
  Task: {E34ABC27-986E-40B7-8088-36253728EC9B} - System32\Tasks\Microsoft\Windows\Media Center\ConfigureInternetTimeService => C:\WINDOWS\ehome\ehPrivJob.exe
  Task: {F33FF581-7661-437C-BB65-CBA76E065D46} - System32\Tasks\Microsoft\Windows\Media Center\PBDADiscoveryW2 => C:\WINDOWS\ehome\ehPrivJob.exe
  Task: {FD3E5E81-E284-42CE-9BED-C9522AF31F3A} - System32\Tasks\Microsoft\Windows\Media Center\ReindexSearchRoot => C:\WINDOWS\ehome\ehPrivJob.exe
  Task: {FDDAE3A1-38D6-4EE5-B3E7-215114819D4E} - System32\Tasks\Microsoft\Windows\Media Center\PvrRecoveryTask => C:\WINDOWS\ehome\mcupdate.exe
  CHR StartupUrls: Default -> "hxxp://www.google.com/ig/redirectdomain?brand=KMOH&bmod=KMOH","hxxp://search.gboxapp.com/"
  U3 idsvc; no ImagePath
  
  Hosts:
  EmptyTemp:
  End

• Uloz na plochu s nazvom fixlist.txt
• Spusti znovu FRST a klikni na Fix
• Po dokonceni si FRST vyziada restart PC, potvrd kliknutim na OK
• Po restartovani PC bude na ploche subor Fixlog.txt, jeho obsah sem skopiruj

[Jaro0]

Zdravím,

vyžádané logy přiloženy.

Děkuji

[Conder]

Spusti este sken systemoveho disku cez ESET Online Scanner:

• Stiahni z tohto odkazu: https://download.eset.com/com/eset/tool ... canner.exe
• Vyber jazyk a klikni na Spustit
• Odsuhlas licencne podmienky a klikni na Spustit
• Mozes povolit posielanie anonymnych dat, zapni system spatnej vazby a klikni na Pokracovat
• Klikni na Prisposobena kontrola (cesky Volitelna kontrola)
• Oznac prve 2 moznosti (operacna pamat a umiestnenia automatickeho spustenia/soubory zavadene pri startu pocitace) a disky C:\ a E:\ (ostatne netreba)
• Klikni na Ulozit a pokracovat, povol detekciu potencialne nechcenych aplikacii (PUP) a klikni na Spustit kontrolu
• Pockaj na dokoncenie skenu
• Po dokonceni kontroly klikni na Ulozit protokol kontroly, napis nazov suboru napr. esetlog.txt a uloz na plochu
• Tento subor otvor a jeho obsah skopiruj a vloz do dalsej odpovede

[Jaro0]

Zde:

16.6.2020 17:21:27
Zkontrolováno souborů: 362147
Detekováno souborů: 0
Vyléčeno souborů: 0
Celkový čas kontroly: 00:38:21
Stav kontroly: Dokončeno

[Conder]

Stiahni AdwCleaner: https://toolslib.net/downloads/finish/1/

• Uloz na plochu a ukonci vsetky programy
• Spusti AdwCleaner ako spravca
• Odsuhlas licencne podmienky
• Klikni na Spustit skenovani a pockaj na dokoncenie
• V pripade nalezov nechaj vsetky nalezy oznacene a klikni na Karantena (ak nie su ziadne nalezy, tak na Spustit zakladni opravu)
• V pripade, ze sa detekuje aj "predinstalovany software", tieto programy mozes, ale nemusis zmazat (toto nie su skodlive programy, ale iba zbytocnosti)
• Potvrd vyzvu, pockaj na dokoncenie a potvrd restartovanie PC
• Po restartovani PC sa otvori AdwCleaner, klikni na Zobrazit soubor protokolu
• Otvori sa log, jeho obsah skopiruj a vloz do dalsej odpovede

Potom poprosim aj o obidva nove logy z FRST.

[Jaro0]

Zdravím,

ADWcleaner log níže a FRST+Add v zipu v příloze:

# -------------------------------
# Malwarebytes AdwCleaner 8.0.5.0
# -------------------------------
# Build: 05-25-2020
# Database: 2020-06-15.1 (Cloud)
# Support: https://www.malwarebytes.com/support
#
# -------------------------------
# Mode: Scan
# -------------------------------
# Start: 06-17-2020
# Duration: 00:00:21
# OS: Windows 10 Home
# Scanned: 31836
# Detected: 9


***** [ Services ] *****

No malicious services found.

***** [ Folders ] *****

PUP.Optional.Legacy C:\Users\John Doe\AppData\Roaming\Tencent

***** [ Files ] *****

No malicious files found.

***** [ DLL ] *****

No malicious DLLs found.

***** [ WMI ] *****

No malicious WMI found.

***** [ Shortcuts ] *****

No malicious shortcuts found.

***** [ Tasks ] *****

No malicious tasks found.

***** [ Registry ] *****

No malicious registry entries found.

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries found.

***** [ Chromium URLs ] *****

No malicious Chromium URLs found.

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries found.

***** [ Firefox URLs ] *****

No malicious Firefox URLs found.

***** [ Hosts File Entries ] *****

No malicious hosts file entries found.

***** [ Preinstalled Software ] *****

Preinstalled.LenovoEnergyManagement Folder C:\Program Files (x86)\LENOVO\ENERGY MANAGEMENT
Preinstalled.LenovoEnergyManagement Folder C:\Users\John Doe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\LENOVO\ENERGY MANAGEMENT
Preinstalled.LenovoEnergyManagement Registry HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run|Energy Management
Preinstalled.LenovoEnergyManagement Registry HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run|EnergyUtility
Preinstalled.LenovoEnergyManagement Registry HKLM\Software\Microsoft\Windows\CurrentVersion\Run|Energy Management
Preinstalled.LenovoEnergyManagement Registry HKLM\Software\Microsoft\Windows\CurrentVersion\Run|EnergyUtility
Preinstalled.LenovoEnergyManagement Registry HKLM\Software\Wow6432Node\\Microsoft\Windows\CurrentVersion\Uninstall\InstallShield_{D0956C11-0F60-43FE-99AD-524E833471BB}
Preinstalled.LenovoEnergyManagement Registry HKLM\Software\Wow6432Node\\Microsoft\Windows\CurrentVersion\Uninstall\{D0956C11-0F60-43FE-99AD-524E833471BB}



########## EOF - C:\AdwCleaner\Logs\AdwCleaner[S00].txt ##########

[Conder]

Otvor poznamkovy blok (Win+R -> notepad -> enter)

• Skopiruj nasledujuci text a vloz ho do poznamkoveho bloku:

  Kód: Vybrat vše

  Start
  CloseProcesses:
  CreateRestorePoint:
  
  PowerShell: Get-ChildItem -Path "$ENV:USERPROFILE\Desktop" -Recurse -Force | Measure-Object -Property Length -Sum
  File: C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe
  File: C:\WINDOWS\system32\V0790Ext.ax
  File: C:\Windows\system32\E_YLMBMEE.DLL
  File: C:\Program Files (x86)\Browny02\BrYNSvc.exe
  
  ContextMenuHandlers5: [Gadgets] -> {6B9228DA-9C15-419e-856C-19E768A13BDC} =>  -> No File
  ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => C:\WINDOWS\system32\igfxpph.dll -> No File
  C:\Users\John Doe\AppData\Roaming\Tencent
  
  Hosts:
  EmptyTemp:
  End

• Uloz na plochu s nazvom fixlist.txt
• Spusti znovu FRST a klikni na Fix
• Po dokonceni si FRST vyziada restart PC, potvrd kliknutim na OK
• Po restartovani PC bude na ploche subor Fixlog.txt, jeho obsah sem skopiruj

[Jaro0]

Fix result of Farbar Recovery Scan Tool (x64) Version: 06-06-2020
Ran by John Doe (18-06-2020 09:12:13) Run:2
Running from C:\Users\John Doe\Desktop
Loaded Profiles: John Doe
Boot Mode: Normal
==============================================

fixlist content:
*****************
Start
CloseProcesses:
CreateRestorePoint:

PowerShell: Get-ChildItem -Path "$ENV:USERPROFILE\Desktop" -Recurse -Force | Measure-Object -Property Length -Sum
File: C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe
File: C:\WINDOWS\system32\V0790Ext.ax
File: C:\Windows\system32\E_YLMBMEE.DLL
File: C:\Program Files (x86)\Browny02\BrYNSvc.exe

ContextMenuHandlers5: [Gadgets] -> {6B9228DA-9C15-419e-856C-19E768A13BDC} => -> No File
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => C:\WINDOWS\system32\igfxpph.dll -> No File
C:\Users\John Doe\AppData\Roaming\Tencent

Hosts:
EmptyTemp:
End
*****************

Processes closed successfully.
Error: (0) Failed to create a restore point.

========= Get-ChildItem -Path "$ENV:USERPROFILE\Desktop" -Recurse -Force | Measure-Object -Property Length -Sum =========



Count : 18
Average :
Sum : 11263607
Maximum :
Minimum :
Property : Length




========= End of Powershell: =========


========================= File: C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe ========================

C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe
File not signed
MD5: 7F42FFCD6FF7CA558C2D95DADCD5EFA9
Creation and modification date: 2018-07-25 13:58 - 2010-06-10 13:42
Size: 002621440
Attributes: ----R
Company Name: Brother Industries, Ltd.
Internal Name: BrStMonW
Original Name: BrStMonW.exe
Product: Brother Status Monitor Application
Description: Brother Status Monitor Application
File Version: 1, 0, 1, 3
Product Version: 1, 0, 1, 3
Copyright: Copyright (C) 2005 - 2010 Brother Industries, Ltd.
VirusTotal: https://www.virustotal.com/gui/file/cd9 ... 1592290103

====== End of File: ======


========================= File: C:\WINDOWS\system32\V0790Ext.ax ========================

C:\WINDOWS\system32\V0790Ext.ax
Catalog: C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem76.cat
File is digitally signed
MD5: E0BE7D57722701B00E9CEDB1F6122F15
Creation and modification date: 2020-04-05 19:09 - 2015-09-17 02:56
Size: 000130552
Attributes: ----A
Company Name: Microsoft Windows Hardware Compatibility Publisher -> Creative Technology Ltd.
Internal Name:
Original Name: V0790Ext.ax
Product:
Description: DirectShow/VFW Extension property page (64-bit)
File Version: 1.00.01.00
Product Version:
Copyright: Copyright (c) Creative Technology Ltd., 2013
VirusTotal: https://www.virustotal.com/gui/file/627 ... 1561903865

====== End of File: ======


========================= File: C:\Windows\system32\E_YLMBMEE.DLL ========================

C:\Windows\system32\E_YLMBMEE.DLL
File not signed
MD5: 56BF5337352CF984CB367D053C7B28E3
Creation and modification date: 2019-01-18 17:16 - 2013-12-06 04:05
Size: 000179712
Attributes: ----A
Company Name: SEIKO EPSON CORPORATION
Internal Name: EbpmonB
Original Name: EBPMONB.DLL
Product: EPSON Bi-directional Printer
Description: EPSON Bi-directional Monitor AMD64
File Version: 4,05,00, 0
Product Version: 4,05,00, 0
Copyright: Copyright (C) SEIKO EPSON CORPORATION 2005-2014. All rights reserved.
VirusTotal: https://www.virustotal.com/gui/file/738 ... 1560890208

====== End of File: ======


========================= File: C:\Program Files (x86)\Browny02\BrYNSvc.exe ========================

C:\Program Files (x86)\Browny02\BrYNSvc.exe
File not signed
MD5: EA7E57F87D6FEE5FD6C5F813C04E8CD2
Creation and modification date: 2018-07-25 13:58 - 2010-01-25 08:22
Size: 000245760
Attributes: ----N
Company Name: Brother Industries, Ltd.
Internal Name: BrYNSvc.exe
Original Name: BrYNSvc.exe
Product: BrYNCSvc
Description: BrYNCSvc
File Version: 1.0.0.10
Product Version: 1.0.0.10
Copyright: Copyright (C) 2009-2010 Brother Industries, Ltd.
VirusTotal: https://www.virustotal.com/gui/file/1eb ... 1592136559

====== End of File: ======

HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers\Gadgets => removed successfully
HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers\igfxcui => removed successfully
HKLM\Software\Classes\CLSID\{3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => removed successfully
C:\Users\John Doe\AppData\Roaming\Tencent => moved successfully
C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.

=========== EmptyTemp: ==========

BITS transfer queue => 10248192 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 11633504 B
Java, Flash, Steam htmlcache => 1083 B
Windows/system/drivers => 2966805 B
Edge => 0 B
Chrome => 293585397 B
Firefox => 0 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 58462 B
NetworkService => 63238 B
John Doe => 553267 B

RecycleBin => 0 B
EmptyTemp: => 304.3 MB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 09:12:28 ====

[Conder]

Pardon za zdrzanie.

Logy vyzeraju podla vsetkeho OK. Ako to momentalne vyzera s PC? Su nejake problemy?

[Jaro0]

Zdravím,

nic se neděje, děkuji mnohokrát za dosavadní pomoc!

Vypadá vše v pořádku. Měl by jste nějakou představu kam všude se s tím "backdorem" dostal? Když převzal kontrolu nad PC, tak se asi dá předpokládat, že mohl nepozorovaně krást data/informace/logovat stisky kláves/atp...?

Hezký víkend!