VIRY.CZ

Pomáháme v boji s počítačovou havěti!
https://forum.viry.cz:443/

Avast našel rootkit

https://forum.viry.cz:443/viewtopic.php?t=140524

Stránka 3 z 3

Re: Avast našel rootkit

Napsal: 08 říj 2014 16:11
od Márty84
:arrow: Napiste mi velikost adresare plochy (C:\Users\Dan\Desktop)




:!: Jestli bude Avast rvat, ze to chce otevrit v sandboxu, nedovolte to! Vyberte moznost Otevrit normalne
:arrow: Znovu spustte OTL jako spravce
Do spodniho okna vlozte nasledujici text (vcetne te dvojtecky pred slovem commands)

Kód: Vybrat vše

:commands
[EMPTYTEMP]
[EMPTYFLASH]
[Purity]
[CreateRestorePoint]

:services
AdobeFlashPlayerUpdateSvc

:files
%windir%\system32\*.tmp.dll /s
%windir%\system32\SET*.tmp /s
%windir%\*.tmp
C:\Windows\tasks\Adobe Flash Player Updater.job
C:\Windows\tasks\PCDoctorBackgroundMonitorTask.job
C:\Windows\tasks\SystemToolsDailyTest.job
C:\ProgramData\McAfee
C:\ProgramData\Malwarebytes' Anti-Malware (portable)
C:\Windows\system32\drivers\MBAMSwissArmy.sys
C:\Windows\system32\drivers\mbamchameleon.sys
C:\ProgramData\Malwarebytes

:otl
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE:64bit: - HKLM\..\SearchScopes\{DFD08979-7A8C-470E-8C45-0F1FD572B07B}: "URL" = http://www.bing.com/search?q={searchTerms}&form=LEMDF8&pc=MALC&src=IE-SearchBox
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{9E644027-4B5A-4AAF-8BCF-7F27BBD65FFA}: "URL" = http://www.bing.com/search?q={searchTerms}&form=LEMDF8&pc=MALC&src=IE-SearchBox
IE - HKU\S-1-5-21-960529557-3528276582-3652460945-1001\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-960529557-3528276582-3652460945-1001\..\SearchScopes\{DFD08979-7A8C-470E-8C45-0F1FD572B07B}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
[2014.10.04 20:35:03 | 000,128,728 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\MBAMSwissArmy.sys
[2014.10.04 20:35:03 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes' Anti-Malware (portable)
[2014.10.04 20:33:25 | 000,092,888 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbamchameleon.sys
[2014.10.04 20:33:21 | 000,000,000 | ---D | C] -- C:\Users\Dan\Desktop\mbar
[2014.10.04 20:31:25 | 014,349,744 | ---- | C] (Malwarebytes Corp.) -- C:\Users\Dan\Desktop\mbar-1.07.0.1012.exe
[2014.10.02 21:35:07 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2 C:\Program Files (x86)\*.tmp files -> C:\Program Files (x86)\*.tmp -> ]
[2 C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\*.tmp files -> C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\*.tmp -> ]
[3 C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\*.tmp files -> C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\*.tmp -> ]

:reg
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}]
Kliknete na Opravit a nechte program pracovat. Pri otazce na restart souhlaste.
Po restartu se objevi novy log, ten sem dejte.

Re: Avast našel rootkit

Napsal: 08 říj 2014 17:30
od danek
Velikost adresáře plochy je 55,9MB a velikost na disku je 56 MB, 49 souborů, 6 složek

Re: Avast našel rootkit

Napsal: 08 říj 2014 18:24
od Márty84
danek píše:Velikost adresáře plochy je 55,9MB
:thumbsup:
Tak ted jeste OTL.

Re: Avast našel rootkit

Napsal: 08 říj 2014 21:42
od danek
Tak možná se vyskytl problém. Spustil jsem OTL, pak to chvilku skenovalo, pak se objevilo Creating restore point don't interrupt a dvě hodiny se nic nedělo. Tak jsem přes správce úloh vypnul počítač, objevilo se ukončování, strašně dlouho se nic nedělo, tak jsem to ukončil manuálně a po restartu se objevilo, jestli chci spustit OTL, tak jsem dal, že ne a spustil jsem ho z plochy a objevila se mi tato hláška:


Files\Folders moved on Reboot...
File move failed. C:\Users\Dan\AppData\Local\Temp\FXSAPIDebugLogFile.txt scheduled to be moved on reboot.
File move failed. C:\Windows\temp\_avast_\AvastLock.txt scheduled to be moved on reboot.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

Zkusím to ještě jednou.

Re: Avast našel rootkit

Napsal: 08 říj 2014 21:51
od danek
Tak podruhé to bylo asi úspěšnější. Počítač se restartoval sám a po restartu se objevilo následující:

All processes killed
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Dan
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 128 bytes
->FireFox cache emptied: 5394270 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 6646 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 5,00 mb


[EMPTYFLASH]

User: All Users

User: Dan
->Flash cache emptied: 0 bytes

User: Default

User: Default User

User: Public

Total Flash Files Cleaned = 0,00 mb

System Restore Service not available.
========== SERVICES/DRIVERS ==========
Service AdobeFlashPlayerUpdateSvc stopped successfully!
Service AdobeFlashPlayerUpdateSvc deleted successfully!
========== FILES ==========
File/Folder C:\Windows\system32\*.tmp.dll not found.
File/Folder C:\Windows\system32\SET*.tmp not found.
File/Folder C:\Windows\*.tmp not found.
C:\Windows\tasks\Adobe Flash Player Updater.job moved successfully.
C:\Windows\tasks\PCDoctorBackgroundMonitorTask.job moved successfully.
C:\Windows\tasks\SystemToolsDailyTest.job moved successfully.
C:\ProgramData\McAfee\MCLOGS\SecurityScanner\mcuicnt folder moved successfully.
C:\ProgramData\McAfee\MCLOGS\SecurityScanner folder moved successfully.
C:\ProgramData\McAfee\MCLOGS\PartnerCustom\SSScheduler folder moved successfully.
C:\ProgramData\McAfee\MCLOGS\PartnerCustom\SecurityScan_Release folder moved successfully.
C:\ProgramData\McAfee\MCLOGS\PartnerCustom\mcuicnt folder moved successfully.
C:\ProgramData\McAfee\MCLOGS\PartnerCustom\McCHSvc folder moved successfully.
C:\ProgramData\McAfee\MCLOGS\PartnerCustom folder moved successfully.
C:\ProgramData\McAfee\MCLOGS\McUICnt\mcuicnt folder moved successfully.
C:\ProgramData\McAfee\MCLOGS\McUICnt folder moved successfully.
C:\ProgramData\McAfee\MCLOGS folder moved successfully.
C:\ProgramData\McAfee folder moved successfully.
C:\ProgramData\Malwarebytes' Anti-Malware (portable) folder moved successfully.
File\Folder C:\Windows\system32\drivers\MBAMSwissArmy.sys not found.
File\Folder C:\Windows\system32\drivers\mbamchameleon.sys not found.
C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine folder moved successfully.
C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware folder moved successfully.
C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\Quarantine folder moved successfully.
C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\Logs folder moved successfully.
C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\Configuration folder moved successfully.
C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware folder moved successfully.
C:\ProgramData\Malwarebytes folder moved successfully.
========== OTL ==========
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{DFD08979-7A8C-470E-8C45-0F1FD572B07B}\ deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DFD08979-7A8C-470E-8C45-0F1FD572B07B}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9E644027-4B5A-4AAF-8BCF-7F27BBD65FFA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9E644027-4B5A-4AAF-8BCF-7F27BBD65FFA}\ not found.
Registry key HKEY_USERS\S-1-5-21-960529557-3528276582-3652460945-1001\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ not found.
Registry key HKEY_USERS\S-1-5-21-960529557-3528276582-3652460945-1001\Software\Microsoft\Internet Explorer\SearchScopes\{DFD08979-7A8C-470E-8C45-0F1FD572B07B}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DFD08979-7A8C-470E-8C45-0F1FD572B07B}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
64bit-Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WebCheck deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WebCheck deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\ not found.
C:\Windows\SysNative\drivers\MBAMSwissArmy.sys moved successfully.
Folder C:\ProgramData\Malwarebytes' Anti-Malware (portable)\ not found.
C:\Windows\SysNative\drivers\mbamchameleon.sys moved successfully.
C:\Users\Dan\Desktop\mbar\Plugins folder moved successfully.
C:\Users\Dan\Desktop\mbar\Languages folder moved successfully.
C:\Users\Dan\Desktop\mbar\imageformats folder moved successfully.
C:\Users\Dan\Desktop\mbar\Data\Configuration folder moved successfully.
C:\Users\Dan\Desktop\mbar\Data folder moved successfully.
C:\Users\Dan\Desktop\mbar folder moved successfully.
C:\Users\Dan\Desktop\mbar-1.07.0.1012.exe moved successfully.
Folder C:\ProgramData\Malwarebytes\ not found.
C:\Program Files (x86)\GUM3C25.tmp\GoogleUpdate.exe deleted successfully.
C:\Program Files (x86)\GUM3C25.tmp folder deleted successfully.
C:\Program Files (x86)\GUT3C26.tmp deleted successfully.
C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9E41.tmp folder deleted successfully.
C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPB221.tmp\TaskScheduler.dll deleted successfully.
C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPB221.tmp folder deleted successfully.
C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6B8E.tmp folder deleted successfully.
C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE291.tmp folder deleted successfully.
C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE56E.tmp folder deleted successfully.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9030D464-4C02-4ABF-8ECC-5164760863C6}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9030D464-4C02-4ABF-8ECC-5164760863C6}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\ not found.

OTL by OldTimer - Version 3.2.69.0 log created on 10082014_224543

Files\Folders moved on Reboot...
C:\Users\Dan\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
File move failed. C:\Windows\temp\_avast_\AvastLock.txt scheduled to be moved on reboot.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

Re: Avast našel rootkit

Napsal: 09 říj 2014 09:15
od Márty84
:!: Vsechny tyto programy - vcetne pripadne instalace - spoustejte jako spravce (kliknete na ne pravym mysidlem a zvolte - Spustit jako spravce)

:arrow: Prejmenujte ComboFix na Uninstall a spustte ho. CF by se mel odinstalovat.

:arrow:
vyosek píše: :arrow: T-Cleaner http://tharifas.sweb.cz/T-Cleaner.exe
  • Stahnete a spustte
  • Pro potvrzeni volby mackejte A, Enter
  • Po pouziti utilitu smazte
  • Antiviry mohou utilitu chybne oznacit jako vir - jedna se o falesny poplach - takze v pohode stahnete (pripadne vypnete pri stahovani antivir)
:arrow: Stahnete OTC http://oldtimer.geekstogo.com/OTC.exe , ulozte a spustte.
Kliknete na napis CleanUp a pote OK - Po uklidu dojde k restartu pc.

:arrow: Stahnete Ccleaner http://www.filehippo.com/download_ccleaner a spustte.
Pri instalaci pozor na toolbar (ci jine doplnky), jestli vam nabidne jeho instalaci, tak zruste zatrzitko.
Po spusteni se ocitnete ve funkci Cistic. Vlevo je spousta zatrzitek. Pozor dejte hlavne na kos, pokud nechate zatrzene, vzdy ho vysype.
Dale, podle toho jak je nastaven, smaze vsechna hesla ulozena na netu!!! Takze jestli mate nastavene, at si pocitac hesla pamatuje (coz neni pro bezpecnost dobre), budete je muset pak napsat znova rucne (napr mail, facebook, ruzna fora atd.)
Kliknete na Analyzovat a az dokonci analyzu, kliknete na Spustit Cleaner.
Potom kliknete vlevo na funkci Registry
Kliknete na Hledej problemy, kdyz najde, kliknete na Opravit problemy. Nabidne Vam zalohu, tu udelejte a ulozte ji tak, at ji v pripade potreby najdete.
Funkce Nastroje umoznuje odinstalovani programu. Je dukladnejsi nez samotny windows!
(Pokud je v pc vice uzivatelskych uctu, pouzijte program i v nich)

:arrow: Defragmentujte disk(y) (SSD Disky ne!)
Stahnete program Defraggler http://www.stahuj.centrum.cz/utility_a_ ... efraggler/
Pri instalaci opet pozor na toolbar
Po nainstalovani program spustte a kliknete na Analyzovat, po analyze kliknete na Defragmentovat a programek odvede svou praci.




:arrow: Pak napiste, jak je na tom pc.

Re: Avast našel rootkit

Napsal: 10 říj 2014 06:44
od danek
Tak jsem to všechno udělal, jak jste psal a zdá se, že PC je na tom o hodně líp. Problémy s myší a klávesnicí zmizely a zdá se mi, že systém pracuje mnohem rychleji. Chtěl bych vám moc poděkovat za Vaší pomoc.

S pozdravem, Dan.

Re: Avast našel rootkit

Napsal: 10 říj 2014 09:43
od Márty84
To jsem rad :)

Nemate zac! ;-)

Mejte se a treba zase nekdy :bye:

:closed:
Všechny časy jsou v UTC+01:00
Stránka 3 z 3

Založeno na phpBB® Forum Software © phpBB Limited

Český překlad – phpBB.cz