
Gen:Variant.Barys.52413

Posted: 19 Nov 2017 11:50
by AleNoJoPorad
Attachment: logy.zip
ComboFix, FRST and RSIT logs, screenshots
Hello.
I have the following problem. c:\windows\temp\ keeps filling up with junk that different antivirus products detect under different names. All of them, however, only ever found this junk; I never found the cause.

BitDefender: Gen:Variant.Barys.52413
Kaspersky: Trojan-Dropper.Win32.FrauDrop.ajalu
Malwarebytes: Trojan.Agent.Msil

Attached in the zip are the logs from ComboFix, which was supposed to attempt a repair, from FRST, and from RSIT.

After ComboFix I have the feeling it stopped showing up, but I did find another infection in a different directory, this time in C:\Users\milda\AppData\Local\Temp\tmp00005ca4\, but it was an isolated occurrence and it is not multiplying like before.

So I would like to be sure, mainly because I did not figure out what was causing it.

Thanks in advance

Re: Gen:Variant.Barys.52413

Posted: 19 Nov 2017 12:09
by Rudy
Hello!
Run this utility:
Download AdwCleaner https://toolslib.net/downloads/viewdown ... dwcleaner/
Save it to the desktop
Close all programs
Click first on >Scan< and then on >Clean<.
A scan will run and then a log will appear; paste it here.

Re: Gen:Variant.Barys.52413

Posted: 19 Nov 2017 12:27
by AleNoJoPorad
# AdwCleaner 7.0.4.0 - Logfile created on Sun Nov 19 11:26:41 2017
# Updated on 2017/27/10 by Malwarebytes
# Database: 11-17-2017.1
# Running on Windows 7 Professional (X64)
# Mode: scan
# Support: https://www.malwarebytes.com/support

***** [ Services ] *****

No malicious services found.

***** [ Folders ] *****

No malicious folders found.

***** [ Files ] *****

No malicious files found.

***** [ DLL ] *****

No malicious DLLs found.

***** [ WMI ] *****

No malicious WMI found.

***** [ Shortcuts ] *****

No malicious shortcuts found.

***** [ Tasks ] *****

No malicious tasks found.

***** [ Registry ] *****

No malicious registry entries found.

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries.

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries.

*************************

C:/AdwCleaner/AdwCleaner[S0].txt - [952 B] - [2017/11/19 10:55:59]
C:/AdwCleaner/AdwCleaner[S1].txt - [1020 B] - [2017/11/19 11:16:37]


########## EOF - C:\AdwCleaner\AdwCleaner[S2].txt ##########

Re: Gen:Variant.Barys.52413

Posted: 19 Nov 2017 12:54
by Rudy
I would just like to point out that running the ComboFix scanner by laymen can lead to system damage. CF is intended for professionals only.

Open Notepad and copy the following into it:
Start
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
C:\Users\milda\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
c:\windows\temp
Task: {437FFB07-486A-4AF1-92E5-F0638A18FA14} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2017-03-13] (Google Inc.)
Task: {F719E735-C8B7-425F-A7AA-C98A8C313C94} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2017-03-13] (Google Inc.)

EmptyTemp:
End
Save it to D:\milda\downloads as fixlist.txt. Run FRST again and click >Fix<. When the action finishes, a log will appear; copy it here.
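A read-only follow-up check to run after the fix above, added here as an example and not part of the thread or of FRST/AdwCleaner: it lists files recently created in the two temp folders the poster named (with size, Authenticode status and SHA-256) and then the scheduled tasks whose executable lives outside Windows or Program Files, which is where the removed task entries pointed. It assumes PowerShell 4 or later for the file part and Windows 8 / Server 2012 or later for Get-ScheduledTask; the user profile is taken from the environment rather than hard-coding the thread's `milda`.

```powershell
# Added example, not from the thread or from FRST/AdwCleaner. Read-only triage
# to check whether c:\windows\temp (and the user's Local\Temp) keep receiving
# new files after the fix, and which scheduled tasks launch from odd places.
# Run from an elevated PowerShell prompt.
param(
    [int]$Days = 3,
    # The two folders named in the thread; the profile comes from the environment
    [string[]]$TempDirs = @("$env:SystemRoot\Temp", "$env:LOCALAPPDATA\Temp")
)

$since = (Get-Date).AddDays(-$Days)

# 1) Recently created files: creation time, size, Authenticode status, SHA-256, path.
$files = foreach ($dir in $TempDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $since } |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName -ErrorAction SilentlyContinue
            $hash = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Created   = $_.CreationTime
                SizeBytes = $_.Length
                Signature = $(if ($sig) { $sig.Status } else { 'n/a' })
                SHA256    = $(if ($hash) { $hash.Hash } else { 'locked' })
                Path      = $_.FullName
            }
        }
}
"== $(@($files).Count) file(s) created since $since in $($TempDirs -join ', ') =="
$files | Sort-Object Created -Descending | Format-Table -AutoSize

# 2) Scheduled tasks whose executable is not under %SystemRoot% or Program Files
#    (bare names resolved via PATH are listed too). Needs Windows 8 / Server 2012+.
$trusted = '^"?(%(SystemRoot|windir|ProgramFiles[^%]*)%|[A-Za-z]:\\(Windows|Program Files))'
$tasks = Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $t = $_
    foreach ($a in $t.Actions) {
        if ($a.Execute -and $a.Execute -notmatch $trusted) {
            [pscustomobject]@{
                Task      = $t.TaskPath + $t.TaskName
                State     = $t.State
                Execute   = $a.Execute
                Arguments = $a.Arguments
            }
        }
    }
}
"== $(@($tasks).Count) scheduled task action(s) running from outside Windows/Program Files =="
$tasks | Format-Table -AutoSize
```

If the file listing shows fresh entries after a reboot, the process writing them is still present and the task list (or an autoruns-style review) is where to look next; nothing here modifies the system.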

Re: Gen:Variant.Barys.52413

Posted: 19 Nov 2017 13:03
by AleNoJoPorad
Noted; fortunately no damage to the system occurred.

fixlog:

Fix result of Farbar Recovery Scan Tool (x64) Version: 18-11-2017
Ran by milda (19-11-2017 12:59:22) Run:1
Running from D:\milda\downloads
Loaded Profiles: milda & UpdatusUser (Available Profiles: milda & UpdatusUser)
Boot Mode: Normal
==============================================

fixlist content:
*****************
Start
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
C:\Users\milda\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
c:\windows\temp
Task: {437FFB07-486A-4AF1-92E5-F0638A18FA14} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2017-03-13] (Google Inc.)
Task: {F719E735-C8B7-425F-A7AA-C98A8C313C94} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2017-03-13] (Google Inc.)

EmptyTemp:
End
*****************

HKLM\Software\\Microsoft\Internet Explorer\Main\\Default_Page_URL => value restored successfully
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Default_Page_URL => value restored successfully
HKLM\Software\\Microsoft\Internet Explorer\Main\\Default_Search_URL => value restored successfully
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Default_Search_URL => value restored successfully
C:\Users\milda\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini => moved successfully

"c:\windows\temp" folder move:

Could not move "c:\windows\temp" => Scheduled to move on reboot.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{437FFB07-486A-4AF1-92E5-F0638A18FA14} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{437FFB07-486A-4AF1-92E5-F0638A18FA14} => key removed successfully
C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GoogleUpdateTaskMachineCore => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{F719E735-C8B7-425F-A7AA-C98A8C313C94} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F719E735-C8B7-425F-A7AA-C98A8C313C94} => key removed successfully
C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GoogleUpdateTaskMachineUA => key removed successfully

=========== EmptyTemp: ==========

BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 17099601 B
Java, Flash, Steam htmlcache => 343 B
Windows/system/drivers => 534904 B
Edge => 0 B
Chrome => 170330 B
Firefox => 0 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 66356 B
systemprofile32 => 249582 B
LocalService => 0 B
NetworkService => 9284 B
milda => 46328487 B
UpdatusUser => 0 B

RecycleBin => 0 B
EmptyTemp: => 69.5 MB temporary data Removed.

================================

Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 19-11-2017 13:01:44)

"c:\windows\temp" => Could not move

==== End of Fixlog 13:01:46 ====

Re: Gen:Variant.Barys.52413

Posted: 19 Nov 2017 17:42
by Rudy
Deleted. Has anything changed?