
Vermin on the machine

Posted: 13 Sep 2018 15:56
by Onyy
Good day, hi,
although the machine has only been new for a little while, while looking for one app I managed to accidentally pull in what is probably an uninvited visitor/miner/the whole gang. One website sent me an e-mail that somebody from Taiwan had logged into that service. I realised my mistake right away and tried to exterminate it with Malwarebytes 3.5.1, but it still keeps telling me that a website is blocked. https://gyazo.com/6595b867738b31b169c9b ... a091824661 The main annoyance is that it pops up when I open any website, as a notice that an outbound connection to an IP was blocked. I would like to change the passwords on the services I use, but ideally from a clean machine that would not immediately broadcast the new credentials to unauthorised eyes.

I attach the FRST log below.

Re: Vermin on the machine

Posted: 13 Sep 2018 16:04
by Rudy
Hello!
Run this utility:
Save AdwCleaner to your desktop: https://malwarebytes.com/adwcleaner/ or http://www.bleepingcomputer.com/download/adwcleaner/

close all programs
accept the licence terms (EULA) by clicking I agree
right-click the AdwCleaner icon and choose Run as administrator (on Windows XP just double-click it)
click Scan now, then Clean and Repair
after the restart a log will pop up (or you can find it in C:\AdwCleaner\Logs\AdwCleaner[Cxx].txt); copy its contents into your next reply

Re: Vermin on the machine

Posted: 13 Sep 2018 16:15
by Onyy
# -------------------------------
# Malwarebytes AdwCleaner 7.2.3.1
# -------------------------------
# Build: 09-03-2018
# Database: 2018-09-13.1 (Cloud)
# Support: https://www.malwarebytes.com/support
#
# -------------------------------
# Mode: Clean
# -------------------------------
# Start: 09-13-2018
# Duration: 00:00:01
# OS: Windows 10 Pro
# Cleaned: 11
# Failed: 1


***** [ Services ] *****

No malicious services cleaned.

***** [ Folders ] *****

Deleted C:\Users\ficon\AppData\Local\XService
Deleted C:\Users\ficon\AppData\Local\WhiteClick

***** [ Files ] *****

No malicious files cleaned.

***** [ DLL ] *****

No malicious DLLs cleaned.

***** [ WMI ] *****

No malicious WMI cleaned.

***** [ Shortcuts ] *****

No malicious shortcuts cleaned.

***** [ Tasks ] *****

No malicious tasks cleaned.

***** [ Registry ] *****

Deleted HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\11598763487076930564
Deleted HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF1F1901-098E-4B7E-BDAB-BBAD7AEC2086}
Deleted HKCU\Software\Conduit
Deleted HKLM\Software\Wow6432Node\Conduit
Deleted HKCU\Software\Microsoft\{cc6eb6d8-85b7-435p-8b86-51e4d16ea76d}
Deleted HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32|JServicesManager
Deleted HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run|JServicesManager

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries cleaned.

***** [ Chromium URLs ] *****

Deleted levneucebnice.cz
Not Deleted slunecnice.cz
Deleted Softonic EN

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries cleaned.

***** [ Firefox URLs ] *****

No malicious Firefox URLs cleaned.


*************************

[+] Delete Tracing Keys
[+] Reset Winsock

*************************

AdwCleaner[S00].txt - [2158 octets] - [13/09/2018 17:11:42]

########## EOF - C:\AdwCleaner\Logs\AdwCleaner[C00].txt ##########
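An added example (not code from this thread or from AdwCleaner) of how a helper could read a log like the one above: it parses the header fields, the `***** [ Section ] *****` headings and the `Deleted` / `Not Deleted` entry lines, lists what is still present, and checks that the per-entry counts agree with the `Cleaned:` and `Failed:` header fields. The log layout is assumed from the posted file only; the embedded sample is a constructed, abridged copy of it.

```python
"""Summarise a Malwarebytes AdwCleaner 'Clean' log.

Added example: not code from the thread or from AdwCleaner. It assumes only
the log layout visible in the posted file ('# Key: value' header lines,
'***** [ Section ] *****' headings, 'Deleted' / 'Not Deleted' entry lines).
"""
import re
from collections import defaultdict

# Constructed sample, abridged from the log posted above.
SAMPLE_LOG = r"""
# -------------------------------
# Malwarebytes AdwCleaner 7.2.3.1
# -------------------------------
# Mode: Clean
# OS: Windows 10 Pro
# Cleaned: 11
# Failed: 1

***** [ Services ] *****

No malicious services cleaned.

***** [ Folders ] *****

Deleted C:\Users\ficon\AppData\Local\XService
Deleted C:\Users\ficon\AppData\Local\WhiteClick

***** [ Registry ] *****

Deleted HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\11598763487076930564
Deleted HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF1F1901-098E-4B7E-BDAB-BBAD7AEC2086}
Deleted HKCU\Software\Conduit
Deleted HKLM\Software\Wow6432Node\Conduit
Deleted HKCU\Software\Microsoft\{cc6eb6d8-85b7-435p-8b86-51e4d16ea76d}
Deleted HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32|JServicesManager
Deleted HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run|JServicesManager

***** [ Chromium URLs ] *****

Deleted levneucebnice.cz
Not Deleted slunecnice.cz
Deleted Softonic EN

*************************

[+] Delete Tracing Keys
[+] Reset Winsock

########## EOF - C:\AdwCleaner\Logs\AdwCleaner[C00].txt ##########
"""

HEADER_RE = re.compile(r"^#\s*(?P<key>[A-Za-z ]+):\s*(?P<value>.+?)\s*$")
SECTION_RE = re.compile(r"^\*{5}\s*\[\s*(?P<name>.+?)\s*\]\s*\*{5}$")
ENTRY_RE = re.compile(r"^(?P<status>Not Deleted|Deleted)\s+(?P<item>.+?)\s*$")


def parse_adwcleaner_log(text):
    """Return (header dict, {section: [(status, item), ...]})."""
    header, sections, current = {}, defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m and current is None:  # header lines come before the first section
            header[m.group("key").strip()] = m.group("value")
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            sections[current].append((m.group("status"), m.group("item")))
    return header, dict(sections)


def summarize(text):
    """List what was removed, what is still present, and whether the
    per-entry counts agree with the 'Cleaned:' / 'Failed:' header fields."""
    header, sections = parse_adwcleaner_log(text)
    cleaned = [(sec, item) for sec, entries in sections.items()
               for status, item in entries if status == "Deleted"]
    remaining = [(sec, item) for sec, entries in sections.items()
                 for status, item in entries if status == "Not Deleted"]
    return {
        "mode": header.get("Mode"),
        "cleaned": cleaned,
        "remaining": remaining,
        "counts_match": (len(cleaned) == int(header.get("Cleaned", "0"))
                         and len(remaining) == int(header.get("Failed", "0"))),
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print(f"mode={result['mode']} cleaned={len(result['cleaned'])} "
          f"remaining={len(result['remaining'])} counts_match={result['counts_match']}")
    for sec, item in result["remaining"]:
        print(f"still present [{sec}]: {item}")
```

On the sample, the eleven `Deleted` entries and the one `Not Deleted` entry match the header, and the only item reported as still present is the `slunecnice.cz` Chromium URL entry, which is exactly the kind of leftover a helper would want to see before deciding on the next cleaning step.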

Re: Vermin on the machine

Posted: 13 Sep 2018 16:25
by Onyy
Sorry for the double post. But maybe I have realised what it might be. Specifically, it is a Chrome add-on against pop-up windows, and I took it for vermin because it was Malwarebytes that popped it up.

https://gyazo.com/48fd9d82c97c1ef31ad9520fdf8770ca But I would like to know whether you consider it a real risk, or just a potential risk.

Re: Vermin on the machine

Posted: 13 Sep 2018 16:58
by Rudy
If it is a legitimate add-on, we consider it fine. But it is clear that ADW deleted some adware. We will clean up further; post a new FRST log.

Re: Vermin on the machine

Posted: 13 Sep 2018 17:22
by Onyy
Attached.

Re: Vermin on the machine

Posted: 13 Sep 2018 18:10
by Rudy
Open Notepad and copy the following into it:
Start

CloseProcesses:
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [601424 2018-07-07] (Oracle Corporation)
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKU\S-1-5-21-3729285627-2482725458-3480958094-1001\...\Run: [Gyazo] => C:\Program Files (x86)\Gyazo\GyStation.exe [1384840 2018-08-08] (Nota Inc.)
CHR Extension: (Gyazo) - C:\Users\ficon\AppData\Local\Google\Chrome\User Data\Default\Extensions\ffdaeeijbbijklfcpahbghahojgfgebo [2018-07-05]
S1 grmvmsic; \??\C:\Windows\system32\drivers\grmvmsic.sys [X]
C:\Windows\{0C69FADD-7716-4819-9C40-ED20F950E1F6}
C:\Users\ficon\AppData\Roaming\0dqwquntpvd
C:\Program Files\a.exe
1601-01-03 21:33 - 1601-01-03 21:33 - 000178688 ____N (Microsoft Corporation) C:\Program Files (x86)\Common Files\UaZIcInA.exe
1601-01-03 21:33 - 1601-01-03 21:33 - 000060416 ____N (Microsoft Corporation) C:\Users\ficon\AppData\Roaming\oSEaYm.exe
ShellIconOverlayIdentifiers: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} => -> No File
Task: {15DC852F-B97C-423B-97BD-AC7C1A28D25E} - System32\Tasks\GyazoUpdateTaskMachineDaily => C:\Program Files (x86)\Gyazo\GyazoUpdate.exe [2018-08-08] (Nota Inc.)
Task: {2D8AEFDC-E099-4335-93B0-23FBB00D93ED} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2018-07-05] (Google Inc.)
Task: {50439A46-481F-4ED0-BA42-60302DC6CE2D} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2018-07-05] (Google Inc.)
Task: {CFE42D32-8702-465A-BAB8-B714C8A1A1DD} - System32\Tasks\GyazoUpdateTaskMachine => C:\Program Files (x86)\Gyazo\GyazoUpdate.exe [2018-08-08] (Nota Inc.)

EmptyTemp:
Hosts:
End
Save it to the desktop as fixlist.txt. Run FRST again and click >Fix<. When the action finishes a log will appear; copy it here.

Re: Vermin on the machine

Posted: 13 Sep 2018 21:17
by Onyy
Fix result of Farbar Recovery Scan Tool (x64) Version: 09.09.2018
Ran by ficon (13-09-2018 22:13:54) Run:1
Running from C:\Users\ficon\Desktop
Loaded Profiles: ficon (Available Profiles: ficon)
Boot Mode: Normal
==============================================

fixlist content:
*****************
Start

CloseProcesses:
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [601424 2018-07-07] (Oracle Corporation)
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKU\S-1-5-21-3729285627-2482725458-3480958094-1001\...\Run: [Gyazo] => C:\Program Files (x86)\Gyazo\GyStation.exe [1384840 2018-08-08] (Nota Inc.)
CHR Extension: (Gyazo) - C:\Users\ficon\AppData\Local\Google\Chrome\User Data\Default\Extensions\ffdaeeijbbijklfcpahbghahojgfgebo [2018-07-05]
S1 grmvmsic; \??\C:\Windows\system32\drivers\grmvmsic.sys [X]
C:\Windows\{0C69FADD-7716-4819-9C40-ED20F950E1F6}
C:\Users\ficon\AppData\Roaming\0dqwquntpvd
C:\Program Files\a.exe
1601-01-03 21:33 - 1601-01-03 21:33 - 000178688 ____N (Microsoft Corporation) C:\Program Files (x86)\Common Files\UaZIcInA.exe
1601-01-03 21:33 - 1601-01-03 21:33 - 000060416 ____N (Microsoft Corporation) C:\Users\ficon\AppData\Roaming\oSEaYm.exe
ShellIconOverlayIdentifiers: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} => -> No File
Task: {15DC852F-B97C-423B-97BD-AC7C1A28D25E} - System32\Tasks\GyazoUpdateTaskMachineDaily => C:\Program Files (x86)\Gyazo\GyazoUpdate.exe [2018-08-08] (Nota Inc.)
Task: {2D8AEFDC-E099-4335-93B0-23FBB00D93ED} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2018-07-05] (Google Inc.)
Task: {50439A46-481F-4ED0-BA42-60302DC6CE2D} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2018-07-05] (Google Inc.)
Task: {CFE42D32-8702-465A-BAB8-B714C8A1A1DD} - System32\Tasks\GyazoUpdateTaskMachine => C:\Program Files (x86)\Gyazo\GyazoUpdate.exe [2018-08-08] (Nota Inc.)

EmptyTemp:
Hosts:
End
*****************

Processes closed successfully.
"HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\SunJavaUpdateSched" => removed successfully
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender => could not remove, key could be protected
"HKU\S-1-5-21-3729285627-2482725458-3480958094-1001\Software\Microsoft\Windows\CurrentVersion\Run\\Gyazo" => removed successfully
CHR Extension: (Gyazo) - C:\Users\ficon\AppData\Local\Google\Chrome\User Data\Default\Extensions\ffdaeeijbbijklfcpahbghahojgfgebo [2018-07-05] => Error: No automatic fix found for this entry.
"HKLM\System\CurrentControlSet\Services\grmvmsic" => removed successfully
grmvmsic => service removed successfully
C:\Windows\{0C69FADD-7716-4819-9C40-ED20F950E1F6} => moved successfully
C:\Users\ficon\AppData\Roaming\0dqwquntpvd => moved successfully
C:\Program Files\a.exe => moved successfully
C:\Program Files (x86)\Common Files\UaZIcInA.exe => moved successfully
C:\Users\ficon\AppData\Roaming\oSEaYm.exe => moved successfully
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00avg" => removed successfully
HKLM\Software\Classes\CLSID\{472083B0-C522-11CF-8763-00608CC02F24} => not found
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{15DC852F-B97C-423B-97BD-AC7C1A28D25E}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{15DC852F-B97C-423B-97BD-AC7C1A28D25E}" => removed successfully
C:\Windows\System32\Tasks\GyazoUpdateTaskMachineDaily => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GyazoUpdateTaskMachineDaily" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{2D8AEFDC-E099-4335-93B0-23FBB00D93ED}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2D8AEFDC-E099-4335-93B0-23FBB00D93ED}" => removed successfully
C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GoogleUpdateTaskMachineUA" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{50439A46-481F-4ED0-BA42-60302DC6CE2D}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{50439A46-481F-4ED0-BA42-60302DC6CE2D}" => removed successfully
C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GoogleUpdateTaskMachineCore" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{CFE42D32-8702-465A-BAB8-B714C8A1A1DD}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CFE42D32-8702-465A-BAB8-B714C8A1A1DD}" => removed successfully
C:\Windows\System32\Tasks\GyazoUpdateTaskMachine => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GyazoUpdateTaskMachine" => removed successfully
C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.

=========== EmptyTemp: ==========

BITS transfer queue => 9986048 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 15215952 B
Java, Flash, Steam htmlcache => 52697857 B
Windows/system/drivers => 451844 B
Edge => 354357 B
Chrome => 709735828 B
Firefox => 0 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 0 B
LocalService => 0 B
NetworkService => 26692 B
NetworkService => 0 B
ficon => 128854833 B

RecycleBin => 13139256 B
EmptyTemp: => 887.4 MB temporary data Removed.

================================

Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 13-09-2018 22:14:59)


Result of scheduled keys to remove after reboot:

"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" => removed successfully

==== End of Fixlog 22:14:59 ====
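An added example (not code from this thread or from FRST) of reconciling the outcomes in a Fixlog like the one above. The point it shows is that a first-pass failure is not necessarily final: the Windows Defender policy key above reports `could not remove, key could be protected` and is then `removed successfully` in the after-reboot section, while the Chrome extension entry has no automatic fix and still needs manual handling. The result-line shapes and the `Result of scheduled keys to remove after reboot:` heading are assumed from the posted log only; the embedded sample is a constructed, abridged copy of it.

```python
"""Reconcile the outcomes in a FRST Fixlog.

Added example: not code from the thread or from FRST. It assumes only the
result-line shapes visible in the posted Fixlog ('<target> => removed
successfully', '... => moved successfully', '... => could not remove ...',
'... => Error: No automatic fix found ...', '... => not found') and the
'Result of scheduled keys to remove after reboot:' heading.
"""
import re

SUCCESS_RE = re.compile(r"\b(?:removed|moved) successfully\.?$")
# fragments FRST prints when an entry was not fixed on the spot
FAILURE_MEANINGS = {
    "could not remove": "not removed (protected key)",
    "No automatic fix found": "needs manual handling",
    "=> not found": "already absent",
}
REBOOT_HEADER = "Result of scheduled keys to remove after reboot:"
UNRESOLVED = {"not removed (protected key)", "needs manual handling"}

# Constructed sample, abridged from the Fixlog posted above.
SAMPLE_FIXLOG = r"""
Fix result of Farbar Recovery Scan Tool (x64) Version: 09.09.2018
Boot Mode: Normal

fixlist content:
*****************
Start
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
S1 grmvmsic; \??\C:\Windows\system32\drivers\grmvmsic.sys [X]
C:\Program Files\a.exe
End
*****************

Processes closed successfully.
"HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\SunJavaUpdateSched" => removed successfully
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender => could not remove, key could be protected
CHR Extension: (Gyazo) - C:\Users\ficon\AppData\Local\Google\Chrome\User Data\Default\Extensions\ffdaeeijbbijklfcpahbghahojgfgebo [2018-07-05] => Error: No automatic fix found for this entry.
"HKLM\System\CurrentControlSet\Services\grmvmsic" => removed successfully
grmvmsic => service removed successfully
C:\Program Files\a.exe => moved successfully
HKLM\Software\Classes\CLSID\{472083B0-C522-11CF-8763-00608CC02F24} => not found
C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.

=========== EmptyTemp: ==========

BITS transfer queue => 9986048 B
EmptyTemp: => 887.4 MB temporary data Removed.

================================

Result of scheduled keys to remove after reboot:

"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" => removed successfully

==== End of Fixlog 22:14:59 ====
"""


def _target(line):
    """The part before ' => ', without the quotes FRST puts around registry paths."""
    return line.split(" => ", 1)[0].strip().strip('"')


def classify_fixlog(text):
    """Map each attempted target to its final outcome; a later success
    (for example in the after-reboot section) overrides an earlier failure."""
    outcomes, in_fixlist, after_reboot = {}, False, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if set(line) == {"*"}:  # the echoed fixlist is fenced by rows of '*'
            in_fixlist = not in_fixlist
            continue
        if in_fixlist:
            continue
        if line == REBOOT_HEADER:
            after_reboot = True
            continue
        if " => " not in line:
            continue
        target = _target(line)
        if SUCCESS_RE.search(line):
            outcomes[target] = "fixed after reboot" if after_reboot else "fixed"
            continue
        for fragment, meaning in FAILURE_MEANINGS.items():
            if fragment in line and not outcomes.get(target, "").startswith("fixed"):
                outcomes[target] = meaning
    return outcomes


def unresolved(text):
    """Targets that still need attention after the fix and any reboot pass."""
    return [t for t, o in classify_fixlog(text).items() if o in UNRESOLVED]


if __name__ == "__main__":
    for target, outcome in classify_fixlog(SAMPLE_FIXLOG).items():
        print(f"{outcome:28} {target}")
    print("unresolved:", unresolved(SAMPLE_FIXLOG))
```

Lines in the EmptyTemp section also contain `=>` but carry byte counts rather than an outcome, so they are skipped on purpose; the echoed fixlist between the `*****************` rows is skipped as well, since it lists the requested entries, not their results.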

Re: Vermin on the machine

Posted: 16 Sep 2018 14:42
by Rudy
Deleted. Has anything changed?