VIRY.CZ

Dobrý den,

útočník měl fyzicky přístup k počítači, změnil heslo uživatele windows a heslo pro přístup do databáze SQL. Jelikož bylo heslo do databáze prakticky ihned, co jsem ho přenastavil, opět změněno, mám vážné podezření na keylogger. Ve výjimkách firewallu jsou podezřelé záznamy @firewallApi.dll,-80201 a @firewallApi.dll,-80206, což mě v tom jen utvrzuje. Děkuji za pomoc.

Zdravím!
Spusťte tuto utilitu:

Ulozte na plochu AdwCleaner https://malwarebytes.com/adwcleaner/ nebo http://www.bleepingcomputer.com/download/adwcleaner/

ukoncete vsechny programy
odsouhlaste licencni podmiky (EULA) klikem na Souhlasim
kliknete pravym na ikonu AdwCleaneru a vyberte Spustit jako spravce (v pripade Win XP spustte obycejne dvojklikem)
kliknete na Skenovat nyni (Scan now), pote na Cisteni a opravy (Clean and Repair)
po restartu na Vas vyskoci log (pripadne jej najdete v C:\AdwCleaner\Logs\AdwCleaner[Cxx].txt), jehoz obsah zkopirujte do pristi odpovedi

Děkuji.
Našlo to jen nastavení ikon od cloudu Mega, ale nechal jsem je radši odebrat. Možnost Clean and Repair mi to nenabídlo.

# -------------------------------
# Malwarebytes AdwCleaner 7.4.2.0
# -------------------------------
# Build: 10-21-2019
# Database: 2019-11-19.3 (Cloud)
# Support: https://www.malwarebytes.com/support
#
# -------------------------------
# Mode: Clean
# -------------------------------
# Start: 11-20-2019
# Duration: 00:00:01
# OS: Windows 10 Pro
# Cleaned: 4
# Failed: 0


***** [ Services ] *****

No malicious services cleaned.

***** [ Folders ] *****

No malicious folders cleaned.

***** [ Files ] *****

No malicious files cleaned.

***** [ DLL ] *****

No malicious DLLs cleaned.

***** [ WMI ] *****

No malicious WMI cleaned.

***** [ Shortcuts ] *****

No malicious shortcuts cleaned.

***** [ Tasks ] *****

No malicious tasks cleaned.

***** [ Registry ] *****

Deleted HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\###MegaShellExtPending
Deleted HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\###MegaShellExtSynced
Deleted HKLM\Software\Wow6432Node\\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\###MegaShellExtPending
Deleted HKLM\Software\Wow6432Node\\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\###MegaShellExtSynced

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries cleaned.

***** [ Chromium URLs ] *****

No malicious Chromium URLs cleaned.

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries cleaned.

***** [ Firefox URLs ] *****

No malicious Firefox URLs cleaned.

***** [ Preinstalled Software ] *****

No Preinstalled Software cleaned.


*************************

[+] Delete Tracing Keys
[+] Reset Winsock

*************************

AdwCleaner_Debug.log - [19121 octets] - [20/11/2019 08:36:07]
AdwCleaner[S00].txt - [1933 octets] - [20/11/2019 08:36:34]
AdwCleaner[S01].txt - [1995 octets] - [20/11/2019 10:33:44]

########## EOF - C:\AdwCleaner\Logs\AdwCleaner[C01].txt ##########

Dejte nové logy FRST+Addition.

Tady jsou

Otevřte poznámkový blok a zkopírujte do něj:

Start

CloseProcesses:
Task: {2240BE0F-9FAC-4CB5-9D2B-E7F9E7E924A4} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [154440 2016-07-12] (Google Inc -> Google Inc.)
Task: {C2E89C95-AC3B-4589-9E5F-1886EB3F210D} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [154440 2016-07-12] (Google Inc -> Google Inc.)
C:\WINDOWS\system32\Tasks\GoogleUpdateTaskMachineUA
C:\WINDOWS\system32\Tasks\GoogleUpdateTaskMachineCore
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => -> No File
FirewallRules: [{7819FCBB-F7C7-4390-87F9-A1DCAF558AF2}] => (Allow) C:\Program Files (x86)\ZebraNetworkSystems\NeoRouter\NRService.exe No File
FirewallRules: [{BF634543-FE40-4864-BE45-50B57A77304F}] => (Allow) C:\Program Files (x86)\ZebraNetworkSystems\NeoRouter\NRService.exe No File
FirewallRules: [{467CE921-49EC-4B71-BE1C-2C30DDAA85A6}] => (Allow) C:\Program Files (x86)\ZebraNetworkSystems\NeoRouter\NRServer.exe No File
FirewallRules: [{BEC834EC-4CB9-4C67-AF8E-6908B49D3B90}] => (Allow) C:\Program Files (x86)\ZebraNetworkSystems\NeoRouter\NRServer.exe No File
FirewallRules: [{A2C86532-CE79-4B12-86C2-2593315F1EF5}] => (Allow) C:\Program Files (x86)\ZebraNetworkSystems\NeoRouter\NRService.exe No File
FirewallRules: [{6BC58E4B-54F9-4E30-8CB3-CCFAAD7CBD24}] => (Allow) C:\Program Files (x86)\ZebraNetworkSystems\NeoRouter\NRService.exe No File
FirewallRules: [{44AF95DD-21E8-45EF-9B91-99F4D8FF9D9D}] => (Allow) C:\Program Files (x86)\ZebraNetworkSystems\NeoRouter\NRServer.exe No File
FirewallRules: [{9D2B50E9-FB30-47DD-9025-2F62B5E15CA5}] => (Allow) C:\Program Files (x86)\ZebraNetworkSystems\NeoRouter\NRServer.exe No File
FirewallRules: [{A2C9C0F6-BB85-45CE-9C19-FC3BBCBB3C1F}] => (Allow) %ProgramFiles%\Microsoft SQL Server\MSSQL13.SQL2016\MSSQL\Binn\sqlservr.exe No File
FirewallRules: [{AA81D75D-5621-4F11-BF41-AAE5B7C8A23E}] => (Allow) %ProgramFiles% (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe No File
FirewallRules: [{F3281BB6-F459-4E21-B89E-02270F7B7346}] => (Allow) %ProgramFiles% (x86)\SDServer\SDServer.exe No File
FirewallRules: [{A6F82E38-405C-410B-AC6A-5C73BEB1510F}] => (Allow) %ProgramFiles% (x86)\LCS International\Helios IQ\Helios.EXE No File
FirewallRules: [{33697AD6-4CFD-424B-AC44-56B291460680}] => (Allow) %ProgramFiles% (x86)\LCS International\Helios IQ\Helios.EXE No File
FirewallRules: [{34BAA8A1-4E70-4A38-8AF7-BFE57852CD8D}] => (Allow) %ProgramFiles% (x86)\LCS International\Helios IQ\Helios.EXE No File

EmptyTemp:
End

Uložte na plochu jako fixlist.txt. Spusťte znovu FRST a klikněte na >Fix<. Po skončení akce se objeví log, který sem zkopírujte.

Můžu mít nejprve dotaz, proč odebíráme tato pravidla? Neorouter chápu, už v počítači ani není a pro nastavení VPN to není dobrá možnost. Kdysi jsem to zkoušel. Ale Helios, SD server a SQL server se používá. Nejsem si tedy jistý, jestli jsou tato pravidla pro jejich fungovaní nutná, ale ty soubory existují. Možná se vám nelíbí, že jsou některá pravidla i pro veřejné sítě. To proto, že nám často vypadává proud, po nahození se síť přenastaví na veřejnou a tím pádem není z jiného počítače přístup na SQL server a sdílené složky, dokud se nenastaví zpět na privátní. Byl jsem tedy nucen nastavit pravidlo i pro veřejné sítě.
Mám k vám plnou důvěru a tak se omlouvám, pokud je dotaz hloupý.

Je tam uvedeno "No file". To je informace o tom, že chybí soubor. Pravidlo zůstalo, leč nemá vztah k ničemu, co máte v PC. Kdyby se někdy v budoucnu soubor objevil a dožadoval se o přístup na síť, pravidlo se znovu vytvoří.

To mě právě mátlo, protože těch posledních 6 souborů na disku je, kontroloval jsem to, ale neva. Kdyžtak přidám znova.

Fix result of Farbar Recovery Scan Tool (x64) Version: 19-11-2019
Ran by pc (20-11-2019 19:12:58) Run:1
Running from C:\Users\pc\Desktop
Loaded Profiles: pc & 22hlav & MSSQLFDLauncher$SQL2016 & SQLTELEMETRY$SQL2016 & MSSQL$SQL2016 & ReportServer$SQL2016 & MSSQLLaunchpad$SQL2016 (Available Profiles: pc & stroj & 22hlav & Host & MSSQLFDLauncher$SQL2016 & SQLTELEMETRY$SQL2016 & MSSQL$SQL2016 & ReportServer$SQL2016 & MSSQLLaunchpad$SQL2016)
Boot Mode: Normal
==============================================

fixlist content:
*****************
Start

CloseProcesses:
Task: {2240BE0F-9FAC-4CB5-9D2B-E7F9E7E924A4} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [154440 2016-07-12] (Google Inc -> Google Inc.)
Task: {C2E89C95-AC3B-4589-9E5F-1886EB3F210D} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [154440 2016-07-12] (Google Inc -> Google Inc.)
C:\WINDOWS\system32\Tasks\GoogleUpdateTaskMachineUA
C:\WINDOWS\system32\Tasks\GoogleUpdateTaskMachineCore
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => -> No File
FirewallRules: [{7819FCBB-F7C7-4390-87F9-A1DCAF558AF2}] => (Allow) C:\Program Files (x86)\ZebraNetworkSystems\NeoRouter\NRService.exe No File
FirewallRules: [{BF634543-FE40-4864-BE45-50B57A77304F}] => (Allow) C:\Program Files (x86)\ZebraNetworkSystems\NeoRouter\NRService.exe No File
FirewallRules: [{467CE921-49EC-4B71-BE1C-2C30DDAA85A6}] => (Allow) C:\Program Files (x86)\ZebraNetworkSystems\NeoRouter\NRServer.exe No File
FirewallRules: [{BEC834EC-4CB9-4C67-AF8E-6908B49D3B90}] => (Allow) C:\Program Files (x86)\ZebraNetworkSystems\NeoRouter\NRServer.exe No File
FirewallRules: [{A2C86532-CE79-4B12-86C2-2593315F1EF5}] => (Allow) C:\Program Files (x86)\ZebraNetworkSystems\NeoRouter\NRService.exe No File
FirewallRules: [{6BC58E4B-54F9-4E30-8CB3-CCFAAD7CBD24}] => (Allow) C:\Program Files (x86)\ZebraNetworkSystems\NeoRouter\NRService.exe No File
FirewallRules: [{44AF95DD-21E8-45EF-9B91-99F4D8FF9D9D}] => (Allow) C:\Program Files (x86)\ZebraNetworkSystems\NeoRouter\NRServer.exe No File
FirewallRules: [{9D2B50E9-FB30-47DD-9025-2F62B5E15CA5}] => (Allow) C:\Program Files (x86)\ZebraNetworkSystems\NeoRouter\NRServer.exe No File
FirewallRules: [{A2C9C0F6-BB85-45CE-9C19-FC3BBCBB3C1F}] => (Allow) %ProgramFiles%\Microsoft SQL Server\MSSQL13.SQL2016\MSSQL\Binn\sqlservr.exe No File
FirewallRules: [{AA81D75D-5621-4F11-BF41-AAE5B7C8A23E}] => (Allow) %ProgramFiles% (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe No File
FirewallRules: [{F3281BB6-F459-4E21-B89E-02270F7B7346}] => (Allow) %ProgramFiles% (x86)\SDServer\SDServer.exe No File
FirewallRules: [{A6F82E38-405C-410B-AC6A-5C73BEB1510F}] => (Allow) %ProgramFiles% (x86)\LCS International\Helios IQ\Helios.EXE No File
FirewallRules: [{33697AD6-4CFD-424B-AC44-56B291460680}] => (Allow) %ProgramFiles% (x86)\LCS International\Helios IQ\Helios.EXE No File
FirewallRules: [{34BAA8A1-4E70-4A38-8AF7-BFE57852CD8D}] => (Allow) %ProgramFiles% (x86)\LCS International\Helios IQ\Helios.EXE No File

EmptyTemp:
End
*****************

Processes closed successfully.
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{2240BE0F-9FAC-4CB5-9D2B-E7F9E7E924A4}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2240BE0F-9FAC-4CB5-9D2B-E7F9E7E924A4}" => removed successfully
C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineCore => moved successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GoogleUpdateTaskMachineCore" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{C2E89C95-AC3B-4589-9E5F-1886EB3F210D}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C2E89C95-AC3B-4589-9E5F-1886EB3F210D}" => removed successfully
C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineUA => moved successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GoogleUpdateTaskMachineUA" => removed successfully
"C:\WINDOWS\system32\Tasks\GoogleUpdateTaskMachineUA" => not found
"C:\WINDOWS\system32\Tasks\GoogleUpdateTaskMachineCore" => not found
HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers\igfxcui => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{7819FCBB-F7C7-4390-87F9-A1DCAF558AF2}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{BF634543-FE40-4864-BE45-50B57A77304F}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{467CE921-49EC-4B71-BE1C-2C30DDAA85A6}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{BEC834EC-4CB9-4C67-AF8E-6908B49D3B90}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{A2C86532-CE79-4B12-86C2-2593315F1EF5}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{6BC58E4B-54F9-4E30-8CB3-CCFAAD7CBD24}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{44AF95DD-21E8-45EF-9B91-99F4D8FF9D9D}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{9D2B50E9-FB30-47DD-9025-2F62B5E15CA5}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{A2C9C0F6-BB85-45CE-9C19-FC3BBCBB3C1F}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{AA81D75D-5621-4F11-BF41-AAE5B7C8A23E}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{F3281BB6-F459-4E21-B89E-02270F7B7346}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{A6F82E38-405C-410B-AC6A-5C73BEB1510F}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{33697AD6-4CFD-424B-AC44-56B291460680}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{34BAA8A1-4E70-4A38-8AF7-BFE57852CD8D}" => removed successfully

=========== EmptyTemp: ==========

BITS transfer queue => 10248192 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 50115354 B
Java, Flash, Steam htmlcache => 506 B
Windows/system/drivers => 18611204855 B
Edge => 2211307 B
Chrome => 323311893 B
Firefox => 0 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 0 B
NetworkService => 281750 B
pc => 1508991578 B
stroj => 1600804208 B
22hlav => 1686672487 B
Host => 1765509194 B
sadmin => 1765521651 B
MSSQLFDLauncher$SQL2016 => 1765521651 B
SQLTELEMETRY$SQL2016 => 1765521651 B
MSSQL$SQL2016 => 1765521651 B
ReportServer$SQL2016 => 1765521651 B
MSSQLLaunchpad$SQL2016 => 1765528819 B

RecycleBin => 210807 B
EmptyTemp: => 33.7 GB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 19:15:52 ====

Smazáno. Nastala nějaká změna?

No heslo do databáze už nikdo nezměnil a když nad tím tak přemýšlím, je dost pravděpodobné, že jsem jen ráno zapomněl, jaké heslo jsem večer nastavil a vyšiloval jsem tedy zbytečně. Musel jsem znovu přidat pravidla pro SQL server do firewallu a jinak žádný problém.
Jestli tedy podle vás nic nenasvědčuje přítomnosti keyloggeru, byl to planý poplach. Omlouvám se a děkuji za kontrolu.

Žádný keylogger jsem v systému neviděl. Nic se nesalo a nemáte zač.