
detected threat - ESET

Posted: 01 Oct 2020 14:58
by teera
Hi,

could I ask you to check the attached logs?
Today ESET Smart Security reported that it deleted a suspicious file. What surprised me even more is that it was in the directory c:\inetpub (I don't have IIS installed).

01.10.2020 15:18:05;Rezidentní ochrana souborového systému;soubor;C:\inetpub\00-3483356.doc;VBA/TrojanDropper.Agent.AUN trojský kůň;vyléčen smazáním;Tato událost nastala při pokusu o přístup k souboru aplikace: C:\Windows\System32\RuntimeBroker.exe (7AE43B9B9DF5C5B8C0B26C36FF02557CEEF13E27).;BF67D37BC07AC941ABE2866B394823080823775F;11.02.2020 13:11:42

I wasn't doing anything at the time, at least nothing that should have endangered my PC. I think I was reading some news on Seznam.

thank you for any reply.

T
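
A parser for the ESET detection record quoted above, added here as an example (it is not from the thread or from ESET): it splits the semicolon-separated export into columns, pulls the accessing application and both SHA-1 hashes out of the information column, and reports what a responder would note first (what, where, action, time on disk, which process triggered the on-access scan). The column order and the meaning of the last field as "first seen here" are assumptions taken from this single record.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Column order assumed from the single record quoted in the post (ESET
# detection export, semicolon-delimited): time; scanner; object type;
# object; detection; action; information; SHA-1; first seen here.
FIELDS = "time scanner object_type object detection action info sha1 first_seen".split()
# Accessing application path and its SHA-1 inside the information column.
ACCESSOR_RE = re.compile(r"([A-Za-z]:\\[^(;]+?)\s*\(([0-9A-F]{40})\)")
# Constructed sample: the record from the post, as ESET exported it.
SAMPLE = (
    r"01.10.2020 15:18:05;Rezidentní ochrana souborového systému;soubor;"
    r"C:\inetpub\00-3483356.doc;VBA/TrojanDropper.Agent.AUN trojský kůň;"
    r"vyléčen smazáním;Tato událost nastala při pokusu o přístup k souboru "
    r"aplikace: C:\Windows\System32\RuntimeBroker.exe "
    r"(7AE43B9B9DF5C5B8C0B26C36FF02557CEEF13E27).;"
    r"BF67D37BC07AC941ABE2866B394823080823775F;11.02.2020 13:11:42"
)

@dataclass
class Detection:
    time: datetime
    path: str
    detection: str
    action: str
    sha1: str
    first_seen: datetime
    accessor: str        # None when the information column names no process
    accessor_sha1: str   # None likewise

def parse(line: str) -> Detection:
    parts = line.rstrip("\r\n").split(";")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    m = ACCESSOR_RE.search(rec["info"])
    ts = lambda s: datetime.strptime(s, "%d.%m.%Y %H:%M:%S")
    return Detection(ts(rec["time"]), rec["object"], rec["detection"],
                     rec["action"], rec["sha1"], ts(rec["first_seen"]),
                     m.group(1) if m else None, m.group(2) if m else None)

def triage(d: Detection) -> list:
    # What, where, action taken, how long on disk, which process touched it.
    notes = [f"{d.detection} in {d.path}; action: {d.action}"]
    dwell = (d.time - d.first_seen).days
    if dwell > 0:
        notes.append(f"file first seen {dwell} days before detection")
    if d.accessor:
        notes.append(f"on-access scan triggered by {d.accessor}")
    return notes
```

Run against the sample, the dwell time shows the document had been on disk since February, which answers the "what did ESET catch" question more precisely than the action column alone.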

Re: detected threat - ESET

Posted: 01 Oct 2020 16:02
by Rudy
Hello!
Run this utility:
Save AdwCleaner to your desktop: https://malwarebytes.com/adwcleaner/ or http://www.bleepingcomputer.com/download/adwcleaner/

close all programs
accept the license terms (EULA) by clicking I agree
right-click the AdwCleaner icon and choose Run as administrator (on Windows XP just double-click it)
click Scan now, then Clean and Repair
after the reboot a log will pop up (or you will find it in C:\AdwCleaner\Logs\AdwCleaner[Cxx].txt); copy its contents into your next reply

Re: detected threat - ESET

Posted: 01 Oct 2020 19:47
by teera
here is the log. it found nothing to clean and didn't even want a reboot.

thanks
T

Re: detected threat - ESET

Posted: 01 Oct 2020 20:06
by Rudy
This is OK. Open Notepad and copy the following into it:
Start

CloseProcesses:
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [710264 2020-06-18] (Oracle America, Inc. -> Oracle Corporation)
HKU\S-1-5-21-4038866813-1698164822-354589963-1002\...\MountPoints2: {3ad1d00a-8207-11e9-8445-f4d108537590} - "E:\HiSuiteDownLoader.exe"
GroupPolicy: Restriction ? <==== ATTENTION
Task: {079CD921-921A-4488-BF49-B7E0F914505D} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [156456 2019-04-29] (Google Inc -> Google LLC)
Task: {F5C03172-5101-4ECA-9501-A78C3E09212F} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [156456 2019-04-29] (Google Inc -> Google LLC)
ContextMenuHandlers1: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => -> No File
ContextMenuHandlers1: [ANotepad++64] -> {B298D29A-A6ED-11DE-BA8C-A68E55D89593} => -> No File
ContextMenuHandlers1: [BriefcaseMenu] -> {85BBD920-42A0-1069-A2E4-08002B30309D} => -> No File
ContextMenuHandlers3: [{4A7C4306-57E0-4C0C-83A9-78C1528F618C}] -> {4A7C4306-57E0-4C0C-83A9-78C1528F618C} => -> No File
ContextMenuHandlers4: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => -> No File
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => -> No File
ContextMenuHandlers6: [BriefcaseMenu] -> {85BBD920-42A0-1069-A2E4-08002B30309D} => -> No File
AlternateDataStreams: C:\ProgramData\Reprise:wupeogjxlctlfudivq`qsp`28hfm [0]
FirewallRules: [{07434CF5-968E-4F79-8441-76351D009784}] => (Allow) C:\Program Files (x86)\EaseUS\Todo Backup\bin\TodoBackupService.exe => No File
FirewallRules: [{74EF8AC9-C45B-4DE6-B9E8-CB3218EDEDA5}] => (Allow) C:\Program Files (x86)\EaseUS\Todo Backup\bin\TodoBackupService.exe => No File
FirewallRules: [{EF5BBDAA-1060-4FFB-BE4E-C06D237A0DE7}] => (Allow) C:\Users\Ladislav Prochazka\AppData\Roaming\Zoom\bin\airhost.exe => No File
FirewallRules: [{6F537DDE-6E0C-4F42-BFB3-3962FA862FD0}] => (Allow) C:\Program Files (x86)\Java\jre1.8.0_251\bin\java.exe => No File
FirewallRules: [{C2C98050-526D-4B32-B944-C4934841238D}] => (Allow) C:\Program Files (x86)\Java\jre1.8.0_251\bin\java.exe => No File

EmptyTemp:
Hosts:
End
Save it to the desktop as fixlist.txt. Run FRST again and click >Fix<. When it finishes, a log will appear; copy it here.

Re: detected threat - ESET

Posted: 01 Oct 2020 20:18
by teera
here it is.

thank you
T

Fix result of Farbar Recovery Scan Tool (x64) Version: 30-09-2020
Ran by Ladislav Prochazka (01-10-2020 21:10:14) Run:1
Running from C:\Users\Ladislav Prochazka\Desktop
Loaded Profiles: Ladislav Prochazka
Boot Mode: Normal
==============================================

fixlist content:
*****************
Start

CloseProcesses:
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [710264 2020-06-18] (Oracle America, Inc. -> Oracle Corporation)
HKU\S-1-5-21-4038866813-1698164822-354589963-1002\...\MountPoints2: {3ad1d00a-8207-11e9-8445-f4d108537590} - "E:\HiSuiteDownLoader.exe"
GroupPolicy: Restriction ? <==== ATTENTION
Task: {079CD921-921A-4488-BF49-B7E0F914505D} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [156456 2019-04-29] (Google Inc -> Google LLC)
Task: {F5C03172-5101-4ECA-9501-A78C3E09212F} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [156456 2019-04-29] (Google Inc -> Google LLC)
ContextMenuHandlers1: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => -> No File
ContextMenuHandlers1: [ANotepad++64] -> {B298D29A-A6ED-11DE-BA8C-A68E55D89593} => -> No File
ContextMenuHandlers1: [BriefcaseMenu] -> {85BBD920-42A0-1069-A2E4-08002B30309D} => -> No File
ContextMenuHandlers3: [{4A7C4306-57E0-4C0C-83A9-78C1528F618C}] -> {4A7C4306-57E0-4C0C-83A9-78C1528F618C} => -> No File
ContextMenuHandlers4: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => -> No File
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => -> No File
ContextMenuHandlers6: [BriefcaseMenu] -> {85BBD920-42A0-1069-A2E4-08002B30309D} => -> No File
AlternateDataStreams: C:\ProgramData\Reprise:wupeogjxlctlfudivq`qsp`28hfm [0]
FirewallRules: [{07434CF5-968E-4F79-8441-76351D009784}] => (Allow) C:\Program Files (x86)\EaseUS\Todo Backup\bin\TodoBackupService.exe => No File
FirewallRules: [{74EF8AC9-C45B-4DE6-B9E8-CB3218EDEDA5}] => (Allow) C:\Program Files (x86)\EaseUS\Todo Backup\bin\TodoBackupService.exe => No File
FirewallRules: [{EF5BBDAA-1060-4FFB-BE4E-C06D237A0DE7}] => (Allow) C:\Users\Ladislav Prochazka\AppData\Roaming\Zoom\bin\airhost.exe => No File
FirewallRules: [{6F537DDE-6E0C-4F42-BFB3-3962FA862FD0}] => (Allow) C:\Program Files (x86)\Java\jre1.8.0_251\bin\java.exe => No File
FirewallRules: [{C2C98050-526D-4B32-B944-C4934841238D}] => (Allow) C:\Program Files (x86)\Java\jre1.8.0_251\bin\java.exe => No File

EmptyTemp:
Hosts:
End
*****************

Processes closed successfully.
"HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\SunJavaUpdateSched" => removed successfully
HKU\S-1-5-21-4038866813-1698164822-354589963-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3ad1d00a-8207-11e9-8445-f4d108537590} => removed successfully
C:\WINDOWS\system32\GroupPolicy\Machine => moved successfully
C:\WINDOWS\system32\GroupPolicy\GPT.ini => moved successfully
C:\WINDOWS\SysWOW64\GroupPolicy\GPT.ini => moved successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{079CD921-921A-4488-BF49-B7E0F914505D}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{079CD921-921A-4488-BF49-B7E0F914505D}" => removed successfully
C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineCore => moved successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GoogleUpdateTaskMachineCore" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{F5C03172-5101-4ECA-9501-A78C3E09212F}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F5C03172-5101-4ECA-9501-A78C3E09212F}" => removed successfully
C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineUA => moved successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GoogleUpdateTaskMachineUA" => removed successfully
HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers\7-Zip => removed successfully
HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers\ANotepad++64 => removed successfully
HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers\BriefcaseMenu => removed successfully
"HKLM\Software\Classes\CLSID\{85BBD920-42A0-1069-A2E4-08002B30309D}" => removed successfully
HKLM\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers\{4A7C4306-57E0-4C0C-83A9-78C1528F618C} => removed successfully
HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers\7-Zip => removed successfully
HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers\igfxcui => removed successfully
HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers\BriefcaseMenu => removed successfully
C:\ProgramData\Reprise => ":wupeogjxlctlfudivq`qsp`28hfm" ADS removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{07434CF5-968E-4F79-8441-76351D009784}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{74EF8AC9-C45B-4DE6-B9E8-CB3218EDEDA5}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{EF5BBDAA-1060-4FFB-BE4E-C06D237A0DE7}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{6F537DDE-6E0C-4F42-BFB3-3962FA862FD0}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{C2C98050-526D-4B32-B944-C4934841238D}" => removed successfully
C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.

=========== EmptyTemp: ==========

BITS transfer queue => 10510336 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 862463653 B
Java, Flash, Steam htmlcache => 1110 B
Windows/system/drivers => 26883031 B
Edge => 64862470 B
Chrome => 296281544 B
Firefox => 1320446961 B
Opera => 26236899 B

Temp, IE cache, history, cookies, recent:
Default => 6656 B
Users => 6656 B
ProgramData => 6656 B
Public => 6656 B
systemprofile => 6656 B
systemprofile32 => 6656 B
LocalService => 452934 B
NetworkService => 471948 B
Ladislav Prochazka => 1303634708 B

RecycleBin => 13011 B
EmptyTemp: => 3.6 GB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 21:15:12 ====

Re: detected threat - ESET

Posted: 01 Oct 2020 20:53
by Rudy
Deleted, the log is OK now. It was more or less junk.

Re: detected threat - ESET

Posted: 02 Oct 2020 13:01
by teera
Thank you,

what mainly bothers me is what ESET actually caught.

thanks
T

Re: detected threat - ESET

Posted: 02 Oct 2020 14:35
by Rudy
Some junk in a *.doc file. Such files can be infected. It was a trojan and the file was deleted.