
Backdoor.NetWiredRC.E

Posted: 16 Dec 2020 23:58
by mino_85
Hello,
I'm looking for help removing this backdoor.
It was scanned and removed with Malwarebytes, but after restarting the PC it is active again (even after an offline restart). It lives in the registry: one detection is a registry key, the other a registry value.
Attached are the zipped FRST logs, and below is a screenshot of the Malwarebytes scan.
Thank you for your help.
Desktop.zip
(33.93 KiB) Downloaded 91 times
[image]

Re: Backdoor.NetWiredRC.E

Posted: 17 Dec 2020 02:44
by Conder
Hi :)

Run a full scan in Malwarebytes:
  • Open Malwarebytes and click "Scanner"
  • Click "Advanced scanners" and then "Configure scan"
  • On the right, tick all drives in the PC; on the left, tick the option "Scan for rootkits"
  • Click "Scan" and wait for it to finish
  • When it finishes, click "View report" -> "Export" -> "Copy to clipboard"
  • Paste the copied log into your next reply

Re: Backdoor.NetWiredRC.E

Posted: 17 Dec 2020 20:35
by mino_85
Here is the Malwarebytes report:
Malwarebytes
www.malwarebytes.com

-Podrobnosti denníka-
Dátum skenovania: 17. 12. 2020
Čas skenovania: 18:45
Súbor denníka: b7c30e8c-408f-11eb-a4d9-3c7c3fd7cfdf.json

-Údaje o softvéri-
Verzia: 4.3.0.98
Verzia súčastí: 1.0.1130
Aktualizovať verziu balíka: 1.0.34463
Licencia: Skúšobná verzia

-Systémové informácie-
OS: Windows 10 (Build 19041.685)
Procesor: x64
Systém súborov: NTFS
Používateľ: MARIAN-PC\Marian

-Zhrnutie skenovania-
Typ skenovania: Vlastné skenovanie
Skenovanie bolo spustené: Manuálne
Výsledok: Dokončené
Preskenované objekty: 941607
Zistené hrozby: 2
Hrozby umiestnené do karantény: 0
Uplynulý čas: 1 h, 7 min, 48 s

-Možnosti skenovania-
Pamäť: Povolené
Spúšťanie: Povolené
Systém súborov: Povolené
Archívy: Povolené
Rootkity: Povolené
Heuristika: Povolené
PUP: Zistiť
PUM: Zistiť

-Podrobnosti skenovania-
Proces: 0
(Nezistili sa nijaké škodlivé položky)

Modul: 0
(Nezistili sa nijaké škodlivé položky)

Kľúč databázy Registry: 1
Backdoor.NetWiredRC.E, HKU\S-1-5-21-4254316458-2841474531-1994623767-1001\SOFTWARE\NETWIRE, Bez zásahu používateľa, 8721, 778974, 1.0.34463, , ame, , ,

Hodnota databázy Registry: 1
Backdoor.NetWiredRC.E, HKU\S-1-5-21-4254316458-2841474531-1994623767-1001\SOFTWARE\NETWIRE|HOSTID, Bez zásahu používateľa, 8721, 778974, 1.0.34463, , ame, , ,

Údaje databázy Registry: 0
(Nezistili sa nijaké škodlivé položky)

Prúd údajov: 0
(Nezistili sa nijaké škodlivé položky)

Priečinok: 0
(Nezistili sa nijaké škodlivé položky)

Súbor: 0
(Nezistili sa nijaké škodlivé položky)

Fyzický sektor: 0
(Nezistili sa nijaké škodlivé položky)

WMI: 0
(Nezistili sa nijaké škodlivé položky)


(end)

Re: Backdoor.NetWiredRC.E

Posted: 19 Dec 2020 03:11
by Conder
Also run a scan with KVRT: https://www.kaspersky.com/downloads/tha ... moval-tool
Download it via the red "Download Now" button and run the downloaded program as administrator
Click "Change Parameters" and tick the "System Drive" option
Click "Start Scan" and wait for it to finish
If anything is found, take a screenshot: press the Print Screen key, open Paint, press Ctrl+V and save the image to the desktop (KVRT does not let you create a copyable log)
Let it delete the findings: click "Neutralize all" and then "Continue" (a PC restart may also be required)
Send the saved image as an attachment to your next post, or upload it to some file hosting site and post the link

Re: Backdoor.NetWiredRC.E

Posted: 19 Dec 2020 12:10
by mino_85
An update: I managed to get rid of it the day before yesterday... Kaspersky found some dll, which I deleted; unfortunately I didn't take a screenshot of it for documentation purposes.
Then I deleted those two registry items once more via Malwarebytes; before that, to be safe, I went offline and also deleted all older system restore points.
After a restart everything seems clean, scanned with both Kaspersky and Malwarebytes. I'm checking it periodically and will keep an eye on it.
If anything changes, I'll report back. Thanks for your willingness to help in any case.

Re: Backdoor.NetWiredRC.E

Posted: 20 Dec 2020 03:58
by Conder
Was it Kaspersky Virus Removal Tool? The detected and deleted files should be viewable via the Quarantine or Report option.

Re: Backdoor.NetWiredRC.E

Posted: 25 Dec 2020 16:25
by mino_85
Yes, it was KVRT; specifically, as on the screenshot, it was not a dll but an au3. Some kind of script, if I understand correctly.

[image]

Re: Backdoor.NetWiredRC.E

Posted: 27 Dec 2020 23:58
by Conder
OK, the malware is probably no longer active, but some remnants of it are still on the PC and need to be cleaned up manually, so please post both new FRST logs.

Re: Backdoor.NetWiredRC.E

Posted: 28 Dec 2020 22:16
by mino_85
The logs are in the attached zip, thank you.
FRST.zip
(33.84 KiB) Downloaded 76 times

Re: Backdoor.NetWiredRC.E

Posted: 30 Dec 2020 01:31
by Conder
Open Notepad (Win+R -> notepad -> Enter)
  • Copy the following text and paste it into Notepad:

    Code:

    Start
    CloseProcesses:
    CreateRestorePoint:
    
    PowerShell: Get-ChildItem -Path "$ENV:USERPROFILE\Desktop" -Recurse -Force | Measure-Object -Property Length -Sum
    File: C:\Program Files (x86)\ASUS\ArmouryDevice\dll\AIOFanSDK\ArmouryAIOFanServer.exe
    File: C:\Program Files\ACD Systems\ACDSee Ultimate\10.0\ACDSeeCommanderUltimate10.exe
    File: C:\Users\maria\AppData\Roaming\4kDownload\Backup files\CorelRun.exe
    File: C:\Windows\System32\drivers\BthA2dp.sys
    Folder: C:\Users\maria\AppData\Roaming\winini
    Folder: C:\Windows\winini
    
    2020-12-16 12:27 - 2020-12-17 18:25 - 000000000 ____D C:\Users\maria\AppData\Roaming\winini
    2020-12-16 00:46 - 2020-12-17 21:47 - 000000000 ____D C:\Windows\winini
    
    HKU\S-1-5-21-4254316458-2841474531-1994623767-1001\...\MountPoints2: E - "E:\Autoplay.exe" -auto
    HKU\S-1-5-21-4254316458-2841474531-1994623767-1001\...\MountPoints2: G - "G:\setup.exe" 
    ContextMenuHandlers4: [PowerISO] -> {967B2D40-8B7D-4127-9049-61EA0C2C6DCE} =>  -> No File
    ContextMenuHandlers6: [PowerISO] -> {967B2D40-8B7D-4127-9049-61EA0C2C6DCE} =>  -> No File
    AlternateDataStreams: C:\ProgramData\TEMP:4FC01C57 [140]
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\02455493.sys => ""="Driver"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\02455493.sys => ""="Driver"
    
    Hosts:
    EmptyTemp:
    End
  • Save it to the desktop as fixlist.txt
  • Run FRST again and click Fix
  • When it finishes, FRST will ask for a PC restart; confirm by clicking OK
  • After the restart there will be a Fixlog.txt file on the desktop; copy its contents and paste them into your next reply
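As an added example that is not part of this thread, of FRST or of Malwarebytes: a read-only PowerShell check for the remnants named in the logs above (the NETWIRE key with its HOSTID value, the two winini folders and the 02455493.sys SafeBoot entries). It assumes it is run as the affected user, so that HKCU: maps to the HKU\S-1-5-21-...-1001 hive Malwarebytes reported; it only reports and deletes nothing, the cleanup itself stays with the fixlist above.

```powershell
# Added example, not from the thread. Paths and names below are taken from the posted logs.
$indicators = @{
    RegistryKeys = @(
        'HKCU:\SOFTWARE\NETWIRE'    # Malwarebytes flagged this key and its HOSTID value
    )
    Folders = @(
        "$env:APPDATA\winini",      # C:\Users\<user>\AppData\Roaming\winini (dated files)
        "$env:SystemRoot\winini"    # C:\Windows\winini (2.exe, main_dll.exe from the Fixlog)
    )
    SafeBootEntries = @(
        'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\02455493.sys',
        'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\02455493.sys'
    )
}

function Test-ThreadIndicators {
    $findings = @()
    foreach ($key in $indicators.RegistryKeys) {
        if (Test-Path $key) {
            # Read the HOSTID value if present; null when the key exists without it
            $hostId = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).HOSTID
            $findings += [pscustomobject]@{ Type = 'RegistryKey'; Item = $key; Detail = "HOSTID=$hostId" }
        }
    }
    foreach ($dir in $indicators.Folders) {
        if (Test-Path $dir) {
            # -Force includes hidden files; MD5 lets the reader compare with the FRST hashes
            foreach ($f in Get-ChildItem -Path $dir -File -Force -ErrorAction SilentlyContinue) {
                $hash = (Get-FileHash -Path $f.FullName -Algorithm MD5).Hash
                $findings += [pscustomobject]@{ Type = 'File'; Item = $f.FullName; Detail = "MD5=$hash" }
            }
        }
    }
    foreach ($sb in $indicators.SafeBootEntries) {
        if (Test-Path $sb) {
            # SafeBoot entries that survive a reboot keep the driver loadable in Safe Mode
            $default = (Get-ItemProperty -Path $sb -ErrorAction SilentlyContinue).'(default)'
            $findings += [pscustomobject]@{ Type = 'SafeBoot'; Item = $sb; Detail = "(default)=$default" }
        }
    }
    return $findings
}

$result = Test-ThreadIndicators
if ($result) { $result | Format-Table -AutoSize } else { 'No listed remnants found.' }
```

Run it once before and once after the FRST fix; an empty result after the reboot confirms the items the fixlist targeted are gone, while HKCU:\SOFTWARE\NETWIRE reappearing points to a loader that is still running.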

Re: Backdoor.NetWiredRC.E

Posted: 30 Dec 2020 19:03
by mino_85
Fixlist below...

Code:

Fix result of Farbar Recovery Scan Tool (x64) Version: 14-12-2020
Ran by Marian (30-12-2020 18:59:31) Run:1
Running from C:\Users\maria\Desktop
Loaded Profiles: Marian
Boot Mode: Normal
==============================================

fixlist content:
*****************
Start
CloseProcesses:
CreateRestorePoint:

PowerShell: Get-ChildItem -Path "$ENV:USERPROFILE\Desktop" -Recurse -Force | Measure-Object -Property Length -Sum
File: C:\Program Files (x86)\ASUS\ArmouryDevice\dll\AIOFanSDK\ArmouryAIOFanServer.exe
File: C:\Program Files\ACD Systems\ACDSee Ultimate\10.0\ACDSeeCommanderUltimate10.exe
File: C:\Users\maria\AppData\Roaming\4kDownload\Backup files\CorelRun.exe
File: C:\Windows\System32\drivers\BthA2dp.sys
Folder: C:\Users\maria\AppData\Roaming\winini
Folder: C:\Windows\winini

2020-12-16 12:27 - 2020-12-17 18:25 - 000000000 ____D C:\Users\maria\AppData\Roaming\winini
2020-12-16 00:46 - 2020-12-17 21:47 - 000000000 ____D C:\Windows\winini

HKU\S-1-5-21-4254316458-2841474531-1994623767-1001\...\MountPoints2: E - "E:\Autoplay.exe" -auto
HKU\S-1-5-21-4254316458-2841474531-1994623767-1001\...\MountPoints2: G - "G:\setup.exe" 
ContextMenuHandlers4: [PowerISO] -> {967B2D40-8B7D-4127-9049-61EA0C2C6DCE} =>  -> No File
ContextMenuHandlers6: [PowerISO] -> {967B2D40-8B7D-4127-9049-61EA0C2C6DCE} =>  -> No File
AlternateDataStreams: C:\ProgramData\TEMP:4FC01C57 [140]
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\02455493.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\02455493.sys => ""="Driver"

Hosts:
EmptyTemp:
End
*****************

Processes closed successfully.
Restore point was successfully created.

========= Get-ChildItem -Path "$ENV:USERPROFILE\Desktop" -Recurse -Force | Measure-Object -Property Length -Sum =========



Count    : 49
Average  : 
Sum      : 24627377
Maximum  : 
Minimum  : 
Property : Length




========= End of Powershell: =========


========================= File: C:\Program Files (x86)\ASUS\ArmouryDevice\dll\AIOFanSDK\ArmouryAIOFanServer.exe ========================

C:\Program Files (x86)\ASUS\ArmouryDevice\dll\AIOFanSDK\ArmouryAIOFanServer.exe
File not signed
MD5: 55F58960BA0EC63608BB8D0D56D8F6B6
Creation and modification date: 2020-11-28 21:28 - 2020-11-10 11:41
Size: 001039360
Attributes: ----A
Company Name: TODO: <Company name>
Internal Name: AacAIOFa.exe
Original Name: AacAIOFa.exe
Product: TODO: <Product name>
Description: ArmouryAIOFanServer.exe
File Version: 1.0.0.1
Product Version: 1.0.0.1
Copyright: Copyright (C) 2020
VirusTotal: https://www.virustotal.com/gui/file/d415de4c38efb72749a1dbc44453455cb55786aaf4d9d99b827c0468374b58fe/detection/f-d415de4c38efb72749a1dbc44453455cb55786aaf4d9d99b827c0468374b58fe-1609266597

====== End of File: ======


========================= File: C:\Program Files\ACD Systems\ACDSee Ultimate\10.0\ACDSeeCommanderUltimate10.exe ========================

C:\Program Files\ACD Systems\ACDSee Ultimate\10.0\ACDSeeCommanderUltimate10.exe
File not signed
MD5: C9197D8B1BB2764BA5D85B60EFD295E9
Creation and modification date: 2017-04-25 05:04 - 2017-05-07 08:49
Size: 003427272
Attributes: ----A
Company Name: ACD Systems International -> ACD Systems
Internal Name: ACDSee Commander Ultimate 10
Original Name: ACDSeeCommanderUltimate10.exe
Product: ACDSee Commander Ultimate 10
Description: ACDSee Commander Ultimate 10
File Version: 10,4,0,912
Product Version: 10,4,0,912
Copyright: Copyright (c) 2016
VirusTotal: 0

====== End of File: ======


========================= File: C:\Users\maria\AppData\Roaming\4kDownload\Backup files\CorelRun.exe ========================

C:\Users\maria\AppData\Roaming\4kDownload\Backup files\CorelRun.exe
File not signed
MD5: 2AA83DF02C3703461EAE74DE9548CE97
Creation and modification date: 2020-11-29 10:37 - 2020-08-09 01:40
Size: 004640826
Attributes: ----A
Company Name: Admin
Internal Name: Corel Draw
Original Name: CorelRun.exe
Product: Corel Draw
Description: Runtime Broker
File Version: 1.0.0.0
Product Version: 1.0.0
Copyright: Admin
VirusTotal: 0

====== End of File: ======


========================= File: C:\Windows\System32\drivers\BthA2dp.sys ========================

C:\Windows\System32\drivers\BthA2dp.sys
File not signed
MD5: 7F09708B8C651A0C0E2A2725136BA254
Creation and modification date: 2019-12-07 10:07 - 2019-12-07 10:07
Size: 000279040
Attributes: ----A
Company Name: Microsoft Corporation
Internal Name: btha2dp.sys
Original Name: btha2dp.sys
Product: Microsoft® Windows® Operating System
Description: Bluetooth A2DP Driver
File Version: 10.0.19041.1 (WinBuild.160101.0800)
Product Version: 10.0.19041.1
Copyright: © Microsoft Corporation. All rights reserved.
VirusTotal: https://www.virustotal.com/gui/file/0442a18bbed4e323265c66561c8f8c171d8e934e9089c12b94d1dfdbb057b737/detection/f-0442a18bbed4e323265c66561c8f8c171d8e934e9089c12b94d1dfdbb057b737-1609349560

====== End of File: ======


========================= Folder: C:\Users\maria\AppData\Roaming\winini ========================

2020-12-16 12:27 - 2020-12-16 23:09 - 000014303 ____A [1FE6F3FF975D2F63A80D51B4CFD7352E] () C:\Users\maria\AppData\Roaming\winini\16-12-2020
2020-12-17 18:25 - 2020-12-17 20:28 - 000001741 ____A [4D8963DC5E3C0AAD5A2929E7F40CAE50] () C:\Users\maria\AppData\Roaming\winini\17-12-2020

====== End of Folder: ======


========================= Folder: C:\Windows\winini ========================

2020-12-16 00:46 - 2020-11-13 04:44 - 000156672 ____A [4503240A78160799926022C4B1F327F4] () C:\Windows\winini\2.exe
2020-12-16 00:46 - 2018-03-15 06:17 - 000971944 ____A [5324F6F00C2055139DA89E3B93629878] (AutoIt Team) C:\Windows\winini\main_dll.exe

====== End of Folder: ======

C:\Users\maria\AppData\Roaming\winini => moved successfully
C:\Windows\winini => moved successfully
HKU\S-1-5-21-4254316458-2841474531-1994623767-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E => removed successfully
HKU\S-1-5-21-4254316458-2841474531-1994623767-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\G => removed successfully
HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers\PowerISO => removed successfully
HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers\PowerISO => removed successfully
C:\ProgramData\TEMP => ":4FC01C57" ADS removed successfully
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\02455493.sys => removed successfully
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\02455493.sys => removed successfully
C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.

=========== EmptyTemp: ==========

BITS transfer queue => 9199616 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 486337686 B
Java, Flash, Steam htmlcache => 405123120 B
Windows/system/drivers => 29458985 B
Edge => 0 B
Chrome => 966101828 B
Firefox => 72796017 B
Opera => 417413161 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 432 B
LocalService => 130392 B
NetworkService => 333012 B
maria => 716825850 B
Marián => 716825850 B

RecycleBin => 0 B
EmptyTemp: => 3.6 GB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 19:00:15 ====

Re: Backdoor.NetWiredRC.E

Posted: 02 Jan 2021 04:48
by Conder
So, deleted. Are there any remaining problems with the PC?

If not, let's also clean up after the tools we used:

Re: Backdoor.NetWiredRC.E

Posted: 02 Jan 2021 12:37
by mino_85
Done. :)

Code:

# DelFix v1.013 - Logfile created 02/01/2021 at 12:35:54
# Updated 17/04/2016 by Xplode
# Username : Marian - MARIAN-PC
# Operating System : Windows 10 Enterprise  (64 bits)

~ Removing disinfection tools ...

Deleted : C:\FRST

########## - EOF - ##########
There have been no problems with the PC since I posted that update about the deletion on 19 Dec.
Thanks again for your help.

Re: Backdoor.NetWiredRC.E

Posted: 03 Jan 2021 02:58
by Conder
You're welcome, glad I could help :)