Constantly recurring Trojan
Posted: 21 Apr 2021 11:54
by schizi
Hello,
I have a problem with trojans which, even after I remove them in Windows Defender, get allowed again after a while.
- Trojan:Script/Wacatac.B!ml
- Trojan:Win32/Casur.A!cl
- Behavior:Win32/Execution.LR!ml
etc. (there are 10 of them)
The logs are attached.
Thanks in advance for your help.
Re: Constantly recurring Trojan
Posted: 21 Apr 2021 12:55
by Rudy
Hello!
Run this utility:
Save AdwCleaner to the desktop
https://malwarebytes.com/adwcleaner/ or
http://www.bleepingcomputer.com/download/adwcleaner/
close all programs
accept the license terms (EULA) by clicking I agree
right-click the AdwCleaner icon and choose Run as administrator (on Windows XP just double-click it)
click Scan now, then Clean and Repair
after the restart a log will pop up (or you will find it in C:\AdwCleaner\Logs\AdwCleaner[Cxx].txt); copy its contents into your next reply
Re: Constantly recurring Trojan
Posted: 21 Apr 2021 13:53
by schizi
Malwarebytes found some threats and removed them, see Scanreport1 and Scanreport2.
However, in Windows Defender I still have allowed threats (see picture). I can disable those threats, but when I do, after a while they show up again under allowed threats. Is that OK?
I also ran FRST again and attached the logs.
Re: Constantly recurring Trojan
Posted: 21 Apr 2021 14:12
by Rudy
It is clear that Windows Defender is not a full-fledged antivirus. It shouldn't let at least the serious threats run on your PC (unless it is a false alarm). Open Notepad and copy the following into it:
Start
CloseProcesses:
GroupPolicy: Restriction - Chrome <==== ATTENTION
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
Task: {4BE17FB8-8F39-4D34-B6B3-5A1131EC509F} - System32\Tasks\kJdGmrYBfUPzgOEJh => C:\Windows\Temp\oNmaQRTdqdgSfwxw\oQLBqOEujNAsUQB\KDPJzBN.exe <==== ATTENTION
Task: {5BBEACA8-F230-4E0A-8C1E-4CE3C941C1ED} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [155592 2020-11-03] (Google LLC -> Google LLC)
C:\Windows\Temp\oNmaQRTdqdgSfwxw
Task: {0954EC4E-BC4E-42E2-B4DB-90EC439D8A03} - System32\Tasks\FriuGGTkRHAbYL => rundll32 "C:\Program Files (x86)\UIuZPIhUFafU2\iBbzbFgknjhbx.dll",#1
C:\Program Files (x86)\UIuZPIhUFafU2\iBbzbFgknjhbx.dll
Task: {5F692989-389B-439F-872F-05FBEAE5E906} - System32\Tasks\SENaPjFsBEwzYJWgl2 => rundll32 "C:\Program Files (x86)\dDfMVsGHIpKHwiglbAR\fXlpOBx.dll",#1
C:\Program Files (x86)\dDfMVsGHIpKHwiglbAR\fXlpOBx.dll
Task: {839502C8-4D61-4740-9755-7A19794B9772} - System32\Tasks\bfVdUeYceEZsFkwoQbz2 => rundll32 "C:\Program Files (x86)\LsApxKgZVyAKC\vcoWdEM.dll",#1
Task: {83E4910B-847E-43CE-873E-E5AE557CA690} - System32\Tasks\FmlQKFUIsOJUGRw2 => rundll32 "C:\Program Files (x86)\ZAFgvPfvU\BzFkjb.dll",#1
C:\Program Files (x86)\LsApxKgZVyAKC\vcoWdEM.dll
C:\Program Files (x86)\ZAFgvPfvU\BzFkjb.dll
Task: {F85F8DDA-49B8-4B77-9EEC-E84BD450A17F} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [155592 2020-11-03] (Google LLC -> Google LLC)
Task: C:\Windows\Tasks\kJdGmrYBfUPzgOEJh.job => C:\Windows\Temp\oNmaQRTdqdgSfwxw\oQLBqOEujNAsUQB\KDPJzBN.exe
C:\Windows\Temp\oNmaQRTdqdgSfwxw\oQLBqOEujNAsUQB\KDPJzBN.exe
C:\Windows\LastGood.Tmp
C:\Windows\system32\Tasks\GoogleUpdateTaskMachineUA
C:\Windows\system32\Tasks\GoogleUpdateTaskMachineCore
D:\NiceHash Miner\miner_plugins\f683f550-94eb-11ea-a64d-17be303ea466\bins\16.0\NBMiner_Win\nbminer.exe
D:\NiceHash Miner\app_3.0.6.5\app_nhm.exe
C:\Users\xschi\Desktop\NiceHashQuickMinerInstaller.exe
D:\NiceHashQuickMinerInstaller.exe
EmptyTemp:
Hosts:
End
Save it to the desktop as fixlist.txt. Run FRST again and click >Fix<. When the action finishes, a log will appear; paste it here.
Re: Constantly recurring Trojan
Posted: 21 Apr 2021 14:22
by schizi
Done, but after the restart I still see them in the allowed threats. It may be a false alarm, but what seems strange to me is that they always come back after I disable them.
Here is the log:
Fix result of Farbar Recovery Scan Tool (x64) Version: 17-04-2021
Ran by xschi (21-04-2021 15:14:42) Run:1
Running from C:\Users\xschi\Desktop
Loaded Profiles: xschi & SQLTELEMETRY & MSSQLFDLauncher & MSSQLSERVER
Boot Mode: Normal
==============================================
fixlist content:
*****************
Start
CloseProcesses:
GroupPolicy: Restriction - Chrome <==== ATTENTION
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
Task: {4BE17FB8-8F39-4D34-B6B3-5A1131EC509F} - System32\Tasks\kJdGmrYBfUPzgOEJh => C:\Windows\Temp\oNmaQRTdqdgSfwxw\oQLBqOEujNAsUQB\KDPJzBN.exe <==== ATTENTION
Task: {5BBEACA8-F230-4E0A-8C1E-4CE3C941C1ED} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [155592 2020-11-03] (Google LLC -> Google LLC)
C:\Windows\Temp\oNmaQRTdqdgSfwxw
Task: {0954EC4E-BC4E-42E2-B4DB-90EC439D8A03} - System32\Tasks\FriuGGTkRHAbYL => rundll32 "C:\Program Files (x86)\UIuZPIhUFafU2\iBbzbFgknjhbx.dll",#1
C:\Program Files (x86)\UIuZPIhUFafU2\iBbzbFgknjhbx.dll
Task: {5F692989-389B-439F-872F-05FBEAE5E906} - System32\Tasks\SENaPjFsBEwzYJWgl2 => rundll32 "C:\Program Files (x86)\dDfMVsGHIpKHwiglbAR\fXlpOBx.dll",#1
C:\Program Files (x86)\dDfMVsGHIpKHwiglbAR\fXlpOBx.dll
Task: {839502C8-4D61-4740-9755-7A19794B9772} - System32\Tasks\bfVdUeYceEZsFkwoQbz2 => rundll32 "C:\Program Files (x86)\LsApxKgZVyAKC\vcoWdEM.dll",#1
Task: {83E4910B-847E-43CE-873E-E5AE557CA690} - System32\Tasks\FmlQKFUIsOJUGRw2 => rundll32 "C:\Program Files (x86)\ZAFgvPfvU\BzFkjb.dll",#1
C:\Program Files (x86)\LsApxKgZVyAKC\vcoWdEM.dll
C:\Program Files (x86)\ZAFgvPfvU\BzFkjb.dll
Task: {F85F8DDA-49B8-4B77-9EEC-E84BD450A17F} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [155592 2020-11-03] (Google LLC -> Google LLC)
Task: C:\Windows\Tasks\kJdGmrYBfUPzgOEJh.job => C:\Windows\Temp\oNmaQRTdqdgSfwxw\oQLBqOEujNAsUQB\KDPJzBN.exe
C:\Windows\Temp\oNmaQRTdqdgSfwxw\oQLBqOEujNAsUQB\KDPJzBN.exe
C:\Windows\LastGood.Tmp
C:\Windows\system32\Tasks\GoogleUpdateTaskMachineUA
C:\Windows\system32\Tasks\GoogleUpdateTaskMachineCore
D:\NiceHash Miner\miner_plugins\f683f550-94eb-11ea-a64d-17be303ea466\bins\16.0\NBMiner_Win\nbminer.exe
D:\NiceHash Miner\app_3.0.6.5\app_nhm.exe
C:\Users\xschi\Desktop\NiceHashQuickMinerInstaller.exe
D:\NiceHashQuickMinerInstaller.exe
EmptyTemp:
Hosts:
End
*****************
Processes closed successfully.
C:\Windows\system32\GroupPolicy\Machine => moved successfully
C:\Windows\system32\GroupPolicy\GPT.ini => moved successfully
C:\ProgramData\NTUSER.pol => moved successfully
HKLM\SOFTWARE\Policies\Google => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{4BE17FB8-8F39-4D34-B6B3-5A1131EC509F}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4BE17FB8-8F39-4D34-B6B3-5A1131EC509F}" => removed successfully
C:\Windows\System32\Tasks\kJdGmrYBfUPzgOEJh => moved successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\kJdGmrYBfUPzgOEJh" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{5BBEACA8-F230-4E0A-8C1E-4CE3C941C1ED}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5BBEACA8-F230-4E0A-8C1E-4CE3C941C1ED}" => removed successfully
C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA => moved successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GoogleUpdateTaskMachineUA" => removed successfully
"C:\Windows\Temp\oNmaQRTdqdgSfwxw" => not found
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{0954EC4E-BC4E-42E2-B4DB-90EC439D8A03}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0954EC4E-BC4E-42E2-B4DB-90EC439D8A03}" => removed successfully
C:\Windows\System32\Tasks\FriuGGTkRHAbYL => moved successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\FriuGGTkRHAbYL" => removed successfully
"C:\Program Files (x86)\UIuZPIhUFafU2\iBbzbFgknjhbx.dll" => not found
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{5F692989-389B-439F-872F-05FBEAE5E906}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5F692989-389B-439F-872F-05FBEAE5E906}" => removed successfully
C:\Windows\System32\Tasks\SENaPjFsBEwzYJWgl2 => moved successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\SENaPjFsBEwzYJWgl2" => removed successfully
"C:\Program Files (x86)\dDfMVsGHIpKHwiglbAR\fXlpOBx.dll" => not found
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{839502C8-4D61-4740-9755-7A19794B9772}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{839502C8-4D61-4740-9755-7A19794B9772}" => removed successfully
C:\Windows\System32\Tasks\bfVdUeYceEZsFkwoQbz2 => moved successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\bfVdUeYceEZsFkwoQbz2" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{83E4910B-847E-43CE-873E-E5AE557CA690}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{83E4910B-847E-43CE-873E-E5AE557CA690}" => removed successfully
C:\Windows\System32\Tasks\FmlQKFUIsOJUGRw2 => moved successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\FmlQKFUIsOJUGRw2" => removed successfully
"C:\Program Files (x86)\LsApxKgZVyAKC\vcoWdEM.dll" => not found
"C:\Program Files (x86)\ZAFgvPfvU\BzFkjb.dll" => not found
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{F85F8DDA-49B8-4B77-9EEC-E84BD450A17F}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F85F8DDA-49B8-4B77-9EEC-E84BD450A17F}" => removed successfully
C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore => moved successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GoogleUpdateTaskMachineCore" => removed successfully
C:\Windows\Tasks\kJdGmrYBfUPzgOEJh.job => moved successfully
"C:\Windows\Temp\oNmaQRTdqdgSfwxw\oQLBqOEujNAsUQB\KDPJzBN.exe" => not found
C:\Windows\LastGood.Tmp => moved successfully
"C:\Windows\system32\Tasks\GoogleUpdateTaskMachineUA" => not found
"C:\Windows\system32\Tasks\GoogleUpdateTaskMachineCore" => not found
"D:\NiceHash Miner\miner_plugins\f683f550-94eb-11ea-a64d-17be303ea466\bins\16.0\NBMiner_Win\nbminer.exe" => not found
"D:\NiceHash Miner\app_3.0.6.5\app_nhm.exe" => not found
"C:\Users\xschi\Desktop\NiceHashQuickMinerInstaller.exe" => not found
"D:\NiceHashQuickMinerInstaller.exe" => not found
C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.
=========== EmptyTemp: ==========
BITS transfer queue => 11034624 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 22513964 B
Java, Flash, Steam htmlcache => 368324191 B
Windows/system/drivers => 40913857 B
Edge => 0 B
Chrome => 3820085113 B
Firefox => 10057501 B
Opera => 0 B
Temp, IE cache, history, cookies, recent:
Default => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 0 B
NetworkService => 25468355 B
xschi => 1103392697 B
SQLTELEMETRY => 1106673136 B
MSSQLFDLauncher => 1110327691 B
MSSQLSERVER => 1113971499 B
DefaultAppPool => 1113971499 B
RecycleBin => 130061 B
EmptyTemp: => 9.2 GB temporary data Removed.
================================
The system needed a reboot.
==== End of Fixlog 15:17:33 ====
Re: Constantly recurring Trojan
Posted: 21 Apr 2021 14:58
by Rudy
Post the FRST + Addition logs again. We have removed the services that were bringing them back (Tasks).
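The fixlist Rudy posted above removes scheduled tasks that launch rundll32 against random-named DLLs under Program Files (x86) or an executable under C:\Windows\Temp, and his explanation here is that those tasks were what kept re-creating the "allowed" entries. The following is an added example, not code from the thread or from FRST: a PowerShell check a practitioner would run after such a fix, in an elevated session on Windows 10, to confirm no task of that shape survives and to see what Defender still reports as allowed or excluded. It uses only built-in cmdlets (Get-ScheduledTask, Get-AuthenticodeSignature, Get-MpThreatDetection, Get-MpThreat, Get-MpPreference); the "temp-like" directory list and the reading of ThreatStatusID 5 as the UI's "Allowed threats" are assumptions made for this example.

```powershell
# Added example (not from the thread): post-fix check for task-based persistence
# of the kind removed by the FRST fixlist, plus Defender's allowed/excluded state.
# Run in an elevated PowerShell on Windows 10.

# Assumption: launch locations that legitimate scheduled tasks rarely use.
$suspiciousRoots = @(
    "$env:SystemRoot\Temp\",
    "$env:ProgramData\",
    "$env:LOCALAPPDATA\Temp\"
)

function Get-RunDll32Target {
    # Extract the DLL path from rundll32 arguments such as:  "C:\dir\x.dll",#1
    param([string]$Arguments)
    if ($Arguments -match '^\s*"?(?<dll>[^",]+\.dll)"?\s*,') { return $Matches['dll'] }
    return $null
}

function Get-SuspiciousTask {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in @($task.Actions)) {
            if (-not $action.Execute) { continue }      # COM-handler actions have no Execute
            $exe       = $action.Execute.Trim('"')
            $arguments = [string]$action.Arguments
            $target    = $null
            $reason    = $null

            # Pattern 1 from the fixlist: rundll32 "<dll>",#1 (export called by ordinal)
            if ($exe -match '(?i)(^|\\)rundll32(\.exe)?$' -and $arguments -match ',\s*#\d+\s*$') {
                $target = Get-RunDll32Target -Arguments $arguments
                $reason = 'rundll32 calling a DLL export by ordinal'
            }
            # Pattern 2 from the fixlist: payload executed from C:\Windows\Temp or similar
            elseif ($suspiciousRoots | Where-Object { $exe.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) }) {
                $target = $exe
                $reason = 'executable launched from a temp-like directory'
            }
            if (-not $reason) { continue }

            # A missing target is still a finding: the task survived while its payload did not.
            $signature = if ($target -and (Test-Path -LiteralPath $target)) {
                (Get-AuthenticodeSignature -LiteralPath $target).Status
            } else { 'FileMissing' }

            [pscustomobject]@{
                Task      = $task.TaskPath + $task.TaskName
                State     = $task.State
                Target    = $target
                Signature = $signature
                Reason    = $reason
            }
        }
    }
}

function Get-DefenderAllowed {
    # ThreatStatusID 5 = Allowed in the MSFT_MpThreatDetection class documentation
    # (assumption: this is what the Defender UI lists under "Allowed threats").
    Get-MpThreatDetection | Where-Object { $_.ThreatStatusID -eq 5 } | ForEach-Object {
        [pscustomobject]@{
            Threat     = (Get-MpThreat -ThreatID $_.ThreatID).ThreatName
            Resources  = ($_.Resources -join '; ')
            LastChange = $_.LastThreatStatusChangeTime
        }
    }
}

'== Scheduled tasks matching the fixlist patterns =='
Get-SuspiciousTask | Format-Table -AutoSize

'== Defender detections still in Allowed state =='
Get-DefenderAllowed | Format-Table -Wrap

'== Defender exclusions (malware commonly adds its own paths here) =='
Get-MpPreference | Select-Object ExclusionPath, ExclusionProcess, ExclusionExtension | Format-List

'== Defender policy keys (a value of 1 disables the component by policy) =='
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -ErrorAction SilentlyContinue |
    Select-Object DisableAntiSpyware, DisableRealtimeMonitoring
```

The Signature column is what separates the two kinds of task in the fixlist: the GoogleUpdateTaskMachineUA/Core entries point at a binary the FRST log shows as signed by Google LLC and would report Valid, while the rundll32 entries point at unsigned DLLs in random-named directories, or at nothing at all once the files are gone. If the first table is empty, the second still shows Allowed entries, and the exclusion lists are clean, the remaining "allowed threats" are most likely stale detection history rather than a live re-infection.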
Re: Constantly recurring Trojan
Posted: 22 Apr 2021 08:42
by schizi
The logs are attached.
Re: Constantly recurring Trojan
Posted: 22 Apr 2021 09:43
by Rudy
OK. Do an AVPTool scan:
http://www.viry.cz/forum/viewtopic.php?f=29&t=58179 . Download the utility, run it, let it work, and when it finishes delete everything it finds. The guide at the link is for information only; it is for an older version.
Re: Constantly recurring Trojan
Posted: 22 Apr 2021 11:00
by schizi
It's strange, but it found nothing.

The allowed threats are still visible in Defender; after I disable them they come back again.
Re: Constantly recurring Trojan
Posted: 22 Apr 2021 12:27
by JaRon
Re: Constantly recurring Trojan
Posted: 22 Apr 2021 14:39
by schizi
Again it found nothing; I'm not sure whether I have the preferences selected correctly?
Re: Constantly recurring Trojan
Posted: 22 Apr 2021 14:40
by schizi
And the selected preferences.
Re: Constantly recurring Trojan
Posted: 22 Apr 2021 17:27
by JaRon
Uninstall Spybot and clean the PC with CCleaner, including the registry
Restart
If the problems persist, post current FRST logs