Trojan

[lipo]

Jdu do RogueKillera

[lipo]

Sken z RogueKilleru:
Program : RogueKiller Anti-Malware
Version : 15.2.0.0
x64 : Yes
Program Date : Jan 20 2022
Location : C:\Program Files\RogueKiller\RogueKiller64.exe
Premium : No
Company : Adlice Software
Website : https://www.adlice.com/
Contact : https://adlice.com/contact/
Website : https://adlice.com/download/roguekiller/
Operating System : Windows 10 (10.0.19042) 64-bit
64-bit OS : Yes
Startup : 0
WindowsPE : No
User : PC
User is Admin : Yes
Date : 2022/01/25 19:29:26
Type : Scan
Aborted : No
Scan Mode : Quick
Duration : 28
Found items : 0
Total scanned : 971
Signatures Version : 20220124_132125
Truesight Driver : Yes
Updates Count : 0
Arguments : -minimize

************************* Warnings *************************

************************* Processes *************************

************************* Modules *************************

************************* Services *************************

************************* Scheduled Tasks *************************

************************* Registry *************************

************************* WMI *************************

************************* Hosts File *************************
is_too_big : No
hosts_file_path : N/A


************************* Filesystem *************************

************************* Web Browsers *************************

************************* Antirootkit *************************

[lipo]

Sophos bohužel nejde, viz příloha printscreen

[lipo]

Každopádně mooooc děkuji, myslím, že můj problém byl vyřešen.
Příkazové řádky přestaly vyskakovat.
Mám ještě PC nějak otestovat, případně dát něčím do kondice?
Děkuji

[jaro3]

sophos zkus ještě jednou , spusť jako správce. Jsi přitom připojený k síti?

Ještě tohle:
Vypni antivir i firewall, RogueKiller, Malwarebytes Antimalware, windowsDefender
Stáhni Zoek.exe
http://download.bleepingcomputer.com/smeenk/zoek.exe
https://uloz.to/file/nFH1LwSrGioP/zoek1-rar

Zavři všechny ostatní programy , okna i prohlížeče.
Spusť Zoek.exe ( u win vista , win7, 8 klikni na něj pravým a vyber : „Spustit jako správce“
-pozor , náběh programu může trvat déle.
Do okna programu vlož skript níže:

Kód: Vybrat vše

autoclean;
resethosts;
emptyclsid;
IEdefaults;
FFdefaults;
CHRdefaults;
emptyIEcache;
emptyFFcache;
emptyCHRcache;
emptyalltemp;
emptyflash;
emptyjava;
emptyrecycle.bin; 

klikni na Run Script
Program provede sken , opravu, sken i oprava může trvat i více minut ,je třeba posečkat do konce. Do okna neklikej!
Program nabídne restart , potvrď .
Po restartu se může nějaký čas ukázat pouze černá plocha , to je normální. Je třeba počkat až se vytvoří log. Ten si můžeš uložit třeba do dokumentů , jinak se sám ukládá do:
C:\zoek-results.log Zkopíruj sem celý obsah toho logu.
Pokud budou problémy , spusť zoek v nouz. režimu.


Stáhni si Zemana AntiMalware Free z tohoto odkazu:
https://www.zemana.com/Download/AntiMal ... .Setup.exe
a ulož si ho na plochu.
Poklepej na tento soubor na ploše a postupuj podle pokynů k instalaci programu.
Přijmi licenci k používání programu EULA , pokud se nabídne.
Pokud je k dispozici aktualizace programu , klepni na tlačítko „Update now“ ( aktualizovat nyní).
Zavři všechny otevřené soubory, složky a prohlížeče
Neměň žádné nastavení. Klikni na „Skenovat nyní“.
Po skenu lze vidět , zda jsou nějaké nákazy. Klikni na „Vykonat“ ( vymazat). Nákazy budou přemístěny do karantény.
Když je skenování dokončeno, klikni vlevo na „zprávy“ a pak na „otevři zprávu“ a zkopíruj sem celý obsah té zprávy.

Vlož nový log z HJT + informuj o problémech

[lipo]

Bohužel nejde spustit ani jako správce, připojen jsem!

[lipo]

Zoek mi nejde také stáhnout, první odkaz nefunguje a druhý mě blokuje Chrom, hlásí Soubor zoek.rar je nebezpečný, vše ostatní jsem povypínal

[lipo]

Log z Zemana:
Informace o kontroly
Název produktu    :  Zemana AntiMalware
Stav kontroly    :  Dokončena
Datum kontroly    :  25. 1. 2022 21:22:01
Typ kontroly    :  Inteligentní kontrola
Čas trvání    :  00:00:53
Zkontrolované objekty    :  2018
Zjištěné objekty    :  1
Vyloučené objekty    :  0
Automatické odesílání    :  Ano
Operační systém    :  Windows 10 x64
Procesor    :  4X AMD Phenom(tm) II X4 965 Processor
Režim systému BIOS    :  UEFI
Informace o doméně    :  WORKGROUP,False,NetSetupWorkgroupName
CUID    :  122E5BA88CD10D8A18A1E5


Odhalení
MD5    :  
Stav    :  Zkontrolováno
Objekt    :  centrum.cz
Vydavatel    :  
Velikost    :  0
Odhalení    :  Hijack:Browser/FirefoxHomepage
Akce    :  Vymazat
-----------------------------------------------------------------------

[jaro3]

Není nebezpečný. Musíš jiným prohlížečem.

[lipo]

Tak se mě podařilo stáhnout a nainstalovat toho Sophose, teď provádím sken, pak ho dám sem.
Restartoval jsem PC a zase problikly dva rámečky příkazových řádků.
Nevím, dnes už ale musím končit, když tak zítra budu rád za pokračování.
Zatím moc díky!

[jaro3]

Jasně!

[lipo]

Zdravím.
Tak dnes snad úspěšně
Včera jsem tedy skenoval Sophosem a výsledky žádné, log přidám.
Teď jsem provedl sken vybraných Zoekem, log zde:

Zoek.exe v5.0.0.2 Updated 03-May-2018(Online Version)
Tool run by PC on st 26. 01. 2022 at 7:38:42,28.
Microsoft Windows 10 Home 10.0.19042 x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\PC\AppData\Local\Temp\Rar$EXa0.762\zoek1\zoek (1).exe [Scan all users] [Script inserted]

==== System Restore Info ======================

26. 1. 2022 7:46:06 Zoek.exe System Restore Point Created Successfully.

==== Reset Hosts File ======================

# Copyright (c) 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

# localhost name resolution is handled within DNS itself.
127.0.0.1 localhost
::1 localhost

==== Empty Folders Check ======================

C:\PROGRA~2\AGEIA Technologies deleted successfully
C:\PROGRA~2\GIGABYTE deleted successfully
C:\Program Files\GIGABYTE deleted successfully
C:\PROGRA~3\Lavasoft deleted successfully
C:\PROGRA~3\SoftwareDistribution deleted successfully
C:\PROGRA~3\ssh deleted successfully
C:\Users\PC\AppData\Roaming\MPC-HC deleted successfully
C:\Users\PC\AppData\Local\GHISLER deleted successfully

==== Deleting CLSID Registry Keys ======================

HKEY_USERS\S-1-5-21-2292173371-2852632103-4251059972-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{53707962-6F74-2D53-2644-206D7942484F} deleted successfully
HKEY_USERS\S-1-5-21-2292173371-2852632103-4251059972-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{53707962-6F74-2D53-2644-206D7942484F} deleted successfully
HKEY_USERS\S-1-5-21-2292173371-2852632103-4251059972-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{0CFBB1D0-6EC5-4A6D-8EF6-79E0EE0ABC50} deleted successfully
HKEY_USERS\S-1-5-21-2292173371-2852632103-4251059972-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2B52FD21-BFA9-484F-89D8-E6A10AD22011} deleted successfully
HKEY_USERS\S-1-5-21-2292173371-2852632103-4251059972-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{370BD13A-F6AA-4ECE-8B1A-EFB85964C123} deleted successfully
HKEY_USERS\S-1-5-21-2292173371-2852632103-4251059972-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3D0B041D-C330-4ED2-9B8E-7CC81F790CC4} deleted successfully
HKEY_USERS\S-1-5-21-2292173371-2852632103-4251059972-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{411AEC64-9C69-46CF-BFFB-90C6B04ED549} deleted successfully
HKEY_USERS\S-1-5-21-2292173371-2852632103-4251059972-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{4ACA2FCF-A8AF-4F29-A974-558822DC4794} deleted successfully
HKEY_USERS\S-1-5-21-2292173371-2852632103-4251059972-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{4AD52A50-97C2-4D11-89FD-37A4D75869EF} deleted successfully
HKEY_USERS\S-1-5-21-2292173371-2852632103-4251059972-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{4B5E3E84-1ECF-4F17-A5FC-A970FEBEAD33} deleted successfully
HKEY_USERS\S-1-5-21-2292173371-2852632103-4251059972-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5211A5FA-5675-4B69-9182-2355CBD8CC32} deleted successfully
HKEY_USERS\S-1-5-21-2292173371-2852632103-4251059972-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5692EEDC-0348-42D8-B64E-C2806FEBF9A2} deleted successfully
HKEY_USERS\S-1-5-21-2292173371-2852632103-4251059972-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5BFB0594-DE7E-46FC-8062-DD2025DCDFC7} deleted successfully
HKEY_USERS\S-1-5-21-2292173371-2852632103-4251059972-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5ECD950B-42B1-4BB0-A543-671722975228} deleted successfully
HKEY_USERS\S-1-5-21-2292173371-2852632103-4251059972-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{62B61CFF-517A-420A-A661-661D1B4E97E8} deleted successfully
HKEY_USERS\S-1-5-21-2292173371-2852632103-4251059972-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{67967BAD-8756-436D-A74D-9D6B3AE163A6} deleted successfully
HKEY_USERS\S-1-5-21-2292173371-2852632103-4251059972-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6CD598CC-2AE8-45DD-A001-18B7F6AEF6F5} deleted successfully
HKEY_USERS\S-1-5-21-2292173371-2852632103-4251059972-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6EF39583-26A5-4D27-9E49-8A849275A60B} deleted successfully
HKEY_USERS\S-1-5-21-2292173371-2852632103-4251059972-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6F7CF076-5464-4479-8B45-1EF8C21ACAE6} deleted successfully
HKEY_USERS\S-1-5-21-2292173371-2852632103-4251059972-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{729F532D-414A-4A73-946D-29CA35FB28D7} deleted successfully
HKEY_USERS\S-1-5-21-2292173371-2852632103-4251059972-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{75942395-4712-47FF-A03B-324E87623C3C} deleted successfully
HKEY_USERS\S-1-5-21-2292173371-2852632103-4251059972-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7769B7D6-D596-4FC4-92BB-27A375240B3B} deleted successfully
HKEY_USERS\S-1-5-21-2292173371-2852632103-4251059972-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{79D0ED53-6C24-4059-B55F-009896CDE668} deleted successfully
HKEY_USERS\S-1-5-21-2292173371-2852632103-4251059972-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7D089241-BB53-410F-8666-0E17E17028B1} deleted successfully
HKEY_USERS\S-1-5-21-2292173371-2852632103-4251059972-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7F3A90BD-B85C-4556-BCA6-89B3591231E8} deleted successfully
HKEY_USERS\S-1-5-21-2292173371-2852632103-4251059972-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{80CA1806-5635-4235-98DA-DA44239B65BE} deleted successfully
HKEY_USERS\S-1-5-21-2292173371-2852632103-4251059972-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8278B2CF-1864-4B2A-87C3-8A3673386F9B} deleted successfully
HKEY_USERS\S-1-5-21-2292173371-2852632103-4251059972-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{84A290ED-2A97-41AC-A334-0B808F744201} deleted successfully
HKEY_USERS\S-1-5-21-2292173371-2852632103-4251059972-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{87DE36E4-C340-43FE-8FFC-C6873369B4DB} deleted successfully
HKEY_USERS\S-1-5-21-2292173371-2852632103-4251059972-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{89E55731-9C8F-4474-B61B-C5DFBF827BEB} deleted successfully
HKEY_USERS\S-1-5-21-2292173371-2852632103-4251059972-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{90DD1696-D0C2-4B1D-9B3C-E3686D39FD85} deleted successfully
HKEY_USERS\S-1-5-21-2292173371-2852632103-4251059972-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9483435A-A443-477E-A52C-079FF8F5F3C4} deleted successfully
HKEY_USERS\S-1-5-21-2292173371-2852632103-4251059972-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{94ECE33A-B092-4ACE-A10A-D9E1C63CAC11} deleted successfully
HKEY_USERS\S-1-5-21-2292173371-2852632103-4251059972-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{96FF50CB-92AB-4181-8B74-CC93B43AAB12} deleted successfully
HKEY_USERS\S-1-5-21-2292173371-2852632103-4251059972-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9A4F5F8C-2050-46BC-9B3E-E701AE72FDBA} deleted successfully
HKEY_USERS\S-1-5-21-2292173371-2852632103-4251059972-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A1124755-548E-4FD6-A538-A5B5D96ED000} deleted successfully
HKEY_USERS\S-1-5-21-2292173371-2852632103-4251059972-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A3256360-6E93-4A33-89E1-A3894F8B99AB} deleted successfully
HKEY_USERS\S-1-5-21-2292173371-2852632103-4251059972-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A395D15E-EBD0-458B-B3A6-5D3E4EF6067B} deleted successfully
HKEY_USERS\S-1-5-21-2292173371-2852632103-4251059972-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A432DD62-9901-47C5-9D4D-856456D64A1C} deleted successfully
HKEY_USERS\S-1-5-21-2292173371-2852632103-4251059972-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A84047F5-FCE5-4B9E-965A-988E6E5FC1CC} deleted successfully
HKEY_USERS\S-1-5-21-2292173371-2852632103-4251059972-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B0207226-983D-4D4E-91BE-675479CBB95D} deleted successfully
HKEY_USERS\S-1-5-21-2292173371-2852632103-4251059972-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B1054CA3-40C0-4732-9CC7-D9BCF7598491} deleted successfully
HKEY_USERS\S-1-5-21-2292173371-2852632103-4251059972-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B6153FF6-117F-48B9-80CA-279BCC427FDB} deleted successfully
HKEY_USERS\S-1-5-21-2292173371-2852632103-4251059972-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{BD40B267-5B24-4AB8-9343-94F5320EBC6E} deleted successfully
HKEY_USERS\S-1-5-21-2292173371-2852632103-4251059972-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C23D6406-F41D-462A-A05C-75FC4EF4ACF1} deleted successfully
HKEY_USERS\S-1-5-21-2292173371-2852632103-4251059972-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C5CABC9B-96F4-4DDF-9D49-3B5E68CC0A3A} deleted successfully
HKEY_USERS\S-1-5-21-2292173371-2852632103-4251059972-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C68EB65C-C803-4935-A58F-7151B34EB184} deleted successfully
HKEY_USERS\S-1-5-21-2292173371-2852632103-4251059972-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C96F19A4-A83F-4D53-B79C-0D636BAAE58D} deleted successfully
HKEY_USERS\S-1-5-21-2292173371-2852632103-4251059972-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{CAE4FB9B-CB67-40D2-8B61-9ECD3D48774B} deleted successfully
HKEY_USERS\S-1-5-21-2292173371-2852632103-4251059972-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D073CF85-A06C-4C54-8F68-7731EE797CC0} deleted successfully
HKEY_USERS\S-1-5-21-2292173371-2852632103-4251059972-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D255F0AD-0EF9-4DA2-926F-3D78CDDAA673} deleted successfully
HKEY_USERS\S-1-5-21-2292173371-2852632103-4251059972-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D5680916-E763-4C82-AF47-4E4A67C0D597} deleted successfully
HKEY_USERS\S-1-5-21-2292173371-2852632103-4251059972-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DF98FB9C-547F-4C55-AB5B-B41E4FB8CD28} deleted successfully
HKEY_USERS\S-1-5-21-2292173371-2852632103-4251059972-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DFAC7232-7C75-49FB-9675-EB1B8EF0D134} deleted successfully
HKEY_USERS\S-1-5-21-2292173371-2852632103-4251059972-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E18EDFA4-409B-4C19-869F-F4DFFB90E586} deleted successfully
HKEY_USERS\S-1-5-21-2292173371-2852632103-4251059972-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ED4BEA65-10C9-44AB-B196-147AE2BCFBE2} deleted successfully
HKEY_USERS\S-1-5-21-2292173371-2852632103-4251059972-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EE16EBD6-1758-40C3-879F-EEB8A18D719F} deleted successfully
HKEY_USERS\S-1-5-21-2292173371-2852632103-4251059972-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FD46EDD4-FCEE-46AD-9FAD-DB20971CC19D} deleted successfully

==== Deleting CLSID Registry Values ======================


==== Deleting Services ======================


==== FireFox Fix ======================

Deleted from C:\Users\PC\AppData\Roaming\Mozilla\Firefox\Profiles\aywsrjoi.default\prefs.js:
user_pref("browser.startup.homepage", "about:home");
user_pref("browser.search.defaultenginename", "Bing ");
user_pref("browser.search.selectedEngine", "Bing ");
user_pref("keyword.URL", "http://www.bing.com/search?FORM=SK216DF&PC=SK216&q=");

Added to C:\Users\PC\AppData\Roaming\Mozilla\Firefox\Profiles\aywsrjoi.default\prefs.js:
user_pref("browser.startup.homepage", "about:home");
user_pref("browser.newtab.url", "about:newtab");

ProfilePath: C:\Users\PC\AppData\Roaming\Mozilla\Firefox\Profiles\aywsrjoi.default

user.js not found
---- FireFox user.js and prefs.js backups ----