
Preventive check
Moderator: Moderators
Forum rules
If you want help, post a log from FRST [guide here] or RSIT [guide here]
Individual threads will be locked once resolved, as will those that are inactive for more than 14 days. See the Rule on locking topics. Thank you for your understanding.
!NEW!
You can now use a remote assistance service, in which an expert connects to your computer and obtains further details about the problem from you by phone! More at www.neslape.cz
Preventive check
Hello, I would like to ask for a preventive check of my log.
The logs are attached.
Thank you
- Attachments
- logs.rar
- (29.41 KiB) Downloaded 92 times
Re: Preventive check
Hi
Download AdwCleaner: https://toolslib.net/downloads/finish/1/

- Save it to the desktop and close all programs
- Run AdwCleaner as administrator
- Accept the license terms
- Click "Start scan" (Spustit skenovani) and wait for it to finish
- If anything is found, leave all findings selected and click "Quarantine" (Karantena); if there are no findings, click "Run basic repair" (Spustit zakladni opravu)
- If "preinstalled software" is also detected, you may delete these programs, but you do not have to (they are not malicious programs, just unnecessary ones)
- Confirm the prompt, wait for it to finish and confirm the PC restart
- After the PC restarts, AdwCleaner will open; click "View log file" (Zobrazit soubor protokolu)
- The log will open; copy its contents and paste them into your next reply
Graduate of the school for newcomers
E-mail: conder (at) forum.viry.cz
If anything is unclear, ask. I recommend always keeping important data (documents, photos, etc.) backed up.
Fixlists and other scripts are written only for a specific PC. Do not use them on other devices, otherwise you risk damaging the system or losing data.
If you have a similar problem to another user, please start your own topic.
If you are satisfied, you can support the forum. Thank you!

Re: Preventive check
# -------------------------------
# Malwarebytes AdwCleaner 8.0.7.0
# -------------------------------
# Build: 07-22-2020
# Database: 2020-07-20.1 (Cloud)
# Support: https://www.malwarebytes.com/support
#
# -------------------------------
# Mode: Clean
# -------------------------------
# Start: 08-06-2020
# Duration: 00:00:01
# OS: Windows 10 Pro
# Cleaned: 1
# Failed: 0
***** [ Services ] *****
No malicious services cleaned.
***** [ Folders ] *****
No malicious folders cleaned.
***** [ Files ] *****
No malicious files cleaned.
***** [ DLL ] *****
No malicious DLLs cleaned.
***** [ WMI ] *****
No malicious WMI cleaned.
***** [ Shortcuts ] *****
No malicious shortcuts cleaned.
***** [ Tasks ] *****
No malicious tasks cleaned.
***** [ Registry ] *****
No malicious registry entries cleaned.
***** [ Chromium (and derivatives) ] *****
No malicious Chromium entries cleaned.
***** [ Chromium URLs ] *****
No malicious Chromium URLs cleaned.
***** [ Firefox (and derivatives) ] *****
No malicious Firefox entries cleaned.
***** [ Firefox URLs ] *****
No malicious Firefox URLs cleaned.
***** [ Hosts File Entries ] *****
No malicious hosts file entries cleaned.
***** [ Preinstalled Software ] *****
Deleted Preinstalled.SamsungSmartSwitch Folder C:\Users\Matúš Cehlár\AppData\Roaming\SAMSUNG\SMART SWITCH PC
*************************
[+] Delete Tracing Keys
[+] Reset Winsock
*************************
AdwCleaner[S00].txt - [1479 octets] - [06/08/2020 11:40:50]
########## EOF - C:\AdwCleaner\Logs\AdwCleaner[C00].txt ##########
Re: Preventive check
Please post both new logs from FRST.
Re: Preventive check

- Copy the following text and paste it into Notepad:
Code:
Start
CloseProcesses:
CreateRestorePoint:
PowerShell: Get-ChildItem -Path "$ENV:USERPROFILE\Desktop" -Recurse -Force | Measure-Object -Property Length -Sum
File: C:\Program Files\HG9028 7.1 USB AUDIO CENTER\CPL\FaceLift_x64.exe
File: C:\WINDOWS\System32\AutoWorkplace.exe
CMD: dsregcmd /status
CMD: gpresult /v
CMD: type "C:\WINDOWS\System32\Tasks\Microsoft\Windows\Workplace Join\Automatic-Workplace-Join"
HKU\S-1-5-21-3036961284-2193080759-2993534940-1004\...\MountPoints2: {a522971d-6f45-11ea-82e3-fcaa145c5559} - "G:\SETUP95.EXE"
Task: {352E6CA0-7314-4DF4-89C4-682368D80D57} - System32\Tasks\Microsoft\Windows\Workplace Join\Automatic-Workplace-Join => C:\WINDOWS\System32\AutoWorkplace.exe
Task: {D9570AFE-2C6F-42F6-AD87-136DA5D40DD9} - System32\Tasks\Driver Booster SkipUAC (Matúš Cehlár) => C:\Program Files (x86)\IObit\Driver Booster\5.1.0\DriverBooster.exe
2020-08-09 17:33 - 2020-08-09 17:33 - 000000000 ____D C:\Users\Matúš Cehlár\Desktop\FRST-OlderVersion
ContextMenuHandlers1: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => -> No File
ContextMenuHandlers1: [BriefcaseMenu] -> {85BBD920-42A0-1069-A2E4-08002B30309D} => -> No File
ContextMenuHandlers3: [{4A7C4306-57E0-4C0C-83A9-78C1528F618C}] -> {4A7C4306-57E0-4C0C-83A9-78C1528F618C} => -> No File
ContextMenuHandlers4: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => -> No File
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => -> No File
ContextMenuHandlers6: [BriefcaseMenu] -> {85BBD920-42A0-1069-A2E4-08002B30309D} => -> No File
FirewallRules: [{4EAC218A-7E90-4BBE-BD2E-7A4E5795AB9E}] => (Allow) C:\Users\Matúš Cehlár\AppData\Roaming\uTorrent\uTorrent.exe => No File
FirewallRules: [{E28E12DF-6A0A-433C-9E98-2535D2E64C7E}] => (Allow) C:\Users\Matúš Cehlár\AppData\Roaming\uTorrent\uTorrent.exe => No File
C:\Program Files (x86)\IObit
Hosts:
EmptyTemp:
End
- Save it to the desktop under the name fixlist.txt
- Run FRST again and click Fix
- When it finishes, FRST will ask for a PC restart; confirm by clicking OK
- After the PC restarts, there will be a file Fixlog.txt on the desktop; copy its contents here
Re: Preventive check
Fix result of Farbar Recovery Scan Tool (x64) Version: 09-08-2020
Ran by Matúš Cehlár (10-08-2020 12:43:03) Run:1
Running from C:\Users\Matúš Cehlár\Desktop
Loaded Profiles: Matúš Cehlár & postgres
Boot Mode: Normal
==============================================
fixlist content:
*****************
Start
CloseProcesses:
CreateRestorePoint:
PowerShell: Get-ChildItem -Path "$ENV:USERPROFILE\Desktop" -Recurse -Force | Measure-Object -Property Length -Sum
File: C:\Program Files\HG9028 7.1 USB AUDIO CENTER\CPL\FaceLift_x64.exe
File: C:\WINDOWS\System32\AutoWorkplace.exe
CMD: dsregcmd /status
CMD: gpresult /v
CMD: type "C:\WINDOWS\System32\Tasks\Microsoft\Windows\Workplace Join\Automatic-Workplace-Join"
HKU\S-1-5-21-3036961284-2193080759-2993534940-1004\...\MountPoints2: {a522971d-6f45-11ea-82e3-fcaa145c5559} - "G:\SETUP95.EXE"
Task: {352E6CA0-7314-4DF4-89C4-682368D80D57} - System32\Tasks\Microsoft\Windows\Workplace Join\Automatic-Workplace-Join => C:\WINDOWS\System32\AutoWorkplace.exe
Task: {D9570AFE-2C6F-42F6-AD87-136DA5D40DD9} - System32\Tasks\Driver Booster SkipUAC (Matúš Cehlár) => C:\Program Files (x86)\IObit\Driver Booster\5.1.0\DriverBooster.exe
2020-08-09 17:33 - 2020-08-09 17:33 - 000000000 ____D C:\Users\Matúš Cehlár\Desktop\FRST-OlderVersion
ContextMenuHandlers1: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => -> No File
ContextMenuHandlers1: [BriefcaseMenu] -> {85BBD920-42A0-1069-A2E4-08002B30309D} => -> No File
ContextMenuHandlers3: [{4A7C4306-57E0-4C0C-83A9-78C1528F618C}] -> {4A7C4306-57E0-4C0C-83A9-78C1528F618C} => -> No File
ContextMenuHandlers4: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => -> No File
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => -> No File
ContextMenuHandlers6: [BriefcaseMenu] -> {85BBD920-42A0-1069-A2E4-08002B30309D} => -> No File
FirewallRules: [{4EAC218A-7E90-4BBE-BD2E-7A4E5795AB9E}] => (Allow) C:\Users\Matúš Cehlár\AppData\Roaming\uTorrent\uTorrent.exe => No File
FirewallRules: [{E28E12DF-6A0A-433C-9E98-2535D2E64C7E}] => (Allow) C:\Users\Matúš Cehlár\AppData\Roaming\uTorrent\uTorrent.exe => No File
C:\Program Files (x86)\IObit
Hosts:
EmptyTemp:
End
*****************
Processes closed successfully.
Restore point was successfully created.
========= Get-ChildItem -Path "$ENV:USERPROFILE\Desktop" -Recurse -Force | Measure-Object -Property Length -Sum =========
Count : 2460
Average :
Sum : 11308325961
Maximum :
Minimum :
Property : Length
========= End of Powershell: =========
========================= File: C:\Program Files\HG9028 7.1 USB AUDIO CENTER\CPL\FaceLift_x64.exe ========================
C:\Program Files\HG9028 7.1 USB AUDIO CENTER\CPL\FaceLift_x64.exe
File not signed
MD5: 1B3DF3B9994055F6171F83E59CC1E0CE
Creation and modification date: 2019-01-24 14:41 - 2014-01-20 10:29
Size: 002326528
Attributes: ----N
Company Name:
Internal Name: Xear Audio Center
Original Name: FaceLift.exe
Product: Xear Audio Center
Description: Xear Audio Center
File Version: 1.0.0.3
Product Version: 1.0.0.3
Copyright: Copyright (C) 2014
VirusTotal: https://www.virustotal.com/gui/file/392 ... 1535171717
====== End of File: ======
========================= File: C:\WINDOWS\System32\AutoWorkplace.exe ========================
"C:\WINDOWS\System32\AutoWorkplace.exe" => not found
====== End of File: ======
========= dsregcmd /status =========
+----------------------------------------------------------------------+
| Device State |
+----------------------------------------------------------------------+
AzureAdJoined : NO
EnterpriseJoined : NO
DomainJoined : NO
+----------------------------------------------------------------------+
| User State |
+----------------------------------------------------------------------+
NgcSet : NO
WorkplaceJoined : NO
WamDefaultSet : YES
WamDefaultAuthority : consumers
WamDefaultId : https://login.microsoft.com
WamDefaultGUID : {D7F9888F-E3FC-49B0-9EA6-A85B5F392A4F} (MicrosoftAccount)
+----------------------------------------------------------------------+
| SSO State |
+----------------------------------------------------------------------+
AzureAdPrt : NO
AzureAdPrtAuthority : NO
EnterprisePrt : NO
EnterprisePrtAuthority : NO
+----------------------------------------------------------------------+
| Ngc Prerequisite Check |
+----------------------------------------------------------------------+
IsDeviceJoined : NO
IsUserAzureAD : NO
PolicyEnabled : NO
PostLogonEnabled : YES
DeviceEligible : YES
SessionIsNotRemote : YES
CertEnrollment : none
PreReqResult : WillNotProvision
========= End of CMD: =========
========= gpresult /v =========
Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
c 2019 Microsoft Corporation. All rights reserved.
Created on 10.08.2020 at 12:43:18
RSOP data for MATUS-PC\Matúš Cehlár on MATUS-PC : Logging Mode
---------------------------------------------------------------
OS Configuration: Standalone Workstation
OS Version: 10.0.18363
Site Name: N/A
Roaming Profile: N/A
Local Profile: C:\Users\Matúš Cehlár
Connected over a slow link?: No
COMPUTER SETTINGS
------------------
Last time Group Policy was applied: 06.08.2020 at 11:42:54
Group Policy was applied from: N/A
Group Policy slow link threshold: 500 kbps
Domain Name: MATUS-PC
Domain Type: <Local Computer>
Applied Group Policy Objects
-----------------------------
Lokálna skupinová politika
The computer is a part of the following security groups
-------------------------------------------------------
BUILTIN\Administrators
Everyone
NT AUTHORITY\Authenticated Users
System Mandatory Level
Resultant Set Of Policies for Computer
---------------------------------------
Software Installations
----------------------
N/A
Startup Scripts
---------------
N/A
Shutdown Scripts
----------------
N/A
Account Policies
----------------
N/A
Audit Policy
------------
N/A
User Rights
-----------
N/A
Security Options
----------------
N/A
N/A
Event Log Settings
------------------
N/A
Restricted Groups
-----------------
N/A
System Services
---------------
N/A
Registry Settings
-----------------
N/A
File System Settings
--------------------
N/A
Public Key Policies
-------------------
N/A
Administrative Templates
------------------------
N/A
USER SETTINGS
--------------
Last time Group Policy was applied: 10.08.2020 at 10:04:16
Group Policy was applied from: N/A
Group Policy slow link threshold: 500 kbps
Domain Name: MATUS-PC
Domain Type: <Local Computer>
Applied Group Policy Objects
-----------------------------
N/A
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Lokálna skupinová politika
Filtering: Not Applied (Empty)
The user is a part of the following security groups
---------------------------------------------------
High Mandatory Level
Everyone
Lokálne konto a člen skupiny Administrators
HomeUsers
BUILTIN\Administrators
BUILTIN\Users
NT AUTHORITY\INTERACTIVE
CONSOLE LOGON
NT AUTHORITY\Authenticated Users
This Organization
cehlar.matus@outlook.sk
Lokálne konto
LOCAL
Overenie cloudového konta
The user has the following security privileges
----------------------------------------------
Bypass traverse checking
Manage auditing and security log
Back up files and directories
Restore files and directories
Change the system time
Shut down the system
Force shutdown from a remote system
Take ownership of files or other objects
Debug programs
Modify firmware environment values
Profile system performance
Profile single process
Increase scheduling priority
Load and unload device drivers
Create a pagefile
Adjust memory quotas for a process
Remove computer from docking station
Perform volume maintenance tasks
Impersonate a client after authentication
Create global objects
Change the time zone
Create symbolic links
Increase a process working set
Resultant Set Of Policies for User
-----------------------------------
Software Installations
----------------------
N/A
Logon Scripts
-------------
N/A
Logoff Scripts
--------------
N/A
Public Key Policies
-------------------
N/A
Administrative Templates
------------------------
N/A
Folder Redirection
------------------
N/A
Internet Explorer Browser User Interface
----------------------------------------
N/A
Internet Explorer Connection
----------------------------
N/A
Internet Explorer URLs
----------------------
N/A
Internet Explorer Security
--------------------------
N/A
Internet Explorer Programs
--------------------------
N/A
========= End of CMD: =========
========= type "C:\WINDOWS\System32\Tasks\Microsoft\Windows\Workplace Join\Automatic-Workplace-Join" =========
<?xml version="1.0" encoding="UTF-16"?>
<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo>
<SecurityDescriptor>D:AI(A;;FA;;;NS)(A;;GA;;;SY)(A;ID;FA;;;BA)(A;ID;GRGX;;;AU)</SecurityDescriptor>
<Description>$(@%SystemRoot%\system32\AutoWorkplaceN.dll,-101)</Description>
<URI>\Microsoft\Windows\Workplace Join\Automatic-Workplace-Join</URI>
</RegistrationInfo>
<Principals>
<Principal>
<GroupId>S-1-5-11</GroupId>
</Principal>
</Principals>
<Settings>
<DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
<Enabled>false</Enabled>
<ExecutionTimeLimit>PT5M</ExecutionTimeLimit>
<MultipleInstancesPolicy>Queue</MultipleInstancesPolicy>
<RunOnlyIfNetworkAvailable>true</RunOnlyIfNetworkAvailable>
<IdleSettings>
<StopOnIdleEnd>true</StopOnIdleEnd>
<RestartOnIdle>false</RestartOnIdle>
</IdleSettings>
<UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine>
</Settings>
<Triggers>
<LogonTrigger>
<Delay>PT5M</Delay>
</LogonTrigger>
</Triggers>
<Actions>
<Exec>
<Command>%SystemRoot%\System32\AutoWorkplace.exe</Command>
<Arguments>join</Arguments>
</Exec>
</Actions>
</Task>
========= End of CMD: =========
HKU\S-1-5-21-3036961284-2193080759-2993534940-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a522971d-6f45-11ea-82e3-fcaa145c5559} => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{352E6CA0-7314-4DF4-89C4-682368D80D57}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{352E6CA0-7314-4DF4-89C4-682368D80D57}" => removed successfully
C:\WINDOWS\System32\Tasks\Microsoft\Windows\Workplace Join\Automatic-Workplace-Join => moved successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Workplace Join\Automatic-Workplace-Join" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{D9570AFE-2C6F-42F6-AD87-136DA5D40DD9}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D9570AFE-2C6F-42F6-AD87-136DA5D40DD9}" => removed successfully
C:\WINDOWS\System32\Tasks\Driver Booster SkipUAC (Matúš Cehlár) => moved successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Driver Booster SkipUAC (Matúš Cehlár)" => removed successfully
"C:\Users\Matúš Cehlár\Desktop\FRST-OlderVersion" => not found
HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers\7-Zip => removed successfully
HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers\BriefcaseMenu => removed successfully
"HKLM\Software\Classes\CLSID\{85BBD920-42A0-1069-A2E4-08002B30309D}" => removed successfully
HKLM\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers\{4A7C4306-57E0-4C0C-83A9-78C1528F618C} => removed successfully
HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers\7-Zip => removed successfully
HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers\igfxcui => removed successfully
HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers\BriefcaseMenu => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{4EAC218A-7E90-4BBE-BD2E-7A4E5795AB9E}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{E28E12DF-6A0A-433C-9E98-2535D2E64C7E}" => removed successfully
"C:\Program Files (x86)\IObit" => not found
C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.
=========== EmptyTemp: ==========
BITS transfer queue => 10772480 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 31718292 B
Java, Flash, Steam htmlcache => 390693637 B
Windows/system/drivers => 4093775 B
Edge => 2013817 B
Chrome => 387856636 B
Firefox => 478841640 B
Opera => 285798110 B
Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 89722 B
NetworkService => 89722 B
Matúš Cehlár => 25347853 B
postgres => 25347853 B
RecycleBin => 65029834 B
EmptyTemp: => 1.6 GB temporary data Removed.
================================
The system needed a reboot.
==== End of Fixlog 12:45:00 ====
HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers\7-Zip => removed successfully
HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers\igfxcui => removed successfully
HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers\BriefcaseMenu => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{4EAC218A-7E90-4BBE-BD2E-7A4E5795AB9E}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{E28E12DF-6A0A-433C-9E98-2535D2E64C7E}" => removed successfully
"C:\Program Files (x86)\IObit" => not found
C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.
=========== EmptyTemp: ==========
BITS transfer queue => 10772480 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 31718292 B
Java, Flash, Steam htmlcache => 390693637 B
Windows/system/drivers => 4093775 B
Edge => 2013817 B
Chrome => 387856636 B
Firefox => 478841640 B
Opera => 285798110 B
Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 89722 B
NetworkService => 89722 B
Matúš Cehlár => 25347853 B
postgres => 25347853 B
RecycleBin => 65029834 B
EmptyTemp: => 1.6 GB temporary data Removed.
================================
The system needed a reboot.
==== End of Fixlog 12:45:00 ====
Re: Preventive check
The desktop holds about 10 GB, which is a lot. I recommend moving all files and folders from the desktop to Documents and leaving only shortcuts on the desktop. An overly large desktop can slow the system down.
Chrome has 2 ad blockers installed, Adblock and AdBlock Plus, while Firefox has uBlock Origin and AdBlock Plus. It is more or less pointless to have both blockers enabled at once. From the log I cannot see whether both blockers are enabled in the browsers at the same time, but if so, I recommend disabling (or removing) one of them completely and keeping only one enabled. Personally I would recommend keeping uBlock Origin (it is available for both Firefox and Chrome).
Otherwise it looks OK. Are there any problems with the PC?
Graduate of the school for newcomers
E-mail: conder (at) forum.viry.cz
If anything is unclear, ask. I recommend always keeping important data backed up (documents, photos and so on).
Fixlists and other scripts are written only for one specific PC. Do not use them on other devices, otherwise you risk damaging the system or losing data.
If you have a problem similar to another user's, please start your own topic.
If you are satisfied, you can support the forum. Thank you!

Re: Preventive check
Thank you for the advice.
No, there are no problems with the PC; this was purely a preventive check.
Re: Preventive check

- Download DelFix: https://toolslib.net/downloads/finish/2-delfix/
- Save it to the desktop and run it
- Leave the "Remove disinfection tools" option checked
- Click "Run"
Graduate of the school for newcomers
E-mail: conder (at) forum.viry.cz
If anything is unclear, ask. I recommend always keeping important data backed up (documents, photos and so on).
Fixlists and other scripts are written only for one specific PC. Do not use them on other devices, otherwise you risk damaging the system or losing data.
If you have a problem similar to another user's, please start your own topic.
If you are satisfied, you can support the forum. Thank you!

Re: Preventive check
# DelFix v1.013 - Logfile created 17/08/2020 at 13:32:38
# Updated 17/04/2016 by Xplode
# Username : Matúš Cehlár - MATUS-PC
# Operating System : Windows 10 Enterprise (64 bits)
~ Removing disinfection tools ...
Deleted : C:\FRST
Deleted : C:\AdwCleaner
Deleted : C:\Users\Matúš Cehlár\Desktop\Addition.txt
Deleted : C:\Users\Matúš Cehlár\Desktop\adwcleaner_8.0.7.exe
Deleted : C:\Users\Matúš Cehlár\Desktop\FRST.txt
Deleted : C:\Users\Matúš Cehlár\Desktop\FRST64.exe
########## - EOF - ##########
Re: Preventive check
This is OK.
Graduate of the school for newcomers
E-mail: conder (at) forum.viry.cz
If anything is unclear, ask. I recommend always keeping important data backed up (documents, photos and so on).
Fixlists and other scripts are written only for one specific PC. Do not use them on other devices, otherwise you risk damaging the system or losing data.
If you have a problem similar to another user's, please start your own topic.
If you are satisfied, you can support the forum. Thank you!
