nekdo mi pouziva PC? - prosim o kontrolu

[tomasnikl]

Ahoj,

mohl bych vas poprosit o pomoct?

jen strucne v bodech, co se stalo:
- nekdo na facebooku platil reklamy moji kartou. Nedoslo k zadnemu podezrelemu prihlaseni z jine IP, z jine zeme apod
- z chrome vyexportoval vsechna hesla do excelu, chtel jsem je projit a zrevidovat
- 2 dny po exportu hesel se nekdo snazil prihlasit do instituci jako mbank, coinbase, cex.io (crypto burzy atd). Mam telefon plny overovacich 2FA kodu a v mailu mam take tyto zaznamy o prihlaseni do uctu. K temto prihlasenim doslo v dobe, kdy byl PC zapnuty a doslo k nim z moji IP adresy (tvari se to tey, ze se nekdo prihlasuje skrze muj PC)
- PC jsem projel Avastem, Esetem a zadny z programu nic nenasel.

Kompletni logy:
davam sem a nebo do prilohy, nejdou mi kvuli maximalni delce pridat do prispevku:
RSIT log: https://gist.github.com/tomasnikl/57caa ... 05fc82424b
RSIT info: https://gist.github.com/tomasnikl/77b3e ... af4e967503
FRST log: https://gist.github.com/tomasnikl/fe073 ... 8f15fe92b2
FRST info: https://gist.github.com/tomasnikl/d90e6 ... 068361d843

[Rudy]

Zdravím!
Spusťte tuto utilitu:

Ulozte na plochu AdwCleaner https://malwarebytes.com/adwcleaner/ nebo http://www.bleepingcomputer.com/download/adwcleaner/

ukoncete vsechny programy
odsouhlaste licencni podmiky (EULA) klikem na Souhlasim
kliknete pravym na ikonu AdwCleaneru a vyberte Spustit jako spravce (v pripade Win XP spustte obycejne dvojklikem)
kliknete na Skenovat nyni (Scan now), pote na Cisteni a opravy (Clean and Repair)
po restartu na Vas vyskoci log (pripadne jej najdete v C:\AdwCleaner\Logs\AdwCleaner[Cxx].txt), jehoz obsah zkopirujte do pristi odpovedi

[tomasnikl]

zdravim! spusteno ale zajimave je, ze i pres to, ze program pise, ze problemy opravil tak pri dalsim pusteni tam jsou znovu

log prikladam nize:

# -------------------------------
# Malwarebytes AdwCleaner 8.1.0.0
# -------------------------------
# Build: 02-15-2021
# Database: 2021-03-03.1 (Cloud)
# Support: https://www.malwarebytes.com/support
#
# -------------------------------
# Mode: Clean
# -------------------------------
# Start: 03-05-2021
# Duration: 00:00:03
# OS: Windows 10 Pro
# Cleaned: 22
# Failed: 0


***** [ Services ] *****

Deleted Update service

***** [ Folders ] *****

No malicious folders cleaned.

***** [ Files ] *****

No malicious files cleaned.

***** [ DLL ] *****

No malicious DLLs cleaned.

***** [ WMI ] *****

No malicious WMI cleaned.

***** [ Shortcuts ] *****

No malicious shortcuts cleaned.

***** [ Tasks ] *****

No malicious tasks cleaned.

***** [ Registry ] *****

Deleted HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{00365D2D-A706-439A-9EB2-F6472E20D4C0}
Deleted HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{1BCDFE68-CF00-4277-92C6-4DF370C2F381}
Deleted HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{7A439A49-0925-4EAE-8656-85618262744A}
Deleted HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{7C69ABA5-400D-40D9-ACD8-650A9ABA225E}
Deleted HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{86B223A1-4648-45C0-9A8A-82F2BCAC31D5}
Deleted HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{96EC85CA-3D33-4372-B84A-C7DCE787BFF4}
Deleted HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{B8832BAD-6F85-421E-A791-A16F5F3524C6}
Deleted HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{FDEFAB96-905B-4239-8841-2AE5D9B5C110}
Deleted HKLM\Software\Classes\TypeLib\{DF2BBE39-40A8-433B-A279-073F48DA94B6}
Deleted HKLM\Software\Wow6432Node\\Classes\TypeLib\{DF2BBE39-40A8-433B-A279-073F48DA94B6}

***** [ Chromium (and derivatives) ] *****

Deleted User-Agent Switcher for Chrome - djflhoibgkdhkhhcedjiklpkjnoahfmg

***** [ Chromium URLs ] *****

Deleted AVG Secure Search
Deleted banggood.com
Deleted blekko
Deleted http://isearch.avg.com/?cid={43C2ACA3-B ... g=0&sap=hp
Deleted http://search.babylon.com/?affID=112555 ... f06d3c1314
Deleted http://search.babylon.com/?affID=112555 ... f06d3c1314
Deleted http://search.conduit.com/?ctid=CT33149 ... &UP=&SSPV=
Deleted http://search.conduit.com/?ctid=CT33149 ... BFF7&SSPV=
Deleted http://search.conduit.com/?ctid=CT33149 ... FD14&SSPV=
Deleted http://search.conduit.com/?ctid=CT33149 ... FD14&SSPV=

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries cleaned.

***** [ Firefox URLs ] *****

No malicious Firefox URLs cleaned.

***** [ Hosts File Entries ] *****

No malicious hosts file entries cleaned.

***** [ Preinstalled Software ] *****

No Preinstalled Software cleaned.


*************************

[+] Delete Tracing Keys
[+] Reset Winsock

*************************

AdwCleaner[S00].txt - [4261 octets] - [05/03/2021 14:12:02]

########## EOF - C:\AdwCleaner\Logs\AdwCleaner[C00].txt ##########

[Rudy]

OK. Dejte nové logy FRST+Addition.

[tomasnikl]

odinstaloval jsem jeste radu programu a logy prikladam do prilohy nebo zde:
FRST: https://gist.github.com/tomasnikl/00367 ... 9d48a25170
FRST-Addition: https://gist.github.com/tomasnikl/ac291 ... cd92b37e68

[Rudy]

Otevřte poznámkový blok a zkopírujte do něj:

Start

CloseProcesses:
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [710264 2020-06-18] (Oracle America, Inc. -> Oracle Corporation)
HKU\S-1-5-21-434153615-1448201401-3235158447-1001\...\MountPoints2: {2199e05f-9616-11ea-b2b5-3c6aa7f536f5} - "E:\HiSuiteDownLoader.exe"
HKU\S-1-5-21-434153615-1448201401-3235158447-1001\...\MountPoints2: {9abb4ff9-9800-11e9-b207-3c6aa7f536f5} - "E:\HiSuiteDownLoader.exe"
GroupPolicy: Restriction ? <==== ATTENTION
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION
Task: {40E1F338-233C-4062-90FF-7996617A6C77} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [154920 2019-06-07] (Google Inc -> Google LLC)
Task: {47FD5390-4D4F-4781-8E50-56DC21D4D1EA} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [154920 2019-06-07] (Google Inc -> Google LLC)
Task: {F95129DB-F56C-42F7-A33E-67ABC2BC2C02} - System32\Tasks\Microsoft\Windows\EnterpriseMgmt\6C5A9F00-50DE-4392-8402-A5151D3CF5EC\OS Edition Upgrade event listener created by enrollment client => C:\Windows\system32\deviceenroller.exe [557056 2021-02-10] (Microsoft Windows -> Microsoft Corporation)
"C:\Windows\System32\Tasks\Intel\Thunderbolt\Start Thunderbolt service on boot if driver is up" was unlocked. <==== ATTENTION
U1 aswbdisk; no ImagePath
C:\Windows\system32\Tasks\GoogleUpdateTaskMachineUA
C:\Windows\system32\Tasks\GoogleUpdateTaskMachineCore
ShellIconOverlayIdentifiers: [ AccExtIco1] -> {AB9CF9F8-8A96-4F9D-BF21-CE85714C3A47} => -> No File
ShellIconOverlayIdentifiers: [ AccExtIco2] -> {853B7E05-C47D-4985-909A-D0DC5C6D7303} => -> No File
ShellIconOverlayIdentifiers: [ AccExtIco3] -> {42D38F2E-98E9-4382-B546-E24E4D6D04BB} => -> No File
ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} => -> No File
ContextMenuHandlers1: [ FileSyncEx] -> {CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} => -> No File
ContextMenuHandlers1: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => -> No File
ContextMenuHandlers1: [AccExt] -> [CC]{2A118EB5-5797-4F5E-8B3D-F4ECBA3C98E4} => -> No File
ContextMenuHandlers1: [ANotepad++64] -> {B298D29A-A6ED-11DE-BA8C-A68E55D89593} => -> No File
ContextMenuHandlers1: [BriefcaseMenu] -> {85BBD920-42A0-1069-A2E4-08002B30309D} => -> No File
ContextMenuHandlers3: [{4A7C4306-57E0-4C0C-83A9-78C1528F618C}] -> {4A7C4306-57E0-4C0C-83A9-78C1528F618C} => -> No File
ContextMenuHandlers4: [ FileSyncEx] -> [CC]{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} => -> No File
ContextMenuHandlers4: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => -> No File
ContextMenuHandlers6: [AccExt] -> [CC]{2A118EB5-5797-4F5E-8B3D-F4ECBA3C98E4} => -> No File
ContextMenuHandlers6: [BriefcaseMenu] -> {85BBD920-42A0-1069-A2E4-08002B30309D} => -> No File
ContextMenuHandlers1_.DEFAULT: [ FileSyncEx] -> {CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} => -> No File
ContextMenuHandlers4_.DEFAULT: [ FileSyncEx] -> {CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} => -> No File
ContextMenuHandlers5_.DEFAULT: [ FileSyncEx] -> {CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} => -> No File
C:\Users\tomas\AppData\Local\Temp
AlternateDataStreams: C:\ProgramData\Reprise:wupeogjxlctlfudivq`qsp`20hfm [0]
AlternateDataStreams: C:\Users\tomas\AppData\Local\Temp:com.affinity.designer.2 [366]
AlternateDataStreams: C:\Users\tomas\AppData\Local\Temp:com.affinity.photo.2 [320]
C:\Users\tomas\Downloads\setup_x86_x64_install.exe

EmptyTemp:
Hosts:
End

Uložte do C:\Users\tomas\Downloads jako fixlist.txt. Spusťte znovu FRST a klikněte na >Fix<. Po skončení akce se objeví log, který sem zkopírujte.

[tomasnikl]

Dekuji! fix jsem provedl, prikladam log.. koukam, ze obcas tam je "not found".. napr u toho javaupdateru... to asi budou veci, ktere jsem pred par hodinama odinstalovaval.

Log zde:

Fix result of Farbar Recovery Scan Tool (x64) Version: 28-02-2021
Ran by tomas (05-03-2021 16:13:17) Run:1
Running from C:\Users\tomas\Downloads
Loaded Profiles: tomas
Boot Mode: Normal
==============================================

fixlist content:
*****************
Start

CloseProcesses:
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [710264 2020-06-18] (Oracle America, Inc. -> Oracle Corporation)
HKU\S-1-5-21-434153615-1448201401-3235158447-1001\...\MountPoints2: {2199e05f-9616-11ea-b2b5-3c6aa7f536f5} - "E:\HiSuiteDownLoader.exe"
HKU\S-1-5-21-434153615-1448201401-3235158447-1001\...\MountPoints2: {9abb4ff9-9800-11e9-b207-3c6aa7f536f5} - "E:\HiSuiteDownLoader.exe"
GroupPolicy: Restriction ? <==== ATTENTION
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION
Task: {40E1F338-233C-4062-90FF-7996617A6C77} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [154920 2019-06-07] (Google Inc -> Google LLC)
Task: {47FD5390-4D4F-4781-8E50-56DC21D4D1EA} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [154920 2019-06-07] (Google Inc -> Google LLC)
Task: {F95129DB-F56C-42F7-A33E-67ABC2BC2C02} - System32\Tasks\Microsoft\Windows\EnterpriseMgmt\6C5A9F00-50DE-4392-8402-A5151D3CF5EC\OS Edition Upgrade event listener created by enrollment client => C:\Windows\system32\deviceenroller.exe [557056 2021-02-10] (Microsoft Windows -> Microsoft Corporation)
"C:\Windows\System32\Tasks\Intel\Thunderbolt\Start Thunderbolt service on boot if driver is up" was unlocked. <==== ATTENTION
U1 aswbdisk; no ImagePath
C:\Windows\system32\Tasks\GoogleUpdateTaskMachineUA
C:\Windows\system32\Tasks\GoogleUpdateTaskMachineCore
ShellIconOverlayIdentifiers: [ AccExtIco1] -> {AB9CF9F8-8A96-4F9D-BF21-CE85714C3A47} => -> No File
ShellIconOverlayIdentifiers: [ AccExtIco2] -> {853B7E05-C47D-4985-909A-D0DC5C6D7303} => -> No File
ShellIconOverlayIdentifiers: [ AccExtIco3] -> {42D38F2E-98E9-4382-B546-E24E4D6D04BB} => -> No File
ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} => -> No File
ContextMenuHandlers1: [ FileSyncEx] -> {CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} => -> No File
ContextMenuHandlers1: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => -> No File
ContextMenuHandlers1: [AccExt] -> [CC]{2A118EB5-5797-4F5E-8B3D-F4ECBA3C98E4} => -> No File
ContextMenuHandlers1: [ANotepad++64] -> {B298D29A-A6ED-11DE-BA8C-A68E55D89593} => -> No File
ContextMenuHandlers1: [BriefcaseMenu] -> {85BBD920-42A0-1069-A2E4-08002B30309D} => -> No File
ContextMenuHandlers3: [{4A7C4306-57E0-4C0C-83A9-78C1528F618C}] -> {4A7C4306-57E0-4C0C-83A9-78C1528F618C} => -> No File
ContextMenuHandlers4: [ FileSyncEx] -> [CC]{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} => -> No File
ContextMenuHandlers4: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => -> No File
ContextMenuHandlers6: [AccExt] -> [CC]{2A118EB5-5797-4F5E-8B3D-F4ECBA3C98E4} => -> No File
ContextMenuHandlers6: [BriefcaseMenu] -> {85BBD920-42A0-1069-A2E4-08002B30309D} => -> No File
ContextMenuHandlers1_.DEFAULT: [ FileSyncEx] -> {CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} => -> No File
ContextMenuHandlers4_.DEFAULT: [ FileSyncEx] -> {CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} => -> No File
ContextMenuHandlers5_.DEFAULT: [ FileSyncEx] -> {CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} => -> No File
C:\Users\tomas\AppData\Local\Temp
AlternateDataStreams: C:\ProgramData\Reprise:wupeogjxlctlfudivq`qsp`20hfm [0]
AlternateDataStreams: C:\Users\tomas\AppData\Local\Temp:com.affinity.designer.2 [366]
AlternateDataStreams: C:\Users\tomas\AppData\Local\Temp:com.affinity.photo.2 [320]
C:\Users\tomas\Downloads\setup_x86_x64_install.exe

EmptyTemp:
Hosts:
End
*****************

Processes closed successfully.
"HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\" => not found
"HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\SunJavaUpdateSched" => not found
HKU\S-1-5-21-434153615-1448201401-3235158447-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2199e05f-9616-11ea-b2b5-3c6aa7f536f5} => removed successfully
HKU\S-1-5-21-434153615-1448201401-3235158447-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9abb4ff9-9800-11e9-b207-3c6aa7f536f5} => removed successfully
C:\Windows\system32\GroupPolicy\Machine => moved successfully
C:\Windows\system32\GroupPolicy\GPT.ini => moved successfully
C:\Windows\SysWOW64\GroupPolicy\GPT.ini => moved successfully
C:\ProgramData\NTUSER.pol => moved successfully
HKLM\SOFTWARE\Policies\Mozilla => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{40E1F338-233C-4062-90FF-7996617A6C77}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{40E1F338-233C-4062-90FF-7996617A6C77}" => removed successfully
C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore => moved successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GoogleUpdateTaskMachineCore" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{47FD5390-4D4F-4781-8E50-56DC21D4D1EA}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{47FD5390-4D4F-4781-8E50-56DC21D4D1EA}" => removed successfully
C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA => moved successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GoogleUpdateTaskMachineUA" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{F95129DB-F56C-42F7-A33E-67ABC2BC2C02}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F95129DB-F56C-42F7-A33E-67ABC2BC2C02}" => removed successfully
C:\Windows\System32\Tasks\Microsoft\Windows\EnterpriseMgmt\6C5A9F00-50DE-4392-8402-A5151D3CF5EC\OS Edition Upgrade event listener created by enrollment client => moved successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\EnterpriseMgmt\6C5A9F00-50DE-4392-8402-A5151D3CF5EC\OS Edition Upgrade event listener created by enrollment client" => removed successfully
"C:\Windows\System32\Tasks\Intel\Thunderbolt\Start Thunderbolt service on boot if driver is up" was unlocked. <==== ATTENTION" => not found
HKLM\System\CurrentControlSet\Services\aswbdisk => could not remove, key could be protected
"C:\Windows\system32\Tasks\GoogleUpdateTaskMachineUA" => not found
"C:\Windows\system32\Tasks\GoogleUpdateTaskMachineCore" => not found
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ AccExtIco1 => not found
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ AccExtIco2 => not found
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ AccExtIco3 => not found
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00asw => removed successfully
HKLM\Software\Classes\CLSID\{472083B0-C522-11CF-8763-00608CC02F24} => could not remove, key could be protected
HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers\ FileSyncEx => removed successfully
HKLM\Software\Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} => removed successfully
HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers\7-Zip => removed successfully
HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers\AccExt => removed successfully
HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers\ANotepad++64 => removed successfully
HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers\BriefcaseMenu => removed successfully
"HKLM\Software\Classes\CLSID\{85BBD920-42A0-1069-A2E4-08002B30309D}" => removed successfully
HKLM\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers\{4A7C4306-57E0-4C0C-83A9-78C1528F618C} => removed successfully
HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers\ FileSyncEx => removed successfully
HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers\7-Zip => removed successfully
HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers\AccExt => removed successfully
HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers\BriefcaseMenu => removed successfully
HKU\.DEFAULT\Software\Classes\*\ShellEx\ContextMenuHandlers\ FileSyncEx => removed successfully
HKU\.DEFAULT\SOFTWARE\Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} => removed successfully
HKU\.DEFAULT\Software\Classes\Directory\ShellEx\ContextMenuHandlers\ FileSyncEx => removed successfully
HKU\.DEFAULT\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers\ FileSyncEx => removed successfully
C:\Users\tomas\AppData\Local\Temp => moved successfully
C:\ProgramData\Reprise => ":wupeogjxlctlfudivq`qsp`20hfm" ADS removed successfully
"C:\Users\tomas\AppData\Local\Temp" => ":com.affinity.designer.2" ADS not found.
"C:\Users\tomas\AppData\Local\Temp" => ":com.affinity.photo.2" ADS not found.
"C:\Users\tomas\Downloads\setup_x86_x64_install.exe" => not found
C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.

=========== EmptyTemp: ==========

BITS transfer queue => 13131776 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 17031621 B
Java, Flash, Steam htmlcache => 445660170 B
Windows/system/drivers => 116425529 B
Edge => 36916 B
Chrome => 96359680 B
Firefox => 9543292 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 168 B
LocalService => 4974 B
NetworkService => 29915604 B
tomas => 39912068 B

RecycleBin => 0 B
EmptyTemp: => 732.4 MB temporary data Removed.

================================

Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 05-03-2021 16:17:49)


Result of scheduled keys to remove after reboot:

HKLM\System\CurrentControlSet\Services\aswbdisk => could not remove, key could be protected
HKLM\Software\Classes\CLSID\{472083B0-C522-11CF-8763-00608CC02F24} => could not remove, key could be protected

==== End of Fixlog 16:17:49 ====

[Rudy]

Zřejmě ano. Nastala nějaká změna?

[tomasnikl]

Zřejmě ano. Nastala nějaká změna?

nevim jakou zmenu mam pozorovat. Ani v dobe, kdy byla zneuzita karta na Facebooku nic neindikovalo nejaky bordel v PC. Ani vcera pri tech pokusech o prihlaseni jsem nemel zadne podezreni a i tak se to stalo to z me IP adresy. Avast jsem ted pustil a porad se to tvari vse v poradku stejne jako rano. Prosel jsem log z routeru a ani tam nejsou zadne pokusy o prihlaseni do nej, takze i nejakou diru zde jsem vyloucil (hesla na prvcich site mam dlouha a silna, firmware na vsech zarizenich aktualni (aktualizoval jsem cca tyden zpet). Jak rikam, nikdy jsem nemel podezreni na nejaky virus nebo podobnou havet, takze nevim jakym zpusobem poznat, zda ke zmene doslo nebo ne.

Trochu me to desi, protoze zadny antivir nedetekoval problem a i tak doslo k pokusum o prihlaseni z me IP na stranky, kde mam ulozene finance a v dobe, kdy byl muj PC zapnuty. Nemam tuseni kde nejaka dira muze byt a zda se timto opravila ci ne.

[Rudy]

Váš PC bude nejspíše v pořádku. FB vám mohl někdo hacknout přímo, aniž by použil vaše PC. Pokud by se problém opakoval, nahlešte to přímo jejich podpoře. Bankovní účet vám nikdo nehackne, pokud nesdělíte přístupové údaje a v PC jsem nenašel žádný backdoor, který by mohl někam něco posílat.

[tomasnikl]

Dekuji za odpoved.

FB hacknuty naprimo se mi zda velmi nepravdepodobne vzhledem k tomu, ze mam zaple 2FA overeni a heslo vygenerovane Chromem. Dokonce jsem si zacatkem roku nechal vydat novou kartu (puvodni expirovala) a na FB jsem nikdy nic neplatil a reklamy uz vubec, tzn. ze ani par mesicu stara karta na FB nikdy pridana nebyla a penize byly strzeny touto kartou pres muj FB, ktery mam zabezpeceny pomoci 2FA Kdyz jsem to rano zjistil a na FB koukl, byl jsem v prohlizeci odhlaseny a po prihlaseni jsem ho mel v anglictine

A ta druha vec, ze doslo k pokusum o prihlaseni den po exportu hesel z prohlizece do citelne podoby je take hodne podezrela.

Cele to je velmi zvlastni asi pro jistotu cely pocitac smazu a preinstaluju. Neumim si to vysvetlit a docela me to desi.

Dokonce zde mam email ze vcerejsiho vecera, kdy doslo k pokusu o login na bittrex:

Location: CZ
IP Address: 185.64.40.38
Device Name: Chrome on Windows
Browser: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Ta verze prohlizece je naprosto totozna s tou, kterou ja v PC mam. IP adresa taktez moje.

Mam v domacnosti na wifi i zarizeni jako: Google Home, Xiaomi roboticky vysavac, AEG troubu, chytre zasuvky/relle od firmy Shelly, TV Samsung, tiskarnu HP a pote nejaka Apple zarizeni. Muze byt teoreticky problem v nich? Napr vysavac, shelly zasuvky se daji totiz ovladat i vzdalene pres cloud. Nevite nekdo o nejakych aktualni bezpecnostitch dirach?

Dekuju vam za ochotu a cas, ktery jste zkoumani logu venoval.

[Rudy]

PC nemusí být příčinou vašeho problému. U těch chytrých zařízení problém být může, s tím vám ale neporadím, my se tu zabýváme jen oper. systémem Windows. Další místo, kde by problém mohl být je wifi router. Ten opravíte tak, že ho resetnete do tov. nastavení a znovu nastavíte. To se týká především zařízení TP-Link.

[tomasnikl]

Dekuji za odpoved uz jsem to resil i s poskytovatelem a bylo mi sdeleno, ze policie resi v teto dobe na jeho siti zneuziti karet, mhze to s tim souviset, az ted jsem si totiz vsiml, ze k pokusum o prihlaseni doalo z IP koncici na 38 ale moje konci 18. Tudiz jina cast mesta. Pokud je to problem az za routerem tak s tim asi nic moc neudelam. Dekuji jeste jednou

[Rudy]

OK a nemáte zač!