VIRY.CZ

Pomáháme v boji s počítačovou havěti!
https://forum.viry.cz:443/

Win32/CoinMiner na NASu Netgear

https://forum.viry.cz:443/viewtopic.php?t=157547

Stránka 1 z 1

Win32/CoinMiner na NASu Netgear

Napsal: 01 lis 2020 11:14
od Petr.Brezina
Zdravím vespolek,
rád bych poprosil o navedení kde a co udělat, protože mne už nic moc nenapadá.

Používám NAS Netgear R104, který je připojen přímo k routeru a následně je k němu přistupováno v rámci domácí sítě. S nepravidelnou pravidelností ne v adresářové struktuře objevuje šestice souborů – AV.lnk, AV.scr, Photo.lnk, Photo.scr, Video.lnk, Video.scr – když tyto soubory smažu, po čase se objeví znovu. Zároveň pozoruji rapidní snížení rychlosti nahrávání souborů na NAS, v případě jejich stahování na lokální PC se rychlost tak rapidně nesnižuje.

V rámci kontroly jsem použil Win Defender, ESET Online Scanner a Malwarebytes – na připojených PC nenalezly programy nic a kontrola přímo NASu buďto nenašla nic nebo není možná u síťových disků (MB). V rámci OS NASu byl kdysi přístupný jako rozšiřující doplněk také antivir, ten však již v nabídce není a tudíž nemám možnost spustit antivir přímo z operačního systému NASu.

Předpokládám proto, že “šmejd“ je někde na NASu, ovšem netuším, jak jej detekovat, aby dané soubory s železnou nepravidelností nevytvářel. Napadá někoho, jaký zvolit postup? Přikládám log FRST

Díky moc!

log Addition

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 24-10-2020
Ran by petrb (01-11-2020 11:18:57)
Running from C:\Users\petrb\Desktop
Windows 10 Pro Version 2009 19042.610 (X64) (2020-07-20 07:00:10)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-1520699381-1464880648-3029145606-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-1520699381-1464880648-3029145606-503 - Limited - Disabled)
Guest (S-1-5-21-1520699381-1464880648-3029145606-501 - Limited - Disabled)
petrb (S-1-5-21-1520699381-1464880648-3029145606-1001 - Administrator - Enabled) => C:\Users\petrb
WDAGUtilityAccount (S-1-5-21-1520699381-1464880648-3029145606-504 - Limited - Disabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AV: Malwarebytes (Disabled - Up to date) {23007AD3-69FE-687C-2629-D584AFFAF72B}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

4K YouTube to MP3 3.10 (HKLM\...\{C6C89131-2764-42F3-9821-A40B39831DB5}) (Version: 3.10.1.3255 - Open Media LLC)
7-Zip 19.00 (x64) (HKLM\...\7-Zip) (Version: 19.00 - Igor Pavlov)
Acer Quick Access (HKLM\...\{8BBF04F1-C68A-441C-B5EF-446EE9960EAF}) (Version: 2.01.3028 - Acer Incorporated)
Acronis Disk Director 12 (HKLM-x32\...\{AE372858-B1BD-49EF-8308-648322846008}) (Version: 12.0.3223 - Acronis)
Adobe Acrobat Reader DC - Czech (HKLM-x32\...\{AC76BA86-7AD7-1029-7B44-AC0F074E4100}) (Version: 20.012.20048 - Adobe Systems Incorporated)
Adobe Photoshop CC 2019 (HKLM-x32\...\PHSP_20_0_5) (Version: 20.0.5 - Adobe Systems Incorporated)
AIMP (HKLM-x32\...\AIMP) (Version: v4.60.2161, 28.11.2019 - AIMP DevTeam)
Amazon Send to Kindle (HKLM-x32\...\SendToKindle) (Version: 1.1.1.250 - Amazon)
Aplikace Intel® PROSet/Wireless (HKLM-x32\...\{8c595286-0f9e-42de-a0d4-969aba282637}) (Version: 20.50.0 - Intel Corporation)
Backup and Sync from Google (HKLM\...\{86E7EC52-41D9-4573-951C-FB7AC339A251}) (Version: 3.52.3372.2621 - Google, Inc.)
calibre 64bit (HKLM\...\{01C0BC16-C227-42EC-8B59-1CC7676EE8C0}) (Version: 4.12.0 - Kovid Goyal)
CCleaner (HKLM\...\CCleaner) (Version: 5.71 - Piriform)
CrystalDiskInfo 8.4.0 (HKLM\...\CrystalDiskInfo_is1) (Version: 8.4.0 - Crystal Dew World)
CrystalDiskMark 7.0.0h (HKLM\...\CrystalDiskMark7_is1) (Version: 7.0.0h - Crystal Dew World)
České (Typographical) (HKLM\...\{0D5FE444-7415-47E0-B5C0-D0F6EBF010BD}) (Version: 1.0.3.40 - Wiz-Art)
DisplayLink Graphics Driver (HKLM\...\{0C19663B-E144-4B41-B842-8EE0BEE3BDD8}) (Version: 8.0.644.0 - DisplayLink Corp.)
Documentation Manager (HKLM\...\{885E5716-698F-47E6-9ABD-87260B6C80F7}) (Version: 21.80.2.1 - Intel Corporation) Hidden
Dropbox (HKLM-x32\...\Dropbox) (Version: 108.4.453 - Dropbox, Inc.)
Dropbox Update Helper (HKLM-x32\...\{099218A5-A723-43DC-8DB5-6173656A1E94}) (Version: 1.3.335.1 - Dropbox, Inc.) Hidden
Excel (1) (HKU\S-1-5-21-1520699381-1464880648-3029145606-1001\...\35a1ccd137af911bcb6dc4a776a99174) (Version: 1.0 - Excel (1))
Excel (HKU\S-1-5-21-1520699381-1464880648-3029145606-1001\...\1fc5b090eab9aa41f8a2f5987367e6da) (Version: 1.0 - Excel)
Glary Utilities 5.134 (HKLM-x32\...\Glary Utilities 5) (Version: 5.134.0.160 - Glarysoft Ltd)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.36.31 - Google LLC) Hidden
HiSuite (HKLM-x32\...\Hi Suite) (Version: 11.0.0.360 - Huawei Technologies Co., Ltd.)
HP LaserJet Professional P1100-P1560-P1600 Series (HKLM\...\HP LaserJet Professional P1100-P1560-P1600 Series) (Version: - )
I.CA Maintenance (HKLM-x32\...\{A26EE07C-9196-4BB9-BB81-1608D0A99887}) (Version: 1.3.2.0 - První certifikační autorita, a.s.) Hidden
I.CA Maintenance (HKLM-x32\...\I.CA Maintenance 1.3.2.0) (Version: 1.3.2.0 - První certifikační autorita, a.s.)
I.CA PKIServiceHost (HKLM\...\{1E6A84FD-CFF9-41F3-8C9C-21891B80F6F9}) (Version: 1.3.7.0 - První certifikační autorita, a.s.) Hidden
I.CA PKIServiceHost (HKLM-x32\...\I.CA PKIServiceHost 1.3.7.0) (Version: 1.3.7.0 - První certifikační autorita, a.s.)
Intel(R) Computing Improvement Program (HKLM\...\{D98C2DF9-C731-4322-A5F0-D897300216EE}) (Version: 2.4.05718 - Intel Corporation)
Intel(R) Network Connections 20.4.307.0 (HKLM\...\PROSetDX) (Version: 20.4.307.0 - Intel)
Intel(R) Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 21.20.16.4550 - Intel Corporation)
Intel(R) Rapid Storage Technology (HKLM\...\{409CB30E-E457-4008-9B1A-ED1B9EA21140}) (Version: 14.8.16.1063 - Intel Corporation)
Intel(R) Wireless Bluetooth(R) (HKLM-x32\...\{00000070-0210-1029-84C8-B8D95FA3C8C3}) (Version: 21.70.0.3 - Intel Corporation)
Intel® Chipset Device Software (HKLM-x32\...\{fb610cea-ba50-4d4b-a717-cf025419035c}) (Version: 10.1.1.13 - Intel(R) Corporation) Hidden
Intel® Software Installer (HKLM-x32\...\{45fc2606-7c3b-4963-966b-b6e0eae08246}) (Version: 21.80.2.1 - Intel Corporation) Hidden
Java 8 Update 231 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F32180231F0}) (Version: 8.0.2310.11 - Oracle Corporation)
Logitech Options (HKLM\...\LogiOptions) (Version: 8.34.82 - Logitech)
Microsoft Edge (HKLM-x32\...\Microsoft Edge) (Version: 86.0.622.58 - Microsoft Corporation)
Microsoft Edge Update (HKLM-x32\...\Microsoft Edge Update) (Version: 1.3.137.99 - )
Microsoft Keyboard Layout Creator 1.4 (HKLM-x32\...\{99E66BC9-E4B6-485F-ABFC-31EFCE36DFDF}) (Version: 1.4.6000 - Microsoft Corp.)
Microsoft Office Professional Plus 2016 - cs-cz (HKLM\...\ProPlusRetail - cs-cz) (Version: 16.0.13231.20390 - Microsoft Corporation)
Microsoft OneDrive (HKU\S-1-5-21-1520699381-1464880648-3029145606-1001\...\OneDriveSetup.exe) (Version: 20.169.0823.0008 - Microsoft Corporation)
Microsoft Teams (HKU\S-1-5-21-1520699381-1464880648-3029145606-1001\...\Teams) (Version: 1.3.00.26064 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{071c9b48-7c32-4621-a0ac-3f809523288f}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.40660 (HKLM-x32\...\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}) (Version: 12.0.40660.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.40660 (HKLM-x32\...\{61087a79-ac85-455c-934d-1fa22cc64f36}) (Version: 12.0.40660.0 - Microsoft Corporation)
Microsoft Visual C++ 2017 Redistributable (x64) - 14.15.26706 (HKLM-x32\...\{95ac1cfa-f4fb-4d1b-8912-7f9d5fbb140d}) (Version: 14.15.26706.0 - Microsoft Corporation)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (HKLM-x32\...\{7e9fae12-5bbf-47fb-b944-09c49e75c061}) (Version: 14.15.26706.0 - Microsoft Corporation)
MPC-BE x64 1.5.4.4969 (HKLM\...\{FE09AF6D-78B2-4093-B012-FCDAF78693CE}_is1) (Version: 1.5.4.4969 - MPC-BE Team)
Nik Collection (HKLM-x32\...\Nik Collection) (Version: 1.2.18 - DxO)
Office 16 Click-to-Run Extensibility Component (HKLM-x32\...\{90160000-008C-0000-0000-0000000FF1CE}) (Version: 16.0.13231.20126 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Extensibility Component 64-bit Registration (HKLM\...\{90160000-00DD-0000-1000-0000000FF1CE}) (Version: 16.0.13231.20126 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Licensing Component (HKLM\...\{90160000-008F-0000-1000-0000000FF1CE}) (Version: 16.0.13231.20200 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Localization Component (HKLM-x32\...\{90160000-008C-0405-0000-0000000FF1CE}) (Version: 16.0.13231.20126 - Microsoft Corporation) Hidden
Opera Stable 72.0.3815.148 (HKU\S-1-5-21-1520699381-1464880648-3029145606-1001\...\Opera 72.0.3815.148) (Version: 72.0.3815.148 - Opera Software)
Oracle VM VirtualBox 6.1.0 (HKLM\...\{B9B53CFE-C4E3-47FB-9BC0-8022F0AB6814}) (Version: 6.1.0 - Oracle Corporation)
Outlook (1) (HKU\S-1-5-21-1520699381-1464880648-3029145606-1001\...\f42c72521bca47863b0c6b497cb01342) (Version: 1.0 - Outlook (1))
Outlook (HKU\S-1-5-21-1520699381-1464880648-3029145606-1001\...\6b0f23e57a39ebfbf2814acb1a24293d) (Version: 1.0 - Outlook)
Path of Exile (HKLM-x32\...\{90A4562F-D4A1-4B65-906D-41F236CF6902}) (Version: 3.9.1.11103 - Grinding Gear Games) Hidden
Path of Exile (HKLM-x32\...\{a96508d8-4e97-4a6e-a45f-5addcc142282}) (Version: 3.9.1.11103 - Grinding Gear Games)
PicPick (HKLM-x32\...\PicPick) (Version: 5.0.7 - NGWIN)
PowerPoint (1) (HKU\S-1-5-21-1520699381-1464880648-3029145606-1001\...\1f6d7c2045d0e984f46a5779d00bd03f) (Version: 1.0 - PowerPoint (1))
PowerPoint (HKU\S-1-5-21-1520699381-1464880648-3029145606-1001\...\319814cb56b667dff88f54e08be8f51f) (Version: 1.0 - PowerPoint)
Qualcomm Atheros 11ac Wireless LAN Installer (HKLM-x32\...\{20CA507E-24AA-4741-87CF-CC1B250790B7}) (Version: 11.0.10388 - Qualcomm Atheros)
Qualcomm Atheros Bluetooth Installer (64) (HKLM\...\{628988B4-3FA5-4EA6-BAA3-DA640F6718BD}) (Version: 10.0.0.278 - Qualcomm Atheros)
Realtek Card Reader (HKLM-x32\...\{5BC2B5AB-80DE-4E83-B8CF-426902051D0A}) (Version: 10.0.10240.29090 - Realtek Semiconductor Corp.)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7989 - Realtek Semiconductor Corp.)
Software602 Form Filler (HKLM-x32\...\{9210AEE3-6ECB-4271-A125-1039E94A6A51}) (Version: 4.75 - Software602 a.s.)
ST Microelectronics 3 Axis Digital Accelerometer Solution (HKLM-x32\...\{9C24F411-9CA7-4A8A-91F3-F08A4A38EB31}) (Version: 4.06.0080 - ST Microelectronics)
Stardock Fences 3 (HKLM-x32\...\Stardock Fences 3) (Version: 3.09 - Stardock Software, Inc.)
Stickies 10.0a (HKLM-x32\...\ZhornStickies) (Version: - Zhorn Software)
Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 19.1.3.9 - Synaptics Incorporated)
TeamViewer (HKLM-x32\...\TeamViewer) (Version: 15.10.5 - TeamViewer)
Total Commander 64+32-bit (Remove or Repair) (HKLM\...\Totalcmd64) (Version: 9.50 - Ghisler Software GmbH)
TP-LINK USB Printer Controller (HKLM-x32\...\{3EC900B5-28EE-4472-A9FF-B11A879EC838}) (Version: 1.12.0927 - TP-LINK)
WirelessDock (HKLM\...\{065A2AB8-E504-438C-B108-8BE79F970E78}) (Version: 2.0.0.89 - Qualcomm Atheros Inc.) Hidden
WirelessDock (HKLM-x32\...\InstallShield_{065A2AB8-E504-438C-B108-8BE79F970E78}) (Version: 2.0.0.89 - Qualcomm Atheros Inc.)
Word (1) (HKU\S-1-5-21-1520699381-1464880648-3029145606-1001\...\f3599346063c9afede925c6eb5c87f5c) (Version: 1.0 - Word (1))
Word (HKU\S-1-5-21-1520699381-1464880648-3029145606-1001\...\1b837d0bf93d01407352736c91b7bf50) (Version: 1.0 - Word)
Xerox PowerENGAGE (HKLM-x32\...\{171BF116-713F-43AA-B236-D6188522E609}) (Version: 2.52.0016 - Xerox Inc.)
Youtube Downloader HD v. 3.1 (HKLM-x32\...\Youtube Downloader HD_is1) (Version: - YoutubeDownloaderHD.com)
Zoner Photo Studio X CS (HKU\S-1-5-21-1520699381-1464880648-3029145606-1001\...\ZPS X) (Version: 19.2009.2.277 - ZONER software)

Packages:
=========
HP Smart -> C:\Program Files\WindowsApps\AD2F1837.HPPrinterControl_121.1.192.0_x64__v10z8vjag6ke6 [2020-10-28] (HP Inc.)
Netflix -> C:\Program Files\WindowsApps\4DF9E0F8.Netflix_6.97.752.0_x64__mcm4njqhnhss8 [2020-07-15] (Netflix, Inc.)

==================== Custom CLSID (Whitelisted): ==============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-1520699381-1464880648-3029145606-1001_Classes\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\InprocServer32 -> C:\Users\petrb\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.20244.4\x64\Microsoft.Teams.AddinLoader.dll (Microsoft Corporation -> Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1520699381-1464880648-3029145606-1001_Classes\CLSID\{233525e0-5434-46ef-b464-fd7e45e2e145}\localserver32 -> "C:\Program Files (x86)\Intel\Driver and Support Assistant\DSATray.exe" -ToastActivated => No File
CustomCLSID: HKU\S-1-5-21-1520699381-1464880648-3029145606-1001_Classes\CLSID\{CB965DF1-B8EA-49C7-BDAD-5457FDC1BF92}\InprocServer32 -> C:\Users\petrb\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.20244.4\x64\Microsoft.Teams.AddinLoader.dll (Microsoft Corporation -> Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1520699381-1464880648-3029145606-1001_Classes\CLSID\{E31EA727-12ED-4702-820C-4B6445F28E1A} -> [Dropbox] => D:\Dropbox [2019-12-29 23:34]
ShellIconOverlayIdentifiers: [ DropboxExt01] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.46.0.dll [2020-10-06] (Dropbox, Inc -> Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt02] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.46.0.dll [2020-10-06] (Dropbox, Inc -> Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt03] -> {FB314EE1-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.46.0.dll [2020-10-06] (Dropbox, Inc -> Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt04] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.46.0.dll [2020-10-06] (Dropbox, Inc -> Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt05] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.46.0.dll [2020-10-06] (Dropbox, Inc -> Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt06] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.46.0.dll [2020-10-06] (Dropbox, Inc -> Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt07] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.46.0.dll [2020-10-06] (Dropbox, Inc -> Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt08] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.46.0.dll [2020-10-06] (Dropbox, Inc -> Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt09] -> {FB314EE2-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.46.0.dll [2020-10-06] (Dropbox, Inc -> Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt10] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.46.0.dll [2020-10-06] (Dropbox, Inc -> Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ GoogleDriveBlacklisted] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42} => C:\Program Files\Google\Drive\googledrivesync64.dll [2020-10-14] (Google LLC -> Google)
ShellIconOverlayIdentifiers: [ GoogleDriveSynced] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40} => C:\Program Files\Google\Drive\googledrivesync64.dll [2020-10-14] (Google LLC -> Google)
ShellIconOverlayIdentifiers: [ GoogleDriveSyncing] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41} => C:\Program Files\Google\Drive\googledrivesync64.dll [2020-10-14] (Google LLC -> Google)
ShellIconOverlayIdentifiers-x32: [ DropboxExt01] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.46.0.dll [2020-10-06] (Dropbox, Inc -> Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt02] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.46.0.dll [2020-10-06] (Dropbox, Inc -> Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt03] -> {FB314EE1-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.46.0.dll [2020-10-06] (Dropbox, Inc -> Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt04] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.46.0.dll [2020-10-06] (Dropbox, Inc -> Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt05] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.46.0.dll [2020-10-06] (Dropbox, Inc -> Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt06] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.46.0.dll [2020-10-06] (Dropbox, Inc -> Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt07] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.46.0.dll [2020-10-06] (Dropbox, Inc -> Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt08] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.46.0.dll [2020-10-06] (Dropbox, Inc -> Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt09] -> {FB314EE2-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.46.0.dll [2020-10-06] (Dropbox, Inc -> Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt10] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.46.0.dll [2020-10-06] (Dropbox, Inc -> Dropbox, Inc.)
ContextMenuHandlers1: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files\7-Zip\7-zip.dll [2019-02-21] (Igor Pavlov) [File not signed]
ContextMenuHandlers1: [Adobe.Acrobat.ContextMenu] -> {A6595CD1-BF77-430A-A452-18696685F7C7} => C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat Elements\ContextMenuShim64.dll -> No File
ContextMenuHandlers1: [DropboxExt] -> {ECD97DE5-3C8F-4ACB-AEEE-CCAB78F7711C} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.46.0.dll [2020-10-06] (Dropbox, Inc -> Dropbox, Inc.)
ContextMenuHandlers1: [FencesShellExt] -> {1984DD45-52CF-49cd-AB77-18F378FEA264} => C:\Program Files (x86)\Stardock\Fences\FencesMenu64.dll [2018-05-25] (Stardock Corporation -> Stardock)
ContextMenuHandlers1: [GDContextMenu] -> {BB02B294-8425-42E5-983F-41A1FA970CD6} => C:\Program Files\Google\Drive\contextmenu64.dll [2020-10-14] (Google LLC -> Google)
ContextMenuHandlers1: [Glary Utilities] -> {B3C418F8-922B-4faf-915E-59BC14448CF7} => C:\Program Files (x86)\Glary Utilities 5\x64\ContextHandler.dll [2019-12-23] (Glarysoft LTD -> Glarysoft Ltd)
ContextMenuHandlers2: [Glary Utilities] -> {B3C418F8-922B-4faf-915E-59BC14448CF7} => C:\Program Files (x86)\Glary Utilities 5\x64\ContextHandler.dll [2019-12-23] (Glarysoft LTD -> Glarysoft Ltd)
ContextMenuHandlers3: [STKContextMenu] -> {90DD7445-E924-4c6e-92AC-01F8C3A7E0C7} => C:\Program Files (x86)\Amazon\SendToKindle\stkContextMenu_250.dll [2019-12-29] (Amazon Services LLC -> Amazon.com, Inc.)
ContextMenuHandlers4: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files\7-Zip\7-zip.dll [2019-02-21] (Igor Pavlov) [File not signed]
ContextMenuHandlers4: [DropboxExt] -> {ECD97DE5-3C8F-4ACB-AEEE-CCAB78F7711C} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.46.0.dll [2020-10-06] (Dropbox, Inc -> Dropbox, Inc.)
ContextMenuHandlers4: [FencesShellExt] -> {1984DD45-52CF-49cd-AB77-18F378FEA264} => C:\Program Files (x86)\Stardock\Fences\FencesMenu64.dll [2018-05-25] (Stardock Corporation -> Stardock)
ContextMenuHandlers4: [GDContextMenu] -> {BB02B294-8425-42E5-983F-41A1FA970CD6} => C:\Program Files\Google\Drive\contextmenu64.dll [2020-10-14] (Google LLC -> Google)
ContextMenuHandlers5: [DropboxExt] -> {ECD97DE5-3C8F-4ACB-AEEE-CCAB78F7711C} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.46.0.dll [2020-10-06] (Dropbox, Inc -> Dropbox, Inc.)
ContextMenuHandlers5: [FencesShellExt] -> {1984DD45-52CF-49cd-AB77-18F378FEA264} => C:\Program Files (x86)\Stardock\Fences\FencesMenu64.dll [2018-05-25] (Stardock Corporation -> Stardock)
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => -> No File
ContextMenuHandlers5: [igfxDTCM] -> {9B5F5829-A529-4B12-814A-E81BCB8D93FC} => C:\WINDOWS\system32\igfxDTCM.dll [2017-01-05] (Microsoft Windows Hardware Compatibility Publisher -> Intel Corporation)
ContextMenuHandlers6: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files\7-Zip\7-zip.dll [2019-02-21] (Igor Pavlov) [File not signed]
ContextMenuHandlers6: [Adobe.Acrobat.ContextMenu] -> {A6595CD1-BF77-430A-A452-18696685F7C7} => C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat Elements\ContextMenuShim64.dll -> No File
ContextMenuHandlers6: [FencesShellExt] -> {1984DD45-52CF-49cd-AB77-18F378FEA264} => C:\Program Files (x86)\Stardock\Fences\FencesMenu64.dll [2018-05-25] (Stardock Corporation -> Stardock)
ContextMenuHandlers6: [Glary Utilities] -> {B3C418F8-922B-4faf-915E-59BC14448CF7} => C:\Program Files (x86)\Glary Utilities 5\x64\ContextHandler.dll [2019-12-23] (Glarysoft LTD -> Glarysoft Ltd)

==================== Codecs (Whitelisted) ====================

==================== Shortcuts & WMI ========================

(The entries could be listed to be restored or removed.)

ShortcutWithArgument: C:\Users\petrb\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Excel (1).lnk -> C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe (Microsoft Corporation) -> --profile-directory=Default --app-id=leffmjdabcgaflkikcefahmlgpodjkdm --app-url=hxxps://excel.office.com/
ShortcutWithArgument: C:\Users\petrb\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Excel.lnk -> C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe (Microsoft Corporation) -> --profile-directory=Default --app-id=leffmjdabcgaflkikcefahmlgpodjkdm
ShortcutWithArgument: C:\Users\petrb\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Outlook (1).lnk -> C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe (Microsoft Corporation) -> --profile-directory=Default --app-id=bjhmmnoficofgoiacjaajpkfndojknpb --app-url=hxxps://outlook.com/
ShortcutWithArgument: C:\Users\petrb\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Outlook.lnk -> C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe (Microsoft Corporation) -> --profile-directory=Default --app-id=bjhmmnoficofgoiacjaajpkfndojknpb
ShortcutWithArgument: C:\Users\petrb\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\PowerPoint (1).lnk -> C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe (Microsoft Corporation) -> --profile-directory=Default --app-id=opfacbhaojodjaojgocnibmklknchehf --app-url=hxxps://powerpoint.office.com/
ShortcutWithArgument: C:\Users\petrb\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\PowerPoint.lnk -> C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe (Microsoft Corporation) -> --profile-directory=Default --app-id=opfacbhaojodjaojgocnibmklknchehf
ShortcutWithArgument: C:\Users\petrb\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Word (1).lnk -> C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe (Microsoft Corporation) -> --profile-directory=Default --app-id=hikhggiobiflkdfdgdajcfklmcibbopi --app-url=hxxps://word.office.com/
ShortcutWithArgument: C:\Users\petrb\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Word.lnk -> C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe (Microsoft Corporation) -> --profile-directory=Default --app-id=hikhggiobiflkdfdgdajcfklmcibbopi

==================== Loaded Modules (Whitelisted) =============

2020-10-30 08:23 - 2020-10-30 08:23 - 000114176 _____ () [File not signed] C:\Users\petrb\AppData\Local\Temp\_MEI46842\_ctypes.pyd
2020-10-30 08:23 - 2020-10-30 08:23 - 000172544 _____ () [File not signed] C:\Users\petrb\AppData\Local\Temp\_MEI46842\_elementtree.pyd
2020-10-30 08:23 - 2020-10-30 08:23 - 002250240 _____ () [File not signed] C:\Users\petrb\AppData\Local\Temp\_MEI46842\_hashlib.pyd
2020-10-30 08:23 - 2020-10-30 08:23 - 000032256 _____ () [File not signed] C:\Users\petrb\AppData\Local\Temp\_MEI46842\_multiprocessing.pyd
2020-10-30 08:23 - 2020-10-30 08:23 - 000046080 _____ () [File not signed] C:\Users\petrb\AppData\Local\Temp\_MEI46842\_psutil_windows.pyd
2020-10-30 08:23 - 2020-10-30 08:23 - 000047616 _____ () [File not signed] C:\Users\petrb\AppData\Local\Temp\_MEI46842\_socket.pyd
2020-10-30 08:23 - 2020-10-30 08:23 - 002819584 _____ () [File not signed] C:\Users\petrb\AppData\Local\Temp\_MEI46842\_ssl.pyd
2020-10-30 08:23 - 2020-10-30 08:23 - 000026112 _____ () [File not signed] C:\Users\petrb\AppData\Local\Temp\_MEI46842\_yappi.pyd
2020-10-30 08:23 - 2020-10-30 08:23 - 000080896 _____ () [File not signed] C:\Users\petrb\AppData\Local\Temp\_MEI46842\bz2.pyd
2020-10-30 08:23 - 2020-10-30 08:23 - 000016384 _____ () [File not signed] C:\Users\petrb\AppData\Local\Temp\_MEI46842\common.time34.pyd
2020-10-30 08:23 - 2020-10-30 08:23 - 000007680 _____ () [File not signed] C:\Users\petrb\AppData\Local\Temp\_MEI46842\hashobjs_ext.pyd
2020-10-30 08:23 - 2020-10-30 08:23 - 000301568 _____ () [File not signed] C:\Users\petrb\AppData\Local\Temp\_MEI46842\PIL._imaging.pyd
2020-10-30 08:23 - 2020-10-30 08:23 - 000168448 _____ () [File not signed] C:\Users\petrb\AppData\Local\Temp\_MEI46842\pyexpat.pyd
2020-10-30 08:23 - 2020-10-30 08:23 - 001084416 _____ () [File not signed] C:\Users\petrb\AppData\Local\Temp\_MEI46842\pysqlite2._sqlite.pyd
2020-10-30 08:23 - 2020-10-30 08:23 - 000548864 _____ () [File not signed] C:\Users\petrb\AppData\Local\Temp\_MEI46842\pythoncom27.dll
2020-10-30 08:23 - 2020-10-30 08:23 - 000137728 _____ () [File not signed] C:\Users\petrb\AppData\Local\Temp\_MEI46842\pywintypes27.dll
2020-10-30 08:23 - 2020-10-30 08:23 - 000010752 _____ () [File not signed] C:\Users\petrb\AppData\Local\Temp\_MEI46842\select.pyd
2020-10-30 08:23 - 2020-10-30 08:23 - 000020992 _____ () [File not signed] C:\Users\petrb\AppData\Local\Temp\_MEI46842\thumbnails_ext.pyd
2020-10-30 08:23 - 2020-10-30 08:23 - 000689664 _____ () [File not signed] C:\Users\petrb\AppData\Local\Temp\_MEI46842\unicodedata.pyd
2020-10-30 08:23 - 2020-10-30 08:23 - 000119808 _____ () [File not signed] C:\Users\petrb\AppData\Local\Temp\_MEI46842\usb_ext.pyd
2020-10-30 08:23 - 2020-10-30 08:23 - 000128512 _____ () [File not signed] C:\Users\petrb\AppData\Local\Temp\_MEI46842\win32api.pyd
2020-10-30 08:23 - 2020-10-30 08:23 - 000438784 _____ () [File not signed] C:\Users\petrb\AppData\Local\Temp\_MEI46842\win32com.shell.shell.pyd
2020-10-30 08:23 - 2020-10-30 08:23 - 000011776 _____ () [File not signed] C:\Users\petrb\AppData\Local\Temp\_MEI46842\win32crypt.pyd
2020-10-30 08:23 - 2020-10-30 08:23 - 000023040 _____ () [File not signed] C:\Users\petrb\AppData\Local\Temp\_MEI46842\win32event.pyd
2020-10-30 08:23 - 2020-10-30 08:23 - 000149504 _____ () [File not signed] C:\Users\petrb\AppData\Local\Temp\_MEI46842\win32file.pyd
2020-10-30 08:23 - 2020-10-30 08:23 - 000223232 _____ () [File not signed] C:\Users\petrb\AppData\Local\Temp\_MEI46842\win32gui.pyd
2020-10-30 08:23 - 2020-10-30 08:23 - 000048128 _____ () [File not signed] C:\Users\petrb\AppData\Local\Temp\_MEI46842\win32inet.pyd
2020-10-30 08:23 - 2020-10-30 08:23 - 000029696 _____ () [File not signed] C:\Users\petrb\AppData\Local\Temp\_MEI46842\win32pdh.pyd
2020-10-30 08:23 - 2020-10-30 08:23 - 000027648 _____ () [File not signed] C:\Users\petrb\AppData\Local\Temp\_MEI46842\win32pipe.pyd
2020-10-30 08:23 - 2020-10-30 08:23 - 000044032 _____ () [File not signed] C:\Users\petrb\AppData\Local\Temp\_MEI46842\win32process.pyd
2020-10-30 08:23 - 2020-10-30 08:23 - 000020480 _____ () [File not signed] C:\Users\petrb\AppData\Local\Temp\_MEI46842\win32profile.pyd
2020-10-30 08:23 - 2020-10-30 08:23 - 000136192 _____ () [File not signed] C:\Users\petrb\AppData\Local\Temp\_MEI46842\win32security.pyd
2020-10-30 08:23 - 2020-10-30 08:23 - 000026624 _____ () [File not signed] C:\Users\petrb\AppData\Local\Temp\_MEI46842\win32ts.pyd
2020-10-30 08:23 - 2020-10-30 08:23 - 000034816 _____ () [File not signed] C:\Users\petrb\AppData\Local\Temp\_MEI46842\windows.conditional.pyd
2020-10-30 08:23 - 2020-10-30 08:23 - 000038400 _____ () [File not signed] C:\Users\petrb\AppData\Local\Temp\_MEI46842\windows.connectivity.pyd
2020-10-30 08:23 - 2020-10-30 08:23 - 000071680 _____ () [File not signed] C:\Users\petrb\AppData\Local\Temp\_MEI46842\windows.device_monitor.pyd
2020-10-30 08:23 - 2020-10-30 08:23 - 000109056 _____ () [File not signed] C:\Users\petrb\AppData\Local\Temp\_MEI46842\windows.volumes.pyd
2020-10-30 08:23 - 2020-10-30 08:23 - 000020480 _____ () [File not signed] C:\Users\petrb\AppData\Local\Temp\_MEI46842\windows.winwrap.pyd
2020-10-30 08:23 - 2020-10-30 08:23 - 001325056 _____ () [File not signed] C:\Users\petrb\AppData\Local\Temp\_MEI46842\wx._controls_.pyd
2020-10-30 08:23 - 2020-10-30 08:23 - 001489408 _____ () [File not signed] C:\Users\petrb\AppData\Local\Temp\_MEI46842\wx._core_.pyd
2020-10-30 08:23 - 2020-10-30 08:23 - 001007104 _____ () [File not signed] C:\Users\petrb\AppData\Local\Temp\_MEI46842\wx._gdi_.pyd
2020-10-30 08:23 - 2020-10-30 08:23 - 000103424 _____ () [File not signed] C:\Users\petrb\AppData\Local\Temp\_MEI46842\wx._html2.pyd
2020-10-30 08:23 - 2020-10-30 08:23 - 000916992 _____ () [File not signed] C:\Users\petrb\AppData\Local\Temp\_MEI46842\wx._misc_.pyd
2020-10-30 08:23 - 2020-10-30 08:23 - 001039872 _____ () [File not signed] C:\Users\petrb\AppData\Local\Temp\_MEI46842\wx._windows_.pyd
2019-12-29 18:58 - 2019-02-21 17:00 - 000078336 _____ (Igor Pavlov) [File not signed] C:\Program Files\7-Zip\7-zip.dll
2020-05-25 07:38 - 2020-05-25 07:38 - 000000000 ____L (Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\Root\Office16\AppVIsvSubsystems32.dll
2020-05-25 07:38 - 2020-05-25 07:38 - 000000000 ____L (Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\Root\Office16\c2r32.dll
2020-10-30 08:23 - 2020-10-30 08:23 - 003043328 _____ (Python Software Foundation) [File not signed] C:\Users\petrb\AppData\Local\Temp\_MEI46842\python27.dll
2020-03-10 09:31 - 2020-03-10 09:31 - 001631744 _____ (Robert Simpson, et al.) [File not signed] C:\Program Files\Intel\SUR\QUEENCREEK\x64\SQLite.Interop.dll
2020-03-10 09:31 - 2020-03-10 09:31 - 001918464 _____ (SQLite Development Team) [File not signed] C:\Program Files\Intel\SUR\QUEENCREEK\sqlite3.DLL
2020-03-10 09:31 - 2020-03-10 09:31 - 001918464 _____ (SQLite Development Team) [File not signed] C:\Program Files\Intel\SUR\QUEENCREEK\x64\sqlite3.dll
2013-05-11 04:47 - 2013-05-11 04:47 - 000061440 _____ (VMProtect Software) [File not signed] C:\Program Files (x86)\PicPick\ppkgr.dll
2012-03-08 23:59 - 2012-03-08 23:59 - 000009216 _____ (Wiz-Art) [File not signed] C:\WINDOWS\system32\fnwTypo.dll
2020-10-30 08:23 - 2020-10-30 08:23 - 000202240 _____ (wxWidgets development team) [File not signed] C:\Users\petrb\AppData\Local\Temp\_MEI46842\wxbase30u_net_vc90_x64.dll
2020-10-30 08:23 - 2020-10-30 08:23 - 002831872 _____ (wxWidgets development team) [File not signed] C:\Users\petrb\AppData\Local\Temp\_MEI46842\wxbase30u_vc90_x64.dll
2020-10-30 08:23 - 2020-10-30 08:23 - 001654784 _____ (wxWidgets development team) [File not signed] C:\Users\petrb\AppData\Local\Temp\_MEI46842\wxmsw30u_adv_vc90_x64.dll
2020-10-30 08:23 - 2020-10-30 08:23 - 006542336 _____ (wxWidgets development team) [File not signed] C:\Users\petrb\AppData\Local\Temp\_MEI46842\wxmsw30u_core_vc90_x64.dll
2020-10-30 08:23 - 2020-10-30 08:23 - 000773632 _____ (wxWidgets development team) [File not signed] C:\Users\petrb\AppData\Local\Temp\_MEI46842\wxmsw30u_html_vc90_x64.dll
2020-10-30 08:23 - 2020-10-30 08:23 - 000137216 _____ (wxWidgets development team) [File not signed] C:\Users\petrb\AppData\Local\Temp\_MEI46842\wxmsw30u_webview_vc90_x64.dll

==================== Alternate Data Streams (Whitelisted) ========

==================== Safe Mode (Whitelisted) ==================

==================== Association (Whitelisted) =================

==================== Internet Explorer (Whitelisted) ==========

HKU\S-1-5-21-1520699381-1464880648-3029145606-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.cz/
SearchScopes: HKU\S-1-5-21-1520699381-1464880648-3029145606-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\OCHelper.dll [2020-09-12] (Microsoft Corporation -> Microsoft Corporation)
BHO: Adobe Acrobat Create PDF Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\DC\x64\AcroIEFavStub.dll => No File
BHO: Adobe Acrobat Create PDF from Selection -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\DC\x64\AcroIEFavStub.dll => No File
BHO-x32: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\root\Office16\OCHelper.dll [2020-09-12] (Microsoft Corporation -> Microsoft Corporation)
BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_231\bin\ssv.dll [2019-12-29] (Oracle America, Inc. -> Oracle Corporation)
BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_231\bin\jp2ssv.dll [2019-12-29] (Oracle America, Inc. -> Oracle Corporation)
Toolbar: HKLM - Adobe Acrobat Create PDF Toolbar - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\DC\x64\AcroIEFavStub.dll No File
Toolbar: HKU\S-1-5-21-1520699381-1464880648-3029145606-1001 -> Adobe Acrobat Create PDF Toolbar - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\DC\x64\AcroIEFavStub.dll No File
Handler-x32: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2020-10-03] (Microsoft Corporation -> Microsoft Corporation)
Handler-x32: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2020-10-03] (Microsoft Corporation -> Microsoft Corporation)
Handler-x32: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2020-10-03] (Microsoft Corporation -> Microsoft Corporation)
Handler-x32: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2020-10-03] (Microsoft Corporation -> Microsoft Corporation)

(If an entry is included in the fixlist, it will be removed from the registry.)

IE trusted site: HKU\S-1-5-21-1520699381-1464880648-3029145606-1001\...\*.capgemini.com -> hxxp://*.capgemini.com
IE trusted site: HKU\S-1-5-21-1520699381-1464880648-3029145606-1001\...\*.capgemini.com -> hxxps://*.capgemini.com
IE trusted site: HKU\S-1-5-21-1520699381-1464880648-3029145606-1001\...\*.csob.cz -> hxxps://*.csob.cz
IE trusted site: HKU\S-1-5-21-1520699381-1464880648-3029145606-1001\...\*.csob.sk -> hxxps://*.csob.sk
IE trusted site: HKU\S-1-5-21-1520699381-1464880648-3029145606-1001\...\*.erasvet.cz -> hxxps://*.erasvet.cz
IE trusted site: HKU\S-1-5-21-1520699381-1464880648-3029145606-1001\...\*.ica.cz -> hxxp://*.ica.cz
IE trusted site: HKU\S-1-5-21-1520699381-1464880648-3029145606-1001\...\*.ica.cz -> hxxps://*.ica.cz
IE trusted site: HKU\S-1-5-21-1520699381-1464880648-3029145606-1001\...\*.postovnisporitelna.cz -> hxxps://*.postovnisporitelna.cz
IE trusted site: HKU\S-1-5-21-1520699381-1464880648-3029145606-1001\...\*.proebiz.com -> hxxp://*.proebiz.com
IE trusted site: HKU\S-1-5-21-1520699381-1464880648-3029145606-1001\...\*.proebiz.com -> hxxps://*.proebiz.com
IE trusted site: HKU\S-1-5-21-1520699381-1464880648-3029145606-1001\...\onlineregister.com -> hxxp://onlineregister.com
IE trusted site: HKU\S-1-5-21-1520699381-1464880648-3029145606-1001\...\onlineregister.com -> hxxps://onlineregister.com

==================== Hosts content: =========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2020-01-03 16:10 - 2020-01-03 16:10 - 000001027 _____ C:\WINDOWS\system32\drivers\etc\hosts
127.0.0.1 lmlicenses.wip4.adobe.com
127.0.0.1 lm.licenses.adobe.com
127.0.0.1 na1r.services.adobe.com
127.0.0.1 hlrcv.stage.adobe.com
127.0.0.1 practivate.adobe.com
127.0.0.1 activate.adobe.com

==================== Other Areas ===========================

(Currently there is no automatic fix for this section.)

HKLM\System\CurrentControlSet\Control\Session Manager\Environment\\Path -> C:\Program Files (x86)\Common Files\Oracle\Java\javapath;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;%SYSTEMROOT%\System32\OpenSSH\;C:\Program Files (x86)\Wireless Docking\;C:\Program Files\Calibre2\;C:\Program Files (x86)\Common Files\Acronis\SnapAPI\;C:\Program Files\Intel\WiFi\bin\;C:\Program Files\Common Files\Intel\WirelessCommon\
HKU\S-1-5-21-1520699381-1464880648-3029145606-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\petrb\AppData\Local\Microsoft\Windows\Themes\RoamedThemeFiles\DesktopBackground\old_paper.jpg
DNS Servers: 192.168.0.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: )
Windows Firewall is enabled.

Network Binding:
=============
Ethernet: VirtualBox NDIS6 Bridged Networking Driver -> oracle_VBoxNetLwf (enabled)
Wi-Fi 3: VirtualBox NDIS6 Bridged Networking Driver -> oracle_VBoxNetLwf (enabled)

==================== MSCONFIG/TASK MANAGER disabled items ==

(If an entry is included in the fixlist, it will be removed.)

HKLM\...\StartupApproved\Run: => "IAStorIcon"
HKLM\...\StartupApproved\Run32: => "Intel Driver & Support Assistant"
HKU\S-1-5-21-1520699381-1464880648-3029145606-1001\...\StartupApproved\StartupFolder: => "Poslat do aplikace OneNote.lnk"
HKU\S-1-5-21-1520699381-1464880648-3029145606-1001\...\StartupApproved\StartupFolder: => "Acronis Disk Director 12.lnk"

==================== FirewallRules (Whitelisted) ================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [UDP Query User{2ECED928-24AE-4F50-94A2-60C56555F30F}C:\users\petrb\appdata\roaming\utorrent\utorrent.exe] => (Allow) C:\users\petrb\appdata\roaming\utorrent\utorrent.exe (uTorrent.CZ -> BitTorrent, Inc.) [File not signed]
FirewallRules: [TCP Query User{86E12471-1B6B-4C03-B62A-995B91D650DE}C:\users\petrb\appdata\roaming\utorrent\utorrent.exe] => (Allow) C:\users\petrb\appdata\roaming\utorrent\utorrent.exe (uTorrent.CZ -> BitTorrent, Inc.) [File not signed]
FirewallRules: [{DD1926E3-1109-4698-966B-C0F7D918588A}] => (Allow) C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{B18B85A8-DD32-438D-88C2-ADCA8F4CCFB1}] => (Allow) C:\Program Files (x86)\Microsoft Office\root\Office16\Lync.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [UDP Query User{374B19F7-FD3F-482A-A88E-58FC8EDBBF92}C:\program files (x86)\tp-link\usb printer controller\usb printer controller.exe] => (Allow) C:\program files (x86)\tp-link\usb printer controller\usb printer controller.exe () [File not signed]
FirewallRules: [TCP Query User{9DB9F12E-43D1-40A1-A70A-9CDEAF4FC23D}C:\program files (x86)\tp-link\usb printer controller\usb printer controller.exe] => (Allow) C:\program files (x86)\tp-link\usb printer controller\usb printer controller.exe () [File not signed]
FirewallRules: [{88FA1467-8CB9-42C4-8EFE-C750B558D7AC}] => (Allow) LPort=7437
FirewallRules: [{B0295BAE-4ADA-4B6B-B401-338453E0A0C9}] => (Allow) C:\Program Files (x86)\TP-LINK\USB Printer Controller\USB Printer Controller.exe () [File not signed]
FirewallRules: [{977E7E1D-0A4B-4C67-A77F-1C5C751A641B}] => (Allow) C:\Program Files (x86)\TP-LINK\USB Printer Controller\USB Printer Controller.exe () [File not signed]
FirewallRules: [UDP Query User{54C8F466-6D5D-47C5-BB10-DA289603AA77}C:\users\petrb\appdata\local\raidar\raidar.exe] => (Allow) C:\users\petrb\appdata\local\raidar\raidar.exe (NETGEAR) [File not signed]
FirewallRules: [TCP Query User{87A31424-8264-4784-A755-57DF6DBA6C5A}C:\users\petrb\appdata\local\raidar\raidar.exe] => (Allow) C:\users\petrb\appdata\local\raidar\raidar.exe (NETGEAR) [File not signed]
FirewallRules: [UDP Query User{A1374B23-8A02-42D5-AB72-E393A0441EBC}C:\program files (x86)\tftpd32\tftpd32.exe] => (Allow) C:\program files (x86)\tftpd32\tftpd32.exe => No File
FirewallRules: [TCP Query User{08A18098-1AB7-4254-B97E-93D26146451C}C:\program files (x86)\tftpd32\tftpd32.exe] => (Allow) C:\program files (x86)\tftpd32\tftpd32.exe => No File
FirewallRules: [{B152F015-3C76-43C6-B0AB-BD39E31FE0CB}] => (Allow) C:\Program Files\Intel\SUR\QUEENCREEK\x64\esrv_svc.exe (Intel(R) Software Development Products -> )
FirewallRules: [{3716D542-FA9F-4043-BCF2-17654D22E850}] => (Allow) C:\Program Files\Intel\SUR\QUEENCREEK\x64\esrv_svc.exe (Intel(R) Software Development Products -> )
FirewallRules: [{0996F949-632E-404F-B612-FFA3D2BB3318}] => (Block) C:\Program Files\Intel\SUR\QUEENCREEK\x64\esrv_svc.exe (Intel(R) Software Development Products -> )
FirewallRules: [{D6E1A266-6F13-4BD4-BF98-BBCCB3D79ED5}] => (Block) C:\Program Files\Intel\SUR\QUEENCREEK\x64\esrv_svc.exe (Intel(R) Software Development Products -> )
FirewallRules: [{7B9843F8-E0B2-41D0-A833-5D8516171F49}] => (Allow) C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe (Intel Corporation -> )
FirewallRules: [UDP Query User{305EB486-AE02-4A8B-9E06-F7E0800C5BDF}C:\users\petrb\appdata\roaming\utorrent\utorrent.exe] => (Allow) C:\users\petrb\appdata\roaming\utorrent\utorrent.exe (uTorrent.CZ -> BitTorrent, Inc.) [File not signed]
FirewallRules: [TCP Query User{819D668F-57B6-42DE-9EFA-CF0368DC697D}C:\users\petrb\appdata\roaming\utorrent\utorrent.exe] => (Allow) C:\users\petrb\appdata\roaming\utorrent\utorrent.exe (uTorrent.CZ -> BitTorrent, Inc.) [File not signed]
FirewallRules: [{83AE4CA8-76F4-45D2-AB44-11EA3C2F05F7}] => (Allow) C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{0BB88727-6860-479B-9B0B-2F1F857A0087}] => (Allow) C:\Program Files (x86)\Microsoft Office\root\Office16\Lync.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{A6D2A328-5375-4B06-93FE-75BD3A70809F}] => (Allow) C:\Program Files (x86)\Common Files\soft602\langserv.exe (Software602 a.s. -> ) [File not signed]
FirewallRules: [{B5ACC715-66E7-4510-BFEE-0B9627E90A81}] => (Allow) C:\Program Files (x86)\Common Files\soft602\langserv.exe (Software602 a.s. -> ) [File not signed]
FirewallRules: [UDP Query User{9AF1C45E-EE87-4B57-B7BE-5FD58CBE8AE6}C:\users\petrb\appdata\local\programs\opera\65.0.3467.78_0\opera.exe] => (Allow) C:\users\petrb\appdata\local\programs\opera\65.0.3467.78_0\opera.exe => No File
FirewallRules: [TCP Query User{17627D65-F6B7-457B-9949-BA24880832A9}C:\users\petrb\appdata\local\programs\opera\65.0.3467.78_0\opera.exe] => (Allow) C:\users\petrb\appdata\local\programs\opera\65.0.3467.78_0\opera.exe => No File
FirewallRules: [{3D50CFAA-7EC2-45EA-822D-CB439DDD229F}] => (Allow) LPort=19540
FirewallRules: [{AC2EDEB9-C904-4194-9BDE-8761E7E79215}] => (Allow) C:\Program Files (x86)\Microsoft Office\root\Office16\outlook.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{994327BD-C0A4-4732-96FC-1B69F9308FD6}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer.exe (TeamViewer Germany GmbH -> TeamViewer Germany GmbH)
FirewallRules: [{C0747E38-1997-40D1-AB8A-CDE3A68C91BC}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer.exe (TeamViewer Germany GmbH -> TeamViewer Germany GmbH)
FirewallRules: [{47AB03E7-C81D-47F6-B66B-FA0C5D5FA1E5}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe (TeamViewer Germany GmbH -> TeamViewer Germany GmbH)
FirewallRules: [{0EFC6A31-C93A-4D22-B8F5-DA23693D4FAD}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe (TeamViewer Germany GmbH -> TeamViewer Germany GmbH)
FirewallRules: [{00C047AE-3A35-45C3-9C32-E9D5029E5275}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.65.78.0_x86__kzf8qxf38zg5c\Skype\Skype.exe (Skype Software Sarl -> Skype Technologies S.A.)
FirewallRules: [{0A13FEC4-5EDE-49EE-9ACA-9916ADA1150E}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.65.78.0_x86__kzf8qxf38zg5c\Skype\Skype.exe (Skype Software Sarl -> Skype Technologies S.A.)
FirewallRules: [{36845FA6-308A-4E87-A28F-2FCD75A86028}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.65.78.0_x86__kzf8qxf38zg5c\Skype\Skype.exe (Skype Software Sarl -> Skype Technologies S.A.)
FirewallRules: [{FC21CCDD-FA4B-4A04-860B-8E0304F86E62}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.65.78.0_x86__kzf8qxf38zg5c\Skype\Skype.exe (Skype Software Sarl -> Skype Technologies S.A.)
FirewallRules: [{BC6CA189-075C-4B6B-8470-1C8A361A2F9B}] => (Allow) C:\Users\petrb\AppData\Local\Programs\Opera\71.0.3770.284\opera.exe (Opera Software AS -> Opera Software)
FirewallRules: [{53552661-67B5-49C1-9CB3-EF595BD6B162}] => (Allow) C:\Users\petrb\AppData\Local\Programs\Opera\72.0.3815.148\opera.exe (Opera Software AS -> Opera Software)
FirewallRules: [{56EF6802-9E27-4CFE-AA20-D7613B676D78}] => (Allow) C:\Program Files (x86)\Dropbox\Client\Dropbox.exe (Dropbox, Inc -> Dropbox, Inc.)
FirewallRules: [{03FB01FD-5636-4E03-B297-9E3EA6C26589}] => (Allow) C:\ProgramData\Logishrd\LogiOptions\Software\Current\LogiOptionsMgr.EXE (Logitech Inc -> Logitech, Inc.)

==================== Restore Points =========================

ATTENTION: System Restore is disabled (Total:118.02 GB) (Free:37.86 GB) (32%)

==================== Faulty Device Manager Devices ============


==================== Event log errors: ========================

Application errors:
==================
Error: (10/30/2020 08:23:29 AM) (Source: Microsoft-Windows-PerfNet) (EventID: 2004) (User: BREZINA-ACER)
Description: Nelze otevřít objekt výkonu služby serveru. Vrácený kód stavu představují první čtyři bajty (DWORD) datové části.

Error: (10/29/2020 09:26:24 AM) (Source: VSTO 4.0) (EventID: 4096) (User: )
Description: Customization URI: file:///C:/ProgramData/Logishrd/LogiOptions/Plugins/ca7c0911-fbf7-4e87-9c23-25987358303b/Content/publish/LogiOptionsWordAddin.vsto
Exception: Attempting to uninstall a customization that has not been installed on this computer or has already been uninstalled from this computer. Please correct the parameter values and try again.


************** Exception Text **************
Microsoft.VisualStudio.Tools.Office.Runtime.SolutionInstallerException: Attempting to uninstall a customization that has not been installed on this computer or has already been uninstalled from this computer. Please correct the parameter values and try again.
v Microsoft.VisualStudio.Tools.Office.Runtime.SolutionInstaller.ProcessInstallerOperation(ClickOnceAddInDeploymentManager clickOnceAddInDeploymentManager, OfficeAddInDeploymentManager officeAddInDeploymentManager, AddInInformation& info)
v Microsoft.VisualStudio.Tools.Office.Runtime.SolutionInstaller.ProcessInstallerOperation(Boolean uninstall, Boolean silent, Uri manifest, Int32& errorCode, String& errorMessage)


************** Loaded Assemblies **************
mscorlib
Assembly Version: 4.0.0.0
Win32 Version: 4.8.4250.0 built by: NET48REL1LAST_C
CodeBase: file:///C:/Windows/Microsoft.NET/Framework/v4.0.30319/mscorlib.dll
----------------------------------------
Microsoft.VisualStudio.Tools.Office.Runtime
Assembly Version: 10.0.0.0
Win32 Version: 10.0.60828.0
CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/Microsoft.VisualStudio.Tools.Office.Runtime/v4.0_10.0.0.0__b03f5f7f11d50a3a/Microsoft.VisualStudio.Tools.Office.Runtime.dll
----------------------------------------
System.Core
Assembly Version: 4.0.0.0
Win32 Version: 4.8.4220.0 built by: NET48REL1LAST_C
CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System.Core/v4.0_4.0.0.0__b77a5c561934e089/System.Core.dll
----------------------------------------
System
Assembly Version: 4.0.0.0
Win32 Version: 4.8.4200.0 built by: NET48REL1LAST_C
CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System/v4.0_4.0.0.0__b77a5c561934e089/System.dll
----------------------------------------
Microsoft.VisualStudio.Tools.Applications.Hosting
Assembly Version: 10.0.0.0
Win32 Version: 10.0.60828.0
CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/Microsoft.VisualStudio.Tools.Applications.Hosting/v4.0_10.0.0.0__b03f5f7f11d50a3a/Microsoft.VisualStudio.Tools.Applications.Hosting.dll
----------------------------------------
System.Windows.Forms
Assembly Version: 4.0.0.0
Win32 Version: 4.8.4250.0 built by: NET48REL1LAST_C
CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System.Windows.Forms/v4.0_4.0.0.0__b77a5c561934e089/System.Windows.Forms.dll
----------------------------------------
System.Drawing
Assembly Version: 4.0.0.0
Win32 Version: 4.8.4084.0 built by: NET48REL1
CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System.Drawing/v4.0_4.0.0.0__b03f5f7f11d50a3a/System.Drawing.dll
----------------------------------------
Microsoft.VisualStudio.Tools.Applications.ServerDocument
Assembly Version: 10.0.0.0
Win32 Version: 10.0.60828.0
CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/Microsoft.VisualStudio.Tools.Applications.ServerDocument/v4.0_10.0.0.0__b03f5f7f11d50a3a/Microsoft.VisualStudio.Tools.Applications.ServerDocument.dll
----------------------------------------
mscorlib.resources
Assembly Version: 4.0.0.0
Win32 Version: 4.8.4084.0 built by: NET48REL1
CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/mscorlib.resources/v4.0_4.0.0.0_cs_b77a5c561934e089/mscorlib.resources.dll
----------------------------------------
System.Deployment
Assembly Version: 4.0.0.0
Win32 Version: 4.8.4240.0 built by: NET48REL1LAST_B
CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System.Deployment/v4.0_4.0.0.0__b03f5f7f11d50a3a/System.Deployment.dll
----------------------------------------
Microsoft.VisualStudio.Tools.Applications.Runtime
Assembly Version: 10.0.0.0
Win32 Version: 10.0.60828.0
CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/Microsoft.VisualStudio.Tools.Applications.Runtime/v4.0_10.0.0.0__b03f5f7f11d50a3a/Microsoft.VisualStudio.Tools.Applications.Runtime.dll
----------------------------------------

Error: (10/29/2020 09:26:22 AM) (Source: VSTO 4.0) (EventID: 4096) (User: )
Description: Customization URI: file:///C:/ProgramData/Logishrd/LogiOptions/Plugins/abc9594a-1092-4a3a-8a1d-d05e602a10b8/Content/publish/LogiOptionsPowerPointAddin.vsto
Exception: Attempting to uninstall a customization that has not been installed on this computer or has already been uninstalled from this computer. Please correct the parameter values and try again.


************** Exception Text **************
Microsoft.VisualStudio.Tools.Office.Runtime.SolutionInstallerException: Attempting to uninstall a customization that has not been installed on this computer or has already been uninstalled from this computer. Please correct the parameter values and try again.
v Microsoft.VisualStudio.Tools.Office.Runtime.SolutionInstaller.ProcessInstallerOperation(ClickOnceAddInDeploymentManager clickOnceAddInDeploymentManager, OfficeAddInDeploymentManager officeAddInDeploymentManager, AddInInformation& info)
v Microsoft.VisualStudio.Tools.Office.Runtime.SolutionInstaller.ProcessInstallerOperation(Boolean uninstall, Boolean silent, Uri manifest, Int32& errorCode, String& errorMessage)


************** Loaded Assemblies **************
mscorlib
Assembly Version: 4.0.0.0
Win32 Version: 4.8.4250.0 built by: NET48REL1LAST_C
CodeBase: file:///C:/Windows/Microsoft.NET/Framework/v4.0.30319/mscorlib.dll
----------------------------------------
Microsoft.VisualStudio.Tools.Office.Runtime
Assembly Version: 10.0.0.0
Win32 Version: 10.0.60828.0
CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/Microsoft.VisualStudio.Tools.Office.Runtime/v4.0_10.0.0.0__b03f5f7f11d50a3a/Microsoft.VisualStudio.Tools.Office.Runtime.dll
----------------------------------------
System.Core
Assembly Version: 4.0.0.0
Win32 Version: 4.8.4220.0 built by: NET48REL1LAST_C
CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System.Core/v4.0_4.0.0.0__b77a5c561934e089/System.Core.dll
----------------------------------------
System
Assembly Version: 4.0.0.0
Win32 Version: 4.8.4200.0 built by: NET48REL1LAST_C
CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System/v4.0_4.0.0.0__b77a5c561934e089/System.dll
----------------------------------------
Microsoft.VisualStudio.Tools.Applications.Hosting
Assembly Version: 10.0.0.0
Win32 Version: 10.0.60828.0
CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/Microsoft.VisualStudio.Tools.Applications.Hosting/v4.0_10.0.0.0__b03f5f7f11d50a3a/Microsoft.VisualStudio.Tools.Applications.Hosting.dll
----------------------------------------
System.Windows.Forms
Assembly Version: 4.0.0.0
Win32 Version: 4.8.4250.0 built by: NET48REL1LAST_C
CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System.Windows.Forms/v4.0_4.0.0.0__b77a5c561934e089/System.Windows.Forms.dll
----------------------------------------
System.Drawing
Assembly Version: 4.0.0.0
Win32 Version: 4.8.4084.0 built by: NET48REL1
CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System.Drawing/v4.0_4.0.0.0__b03f5f7f11d50a3a/System.Drawing.dll
----------------------------------------
Microsoft.VisualStudio.Tools.Applications.ServerDocument
Assembly Version: 10.0.0.0
Win32 Version: 10.0.60828.0
CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/Microsoft.VisualStudio.Tools.Applications.ServerDocument/v4.0_10.0.0.0__b03f5f7f11d50a3a/Microsoft.VisualStudio.Tools.Applications.ServerDocument.dll
----------------------------------------
mscorlib.resources
Assembly Version: 4.0.0.0
Win32 Version: 4.8.4084.0 built by: NET48REL1
CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/mscorlib.resources/v4.0_4.0.0.0_cs_b77a5c561934e089/mscorlib.resources.dll
----------------------------------------
System.Deployment
Assembly Version: 4.0.0.0
Win32 Version: 4.8.4240.0 built by: NET48REL1LAST_B
CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System.Deployment/v4.0_4.0.0.0__b03f5f7f11d50a3a/System.Deployment.dll
----------------------------------------
Microsoft.VisualStudio.Tools.Applications.Runtime
Assembly Version: 10.0.0.0
Win32 Version: 10.0.60828.0
CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/Microsoft.VisualStudio.Tools.Applications.Runtime/v4.0_10.0.0.0__b03f5f7f11d50a3a/Microsoft.VisualStudio.Tools.Applications.Runtime.dll
----------------------------------------

Error: (10/29/2020 09:26:19 AM) (Source: VSTO 4.0) (EventID: 4096) (User: )
Description: Customization URI: file:///C:/ProgramData/Logishrd/LogiOptions/Plugins/4caa44eb-cdf0-4ecd-b823-38b28187e59a/Content/publish/LogiOptionsExcelAddin.vsto
Exception: Attempting to uninstall a customization that has not been installed on this computer or has already been uninstalled from this computer. Please correct the parameter values and try again.


************** Exception Text **************
Microsoft.VisualStudio.Tools.Office.Runtime.SolutionInstallerException: Attempting to uninstall a customization that has not been installed on this computer or has already been uninstalled from this computer. Please correct the parameter values and try again.
v Microsoft.VisualStudio.Tools.Office.Runtime.SolutionInstaller.ProcessInstallerOperation(ClickOnceAddInDeploymentManager clickOnceAddInDeploymentManager, OfficeAddInDeploymentManager officeAddInDeploymentManager, AddInInformation& info)
v Microsoft.VisualStudio.Tools.Office.Runtime.SolutionInstaller.ProcessInstallerOperation(Boolean uninstall, Boolean silent, Uri manifest, Int32& errorCode, String& errorMessage)


************** Loaded Assemblies **************
mscorlib
Assembly Version: 4.0.0.0
Win32 Version: 4.8.4250.0 built by: NET48REL1LAST_C
CodeBase: file:///C:/Windows/Microsoft.NET/Framework/v4.0.30319/mscorlib.dll
----------------------------------------
Microsoft.VisualStudio.Tools.Office.Runtime
Assembly Version: 10.0.0.0
Win32 Version: 10.0.60828.0
CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/Microsoft.VisualStudio.Tools.Office.Runtime/v4.0_10.0.0.0__b03f5f7f11d50a3a/Microsoft.VisualStudio.Tools.Office.Runtime.dll
----------------------------------------
System.Core
Assembly Version: 4.0.0.0
Win32 Version: 4.8.4220.0 built by: NET48REL1LAST_C
CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System.Core/v4.0_4.0.0.0__b77a5c561934e089/System.Core.dll
----------------------------------------
System
Assembly Version: 4.0.0.0
Win32 Version: 4.8.4200.0 built by: NET48REL1LAST_C
CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System/v4.0_4.0.0.0__b77a5c561934e089/System.dll
----------------------------------------
Microsoft.VisualStudio.Tools.Applications.Hosting
Assembly Version: 10.0.0.0
Win32 Version: 10.0.60828.0
CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/Microsoft.VisualStudio.Tools.Applications.Hosting/v4.0_10.0.0.0__b03f5f7f11d50a3a/Microsoft.VisualStudio.Tools.Applications.Hosting.dll
----------------------------------------
System.Windows.Forms
Assembly Version: 4.0.0.0
Win32 Version: 4.8.4250.0 built by: NET48REL1LAST_C
CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System.Windows.Forms/v4.0_4.0.0.0__b77a5c561934e089/System.Windows.Forms.dll
----------------------------------------
System.Drawing
Assembly Version: 4.0.0.0
Win32 Version: 4.8.4084.0 built by: NET48REL1
CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System.Drawing/v4.0_4.0.0.0__b03f5f7f11d50a3a/System.Drawing.dll
----------------------------------------
Microsoft.VisualStudio.Tools.Applications.ServerDocument
Assembly Version: 10.0.0.0
Win32 Version: 10.0.60828.0
CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/Microsoft.VisualStudio.Tools.Applications.ServerDocument/v4.0_10.0.0.0__b03f5f7f11d50a3a/Microsoft.VisualStudio.Tools.Applications.ServerDocument.dll
----------------------------------------
mscorlib.resources
Assembly Version: 4.0.0.0
Win32 Version: 4.8.4084.0 built by: NET48REL1
CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/mscorlib.resources/v4.0_4.0.0.0_cs_b77a5c561934e089/mscorlib.resources.dll
----------------------------------------
System.Deployment
Assembly Version: 4.0.0.0
Win32 Version: 4.8.4240.0 built by: NET48REL1LAST_B
CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System.Deployment/v4.0_4.0.0.0__b03f5f7f11d50a3a/System.Deployment.dll
----------------------------------------
Microsoft.VisualStudio.Tools.Applications.Runtime
Assembly Version: 10.0.0.0
Win32 Version: 10.0.60828.0
CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/Microsoft.VisualStudio.Tools.Applications.Runtime/v4.0_10.0.0.0__b03f5f7f11d50a3a/Microsoft.VisualStudio.Tools.Applications.Runtime.dll
----------------------------------------

Error: (10/28/2020 11:09:43 AM) (Source: Microsoft-Windows-PerfNet) (EventID: 2004) (User: BREZINA-ACER)
Description: Nelze otevřít objekt výkonu služby serveru. Vrácený kód stavu představují první čtyři bajty (DWORD) datové části.

Error: (10/26/2020 09:28:50 PM) (Source: Microsoft-Windows-PerfNet) (EventID: 2004) (User: BREZINA-ACER)
Description: Nelze otevřít objekt výkonu služby serveru. Vrácený kód stavu představují první čtyři bajty (DWORD) datové části.

Error: (10/24/2020 07:15:00 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Název chybující aplikace: utorrent.exe, verze: 3.1.3.26837, časové razítko: 0x4f5934c0
Název chybujícího modulu: GDI32.dll, verze: 10.0.19041.546, časové razítko: 0x9a24d4df
Kód výjimky: 0xc000041d
Posun chyby: 0x00005d67
ID chybujícího procesu: 0x3a7c
Čas spuštění chybující aplikace: 0x01d6aa2fd5b42dd2
Cesta k chybující aplikaci: C:\Users\petrb\AppData\Roaming\uTorrent\utorrent.exe
Cesta k chybujícímu modulu: C:\WINDOWS\System32\GDI32.dll
ID zprávy: 50aa70d2-d652-41ee-9ebe-776ee1854d27
Úplný název chybujícího balíčku:
ID aplikace související s chybujícím balíčkem:

Error: (10/24/2020 02:31:35 PM) (Source: Microsoft-Windows-PerfNet) (EventID: 2004) (User: BREZINA-ACER)
Description: Nelze otevřít objekt výkonu služby serveru. Vrácený kód stavu představují první čtyři bajty (DWORD) datové části.


System errors:
=============
Error: (10/31/2020 10:39:24 PM) (Source: Microsoft-Windows-Kernel-Power) (EventID: 137) (User: )
Description: 4

Error: (10/31/2020 01:20:45 AM) (Source: Microsoft-Windows-Kernel-Power) (EventID: 137) (User: )
Description: 4

Error: (10/30/2020 01:46:53 PM) (Source: Microsoft-Windows-Kernel-Power) (EventID: 137) (User: )
Description: 4

Error: (10/30/2020 08:22:13 AM) (Source: DCOM) (EventID: 10010) (User: BREZINA-ACER)
Description: Server {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} se v daném časovém limitu neregistroval u služby DCOM.

Error: (10/30/2020 08:22:13 AM) (Source: DCOM) (EventID: 10010) (User: BREZINA-ACER)
Description: Server {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} se v daném časovém limitu neregistroval u služby DCOM.

Error: (10/30/2020 08:22:13 AM) (Source: DCOM) (EventID: 10010) (User: BREZINA-ACER)
Description: Server {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} se v daném časovém limitu neregistroval u služby DCOM.

Error: (10/30/2020 08:22:13 AM) (Source: DCOM) (EventID: 10010) (User: BREZINA-ACER)
Description: Server {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} se v daném časovém limitu neregistroval u služby DCOM.

Error: (10/30/2020 08:22:13 AM) (Source: DCOM) (EventID: 10010) (User: BREZINA-ACER)
Description: Server {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} se v daném časovém limitu neregistroval u služby DCOM.


Windows Defender:
===================================
Date: 2020-11-01 09:59:30.7570000Z
Description:
Prohledávání Antivirová ochrana v programu Microsoft Defender bylo zastaveno před dokončením.
ID prohledávání: {44D2B6E0-B213-4C7F-8058-C55D26D5C8EB}
Typ prohledávání: Antimalwarový program
Parametry prohledávání: Rychlé prohledávání
Uživatel: NT AUTHORITY\SYSTEM

Date: 2020-10-31 10:00:28.3400000Z
Description:
Prohledávání Antivirová ochrana v programu Microsoft Defender bylo zastaveno před dokončením.
ID prohledávání: {55E448EE-6CB5-4153-9C8B-57960D43E791}
Typ prohledávání: Antimalwarový program
Parametry prohledávání: Rychlé prohledávání
Uživatel: NT AUTHORITY\SYSTEM

Date: 2020-10-28 09:23:45.0240000Z
Description:
Prohledávání Antivirová ochrana v programu Microsoft Defender bylo zastaveno před dokončením.
ID prohledávání: {997E1AA8-6C06-4F08-B4BE-3FF3D5597BD2}
Typ prohledávání: Antimalwarový program
Parametry prohledávání: Rychlé prohledávání
Uživatel: NT AUTHORITY\SYSTEM

Date: 2020-10-26 20:50:01.2350000Z
Description:
Antivirová ochrana v programu Microsoft Defender zjistil malware nebo jiný potenciálně nežádoucí software.
Další informace:
https://go.microsoft.com/fwlink/?linkid ... terprise=0
Název: Trojan:Script/Foretype.A!ml
ID: 2147724345
Závažnost: Vážné
Kategorie: Trojský kůň
Cesta: file:_D:\Google Drive\zaloha_P30L_26_10_2020\HUAWEI P30 lite_2020-10-26 20.44.13\com.google.android.apps.docs.editors.slides&split_config.cs.apk
Původ detekce: Místní počítač
Typ detekce: FastPath
Zdroj detekce: Ochrana v reálném čase
Uživatel: BREZINA-ACER\petrb
Název procesu: C:\Program Files (x86)\HiSuite\HiSuite.exe
Verze bezpečnostních informací: AV: 1.325.1458.0, AS: 1.325.1458.0, NIS: 1.325.1458.0
Verze modulu: AM: 1.1.17500.4, NIS: 1.1.17500.4

Date: 2020-10-26 08:57:47.6260000Z
Description:
Prohledávání Antivirová ochrana v programu Microsoft Defender bylo zastaveno před dokončením.
ID prohledávání: {B4CB80B8-ABCA-4E54-A838-1F2010DE0647}
Typ prohledávání: Antimalwarový program
Parametry prohledávání: Rychlé prohledávání
Uživatel: NT AUTHORITY\SYSTEM

CodeIntegrity:
===================================

Date: 2020-10-30 08:19:18.8120000Z
Description:
Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\System32\wininit.exe) attempted to load \Device\HarddiskVolume4\Windows\System32\fnwTypo.dll that did not meet the Windows signing level requirements.

Date: 2020-10-30 08:19:13.5660000Z
Description:
Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\drivers\GUBootStartup.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2020-10-30 08:16:01.8920000Z
Description:
Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\System32\wininit.exe) attempted to load \Device\HarddiskVolume4\Windows\System32\fnwTypo.dll that did not meet the Windows signing level requirements.

Date: 2020-10-30 08:15:53.9900000Z
Description:
Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\drivers\GUBootStartup.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2020-10-28 11:05:37.5930000Z
Description:
Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\System32\wininit.exe) attempted to load \Device\HarddiskVolume4\Windows\System32\fnwTypo.dll that did not meet the Windows signing level requirements.

Date: 2020-10-28 11:05:31.3350000Z
Description:
Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\drivers\GUBootStartup.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2020-10-26 21:24:44.5760000Z
Description:
Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\System32\wininit.exe) attempted to load \Device\HarddiskVolume4\Windows\System32\fnwTypo.dll that did not meet the Windows signing level requirements.

Date: 2020-10-26 21:24:36.2080000Z
Description:
Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\drivers\GUBootStartup.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

==================== Memory info ===========================

BIOS: Insyde Corp. V1.25 06/11/2018
Motherboard: Acer BAD40_SL
Processor: Intel(R) Core(TM) i5-6200U CPU @ 2.30GHz
Percentage of memory in use: 95%
Total physical RAM: 20337.91 MB
Available physical RAM: 837.28 MB
Total Virtual: 27505.91 MB
Available Virtual: 5336.89 MB

==================== Drives ================================

Drive c: (system) (Fixed) (Total:118.02 GB) (Free:37.86 GB) NTFS
Drive d: (data) (Fixed) (Total:119.24 GB) (Free:21.75 GB) NTFS
Drive e: () (Removable) (Total:7.41 GB) (Free:5.83 GB) FAT32

\\?\Volume{ecf05fed-0394-46be-9ee8-ef0466d1830d}\ (Obnovení) (Fixed) (Total:0.52 GB) (Free:0.5 GB) NTFS
\\?\Volume{4a0b808c-d28b-4d6b-be7b-d68720927c83}\ () (Fixed) (Total:0.59 GB) (Free:0.08 GB) NTFS
\\?\Volume{32e024a0-c963-4685-8f6f-546301db628e}\ () (Fixed) (Total:0.09 GB) (Free:0.07 GB) FAT32

==================== MBR & Partition Table ====================

==========================================================
Disk: 0 (Size: 238.5 GB) (Disk ID: E4EF5D31)

Partition: GPT.

==========================================================
Disk: 1 (Protective MBR) (Size: 7.4 GB) (Disk ID: 00000000)

Partition: GPT.

==================== End of Addition.txt =======================

Re: Win32/CoinMiner na NASu Netgear

Napsal: 01 lis 2020 11:24
od Rudy
Zdravím!
To nevíme ani my. Můžeme vám jen zkontrolovat PC, neboť všechny naše postupy fungují pouze na nejpoužívanější platformě, tj. Windows. Pokud chceta zkontrolovat PC, dejte logy FRST+Addition: https://forum.viry.cz/viewtopic.php?f=13&t=154679 .

Re: Win32/CoinMiner na NASu Netgear

Napsal: 01 lis 2020 11:28
od Petr.Brezina
zde oba logy FRST
frst.zip
(42.02 KiB) Staženo 71 x

Re: Win32/CoinMiner na NASu Netgear

Napsal: 01 lis 2020 12:32
od Rudy
Spusťte tuto utilitu:
Ulozte na plochu AdwCleaner https://malwarebytes.com/adwcleaner/ nebo http://www.bleepingcomputer.com/download/adwcleaner/

ukoncete vsechny programy
odsouhlaste licencni podmiky (EULA) klikem na Souhlasim
kliknete pravym na ikonu AdwCleaneru a vyberte Spustit jako spravce (v pripade Win XP spustte obycejne dvojklikem)
kliknete na Skenovat nyni (Scan now), pote na Cisteni a opravy (Clean and Repair)
po restartu na Vas vyskoci log (pripadne jej najdete v C:\AdwCleaner\Logs\AdwCleaner[Cxx].txt), jehoz obsah zkopirujte do pristi odpovedi

Re: Win32/CoinMiner na NASu Netgear

Napsal: 01 lis 2020 14:10
od Petr.Brezina
zde je

# -------------------------------
# Malwarebytes AdwCleaner 8.0.8.0
# -------------------------------
# Build: 10-08-2020
# Database: 2020-09-29.1 (Cloud)
# Support: https://www.malwarebytes.com/support
#
# -------------------------------
# Mode: Clean
# -------------------------------
# Start: 11-01-2020
# Duration: 00:00:02
# OS: Windows 10 Pro
# Cleaned: 6
# Failed: 0


***** [ Services ] *****

No malicious services cleaned.

***** [ Folders ] *****

No malicious folders cleaned.

***** [ Files ] *****

No malicious files cleaned.

***** [ DLL ] *****

No malicious DLLs cleaned.

***** [ WMI ] *****

No malicious WMI cleaned.

***** [ Shortcuts ] *****

No malicious shortcuts cleaned.

***** [ Tasks ] *****

No malicious tasks cleaned.

***** [ Registry ] *****

No malicious registry entries cleaned.

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries cleaned.

***** [ Chromium URLs ] *****

No malicious Chromium URLs cleaned.

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries cleaned.

***** [ Firefox URLs ] *****

No malicious Firefox URLs cleaned.

***** [ Hosts File Entries ] *****

No malicious hosts file entries cleaned.

***** [ Preinstalled Software ] *****

Deleted Preinstalled.AcerQuickAccess Folder C:\Program Files\ACER\ACER QUICK ACCESS
Deleted Preinstalled.AcerQuickAccess Registry HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{DC7642B1-E7CF-47D5-BD15-3A4124361BBD}
Deleted Preinstalled.AcerQuickAccess Registry HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Quick Access
Deleted Preinstalled.AcerQuickAccess Registry HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{8BBF04F1-C68A-441C-B5EF-446EE9960EAF}
Deleted Preinstalled.AcerQuickAccess Task C:\Windows\System32\Tasks\QUICK ACCESS
Deleted Preinstalled.AcerUpdater Folder C:\ProgramData\ACER\ACER UPDATER


*************************

[+] Delete Tracing Keys
[+] Reset Winsock

*************************

AdwCleaner[S00].txt - [2490 octets] - [19/09/2020 08:14:14]
AdwCleaner[C00].txt - [1976 octets] - [19/09/2020 08:16:26]
AdwCleaner[S01].txt - [2156 octets] - [01/11/2020 14:05:31]

########## EOF - C:\AdwCleaner\Logs\AdwCleaner[C01].txt ##########

Re: Win32/CoinMiner na NASu Netgear

Napsal: 01 lis 2020 17:32
od Rudy
Dejte nové logy FRST+Addition.

Re: Win32/CoinMiner na NASu Netgear

Napsal: 01 lis 2020 18:12
od Petr.Brezina
zde jsou
FRST.zip
(41.75 KiB) Staženo 73 x

Re: Win32/CoinMiner na NASu Netgear

Napsal: 01 lis 2020 19:09
od Rudy
Otevřte poznámkový blok a zkopírujte do něj:
Start

CloseProcesses:
HKU\S-1-5-21-1520699381-1464880648-3029145606-1001\...\MountPoints2: {8a147863-d86f-11ea-93fd-e470b8b4eb90} - "F:\HiSuiteDownLoader.exe"
HKU\S-1-5-21-1520699381-1464880648-3029145606-1001\...\MountPoints2: {8b1aa8e0-17c2-11eb-941b-e470b8b4eb90} - "F:\HiSuiteDownLoader.exe"
GroupPolicy: Restriction ? <==== ATTENTION
Task: {73FF23F6-E92B-455A-8CD1-21909272A4F3} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [156104 2019-12-29] (Google LLC -> Google LLC)
Task: {D08C83BB-9EC8-4E77-B6F9-B4FC6573C2B1} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [156104 2019-12-29] (Google LLC -> Google LLC)
C:\WINDOWS\system32\Tasks\GoogleUpdateTaskMachineUA
C:\WINDOWS\system32\Tasks\GoogleUpdateTaskMachineCore
ContextMenuHandlers1: [Adobe.Acrobat.ContextMenu] -> {A6595CD1-BF77-430A-A452-18696685F7C7} => C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat Elements\ContextMenuShim64.dll -> No File
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => -> No File
ContextMenuHandlers6: [Adobe.Acrobat.ContextMenu] -> {A6595CD1-BF77-430A-A452-18696685F7C7} => C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat Elements\ContextMenuShim64.dll -> No File
C:\Users\petrb\AppData\Local\Temp
SearchScopes: HKU\S-1-5-21-1520699381-1464880648-3029145606-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =

EmptyTemp:
Hosts:
End
Uložte na plochu jako fixlist.txt. Spusťte znovu FRST a klikněte na >Fix<. Po skončení akce se objeví log, který sem zkopírujte.

Re: Win32/CoinMiner na NASu Netgear

Napsal: 01 lis 2020 19:21
od Petr.Brezina
zde log:

Fix result of Farbar Recovery Scan Tool (x64) Version: 24-10-2020
Ran by petrb (01-11-2020 19:17:14) Run:1
Running from C:\Users\petrb\Desktop
Loaded Profiles: petrb
Boot Mode: Normal
==============================================

fixlist content:
*****************
Start

CloseProcesses:
HKU\S-1-5-21-1520699381-1464880648-3029145606-1001\...\MountPoints2: {8a147863-d86f-11ea-93fd-e470b8b4eb90} - "F:\HiSuiteDownLoader.exe"
HKU\S-1-5-21-1520699381-1464880648-3029145606-1001\...\MountPoints2: {8b1aa8e0-17c2-11eb-941b-e470b8b4eb90} - "F:\HiSuiteDownLoader.exe"
GroupPolicy: Restriction ? <==== ATTENTION
Task: {73FF23F6-E92B-455A-8CD1-21909272A4F3} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [156104 2019-12-29] (Google LLC -> Google LLC)
Task: {D08C83BB-9EC8-4E77-B6F9-B4FC6573C2B1} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [156104 2019-12-29] (Google LLC -> Google LLC)
C:\WINDOWS\system32\Tasks\GoogleUpdateTaskMachineUA
C:\WINDOWS\system32\Tasks\GoogleUpdateTaskMachineCore
ContextMenuHandlers1: [Adobe.Acrobat.ContextMenu] -> {A6595CD1-BF77-430A-A452-18696685F7C7} => C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat Elements\ContextMenuShim64.dll -> No File
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => -> No File
ContextMenuHandlers6: [Adobe.Acrobat.ContextMenu] -> {A6595CD1-BF77-430A-A452-18696685F7C7} => C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat Elements\ContextMenuShim64.dll -> No File
C:\Users\petrb\AppData\Local\Temp
SearchScopes: HKU\S-1-5-21-1520699381-1464880648-3029145606-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =

EmptyTemp:
Hosts:
End
*****************

Processes closed successfully.
HKU\S-1-5-21-1520699381-1464880648-3029145606-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8a147863-d86f-11ea-93fd-e470b8b4eb90} => removed successfully
HKU\S-1-5-21-1520699381-1464880648-3029145606-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8b1aa8e0-17c2-11eb-941b-e470b8b4eb90} => removed successfully
C:\WINDOWS\system32\GroupPolicy\Machine => moved successfully
C:\WINDOWS\system32\GroupPolicy\GPT.ini => moved successfully
C:\WINDOWS\SysWOW64\GroupPolicy\GPT.ini => moved successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{73FF23F6-E92B-455A-8CD1-21909272A4F3}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{73FF23F6-E92B-455A-8CD1-21909272A4F3}" => removed successfully
C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineCore => moved successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GoogleUpdateTaskMachineCore" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{D08C83BB-9EC8-4E77-B6F9-B4FC6573C2B1}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D08C83BB-9EC8-4E77-B6F9-B4FC6573C2B1}" => removed successfully
C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineUA => moved successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GoogleUpdateTaskMachineUA" => removed successfully
"C:\WINDOWS\system32\Tasks\GoogleUpdateTaskMachineUA" => not found
"C:\WINDOWS\system32\Tasks\GoogleUpdateTaskMachineCore" => not found
HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers\Adobe.Acrobat.ContextMenu => removed successfully
HKLM\Software\Classes\CLSID\{A6595CD1-BF77-430A-A452-18696685F7C7} => removed successfully
HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers\igfxcui => removed successfully
HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers\Adobe.Acrobat.ContextMenu => removed successfully
C:\Users\petrb\AppData\Local\Temp => moved successfully
"HKU\S-1-5-21-1520699381-1464880648-3029145606-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope" => removed successfully
C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.

=========== EmptyTemp: ==========

BITS transfer queue => 10510336 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 88237795 B
Java, Flash, Steam htmlcache => 0 B
Windows/system/drivers => 21142389 B
Edge => 123904 B
Chrome => 0 B
Firefox => 0 B
Opera => 420093611 B

Temp, IE cache, history, cookies, recent:
Default => 6656 B
Users => 6656 B
ProgramData => 6656 B
Public => 6656 B
systemprofile => 6656 B
systemprofile32 => 6656 B
LocalService => 13312 B
NetworkService => 97636 B
petrb => 3065276 B

RecycleBin => 322033 B
EmptyTemp: => 518.5 MB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 19:17:49 ====

Re: Win32/CoinMiner na NASu Netgear

Napsal: 01 lis 2020 19:49
od Rudy
Smazáno. Nastala nějaká změna?

Re: Win32/CoinMiner na NASu Netgear

Napsal: 01 lis 2020 20:13
od Petr.Brezina
Díky, změnu asi posoudím časem, nicméně v mezidobí jsem promazal všechny zmíněné soubory na NASu, ten restartoval a zatím se neobjevily, plus následný přenos souborů již byl standardní rychlostí.

Mohu se zeptat, co bylo součástí opravy? Ze zápisu odhaduju ukončení nebo oprava ukončení nějakých aktualizačních služeb? Považuju se za mírně pokročilého uživatele pc, proto by mne to alespoň principielně zajímalo.

Díky za čas!

Re: Win32/CoinMiner na NASu Netgear

Napsal: 01 lis 2020 20:55
od Rudy
Přesně to nemohu říci. PC byl vyčištěn, jednotlivé položky nejsou nebezpečné, jen zbytečné a zatěžují systém. Byl resetován soubor Hosts (hostitelé) na default (byly tam položky - URL adresy, které tam být nemusí). Mohlo se z nich něco stahovat. Byl vyčištěn dočasný adresář internetu, kde mohl být uložen nějaký šmejd. FRST nespecifikuje smazané soubory.

Re: Win32/CoinMiner na NASu Netgear

Napsal: 01 lis 2020 21:10
od Petr.Brezina
Díky moc aspoň takto. myslím, že vlákno můžete zamknout, pokud by se problém objevil znovu, ozval bych se.

Re: Win32/CoinMiner na NASu Netgear

Napsal: 01 lis 2020 21:49
od Rudy
OK a nemáte zač! :)
Všechny časy jsou v UTC+01:00
Stránka 1 z 1

Založeno na phpBB® Forum Software © phpBB Limited

Český překlad – phpBB.cz