VIRY.CZ

Pomáháme v boji s počítačovou havěti!
https://forum.viry.cz:443/

nekdo mi pouziva PC? - prosim o kontrolu

https://forum.viry.cz:443/viewtopic.php?t=157924

Stránka 1 z 1

nekdo mi pouziva PC? - prosim o kontrolu

Napsal: 05 bře 2021 10:34
od tomasnikl
Ahoj,

mohl bych vas poprosit o pomoct?

jen strucne v bodech, co se stalo:
- nekdo na facebooku platil reklamy moji kartou. Nedoslo k zadnemu podezrelemu prihlaseni z jine IP, z jine zeme apod
- z chrome vyexportoval vsechna hesla do excelu, chtel jsem je projit a zrevidovat
- 2 dny po exportu hesel se nekdo snazil prihlasit do instituci jako mbank, coinbase, cex.io (crypto burzy atd). Mam telefon plny overovacich 2FA kodu a v mailu mam take tyto zaznamy o prihlaseni do uctu. K temto prihlasenim doslo v dobe, kdy byl PC zapnuty a doslo k nim z moji IP adresy (tvari se to tey, ze se nekdo prihlasuje skrze muj PC)
- PC jsem projel Avastem, Esetem a zadny z programu nic nenasel.

Kompletni logy:
davam sem a nebo do prilohy, nejdou mi kvuli maximalni delce pridat do prispevku:
RSIT log: https://gist.github.com/tomasnikl/57caa ... 05fc82424b
RSIT info: https://gist.github.com/tomasnikl/77b3e ... af4e967503
FRST log: https://gist.github.com/tomasnikl/fe073 ... 8f15fe92b2
FRST info: https://gist.github.com/tomasnikl/d90e6 ... 068361d843

Re: nekdo mi pouziva PC - prosim o kontrolu

Napsal: 05 bře 2021 14:03
od Rudy
Zdravím!
Spusťte tuto utilitu:
Ulozte na plochu AdwCleaner https://malwarebytes.com/adwcleaner/ nebo http://www.bleepingcomputer.com/download/adwcleaner/

ukoncete vsechny programy
odsouhlaste licencni podmiky (EULA) klikem na Souhlasim
kliknete pravym na ikonu AdwCleaneru a vyberte Spustit jako spravce (v pripade Win XP spustte obycejne dvojklikem)
kliknete na Skenovat nyni (Scan now), pote na Cisteni a opravy (Clean and Repair)
po restartu na Vas vyskoci log (pripadne jej najdete v C:\AdwCleaner\Logs\AdwCleaner[Cxx].txt), jehoz obsah zkopirujte do pristi odpovedi

Re: nekdo mi pouziva PC - prosim o kontrolu

Napsal: 05 bře 2021 14:13
od tomasnikl
zdravim! spusteno ale zajimave je, ze i pres to, ze program pise, ze problemy opravil tak pri dalsim pusteni tam jsou znovu :)

log prikladam nize:

# -------------------------------
# Malwarebytes AdwCleaner 8.1.0.0
# -------------------------------
# Build: 02-15-2021
# Database: 2021-03-03.1 (Cloud)
# Support: https://www.malwarebytes.com/support
#
# -------------------------------
# Mode: Clean
# -------------------------------
# Start: 03-05-2021
# Duration: 00:00:03
# OS: Windows 10 Pro
# Cleaned: 22
# Failed: 0


***** [ Services ] *****

Deleted Update service

***** [ Folders ] *****

No malicious folders cleaned.

***** [ Files ] *****

No malicious files cleaned.

***** [ DLL ] *****

No malicious DLLs cleaned.

***** [ WMI ] *****

No malicious WMI cleaned.

***** [ Shortcuts ] *****

No malicious shortcuts cleaned.

***** [ Tasks ] *****

No malicious tasks cleaned.

***** [ Registry ] *****

Deleted HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{00365D2D-A706-439A-9EB2-F6472E20D4C0}
Deleted HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{1BCDFE68-CF00-4277-92C6-4DF370C2F381}
Deleted HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{7A439A49-0925-4EAE-8656-85618262744A}
Deleted HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{7C69ABA5-400D-40D9-ACD8-650A9ABA225E}
Deleted HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{86B223A1-4648-45C0-9A8A-82F2BCAC31D5}
Deleted HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{96EC85CA-3D33-4372-B84A-C7DCE787BFF4}
Deleted HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{B8832BAD-6F85-421E-A791-A16F5F3524C6}
Deleted HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{FDEFAB96-905B-4239-8841-2AE5D9B5C110}
Deleted HKLM\Software\Classes\TypeLib\{DF2BBE39-40A8-433B-A279-073F48DA94B6}
Deleted HKLM\Software\Wow6432Node\\Classes\TypeLib\{DF2BBE39-40A8-433B-A279-073F48DA94B6}

***** [ Chromium (and derivatives) ] *****

Deleted User-Agent Switcher for Chrome - djflhoibgkdhkhhcedjiklpkjnoahfmg

***** [ Chromium URLs ] *****

Deleted AVG Secure Search
Deleted banggood.com
Deleted blekko
Deleted http://isearch.avg.com/?cid={43C2ACA3-B ... g=0&sap=hp
Deleted http://search.babylon.com/?affID=112555 ... f06d3c1314
Deleted http://search.babylon.com/?affID=112555 ... f06d3c1314
Deleted http://search.conduit.com/?ctid=CT33149 ... &UP=&SSPV=
Deleted http://search.conduit.com/?ctid=CT33149 ... BFF7&SSPV=
Deleted http://search.conduit.com/?ctid=CT33149 ... FD14&SSPV=
Deleted http://search.conduit.com/?ctid=CT33149 ... FD14&SSPV=

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries cleaned.

***** [ Firefox URLs ] *****

No malicious Firefox URLs cleaned.

***** [ Hosts File Entries ] *****

No malicious hosts file entries cleaned.

***** [ Preinstalled Software ] *****

No Preinstalled Software cleaned.


*************************

[+] Delete Tracing Keys
[+] Reset Winsock

*************************

AdwCleaner[S00].txt - [4261 octets] - [05/03/2021 14:12:02]

########## EOF - C:\AdwCleaner\Logs\AdwCleaner[C00].txt ##########

Re: nekdo mi pouziva PC - prosim o kontrolu

Napsal: 05 bře 2021 14:52
od Rudy
OK. Dejte nové logy FRST+Addition.

Re: nekdo mi pouziva PC - prosim o kontrolu

Napsal: 05 bře 2021 15:25
od tomasnikl
odinstaloval jsem jeste radu programu a logy prikladam do prilohy nebo zde:
FRST: https://gist.github.com/tomasnikl/00367 ... 9d48a25170
FRST-Addition: https://gist.github.com/tomasnikl/ac291 ... cd92b37e68

Re: nekdo mi pouziva PC - prosim o kontrolu

Napsal: 05 bře 2021 16:04
od Rudy
Otevřte poznámkový blok a zkopírujte do něj:
Start

CloseProcesses:
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [710264 2020-06-18] (Oracle America, Inc. -> Oracle Corporation)
HKU\S-1-5-21-434153615-1448201401-3235158447-1001\...\MountPoints2: {2199e05f-9616-11ea-b2b5-3c6aa7f536f5} - "E:\HiSuiteDownLoader.exe"
HKU\S-1-5-21-434153615-1448201401-3235158447-1001\...\MountPoints2: {9abb4ff9-9800-11e9-b207-3c6aa7f536f5} - "E:\HiSuiteDownLoader.exe"
GroupPolicy: Restriction ? <==== ATTENTION
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION
Task: {40E1F338-233C-4062-90FF-7996617A6C77} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [154920 2019-06-07] (Google Inc -> Google LLC)
Task: {47FD5390-4D4F-4781-8E50-56DC21D4D1EA} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [154920 2019-06-07] (Google Inc -> Google LLC)
Task: {F95129DB-F56C-42F7-A33E-67ABC2BC2C02} - System32\Tasks\Microsoft\Windows\EnterpriseMgmt\6C5A9F00-50DE-4392-8402-A5151D3CF5EC\OS Edition Upgrade event listener created by enrollment client => C:\Windows\system32\deviceenroller.exe [557056 2021-02-10] (Microsoft Windows -> Microsoft Corporation)
"C:\Windows\System32\Tasks\Intel\Thunderbolt\Start Thunderbolt service on boot if driver is up" was unlocked. <==== ATTENTION
U1 aswbdisk; no ImagePath
C:\Windows\system32\Tasks\GoogleUpdateTaskMachineUA
C:\Windows\system32\Tasks\GoogleUpdateTaskMachineCore
ShellIconOverlayIdentifiers: [ AccExtIco1] -> {AB9CF9F8-8A96-4F9D-BF21-CE85714C3A47} => -> No File
ShellIconOverlayIdentifiers: [ AccExtIco2] -> {853B7E05-C47D-4985-909A-D0DC5C6D7303} => -> No File
ShellIconOverlayIdentifiers: [ AccExtIco3] -> {42D38F2E-98E9-4382-B546-E24E4D6D04BB} => -> No File
ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} => -> No File
ContextMenuHandlers1: [ FileSyncEx] -> {CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} => -> No File
ContextMenuHandlers1: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => -> No File
ContextMenuHandlers1: [AccExt] -> [CC]{2A118EB5-5797-4F5E-8B3D-F4ECBA3C98E4} => -> No File
ContextMenuHandlers1: [ANotepad++64] -> {B298D29A-A6ED-11DE-BA8C-A68E55D89593} => -> No File
ContextMenuHandlers1: [BriefcaseMenu] -> {85BBD920-42A0-1069-A2E4-08002B30309D} => -> No File
ContextMenuHandlers3: [{4A7C4306-57E0-4C0C-83A9-78C1528F618C}] -> {4A7C4306-57E0-4C0C-83A9-78C1528F618C} => -> No File
ContextMenuHandlers4: [ FileSyncEx] -> [CC]{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} => -> No File
ContextMenuHandlers4: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => -> No File
ContextMenuHandlers6: [AccExt] -> [CC]{2A118EB5-5797-4F5E-8B3D-F4ECBA3C98E4} => -> No File
ContextMenuHandlers6: [BriefcaseMenu] -> {85BBD920-42A0-1069-A2E4-08002B30309D} => -> No File
ContextMenuHandlers1_.DEFAULT: [ FileSyncEx] -> {CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} => -> No File
ContextMenuHandlers4_.DEFAULT: [ FileSyncEx] -> {CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} => -> No File
ContextMenuHandlers5_.DEFAULT: [ FileSyncEx] -> {CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} => -> No File
C:\Users\tomas\AppData\Local\Temp
AlternateDataStreams: C:\ProgramData\Reprise:wupeogjxlctlfudivq`qsp`20hfm [0]
AlternateDataStreams: C:\Users\tomas\AppData\Local\Temp:com.affinity.designer.2 [366]
AlternateDataStreams: C:\Users\tomas\AppData\Local\Temp:com.affinity.photo.2 [320]
C:\Users\tomas\Downloads\setup_x86_x64_install.exe

EmptyTemp:
Hosts:
End
Uložte do C:\Users\tomas\Downloads jako fixlist.txt. Spusťte znovu FRST a klikněte na >Fix<. Po skončení akce se objeví log, který sem zkopírujte.

Re: nekdo mi pouziva PC - prosim o kontrolu

Napsal: 05 bře 2021 16:20
od tomasnikl
Dekuji! fix jsem provedl, prikladam log.. koukam, ze obcas tam je "not found".. napr u toho javaupdateru... to asi budou veci, ktere jsem pred par hodinama odinstalovaval.

Log zde:
Fix result of Farbar Recovery Scan Tool (x64) Version: 28-02-2021
Ran by tomas (05-03-2021 16:13:17) Run:1
Running from C:\Users\tomas\Downloads
Loaded Profiles: tomas
Boot Mode: Normal
==============================================

fixlist content:
*****************
Start

CloseProcesses:
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [710264 2020-06-18] (Oracle America, Inc. -> Oracle Corporation)
HKU\S-1-5-21-434153615-1448201401-3235158447-1001\...\MountPoints2: {2199e05f-9616-11ea-b2b5-3c6aa7f536f5} - "E:\HiSuiteDownLoader.exe"
HKU\S-1-5-21-434153615-1448201401-3235158447-1001\...\MountPoints2: {9abb4ff9-9800-11e9-b207-3c6aa7f536f5} - "E:\HiSuiteDownLoader.exe"
GroupPolicy: Restriction ? <==== ATTENTION
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION
Task: {40E1F338-233C-4062-90FF-7996617A6C77} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [154920 2019-06-07] (Google Inc -> Google LLC)
Task: {47FD5390-4D4F-4781-8E50-56DC21D4D1EA} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [154920 2019-06-07] (Google Inc -> Google LLC)
Task: {F95129DB-F56C-42F7-A33E-67ABC2BC2C02} - System32\Tasks\Microsoft\Windows\EnterpriseMgmt\6C5A9F00-50DE-4392-8402-A5151D3CF5EC\OS Edition Upgrade event listener created by enrollment client => C:\Windows\system32\deviceenroller.exe [557056 2021-02-10] (Microsoft Windows -> Microsoft Corporation)
"C:\Windows\System32\Tasks\Intel\Thunderbolt\Start Thunderbolt service on boot if driver is up" was unlocked. <==== ATTENTION
U1 aswbdisk; no ImagePath
C:\Windows\system32\Tasks\GoogleUpdateTaskMachineUA
C:\Windows\system32\Tasks\GoogleUpdateTaskMachineCore
ShellIconOverlayIdentifiers: [ AccExtIco1] -> {AB9CF9F8-8A96-4F9D-BF21-CE85714C3A47} => -> No File
ShellIconOverlayIdentifiers: [ AccExtIco2] -> {853B7E05-C47D-4985-909A-D0DC5C6D7303} => -> No File
ShellIconOverlayIdentifiers: [ AccExtIco3] -> {42D38F2E-98E9-4382-B546-E24E4D6D04BB} => -> No File
ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} => -> No File
ContextMenuHandlers1: [ FileSyncEx] -> {CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} => -> No File
ContextMenuHandlers1: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => -> No File
ContextMenuHandlers1: [AccExt] -> [CC]{2A118EB5-5797-4F5E-8B3D-F4ECBA3C98E4} => -> No File
ContextMenuHandlers1: [ANotepad++64] -> {B298D29A-A6ED-11DE-BA8C-A68E55D89593} => -> No File
ContextMenuHandlers1: [BriefcaseMenu] -> {85BBD920-42A0-1069-A2E4-08002B30309D} => -> No File
ContextMenuHandlers3: [{4A7C4306-57E0-4C0C-83A9-78C1528F618C}] -> {4A7C4306-57E0-4C0C-83A9-78C1528F618C} => -> No File
ContextMenuHandlers4: [ FileSyncEx] -> [CC]{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} => -> No File
ContextMenuHandlers4: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => -> No File
ContextMenuHandlers6: [AccExt] -> [CC]{2A118EB5-5797-4F5E-8B3D-F4ECBA3C98E4} => -> No File
ContextMenuHandlers6: [BriefcaseMenu] -> {85BBD920-42A0-1069-A2E4-08002B30309D} => -> No File
ContextMenuHandlers1_.DEFAULT: [ FileSyncEx] -> {CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} => -> No File
ContextMenuHandlers4_.DEFAULT: [ FileSyncEx] -> {CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} => -> No File
ContextMenuHandlers5_.DEFAULT: [ FileSyncEx] -> {CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} => -> No File
C:\Users\tomas\AppData\Local\Temp
AlternateDataStreams: C:\ProgramData\Reprise:wupeogjxlctlfudivq`qsp`20hfm [0]
AlternateDataStreams: C:\Users\tomas\AppData\Local\Temp:com.affinity.designer.2 [366]
AlternateDataStreams: C:\Users\tomas\AppData\Local\Temp:com.affinity.photo.2 [320]
C:\Users\tomas\Downloads\setup_x86_x64_install.exe

EmptyTemp:
Hosts:
End
*****************

Processes closed successfully.
"HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\" => not found
"HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\SunJavaUpdateSched" => not found
HKU\S-1-5-21-434153615-1448201401-3235158447-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2199e05f-9616-11ea-b2b5-3c6aa7f536f5} => removed successfully
HKU\S-1-5-21-434153615-1448201401-3235158447-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9abb4ff9-9800-11e9-b207-3c6aa7f536f5} => removed successfully
C:\Windows\system32\GroupPolicy\Machine => moved successfully
C:\Windows\system32\GroupPolicy\GPT.ini => moved successfully
C:\Windows\SysWOW64\GroupPolicy\GPT.ini => moved successfully
C:\ProgramData\NTUSER.pol => moved successfully
HKLM\SOFTWARE\Policies\Mozilla => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{40E1F338-233C-4062-90FF-7996617A6C77}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{40E1F338-233C-4062-90FF-7996617A6C77}" => removed successfully
C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore => moved successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GoogleUpdateTaskMachineCore" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{47FD5390-4D4F-4781-8E50-56DC21D4D1EA}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{47FD5390-4D4F-4781-8E50-56DC21D4D1EA}" => removed successfully
C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA => moved successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GoogleUpdateTaskMachineUA" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{F95129DB-F56C-42F7-A33E-67ABC2BC2C02}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F95129DB-F56C-42F7-A33E-67ABC2BC2C02}" => removed successfully
C:\Windows\System32\Tasks\Microsoft\Windows\EnterpriseMgmt\6C5A9F00-50DE-4392-8402-A5151D3CF5EC\OS Edition Upgrade event listener created by enrollment client => moved successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\EnterpriseMgmt\6C5A9F00-50DE-4392-8402-A5151D3CF5EC\OS Edition Upgrade event listener created by enrollment client" => removed successfully
"C:\Windows\System32\Tasks\Intel\Thunderbolt\Start Thunderbolt service on boot if driver is up" was unlocked. <==== ATTENTION" => not found
HKLM\System\CurrentControlSet\Services\aswbdisk => could not remove, key could be protected
"C:\Windows\system32\Tasks\GoogleUpdateTaskMachineUA" => not found
"C:\Windows\system32\Tasks\GoogleUpdateTaskMachineCore" => not found
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ AccExtIco1 => not found
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ AccExtIco2 => not found
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ AccExtIco3 => not found
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00asw => removed successfully
HKLM\Software\Classes\CLSID\{472083B0-C522-11CF-8763-00608CC02F24} => could not remove, key could be protected
HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers\ FileSyncEx => removed successfully
HKLM\Software\Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} => removed successfully
HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers\7-Zip => removed successfully
HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers\AccExt => removed successfully
HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers\ANotepad++64 => removed successfully
HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers\BriefcaseMenu => removed successfully
"HKLM\Software\Classes\CLSID\{85BBD920-42A0-1069-A2E4-08002B30309D}" => removed successfully
HKLM\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers\{4A7C4306-57E0-4C0C-83A9-78C1528F618C} => removed successfully
HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers\ FileSyncEx => removed successfully
HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers\7-Zip => removed successfully
HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers\AccExt => removed successfully
HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers\BriefcaseMenu => removed successfully
HKU\.DEFAULT\Software\Classes\*\ShellEx\ContextMenuHandlers\ FileSyncEx => removed successfully
HKU\.DEFAULT\SOFTWARE\Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} => removed successfully
HKU\.DEFAULT\Software\Classes\Directory\ShellEx\ContextMenuHandlers\ FileSyncEx => removed successfully
HKU\.DEFAULT\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers\ FileSyncEx => removed successfully
C:\Users\tomas\AppData\Local\Temp => moved successfully
C:\ProgramData\Reprise => ":wupeogjxlctlfudivq`qsp`20hfm" ADS removed successfully
"C:\Users\tomas\AppData\Local\Temp" => ":com.affinity.designer.2" ADS not found.
"C:\Users\tomas\AppData\Local\Temp" => ":com.affinity.photo.2" ADS not found.
"C:\Users\tomas\Downloads\setup_x86_x64_install.exe" => not found
C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.

=========== EmptyTemp: ==========

BITS transfer queue => 13131776 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 17031621 B
Java, Flash, Steam htmlcache => 445660170 B
Windows/system/drivers => 116425529 B
Edge => 36916 B
Chrome => 96359680 B
Firefox => 9543292 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 168 B
LocalService => 4974 B
NetworkService => 29915604 B
tomas => 39912068 B

RecycleBin => 0 B
EmptyTemp: => 732.4 MB temporary data Removed.

================================

Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 05-03-2021 16:17:49)


Result of scheduled keys to remove after reboot:

HKLM\System\CurrentControlSet\Services\aswbdisk => could not remove, key could be protected
HKLM\Software\Classes\CLSID\{472083B0-C522-11CF-8763-00608CC02F24} => could not remove, key could be protected

==== End of Fixlog 16:17:49 ====

Re: nekdo mi pouziva PC? - prosim o kontrolu

Napsal: 05 bře 2021 16:51
od Rudy
Zřejmě ano. Nastala nějaká změna?

Re: nekdo mi pouziva PC? - prosim o kontrolu

Napsal: 05 bře 2021 17:19
od tomasnikl
Rudy píše: 05 bře 2021 16:51 Zřejmě ano. Nastala nějaká změna?
nevim jakou zmenu mam pozorovat. Ani v dobe, kdy byla zneuzita karta na Facebooku nic neindikovalo nejaky bordel v PC. Ani vcera pri tech pokusech o prihlaseni jsem nemel zadne podezreni a i tak se to stalo to z me IP adresy. Avast jsem ted pustil a porad se to tvari vse v poradku stejne jako rano. Prosel jsem log z routeru a ani tam nejsou zadne pokusy o prihlaseni do nej, takze i nejakou diru zde jsem vyloucil (hesla na prvcich site mam dlouha a silna, firmware na vsech zarizenich aktualni (aktualizoval jsem cca tyden zpet). Jak rikam, nikdy jsem nemel podezreni na nejaky virus nebo podobnou havet, takze nevim jakym zpusobem poznat, zda ke zmene doslo nebo ne.

Trochu me to desi, protoze zadny antivir nedetekoval problem a i tak doslo k pokusum o prihlaseni z me IP na stranky, kde mam ulozene finance a v dobe, kdy byl muj PC zapnuty. Nemam tuseni kde nejaka dira muze byt a zda se timto opravila ci ne.

Re: nekdo mi pouziva PC? - prosim o kontrolu

Napsal: 05 bře 2021 17:55
od Rudy
Váš PC bude nejspíše v pořádku. FB vám mohl někdo hacknout přímo, aniž by použil vaše PC. Pokud by se problém opakoval, nahlešte to přímo jejich podpoře. Bankovní účet vám nikdo nehackne, pokud nesdělíte přístupové údaje a v PC jsem nenašel žádný backdoor, který by mohl někam něco posílat.

Re: nekdo mi pouziva PC? - prosim o kontrolu

Napsal: 05 bře 2021 18:12
od tomasnikl
Dekuji za odpoved.

FB hacknuty naprimo se mi zda velmi nepravdepodobne vzhledem k tomu, ze mam zaple 2FA overeni a heslo vygenerovane Chromem. Dokonce jsem si zacatkem roku nechal vydat novou kartu (puvodni expirovala) a na FB jsem nikdy nic neplatil a reklamy uz vubec, tzn. ze ani par mesicu stara karta na FB nikdy pridana nebyla a penize byly strzeny touto kartou pres muj FB, ktery mam zabezpeceny pomoci 2FA :) Kdyz jsem to rano zjistil a na FB koukl, byl jsem v prohlizeci odhlaseny a po prihlaseni jsem ho mel v anglictine :)

A ta druha vec, ze doslo k pokusum o prihlaseni den po exportu hesel z prohlizece do citelne podoby je take hodne podezrela.

Cele to je velmi zvlastni :) asi pro jistotu cely pocitac smazu a preinstaluju. Neumim si to vysvetlit a docela me to desi.

Dokonce zde mam email ze vcerejsiho vecera, kdy doslo k pokusu o login na bittrex:
Location: CZ
IP Address: 185.64.40.38
Device Name: Chrome on Windows
Browser: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Ta verze prohlizece je naprosto totozna s tou, kterou ja v PC mam. IP adresa taktez moje. :)

Mam v domacnosti na wifi i zarizeni jako: Google Home, Xiaomi roboticky vysavac, AEG troubu, chytre zasuvky/relle od firmy Shelly, TV Samsung, tiskarnu HP a pote nejaka Apple zarizeni. Muze byt teoreticky problem v nich? Napr vysavac, shelly zasuvky se daji totiz ovladat i vzdalene pres cloud. Nevite nekdo o nejakych aktualni bezpecnostitch dirach?

Dekuju vam za ochotu a cas, ktery jste zkoumani logu venoval.

Re: nekdo mi pouziva PC? - prosim o kontrolu

Napsal: 05 bře 2021 18:58
od Rudy
PC nemusí být příčinou vašeho problému. U těch chytrých zařízení problém být může, s tím vám ale neporadím, my se tu zabýváme jen oper. systémem Windows. Další místo, kde by problém mohl být je wifi router. Ten opravíte tak, že ho resetnete do tov. nastavení a znovu nastavíte. To se týká především zařízení TP-Link.

Re: nekdo mi pouziva PC? - prosim o kontrolu

Napsal: 05 bře 2021 19:22
od tomasnikl
Dekuji za odpoved :) uz jsem to resil i s poskytovatelem a bylo mi sdeleno, ze policie resi v teto dobe na jeho siti zneuziti karet, mhze to s tim souviset, az ted jsem si totiz vsiml, ze k pokusum o prihlaseni doalo z IP koncici na 38 ale moje konci 18. Tudiz jina cast mesta. Pokud je to problem az za routerem tak s tim asi nic moc neudelam. Dekuji jeste jednou 😉

Re: nekdo mi pouziva PC? - prosim o kontrolu

Napsal: 05 bře 2021 19:48
od Rudy
OK a nemáte zač!
Všechny časy jsou v UTC+01:00
Stránka 1 z 1

Založeno na phpBB® Forum Software © phpBB Limited

Český překlad – phpBB.cz