VIRY.CZ

Dobrý den,
kolegyně mi opět přinesla notebook, který ji občas zlobí, tentokrát s tím že Eset píše, že Eset nefunguje...
V zipu posílám náhledy z Esetu, u kterého Rezidentní ochrana souborového systému není funkční. Zkoušel jsem ji zapnout, ale zapnutá je. Po vypnutí a opětovném zapnutí to zůstane stejné, stav Esetu se nezmění. Posílám taky náhled z Protokolů, kde jde vidět, že některé ochrany Esetu se "samy od sebe" vypínají a zapínají...
Posílám taky výpis z Esetu o zachyceném šmejdovi a logy z FRST.
Prosím o pomoc s nápravou stavu notebooku a již předem za pomoc děkuji.
S pozdravem Pavel Papežík

Zdravím!
Spusťte tuto utilitu:

Ulozte na plochu AdwCleaner https://malwarebytes.com/adwcleaner/ nebo http://www.bleepingcomputer.com/download/adwcleaner/

ukoncete vsechny programy
odsouhlaste licencni podmiky (EULA) klikem na Souhlasim
kliknete pravym na ikonu AdwCleaneru a vyberte Spustit jako spravce (v pripade Win XP spustte obycejne dvojklikem)
kliknete na Skenovat nyni (Scan now), pote na Cisteni a opravy (Clean and Repair)
po restartu na Vas vyskoci log (pripadne jej najdete v C:\AdwCleaner\Logs\AdwCleaner[Cxx].txt), jehoz obsah zkopirujte do pristi odpovedi

# -------------------------------
# Malwarebytes AdwCleaner 8.2.0.0
# -------------------------------
# Build: 03-22-2021
# Database: 2021-04-01.1 (Cloud)
# Support: https://www.malwarebytes.com/support
#
# -------------------------------
# Mode: Scan
# -------------------------------
# Start: 04-07-2021
# Duration: 00:00:07
# OS: Windows 10 Pro
# Scanned: 31984
# Detected: 5


***** [ Services ] *****

No malicious services found.

***** [ Folders ] *****

No malicious folders found.

***** [ Files ] *****

No malicious files found.

***** [ DLL ] *****

No malicious DLLs found.

***** [ WMI ] *****

No malicious WMI found.

***** [ Shortcuts ] *****

No malicious shortcuts found.

***** [ Tasks ] *****

No malicious tasks found.

***** [ Registry ] *****

No malicious registry entries found.

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries found.

***** [ Chromium URLs ] *****

No malicious Chromium URLs found.

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries found.

***** [ Firefox URLs ] *****

No malicious Firefox URLs found.

***** [ Hosts File Entries ] *****

No malicious hosts file entries found.

***** [ Preinstalled Software ] *****

Preinstalled.LenovoServiceBridge Folder C:\Users\papepa\AppData\Local\PROGRAMS\LENOVO\LENOVO SERVICE BRIDGE
Preinstalled.LenovoServiceBridge Registry HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{2C74547D-EF88-47F4-85F5-BE46A31E26B7}_is1
Preinstalled.LenovoUpdate Folder C:\Program Files (x86)\LENOVO\SYSTEM UPDATE
Preinstalled.LenovoUpdate Registry HKLM\Software\Wow6432Node\\Classes\CLSID\{03C6CC92-68F2-4961-9A73-CAECA350BD08}
Preinstalled.LenovoUpdate Registry HKLM\Software\Wow6432Node\\Microsoft\Windows\CurrentVersion\Uninstall\TVSU_is1


AdwCleaner[S00].txt - [1696 octets] - [13/11/2020 12:43:46]
AdwCleaner[S01].txt - [1757 octets] - [07/12/2020 13:15:26]
AdwCleaner[S02].txt - [1931 octets] - [22/03/2021 14:12:51]
AdwCleaner[S03].txt - [1992 octets] - [22/03/2021 14:13:44]

########## EOF - C:\AdwCleaner\Logs\AdwCleaner[S04].txt ##########

Preinstalled můžete ponechat, jsou to neškodné utility od Lenovo. Otevřte poznámkový blok a zkopírujte do něj:

Start

CloseProcesses:
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
Task: {2795268D-E3EE-4DFE-AA53-CA3171A65CD6} - System32\Tasks\Microsoft\Windows\RemoteApp and Desktop Connections Update\papepa@zs-vsechovice.local\Report update status => %SYSTEMROOT%\System32\RUNDLL32 tsworkspace,WorkspaceStatusNotify2
"C:\Windows\System32\Tasks\Microsoft\Windows\GroupPolicy\{A7719E0F-10DB-4640-AD8C-490CC6AD5202}" was unlocked. <==== ATTENTION
Task: {354C9B68-93A8-4113-BB4A-315DF85A16C8} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [154920 2020-09-25] (Google Inc -> Google LLC)
Task: {7FE0E3DE-12A8-4042-9CDE-E9BB6A86FC61} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [154920 2020-09-25] (Google Inc -> Google LLC)
Task: {B1155B2A-2B04-4E0E-925B-C32B4603D821} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentLogOn2016 => C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe [2282896 2021-03-17] (Microsoft Corporation -> Microsoft Corporation)
"C:\Windows\System32\Tasks\Microsoft\Windows\GroupPolicy\{3E0A038B-D834-4930-9981-E89C9BFF83AA}" was unlocked. <==== ATTENTION
ShellIconOverlayIdentifiers: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive7] -> {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive7] -> {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} => -> No File

EmptyTemp:
End

Uložte na plochu jako fixlist.txt. Spusťte znovu FRST a klikněte na >Fix<. Po skončení akce se objeví log, který sem zkopírujte.

Fix result of Farbar Recovery Scan Tool (x64) Version: 05-04-2021
Ran by papepa (07-04-2021 17:14:30) Run:1
Running from C:\Users\papepa\Desktop
Loaded Profiles: papepa & lokadmin
Boot Mode: Normal
==============================================

fixlist content:
*****************
Start

CloseProcesses:
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
Task: {2795268D-E3EE-4DFE-AA53-CA3171A65CD6} - System32\Tasks\Microsoft\Windows\RemoteApp and Desktop Connections Update\papepa@zs-vsechovice.local\Report update status => %SYSTEMROOT%\System32\RUNDLL32 tsworkspace,WorkspaceStatusNotify2
"C:\Windows\System32\Tasks\Microsoft\Windows\GroupPolicy\{A7719E0F-10DB-4640-AD8C-490CC6AD5202}" was unlocked. <==== ATTENTION
Task: {354C9B68-93A8-4113-BB4A-315DF85A16C8} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [154920 2020-09-25] (Google Inc -> Google LLC)
Task: {7FE0E3DE-12A8-4042-9CDE-E9BB6A86FC61} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [154920 2020-09-25] (Google Inc -> Google LLC)
Task: {B1155B2A-2B04-4E0E-925B-C32B4603D821} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentLogOn2016 => C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe [2282896 2021-03-17] (Microsoft Corporation -> Microsoft Corporation)
"C:\Windows\System32\Tasks\Microsoft\Windows\GroupPolicy\{3E0A038B-D834-4930-9981-E89C9BFF83AA}" was unlocked. <==== ATTENTION
ShellIconOverlayIdentifiers: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive7] -> {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive7] -> {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} => -> No File

EmptyTemp:
End
*****************

Processes closed successfully.
C:\ProgramData\NTUSER.pol => moved successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{2795268D-E3EE-4DFE-AA53-CA3171A65CD6}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2795268D-E3EE-4DFE-AA53-CA3171A65CD6}" => removed successfully
C:\Windows\System32\Tasks\Microsoft\Windows\RemoteApp and Desktop Connections Update\papepa@zs-vsechovice.local\Report update status => moved successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\RemoteApp and Desktop Connections Update\papepa@zs-vsechovice.local\Report update status" => removed successfully
"C:\Windows\System32\Tasks\Microsoft\Windows\GroupPolicy\{A7719E0F-10DB-4640-AD8C-490CC6AD5202}" was unlocked. <==== ATTENTION" => not found
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{354C9B68-93A8-4113-BB4A-315DF85A16C8}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{354C9B68-93A8-4113-BB4A-315DF85A16C8}" => removed successfully
C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA => moved successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GoogleUpdateTaskMachineUA" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{7FE0E3DE-12A8-4042-9CDE-E9BB6A86FC61}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7FE0E3DE-12A8-4042-9CDE-E9BB6A86FC61}" => removed successfully
C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore => moved successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GoogleUpdateTaskMachineCore" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{B1155B2A-2B04-4E0E-925B-C32B4603D821}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B1155B2A-2B04-4E0E-925B-C32B4603D821}" => removed successfully
C:\Windows\System32\Tasks\Microsoft\Office\OfficeTelemetryAgentLogOn2016 => moved successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Office\OfficeTelemetryAgentLogOn2016" => removed successfully
"C:\Windows\System32\Tasks\Microsoft\Windows\GroupPolicy\{3E0A038B-D834-4930-9981-E89C9BFF83AA}" was unlocked. <==== ATTENTION" => not found
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive1 => removed successfully
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive2 => removed successfully
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive3 => removed successfully
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive4 => removed successfully
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive5 => removed successfully
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive6 => removed successfully
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive7 => removed successfully
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive1 => removed successfully
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive2 => removed successfully
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive3 => removed successfully
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive4 => removed successfully
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive5 => removed successfully
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive6 => removed successfully
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive7 => removed successfully

=========== EmptyTemp: ==========

BITS transfer queue => 10510336 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 7382656 B
Java, Flash, Steam htmlcache => 0 B
Windows/system/drivers => 539190 B
Edge => 4096 B
Chrome => 18925358 B
Firefox => 0 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 2560 B
ProgramData => 2560 B
Public => 2560 B
systemprofile => 2560 B
systemprofile32 => 2560 B
LocalService => 2560 B
NetworkService => 5948792 B
papepa => 6173911 B
kocima => 55292736 B
papead => 56288013 B
lokadmin => 56394421 B

RecycleBin => 0 B
EmptyTemp: => 207.4 MB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 17:14:44 ====

OneDrive se tam podle data instalace aplikace dnes nainstalovalo a dal jsem ho odinstalovat už někdy kolem poledne.

ESET se už tváří normálně.
Co s tím bylo? Co bylo příčinou?
...pls aspoň stručně...

Nyní jsem si během čekání 2x všimnul, že procesor zvýšil na nějakou dobu svoji aktivitu na 100 %. Asi tak na minutu...

Přesně nevím, problém zmizel s vyčištěním. Podle logu tam nebylo žádné malware. Snad resetem do dřívějšího nastavení se problém odstranil. Reset dělá RSIT automaticky (bez zvl. příkazu ve fixlistu). Ostatní mazání byly jen zbytečnosti.

OK. Pokud by se to znovu opakovalo, otevřte správce úloh a zjistěte, který proces to způsobuje.

Už se mi nepodařilo ulovit ten nejaktivnější proces,
to, co je v příloze jsou asi jen běžné procesy, ale Vy to určitě posoudíte lépe.
Děkuji za pomoc, opět něco pošlu Pavel

Ten NT kernel je dost vysoko. Zkusíme ještě sken AVPTool: http://www.viry.cz/forum/viewtopic.php?f=29&t=58179 . V odkazu je popis starší verze. Utilitu stáhněte, spusťte nechte pracovat a po ukončení akce smažte vše, co eventuálně najde.

Rudy, moc děkuji za pomoc, už to nic nenašlo. Patrně to už bude v pohodě.
Ještě jednou děkuji za Tvůj čas, ochotu a obětavost.

Chci Ti nabídnout své oblíbené knihy:
https://www.adventorion.cz/ke-stazeni/zobrazit/791 Touha věků je moje nejoblíbenější
https://www.adventorion.cz/ke-stazeni/zobrazit/795 Kornelius Novak patří k mým oblíbeným současným autorům a tato brožurka je malá do kapsy...

Děkuji Rudy

Rádo se stalo a děkuji za nabídku!