windows 10 1. empty window "form1" 2. defender repeatedly detect PUA

[PSYOLOT]

windows 10 1.empty window "form1" 2.defender repeatedly detect PUA

1. empty window at active desktop overview "form1" when clicked does not appear and cannot be closed.

2. win-defender repeatedly detects "PUA: Win32 / Presenoker" in win / temp folder.

3. Occasional crashes, maybe driver conflict graphic board.

p.s.: AUTOLOGGER does not reboot system in process! (is that ok?) CollectionLog-2021.07.11-10.24.zip

[Sandor-Helper]

Hello and welcome,

Did you install cFosSpeed 11.10 by yourself? If even so, temporarilly uninstall it.

Download AdwCleaner (by Malwarebytes) and save it to Desktop. Run (it should be run by right-clicking as Administrator), press "Scan" and wait. At the end of the scan log will be found at: C:\AdwCleaner\Logs\AdwCleaner[Sxx].txt (where x is any digit). Attach it to your next post here.

[PSYOLOT]

hi, thanks 4 u fast reaktion.

the program comes with the MSI DRAGON CENTER toolkit which was included in the graphics card package. That's why I uninstalled the complete package right away.

then adwarecleaner like you said 01 AdwCleaner[C00].txt

coz of the deinstallation the hole kit, again autologger as performed.

CollectionLog-2021.07.12-19.04.zip

then again adwarecleaner. AdwCleaner[S02].txt

hope that was ok

here the logs in this order

just let u know, i`m back at my computer at Friday.

[Sandor-Helper]

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

• Right click to run as administrator. When the tool opens click Yes to disclaimer.
• Press Scan button.
• It will produce logs called FRST.txt and Addition.txt in the same directory the tool is run from.
• Please attach the logs back here.

[dragokas]

Closed. Reason: no answer for 10 days. If you still need our help, please, execute the last steps, requested by a helper. Also, download again AutoLogger, prepare new CollectionLog, and write what problems remained.

[PSYOLOT]

sorry again 4 late reaktion. hope still not be mad with me.

Farbar Recovery Scan Too: Addition.txt FRST.txt

[PSYOLOT]

AutoLogger: CollectionLog-2021.07.31-06.03.zip

[Sandor-Helper]

Temporarily turn off any antivirus. Highlight following code:

Start::
CreateRestorePoint:
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Beschränkung <==== ACHTUNG
GroupPolicy: Beschränkung - Chrome <==== ACHTUNG
GroupPolicy\User: Beschränkung ? <==== ACHTUNG
Policies: C:\ProgramData\NTUSER.pol: Beschränkung <==== ACHTUNG
HKLM\SOFTWARE\Policies\Google: Beschränkung <==== ACHTUNG
HKLM\SOFTWARE\Policies\Microsoft\Edge: Beschränkung <==== ACHTUNG
Task: {24889400-58C6-4285-9655-9B2ADB97FBE0} - kein Dateipfad
Task: {41ED8001-A23A-4D4F-A9CC-AAE1369F970D} - kein Dateipfad
Task: {DDC5A789-63FB-4EE3-A922-6F779CCD5666} - System32\Tasks\cFos\Registration Tasks\Open Browser => c:\program files (x86)\microsoft\edge\application\msedge.exe [3278224 2021-06-18] (Microsoft Corporation -> Microsoft Corporation)
Task: {f476606b-cd7a-469b-857c-eb256dd7fae9} - kein Dateipfad
FF user.js: detected! => C:\Users\schre\AppData\Roaming\Mozilla\Firefox\Profiles\n2ha0ya6.default-release\user.js [2021-07-17]
FirewallRules: [{8CB43BB4-7435-4088-86C5-A8743C222989}] => (Allow) LPort=32682
FirewallRules: [{AFD51244-1BC4-4A2D-9371-3D416FE43E07}] => (Allow) LPort=1980
FirewallRules: [{769FE836-1147-411D-B182-3E9540F4667A}] => (Allow) LPort=1900
FirewallRules: [{42E2E513-D417-41C4-9AAC-876130BBEE49}] => (Allow) LPort=1900
FirewallRules: [{CDF0B670-E770-4124-A891-81FBCE9C9F81}] => (Allow) LPort=8792
EmptyTemp:
Reboot:
End::

Copy highlighted text (right click - Copy). Run FRST (FRST64) as Administrator. Press Fix button once and wait. Program will create (Fixlog.txt). Attach it to the next post.

PC will reboot.

[PSYOLOT]

Fixlog.txt

[Sandor-Helper]

AUTOLOGGER does not reboot system in process! (is that ok?)

It is ok for 64-bit systems. What now whith your problems?

[PSYOLOT]

-defender found: Misleading:Win32/Lodi in a bios updatetool.exe witch i never used. I del the exe by win.defender

-window at active desktop overview "form1" still there. see on screenshot file attached.

[Sandor-Helper]

Please get new CollectionLog.zip by Autologger.

[PSYOLOT]

CollectionLog-2021.08.16-01.42.zip

get new defender note:

Microsoft Defender Antivirus hat Maßnahmen ergriffen, um den Computer vor Schadsoftware oder anderer potenziell unerwünschter Software zu schützen. Weitere Informationen: https://go.microsoft.com/fwlink/?linkid=37020&name=PUA:Win32/Presenoker&threatid=242420&enterprise=0 Name: PUA:Win32/Presenoker ID: 242420 Schweregrad: Niedrig Kategorie: Potenziell unerwünschte Software Pfad: file:_C:\Windows\Temp\89a66d52-29b1-0674-ce3d-3df7f6c382e9\115cd106-e10f-2383-52af-383b4ec56dc5.exe; file:_C:\Windows\Temp\fda1118f-abe6-559d-ed87-a931ac046dad\032ddc6c-7c31-256a-35fd-906019deb7f1.exe Erkennungsursprung: Lokaler Computer Erkennungstyp: Konkret Erkennungsquelle: Echtzeitschutz Benutzer: XXX Prozessname: C:\Program Files (x86)\nodejs\node.exe

[PSYOLOT]

i found out window "Form1" ! it is prob : C:\Program Files (x86)\Gigabyte\CloudStation\RemoteContro Prozessname: grckm.exe (32 Bit)

and comes with mainboard SOFTWARE "app control" what i do need for my CPU_FAN control

but don´t need CloudStation

[Sandor-Helper]

i found out window "Form1" !

That's great! But I'm afraid that we can't help to split up these progs. Perhaps you can write to tech support of this program or try to find separate one program to cpu fan contol. Fresh logs are clean.

[PSYOLOT]

okay, so lat us stay focus:

new defender alert:

[Sandor-Helper]

Try not to do such long gaps between your answers. Now delete old and get new FRST.txt and Addition.txt logs by FRST.

[PSYOLOT]

because of the large gaps: I am so happy about your help, it is priceless for me, so once again a big thank you to all of you!

unfortunately I have to work from my pc in an incalculable way. but try as soon as possible.

i see cfosspeed in the text file. I thought we'd already removed them? FRST.txt Addition.txt

[Sandor-Helper]

new defender alert

Is that occures once or often? I didn't see any malicious traces in logs.

i see cfosspeed in the text file. I thought we'd already removed them?

Yes we did. What you see is record showing switching off startups via msconfig. This record is harmless.

[PSYOLOT]

Is that occures once or often? often! see screenshot:

[PSYOLOT]

What you see is record showing switching off startups via msconfig. This record is harmless. i wish to clean it competly but not 4 now, try to stay focus

[PSYOLOT]

PUA:Win32/Presenoker Warnstufe: Niedrig Status: Aktiv Datum: 23.08.21 22:47 Kategorie: Potenziell unerwünschte Software Details: Das Verhalten dieses Programms ist potenziell unerwünscht. file: C:\Windows\Temp\368df4b5-168f-4572-aa26-d9cffe574046\76ed0112-b9ee-160a-640f-6be0ab3c5f2f.exe file: C:\Windows\Temp\91c9d5b9-473c-635d-01f3-d76a87f3a61b\222b9887-1699-6777-d75c-9d2716cfeabe.exe

I didn't see any malicious traces in logs<

i did "ERASE" as action b4. and i "quarantined" the new two.

[Sandor-Helper]

Please send these files to Microsoft using this guide. Result please post here.

[dragokas]

Closed. Reason: no answer for 10 days. If you still need our help, please, execute the last steps, requested by a helper. Also, download again AutoLogger, prepare new CollectionLog, and write what problems remained.