Proces WmPrvSE.exe neúměrně vytěžuje procesor

[chodnik74]

A mrkneme,zda tam nemáme breberku

Malwarebytes' Anti-Malware

• Stáhneme,nainstalujeme a spustíme(pokud si nevíte rady jak,klikněte ZDE)
• Vybereme Úplná kontrola a klikneme na tlačítko Prohledat
• Program provede kontrolu počítače a na konci se vám objeví hláska,že bylo skenování dokončeno,tak potvrdíme tlačítkem OK
• Objeví se vám log,který mi sem vložte
• NIC NEMAZAT!!Program mívá občas falešné detekce,takže mazat budeme až po konzultaci

[j.benzo]

Combofix jsem stáhl a spustil,byl to takový zoufalý pokus. Asi dvacet minut se nic nedělo,nevyjel žádný log tak jsem restartnul počítač.
Vím, že jsem to asi takhle neměl dělat.Ale už se stalo.

Jinak log je zde.Start trval dlouho zase černá obrazovka a šipka.



All processes killed
========== OTL ==========
ADS C:\Windows\winsxs\x86_microsoft-windows-p..rastructureconsumer_31bf3856ad364e35_6.0.6002.18005_none_b5c807ab2d93d829\System Diagnostics.xml:0v1ieca3Feahez0jAwxjjk5uRh deleted successfully.
Unable to delete ADS C:\Windows\winsxs\x86_microsoft-windows-p..rastructureconsumer_31bf3856ad364e35_6.0.6001.18000_none_b3dc8e9f30720cdd\System Diagnostics.xml:0v1ieca3Feahez0jAwxjjk5uRh .
Unable to delete ADS C:\Windows\winsxs\x86_microsoft-windows-p..rastructureconsumer_31bf3856ad364e35_6.0.6000.16386_none_b1a5cca33386fc09\System Diagnostics.xml:0v1ieca3Feahez0jAwxjjk5uRh .
Unable to delete ADS C:\Windows\PLA\System\System Diagnostics.xml:0v1ieca3Feahez0jAwxjjk5uRh .
ADS C:\ProgramData\TEMP:0B4227B4 deleted successfully.
C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP28E3.tmp\System.Deployment.dll deleted successfully.
C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP28E3.tmp folder deleted successfully.
C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2DF2.tmp folder deleted successfully.
C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP558F.tmp folder deleted successfully.
C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP706E.tmp folder deleted successfully.
C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP81A.tmp folder deleted successfully.
C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP8813.tmp folder deleted successfully.
C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPAD49.tmp\EnvDTE.dll deleted successfully.
C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPAD49.tmp folder deleted successfully.
C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD4FA.tmp folder deleted successfully.
C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE752.tmp folder deleted successfully.
C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPEEF0.tmp folder deleted successfully.
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\RAC10F1.tmp deleted successfully.
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\RAC148B.tmp deleted successfully.
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\RAC18AB.tmp deleted successfully.
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\RAC1B5D.tmp deleted successfully.
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\RAC1FF0.tmp deleted successfully.
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\RAC20B5.tmp deleted successfully.
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\RAC21D2.tmp deleted successfully.
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\RAC331F.tmp deleted successfully.
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\RAC3572.tmp deleted successfully.
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\RAC367E.tmp deleted successfully.
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\RAC3E7E.tmp deleted successfully.
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\RAC4308.tmp deleted successfully.
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\RAC4470.tmp deleted successfully.
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\RAC4D16.tmp deleted successfully.
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\RAC4D21.tmp deleted successfully.
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\RAC4FE0.tmp deleted successfully.
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\RAC5541.tmp deleted successfully.
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\RAC5835.tmp deleted successfully.
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\RAC6402.tmp deleted successfully.
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\RAC6984.tmp deleted successfully.
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\RAC7745.tmp deleted successfully.
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\RAC7F94.tmp deleted successfully.
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\RAC7FAA.tmp deleted successfully.
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\RAC8147.tmp deleted successfully.
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\RAC81FB.tmp deleted successfully.
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\RAC846B.tmp deleted successfully.
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\RAC9421.tmp deleted successfully.
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\RAC9FDE.tmp deleted successfully.
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\RACA12E.tmp deleted successfully.
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\RACA14D.tmp deleted successfully.
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\RACA61F.tmp deleted successfully.
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\RACA813.tmp deleted successfully.
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\RACA8AA.tmp deleted successfully.
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\RACAFAF.tmp deleted successfully.
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\RACB3E8.tmp deleted successfully.
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\RACB88A.tmp deleted successfully.
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\RACB9E5.tmp deleted successfully.
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\RACBC1D.tmp deleted successfully.
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\RACBC65.tmp deleted successfully.
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\RACC098.tmp deleted successfully.
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\RACC0BF.tmp deleted successfully.
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\RACC2FE.tmp deleted successfully.
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\RACD13F.tmp deleted successfully.
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\RACD173.tmp deleted successfully.
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\RACD1D1.tmp deleted successfully.
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\RACD24D.tmp deleted successfully.
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\RACD691.tmp deleted successfully.
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\RACDA86.tmp deleted successfully.
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\RACE215.tmp deleted successfully.
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\RACE3FF.tmp deleted successfully.
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\RACEB5.tmp deleted successfully.
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\RACF1CD.tmp deleted successfully.
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\RACF759.tmp deleted successfully.
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\RACF95C.tmp deleted successfully.
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\RACFEE7.tmp deleted successfully.
C:\Windows\twain_32\hpqgnds2.tmp deleted successfully.
C:\Users\Honza\AppData\Roaming\AVG\Rescue\PC Tuneup 2011 folder moved successfully.
C:\Users\Honza\AppData\Roaming\AVG\Rescue folder moved successfully.
C:\Users\Honza\AppData\Roaming\AVG\PC Tuneup 2011\User Reports folder moved successfully.
C:\Users\Honza\AppData\Roaming\AVG\PC Tuneup 2011 folder moved successfully.
C:\Users\Honza\AppData\Roaming\AVG folder moved successfully.
C:\Users\Honza\AppData\Roaming\AVG10\cfgall folder moved successfully.
C:\Users\Honza\AppData\Roaming\AVG10 folder moved successfully.
Prefs.js: "Crawler Search" removed from browser.search.defaultenginename
Prefs.js: "Crawler Search" removed from browser.search.order.1
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Honza
->Temp folder emptied: 21415585 bytes
->Temporary Internet Files folder emptied: 1666339 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 13239997 bytes
->Google Chrome cache emptied: 110657929 bytes
->Flash cache emptied: 620 bytes

User: Honzík
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: OPLAYE7
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public

User: Péťa
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Softpedia

User: user

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 8430994 bytes
RecycleBin emptied: 16991080 bytes

Total Files Cleaned = 164,00 mb


OTL by OldTimer - Version 3.2.27.0 log created on 09022011_084432

Files\Folders moved on Reboot...
File move failed. C:\Windows\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.
File move failed. C:\Windows\temp\gnserv.dat scheduled to be moved on reboot.
File move failed. C:\Windows\temp\spserv.dat scheduled to be moved on reboot.

Registry entries deleted on Reboot...

[chodnik74]

Ostatní kroky provedeny?

Pokračujte MBAM

[j.benzo]

Tady je protokol od odbreberkovávače.
Nemám problém nakažené odinstalovat nebo smazat


Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Verze databáze: 7635

Windows 6.0.6002 Service Pack 2
Internet Explorer 9.0.8112.16421

2.9.2011 10:15:03
mbam-log-2011-09-02 (10-14-46).txt

Typ: Úplná kontrola (C:\|D:\|)
Kontrolované objekty: 340638
Uplynulý čas: 55 minut, 14 sekund

Infikované procesy v paměti: 0
Infikované moduly v paměti: 0
Infikované klíče v registru: 0
Infikované hodnoty v registru: 0
Infikované datové položky v registru: 0
Infikované složky: 0
Infikované soubory: 4

Infikované procesy v paměti:
(Žádné škodlivé položky nebyly zjištěny)

Infikované moduly v paměti:
(Žádné škodlivé položky nebyly zjištěny)

Infikované klíče v registru:
(Žádné škodlivé položky nebyly zjištěny)

Infikované hodnoty v registru:
(Žádné škodlivé položky nebyly zjištěny)

Infikované datové položky v registru:
(Žádné škodlivé položky nebyly zjištěny)

Infikované složky:
(Žádné škodlivé položky nebyly zjištěny)

Infikované soubory:
c:\program files\intel\wifi\bin\langresources\deu\menu-diamond.gif (Extension.Mismatch) -> No action taken.
d:\Users\Honza\documents\video a foto\Stubs\7068c5d9563fe47078a3188067f01b63dcc26e\PhotoBee.exe (Trojan.Backdoor) -> No action taken.
d:\Users\Honza\downloads\video_editor_5.2.2.173\MPT\video editor 5.2.2.173\patch\avs4you.all.products.activator.v1.3b-mpt.exe (PUP.Hacktool.Patcher) -> No action taken.
d:\Users\Honza\Videos\sygic 8_16 android\sygic 8_16 android\sygickg_win.exe (Worm.AutoRun) -> No action taken.

[chodnik74]

Nalezené položky smazat

[chodnik74]

Odinstaloval jste ty programy,co jsem psal zde: http://www.viry.cz/forum/viewtopic.php? ... 6#p1029736

Jak se chová pc po restartu?

[j.benzo]

Programy odinstalovány.
Restart provedu až budu doma. Teď jsem připojen přes TeamViewer a nevím jestli se dostanu po restartu přes přihlašovací obrazovku. Tak za hodinku.

[chodnik74]

Pokud máte zapnutý teamviewer nastálo,aby byl pořád spuštěný,máte ID a nastavíte pevné heslo,tak se přihlásíte i na přihlašovací obrazovce ale já počkám

[j.benzo]

Tak start pokračuje po přihlášení zase černou obrazovkou a spuštění trvá cca5min,ale naběhne.
Win.defender hlásí blokované programy po spuštění.(ani nevím,že jsem ho aktivoval)
Možná je to tím, že jsem se přihlásil na dálku.
Proces WmPrvSE nevidím. Procesor odpočívá.

[chodnik74]

Zkusíme pak Combofix až budeš doma

Program nepoužívejte bez doporučení Rádce a pozorně se řiďte následujících pokynu,protože program netoleruje chyby a může dojít k úplnému poškození systému!!

• Stáhneme si Combofix
• Program uložíme nejlépe na Plochu
• Vypneme všechny rezidentní štíty.Jak antiviru,tak antispywaru a firewallu
• Vypneme všechny běžící aplikace (ICQ,prohlížeč,programy) a necháme pouze Combofix
• Spustíme Combofix.exe s administrátorským oprávněním
  U Windows XP se přihlásíme pod účtem správce
  Ve Windows 7 a Vista klikněte pravým tlačítkem myši na Combofix.exe a dejte ,,Spustit jako správce,,)
• Hned po startu programu na vás vyskočí licenční podmínky,tak potvrdíme tlačítkemANO
• Pokud vám Combofix nabídne instalaci Konzoly pro zotavení,tak souhlaste a nechte nainstalovat(zde je potřeba aktivní připojení na internet)
• Pokračujte dle pokynů programu a během skenování na nic neklikejte,na pc nepracujte(ICQ,jiné aplikace,internet..).Nechte počítač v klidu.
• Celý sken tvá mezi 5-15 min,ale pokud je v PC hodně havěti,tak se čas může lišit.
• Po skončení skenování(případném restartu počítače) se vám zobrazí log z Combofixu,který mi vložte sem(Kdyby se log nezobrazil,tak jej najdete zde: C:\ComboFix.txt
• (Pokud si nevíte rady s kterýmkoliv z výše uvedených kroků,tak se ptejte nebo mrkněte na detailnější návod včetně obrázků http://www.bleepingcomputer.com/combofi ... t-combofix )

[j.benzo]

ComboFix 11-09-02.02 - Honza 02.09.2011 20:39:56.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1250.420.1029.18.2045.1001 [GMT 2:00]
Spuštěný z: c:\users\Honza\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
.
.
((((((((((((((((((((((((( Soubory vytvořené od 2011-08-02 do 2011-09-02 )))))))))))))))))))))))))))))))
.
.
2011-09-02 19:20 . 2011-09-02 19:20 -------- d-----w- c:\users\Honza\AppData\Local\temp
2011-09-02 19:20 . 2011-09-02 19:20 -------- d-----w- c:\users\Péťa\AppData\Local\temp
2011-09-02 19:20 . 2011-09-02 19:20 -------- d-----w- c:\users\OPLAYE7\AppData\Local\temp
2011-09-02 07:14 . 2011-09-02 07:14 -------- d-----w- c:\users\Honza\AppData\Roaming\Malwarebytes
2011-09-02 07:13 . 2011-07-06 17:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-09-02 07:13 . 2011-09-02 07:13 -------- d-----w- c:\programdata\Malwarebytes
2011-09-02 07:13 . 2011-09-02 07:14 -------- dc----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-02 07:13 . 2011-07-06 17:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-02 07:11 . 2011-08-16 06:48 7152464 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{23D384A1-0881-4335-87B2-E129A1027AAE}\mpengine.dll
2011-09-01 15:15 . 2011-09-01 15:15 512 -c--a-w- C:\PhysicalMBR.bin
2011-08-31 17:56 . 2011-08-31 17:56 -------- dc----w- c:\program files\Microsoft IntelliPoint
2011-08-31 17:53 . 2011-08-31 17:53 -------- dc----w- c:\program files\Common Files\Java
2011-08-31 16:12 . 2011-07-04 11:36 309848 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-08-31 16:12 . 2011-07-04 11:32 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-08-31 16:12 . 2011-07-04 11:36 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-08-31 16:12 . 2011-07-04 11:35 43608 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-08-31 16:12 . 2011-07-04 11:32 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-08-31 16:12 . 2011-07-04 11:32 54104 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-08-31 16:11 . 2011-07-04 11:43 40112 ----a-w- c:\windows\avastSS.scr
2011-08-31 16:11 . 2011-07-04 11:43 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-08-31 16:10 . 2011-08-31 16:10 -------- dc----w- c:\program files\AVAST Software
2011-08-31 16:10 . 2011-08-31 16:10 -------- d-----w- c:\programdata\AVAST Software
2011-08-31 08:21 . 2011-08-31 17:01 -------- dc----w- c:\program files\FileHippo.com
2011-08-31 06:47 . 2011-09-01 08:52 -------- dc----w- c:\program files\trend micro
2011-08-31 06:47 . 2011-08-31 06:48 -------- dc----w- C:\rsit
2011-08-30 21:35 . 2011-08-31 16:21 -------- dc----w- c:\program files\Spybot - Search & Destroy
2011-08-30 21:06 . 2011-08-30 21:06 -------- dc----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2011-08-30 21:06 . 2011-08-30 21:06 -------- dc----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2011-08-30 21:06 . 2011-08-30 21:06 -------- dc----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2011-08-30 21:02 . 2011-08-31 16:21 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-08-30 21:00 . 2011-08-30 21:01 -------- d-----w- c:\users\Honza\AppData\Roaming\GetRightToGo
2011-08-30 19:37 . 2011-08-30 19:37 -------- dc----w- C:\$AVG
2011-08-24 16:55 . 2011-07-11 13:25 2048 ----a-w- c:\windows\system32\tzres.dll
2011-08-10 07:06 . 2011-06-06 10:59 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2011-08-10 07:06 . 2011-07-06 15:31 214016 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-08-10 07:06 . 2011-06-17 16:03 375808 ----a-w- c:\windows\system32\winsrv.dll
2011-08-10 07:05 . 2011-06-20 08:54 3602832 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-08-10 07:05 . 2011-06-20 08:54 3550096 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-08-10 07:05 . 2011-06-17 20:13 905104 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-08-07 07:39 . 2011-08-07 07:39 -------- d-----w- c:\programdata\AVS4YOU
2011-08-07 07:39 . 2011-08-07 07:39 -------- d-----w- c:\users\Honza\AppData\Roaming\AVS4YOU
2011-08-07 07:36 . 2010-11-19 07:47 10915840 ----a-w- c:\windows\system32\libmfxhw32.dll
2011-08-07 07:36 . 2010-11-19 07:47 10833920 ----a-w- c:\windows\system32\libmfxsw32.dll
2011-08-07 07:35 . 2011-08-07 07:37 -------- dc----w- c:\program files\Common Files\AVSMedia
2011-08-07 07:35 . 2011-08-07 07:37 -------- dc----w- c:\program files\AVS4YOU
2011-08-07 07:35 . 2010-06-22 07:43 24576 ----a-w- c:\windows\system32\msxml3a.dll
2011-08-06 21:07 . 2011-08-06 21:18 -------- d-----w- c:\programdata\Pinnacle VideoSpin
2011-08-06 21:07 . 2011-08-06 21:07 -------- dc----w- c:\program files\Pinnacle
2011-08-06 21:07 . 2011-08-06 21:07 -------- dc----w- c:\program files\Common Files\Yahoo!
2011-08-06 21:03 . 2011-08-06 21:03 -------- d-----w- c:\programdata\Pinnacle
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-31 17:51 . 2010-12-19 22:25 544656 ----a-w- c:\windows\system32\deployJava1.dll
2011-08-17 19:08 . 2011-05-18 17:57 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-01 13:56 . 2011-08-01 13:56 45288 ----a-w- c:\windows\system32\drivers\dc3d.sys
2011-08-01 13:56 . 2011-08-01 13:56 40936 ----a-w- c:\windows\system32\drivers\point32.sys
2011-08-01 13:56 . 2011-08-01 13:56 395624 ----a-w- c:\windows\system32\ipcoin82.dll
2011-08-01 13:56 . 2011-08-01 13:56 21784 ----a-w- c:\windows\system32\drivers\nuidfltr.sys
2011-07-30 06:49 . 2011-07-30 06:49 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-06-21 21:23 . 2011-06-21 21:23 389136 ----a-w- c:\windows\system32\FTBSaver.scr
2011-06-16 20:29 . 2011-04-15 17:08 416 ----a-w- c:\programdata\Microsoft\MSDN\9.0\1033\ResourceCache.dll
2011-07-15 17:34 . 2011-03-23 21:02 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-07-04 11:43 122512 -c--a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2006-11-09 3784704]
"LaunchAp"="c:\program files\Launch Manager\LaunchAp.exe" [2005-07-25 32768]
"HotkeyApp"="c:\program files\Launch Manager\HotkeyApp.exe" [2006-12-14 192512]
"LMgrVolOSD"="c:\program files\Launch Manager\OSD.exe" [2006-12-26 180224]
"WatcherHelper"="c:\program files\Sierra Wireless Inc\3G Watcher\WaHelper.exe" [2007-03-28 114688]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-30 13605408]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2009-05-05 1466368]
"WPCUMI"="c:\windows\system32\WpcUmi.exe" [2006-11-02 176128]
"fssui"="c:\program files\Windows Live\Family Safety\fsui.exe" [2011-05-13 884584]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-12-22 2049320]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-07-04 3493720]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 1821576]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2010-5-28 276328]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0oodbs
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
R1 mailKmd;mailKmd; [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 androidusb;SAMSUNG Android Composite ADB Interface Driver;c:\windows\system32\Drivers\ssadadb.sys [2010-08-27 30312]
R3 appliandMP;appliandMP;c:\windows\system32\DRIVERS\appliand.sys [x]
R3 AVerFx2hbtv;AVerMedia USB SW Hybrid Tuner;c:\windows\system32\drivers\AVerFx2hbtv.sys [2009-12-08 437888]
R3 dgderdrv;dgderdrv;c:\windows\system32\drivers\dgderdrv.sys [x]
R3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2010-02-23 14216]
R3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2010-02-23 8456]
R3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.SYS [2010-10-25 36640]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-07-06 41272]
R3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2010-07-26 137600]
R3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2010-07-26 8576]
R3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\DRIVERS\ssadbus.sys [2010-08-27 96488]
R3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\DRIVERS\ssadmdfl.sys [2010-08-27 12776]
R3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\DRIVERS\ssadmdm.sys [2010-08-27 121576]
R3 SWNC8U00;Sierra Wireless MUX NDIS Driver (UMTS00);c:\windows\system32\DRIVERS\swnc8u00.sys [2007-03-12 102272]
R3 SWUMX00;Sierra Wireless USB MUX Driver (UMTS00);c:\windows\system32\DRIVERS\swumx00.sys [2007-03-12 72576]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-07-04 54104]
S2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program files\Firebird\bin\fbguard.exe [2007-12-11 65536]
S2 IAStorDataMgrSvc;Úložná technologie Intel(R) Rapid;c:\program files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-11-05 13336]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-07-06 366640]
S2 ScrybeUpdater;Aktualizátor aplikace Scrybe;c:\program files\Synaptics\Scrybe\Service\ScrybeUpdater.exe [2011-01-14 1294848]
S2 SentinelKeysServer;Sentinel Keys Server;c:\program files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe [2008-07-10 328992]
S2 TeamViewer6;TeamViewer 6;c:\program files\TeamViewer\Version6\TeamViewer_Service.exe [2011-06-01 2337144]
S3 dc3d;MS Hardware Device Detection Driver;c:\windows\system32\DRIVERS\dc3d.sys [2011-08-01 45288]
S3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\Firebird\bin\fbserver.exe [2007-12-11 1531989]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-07-06 22712]
S3 NETwLv32; Ovladač adaptéru řady Intel(R) Wireless WiFi Link 5000 pro systém Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETwLv32.sys [2010-10-07 6639616]
S3 pneteth;PdaNet Broadband;c:\windows\system32\DRIVERS\pneteth.sys [2010-09-02 13312]
S3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\DRIVERS\teamviewervpn.sys [2011-03-30 25088]
S3 WisLMSvc;WisLMSvc;c:\program files\Launch Manager\WisLMSvc.exe [2006-11-17 118784]
S3 WSDPrintDevice;Podpora tisku WSD prostřednictvím funkce UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2008-01-18 16896]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
HPService REG_MULTI_SZ HPSLPSVC
bthsvcs REG_MULTI_SZ BthServ
.
Obsah adresáře 'Naplánované úlohy'
.
2011-03-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3961242829-2454810961-2216918179-1000Core.job
- c:\users\Honza\AppData\Local\Google\Update\GoogleUpdate.exe [2010-12-19 06:15]
.
2011-03-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3961242829-2454810961-2216918179-1000UA.job
- c:\users\Honza\AppData\Local\Google\Update\GoogleUpdate.exe [2010-12-19 06:15]
.
2011-08-31 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2011-08-01 13:56]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.seznam.cz/
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\wpclsp.dll
TCP: DhcpNameServer = 192.168.10.1
FF - ProfilePath - c:\users\Honza\AppData\Roaming\Mozilla\Firefox\Profiles\9mc55dld.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.seznam.cz/
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q=
FF - prefs.js: network.proxy.type - 0
FF - user.js: network.proxy.http -
FF - user.js: network.proxy.http_port - 0
FF - user.js: network.proxy.type - 0
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -
.
SafeBoot-WudfPf
SafeBoot-WudfRd
AddRemove-01_Simmental - c:\program files\Samsung\USB Drivers\01_Simmental\Uninstall.exe
AddRemove-02_Siberian - c:\program files\Samsung\USB Drivers\02_Siberian\Uninstall.exe
AddRemove-03_Swallowtail - c:\program files\Samsung\USB Drivers\03_Swallowtail\Uninstall.exe
AddRemove-04_semseyite - c:\program files\Samsung\USB Drivers\04_semseyite\Uninstall.exe
AddRemove-07_Schorl - c:\program files\Samsung\USB Drivers\07_Schorl\Uninstall.exe
AddRemove-15_Symbian_Samsung_PC_DLC_Driver - c:\program files\Samsung\USB Drivers\15_Symbian_Samsung_PC_DLC_Driver\Uninstall.exe
AddRemove-16_Shrewsbury - c:\program files\Samsung\USB Drivers\16_Shrewsbury\Uninstall.exe
AddRemove-24_flashusbdriver - c:\program files\Samsung\USB Drivers\24_flashusbdriver\Uninstall.exe
AddRemove-25_escape - c:\program files\Samsung\USB Drivers\25_escape\Uninstall.exe
AddRemove-{E2883E8F-472F-4fb0-9522-AC9BF37916A7} - c:\program files\NOS\bin\getPlus_Helper_3004.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-02 21:20
Windows 6.0.6002 Service Pack 2 NTFS
.
skenování skrytých procesů ...
.
skenování skrytých položek 'Po spuštění' ...
.
skenování skrytých souborů ...
.
sken byl úspešně dokončen
skryté soubory: 0
.
**************************************************************************
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Celkový čas: 2011-09-02 21:24:38
ComboFix-quarantined-files.txt 2011-09-02 19:24
.
Před spuštěním: 6 559 944 704
Po spuštění: 6 400 868 352
.
- - End Of File - - A2D48D4CD0712DF87B4072963F8A1A50

[j.benzo]

Omlouvám se,ale koukám,že jsem přehlédl,že je zapnutý win defender

[chodnik74]

Udělejte log z Gmeru dle návodu : http://www.viry.cz/forum/viewtopic.php?f=29&t=62878

[j.benzo]

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2011-09-02 21:50:30
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 FUJITSU_ rev.0000
Running: gmer.exe; Driver: C:\Users\Honza\AppData\Local\Temp\pwliafod.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x8E3AA398]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

[chodnik74]

a ještě jeden log ten větší