usb kluce s divnymi subormi

Zpráva

herodeso · #1 Příspěvek od **herodeso** » 03 úno 2015 17:36

dobry den.
na usb kluci sa vytvaraju divne subory s odkazmi a scriptami: tmpBC62.tmp.vbs.lnk State.lnk

toto je obsah toho prveho suboru:
L Ŕ Fá@ ) PŕOĐ ę:i˘Ř +00ť /C:\ R 1 Windows < ďľ * W i n d o w s V 1 system32 > ďľ * s y s t e m 3 2 R 2 cmd.exe < ďľ * c m d . e x e > / c s t a r t S t a t e . e x e & e x p l o r e r / r o o t , " % C D % t m p B C 6 2 . t m p . v b s " & e x i t C : \ W i n d o w s \ S y s t e m 3 2 \ W S c r i p t . e x e %SystemRoot%\System32\WScript.exe % S y s t e m R o o t % \ S y s t e m 3 2 \ W S c r i p t . e x e % Ő wNÁç]N·D.±®Q·Ő ™ Ť 1SPSâŠXFĽL8C»ü“&mÎq / S - 1 - 5 - 2 1 - 2 6 6 8 0 6 8 7 3 0 - 3 7 4 4 8 9 5 5 3 0 - 4 0 2 7 7 1 6 4 0 6 - 1 0 0 2

tu j log:
info.txt logfile of random's system information tool 1.10 2015-02-03 17:28:13

======MBR======

0x0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000BD3BC573000000000200EEFFFFFF01000000FFFFFFFF00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000055AA

======Uninstall list======

-->MsiExec /X{8B922CF8-8A6C-41CE-A858-F1755D7F5D29}
7-Zip 9.20 (x64 edition)-->MsiExec.exe /I{23170F69-40C1-2702-0920-000001000000}
Adobe Shockwave Player 11.6-->"C:\windows\SysWOW64\Adobe\Shockwave 11\uninstaller.exe"
AuthenTec TrueAPI 64-bit-->MsiExec.exe /I{EBC0CC3F-B7A1-4FC8-8014-4C7BFD3925E8}
Bonjour-->MsiExec.exe /X{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}
Cyberlink PhotoDirector-->"C:\Program Files (x86)\InstallShield Installation Information\{39337565-330E-4ab6-A9AE-AC81E0720B10}\Setup.exe" /z-uninstall
Cyberlink PhotoDirector-->"C:\Program Files (x86)\InstallShield Installation Information\{39337565-330E-4ab6-A9AE-AC81E0720B10}\Setup.exe" /z-uninstall
CyberLink PowerDirector 10-->"C:\Program Files (x86)\InstallShield Installation Information\{B0B4F6D2-F2AE-451A-9496-6F2F6A897B32}\setup.exe" /z-uninstall
CyberLink PowerDirector 10-->"C:\Program Files (x86)\InstallShield Installation Information\{B0B4F6D2-F2AE-451A-9496-6F2F6A897B32}\setup.exe" /z-uninstall
CyberLink YouCam-->"C:\Program Files (x86)\InstallShield Installation Information\{01FB4998-33C4-4431-85ED-079E3EEFE75D}\setup.exe" /z-uninstall
CyberLink YouCam-->"C:\Program Files (x86)\InstallShield Installation Information\{01FB4998-33C4-4431-85ED-079E3EEFE75D}\setup.exe" /z-uninstall
D3DX10-->MsiExec.exe /X{E09C4DB7-630C-4F06-A631-8EA7239923AF}
Energy Star-->MsiExec.exe /I{FC0ADA4D-8FA5-4452-8AFF-F0A0BAC97EF7}
Fotogalleriet-->MsiExec.exe /X{9F470E17-4FC3-4091-A508-D5347A16A2B9}
GIMP 2.8.14-->"C:\Program Files\GIMP 2\uninst\unins000.exe"
Google Chrome-->"C:\Program Files (x86)\Google\Chrome\Application\40.0.2214.93\Installer\setup.exe" --uninstall --multi-install --chrome --system-level
Google Update Helper-->MsiExec.exe /I{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
Hewlett-Packard ACLM.NET v1.2.1.1-->MsiExec.exe /I{6F340107-F9AA-47C6-B54C-C3A19F11553F}
HF Designer 5.2-->"C:\Program Files (x86)\HF Designer\unins000.exe"
HP 3D DriveGuard-->MsiExec.exe /X{AE2F1669-5B1F-47C5-B639-78D74DD0BCE4}
HP Connected Music (Meridian - installer)-->"C:\Program Files (x86)\HPConnectedMusic\Uninstall.exe"
HP CoolSense-->MsiExec.exe /I{11AF9A96-6D83-4C3B-8DCB-16EA2A358E3F}
HP Customer Experience Enhancements-->MsiExec.exe /X{07FA4960-B038-49EB-891B-9F95930AA544}
HP Documentation-->MsiExec.exe /X{0FEE0C28-850D-4AC0-92E7-57D214134102}
HP Postscript Converter-->MsiExec.exe /I{6E14E6D6-3175-4E1A-B934-CAB5A86367CD}
HP Recovery Manager-->MsiExec.exe /I{1AE37508-089E-41AC-95BD-99FF06887C2F}
HP Registration Service-->MsiExec.exe /X{D1E8F2D7-7794-4245-B286-87ED86C1893C}
HP SimplePass-->MsiExec.exe /X{34C821CA-6B55-44A0-8A9B-2EF471D6019E}
HP Support Assistant-->"C:\Program Files (x86)\InstallShield Installation Information\{EE202411-2C26-49E8-9784-1BC1DBF7DE96}\setup.exe" -runfromtemp -l0x0409 -removeonly
HP System Event Utility-->MsiExec.exe /I{C27D60E4-3132-45A3-A71A-E3BD1DA3F794}
HP Utility Center-->MsiExec.exe /I{73237EBB-B26F-4628-8754-4EFE563D72E9}
HP Wireless Button Driver-->MsiExec.exe /X{941DE69D-6CEE-4171-8F1F-3D7E352AA498}
IDT Audio-->"C:\Program Files (x86)\InstallShield Installation Information\{E3A5A8AB-58F6-45FF-AFCB-C9AE18C05001}\Setup.exe" -remove -removeonly
Intel(R) Management Engine Components-->C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\Uninstall\setup.exe -uninstall
Intel(R) Processor Graphics-->C:\Program Files (x86)\Intel\Intel(R) Processor Graphics\Uninstall\setup.exe -uninstall
Intel(R) Rapid Storage Technology-->C:\ProgramData\Intel\Package Cache\{409CB30E-E457-4008-9B1A-ED1B9EA21140}\Setup.exe -uninstall
Intel(R) Rapid Storage Technology-->MsiExec.exe /I{9D859F0D-B405-4B1F-9084-13BBF5D3DB32}
Intel(R) SDK for OpenCL - CPU Only Runtime Package-->C:\Program Files (x86)\Intel\OpenCL SDK\3.0\Uninstall\setup.exe -uninstall
Intel(R) Smart Connect Technology 4.0 x64-->MsiExec.exe /X{DAAF1EAC-6667-43AB-829C-0F964430B106}
Intel® Trusted Connect Service Client-->MsiExec.exe /I{FA00A3CC-7440-4938-A271-F186F50DD40D}
Java 8 Update 25-->MsiExec.exe /I{26A24AE4-039D-4CA4-87B4-2F83218025F0}
Microsoft Office-->MsiExec.exe /X{90150000-0138-0409-0000-0000000FF1CE}
Microsoft SQL Server 2005 Compact Edition [ENU]-->MsiExec.exe /I{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{837b34e3-7c30-493c-8f6a-2b0f04e2912c}
Microsoft Visual C++ 2008 Redistributable - x64 9.0.21022-->MsiExec.exe /X{350AA351-21FA-3270-8B7A-835434E766AD}
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148-->MsiExec.exe /X{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022-->MsiExec.exe /X{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17-->MsiExec.exe /X{9A25302D-30C0-39D9-BD6F-21E6EC160475}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148-->MsiExec.exe /X{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729-->MsiExec.exe /X{6AFCA4E1-9B78-3640-8F72-A7BF33448200}
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219-->MsiExec.exe /X{1D8E6291-B0D5-35EC-8441-6616F567A0F7}
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219-->MsiExec.exe /X{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.50727-->"C:\ProgramData\Package Cache\{15134cb0-b767-4960-a911-f2d16ae54797}\vcredist_x64.exe" /uninstall
Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.50727-->MsiExec.exe /X{AC53FC8B-EE18-3F9C-9B59-60937D0B182C}
Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.50727-->MsiExec.exe /X{A2CB1ACB-94A2-32BA-A15E-7D80319F7589}
Moj CEWE FOTOSVET-->"C:\Program Files (x86)\Fotolab\Moj CEWE FOTOSVET\uninstall.exe"
Movie Maker-->MsiExec.exe /X{306C7AEF-16C7-428D-93AA-99D4A4090243}
Movie Maker-->MsiExec.exe /X{7E63F102-A9E9-4F4C-8004-BC62974736BF}
Movie Maker-->MsiExec.exe /X{8E6E8CBB-8E58-493C-943F-4664F5F2FEDB}
Movie Maker-->MsiExec.exe /X{BAD4B8FA-4BDA-4A59-BE64-9741031680C7}
Movie Maker-->MsiExec.exe /X{ED6C77F9-4D7E-447C-9EC0-9A212D075535}
MSVCRT-->MsiExec.exe /I{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}
MSVCRT110_amd64-->MsiExec.exe /I{E9FA781F-3E80-4399-825A-AD3E11C28C77}
MSVCRT110-->MsiExec.exe /I{8E14DDC8-EA60-4E18-B3E3-1937104D5BDA}
NVIDIA Graphics Driver 311.41-->"C:\Windows\SysWOW64\RunDll32.EXE" "C:\Program Files\NVIDIA Corporation\Installer2\installer.{58684BDB-823D-4CC2-847E-2DA452320D29}\NVI2.DLL",UninstallPackage Display.Driver
NVIDIA PhysX System Software 9.12.1031-->"C:\Windows\SysWOW64\RunDll32.EXE" "C:\Program Files\NVIDIA Corporation\Installer2\installer.{58684BDB-823D-4CC2-847E-2DA452320D29}\NVI2.DLL",UninstallPackage Display.PhysX
NVIDIA PhysX-->MsiExec.exe /I{8B922CF8-8A6C-41CE-A858-F1755D7F5D29}
NVIDIA Update 1.11.3-->"C:\Windows\SysWOW64\RunDll32.EXE" "C:\Program Files\NVIDIA Corporation\Installer2\installer.{58684BDB-823D-4CC2-847E-2DA452320D29}\NVI2.DLL",UninstallPackage Display.Update
Photo Common-->MsiExec.exe /X{048C8498-C20B-4AF7-9978-7A79E567D74C}
Photo Common-->MsiExec.exe /X{49110532-D289-4BFF-807C-45B782E66A7C}
Photo Common-->MsiExec.exe /X{C7929038-EDFB-416D-A2C9-CC65416DA0DF}
Photo Common-->MsiExec.exe /X{EC33D375-5164-4374-9061-43F5C6073219}
Photo Gallery-->MsiExec.exe /X{30F99474-EBE3-4134-A02B-F6CD38CFE243}
Photo Gallery-->MsiExec.exe /X{63824BC0-B747-43F3-9863-1066D64AD919}
Photo Gallery-->MsiExec.exe /X{E0E0FB88-D570-463E-A98E-733B7B656867}
Ralink Bluetooth Stack64-->MsiExec.exe /X{25C4294E-DDA8-EE68-0E16-FA6BD9C8684B}
Ralink RT3290 802.11bgn Wi-Fi Adapter-->C:\Program Files (x86)\InstallShield Installation Information\{8FC4F1DD-F7FD-4766-804D-3C8FF1D309AF}\setup.exe -runfromtemp -l0x001d -removeonly
Realtek Ethernet Controller Driver-->C:\Program Files (x86)\InstallShield Installation Information\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}\setup.exe -runfromtemp -removeonly
Realtek PCIE Card Reader-->"C:\Program Files (x86)\InstallShield Installation Information\{C9661090-C134-46E8-90B2-76D72355C2A6}\setup.exe" -runfromtemp -removeonly
swMSM-->MsiExec.exe /I{612C34C7-5E90-47D8-9B5C-0F717DD82726}
Synaptics Pointing Device Driver-->rundll32.exe "%ProgramFiles%\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
Total Commander 64-bit (Remove or Repair)-->C:\Program Files\totalcmd\tcunin64.exe
Validity WBF DDK-->MsiExec.exe /X{B80C52A3-7666-4068-A371-7867F51E68EB}
Valokuvavalikoima-->MsiExec.exe /X{C32F4F5A-C9FB-427C-9F6F-9DB157611FFF}
Windows Live Communications Platform-->MsiExec.exe /I{0454BB9A-2A7A-4214-BDFF-937F7A711A44}
Windows Live Essentials-->C:\Program Files (x86)\Windows Live\Installer\wlarp.exe
Windows Live Essentials-->MsiExec.exe /I{49F068F2-4323-417B-AFC8-1E43F479D46C}
Windows Live Essentials-->MsiExec.exe /I{6CEA775F-E70A-4D72-A3B4-1EB3A5AD4B5C}
Windows Live Essentials-->MsiExec.exe /I{F1CA7DAE-F998-499C-8CA5-FC58CA2416EC}
Windows Live Installer-->MsiExec.exe /I{C424CD5E-EA05-4D3E-B5DA-F9F149E1D3AC}
Windows Live Photo Common-->MsiExec.exe /X{C9B6EFD0-4F01-4BBA-8374-39AD99A3ED72}
Windows Live PIMT Platform-->MsiExec.exe /I{6A8DB215-7BCD-4377-B015-2E4541A3E7C6}
Windows Live SOXE Definitions-->MsiExec.exe /I{8A642ACD-CE3A-4A23-A8B1-A0F7EB12B214}
Windows Live SOXE-->MsiExec.exe /I{FE7C0B3D-50B9-4951-BE78-A321CBF86552}
Windows Live UX Platform Language Pack-->MsiExec.exe /I{0E1BB4B4-00FF-45B1-914B-AB8D8B9862B3}
Windows Live UX Platform Language Pack-->MsiExec.exe /I{88809C3E-8C92-4454-AEB7-B26166E3D6CD}
Windows Live UX Platform Language Pack-->MsiExec.exe /I{BA068968-594F-40BE-8EE8-99119123C991}
Windows Live UX Platform Language Pack-->MsiExec.exe /I{F21F0424-B2FF-40BF-A984-9E0D7FB4C97E}
Windows Live UX Platform-->MsiExec.exe /I{4CCBD1F4-CEEC-452A-9CB8-46564B501315}
Windows Liven peruspaketti-->MsiExec.exe /I{28B2947F-FC0B-4450-80E3-6DF698E824A6}

======System event log======

Computer Name: Pc
Event Code: 4291
Message: The network adapter with hardware address 80-56-F2-63-53-8D has indicated packet coalescing capability without indicating support for one or more prerequisite receive filter capabilities (IPv4 0x00000000).
Record Number: 1222
Source Name: Tcpip
Time Written: 20140908114523.745274-000
Event Type: Warning
User:

Computer Name: Pc
Event Code: 11
Message: Načítavajú sa vlastné knižnice dynamických prepojení pre všetky aplikácie. Správca systému by mal skontrolovať zoznam knižníc a zistiť, či patria dôveryhodným aplikáciám. Ďalšie informácie sa nachádzajú na lokalite http://support.microsoft.com/kb/197571.
Record Number: 1220
Source Name: Microsoft-Windows-Wininit
Time Written: 20140908114505.854384-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: Pc
Event Code: 264
Message: Viacdotykové zariadenie udalo nekonzistentné informácie o kontaktoch.
Record Number: 1217
Source Name: Win32k
Time Written: 20140908114454.276086-000
Event Type: Warning
User:

Computer Name: Pc
Event Code: 219
Message: The driver \Driver\WUDFRd failed to load for the device USB\VID_138A&PID_0050\241100206e1f.
Record Number: 1216
Source Name: Microsoft-Windows-Kernel-PnP
Time Written: 20140908114449.979127-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: Pc
Event Code: 41
Message: The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.
Record Number: 1193
Source Name: Microsoft-Windows-Kernel-Power
Time Written: 20140908114440.182075-000
Event Type: Critical
User: NT AUTHORITY\SYSTEM

=====Application event log=====

Computer Name: Pc
Event Code: 100
Message: mDNSCoreReceiveResponse: Received from 192.168.0.222:5353 4 Pc.local. Addr 192.168.0.222
Record Number: 1059
Source Name: Bonjour Service
Time Written: 20140908114902.000000-000
Event Type: Error
User:

Computer Name: Pc
Event Code: 100
Message: Local Hostname Pc.local already in use; will try Pc-2.local instead
Record Number: 1031
Source Name: Bonjour Service
Time Written: 20140908114704.000000-000
Event Type: Error
User:

Computer Name: Pc
Event Code: 100
Message: mDNSCoreReceiveResponse: ProbeCount 2; will deregister 4 Pc.local. Addr 192.168.0.223
Record Number: 1030
Source Name: Bonjour Service
Time Written: 20140908114704.000000-000
Event Type: Error
User:

Computer Name: Pc
Event Code: 100
Message: mDNSCoreReceiveResponse: Received from 192.168.0.222:5353 4 Pc.local. Addr 192.168.0.222
Record Number: 1029
Source Name: Bonjour Service
Time Written: 20140908114704.000000-000
Event Type: Error
User:

Computer Name: WIN-SS9JPJKS1QQ
Event Code: 1530
Message: Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -
18 user registry handles leaked from \Registry\User\S-1-5-21-2668068730-3744895530-4027716406-500:
Process 652 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2668068730-3744895530-4027716406-500
Process 652 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2668068730-3744895530-4027716406-500
Process 652 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2668068730-3744895530-4027716406-500
Process 652 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2668068730-3744895530-4027716406-500
Process 784 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2668068730-3744895530-4027716406-500
Process 652 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2668068730-3744895530-4027716406-500\Software\Microsoft\Windows\CurrentVersion\Uninstall
Process 652 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2668068730-3744895530-4027716406-500\Software\Microsoft\SystemCertificates\CA
Process 652 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2668068730-3744895530-4027716406-500\Software\Microsoft\SystemCertificates\Disallowed
Process 652 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2668068730-3744895530-4027716406-500\Software\Microsoft\SystemCertificates\trust
Process 652 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2668068730-3744895530-4027716406-500\Software\Microsoft\SystemCertificates\TrustedPeople
Process 784 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2668068730-3744895530-4027716406-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Process 652 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2668068730-3744895530-4027716406-500\Software\Microsoft\SystemCertificates\Root
Process 652 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2668068730-3744895530-4027716406-500\Software\Microsoft\SystemCertificates\SmartCardRoot
Process 652 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2668068730-3744895530-4027716406-500\Software\Policies\Microsoft\SystemCertificates
Process 652 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2668068730-3744895530-4027716406-500\Software\Policies\Microsoft\SystemCertificates
Process 652 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2668068730-3744895530-4027716406-500\Software\Policies\Microsoft\SystemCertificates
Process 652 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2668068730-3744895530-4027716406-500\Software\Policies\Microsoft\SystemCertificates
Process 652 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2668068730-3744895530-4027716406-500\Software\Microsoft\SystemCertificates\My

Record Number: 1011
Source Name: Microsoft-Windows-User Profiles Service
Time Written: 20140617073204.280411-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

=====Security event log=====

Computer Name: WIN-SS9JPJKS1QQ
Event Code: 4672
Message: Special privileges assigned to new logon.

Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT instans
Logon ID: 0x3E7

Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
Record Number: 1479
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20140617073158.561659-000
Event Type: Audit Success
User:

Computer Name: WIN-SS9JPJKS1QQ
Event Code: 4624
Message: An account was successfully logged on.

Subject:
Security ID: S-1-5-18
Account Name: WIN-SS9JPJKS1QQ$
Account Domain: WORKGROUP
Logon ID: 0x3E7

Logon Type: 5

Impersonation Level: Impersonation

New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT instans
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x280
Process Name: C:\Windows\System32\services.exe

Network Information:
Workstation Name:
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The impersonation level field indicates the extent to which a process in the logon session can impersonate.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Record Number: 1478
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20140617073158.561659-000
Event Type: Audit Success
User:

Computer Name: WIN-SS9JPJKS1QQ
Event Code: 1102
Message: The audit log was cleared.
Subject:
Security ID: S-1-5-21-2668068730-3744895530-4027716406-500
Account Name: Administrator
Domain Name: WIN-SS9JPJKS1QQ
Logon ID: 0x2F0ED
Record Number: 1477
Source Name: Microsoft-Windows-Eventlog
Time Written: 20140617073157.374147-000
Event Type: Audit Success
User:

Computer Name: WIN-SS9JPJKS1QQ
Event Code: 4672
Message: Special privileges assigned to new logon.

Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT instans
Logon ID: 0x3E7

Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
Record Number: 1476
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20140617073156.342838-000
Event Type: Audit Success
User:

Computer Name: WIN-SS9JPJKS1QQ
Event Code: 4624
Message: An account was successfully logged on.

Subject:
Security ID: S-1-5-18
Account Name: WIN-SS9JPJKS1QQ$
Account Domain: WORKGROUP
Logon ID: 0x3E7

Logon Type: 5

Impersonation Level: Impersonation

New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT instans
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x280
Process Name: C:\Windows\System32\services.exe

Network Information:
Workstation Name:
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The impersonation level field indicates the extent to which a process in the logon session can impersonate.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Record Number: 1475
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20140617073156.342838-000
Event Type: Audit Success
User:

======Environment variables======

"FP_NO_HOST_CHECK"=NO
"USERNAME"=SYSTEM
"Path"=C:\ProgramData\Oracle\Java\javapath;C:\Program Files (x86)\HP SimplePass\;C:\Program Files (x86)\Intel\iCLS Client\;C:\Program Files\Intel\iCLS Client\;C:\Program Files (x86)\NVIDIA Corporation\PhysX\Common;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;C:\Program Files (x86)\Windows Live\Shared;C:\Program Files (x86)\Intel\OpenCL SDK\3.0\bin\x86;C:\Program Files (x86)\Intel\OpenCL SDK\3.0\bin\x64;C:\Program Files\Intel\Intel(R) Management Engine Components\DAL;C:\Program Files\Intel\Intel(R) Management Engine Components\IPT;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT
"ComSpec"=%SystemRoot%\system32\cmd.exe
"TMP"=%SystemRoot%\TEMP
"OS"=Windows_NT
"windir"=%SystemRoot%
"PROCESSOR_ARCHITECTURE"=AMD64
"TEMP"=%SystemRoot%\TEMP
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
"PSModulePath"=%SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\
"NUMBER_OF_PROCESSORS"=8
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=Intel64 Family 6 Model 60 Stepping 3, GenuineIntel
"PROCESSOR_REVISION"=3c03
"OnlineServices"=Online Services
"Platform"=MCD
"PCBRAND"=Pavilion

-----------------EOF-----------------

#2 Příspěvek od **vyosek** » 03 úno 2015 17:47

Zdravim

Dejte i log s nazvem log.txt, najdete jej v c:\rsit

herodeso · #3 Příspěvek od **herodeso** » 03 úno 2015 17:48

Logfile of random's system information tool 1.10 (written by random/random)
Run by User at 2015-02-03 17:28:07
Microsoft Windows 8
System drive C: has 654 GB (70%) free of 933 GB
Total RAM: 12220 MB (80% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 17:28:12, on 3.2.2015
Platform: Unknown Windows (WinNT 6.02.1008)
MSIE: Internet Explorer v10.0 (10.00.9200.17183)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\HP SimplePass\IEWebSiteLogon.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\TabTip32.exe
C:\Users\User\AppData\Roaming\spoolsv.exe
C:\Users\User\AppData\Roaming\svchost.exe
C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe
C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BtTray.exe
C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPMSGSVC.exe
C:\Program Files (x86)\Hewlett-Packard\HP CoolSense\CoolSense.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe
C:\Program Files (x86)\HP SimplePass\TouchControl.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files\trend micro\User.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.uk.msn.com/HPCON13/11
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.uk.msn.com/HPCON13/11
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.uk.msn.com/HPCON13/11
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.uk.msn.com/HPCON13/11
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.8.0_25\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre1.8.0_25\bin\jp2ssv.dll
O2 - BHO: HP Network Check Helper - {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll
O4 - HKLM\..\Run: [BtTray] "C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BtTray.exe"
O4 - HKLM\..\Run: [AccelerometerSysTrayApplet] C:\Program Files (x86)\Hewlett-Packard\HP 3D DriveGuard\AccelerometerST.exe
O4 - HKLM\..\Run: [HPMessageService] C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPMSGSVC.exe
O4 - HKLM\..\Run: [HP CoolSense] C:\Program Files (x86)\Hewlett-Packard\HP CoolSense\CoolSense.exe -byrunkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [tmpBC62] wscript.exe //B "C:\Users\User\AppData\Local\Temp\tmpBC62.tmp.vbs"
O4 - HKCU\..\Run: [System.object] "C:\Users\User\AppData\Roaming\spoolsv.exe" ..
O4 - HKCU\..\Run: [pV=sz§M!2C`] C:\Users\User\AppData\Local\chedule c orgin.exe
O4 - HKCU\..\Run: [State] "C:\Users\User\AppData\Roaming\svchost.exe" ..
O4 - HKUS\S-1-5-18\..\RunOnce: [Application Restart #0] C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe /Crashed (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [Application Restart #0] C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe /Crashed (User 'Default user')
O4 - Startup: d25d0126f3bfb4d8247ee767e55ae862.exe
O4 - Startup: State.exe
O4 - Startup: System.object.exe
O4 - Startup: tmpBC62.tmp.vbs
O4 - Global Startup: iSCTsysTray.lnk = C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe
O9 - Extra button: @C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll,-103 - {25510184-5A38-4A99-B273-DCA8EEF6CD08} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\NCLauncherFromIE.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll,-102 - {25510184-5A38-4A99-B273-DCA8EEF6CD08} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\NCLauncherFromIE.exe
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Windows\SysWow64\skype4com.dll
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O20 - AppInit_DLLs: C:\Windows\SysWOW64\nvinit.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: BlueSoleilCS - IVT Corporation - C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BlueSoleilCS.exe
O23 - Service: Bonjour-tjänst (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BsHelpCS - IVT Corporation - C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe
O23 - Service: Intel(R) Content Protection HECI Service (cphs) - Intel Corporation - C:\Windows\SysWow64\IntelCpHeciSvc.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: TrueSuiteService (FPLService) - HP - C:\Program Files (x86)\HP SimplePass\TrueSuiteService.exe
O23 - Service: Služba Google Update (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Služba Google Update (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: HP Support Assistant Service - Hewlett-Packard Company - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe
O23 - Service: HP Software Framework Service (hpqwmiex) - Hewlett-Packard Company - C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe
O23 - Service: @oem20.inf,%hpservice_desc%;HP Service (hpsrv) - Unknown owner - C:\Windows\system32\Hpservice.exe (file missing)
O23 - Service: HPWMISVC - Hewlett-Packard Development Company, L.P. - C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPWMISVC.exe
O23 - Service: Intel(R) Rapid Storage Technology (IAStorDataMgrSvc) - Intel Corporation - C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
O23 - Service: Intel(R) Capability Licensing Service Interface - Intel(R) Corporation - C:\Program Files\Intel\iCLS Client\HeciServer.exe
O23 - Service: Intel(R) Capability Licensing Service TCP IP Interface - Intel(R) Corporation - C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe
O23 - Service: Intel(R) ME Service - Intel Corporation - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe
O23 - Service: Intel(R) Smart Connect Technology Agent (ISCTAgent) - Unknown owner - C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTAgent.exe
O23 - Service: Intel(R) Dynamic Application Loader Host Interface Service (jhi_service) - Intel Corporation - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Intel(R) Management and Security Application Local Management Service (LMS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\stlang64.dll,-10116 (STacSV) - IDT, Inc. - C:\Program Files\IDT\WDM\STacSV64.exe
O23 - Service: TrueAPI Service component (TrueService) - AuthenTec, Inc. - C:\Program Files\Common Files\AuthenTec\TrueService.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: Validity WBF Policy Service (valWBFPolicyService) - Unknown owner - C:\Windows\system32\valWBFPolicyService.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Defender\MpAsDesc.dll,-310 (WinDefend) - Unknown owner - C:\Program Files (x86)\Windows Defender\MsMpEng.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 10917 bytes

======Listing Processes======

\SystemRoot\System32\smss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
wininit.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
"C:\Program Files (x86)\HP SimplePass\TrueSuiteService.exe"
"C:\Windows\system32\nvvsvc.exe"
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
"C:\Program Files\IDT\WDM\STacSV64.exe"
C:\Windows\system32\Hpservice.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k apphost
"C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BlueSoleilCS.exe"
"C:\Program Files\Bonjour\mDNSResponder.exe"
dashost.exe {8c20e4ac-17dd-4f35-9df815e54de93bdd}
"C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPWMISVC.exe"
"C:\Program Files\Intel\iCLS Client\HeciServer.exe"
"C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTAgent.exe"
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\valWBFPolicyService.exe
"C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe"
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
"C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe"
"C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe"
"C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe"
"C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe"
"C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe"
"C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe"
"C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe"
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
"C:\Windows\System32\WUDFHost.exe" -HostGUID:{193a1820-d9ac-4997-8c55-be817523f6aa} -IoEventPortName:HostProcess-2f0d4a60-5554-49af-a87f-6955ec957555 -SystemEventPortName:HostProcess-3073c79e-56a2-4fd4-a2a0-713b8bc2965f -IoCancelEventPortName:HostProcess-cb207f81-0b5e-49ba-82b2-62831426bba8 -NonStateChangingEventPortName:HostProcess-456fc6c6-8a29-40ab-a724-d6e25929516d -ServiceSID:S-1-5-80-2652678385-582572993-1835434367-1344795993-749280709 -LifetimeId:e3bc705a-2672-4709-9383-4e372621868b -DeviceGroupId:
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
C:\Windows\System32\WinLogon.exe -SpecialSession
-hiberboot
"C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe"
C:\Windows\system32\nvvsvc.exe -session
"C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
taskhostex.exe
C:\Windows\Explorer.EXE
"C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16.4.4406.1205_x64__8wekyb3d8bbwe\LiveComm.exe" -ServerName:Microsoft.WindowsLive.Platform.Server
"C:\Program Files (x86)\HP SimplePass\IEWebSiteLogon.exe"
/QuitInfo:0000000000000E1C;0000000000000C34;
/loadhooks /Parent:0000000000001d70
"C:/Program Files/NVIDIA Corporation/Display/nvtray.exe" -user_has_logged_in 1
C:\Windows\System32\RuntimeBroker.exe -Embedding
"C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE"
"C:\Windows\System32\hkcmd.exe"
"C:\Windows\System32\igfxpers.exe"
"C:\Program Files\IDT\WDM\sttray64.exe"
"C:\Windows\System32\wscript.exe" //B "C:\Users\User\AppData\Local\Temp\tmpBC62.tmp.vbs"
C:\Users\User\AppData\Roaming\spoolsv.exe
C:\Users\User\AppData\Roaming\svchost.exe
"C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe"
"C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BtTray.exe"
"C:\Program Files (x86)\Hewlett-Packard\HP 3D DriveGuard\AccelerometerSt.exe"
"C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPMSGSVC.exe"
"C:\Program Files (x86)\Hewlett-Packard\HP CoolSense\CoolSense.exe" -byrunkey
"C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
"C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe"
"C:\Users\User\AppData\Roaming\server.exe"
C:\Windows\system32\wbem\unsecapp.exe -Embedding
"C:\Windows\System32\WUDFHost.exe" -HostGUID:{193a1820-d9ac-4997-8c55-be817523f6aa} -IoEventPortName:HostProcess-46d15d27-06cb-41cd-b2de-4c92fe7d07fa -SystemEventPortName:HostProcess-4cbcf79e-1d4d-48cf-b504-5b003ecb3987 -IoCancelEventPortName:HostProcess-524c2fd2-c973-4e7e-8917-4816c8eefbc8 -NonStateChangingEventPortName:HostProcess-84bf2a73-62be-4043-8eff-6c6719a67a4d -ServiceSID:S-1-5-80-2652678385-582572993-1835434367-1344795993-749280709 -LifetimeId:eae858f6-cda8-4b3f-a6bc-f8beacca61f5 -DeviceGroupId:WpdFsGroup
"C:\Program Files (x86)\HP SimplePass\TouchControl.exe"
C:\Windows\system32\svchost.exe -k WbioSvcGroup
"C:\Program Files\Common Files\AuthenTec\TrueService.exe"
/ChildServer
"C:\Program Files\totalcmd\TOTALCMD64.EXE"
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --channel="5740.0.1595936481\493046688" --supports-dual-gpus=false --gpu-driver-bug-workarounds=1,18,39 --gpu-vendor-id=0x8086 --gpu-device-id=0x0416 --gpu-driver-vendor="Intel Corporation" --gpu-driver-version=9.18.10.3071 --ignored=" --type=renderer " /prefetch:822062411
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=renderer --enable-deferred-image-decoding --lang=sk --force-fieldtrials="BrowserBlacklist/Enabled/ChromeSuggestions/Default/DomRel-Enable/enable/EmbeddedSearch/Group5 pct:10e stable:pp2 prefetch_results:1 reuse_instant_search_base_page:1/EnhancedBookmarks/Default/ExtensionContentVerification/Enforce/ExtensionInstallVerification/Enforce/MaterialDesignNTP/Default/NewProfileManagement/NewAvatarMenu/OmniboxBundledExperimentV1/NewSuggestType_A3_Stable_R1/PasswordGeneration/Disabled/PrerenderFromOmnibox/OmniboxPrerenderEnabled/QUIC/ControlForLargePopulation/RememberCertificateErrorDecisions/Default/SPDY/Spdy31Enabled-default/SRTPromptFieldTrial/Default/SafeBrowsingIncidentReportingService/Default/SettingsEnforcement/enforce_always_with_extensions_and_dse/ShowAppLauncherPromo/ShowPromoUntilDismissed/UMA-Dynamic-Binary-Uniformity-Trial/default/UMA-Dynamic-Uniformity-Trial/Group3/UMA-Population-Restrict/normal/UMA-Uniformity-Trial-1-Percent/group_66/UMA-Uniformity-Trial-10-Percent/default/UMA-Uniformity-Trial-100-Percent/group_01/UMA-Uniformity-Trial-20-Percent/group_02/UMA-Uniformity-Trial-5-Percent/group_14/UMA-Uniformity-Trial-50-Percent/default/VoiceTrigger/Install/" --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --enable-pinch --device-scale-factor=1 --enable-delegated-renderer --enable-impl-side-painting --num-raster-threads=1 --channel="5740.5.1252760876\918175839" /prefetch:673131151
C:\Windows\system32\msiexec.exe /V
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=renderer --enable-deferred-image-decoding --lang=sk --force-fieldtrials="BrowserBlacklist/Enabled/ChromeSuggestions/Default/DomRel-Enable/enable/EmbeddedSearch/Group5 pct:10e stable:pp2 prefetch_results:1 reuse_instant_search_base_page:1/EnhancedBookmarks/Default/ExtensionContentVerification/Enforce/ExtensionInstallVerification/Enforce/MaterialDesignNTP/Default/NewProfileManagement/NewAvatarMenu/OmniboxBundledExperimentV1/NewSuggestType_A3_Stable_R1/PasswordGeneration/Disabled/PrerenderFromOmnibox/OmniboxPrerenderEnabled/QUIC/ControlForLargePopulation/RememberCertificateErrorDecisions/Default/SPDY/Spdy31Enabled-default/SRTPromptFieldTrial/Default/SafeBrowsingIncidentReportingService/Default/SettingsEnforcement/enforce_always_with_extensions_and_dse/ShowAppLauncherPromo/ShowPromoUntilDismissed/UMA-Dynamic-Binary-Uniformity-Trial/default/UMA-Dynamic-Uniformity-Trial/Group3/UMA-Population-Restrict/normal/UMA-Uniformity-Trial-1-Percent/group_66/UMA-Uniformity-Trial-10-Percent/default/UMA-Uniformity-Trial-100-Percent/group_01/UMA-Uniformity-Trial-20-Percent/group_02/UMA-Uniformity-Trial-5-Percent/group_14/UMA-Uniformity-Trial-50-Percent/default/VoiceTrigger/Install/" --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --enable-pinch --device-scale-factor=1 --enable-delegated-renderer --enable-impl-side-painting --num-raster-threads=1 --channel="5740.6.1415997870\16386121" /prefetch:673131151
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe13_ Global\UsGthrCtrlFltPipeMssGthrPipe13 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
"C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596

"C:\Users\User\Downloads\RSITx64 (1).exe"

======Scheduled tasks folder======

C:\Windows\tasks\GoogleUpdateTaskMachineCore.job - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /c
C:\Windows\tasks\GoogleUpdateTaskMachineUA.job - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua /installsource scheduler

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
Java(tm) Plug-In SSV Helper - C:\Program Files (x86)\Java\jre1.8.0_25\bin\ssv.dll [2014-10-26 460712]

[HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files (x86)\Java\jre1.8.0_25\bin\jp2ssv.dll [2014-10-26 172968]

[HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E76FD755-C1BA-4DCB-9F13-99BD91223ADE}]
HP Network Check Helper - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll [2012-07-09 351136]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"=C:\Windows\system32\igfxtray.exe [2013-03-22 165872]
"HotKeysCmds"=C:\Windows\system32\hkcmd.exe [2013-03-22 407536]
"Persistence"=C:\Windows\system32\igfxpers.exe [2013-03-22 441840]
"SysTrayApp"=C:\Program Files\IDT\WDM\sttray64.exe [2013-02-05 1702912]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2013-04-24 3053808]
"Logitech Download Assistant"=C:\Windows\System32\LogiLDA.dll [2012-09-20 3933496]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"tmpBC62"=wscript.exe //B C:\Users\User\AppData\Local\Temp\tmpBC62.tmp.vbs []
"System.object"=C:\Users\User\AppData\Roaming\spoolsv.exe [2015-01-14 254976]
"pV=sz§M!2C`"=C:\Users\User\AppData\Local\chedule c orgin.exe [2015-01-14 599552]
"State"=C:\Users\User\AppData\Roaming\svchost.exe [2015-01-14 599552]

[HKEY_LOCAL_MACHINE\Software\wow6432node\Microsoft\Windows\CurrentVersion\Run]
"BtTray"=C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BtTray.exe [2013-01-10 379904]
"AccelerometerSysTrayApplet"=C:\Program Files (x86)\Hewlett-Packard\HP 3D DriveGuard\AccelerometerST.exe [2013-03-01 77088]
""= []
"HPMessageService"=C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPMSGSVC.exe [2013-02-25 1045304]
"HP CoolSense"=C:\Program Files (x86)\Hewlett-Packard\HP CoolSense\CoolSense.exe [2012-11-05 1343904]
"SunJavaUpdateSched"=C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [2014-10-07 507776]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
iSCTsysTray.lnk - C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe

C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
d25d0126f3bfb4d8247ee767e55ae862.exe
State.exe
System.object.exe
tmpBC62.tmp.vbs

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\Windows\system32\nvinitx.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\Windows\system32\igfxdev.dll [2013-03-20 434176]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"msacm.l3acm"=C:\Windows\System32\l3codeca.acm
"VIDC.YUY2"=msyuv.dll
"vidc.i420"=iyuv_32.dll
"msacm.msgsm610"=msgsm32.acm
"msacm.msg711"=msg711.acm
"VIDC.YVYU"=msyuv.dll
"VIDC.YVU9"=tsbyuv.dll
"wavemapper"=msacm32.drv
"midimapper"=midimap.dll
"VIDC.UYVY"=msyuv.dll
"VIDC.IYUV"=iyuv_32.dll
"vidc.mrle"=msrle32.dll
"msacm.imaadpcm"=imaadp32.acm
"msacm.msadpcm"=msadp32.acm
"vidc.msvc"=msvidc32.dll
"MSVideo8"=VfWWDM32.dll
"wave"=wdmaud.drv
"midi"=wdmaud.drv
"mixer"=wdmaud.drv
"wave1"=wdmaud.drv
"midi1"=wdmaud.drv
"mixer1"=wdmaud.drv
"aux"=wdmaud.drv

======File associations======

.js - edit - C:\Windows\System32\Notepad.exe %1
.js - open - C:\Windows\System32\WScript.exe "%1" %*

======List of files/folders created in the last 1 month======

2015-02-03 17:28:07 ----D---- C:\rsit
2015-02-03 17:28:07 ----D---- C:\Program Files\trend micro
2015-02-03 17:15:50 ----D---- C:\Users\User\AppData\Roaming\GHISLER
2015-02-03 17:15:50 ----D---- C:\Program Files\totalcmd
2015-01-17 23:33:47 ----A---- C:\Windows\system32\WPRO_41_2001woem.tmp
2015-01-14 19:43:38 ----A---- C:\Users\User\AppData\Roaming\spoolsv.exe.tmp
2015-01-14 19:43:33 ----A---- C:\Users\User\AppData\Roaming\svchost.exe
2015-01-14 19:43:21 ----A---- C:\Users\User\AppData\Roaming\spoolsv.exe
2015-01-13 22:20:22 ----A---- C:\Windows\SYSWOW64\wuwebv.dll
2015-01-13 22:20:22 ----A---- C:\Windows\SYSWOW64\wudriver.dll
2015-01-13 22:20:22 ----A---- C:\Windows\SYSWOW64\wuapp.exe
2015-01-13 22:20:22 ----A---- C:\Windows\SYSWOW64\wuapi.dll
2015-01-13 22:20:22 ----A---- C:\Windows\system32\wuwebv.dll
2015-01-13 22:20:22 ----A---- C:\Windows\system32\WUSettingsProvider.dll
2015-01-13 22:20:22 ----A---- C:\Windows\system32\wudriver.dll
2015-01-13 22:20:22 ----A---- C:\Windows\system32\wucltux.dll
2015-01-13 22:20:22 ----A---- C:\Windows\system32\wuaueng.dll
2015-01-13 22:20:22 ----A---- C:\Windows\system32\wuauclt.exe
2015-01-13 22:20:22 ----A---- C:\Windows\system32\wuapp.exe
2015-01-13 22:20:22 ----A---- C:\Windows\system32\wuapi.dll
2015-01-13 22:20:22 ----A---- C:\Windows\system32\storewuauth.dll
2015-01-13 22:20:21 ----A---- C:\Windows\SYSWOW64\vbscript.dll
2015-01-13 22:20:21 ----A---- C:\Windows\system32\vbscript.dll
2015-01-13 22:20:06 ----A---- C:\Windows\system32\win32spl.dll
2015-01-13 22:20:06 ----A---- C:\Windows\system32\services.exe
2015-01-13 22:20:06 ----A---- C:\Windows\system32\localspl.dll
2015-01-13 22:20:05 ----A---- C:\Windows\system32\drivers\vhdmp.sys
2015-01-13 22:19:54 ----A---- C:\Windows\SYSWOW64\nlaapi.dll
2015-01-13 22:19:54 ----A---- C:\Windows\system32\profsvc.dll
2015-01-13 22:19:54 ----A---- C:\Windows\system32\nlasvc.dll
2015-01-13 22:19:54 ----A---- C:\Windows\system32\nlaapi.dll
2015-01-13 22:19:54 ----A---- C:\Windows\system32\ncsi.dll
2015-01-13 22:19:53 ----A---- C:\Windows\system32\wer.dll
2015-01-13 22:19:52 ----A---- C:\Windows\SYSWOW64\wer.dll
2015-01-13 22:19:52 ----A---- C:\Windows\system32\Faultrep.dll
2015-01-13 22:19:51 ----A---- C:\Windows\SYSWOW64\WerFaultSecure.exe
2015-01-13 22:19:51 ----A---- C:\Windows\SYSWOW64\Faultrep.dll
2015-01-13 22:19:51 ----A---- C:\Windows\system32\WerFaultSecure.exe
2015-01-13 22:19:51 ----A---- C:\Windows\system32\TSWbPrxy.exe
2015-01-13 22:19:51 ----A---- C:\Windows\system32\EncDump.dll
2015-01-13 22:19:51 ----A---- C:\Windows\system32\audiosrv.dll
2015-01-13 22:19:49 ----A---- C:\Windows\system32\ntoskrnl.exe
2015-01-13 22:19:45 ----A---- C:\Windows\system32\drivers\mrxdav.sys

======List of files/folders modified in the last 1 month======

2015-02-03 17:28:07 ----RD---- C:\Program Files
2015-02-03 17:19:59 ----D---- C:\Windows\Prefetch
2015-02-03 17:14:36 ----A---- C:\Windows\SYSWOW64\LOCALSERVICE.INI
2015-02-03 17:14:35 ----A---- C:\Windows\SYSWOW64\LOCALDEVICE.INI
2015-02-03 17:13:42 ----D---- C:\Windows\system32\sru
2015-02-03 05:40:24 ----A---- C:\Windows\SYSWOW64\REMOTEDEVICE.INI
2015-02-03 05:38:29 ----D---- C:\Windows\WinSxS
2015-02-03 05:38:28 ----SD---- C:\ProgramData\Microsoft
2015-02-03 05:38:08 ----D---- C:\Windows\system32\catroot2
2015-02-03 05:36:19 ----SHD---- C:\System Volume Information
2015-02-03 00:31:20 ----D---- C:\Windows\system32\config
2015-02-02 22:40:11 ----D---- C:\Windows\Temp
2015-02-02 22:37:58 ----D---- C:\Windows\Microsoft.NET
2015-02-02 22:30:45 ----RD---- C:\Windows\System32
2015-02-02 22:30:45 ----A---- C:\Windows\system32\PerfStringBackup.INI
2015-02-02 22:30:44 ----D---- C:\Windows\Inf
2015-01-31 00:39:49 ----A---- C:\Users\User\AppData\Roaming\server.exe
2015-01-29 05:46:49 ----D---- C:\Windows\SysWOW64
2015-01-24 21:20:14 ----A---- C:\Windows\SYSWOW64\FlashPlayerApp.exe
2015-01-22 22:00:12 ----D---- C:\Windows\CbsTemp
2015-01-19 22:49:31 ----A---- C:\Windows\SYSWOW64\bscs.ini
2015-01-17 13:00:04 ----D---- C:\Windows\system32\sk-SK
2015-01-17 13:00:04 ----D---- C:\Windows\system32\en-GB
2015-01-17 12:59:53 ----D---- C:\Windows\system32\Drivers
2015-01-17 12:59:52 ----D---- C:\Windows\system32\DriverStore
2015-01-16 02:56:31 ----D---- C:\Windows\system32\MRT
2015-01-16 02:54:11 ----A---- C:\Windows\system32\MRT.exe
2015-01-15 22:12:56 ----HD---- C:\Program Files\WindowsApps
2015-01-15 22:12:43 ----D---- C:\Windows\AUInstallAgent
2015-01-07 19:19:42 ----D---- C:\Windows\system32\NDF
2015-01-06 13:12:34 ----D---- C:\pracovná verzia videa

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R0 hpdskflt;@oem20.inf,%service_desc%;HP Filter; C:\Windows\system32\DRIVERS\hpdskflt.sys [2013-03-01 30520]
R0 iaStorA;iaStorA; C:\Windows\System32\drivers\iaStorA.sys [2013-04-06 653808]
R0 nvpciflt;nvpciflt; C:\Windows\system32\DRIVERS\nvpciflt.sys [2013-03-07 30496]
R1 vwififlt;@%SystemRoot%\System32\drivers\vwififlt.sys,-259; C:\Windows\system32\DRIVERS\vwififlt.sys [2012-07-26 64000]
R3 Accelerometer;@oem20.inf,%accelerometer_desc%;HP Mobile Data Protection Sensor; C:\Windows\system32\DRIVERS\Accelerometer.sys [2013-03-01 43320]
R3 BtAudioBusSrv;@oem16.inf,%SvcDesc%;Ralink Bluetooth Audio Bus Service; C:\Windows\System32\Drivers\BtAudioBus.sys [2012-06-15 23136]
R3 BthEnum;@bth.inf,%BthEnum.SVCDESC%;Bluetooth Enumerator Service; C:\Windows\System32\drivers\BthEnum.sys [2013-06-14 51712]
R3 BthL2caScoIfSrv;Bluetooth Profile Interface Driver Service; C:\Windows\System32\Drivers\BtL2caScoIf.sys [2012-07-19 56904]
R3 BthLEEnum;@bthleenum.inf,%BthLEEnum.SVCDESC%;Lågenergidrivrutin för Bluetooth; C:\Windows\system32\DRIVERS\BthLEEnum.sys [2012-07-26 202752]
R3 BthPan;@bthpan.inf,%BthPan.DisplayName%;Bluetooth Device (Personal Area Network); C:\Windows\system32\DRIVERS\bthpan.sys [2012-07-26 119808]
R3 BTHUSB;@bth.inf,%BTHUSB.SvcDesc%;Bluetooth Radio USB Driver; C:\Windows\System32\Drivers\BTHUSB.sys [2013-06-14 74752]
R3 btUrbFilterDrv;IVT URB Bluetooth Filter Driver Service; C:\Windows\System32\Drivers\IvtUrbBtFlt.sys [2013-02-26 49200]
R3 igfx;igfx; C:\Windows\system32\DRIVERS\igdkmd64.sys [2013-03-20 4534784]
R3 ikbevent;Intel Upper keyboard Class Filter Driver; C:\Windows\system32\DRIVERS\ikbevent.sys [2013-02-13 21048]
R3 imsevent;Intel Upper Mouse Class Filter Driver; C:\Windows\system32\DRIVERS\imsevent.sys [2013-02-13 21048]
R3 ISCT;@oem24.inf,%ISCT.DeviceDesc%;Intel(R) Smart Connect Technology Device Driver; C:\Windows\System32\drivers\ISCTD64.sys [2013-02-13 46568]
R3 MEIx64;@oem10.inf,%HECI_SvcDesc%;Intel(R) Management Engine Interface ; C:\Windows\System32\drivers\HECIx64.sys [2013-02-16 64624]
R3 netr28x;@oem29.inf,%Generic.Service.DispName%;Ralink 802.11n Extensible Wireless Driver; C:\Windows\system32\DRIVERS\netr28x.sys [2013-12-04 2505904]
R3 nvlddmkm;nvlddmkm; C:\Windows\system32\DRIVERS\nvlddmkm.sys [2013-03-07 11070752]
R3 RFCOMM;@tdibth.inf,%RFCOMM.DisplayName%;Bluetooth Device (RFCOMM Protocol TDI); C:\Windows\System32\drivers\rfcomm.sys [2013-03-01 156672]
R3 rtbth;@oem28.inf,%General.Service.DispName%;RTBTH Bluetooth Device Driver; C:\Windows\System32\drivers\rtbth.sys [2013-12-02 1204424]
R3 RTL8168;@oem25.inf,%rtl8168.Service.DispName%;Realtek 8168 NT Driver; C:\Windows\system32\DRIVERS\Rt630x64.sys [2012-12-28 760032]
R3 RTSPER;@oem27.inf,%Rts5227PER%;Realtek PCIE Card Reader - PER; C:\Windows\system32\DRIVERS\RtsPer.sys [2013-02-22 450632]
R3 SmbDrvI;SmbDrvI; C:\Windows\system32\DRIVERS\Smb_driver_Intel.sys [2013-04-24 33008]
R3 STHDA;@%SystemRoot%\system32\stlang64.dll,-10316; C:\Windows\system32\DRIVERS\stwrt64.sys [2013-02-05 544768]
R3 SynTP;@oem23.inf,%SynTP.SvcDesc%;Synaptics TouchPad Driver; C:\Windows\system32\DRIVERS\SynTP.sys [2013-04-24 495856]
R3 usbvideo;@usbvideo.inf,%USBVideo.SvcDesc%;USB Video Device (WDM); C:\Windows\System32\Drivers\usbvideo.sys [2013-07-05 210560]
R3 vwifimp;@%SystemRoot%\System32\drivers\vwifimp.sys,-261; C:\Windows\system32\DRIVERS\vwifimp.sys [2012-07-26 17920]
S3 BTHPORT;@bth.inf,%BTHPORT.SvcDesc%;Bluetooth Port Driver; C:\Windows\System32\Drivers\BTHport.sys [2013-03-01 1175040]
S3 dg_ssudbus;@oem32.inf,%ssud.Service.DeviceDesc%;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.); C:\Windows\system32\DRIVERS\ssudbus.sys [2014-01-22 108800]
S3 IntcDAud;@oem8.inf,%IntcDAud.SvcDesc%;Intel(R) Display Audio; C:\Windows\system32\DRIVERS\IntcDAud.sys [2013-03-20 442368]
S3 SmbDrv;SmbDrv; C:\Windows\System32\drivers\Smb_driver_AMDASF.sys [2013-04-24 29424]
S3 ssudmdm;@oem34.inf,%ssud.Service.Name%;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.); C:\Windows\system32\DRIVERS\ssudmdm.sys [2014-01-22 206080]
S3 WDC_SAM;@oem30.inf,%WDC_SAM_ServiceName%;WD SCSI Pass Thru driver; C:\Windows\System32\drivers\wdcsam64.sys [2008-05-06 14464]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AppHostSvc;@%windir%\system32\inetsrv\iisres.dll,-30011; C:\Windows\system32\svchost.exe [2013-06-14 29696]
R2 BlueSoleilCS;BlueSoleilCS; C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BlueSoleilCS.exe [2013-01-31 1626872]
R2 Bonjour Service;Bonjour-tjänst; C:\Program Files\Bonjour\mDNSResponder.exe [2011-08-30 462184]
R2 FPLService;TrueSuiteService; C:\Program Files (x86)\HP SimplePass\TrueSuiteService.exe [2013-02-07 1641768]
R2 HP Support Assistant Service;HP Support Assistant Service; C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [2012-09-27 86528]
R2 hpsrv;@oem20.inf,%hpservice_desc%;HP Service; C:\Windows\system32\Hpservice.exe [2013-03-01 43320]
R2 HPWMISVC;HPWMISVC; C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPWMISVC.exe [2013-02-01 1039160]
R2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology; C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2013-04-10 15344]
R2 Intel(R) Capability Licensing Service Interface;Intel(R) Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [2012-12-10 732160]
R2 Intel(R) ME Service;Intel(R) ME Service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe [2013-02-22 129848]
R2 ISCTAgent;Intel(R) Smart Connect Technology Agent; C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTAgent.exe [2013-02-13 180200]
R2 jhi_service;Intel(R) Dynamic Application Loader Host Interface Service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [2013-02-22 167736]
R2 LMS;Intel(R) Management and Security Application Local Management Service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe [2013-02-22 364856]
R2 nvsvc;NVIDIA Display Driver Service; C:\Windows\system32\nvvsvc.exe [2013-03-07 884512]
R2 nvUpdatusService;NVIDIA Update Service Daemon; C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [2013-03-07 1260320]
R2 STacSV;@%SystemRoot%\system32\stlang64.dll,-10116; C:\Program Files\IDT\WDM\STacSV64.exe [2013-02-05 332800]
R2 valWBFPolicyService;Validity WBF Policy Service; C:\Windows\system32\valWBFPolicyService.exe [2013-03-19 28160]
R3 BsHelpCS;BsHelpCS; C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe [2013-01-10 138752]
R3 FontCache3.0.0.0;@%SystemRoot%\system32\PresentationHost.exe,-3309; C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe [2012-07-27 43616]
R3 hpqwmiex;HP Software Framework Service; C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe [2012-11-05 1001376]
R3 TrueService;TrueAPI Service component; C:\Program Files\Common Files\AuthenTec\TrueService.exe [2013-01-07 401856]
S2 gupdate;Služba Google Update (gupdate); C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-10-16 107912]
S3 aspnet_state;@%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\aspnet_rc.dll,-1; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe [2012-07-12 51648]
S3 cphs;Intel(R) Content Protection HECI Service; C:\Windows\SysWow64\IntelCpHeciSvc.exe [2013-03-22 279024]
S3 gupdatem;Služba Google Update (gupdatem); C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-10-16 107912]
S3 Intel(R) Capability Licensing Service TCP IP Interface;Intel(R) Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [2012-12-10 803872]
S3 WAS;@%windir%\system32\inetsrv\iisres.dll,-30001; C:\Windows\system32\svchost.exe [2013-06-14 29696]
S4 BthAvrcpTg;@bthaudhid.inf,%BthAvrcpTg_SvcDesc%;Bluetooth Audio/Video Remote Control HID; C:\Windows\System32\drivers\BthAvrcpTg.sys [2013-06-01 37632]
S4 BthHFEnum;@bthhfenum.inf,%BthHFEnum.SVCDESC%;Bluetooth Hands-Free Audio and Call Control HID Enumerator; C:\Windows\System32\drivers\bthhfenum.sys [2012-07-26 51200]
S4 bthhfhid;@bthaudhid.inf,%BthAudioHFHid.SVCDESC%;Bluetooth Hands-Free Call Control HID; C:\Windows\System32\drivers\BthHFHid.sys [2013-06-14 29952]

-----------------EOF-----------------

#4 Příspěvek od **vyosek** » 03 úno 2015 17:53

Stahnete Malwarebytes Anti-Rootkit http://www.bleepingcomputer.com/downloa ... i-rootkit/

Ulozte nejlepe na Plochu a rozbalte
Spustte kliknutim na mbar
Nyni postupne kliknete na Next a Update
Po dokonceni update (aktualizace) databaze kliknete opet na Next
Nechte zaskrtnute vsechny tri moznosti a klinete na Scan cimz spustite prohledavani PC
Po dokonceni skenu (cca 5 minutek) zkontrolujte, zda-li je u vsech nalezu (samozrejme pokud budou) zatrzitko
Tez zkontrolujte, jetsli je zatrzitko u Create Restore point
Nyni kliknete na CleanUp cimz nalezenou infekci odstranime
PC bude restartovan
Slozka mbar by mela obsahovat log (a zrejme se i sam otevre) mbar-log-rok-mesic-den (hodina-minuta-sekunda).txt, ten mi sem dejte

herodeso · #5 Příspěvek od **herodeso** » 03 úno 2015 18:25

Malwarebytes Anti-Rootkit BETA 1.08.3.1004
www.malwarebytes.org

Database version:
main: v2015.02.03.06
rootkit: v2015.02.03.01

Windows 8 x64 NTFS
Internet Explorer 10.0.9200.17183
User :: PC [administrator]

3.2.2015 17:59:54
mbar-log-2015-02-03 (17-59-54).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 366085
Time elapsed: 18 minute(s), 38 second(s)

Memory Processes Detected: 3
C:\Users\User\AppData\Roaming\spoolsv.exe (Trojan.MSIL.Bladabindi) -> 7552 -> Delete on reboot. [a66cc456fa90d1650add63943cc59c64]
C:\Users\User\AppData\Roaming\server.exe (Backdoor.XTRat) -> 3076 -> Delete on reboot. [957da6748208d06635a571e1f20ee020]
C:\Users\User\AppData\Roaming\svchost.exe (Trojan.Agent) -> 8052 -> Delete on reboot. [39d9928867234de96c4ef4aa46bd8080]

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 2
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SPOOLSV.EXE (Trojan.MSIL.Bladabindi) -> Delete on reboot. [a66cc456fa90d1650add63943cc59c64]
HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SPOOLSV.EXE (Trojan.MSIL.Bladabindi) -> Delete on reboot. [a66cc456fa90d1650add63943cc59c64]

Registry Values Detected: 2
HKU\S-1-5-21-2668068730-3744895530-4027716406-1002\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|System.object (Trojan.MSIL.Bladabindi) -> Data: "C:\Users\User\AppData\Roaming\spoolsv.exe" .. -> Delete on reboot. [a66cc456fa90d1650add63943cc59c64]
HKU\S-1-5-21-2668068730-3744895530-4027716406-1002\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|State (Trojan.Agent) -> Data: "C:\Users\User\AppData\Roaming\svchost.exe" .. -> Delete on reboot. [39d9928867234de96c4ef4aa46bd8080]

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 6
C:\Users\User\AppData\Roaming\spoolsv.exe (Trojan.MSIL.Bladabindi) -> Delete on reboot. [a66cc456fa90d1650add63943cc59c64]
C:\Users\User\AppData\Roaming\server.exe (Backdoor.XTRat) -> Delete on reboot. [957da6748208d06635a571e1f20ee020]
C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d25d0126f3bfb4d8247ee767e55ae862.exe (Backdoor.XTRat) -> Delete on reboot. [8f8393873f4b95a1904abf93639d21df]
C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.object.exe (Trojan.MSIL.Bladabindi) -> Delete on reboot. [33dffe1c0783df577c6b1dda0df47c84]
C:\Users\User\AppData\Local\Temp\tmpF9F8.tmp.exe (Trojan.MSIL.Bladabindi) -> Delete on reboot. [00120713beccbd79f7f0aa4d61a046ba]
C:\Users\User\AppData\Roaming\svchost.exe (Trojan.Agent) -> Delete on reboot. [39d9928867234de96c4ef4aa46bd8080]

Physical Sectors Detected: 0
(No malicious items detected)

(end)

#6 Příspěvek od **vyosek** » 03 úno 2015 22:24

Poprosim o FRST http://forum.viry.cz/viewtopic.php?f=13&t=133100

herodeso · #7 Příspěvek od **herodeso** » 05 úno 2015 20:04

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 04-02-2015 01
Ran by User (administrator) on PC on 05-02-2015 19:55:15
Running from C:\Users\User\Desktop
Loaded Profiles: UpdatusUser & User (Available profiles: UpdatusUser & User)
Platform: Windows 8 (X64) OS Language: Angličtina (Spojené kráľovstvo)
Internet Explorer Version 10 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/33 ... scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(HP) C:\Program Files (x86)\HP SimplePass\TrueSuiteService.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\stacsv64.exe
(Hewlett-Packard Company) C:\Windows\System32\hpservice.exe
(IVT Corporation) C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BlueSoleilCS.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Microsoft Corporation) C:\Windows\System32\dasHost.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPWMISVC.exe
(Intel(R) Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
() C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTAgent.exe
() C:\Windows\System32\valWBFPolicyService.exe
(IVT Corporation) C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Microsoft Corporation) C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16.4.4406.1205_x64__8wekyb3d8bbwe\LiveComm.exe
() C:\Program Files (x86)\HP SimplePass\IEWebSiteLogon.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(CyberLink) C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\sttray64.exe
(Microsoft Corporation) C:\Windows\System32\wscript.exe
(Intel Corporation) C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe
(IVT Corporation) C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BtTray.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP 3D DriveGuard\AccelerometerSt.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPMSGSVC.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP CoolSense\CoolSense.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
() C:\Users\User\AppData\Roaming\svchost.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe
(Intel Corporation) C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\Jhi_service.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
(AuthenTec Inc.) C:\Program Files (x86)\HP SimplePass\TouchControl.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(CyberLink Corp.) C:\Program Files (x86)\CyberLink\PowerDirector10\PDR10.exe
(Ghisler Software GmbH) C:\Program Files\totalcmd\TOTALCMD64.EXE
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(forum.viry.cz) C:\Users\User\Desktop\FRSTLauncher (1).exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SysTrayApp] => C:\Program Files\IDT\WDM\sttray64.exe [1702912 2013-02-05] (IDT, Inc.)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [3053808 2013-04-24] (Synaptics Incorporated)
HKLM\...\Run: [Logitech Download Assistant] => C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
HKLM-x32\...\Run: [BtTray] => C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BtTray.exe [379904 2013-01-10] (IVT Corporation)
HKLM-x32\...\Run: [AccelerometerSysTrayApplet] => C:\Program Files (x86)\Hewlett-Packard\HP 3D DriveGuard\AccelerometerST.exe [77088 2013-03-01] (Hewlett-Packard Company)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [HPMessageService] => C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPMSGSVC.exe [1045304 2013-02-25] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [HP CoolSense] => C:\Program Files (x86)\Hewlett-Packard\HP CoolSense\CoolSense.exe [1343904 2012-11-05] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [507776 2014-10-07] (Oracle Corporation)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-2668068730-3744895530-4027716406-1002\...\Run: [tmpBC62] => wscript.exe //B "C:\Users\User\AppData\Local\Temp\tmpBC62.tmp.vbs" <===== ATTENTION
HKU\S-1-5-21-2668068730-3744895530-4027716406-1002\...\Run: [pV=sz§M!2C`] => C:\Users\User\AppData\Local\chedule c orgin.exe [599552 2015-01-14] ()
HKU\S-1-5-21-2668068730-3744895530-4027716406-1002\...\Run: [State] => C:\Users\User\AppData\Roaming\svchost.exe [599552 2015-01-14] ()
HKU\S-1-5-18\...\RunOnce: [Application Restart #0] => C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe [394624 2014-06-11] (Microsoft Corporation)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\iSCTsysTray.lnk
ShortcutTarget: iSCTsysTray.lnk -> C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe (Intel Corporation)
Startup: C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\State.exe ()
Startup: C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tmpBC62.tmp.vbs ()
ShellIconOverlayIdentifiers: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => No File
ShellIconOverlayIdentifiers: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => No File
ShellIconOverlayIdentifiers: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => No File

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.uk.msn.com/HPCON13/11
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://g.uk.msn.com/HPCON13/11
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.uk.msn.com/HPCON13/11
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.uk.msn.com/HPCON13/11
HKU\S-1-5-21-2668068730-3744895530-4027716406-1002\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.uk.msn.com/HPCON13/11
HKU\S-1-5-21-2668068730-3744895530-4027716406-1002\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.uk.msn.com/HPCON13/11
URLSearchHook: [S-1-5-21-2668068730-3744895530-4027716406-1001] ATTENTION ==> Default URLSearchHook is missing.
SearchScopes: HKLM -> {F612434C-8175-4223-8049-9FF15ABC44E6} URL = http://www.amazon.co.uk/s/ref=azs_osd_i ... earchTerms}
SearchScopes: HKLM-x32 -> {F612434C-8175-4223-8049-9FF15ABC44E6} URL = http://www.amazon.co.uk/s/ref=azs_osd_i ... earchTerms}
SearchScopes: HKU\S-1-5-21-2668068730-3744895530-4027716406-1002 -> {F612434C-8175-4223-8049-9FF15ABC44E6} URL = http://www.amazon.co.uk/s/ref=azs_osd_i ... earchTerms}
BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\ssv.dll (Oracle Corporation)
BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll (Hewlett-Packard)
Toolbar: HKU\S-1-5-21-2668068730-3744895530-4027716406-1002 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Windows\SysWow64\skype4com.dll (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

FireFox:
========
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\windows\SysWOW64\Adobe\Director\np32dsw_1166636.dll (Adobe Systems, Inc.)
FF Plugin-x32: @authentec.com/ffwloplugin -> C:\Program Files (x86)\HP SimplePass\npffwloplugin.dll ( HP)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=3.0.72 -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=11.25.2 -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.25.2 -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3505.0912 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)

Chrome:
=======
CHR Profile: C:\Users\User\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Prezentácie Google) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2014-10-16]
CHR Extension: (Dokumenty Google) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-10-16]
CHR Extension: (Disk Google) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-10-16]
CHR Extension: (YouTube) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-10-16]
CHR Extension: (Hľadať v Google) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-10-16]
CHR Extension: (Tabuľky Google) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2014-10-16]
CHR Extension: (Website Logon) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\hmbkhknacohfhbmmpnmbkgdffdbildof [2014-10-16]
CHR Extension: (Peňaženka Google) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-10-16]
CHR Extension: (Gmail) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-10-16]
CHR HKLM-x32\...\Chrome\Extension: [hmbkhknacohfhbmmpnmbkgdffdbildof] - C:\Program Files (x86)\HP SimplePass\tschrome.crx [2012-12-12]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 BlueSoleilCS; C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BlueSoleilCS.exe [1626872 2013-01-31] (IVT Corporation)
R3 BsHelpCS; C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe [138752 2013-01-10] (IVT Corporation) [File not signed]
R2 FPLService; C:\Program Files (x86)\HP SimplePass\TrueSuiteService.exe [1641768 2013-02-07] (HP)
R2 HP Support Assistant Service; C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [86528 2012-09-27] (Hewlett-Packard Company) [File not signed]
R2 HPWMISVC; C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPWMISVC.exe [1039160 2013-02-01] (Hewlett-Packard Development Company, L.P.)
R2 IAStorDataMgrSvc; C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [15344 2013-04-10] (Intel Corporation)
R2 Intel(R) Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [732160 2012-12-10] (Intel(R) Corporation) [File not signed]
S3 Intel(R) Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [803872 2012-12-10] (Intel(R) Corporation)
R2 Intel(R) ME Service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe [129848 2013-02-22] (Intel Corporation)
R2 ISCTAgent; C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTAgent.exe [180200 2013-02-13] ()
R2 jhi_service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [167736 2013-02-22] (Intel Corporation)
R2 STacSV; C:\Program Files\IDT\WDM\STacSV64.exe [332800 2013-02-05] (IDT, Inc.) [File not signed]
S3 TrueService; C:\Program Files\Common Files\AuthenTec\TrueService.exe [401856 2013-01-07] (AuthenTec, Inc.)
R2 valWBFPolicyService; C:\Windows\system32\valWBFPolicyService.exe [28160 2013-03-19] () [File not signed]
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [16032 2014-09-22] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

U5 BlueletAudio; C:\Windows\System32\Drivers\BlueletAudio.sys [33968 2012-12-19] (IVT Corporation)
R3 BtAudioBusSrv; C:\Windows\System32\Drivers\BtAudioBus.sys [23136 2012-06-15] (IVT Corporation)
U4 BthAvrcpTg; No ImagePath
U4 BthHFEnum; No ImagePath
U4 bthhfhid; No ImagePath
R3 BthL2caScoIfSrv; C:\Windows\System32\Drivers\BtL2caScoIf.sys [56904 2012-07-19] (Ralink Corporation)
R3 BthLEEnum; C:\Windows\system32\DRIVERS\BthLEEnum.sys [202752 2012-07-26] (Microsoft Corporation)
R3 btUrbFilterDrv; C:\Windows\System32\Drivers\IvtUrbBtFlt.sys [49200 2013-02-26] (Ralink Corporation)
R3 ikbevent; C:\Windows\system32\DRIVERS\ikbevent.sys [21048 2013-02-13] ()
R3 imsevent; C:\Windows\system32\DRIVERS\imsevent.sys [21048 2013-02-13] ()
R3 ISCT; C:\Windows\System32\drivers\ISCTD64.sys [46568 2013-02-13] ()
R3 rtbth; C:\Windows\System32\drivers\rtbth.sys [1204424 2013-12-02] (Ralink Technology, Corp.)
R3 RTSPER; C:\Windows\system32\DRIVERS\RtsPer.sys [450632 2013-02-22] (RTS Corporation)
S3 SmbDrv; C:\Windows\System32\drivers\Smb_driver_AMDASF.sys [29424 2013-04-24] (Synaptics Incorporated)
R3 SmbDrvI; C:\Windows\system32\DRIVERS\Smb_driver_Intel.sys [33008 2013-04-24] (Synaptics Incorporated)
R3 WirelessButtonDriver; C:\Windows\System32\drivers\WirelessButtonDriver64.sys [20800 2012-08-31] (Hewlett-Packard Development Company, L.P.)
R3 WPRO_41_2001; C:\Windows\System32\drivers\WPRO_41_2001.sys [34752 2015-02-03] ()
U5 BlueletAudio; C:\Windows\SysWOW64\Drivers\BlueletAudio.sys [33968 2012-12-19] (IVT Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-02-05 19:55 - 2015-02-05 19:55 - 00017281 _____ () C:\Users\User\Desktop\FRST.txt
2015-02-05 19:53 - 2015-02-05 19:55 - 00000000 ____D () C:\FRST
2015-02-05 19:52 - 2015-02-05 19:52 - 00112640 _____ (forum.viry.cz) C:\Users\User\Downloads\FRSTLauncher (1).exe
2015-02-05 19:52 - 2015-02-05 19:52 - 00112640 _____ (forum.viry.cz) C:\Users\User\Desktop\FRSTLauncher (1).exe
2015-02-05 19:51 - 2015-02-05 19:48 - 02131968 _____ (Farbar) C:\Users\User\Desktop\FRST64.exe
2015-02-05 19:48 - 2015-02-05 19:48 - 02131968 _____ (Farbar) C:\Users\User\Downloads\FRST64.exe
2015-02-05 19:48 - 2015-02-05 19:48 - 00112640 _____ (forum.viry.cz) C:\Users\User\Downloads\Nepotvrdené 739996.crdownload
2015-02-03 18:22 - 2015-01-14 19:43 - 00599552 _____ () C:\Users\User\AppData\Roaming\svchost.exe
2015-02-03 18:21 - 2015-02-03 18:21 - 00094656 _____ (CACE Technologies) C:\Windows\system32\WPRO_41_2001woem.tmp
2015-02-03 17:59 - 2015-02-03 18:22 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2015-02-03 17:59 - 2015-02-03 17:59 - 00136408 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-02-03 17:59 - 2015-02-03 17:59 - 00000000 ____D () C:\ProgramData\Malwarebytes
2015-02-03 17:58 - 2015-02-03 18:18 - 00000000 ____D () C:\Users\User\Desktop\mbar
2015-02-03 17:58 - 2015-02-03 17:58 - 00097496 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-02-03 17:57 - 2015-02-03 17:56 - 16466552 _____ (Malwarebytes Corp.) C:\Users\User\Desktop\mbar-1.08.3.1004.exe
2015-02-03 17:56 - 2015-02-03 17:56 - 16466552 _____ (Malwarebytes Corp.) C:\Users\User\Downloads\mbar-1.08.3.1004.exe
2015-02-03 17:28 - 2015-02-03 17:28 - 01222144 _____ () C:\Users\User\Downloads\RSITx64 (1).exe
2015-02-03 17:28 - 2015-02-03 17:28 - 00000000 ____D () C:\rsit
2015-02-03 17:28 - 2015-02-03 17:28 - 00000000 ____D () C:\Program Files\trend micro
2015-02-03 17:26 - 2015-02-03 17:26 - 01222144 _____ () C:\Users\User\Downloads\RSITx64.exe
2015-02-03 17:19 - 2015-02-03 17:19 - 00000000 ____D () C:\Users\User\AppData\Local\GHISLER
2015-02-03 17:15 - 2015-02-03 17:16 - 00000000 ____D () C:\Users\User\AppData\Roaming\GHISLER
2015-02-03 17:15 - 2015-02-03 17:15 - 04448488 _____ (Ghisler Software GmbH) C:\Users\User\Downloads\tcmd851ax64.exe
2015-02-03 17:15 - 2015-02-03 17:15 - 00001016 _____ () C:\Users\User\Desktop\Total Commander 64 bit.lnk
2015-02-03 17:15 - 2015-02-03 17:15 - 00000000 ____D () C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Total Commander
2015-02-03 17:15 - 2015-02-03 17:15 - 00000000 ____D () C:\Program Files\totalcmd
2015-02-03 05:36 - 2014-04-16 19:20 - 00029888 _____ (Microsoft Corporation) C:\Windows\system32\aspnet_counters.dll
2015-02-03 05:36 - 2014-04-16 19:20 - 00028352 _____ (Microsoft Corporation) C:\Windows\SysWOW64\aspnet_counters.dll
2015-01-14 19:43 - 2015-02-03 18:19 - 00002330 _____ () C:\Users\User\AppData\Roaming\spoolsv.exe.tmp
2015-01-14 19:43 - 2015-01-14 19:43 - 00599552 _____ () C:\Users\User\AppData\Local\chedule c orgin.exe
2015-01-13 22:20 - 2014-11-27 03:40 - 00600576 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2015-01-13 22:20 - 2014-11-27 02:28 - 00523264 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2015-01-13 22:20 - 2014-11-15 07:06 - 00059392 _____ (Microsoft Corporation) C:\Windows\system32\wuauclt.exe
2015-01-13 22:20 - 2014-11-15 06:13 - 03286016 _____ (Microsoft Corporation) C:\Windows\system32\wuaueng.dll
2015-01-13 22:20 - 2014-11-15 06:13 - 01623552 _____ (Microsoft Corporation) C:\Windows\system32\wucltux.dll
2015-01-13 22:20 - 2014-11-15 06:13 - 00775168 _____ (Microsoft Corporation) C:\Windows\system32\wuapi.dll
2015-01-13 22:20 - 2014-11-15 06:13 - 00253440 _____ (Microsoft Corporation) C:\Windows\system32\WUSettingsProvider.dll
2015-01-13 22:20 - 2014-11-15 06:13 - 00144384 _____ (Microsoft Corporation) C:\Windows\system32\wuwebv.dll
2015-01-13 22:20 - 2014-11-15 06:13 - 00100352 _____ (Microsoft Corporation) C:\Windows\system32\wudriver.dll
2015-01-13 22:20 - 2014-11-15 06:13 - 00040448 _____ (Microsoft Corporation) C:\Windows\system32\wuapp.exe
2015-01-13 22:20 - 2014-11-15 06:12 - 00176640 _____ (Microsoft Corporation) C:\Windows\system32\storewuauth.dll
2015-01-13 22:20 - 2014-11-15 04:54 - 00035328 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe
2015-01-13 22:20 - 2014-11-15 04:53 - 00630272 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll
2015-01-13 22:20 - 2014-11-15 04:53 - 00128000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll
2015-01-13 22:20 - 2014-11-15 04:53 - 00086528 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll
2015-01-13 22:20 - 2014-11-05 07:40 - 00733184 _____ (Microsoft Corporation) C:\Windows\system32\win32spl.dll
2015-01-13 22:20 - 2014-11-05 07:39 - 01024512 _____ (Microsoft Corporation) C:\Windows\system32\localspl.dll
2015-01-13 22:20 - 2014-11-01 07:28 - 00417280 _____ (Microsoft Corporation) C:\Windows\system32\services.exe
2015-01-13 22:20 - 2014-10-29 15:21 - 00499008 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\vhdmp.sys
2015-01-13 22:20 - 2014-10-27 23:10 - 00390841 _____ () C:\Windows\system32\ApnDatabase.xml
2015-01-13 22:19 - 2014-12-19 07:48 - 00210432 _____ (Microsoft Corporation) C:\Windows\system32\profsvc.dll
2015-01-13 22:19 - 2014-12-19 05:35 - 00142336 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxdav.sys
2015-01-13 22:19 - 2014-12-11 08:35 - 06973248 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2015-01-13 22:19 - 2014-12-11 07:51 - 00062976 _____ (Microsoft Corporation) C:\Windows\system32\TSWbPrxy.exe
2015-01-13 22:19 - 2014-12-06 08:53 - 00458240 _____ (Microsoft Corporation) C:\Windows\system32\wer.dll
2015-01-13 22:19 - 2014-12-06 08:53 - 00026112 _____ (Microsoft Corporation) C:\Windows\system32\WerFaultSecure.exe
2015-01-13 22:19 - 2014-12-06 08:52 - 00384000 _____ (Microsoft Corporation) C:\Windows\system32\ncsi.dll
2015-01-13 22:19 - 2014-12-06 08:52 - 00357376 _____ (Microsoft Corporation) C:\Windows\system32\nlasvc.dll
2015-01-13 22:19 - 2014-12-06 08:52 - 00072192 _____ (Microsoft Corporation) C:\Windows\system32\nlaapi.dll
2015-01-13 22:19 - 2014-12-06 08:51 - 00370688 _____ (Microsoft Corporation) C:\Windows\system32\Faultrep.dll
2015-01-13 22:19 - 2014-12-06 08:51 - 00267264 _____ (Microsoft Corporation) C:\Windows\system32\EncDump.dll
2015-01-13 22:19 - 2014-12-06 08:50 - 00783872 _____ (Microsoft Corporation) C:\Windows\system32\audiosrv.dll
2015-01-13 22:19 - 2014-12-06 07:10 - 00355840 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wer.dll
2015-01-13 22:19 - 2014-12-06 07:10 - 00023552 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WerFaultSecure.exe
2015-01-13 22:19 - 2014-12-06 07:09 - 00332800 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Faultrep.dll
2015-01-13 22:19 - 2014-12-06 07:09 - 00055296 _____ (Microsoft Corporation) C:\Windows\SysWOW64\nlaapi.dll

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-02-05 19:48 - 2013-03-04 15:30 - 00000983 _____ () C:\Windows\SysWOW64\bscs.ini
2015-02-05 19:48 - 2012-07-26 08:28 - 00942994 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-02-05 19:45 - 2014-06-13 09:59 - 00003620 _____ () C:\Windows\SysWOW64\LOCALSERVICE.INI
2015-02-05 19:45 - 2014-06-13 09:59 - 00000043 _____ () C:\Windows\SysWOW64\LOCALDEVICE.INI
2015-02-05 19:45 - 2012-07-26 09:12 - 00000000 ____D () C:\Windows\system32\sru
2015-02-05 16:24 - 2014-06-17 08:28 - 00000381 _____ () C:\Windows\SysWOW64\REMOTEDEVICE.INI
2015-02-04 22:46 - 2014-10-16 15:34 - 00000950 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-02-04 22:25 - 2014-09-08 12:46 - 01639772 _____ () C:\Windows\WindowsUpdate.log
2015-02-03 20:00 - 2013-06-14 00:22 - 00000000 ___HD () C:\HP
2015-02-03 18:36 - 2014-09-08 12:57 - 00003600 _____ () C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-2668068730-3744895530-4027716406-1002
2015-02-03 18:23 - 2014-10-16 15:34 - 00000946 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-02-03 18:21 - 2014-06-13 09:59 - 00034752 _____ () C:\Windows\system32\Drivers\WPRO_41_2001.sys
2015-02-03 18:21 - 2012-07-26 08:22 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-02-03 18:20 - 2012-08-03 23:23 - 00507330 _____ () C:\Windows\PFRO.log
2015-02-03 18:20 - 2012-07-26 06:26 - 00262144 ___SH () C:\Windows\system32\config\BBI
2015-02-03 17:57 - 2014-10-21 17:34 - 00454144 ___SH () C:\Users\User\Downloads\Thumbs.db
2015-02-03 05:38 - 2012-07-26 08:59 - 00000000 ____D () C:\Windows\CbsTemp
2015-02-02 22:29 - 2012-07-26 08:21 - 00051120 _____ () C:\Windows\setupact.log
2015-01-27 21:46 - 2014-10-16 15:52 - 00002202 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2015-01-24 21:20 - 2014-11-17 11:12 - 00714176 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-01-24 21:20 - 2014-11-17 11:12 - 00106432 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-01-17 13:00 - 2012-07-26 09:12 - 00000000 ____D () C:\Windows\system32\sk-SK
2015-01-17 13:00 - 2012-07-26 09:12 - 00000000 ____D () C:\Windows\system32\en-GB
2015-01-16 02:56 - 2014-10-21 17:33 - 00000000 ____D () C:\Windows\system32\MRT
2015-01-16 02:54 - 2014-10-21 17:33 - 113365784 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2015-01-15 22:12 - 2012-07-26 09:12 - 00000000 ____D () C:\Windows\AUInstallAgent
2015-01-07 19:19 - 2012-07-26 09:12 - 00000000 ____D () C:\Windows\system32\NDF
2015-01-06 13:12 - 2014-10-17 13:37 - 00000000 ____D () C:\pracovná verzia videa

==================== Files in the root of some directories =======

2015-01-14 19:43 - 2015-02-03 18:19 - 0002330 _____ () C:\Users\User\AppData\Roaming\spoolsv.exe.tmp
2015-02-03 18:22 - 2015-01-14 19:43 - 0599552 _____ () C:\Users\User\AppData\Roaming\svchost.exe
2015-01-14 19:43 - 2015-01-14 19:43 - 0599552 _____ () C:\Users\User\AppData\Local\chedule c orgin.exe
2014-11-28 06:09 - 2014-11-28 06:09 - 0010197 _____ () C:\Users\User\AppData\Local\recently-used.xbel

Some content of TEMP:
====================
C:\Users\User\AppData\Local\Temp\tmp32DC.tmp.exe
C:\Users\User\AppData\Local\Temp\~convert8018805214418078611.exe

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2015-02-01 21:20

===***===***===***=== Extract of Additional scan result of Farbar Recovery Scan Tool ===***===***===***===

==================== Drive and Memory info ===================

Drive c: (Windows) (Fixed) (Total:911.12 GB) (Free:637.89 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive d: (RECOVERY) (Fixed) (Total:19.62 GB) (Free:1.98 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive e: (SAMSUNG) (Fixed) (Total:298 GB) (Free:87.06 GB) FAT32
Drive g: (CORSAIR) (Removable) (Total:29.84 GB) (Free:29.83 GB) FAT32

Available physical RAM: 10374.45 MB
Total physical RAM: 12220.02 MB
Percentage of memory in use: 15%

==================== MBR and Partition Table ==================

Disk: 0 (Size: 931.5 GB) (Disk ID: 73C53BBD)
Disk: 1 (Size: 298.1 GB) (Disk ID: 2F2DFD59)
Partition 1: (Active) - (Size=298.1 GB) - (Type=0C)
Disk: 2 (MBR Code: Windows XP) (Size: 29.8 GB) (Disk ID: AEBA8ABE)
Partition 1: (Not Active) - (Size=29.8 GB) - (Type=0C)

==================== Scheduled Tasks (whitelisted) ==================

Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

==================== Alternate Data Streams (whitelisted) ==================

==================== Security Center ==================

AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

===***===***===***=== Supplementary Scan createdy by FRSTLauncher ===***===***===***===
Posledni aktualizace FRSTLauncheru: 25_11_2013 (01)
Posledni aktualizace Modifikacniho skriptu: 30_09_2013 (01)

***** Velikost "Plochy" *****

Velikost slozky "C:\Users\User\Desktop" je 48 MB.

***** Startup Programs *****

***** Firewall rules *****

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
EnableFirewall REG_DWORD 0x1
DisableNotifications REG_DWORD 0x0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
EnableFirewall REG_DWORD 0x1
DisableNotifications REG_DWORD 0x0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

***** System Restore *****

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR"=dword:00000000
"Generalize_DisableSR"=dword:00000000

==================== End Of Log ==============================

#8 Příspěvek od **vyosek** » 06 úno 2015 15:59

Tvorba fixlistu pro FRST

Spustte poznamkovy blok (Start-spustit-notepad)
Zkopirujte skript nize

Kód: Vybrat vše

Start
CloseProcesses:
CreateRestorePoint:

HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [507776 2014-10-07] (Oracle Corporation)
HKU\S-1-5-21-2668068730-3744895530-4027716406-1002\...\Run: [tmpBC62] => wscript.exe //B "C:\Users\User\AppData\Local\Temp\tmpBC62.tmp.vbs" <===== ATTENTION
HKU\S-1-5-21-2668068730-3744895530-4027716406-1002\...\Run: [pV=sz§M!2C`] => C:\Users\User\AppData\Local\chedule c orgin.exe [599552 2015-01-14] ()
HKU\S-1-5-21-2668068730-3744895530-4027716406-1002\...\Run: [State] => C:\Users\User\AppData\Roaming\svchost.exe [599552 2015-01-14] ()
Startup: C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\State.exe ()
Startup: C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tmpBC62.tmp.vbs ()
ShellIconOverlayIdentifiers: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => No File
ShellIconOverlayIdentifiers: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => No File
ShellIconOverlayIdentifiers: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => No File

HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.uk.msn.com/HPCON13/11
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://g.uk.msn.com/HPCON13/11
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.uk.msn.com/HPCON13/11
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.uk.msn.com/HPCON13/11
HKU\S-1-5-21-2668068730-3744895530-4027716406-1002\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.uk.msn.com/HPCON13/11
HKU\S-1-5-21-2668068730-3744895530-4027716406-1002\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.uk.msn.com/HPCON13/11
URLSearchHook: [S-1-5-21-2668068730-3744895530-4027716406-1001] ATTENTION ==> Default URLSearchHook is missing.
SearchScopes: HKLM -> {F612434C-8175-4223-8049-9FF15ABC44E6} URL = http://www.amazon.co.uk/s/ref=azs_osd_i ... -keywords={searchTerms}
SearchScopes: HKLM-x32 -> {F612434C-8175-4223-8049-9FF15ABC44E6} URL = http://www.amazon.co.uk/s/ref=azs_osd_i ... -keywords={searchTerms}
SearchScopes: HKU\S-1-5-21-2668068730-3744895530-4027716406-1002 -> {F612434C-8175-4223-8049-9FF15ABC44E6} URL = http://www.amazon.co.uk/s/ref=azs_osd_i ... -keywords={searchTerms}
Toolbar: HKU\S-1-5-21-2668068730-3744895530-4027716406-1002 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File

2015-02-05 19:55 - 2015-02-05 19:55 - 00017281 _____ () C:\Users\User\Desktop\FRST.txt
2015-02-05 19:52 - 2015-02-05 19:52 - 00112640 _____ (forum.viry.cz) C:\Users\User\Downloads\FRSTLauncher (1).exe
2015-02-05 19:52 - 2015-02-05 19:52 - 00112640 _____ (forum.viry.cz) C:\Users\User\Desktop\FRSTLauncher (1).exe
2015-02-03 18:22 - 2015-01-14 19:43 - 00599552 _____ () C:\Users\User\AppData\Roaming\svchost.exe
2015-02-03 18:21 - 2015-02-03 18:21 - 00094656 _____ (CACE Technologies) C:\Windows\system32\WPRO_41_2001woem.tmp
2015-02-03 17:59 - 2015-02-03 18:22 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2015-02-03 17:59 - 2015-02-03 17:59 - 00136408 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-02-03 17:59 - 2015-02-03 17:59 - 00000000 ____D () C:\ProgramData\Malwarebytes
2015-02-03 17:58 - 2015-02-03 18:18 - 00000000 ____D () C:\Users\User\Desktop\mbar
2015-02-03 17:58 - 2015-02-03 17:58 - 00097496 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-02-03 17:57 - 2015-02-03 17:56 - 16466552 _____ (Malwarebytes Corp.) C:\Users\User\Desktop\mbar-1.08.3.1004.exe
2015-02-03 17:56 - 2015-02-03 17:56 - 16466552 _____ (Malwarebytes Corp.) C:\Users\User\Downloads\mbar-1.08.3.1004.exe
2015-02-03 17:28 - 2015-02-03 17:28 - 01222144 _____ () C:\Users\User\Downloads\RSITx64 (1).exe
2015-02-03 17:28 - 2015-02-03 17:28 - 00000000 ____D () C:\rsit
2015-02-03 17:28 - 2015-02-03 17:28 - 00000000 ____D () C:\Program Files\trend micro
2015-02-03 17:26 - 2015-02-03 17:26 - 01222144 _____ () C:\Users\User\Downloads\RSITx64.exe
2015-01-14 19:43 - 2015-02-03 18:19 - 0002330 _____ () C:\Users\User\AppData\Roaming\spoolsv.exe.tmp
2015-02-03 18:22 - 2015-01-14 19:43 - 0599552 _____ () C:\Users\User\AppData\Roaming\svchost.exe
2015-01-14 19:43 - 2015-01-14 19:43 - 0599552 _____ () C:\Users\User\AppData\Local\chedule c orgin.exe
2014-11-28 06:09 - 2014-11-28 06:09 - 0010197 _____ () C:\Users\User\AppData\Local\recently-used.xbel

Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

Hosts:
EmptyTemp:
Reboot:
End

Ulozte vytvoreny TXT jako fixlist.txt
Presunte vytvoreny fixlist vedle FRST

Spustte znovu FRST.exe

Kliknete na Fix
Probehne oprava a vytvori log Fixlog.txt

Restart PC a dejte mi sem fixlog.txt

VIRY.CZ

usb kluce s divnymi subormi

usb kluce s divnymi subormi

Re: usb kluce s divnymi subormi

Re: usb kluce s divnymi subormi

Re: usb kluce s divnymi subormi

Re: usb kluce s divnymi subormi

Re: usb kluce s divnymi subormi

Re: usb kluce s divnymi subormi

Re: usb kluce s divnymi subormi