ComboFix 18-03-14.01 - Domek 2018-04-12 23:33:18.1.4 - x64
Microsoft Windows 7 Ultimate 6.1.7600.0.1250.48.1045.18.12253.10441 [GMT 2:00]
Uruchomiony z: m:\_install\_Utilites\[vir]HijackCombofix\ComboFix2018.exe
AV: Panda Protection *Enabled/Updated* {46AEFD02-ACA3-E038-1FA5-4A15EFD361E0}
FW: Panda Firewall *Disabled* {7E957C27-E6CC-E160-34FA-E3201100269B}
SP: Panda Protection *Enabled/Updated* {FDCF1CE6-8A99-EFB6-2515-716794542B5D}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Utworzono nowy punkt przywracania
.
.
(((((((((((((((((((((((((((((((((((((((   Usunięto   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Domek\AppData\Roaming\Folder
c:\users\Domek\yTAa.exe
.
.
(((((((((((((((((((((((((   Pliki utworzone od 2018-03-12 do 2018-04-12   )))))))))))))))))))))))))))))))
.
.
30598-05-30 09:27 . 30598-05-30 09:27 73216 ------w- c:\program files (x86)\Common Files\kyOWYuA.exe
30598-05-30 09:27 . 30598-05-30 09:27 186368 ------w- c:\windows\SysWow64\EyiOgDuYe.exe
2018-04-12 21:38 . 2018-04-12 21:38 -------- d-----w- c:\users\Domek\AppData\Local\temp
2018-04-12 21:38 . 2018-04-12 21:38 -------- d-----w- c:\users\Default\AppData\Local\temp
2018-04-12 21:09 . 2016-08-08 09:00 70360 ----a-w- c:\windows\system32\drivers\PSKMAD.sys
2018-04-12 18:21 . 2018-04-12 18:21 -------- d-----w- c:\users\Domek\AppData\Roaming\FastDataX
2018-04-12 18:20 . 2018-04-12 18:20 -------- d-----w- c:\program files (x86)\NordVPN
2018-04-12 18:20 . 2016-05-05 10:23 537784 --sha-r- c:\windows\SysWow64\swscale-lav-4.dll
2018-04-12 18:20 . 2016-05-05 10:23 556216 --sha-r- c:\windows\SysWow64\avutil-lav-55.dll
2018-04-12 18:20 . 2016-05-05 10:22 160440 --sha-r- c:\windows\SysWow64\avresample-lav-3.dll
2018-04-12 18:20 . 2016-05-05 10:22 1699000 --sha-r- c:\windows\SysWow64\avformat-lav-57.dll
2018-04-12 18:20 . 2016-05-05 10:22 188088 --sha-r- c:\windows\SysWow64\avfilter-lav-6.dll
2018-04-12 18:20 . 2016-05-05 10:22 10766520 --sha-r- c:\windows\SysWow64\avcodec-lav-57.dll
2018-04-12 18:19 . 2018-04-12 18:19 -------- d-----w- c:\users\Domek\AppData\Roaming\SystemHealer
.
.
.
((((((((((((((((((((((((((((((((((((((((   Sekcja Find3M   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2018-03-18 06:07 . 2016-01-09 12:48 804352 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2018-03-18 06:07 . 2016-01-09 12:48 144896 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-03-07 10:03 3109520 --sha-r- c:\windows\SysWOW64\avcodec-lav-55.dll
2016-05-05 10:22 10766520 --sha-r- c:\windows\SysWOW64\avcodec-lav-57.dll
2014-03-07 10:03 98960 --sha-r- c:\windows\SysWOW64\avfilter-lav-4.dll
2016-05-05 10:22 188088 --sha-r- c:\windows\SysWOW64\avfilter-lav-6.dll
2014-03-07 10:03 550032 --sha-r- c:\windows\SysWOW64\avformat-lav-55.dll
2016-05-05 10:22 1699000 --sha-r- c:\windows\SysWOW64\avformat-lav-57.dll
2009-09-27 08:39 415744 --sh--w- c:\windows\SysWOW64\avisynth.dll
2014-03-07 10:03 59536 --sha-r- c:\windows\SysWOW64\avresample-lav-1.dll
2016-05-05 10:22 160440 --sha-r- c:\windows\SysWOW64\avresample-lav-3.dll
2005-07-14 11:31 32256 --sh--w- c:\windows\SysWOW64\AVSredirect.dll
2014-03-07 10:03 181392 --sha-r- c:\windows\SysWOW64\avutil-lav-52.dll
2016-05-05 10:23 556216 --sha-r- c:\windows\SysWOW64\avutil-lav-55.dll
2004-02-22 09:11 764416 --sh--w- c:\windows\SysWOW64\devil.dll
2004-01-24 23:00 70656 --sh--w- c:\windows\SysWOW64\i420vfw.dll
2016-05-05 10:23 405176 --sha-r- c:\windows\SysWOW64\IntelQuickSyncDecoder.dll
2016-05-05 10:23 276152 --sha-r- c:\windows\SysWOW64\libbluray.dll
2014-03-07 10:03 118416 --sha-r- c:\windows\SysWOW64\swscale-lav-2.dll
2016-05-05 10:23 537784 --sha-r- c:\windows\SysWOW64\swscale-lav-4.dll
2004-01-24 23:00 70656 --sh--w- c:\windows\SysWOW64\yv12vfw.dll
.
.
(((((((((((((((((((((((((((((((((((((   Wpisy startowe rejestru   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="d:\_programyw7\RoboForm7\RoboTaskBarIcon.exe" [2016-09-02 110376]
"MiPhoneManager"="c:\users\Domek\AppData\Local\MiPhoneManager\main\MiPhoneHelper.exe" [2016-03-11 157624]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="d:\_programyw7\Office2007Ent\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"PSUAMain"="c:\program files (x86)\Panda Security\Panda Security Protection\PSUAMain.exe" [2017-02-22 141760]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"MaxGPOScriptWait"= 600 (0x258)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NanoServiceMain]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSUAService]
@="Service"
.
R1 fwdrv;Kerio Personal Firewall Driver;c:\windows\system32\Drivers\fwdrv.sys;c:\windows\SYSNATIVE\Drivers\fwdrv.sys [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 SSPORT;SSPORT;c:\windows\system32\Drivers\SSPORT.sys;c:\windows\SYSNATIVE\Drivers\SSPORT.sys [x]
R2 wCpYx9gGumUX Updater;wCpYx9gGumUX Updater;c:\program files (x86)\wCpYx9gGumUX Updater\wCpYx9gGumUX Updater.exe;c:\program files (x86)\wCpYx9gGumUX Updater\wCpYx9gGumUX Updater.exe [x]
R3 ampa;ampa;c:\windows\system32\ampa.sys;c:\windows\SYSNATIVE\ampa.sys [x]
R3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\DRIVERS\LEqdUsb.Sys;c:\windows\SYSNATIVE\DRIVERS\LEqdUsb.Sys [x]
R3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\DRIVERS\LHidEqd.Sys;c:\windows\SYSNATIVE\DRIVERS\LHidEqd.Sys [x]
R3 qcusbser;Qualcomm USB Device for Legacy Serial Communication;c:\windows\system32\DRIVERS\qcusbser.sys;c:\windows\SYSNATIVE\DRIVERS\qcusbser.sys [x]
R3 RTCore64;RTCore64;c:\program files (x86)\MSI Afterburner\RTCore64.sys;c:\program files (x86)\MSI Afterburner\RTCore64.sys [x]
R3 USBMULCD;USB Multi-Channel Audio Device Interface;c:\windows\system32\drivers\CM10664.sys;c:\windows\SYSNATIVE\drivers\CM10664.sys [x]
S0 vmci;VMware VMCI Bus Driver;c:\windows\system32\DRIVERS\vmci.sys;c:\windows\SYSNATIVE\DRIVERS\vmci.sys [x]
S0 vsock;vSockets Driver;c:\windows\system32\drivers\vsock.sys;c:\windows\SYSNATIVE\drivers\vsock.sys [x]
S1 NNSALPC;NNSALPC;c:\windows\system32\DRIVERS\NNSAlpc.sys;c:\windows\SYSNATIVE\DRIVERS\NNSAlpc.sys [x]
S1 NNSHTTP;NNSHTTP;c:\windows\system32\DRIVERS\NNSHttp.sys;c:\windows\SYSNATIVE\DRIVERS\NNSHttp.sys [x]
S1 NNSHTTPS;NNSHTTPS;c:\windows\system32\DRIVERS\NNSHttps.sys;c:\windows\SYSNATIVE\DRIVERS\NNSHttps.sys [x]
S1 NNSIDS;NNSIDS;c:\windows\system32\DRIVERS\NNSIds.sys;c:\windows\SYSNATIVE\DRIVERS\NNSIds.sys [x]
S1 NNSNAHSL;Network Activity Hook Server LightWeight Filter Driver;c:\windows\system32\DRIVERS\NNSNAHSL.sys;c:\windows\SYSNATIVE\DRIVERS\NNSNAHSL.sys [x]
S1 NNSPICC;NNSPICC;c:\windows\system32\DRIVERS\NNSPicc.sys;c:\windows\SYSNATIVE\DRIVERS\NNSPicc.sys [x]
S1 NNSPIHSW;NNSPIHSW;c:\windows\system32\DRIVERS\NNSPihsw.sys;c:\windows\SYSNATIVE\DRIVERS\NNSPihsw.sys [x]
S1 NNSPOP3;NNSPOP3;c:\windows\system32\DRIVERS\NNSPop3.sys;c:\windows\SYSNATIVE\DRIVERS\NNSPop3.sys [x]
S1 NNSPROT;NNSPROT;c:\windows\system32\DRIVERS\NNSProt.sys;c:\windows\SYSNATIVE\DRIVERS\NNSProt.sys [x]
S1 NNSPRV;NNSPRV;c:\windows\system32\DRIVERS\NNSPrv.sys;c:\windows\SYSNATIVE\DRIVERS\NNSPrv.sys [x]
S1 NNSSMTP;NNSSMTP;c:\windows\system32\DRIVERS\NNSSmtp.sys;c:\windows\SYSNATIVE\DRIVERS\NNSSmtp.sys [x]
S1 NNSSTRM;NNSSTRM;c:\windows\system32\DRIVERS\NNSStrm.sys;c:\windows\SYSNATIVE\DRIVERS\NNSStrm.sys [x]
S1 NNSTLSC;NNSTLSC;c:\windows\system32\DRIVERS\NNSTlsc.sys;c:\windows\SYSNATIVE\DRIVERS\NNSTlsc.sys [x]
S1 PSINKNC;PSINKNC;c:\windows\system32\DRIVERS\psinknc.sys;c:\windows\SYSNATIVE\DRIVERS\psinknc.sys [x]
S2 NanoServiceMain;Panda Protection Service;c:\program files (x86)\Panda Security\Panda Security Protection\PSANHost.exe;c:\program files (x86)\Panda Security\Panda Security Protection\PSANHost.exe [x]
S2 NvStreamSvc;NVIDIA Streamer Service;c:\program files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe;c:\program files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [x]
S2 PandaAgent;Panda Devices Agent;c:\program files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe;c:\program files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe [x]
S2 PSINAflt;PSINAflt;c:\windows\system32\DRIVERS\PSINAflt.sys;c:\windows\SYSNATIVE\DRIVERS\PSINAflt.sys [x]
S2 PSINFile;PSINFile;c:\windows\system32\DRIVERS\PSINFile.sys;c:\windows\SYSNATIVE\DRIVERS\PSINFile.sys [x]
S2 PSINProc;PSINProc;c:\windows\system32\DRIVERS\PSINProc.sys;c:\windows\SYSNATIVE\DRIVERS\PSINProc.sys [x]
S2 PSINProt;PSINProt;c:\windows\system32\DRIVERS\PSINProt.sys;c:\windows\SYSNATIVE\DRIVERS\PSINProt.sys [x]
S2 PSINReg;PSINReg;c:\windows\system32\DRIVERS\PSINReg.sys;c:\windows\SYSNATIVE\DRIVERS\PSINReg.sys [x]
S2 PSUAService;Panda Product Service;c:\program files (x86)\Panda Security\Panda Security Protection\PSUAService.exe;c:\program files (x86)\Panda Security\Panda Security Protection\PSUAService.exe [x]
S2 VMUSBArbService;VMware USB Arbitration Service;c:\program files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe;c:\program files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe [x]
S3 asmthub3;ASMedia USB3 Hub Service;c:\windows\system32\DRIVERS\asmthub3.sys;c:\windows\SYSNATIVE\DRIVERS\asmthub3.sys [x]
S3 asmtxhci;ASMEDIA XHCI Service;c:\windows\system32\DRIVERS\asmtxhci.sys;c:\windows\SYSNATIVE\DRIVERS\asmtxhci.sys [x]
S3 nvvad_WaveExtensible;NVIDIA Virtual Audio Device (Wave Extensible) (WDM);c:\windows\system32\drivers\nvvad64v.sys;c:\windows\SYSNATIVE\drivers\nvvad64v.sys [x]
S3 PSKMAD;PSKMAD;c:\windows\system32\DRIVERS\PSKMAD.sys;c:\windows\SYSNATIVE\DRIVERS\PSKMAD.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
S4 PsBoot;Panda boot driver;c:\windows\system32\Drivers\PsBoot.sys;c:\windows\SYSNATIVE\Drivers\PsBoot.sys [x]
.
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cm106Sound"="c:\windows\Syswow64\cm106.dll" [2009-12-22 8151040]
"LogiOptions"="c:\program files\Logitech\LogiOptions\LogiOptions.exe" [2017-07-11 2110584]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RtkNGUI64.exe" [2011-12-12 7560296]
.
------- Skan uzupełniający -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&ksportuj do programu Microsoft Excel - d:\_progr~2\OFFICE~1\Office12\EXCEL.EXE/3000
IE: Pasek Narzędzi RoboForm - file://D:/_ProgramyW7/RoboForm7/RoboFormComShowToolbar.html
IE: Personalizuj menu - file://D:/_ProgramyW7/RoboForm7/RoboFormComCustomizeIEMenu.html
IE: Wypełnij Pola - file://D:/_ProgramyW7/RoboForm7/RoboFormComFillForms.html
IE: Zapisz Pola - file://D:/_ProgramyW7/RoboForm7/RoboFormComSavePass.html
LSP: %windir%\system32\vsocklib.dll
TCP: Interfaces\{59077C27-0E39-4B26-91F8-CCE90D4B0291}: NameServer = 82.163.142.8,95.211.158.136
TCP: Interfaces\{61389881-6AF1-44EC-8759-6A11276DC1EE}: NameServer = 82.163.142.8,95.211.158.136
TCP: Interfaces\{625026C2-6ACE-4D2B-94C3-8D64E07307AC}: NameServer = 82.163.142.8,95.211.158.136
FF - ProfilePath - c:\users\Domek\AppData\Roaming\Mozilla\Firefox\Profiles\0zatc5oi.default\
.
- - - - USUNIĘTO PUSTE WPISY - - - -
.
AddRemove-{8E2A29F2-96BF-8859-4DB7-5C16C91728A3}_is1 - c:\program files (x86)\eRightSoft\SUPER\unins000.exe
AddRemove-{1EAC1D02-C6AC-4FA6-9A44-96258C37C812eu}_is1 - m:\gry\WOT_w77\unins000.exe
.
.
.
--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\System\RxDeliveryStamp\{57C7DD3D-2E9C-4F3B-A270-391E8AEDF0C4}\Parameter****0D411D579080]
@Allowed: (B 1 4 5 6) (Administrators)
"DataA"=hex:01,17,43,66,bb,a6,a5,00,10,54,68,c2,58,50,84,20,b5,e1,79,ff,3b,9d,
   d1,01,bf,21,8b,01,80,f8,ff,ff
.
Czas ukończenia: 2018-04-12 23:40:41
ComboFix-quarantined-files.txt 2018-04-12 21:40
.
Przed: 9 202 941 952 bajtów wolnych
Po: 9 454 489 600 bajtów wolnych
.
- - End Of File - - F5FE5378493A9A69A46911A96CB7E38F
A36C5E4F47E84449FF07ED3517B43A31