ComboFix 13-09-26.03 - piotr 2013-09-27 15:02:19.1.2 - x86
Uruchomiony z: d:\download\ComboFix.exe
.
ADS - Windows: deleted 24 bytes in 1 streams.
.
((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\IsUn0415.exe
c:\windows\system32\tmpF160.tmp
c:\windows\system32\tmpF180.tmp
.
.
((((((((((((((((((((((((( Pliki utworzone od 2013-08-27 do 2013-09-27 )))))))))))))))))))))))))))))))
.
.
2013-09-26 08:34 . 2013-09-05 05:02 7328304 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{9D6E5DBC-F70E-4111-987A-FFCF489A8F2E}\mpengine.dll
2013-09-25 08:32 . 2013-09-05 05:02 7328304 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-09-24 07:26 . 2012-08-05 10:37 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-09-24 07:26 . 2011-12-03 20:32 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"KSS"="c:\program files\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe" [2012-12-07 202328]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-03-12 61440]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-02-13 6814240]
"VolPanel"="c:\program files\Creative\Sound Blaster Play\Volume Panel\VolPanlu.exe" [2008-05-05 221300]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2013-05-08 41056]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-07-18 995184]
.
c:\users\piotr\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Winamp.lnk - c:\program files\Winamp\winamp.exe [2010-5-25 1552736]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Users^piotr^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^regmonstd.lnk]
path=c:\users\piotr\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\regmonstd.lnk
backup=c:\windows\pss\regmonstd.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2013-05-08 21:20 41056 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-10-11 20:56 59280 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GarminExpressTrayApp]
2013-03-27 15:18 1098072 ----a-w- c:\program files\Garmin\Express Tray\ExpressTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GG]
2013-05-22 17:16 3365440 ----a-w- c:\users\piotr\AppData\Local\GG\Application\gghub.exe
.
S0 63478669;63478669;c:\windows\system32\DRIVERS\63478669.sys [2013-05-12 133208]
.
.
--- Inne Usługi/Sterowniki w Pamięci ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
yksvcs REG_MULTI_SZ yksvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
HPService REG_MULTI_SZ HPSLPSVC
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Zawartość folderu 'Zaplanowane zadania'
.
2013-09-27 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-05 07:26]
.
2013-09-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-27 13:13]
.
2013-09-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-27 13:13]
.
.
------- Skan uzupełniający -------
.
uStart Page = hxxp://www1.delta-search.com/?babsrc=HP_ss&mntrId=6C7F001E65365590&affID=119357&tsp=4985
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=SMSN&bmod=SMSN
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
TCP: DhcpNameServer = 194.168.4.100 194.168.8.100
TCP: Interfaces\{1D6C6FB9-8F72-4A13-ABE8-6D2E5D438791}: NameServer = 8.8.8.8,8.8.4.4,4.2.2.1,4.2.2.2,208.67.222.222,208.67.220.220,8.26.56.26,8.20.247.20,156.154.70.1,156.154.71.1
FF - ProfilePath - c:\users\piotr\AppData\Roaming\Mozilla\Firefox\Profiles\jz4d91q7.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.pl/
FF - ExtSQL: !HIDDEN! 2009-09-03 12:17; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
- - - - USUNIĘTO PUSTE WPISY - - - -
.
BHO-{ecdee021-0d17-467f-a1ff-c7a115230949} - (no file)
Toolbar-{ecdee021-0d17-467f-a1ff-c7a115230949} - (no file)
c:\users\piotr\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_63478669.lnk - c:\users\piotr\AppData\Local\Temp\_uninst_63478669.bat
SafeBoot-WudfPf
SafeBoot-WudfRd
MSConfigStartUp-ctfmon32 - c:\progra~2\rundll32.exe
AddRemove-SimCity 3000 - c:\windows\IsUn0415.exe
.
.
.
**************************************************************************
skanowanie ukrytych procesów ...
.
skanowanie ukrytych wpisów autostartu ...
.
skanowanie ukrytych plików ...
.
skanowanie pomyślnie ukończone
ukryte pliki:
.
**************************************************************************
.
--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------
.
[HKEY_USERS\S-1-5-21-2500472054-2611105895-1049644220-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{00D84268-0BE2-92B0-51B5-C88A0B166F98}*]
"jankhaahokjpplompmjc"=hex:64,61,69,6e,6b,64,6e,6e,00,01
"jankhacgbiiemnpmhfmp"=hex:68,62,6f,6e,61,69,6d,67,6b,61,69,68,69,62,65,66,67,
   70,61,6f,6d,62,6a,69,62,6d,70,68,6b,64,6d,61,6d,6f,62,63,70,65,70,66,61,6c,\
.
[HKEY_USERS\S-1-5-21-2500472054-2611105895-1049644220-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{FA0EACC3-27AD-DE51-189B-26D19B676474}*]
"nacmomccfjnehmifafekfldceajg"=hex:69,61,6e,61,6e,68,6d,70,69,6e,65,66,68,65,
   62,70,62,67,00,77
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Pozostałe uruchomione procesy ------------------------
.
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Creative\Shared Files\CTAudSvc.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\AAWService.exe
c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\program files\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Samsung\Samsung Magic Doctor\MagicDoctorKbdHk.exe
c:\program files\Samsung\Easy Display Manager\dmhkcore.exe
c:\program files\Samsung\EBM\EasyBatteryMgr3.exe
c:\program files\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe
c:\windows\servicing\TrustedInstaller.exe
c:\program files\Samsung\Samsung Update Plus\SUPBackground.exe
c:\windows\system32\conime.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Microsoft Security Client\MpCmdRun.exe
.
**************************************************************************
.
Czas ukończenia: 2013-09-27 15:19:30 - komputer został uruchomiony ponownie
ComboFix-quarantined-files.txt 2013-09-27 14:18
.
Przed: 314 073 088 bajtów wolnych
Po: 351 264 768 bajtów wolnych
.
- - End Of File - - 589A8D4D29084DAF117E7F480783F52A
61A349592C4728853F4A90FF78F7628E