Unfortunately, I couldn't paste the SilentRunners log because the Scripting Host won't start on my machine.
So, the log from HijackThis:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 14:04:57, on 2007-03-31
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\FlashGet\flashget.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Gran Paradiso\firefox.exe
D:\Programy\Do windowsa xp\Inne\HiJackThis_v2.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Flashget] C:\Program Files\FlashGet\flashget.exe /min
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-1960408961-113007714-682003330-1002\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O8 - Extra context menu item: &Ściągnij przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &Ściągnij wszystko przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O22 - SharedTaskScheduler: Moduł wstępnego ładowania interfejsu Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Demon buforu kategorii składników - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdcoreservice) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
--
End of file - 3375 bytes
Log from VBG:
[03/31/2007, 13:56:28] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Maciej\Pulpit\VirtumundoBeGone.exe" )
[03/31/2007, 13:56:30] - Detected System Information:
[03/31/2007, 13:56:30] - Windows Version: 5.1.2600, Dodatek Service Pack 2
[03/31/2007, 13:56:30] - Current Username: Maciej (Admin)
[03/31/2007, 13:56:30] - Windows is in NORMAL mode.
[03/31/2007, 13:56:30] - Searching for Browser Helper Objects:
[03/31/2007, 13:56:30] - BHO 1: {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} (FGCatchUrl)
[03/31/2007, 13:56:30] - BHO 2: {8D598351-260F-4351-9B57-AD82AB1CC606} ()
[03/31/2007, 13:56:30] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/31/2007, 13:56:30] - Checking for HKLM\...\Winlogon\Notify\pmkjk
[03/31/2007, 13:56:30] - Found: HKLM\...\Winlogon\Notify\pmkjk - This is probably Virtumundo.
[03/31/2007, 13:56:30] - Assigning {8D598351-260F-4351-9B57-AD82AB1CC606} MSEvents Object
[03/31/2007, 13:56:30] - BHO list has been changed! Starting over...
[03/31/2007, 13:56:30] - BHO 1: {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} (FGCatchUrl)
[03/31/2007, 13:56:30] - BHO 2: {8D598351-260F-4351-9B57-AD82AB1CC606} (MSEvents Object)
[03/31/2007, 13:56:30] - ALERT: Found MSEvents Object!
[03/31/2007, 13:56:30] - BHO 3: {E44527F6-1296-4A84-B67D-A6CEA6ED4B69} ()
[03/31/2007, 13:56:30] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/31/2007, 13:56:30] - Checking for HKLM\...\Winlogon\Notify\khfgdaa
[03/31/2007, 13:56:30] - Found: HKLM\...\Winlogon\Notify\khfgdaa - This is probably Virtumundo.
[03/31/2007, 13:56:30] - Assigning {E44527F6-1296-4A84-B67D-A6CEA6ED4B69} MSEvents Object
[03/31/2007, 13:56:30] - BHO list has been changed! Starting over...
[03/31/2007, 13:56:30] - BHO 1: {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} (FGCatchUrl)
[03/31/2007, 13:56:30] - BHO 2: {8D598351-260F-4351-9B57-AD82AB1CC606} (MSEvents Object)
[03/31/2007, 13:56:30] - ALERT: Found MSEvents Object!
[03/31/2007, 13:56:30] - BHO 3: {E44527F6-1296-4A84-B67D-A6CEA6ED4B69} (MSEvents Object)
[03/31/2007, 13:56:30] - ALERT: Found MSEvents Object!
[03/31/2007, 13:56:30] - BHO 4: {F156768E-81EF-470C-9057-481BA8380DBA} (FlashGet GetFlash Class)
[03/31/2007, 13:56:30] - Finished Searching Browser Helper Objects
[03/31/2007, 13:56:30] - *** Detected MSEvents Object
[03/31/2007, 13:56:30] - Trying to remove MSEvents Object...
[03/31/2007, 13:56:31] - Terminating Process: IEXPLORE.EXE
[03/31/2007, 13:56:31] - Terminating Process: RUNDLL32.EXE
[03/31/2007, 13:56:31] - Disabling Automatic Shell Restart
[03/31/2007, 13:56:32] - Terminating Process: EXPLORER.EXE
[03/31/2007, 13:56:32] - Suspending the NT Session Manager System Service
[03/31/2007, 13:56:32] - Terminating Windows NT Logon/Logoff Manager
[03/31/2007, 13:56:32] - Re-enabling Automatic Shell Restart
[03/31/2007, 13:56:32] - File to disable: C:\WINDOWS\system32\pmkjk.dll
[03/31/2007, 13:56:32] - Renaming C:\WINDOWS\system32\pmkjk.dll -> C:\WINDOWS\system32\pmkjk.dll.vir
[03/31/2007, 13:56:32] - File successfully renamed!
[03/31/2007, 13:56:32] - Removing HKLM\...\Browser Helper Objects\{8D598351-260F-4351-9B57-AD82AB1CC606}
[03/31/2007, 13:56:32] - Removing HKCR\CLSID\{8D598351-260F-4351-9B57-AD82AB1CC606}
[03/31/2007, 13:56:32] - Adding Kill Bit for ActiveX for GUID: {8D598351-260F-4351-9B57-AD82AB1CC606}
[03/31/2007, 13:56:32] - Deleting ATLEvents/MSEvents Registry entries
[03/31/2007, 13:56:32] - Removing HKLM\...\Winlogon\Notify\pmkjk
[03/31/2007, 13:56:32] - Searching for Browser Helper Objects:
[03/31/2007, 13:56:32] - BHO 1: {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} (FGCatchUrl)
[03/31/2007, 13:56:32] - BHO 2: {E44527F6-1296-4A84-B67D-A6CEA6ED4B69} (MSEvents Object)
[03/31/2007, 13:56:32] - ALERT: Found MSEvents Object!
[03/31/2007, 13:56:32] - BHO 3: {F156768E-81EF-470C-9057-481BA8380DBA} (FlashGet GetFlash Class)
[03/31/2007, 13:56:32] - Finished Searching Browser Helper Objects
[03/31/2007, 13:56:32] - *** Detected MSEvents Object
[03/31/2007, 13:56:32] - Trying to remove MSEvents Object...
[03/31/2007, 13:56:33] - Terminating Process: IEXPLORE.EXE
[03/31/2007, 13:56:33] - Terminating Process: RUNDLL32.EXE
[03/31/2007, 13:56:33] - Disabling Automatic Shell Restart
[03/31/2007, 13:56:33] - Terminating Process: EXPLORER.EXE
[03/31/2007, 13:56:34] - Suspending the NT Session Manager System Service
[03/31/2007, 13:56:34] - Terminating Windows NT Logon/Logoff Manager
[03/31/2007, 13:56:34] - Re-enabling Automatic Shell Restart
[03/31/2007, 13:56:34] - File to disable: C:\WINDOWS\system32\khfgdaa.dll
[03/31/2007, 13:56:34] - Renaming C:\WINDOWS\system32\khfgdaa.dll -> C:\WINDOWS\system32\khfgdaa.dll.vir
[03/31/2007, 13:56:34] - File successfully renamed!
[03/31/2007, 13:56:34] - Removing HKLM\...\Browser Helper Objects\{E44527F6-1296-4A84-B67D-A6CEA6ED4B69}
[03/31/2007, 13:56:34] - Removing HKCR\CLSID\{E44527F6-1296-4A84-B67D-A6CEA6ED4B69}
[03/31/2007, 13:56:34] - Adding Kill Bit for ActiveX for GUID: {E44527F6-1296-4A84-B67D-A6CEA6ED4B69}
[03/31/2007, 13:56:34] - Deleting ATLEvents/MSEvents Registry entries
[03/31/2007, 13:56:34] - Removing HKLM\...\Winlogon\Notify\khfgdaa
[03/31/2007, 13:56:34] - Searching for Browser Helper Objects:
[03/31/2007, 13:56:34] - BHO 1: {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} (FGCatchUrl)
[03/31/2007, 13:56:34] - BHO 2: {F156768E-81EF-470C-9057-481BA8380DBA} (FlashGet GetFlash Class)
[03/31/2007, 13:56:34] - Finished Searching Browser Helper Objects
[03/31/2007, 13:56:34] - Finishing up...
[03/31/2007, 13:56:34] - A restart is needed.
[03/31/2007, 13:56:34] - Automatic Reboot on STOP Error is not set. User will have to manually restart.
[03/31/2007, 13:56:35] - Attempting to Restart via STOP error (Blue Screen!)
Log from FixVundo:
Symantec Trojan.Vundo Removal Tool 1.5.0
C:\System Volume Information: (not scanned)
D:\System Volume Information: (not scanned)
Trojan.Vundo has not been found on your computer.
Log from VundoFix:
VundoFix V4.2.22
Scan started at 13:44:21 2007-03-31
Listing files found while scanning....
C:\WINDOWS\system32\jlnmp.bak1
C:\WINDOWS\system32\jlnmp.ini
Attempting to delete C:\WINDOWS\system32\jlnmp.bak1
C:\WINDOWS\system32\jlnmp.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\jlnmp.ini
C:\WINDOWS\system32\jlnmp.ini Has been deleted!
Performing Repairs to the registry.
Done!
Log from ComboFix:
"Maciej" - 07-03-31 13:35:05 Dodatek Service Pack 2