Log

[Gość: autor]

Witam. Pomagałem znajomemu usunąć SpySherifa i inny syf. Skanowaliśmy:
Microsoft Antispyware, Kasperskym i Spybootem, naprawiliśmy pulpit. Niby
wszystko jest ok, ale pisze mi gość, że mu się otwierają same strony.
Tak wygląda log:

Logfile of HijackThis v1.99.1
Scan saved at 17:06:11, on 2005-11-27
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Stardock\TrayServer.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Documents and Settings\Agnieszka\Pulpit\hijackthis\HijackThis.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
www.onet.pl/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łšcza
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [1A:Stardock TrayMonitor] "C:\Program Files\Common
Files\Stardock\TrayServer.exe"
O4 - HKLM\..\Run: [Microsoft Update Machine] svhost1.exe
O4 - HKLM\..\Run: [Microsoft System Update] sysupdate.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Program
Files\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [SysMemory manager] c:\windows\system32\mdms.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky
Anti-Virus Personal Pro\kav.exe" /minimize
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft
AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32
\NvCpl.dll,NvStartup
O4 - HKLM\..\RunServices: [Microsoft Update Machine] svhost1.exe
O4 - HKLM\..\RunServices: [Microsoft System Update] sysupdate.exe
O4 - HKCU\..\Run: [Microsoft System Update] sysupdate.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web
Folders\ibm00003.exe"
O4 - HKCU\..\Run: [klop] C:\WINDOWS\B.tmp
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O8 - Extra context menu item: &Add animation to IncrediMail Style Box -
C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -
C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .mov: C:\Program Files\Internet
Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet
Explorer\PLUGINS\npqtplugin3.dll
O15 - Trusted Zone: skaner.mks.com.pl
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) -
skaner.mks.com.pl/SkanerOnline.cab
O20 - Winlogon Notify: Unimodem - C:\WINDOWS\system32\l8n4li5q18.dll
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky
Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. -
C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation -
C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

PS Wiem, że piracki Windows, wiem że Opera...

[Gość: k]

No pewnie, ze sie otwieraja bo ma look2me..

W hijackthis usun:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
c:\secure32.html <- usun plik
O4 - HKLM\..\Run: [Microsoft Update Machine] svhost1.exe
O4 - HKLM\..\Run: [Microsoft System Update] sysupdate.exe
O4 - HKLM\..\Run: [SysMemory manager] c:\windows\system32\mdms.exe <- opis
usuwania tutaj:
www.searchengines.pl/phpbb203/index.php?
showtopic=12510&pid=188758&mode=threaded&show=&st=30&#entry188758
O4 - HKLM\..\RunServices: [Microsoft Update Machine] svhost1.exe <- usun plik
O4 - HKLM\..\RunServices: [Microsoft System Update] sysupdate.exe
O4 - HKCU\..\Run: [Microsoft System Update] sysupdate.exe <- usun plik
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web
Folders\ibm00003.exe" <- usun plik
O4 - HKCU\..\Run: [klop] C:\WINDOWS\B.tmp <- faktycznie klop, jeden wielki
klop, usun go..
O20 - Winlogon Notify: Unimodem - C:\WINDOWS\system32\l8n4li5q18.dll <-
look2me, sporbuj uninstallera stad:
www.pchell.com/support/look2me.shtml
Jak nie zadziala to na searchengines masz opis usuwania lub wklej tam log z
l2mfix.exe


:PS Wiem, że piracki Windows, wiem że Opera...

Moze i piracki ale SP1 ma i nawet aktualizacje IE, ale Opera i tak sie przyda
skoro uzytkownik ma dwie lewe rence do internetu ;-)