Golden Keylogger jak usunac?

Dla specjalistów Bezpieczeństwo
#1

Zrobilem skan spybot i znowu mam syf :frowning: capture29lm.th.jpg

Prosze o sprawdzenie logow.

"Silent Runners.vbs", revision 45, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu Sp. z oo"]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"ACTray" = "C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe" ["Lenovo"]

"ACWLIcon" = "C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe" ["Lenovo"]

"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."]

"SynTPLpr" = "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" ["Synaptics, Inc."]

"SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]

"OWS Setup CmdLine" = ""C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\40\bin\cfgwiz.exe" /pkg "Office 2000 Server Extensions"" [MS]

"Odkurzacz-MCD" = "C:\Program Files\Odkurzacz 10.1 Pro\odk_mcd.exe" ["FranmoSoft"]

"Zone Labs Client" = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" ["Zone Labs, LLC"]

"KAVPersonal50" = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize" ["Kaspersky Lab"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"

  - {HKLM...CLSID} = "Display Panning CPL Extension"

                   \InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"

  - {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

"{32714800-2E5F-11d0-8B85-00AA0044F941}" = "For People..."

  - {HKLM...CLSID} = "For People..."

                   \InProcServer32\(Default) = "C:\Program Files\Outlook Express\wabfind.dll" [file not found]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  - {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"

  - {HKLM...CLSID} = "Shell Search Band"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]

"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"

  - {HKLM...CLSID} = "Portable Media Devices"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]

"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"

  - {HKLM...CLSID} = "Portable Media Devices Menu"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]

"{5E2121EE-0300-11D4-8D3B-444553550000}" = "SimpleShlExt extension"

  - {HKLM...CLSID} = "SimpleShlExt Class"

                   \InProcServer32\(Default) = "C:\PROGRA~1\GOLDEN~1\gftp.dll" [empty string]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"

  - {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"

  - {HKLM...CLSID} = "CShellExecuteHookImpl Object"

                   \InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\shellhook.dll" ["TODO: "]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"

  - {HKLM...CLSID} = "Ctest Object"

                   \InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\context.dll" ["ewido networks"]

Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"

  - {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\shellex.dll" ["Kaspersky Lab"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  - {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"

  - {HKLM...CLSID} = "Ctest Object"

                   \InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\context.dll" ["ewido networks"]

SimpleShlExt\(Default) = "{5E2121EE-0300-11D4-8D3B-444553550000}"

  - {HKLM...CLSID} = "SimpleShlExt Class"

                   \InProcServer32\(Default) = "C:\PROGRA~1\GOLDEN~1\gftp.dll" [empty string]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  - {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"

  - {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\shellex.dll" ["Kaspersky Lab"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  - {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]



Active Desktop and Wallpaper:

-----------------------------


Active Desktop is enabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "C:\WINDOWS\web\wallpaper\Bliss.bmp"


Active Desktop web content:


HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\0\

"FriendlyName" = ""

"Source" = ""

"SubscribedURL" = ""



Enabled Screen Saver:

---------------------


HKCU\Control Panel\Desktop\


HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\1\

"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]



Startup items in "andrzej" "All Users" startup folders:

---------------------------------------------------------


C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup

"Microsoft Office" - shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 04, 07 - 14

%SystemRoot%\system32\rsvpsp.dll [MS], 05 - 06



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


Ac Profile Manager Service, AcPrfMgrSvc, "C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe" [null data]

Access Connections Main Service, AcSvc, "C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe" ["Lenovo"]

ACU Configuration Service, ACS, "C:\WINDOWS\system32\acs.exe" [null data]

EvtEng, EvtEng, "C:\Program Files\Intel\Wireless\Bin\EvtEng.exe" ["Intel Corporation"]

ewido security suite control, ewido security suite control, "C:\Program Files\ewido anti-malware\ewidoctrl.exe" ["ewido networks"]

ewido security suite guard, ewido security suite guard, "C:\Program Files\ewido anti-malware\ewidoguard.exe" ["ewido networks"]

IBM PM Service, IBMPMSVC, "C:\WINDOWS\system32\ibmpmsvc.exe" [null data]

kavsvc, kavsvc, "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe" ["Kaspersky Lab"]

RegSrvc, RegSrvc, "C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe" ["Intel Corporation"]

Spectrum24 Event Monitor, S24EventMonitor, "C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe" ["Intel Corporation "]

TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"]

Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]



----------

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ To search all directories of local fixed drives for DESKTOP.INI

  DLL launch points and all Registry CLSIDs for dormant Explorer Bars,

  use the -supp parameter or answer "No" at the first message box.

---------- (total run time: 35 seconds, including 18 seconds for message boxes)
#2

W logu jest czysto :slight_smile:

Widzę, że masz EWIDO, dlatego przeskanuj nim dysk :slight_smile:

Przeczyść rejestr (polecam do tego RegCleaner 4.3.0.780)

#3

karon znasz to ?? Wiesz od czego to jest ??

#4

To server ftp,robilem skan Ewido i znalazl ponad 40 zainfekowanych cookie,i tak jest za kazdym razem

#5

Cookie

to nic groźnego … :wink: