Spy


(Tadek49) #1

How do I get rid of a spyware program? I scanned with Spy Sweeper, Ad-Aware Professional and Scan Spyware, but none of the programs showed the spy. Only when I scanned with Panda ActiveScan did I find out that I have a spyware program in the location Windows Registry, that it is Spyware/Searchcentrix, and that it is not disinfectable. How do I get rid of it? Please advise.


(Gutek) #2

The exact location - paste a log from HijackThis :wink:


(Tadek49) #3

I have a log, but I don't know how to paste it? I'm a beginner.


(Gutek) #4

See http://forum.dobreprogramy.pl/viewtopic.php?t=36654


(Tadek49) #5

I'm pasting the log.

Logfile of HijackThis v1.99.1
Scan saved at 19:03:17, on 2005-12-23
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\G DATA\AVKMail\AVKPOP.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\PROGRA~1\Wapster\AQQ\AQQ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\ServiceLayer.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Tray Helper_Tadek\Tray_helper.exe
C:\Program Files\AntiVirenKit\AVKService.exe
C:\Program Files\AntiVirenKit\AVKWCtl.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Tadek\Pulpit\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.interia.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [AVK Mail Checker] "C:\Program Files\Common Files\G DATA\AVKMail\AVKPOP.EXE"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [IZSoftTrayHelper] C:\Program Files\Tray Helper_Tadek\launch.exe
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [AQQ] C:\PROGRA~1\Wapster\AQQ\AQQ.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: Pobierz używając Download &Express'a - C:\Program Files\Download Express\Add_Url.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda … 4387063109
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan … asinst.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVK Service (AVKService) - Unknown owner - C:\Program Files\AntiVirenKit\AVKService.exe
O23 - Service: Strażnik AVK (AVKWCtl) - Unknown owner - C:\Program Files\AntiVirenKit\AVKWCtl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe


(Gutek) #6

Well, it's clean - post a screenshot from the Panda scanner - how to post screenshots: http://forum.dobreprogramy.pl/viewtopic.php?t=46412


(Tadek49) #7

Zdarzenie Status Lokalizacja

Spyware:spyware/searchcentrix Nie wyleczalny Windows Registry

I'm sending Panda's description.


(Gutek) #8

Well, that tells me nothing; the target element is always shown - see http://vil.mcafeesecurity.com/vil/content/v_101217.htm

This is why I'm asking what else there is - see the thread http://www.searchengines.pl/phpbb203/in … 172&st=100 - the so-called fight with windmills: where is it?


(Tadek49) #9

But when scanning with Panda Active Scan you can only save a report, and that was exactly the report. I'm also sending a log from Silent Runners, maybe it will help?

"Silent Runners.vbs", revision 41, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu Sp. z oo"]
"IZSoftTrayHelper" = "C:\Program Files\Tray Helper_Tadek\launch.exe" [empty string]
"IncrediMail" = "C:\Program Files\IncrediMail\bin\IncMail.exe /c" ["IncrediMail, Ltd."]
"AQQ" = "C:\PROGRA~1\Wapster\AQQ\AQQ.exe" ["AQQ Sp z o.o."]
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"RemoteControl" = ""C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"" ["Cyberlink Corp."]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"Cmaudio" = "RunDll32 cmicnfg.cpl,CMICtrlWnd" [MS]
"Lexmark X1100 Series" = ""C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"" ["Lexmark International, Inc."]
"DataLayer" = "C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe" ["Nokia Mobile Phones Ltd."]
"PCSuiteTrayApplication" = "C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray" ["Nokia"]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."]
"WinampAgent" = "C:\Program Files\Winamp\winampa.exe" [null data]
"AVK Mail Checker" = ""C:\Program Files\Common Files\G DATA\AVKMail\AVKPOP.EXE"" ["G DATA Software AG"]
"SpySweeper" = ""C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray" ["Webroot Software, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}(Default) = (no title provided)
-> {CLSID}\InProcServer32(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = "SSVHelper Class" [from CLSID]
-> {CLSID}\InProcServer32(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
-> {CLSID}\InProcServer32(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
-> {CLSID}\InProcServer32(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{00000000-5736-4205-0100-75ff97ac5007}" = "Steganos Internet Trace Destructor 7"
-> {CLSID}\InProcServer32(Default) = "c:\program files\steganos internet trace destructor 7\itd7se.dll" [null data]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{AB77609F-2178-4E6F-9C4B-44AC179D937A}" = "a² Context Menu Shell Extension"
-> {CLSID}\InProcServer32(Default) = "C:\PROGRA~1\A2FREE~1\A2CONT~1.DLL" [null data]
"{e82a2d71-5b2f-43a0-97b8-81be15854de8}" = "ShellLink for Application References"
-> {CLSID}\InProcServer32(Default) = "C:\WINDOWS\system32\dfshim.dll" [MS]
"{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}" = "Shell Icon Handler for Application References"
-> {CLSID}\InProcServer32(Default) = "C:\WINDOWS\system32\dfshim.dll" [MS]
"{ED65AC21-B24F-11d3-BA80-00C0CA16AA37}" = "Siemens Device"
-> {CLSID}\InProcServer32(Default) = "C:\Program Files\Mobile Phone Manager\DES\DESShellExt.dll" ["Siemens AG"]
"{ED65AC22-B24F-11d3-BA80-00C0CA16AA37}" = "Siemens Device ContextMenuHandler"
-> {CLSID}\InProcServer32(Default) = "C:\Program Files\Mobile Phone Manager\DES\DESShellExt.dll" ["Siemens AG"]
"{ED65AC23-B24F-11d3-BA80-00C0CA16AA37}" = "Siemens SX1 PropertySheetHandler"
-> {CLSID}\InProcServer32(Default) = "C:\Program Files\Mobile Phone Manager\DES\DESShellExt.dll" ["Siemens AG"]
"{416651E4-9C3C-11D9-8BDE-F66BAD1E3F3A}" = "PhoneBrowser"
-> {CLSID}\InProcServer32(Default) = "C:\Program Files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll" ["Nokia"]
"{FBFE7864-D495-41f0-B7DC-4BB601CC295E}" = "Contact View"
-> {CLSID}\InProcServer32(Default) = "C:\Program Files\Nokia\Nokia PC Suite 6\ContactView.dll" ["Nokia"]
"{C0C4375A-5B72-4efe-929D-3B848C3A1E91}" = "Message View"
-> {CLSID}\InProcServer32(Default) = "C:\Program Files\Nokia\Nokia PC Suite 6\MessageView.dll" ["Nokia"]
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}" = "Webroot Spy Sweeper Context Menu Integration"
-> {CLSID}\InProcServer32(Default) = "C:\PROGRA~1\Webroot\Spy Sweeper\SSCtxMnu.dll" ["Webroot Software, Inc."]

HKLM\System\CurrentControlSet\Control\Session Manager\
INFECTION WARNING! "BootExecute" = "autocheck autochk * SsiEfr.e" [file not found], [MS], [file not found], [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! WRNotifier\DLLName = "WRLogonNTF.dll" ["Webroot Software, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVK9CM(Default) = "{CAF4C320-32F5-11D3-A222-004095200FF2}"
-> {CLSID}\InProcServer32(Default) = "C:\Program Files\AntiVirenKit\ShellExt.dll" [empty string]
IMMenuShellExt(Default) = "{F8984111-38B6-11D5-8725-0050DA2761C4}"
-> {CLSID}\InProcServer32(Default) = "C:\Program Files\IncrediMail\bin\IMShExt.dll" ["IncrediMail, Ltd."]
Steganos Internet Trace Destructor 7(Default) = "{00000000-5736-4205-0100-75ff97ac5007}"
-> {CLSID}\InProcServer32(Default) = "c:\program files\steganos internet trace destructor 7\itd7se.dll" [null data]
WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
Steganos Internet Trace Destructor 7(Default) = "{00000000-5736-4205-0100-75ff97ac5007}"
-> {CLSID}\InProcServer32(Default) = "c:\program files\steganos internet trace destructor 7\itd7se.dll" [null data]
WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
a2ContMenu(Default) = "{AB77609F-2178-4E6F-9C4B-44AC179D937A}"
-> {CLSID}\InProcServer32(Default) = "C:\PROGRA~1\A2FREE~1\A2CONT~1.DLL" [null data]
AVK9CM(Default) = "{CAF4C320-32F5-11D3-A222-004095200FF2}"
-> {CLSID}\InProcServer32(Default) = "C:\Program Files\AntiVirenKit\ShellExt.dll" [empty string]
SpySweeper(Default) = "{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"
-> {CLSID}\InProcServer32(Default) = "C:\PROGRA~1\Webroot\Spy Sweeper\SSCtxMnu.dll" ["Webroot Software, Inc."]
WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

Active Desktop and Wallpaper:

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Tadek\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Startup items in "Tadek" & "All Users" startup folders:

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]

Winsock2 Service Provider DLLs:

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 04, 07 - 12
%SystemRoot%\system32\rsvpsp.dll [MS], 05 - 06

Toolbars, Explorer Bars, Extensions:

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
-> {CLSID}\InProcServer32(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):

AVK Service, AVKService, "C:\Program Files\AntiVirenKit\AVKService.exe" [empty string]
LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]
Strażnik AVK, AVKWCtl, "C:\Program Files\AntiVirenKit\AVKWCtl.exe" [empty string]
Webroot Spy Sweeper Engine, svcWRSSSDK, "C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe" ["Webroot Software, Inc."]

Print Monitors:

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Lexmark Network Port\Driver = "LEXLMPM.DLL" [file not found]

  • This report excludes default entries except where indicated.
  • To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
  • To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.

---------- (total run time: 26 seconds, including 4 seconds for message boxes)


(Gutek) #10

Please open the Registry Editor: Start >>> Run >>> regedit, and go to the key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager. There, double-click the BootExecute value and remove everything from the box except autocheck autochk *.
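The step above can also be checked and carried out from PowerShell. The script below is an added example for this thread, not code from the forum or from Silent Runners or HijackThis. It reads the same BootExecute value (a REG_MULTI_SZ that smss.exe processes before anyone logs on, which is why Silent Runners raises an INFECTION WARNING for it), flags every entry that is not the stock "autocheck autochk *", and checks whether the image an entry names exists in System32 (in the log above, SsiEfr.e was reported as "file not found"). It assumes Windows PowerShell 3.0 or later run from an elevated prompt, so it will not run on the Windows XP machine in the thread itself, where the manual regedit step remains the way to do it; the function and variable names are this example's own.

```powershell
# Added example (not from the thread). Audit and, if wanted, reset the BootExecute
# value that post #10 tells the user to clean by hand.
# Assumptions: Windows PowerShell 3.0+, elevated prompt, and a system whose only
# legitimate BootExecute entry is the stock "autocheck autochk *".

$BootExecuteKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$DefaultEntries = @('autocheck autochk *')

function Get-BootExecuteAudit {
    # Returns one object per BootExecute entry. Anything smss.exe starts from here
    # runs before logon and before most security tools, so an unexpected entry is
    # worth a look even when the on-demand scanners in the thread report "clean".
    $raw = (Get-ItemProperty -Path $BootExecuteKey -Name BootExecute).BootExecute
    foreach ($entry in @($raw) | Where-Object { $_.Trim() -ne '' }) {
        $tokens = $entry.Trim() -split '\s+'
        # "autocheck" is a keyword understood by smss.exe; the program that actually
        # runs is the next token (autochk). For any other entry the first token is
        # the native image smss.exe will look for in System32.
        $image = if ($tokens[0] -eq 'autocheck' -and $tokens.Count -gt 1) { $tokens[1] } else { $tokens[0] }
        $candidates = @($image, "$image.exe") | ForEach-Object {
            Join-Path $env:SystemRoot "System32\$_"
        }
        [pscustomobject]@{
            Entry       = $entry
            IsDefault   = ($DefaultEntries -contains $entry.Trim())
            ImageOnDisk = [bool]($candidates | Where-Object { Test-Path $_ })
        }
    }
}

function Restore-BootExecuteDefault {
    # Mirrors the manual regedit step from post #10: keep only the default entry.
    # The current value is saved to a text file first so the change can be reviewed
    # or undone. Requires an elevated prompt.
    param([string]$BackupPath = (Join-Path $env:TEMP 'BootExecute-backup.txt'))
    $current = @((Get-ItemProperty -Path $BootExecuteKey -Name BootExecute).BootExecute)
    $current | Set-Content -Path $BackupPath
    Set-ItemProperty -Path $BootExecuteKey -Name BootExecute `
        -Value ([string[]]$DefaultEntries) -Type MultiString
    Write-Output "Previous BootExecute value saved to $BackupPath"
}

# Usage: list the entries and see which ones are not the default and which point
# at an image that is not on disk.
Get-BootExecuteAudit | Format-Table -AutoSize

# Only after reviewing the table above, reset the value to the default:
# Restore-BootExecuteDefault
```

An entry that is both IsDefault = False and ImageOnDisk = False is the pattern Silent Runners flagged in the log: a leftover launch point whose program has already been removed. Removing the entry is what stops smss.exe from trying to start it at every boot; it does not by itself explain a scanner that still reports a registry detection, which is why the thread keeps looking after the value is cleaned.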


(Tadek49) #11

I did as recommended. There were: 1 autocheck autochk*

2 SsiEfr.c - I deleted the second one and started scanning with Panda, but unfortunately the spyware is still there.