zdravím, prosím o kontrolu logu, při každém zapnutí pc mi avg hlasí napadení souboru vmmlog32.dll virem backdoor.generic3.ekv, takže je někde něco zalezené a nemůžu to najít, prosím o radu, co s tím. Díky
Logfile of HijackThis v1.99.1
Scan saved at 7:19:03, on 30.8.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Anti-Blaxx\Anti-Blaxx.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Servant Salamander 2.0\salamand.exe
F:\install\Antiviry\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Anti-Blaxx Manager] C:\Program Files\Anti-Blaxx\Anti-Blaxx.exe
O4 - HKLM\..\Run: [ICQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
mwav hlásí:
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKCR\DSP.DSP" refers to invalid object "{9C123EA9-AEC9-4f75-BBC0-7565FA1398966}". Action Taken: No Action Taken.
Entry "HKCR\DSP.DSPDMOProp_Chorus.1" refers to invalid object "{6F63B172-5543-4593-91CE-EDBA65B9FACDB}". Action Taken: No Action Taken.
Entry "HKCR\ICQPhone.SipxPhoneManager" refers to invalid object "{82308D15-1A2C-416A-A5BE-21DAF85DDB75}". Action Taken: No Action Taken.
Entry "HKCU\Software\Netscape\Netscape Navigator\User Trusted External Applications" refers to invalid object ""G:\data\cdw32.exe"". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\system32\pxwma.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-deu.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Deu.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\DOCUME~1\LF\LOCALS~1\Temp\_ISTMP1.DIR\_ISTMP0.DIR\FileGrp\Msvcrt10.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\InterVideo\Common\Bin\IVIPromotion.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\ACDSee.exe" refers to invalid object "ACDSee.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\BitComet.exe" refers to invalid object "E:\Program Files\BitComet\BitComet.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\BitLord.exe" refers to invalid object "E:\Program Files\BitLord\BitLord.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\cmmgr32.exe" refers to invalid object "C:\WINDOWS\system32\cmmgr32.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\RegCloneDVD2.exe" refers to invalid object "C:\Program Files\Elaborate Bytes\CloneDVD2\RegCloneDVD2.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\WINDOWS\Installer\{AC76BA86-1033-C470-7760-CE0000000001}\". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".2001-11-14". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".256". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".age3scn". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".big". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".cue". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".dbf". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".dff". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".dld". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".dta". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".fsh". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".gtk-bookmarks". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".gxt". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".ipl". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".mdf". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".mds". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".ram". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".rm". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".srt". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".svc". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".ubr". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".xs". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".zoo". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".ztd". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object "OpenWithList". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB893803". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "NVIDIA". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Operation Flashpoint". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "RadLight_is1". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Zoo Tycoon CZ". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{AC76BA86-1033-C470-7760-CE0000000001}". Action Taken: No Action Taken.
prosím o kontrol logu, nevím, co s tím
V logu z HJT nic škodlivého nemáš. Jenom obvyklé zbytečnosti při startu, které můžeš fixnout:
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ICQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
Ohledně logu z MWAV - nedal jsi tam závěrečnou tabulku, takže není poznat, jestli ti tam něco neuteklo. Ty první 2 řádky ukazují, že ti zůstaly v registrech záznamy po smazaném adware WhenU. Zbytek jsou chybné odkazy v registrech.
Soubor vmmlog32.dll je šmejd, tak se ho pokus najít na disku a smazat. Musíš mít zapnuté zobrazování skrytých souborů.
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ICQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
Ohledně logu z MWAV - nedal jsi tam závěrečnou tabulku, takže není poznat, jestli ti tam něco neuteklo. Ty první 2 řádky ukazují, že ti zůstaly v registrech záznamy po smazaném adware WhenU. Zbytek jsou chybné odkazy v registrech.
Soubor vmmlog32.dll je šmejd, tak se ho pokus najít na disku a smazat. Musíš mít zapnuté zobrazování skrytých souborů.
Znáte pravidla?
Tipy a triky ve Windows XP
Návody: HijackThis, MWAV, CCleaner (THX to mijaja)
Problémy, které chcete vyřešit pište sem do fóra. Neposílejte je emailem ani po ICQ!
Tipy a triky ve Windows XP
Návody: HijackThis, MWAV, CCleaner (THX to mijaja)
Problémy, které chcete vyřešit pište sem do fóra. Neposílejte je emailem ani po ICQ!
Přidávám aktuální log hijackthis a mwav včetně závěrečné tabulky. Bohužel je někde něco zalezené, protože když vmmlog32.dll dám do trezoru a ten pak vyprázdním, tak už ho ve složce Windows nikde nenajdu. Při zapnutí pc se ale opět vytvoří a avg hlásí znovu jeho napadení.
A co adresář WinSxS, který je ve Windowsu? Nějak se mi nezdají jeho soubory. Může být něco zde?
Aktuální HiJackthis
Logfile of HijackThis v1.99.1
Scan saved at 12:20:47, on 2.9.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Anti-Blaxx\Anti-Blaxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Servant Salamander 2.0\salamand.exe
F:\install\Antiviry\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Anti-Blaxx Manager] C:\Program Files\Anti-Blaxx\Anti-Blaxx.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
MWAV
Entry "HKCR\AcroIEHelper.AcroIEHlprObj" refers to invalid object "{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}". Action Taken: No Action Taken.
Entry "HKCR\AcroIEHelper.AcroIEHlprObj.1" refers to invalid object "{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}". Action Taken: No Action Taken.
Entry "HKCR\CmdLineExt.CmdLineContextMenu" refers to invalid object "{9869EFB4-18E9-11D3-A837-00104B9E30B5}". Action Taken: No Action Taken.
Entry "HKCR\CmdLineExt.CmdLineContextMenu.1" refers to invalid object "{9869EFB4-18E9-11D3-A837-00104B9E30B5}". Action Taken: No Action Taken.
Entry "HKCR\VIDEOEDIT.VideoEditCtrl.1" refers to invalid object "{57D9AF4C-23BA-47EC-A40B-2DA79641B285}". Action Taken: No Action Taken.
Entry "HKCU\Software\Netscape\Netscape Navigator\User Trusted External Applications" refers to invalid object ""G:\data\cdw32.exe"". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\ACDSee.exe" refers to invalid object "ACDSee.exe". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".uha". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".viv". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Toronto Raptors Court & Stadium 06". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "WinUHA_is1". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Šetřič Cimrman 1". Action Taken: No Action Taken.
File F:\install\Přehrávače\RAD\RadLight3.exe tagged as "not-a-virus:AdWare.Win32.SaveNow.ag". Action Taken: No Action Taken.
File F:\install\Codecs\GDiVX1.9.5.exe tagged as "not-a-virus:AdWare.Win32.SaveNow.w". Action Taken: No Action Taken.
Sat Sep 02 14:01:07 2006 => ***** Scanning complete. *****
Sat Sep 02 14:01:07 2006 => Total Objects Scanned: 151049
Sat Sep 02 14:01:07 2006 => Total Critical Objects: 2
Sat Sep 02 14:01:07 2006 => Total Disinfected Objects: 0
Sat Sep 02 14:01:07 2006 => Total Objects Renamed: 0
Sat Sep 02 14:01:07 2006 => Total Deleted Objects: 0
Sat Sep 02 14:01:07 2006 => Total Errors: 34
Sat Sep 02 14:01:07 2006 => Time Elapsed: 01:33:06
Sat Sep 02 14:01:07 2006 => Virus Database Date: 8/24/2006
Sat Sep 02 14:01:07 2006 => Virus Database Count: 217872
Sat Sep 02 14:01:07 2006 => Scan Completed.
A co adresář WinSxS, který je ve Windowsu? Nějak se mi nezdají jeho soubory. Může být něco zde?
Aktuální HiJackthis
Logfile of HijackThis v1.99.1
Scan saved at 12:20:47, on 2.9.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Anti-Blaxx\Anti-Blaxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Servant Salamander 2.0\salamand.exe
F:\install\Antiviry\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Anti-Blaxx Manager] C:\Program Files\Anti-Blaxx\Anti-Blaxx.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
MWAV
Entry "HKCR\AcroIEHelper.AcroIEHlprObj" refers to invalid object "{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}". Action Taken: No Action Taken.
Entry "HKCR\AcroIEHelper.AcroIEHlprObj.1" refers to invalid object "{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}". Action Taken: No Action Taken.
Entry "HKCR\CmdLineExt.CmdLineContextMenu" refers to invalid object "{9869EFB4-18E9-11D3-A837-00104B9E30B5}". Action Taken: No Action Taken.
Entry "HKCR\CmdLineExt.CmdLineContextMenu.1" refers to invalid object "{9869EFB4-18E9-11D3-A837-00104B9E30B5}". Action Taken: No Action Taken.
Entry "HKCR\VIDEOEDIT.VideoEditCtrl.1" refers to invalid object "{57D9AF4C-23BA-47EC-A40B-2DA79641B285}". Action Taken: No Action Taken.
Entry "HKCU\Software\Netscape\Netscape Navigator\User Trusted External Applications" refers to invalid object ""G:\data\cdw32.exe"". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\ACDSee.exe" refers to invalid object "ACDSee.exe". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".uha". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".viv". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Toronto Raptors Court & Stadium 06". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "WinUHA_is1". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Šetřič Cimrman 1". Action Taken: No Action Taken.
File F:\install\Přehrávače\RAD\RadLight3.exe tagged as "not-a-virus:AdWare.Win32.SaveNow.ag". Action Taken: No Action Taken.
File F:\install\Codecs\GDiVX1.9.5.exe tagged as "not-a-virus:AdWare.Win32.SaveNow.w". Action Taken: No Action Taken.
Sat Sep 02 14:01:07 2006 => ***** Scanning complete. *****
Sat Sep 02 14:01:07 2006 => Total Objects Scanned: 151049
Sat Sep 02 14:01:07 2006 => Total Critical Objects: 2
Sat Sep 02 14:01:07 2006 => Total Disinfected Objects: 0
Sat Sep 02 14:01:07 2006 => Total Objects Renamed: 0
Sat Sep 02 14:01:07 2006 => Total Deleted Objects: 0
Sat Sep 02 14:01:07 2006 => Total Errors: 34
Sat Sep 02 14:01:07 2006 => Time Elapsed: 01:33:06
Sat Sep 02 14:01:07 2006 => Virus Database Date: 8/24/2006
Sat Sep 02 14:01:07 2006 => Virus Database Count: 217872
Sat Sep 02 14:01:07 2006 => Scan Completed.
-
fredik
- člen Security týmu
-
Master Level 7
- Příspěvky: 4680
- Registrován: červenec 06
- Pohlaví:
- Stav:
Offline
v logu HJT a mwav nic není vidět. Zkus otestovat tyto dva soubory buď na Virustotal nebo Jotti's scan
F:\install\Přehrávače\RAD\RadLight3.exe
F:\install\Codecs\GDiVX1.9.5.exe
jestli si pamatuji tak RadLight3 v sobě obsahoval reklamní systémy
V jakém adresáři se ti přesně objevuje ten soubot vmmlog32.dll není náhodou v c:\WINDOWS
Zkus si stáhnout Black light
Překopířuj ho např soubor do D:\test
Ještě ho nespouštěj.
Běz do Start -> Spustit... a vlož tam cestu nebo ji tam napiš
d:\test\blbeta.exe /expert (bude se to lišit podle toho kam si ten soubor umístíš)
Klikni na ok nebo zmáčkni enter, klikni na scan -> až doběhne scan klikni na next potom exit. Vytvoří se ti log a ten sem vlož.
F:\install\Přehrávače\RAD\RadLight3.exe
F:\install\Codecs\GDiVX1.9.5.exe
jestli si pamatuji tak RadLight3 v sobě obsahoval reklamní systémy
V jakém adresáři se ti přesně objevuje ten soubot vmmlog32.dll není náhodou v c:\WINDOWS
Zkus si stáhnout Black light
Překopířuj ho např soubor do D:\test
Ještě ho nespouštěj.
Běz do Start -> Spustit... a vlož tam cestu nebo ji tam napiš
d:\test\blbeta.exe /expert (bude se to lišit podle toho kam si ten soubor umístíš)
Klikni na ok nebo zmáčkni enter, klikni na scan -> až doběhne scan klikni na next potom exit. Vytvoří se ti log a ten sem vlož.
Tvoje problémy s "reinkarnací" může způsobovat i Obnovení systému, takže ho vypni (pravé myšítko na Tento počítač/Vlastnosti/Obnovení systému).
Adresář WinSxS je v pořádku, protože jsou tu uložené různé knihovny a vizualizace. Jsou to nové verze, které nemůžou nahradit ty starší, protože s nima nespolupracují všechny aplikace.
Adresář WinSxS je v pořádku, protože jsou tu uložené různé knihovny a vizualizace. Jsou to nové verze, které nemůžou nahradit ty starší, protože s nima nespolupracují všechny aplikace.
Znáte pravidla?
Tipy a triky ve Windows XP
Návody: HijackThis, MWAV, CCleaner (THX to mijaja)
Problémy, které chcete vyřešit pište sem do fóra. Neposílejte je emailem ani po ICQ!
Tipy a triky ve Windows XP
Návody: HijackThis, MWAV, CCleaner (THX to mijaja)
Problémy, které chcete vyřešit pište sem do fóra. Neposílejte je emailem ani po ICQ!
Vmmlog32.dll je opravdu ve složce Windows a při každém spuštění pc se znovu vytvoří. Během víkendu se mi stalo, že jeho napadení se nehlásí hned při startu, ale až po proběhnutí testu avg. Takže mě napadá, že by mohla být spojitost mezi procesy, které jsme fixli a které ho při startu aktivovaly.
V současné době je Obnovení systému vypnuto.
Podezřelé soubory z F: jsem vymazal, protože je již nepotřebuji.
Přikládám log z Black Lightu.
09/03/06 12:00:46 [Info]: BlackLight Engine 1.0.46 initialized
09/03/06 12:00:46 [Info]: OS: 5.1 build 2600 (Service Pack 2)
09/03/06 12:00:46 [Note]: 7019 4
09/03/06 12:00:46 [Note]: 7005 0
09/03/06 12:00:55 [Note]: 7006 0
09/03/06 12:00:55 [Note]: 7022 0
09/03/06 12:00:55 [Note]: 7011 1284
09/03/06 12:00:56 [Note]: 7026 0
09/03/06 12:00:56 [Note]: 7026 0
09/03/06 12:00:56 [Note]: FSRAW library version 1.7.1019
09/03/06 12:04:33 [Note]: 7007 0
V současné době je Obnovení systému vypnuto.
Podezřelé soubory z F: jsem vymazal, protože je již nepotřebuji.
Přikládám log z Black Lightu.
09/03/06 12:00:46 [Info]: BlackLight Engine 1.0.46 initialized
09/03/06 12:00:46 [Info]: OS: 5.1 build 2600 (Service Pack 2)
09/03/06 12:00:46 [Note]: 7019 4
09/03/06 12:00:46 [Note]: 7005 0
09/03/06 12:00:55 [Note]: 7006 0
09/03/06 12:00:55 [Note]: 7022 0
09/03/06 12:00:55 [Note]: 7011 1284
09/03/06 12:00:56 [Note]: 7026 0
09/03/06 12:00:56 [Note]: 7026 0
09/03/06 12:00:56 [Note]: FSRAW library version 1.7.1019
09/03/06 12:04:33 [Note]: 7007 0
-
besst
- Level 2.5
- Příspěvky: 386
- Registrován: březen 05
- Bydliště: Severozápad
- Pohlaví:
- Stav:
Offline
- Kontakt:
ale už se na AVG vykašli a nedávej ho tam... Doporučuju mnohem silnější antiviry jakými jsou např. NOD32, nebo MicroWorld Escan - ten doporučuju osobně..
Kdo je online
Uživatelé prohlížející si toto fórum: Žádní registrovaní uživatelé a 13 hostů