MWAV - nález!!!

[Guivan5]

Tak sem poprvé použil MWAV, to je teda síla

co s tim pls???



Wed Oct 25 14:34:22 2006 => System found infected with bonzibuddy Spyware/Adware ({0a45db4d-bd0d-11d2-8d14-00104b9e072a})! Action taken: No Action Taken.
Wed Oct 25 14:34:22 2006 => System found infected with bonzibuddy Spyware/Adware ({0a45db4e-bd0d-11d2-8d14-00104b9e072a})! Action taken: No Action Taken.
Wed Oct 25 14:34:23 2006 => System found infected with bonzibuddy Spyware/Adware ({e91e27a2-c5ae-11d2-8d1b-00104b9e072a})! Action taken: No Action Taken.
Wed Oct 25 14:34:23 2006 => Offending Key found: HKLM\Software\microsoft\downloadmanager !!!
Wed Oct 25 14:34:23 2006 => Object "istbar Spyware/Adware" found in File System! Action Taken: No Action Taken.

Wed Oct 25 14:34:25 2006 => Offending Key found: HKLM\System\CurrentControlSet\Services\nwsapagent !!!
Wed Oct 25 14:34:25 2006 => Object "linkmedia Trojan" found in File System! Action Taken: No Action Taken.

Wed Oct 25 14:34:25 2006 => Offending value found in HKCU\Software\Licenses: {k7c0db872a3f777c0} !!!
Wed Oct 25 14:34:25 2006 => Object "spywarestrike Trojan" found in File System! Action Taken: No Action Taken.

Wed Oct 25 14:34:25 2006 => Offending Folder found: C:\win32app
Wed Oct 25 14:34:25 2006 => Object "winpup32 Spyware/Adware" found in File System! Action Taken: No Action Taken.

Wed Oct 25 14:35:12 2006 => Checking CLSID Reference Entries...
Wed Oct 25 14:35:13 2006 => Entry "HKCR\ComPlusMetaData.MsCorHost" refers to invalid object "{727CDF4F-3BA0-11D3-8738-00C04F79ED0D}". Action Taken: No Action Taken.

Wed Oct 25 14:35:13 2006 => Entry "HKCR\ComPlusMetaData.MsCorHost.2" refers to invalid object "{727CDF4F-3BA0-11D3-8738-00C04F79ED0D}". Action Taken: No Action Taken.

Wed Oct 25 14:35:14 2006 => Entry "HKCR\ICQPhone.SipxPhoneManager" refers to invalid object "{82308D15-1A2C-416A-A5BE-21DAF85DDB75}". Action Taken: No Action Taken.

Wed Oct 25 14:35:16 2006 => Entry "HKCR\SymWriter.pdb" refers to invalid object "{520DC67A-752E-11D3-8D56-00C04F680B2B}". Action Taken: No Action Taken.

Wed Oct 25 14:35:16 2006 => Entry "HKCR\WMPlayer.OCX" refers to invalid object "{6BF52A52-394A-11d3-B153-00C04F79FAA6}". Action Taken: No Action Taken.

Wed Oct 25 14:35:17 2006 => Entry "HKCR\WMPlayer.OCX.7" refers to invalid object "{6BF52A52-394A-11d3-B153-00C04F79FAA6}". Action Taken: No Action Taken.

Wed Oct 25 14:35:19 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".bmx". Action Taken: No Action Taken.

Wed Oct 25 14:35:20 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".q07". Action Taken: No Action Taken.

Wed Oct 25 14:35:20 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".SF2". Action Taken: No Action Taken.

Wed Oct 25 14:35:20 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".tmp". Action Taken: No Action Taken.

Wed Oct 25 14:35:20 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".u2". Action Taken: No Action Taken.

Wed Oct 25 14:35:20 2006 => Checking Application Cache Entries...
Wed Oct 25 14:35:20 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{B2D7CE29-614A-4ACC-8BFE-009EB3A244C9}". Action Taken: No Action Taken.

Wed Oct 25 14:54:49 2006 => ***** Scanning complete. *****

Wed Oct 25 14:54:49 2006 => Total Objects Scanned: 36316
Wed Oct 25 14:54:49 2006 => Total Critical Objects: 7
Wed Oct 25 14:54:49 2006 => Total Disinfected Objects: 0
Wed Oct 25 14:54:49 2006 => Total Objects Renamed: 0
Wed Oct 25 14:54:49 2006 => Total Deleted Objects: 0
Wed Oct 25 14:54:49 2006 => Total Errors: 14
Wed Oct 25 14:54:49 2006 => Time Elapsed: 00:22:04
Wed Oct 25 14:54:49 2006 => Virus Database Date: 10/25/2006
Wed Oct 25 14:54:49 2006 => Virus Database Count: 234752

Wed Oct 25 14:54:49 2006 => Scan Completed.

[Reklama]

[mijaja]

Takže šup do registrů a hledat a mazat

Pro bonzibuddyho máš tady seznam jeho registrů - v dolní polovině roletka Registry Items
Ty tři, co ti našel mwav by měly být mezi něma.

a zbytek:

HKLM\Software\microsoft\downloadmanager
HKLM\System\CurrentControlSet\Services\nwsapagent
HKCU\Software\Licenses: {k7c0db872a3f777c0}

a soubor:
C:\win32app

a všechno zničit, spálit.

[Guivan5]

tak to bude na dlouho

HKLM\Software\microsoft\downloadmanager
HKLM\System\CurrentControlSet\Services\nwsapagent
HKCU\Software\Licenses: {k7c0db872a3f777c0}


tyhle nemůžu najít!

EDIT: Už sem je našel a vymazal a chystám se projet komp CCleanerem a novej log z mwavu

[Guivan5]

Tak jsem ty viry v registru vymazal a posílám nový log z MWAVu.

Wed Oct 25 16:38:05 2006 => Offending value found in HKCU\Software\Licenses: {k7c0db872a3f777c0} !!!
Wed Oct 25 16:38:08 2006 => Object "spywarestrike Trojan" found in File System! Action Taken: No Action Taken.

Wed Oct 25 16:54:33 2006 => ***** Scanning complete. *****

Wed Oct 25 16:54:33 2006 => Total Objects Scanned: 36479
Wed Oct 25 16:54:33 2006 => Total Critical Objects: 1
Wed Oct 25 16:54:33 2006 => Total Disinfected Objects: 0
Wed Oct 25 16:54:33 2006 => Total Objects Renamed: 0
Wed Oct 25 16:54:33 2006 => Total Deleted Objects: 0
Wed Oct 25 16:54:33 2006 => Total Errors: 1
Wed Oct 25 16:54:33 2006 => Time Elapsed: 00:17:19
Wed Oct 25 16:54:33 2006 => Virus Database Date: 10/25/2006
Wed Oct 25 16:54:33 2006 => Virus Database Count: 234793

Wed Oct 25 16:54:33 2006 => Scan Completed.

Furt tam něco je... ten registr hned vymažu ten první ale ten druhej spywarestrike, co s tim?

[mijaja]

No je to už jen klíč, který není vázaný na nějaký soubor. Spíše je vázán nějakým jiným, pro mwav už zdánlivě neškodným klíčem. Musel bys projít všechny registry a hledat.

Takhle to píší na Symantecu (ale je to po indijánsky ):
.....
.....
.....
3. To delete the value from the registry
Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only. Read the document: How to make a backup of the Windows registry.

1. Click Start > Run.
2. Type regedit

Then click OK.

Note: If the registry editor fails to open the risk may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.

3. Navigate to the subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

4. In the right pane, delete the value:

"Solid Key Logger" = ""%ProgramFiles%\Solid Key Logger\SolidKeyLogger.exe" minimized"

5. Navigate to and delete the subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E0707FC1-858A-FEAA-3DA7-FF895EED2C75}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Solid Key Logger_is1
HKEY_ALL_USERS\Software\Virtuoza\Solid Key Logger

6. Navigate to the subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Licenses

7. In the right pane, delete the values:

"{I16368956CF7437B5}" = "06 00 00 00"
"{016368956CF7437B5}" = "56 3E A8 0E 0B A2 A7 A6 41 06 53 98 0D B9 44 A3 ED 32 92 66 BC B6 01 AB 99 E8 09 9B 01 B1 52 3D 7E E3 0B 3D 71 C8 79 79 C2 A3 33 5B 45 E7 43 79 52 F4 89 4F F2 85 97 A6 75 37 5F 7B B7 2C 86 1B 22 9C 32 79 34 B9 D3 2D 93 10 1D AC 7E 5D 6F 8B 70 0A EF A3 1C AE BC 92 C6 43 16 8B 46 A4 53 43 64 29 44 C3 95 4D 2C FE D0 10 5E 60 24 A3 E0 7C 3F 70 66 9B 01"
"{K7C0DB872A3F777C0}" = "[RANDOM VALUE]"
"{R7C0DB872A3F777C0}" = "[RANDOM VALUE]"

8. Navigate to the subkey:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System

9. In the right pane, reset the following value if required:

"DisableTaskMgr" = "1"

10. Exit the Registry Editor.

Jestli se v tom vyznáš.......

[Guivan5]

no přeložit to umim ale furt nevim jak vymazat ten spywarestrike protože u něj není zádnej klíč ani nic a mě to obtěžuje :/

[Guivan5]

Tak ten spywarestrike už tam není ale furt tam je ten error:

Wed Oct 25 21:16:16 2006 => ERROR!!! Invalid Entry \SystemRoot\system32\drivers\avgclnit.sys in SYSTEM\CurrentControlSet\Services\AvgClean...

Wed Oct 25 21:47:20 2006 => ***** Scanning complete. *****

Wed Oct 25 21:47:20 2006 => Total Objects Scanned: 37048
Wed Oct 25 21:47:20 2006 => Total Critical Objects: 0
Wed Oct 25 21:47:20 2006 => Total Disinfected Objects: 0
Wed Oct 25 21:47:20 2006 => Total Objects Renamed: 0
Wed Oct 25 21:47:20 2006 => Total Deleted Objects: 0
Wed Oct 25 21:47:20 2006 => Total Errors: 1
Wed Oct 25 21:47:20 2006 => Time Elapsed: 00:31:49
Wed Oct 25 21:47:20 2006 => Virus Database Date: 10/25/2006
Wed Oct 25 21:47:20 2006 => Virus Database Count: 234957

Wed Oct 25 21:47:20 2006 => Scan Completed.

poradíte jak ho odstranit?

[mijaja]

Error už je chyba legálního souboru - zkus přeinstalovat ten soubor z cdčka AVG, nebo si jej zkus stáhnout někde z netu. Ale dal bych si pozor! On nemusí být špatný. Může být jen pozměněm woknama k obrazu svému a tím se lišit od originálu.