Vymazany Avast

[spratek]

Zdravim,
Jednoho dne jsem si vsiml, ze nemam spusteni antivir (Avast). Pidil jsem se po problemu a zjistil, ze v adresari Avastu jsou vsechny soubory s priponou .exe vymazany. Pokusil jsem se Avast preinstalovat, ale soubory tam stále nejsou (pri instalaci nehlasil zadnou chybu). Nainstaloval jsem tedy Avast v nouzovém rezimu a spustil scan objevil a vylecil vir win32: beagle. Po restartu ovsem znovu chybely vsechny .exe soubory. Zkusil jsem opravu WinXP s instalacniho CD a problem pretrvava. Stejny problem mam i s porogramem Spybot. Zkusil jsem v nouzovém rezimu .exe soubory zálohovat a po restaru natvrdo zkopirovat, ale system pise, ze nelze a ze disk je pravdepodobne plny, coz samozrejme neni pravda.
Preinstalovavt cele Winy se mi opravdu nechce. Setkal se s tim nekdy nekdo?

Logfile of HijackThis v1.99.1
Scan saved at 8:27:30, on 29.10.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\totalcmd\TOTALCMD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Opera\Opera.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Miranda IM\miranda32.exe
C:\Documents and Settings\marik\Plocha\hijackthis_199\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/rlidOff ... ?clid=1029
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] S:\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Akcelerátor spuštění AutoCADu.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Hlavní panel ATI CATALYST.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.cz/buxus/docs/OnlineScanner.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe (file missing)
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ESA 5.2.320 - Macrovision Corporation - C:\LMGRD\Lmgrd.exe
O23 - Service: Nexis 3.5 license server - dT 2004 - Unknown owner - C:\flexlm\nexis\LMGRD.EXE

[Reklama]

[Baron Prášil]

log je v pořádku-exáče u avastu i spybotu jsou.

nainstaluj firewall
vyber si tady,doporučuju ZoneAlarm nebo Comodo

udělej log z MWAV

[spratek]

MWAV nasel vir BkCln.Unknown !! v ntoskrnl.exe, ale nevim co stim dal. Vymazat tento soubor nejspis nelze. Avast a NOD32 ten vir nedetekovali.


zde je log z MWAV
Tue Oct 30 09:04:47 2007 => System found infected with websearch Toolbar ({7dd95801-9882-11cf-9fa9-00aa006c42c4})!

Action taken: Nic nebylo provedeno.
Tue Oct 30 09:04:50 2007 => Offending Key found: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet

Settings\ZoneMap\Domains\gator.com !!!
Tue Oct 30 09:04:50 2007 => Objekt "gain.gator Spyware/Adware" nalezen v souborovém systému! Provedené akce: Nic

nebylo provedeno.

Tue Oct 30 09:04:50 2007 => Offending Key found: HKLM\Software\Microsoft\Windows\CurrentVersion\Internet

Settings\p3p\history\gator.com !!!
Tue Oct 30 09:04:50 2007 => Objekt "gain.gator Spyware/Adware" nalezen v souborovém systému! Provedené akce: Nic

nebylo provedeno.

Tue Oct 30 09:04:50 2007 => Offending Key found: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet

Settings\p3p\history\gator.com !!!
Tue Oct 30 09:04:50 2007 => Objekt "gain.gator Spyware/Adware" nalezen v souborovém systému! Provedené akce: Nic

nebylo provedeno.

Tue Oct 30 09:04:54 2007 => Offending file found: C:\WINDOWS\gpinstall.exe
Tue Oct 30 09:04:54 2007 => System found infected with conducent flexpak Spyware/Adware (gpinstall.exe)! Action

taken: Nic nebylo provedeno.

Tue Oct 30 09:05:22 2007 => Checking MountPoints2 Registry Key...
Tue Oct 30 09:05:22 2007 => Invalid Command Found in

{78913394-76f1-11dc-8c83-0016e6565895}\Shell\Autoplay\DropTarget\AutoRun\command: G:\USBNB.exe
Tue Oct 30 09:05:22 2007 => Offending Key found:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{78913394-76f1-11dc-8c83-0016e6565

895} !!!
Tue Oct 30 09:05:22 2007 => Objekt "Possible Fujacks-type Worm" nalezen v souborovém systému! Provedené akce: Nic

nebylo provedeno.



Tue Oct 30 09:06:53 2007 => Testování souboru C:\WINDOWS\system32\ntoskrnl.exe
Tue Oct 30 09:06:54 2007 => Result: ERROR!!! File C:\WINDOWS\system32\ntoskrnl.exe: Scanning Failure!!!
Tue Oct 30 09:06:54 2007 => C:\WINDOWS\system32\ntoskrnl.exe possibly infected and removed by background antivirus

package!
Tue Oct 30 09:06:54 2007 => Soubor C:\WINDOWS\system32\ntoskrnl.exe je infikovaný virem BkCln.Unknown !! Provedené

akce: Nic nebylo provedeno.

[spratek]

pri instalaci firewallu nastala modra smrt, vypis pameti a obnova systemu...

[Baron Prášil]

Stáhni si ComboFix (by sUBs) a ulož si ho na plochu.
Ukonči všechna aktivní okna a spusť ho.
- Po spuštění se zobrazí podmínky užití, potvrď je stiskem klávesy 1
- Dále postupuj dle pokynů, během aplikování ComboFixu neklikej do zobrazujícího se okna
- Po dokončení skenování by měl program vytvořit log, který se ti zobrazí, jinak ho najdeš zde: C:\ComboFix.txt - zkopíruj sem prosím celý jeho obsah

[spratek]

ComboFix 07-10-30.2 - marik 2007-10-30 13:53:26.1 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.1.1029.18.522 [GMT 1:00]
Running from: C:\Documents and Settings\marik\Plocha\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\marik\Data aplikací\hidires
C:\Documents and Settings\marik\Data aplikací\hidires\m_hook.sys
C:\Program Files\Common Files\{3C7EB~1
C:\Program Files\Common Files\{3C7EB~1\Uninst.exe
C:\Program Files\Common Files\{AC7EB~1
C:\WINDOWS\regedit.com
C:\WINDOWS\system32\drivers\srosa.sys
C:\WINDOWS\system32\taskmgr.com

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\m_hook


((((((((((((((((((((((((( Files Created from 2007-09-28 to 2007-10-30 )))))))))))))))))))))))))))))))
.

2007-10-30 13:53 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-30 12:32 <DIR> d-------- C:\Documents and Settings\marik\Data aplikací\Comodo
2007-10-30 12:32 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\Comodo
2007-10-30 12:28 <DIR> d-------- C:\Program Files\Comodo
2007-10-30 12:24 2,150,400 --a------ C:\WINDOWS\system32\ntoskrnl.exe
2007-10-30 12:24 2,150,400 --a--c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2007-10-30 12:19 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-10-30 08:52 <DIR> d-------- C:\Program Files\CCleaner
2007-10-29 15:18 <DIR> d-a------ C:\WINDOWS\zts2.exe
2007-10-29 15:18 <DIR> d-a------ C:\WINDOWS\system32\vcmgcd32.dll
2007-10-29 15:18 <DIR> d-a------ C:\WINDOWS\system32\systems.txt
2007-10-29 15:18 <DIR> d-a------ C:\WINDOWS\system32\iifgfgf.dll
2007-10-29 15:18 <DIR> d-a------ C:\WINDOWS\rundll16.exe
2007-10-29 15:18 <DIR> d-a------ C:\WINDOWS\rundl132.dll
2007-10-29 15:18 <DIR> d-a------ C:\WINDOWS\logo1_.exe
2007-10-29 15:12 147,968 --a------ C:\WINDOWS\R.COM
2007-10-29 15:12 137,216 --a------ C:\WINDOWS\system32\T.COM
2007-10-29 09:48 <DIR> d-------- C:\Documents and Settings\marik\Data aplikací\FINE
2007-10-29 09:42 306,688 --a------ C:\WINDOWS\IsUninst.exe
2007-10-29 07:57 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-10-29 07:42 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-10-29 07:42 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\Kaspersky Lab
2007-10-25 14:08 <DIR> d-------- C:\Program Files\Alwil Software
2007-10-25 13:39 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2007-10-25 13:39 24,661 --a--c--- C:\WINDOWS\system32\dllcache\spxcoins.dll
2007-10-25 13:39 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2007-10-25 13:39 13,312 --a--c--- C:\WINDOWS\system32\dllcache\irclass.dll
2007-10-24 07:08 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2007-10-24 07:00 <DIR> d-------- C:\Documents and Settings\marik\Data aplikací\Uniblue
2007-10-18 09:37 679,424 --a------ C:\WINDOWS\is-8P4BI.exe
2007-10-18 08:23 <DIR> d-------- C:\Program Files\RegCleaner
2007-10-17 06:03 60,416 --a------ C:\WINDOWS\system32\drivers\xdyw^nfo.sys
2007-10-16 08:20 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-09-18 11:26 <DIR> d-------- C:\Documents and Settings\marik\Data aplikací\Apple Computer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-25 06:32 --------- d-----w C:\Documents and Settings\All Users\Data aplikací\Spybot - Search & Destroy
2007-10-23 09:34 --------- d-----w C:\Program Files\Paint.NET
2007-10-22 05:10 --------- d-----w C:\Program Files\Opera
2007-10-16 07:34 --------- d-----w C:\Program Files\Java
2007-10-16 05:36 --------- d-----w C:\Program Files\eMule
2007-10-10 11:32 --------- d-----w C:\Documents and Settings\marik\Data aplikací\XnView
2007-09-06 10:05 94,416 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-09-06 10:05 92,848 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-09-06 10:03 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-09-06 10:00 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-05-16 12:03 105,420 ----a-w C:\Documents and Settings\marik\seznam.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-03 20:05]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-05-03 23:33]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 09:42]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 05:24]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"SoundMan"="SOUNDMAN.EXE" [2006-03-01 09:22 C:\WINDOWS\soundman.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-18 13:00]
"SpybotSD TeaTimer"="S:\Spybot - Search & Destroy\TeaTimer.exe" []

C:\Documents and Settings\All Users\Nabídka Start\Programy\Po spuštění\
Akcelerátor spuštění AutoCADu.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe [2005-03-05 14:18:22]
Hlavní panel ATI CATALYST.lnk - C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe [2005-05-03 23:33:42]

R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys
S1 srosa;Megadrv3;\??\C:\WINDOWS\system32\drivers\srosa.sys
S3 GVCplDrv;GVCplDrv;C:\WINDOWS\system32\drivers\GVCplDrv.sys
S3 lmimirr;lmimirr;C:\WINDOWS\system32\DRIVERS\lmimirr.sys
S3 NPF;Netgroup Packet Filter;C:\WINDOWS\system32\drivers\npf.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{78913394-76f1-11dc-8c83-0016e6565895}]
AutoRun\command - G:\USBNB.exe

.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-30 13:57:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-30 13:58:43 - machine was rebooted
.
--- E O F ---

[Baron Prášil]

sorry,nebyl sem

použij Avenger http://www.spyware.cz/go.php?p=spyware&t=aplikace&id=35

a tento skript

Files to delete:
C:\WINDOWS\system32\drivers\srosa.sys

toto
C:\WINDOWS\is-8P4BI.exe
C:\WINDOWS\system32\drivers\xdyw^nfo.sys
nech zkontrolovat tady http://www.virustotal.com/flash/index_en.html

nepoužívej "Procházet" ale vlož do okna celou cestu k souboru metodou Ctrl+C > Ctrl+V