Zákeřný VIR

[da.backer]

Tak Mám problém.
Nedávno jsem sem psal že mám zavirovaný PC. Jednalo se o exe soubory které se samy objevovali v C:\

Nakonec jsem naformátoval HDD a naistaloval Win. + Nejnovejší aktualizace co jsou. Dále ZoneAlarm,SpyWare Terminator a AVAST.

Stejně mám ale problém začalo se objevovat skoro to samé v C:\ se vždy nezávysle na sobě spouští isass.exe který po spuštění zase zmizí ale při spouštění AVAST nahlasí že je to infikovaný soubor ( Win32:agent-LMI Trojský Kun) at dám co dám stejně to za chvíli vyletí znovu. Dále se tam objevil sasa.exe uplně to samé ale u toho jsem zablokoval spouštění přes SpywareTerm... Díky tomu mi zase padajá občas EXPLORER.exe a myslím, že toto téma souvisí s jiným témem jako bylo fufins.exe nebo tak něco měl v popisu.

Jinak přikládám logy. Z NOUZOVÉHO REŽIMU.

ComboFix 08-04-06.1 - ThiefMaster 2008-04-07 17:19:15.1 - NTFSx86 NETWORK
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.1.1029.18.776 [GMT 2:00]
Running from: C:\Documents and Settings\ThiefMaster\Plocha\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-03-07 to 2008-04-07 )))))))))))))))))))))))))))))))
.

2008-04-07 16:49 . 2008-04-07 16:49 <DIR> d-------- C:\Program Files\MyPlayCity.com
2008-04-07 14:54 . 2008-03-29 19:31 75,856 --a------ C:\WINDOWS\system32\drivers\aswSP.sys
2008-04-07 14:54 . 2008-03-29 19:35 20,560 --a------ C:\WINDOWS\system32\drivers\aswFsBlk.sys
2008-04-06 21:40 . 2008-04-06 21:43 222,515 --a------ C:\sasa.exe
2008-04-06 11:09 . 2008-02-27 13:15 28,416 --a------ C:\WINDOWS\system32\uxtuneup.dll
2008-04-06 11:08 . 2008-04-06 11:08 <DIR> d-------- C:\Program Files\TuneUp Utilities 2008
2008-04-06 11:08 . 2008-04-06 11:08 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-06 11:08 . 2008-04-06 11:08 <DIR> d-------- C:\Documents and Settings\ThiefMaster\Data aplikací\TuneUp Software
2008-04-06 11:08 . 2008-04-06 11:08 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\TuneUp Software
2008-04-06 11:08 . 2008-04-06 11:08 307,968 --a------ C:\WINDOWS\system32\TuneUpDefragService.exe
2008-04-05 21:52 . 2004-08-03 23:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-04-03 20:36 . 2008-04-07 15:42 <DIR> d-------- C:\Program Files\Krtecek_2_0_2
2008-04-03 18:31 . 2008-04-03 18:31 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-03 17:23 . 2008-04-03 17:23 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-04-03 16:12 . 2008-04-03 16:12 <DIR> d-------- C:\Program Files\MSBuild
2008-04-03 16:09 . 2008-04-03 17:28 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-04-03 16:09 . 2008-04-03 16:09 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-04-03 16:00 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-04-03 15:59 . 2008-04-03 15:59 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-04-03 15:59 . 2006-10-04 16:06 1,197,294 -----c--- C:\WINDOWS\system32\dllcache\sysmain.sdb
2008-04-03 15:59 . 2006-10-04 16:06 764,868 -----c--- C:\WINDOWS\system32\dllcache\apph_sp.sdb
2008-04-03 15:59 . 2006-10-04 16:06 217,118 -----c--- C:\WINDOWS\system32\dllcache\apphelp.sdb
2008-04-03 15:57 . 2008-04-03 15:57 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-04-03 15:57 . 2008-04-03 15:58 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-04-03 14:59 . 2007-12-07 04:14 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-04-03 14:59 . 2007-07-01 05:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-04-03 14:59 . 2007-07-01 05:36 1,024,000 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-04-03 14:59 . 2007-12-07 04:14 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-04-03 14:59 . 2007-12-07 04:14 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-04-03 14:59 . 2007-12-07 04:14 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-04-03 14:59 . 2007-12-07 04:14 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-04-03 14:59 . 2007-12-07 04:14 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-04-03 14:59 . 2007-12-06 13:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-03 14:58 . 2008-04-03 16:13 <DIR> d-------- C:\WINDOWS\system32\cs-cz
2008-04-03 14:56 . 2007-08-13 18:54 33,792 --a--c--- C:\WINDOWS\system32\dllcache\custsat.dll
2008-04-03 14:04 . 2007-07-09 15:11 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-04-02 21:56 . 2008-04-02 21:56 <DIR> d-------- C:\Documents and Settings\LocalService\Nabídka Start
2008-04-02 21:42 . 2008-04-02 21:42 <DIR> d-------- C:\WINDOWS\provisioning
2008-04-02 21:41 . 2008-04-02 21:41 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-04-02 21:36 . 2004-07-17 11:40 19,528 --a------ C:\WINDOWS\002300_.tmp
2008-04-02 21:34 . 2008-04-02 21:43 <DIR> d-------- C:\WINDOWS\EHome
2008-04-02 18:54 . 2008-04-02 18:54 1,158 --a------ C:\WINDOWS\mozver.dat
2008-04-02 18:46 . 2008-04-02 18:46 <DIR> d-------- C:\Program Files\Zone Labs
2008-04-02 18:46 . 2008-04-02 18:46 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\MailFrontier
2008-04-02 18:45 . 2008-04-07 17:18 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-04-02 18:37 . 2008-04-02 18:37 <DIR> d-------- C:\Program Files\Java
2008-04-02 18:37 . 2008-04-02 18:37 <DIR> d-------- C:\Program Files\Common Files\Java
2008-04-02 18:37 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-02 18:35 . 2008-04-02 18:35 <DIR> d--hs---- C:\Documents and Settings\ThiefMaster\UserData
2008-04-02 18:32 . 2008-04-06 21:44 <DIR> d-------- C:\Program Files\WinClamAVShield
2008-04-02 18:26 . 2008-04-02 18:26 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-04-02 18:25 . 2008-04-06 21:44 <DIR> d-------- C:\Program Files\Spyware Terminator
2008-04-02 18:25 . 2008-04-07 14:22 <DIR> d-------- C:\Documents and Settings\ThiefMaster\Data aplikací\Spyware Terminator
2008-04-02 18:25 . 2008-04-02 22:04 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\Spyware Terminator
2008-04-02 18:25 . 2008-04-02 18:25 138,752 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-04-02 18:24 . 2008-03-29 19:23 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-04-02 18:24 . 2008-03-29 19:35 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-04-02 18:24 . 2008-01-17 17:34 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-04-02 18:24 . 2008-03-29 19:27 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-04-02 18:24 . 2008-03-29 19:26 26,944 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-04-02 18:24 . 2008-03-29 19:29 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-04-02 18:23 . 2008-04-02 18:23 <DIR> d-------- C:\Program Files\Alwil Software
2008-04-02 18:23 . 2008-03-29 19:45 1,146,232 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-04-02 18:23 . 2003-03-18 21:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-04-02 18:23 . 2003-03-18 20:14 499,712 --a------ C:\WINDOWS\system32\MSVCP71.dll
2008-04-02 18:23 . 2004-01-09 10:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-04-02 18:23 . 2003-02-21 04:42 348,160 --a------ C:\WINDOWS\system32\MSVCR71.dll
2008-04-02 18:22 . 2004-08-17 15:45 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-04-02 18:22 . 2008-04-02 18:22 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-02 18:21 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-04-02 18:15 . 2008-04-02 18:15 <DIR> d-------- C:\WINDOWS\system32\Lang
2008-04-02 18:15 . 2008-04-02 18:15 940,794 --a------ C:\WINDOWS\system32\LoopyMusic.wav
2008-04-02 18:15 . 2008-04-02 18:15 146,650 --a------ C:\WINDOWS\system32\BuzzingBee.wav
2008-04-02 18:15 . 2004-08-17 15:49 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-04-02 18:15 . 2001-10-24 11:54 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-04-02 18:15 . 2001-10-24 11:54 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-04-02 18:15 . 2001-08-17 22:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-04-02 18:15 . 2001-08-17 22:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-04-02 18:14 . 2008-04-02 18:14 <DIR> d-------- C:\Program Files\Common Files\snp2std
2008-04-02 18:13 . 2008-04-02 18:13 <DIR> d-------- C:\WINDOWS\OPTIONS
2008-04-02 18:13 . 2004-08-17 15:43 119,808 --a------ C:\WINDOWS\system32\drivers\pcmcia.sys
2008-04-02 18:13 . 2005-11-16 10:08 78,976 --a------ C:\WINDOWS\system32\drivers\Rtenicxp.sys
2008-04-02 18:12 . 2006-06-14 11:00 82,944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
2008-04-02 18:12 . 2004-08-03 23:07 52,864 --a------ C:\WINDOWS\system32\drivers\dmusic.sys
2008-04-02 18:12 . 2006-06-14 10:47 6,400 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2008-04-02 18:10 . 2006-03-14 11:01 16,010,752 -r------- C:\WINDOWS\RTHDCPL.exe
2008-04-02 18:10 . 2006-03-14 09:49 9,711,104 -r------- C:\WINDOWS\RTLCPL.exe
2008-04-02 18:10 . 2006-03-16 07:24 4,249,088 -r------- C:\WINDOWS\system32\drivers\RtkHDAud.Sys
2008-04-02 18:10 . 2006-03-09 11:45 364,544 -r------- C:\WINDOWS\RtlUpd.exe
2008-04-02 18:10 . 2006-01-10 07:58 266,240 -r------- C:\WINDOWS\system32\RTSndMgr.Cpl
2008-04-02 18:10 . 2006-02-20 11:00 86,016 -r------- C:\WINDOWS\SoundMan.exe
2008-04-02 18:10 . 2007-10-05 15:42 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-04-02 18:09 . 2008-04-02 18:09 <DIR> d-------- C:\Program Files\Realtek
2008-04-02 18:09 . 2006-03-14 09:45 2,809,344 -r------- C:\WINDOWS\alcwzrd.exe
2008-04-02 18:09 . 2006-03-10 13:32 2,158,592 -r------- C:\WINDOWS\MicCal.exe
2008-04-02 18:09 . 2005-04-16 16:20 487,424 -r------- C:\WINDOWS\RtlExUpd.dll
2008-04-02 18:09 . 2005-09-21 04:25 299,008 -r------- C:\WINDOWS\system32\ALSndMgr.Cpl
2008-04-02 18:09 . 2005-05-03 12:43 69,632 -r------- C:\WINDOWS\Alcmtr.exe
2008-04-02 18:06 . 2006-01-19 22:10 363,008 --a------ C:\WINDOWS\system32\drivers\rt61.sys
2008-04-02 18:06 . 2005-05-17 15:24 311,296 --a------ C:\WINDOWS\system32\AegisI5.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-03 18:51 1,491,456 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-04-02 17:10 --------- d-----w C:\Program Files\QIP
2008-04-02 16:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-02 16:01 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-02 16:01 --------- d-----w C:\Program Files\ATI Technologies
2008-04-02 15:57 --------- d-----w C:\Program Files\AMD
2008-04-02 15:50 --------- d-----w C:\Program Files\microsoft frontpage
2008-04-02 15:49 558,142 ----a-w C:\WINDOWS\java\Packages\6MZBHB9V.ZIP
2008-04-02 15:49 155,995 ----a-w C:\WINDOWS\java\Packages\YA2HZJDV.ZIP
2008-03-13 21:11 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2008-03-13 21:11 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-17 15:49 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 14:43 45056]
"RTHDCPL"="RTHDCPL.EXE" [2006-03-14 11:01 16010752 C:\WINDOWS\RTHDCPL.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-09-09 05:20 88203 C:\WINDOWS\AGRSMMSG.exe]
"tsnp2std"="C:\WINDOWS\tsnp2std.exe" [2005-08-17 15:57 90112]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 19:37 79224]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 13:06 40048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]
"SpywareTerminator"="C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe" [2008-04-02 18:25 2957824]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 23:11 919016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-17 15:49 15360]

C:\Documents and Settings\All Users\Nabˇdka Start\Programy\Po spuçtŘnˇ\
Ralink Wireless Utility.lnk - C:\Program Files\RALINK\Common\RaUI.exe [2008-04-02 18:06:19 589824]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\QIP\\qip.exe"=

R0 O2MDRDR;O2MDRDR;C:\WINDOWS\system32\DRIVERS\o2media.sys [2006-02-27 09:00]
R0 O2SDRDR;O2SDRDR;C:\WINDOWS\system32\DRIVERS\o2sd.sys [2006-02-20 10:01]
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-03 23:04]
S1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 19:31]
S1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\System32\drivers\sp_rsdrv2.sys [2008-04-02 18:25]
S2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 19:35]
S2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-17 15:49]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-04-06 11:08]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

*Newly Created Service* - PARPORT

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{08B0E5C0-4FCB-11CF-AAX5-90401C608512}]
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-04-07 15:00:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2008\OneClickStarter.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-07 17:20:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-07 17:21:15
ComboFix-quarantined-files.txt 2008-04-07 15:21:07
Adresářů: 6, Volných bajtů: 87,381,372,928
Adresářů: 8, Volných bajtů: 87,356,661,760







Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:17:04, on 7.4.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: Podpora odkazu pro Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 7154166520
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - C:\WINDOWS\System32\o2flash.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 4894 bytes

[Reklama]

[gyga]

Buď máš zavirovanou nějakou instalačku, nebo Boot sektor. S tím výpisem počkáme na někoho zkušenějšího. Zkus hledat jak odstranit vira z Boot sektoru.

[da.backer]

Jj ale chtěl bych někoho kdo to se mnou dotáhne do konce protože jsem z toho akorát celej nasr*nej. Takže díky všem za pomoc předem :)

[Baron Prášil]

Otevři si Poznámkový blok (Start -> Spustit... a napiš do okna Notepad a dej Ok)
Zkopíruj do něj následující text označený zeleně:

Kód: Vybrat vše

File::
C:\sasa.exe
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise.exe

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{08B0E5C0-4FCB-11CF-AAX5-90401C608512}]

Zvol možnost Soubor -> Uložit jako... a nastav tyto parametry:
Název souboru: zde napiš: CFScript.txt
Uložit jako typ: tak tam vyber Všechny soubory
Ulož soubor na plochu.
Ukonči všechna aktivní okna.
Uchop myší vytvořený skript CFScript.txt, přemísti ho nad stažený program ComboFix.exe a když se oba soubory překryjí, skript upusť

- Automaticky se spustí ComboFix
- Vlož sem log, který vyběhne v závěru čistícího procesu+nový log z hijackthis z norm režimu

[da.backer]

Takže v nouzovém režimu

ComboFix 08-04-06.1 - ThiefMaster 2008-04-07 18:42:24.2 - NTFSx86 NETWORK
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.1.1029.18.815 [GMT 2:00]
Running from: C:\Documents and Settings\ThiefMaster\Plocha\ComboFix.exe
Command switches used :: C:\Documents and Settings\ThiefMaster\Plocha\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise.exe
C:\sasa.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\sasa.exe

.
((((((((((((((((((((((((( Files Created from 2008-03-07 to 2008-04-07 )))))))))))))))))))))))))))))))
.

2008-04-07 16:49 . 2008-04-07 16:49 <DIR> d-------- C:\Program Files\MyPlayCity.com
2008-04-07 14:54 . 2008-03-29 19:31 75,856 --a------ C:\WINDOWS\system32\drivers\aswSP.sys
2008-04-07 14:54 . 2008-03-29 19:35 20,560 --a------ C:\WINDOWS\system32\drivers\aswFsBlk.sys
2008-04-06 11:09 . 2008-02-27 13:15 28,416 --a------ C:\WINDOWS\system32\uxtuneup.dll
2008-04-06 11:08 . 2008-04-06 11:08 <DIR> d-------- C:\Program Files\TuneUp Utilities 2008
2008-04-06 11:08 . 2008-04-06 11:08 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-06 11:08 . 2008-04-06 11:08 <DIR> d-------- C:\Documents and Settings\ThiefMaster\Data aplikací\TuneUp Software
2008-04-06 11:08 . 2008-04-06 11:08 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\TuneUp Software
2008-04-06 11:08 . 2008-04-06 11:08 307,968 --a------ C:\WINDOWS\system32\TuneUpDefragService.exe
2008-04-05 21:52 . 2004-08-03 23:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-04-03 20:36 . 2008-04-07 15:42 <DIR> d-------- C:\Program Files\Krtecek_2_0_2
2008-04-03 18:31 . 2008-04-03 18:31 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-03 17:23 . 2008-04-03 17:23 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-04-03 16:12 . 2008-04-03 16:12 <DIR> d-------- C:\Program Files\MSBuild
2008-04-03 16:09 . 2008-04-03 17:28 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-04-03 16:09 . 2008-04-03 16:09 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-04-03 16:00 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-04-03 15:59 . 2008-04-03 15:59 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-04-03 15:59 . 2006-10-04 16:06 1,197,294 -----c--- C:\WINDOWS\system32\dllcache\sysmain.sdb
2008-04-03 15:59 . 2006-10-04 16:06 764,868 -----c--- C:\WINDOWS\system32\dllcache\apph_sp.sdb
2008-04-03 15:59 . 2006-10-04 16:06 217,118 -----c--- C:\WINDOWS\system32\dllcache\apphelp.sdb
2008-04-03 15:57 . 2008-04-03 15:57 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-04-03 15:57 . 2008-04-03 15:58 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-04-03 14:59 . 2007-12-07 04:14 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-04-03 14:59 . 2007-07-01 05:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-04-03 14:59 . 2007-07-01 05:36 1,024,000 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-04-03 14:59 . 2007-12-07 04:14 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-04-03 14:59 . 2007-12-07 04:14 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-04-03 14:59 . 2007-12-07 04:14 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-04-03 14:59 . 2007-12-07 04:14 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-04-03 14:59 . 2007-12-07 04:14 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-04-03 14:59 . 2007-12-06 13:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-03 14:58 . 2008-04-03 16:13 <DIR> d-------- C:\WINDOWS\system32\cs-cz
2008-04-03 14:56 . 2007-08-13 18:54 33,792 --a--c--- C:\WINDOWS\system32\dllcache\custsat.dll
2008-04-03 14:04 . 2007-07-09 15:11 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-04-02 21:56 . 2008-04-02 21:56 <DIR> d-------- C:\Documents and Settings\LocalService\Nabídka Start
2008-04-02 21:42 . 2008-04-02 21:42 <DIR> d-------- C:\WINDOWS\provisioning
2008-04-02 21:41 . 2008-04-02 21:41 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-04-02 21:36 . 2004-07-17 11:40 19,528 --a------ C:\WINDOWS\002300_.tmp
2008-04-02 21:34 . 2008-04-02 21:43 <DIR> d-------- C:\WINDOWS\EHome
2008-04-02 18:54 . 2008-04-02 18:54 1,158 --a------ C:\WINDOWS\mozver.dat
2008-04-02 18:46 . 2008-04-02 18:46 <DIR> d-------- C:\Program Files\Zone Labs
2008-04-02 18:46 . 2008-04-02 18:46 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\MailFrontier
2008-04-02 18:45 . 2008-04-07 18:36 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-04-02 18:37 . 2008-04-02 18:37 <DIR> d-------- C:\Program Files\Java
2008-04-02 18:37 . 2008-04-02 18:37 <DIR> d-------- C:\Program Files\Common Files\Java
2008-04-02 18:37 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-02 18:35 . 2008-04-02 18:35 <DIR> d--hs---- C:\Documents and Settings\ThiefMaster\UserData
2008-04-02 18:32 . 2008-04-06 21:44 <DIR> d-------- C:\Program Files\WinClamAVShield
2008-04-02 18:26 . 2008-04-02 18:26 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-04-02 18:25 . 2008-04-06 21:44 <DIR> d-------- C:\Program Files\Spyware Terminator
2008-04-02 18:25 . 2008-04-07 14:22 <DIR> d-------- C:\Documents and Settings\ThiefMaster\Data aplikací\Spyware Terminator
2008-04-02 18:25 . 2008-04-02 22:04 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\Spyware Terminator
2008-04-02 18:25 . 2008-04-02 18:25 138,752 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-04-02 18:24 . 2008-03-29 19:23 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-04-02 18:24 . 2008-03-29 19:35 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-04-02 18:24 . 2008-01-17 17:34 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-04-02 18:24 . 2008-03-29 19:27 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-04-02 18:24 . 2008-03-29 19:26 26,944 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-04-02 18:24 . 2008-03-29 19:29 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-04-02 18:23 . 2008-04-02 18:23 <DIR> d-------- C:\Program Files\Alwil Software
2008-04-02 18:23 . 2008-03-29 19:45 1,146,232 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-04-02 18:23 . 2003-03-18 21:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-04-02 18:23 . 2003-03-18 20:14 499,712 --a------ C:\WINDOWS\system32\MSVCP71.dll
2008-04-02 18:23 . 2004-01-09 10:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-04-02 18:23 . 2003-02-21 04:42 348,160 --a------ C:\WINDOWS\system32\MSVCR71.dll
2008-04-02 18:22 . 2004-08-17 15:45 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-04-02 18:22 . 2008-04-02 18:22 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-02 18:21 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-04-02 18:15 . 2008-04-02 18:15 <DIR> d-------- C:\WINDOWS\system32\Lang
2008-04-02 18:15 . 2008-04-02 18:15 940,794 --a------ C:\WINDOWS\system32\LoopyMusic.wav
2008-04-02 18:15 . 2008-04-02 18:15 146,650 --a------ C:\WINDOWS\system32\BuzzingBee.wav
2008-04-02 18:15 . 2004-08-17 15:49 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-04-02 18:15 . 2001-10-24 11:54 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-04-02 18:15 . 2001-10-24 11:54 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-04-02 18:15 . 2001-08-17 22:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-04-02 18:15 . 2001-08-17 22:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-04-02 18:14 . 2008-04-02 18:14 <DIR> d-------- C:\Program Files\Common Files\snp2std
2008-04-02 18:13 . 2008-04-02 18:13 <DIR> d-------- C:\WINDOWS\OPTIONS
2008-04-02 18:13 . 2004-08-17 15:43 119,808 --a------ C:\WINDOWS\system32\drivers\pcmcia.sys
2008-04-02 18:13 . 2005-11-16 10:08 78,976 --a------ C:\WINDOWS\system32\drivers\Rtenicxp.sys
2008-04-02 18:12 . 2006-06-14 11:00 82,944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
2008-04-02 18:12 . 2004-08-03 23:07 52,864 --a------ C:\WINDOWS\system32\drivers\dmusic.sys
2008-04-02 18:12 . 2006-06-14 10:47 6,400 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2008-04-02 18:10 . 2006-03-14 11:01 16,010,752 -r------- C:\WINDOWS\RTHDCPL.exe
2008-04-02 18:10 . 2006-03-14 09:49 9,711,104 -r------- C:\WINDOWS\RTLCPL.exe
2008-04-02 18:10 . 2006-03-16 07:24 4,249,088 -r------- C:\WINDOWS\system32\drivers\RtkHDAud.Sys
2008-04-02 18:10 . 2006-03-09 11:45 364,544 -r------- C:\WINDOWS\RtlUpd.exe
2008-04-02 18:10 . 2006-01-10 07:58 266,240 -r------- C:\WINDOWS\system32\RTSndMgr.Cpl
2008-04-02 18:10 . 2006-02-20 11:00 86,016 -r------- C:\WINDOWS\SoundMan.exe
2008-04-02 18:10 . 2007-10-05 15:42 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-04-02 18:09 . 2008-04-02 18:09 <DIR> d-------- C:\Program Files\Realtek
2008-04-02 18:09 . 2006-03-14 09:45 2,809,344 -r------- C:\WINDOWS\alcwzrd.exe
2008-04-02 18:09 . 2006-03-10 13:32 2,158,592 -r------- C:\WINDOWS\MicCal.exe
2008-04-02 18:09 . 2005-04-16 16:20 487,424 -r------- C:\WINDOWS\RtlExUpd.dll
2008-04-02 18:09 . 2005-09-21 04:25 299,008 -r------- C:\WINDOWS\system32\ALSndMgr.Cpl
2008-04-02 18:09 . 2005-05-03 12:43 69,632 -r------- C:\WINDOWS\Alcmtr.exe
2008-04-02 18:06 . 2006-01-19 22:10 363,008 --a------ C:\WINDOWS\system32\drivers\rt61.sys
2008-04-02 18:06 . 2005-05-17 15:24 311,296 --a------ C:\WINDOWS\system32\AegisI5.exe
2008-04-02 18:06 . 2006-01-19 09:20 295,016 --a------ C:\WINDOWS\system32\Install6x.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-03 18:51 1,491,456 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-04-02 17:10 --------- d-----w C:\Program Files\QIP
2008-04-02 16:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-02 16:01 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-02 16:01 --------- d-----w C:\Program Files\ATI Technologies
2008-04-02 15:57 --------- d-----w C:\Program Files\AMD
2008-04-02 15:50 --------- d-----w C:\Program Files\microsoft frontpage
2008-04-02 15:49 558,142 ----a-w C:\WINDOWS\java\Packages\6MZBHB9V.ZIP
2008-04-02 15:49 155,995 ----a-w C:\WINDOWS\java\Packages\YA2HZJDV.ZIP
2008-03-13 21:11 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2008-03-13 21:11 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-17 15:49 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 14:43 45056]
"RTHDCPL"="RTHDCPL.EXE" [2006-03-14 11:01 16010752 C:\WINDOWS\RTHDCPL.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-09-09 05:20 88203 C:\WINDOWS\AGRSMMSG.exe]
"tsnp2std"="C:\WINDOWS\tsnp2std.exe" [2005-08-17 15:57 90112]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 19:37 79224]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 13:06 40048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]
"SpywareTerminator"="C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe" [2008-04-02 18:25 2957824]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 23:11 919016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-17 15:49 15360]

C:\Documents and Settings\All Users\Nabˇdka Start\Programy\Po spuçtŘnˇ\
Ralink Wireless Utility.lnk - C:\Program Files\RALINK\Common\RaUI.exe [2008-04-02 18:06:19 589824]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\QIP\\qip.exe"=

R0 O2MDRDR;O2MDRDR;C:\WINDOWS\system32\DRIVERS\o2media.sys [2006-02-27 09:00]
R0 O2SDRDR;O2SDRDR;C:\WINDOWS\system32\DRIVERS\o2sd.sys [2006-02-20 10:01]
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-03 23:04]
S1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 19:31]
S1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\System32\drivers\sp_rsdrv2.sys [2008-04-02 18:25]
S2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 19:35]
S2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-17 15:49]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-04-06 11:08]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

.
Contents of the 'Scheduled Tasks' folder
"2008-04-07 16:00:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2008\OneClickStarter.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-07 18:44:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-07 18:44:31
ComboFix-quarantined-files.txt 2008-04-07 16:44:23
ComboFix2.txt 2008-04-07 15:21:16
Adresářů: 6, Volných bajtů: 87,410,507,776
Adresářů: 7, Volných bajtů: 87,385,821,184

A v normálním režimu

ComboFix 08-04-06.1 - ThiefMaster 2008-04-07 18:48:41.3 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.1.1029.18.582 [GMT 2:00]
Running from: C:\Documents and Settings\ThiefMaster\Plocha\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-03-07 to 2008-04-07 )))))))))))))))))))))))))))))))
.

2008-04-07 16:49 . 2008-04-07 16:49 <DIR> d-------- C:\Program Files\MyPlayCity.com
2008-04-07 14:54 . 2008-03-29 19:31 75,856 --a------ C:\WINDOWS\system32\drivers\aswSP.sys
2008-04-07 14:54 . 2008-03-29 19:35 20,560 --a------ C:\WINDOWS\system32\drivers\aswFsBlk.sys
2008-04-06 11:09 . 2008-02-27 13:15 28,416 --a------ C:\WINDOWS\system32\uxtuneup.dll
2008-04-06 11:08 . 2008-04-06 11:08 <DIR> d-------- C:\Program Files\TuneUp Utilities 2008
2008-04-06 11:08 . 2008-04-06 11:08 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-06 11:08 . 2008-04-06 11:08 <DIR> d-------- C:\Documents and Settings\ThiefMaster\Data aplikací\TuneUp Software
2008-04-06 11:08 . 2008-04-06 11:08 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\TuneUp Software
2008-04-06 11:08 . 2008-04-06 11:08 307,968 --a------ C:\WINDOWS\system32\TuneUpDefragService.exe
2008-04-05 21:52 . 2004-08-03 23:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-04-03 20:36 . 2008-04-07 15:42 <DIR> d-------- C:\Program Files\Krtecek_2_0_2
2008-04-03 18:31 . 2008-04-03 18:31 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-03 17:23 . 2008-04-03 17:23 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-04-03 16:12 . 2008-04-03 16:12 <DIR> d-------- C:\Program Files\MSBuild
2008-04-03 16:09 . 2008-04-03 17:28 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-04-03 16:09 . 2008-04-03 16:09 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-04-03 16:00 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-04-03 15:59 . 2008-04-03 15:59 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-04-03 15:59 . 2006-10-04 16:06 1,197,294 -----c--- C:\WINDOWS\system32\dllcache\sysmain.sdb
2008-04-03 15:59 . 2006-10-04 16:06 764,868 -----c--- C:\WINDOWS\system32\dllcache\apph_sp.sdb
2008-04-03 15:59 . 2006-10-04 16:06 217,118 -----c--- C:\WINDOWS\system32\dllcache\apphelp.sdb
2008-04-03 15:57 . 2008-04-03 15:57 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-04-03 15:57 . 2008-04-03 15:58 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-04-03 14:59 . 2007-12-07 04:14 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-04-03 14:59 . 2007-07-01 05:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-04-03 14:59 . 2007-07-01 05:36 1,024,000 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-04-03 14:59 . 2007-12-07 04:14 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-04-03 14:59 . 2007-12-07 04:14 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-04-03 14:59 . 2007-12-07 04:14 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-04-03 14:59 . 2007-12-07 04:14 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-04-03 14:59 . 2007-12-07 04:14 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-04-03 14:59 . 2007-12-06 13:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-03 14:58 . 2008-04-03 16:13 <DIR> d-------- C:\WINDOWS\system32\cs-cz
2008-04-03 14:56 . 2007-08-13 18:54 33,792 --a--c--- C:\WINDOWS\system32\dllcache\custsat.dll
2008-04-03 14:04 . 2007-07-09 15:11 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-04-02 21:56 . 2008-04-02 21:56 <DIR> d-------- C:\Documents and Settings\LocalService\Nabídka Start
2008-04-02 21:42 . 2008-04-02 21:42 <DIR> d-------- C:\WINDOWS\provisioning
2008-04-02 21:41 . 2008-04-02 21:41 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-04-02 21:36 . 2004-07-17 11:40 19,528 --a------ C:\WINDOWS\002300_.tmp
2008-04-02 21:34 . 2008-04-02 21:43 <DIR> d-------- C:\WINDOWS\EHome
2008-04-02 18:54 . 2008-04-02 18:54 1,158 --a------ C:\WINDOWS\mozver.dat
2008-04-02 18:46 . 2008-04-02 18:46 <DIR> d-------- C:\Program Files\Zone Labs
2008-04-02 18:46 . 2008-04-02 18:46 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\MailFrontier
2008-04-02 18:45 . 2008-04-07 18:46 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-04-02 18:37 . 2008-04-02 18:37 <DIR> d-------- C:\Program Files\Java
2008-04-02 18:37 . 2008-04-02 18:37 <DIR> d-------- C:\Program Files\Common Files\Java
2008-04-02 18:37 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-02 18:35 . 2008-04-02 18:35 <DIR> d--hs---- C:\Documents and Settings\ThiefMaster\UserData
2008-04-02 18:32 . 2008-04-06 21:44 <DIR> d-------- C:\Program Files\WinClamAVShield
2008-04-02 18:26 . 2008-04-02 18:26 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-04-02 18:25 . 2008-04-06 21:44 <DIR> d-------- C:\Program Files\Spyware Terminator
2008-04-02 18:25 . 2008-04-07 14:22 <DIR> d-------- C:\Documents and Settings\ThiefMaster\Data aplikací\Spyware Terminator
2008-04-02 18:25 . 2008-04-02 22:04 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\Spyware Terminator
2008-04-02 18:25 . 2008-04-02 18:25 138,752 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-04-02 18:24 . 2008-03-29 19:23 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-04-02 18:24 . 2008-03-29 19:35 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-04-02 18:24 . 2008-01-17 17:34 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-04-02 18:24 . 2008-03-29 19:27 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-04-02 18:24 . 2008-03-29 19:26 26,944 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-04-02 18:24 . 2008-03-29 19:29 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-04-02 18:23 . 2008-04-02 18:23 <DIR> d-------- C:\Program Files\Alwil Software
2008-04-02 18:23 . 2008-03-29 19:45 1,146,232 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-04-02 18:23 . 2003-03-18 21:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-04-02 18:23 . 2003-03-18 20:14 499,712 --a------ C:\WINDOWS\system32\MSVCP71.dll
2008-04-02 18:23 . 2004-01-09 10:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-04-02 18:23 . 2003-02-21 04:42 348,160 --a------ C:\WINDOWS\system32\MSVCR71.dll
2008-04-02 18:22 . 2004-08-17 15:45 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-04-02 18:22 . 2008-04-02 18:22 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-02 18:21 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-04-02 18:15 . 2008-04-02 18:15 <DIR> d-------- C:\WINDOWS\system32\Lang
2008-04-02 18:15 . 2008-04-02 18:15 940,794 --a------ C:\WINDOWS\system32\LoopyMusic.wav
2008-04-02 18:15 . 2008-04-02 18:15 146,650 --a------ C:\WINDOWS\system32\BuzzingBee.wav
2008-04-02 18:15 . 2004-08-17 15:49 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-04-02 18:15 . 2001-10-24 11:54 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-04-02 18:15 . 2001-10-24 11:54 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-04-02 18:15 . 2001-08-17 22:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-04-02 18:15 . 2001-08-17 22:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-04-02 18:14 . 2008-04-02 18:14 <DIR> d-------- C:\Program Files\Common Files\snp2std
2008-04-02 18:13 . 2008-04-02 18:13 <DIR> d-------- C:\WINDOWS\OPTIONS
2008-04-02 18:13 . 2004-08-17 15:43 119,808 --a------ C:\WINDOWS\system32\drivers\pcmcia.sys
2008-04-02 18:13 . 2005-11-16 10:08 78,976 --a------ C:\WINDOWS\system32\drivers\Rtenicxp.sys
2008-04-02 18:12 . 2006-06-14 11:00 82,944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
2008-04-02 18:12 . 2004-08-03 23:07 52,864 --a------ C:\WINDOWS\system32\drivers\dmusic.sys
2008-04-02 18:12 . 2006-06-14 10:47 6,400 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2008-04-02 18:10 . 2006-03-14 11:01 16,010,752 -r------- C:\WINDOWS\RTHDCPL.exe
2008-04-02 18:10 . 2006-03-14 09:49 9,711,104 -r------- C:\WINDOWS\RTLCPL.exe
2008-04-02 18:10 . 2006-03-16 07:24 4,249,088 -r------- C:\WINDOWS\system32\drivers\RtkHDAud.Sys
2008-04-02 18:10 . 2006-03-09 11:45 364,544 -r------- C:\WINDOWS\RtlUpd.exe
2008-04-02 18:10 . 2006-01-10 07:58 266,240 -r------- C:\WINDOWS\system32\RTSndMgr.Cpl
2008-04-02 18:10 . 2006-02-20 11:00 86,016 -r------- C:\WINDOWS\SoundMan.exe
2008-04-02 18:10 . 2007-10-05 15:42 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-04-02 18:09 . 2008-04-02 18:09 <DIR> d-------- C:\Program Files\Realtek
2008-04-02 18:09 . 2006-03-14 09:45 2,809,344 -r------- C:\WINDOWS\alcwzrd.exe
2008-04-02 18:09 . 2006-03-10 13:32 2,158,592 -r------- C:\WINDOWS\MicCal.exe
2008-04-02 18:09 . 2005-04-16 16:20 487,424 -r------- C:\WINDOWS\RtlExUpd.dll
2008-04-02 18:09 . 2005-09-21 04:25 299,008 -r------- C:\WINDOWS\system32\ALSndMgr.Cpl
2008-04-02 18:09 . 2005-05-03 12:43 69,632 -r------- C:\WINDOWS\Alcmtr.exe
2008-04-02 18:06 . 2006-01-19 22:10 363,008 --a------ C:\WINDOWS\system32\drivers\rt61.sys
2008-04-02 18:06 . 2005-05-17 15:24 311,296 --a------ C:\WINDOWS\system32\AegisI5.exe
2008-04-02 18:06 . 2006-01-19 09:20 295,016 --a------ C:\WINDOWS\system32\Install6x.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-07 16:46 730,701 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-04-03 18:51 1,491,456 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-04-02 17:10 --------- d-----w C:\Program Files\QIP
2008-04-02 16:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-02 16:01 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-02 16:01 --------- d-----w C:\Program Files\ATI Technologies
2008-04-02 15:57 --------- d-----w C:\Program Files\AMD
2008-04-02 15:50 --------- d-----w C:\Program Files\microsoft frontpage
2008-04-02 15:49 558,142 ----a-w C:\WINDOWS\java\Packages\6MZBHB9V.ZIP
2008-04-02 15:49 155,995 ----a-w C:\WINDOWS\java\Packages\YA2HZJDV.ZIP
2008-03-13 21:11 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2008-03-13 21:11 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
.

((((((((((((((((((((((((((((( snapshot@2008-04-07_17.21.00,28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-07 16:46:57 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_6f8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-17 15:49 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 14:43 45056]
"RTHDCPL"="RTHDCPL.EXE" [2006-03-14 11:01 16010752 C:\WINDOWS\RTHDCPL.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-09-09 05:20 88203 C:\WINDOWS\AGRSMMSG.exe]
"tsnp2std"="C:\WINDOWS\tsnp2std.exe" [2005-08-17 15:57 90112]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 19:37 79224]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 13:06 40048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]
"SpywareTerminator"="C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe" [2008-04-02 18:25 2957824]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 23:11 919016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-17 15:49 15360]

C:\Documents and Settings\All Users\Nabˇdka Start\Programy\Po spuçtŘnˇ\
Ralink Wireless Utility.lnk - C:\Program Files\RALINK\Common\RaUI.exe [2008-04-02 18:06:19 589824]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\QIP\\qip.exe"=

R0 O2MDRDR;O2MDRDR;C:\WINDOWS\system32\DRIVERS\o2media.sys [2006-02-27 09:00]
R0 O2SDRDR;O2SDRDR;C:\WINDOWS\system32\DRIVERS\o2sd.sys [2006-02-20 10:01]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 19:31]
R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\System32\drivers\sp_rsdrv2.sys [2008-04-02 18:25]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 19:35]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-17 15:49]
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-03 23:04]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-04-06 11:08]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

.
Contents of the 'Scheduled Tasks' folder
"2008-04-07 16:47:03 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2008\OneClickStarter.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-07 18:50:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-07 18:51:23
ComboFix-quarantined-files.txt 2008-04-07 16:51:19
ComboFix2.txt 2008-04-07 16:44:32
ComboFix3.txt 2008-04-07 15:21:16
Adresářů: 6, Volných bajtů: 87,414,407,168
Adresářů: 7, Volných bajtů: 87,392,804,864



Co se teda stalo s C:\Isass.exe? když se ten exe soubor objeví mám udělat to samé co ted akorát s sasa.exe?

[Baron Prášil]

promiň,mám jen jeden mozek a ten již dnes exaktně nefunguje(nerad to přiznávám)
popojedem zejtra,oki
ten soubor C:\Isass.exe nemá v této destinaci co dělat- smaž ho!

[da.backer]

C:\Isass.exe jak jsem právě řekl že se objeví po určitejch souvislostech, a tím jakoby nainstaluje vir a mazat ho mužu x-krát.

Je to upln ěto samé jako sasa.exe akorat toho jsme blocknul tudíš tam byl vidět mohl být odstaněn přes combofix.

[Baron Prášil]

ok. takže další kroky

použij T-Cleaner smaže vše po Combu,SDFixu,Avengeru,MWAVu atd.-stáhneš>spustíš

potom stáhni znova combofix na plochu. odpoj se od netu. restartuj do [u]nouzového režimu[/u]

vypni štíty avastu a spy terminatora. a použij combofix s tímto skriptem

Kód: Vybrat vše

File::
C:\Isass.exe
C:\sasa.exe
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise.exe

Folder::
C:\Program Files\MyPlayCity.com

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{08B0E5C0-4FCB-11CF-AAX5-90401C608512}]

po akci opět zapni štíty a restartuj do norm.režimu,připoj se na net a pošli log z combofixu a novej log z hijackthis