VIRY.CZ

POčkejte, ten soubor tam je nebo není?
Já seomlouvám, ale k pc se dostanu zase až večer..

soubor tam je. S nulovou velikostí

JAsně, to je v pohodě..

tohle znáte?
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = smedjorgensen.local





tento soubor znáte? Pokud ne, otestujte ho na www.virustotal.com
C:\msizap.exe

msizap.exe je čistý, ale nic mi to neříká..

klíč v registru. to si myslím, že je nějaká definice ohledně domény resp. active directory...

Fajn, můžete si prosím ten soubor někde zazálohovat (do rar souboru, na flešku?ú. Já ho smažu.
Až budete moct restartovat počítač, proveďte tento skript



Spustte OTL
-do bílého okna dole skopírujte tento skript:
-klikněte na tlačítko opravit.
-Následně se pc restartuje.
- Log vložte zde


Můžete nějak odzkoušet, zda ještě spamuje?

níže přikládám log. Přemýšlím, jak to vyzkoušet... ja meziím zakázal některé porty a open relay SMTP. nicméně server běžel i dosti pomalu. Ted, co tak namátkově "klikám", tak běží docela líp...


All processes killed
========== OTL ==========
No active process named explorer.exe was found!
Error: Unable to stop service setup_9.0.0.722_13.12.2010_10-22drv!
Service\Driver key setup_9.0.0.722_13.12.2010_10-22drv not found.
Error: Unable to stop service 80856892!
Service\Driver key 80856892 not found.
Error: Unable to stop service 80856891!
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\80856891 deleted successfully.
File C:\WINDOWS\System32\DRIVERS\80856891.sys not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9}\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\UserFaultCheck not found.
C:\Documents and Settings\Administrator\Nabídka Start\Programy\Po spuštění\GuildFTPd FTP Deamon.lnk moved successfully.
C:\Documents and Settings\Administrator\Nabídka Start\Programy\Po spuštění\setup_9.0.0.722_13.12.2010_10-22.lnk moved successfully.
F:\Virus Removal Tool1\setup_9.0.0.722_13.12.2010_10-22\startup.exe moved successfully.
========== FILES ==========
File\Folder C:\WINDOWS\system32\*.tmp.dll not found.
File\Folder C:\WINDOWS\system32\SET*.tmp not found.
C:\WINDOWS\LMI14.tmp folder moved successfully.
C:\WINDOWS\SET11.tmp moved successfully.
C:\WINDOWS\SET12.tmp moved successfully.
C:\WINDOWS\SET13.tmp moved successfully.
C:\WINDOWS\SET27.tmp moved successfully.
C:\WINDOWS\SET3.tmp moved successfully.
C:\WINDOWS\SET4.tmp moved successfully.
C:\WINDOWS\SET7.tmp moved successfully.
C:\WINDOWS\SET8.tmp moved successfully.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP17B.tmp folder moved successfully.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1CD.tmp folder moved successfully.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP27A.tmp folder moved successfully.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP29C.tmp folder moved successfully.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2AB.tmp folder moved successfully.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP384.tmp folder moved successfully.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3D3.tmp folder moved successfully.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5B3.tmp folder moved successfully.
C:\WINDOWS\inf\005\MSExchangeOMA\tmpF79.tmp moved successfully.
C:\WINDOWS\inf\009\MSExchangeOMA\tmpF79.tmp moved successfully.
C:\WINDOWS\inf\inc\MSExchangeOMA\tmpF7A.tmp moved successfully.
C:\WINDOWS\Installer\MSI30.tmp moved successfully.
C:\WINDOWS\Installer\MSI42.tmp moved successfully.
C:\WINDOWS\Installer\MSI4A.tmp moved successfully.
C:\WINDOWS\Installer\MSI99B.tmp moved successfully.
C:\WINDOWS\system32\CONFIG.TMP moved successfully.
C:\WINDOWS\system32\inetsrv\ASP Compiled Templates\PID10740.TMP folder moved successfully.
C:\WINDOWS\Temp\bba100C.tmp moved successfully.
C:\WINDOWS\Temp\bba1051.tmp moved successfully.
C:\WINDOWS\Temp\bba1106.tmp moved successfully.
C:\WINDOWS\Temp\bba12E7.tmp moved successfully.
C:\WINDOWS\Temp\bba1634.tmp moved successfully.
C:\WINDOWS\Temp\bba1638.tmp moved successfully.
C:\WINDOWS\Temp\bba1CD8.tmp moved successfully.
C:\WINDOWS\Temp\bba1D4F.tmp moved successfully.
C:\WINDOWS\Temp\bba1FC7.tmp moved successfully.
C:\WINDOWS\Temp\bba2050.tmp moved successfully.
C:\WINDOWS\Temp\bba2086.tmp moved successfully.
C:\WINDOWS\Temp\bba20CB.tmp moved successfully.
C:\WINDOWS\Temp\bba2254.tmp moved successfully.
C:\WINDOWS\Temp\bba230B.tmp moved successfully.
C:\WINDOWS\Temp\bba2943.tmp moved successfully.
C:\WINDOWS\Temp\bba29A0.tmp moved successfully.
C:\WINDOWS\Temp\bba2C42.tmp moved successfully.
C:\WINDOWS\Temp\bba2C43.tmp moved successfully.
C:\WINDOWS\Temp\bba3073.tmp moved successfully.
C:\WINDOWS\Temp\bba307D.tmp moved successfully.
C:\WINDOWS\Temp\bba3107.tmp moved successfully.
C:\WINDOWS\Temp\bba3116.tmp moved successfully.
C:\WINDOWS\Temp\bba311A.tmp moved successfully.
C:\WINDOWS\Temp\bba312D.tmp moved successfully.
C:\WINDOWS\Temp\bba3152.tmp moved successfully.
C:\WINDOWS\Temp\bba316A.tmp moved successfully.
C:\WINDOWS\Temp\bba3190.tmp moved successfully.
C:\WINDOWS\Temp\bba336.tmp moved successfully.
C:\WINDOWS\Temp\bba358A.tmp moved successfully.
C:\WINDOWS\Temp\bba35AA.tmp moved successfully.
C:\WINDOWS\Temp\bba37DA.tmp moved successfully.
C:\WINDOWS\Temp\bba38B.tmp moved successfully.
C:\WINDOWS\Temp\bba3E13.tmp moved successfully.
C:\WINDOWS\Temp\bba435E.tmp moved successfully.
C:\WINDOWS\Temp\bba4BE5.tmp moved successfully.
C:\WINDOWS\Temp\bba4D71.tmp moved successfully.
C:\WINDOWS\Temp\bba4EE8.tmp moved successfully.
C:\WINDOWS\Temp\bba523A.tmp moved successfully.
C:\WINDOWS\Temp\bba526D.tmp moved successfully.
C:\WINDOWS\Temp\bba5288.tmp moved successfully.
C:\WINDOWS\Temp\bba54D9.tmp moved successfully.
C:\WINDOWS\Temp\bba54E4.tmp moved successfully.
C:\WINDOWS\Temp\bba54EB.tmp moved successfully.
C:\WINDOWS\Temp\bba54FD.tmp moved successfully.
C:\WINDOWS\Temp\bba5622.tmp moved successfully.
C:\WINDOWS\Temp\bba562A.tmp moved successfully.
C:\WINDOWS\Temp\bba57DC.tmp moved successfully.
C:\WINDOWS\Temp\bba5A69.tmp moved successfully.
C:\WINDOWS\Temp\bba5A71.tmp moved successfully.
C:\WINDOWS\Temp\bba5A81.tmp moved successfully.
C:\WINDOWS\Temp\bba5F6C.tmp moved successfully.
C:\WINDOWS\Temp\bba5F77.tmp moved successfully.
C:\WINDOWS\Temp\bba67AD.tmp moved successfully.
C:\WINDOWS\Temp\bba69D3.tmp moved successfully.
C:\WINDOWS\Temp\bba69EF.tmp moved successfully.
C:\WINDOWS\Temp\bba6A5B.tmp moved successfully.
C:\WINDOWS\Temp\bba6BA2.tmp moved successfully.
C:\WINDOWS\Temp\bba6D17.tmp moved successfully.
C:\WINDOWS\Temp\bba6D1F.tmp moved successfully.
C:\WINDOWS\Temp\bba6EF.tmp moved successfully.
C:\WINDOWS\Temp\bba745C.tmp moved successfully.
C:\WINDOWS\Temp\bba7460.tmp moved successfully.
C:\WINDOWS\Temp\bba749C.tmp moved successfully.
C:\WINDOWS\Temp\bba76CA.tmp moved successfully.
C:\WINDOWS\Temp\bba79CF.tmp moved successfully.
C:\WINDOWS\Temp\bba81EF.tmp moved successfully.
C:\WINDOWS\Temp\bba86D2.tmp moved successfully.
C:\WINDOWS\Temp\bba86DC.tmp moved successfully.
C:\WINDOWS\Temp\bba89AD.tmp moved successfully.
C:\WINDOWS\Temp\bba8C86.tmp moved successfully.
C:\WINDOWS\Temp\bba8CF1.tmp moved successfully.
C:\WINDOWS\Temp\bba8CFA.tmp moved successfully.
C:\WINDOWS\Temp\bba8CFE.tmp moved successfully.
C:\WINDOWS\Temp\bba8FDB.tmp moved successfully.
C:\WINDOWS\Temp\bba9BE1.tmp moved successfully.
C:\WINDOWS\Temp\bbaA53E.tmp moved successfully.
C:\WINDOWS\Temp\bbaA554.tmp moved successfully.
C:\WINDOWS\Temp\bbaAD5.tmp moved successfully.
C:\WINDOWS\Temp\bbaC84.tmp moved successfully.
C:\WINDOWS\Temp\bbaEE63.tmp moved successfully.
C:\WINDOWS\Temp\bbaF7F3.tmp moved successfully.
C:\WINDOWS\Temp\UPD34.tmp moved successfully.
C:\msizap.exe moved successfully.
C:\WINDOWS\System32\-1 moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 2010262 bytes
->Temporary Internet Files folder emptied: 949277 bytes
->Java cache emptied: 63104043 bytes
->FireFox cache emptied: 56726339 bytes
->Flash cache emptied: 759 bytes

User: All Users

User: blackberry
->Temp folder emptied: 66688 bytes
->Temporary Internet Files folder emptied: 388176 bytes
->Java cache emptied: 49674868 bytes
->FireFox cache emptied: 46332898 bytes
->Flash cache emptied: 446 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 104843 bytes
->Temporary Internet Files folder emptied: 402 bytes

User: SBS Backup User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1967134 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 211,00 mb


[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 0 bytes

User: All Users

User: blackberry
->Flash cache emptied: 0 bytes

User: Default User

User: LocalService

User: NetworkService

User: SBS Backup User

Total Flash Files Cleaned = 0,00 mb


OTL by OldTimer - Version 3.2.17.3 log created on 12142010_203006

Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\blackberry\Local Settings\Temp\hsperfdata_blackberry\9056 not found!

Registry entries deleted on Reboot...

Víte kdy ten spam odcházel? Většinou odchází denně ve stejnou dobu.
Vyzkoušejte to, jinak na to nepřijdeme

Dobrá dobrá.. zkusím to nějak vyzkoušet...

tak jsem to nemusel ani zkoušet a IP adresa je znova na blacklistu.

citat: ja meziím zakázal některé porty a open relay SMTP
nuz mat na serveri povolene open relay je hruba nezodpovednost ,,, aj kvoli tomu si sa mohol dostat na BL, vymazanie niektorych zaznamov BL trva dlhsie zvacsa 7 dni,,,

To samozřejmě souhlasím. Open relay jsem zakázal ještě dřív, než se dostal na blacklist. Trvá to většinou pár hodin.
nicméně toto je vada Win serverů. Defaultně při instalaci mají open relay a povolené skoro všechny porty, jak dovnitř, tak ven..Tento server jsem začal spravovat až poté, co se dostal jednou na blacklist a správa se přesunula pode mě. takže toto bylo první, co mě dostalo na kolena..
i přes open relay, zakázané porty, odesílání přes SSL, stejně počítač SPAMuje.

skus teda pohladaj rootkit http://www.antirootkit.com/software/index.htm
doporucujem produkty od AVG, Avira, Sophos >> pre zaciatok ,,,

tak jediný, co šel spustit, byl spohos, ale hned při startu hodil chyby -

Warning: Failed to read the complete raw process list. Process scan may not be supported on this version of Windows.
Nepřípustný přístup k paměťovému místu.

Warning: Failed to read kernel process handle list. Process scan may not be supported on this version of Windows.

Error: Failed to read raw process list by any method. Process scan may not be supported on this version of Windows.

Sophos by mal fungovat ,,,
no tam bude treba iba skusat napr. http://www.antirootkit.com/software/F-S ... t-Beta.htm
+
http://www.techmixer.com/mcafee-rootkit ... t-remover/
dost malo utilit bezi na serveroch ,,,