Finally a small success! ComboFix completed a full scan without getting stuck and produced a log, which I am attaching. So was that SafeBoot.sys file really infected?
When I launched ComboFix, a window popped up again right after it started saying that a rootkit had been detected and the machine had to be restarted. The notebook restarted and everything ran through.
ComboFix 10-10-02.02 - Administrator . 10. 2010 18:23:50.5.2 - x86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.421.1029.18.1976.1523 [GMT 2:00]
Running from: c:\documents and settings\Administrator\Plocha\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\Drivers\SafeBoot.sys . . . is infected!!
.
((((((((((((((((((((((((( Files Created from 2010-09-03 to 2010-10-03 )))))))))))))))))))))))))))))))
.
2010-10-02 23:58 . 2010-10-02 23:58 -------- d-----w- c:\program files\HxD
2010-10-02 20:39 . 2010-10-02 20:39 -------- d-----w- c:\documents and settings\LocalService\Plocha
2010-10-02 18:33 . 2010-10-02 18:33 -------- d-----w- c:\program files\Fingerprint Sensor
2010-10-02 18:32 . 2010-10-02 18:32 -------- d-----w- c:\program files\Common Files\ActivIdentity
2010-10-02 18:32 . 2010-10-02 18:32 -------- d-----w- c:\program files\ActivIdentity
2010-10-02 06:46 . 2010-10-02 06:46 0 ----a-w- c:\documents and settings\Administrator\settings.dat
2010-10-01 20:25 . 2010-09-07 14:52 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-10-01 20:25 . 2010-09-07 14:47 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-10-01 20:25 . 2010-09-07 14:47 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-10-01 20:25 . 2010-09-07 14:52 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-10-01 20:25 . 2010-09-07 14:47 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-10-01 20:25 . 2010-09-07 14:47 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-10-01 20:25 . 2010-09-07 14:46 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-10-01 20:24 . 2010-09-07 15:12 38848 ----a-w- c:\windows\avastSS.scr
2010-10-01 20:24 . 2010-09-07 15:11 167592 ----a-w- c:\windows\system32\aswBoot.exe
2010-10-01 10:14 . 2010-10-01 10:16 -------- d-----w- C:\cokoliv.com24528c
2010-10-01 09:54 . 2010-10-01 09:54 -------- d-----w- c:\windows\system32\wbem\Repository
2010-10-01 09:01 . 2010-10-01 09:54 -------- d-----w- C:\cokoliv.com
2010-09-30 21:53 . 2010-10-01 09:54 -------- d-----w- C:\RECYCLER(3)
2010-09-29 15:35 . 2010-09-29 15:54 -------- d-----w- c:\program files\trend micro
2010-09-29 15:35 . 2010-09-29 15:49 -------- d-----w- C:\rsit
2010-09-26 13:52 . 2010-09-26 13:52 63488 ----a-w- c:\documents and settings\Administrator\Data aplikací\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-09-26 13:52 . 2010-09-26 13:52 52224 ----a-w- c:\documents and settings\Administrator\Data aplikací\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-09-26 13:52 . 2010-09-26 13:52 117760 ----a-w- c:\documents and settings\Administrator\Data aplikací\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-09-23 22:20 . 2010-10-02 13:24 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2010-09-14 10:20 . 2010-09-14 10:20 -------- d-----w- c:\program files\Network Stumbler
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-02 18:34 . 2009-08-29 06:07 -------- d-----w- c:\program files\Hewlett-Packard
2010-10-02 18:32 . 2009-08-29 07:33 -------- d-----w- c:\program files\HPQ
2010-10-02 05:57 . 2001-10-25 12:00 523488 ----a-w- c:\windows\system32\perfh005.dat
2010-10-02 05:57 . 2001-10-25 12:00 117506 ----a-w- c:\windows\system32\perfc005.dat
2010-10-01 14:56 . 2009-08-29 08:40 -------- d-----w- c:\program files\Alwil Software
2010-09-28 15:04 . 2010-06-01 17:00 285480 ----a-w- c:\windows\system32\guard32.dll
2010-09-28 15:04 . 2010-06-01 17:00 91560 ----a-w- c:\windows\system32\drivers\inspect.sys
2010-09-28 15:04 . 2010-06-01 17:00 25240 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2010-09-28 15:04 . 2010-06-01 17:00 15592 ----a-w- c:\windows\system32\drivers\cmderd.sys
2010-09-28 15:04 . 2010-06-04 09:55 239240 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2010-09-14 11:07 . 2010-09-30 18:44 12604 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1029.dat
2010-08-17 13:17 . 2004-08-17 13:49 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:09 . 2010-08-16 08:09 -------- d-----w- c:\program files\COMODO
2010-07-22 15:46 . 2004-08-17 13:49 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 06:19 . 2008-05-05 05:25 5632 ----a-w- c:\windows\system32\xpsp4res.dll
2010-07-20 16:29 . 2010-07-20 16:29 1683460 ----a-w- c:\documents and settings\Administrator\Data aplikací\SuperHideIP_2.1.1.2.Setup.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"combofix"="c:\combofix\CF28533.cfxxe" [X]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-04-04 1044480]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-03-13 141336]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-03-13 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-03-13 142360]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]
"acevents"="c:\program files\ActivIdentity\ActivClient\acevents.exe" [2009-06-03 153640]
"accrdsub"="c:\program files\ActivIdentity\ActivClient\accrdsub.exe" [2009-06-03 400936]
"PTHOSTTR"="c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2010-04-13 358456]
"CognizanceTS"="c:\progra~1\HEWLET~1\IAM\Bin\ASTSVCC.dll" [2010-01-18 24832]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\All Users\Nabídka Start\Programy\Po spuštění\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-3-31 576104]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "d:\programy\SuperAntispyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- d:\programy\SuperAntispyware\SASWINLO.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ackpbsc]
2009-06-03 14:14 113152 ----a-w- c:\program files\ActivIdentity\ActivClient\ackpbsc.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acunlock]
2009-06-03 14:13 299520 ----a-w- c:\program files\ActivIdentity\ActivClient\acunlock.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
2010-01-18 03:59 192768 ----a-w- c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"WinampAgent"=d:\programy\Winamp\winampa.exe
"Malwarebytes Anti-Malware (reboot)"="d:\programy\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
"NeroFilterCheck"=c:\windows\system32\NeroCheck.exe
"RemoteControl"=d:\programy\CyberLink\PowerDVD\PDVDServ.exe
"vspdfprsrv.exe"=d:\programy\Visagesoft\eXPert PDE 5\vspdfprsrv.exe --background
"USBToolTip"=c:\progra~1\Pinnacle\SHARED~1\Programs\USBTip\USBTip.exe
"PTHOSTTR"=c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" -h
"OODefragTray"=c:\windows\system32\oodtray.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"d:\\Programy\\Pinnacle\\Studio 14\\Programs\\RM.exe"=
"d:\\Programy\\Pinnacle\\Studio 14\\Programs\\Studio.exe"=
"d:\\Programy\\Pinnacle\\Studio 14\\Programs\\umi.exe"=
"d:\\Programy\\totalcmd\\TOTALCMD.EXE"=
"d:\\Programy\\Skype\\Plugin Manager\\skypePM.exe"=
"d:\\Programy\\Skype\\Phone\\Skype.exe"=
R0 hotcore3;hotcore3;c:\windows\system32\drivers\hotcore3.sys [27. 12. 2009 22:35 38448]
R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [5. 3. 2010 11:08 109288]
R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [5. 3. 2010 11:09 51480]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [5. 3. 2010 11:09 13032]
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [28. 3. 2008 14:14 24064]
R0 Vax347b;Vax347b;c:\windows\system32\drivers\Vax347b.sys [5. 9. 2009 0:10 159616]
R0 Vax347s;Vax347s;c:\windows\system32\drivers\Vax347s.sys [5. 9. 2009 0:10 5248]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [1. 10. 2010 22:25 165584]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [4. 6. 2010 11:55 239240]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [1. 6. 2010 19:00 25240]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [5. 3. 2010 11:08 12600]
R1 SASDIFSV;SASDIFSV;d:\programy\SuperAntispyware\sasdifsv.sys [17. 2. 2010 20:25 12872]
R1 SASKUTIL;SASKUTIL;d:\programy\SuperAntispyware\SASKUTIL.SYS [10. 5. 2010 20:41 67656]
R2 ac.sharedstore;ActivIdentity Shared Store Service;c:\program files\Common Files\ActivIdentity\ac.sharedstore.exe [3. 6. 2009 16:16 207400]
R2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe -k Cognizance [17. 8. 2004 15:49 14336]
R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Bioscrypt [17. 8. 2004 15:49 14336]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [1. 10. 2010 22:25 17744]
R2 ATService;AuthenTec Fingerprint Service;c:\program files\Fingerprint Sensor\AtService.exe [29. 7. 2009 12:43 1201400]
R2 HpFkCryptService;Drive Encryption Service;c:\program files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [5. 3. 2010 11:08 256616]
R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [29. 8. 2009 10:35 482176]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [23. 7. 2008 11:31 44800]
S1 SABKUTIL;SABKUTIL;\??\d:\programy\SuperAntispyware\SABKUTIL.sys --> d:\programy\SuperAntispyware\SABKUTIL.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [13. 1. 2010 0:44 135664]
S3 HP ProtectTools Service;HP ProtectTools Service;c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTChangeFilterService.exe [13. 4. 2010 10:36 45056]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [20. 7. 2010 16:28 27064]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance REG_MULTI_SZ ASBroker
Bioscrypt REG_MULTI_SZ ASChannel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder
2010-10-03 c:\windows\Tasks\1-Click Maintenance.job
- d:\programy\TuneUp Utilities 2009\OneClickStarter.exe [2008-12-11 19:36]
2010-10-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-12 22:44]
2010-10-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-12 22:44]
2010-10-03 c:\windows\Tasks\Úklid 1 kliknutím.job
- d:\programy\TuneUp Utilities 2009\OneClickStarter.exe [2008-12-11 19:36]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyServer = http=;ftp=;https=;
IE: E&xportovať do programu Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\documents and settings\Administrator\Data aplikací\Mozilla\Firefox\Profiles\myd1jj65.default\
FF - prefs.js: browser.startup.homepage - hxxp://google.sk
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff36\gears.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: d:\programy\Firefox\plugins\npFoxitReaderPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
d:\programy\Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
d:\programy\Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
d:\programy\Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".sk");
d:\programy\Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-<NO NAME> - (no file)
AddRemove-Agere Systems Soft Modem - c:\windows\agrsmdel
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2010-10-03 18:29
Windows 5.1.2600 Service Pack 3 NTFS
detected NTDLL code modification:
ZwClose, ZwOpenFile
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer,
http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys hpdskflt.sys hal.dll ACPI.sys >>UNKNOWN [0x8A0C2D08]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba11cf28
\Driver\ACPI -> ACPI.sys @ 0xb9f58cb8
\Driver\atapi -> 0x8a0c2d08
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
Warning: possible MBR rootkit infection !
user & kernel MBR OK
copy of MBR has been found in sector 62 !
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-220523388-117609710-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d9,09,6a,f8,b5,6b,52,4b,8a,a7,83,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d9,09,6a,f8,b5,6b,52,4b,8a,a7,83,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG11.00.00.01WORKSTATION"="[long opaque value omitted from the log as posted]"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(848)
d:\programy\SuperAntispyware\SASWINLO.DLL
c:\program files\ActivIdentity\ActivClient\ackpbsc.dll
c:\program files\ActivIdentity\ActivClient\aclog.dll
c:\program files\ActivIdentity\ActivClient\accrypto.dll
c:\program files\ActivIdentity\ActivClient\ACLIBEAY.dll
c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
c:\program files\Hewlett-Packard\IAM\bin\itmsg.dll
c:\program files\ActivIdentity\ActivClient\acunlock.dll
c:\program files\ActivIdentity\ActivClient\aipingui.dll
c:\program files\ActivIdentity\ActivClient\acevtsub.dll
c:\program files\ActivIdentity\ActivClient\asphat32.dll
c:\program files\ActivIdentity\ActivClient\acerrmes.dll
c:\program files\ActivIdentity\ActivClient\aiwinext.dll
c:\program files\ActivIdentity\ActivClient\aspcom.dll
c:\program files\ActivIdentity\ActivClient\aicext.dll
c:\program files\ActivIdentity\ActivClient\Resources\acerrmrc.dll
c:\program files\ActivIdentity\ActivClient\Resources\asphatrc.dll
c:\program files\ActivIdentity\ActivClient\Resources\aipinguirc.dll
c:\program files\ActivIdentity\ActivClient\resources\acCobAPIrc.dll
c:\program files\ActivIdentity\ActivClient\resources\acCobAPIlrc.dll
c:\program files\ActivIdentity\ActivClient\Resources\acunlockrc.dll
c:\program files\Hewlett-Packard\IAM\Bin\TrayIcon.dll
c:\program files\Hewlett-Packard\IAM\bin\brand.dll
c:\program files\Hewlett-Packard\IAM\bin\AsChnl.dll
c:\program files\Hewlett-Packard\IAM\Bin\HPPlugIn.dll
c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHostServices.dll
c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTStrings.dll
c:\windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_cs_b77a5c561934e089\mscorlib.resources.dll
c:\windows\assembly\GAC_MSIL\System.Xml.resources\2.0.0.0_cs_b77a5c561934e089\System.Xml.resources.dll
c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\Interop.PTHstServsLib.dll
c:\windows\system32\midimap.dll
- - - - - - - > 'lsass.exe'(904)
c:\windows\system32\MPR.dll
c:\windows\system32\guard32.dll
- - - - - - - > 'explorer.exe'(2300)
c:\windows\system32\guard32.dll
c:\program files\Hewlett-Packard\IAM\bin\APSHook.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Hewlett-Packard\IAM\bin\AsGHost.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Google\Update\1.2.183.23\GoogleCrashHandler.exe
c:\program files\LSI SoftModem\agrsmsvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\oodag.exe
d:\programy\Alkohol Soft\Alcohol 120\StarWind\StarWindService.exe
c:\windows\System32\TUProgSt.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\wscntfy.exe
c:\program files\Hewlett-Packard\Shared\hpqToaster.exe
.
**************************************************************************
.
Completion time: 2010-10-03 18:32:02 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-03 16:31
Pre-Run: Volných bajtů: 16 344 363 008
Post-Run: Volných bajtů: 16 323 932 160
- - End Of File - - B00F69592D0C25B1CE57FC708054D0AD