Vypnul se AV, nejde nainstalovat jiný, ani online scanner

[jarrasick]

Nainstalovaný MSES po zapnutí stroje hlásil, že není zapnutý. Občas se mi nespustil i FW ZoneAlarm. MSES nejde spustit ani vynuceně a nestahoval aktualizace. Nejde odinstalovat (resp. není odinstalovaný úplně) a nejde nainstalovat ani žádný jiný AV - chybové hlášky při rozbalování (file corrupt) či při instalaci (např. AVG - chyba 2002)Nejde spustit ani žádný online scanner. Stroj je po reinstalaci XP sp3, protože byly problémy, ale reinstalace to asi nevyřešila. Mám problémy i se stabilitou MS Outlook a Firefoxem. Neustále padají a pak nejdou spustit znovu, až po restartu OS. Stroj se občas drasticky zpomalí, občas mu trvá SW vypnutí i 3 minuty a víc (nejde o reset po aktualizaci OS)
Jestli mi tady může někdo pomoc, pak prosím o emajl pro zaslání logu, normálně se sem nevejde a příloha to nevezme, jak jsem se přesvědčil minule.
Dííííky předem

[jarrasick]

A ještě:
RSIT nejde spustit, hlásí nespecifikovanou chybu. HiJackThis spustit lze, zde je log.
Logfile of HijackThis v1.99.1
Scan saved at 0:32:22, on 3.6.2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Program Files\PeaZip\Virtual mech\Phantom CD\pcdservice.exe
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\CNAC4RPK.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jarra\Plocha\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Microsoft Office Outlook 2007.lnk = ?
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Odeslat do aplikace OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Od&eslat do aplikace OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Vytvořit mobilní oblíbenou položku… - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {638F11AA-DF27-433b-BA2E-7281CE561D71} - C:\Program Files\Xmarks\IE Extension\xmarkssync.exe (HKCU)
O9 - Extra 'Tools' menuitem: Xmarks for IE... - {638F11AA-DF27-433b-BA2E-7281CE561D71} - C:\Program Files\Xmarks\IE Extension\xmarkssync.exe (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se6087.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - Unknown owner - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: NMSAccess - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: pcdservice - Phantombility, Inc - C:\Program Files\PeaZip\Virtual mech\Phantom CD\pcdservice.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe

[jarrasick]

Ještě log z CF
ComboFix 10-06-02.01 - Jarra 03.06.2010 0:55.3.1 - x86
Spuštěný z: c:\documents and settings\Jarra\Plocha\ComboFix.exe
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
* Vytvořen nový Bod Obnovení
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Jarra\LOCALS~1\Temp\tmp1.tmp

.
((((((((((((((((((((((((( Soubory vytvořené od 2010-05-02 do 2010-06-02 )))))))))))))))))))))))))))))))
.

2010-06-02 22:47 . 2010-06-02 22:47 -------- d-----w- c:\windows\LastGood
2010-06-02 22:47 . 2010-06-02 22:47 -------- d-----w- c:\program files\Zone Labs
2010-06-02 22:30 . 2010-06-02 22:30 -------- d-----w- C:\rsit
2010-06-02 21:54 . 2010-06-02 21:54 -------- d-----w- c:\program files\ESET
2010-06-02 21:43 . 2010-06-02 22:55 -------- d-----w- c:\windows\Internet Logs
2010-06-01 19:33 . 2004-08-03 21:00 20736 -c--a-w- c:\windows\system32\dllcache\ramdisk.sys
2010-06-01 19:32 . 2004-08-17 13:49 32256 -c--a-w- c:\windows\system32\dllcache\gzip.dll
2010-06-01 19:31 . 2004-08-17 13:49 68608 -c--a-w- c:\windows\system32\dllcache\isatq.dll
2010-06-01 19:30 . 2001-10-25 14:00 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2010-06-01 18:53 . 2004-08-17 13:49 26624 ----a-w- c:\windows\system32\irmon.dll
2010-06-01 18:53 . 2004-08-17 13:49 153088 ----a-w- c:\windows\system32\irftp.exe
2010-06-01 18:53 . 2004-08-17 13:49 8192 ----a-w- c:\windows\system32\wshirda.dll
2010-06-01 18:53 . 2004-08-03 21:00 87424 ----a-w- c:\windows\system32\drivers\irda.sys
2010-06-01 17:04 . 2001-08-17 19:51 18688 ----a-w- c:\windows\system32\drivers\irsir.sys
2010-06-01 16:38 . 2001-08-17 19:51 19584 ----a-w- c:\windows\system32\drivers\rasirda.sys
2010-06-01 16:36 . 2001-10-25 14:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2010-06-01 16:36 . 2001-10-25 14:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2010-06-01 16:36 . 2001-10-25 14:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2010-06-01 16:36 . 2001-10-25 14:00 13312 ----a-w- c:\windows\system32\irclass.dll
2010-05-28 18:07 . 2010-05-28 18:07 -------- d-----w- c:\program files\CheckPoint
2010-05-18 11:15 . 2007-12-15 07:07 90112 ----a-w- c:\windows\system32\ccrpTmr6.dll
2010-05-18 11:15 . 2010-05-18 11:15 -------- d-----w- c:\program files\Cool Timer
2010-05-05 15:58 . 2010-05-05 15:58 -------- d-----w- c:\temp\Psychokatka publikovat
2010-05-04 12:45 . 2010-05-04 12:45 -------- d-----w- c:\program files\Common Files\Protexis
2010-05-04 10:55 . 2010-05-04 10:55 -------- d-----w- c:\program files\Corel
2010-05-04 10:30 . 2010-05-04 10:30 -------- d-----w- c:\program files\Common Files\Corel
2010-05-04 09:18 . 2009-05-05 13:41 -------- d-----w- c:\temp\FONTS

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-02 22:46 . 2010-03-23 22:51 -------- d-----w- c:\program files\Alwil Software
2010-06-02 22:44 . 2001-10-25 14:00 79040 ----a-w- c:\windows\system32\perfc005.dat
2010-06-02 22:44 . 2001-10-25 14:00 431998 ----a-w- c:\windows\system32\perfh005.dat
2010-06-02 20:34 . 2010-04-26 21:21 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-06-01 19:28 . 2010-03-16 19:31 22916 ----a-w- c:\windows\system32\emptyregdb.dat
2010-05-31 05:25 . 2010-03-18 22:01 -------- d-----r- c:\program files\Skype
2010-05-28 18:07 . 2010-05-28 18:07 -------- d-----w- c:\program files\CheckPoint
2010-05-28 18:07 . 2010-03-16 20:13 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-05-21 12:14 . 2010-03-16 22:48 221568 ----a-w- c:\windows\system32\MpSigStub.exe
2010-05-06 10:49 . 2010-04-05 09:45 -------- d-----w- c:\program files\Common Files\ArcSoft
2010-04-28 08:32 . 2010-04-28 08:32 -------- d-----w- c:\program files\FileZilla FTP Client
2010-04-26 20:15 . 2010-04-26 20:11 -------- d-----w- c:\program files\Windows Live Safety Center
2010-04-26 14:39 . 2010-03-23 22:51 -------- d-----w- c:\program files\Google
2010-04-09 06:44 . 2010-04-09 06:44 -------- d-----w- c:\program files\Xmarks
2010-04-05 10:06 . 2010-03-16 19:59 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-24 07:01 . 2010-03-24 07:01 390144 ----a-w- c:\windows\system32\CF23627.exe
2010-03-18 22:45 . 2010-03-18 22:45 315392 ----a-w- c:\windows\HideWin.exe
2010-03-18 22:13 . 2010-03-18 22:13 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-03-17 19:47 . 2010-03-16 19:33 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-03-17 19:47 . 2010-03-16 19:33 2426 ----a-w- c:\windows\pchealth\helpctr\PackageStore\SkuStore.bin
2010-03-17 19:46 . 2010-03-16 19:34 8972 ----a-w- c:\windows\pchealth\helpctr\Config\Cntstore.bin
2010-03-16 22:39 . 2010-03-16 22:39 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-16 21:11 . 2010-03-16 21:11 0 ----a-w- c:\windows\nsreg.dat
2010-03-16 20:02 . 2010-03-16 20:02 0 ----a-w- c:\windows\ativpsrm.bin
2010-03-10 08:07 . 2004-08-17 13:49 417792 ----a-w- c:\windows\system32\vbscript.dll
.

(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-10 16861184]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-17 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-17 44544]

c:\documents and settings\Jarra\Nabˇdka Start\Programy\Po spuçtŘnˇ\
Microsoft Office Outlook 2007.lnk - c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe [2010-3-23 845584]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0sprestrt

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\WINDOWS\\system32\\CNAC4RPK.EXE"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R3 FLASHSYS;FLASHSYS;c:\program files\MSI\Live Update 4\LU4\FLASHSYS.sys [2007-12-14 9216]
R3 SetupNTGLM7X;SetupNTGLM7X; [x]
S0 phmcd;phmcd;c:\windows\system32\DRIVERS\phmcd.sys [2008-11-06 44696]
S2 pcdservice;pcdservice;c:\program files\PeaZip\Virtual mech\Phantom CD\pcdservice.exe [2008-11-06 266424]

.
Obsah adresáře 'Naplánované úlohy'

2010-06-02 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-12-09 16:02]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.google.com/
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: WikiKomentáře Google...
FF - ProfilePath - c:\documents and settings\Jarra\Data aplikací\Mozilla\Firefox\Profiles\jtq6eao6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2611275&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - ZoneAlarm Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.cz/firefox?client=firefox-a& ... s:official
FF - plugin: c:\program files\PDF Tracker Software\PDF Viewer\npPDFXCviewNPPlugin.dll

---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-03 00:59
Windows 5.1.2600 Service Pack 2 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Drivers32]
@Denied: (Read) (Administrators)
@Denied: (B E 1 4 5) (Administrators)
"midimapper"="midimap.dll"
"msacm.imaadpcm"="imaadp32.acm"
"msacm.msadpcm"="msadp32.acm"
"msacm.msg711"="msg711.acm"
"msacm.msgsm610"="msgsm32.acm"
"msacm.trspch"="tssoft32.acm"
"vidc.cvid"="iccvid.dll"
"vidc.I420"="msh263.drv"
"vidc.iv31"="ir32_32.dll"
"vidc.iv32"="ir32_32.dll"
"vidc.iv41"="ir41_32.ax"
"vidc.iyuv"="iyuv_32.dll"
"vidc.mrle"="msrle32.dll"
"vidc.msvc"="msvidc32.dll"
"vidc.uyvy"="msyuv.dll"
"vidc.yuy2"="msyuv.dll"
"vidc.yvu9"="tsbyuv.dll"
"vidc.yvyu"="msyuv.dll"
"wavemapper"="msacm32.drv"
"msacm.msg723"="msg723.acm"
"vidc.M263"="msh263.drv"
"vidc.M261"="msh261.drv"
"msacm.msaudio1"="msaud32.acm"
"msacm.sl_anet"="sl_anet.acm"
"msacm.iac2"="c:\\WINDOWS\\system32\\iac25_32.ax"
"vidc.iv50"="ir50_32.dll"
"msacm.l3acm"="c:\\WINDOWS\\system32\\l3codeca.acm"
"wave"="wdmaud.drv"
"midi"="wdmaud.drv"
"mixer"="wdmaud.drv"
"aux"="wdmaud.drv"
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'winlogon.exe'(756)
c:\windows\system32\Ati2evxx.dll
.
Celkový čas: 2010-06-03 01:00:54
ComboFix-quarantined-files.txt 2010-06-02 23:00
ComboFix2.txt 2010-04-02 20:44
ComboFix3.txt 2010-03-24 07:34

Před spuštěním: Volných bajtů: 107 763 830 784
Po spuštění: Volných bajtů: 111 243 776 000

- - End Of File - - C6F47B3B844CEC650F0D0F89CD271E39

[jarrasick]

Ten CF přo rozbalování také hlásil nějakou chybu, ale spustil se, když jsem to ignoroval

[jarrasick]

Jo a,
kvůli instalaci AVG, která se nepovedla jsem odinstaloval FW ZA a teď tam nejde nainstalovat zpět. Při instalaci hláška- Validation failed

[motji]

Dobré ranko
Je také možné, že máte nabořený systém. Pro jistotu si důležitá data zazálohujte .
Nevíte, co za chybu Vám combofix hlásil?


Stáhněte Gmer http://www.viry.cz/forum/viewtopic.php?f=29&t=62878
- rozbalte a spusťte
-proběhne sken, po skončení se otevře okno s výsledky, klikněte na Save a tím si uložíte log,který sem vložíte

-Podle návodu v odkazu provedete druhý sken a log sem také vložíte.

[jarrasick]

Díky za odpověď.
První log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-06-03 11:09:59
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\Jarra\LOCALS~1\Temp\awlyifow.sys


---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\Udp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

---- EOF - GMER 1.0.15 ----

[jarrasick]

To, že bych měl nabořený systém, se mi zdá pravděpodobné, ale udělal jsem opravu OS XP z cédéčka a nepomohlo to.

[JaRon]

zaskocim na chvilku:
1. pouzi CFScript:

Kód: Vybrat vše

Folder::
c:\program files\ESET
c:\program files\Microsoft Security Essentials
c:\program files\Alwil Software

log vloz

2. vycisti PC s CCleanerom

[jarrasick]

Druhý scan:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-03 11:49:45
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\Jarra\LOCALS~1\Temp\awlyifow.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateFile [0x9C1DF782]
SSDT \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateKey [0x9C1FE6DC]
SSDT \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteFile [0x9C1E0398]
SSDT \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteKey [0x9C1FFFE4]
SSDT \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteValueKey [0x9C1FF93C]
SSDT \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKey [0x9C20093C]
SSDT \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0x9C200B44]
SSDT \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenFile [0x9C1DFFAA]
SSDT \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRenameKey [0x9C2018D2]
SSDT \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwReplaceKey [0x9C201208]
SSDT \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRestoreKey [0x9C2022A4]
SSDT \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0x9C1E075C]
SSDT \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetSecurityObject [0x9C201E12]
SSDT \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetValueKey [0x9C1FF0C4]

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntkrnlpa.exe!RtlEqualSid + D7D 805D978F 1 Byte [4A]
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB8A98000, 0x1BDE76, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[996] SHLWAPI.dll!SHRegSetUSValueA + 15E8 77FA3C2F 1 Byte [6D]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2204] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[1668] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!CreateThread] [61A5C290] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[1668] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateThread] [61A5C290] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[1668] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [61A525E0] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[1668] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [61A54CF0] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[1668] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [61A54890] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[1668] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!GetModuleHandleA] [61A54850] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[1668] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateThread] [61A5C290] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)

---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\Udp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\napagent\Qecs\79619@Id 79619
Reg HKLM\SYSTEM\ControlSet001\Services\napagent\Qecs\79619@Friendly Name IPSec Relying Party
Reg HKLM\SYSTEM\ControlSet001\Services\napagent\Qecs\79619@Description Provides IPSec based enforcement for Network Access Protection
Reg HKLM\SYSTEM\ControlSet001\Services\napagent\Qecs\79619@Version 1.0
Reg HKLM\SYSTEM\ControlSet001\Services\napagent\Qecs\79619@Vendor Name Microsoft Corporation
Reg HKLM\SYSTEM\ControlSet001\Services\napagent\Qecs\79619@Component Type 2
Reg HKLM\SYSTEM\ControlSet001\Services\napagent\Qecs\79619@Enabled 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32@midimapper midimap.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32@msacm.imaadpcm imaadp32.acm
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32@msacm.msadpcm msadp32.acm
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32@msacm.msg711 msg711.acm
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32@msacm.msgsm610 msgsm32.acm
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32@msacm.trspch tssoft32.acm
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32@vidc.cvid iccvid.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32@vidc.I420 msh263.drv
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32@vidc.iv31 ir32_32.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32@vidc.iv32 ir32_32.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32@vidc.iv41 ir41_32.ax
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32@vidc.iyuv iyuv_32.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32@vidc.mrle msrle32.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32@vidc.msvc msvidc32.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32@vidc.uyvy msyuv.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32@vidc.yuy2 msyuv.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32@vidc.yvu9 tsbyuv.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32@vidc.yvyu msyuv.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32@wavemapper msacm32.drv
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32@msacm.msg723 msg723.acm
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32@vidc.M263 msh263.drv
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32@vidc.M261 msh261.drv
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32@msacm.msaudio1 msaud32.acm
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32@msacm.sl_anet sl_anet.acm
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32@msacm.iac2 C:\WINDOWS\system32\iac25_32.ax
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32@vidc.iv50 ir50_32.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32@msacm.l3acm C:\WINDOWS\system32\l3codeca.acm
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32@wave wdmaud.drv
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32@midi wdmaud.drv
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32@mixer wdmaud.drv
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32@aux wdmaud.drv
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server\RDP
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server\RDP@wave rdpsnd.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server\RDP@mixer rdpsnd.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server\RDP@MaxBandwidth 22201
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server\RDP@wavemapper msacm32.drv
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server\RDP@EnableMP3Codec 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server\RDP@midimapper midimap.dll

---- EOF - GMER 1.0.15 ----

[jarrasick]

Při pokusu nainstalovat nový CF opět klasická hláška:
Instalation files are corrupt, atd

Už nemůžu nic nainstalovat.

[JaRon]

skus Avenger - jeho script:
Folders to delete:
c:\program files\ESET
c:\program files\Microsoft Security Essentials
c:\program files\Alwil Software

[jarrasick]

OK, script proběhl v CF, měl jsem nainstalovanou starší verzi. Vyčištěno Cleanerem.
Hláška: "nesprávná inicializace Isas.exe a winlogon.exe"; potíže s potčátečním přihlášení, místo přihlášení se odhlásí a musím restartovat

[JaRon]

sice pises v uvode o SP3, ale niet o nom ani slychu ,,, doinstaluj SP3 - ak je to mozne

[jarrasick]

Asi se po opravě instalace SP3 smazal. Mám ho jako iso, ale nemůžu obraz připojit na Phantoma, píše neznámá chyba při připojení. Teď stahuju sp3 jako .exe, ale pochybuju o úspěšnosti, neinstalují se mi žádné aktualizace s hláškou - porušený instalační soubor