Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.


Hardware failure or spyware activation?

Post by BiperX » September 15th, 2008, 6:56 am

Hello everyone

I have had this dilemma for quite a long time, and keep asking myself if it's a hardware fault (I connect to the internet via a Netgear DG834G router) or whether some kind of malware is using my resources. The thing is that the internet connection, or rather some ports, are being blocked occasionally, preventing me from browsing the internet, but also the whole system runs really slowly. Anyway, this is the HiJack log of my machine. I do appreciate any suggestions.

Thanks

BiperX


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:28:08, on 15/09/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
E:\SOFTWARE\Photoshop ELEMENTS 4.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Tlen.pl\tlen.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\rogueremoval\HiJack This\HJT.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:12080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: &Tłumaczenie - {0D704FAD-66E9-4F0A-BFED-4F665770DDB3} - C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [srePostpone] rundll32.exe c:\windows\system32\zonelabs\srescan.dll,DoSpecialAction
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Komunikator] C:\Program Files\Tlen.pl\tlen.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {B46B0919-62BA-4D99-A5C4-916B57A6805C} - C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll,-103 - {B46B0919-62BA-4D99-A5C4-916B57A6805C} - C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Fac ... oader5.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/35.06/uploader2.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://www.bridgwater.ac.uk/tsweb/msrdp.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - E:\SOFTWARE\Photoshop ELEMENTS 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware Sandra Professional Business\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware Sandra Professional Business\RpcSandraSrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7020 bytes
BiperX
Active Member
 
Posts: 9
Joined: September 15th, 2008, 6:33 am

Re: Hardware failure or spyware activation?

Post by John B. » September 22nd, 2008, 10:16 am

Hi! :hello2: and welcome to the Malware Removal forums.
My name is John Brouwer - if it helps, you can call me John for short. I'll be glad to help you with your computer problems.

HijackThis logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happens.

These rules are good for you to know:
  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • If you don't reply within five days after my last instructions this topic will be closed. If you will not be able to reply within five days please tell me so the topic will not be closed.

These rules are to make my voluntary work more comfortable:
  • Please be patient. The work I do is voluntary and I also have a private life (school, work, friends and hobbies).
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • Please reply to this thread. Do not start a new topic.
  • Also, don't post logs as attachments. Other helpers like to view the logs as well and opening a lot of attachments is irritating. It can also contain malware.

Finally, please make an uninstall list using HijackThis.
To access the Uninstall Manager you would do the following:
  • Start HijackThis
  • Click on the Open The Misc Tool Section button
  • Click on the Open Uninstall Manager button.
  • Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Save the file to your desktop and post the contents in a reply to this topic. Also post a fresh HijackThis log and tell me if your initial problem still exists.

Greets, John.
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

Re: Hardware failure or spyware activation?

Post by BiperX » September 22nd, 2008, 6:28 pm

Hello John :cheers:

Thank you very much for your quick response - I do appreciate your willingness to help me.
I have done what you suggested, and here is the list of installed software displayed by HiJackThis:


Adobe Help Center 2.0
Adobe Photoshop Elements 4.0
Adobe Reader 8.1.1
Ahead Nero 6 Demo
Atheros Driver Installation Program
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
avast! Antivirus
CCleaner (remove only)
DebugMode Wink
DivX
DivX Converter
DivX Player
DivX Web Player
English Translator XT
Flash Movie Player 1.5
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows XP (KB935448)
Hotfix for Windows XP (KB952287)
Java(TM) 6 Update 3
K-Lite Codec Pack 3.5.0 Full
Malwarebytes' Anti-Malware
Malwarebytes' RogueRemover
Microsoft Office Professional Edition 2003
Mozilla Firefox (2.0.0.16)
Picasa 2
PowerISO
PrimoPDF
PrimoPDF Redistribution Package
QuickTime
Realtek High Definition Audio Driver
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
SiSoftware Sandra Professional Business XII.SP1
Skype™ 3.5
SUPERAntiSpyware Free Edition
Tlen.pl
Tsunami-Filter-Pack
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Wielki słownik polsko-angielski i angielsko-polski PWN-OXFORD
Winamp
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Media Format Runtime
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB884020
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver
ZoneAlarm Pro

I am surprised there are so many Windows fixes installed - are they likely to cause the trouble, do you think?
And below you can see the HiJack log I have done today as well:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:17:00, on 22/09/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
E:\SOFTWARE\Photoshop ELEMENTS 4.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Tlen.pl\tlen.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\SiSoftware Sandra Professional Business\sandra.exe
C:\Program Files\SiSoftware Sandra Professional Business\Win32\RpcDataSrv.exe
C:\Program Files\SiSoftware Sandra Professional Business\RpcSandraSrv.exe
C:\Documents and Settings\Anna Bialek\Desktop\rogueremoval\HiJack This\HJT.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:12080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: &Tłumaczenie - {0D704FAD-66E9-4F0A-BFED-4F665770DDB3} - C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Komunikator] C:\Program Files\Tlen.pl\tlen.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {B46B0919-62BA-4D99-A5C4-916B57A6805C} - C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll,-103 - {B46B0919-62BA-4D99-A5C4-916B57A6805C} - C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Fac ... oader5.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/35.06/uploader2.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://www.bridgwater.ac.uk/tsweb/msrdp.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - E:\SOFTWARE\Photoshop ELEMENTS 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware Sandra Professional Business\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware Sandra Professional Business\RpcSandraSrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7224 bytes

Once again, thanks for your time and for looking at those log entries, which are complicated for me. I hope you will be able to find the solution :alien:


BiperX


PS. If you find it of any use, I attach a copy of a report about the entire system created by the Sandra benchmarking software.


SiSoftware Sandra

System
Host Name : A100
User : BiperX
Workgroup : WORKGROUP

Processor
Model : Intel(R) Celeron(R) M processor 1.50GHz
Speed : 1.5GHz
Cores per Processor : 1 Unit(s)
Threads per Core : 1 Unit(s)
Internal Data Cache : 32kB, Synchronous, Write-Back, 8-way, 64 byte line size
L2 On-board Cache : 1MB, ECC, Synchronous, ATC, 4-way, 64 byte line size

System
System : TOSHIBA Satellite Pro A100
Mainboard : ATI SB450
Bus(es) : X-Bus AGP PCI IMB PCMCIA CardBus USB FireWire/1394 i2c/SMBus
Multi-Processor (MP) Support : 1 Processor(s)
Multi-Processor Advanced PIC (APIC) : Yes
System BIOS : Phoenix Technologies LTD 2.20
Total Memory : 1.37GB DDR2

Chipset 1
Model : Toshiba RS400/133 Host Bridge
Front Side Bus Speed : 4x 100MHz (400MHz)
Total Memory : 1.5GB DDR2
Shared Memory : 2GB
Memory Bus Speed : 2x 267MHz (534MHz)

Video System
Monitor/Panel : Default Monitor
Monitor/Panel : Default Monitor
Monitor/Panel : Plug and Play Monitor
Adapter : ATI RADEON XPRESS 200M Series
Imaging Device : HP Photosmart C4100

Physical Storage Devices
HTS541060G9SA00 60GB (SATA150, NCQ, 7MB Cache) : 55.89GB (C:) (D:) (E:)
MATSHITA DVD/CDRW UJDA770 (ATAPI33, 24x CD-R, 146x CD-W, 3x DVD-R, 2MB Cache) : 4.10GB (F:)

Logical Storage Devices
Hard Disk (C:) : 11.85GB (4.78GB, 40% Free Space) (NTFS) @ HTS541060G9SA00 60GB (SATA150, NCQ, 7MB Cache)
Programs (D:) : 19.63GB (9.73GB, 50% Free Space) (NTFS) @ HTS541060G9SA00 60GB (SATA150, NCQ, 7MB Cache)
Multimedia (E:) : 24.42GB (2.12GB, 9% Free Space) (NTFS) @ HTS541060G9SA00 60GB (SATA150, NCQ, 7MB Cache)
Films (F:) : 4.10GB (CDFS) @ MATSHITA DVD/CDRW UJDA770 (ATAPI33, 24x CD-R, 146x CD-W, 3x DVD-R, 2MB Cache)

Peripherals
USB Controller/Hub : Standard Enhanced PCI to USB Host Controller
USB Controller/Hub : Standard OpenHCD USB Host Controller
USB Controller/Hub : Standard OpenHCD USB Host Controller
USB Controller/Hub : USB Root Hub
USB Controller/Hub : USB Root Hub
USB Controller/Hub : USB Root Hub
USB Controller/Hub : USB Composite Device
USB Controller/Hub : USB Printing Support
USB Controller/Hub : HP Photosmart C4100 series (DOT4USB)
USB Controller/Hub : USB Mass Storage Device
USB Controller/Hub : USB Mass Storage Device
USB Controller/Hub : USB Mass Storage Device
FireWire/1394 Controller/Hub : Texas Instruments OHCI Compliant IEEE 1394 Host Controller
PCMCIA/CardBus Controller : Generic CardBus Controller
Keyboard : Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
Mouse : PS/2 Compatible Mouse

Printers and Faxes
Model : PrimoPDF
Model : Microsoft Office Document Image Writer
Model : HP Photosmart C4100 series

Power Management
Mains (AC) Line Status : Off-Line
Battery No 1 : 53%

Operating System(s)
Windows System : Microsoft Windows XP (2002) Professional 5.01.2600 (Service Pack 2)
Platform Compliance : Win32 x86

Network Services
Adapter : Realtek RTL8139 Family PCI Fast Ethernet NIC
Adapter : Atheros AR5005G Wireless Network Adapter
BiperX
Active Member
 
Posts: 9
Joined: September 15th, 2008, 6:33 am
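As an added example, not part of the thread or of HijackThis itself, here is a small Python parser for HijackThis v2.0.2 logs like the two posted above. It splits a log into the running-process list and the tagged entries (R1, O2, O4, O23, ...), pulls out any CLSID, and diffs two logs so a helper can see which entries or processes appeared or disappeared between posts. The sample logs are constructed excerpts modelled on the thread's logs.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# A HijackThis entry line starts with a section tag such as R1, O2, O4, O23.
ENTRY_RE = re.compile(r"^(?P<tag>[RFNO]\d{1,2}) - (?P<body>.*)$")
# COM class identifiers that appear in O2/O3/O9/O16/O18 entries.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass(frozen=True)
class Entry:
    tag: str              # section tag, e.g. "O4"
    body: str             # everything after "O4 - "
    clsid: Optional[str]  # first CLSID in the body, if any


def parse_hjt(log: str) -> Tuple[List[str], List[Entry]]:
    """Split a HijackThis v2 log into its running-process list and tagged entries.

    Process paths are lower-cased because Windows paths are case-insensitive and
    HijackThis itself mixes "System32" and "system32" within one log.
    """
    processes: List[str] = []
    entries: List[Entry] = []
    in_processes = False
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False      # a blank line ends the process block
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.append(line.lower())
            continue
        m = ENTRY_RE.match(line)
        if m:
            c = CLSID_RE.search(m.group("body"))
            entries.append(Entry(m.group("tag"), m.group("body"),
                                 c.group(0).upper() if c else None))
    return processes, entries


def section_counts(entries: List[Entry]) -> Dict[str, int]:
    """How many entries each section (R1, O2, O4, ...) contributed."""
    return dict(Counter(e.tag for e in entries))


def diff_logs(old: str, new: str) -> Dict[str, List[str]]:
    """Entries and processes that appeared or disappeared between two logs."""
    old_p, old_e = parse_hjt(old)
    new_p, new_e = parse_hjt(new)
    old_keys = {f"{e.tag} - {e.body}" for e in old_e}
    new_keys = {f"{e.tag} - {e.body}" for e in new_e}
    return {
        "added_entries": sorted(new_keys - old_keys),
        "removed_entries": sorted(old_keys - new_keys),
        "added_processes": sorted(set(new_p) - set(old_p)),
        "removed_processes": sorted(set(old_p) - set(new_p)),
    }


# Constructed excerpt modelled on the first log posted in this thread.
OLD_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:28:08, on 15/09/2008
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\rogueremoval\HiJack This\HJT.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:12080
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\RunOnce: [srePostpone] rundll32.exe c:\windows\system32\zonelabs\srescan.dll,DoSpecialAction
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7020 bytes
"""

# Constructed follow-up, as in the second posted log: the RunOnce entry has
# fired and gone, and one more process (WISPTIS.EXE) is running.
NEW_LOG = OLD_LOG.replace(
    "O4 - HKLM\\..\\RunOnce: [srePostpone] rundll32.exe "
    "c:\\windows\\system32\\zonelabs\\srescan.dll,DoSpecialAction\n", ""
).replace(
    "C:\\rogueremoval\\HiJack This\\HJT.exe\n",
    "C:\\WINDOWS\\system32\\WISPTIS.EXE\nC:\\rogueremoval\\HiJack This\\HJT.exe\n",
)


if __name__ == "__main__":
    procs, ents = parse_hjt(OLD_LOG)
    print(f"{len(procs)} processes, entries by section: {section_counts(ents)}")
    for kind, items in diff_logs(OLD_LOG, NEW_LOG).items():
        for item in items:
            print(f"{kind}: {item}")
```

Run against two full logs, the diff isolates exactly the changes a helper would otherwise hunt for by eye, while the section counts give a quick sense of how crowded each HijackThis section is.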

Re: Hardware failure or spyware activation?

Post by John B. » September 23rd, 2008, 2:45 pm

Hi BiperX,

I am surprised there are so many Windows fixes installed - are they likely to cause the trouble, do you think?

Those should be on your system. Completely unrelated to your problem.

Your logs look completely clean and I don't think your problem is related to malware. Still I want you to run two scanners to make sure there is no malware. If nothing shows up we will try to find out what the non-malware related solution is.

Step 1: Update Java
Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older-version Java components and update.
First remove the older versions:
  • Download JavaRa and unzip it to your desktop.
  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location.
Now let's download and install the newest version:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 7.
  • Click on Windows XP/Vista/2000/2003 Offline and save the downloaded file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Then from your desktop double-click on the download to install the newest version.
  • Reboot your computer.

Step 2: Run CCleaner
CCleaner will remove everything from the temp/temporary folders but please note that it will not make back ups!
  • Before first use, select Options > Advanced and UNCHECK Only delete files in Windows Temp folder older than 48 hours
  • Then select the items you wish to clean up.
    • In the Windows Tab:
      • Clean all entries in the Internet Explorer section except Cookies
      • Clean all the entries in the Windows Explorer section
      • Clean all entries in the System section
      • Clean all entries in the Advanced section
      • Clean any others that you choose
    • In the Applications Tab:
      • Clean all except cookies in the Firefox/Mozilla section if you use it
      • Clean all in the Opera section if you use it
      • Clean Sun Java in the Internet Section
      • Clean any others that you choose
  • Click the Run Cleaner button.
  • A pop up box will appear advising this process will permanently delete files from your system.
  • Click OK and it will scan and clean your system.
  • Click exit when done.
  • If it asks you to reboot at the end, click NO
CCleaner should be run with the above settings for each User Account!

Step 3: Run Malwarebytes' Anti-Malware
From your uninstall log I saw that you already have Malwarebytes' Anti-Malware, so no need to download it.
  • Start Malwarebytes' Anti-Malware.
  • Make sure you perform an update before scanning, because older versions may have vulnerabilities.
  • Now select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Close the Notepad file.
  • The log file is saved here and will be named like this: C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Step 4: Download and Run RSIT
  • Please download Random's System Information Tool by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open:
    • log.txt will be opened maximized.
    • info.txt will be opened minimized.
  • Please post the contents of both log.txt and info.txt.

Step 5: Post logs
Please post the following logs in a reply to this topic:
  • Fresh HijackThis log
  • JavaRa log
  • Malwarebytes' Anti-Malware log
  • RSIT log

Greets, John.
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

Re: Hardware failure or spyware activation?

Post by BiperX » September 24th, 2008, 7:43 pm

Hello John,

With a little pain, but I managed to do what you told me to do. With pain, because I have trouble downloading files: either Mozilla or IE6, when it comes to saving a file downloaded from the Web, saves only several kilobytes, then says that the download is complete, but the file is corrupted and impossible to open for that reason.
It happens as well when previewing some websites and viewing pictures or movies. I must underline that I have a quite decent ISP connection, and wouldn't blame them for it.
It is worth mentioning that today I was not able to log in to this service using Firefox - once I log on, after 3 seconds I am sent back to the previous page as if I were a guest... strange, because when I used IE I was accepted immediately.

Anyway I attach all the logs as you asked.
Thanks for looking

Cheers

BiperX


Malware Log:

Malwarebytes' Anti-Malware 1.28
Database version: 1203
Windows 5.1.2600 Service Pack 2

25/09/2008 00:12:31
mbam-log-2008-09-25 (00-12-26).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 114526
Time elapsed: 44 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\scrfile\shell\open\command\ (Broken.OpenCommand) -> Bad: ("%1" %*) Good: ("%1" /S) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


RSIT log:


Logfile of random's system information tool 1.02 (written by random/random)
Run by Anna Bialek at 2008-09-25 00:12:59
Microsoft Windows XP Professional Service Pack 2
System drive C: has 5 GB (40%) free of 12 GB
Total RAM: 1406 MB (55% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:13:19, on 25/09/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
E:\SOFTWARE\Photoshop ELEMENTS 4.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Tlen.pl\tlen.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
D:\INSTALL\System Mintenance\RSIT.exe
C:\Program Files\trend micro\Anna Bialek.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:12080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: &T3umaczenie - {0D704FAD-66E9-4F0A-BFED-4F665770DDB3} - C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Komunikator] C:\Program Files\Tlen.pl\tlen.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {B46B0919-62BA-4D99-A5C4-916B57A6805C} - C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll,-103 - {B46B0919-62BA-4D99-A5C4-916B57A6805C} - C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Fac ... oader5.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/35.06/uploader2.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://www.bridgwater.ac.uk/tsweb/msrdp.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - E:\SOFTWARE\Photoshop ELEMENTS 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware Sandra Professional Business\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware Sandra Professional Business\RpcSandraSrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6766 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{0D704FAD-66E9-4F0A-BFED-4F665770DDB3} - &Tłumaczenie - C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll [2005-11-05 323584]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Zone Labs Client"=C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe [2006-08-23 968696]
"avast!"=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe [2008-07-19 78008]
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [2007-10-16 344064]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2005-11-10 15473664]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2007-10-10 39792]
"PWRISOVM.EXE"=C:\Program Files\PowerISO\PWRISOVM.EXE [2007-04-09 200704]
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]
"NeroCheck"=C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2008-04-01 77824]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]
"Komunikator"=C:\Program Files\Tlen.pl\tlen.exe [2007-10-05 6226432]
"Skype"=C:\Program Files\Skype\Phone\Skype.exe [2007-09-13 22983464]
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2008-09-03 1576176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2008-07-23 352256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2005-08-04 46080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\WINDOWS\system32\ZoneLabs\vsmon.exe"="C:\WINDOWS\system32\ZoneLabs\vsmon.exe:*:Disabled:TrueVector Service"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Disabled:Windows Live Messenger 8.1 (Phone)"
"C:\Program Files\SiSoftware Sandra Professional Business\Win32\RpcDataSrv.exe"="C:\Program Files\SiSoftware Sandra Professional Business\Win32\RpcDataSrv.exe:*:Enabled:SiSoftware Database Agent Service"
"C:\Program Files\SiSoftware Sandra Professional Business\RpcSandraSrv.exe"="C:\Program Files\SiSoftware Sandra Professional Business\RpcSandraSrv.exe:*:Enabled:SiSoftware Sandra Agent Service"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{af1cc51f-7818-11dc-ad59-00a0d13e956d}]
shell\AutoRun\command - G:\setupSNK.exe


======File associations======

.reg - open - regedit.exe "%1" %*
.scr - open - "%1" %*

======List of files/folders created in the last 1 months======

2008-09-25 00:13:01 ----D---- C:\Program Files\trend micro
2008-09-25 00:12:59 ----D---- C:\rsit
2008-09-24 22:54:01 ----A---- C:\WINDOWS\system32\javaws.exe
2008-09-24 22:54:01 ----A---- C:\WINDOWS\system32\javaw.exe
2008-09-24 22:54:01 ----A---- C:\WINDOWS\system32\java.exe
2008-09-20 14:12:31 ----D---- C:\Documents and Settings\All Users\Application Data\MSScanAppDataDir
2008-09-08 09:36:59 ----N---- C:\WINDOWS\SchedLgU.Txt
2008-09-08 01:46:04 ----D---- C:\Documents and Settings\Anna Bialek\Application Data\Malwarebytes
2008-09-08 01:46:01 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-08 01:46:01 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-08 01:45:07 ----D---- C:\Program Files\RogueRemover FREE
2008-09-08 01:39:30 ----SHD---- C:\RECYCLER
2008-09-08 01:38:50 ----D---- C:\Program Files\CCleaner
2008-09-08 01:15:12 ----D---- C:\WINDOWS\temp
2008-09-08 01:15:10 ----A---- C:\ComboFix.txt
2008-09-08 01:12:39 ----D---- C:\WINDOWS\erdnt
2008-09-08 01:12:22 ----D---- C:\QooBox
2008-09-08 01:12:16 ----A---- C:\WINDOWS\zip.exe
2008-09-08 01:12:16 ----A---- C:\WINDOWS\VFind.exe
2008-09-08 01:12:16 ----A---- C:\WINDOWS\swxcacls.exe
2008-09-08 01:12:16 ----A---- C:\WINDOWS\swsc.exe
2008-09-08 01:12:16 ----A---- C:\WINDOWS\swreg.exe
2008-09-08 01:12:16 ----A---- C:\WINDOWS\sed.exe
2008-09-08 01:12:16 ----A---- C:\WINDOWS\Nircmd.exe
2008-09-08 01:12:16 ----A---- C:\WINDOWS\grep.exe
2008-09-08 01:12:16 ----A---- C:\WINDOWS\fdsv.exe
2008-09-08 01:10:45 ----D---- C:\rogueremoval
2008-09-08 00:53:54 ----D---- C:\WINDOWS\CSC
2008-09-07 11:47:03 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-09-07 11:46:55 ----D---- C:\Program Files\SUPERAntiSpyware
2008-09-07 11:46:55 ----D---- C:\Documents and Settings\Anna Bialek\Application Data\SUPERAntiSpyware.com
2008-09-07 11:46:31 ----D---- C:\Program Files\Common Files\Wise Installation Wizard

======List of files/folders modified in the last 1 months======

2008-09-25 00:13:20 ----D---- C:\WINDOWS\Prefetch
2008-09-25 00:13:02 ----D---- C:\WINDOWS\Internet Logs
2008-09-25 00:13:01 ----RD---- C:\Program Files
2008-09-25 00:10:56 ----D---- C:\Documents and Settings\Anna Bialek\Application Data\Skype
2008-09-24 23:31:12 ----D---- C:\Program Files\Mozilla Firefox
2008-09-24 23:14:36 ----D---- C:\WINDOWS\system32\drivers
2008-09-24 23:11:03 ----D---- C:\WINDOWS\system32\Lang
2008-09-24 23:07:37 ----D---- C:\WINDOWS
2008-09-24 22:57:20 ----D---- C:\WINDOWS\system32\ZoneLabs
2008-09-24 22:54:07 ----SHD---- C:\WINDOWS\Installer
2008-09-24 22:54:07 ----HD---- C:\Config.Msi
2008-09-24 22:54:01 ----D---- C:\Program Files\Java
2008-09-24 22:54:01 ----AD---- C:\WINDOWS\system32
2008-09-22 23:19:12 ----A---- C:\Documents and Settings\All Users\Application Data\xmlB.tmp
2008-09-22 23:19:12 ----A---- C:\Documents and Settings\All Users\Application Data\xmlA.tmp
2008-09-22 23:19:12 ----A---- C:\Documents and Settings\All Users\Application Data\xml9.tmp
2008-09-20 21:44:46 ----D---- C:\WINDOWS\Help
2008-09-20 14:40:36 ----A---- C:\WINDOWS\win.ini
2008-09-17 17:02:49 ----A---- C:\WINDOWS\YDPDICT.INI
2008-09-15 11:05:12 ----D---- C:\WINDOWS\Debug
2008-09-14 12:25:12 ----HD---- C:\WINDOWS\inf
2008-09-14 12:25:11 ----D---- C:\WINDOWS\system32\CatRoot2
2008-09-11 09:01:42 ----D---- C:\WINDOWS\WinSxS
2008-09-11 09:00:48 ----HD---- C:\WINDOWS\$hf_mig$
2008-09-08 12:04:13 ----SD---- C:\WINDOWS\Downloaded Program Files
2008-09-08 01:39:30 ----D---- C:\WINDOWS\Minidump
2008-09-08 01:14:10 ----A---- C:\WINDOWS\system.ini
2008-09-08 01:13:39 ----D---- C:\WINDOWS\AppPatch
2008-09-08 01:13:39 ----D---- C:\Program Files\Common Files
2008-09-07 13:08:38 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-08-26 21:28:12 ----A---- C:\WINDOWS\system32\MRT.exe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Aavmker4;avast! Asynchronous Virus Monitor; C:\WINDOWS\system32\drivers\Aavmker4.sys [2008-07-19 26944]
R1 aswSP;avast! Self Protection; C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416]
R1 aswTdi;avast! Network Shield Support; C:\WINDOWS\system32\drivers\aswTdi.sys [2008-07-19 42912]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-08-04 36096]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R1 SCDEmu;SCDEmu; C:\WINDOWS\system32\drivers\SCDEmu.sys [2007-04-09 31548]
R1 vsdatant;vsdatant; C:\WINDOWS\System32\vsdatant.sys [2006-08-23 392824]
R2 aswFsBlk;aswFsBlk; C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
R2 aswMon2;avast! Standard Shield Support; C:\WINDOWS\system32\drivers\aswMon2.sys [2008-07-19 94416]
R3 AR5211;Atheros Wireless Network Adapter Service; C:\WINDOWS\system32\DRIVERS\ar5211.sys [2007-04-05 546112]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2004-08-04 60800]
R3 aswRdr;aswRdr; C:\WINDOWS\system32\drivers\aswRdr.sys [2008-07-19 23152]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2005-08-04 1273344]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2004-08-04 14080]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2005-01-07 138752]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2005-11-11 4064256]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2004-08-04 61824]
R3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2004-08-03 20992]
R3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2004-08-04 17024]
S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2006-04-13 49664]
S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2006-04-13 16496]
S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2006-04-13 21568]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 PCANDIS5_RETWIFI;PCANDIS5_RETWIFI Protocol Driver; \??\C:\PROGRA~1\EEYEDI~1\RETINA~1\PCANDIS5_RETWIFI.SYS []
S3 PCANDIS5_WIFISCAN.SYS;PCANDIS5_WIFISCAN.SYS; \??\C:\Program Files\eEye Digital Security\Retina Wireless Scanner\PCANDIS5_WIFISCAN.SYS []
S3 SABProcEnum;SABProcEnum; \??\C:\Program Files\Internet Explorer\SABProcEnum.sys []
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1); C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS [2001-08-17 7552]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-04 31616]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AdobeActiveFileMonitor4.0;Adobe Active File Monitor V4; E:\SOFTWARE\Photoshop ELEMENTS 4.0\PhotoshopElementsFileAgent.exe [2005-09-09 102400]
R2 aswUpdSv;avast! iAVS4 Control Service; C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe [2008-07-19 16056]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2005-08-04 380928]
R2 avast! Antivirus;avast! Antivirus; C:\Program Files\Alwil Software\Avast4\ashServ.exe [2008-07-19 147640]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]
R2 vsmon;TrueVector Internet Monitor; C:\WINDOWS\system32\ZoneLabs\vsmon.exe [2006-08-23 75768]
R3 avast! Mail Scanner;avast! Mail Scanner; C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe [2008-07-19 250040]
R3 avast! Web Scanner;avast! Web Scanner; C:\Program Files\Alwil Software\Avast4\ashWebSv.exe [2008-07-23 348344]
R3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\MSN Messenger\usnsvc.exe [2007-01-19 97136]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 SandraDataSrv;SiSoftware Database Agent Service; C:\Program Files\SiSoftware Sandra Professional Business\Win32\RpcDataSrv.exe [2007-12-12 213176]
S3 SandraTheSrv;SiSoftware Sandra Agent Service; C:\Program Files\SiSoftware Sandra Professional Business\RpcSandraSrv.exe [2007-12-12 1433776]

-----------------EOF-----------------


RSIT info:

info.txt logfile of random's system information tool 1.02 2008-09-25 00:13:22

======Uninstall list======

-->C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
-->MsiExec.exe /I{C98E5F1B-5C2B-4FD1-BDF9-F3779DCAAA16}
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Help Center 2.0-->MsiExec.exe /I{8FFC924C-ED06-44CB-8867-3CA778ECE903}
Adobe Photoshop Elements 4.0-->msiexec /I {EBB7C1C1-D439-4D9B-9FDC-954C10F266B0}
Adobe Reader 8.1.1-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81000000003}
Ahead Nero 6 Demo-->C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
Atheros Driver Installation Program-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C3A32068-8AB1-4327-BB16-BED9C6219DC7}\setup.exe" -l0x15
ATI - Software Uninstall Utility-->C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Control Panel-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver-->rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
avast! Antivirus-->C:\Program Files\Alwil Software\Avast4\aswRunDll.exe "C:\Program Files\Alwil Software\Avast4\Setup\setiface.dll",RunSetup
CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe"
DebugMode Wink-->"C:\Program Files\Wink\uninst.exe"
DivX Converter-->C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
DivX Player-->C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player-->C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
DivX-->C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
English Translator XT-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{6F89200D-9C19-42F7-A056-640C9D4C158C}
Flash Movie Player 1.5-->C:\Program Files\Flash Movie Player\uninst.exe
HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall
Java(TM) 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
K-Lite Codec Pack 3.5.0 Full-->"C:\Program Files\K-Lite Codec Pack\unins000.exe"
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Malwarebytes' RogueRemover-->"C:\Program Files\RogueRemover FREE\unins000.exe"
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Mozilla Firefox (2.0.0.16)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Picasa 2-->"C:\Program Files\Picasa2\Uninstall.exe"
PowerISO-->"C:\Program Files\PowerISO\uninstall.exe"
PrimoPDF Redistribution Package-->MsiExec.exe /I{885744A4-1A01-44B0-858A-0AE6738CBCF7}
PrimoPDF-->"C:\WINDOWS\PrimoPDF\uninstall.exe" "/U:C:\Program Files\PrimoPDF\Uninstall\uninstall.xml"
QuickTime-->C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
Realtek High Definition Audio Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x15 -removeonly
SiSoftware Sandra Professional Business XII.SP1-->"C:\Program Files\SiSoftware Sandra Professional Business\unins000.exe"
Skype™ 3.5-->MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
SUPERAntiSpyware Free Edition-->MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Tlen.pl-->"C:\Program Files\Tlen.pl\uninstall.exe"
Tsunami-Filter-Pack-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0700\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DCFF9230-22DC-40ED-BBCC-0F260B85734C}\setup.exe" -l0x9
Wielki słownik polsko-angielski i angielsko-polski PWN-OXFORD-->C:\WINDOWS\IsUn0415.exe -f"d:\english\Slownik PWN-Oxford\Uninst.isu"
Winamp-->"C:\Program Files\Winamp\UninstWA.exe"
Windows Live Messenger-->MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
ZoneAlarm Pro-->C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe

======Security center information======

AV: avast! antivirus 4.8.1229 [VPS 080924-1]
FW: ZoneAlarm Pro Firewall

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"NUMBER_OF_PROCESSORS"=1
"OS"=Windows_NT
"Path"=%systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;C:\Program Files\ATI Technologies\ATI Control Panel
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 13 Stepping 8, GenuineIntel
"PROCESSOR_LEVEL"=6
"PROCESSOR_REVISION"=0d08
"SAN_DIR"=C:\Program Files\SiSoftware Sandra Professional Business
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"tvdumpflags"=8
"windir"=%SystemRoot%

-----------------EOF-----------------

JavaRa log:


JavaRa 1.11 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Wed Sep 24 22:49:31 2008

Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBB}

Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC}

Found and removed: SOFTWARE\Classes\Installer\Features\8A0F842331866D117AB7000B0D610003

Found and removed: SOFTWARE\Classes\Installer\Products\8A0F842331866D117AB7000B0D610003

Found and removed: SOFTWARE\Classes\Installer\UpgradeCodes\7A0F842331866D117AB7000B0D610003

Found and removed: SOFTWARE\Classes\JavaPlugin.160_03

Found and removed: SOFTWARE\JavaSoft\Java Plug-in\1.6.0_03

Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.6.0_03

Found and removed: SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\7A0F842331866D117AB7000B0D610003

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\ACBB9B2318A96D117A58000B0D610003

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F842331866D117AB7000B0D610003

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3248F0A8-6813-11D6-A77B-00B0D0160030}

Found and removed: Software\Classes\JavaPlugin.160_03

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0003-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0004-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0005-ABCDEFFEDCBA}

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_03\

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_03\bin\

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\C:\Program Files\Common Files\Java\Update\Base Images\jre1.6.0.b105\patch-jre1.6.0_03.b05\

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_02

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_03

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_04

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2.0_01

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.6.0_03

Found and removed: Software\JavaSoft\Java2D\1.6.0_03

Found and removed: Software\JavaSoft\Java Runtime Environment\1.6.0_03

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBB}

------------------------------------

Finished reporting.

Fresh HiJack log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:40:10, on 25/09/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
E:\SOFTWARE\Photoshop ELEMENTS 4.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Tlen.pl\tlen.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\rogueremoval\HiJack This\HJT.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:12080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: &Tłumaczenie - {0D704FAD-66E9-4F0A-BFED-4F665770DDB3} - C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Komunikator] C:\Program Files\Tlen.pl\tlen.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {B46B0919-62BA-4D99-A5C4-916B57A6805C} - C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll,-103 - {B46B0919-62BA-4D99-A5C4-916B57A6805C} - C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Fac ... oader5.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/35.06/uploader2.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://www.bridgwater.ac.uk/tsweb/msrdp.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - E:\SOFTWARE\Photoshop ELEMENTS 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware Sandra Professional Business\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware Sandra Professional Business\RpcSandraSrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6767 bytes
BiperX
Active Member
 
Posts: 9
Joined: September 15th, 2008, 6:33 am

Re: Harware failure or spyware activation?

Unread postby John B. » September 25th, 2008, 11:32 am

Hi BiperX,

All the logs were clean, but MBAM and RSIT found that there is something wrong with your settings for some files. I would like to research that together with some other places we can look to find a solution for your problems.

Step 1: Download and Run DAFT
Please download DAFT and save it to your desktop.
  • Double-click the daft.exe icon. Read the disclaimer and click OK.
  • Click on the Scan button.
  • Save the logfile to your desktop, by default it will save as daft.txt.

Step 2: Check Event Viewer logs
By viewing the Event Viewer logs we could maybe find out what is wrong.
  • Go to Start
  • Click on Run
  • In the box, type eventvwr
  • Look at the System and Application log files and note any that are red and made when you lose your internet connection.
  • We need to know the Event ID and Source.
  • Post about two or three if there are some.

Step 3: Post logs
Please post the following logs in a reply to this topic:
  • Tell me how long it has been since you did some general maintenance like defragmentation.
  • Let me know if you have any other computers in the same network and tell me if they also sometimes lose their internet connection.
  • DAFT log
  • Event Viewer logs from about the time you lose your internet connection (if present)

Greets, John.
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

Re: Harware failure or spyware activation?

Unread postby BiperX » September 27th, 2008, 11:12 am

Hello John,

Yes, it's been a while since I defragmented my system, although I use various maintenance programs to check registry keys, network connections, etc., like RegistryMechanic, Everest Ultimate Engineer and PC tuneUP2007.

It doesn't seem to have any influence on the accidents of losing the internet connection. The reason for that is that recently we bought a new computer, and in the first instance everything was fine, but after a few days it was similar to this computer. There is not a network as such - the internet connection is shared via the router, but the PC is connected permanently via LAN and the laptop works wirelessly. The connection is lost on both stations pretty much at the same time, but the event viewer doesn't seem to recognise any errors at the time of the connection problem, just several warnings, and they have something to do with TCP/IP:

Type Date Time Source Category Event User Computer

Information 26/09/2008 14:22:14 Tcpip None 4201 N/A A100
Information 26/09/2008 14:22:09 Tcpip None 4202 N/A A100
Warning 26/09/2008 14:22:08 Dhcp None 1003 N/A A100
Information 26/09/2008 14:22:07 Browser None 8033 N/A A100
Warning 25/09/2008 20:17:17 Tcpip None 4226 N/A A100
Information 25/09/2008 20:17:06 Tcpip None 4201 N/A A100
Information 25/09/2008 20:16:49 Tcpip None 4201 N/A A100
Information 25/09/2008 20:16:44 Tcpip None 4201 N/A A100
Information 25/09/2008 20:15:29 Tcpip None 4202 N/A A100
Information 25/09/2008 20:15:24 Browser None 8033 N/A A100
Information 25/09/2008 16:03:34 Tcpip None 4201 N/A A100
Warning 25/09/2008 16:03:32 Dhcp None 1003 N/A A100
Warning 25/09/2008 16:02:33 Tcpip None 4226 N/A A100
Information 25/09/2008 16:02:29 Tcpip None 4201 N/A A100
Information 25/09/2008 16:02:09 Tcpip None 4202 N/A A100
Information 25/09/2008 16:02:05 Browser None 8033 N/A A100
Information 25/09/2008 09:46:11 Service Control Manager None 7035 A100
Error 25/09/2008 09:46:09 IPNATHLP None 30005 N/A A100
Information 25/09/2008 09:41:02 Service Control Manager None 7036 N/A A100
Information 25/09/2008 09:40:49 Service Control Manager None 7036 N/A A100
Information 25/09/2008 09:40:14 Tcpip None 4201 N/A A100
Information 25/09/2008 09:40:01 eventlog None 6005 N/A A100
Information 25/09/2008 09:40:01 eventlog None 6009 N/A A100
Information 24/09/2008 22:58:37 W32Time None 35 N/A A100
Information 24/09/2008 22:58:31 Service Control Manager None 7036 N/A A100
Information 24/09/2008 22:58:28 Service Control Manager None 7036 N/A A100
Information 24/09/2008 22:58:28 Service Control Manager None 7035 LOCAL SERVICE A100
Information 24/09/2008 22:58:16 Service Control Manager None 7035 SYSTEM A100
Information 24/09/2008 22:58:16 Service Control Manager None 7036 N/A A100
Information 24/09/2008 22:57:38 Tcpip None 4201 N/A A100
Information 24/09/2008 22:57:26 eventlog None 6005 N/A A100
Information 24/09/2008 22:57:26 eventlog None 6009 N/A A100
Information 24/09/2008 22:56:22 eventlog None 6006 N/A A100
Information 24/09/2008 22:43:37 Tcpip None 4201 N/A A100
Information 24/09/2008 22:43:32 Tcpip None 4202 N/A A100
Information 24/09/2008 22:43:29 Browser None 8033 N/A A100
Information 24/09/2008 16:33:41 Service Control Manager None 7036 N/A A100
Information 24/09/2008 16:33:37 Tcpip None 4201 N/A A100
Information 24/09/2008 16:33:28 Browser None 8033 N/A A100
Information 24/09/2008 16:33:27 Tcpip None 4202 N/A A100
Information 24/09/2008 09:15:29 Service Control Manager None 7036 N/A A100
Information 24/09/2008 09:15:23 Tcpip None 4201 N/A A100
Information 24/09/2008 09:15:13 Browser None 8033 N/A A100
Information 24/09/2008 09:15:13 Tcpip None 4202 N/A A100
Information 24/09/2008 01:10:58 Service Control Manager None 7036 N/A A100
Information 24/09/2008 01:10:51 Tcpip None 4201 N/A A100
Information 24/09/2008 01:10:47 Browser None 8033 N/A A100
Information 24/09/2008 01:10:46 Tcpip None 4202 N/A A100
Information 23/09/2008 21:27:07 W32Time None 35 N/A A100
Information 23/09/2008 10:38:40 Tcpip None 4201 N/A A100
Information 23/09/2008 10:38:35 Tcpip None 4202 N/A A100
Information 23/09/2008 10:38:33 Browser None 8033 N/A A100
Information 23/09/2008 10:38:32 Application Popup None 26 N/A A100
Information 23/09/2008 00:36:02 Application Popup None 26 N/A A100
Information 22/09/2008 23:53:02 Service Control Manager None 7036 N/A A100
Information 22/09/2008 23:52:58 Tcpip None 4201 N/A A100

Error 22/09/2008 23:19:05 SideBySide None 59 N/A A100
Error 22/09/2008 23:19:05 SideBySide None 58 N/A A100
Error 22/09/2008 23:19:05 SideBySide None 34 N/A A100
Error 22/09/2008 23:19:04 SideBySide None 59 N/A A100
Error 22/09/2008 23:19:04 SideBySide None 58 N/A A100
Error 22/09/2008 23:19:04 SideBySide None 34 N/A A100

Looking at one of the errors I have got this explanation:

Product: Windows Operating System
ID: 30005
Source: ipnathlp
Version: 5.2
Symbolic Name: IP_AUTO_DHCP_LOG_DUPLICATE_SERVER
Message: The DHCP allocator has detected a DHCP server with IP address %1 on the same network as the interface with IP address %2. The allocator has disabled itself on the interface in order to avoid confusing DHCP clients.

Explanation
The DHCP allocator, configured with Internet Connection Sharing (ICS) or Routing and Remote Access network address translation (NAT), detected an additional DHCP server on the network and disabled itself to avoid allocating conflicting address ranges on the local area network.

Daft report showed results as below:

DAFT Log saved on 2008-09-27 14:34:21
-----------------------------------------------------------------------
.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*

I also looked at the other new PC's event log and this is what it shows (shortly before the connection was lost):

Type Date Time Source Category Event User Computer
Information 27/09/2008 10:34:56 Service Control Manager None 7036 N/A IT-HCS
Warning 27/09/2008 10:17:19 Dhcp None 1003 N/A IT-HCS
Information 27/09/2008 10:16:50 Tcpip None 4201 N/A IT-HCS
Information 27/09/2008 10:16:46 e1express None 33 N/A IT-HCS
Information 27/09/2008 10:15:05 Browser None 8033 N/A IT-HCS
Information 27/09/2008 10:15:05 Tcpip None 4202 N/A IT-HCS
Warning 27/09/2008 10:14:57 e1express None 27 N/A IT-HCS
Information 27/09/2008 10:11:52 Service Control Manager None 7036 N/A IT-HCS
Information 27/09/2008 10:11:52 Service Control Manager None 7035 SYSTEM IT-HCS
Warning 27/09/2008 10:00:21 Tcpip None 4226 N/A IT-HCS
Information 27/09/2008 09:55:37 Service Control Manager None 7036 N/A IT-HCS
Information 27/09/2008 08:46:39 Service Control Manager None 7036 N/A IT-HCS
Warning 27/09/2008 03:58:18 Tcpip None 4226 N/A IT-HCS
Warning 27/09/2008 02:57:20 Tcpip None 4226 N/A IT-HCS
Warning 27/09/2008 01:26:58 Tcpip None 4226 N/A IT-HCS
Warning 27/09/2008 00:45:12 Tcpip None 4226 N/A IT-HCS
Information 26/09/2008 22:53:43 Service Control Manager None 7036 N/A IT-HCS
Information 26/09/2008 22:48:50 Service Control Manager None 7036 N/A IT-HCS
Error 26/09/2008 22:48:50 Service Control Manager None 7026 N/A IT-HCS
Information 26/09/2008 22:48:49 Service Control Manager None 7035 SYSTEM IT-HCS
Error 26/09/2008 22:48:49 Service Control Manager None 7000 N/A IT-HCS
Information 26/09/2008 22:48:09 e1express None 33 N/A IT-HCS
Information 26/09/2008 22:48:14 eventlog None 6005 N/A IT-HCS
Information 26/09/2008 22:48:14 eventlog None 6009 N/A IT-HCS
Information 26/09/2008 20:23:57 eventlog None 6006 N/A IT-HCS
Information 26/09/2008 20:23:43 Service Control Manager None 7036 N/A IT-HCS
Information 26/09/2008 20:23:24 Service Control Manager None 7036 N/A IT-HCS

The warning is for event TCPIP with code 4226, or something to do with DHCP - event 1003. I also suspect the router, but it's kind of strange - because not all connections are lost - I can still use instant messengers or P2P programs; it's only internet browsing and trying to download something from it that becomes impossible, and the only solution is to switch off the power in the router for about 10 sec; after rebooting it usually is fine, but should I take it for granted?

Regards

BiperX
BiperX
Active Member
 
Posts: 9
Joined: September 15th, 2008, 6:33 am
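John's Step 2 asks for the Event ID and Source of entries made around the time the connection drops, and the Event Viewer rows pasted above are exactly that data in flattened form. The following script is an added example, not something from the thread or from MalwareRemoval.com: it parses rows in the "Type Date Time Source Category Event User Computer" layout as pasted (the User column is sometimes absent and source names such as "Service Control Manager" contain spaces), groups entries that are close in time, and reports every group that contains a Warning or Error so the surrounding Information entries give context. The sample rows are a subset copied from the A100 log above; the two-minute grouping window is an arbitrary choice.

```python
from datetime import datetime, timedelta

# Subset of the Event Viewer rows pasted in the thread (computer A100).
EVENT_ROWS = """\
Information 26/09/2008 14:22:14 Tcpip None 4201 N/A A100
Information 26/09/2008 14:22:09 Tcpip None 4202 N/A A100
Warning 26/09/2008 14:22:08 Dhcp None 1003 N/A A100
Information 26/09/2008 14:22:07 Browser None 8033 N/A A100
Warning 25/09/2008 20:17:17 Tcpip None 4226 N/A A100
Information 25/09/2008 20:17:06 Tcpip None 4201 N/A A100
Information 25/09/2008 20:16:49 Tcpip None 4201 N/A A100
Information 25/09/2008 20:16:44 Tcpip None 4201 N/A A100
Information 25/09/2008 20:15:29 Tcpip None 4202 N/A A100
Information 25/09/2008 20:15:24 Browser None 8033 N/A A100
Information 25/09/2008 09:46:11 Service Control Manager None 7035 A100
Error 25/09/2008 09:46:09 IPNATHLP None 30005 N/A A100
Information 24/09/2008 22:58:28 Service Control Manager None 7035 LOCAL SERVICE A100
"""


def parse_row(line):
    """Parse one flattened Event Viewer row into a dict.

    The Event ID is the last all-digit token before the computer name; the
    source is everything between the time and the category, and the user
    (which may be missing or contain a space) is everything after the ID.
    """
    tok = line.split()
    if len(tok) < 6:
        raise ValueError(f"not an event row: {line!r}")
    idx = next((i for i in range(len(tok) - 2, 2, -1) if tok[i].isdigit()), None)
    if idx is None:
        raise ValueError(f"no event id in row: {line!r}")
    return {
        "type": tok[0],
        "time": datetime.strptime(f"{tok[1]} {tok[2]}", "%d/%m/%Y %H:%M:%S"),
        "source": " ".join(tok[3:idx - 1]),
        "category": tok[idx - 1],
        "event_id": int(tok[idx]),
        "user": " ".join(tok[idx + 1:-1]) or "N/A",
        "computer": tok[-1],
    }


def parse_rows(text):
    return [parse_row(line) for line in text.splitlines() if line.strip()]


def find_incidents(events, gap=timedelta(minutes=2)):
    """Group events at most `gap` apart and keep groups holding a Warning/Error.

    Returns a chronologically ordered list of dicts with the group's start and
    end time, the number of entries in it, and the non-Information entries as
    "Type Source EventID" strings, which is what a helper asks to be posted.
    """
    events = sorted(events, key=lambda e: e["time"])
    groups, current = [], []
    for e in events:
        if current and e["time"] - current[-1]["time"] > gap:
            groups.append(current)
            current = []
        current.append(e)
    if current:
        groups.append(current)

    incidents = []
    for g in groups:
        flags = sorted(f"{e['type']} {e['source']} {e['event_id']}"
                       for e in g if e["type"] != "Information")
        if flags:
            incidents.append({"start": g[0]["time"], "end": g[-1]["time"],
                              "events": len(g), "flags": flags})
    return incidents


def report(incidents):
    """Render incidents as plain text suitable for pasting into a reply."""
    lines = []
    for inc in incidents:
        lines.append(f"{inc['start']:%d/%m/%Y %H:%M:%S} - {inc['end']:%H:%M:%S}: "
                     f"{inc['events']} entries, flagged: {', '.join(inc['flags'])}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(find_incidents(parse_rows(EVENT_ROWS))))
```

Run it against a full export and the output is a short list of time windows, each with the Source and Event ID pairs a helper asks for, instead of hundreds of Information rows. Warnings that recur in every window (here Dhcp 1003 and Tcpip 4226) are the ones to read up on first.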

Re: Harware failure or spyware activation?

Unread postby John B. » September 28th, 2008, 11:34 am

Hi,

Two of your file associations seem to be wrong, so we will fix that with DAFT.
  • Double-click the daft.exe icon. Read the disclaimer and click OK.
  • Click on the Scan button.
  • Place a checkmark next to the following entries:
    • .reg
    • .scr
  • Click the Fix button.
  • Click on the Scan button again.
  • Save the logfile to your desktop, by default it will save as daft.txt.

It doesn't seem to have any influence on losing the internet connection accidents.

The reason why I asked for this is because in your first post you said that your computer is running slow in general. This is a very interesting page for cases like this:
viewtopic.php?f=4&t=34484

Regarding the loss of internet connection, I will try to explain what the errors mean:
The DHCP allocator has detected a DHCP server with IP address %1 on the same network as the interface with IP address %2. The allocator has disabled itself on the interface in order to avoid confusing DHCP clients.

Your router has a function which is called DHCP. This function makes it possible to just plug in a client (desktop or laptop) and have internet access straight away. A couple of things DHCP does for you are to give your client an internal IP address and to tell your client how to find your ISP. If you did not have DHCP you would have to set all those things manually (which can be difficult for people who do not have a lot of computer knowledge).

Now, the error states that for some reason a second DHCP server (router or something) has connected and now your normal router switches off its DHCP function to avoid confusing your computer with two things trying to set stuff up.

I hope this story is understandable for you.

Anyway, this seems to be a router problem as you have the problem at multiple clients. Please let me know the exact type of router you have. Also post the DAFT log.

Greets, John.
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands
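The explanation above turns on one fact: the ipnathlp 30005 event fires when something else on the LAN is also answering DHCP. A DHCP client cannot tell which answer is legitimate, because every DHCPOFFER carries its own server identifier (option 54) and the client simply takes the first one. The script below is an added example, not code from the thread or from Netgear: it builds a few minimal DHCPOFFER messages as constructed test input, parses the BOOTP header and the option area, and lists every server identifier that answered a given transaction, so that a second server shows up as an entry that is not the expected router. The router address 192.168.0.1 and the second server 192.168.0.99 are assumptions; the thread only shows the clients at 192.168.0.3 and 192.168.0.4.

```python
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of DHCP options (RFC 2131)
BOOTREPLY = 2
OPT_ROUTER, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 3, 53, 54, 255
DHCPOFFER = 2


def build_offer(xid, client_mac, your_ip, server_ip):
    """Build a minimal DHCPOFFER. Used here only to construct sample input."""
    fixed = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        BOOTREPLY, 1, 6, 0, xid, 0, 0,
        b"\0" * 4,                          # ciaddr
        IPv4Address(your_ip).packed,        # yiaddr: the address being offered
        IPv4Address(server_ip).packed,      # siaddr
        b"\0" * 4,                          # giaddr
        client_mac.ljust(16, b"\0"),        # chaddr
        b"\0" * 64, b"\0" * 128,            # sname, file
    )
    options = (
        bytes([OPT_MSG_TYPE, 1, DHCPOFFER])
        + bytes([OPT_SERVER_ID, 4]) + IPv4Address(server_ip).packed
        + bytes([OPT_ROUTER, 4]) + IPv4Address(server_ip).packed
        + bytes([OPT_END])
    )
    return fixed + MAGIC_COOKIE + options


def parse_dhcp(packet):
    """Parse the fixed header and the TLV option area of a DHCP message."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _htype, _hlen, _hops, xid = struct.unpack("!BBBBI", packet[:8])
    options, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == 0:                       # pad byte
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value
        i += 2 + length
    return {"op": op, "xid": xid,
            "yiaddr": str(IPv4Address(packet[16:20])), "options": options}


def offering_servers(packets, xid):
    """Server identifiers (option 54) of every DHCPOFFER answering transaction xid."""
    servers = set()
    for pkt in packets:
        msg = parse_dhcp(pkt)
        if msg["op"] != BOOTREPLY or msg["xid"] != xid:
            continue
        if msg["options"].get(OPT_MSG_TYPE) != bytes([DHCPOFFER]):
            continue
        sid = msg["options"].get(OPT_SERVER_ID)
        if sid is not None and len(sid) == 4:
            servers.add(str(IPv4Address(sid)))
    return servers


def unexpected_dhcp_servers(packets, xid, expected_server):
    """Offers from anything other than the one server that should exist on the LAN."""
    return sorted(offering_servers(packets, xid) - {expected_server})


# Constructed sample: one transaction answered by the router and by a second
# device, plus an unrelated transaction that must be ignored.
XID = 0x3903F326
MAC = bytes.fromhex("001122334455")
ROUTER = "192.168.0.1"                      # assumed router address
SAMPLE_OFFERS = [
    build_offer(XID, MAC, "192.168.0.4", ROUTER),
    build_offer(XID, MAC, "10.0.0.50", "192.168.0.99"),          # second server
    build_offer(0x11111111, MAC, "192.168.0.7", "192.168.0.99"),  # other xid
]

if __name__ == "__main__":
    print("DHCP servers answering:", sorted(offering_servers(SAMPLE_OFFERS, XID)))
    print("unexpected:", unexpected_dhcp_servers(SAMPLE_OFFERS, XID, ROUTER))
```

On a real network the packets would come from a capture of UDP port 68 on the affected client; the check is the same. More than one server identifier for a single transaction is the condition the Windows allocator reacts to with event 30005, and the remedy is to find and switch off the extra DHCP service (a second router, or Internet Connection Sharing left enabled on a PC) rather than to work around it on the clients.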

Re: Harware failure or spyware activation?

Unread postby BiperX » September 29th, 2008, 8:09 pm

Hi John,

The daft log seems OK, but still the internet connection is playing tricks with the laptop computer.

DAFT Log saved on 2008-09-30 00:18:30
-----------------------------------------------------------------------
All associations okay!

I have tried to play some video streams and the PC works great, but the laptop hangs up; it will download just a tiny part of the file and then it stops. My router is a Netgear DG834Gv2. The trouble is that with, I think, the same tests you asked me to do (I have done them on both machines), only the laptop now doesn't respond properly. Images, video or files are just being partly downloaded and then I can hardly do anything. I was using someone else's laptop for a while and it did not have any of the problems above in the same network.
I also set up the router to send the whole log to my email address so any causalities can be reported, so I could send you those in a while.
I also read the article you suggested and I think I have pretty much done everything in it trying to speed up my laptop.

When I look at the wireless network settings it looks as if the WINS Server is missing completely - is that what may cause the problem?

Many thanks

BiperX
BiperX
Active Member
 
Posts: 9
Joined: September 15th, 2008, 6:33 am

Re: Harware failure or spyware activation?

Unread postby John B. » September 30th, 2008, 1:26 pm

Please enable the WINS Server and let me know if you still have the same problems.
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

Re: Harware failure or spyware activation?

Unread postby BiperX » October 1st, 2008, 5:40 pm

Hi John,

I am sorry but I don't quite know how to do it. All internet settings are pretty much automatic, so I have no idea how I could do that.
Bit of advice please?

Thanks

BiperX
BiperX
Active Member
 
Posts: 9
Joined: September 15th, 2008, 6:33 am

Re: Harware failure or spyware activation?

Unread postby John B. » October 2nd, 2008, 2:42 am

Sorry, I thought you knew how to change the setting because you told me something about it.

On the internet I found a couple of things which could be a solution to your problem, but your setup is still a little bit unclear to me. Please tell me again which computer this is: A desktop or a laptop. And is this one using the wireless internet? The same questions for the other one(s). Only wireless connected computers lose their internet, right?

Also, are you using both a router and a modem to connect to the internet or just a router?
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

Re: Harware failure or spyware activation?

Unread postby BiperX » October 2nd, 2008, 5:10 pm

Hi

Sorry for not being more specific. The router I am using has a modem, switch and firewall installed, and at the moment I am using it to share the int. connection for the laptop wirelessly and for the PC via LAN. Those two devices are set up on the router so they have permanent local area IPs, so actually they don't request one from DHCP each time, or they do but the allocation will always be the same. At the moment the router's firewall doesn't have any rules applied to it, so only the software firewall (ZoneAlarm on both machines) filters incoming traffic.
Now just to clarify: the new PC which is connected to the same Netgear router at the moment is working great apart from situations where I need to download a file from the web, and then again some of the downloads are incomplete - and there is no rule at all - some files will download easily using either IE or Mozilla, others will get stuck at several KB and I am not able to download the whole file whatsoever - there was some improvement after you advised me to clear all the browser cache, but do I need to do that each time I want to download something?

The other computer - the laptop connected to the same router wirelessly (Toshiba A100, Intel Celeron 1.5GHz, 1.4GB RAM) - uses pretty much the same settings as the PC, but the performance in browsing the internet and downloading files is much worse than on the PC: websites don't load fully, downloading files is nearly impossible, and viewing video streams like YouTube is hardly pleasant - only a tiny part of the video will download and then the downloading process stops, not allowing any progress.

So to summarise - the router provides internet for 2 machines - and only 2, as for security reasons their MAC addresses are filtered by the router. Both have some problems with downloading, but the laptop is performing worse than the PC, and on both I have performed the same steps of checking against spyware as you wrote earlier. I never had any trouble with the router, but just in case I am sending the recent log:

Sun, 2002-09-08 13:00:39 - Initialize LCP.
Sun, 2002-09-08 13:05:30 - LCP is allowed to come up.
Sun, 2002-09-08 13:05:31 - CHAP authentication success
Sun, 2002-09-08 13:05:38 - Send out NTP request to time-g.netgear.com
Sat, 2008-09-27 10:22:32 - Receive NTP Reply from time-g.netgear.com
Sat, 2008-09-27 10:16:55 - Router start up
Sun, 2008-09-28 23:21:34 - Administrator login successful - IP:192.168.0.4
Mon, 2008-09-29 02:00:01 - unexpected reply: 530 5.7.0 Must issue a STARTTLS command first. f13sm2971421gvd.10
Tue, 2008-09-30 00:20:18 - Administrator login successful - IP:192.168.0.3
Tue, 2008-09-30 00:33:52 - Administrator login successful - IP:192.168.0.3
Tue, 2008-09-30 00:52:59 - Administrator login successful - IP:192.168.0.3
Tue, 2008-09-30 02:00:00 - unexpected reply: 530 5.7.0 Must issue a STARTTLS command first. t2sm1773674gve.9
Tue, 2008-09-30 08:22:32 - Send out NTP request to time-g.netgear.com
Tue, 2008-09-30 08:22:33 - Receive NTP Reply from time-g.netgear.com
Wed, 2008-10-01 00:03:44 - Administrator login successful - IP:192.168.0.4
Wed, 2008-10-01 01:00:01 - unexpected reply: 530 5.7.0 Must issue a STARTTLS command first. t12sm4909032gvd.4
Thu, 2008-10-02 01:00:00 - unexpected reply: 530 5.7.0 Must issue a STARTTLS command first. f13sm1330886gvd.10
Thu, 2008-10-02 21:24:20 - Administrator login successful - IP:192.168.0.4
Thu, 2008-10-02 22:00:01 - unexpected reply: 530 5.7.0 Must issue a STARTTLS command first. t2sm820776gve.9
Thu, 2008-10-02 22:08:17 - Administrator login successful - IP:192.168.0.4

Thanks again for watching and commitment

Regards

Dariusz
BiperX
Active Member
 
Posts: 9
Joined: September 15th, 2008, 6:33 am

Re: Harware failure or spyware activation?

Unread postby John B. » October 3rd, 2008, 4:12 pm

I am sorry I have not replied today. Friday is the busiest day in the week for me with no free time until now. Within 16 hours I will reply, after I have slept ;)
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

Re: Harware failure or spyware activation?

Unread postby John B. » October 4th, 2008, 5:38 am

Hi,

Mon, 2008-09-29 02:00:01 - unexpected reply: 530 5.7.0 Must issue a STARTTLS command first. f13sm2971421gvd.10

Have you set your router to send logs to your e-mail? This error is normally related to that.

A couple of questions:
  • When did this problem start? When you started using Netgear? Or after a firmware upgrade? After you installed any new hardware or software? Or just out of nothing?
  • Which firmware are you using?

Greets, John.
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands
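The router log posted two replies up is worth more than the one STARTTLS line John singles out: it also records every administrator login with its source address, and its timestamps show the clock being corrected after the first NTP reply, which means the entries dated 2002 are not trustworthy. The script below is an added example, not part of the thread or of any Netgear tooling. It parses the "Ddd, YYYY-MM-DD HH:MM:SS - message" lines as posted, counts the SMTP 530 failures (the reason the emailed log never arrived: the router's mailer speaks plain SMTP to a server that insists on STARTTLS), lists administrator logins from any address outside an allowlist, and reports timestamps that go backwards. The allowlist of 192.168.0.3 and 192.168.0.4 is assumed from the two hosts seen in the log, and the final log line with 192.168.0.77 is constructed so the allowlist check has something to flag.

```python
import re
from datetime import datetime

# Router log as pasted in the thread, plus one constructed line at the end
# (the 192.168.0.77 login is made up for the example).
ROUTER_LOG = """\
Sun, 2002-09-08 13:00:39 - Initialize LCP.
Sun, 2002-09-08 13:05:30 - LCP is allowed to come up.
Sun, 2002-09-08 13:05:31 - CHAP authentication success
Sun, 2002-09-08 13:05:38 - Send out NTP request to time-g.netgear.com
Sat, 2008-09-27 10:22:32 - Receive NTP Reply from time-g.netgear.com
Sat, 2008-09-27 10:16:55 - Router start up
Sun, 2008-09-28 23:21:34 - Administrator login successful - IP:192.168.0.4
Mon, 2008-09-29 02:00:01 - unexpected reply: 530 5.7.0 Must issue a STARTTLS command first. f13sm2971421gvd.10
Tue, 2008-09-30 00:20:18 - Administrator login successful - IP:192.168.0.3
Tue, 2008-09-30 00:33:52 - Administrator login successful - IP:192.168.0.3
Tue, 2008-09-30 00:52:59 - Administrator login successful - IP:192.168.0.3
Tue, 2008-09-30 02:00:00 - unexpected reply: 530 5.7.0 Must issue a STARTTLS command first. t2sm1773674gve.9
Tue, 2008-09-30 08:22:32 - Send out NTP request to time-g.netgear.com
Tue, 2008-09-30 08:22:33 - Receive NTP Reply from time-g.netgear.com
Wed, 2008-10-01 00:03:44 - Administrator login successful - IP:192.168.0.4
Wed, 2008-10-01 01:00:01 - unexpected reply: 530 5.7.0 Must issue a STARTTLS command first. t12sm4909032gvd.4
Thu, 2008-10-02 01:00:00 - unexpected reply: 530 5.7.0 Must issue a STARTTLS command first. f13sm1330886gvd.10
Thu, 2008-10-02 21:24:20 - Administrator login successful - IP:192.168.0.4
Thu, 2008-10-02 22:00:01 - unexpected reply: 530 5.7.0 Must issue a STARTTLS command first. t2sm820776gve.9
Thu, 2008-10-02 22:08:17 - Administrator login successful - IP:192.168.0.4
Thu, 2008-10-02 23:15:02 - Administrator login successful - IP:192.168.0.77
"""

LINE_RE = re.compile(r"^\w{3}, (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - (.*)$")
LOGIN_RE = re.compile(r"Administrator login successful - IP:(\S+)")


def parse_log(text):
    """Return (timestamp, message) tuples in the order the router wrote them."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                       # skip anything that is not a log line
        entries.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
                        m.group(2)))
    return entries


def analyse(entries, allowed_admin_ips):
    """Summarise the three things a defender checks first in a router log."""
    unknown_logins, smtp_failures, clock_jumps = [], 0, []
    prev = None
    for ts, msg in entries:
        login = LOGIN_RE.search(msg)
        if login and login.group(1) not in allowed_admin_ips:
            unknown_logins.append((ts.isoformat(sep=" "), login.group(1)))
        if "unexpected reply: 530" in msg:
            smtp_failures += 1             # log mailer rejected: STARTTLS required
        if prev is not None and ts < prev:
            # Time went backwards: the clock was adjusted (here by NTP), so
            # entries before this point carry unreliable timestamps.
            clock_jumps.append((prev.isoformat(sep=" "), ts.isoformat(sep=" ")))
        prev = ts
    return {"unknown_logins": unknown_logins,
            "smtp_failures": smtp_failures,
            "clock_jumps": clock_jumps}


if __name__ == "__main__":
    summary = analyse(parse_log(ROUTER_LOG), {"192.168.0.3", "192.168.0.4"})
    for key, value in summary.items():
        print(f"{key}: {value}")
```

The allowlist is what makes the login check meaningful on a MAC-filtered network like this one: the only addresses that should ever reach the admin page are the two known hosts, so any other source is worth a password change and a look at the wireless settings. The clock check is there so that the 2002 entries are not mistaken for a real event from six years earlier.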