Problems with BSOD UNKNOWN ERROR


This topic is locked. 16 replies to this topic.

#1 Guest_tdmorgan_* (Guest)

Posted 10 April 2010 - 10:55 AM

I have been having some BSOD problems and cannot track it down to specific software or hardware additions. It has recently been happening with Windows Updates!

I have run the GMER and HiJackThis. Can anyone help me?


ANY HELP IS APPRECIATED! Thank you in advance!

Here is my HiJackThis logfile.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:50:23 AM, on 4/10/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18904)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Windows\ehome\ehmsas.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Users\---\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\---\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\---\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\---\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\---\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\---\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\---\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\---\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\---\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\---\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\---\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\---\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\MiPony\MiPony.exe
C:\Users\---\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\---\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\---\Downloads\HijackThis.exe
C:\Users\---\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\---\AppData\Local\Google\Chrome\Application\chrome.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F3 - REG:win.ini: run=
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: MegaIEMn - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [00TCrdMain] C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: NDSTray.exe - Shortcut.lnk = C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download with Mipony - file://C:\Program Files\MiPony\Browser\IEContext.htm
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/resource/...s/wlscctrl2.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.10.115.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Amazon Download Agent - Amazon.com - C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: ConfigFree Service - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Update Service (gupdate1c985ea78cf41e0) (gupdate1c985ea78cf41e0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Jumpstart Wifi Protected Setup (jswpsapi) - Atheros Communications, Inc. - C:\Program Files\Jumpstart\jswpsapi.exe
O23 - Service: NPWLDGET - Sysinternals - www.sysinternals.com - C:\Users\---\AppData\Local\Temp\NPWLDGET.exe
O23 - Service: Online Armor Helper Service (OAcat) - Unknown owner - (no file)
O23 - Service: pinger - Unknown owner - C:\TOSHIBA\IVP\ISM\pinger.exe
O23 - Service: SiSoftware Deployment Agent Service (SandraAgentSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2010.SP1a\RpcAgentSrv.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: SCM_Service - Windows ® Codename Longhorn DDK provider - (no file)
O23 - Service: Sony SCSI Helper Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\Fsk\SonySCSIHelperService.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA SMART Log Service - TOSHIBA Corporation - C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 12365 bytes

I ran sfc /scannow, and the only thing that seems out of the ordinary is:

2010-04-10 13:52:36, Info CSI 000001a9 [SR] Cannot repair member file [l:24{12}]"settings.ini" of Microsoft-Windows-Sidebar, Version = 6.0.6002.18005, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch

I tried to run ComboFix, but it creates a BSOD

UPDATE:

I was able to run it. I was going to include a logfile, but the instructions say not to...

Here is the SMitFraudFix logfile:

SmitFraudFix v2.424

Scan done at 2:30:48.91, Sun 04/11/2010
Run from C:\Downloads\Software\SmitfraudFix
OS: Microsoft Windows [Version 6.0.6002] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Windows\system32\svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\UnHackMe\hackmon.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\ehome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\Explorer.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:


»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows


»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Users\---


»»»»»»»»»»»»»»»»»»»»»»»» C:\Users\---\AppData\Local\Temp


»»»»»»»»»»»»»»»»»»»»»»»» C:\Users\---\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\Users\---\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\PROGRA~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll C:\PROGRA~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll C:\Windows\System32\avgrsstx.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\Windows\system32\userinit.exe,"

»»»»»»»»»»»»»»»»»»»»»»»» RK

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""




»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: NETGEAR WG111 802.11g Wireless USB2.0 Adapter
DNS Server Search Order: 65.32.1.65
DNS Server Search Order: 4.2.2.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{070B2A59-6C27-471B-8FDE-0A21BC74161B}: DhcpNameServer=192.168.10.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{6396848B-96D9-41DE-A1CE-DB6A614CF3ED}: DhcpNameServer=65.32.1.65 4.2.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{B0848379-FEF9-4E26-B541-907C97D0BEC5}: DhcpNameServer=192.168.10.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{070B2A59-6C27-471B-8FDE-0A21BC74161B}: DhcpNameServer=192.168.10.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{6396848B-96D9-41DE-A1CE-DB6A614CF3ED}: DhcpNameServer=65.32.1.65 4.2.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{B0848379-FEF9-4E26-B541-907C97D0BEC5}: DhcpNameServer=192.168.10.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{070B2A59-6C27-471B-8FDE-0A21BC74161B}: DhcpNameServer=192.168.10.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{6396848B-96D9-41DE-A1CE-DB6A614CF3ED}: DhcpNameServer=65.32.1.65 4.2.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{B0848379-FEF9-4E26-B541-907C97D0BEC5}: DhcpNameServer=192.168.10.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=65.32.1.65 4.2.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=65.32.1.65 4.2.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=65.32.1.65 4.2.2.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

I ran Hot CPU Tester Pro. Here is the log:

There is one noted problem with the HD, but I have no clue what it means: File Exception error:All or part of the path is invalid:CPU 0: an unnamed file contains an invalid path.


UPDATE: The software needs to be run with administrator rights to check the HD. All was normal...



Hot CPU Tester Pro(Lite Edition) 4.4.1
Copyright © 1999-2003 7Byte Computers
Sunday, April 11, 2010 - 12:59:49
Diagnostic Report
---------------------------------------------
Test Started at: 03:53:56
Test Duration: 06:00:03
Physical Processors Available: 2
Logical Processors Available: 2
Multi-Processors System(SMP): Available
Hyper-Threading Technology: Not Available
CPU Name String: AMD Turion™ 64 X2 Mobile Technology TL-60
Speed: 1995MHz
Logical Processors Tested: CPU 0, CPU 1
Average CPU(s) Performance: 99.7%

Modules Results:
Complex Matrix: Finished without error
Calculating Pi: Finished without error
Sorting Algorithms:
Prime Test: Finished without error
Fast Fourier Transforms:
Chipset:
L1 Cache:
L2 Cache:
Memory: Finished without error
HD: File Exception error:All or part of the path is invalid:CPU 0: an unnamed file contains an invalid path.
MMX: Finished without error
SSE:
SSE2/SSE3:
3DNow!:

Here is the BSOD message:

UNEXPECTED_KERNEL_MODE_TRAP 0x1000007f 0x00000008 0x80156000 0x00000000 0x00000000 fltmgr.sys fltmgr.sys+11200 Microsoft Filesystem Filter Manager Microsoft® Windows® Operating System Microsoft Corporation 6.0.6000.16386 (vista_rtm.061101-2205) 32-bit C:\Windows\minidump\Mini040910-01.dmp 2 15 6002

Does anyone have any comments or suggestions?

EDIT: 7 posts merged and moved from AII. Please don't bump your topic. This will result in you having to wait longer to receive help ~BP

Edited by Budapest, 15 April 2010 - 12:10 AM.


#2 1972vet (Malware Response Team, 1,698 posts, Midwest U.S.A.)

Posted 15 April 2010 - 05:21 AM

Greetings tdmorgan and Welcome to the Forums,

I've claimed your logs (all of them), for review and will have some suggestions for you later on today. Please do nothing else with the computer until I have had a chance to review your issue in depth. Thanks for your patience!

Disabled Veteran, U.S.C.G. 1972 - 1978
mvpsigpic.jpg
2009 - 2013

Member: U.N.I.T.E.
Performance and Maintenance for Windows XP, Windows Vista and Windows Seven


#3 1972vet (Malware Response Team)

Posted 15 April 2010 - 09:46 AM

Your issue:
QUOTE
0x0000007F: UNEXPECTED_KERNEL_MODE_TRAP
One of three types of problems occurred in kernel-mode: (1) Hardware
failures. (2) Software problems. (3) A bound trap (i.e., a condition
that the kernel is not allowed to have or intercept). Hardware failures
are the most common cause (many dozen KB articles exist for this error
referencing specific hardware failures) and, of these, memory hardware
failures are the most common.


You can troubleshoot your hardware if you want to waste your time...here is a pretty good read.

Judging from your logs, your issue is software related...specifically, conflicting drivers. You've installed security application after security application on top of each other. Some look to have been uninstalled but left some drivers behind. With your system, Windows Defender is on board by default...so you need to remove the wrestling match that ensues from having all these as well:
SpybotSD TeaTimer
COMODO Internet Security
Microsoft Security Essentials
AVG


Microsoft Security Essentials is really very good and with Windows Defender, the two pretty well cover the bases for you as far as your real-time protection. If you choose to keep Spybot Search and Destroy installed to use the right-click menu as another on-demand scanner when needed, it's fine but you need to remove the TeaTimer feature's stranglehold on your registry.

As well, Microsoft Security Essentials is your antivirus real-time protection...and so is Comodo Internet Security which has the firewall engaged as well. The two antivirus scan engines will struggle for control over any offending file they find. This struggle will ultimately result in a system crash with potential loss of data. You should NEVER have more than one real-time scan engine engaged for a like product. In other words, one of each of these is fine, but no more than one of each of these running real-time protection:
Antivirus
AntiSpyware
AntiTrojan
Firewall


Additionally, Comodo does not disable the native firewall upon installation so you also have the Windows firewall engaged along with Comodo's firewall.

You can read more about the recommended security applications for home users Here.

After you've decided to remove all but one of those, run a manual update and perform a complete system scan. Post back THAT log along with the log that was produced when you ran combofix. Thanks!



#4 Guest_tdmorgan_* (Guest)

Posted 15 April 2010 - 10:08 AM

Thanks for the response.

I do not have AVG installed, so whatever you are seeing is an artifact from a past install. How do you recommend I fix it?

How do you control Spybot's "control" of the registry?

As far as Comodo, I will remove its real time protection.

Finally, regarding your request that I redo a system scan, which do you refer to?

#5 1972vet (Malware Response Team)

Posted 15 April 2010 - 12:42 PM

QUOTE
I do not have AVG installed...
Your log says otherwise:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\PROGRA~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll C:\PROGRA~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll C:\Windows\System32\avgrsstx.dll"
...the avgrsstx.dll is related to AVG's antivirus scan engine.


so whatever you are seeing is an artifact from a past install. How do you recommend I fix it?
We will remove it in time...patience my friend, we'll get there

How do you control Spybot's "control" of the registry?
Open Spybot-S&D. Go to the Mode menu, and make sure "Advanced Mode" is selected. On the left hand side, choose Tools -> Resident. Uncheck "Resident TeaTimer" and OK any prompts. Restart your computer.

As far as Comodo, I will remove its real time protection.
Ok, that would be good...but what about the Firewall's protection, not to mention its related behavioral protective feature...then there's the Windows firewall issue you have not addressed.

Finally, regarding your request that I redo a system scan, which do you refer to?

OK, what I said was:
"After you've decided to remove all but one of those, run a manual update and perform a complete system scan. Post back THAT log along with the log that was produced when you ran combofix. Thanks!"

In my previous instruction, the last item addressed in the quote above, I am referring to your multiple installations of antivirus/firewall programs. Once you've decided which ONE to keep, you are to run a manual update to that program and run a complete system scan. You then are requested to post back the results from THAT scan along with the scan log that combofix produced for you when you ran that on your own. Thanks!

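The two things 1972vet is reading out of the logs above (entries that still point at a component whose file is gone, and the AppInit_DLLs value that still loads avgrsstx.dll) are exactly what a first-pass triage of a HijackThis log should surface mechanically. The script below is an added example, not code from the thread or from HijackThis: it parses lines in the shape of the log posted above, lists every entry whose target is "(no file)", flags services or processes launched from a user Temp directory, and splits the AppInit_DLLs value into its unique DLL paths (the Google DLL is listed twice in the value above, which is why it deduplicates). The sample lines and the AppInit value are constructed copies of entries from this thread with the username redacted; the section codes, "(no file)" marker and " - " column separator are the real HijackThis conventions.

```python
import re
from dataclasses import dataclass

# Constructed sample: a few lines in the shape of the HijackThis log
# quoted in this thread (username redacted as ---).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O23 - Service: NPWLDGET - Sysinternals - www.sysinternals.com - C:\Users\---\AppData\Local\Temp\NPWLDGET.exe
O23 - Service: Online Armor Helper Service (OAcat) - Unknown owner - (no file)
O23 - Service: SCM_Service - Windows ® Codename Longhorn DDK provider - (no file)
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
"""

# Constructed copy of the AppInit_DLLs value shown in the SmitFraudFix output above.
SAMPLE_APPINIT = (r"C:\PROGRA~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll "
                  r"C:\PROGRA~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll "
                  r"C:\Windows\System32\avgrsstx.dll")

# "O23 - Service: ... - <vendor> - <path>"; the section code is a letter plus digits.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
# Anything launched from a per-user or system Temp directory deserves a look.
TEMP_RE = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)
NO_FILE = "(no file)"


@dataclass(frozen=True)
class Entry:
    section: str      # HijackThis section code, e.g. O2, O23
    description: str  # everything between the code and the final " - "
    target: str       # file path, or "(no file)" when the backing file is missing


def parse_entries(text):
    """Turn HijackThis lines into Entry records; non-entry lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        # The target is always the last " - "-separated column.
        desc, sep, target = body.rpartition(" - ")
        if not sep:  # entries with no target column, e.g. "O13 - Gopher Prefix:"
            desc, target = body, ""
        entries.append(Entry(m.group("section"), desc, target))
    return entries


def orphaned(entries):
    """Registrations (BHOs, buttons, protocols, services) whose file no longer exists."""
    return [e for e in entries if e.target == NO_FILE]


def launched_from_temp(entries):
    """Entries whose executable lives under a Temp directory."""
    return [e for e in entries if TEMP_RE.search(e.target)]


def parse_appinit(value):
    """AppInit_DLLs is a space- or comma-separated list; return it deduplicated, order kept."""
    seen, out = set(), []
    for dll in re.split(r"[\s,]+", value.strip()):
        key = dll.lower()
        if dll and key not in seen:
            seen.add(key)
            out.append(dll)
    return out


def triage(log_text, appinit_value):
    """Summarise the three checks as plain lists so the result is easy to post or assert on."""
    entries = parse_entries(log_text)
    return {
        "orphaned": [f"{e.section}: {e.description}" for e in orphaned(entries)],
        "temp_launch": [f"{e.section}: {e.target}" for e in launched_from_temp(entries)],
        "appinit_dlls": parse_appinit(appinit_value),
    }


if __name__ == "__main__":
    for heading, items in triage(SAMPLE_LOG, SAMPLE_APPINIT).items():
        print(heading)
        for item in items:
            print("   ", item)
```

On the sample the script reports five orphaned registrations, one service running out of the user's Temp folder, and two distinct AppInit DLLs (GoogleDesktopNetwork3.dll and avgrsstx.dll). An AppInit_DLLs entry is loaded into every process that links user32.dll, so a leftover DLL there from an uninstalled product is the kind of thing that survives the uninstaller and is worth confirming on disk before deciding it is an artifact.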


#6 Guest_tdmorgan_* (Guest)

Posted 15 April 2010 - 02:03 PM

Here is the ComboFix logfile: [removed]

Edited by tdmorgan, 16 April 2010 - 12:55 PM.


#7 1972vet (Malware Response Team)

Posted 15 April 2010 - 04:42 PM

I'm reviewing the cf log now. I'll post more instructions after you post the virus scan log I requested. Thanks!



#8 Guest_tdmorgan_* (Guest)

Posted 15 April 2010 - 09:12 PM

I ran MS Security Essentials, but I do not know where the logfile is stored. Nothing other than a false positive for Combofix was found...

Edited by tdmorgan, 16 April 2010 - 03:17 PM.


#9 1972vet (Malware Response Team)

Posted 16 April 2010 - 04:34 AM

Alright then, I'll take your word for it...When the Microsoft Security Essentials application scan completes, a summarized report window opens. Ideally, the report will show:
"Scan completed on 37216 items (or whatever)
No threats were detected on your computer during this scan"...
...but since all it found was combofix, then I'd say things went well...kind of.

There are indeed a couple of issues indicated in the combofix log you posted. First and foremost, it does show some problems. Secondly, it shows the utility you used is out of date and thirdly, it shows that this is not the first time you scanned with combofix. I'd also like to see the log from the first scan. It would be located in c:\Qoobox.

Please delete the version of combofix you have by just right-clicking on the combofix icon on your desktop and selecting "Delete". Download a fresh copy for the next step below:

Please uninstall uTorrent. Reboot when the uninstall completes.

Next, please open a blank Notepad by clicking start-->run
Then, in the run box type Notepad.exe and click "OK".
Copy the below text in Bold and paste it into the blank Notepad. Save it as CFScript.txt...Change the "Save as type" to All Files and save it to your desktop. Now drag the text document over to your Combofix.exe

Combofix will run again automatically. Please post back the new log that will be generated. Thanks!
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall



Killall::

File::
C:\HCT34D3.tmp
C:\HCT34C2.tmp
c:\windows\winstart.bat
C:\HCTB50D.tmp
c:\programdata\xmlED8D.tmp
c:\programdata\xmlE3FA.tmp
c:\programdata\xmlD1B1.tmp
c:\programdata\Google\Google Toolbar\Update\gtbA557.tmp.exe
c:\programdata\Google\Google Toolbar\Update\gtb930F.tmp.exe

DirLook::
C:\d936e2794721760b215d
c:\users\---\{ea639edb-698b-4d47-9379-16b55aa98237}

Folder::
c:\users\---\AppData\Roaming\uTorrent

Regnull::
[HKEY_USERS\S-1-5-21-2175489178-680292354-854438968-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{D1A3FADB-E68E-C6BB-EE6D-DF77DD3FA722}*]
[HKEY_USERS\S-1-5-21-2175489178-680292354-854438968-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6FC40E7F-A528-5C99-E91C-AAF089896F03}*]

Reglock::
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]



#10 Guest_tdmorgan_* (Guest)

Posted 16 April 2010 - 11:44 AM

For some reason there was no new ComboFix log created with the current run that you asked for. Should I run it again?

Edited by tdmorgan, 16 April 2010 - 03:17 PM.


#11 1972vet (Malware Response Team)

Posted 16 April 2010 - 01:00 PM

QUOTE
Additionally, FYI, the following files did not exist:

C:\HCT34D3.tmp
C:\HCT34C2.tmp
C:\HCTB50D.tmp
c:\programdata\xmlED8D.tmp
c:\programdata\xmlE3FA.tmp
c:\programdata\xmlD1B1.tmp
c:\programdata\Google\Google Toolbar\Update\gtbA557.tmp.exe
c:\programdata\Google\Google Toolbar\Update\gtb930F.tmp.exe

and c:\windows\winstart.bat was an empty file. I checked these before running the Combofix.

Could you let me know what the rest of the "kill" file means or what concerns you might be having?


Point 1) How can you say those files did not exist? Clearly, they do, as they appeared in the ComboFix log. As an example, a rootkit file hides from the Windows API, so you should learn not to trust your eyes.

Point 2) Winstart.bat is native to Windows 98 or ME and has no business on a Vista machine. Did you create that file? Did you place it where it was? Regardless of the fact that it showed YOU an empty file, the placement of it and the time of its arrival on your system are all suspect.

Point 3) I cannot divulge information regarding the intricate design of ComboFix, nor the processes performed based upon any one of the commands used for performing the surgery that I had intended. If I do that here, are you not aware that those who have authored some of the malicious programs that I (along with countless others) fight to remove will then have usable data that will return to bite all of us in the backside?

If you would send sUBs a PM, I am certain, absolutely certain without a doubt, that he would tell you the same.

I am rethinking our troubleshooting strategy, since the effort I have made so far has been met with resistance. If you do not allow the script I write to do what was intended, but edit it to suit your own purpose, then why would you think this endeavor should be successful? I certainly don't.

As for the log, did you look in the Qoobox for the first log? If you had, you not only would have found it there, you would also have found the log from the cfscript scan. Now, please post both of them. Thanks!

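A concrete way to settle the "did these files exist?" question raised in Point 1 and Point 2 above, added here as an example and not part of the original thread or of ComboFix: Windows Explorer and a plain "dir" omit files carrying the Hidden or System attribute, so a file that is absent from a folder view can still be present on disk. The PowerShell below (assumed to be run from an elevated prompt on the affected machine; the path list is copied from the File:: and DirLook:: entries of the CFScript posted above, with the elided user-profile path left out) looks each path up with -Force, which includes hidden and system entries, and reports attributes, size, creation and modification times and a SHA-256 hash. It is read-only and changes nothing on disk.

```powershell
# Added example, not part of the original thread or of ComboFix.
# Checks the paths named under File:: and DirLook:: in the CFScript above.
# -Force makes Get-Item/Get-ChildItem return Hidden and System entries,
# which Explorer and a plain "dir" (without /a) silently skip.
# Read-only: nothing is deleted, moved or modified. Run elevated.

$files = @(
    'C:\HCT34D3.tmp',
    'C:\HCT34C2.tmp',
    'C:\Windows\winstart.bat',
    'C:\HCTB50D.tmp',
    'C:\ProgramData\xmlED8D.tmp',
    'C:\ProgramData\xmlE3FA.tmp',
    'C:\ProgramData\xmlD1B1.tmp',
    'C:\ProgramData\Google\Google Toolbar\Update\gtbA557.tmp.exe',
    'C:\ProgramData\Google\Google Toolbar\Update\gtb930F.tmp.exe'
)

# Only the root-level DirLook:: folder; the user-profile one is elided in
# the thread ("---") and is intentionally not guessed here.
$dirs = @('C:\d936e2794721760b215d')

# Get-FileHash exists from PowerShell 4.0 on; older hosts get 'n/a'.
$canHash = $null -ne (Get-Command Get-FileHash -ErrorAction SilentlyContinue)

$report = foreach ($p in $files) {
    # -LiteralPath: no wildcard expansion on names containing [ ] etc.
    $item = Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        [pscustomobject]@{
            Path = $p; State = 'not found via Win32 API'; Attributes = ''
            Bytes = ''; Created = ''; Modified = ''; SHA256 = ''
        }
        continue
    }
    $hash = 'n/a'
    if ($canHash -and $item.Length -gt 0) {
        $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
    }
    [pscustomobject]@{
        Path       = $p
        State      = 'present'
        Attributes = $item.Attributes     # e.g. "Hidden, System, Archive"
        Bytes      = $item.Length         # winstart.bat was reported as empty
        Created    = $item.CreationTime   # when the file arrived on the box
        Modified   = $item.LastWriteTime
        SHA256     = $hash
    }
}

$report | Format-Table -AutoSize

# Recursive listing of the DirLook:: folder, hidden/system entries included.
foreach ($d in $dirs) {
    Write-Output "`n== $d =="
    if (-not (Test-Path -LiteralPath $d)) { Write-Output '  not found'; continue }
    Get-ChildItem -LiteralPath $d -Force -Recurse -ErrorAction SilentlyContinue |
        Select-Object FullName, Attributes, Length, CreationTime, LastWriteTime |
        Format-Table -AutoSize
}
```

Two caveats. First, "not found via Win32 API" is exactly that: the script asks the same file-system API that Explorer does, so a kernel-mode rootkit that filters directory enumeration can hide a file from -Force as well, which is the point the reply above makes about not trusting your eyes; treat a disagreement between this listing and what GMER or ComboFix reported as a finding, not as proof that the tool was wrong. Second, for a zero-byte file such as the winstart.bat described above, the contents tell you nothing, but the Created timestamp and the attributes still do: compare the creation time against the dates of the blue screens and the Windows Updates mentioned in the thread.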


#12 Guest_tdmorgan_*

  • Guests
  • OFFLINE

Posted 16 April 2010 - 01:06 PM

I am uncertain what you are saying, as I indicated that I ran your script, but ComboFix did not create a log file after running. I did not edit your script, but simply looked to see what the files were that you had indicated. As for the winstart.bat, I have no clue where that came from.

As far as your comments regarding why you can't divulge the workings of ComboFix, I certainly understand that people could use that information for nefarious purposes...

I am trying to follow your directions, and am unsure where you feel there is resistance. I am sorry if you feel that way, and appreciate your help.

By the way, the ComboFix script from the new scan does exist in the folder on the C: drive, just no log. Here is the script:

Edited by tdmorgan, 16 April 2010 - 03:16 PM.


#13 1972vet

  • Malware Response Team
  • 1,698 posts
  • OFFLINE
  • Gender:Male
  • Location:Midwest U.S.A.

Posted 16 April 2010 - 02:37 PM

QUOTE
I am uncertain what you are saying, as I indicated that I ran your script, but ComboFix did not create a log file after running.

Sorry, but I simply cannot just take your word for it AND continue any sort of cleanup/troubleshooting issue with you regarding the use of ComboFix. Certainly you understand how this troubles me. You are able to find both ComboFix logs from the two times you ran ComboFix on your own, but are not able to post the log produced from the scan resulting from the cfscript. Your claim that it failed to produce a log does not reconcile with the fact that you uploaded the "cfscript used" text file that CF translates from the cfscript. This does not happen unless it generates a log. We can certainly continue with troubleshooting if you are still having blue screen issues; we will just not be able to carry on using ComboFix...at least not under my guidance.

Are you still having blue screen issues?



#14 Guest_tdmorgan_*

  • Guests
  • OFFLINE

Posted 16 April 2010 - 03:15 PM

OK. You can choose not to believe me, and if you think I have some underhanded motivation for not sharing the logfile, then OK. But you might want to give my statement some credence, because I am being forthright with you. I do not understand how it troubles you to take my word for it, since I do not understand how you must have been "burned" in the past by people saying that a log was not created when in fact it had been.

I asked if you wanted me to redo the ComboFix again, but I presume you do not.

I have not had a BSOD for a couple of days, but that is not to say that whatever is causing it has been resolved.

I will trust that you are just having a bad day, and I want to say thank you again for your time. It really has been appreciated.

I guess if you do not want to work with this further, then this can be closed.

#15 1972vet

  • Malware Response Team
  • 1,698 posts
  • OFFLINE
  • Gender:Male
  • Location:Midwest U.S.A.

Posted 16 April 2010 - 03:47 PM

Uhmmm, again, and to simplify, what I said was:
"Sorry but I simply cannot...continue any sort of cleanup/troubleshooting issue with you regarding the use of combofix...We can certainly continue with troubleshooting if you are still having blue screen issues, we will just not be able to carry on using combofix...at least not under my guidance."

If you are still having issues please detail for me what they are and we will try to work it out together...just not with the use of combofix.

Your logs never did indicate to me that it was necessary to use ComboFix to begin with. Since you indicated that you had already used it, I simply asked to see the log. From those logs, I saw that there were still things that needed to be removed, and ComboFix would certainly remove whatever you ask it to remove. There are other tools we can use to finish up with this troubleshooting issue regarding your blue screen stop messages.

Sorry if you felt I had some reason to believe your motive for posting as you have is somehow underhanded. I stated what facts I have at my disposal. If my facts are incorrect, then it is me who is in error.

