Author Topic: Computer Crashing?  (Read 23235 times)


Offline deew

  • Full Member
  • ***
  • Posts: 50
    • View Profile
Re: Computer Crashing?
« Reply #15 on: March 05, 2011, 08:20:37 PM »
That was a new adventure!  Here is the ComboFix log.  It will be about an hour from now before I can get the HijackThis log done, and then I will post it, too.

~~~

ComboFix 11-03-05.01 - hdw4 03/05/2011  15:56:31.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2558.2129 [GMT -6:00]
Running from: c:\documents and settings\hdw4\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Desktop\Scanner.lnk
c:\documents and settings\hdw4\Application Data\facemoods.com
c:\program files\Search Toolbar
c:\program files\Search Toolbar\icon.ico
c:\program files\Search Toolbar\SearchToolbar.dll
c:\program files\Search Toolbar\SearchToolbarUninstall.exe
c:\program files\Search Toolbar\SearchToolbarUpdater.exe
c:\windows\system32\twain.dll
c:\windows\system32\twunk_32.exe
.
.
(((((((((((((((((((((((((   Files Created from 2011-02-05 to 2011-03-05  )))))))))))))))))))))))))))))))
.
.
2011-03-04 21:13 . 2011-03-04 21:14   --------   d-----w-   C:\rsit
2011-03-02 23:10 . 2011-02-23 14:54   19544   ----a-w-   c:\windows\system32\drivers\aswFsBlk.sys
2011-03-02 23:10 . 2011-02-23 14:56   301528   ----a-w-   c:\windows\system32\drivers\aswSP.sys
2011-03-02 23:10 . 2011-02-23 14:55   49240   ----a-w-   c:\windows\system32\drivers\aswTdi.sys
2011-03-02 23:10 . 2011-02-23 14:55   25432   ----a-w-   c:\windows\system32\drivers\aswRdr.sys
2011-03-02 23:10 . 2011-02-23 14:56   371544   ----a-w-   c:\windows\system32\drivers\aswSnx.sys
2011-03-02 23:10 . 2011-02-23 14:55   102232   ----a-w-   c:\windows\system32\drivers\aswmon2.sys
2011-03-02 23:10 . 2011-02-23 14:55   96344   ----a-w-   c:\windows\system32\drivers\aswmon.sys
2011-03-02 23:10 . 2011-02-23 14:54   30680   ----a-w-   c:\windows\system32\drivers\aavmker4.sys
2011-03-02 23:10 . 2011-02-23 15:04   40648   ----a-w-   c:\windows\avastSS.scr
2011-03-02 23:10 . 2011-02-23 15:04   190016   ----a-w-   c:\windows\system32\aswBoot.exe
2011-03-02 23:09 . 2011-03-02 23:09   --------   d-----w-   c:\program files\AVAST Software
2011-03-02 23:09 . 2011-03-02 23:09   --------   d-----w-   c:\documents and settings\All Users\Application Data\AVAST Software
2011-02-28 18:41 . 2011-02-28 18:41   --------   d-----w-   c:\windows\system32\wbem\Repository
2011-02-11 17:43 . 2009-12-14 07:08   33280   ----a-w-   c:\windows\system32\csrsrv.dll
2011-02-11 17:43 . 2010-04-27 13:59   2146304   ----a-w-   c:\windows\system32\ntoskrnl.exe
2011-02-11 17:43 . 2010-04-27 13:05   2024448   ----a-w-   c:\windows\system32\ntkrnlpa.exe
2011-02-11 17:43 . 2009-02-09 12:10   714752   ----a-w-   c:\windows\system32\ntdll.dll
2011-02-11 17:43 . 2009-06-25 08:25   730112   ----a-w-   c:\windows\system32\lsasrv.dll
2011-02-06 03:18 . 2011-02-06 03:18   --------   d-----w-   C:\output
2011-02-05 18:54 . 2011-02-05 19:41   --------   d-----w-   c:\documents and settings\hdw4\Application Data\PhotoScape
2011-02-05 18:53 . 2011-02-05 18:53   --------   d-----w-   c:\program files\PhotoScape
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-07 14:09 . 2004-08-19 20:49   290048   ----a-w-   c:\windows\system32\atmfd(2).dll
2010-12-21 00:09 . 2009-08-09 20:51   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-21 00:08 . 2009-08-09 20:51   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-12-20 22:15 . 2004-08-19 20:49   667136   ----a-w-   c:\windows\system32\wininet(3).dll
2010-12-20 22:15 . 2004-08-19 20:49   629760   ----a-w-   c:\windows\system32\urlmon(3).dll
2010-12-20 22:15 . 2004-08-19 20:49   1025024   ----a-w-   c:\windows\system32\browseui(2).dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-02-23 15:04   122512   ----a-w-   c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 339968]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-09-06 26112]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"ISUSPM Startup"="c:\progra~1\common~1\instal~1\update~1\isuspm.exe" [2004-07-27 221184]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-11 689488]
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2004-09-14 131072]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-11-13 981904]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"CarboniteSetupLite"="c:\program files\Carbonite\CarbonitePreinstaller.exe" [2010-11-21 283792]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-02-23 3451496]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-06-03 19:58   356352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Pagis Schedule Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Pagis Schedule Monitor.lnk
backup=c:\windows\pss\Pagis Schedule Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^hdw4^Start Menu^Programs^Startup^reminder-ScanSoft Product Registration.lnk]
path=c:\documents and settings\hdw4\Start Menu\Programs\Startup\reminder-ScanSoft Product Registration.lnk
backup=c:\windows\pss\reminder-ScanSoft Product Registration.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2004-12-06 06:05   127035   ----a-w-   c:\windows\system32\dla\tfswctrl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-02-23 21:19   53248   ------w-   c:\program files\CyberLink\PowerDVD\DVDLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
2004-09-14 13:50   53248   ----a-w-   c:\program files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
2004-09-14 13:50   131072   ----a-w-   c:\program files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QBReminderFlash]
2004-11-11 15:26   26112   ----a-w-   c:\program files\Intuit\QuickBooks 2005\Atom\QBReminder.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2005-09-06 12:12   98304   ----a-w-   c:\program files\QuickTime\qttask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [3/2/2011 5:10 PM 371544]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [3/2/2011 5:10 PM 301528]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [5/28/2008 9:33 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/28/2008 9:33 AM 55024]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/2/2011 5:10 PM 19544]
R3 atinewp2;ATI eHomeWonder, WDM Video CODEC;c:\windows\system32\drivers\atinewp2.sys [9/6/2005 5:39 AM 485888]
S1 VFILT;Outpost Firewall Kernel Driver;\??\e:\program files\Agnitum\Outpost Firewall 1.0\kernel\2000\FILTNT.SYS --> e:\program files\Agnitum\Outpost Firewall 1.0\kernel\2000\FILTNT.SYS [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/14/2009 4:16 PM 133104]
S3 ADBLOCK.DLL;Outpost Firewall PlugIn (ADBLOCK.DLL);\??\e:\program files\Agnitum\Outpost Firewall 1.0\kernel\ADBLOCK.DLL --> e:\program files\Agnitum\Outpost Firewall 1.0\kernel\ADBLOCK.DLL [?]
S3 CONTENT.DLL;Outpost Firewall PlugIn (CONTENT.DLL);\??\e:\program files\Agnitum\Outpost Firewall 1.0\kernel\CONTENT.DLL --> e:\program files\Agnitum\Outpost Firewall 1.0\kernel\CONTENT.DLL [?]
S3 DNSCACHE.DLL;Outpost Firewall PlugIn (DNSCACHE.DLL);\??\e:\program files\Agnitum\Outpost Firewall 1.0\kernel\DNSCACHE.DLL --> e:\program files\Agnitum\Outpost Firewall 1.0\kernel\DNSCACHE.DLL [?]
S3 FTPFILT.DLL;Outpost Firewall PlugIn (FTPFILT.DLL);\??\e:\program files\Agnitum\Outpost Firewall 1.0\kernel\FTPFILT.DLL --> e:\program files\Agnitum\Outpost Firewall 1.0\kernel\FTPFILT.DLL [?]
S3 HTMLFILT.DLL;Outpost Firewall PlugIn (HTMLFILT.DLL);\??\e:\program files\Agnitum\Outpost Firewall 1.0\kernel\HTMLFILT.DLL --> e:\program files\Agnitum\Outpost Firewall 1.0\kernel\HTMLFILT.DLL [?]
S3 HTTPFILT.DLL;Outpost Firewall PlugIn (HTTPFILT.DLL);\??\e:\program files\Agnitum\Outpost Firewall 1.0\kernel\HTTPFILT.DLL --> e:\program files\Agnitum\Outpost Firewall 1.0\kernel\HTTPFILT.DLL [?]
S3 IMAPFILT.DLL;Outpost Firewall PlugIn (IMAPFILT.DLL);\??\e:\program files\Agnitum\Outpost Firewall 1.0\kernel\IMAPFILT.DLL --> e:\program files\Agnitum\Outpost Firewall 1.0\kernel\IMAPFILT.DLL [?]
S3 MAILFILT.DLL;Outpost Firewall PlugIn (MAILFILT.DLL);\??\e:\program files\Agnitum\Outpost Firewall 1.0\kernel\MAILFILT.DLL --> e:\program files\Agnitum\Outpost Firewall 1.0\kernel\MAILFILT.DLL [?]
S3 NNTPFILT.DLL;Outpost Firewall PlugIn (NNTPFILT.DLL);\??\e:\program files\Agnitum\Outpost Firewall 1.0\kernel\NNTPFILT.DLL --> e:\program files\Agnitum\Outpost Firewall 1.0\kernel\NNTPFILT.DLL [?]
S3 pmxscan;PrimaScan USB Kernel;c:\windows\system32\drivers\usbscan.sys [9/8/2005 3:12 PM 15104]
S3 POP3FILT.DLL;Outpost Firewall PlugIn (POP3FILT.DLL);\??\e:\program files\Agnitum\Outpost Firewall 1.0\kernel\POP3FILT.DLL --> e:\program files\Agnitum\Outpost Firewall 1.0\kernel\POP3FILT.DLL [?]
S3 PROTECT.DLL;Outpost Firewall PlugIn (PROTECT.DLL);\??\e:\program files\Agnitum\Outpost Firewall 1.0\kernel\PROTECT.DLL --> e:\program files\Agnitum\Outpost Firewall 1.0\kernel\PROTECT.DLL [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/28/2008 9:33 AM 7408]
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-05 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-09-14 22:10]
.
2011-03-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-14 22:15]
.
2011-03-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-14 22:15]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://start.facemoods.com/?a=stonicus
mWindow Title = ShreveNet, Inc.
FF - ProfilePath - c:\documents and settings\hdw4\Application Data\Mozilla\Firefox\Profiles\dmrnd1rn.default\
FF - prefs.js: browser.startup.homepage - hxxp://local.msn.com/weather.aspx?q=ben%20lomond-ar&zip=71823&eid=153985903
FF - prefs.js: keyword.URL - hxxp://start.facemoods.com/results.php?f=5&a=stonicus&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Add-Art: development@add-art.org - %profile%\extensions\development@add-art.org
FF - Ext: Facemoods: ffxtlbr@Facemoods.com - %profile%\extensions\ffxtlbr@Facemoods.com
FF - Ext: Read It Later: isreaditlater@ideashower.com - %profile%\extensions\isreaditlater@ideashower.com
FF - Ext: QuickDrag: quickdrag@mozilla.ktechcomputing.com - %profile%\extensions\quickdrag@mozilla.ktechcomputing.com
FF - Ext: Search Toolbar: searchtoolbar@zugo.com - %profile%\extensions\searchtoolbar@zugo.com
FF - Ext: Tab Popup: tabpopup@adarsh.tp - %profile%\extensions\tabpopup@adarsh.tp
FF - Ext: Screengrab: {02450954-cdd9-410f-b1da-db804e18c671} - %profile%\extensions\{02450954-cdd9-410f-b1da-db804e18c671}
FF - Ext: ColorfulTabs: {0545b830-f0aa-4d7e-8820-50a4629a56fe} - %profile%\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}
FF - Ext: Flashblock: {3d7eb24f-2740-49df-8937-200b1cc08f8a} - %profile%\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
FF - Ext: IE View: {6e84150a-d526-41f1-a480-a67d3fed910d} - %profile%\extensions\{6e84150a-d526-41f1-a480-a67d3fed910d}
FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
FF - Ext: Answers: {C0D0F6D1-9FC9-4b0a-B485-D5E13AF40D51} - %profile%\extensions\{C0D0F6D1-9FC9-4b0a-B485-D5E13AF40D51}
FF - Ext: FlipClock: {cdd09450-7280-11de-8a39-0800200c9a66} - %profile%\extensions\{cdd09450-7280-11de-8a39-0800200c9a66}
FF - Ext: CoolPreviews                   : {CE6E6E3B-84DD-4cac-9F63-8D2AE4F30A4B} - %profile%\extensions\{CE6E6E3B-84DD-4cac-9F63-8D2AE4F30A4B}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Foxit Toolbar: {E9A1DEE0-C623-4439-8932-001E7D17607D} - %profile%\extensions\{E9A1DEE0-C623-4439-8932-001E7D17607D}
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\AVAST Software\Avast\WebRep\FF
 
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{3041D03E-FD4B-44E0-B742-2D9B88305F98} - c:\program files\AskBarDis\bar\bin\askBar.dll
MSConfigStartUp-Outpost Firewall - e:\program files\Agnitum\Outpost Firewall 1.0\outpost.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
AddRemove-Foxit Reader - c:\program files\Foxit Software\Foxit Reader\Uninstall.exe
AddRemove-HijackThis - c:\documents and settings\hdw4\My Documents\Misc\DL's\2010 dl's\HijackThis.exe
AddRemove-Search Toolbar - c:\program files\Search Toolbar\SearchToolbarUninstall.exe
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-05 16:05
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(732)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
Completion time: 2011-03-05  16:11:11
ComboFix-quarantined-files.txt  2011-03-05 22:11
.
Pre-Run: 47,415,476,224 bytes free
Post-Run: 47,506,694,144 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 8A6978610516AED91E2E1D6FF87FF1FB

Offline deew

Re: Computer Crashing?
« Reply #16 on: March 05, 2011, 08:52:19 PM »
I got to this sooner than I thought.  Here's the HijackThis log.

~~~

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:49:38 PM, on 3/5/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Works\WksWP.exe
C:\Program Files\Microsoft Works\MSWorks.exe
C:\Program Files\Microsoft Works\wkgdcach.exe
C:\Program Files\Microsoft Works\WksWP.exe
C:\Program Files\Microsoft Works\WksWP.exe
C:\Program Files\Microsoft Works\WksWP.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Program Files\Trend Micro\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.facemoods.com/?a=stonicus
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [CarboniteSetupLite] "C:\Program Files\Carbonite\CarbonitePreinstaller.exe" /preinstalled /showonfirst /reshowat=1800
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Inkjet Printer/Scanner Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Unknown owner - E:\Program Files\Agnitum\Outpost Firewall 1.0\outpost.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5872 bytes

Online Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 20212
  • "Stronger than the past, united in our goal."
    • View Profile
    • Security Garden
Re: Computer Crashing?
« Reply #17 on: March 05, 2011, 08:59:57 PM »
Great job, deew!

I need to spend some time looking at the logs.  It has been a long day and I'm not certain if I will finish tonight.  I'll bet your computer is already working better though. 

BTW, are you on dial-up? 


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Offline deew

Re: Computer Crashing?
« Reply #18 on: March 05, 2011, 09:16:42 PM »
I do notice that things are moving faster already.  I am on DSL.

Online Corrine

Re: Computer Crashing?
« Reply #19 on: March 05, 2011, 11:30:31 PM »
Hi, deew.

I found information that the kernel driver from the old version of OutpostFirewall that appears to be what is leftover on your computer was a source of BSODs.  Since that "service" was active, it is indeed possible that it interfered with the Windows Update process.  That said, please don't test installing updates just yet.  I will have additional advice in that regard later on.  Although most likely unnecessary, I've added an extra entry in the ComboFix script to specifically ensure that file is removed from your computer!

Custom CFScript

Note: The following instructions were created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


  • Please open Notepad (Click Start -> Run -> type notepad in the Open field -> OK).  Copy/Paste all of the text present inside the code box below (note the scroll bar and be careful to copy the complete script):
Code:
File::
e:\program files\Agnitum\Outpost Firewall 1.0\kernel\2000\FILTNT.SYS

Driver::
FILTNT

Folder::
e:\program files\Agnitum
C:\Program Files\Grisoft\AVG Free

Firefox::
FF - ProfilePath - c:\documents and settings\hdw4\Application Data\Mozilla\Firefox\Profiles\dmrnd1rn.default\
FF - Ext: Facemoods: ffxtlbr@Facemoods.com -
FF - Ext: Search Toolbar: searchtoolbar@zugo.com -
FF - prefs.js: keyword.URL - hxxp://start.facemoods.com/results.php?f=5&a=stonicus&q=-
FF - Ext: Foxit Toolbar: {E9A1DEE0-C623-4439-8932-001E7D17607D} -

Registry::
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter -
  • Save this as CFScript.txt and place it on your desktop.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.




  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


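The diagnosis in the reply above rests on spotting a registered driver whose image file is gone: ComboFix prints such entries with a trailing "[?]" in its service list (the S1 VFILT line in the first log), and HijackThis marks the matching O23 line with "(file missing)". The Python script below is an added example, not part of this thread and not code from either tool: it parses those two line formats and lists every service or driver whose file no longer exists. The sample lines are copied from the logs posted earlier in the thread; the regular expressions and the start-type mapping are my reading of the log formats, not documentation from the tools' authors.

```python
"""Flag service/driver entries whose image file is missing, from ComboFix and
HijackThis log lines.  Added example; the sample lines are copied from the
logs posted in this thread."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# ComboFix service line (my reading of the format):
#   "<R|S><start type> <name>;<display name>;<image path> [<date> <size>]"
# R = running, S = stopped; the digit is the Windows start type.
# When the image file is absent ComboFix prints "<raw path> --> <resolved path> [?]".
COMBOFIX_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.+)$"
)

# HijackThis O23 line (my reading of the format):
#   "O23 - Service: <display> (<name>) - <company> - <path>[ (file missing)]"
# The "(<name>)" part is omitted when the service name equals the display name.
HJT_O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^()]+)\))? - "
    r"(?P<company>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)

# Windows service start values (assumed mapping for the ComboFix digit)
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}

# Constructed sample: lines copied from the ComboFix and HijackThis logs in this thread
SAMPLE_LOG = r"""
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [3/2/2011 5:10 PM 371544]
S1 VFILT;Outpost Firewall Kernel Driver;\??\e:\program files\Agnitum\Outpost Firewall 1.0\kernel\2000\FILTNT.SYS --> e:\program files\Agnitum\Outpost Firewall 1.0\kernel\2000\FILTNT.SYS [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/14/2009 4:16 PM 133104]
S3 ADBLOCK.DLL;Outpost Firewall PlugIn (ADBLOCK.DLL);\??\e:\program files\Agnitum\Outpost Firewall 1.0\kernel\ADBLOCK.DLL --> e:\program files\Agnitum\Outpost Firewall 1.0\kernel\ADBLOCK.DLL [?]
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Unknown owner - E:\Program Files\Agnitum\Outpost Firewall 1.0\outpost.exe (file missing)
"""
SAMPLE_LINES = SAMPLE_LOG.strip().splitlines()


@dataclass
class ServiceEntry:
    source: str              # "combofix" or "hijackthis"
    name: str                # service/driver key name
    display: str             # display name shown by the tool
    path: str                # resolved image path as printed in the log
    running: Optional[bool]  # only ComboFix reports run state
    start_type: Optional[str]
    file_missing: bool


def parse_combofix(line: str) -> Optional[ServiceEntry]:
    """Parse one ComboFix R*/S* service line; return None for anything else."""
    m = COMBOFIX_RE.match(line.strip())
    if not m:
        return None
    image = m.group("image")
    missing = image.endswith("[?]")
    # Keep the resolved path and drop the trailing "[date size]" or "[?]" marker.
    path = image.split(" --> ")[-1].rsplit(" [", 1)[0]
    return ServiceEntry("combofix", m.group("name"), m.group("display"), path,
                        m.group("state") == "R", START_TYPES.get(m.group("start")), missing)


def parse_hjt(line: str) -> Optional[ServiceEntry]:
    """Parse one HijackThis O23 service line; return None for anything else."""
    m = HJT_O23_RE.match(line.strip())
    if not m:
        return None
    name = m.group("name") or m.group("display")
    return ServiceEntry("hijackthis", name, m.group("display"), m.group("path"),
                        None, None, m.group("missing") is not None)


def parse_lines(lines: Iterable[str]) -> List[ServiceEntry]:
    """Parse every recognised service line from a mixed log, skipping the rest."""
    entries = []
    for line in lines:
        entry = parse_combofix(line) or parse_hjt(line)
        if entry:
            entries.append(entry)
    return entries


def find_orphaned_services(lines: Iterable[str]) -> List[ServiceEntry]:
    """Entries still registered as a service or driver whose image file is gone."""
    return [e for e in parse_lines(lines) if e.file_missing]


if __name__ == "__main__":
    for e in find_orphaned_services(SAMPLE_LINES):
        state = "running" if e.running else "stopped" if e.running is False else "n/a"
        print(f"{e.source:10} {e.name:16} {state:8} {e.start_type or '-':8} {e.path}")
```

An entry that is registered but points at a missing file, as with FILTNT.SYS here, is what the CFScript's Driver:: section removes; a stopped kernel driver on a drive that no longer exists is also a normal thing to see after an uninstall that failed to clean its registry keys, so the path and start type are worth checking before deciding an entry is anything more than leftovers.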

Offline deew

Re: Computer Crashing?
« Reply #20 on: March 06, 2011, 03:13:15 AM »
Got a problem.  CFScript.txt won't drop into ComboFix.exe on my Desktop.  It just sits on top of it.  Any other way to merge them?

Online Corrine

Re: Computer Crashing?
« Reply #21 on: March 06, 2011, 01:30:53 PM »
Hi, deew.

Please try this after again disabling your security programs.  Make sure that both ComboFix.exe and CFscript.txt are on your desktop:

Click Start > Run or press Windows Key + R.  Copy/paste the following into the run box that opens and press OK:

ComboFix "C:\Documents and Settings\User\Desktop\CFscript.txt"



Offline deew

Re: Computer Crashing?
« Reply #22 on: March 06, 2011, 06:47:19 PM »
Hey, Corrine.

Here's the latest ComboFix report.

~~~

ComboFix 11-03-05.01 - hdw4 03/06/2011  14:20:29.2.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2558.1990 [GMT -6:00]
Running from: c:\documents and settings\hdw4\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFscript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\userinit.exe
.
.
(((((((((((((((((((((((((   Files Created from 2011-02-06 to 2011-03-06  )))))))))))))))))))))))))))))))
.
.
2011-03-04 21:13 . 2011-03-04 21:14   --------   d-----w-   C:\rsit
2011-03-02 23:10 . 2011-02-23 14:54   19544   ----a-w-   c:\windows\system32\drivers\aswFsBlk.sys
2011-03-02 23:10 . 2011-02-23 14:56   301528   ----a-w-   c:\windows\system32\drivers\aswSP.sys
2011-03-02 23:10 . 2011-02-23 14:55   49240   ----a-w-   c:\windows\system32\drivers\aswTdi.sys
2011-03-02 23:10 . 2011-02-23 14:55   25432   ----a-w-   c:\windows\system32\drivers\aswRdr.sys
2011-03-02 23:10 . 2011-02-23 14:56   371544   ----a-w-   c:\windows\system32\drivers\aswSnx.sys
2011-03-02 23:10 . 2011-02-23 14:55   102232   ----a-w-   c:\windows\system32\drivers\aswmon2.sys
2011-03-02 23:10 . 2011-02-23 14:55   96344   ----a-w-   c:\windows\system32\drivers\aswmon.sys
2011-03-02 23:10 . 2011-02-23 14:54   30680   ----a-w-   c:\windows\system32\drivers\aavmker4.sys
2011-03-02 23:10 . 2011-02-23 15:04   40648   ----a-w-   c:\windows\avastSS.scr
2011-03-02 23:10 . 2011-02-23 15:04   190016   ----a-w-   c:\windows\system32\aswBoot.exe
2011-03-02 23:09 . 2011-03-02 23:09   --------   d-----w-   c:\program files\AVAST Software
2011-03-02 23:09 . 2011-03-02 23:09   --------   d-----w-   c:\documents and settings\All Users\Application Data\AVAST Software
2011-02-28 18:41 . 2011-02-28 18:41   --------   d-----w-   c:\windows\system32\wbem\Repository
2011-02-11 17:43 . 2009-12-14 07:08   33280   ----a-w-   c:\windows\system32\csrsrv.dll
2011-02-11 17:43 . 2010-04-27 13:59   2146304   ----a-w-   c:\windows\system32\ntoskrnl.exe
2011-02-11 17:43 . 2010-04-27 13:05   2024448   ----a-w-   c:\windows\system32\ntkrnlpa.exe
2011-02-11 17:43 . 2009-02-09 12:10   714752   ----a-w-   c:\windows\system32\ntdll.dll
2011-02-11 17:43 . 2009-06-25 08:25   730112   ----a-w-   c:\windows\system32\lsasrv.dll
2011-02-06 03:18 . 2011-02-06 03:18   --------   d-----w-   C:\output
2011-02-05 18:54 . 2011-02-05 19:41   --------   d-----w-   c:\documents and settings\hdw4\Application Data\PhotoScape
2011-02-05 18:53 . 2011-02-05 18:53   --------   d-----w-   c:\program files\PhotoScape
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-07 14:09 . 2004-08-19 20:49   290048   ----a-w-   c:\windows\system32\atmfd(2).dll
2010-12-21 00:09 . 2009-08-09 20:51   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-21 00:08 . 2009-08-09 20:51   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-12-20 22:15 . 2004-08-19 20:49   667136   ----a-w-   c:\windows\system32\wininet(3).dll
2010-12-20 22:15 . 2004-08-19 20:49   629760   ----a-w-   c:\windows\system32\urlmon(3).dll
2010-12-20 22:15 . 2004-08-19 20:49   1025024   ----a-w-   c:\windows\system32\browseui(2).dll
.
.
(((((((((((((((((((((((((((((   SnapShot@2011-03-05_22.05.50   )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-03-06 20:34 . 2011-03-06 20:34   16384              c:\windows\Temp\Perflib_Perfdata_688.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-02-23 15:04   122512   ----a-w-   c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 339968]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-09-06 26112]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"ISUSPM Startup"="c:\progra~1\common~1\instal~1\update~1\isuspm.exe" [2004-07-27 221184]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-11 689488]
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2004-09-14 131072]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-11-13 981904]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"CarboniteSetupLite"="c:\program files\Carbonite\CarbonitePreinstaller.exe" [2010-11-21 283792]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-02-23 3451496]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-06-03 19:58   356352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Pagis Schedule Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Pagis Schedule Monitor.lnk
backup=c:\windows\pss\Pagis Schedule Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^hdw4^Start Menu^Programs^Startup^reminder-ScanSoft Product Registration.lnk]
path=c:\documents and settings\hdw4\Start Menu\Programs\Startup\reminder-ScanSoft Product Registration.lnk
backup=c:\windows\pss\reminder-ScanSoft Product Registration.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2004-12-06 06:05   127035   ----a-w-   c:\windows\system32\dla\tfswctrl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-02-23 21:19   53248   ------w-   c:\program files\CyberLink\PowerDVD\DVDLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
2004-09-14 13:50   53248   ----a-w-   c:\program files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
2004-09-14 13:50   131072   ----a-w-   c:\program files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QBReminderFlash]
2004-11-11 15:26   26112   ----a-w-   c:\program files\Intuit\QuickBooks 2005\Atom\QBReminder.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2005-09-06 12:12   98304   ----a-w-   c:\program files\QuickTime\qttask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [3/2/2011 5:10 PM 371544]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [3/2/2011 5:10 PM 301528]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [5/28/2008 9:33 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/28/2008 9:33 AM 55024]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/2/2011 5:10 PM 19544]
R3 atinewp2;ATI eHomeWonder, WDM Video CODEC;c:\windows\system32\drivers\atinewp2.sys [9/6/2005 5:39 AM 485888]
S1 VFILT;Outpost Firewall Kernel Driver;\??\e:\program files\Agnitum\Outpost Firewall 1.0\kernel\2000\FILTNT.SYS --> e:\program files\Agnitum\Outpost Firewall 1.0\kernel\2000\FILTNT.SYS [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/14/2009 4:16 PM 133104]
S3 ADBLOCK.DLL;Outpost Firewall PlugIn (ADBLOCK.DLL);\??\e:\program files\Agnitum\Outpost Firewall 1.0\kernel\ADBLOCK.DLL --> e:\program files\Agnitum\Outpost Firewall 1.0\kernel\ADBLOCK.DLL [?]
S3 CONTENT.DLL;Outpost Firewall PlugIn (CONTENT.DLL);\??\e:\program files\Agnitum\Outpost Firewall 1.0\kernel\CONTENT.DLL --> e:\program files\Agnitum\Outpost Firewall 1.0\kernel\CONTENT.DLL [?]
S3 DNSCACHE.DLL;Outpost Firewall PlugIn (DNSCACHE.DLL);\??\e:\program files\Agnitum\Outpost Firewall 1.0\kernel\DNSCACHE.DLL --> e:\program files\Agnitum\Outpost Firewall 1.0\kernel\DNSCACHE.DLL [?]
S3 FTPFILT.DLL;Outpost Firewall PlugIn (FTPFILT.DLL);\??\e:\program files\Agnitum\Outpost Firewall 1.0\kernel\FTPFILT.DLL --> e:\program files\Agnitum\Outpost Firewall 1.0\kernel\FTPFILT.DLL [?]
S3 HTMLFILT.DLL;Outpost Firewall PlugIn (HTMLFILT.DLL);\??\e:\program files\Agnitum\Outpost Firewall 1.0\kernel\HTMLFILT.DLL --> e:\program files\Agnitum\Outpost Firewall 1.0\kernel\HTMLFILT.DLL [?]
S3 HTTPFILT.DLL;Outpost Firewall PlugIn (HTTPFILT.DLL);\??\e:\program files\Agnitum\Outpost Firewall 1.0\kernel\HTTPFILT.DLL --> e:\program files\Agnitum\Outpost Firewall 1.0\kernel\HTTPFILT.DLL [?]
S3 IMAPFILT.DLL;Outpost Firewall PlugIn (IMAPFILT.DLL);\??\e:\program files\Agnitum\Outpost Firewall 1.0\kernel\IMAPFILT.DLL --> e:\program files\Agnitum\Outpost Firewall 1.0\kernel\IMAPFILT.DLL [?]
S3 MAILFILT.DLL;Outpost Firewall PlugIn (MAILFILT.DLL);\??\e:\program files\Agnitum\Outpost Firewall 1.0\kernel\MAILFILT.DLL --> e:\program files\Agnitum\Outpost Firewall 1.0\kernel\MAILFILT.DLL [?]
S3 NNTPFILT.DLL;Outpost Firewall PlugIn (NNTPFILT.DLL);\??\e:\program files\Agnitum\Outpost Firewall 1.0\kernel\NNTPFILT.DLL --> e:\program files\Agnitum\Outpost Firewall 1.0\kernel\NNTPFILT.DLL [?]
S3 pmxscan;PrimaScan USB Kernel;c:\windows\system32\drivers\usbscan.sys [9/8/2005 3:12 PM 15104]
S3 POP3FILT.DLL;Outpost Firewall PlugIn (POP3FILT.DLL);\??\e:\program files\Agnitum\Outpost Firewall 1.0\kernel\POP3FILT.DLL --> e:\program files\Agnitum\Outpost Firewall 1.0\kernel\POP3FILT.DLL [?]
S3 PROTECT.DLL;Outpost Firewall PlugIn (PROTECT.DLL);\??\e:\program files\Agnitum\Outpost Firewall 1.0\kernel\PROTECT.DLL --> e:\program files\Agnitum\Outpost Firewall 1.0\kernel\PROTECT.DLL [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/28/2008 9:33 AM 7408]
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-06 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-09-14 22:10]
.
2011-03-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-14 22:15]
.
2011-03-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-14 22:15]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://start.facemoods.com/?a=stonicus
mWindow Title = ShreveNet, Inc.
FF - ProfilePath - c:\documents and settings\hdw4\Application Data\Mozilla\Firefox\Profiles\dmrnd1rn.default\
FF - prefs.js: browser.startup.homepage - hxxp://local.msn.com/weather.aspx?q=ben%20lomond-ar&zip=71823&eid=153985903
FF - prefs.js: keyword.URL - hxxp://start.facemoods.com/results.php?f=5&a=stonicus&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Add-Art: development@add-art.org - %profile%\extensions\development@add-art.org
FF - Ext: Facemoods: ffxtlbr@Facemoods.com - %profile%\extensions\ffxtlbr@Facemoods.com
FF - Ext: Read It Later: isreaditlater@ideashower.com - %profile%\extensions\isreaditlater@ideashower.com
FF - Ext: QuickDrag: quickdrag@mozilla.ktechcomputing.com - %profile%\extensions\quickdrag@mozilla.ktechcomputing.com
FF - Ext: Search Toolbar: searchtoolbar@zugo.com - %profile%\extensions\searchtoolbar@zugo.com
FF - Ext: Tab Popup: tabpopup@adarsh.tp - %profile%\extensions\tabpopup@adarsh.tp
FF - Ext: Screengrab: {02450954-cdd9-410f-b1da-db804e18c671} - %profile%\extensions\{02450954-cdd9-410f-b1da-db804e18c671}
FF - Ext: ColorfulTabs: {0545b830-f0aa-4d7e-8820-50a4629a56fe} - %profile%\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}
FF - Ext: Flashblock: {3d7eb24f-2740-49df-8937-200b1cc08f8a} - %profile%\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
FF - Ext: IE View: {6e84150a-d526-41f1-a480-a67d3fed910d} - %profile%\extensions\{6e84150a-d526-41f1-a480-a67d3fed910d}
FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
FF - Ext: Answers: {C0D0F6D1-9FC9-4b0a-B485-D5E13AF40D51} - %profile%\extensions\{C0D0F6D1-9FC9-4b0a-B485-D5E13AF40D51}
FF - Ext: FlipClock: {cdd09450-7280-11de-8a39-0800200c9a66} - %profile%\extensions\{cdd09450-7280-11de-8a39-0800200c9a66}
FF - Ext: CoolPreviews                   : {CE6E6E3B-84DD-4cac-9F63-8D2AE4F30A4B} - %profile%\extensions\{CE6E6E3B-84DD-4cac-9F63-8D2AE4F30A4B}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Foxit Toolbar: {E9A1DEE0-C623-4439-8932-001E7D17607D} - %profile%\extensions\{E9A1DEE0-C623-4439-8932-001E7D17607D}
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\AVAST Software\Avast\WebRep\FF
 
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-06 14:36
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(728)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Canon\IJPLM\IJPLMSVC.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\stsystra.exe
c:\windows\system32\dllhost.exe
c:\windows\eHome\ehmsas.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-03-06  14:40:46 - machine was rebooted
ComboFix-quarantined-files.txt  2011-03-06 20:40
ComboFix2.txt  2011-03-05 22:11
.
Pre-Run: 47,347,458,048 bytes free
Post-Run: 47,431,327,744 bytes free
.
- - End Of File - - 36343EC0ADE02D422AAFF2CCE9B4A147

Offline deew

Re: Computer Crashing?
« Reply #23 on: March 06, 2011, 07:08:04 PM »
Corrine, I forgot to ask before, but why were my scanner and Foxit Reader taken out?

Online Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 20212
  • "Stronger than the past, united in our goal."
    • View Profile
    • Security Garden
Re: Computer Crashing?
« Reply #24 on: March 06, 2011, 07:28:38 PM »
Hi, deew.

FoxitReader was identified as orphaned in the previous run of ComboFix, which indicates it had already been uninstalled.  What is the name of your scanner?  I don't see an indication of its removal but we can check further.  What does concern me is that userinit.exe was found to be infected this run, but not the first run of ComboFix. 

As explained at TechNet:  http://technet.microsoft.com/en-us/library/cc939862.aspx
Quote
Specifies the programs that Winlogon runs when a user logs on. By default, Winlogon runs Userinit.exe, which runs logon scripts, reestablishes network connections, and then starts Explorer.exe, the Windows user interface.

Please go here to run an on-line scan from ESET.
  • Note: It is easiest if you use Internet Explorer for this scan.  (If you use an alternate browser, it will be necessary to download the ESET Smart Installer)
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Offline deew

Re: Computer Crashing?
« Reply #25 on: March 06, 2011, 08:04:21 PM »
I never uninstalled Foxit Reader, so that has me confused. 

My scanner is a Canon CanoScan LiDE 1000.  This is from the first run of ComboFix, and afterward my Desktop icon was gone.  Was it just the icon that it took out?

I have Sunday company coming, so I'll do the online scan later today.

Offline deew

Re: Computer Crashing?
« Reply #26 on: March 06, 2011, 08:08:56 PM »

I never uninstalled Foxit Reader, so that has me confused. 

My scanner is a Canon CanoScan LiDE 1000.  This is from the first run of ComboFix, and afterward my Desktop icon was gone.  Was it just the icon that it took out?

Quote
  Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Desktop\Scanner.lnk

I have Sunday company coming, so I'll do the online scan later today.

Online Corrine

Re: Computer Crashing?
« Reply #27 on: March 06, 2011, 08:50:14 PM »
Hi, deew.

Just like ComboFix, I also saw that as being part of the rogue, "Scanner".  A program desktop shortcut generally includes the program name (e.g., CanoScan.lnk).

Enjoy your company. 


Offline deew

Re: Computer Crashing?
« Reply #28 on: March 07, 2011, 11:34:40 PM »
Corrine, here is the ESET log.  I noticed that it had E:\ listed.  That is the hard drive from my old computer I had someone add to this one.  I never use it, now that I've transferred all my music files to this HD.  Are all the threats in E:\?

Also, ESET is asking me if I want to uninstall the ESET files.  Do I check to do it before clicking Finish or not?

~~~

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=6.00.2900.5512 (xpsp.080413-2105)
# OnlineScanner.ocx=1.0.0.6425
# api_version=3.0.2
# EOSSerial=988bd1d223a3c34f85386d130beefb4b
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-03-08 01:18:52
# local_time=2011-03-07 07:18:52 (-0600, Central Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 90529 90529 0 0
# compatibility_mode=768 16777215 100 0 28784281 28784281 0 0
# compatibility_mode=6912 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# compatibility_mode=9217 16777214 75 70 50810138 72848628 0 0
# scanned=132190
# found=4
# cleaned=0
# scan_time=8591
E:\WINDOWS\Start Menu\Programs\Disabled Startup Items\PowerReg SchedulerV2.exe   Win32/PowerReg application (unable to clean)   00000000000000000000000000000000   I
E:\HP\bin\KillWind.exe   Win32/ProcKill.NAD application (unable to clean)   00000000000000000000000000000000   I
E:\HP Internet\Surfboard\KillWind.exe   Win32/ProcKill.NAD application (unable to clean)   00000000000000000000000000000000   I
E:\Program Files\MusicMatch\MusicMatch Jukebox\HWUpdateMove.exe   Win32/Adware.HiWire application (unable to clean)   00000000000000000000000000000000   I

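An added example, not part of deew's post and not ESET's own tooling: a small Python parser for an ESET Online Scanner log in the layout pasted above. It reads the "# key=value" header, splits each detection line into path, detection name, hash and flag, groups the detections by drive letter (which is what the question about E:\ comes down to), and cross-checks the number of detection lines against the "# found=" header so a truncated paste is noticed. The embedded log excerpt is constructed for the example: it keeps the four detection lines and a few header lines from the log above and drops the rest. Treating either a tab or a run of three or more spaces as the field separator is an assumption about how the log was pasted into the forum, not something ESET documents.

```python
import re
from collections import defaultdict

# Constructed excerpt in the layout of the ESET Online Scanner log posted above:
# the header lines and four detection lines are copied from that log, the rest of
# the header is dropped. ESET writes a tab between fields; pasted into a forum
# post the tabs usually become runs of spaces, so both are accepted below.
SAMPLE_ESET_LOG = r"""ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# scanned=132190
# found=4
# cleaned=0
# scan_time=8591
E:\WINDOWS\Start Menu\Programs\Disabled Startup Items\PowerReg SchedulerV2.exe   Win32/PowerReg application (unable to clean)   00000000000000000000000000000000   I
E:\HP\bin\KillWind.exe   Win32/ProcKill.NAD application (unable to clean)   00000000000000000000000000000000   I
E:\HP Internet\Surfboard\KillWind.exe   Win32/ProcKill.NAD application (unable to clean)   00000000000000000000000000000000   I
E:\Program Files\MusicMatch\MusicMatch Jukebox\HWUpdateMove.exe   Win32/Adware.HiWire application (unable to clean)   00000000000000000000000000000000   I
"""

FIELD_SEP = re.compile(r"\t|\s{3,}")             # a tab, or 3+ spaces from a forum paste
DRIVE_PATH_RE = re.compile(r"^([A-Za-z]):\\")    # path starting with a drive letter
DETECTION_FIELDS = ("path", "detection", "hash", "flag")


def parse_eset_log(text):
    """Return (header, detections). header maps each '# key=value' line to its value
    (first occurrence wins, since compatibility_mode repeats); detections is a list of
    dicts with path, detection, hash and flag. Preamble lines are ignored."""
    header, detections = {}, []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.startswith("# "):
            key, _, value = line[2:].partition("=")
            header.setdefault(key, value)
            continue
        fields = FIELD_SEP.split(line)
        if len(fields) == len(DETECTION_FIELDS) and DRIVE_PATH_RE.match(fields[0]):
            detections.append(dict(zip(DETECTION_FIELDS, fields)))
    return header, detections


def detections_by_drive(detections):
    """Group detections by upper-cased drive letter, e.g. {'E': [...]}."""
    by_drive = defaultdict(list)
    for d in detections:
        by_drive[d["path"][0].upper()].append(d)
    return dict(by_drive)


def counts_consistent(header, detections):
    """True when the '# found=' header agrees with the number of detection lines parsed;
    a mismatch means the paste was truncated or the separator guess is wrong."""
    return header.get("found", "").isdigit() and int(header["found"]) == len(detections)


def drives_with_detections(text):
    """Sorted drive letters that carry at least one detection."""
    _, detections = parse_eset_log(text)
    return sorted(detections_by_drive(detections))


if __name__ == "__main__":
    header, detections = parse_eset_log(SAMPLE_ESET_LOG)
    print("scanned %s, found %s, parsed %d detection lines (consistent: %s)"
          % (header["scanned"], header["found"], len(detections),
             counts_consistent(header, detections)))
    for drive, items in sorted(detections_by_drive(detections).items()):
        print("%s: %d detection(s)" % (drive, len(items)))
        for d in items:
            print("   ", d["detection"], "<-", d["path"])
```

Run as-is it reports all four detections under drive E, matching the answer given in the next reply; point parse_eset_log at the full pasted log to get the same breakdown for any ESET Online Scanner run.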
Online Corrine

Re: Computer Crashing?
« Reply #29 on: March 08, 2011, 12:09:32 AM »
Hi, deew.

Correct!  Not only that, but E:\ is also the location shown for the Outpost service in your log.

Close all programs leaving only HijackThis running. Place a check against the following, making sure you do not check anything else by mistake:

O23 - Service: Outpost Firewall Service (OutpostFirewall) - Unknown owner - E:\Program Files\Agnitum\Outpost Firewall 1.0\outpost.exe (file missing)

Click on Fix Checked when finished and exit HijackThis.

Please shut down/restart the computer and then post a fresh RSIT log:
  • Double-click RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, this time only one log will open. Please post the contents of log.txt with your next reply.


How is your computer running now?  Have you had any more crashes?

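An added example, not from this thread and not part of the ComboFix or HijackThis tools, covering the two autostart checks discussed in replies #24 and #29: whether the Winlogon Userinit value is exactly the Windows XP default (anything appended after the comma is launched by Winlogon at every logon, which is why the TechNet quote above matters), and which service entries point at a binary that is missing or lives on a drive other than the system drive, as the Outpost entries on E:\ do. The Python below parses constructed excerpts in ComboFix and HijackThis log layout. The Outpost lines are copied from the logs above; the remaining lines, and the non-default Userinit value with example_extra.exe, are invented for illustration and are not real detections. A default-looking Userinit value only rules out the appended-program trick; it says nothing about whether userinit.exe itself has been replaced, which is what file-level scanning and a hash comparison against a known-good copy are for.

```python
import re

# Windows XP default (compared case-insensitively); the trailing comma is part of the value.
XP_DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe,"

# Constructed ComboFix-style excerpt. The VFILT line is copied from the log in this
# thread; the Winlogon values and the other service lines are made up for the example,
# and example_extra.exe is a hypothetical name, not a real detection.
SAMPLE_COMBOFIX = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,c:\windows\system32\example_extra.exe"
"Shell"="Explorer.exe"
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [3/2/2011 5:10 PM 371544]
S1 VFILT;Outpost Firewall Kernel Driver;\??\e:\program files\Agnitum\Outpost Firewall 1.0\kernel\2000\FILTNT.SYS --> e:\program files\Agnitum\Outpost Firewall 1.0\kernel\2000\FILTNT.SYS [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/14/2009 4:16 PM 133104]
"""

# Constructed HijackThis O23 lines. The Outpost line is the one quoted in reply #29;
# the avast line is made up to show a healthy entry.
SAMPLE_HJT = r"""
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Unknown owner - E:\Program Files\Agnitum\Outpost Firewall 1.0\outpost.exe (file missing)
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
"""

REG_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')               # "Name"="value"
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")  # R1 name;display;path [...]


def check_userinit(combofix_text):
    """Return (value, ok): the Winlogon Userinit value and whether it is the XP default."""
    for line in combofix_text.splitlines():
        m = REG_VALUE_RE.match(line.strip())
        if m and m.group(1).lower() == "userinit":
            value = m.group(2)
            return value, value.lower() == XP_DEFAULT_USERINIT
    return None, False


def parse_services(combofix_text):
    """Parse ComboFix R*/S* service lines. ComboFix writes 'path --> path [?]' when the
    binary cannot be found and 'path [date size]' when it can."""
    entries = []
    for line in combofix_text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        rest = m.group(4)
        path = re.split(r"\s+-->\s+|\s+\[", rest, maxsplit=1)[0]
        if path.startswith("\\??\\"):          # NT object-manager prefix on driver paths
            path = path[4:]
        entries.append({"name": m.group(2), "path": path, "missing": rest.endswith("[?]")})
    return entries


def parse_hjt_o23(hjt_text):
    """Parse HijackThis O23 lines: 'O23 - Service: name - owner - path [(file missing)]'."""
    entries = []
    for line in hjt_text.splitlines():
        line = line.strip()
        if not line.startswith("O23 - Service:"):
            continue
        missing = line.endswith("(file missing)")
        body = line[len("O23 - Service:"):]
        if missing:
            body = body[: -len("(file missing)")]
        parts = [p.strip() for p in body.split(" - ")]
        entries.append({"name": parts[0], "path": parts[-1], "missing": missing})
    return entries


def drive_of(path):
    """Drive letter of a Windows path, upper-cased, or None if the path has none."""
    m = re.match(r"^([A-Za-z]):\\", path)
    return m.group(1).upper() if m else None


def flag_autostarts(entries, system_drive="C"):
    """Return (name, reason) for entries whose binary is missing or off the system drive."""
    flagged = []
    for e in entries:
        reasons = []
        if e["missing"]:
            reasons.append("binary missing")
        drive = drive_of(e["path"])
        if drive and drive != system_drive:
            reasons.append("on drive %s:" % drive)
        if reasons:
            flagged.append((e["name"], "; ".join(reasons)))
    return flagged


if __name__ == "__main__":
    value, ok = check_userinit(SAMPLE_COMBOFIX)
    print("Userinit =", value, "(default)" if ok else "(NOT default: extra program appended)")
    for name, reason in flag_autostarts(parse_services(SAMPLE_COMBOFIX)):
        print("ComboFix service", name, "->", reason)
    for name, reason in flag_autostarts(parse_hjt_o23(SAMPLE_HJT)):
        print("HJT O23", name, "->", reason)
```

On the constructed input the only flagged entries are the two Outpost ones (missing binary, and on E: rather than the system drive), which is exactly the entry the reply above asks to fix in HijackThis; the avast and Google entries pass. Feed the full pasted logs in place of the samples to review a real set of entries the same way.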