
Thread: Vista Blue Screens ("Maybe" a Resolution)


  1. #1
    Since I had not done this before, we ran ComboFix....
    ComboFix 08-03-20.2 - Sharon 2008-03-20 19:16:49.1 - NTFSx86
    Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.1.1033.18.984 [GMT -5:00]
    Running from: C:\Users\Sharon\Desktop\ComboFix.exe
    * Created a new restore point
    .
    ((((((((((((((((((((((((( Files Created from 2008-02-21 to 2008-03-21 )))))))))))))))))))))))))))))))
    .

    No new files created in this timespan



    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-03-20 21:53 2,260 ----a-w C:\Users\Sharon\AppData\Roaming\wklnhst.dat
    2008-03-20 13:00 --------- d-----w C:\ProgramData\avg7
    2008-03-16 14:28 --------- d---a-w C:\ProgramData\TEMP
    2008-03-16 14:28 --------- d-----w C:\Program Files\SpywareBlaster
    2008-03-13 13:41 53,768 ----a-w C:\Windows\system32\drivers\avgwfp.sys
    2008-03-12 12:24 --------- d-----w C:\Program Files\Windows Mail
    2008-03-06 00:57 --------- d-----w C:\Program Files\Java
    2008-03-06 00:03 --------- d-----w C:\Program Files\Common Files\Java
    2008-03-03 21:52 --------- d-----w C:\Program Files\CleanUp!
    2008-03-01 04:39 --------- d-----w C:\Users\Sharon\AppData\Roaming\WinBatch
    2008-02-29 12:46 --------- d-----w C:\Program Files\Trend Micro
    2008-02-23 23:03 --------- d-----w C:\Program Files\Microsoft IntelliPoint
    2008-02-13 16:16 803,328 ----a-w C:\Windows\system32\drivers\tcpip.sys
    2008-02-13 16:16 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
    2008-02-13 16:16 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
    2008-02-13 16:16 216,632 ----a-w C:\Windows\system32\drivers\netio.sys
    2008-02-13 16:16 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
    2008-02-13 16:16 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
    2008-02-13 15:51 110,080 ----a-w C:\Windows\system32\drivers\mrxdav.sys
    2008-02-13 15:49 54,784 ----a-w C:\Windows\system32\drivers\i8042prt.sys
    2008-02-13 15:49 495,160 ----a-w C:\Windows\system32\drivers\Wdf01000.sys
    2008-02-13 15:49 35,384 ----a-w C:\Windows\system32\drivers\WdfLdr.sys
    2008-02-13 15:49 35,384 ----a-w C:\Windows\system32\drivers\kbdclass.sys
    2008-02-13 15:49 34,360 ----a-w C:\Windows\system32\drivers\mouclass.sys
    2008-02-13 15:49 19,968 ----a-w C:\Windows\system32\drivers\sermouse.sys
    2008-02-13 15:49 15,872 ----a-w C:\Windows\system32\drivers\mouhid.sys
    2008-02-13 15:49 15,872 ----a-w C:\Windows\system32\drivers\kbdhid.sys
    2008-02-13 15:47 45,112 ----a-w C:\Windows\system32\drivers\pciidex.sys
    2008-02-13 15:47 21,560 ----a-w C:\Windows\system32\drivers\atapi.sys
    2008-02-13 15:47 154,624 ----a-w C:\Windows\system32\drivers\nwifi.sys
    2008-02-13 15:47 15,928 ----a-w C:\Windows\system32\drivers\pciide.sys
    2008-02-13 15:47 109,624 ----a-w C:\Windows\system32\drivers\ataport.sys
    2008-02-13 15:42 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
    2008-02-09 01:46 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
    2008-02-09 01:39 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    2008-02-01 12:50 --------- d-----w C:\Users\Sharon\AppData\Roaming\Grisoft
    2008-02-01 12:48 --------- d-----w C:\ProgramData\Grisoft
    2008-01-31 17:15 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2008-01-31 11:42 --------- d-----w C:\Program Files\Google
    2007-08-29 11:31 174 --sha-w C:\Program Files\desktop.ini
    2007-04-02 22:25 22 --sha-w C:\Windows\SMINST\HPCD.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-01-30 20:34 171448]
    "ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 20:15 221184]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-04-10 18:02 1006264]
    "hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 08:42 65536]
    "KBD"="C:\HP\KBD\KbdStub.EXE" [2006-12-08 10:16 65536]
    "ATICCC"="c:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-07-11 20:12 90112]
    "RtHDVCpl"="RtHDVCpl.exe" [2007-10-25 06:52 4702208 C:\Windows\RtHDVCpl.exe]
    "DPService"="C:\Program Files\HP\DVDPlay\DPService.exe" [2006-11-08 02:52 81920]
    "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 02:11 49152]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-20 22:37 579072]
    "IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 18:52 849280]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-25 09:04 219136]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
    avgwlntf.dll 2007-05-21 18:29 9216 C:\Windows\System32\avgwlntf.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UacDisableNotify"=dword:00000001
    "InternetSettingsDisableNotify"=dword:00000001
    "AutoUpdateDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1925650744-2817293247-260502016-1000]
    "EnableNotificationsRef"=dword:00000002

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
    "{12BF8921-9B8D-466C-B0F1-643B65412963}"= UDP:C:\Program Files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
    "{24B9FCBD-B393-4379-B8BE-A58A16430EA2}"= Profile=Private|C:\Program Files\HP Connections\6811507\Program\HP Connections:HP Connections
    "{52E05E6F-F5DE-4E4E-8392-832B1C19FB76}"= UDP:C:\Program Files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
    "{1CB6A675-5CBB-4160-944B-30E70D88D9E0}"= TCP:C:\Program Files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
    "{9B4C4B1C-3BBE-4F28-9CA5-B464E55596A4}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
    "{0D1ED38A-DA50-43E6-84C9-FDC60A2B9DB1}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
    "{F34996C1-9727-455D-BEA6-8BA77EE0F3D0}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
    "{A7228EED-0CCF-4702-B47D-B98B611AC286}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
    "{1F6B5D47-348D-455F-AA1B-9AD9DED45919}"= Disabled:UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
    "{F715E5F2-8AFE-49D4-B436-01B9D38330D9}"= Disabled:TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
    "{A65FCD18-131C-4A43-BB86-3BDE718AEB0E}"= Disabled:UDP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
    "{C9D63C3B-D14B-494C-B8A1-61FDFA4A3227}"= Disabled:TCP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
    "{7E4B6C7F-850B-4B0B-9AC9-521566071239}"= Disabled:C:\Program Files\HP Connections\6811507\Program\HP Connections:HP Connections
    "{FFCD0C8F-7AD1-40DA-A2FE-290ADF04CFC6}"= Disabled:UDP:C:\Program Files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
    "{F68D33E1-C4DF-40C4-B135-B37517A4B8D1}"= Disabled:TCP:C:\Program Files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
    "{A11176A8-BA04-47E7-8BFB-26C30F27B29F}"= Disabled:UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
    "{C738BFDC-A81B-49F6-9519-3E9E1E625198}"= Disabled:TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
    "{2B97359F-79AE-40F0-8CCC-710BCA227ADD}"= UDP:C:\Program Files\Grisoft\AVG7\avgcc.exe:AVG Control Center
    "{AD1FBD97-05C0-4788-9858-2FD3C20AFDCD}"= TCP:C:\Program Files\Grisoft\AVG7\avgcc.exe:AVG Control Center
    "{78F86F2C-E662-437C-8C40-01BFE2B7116E}"= UDP:C:\Program Files\Grisoft\AVG7\avgw.exe:AVG Test Center
    "{6EE75342-707C-4038-A91E-77DC82DCFFC8}"= TCP:C:\Program Files\Grisoft\AVG7\avgw.exe:AVG Test Center
    "{B0459409-B99C-40A7-904E-D6A10580EAF9}"= UDP:C:\Program Files\Grisoft\AVG7\avgvv.exe:AVG Virus Vault
    "{2F520A35-D8BC-4C37-9399-2DDD9AECFBD5}"= TCP:C:\Program Files\Grisoft\AVG7\avgvv.exe:AVG Virus Vault

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
    "EnableFirewall"= 0 (0x0)
    "DoNotAllowExceptions"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Configurable\System]
    "Rip-Listener-1"= TCP:520|%SystemRoot%\System32\svchost.exe|Svc=iprip:@iprip.dll,-200|

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
    "DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|
    "SNMP-1"= TCP:%SystemRoot%\system32\snmp.exe|Svc=SNMP:@%SystemRoot%\system32\snmp.exe,-5|

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
    "C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink

    R0 AtiPcie;ATI PCI Express (3GIO) Filter;C:\Windows\system32\DRIVERS\AtiPcie.sys [2006-11-03 10:29]
    R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-01-28 12:43]
    R2 XAudio;XAudio;C:\Windows\system32\DRIVERS\xaudio.sys [2007-08-07 06:26]
    R3 atikmdag;atikmdag;C:\Windows\system32\DRIVERS\atikmdag.sys [2007-06-13 20:28]
    R3 AvgWFP;AVG7 Firewall Driver x86;C:\Windows\system32\Drivers\avgwfp.sys [2008-03-13 08:41]
    S3 R300;R300;C:\Windows\system32\DRIVERS\atikmdag.sys [2007-06-13 20:28]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
    rsmsvcs REG_MULTI_SZ ntmssvc
    ipripsvc REG_MULTI_SZ iprip

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{48bf4476-cead-11dc-9f1f-e25ab51505b4}]
    \shell\AutoRun\command - H:\LaunchU3.exe

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-03-21 00:10:55 C:\Windows\Tasks\User_Feed_Synchronization-{4A322068-0DD0-40F9-A585-52DB6EEF200B}.job"
    - C:\Windows\system32\msfeedssync.exe
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-03-20 19:21:23
    Windows 6.0.6000 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Windows\system32\Ati2evxx.exe
    C:\Windows\system32\Ati2evxx.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
    C:\Windows\System32\tcpsvcs.exe
    C:\Windows\System32\snmp.exe
    C:\Windows\system32\DRIVERS\xaudio.exe
    c:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
    C:\Program Files\Grisoft\AVG7\avgcc.exe
    C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
    C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
    C:\hp\kbd\kbd.exe
    .
    **************************************************************************
    .
    Completion time: 2008-03-20 19:23:35 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-03-21 00:23:29
    The EarthLink listings, we assume, are ones put in place when she had the computer in a shop; he used EarthLink.
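As an added example (not part of the original post and not ComboFix's own code), a small Python parser for the "Reg Loading Points" section above that flags the entries a responder would want to look at first: Security Center notifications or monitoring switched off, a firewall profile disabled, and an AutoRun command bound to a volume. The input is a constructed excerpt modelled on the log; the finding texts are my own wording.

```python
import re

# Constructed excerpt in ComboFix "Reg Loading Points" style, modelled on
# entries in the log above (not the full log).
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{48bf4476-cead-11dc-9f1f-e25ab51505b4}]
\shell\AutoRun\command - H:\LaunchU3.exe
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
# REGEDIT4 "name"=dword:XXXXXXXX, or ComboFix's "name"= N (0xN) rendering
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(?:dword:([0-9a-fA-F]{8})|(\d+)\s+\(0x[0-9a-fA-F]+\))$')
AUTORUN_RE = re.compile(r"^\\shell\\AutoRun\\command\s+-\s+(.+)$")

def parse_reg_points(text: str) -> tuple[dict[str, dict[str, int]], list[tuple[str, str]]]:
    values: dict[str, dict[str, int]] = {}   # {registry key: {value name: int}}
    autoruns: list[tuple[str, str]] = []     # (registry key, AutoRun command)
    key = ""
    for line in (raw.strip() for raw in text.splitlines()):
        if m := KEY_RE.match(line):
            key = m.group(1)
        elif m := VALUE_RE.match(line):
            val = int(m.group(2), 16) if m.group(2) else int(m.group(3))
            values.setdefault(key, {})[m.group(1)] = val
        elif m := AUTORUN_RE.match(line):
            autoruns.append((key, m.group(1)))
    return values, autoruns

def triage(text: str) -> list[str]:
    # Flag settings that silence or disable the host's own defences, or auto-run from a volume.
    values, autoruns = parse_reg_points(text)
    findings: list[str] = []
    for key, names in values.items():
        k, leaf = key.lower(), key.rsplit("\\", 1)[-1]
        for name, val in names.items():
            if "security center" in k and name.endswith("DisableNotify") and val == 1:
                findings.append(f"Security Center notification suppressed: {name}")
            elif name == "DisableMonitoring" and val == 1:
                findings.append(f"Security Center monitoring disabled: {leaf}")
            elif "firewallpolicy" in k and name == "EnableFirewall" and val == 0:
                findings.append(f"Windows Firewall off for profile: {leaf}")
    for key, cmd in autoruns:
        if "mountpoints2" in key.lower():
            findings.append(f"AutoRun command bound to a volume: {cmd}")
    return findings
```

Running `triage(SAMPLE)` on the excerpt yields four findings; on the full log above it would also pick up the per-product DisableMonitoring entries and the other DisableNotify values.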

  2. #2
    HELP!!!!!!!
    Blue screens continue. Have pretty much determined these are not, however, BSODs, but REBOOTING of the computer.
    No errors showing in event log at time of shutdown. Always about 30 minutes prior to these, though, are Warnings showing in Event Viewer which state:
    Tcpip 4227
    TCP/IP failed to establish an outgoing connection because the selected local endpoint was recently used to connect to the same remote endpoint. This error typically occurs when outgoing connections are opened and closed at a high rate, causing all available local ports to be used and forcing TCP/IP to reuse a local port for an outgoing connection. To minimize the risk of data corruption, the TCP/IP standard requires a minimum time period to elapse between successive connections from a given local endpoint to a given remote endpoint.
    Then right after this happens these will show in Event Viewer:
    Event processing
    Level: Error
    Keywords: Audit Success
    User: N/A
    Computer: Sharons-PC
    Description:
    Audit events have been dropped by the transport. The real time backup file was corrupt due to improper shutdown.
    This only happens online, 99% of the time while trying to view a photo of some kind: Google Images, photos on websites, etc.
    Had her turn off Windows Defender and things worked for a while. Only because I had problems with Defender seeming to slow things on my computer. Found several threads last night concerning Vista Firewall and dial-up, so today had her temporarily turn off Vista Firewall.
    Her dial-up is terrible, so I think the culprit probably lies there, but I am at a total loss now. Everything relating to connections other than dial-up on the computer is turned off. I am at a total loss. HELP!!!!!
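As an added example, not from the thread: the pattern described above (Tcpip 4227 warnings roughly half an hour before the "audit events dropped ... improper shutdown" error) checked mechanically over a constructed event export, so that each restart can be tied to the number and timing of 4227 warnings that preceded it. The pipe-separated line format, the "Audit" source name and the 0 event ID are assumptions made for the sample; only the Tcpip 4227 ID and the message texts come from the post.

```python
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed event-viewer export (timestamp|level|source|id|message), modelled
# on the sequence described above: Tcpip 4227 warnings, then the "audit events
# dropped ... improper shutdown" error once the machine comes back up. The
# "Audit" source and event ID 0 are placeholders for the sample, not real IDs.
SAMPLE_EVENTS = """\
2008-03-22 14:05:10|Warning|Tcpip|4227|TCP/IP failed to establish an outgoing connection because the selected local endpoint was recently used to connect to the same remote endpoint.
2008-03-22 14:06:02|Warning|Tcpip|4227|TCP/IP failed to establish an outgoing connection because the selected local endpoint was recently used to connect to the same remote endpoint.
2008-03-22 14:33:41|Error|Audit|0|Audit events have been dropped by the transport. The real time backup file was corrupt due to improper shutdown.
2008-03-22 18:10:05|Warning|Tcpip|4227|TCP/IP failed to establish an outgoing connection because the selected local endpoint was recently used to connect to the same remote endpoint.
2008-03-22 20:45:00|Error|Audit|0|Audit events have been dropped by the transport. The real time backup file was corrupt due to improper shutdown.
"""

Event = Tuple[datetime, str, str, int, str]  # (time, level, source, id, message)


def parse_events(text: str) -> List[Event]:
    events: List[Event] = []
    for line in text.strip().splitlines():
        ts, level, source, event_id, msg = line.split("|", 4)
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), level, source, int(event_id), msg))
    return sorted(events, key=lambda e: e[0])


def correlate(text: str, window_minutes: int = 30) -> List[Tuple[datetime, int, Optional[datetime]]]:
    """For each improper-shutdown marker return (marker time, number of Tcpip 4227
    warnings in the preceding window, time of the last such warning or None)."""
    events = parse_events(text)
    window = timedelta(minutes=window_minutes)
    out: List[Tuple[datetime, int, Optional[datetime]]] = []
    for ts, _level, _source, _event_id, msg in events:
        if "improper shutdown" not in msg:
            continue
        prior = [e[0] for e in events
                 if e[2] == "Tcpip" and e[3] == 4227 and ts - window <= e[0] < ts]
        out.append((ts, len(prior), max(prior) if prior else None))
    return out
```

A restart with zero 4227 warnings in its window (the second one in the sample) is the case that argues against the port-churn explanation for that particular reboot.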
