# Laptop reboots with BSOD STOP 0x0000008E



## Bruno58 (Feb 1, 2008)

My Fujitsu Siemens AMILO Pro V3505 keeps booting up and crashing after a few seconds with a BSOD message.
The laptop works fine in SAFE mode, but will only boot up normally for a few seconds.

I have run just about every online scan available and although they found some problems they were all spyware. I am beginning to suspect a ROOTKIT (don't ask me why!) but have found that I am unable to run any of the ROOTKIT detectors when in SAFE mode.

I am also unable to install AdAware (in safe mode) although Spybot worked.
I get "The system administrator has set policies to prevent this installation"

The BSOD is 
STOP 0x0000008E (0Xc0000005, 0x805924E1, 0xAA0BA9D0,0x00000000)

I have several MiniDumps, the last few all say:
Now looking at the MiniDumps 
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 1000008E, {c0000005, 805924e1, aa08a9d0, 0}

Probably caused by : ntkrnlmp.exe ( nt!HvpIsFreeNeighbor+4a )
Followup: MachineOwner

NOW WHAT?
I have:
- gone back to a System Restore Point when the PC was working fine - same problem.
- removed any spyware, viruses found - same problem.
- stopped EVERYTHING in MSCONFIG and rebooted - same problem.
- tried changing my graphics resolution to the lowest and removing my screen saver (before it crashes) - same problem.
- run HJT and parsed the log online - nothing (it was in SAFE mode)

I have also noticed that for the last few days my Netgear router is showing loads of:
2008-02-01 00:21:05 - TCP Flood - Source:192.168.0.3,3496,LAN - Destination:212.135.93.143,80,WAN
(The destination IP addresses change from time to time)


This laptop seems to have a SATA drive and I had to buy an external USB floppy to get a Windows XP boot disc to load. I was then going to try a REPAIR, but it asks for Administrator password and I've tried all the passwords I normally use - no luck!

PLEASE HELP (hopefully before the laptop goes flying out of the window).
How on earth can I trace this fault and therefore (more hopefully) find a cure?

Thanks for any help / advice.


----------



## Bruno58 (Feb 1, 2008)

*HELP*

I originally posted this into Malware Removal & HijackThis Logs, but having managed to run Mcafee Rootkit Detective in SAFE mode - it found NOTHING!


So now I'm back in the HARDWARE section (sorry if this causes a duplicate entry).

My Fujitsu Siemens AMILO Pro V3505 keeps booting up and crashing after a few seconds with a BSOD message.
The laptop works fine in SAFE mode, but will only boot up normally for a few seconds.

I have run just about every online scan available and although they found some problems they were all spyware. I am beginning to suspect a ROOTKIT (don't ask me why!) but have found that I am unable to run any of the ROOTKIT detectors when in SAFE mode.

I am also unable to install AdAware (in safe mode) although Spybot worked.

The BSOD is 
STOP 0x0000008E (0Xc0000005, 0x805924E1, 0xAA0BA9D0,0x00000000)

I have several MiniDumps, the last few all say:
Now looking at the MiniDumps 
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 1000008E, {c0000005, 805924e1, aa08a9d0, 0}

Probably caused by : ntkrnlmp.exe ( nt!HvpIsFreeNeighbor+4a )
Followup: MachineOwner

NOW WHAT?
I have:
- gone back to a System Restore Point when the PC was working fine - same problem.
- removed any spyware, viruses found - same problem.
- stopped EVERYTHING in MSCONFIG and rebooted - same problem.
- tried changing my graphics resolution to the lowest and removing my screen saver (before it crashes) - same problem.
- run HJT and parsed the log online - nothing (it was in SAFE mode)

I have also noticed that for the last few days my Netgear router is showing loads of:
2008-02-01 00:21:05 - TCP Flood - Source:192.168.0.3,3496,LAN - Destination:212.135.93.143,80,WAN
(The destination IP addresses change from time to time)

This laptop seems to have a SATA drive and I had to buy an external USB floppy to get a Windows XP boot disc to load. I was then going to try a REPAIR, but it asks for Administrator password and I've tried all the passwords I normally use - no luck!

PLEASE HELP (hopefully before the laptop goes flying out of the window).
How on earth can I trace this fault and therefore (more hopefully) find a cure?

Thanks for any help / advice.

I have also looked at my NTBTLOG.TXT and this is what I find:

Service Pack 2 1 31 2008 10:36:46.375
Loaded driver \WINDOWS\system32\ntoskrnl.exe
Loaded driver \WINDOWS\system32\hal.dll
Loaded driver \WINDOWS\system32\KDCOM.DLL
Loaded driver \WINDOWS\system32\BOOTVID.dll
Loaded driver ACPI.sys
Loaded driver \WINDOWS\system32\DRIVERS\WMILIB.SYS
Loaded driver pci.sys
Loaded driver isapnp.sys
Loaded driver compbatt.sys
Loaded driver \WINDOWS\system32\DRIVERS\BATTC.SYS
Loaded driver pciide.sys
Loaded driver \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Loaded driver pcmcia.sys
Loaded driver MountMgr.sys
Loaded driver ftdisk.sys
Loaded driver dmload.sys
Loaded driver dmio.sys
Loaded driver ACPIEC.sys
Loaded driver \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
Loaded driver PartMgr.sys
Loaded driver VolSnap.sys
Loaded driver atapi.sys
Loaded driver iaStor.sys
Loaded driver disk.sys
Loaded driver \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Loaded driver fltMgr.sys
Loaded driver sr.sys
Loaded driver PxHelp20.sys
Loaded driver KSecDD.sys
Loaded driver Ntfs.sys
Loaded driver NDIS.sys
Loaded driver Mup.sys
Did not load driver ACPI Multiprocessor PC
Did not load driver Audio Codecs
Did not load driver Legacy Audio Drivers
Did not load driver Media Control Devices
Did not load driver Legacy Video Capture Devices
Did not load driver Video Codecs
Did not load driver Audio Codecs
Did not load driver Legacy Audio Drivers
Did not load driver Media Control Devices
Did not load driver Legacy Video Capture Devices
Did not load driver Video Codecs
Did not load driver Intel Processor
Did not load driver Intel Processor
Did not load driver Audio Codecs
Did not load driver Legacy Audio Drivers
.......

The rest of this log and the latest MiniDump (zipped) are attached to this post.


----------



## Cookiegal (Aug 27, 2003)

*Click here* to download *HJTsetup.exe*.

Save HJTsetup.exe to your desktop.
Double click on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This. 
Continue to click *Next* in the setup dialogue boxes until you get to the *Select Additional Tasks* dialogue.
Put a check by *Create a desktop icon* then click *Next* again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click *Finish* and it will launch Hijack This.
Click on the *Do a system scan and save a log file* button. It will scan and then ask you to save the log.
Click *Save* to save the log file and then the log will open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
*DO NOT* have Hijack This fix anything yet. Most of what it finds will be harmless or even required. 

*Note: It would help a great deal and be very much appreciated if you would refrain from installing any new software or hardware on this machine, unless absolutely necessary, until the clean up process is finished as it makes our job more tedious, with additional new files that may have to be researched.*


----------



## Bruno58 (Feb 1, 2008)

Hi Cookiegal

Here are the logs as requested. I already have HJT (V2.0.2) installed and have attached the HijackThis log as well as a new startup log.

_Well, at least I tried, but it was more than 3000 characters in total so I have attached the startup log as a file._

Just to remind you that I can ONLY stay booted up in SAFE mode, so these logs were taken in safe mode. I will keep trying to get a log in the few seconds my PC is working in normal mode, if I get a log I will post it here.

I have also attached ntbtlog.txt and Mini122907-12.zip in my second post, if it helps.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:08:29, on 04/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [EPSON Stylus Photo RX420 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE /P31 "EPSON Stylus Photo RX420 Series" /O6 "USB001" /M "Stylus Photo RX420"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LaunchAp] "C:\Program Files\Launch Manager\LaunchAp.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HotkeyApp] "C:\Program Files\Launch Manager\HotkeyApp.exe"
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\RunOnce: [] C:\Program Files\Internet Explorer\iexplore.exe http://www.symantec.com/techsupp/se...uct=SymNRT&version=2008.0.1.19&build=Symantec
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM [email protected] 800-840\dslmon.exe
O4 - Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase370.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: bw+0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IZAR - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Neil\LOCALS~1\Temp\IZAR.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: OYQKQFMR - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Neil\LOCALS~1\Temp\OYQKQFMR.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
O23 - Service: XTHPRAPRTZS - Sysinternals - www.sysinternals.com - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\XTHPRAPRTZS.exe

--
End of file - 20988 bytes

Thanks for your help.
Please let me know if you need any more info.
At this stage I'm willing to TRY ANYTHING!
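The O23 (service) entries in the log above include three services registered from the user's Temp folder under a "Sysinternals" vendor string. As an added example (not code from this thread or from HijackThis), here is a small parser for HijackThis O23 lines with two defender-side heuristics: the executable lives in a temporary directory, and the display name is a bare uppercase token. The sample lines are copied from the posted log; the vendor text in such a log comes from the binary's own version information and is not verified, so a hit is a lead to investigate, not a verdict.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: O23 (Windows service) entries copied from the
# HijackThis log posted above, plus one non-O23 line to show it is ignored.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: IZAR - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Neil\LOCALS~1\Temp\IZAR.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: OYQKQFMR - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Neil\LOCALS~1\Temp\OYQKQFMR.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: XTHPRAPRTZS - Sysinternals - www.sysinternals.com - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\XTHPRAPRTZS.exe
"""

O23_PREFIX = "O23 - Service: "
# The executable path is the last " - " separated field and starts with a drive letter.
PATH_RE = re.compile(r" - (?P<path>[A-Za-z]:\\.*)$")
# Temporary locations, including the 8.3 short form "LOCALS~1" seen in the log.
TEMP_DIR_RE = re.compile(r"\\(temp|tmp|locals~1|local settings)\\", re.IGNORECASE)
# Display names that are a single run of capital letters (no words, digits, spaces).
BARE_UPPER_RE = re.compile(r"^[A-Z]{4,}$")


@dataclass
class Service:
    name: str
    vendor: str
    path: str
    reasons: list = field(default_factory=list)


def parse_o23(line: str):
    """Parse one HijackThis O23 line into a Service; return None for other lines."""
    line = line.strip()
    if not line.startswith(O23_PREFIX):
        return None
    body = line[len(O23_PREFIX):]
    m = PATH_RE.search(body)
    if not m:
        return None
    head = body[: m.start()]
    # The display name is the first field; the vendor string may itself contain
    # " - " (e.g. "Sysinternals - www.sysinternals.com"), so split only once.
    name, _, vendor = head.partition(" - ")
    return Service(name=name, vendor=vendor or "Unknown owner", path=m.group("path"))


def assess(svc: Service) -> Service:
    """Attach heuristic reasons why a service deserves a closer look (heuristics only)."""
    if TEMP_DIR_RE.search(svc.path):
        svc.reasons.append("executable lives in a temporary directory")
    if BARE_UPPER_RE.match(svc.name):
        svc.reasons.append("display name is a bare uppercase token")
    return svc


def find_suspicious(log_text: str) -> dict:
    """Return {display name: [reasons]} for every O23 entry that trips a heuristic."""
    flagged = {}
    for line in log_text.splitlines():
        svc = parse_o23(line)
        if svc is None:
            continue
        assess(svc)
        if svc.reasons:
            flagged[svc.name] = svc.reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in find_suspicious(SAMPLE_LOG).items():
        print(f"{name}: {'; '.join(reasons)}")
```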


----------



## Cookiegal (Aug 27, 2003)

Can you boot to safe mode with networking? If not, you can download this program to a CD and run it.

Please close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix and make sure you are disconnected from the Internet *after downloading the program and before scanning*.


*Very Important!* Temporarily *disable* your *anti-virus*, *script blocking* and any *anti-malware* real-time protection _*before*_ performing a scan. They can interfere with ComboFix and remove some of its embedded files which may cause _"unpredictable results"_.
Click on *this link* to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
*Remember to re-enable the protection again afterwards before connecting to the Internet.*

Download *ComboFix* and save it to your desktop.

***Note: In the event you already have ComboFix, this is a new version that I need you to download. It is important that it is saved directly to your desktop***

Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running ComboFix.

 WARNING: *IF you have not already done so ComboFix will disconnect your machine from the Internet when it starts. *
*Please do not re-connect your machine back to the Internet until ComboFix has completely finished.*
If there is no Internet connection when Combofix has completely finished then restart your computer to restore the connection.

Double-click on *combofix.exe* and follow the prompts. When finished, it will produce a report for you. Please post the *"C:\ComboFix.txt" *along with a *new HijackThis log* for further review.

***Note: Do not mouseclick comboFix's window while it's running. That may cause it to stall***


----------



## Bruno58 (Feb 1, 2008)

Hi again Cookiegal.

Here are the logs as requested.
I ran COMBOFIX in SAFE mode, there was no antivirus running (I use Bit Defender).
Once again it was over 30000 characters so I have attached the HJT log.
Do you want me to copy and paste LOGs or just attach them?

ComboFix 08-02.05.3 - Neil 2008-02-04 23:09:08.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.349 [GMT 0:00]
Running from: C:\Documents and Settings\Neil\My Documents\WCS\ComboFix.exe

*WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!*
.
The following files were disabled during the run:
C:\WINDOWS\system32\sockspy.dll

(((((((((((((((((((((((((((((((((((((((  Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

hxxp://assist.talktalk.net
.
((((((((((((((((((((((((( Files Created from 2008-01-04 to 2008-02-04 )))))))))))))))))))))))))))))))
.

2008-02-02 12:39 . 2007-12-19 11:06	172,032	--a------	C:\WINDOWS\system32\igfxres.dll
2008-02-01 17:17 . 2008-02-01 17:17	664	--a------	C:\WINDOWS\system32\d3d9caps.dat
2008-02-01 15:05 . 2008-02-01 15:05 d--------	C:\Documents and Settings\Neil\Application Data\Lavasoft
2008-02-01 15:04 . 2008-02-01 15:04 d--------	C:\Program Files\Lavasoft
2008-02-01 14:39 . 2008-02-01 14:39	25,600	--a------	C:\WINDOWS\system32\Partizan.exe
2008-02-01 13:10 . 2008-02-01 14:05 d--------	C:\WINDOWS\system32\ActiveScan
2008-02-01 13:10 . 2008-02-01 13:30	30,590	--a------	C:\WINDOWS\system32\pavas.ico
2008-02-01 13:10 . 2008-02-01 13:30	2,550	--a------	C:\WINDOWS\system32\Uninstall.ico
2008-02-01 13:10 . 2008-02-01 13:30	1,406	--a------	C:\WINDOWS\system32\Help.ico
2008-02-01 11:46 . 2008-02-01 13:07 d--------	C:\WINDOWS\BDOSCAN8
2008-02-01 10:34 . 2008-02-01 10:34 d--------	C:\Program Files\Trend Micro
2008-01-31 22:10 . 2008-01-31 23:19 d--------	C:\Documents and Settings\Neil\.housecall6.6
2008-01-31 20:55 . 2008-01-31 20:55 d--------	C:\WINDOWS\system32\Kaspersky Lab
2008-01-31 20:55 . 2008-01-31 20:55 d--------	C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-31 20:51 . 2008-01-31 20:51 d--------	C:\KAV
2008-01-31 20:26 . 2008-02-01 14:53 d--------	C:\Program Files\Common Files\Wise Installation Wizard
2008-01-31 18:13 . C:\WINDOWS\(2) C:\ComboFix\winstart.bat
2008-01-31 16:26 . 2007-01-18 12:00	3,968	--a------	C:\WINDOWS\system32\drivers\AvgArCln.sys
2008-01-31 14:04 . 2008-01-31 14:04 d--------	C:\Program Files\Spybot - Search & Destroy
2008-01-31 14:04 . 2008-01-31 14:43 d--------	C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-31 14:03 . 2008-01-31 14:03 d--------	C:\Program Files\CCleaner
2008-01-31 13:15 . 2008-01-31 13:15 d--------	C:\WINDOWS\system32\IOSUBSYS
2008-01-31 10:43 . 2008-02-01 16:19 d--------	C:\Program Files\Windows Live Safety Center
2008-01-09 15:01 . 2008-01-09 15:01	53,248	--a------	C:\WINDOWS\bdoscandel.exe
2008-01-09 15:01 . 2008-01-09 15:01	453	--a------	C:\WINDOWS\bdoscandellang.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-01 11:40	---------	d-----w	C:\Program Files\Common Files\Symantec Shared
2008-01-31 13:15	---------	d-----w	C:\Program Files\Picasa2
2008-01-04 08:51	920,088	----a-w	C:\WINDOWS\system32\igxpun.exe
2007-12-29 18:17	81,984	----a-w	C:\WINDOWS\system32\bdod.bin
2007-12-28 16:09	---------	d-----w	C:\Program Files\TalkTalk
2007-12-20 10:38	---------	d-----w	C:\Documents and Settings\Neil\Application Data\Steinberg
2007-12-19 11:40	147,456	----a-w	C:\WINDOWS\system32\igfxCoIn_v4906.dll
2007-12-19 11:32	57,344	----a-w	C:\WINDOWS\system32\igxprd32.dll
2007-12-19 11:32	5,854,688	----a-w	C:\WINDOWS\system32\drivers\igxpmp32.sys
2007-12-19 11:32	2,643,456	----a-w	C:\WINDOWS\system32\igxpdx32.dll
2007-12-19 11:32	151,040	----a-w	C:\WINDOWS\system32\igxpgd32.dll
2007-12-19 11:32	1,670,144	----a-w	C:\WINDOWS\system32\igxpdv32.dll
2007-12-19 11:22	294,912	----a-w	C:\WINDOWS\system32\igldev32.dll
2007-12-19 11:22	2,334,720	----a-w	C:\WINDOWS\system32\iglicd32.dll
2007-12-19 11:09	524,288	----a-w	C:\WINDOWS\system32\igfxcfg.exe
2007-12-19 11:08	159,744	----a-w	C:\WINDOWS\system32\hkcmd.exe
2007-12-19 11:08	135,168	----a-w	C:\WINDOWS\system32\igfxtray.exe
2007-12-19 11:07	48,128	----a-w	C:\WINDOWS\system32\igfxsrvc.dll
2007-12-19 11:07	249,856	----a-w	C:\WINDOWS\system32\igfxsrvc.exe
2007-12-19 11:07	24,576	----a-w	C:\WINDOWS\system32\igfxexps.dll
2007-12-19 11:07	208,896	----a-w	C:\WINDOWS\system32\igfxdev.dll
2007-12-19 11:07	204,800	----a-w	C:\WINDOWS\system32\igfxpph.dll
2007-12-19 11:07	163,840	----a-w	C:\WINDOWS\system32\igfxzoom.exe
2007-12-19 11:07	163,840	----a-w	C:\WINDOWS\system32\igfxext.exe
2007-12-19 11:07	135,168	----a-w	C:\WINDOWS\system32\igfxdo.dll
2007-12-19 11:07	131,072	----a-w	C:\WINDOWS\system32\igfxpers.exe
2007-12-19 11:07	102,400	----a-w	C:\WINDOWS\system32\hccutils.dll
2007-12-19 11:06	3,293,184	----a-w	C:\WINDOWS\system32\igfxress.dll
2007-12-12 12:32	---------	d-----w	C:\Program Files\Avery Wizard 3.1
2007-12-10 22:31	---------	d-----w	C:\Documents and Settings\All Users\Application Data\SupportSoft
2007-12-10 21:45	---------	d-----w	C:\Program Files\Common Files\SupportSoft
2007-11-14 07:26	450,560	----a-w	C:\WINDOWS\system32\dllcache\jscript.dll
2007-09-16 07:14	22,885	----a-w	C:\Program Files\uninstal.log
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-29 21:57 68856]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"@"="C:\Program Files\Internet Explorer\iexplore.exe" [2004-08-04 12:00 93184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo RX420 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.exe" [2004-04-09 03:00 98304]
"Wbutton"="C:\Program Files\Launch Manager\Wbutton.exe" [2006-05-04 10:34 86016]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-04-21 13:16 761946]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe" [2006-05-03 02:56 36975]
"SMSERIAL"="sm56hlpr.exe" [2006-01-20 10:34 544768 C:\WINDOWS\sm56hlpr.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 15:04 2879488 C:\WINDOWS\SkyTel.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-21 13:56 16261632 C:\WINDOWS\RTHDCPL.EXE]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-12-08 16:35 32768]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" [2006-06-26 09:34 614960]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe" [2006-06-26 08:46 497200]
"LaunchAp"="C:\Program Files\Launch Manager\LaunchAp.exe" [2005-07-25 13:36 32768]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 14:42 267064]
"HotkeyApp"="C:\Program Files\Launch Manager\HotkeyApp.exe" [2006-04-19 17:03 65536]
"BDMCon"="C:\Program Files\Softwin\BitDefender10\bdmcon.exe" [2007-04-02 16:48 290816]
"BDAgent"="C:\Program Files\Softwin\BitDefender10\bdagent.exe" [2007-03-26 15:49 69632]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-12-19 11:08 135168]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-12-19 11:08 159744]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-12-19 11:07 131072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 12:00 15360]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-28 01:17 443968]

C:\Documents and Settings\Neil\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-04-16 19:50:27 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
DSLMON.lnk - C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2007-06-03 13:47:16 962663]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2007-04-18 18:17:22 196608]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sockspy.dll

R1 bdftdif;BitDefender Firewall TDI Filter;C:\Program Files\Common Files\Softwin\BitDefender Firewall\bdftdif.sys [2007-02-02 17:41]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;C:\WINDOWS\system32\DRIVERS\bdfndisf.sys [2007-02-02 17:40]
S1 Hotkey;Hotkey;C:\WINDOWS\system32\drivers\Hotkey.sys [2003-04-28 11:27]
S3 01e7;01e7;C:\WINDOWS\system32\01e7.sys []
S3 091B;091B;C:\WINDOWS\system32\091B.sys []
S3 0b83;0b83;C:\WINDOWS\system32\0b83.sys []
S3 1dd10;1dd10;C:\WINDOWS\system32\1dd10.sys []
S3 1fbC;1fbC;C:\WINDOWS\system32\1fbC.sys []
S3 29b7;29b7;C:\WINDOWS\system32\29b7.sys []
S3 3512;3512;C:\WINDOWS\system32\3512.sys []
S3 3aaE;3aaE;C:\WINDOWS\system32\3aaE.sys []
S3 47617;47617;C:\WINDOWS\system32\47617.sys []
S3 4ca5;4ca5;C:\WINDOWS\system32\4ca5.sys []
S3 52b13;52b13;C:\WINDOWS\system32\52b13.sys []
S3 68013;68013;C:\WINDOWS\system32\68013.sys []
S3 70d8;70d8;C:\WINDOWS\system32\70d8.sys []
S3 72418;72418;C:\WINDOWS\system32\72418.sys []
S3 8399;8399;C:\WINDOWS\system32\8399.sys []
S3 85e6;85e6;C:\WINDOWS\system32\85e6.sys []
S3 886F;886F;C:\WINDOWS\system32\886F.sys []
S3 8a4B;8a4B;C:\WINDOWS\system32\8a4B.sys []
S3 8cc11;8cc11;C:\WINDOWS\system32\8cc11.sys []
S3 8eaD;8eaD;C:\WINDOWS\system32\8eaD.sys []
S3 92e15;92e15;C:\WINDOWS\system32\92e15.sys []
S3 9a2A;9a2A;C:\WINDOWS\system32\9a2A.sys []
S3 9e8C;9e8C;C:\WINDOWS\system32\9e8C.sys []
S3 a9810;a9810;C:\WINDOWS\system32\a9810.sys []
S3 aa18;aa18;C:\WINDOWS\system32\aa18.sys []
S3 d00F;d00F;C:\WINDOWS\system32\d00F.sys []
S3 d8716;d8716;C:\WINDOWS\system32\d8716.sys []
S3 ddb4;ddb4;C:\WINDOWS\system32\ddb4.sys []
S3 e3c12;e3c12;C:\WINDOWS\system32\e3c12.sys []
S3 e533;e533;C:\WINDOWS\system32\e533.sys []
S3 e8214;e8214;C:\WINDOWS\system32\e8214.sys []
S3 e954;e954;C:\WINDOWS\system32\e954.sys []
S3 fd714;fd714;C:\WINDOWS\system32\fd714.sys []
S3 IZAR;IZAR;C:\DOCUME~1\Neil\LOCALS~1\Temp\IZAR.exe [2008-02-01 17:19]
S3 OYQKQFMR;OYQKQFMR;C:\DOCUME~1\Neil\LOCALS~1\Temp\OYQKQFMR.exe [2008-02-01 10:27]
S3 XTHPRAPRTZS;XTHPRAPRTZS;C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\XTHPRAPRTZS.exe [2008-02-01 14:32]

.
Contents of the 'Scheduled Tasks' folder
"2007-11-03 07:53:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-04 23:11:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully 
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\sockspy.dll

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\WINDOWS\system32\sockspy.dll
.
Completion time: 2008-02-04 23:12:08
ComboFix-quarantined-files.txt 2008-02-04 23:12:01
.
2007-12-24 07:09:47	--- E O F ---

HJT log attached

Thanks for looking.


----------



## Cookiegal (Aug 27, 2003)

Pasting the log for easier viewing.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:14:15, on 04/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [EPSON Stylus Photo RX420 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE /P31 "EPSON Stylus Photo RX420 Series" /O6 "USB001" /M "Stylus Photo RX420"
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LaunchAp] "C:\Program Files\Launch Manager\LaunchAp.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HotkeyApp] "C:\Program Files\Launch Manager\HotkeyApp.exe"
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\RunOnce: [] C:\Program Files\Internet Explorer\iexplore.exe http://www.symantec.com/techsupp/se...uct=SymNRT&version=2008.0.1.19&build=Symantec
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase370.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: bw+0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IZAR - Unknown owner - C:\DOCUME~1\Neil\LOCALS~1\Temp\IZAR.exe (file missing)
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: OYQKQFMR - Unknown owner - C:\DOCUME~1\Neil\LOCALS~1\Temp\OYQKQFMR.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
O23 - Service: XTHPRAPRTZS - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\XTHPRAPRTZS.exe (file missing)

--
End of file - 20860 bytes
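
One way to triage the two logs above automatically, as an added example that is not part of ComboFix, HijackThis or the original posts: it flags services whose binary is missing or runs from a Temp folder, services with short hex-only random-looking names, and a populated AppInit_DLLs value (the three patterns visible in the logs). The sample lines are copied from this thread's logs; the 3-to-6-hex-character name rule is my own assumption.

```python
"""Triage ComboFix / HijackThis log lines for suspicious persistence entries.

Added example for this thread; not ComboFix's, HijackThis's or the posters' code.
"""
import re

# ComboFix service line: "S3 name;display;C:\path\file.sys [timestamp]" (empty [] = no file found)
COMBOFIX_SVC = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?) \[(?P<stamp>.*)\]\s*$"
)
# HijackThis O23 line: "O23 - Service: display - owner - path (file missing)"
HJT_O23 = re.compile(
    r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?\s*$"
)
# REGEDIT4-style value line from the "Reg Loading Points" section
APPINIT = re.compile(r'^"AppInit_DLLs"=(?P<value>.*)$', re.IGNORECASE)
# Assumption: 3-6 hex digits with nothing else is a random-looking name (01e7, 8eaD, fd714)
HEX_NAME = re.compile(r"^[0-9a-fA-F]{3,6}$")
# Any path component named Temp (covers C:\DOCUME~1\...\LOCALS~1\Temp\...)
TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)


def analyze_line(line):
    """Return a list of (entry, reason) findings for a single log line."""
    findings = []
    line = line.rstrip("\r\n")

    m = COMBOFIX_SVC.match(line)
    if m:
        name, path, stamp = m.group("name"), m.group("path"), m.group("stamp")
        if not stamp.strip():
            findings.append((name, "ComboFix service: no file timestamp, binary missing on disk"))
        if TEMP_DIR.search(path):
            findings.append((name, "ComboFix service: binary runs from a Temp folder"))
        if HEX_NAME.match(name):
            findings.append((name, "ComboFix service: short hex-only (random-looking) name"))
        return findings

    m = HJT_O23.match(line)
    if m:
        display, path = m.group("display"), m.group("path")
        if m.group("missing"):
            findings.append((display, "HJT O23 service: file missing"))
        if TEMP_DIR.search(path):
            findings.append((display, "HJT O23 service: binary runs from a Temp folder"))
        return findings

    m = APPINIT.match(line)
    if m:
        value = m.group("value").strip().strip('"')
        if value:
            # AppInit_DLLs is loaded into every process that links user32.dll,
            # which is why the log shows the same DLL inside winlogon.exe and lsass.exe
            findings.append((value, "AppInit_DLLs is set: DLL injected into user32-linked processes"))
    return findings


def analyze_log(text):
    """Run analyze_line over every line and collect all findings."""
    report = []
    for line in text.splitlines():
        report.extend(analyze_line(line))
    return report


# Constructed sample: lines copied from the ComboFix and HijackThis logs in this thread
SAMPLE_LOG = r"""
R1 bdftdif;BitDefender Firewall TDI Filter;C:\Program Files\Common Files\Softwin\BitDefender Firewall\bdftdif.sys [2007-02-02 17:41]
S1 Hotkey;Hotkey;C:\WINDOWS\system32\drivers\Hotkey.sys [2003-04-28 11:27]
S3 01e7;01e7;C:\WINDOWS\system32\01e7.sys []
S3 8eaD;8eaD;C:\WINDOWS\system32\8eaD.sys []
S3 IZAR;IZAR;C:\DOCUME~1\Neil\LOCALS~1\Temp\IZAR.exe [2008-02-01 17:19]
"AppInit_DLLs"=sockspy.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: OYQKQFMR - Unknown owner - C:\DOCUME~1\Neil\LOCALS~1\Temp\OYQKQFMR.exe (file missing)
"""

if __name__ == "__main__":
    for entry, reason in analyze_log(SAMPLE_LOG):
        print(f"{entry:12s} {reason}")
```

Legitimate entries such as the BitDefender driver and the Google updater service produce no findings, so the output is only the entries worth quarantining or investigating.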


----------



## Cookiegal (Aug 27, 2003)

Go to Control Panel - Add/Remove programs and remove:

*Logitech Desktop Messenger* (this is not required)

Please close/disable all anti-virus and anti-malware programs so they do not interfere with the running of SDFix and make sure you are disconnected from the Internet after downloading the program but before extracting the files.


*Very Important!* Temporarily *disable* your *anti-virus*, *script blocking* and any *anti-malware* real-time protection _*before*_ performing a scan. They can interfere with SDFix and remove some of its embedded files which may cause _"unpredictable results"_.
Click on *this link* to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
*Remember to re-enable the protection again afterwards before connecting to the Internet.*

Download *SDFix* and save it to your Desktop.

Double click *SDFix.exe* and it will extract the files to %systemdrive% 
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in *Safe Mode* by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually
Instead of Windows loading as normal, the Advanced Options Menu should appear
Select the first option, to run Windows in Safe Mode, then press *Enter*
Choose your usual account.

Open the extracted SDFix folder and double click *RunThis.bat* to start the script. 
Type *Y* to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to reboot. 
Press any Key and it will restart the PC. 
When the PC restarts the Fixtool will run again and complete the removal process then display *Finished*, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as *Report.txt* 
(Report.txt will also be copied to the clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum with a new HijackThis log


----------



## Bruno58 (Feb 1, 2008)

Hi again Cookiegal and thanks for your continued efforts.

I downloaded SDFIX in safe mode with networking as I can only boot up in safe mode.
I have not disabled anything as I am in SAFE mode.
I followed your instructions and ran SDFIX, it came up with a few "file is corrupt or unreadable. Please run the CHKDSK utility". This was rather odd as I had recently run a full CHKDSK /R and everything was fine. All the files mentioned were in SKYPE.

Anyhow after OK to all those messages I was back at the press Y, which I did.
The PC rebooted and all by itself started a CHKDSK which found some index errors ($I30) and it seems to have sorted itself out.

The PC rebooted again - displayed the desktop (corrupt) and crashed
STOP: 0x0000008E (0xC0000005, 0x805924E1, 0xF88029D0, 0x00000000)
I pressed the ON/OFF switch and rebooted again, this time it crashed with
STOP: 0x0000008E (0xC0000005, 0x805924E1, 0xF7A759D0, 0x00000000)

When Windows started in normal mode, it also came up with a blue screen:
REGRUN PARTICIAN - BOOTWATCH ANTIROOTKIT GRATIS SOFTWARE (c) 2007-2008
This was one of the rootkit detectors I had run before I posted here.

So back to good old SAFE mode with networking.
I have attached the new MiniDumps as well.

Do you think this is a virus infection rather than a driver problem?

Hope all this means something to you and you can still help.

Thanks.

REPORT.TXT

SDFix: Version 1.137

Run by Neil on 05/02/2008 at 22:04

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

No Trojan Files Found

Removing Temp Files...

ADS Check:

HJT log 7
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:35:49, on 05/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [EPSON Stylus Photo RX420 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE /P31 "EPSON Stylus Photo RX420 Series" /O6 "USB001" /M "Stylus Photo RX420"
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LaunchAp] "C:\Program Files\Launch Manager\LaunchAp.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HotkeyApp] "C:\Program Files\Launch Manager\HotkeyApp.exe"
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\RunOnce: [] C:\Program Files\Internet Explorer\iexplore.exe http://www.symantec.com/techsupp/se...uct=SymNRT&version=2008.0.1.19&build=Symantec
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM [email protected] 800-840\dslmon.exe
O4 - Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase370.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: bw+0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {3B0CB089-9F4F-4BFC-8107-2766DEF1BC63} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IZAR - Unknown owner - C:\DOCUME~1\Neil\LOCALS~1\Temp\IZAR.exe (file missing)
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: OYQKQFMR - Unknown owner - C:\DOCUME~1\Neil\LOCALS~1\Temp\OYQKQFMR.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
O23 - Service: XTHPRAPRTZS - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\XTHPRAPRTZS.exe (file missing)

--
End of file - 20967 bytes


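The O23 entries in the log above include three services (IZAR, OYQKQFMR, XTHPRAPRTZS) that share a pattern legitimate software rarely combines: no recorded publisher, an all-caps random name, a binary under a user's Temp folder, and a file that is no longer on disk. As an added example, not part of this thread or of HijackThis, this Python scores O23 lines on those traits; the sample lines are copied from the log posted above.

```python
"""Triage HijackThis O23 (service) entries for signs of a rogue service.

Added example, not part of this thread and not HijackThis code. It scores
each O23 line on traits that legitimate services rarely combine: no
recorded publisher ("Unknown owner"), a binary under a user's Temp folder,
an all-caps pseudo-random name, and a binary that is no longer on disk.
"""
import re
from dataclasses import dataclass, field

# O23 - Service: <display name> - <owner> - <path> [(file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)
# 8.3 short form and long form of a per-user Temp directory on Windows XP.
TEMP_PATH_RE = re.compile(r"\\LOCALS~1\\Temp\\|\\Local Settings\\Temp\\", re.IGNORECASE)
# Four or more capital letters and nothing else, e.g. IZAR or XTHPRAPRTZS.
RANDOM_NAME_RE = re.compile(r"[A-Z]{4,}")


@dataclass
class ServiceFinding:
    name: str
    owner: str
    path: str
    reasons: list = field(default_factory=list)


def score_o23(line):
    """Return a ServiceFinding for one O23 line (reasons may be empty), or None for other lines."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    f = ServiceFinding(m["name"], m["owner"], m["path"])
    if m["owner"].lower() == "unknown owner":
        f.reasons.append("no publisher recorded")
    if m["missing"]:
        f.reasons.append("service binary missing on disk")
    if TEMP_PATH_RE.search(m["path"]):
        f.reasons.append("binary installed under a user Temp folder")
    if RANDOM_NAME_RE.fullmatch(m["name"]):
        f.reasons.append("all-caps pseudo-random service name")
    return f


def triage_o23(lines, min_reasons=2):
    """Return findings with at least min_reasons traits.

    A single trait is common for legitimate software (BitDefender's bdss
    service above has no owner recorded), so one trait alone is not reported.
    """
    out = []
    for line in lines:
        f = score_o23(line)
        if f is not None and len(f.reasons) >= min_reasons:
            out.append(f)
    return out


# Lines copied from the HijackThis log posted above (not constructed).
SAMPLE_O23_LINES = r"""
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: IZAR - Unknown owner - C:\DOCUME~1\Neil\LOCALS~1\Temp\IZAR.exe (file missing)
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: OYQKQFMR - Unknown owner - C:\DOCUME~1\Neil\LOCALS~1\Temp\OYQKQFMR.exe (file missing)
O23 - Service: XTHPRAPRTZS - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\XTHPRAPRTZS.exe (file missing)
""".strip().splitlines()

if __name__ == "__main__":
    for f in triage_o23(SAMPLE_O23_LINES):
        print(f"{f.name}: {f.path}")
        for r in f.reasons:
            print(f"  - {r}")
```

A "(file missing)" entry still matters after the binary is gone: the service registration is persistence that will relaunch anything later dropped at that path.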
----------



## Bruno58 (Feb 1, 2008)

Hi again Cookiegal.

As I have been running for weeks in SAFE mode I totally forgot that I had BitDefender running and I am pretty sure that I also installed AdAware and SpyBot in SAFE mode.

I have just realised that these applications were probably running as soon as the PC finished running SDFIX in SAFE mode and booted up in NORMAL mode.

SORRY!

Should I disable all the above (in SAFE mode - how???) and try SDFIX again?

PS
I am rather looking forward to my late night "homework", well late night for me anyhow.


----------



## Cookiegal (Aug 27, 2003)

There is a long list of odd drivers shown in ComboFix but all of them have their files missing and I wanted to see if SDFix could find something. It's possible it's malware related since you had some before and we need to rule that out.

Download GMER from: http://gmer.net/index.php

Save it somewhere on your hard drive and unzip it to desktop.

Double click the gmer.exe to run it and select the rootkit tab and press scan. When the scan is done, click *Copy*. This will copy the report to the clipboard. Paste it into Notepad and save it and also paste the log report back here please.

Also, please go to *Start* - *Run* - type in *eventvwr.msc* to open the event viewer. Look under both "application" and "system" for recent errors shown in red and if found, do this for each one.

Double-click the error to open it up and then click on the icon that looks like two pieces of paper. This will copy the full error. Then "paste" the error into Notepad. Do this for each one until you have them all listed in Notepad and then copy and paste the list in a reply here please.


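GMER's "User code sections" report one detected hook per line: the process and PID, the patched export (module!function), how many bytes were overwritten, and the JMP target with the DLL that owns it ("5 Bytes JMP" is an inline patch of the function's first five bytes). As an added example, not part of this thread or of GMER, this Python parses such lines and groups the hooks by the DLL they jump into, so a reviewer can see which processes and APIs a single DLL has patched; the DLL names and addresses in the sample are constructed placeholders, not verdicts on any file in this thread.

```python
"""Parse the "User code sections" of a GMER rootkit-scan report.

Added example, not part of this thread and not GMER's own code. Each hook
line records that the first N bytes of an exported function were replaced
with a JMP into another DLL. The parser groups hooks by the DLL owning the
JMP target and flags DLLs that patch logon or credential-handling processes.
The hooking DLLs and addresses in SAMPLE_REPORT are constructed placeholders.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

HOOK_RE = re.compile(
    r"^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<function>\S+)\s+"
    r"(?P<address>[0-9A-Fa-f]+)\s+(?P<size>\d+) Bytes\s+"
    r"(?P<kind>JMP|CALL)\s+(?P<target>[0-9A-Fa-f]+)\s+(?P<dll>.+?)\s*$"
)

# Processes where a third-party hook on Winsock or LoadLibrary deserves a
# second look: they mediate logon and hold credentials, and make few network
# calls of their own.
SENSITIVE_PROCESSES = frozenset({"lsass.exe", "winlogon.exe", "services.exe", "csrss.exe"})


@dataclass(frozen=True)
class Hook:
    process: str    # image name only, lower-cased, e.g. "lsass.exe"
    pid: int
    module: str     # DLL whose export was patched, e.g. "WS2_32.dll"
    function: str   # patched export, e.g. "connect"
    size: int       # bytes overwritten at the function entry
    address: int    # address of the patched function
    target: int     # where the JMP lands
    dll: str        # full path of the DLL that owns the target


def parse_hooks(report_lines):
    """Return a Hook for every user-code hook line; headers and device lines are skipped."""
    hooks = []
    for line in report_lines:
        m = HOOK_RE.match(line.rstrip())
        if not m:
            continue
        hooks.append(Hook(
            process=m["process"].rsplit("\\", 1)[-1].lower(),
            pid=int(m["pid"]),
            module=m["module"],
            function=m["function"],
            size=int(m["size"]),
            address=int(m["address"], 16),
            target=int(m["target"], 16),
            dll=m["dll"],
        ))
    return hooks


def hooks_by_dll(hooks):
    """Map each hooking DLL to {process: sorted 'module!function' list} it patched."""
    grouped = defaultdict(lambda: defaultdict(set))
    for h in hooks:
        grouped[h.dll][h.process].add(f"{h.module}!{h.function}")
    return {dll: {p: sorted(fns) for p, fns in procs.items()} for dll, procs in grouped.items()}


def flag_sensitive(hooks):
    """Return {dll: sorted sensitive processes} for DLLs hooking SENSITIVE_PROCESSES."""
    flagged = defaultdict(set)
    for h in hooks:
        if h.process in SENSITIVE_PROCESSES:
            flagged[h.dll].add(h.process)
    return {dll: sorted(procs) for dll, procs in flagged.items()}


# Constructed sample in GMER's report layout; example_hook.dll and overlay.dll
# are placeholders, as are the addresses.
SAMPLE_REPORT = r"""
GMER 1.0.14.14116 - http://www.gmer.net
---- User code sections - GMER 1.0.14 ----

.text C:\WINDOWS\system32\lsass.exe[1276] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 10003090 C:\WINDOWS\system32\example_hook.dll
.text C:\WINDOWS\system32\lsass.exe[1276] WS2_32.dll!connect 71AB406A 5 Bytes JMP 10002DA0 C:\WINDOWS\system32\example_hook.dll
.text C:\WINDOWS\system32\winlogon.exe[1212] WS2_32.dll!send 71AB428A 5 Bytes JMP 10002AA0 C:\WINDOWS\system32\example_hook.dll
.text C:\WINDOWS\Explorer.EXE[1896] WS2_32.dll!gethostbyname 71AB4FD4 5 Bytes JMP 10002D70 C:\WINDOWS\system32\example_hook.dll
.text C:\Program Files\Example\app.exe[2020] user32.dll!MessageBoxA 7E4507EA 5 Bytes JMP 00401000 C:\Program Files\Example\overlay.dll

---- Devices - GMER 1.0.14 ----
AttachedDevice \Driver\Tcpip \Device\Tcp bdftdif.sys (BitDefender Firewall TDI Filter Driver/Softwin SRL)
---- EOF - GMER 1.0.14 ----
""".strip().splitlines()

if __name__ == "__main__":
    hooks = parse_hooks(SAMPLE_REPORT)
    for dll, procs in hooks_by_dll(hooks).items():
        print(dll)
        for proc, fns in procs.items():
            print(f"  {proc}: {', '.join(fns)}")
    print("hooks into sensitive processes:", flag_sensitive(hooks))
```

A DLL that appears under every process, including lsass.exe and winlogon.exe, is the one to identify first; a DLL hooking only its own application (overlay.dll above) is the usual shape of a legitimate in-process hook.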
----------



## Bruno58 (Feb 1, 2008)

Wow - that was a quick reply.

GMER 1.0.14.14116 - http://www.gmer.net
Rootkit scan 2008-02-05 23:33:14
Windows 5.1.2600 Service Pack 2

---- User code sections - GMER 1.0.14 ----

.text C:\WINDOWS\system32\wbem\wmiprvse.exe[568] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 10003090 C:\WINDOWS\system32\sockspy.dll
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[568] WS2_32.dll!sendto 71AB2C69 5 Bytes JMP 10002D10 C:\WINDOWS\system32\sockspy.dll
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[568] WS2_32.dll!recvfrom 71AB2D0F 5 Bytes JMP 10002CA0 C:\WINDOWS\system32\sockspy.dll
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[568] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 10003020 C:\WINDOWS\system32\sockspy.dll
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[568] WS2_32.dll!connect 71AB406A 5 Bytes JMP 10002DA0 C:\WINDOWS\system32\sockspy.dll
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[568] WS2_32.dll!send 71AB428A 5 Bytes JMP 10002AA0 C:\WINDOWS\system32\sockspy.dll
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[568] WS2_32.dll!gethostbyname 71AB4FD4 5 Bytes JMP 10002D70 C:\WINDOWS\system32\sockspy.dll
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[568] WS2_32.dll!listen 71AB88D3 5 Bytes JMP 10002A60 C:\WINDOWS\system32\sockspy.dll
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[568] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 10003060 C:\WINDOWS\system32\sockspy.dll
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[568] WS2_32.dll!accept 71AC1028 5 Bytes JMP 10002F30 C:\WINDOWS\system32\sockspy.dll
.text C:\WINDOWS\system32\winlogon.exe[1212] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 10003090 C:\WINDOWS\system32\sockspy.dll
.text C:\WINDOWS\system32\winlogon.exe[1212] WS2_32.dll!sendto 71AB2C69 5 Bytes JMP 10002D10 C:\WINDOWS\system32\sockspy.dll
.text C:\WINDOWS\system32\winlogon.exe[1212] WS2_32.dll!recvfrom 71AB2D0F 5 Bytes JMP 10002CA0 C:\WINDOWS\system32\sockspy.dll
.text C:\WINDOWS\system32\winlogon.exe[1212] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 10003020 C:\WINDOWS\system32\sockspy.dll
.text C:\WINDOWS\system32\winlogon.exe[1212] WS2_32.dll!connect 71AB406A 5 Bytes JMP 10002DA0 C:\WINDOWS\system32\sockspy.dll
.text C:\WINDOWS\system32\winlogon.exe[1212] WS2_32.dll!send 71AB428A 5 Bytes JMP 10002AA0 C:\WINDOWS\system32\sockspy.dll
.text C:\WINDOWS\system32\winlogon.exe[1212] WS2_32.dll!gethostbyname 71AB4FD4 5 Bytes JMP 10002D70 C:\WINDOWS\system32\sockspy.dll
.text C:\WINDOWS\system32\winlogon.exe[1212] WS2_32.dll!listen 71AB88D3 5 Bytes JMP 10002A60 C:\WINDOWS\system32\sockspy.dll
.text C:\WINDOWS\system32\winlogon.exe[1212] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 10003060 C:\WINDOWS\system32\sockspy.dll
.text C:\WINDOWS\system32\winlogon.exe[1212] WS2_32.dll!accept 71AC1028 5 Bytes JMP 10002F30 C:\WINDOWS\system32\sockspy.dll
.text C:\WINDOWS\system32\services.exe[1256] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 10003090 C:\WINDOWS\system32\sockspy.dll
.text C:\WINDOWS\system32\savedump.exe[1268] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 10003090 C:\WINDOWS\system32\sockspy.dll
.text C:\WINDOWS\system32\lsass.exe[1276] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 10003090 C:\WINDOWS\system32\sockspy.dll
.text C:\WINDOWS\system32\lsass.exe[1276] WS2_32.dll!sendto 71AB2C69 5 Bytes JMP 10002D10 C:\WINDOWS\system32\sockspy.dll
.text C:\WINDOWS\system32\lsass.exe[1276] WS2_32.dll!recvfrom 71AB2D0F 5 Bytes JMP 10002CA0 C:\WINDOWS\system32\sockspy.dll
.text C:\WINDOWS\system32\lsass.exe[1276] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 10003020 C:\WINDOWS\system32\sockspy.dll
.text C:\WINDOWS\system32\lsass.exe[1276] WS2_32.dll!connect 71AB406A 5 Bytes JMP 10002DA0 C:\WINDOWS\system32\sockspy.dll
.text C:\WINDOWS\system32\lsass.exe[1276] WS2_32.dll!send 71AB428A 5 Bytes JMP 10002AA0 C:\WINDOWS\system32\sockspy.dll
.text C:\WINDOWS\system32\lsass.exe[1276] WS2_32.dll!gethostbyname 71AB4FD4 5 Bytes JMP 10002D70 C:\WINDOWS\system32\sockspy.dll
.text C:\WINDOWS\system32\lsass.exe[1276] WS2_32.dll!listen 71AB88D3 5 Bytes JMP 10002A60 C:\WINDOWS\system32\sockspy.dll
.text C:\WINDOWS\system32\lsass.exe[1276] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 10003060 C:\WINDOWS\system32\sockspy.dll
.text C:\WINDOWS\system32\lsass.exe[1276] WS2_32.dll!accept 71AC1028 5 Bytes JMP 10002F30 C:\WINDOWS\system32\sockspy.dll
.text C:\WINDOWS\Explorer.EXE[1896] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 10003090 C:\WINDOWS\system32\sockspy.dll
.text C:\WINDOWS\Explorer.EXE[1896] WS2_32.dll!sendto 71AB2C69 5 Bytes JMP 10002D10 C:\WINDOWS\system32\sockspy.dll
.text C:\WINDOWS\Explorer.EXE[1896] WS2_32.dll!recvfrom 71AB2D0F 5 Bytes JMP 10002CA0 C:\WINDOWS\system32\sockspy.dll
.text C:\WINDOWS\Explorer.EXE[1896] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 10003020 C:\WINDOWS\system32\sockspy.dll
.text C:\WINDOWS\Explorer.EXE[1896] WS2_32.dll!connect 71AB406A 5 Bytes JMP 10002DA0 C:\WINDOWS\system32\sockspy.dll
.text C:\WINDOWS\Explorer.EXE[1896] WS2_32.dll!send 71AB428A 5 Bytes JMP 10002AA0 C:\WINDOWS\system32\sockspy.dll
.text C:\WINDOWS\Explorer.EXE[1896] WS2_32.dll!gethostbyname 71AB4FD4 5 Bytes JMP 10002D70 C:\WINDOWS\system32\sockspy.dll
.text C:\WINDOWS\Explorer.EXE[1896] WS2_32.dll!listen 71AB88D3 5 Bytes JMP 10002A60 C:\WINDOWS\system32\sockspy.dll
.text C:\WINDOWS\Explorer.EXE[1896] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 10003060 C:\WINDOWS\system32\sockspy.dll
.text C:\WINDOWS\Explorer.EXE[1896] WS2_32.dll!accept 71AC1028 5 Bytes JMP 10002F30 C:\WINDOWS\system32\sockspy.dll

---- Devices - GMER 1.0.14 ----

AttachedDevice \Driver\Tcpip \Device\Ip bdftdif.sys (BitDefender Firewall TDI Filter Driver/Softwin SRL)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp bdpredir.sys (BitDefender Proxy Redirector Driver/Softwin SRL)
AttachedDevice \Driver\Tcpip \Device\Tcp bdftdif.sys (BitDefender Firewall TDI Filter Driver/Softwin SRL)
AttachedDevice \Driver\Tcpip \Device\Udp bdftdif.sys (BitDefender Firewall TDI Filter Driver/Softwin SRL)
AttachedDevice \Driver\Tcpip \Device\RawIp bdftdif.sys (BitDefender Firewall TDI Filter Driver/Softwin SRL)

---- EOF - GMER 1.0.14 ----

I had loads and loads of Application and System errors, is this normal?
So I have attached a WORD document (ZIP) with screen dumps of Application and some System errors. Please have a look and let me know if you would like any more text from them.

As far as I can remember all these problems started after the 20th of December, or thereabouts.

Result of ERRORS in EVENTVWR.MSC

Event Type:	Error
Event Source:	Application Error
Event Category:	None
Event ID:	1000
Date: 04/02/2008
Time: 09:58:03
User: N/A
Computer:	NEIL
Description:
Faulting application iexplore.exe, version 6.0.2900.2180, faulting module sockspy.dll, version 0.0.0.0, fault address 0x0000104a.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 69 65 78 ure iex
0018: 70 6c 6f 72 65 2e 65 78 plore.ex
0020: 65 20 36 2e 30 2e 32 39 e 6.0.29
0028: 30 30 2e 32 31 38 30 20 00.2180 
0030: 69 6e 20 73 6f 63 6b 73 in socks
0038: 70 79 2e 64 6c 6c 20 30 py.dll 0
0040: 2e 30 2e 30 2e 30 20 61 .0.0.0 a
0048: 74 20 6f 66 66 73 65 74 t offset
0050: 20 30 30 30 30 31 30 34 0000104
0058: 61 0d 0a a..

Event Type:	Error
Event Source:	Userenv
Event Category:	None
Event ID:	1505
Date: 02/02/2008
Time: 09:59:28
User: S-1-5-21-1719712599-3740830519-3362814715-1006
Computer:	NEIL
Description:
Windows cannot load the user's profile but has logged you on with the default profile for the system.

DETAIL - The system has attempted to load or restore a file into the registry, but the specified file is not in a registry file format.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Userenv
Event Category:	None
Event ID:	1508
Date: 02/02/2008
Time: 09:59:14
User: NT AUTHORITY\SYSTEM
Computer:	NEIL
Description:
Windows was unable to load the registry. This is often caused by insufficient memory or insufficient security rights.

DETAIL - The system has attempted to load or restore a file into the registry, but the specified file is not in a registry file format. for C:\Documents and Settings\WCS\Local Settings\Application Data\Microsoft\Windows\\UsrClass.dat

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Userenv
Event Category:	None
Event ID:	1505
Date: 02/02/2008
Time: 09:08:12
User: S-1-5-21-1719712599-3740830519-3362814715-1006
Computer:	NEIL
Description:
Windows cannot load the user's profile but has logged you on with the default profile for the system.

DETAIL - The system has attempted to load or restore a file into the registry, but the specified file is not in a registry file format.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Userenv
Event Category:	None
Event ID:	1508
Date: 02/02/2008
Time: 09:08:01
User: NT AUTHORITY\SYSTEM
Computer:	NEIL
Description:
Windows was unable to load the registry. This is often caused by insufficient memory or insufficient security rights.

DETAIL - The system has attempted to load or restore a file into the registry, but the specified file is not in a registry file format. for C:\Documents and Settings\WCS\Local Settings\Application Data\Microsoft\Windows\\UsrClass.dat

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	MsiInstaller
Event Category:	None
Event ID:	1008
Date: 01/02/2008
Time: 16:21:02
User: NEIL\Neil
Computer:	NEIL
Description:
The installation of C:\WINDOWS\Installer\be339.msi is not permitted due to an error in software restriction policy processing. The object cannot be trusted.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	MsiInstaller
Event Category:	None
Event ID:	1008
Date: 01/02/2008
Time: 16:21:01
User: NEIL\Neil
Computer:	NEIL
Description:
The installation of C:\WINDOWS\Installer\be339.msi is not permitted due to an error in software restriction policy processing. The object cannot be trusted.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	MsiInstaller
Event Category:	None
Event ID:	1008
Date: 01/02/2008
Time: 16:21:01
User: NEIL\Neil
Computer:	NEIL
Description:
The installation of C:\WINDOWS\Installer\1c19b.msi is not permitted due to an error in software restriction policy processing. The object cannot be trusted.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	MsiInstaller
Event Category:	None
Event ID:	1008
Date: 01/02/2008
Time: 16:21:01
User: NEIL\Neil
Computer:	NEIL
Description:
The installation of C:\WINDOWS\Installer\1c19b.msi is not permitted due to an error in software restriction policy processing. The object cannot be trusted.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	MsiInstaller
Event Category:	None
Event ID:	1008
Date: 01/02/2008
Time: 16:21:01
User: NEIL\Neil
Computer:	NEIL
Description:
The installation of C:\WINDOWS\Installer\8d5a2.msi is not permitted due to an error in software restriction policy processing. The object cannot be trusted.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	MsiInstaller
Event Category:	None
Event ID:	1008
Date: 01/02/2008
Time: 16:21:01
User: NEIL\Neil
Computer:	NEIL
Description:
The installation of C:\WINDOWS\Installer\8d5a2.msi is not permitted due to an error in software restriction policy processing. The object cannot be trusted.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	MsiInstaller
Event Category:	None
Event ID:	1008
Date: 01/02/2008
Time: 16:21:01
User: NEIL\Neil
Computer:	NEIL
Description:
The installation of C:\WINDOWS\Installer\be568.msi is not permitted due to an error in software restriction policy processing. The object cannot be trusted.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Thanks.
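An added triage script for the GMER and Event Viewer output quoted above (this is example code written for this page, not GMER's output format tooling or anything the poster ran). It parses the `.text <process>[pid] <module>!<export> ... JMP <addr> <dll>` hook lines, groups them by the DLL that owns the jump target, and cross-references those DLLs with the "faulting module" named in Application Error events, so the reader can see why a third-party DLL that hooks Winsock calls inside lsass.exe and also crashes Internet Explorer stands out. The sample lines are copied from the log above; the list of "sensitive" process names is an assumption of the example.

```python
"""Group GMER user-mode hooks by hooking DLL and cross-check crash events.

Added example for this thread, not code from GMER or from the poster.
"""
import re
from collections import defaultdict

# Sample lines copied from the GMER log and event entry quoted in the thread.
GMER_SAMPLE = r"""
.text C:\WINDOWS\system32\lsass.exe[1276] WS2_32.dll!send 71AB428A 5 Bytes JMP 10002AA0 C:\WINDOWS\system32\sockspy.dll
.text C:\WINDOWS\system32\lsass.exe[1276] WS2_32.dll!gethostbyname 71AB4FD4 5 Bytes JMP 10002D70 C:\WINDOWS\system32\sockspy.dll
.text C:\WINDOWS\Explorer.EXE[1896] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 10003090 C:\WINDOWS\system32\sockspy.dll
.text C:\WINDOWS\Explorer.EXE[1896] WS2_32.dll!connect 71AB406A 5 Bytes JMP 10002DA0 C:\WINDOWS\system32\sockspy.dll
AttachedDevice \Driver\Tcpip \Device\Tcp bdftdif.sys (BitDefender Firewall TDI Filter Driver/Softwin SRL)
"""

EVENT_SAMPLE = """
Faulting application iexplore.exe, version 6.0.2900.2180, faulting module sockspy.dll, version 0.0.0.0, fault address 0x0000104a.
"""

# One GMER inline-hook line: process[pid] module!export address N Bytes JMP target dll
HOOK_RE = re.compile(
    r"^\.text (?P<proc>.+?)\[(?P<pid>\d+)\] "
    r"(?P<mod>[^!\s]+)!(?P<func>\S+) (?P<addr>[0-9A-Fa-f]+) "
    r"(?P<n>\d+) Bytes JMP (?P<target>[0-9A-Fa-f]+) (?P<dll>.+)$"
)
FAULT_RE = re.compile(r"faulting module (?P<dll>[^,]+), version")

# Assumption of this example: processes where third-party network hooks are least expected.
SENSITIVE_PROCS = {"lsass.exe", "winlogon.exe", "services.exe", "csrss.exe"}
NETWORK_MODS = {"ws2_32.dll", "wsock32.dll"}


def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_hooks(text):
    """Return one dict per .text hook line; other GMER sections are skipped."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["proc"] = basename(d["proc"])
            d["dll"] = basename(d["dll"])
            d["mod"] = d["mod"].lower()
            hooks.append(d)
    return hooks


def faulting_modules(text):
    """Set of module names reported as 'faulting module' in Event ID 1000 text."""
    return {basename(m.group("dll")) for m in FAULT_RE.finditer(text)}


def summarize(hooks):
    """Map hooking DLL -> processes it lives in and exports it redirects."""
    by_dll = defaultdict(lambda: {"processes": set(), "functions": set()})
    for h in hooks:
        by_dll[h["dll"]]["processes"].add(h["proc"])
        by_dll[h["dll"]]["functions"].add(h["mod"] + "!" + h["func"])
    return dict(by_dll)


def triage(gmer_text, event_text):
    """Return {dll: [reasons it deserves a closer look]}."""
    crashed = faulting_modules(event_text)
    findings = {}
    for dll, info in summarize(parse_hooks(gmer_text)).items():
        reasons = []
        net = {f for f in info["functions"] if f.split("!")[0] in NETWORK_MODS}
        if net:
            reasons.append(f"hooks {len(net)} Winsock export(s)")
        sensitive = info["processes"] & SENSITIVE_PROCS
        if sensitive:
            reasons.append("injected into " + ", ".join(sorted(sensitive)))
        if "kernel32.dll!loadlibrarya" in {f.lower() for f in info["functions"]}:
            reasons.append("hooks LoadLibraryA (can intercept later DLL loads)")
        if dll in crashed:
            reasons.append("named as faulting module in Application Error events")
        findings[dll] = reasons
    return findings


if __name__ == "__main__":
    for dll, reasons in triage(GMER_SAMPLE, EVENT_SAMPLE).items():
        print(dll)
        for r in reasons:
            print("  -", r)
```

Run against the full log the script only needs the hook section and the Event Viewer text pasted into the two sample strings; the BitDefender `AttachedDevice` lines are deliberately ignored because they carry a vendor name and are a different class of entry.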


----------



## Cookiegal (Aug 27, 2003)

What is it that you've been trying to install that is not being allowed? It looks like Software Restriction Policies is preventing the download.

Is this a networked computer?

I see you're running XP Pro. How much RAM do you have? What is the size of the paging file?

To find that information, do this:

Click Start, and then click Control Panel. 
If in Category view, click Performance and Maintenance and then click System (if in Classic view just click System). 
On the Advanced tab, under Performance, click Settings. 
On the Advanced tab, under Virtual memory, click Change. 
Don't change anything but let me know what it says the size of the initial file is. 


I'm going to ask someone else to look at these errors.


----------



## Bruno58 (Feb 1, 2008)

I've been trying to install all sort of antivirus / spyware programs.
The only one I can remember failing was the latest AdAware which gave me some sort of policy error. It may have also popped up on some anti-rootkit software.

"The system administrator has set policies to prevent this installation"

Not really sure what this all means.
In the end I downloaded an older version of AdAware which worked, and found nothing.

Yes - this PC runs on a network, sometimes!
Well I use it to share and print to other PCs and it has an Ethernet card and a Wireless card built in (for access to Internet via router).

It is running XP PRO Version 2002 SP2.
The Virtual Memory screen says Initial Size 756, Max 1512 (Custom Size)
The first System Property screen says 504Mb of RAM
System Information says 512.00 MB

I did find some SpyWare when I used SpyBot - see attached file.

SORRY to cause you so many problems.


----------



## Rollin' Rog (Dec 9, 2000)

It looks like you have a damaged User Profile -- so I would really recommend you go to the Control Panel > User Accounts and create a new one with administrative rights for yourself.

http://support.microsoft.com/?kbid=318011

Also, for the installer error, this link is applicable to server versions, you probably have it in XP PRO -- it's just not on my Home edition of XP, but it is in Vista Business, which I have, see attached image.

http://207.46.196.114/windowsserver...89e5-469f-af86-9cf819e1d30c1033.mspx?mfr=true

Also run *regedit* and navigate to:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer

If there are any policy restrictions on that key, just right click and delete them.

The Blue Screens and other issues as well could be due to damaged ram. You need to test that.

Beginners Guides: Diagnosing Bad Memory

Memtest86 - A Stand-alone Memory Diagnostic

>> by the way if you try to load the Recovery Console (not much you can really do there for these issues) and it asks for password, and you have never created an Administrator password -- just hit "Enter".

I do think you have a hardware issue with the ram! Sometimes just reseating them can be helpful -- very easy to do on most laptops. Do remove the battery before handling or replacing any ram.


----------



## Bruno58 (Feb 1, 2008)

Hi Rollin' Rog and thanks for you help and advice.

I have already tried setting up a new user and that also crashed - but will do it again and get back to you.

My first thought was that I had a memory problem so I took out the RAM, cleaned the contacts and put it back - CRASH.
So I booted from the excellent Hirens Boot CD and ran a memory test, for a while.
This passed and as the PC works fine in SAFE mode and with a Linux boot CD - I again dismissed memory problems as the fault.
BUT again, I will run another test.

Sorry - what is the installer error and server version?
If we are talking about the problems loading AdAware in SAFE mode, I don't really care!
My main problem is the STOP error that crashes whenever I try to boot up as normal windows. It starts loading, displays my desktop (although the actual picture is only about 1/3 of the screen?) and then crashes before I can do anything.

Will now go and read those pages and run some more memory tests.

It's beginning to look like my only option is to run the recovery CD, that came with the laptop, and reinstall ALL my programs from scratch. 

Not something I look forward to doing!

Well, thanks for the advice - I will post back any results.


----------



## Bruno58 (Feb 1, 2008)

I have, again, created a new user in SAFE mode. This time with Limited rather than Administrator rights. I then rebooted the PC and selected the new user; it crashed straight away. 
No desktop displayed, nothing, just:
*STOP 0x0000008E (0Xc0000005, 0x805924E1, 0xA9B4459D0,0x00000000)*

Reboot in SAFE mode, the new user is not there?

Rebooted in SAFE mode, this time not as me but as Administrator, to delete the new user - but it was not there? Created another new user with Administrator rights and rebooted in SAFE mode.
This time the new user is there (in SAFE mode) and selected this new user.

The two MiniDumps have been extracted and are attached as a ZIP file.

Rebooting into normal mode, both new users are now displayed on the log on screen.
Selecting the last one I have created with Administrator rights.
It crashes straight away. 
No desktop displayed, nothing, just:
STOP 0x0000008E (0Xc0000005, 0x805924E1, 0xA9B4D9D0,0x00000000)

Im not sure this is helping?

[20:42]. Booting from Hirens BOOTCD 9.3 and running Memtest86+ 1.70 (again)
[20:53]. First pass OK - no errors (Std test).
[21:05]. Second pass OK
Running more tests - will report any errors.
As I said before, as it is running in SAFE mode and with Linux boot CD - can we assume that the memory, graphics card etc. are OK.

It must be something that loads in normal Windows and not in SAFE mode?
A driver or a piece of software - would the MiniDumps give any clue?
I have no idea how to read them, yes I can run them through Windbg, but what do they MEAN.
BugCheck 1000008E, {c0000005, 805924e1, f88c29d0, 0}
Probably caused by : ntkrnlmp.exe ( nt!HvpIsFreeNeighbor+4a )
Followup: MachineOwner

I have already tried booting up in SAFE mode, disabling ALL the start ups in MSCONFIG and rebooting into normal mode - still crashes.

I am now at a total loss, I could not find any virus, rootkit or SpyWare.
A few bits of Norton still seem to be in the PC, but this is not uncommon on new PCs.

*HELP* - I think my brain is about to have a STOP error of its own!


----------



## Rollin' Rog (Dec 9, 2000)

Since there seem to be no issues in Safe Mode -- have you also tried a "Clean Boot"? You need to include all NON Microsoft services as well as the normal startup group.

By the way I see an O18 entry for Skype >> O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

Is this an orphan? I would "fix" it or remove Skype for the time being.

I'm also suspicious of BitDefender.

First, restart in Safe Mode if necessary -- (tap the f8 key promptly on startup and choose the Safe Mode option from the boot menu) or Normal mode

Then:

Run *msconfig* and select the "Services" tab. *Check "Hide Microsoft Services"* and then disable the rest. Also uncheck "load startup group" on the general page.

See this link for detailed information:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;310353
http://support.microsoft.com/kb/929135 << for Vista, but applies equally to XP, and better written.

Now restart and test the issue at hand

If no problems, run *msconfig* and recheck half the disabled items on the Services tab. Test again. If the problem recurs, UNcheck half the items you just checked to narrow down the culprit.

If the problem didn't occur, check the other half, so all the Services are enabled -- proceed to do this on the startup tab as well.

Get the idea? You want to isolate the problem to a specific startup if possible.

Note: if you already have items unchecked under msconfig > startups and are in "selective" startup mode - you should note what these are before beginning. They will need to be de-selected again.
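The "recheck half, test, narrow down" procedure above is a binary search over startup items. As an added illustration (written for this page, not the thread's or msconfig's code), here it is as a function whose reboot-and-test step is replaced by a callable, so the search can be run and checked offline; the service names are made-up placeholders, and the function assumes a single, deterministic culprit, which is the same assumption the manual procedure makes.

```python
"""Halving search over msconfig items, as described in the post above.

Added example for this thread, not code from the thread or from msconfig.
"""


def isolate_culprit(items, boots_ok, previously_disabled=()):
    """Find the one item whose being enabled makes boots_ok() return False.

    items:               names on the Services/Startup tab, all disabled at the
                         start (the clean-boot state).
    boots_ok(enabled):   stands in for 'reboot with this set enabled and see
                         whether the STOP error recurs'; True means it booted.
    previously_disabled: items that were already unchecked before the clean
                         boot (the post's closing note); kept out of the search.
    Returns (culprit, number_of_test_reboots); culprit is None when enabling
    everything boots fine. Assumes a single deterministic culprit.
    """
    excluded = set(previously_disabled)
    suspects = [i for i in items if i not in excluded]
    reboots = 1
    if boots_ok(set(suspects)):               # everything back on and still fine
        return None, reboots
    known_good = set()
    while len(suspects) > 1:
        half = suspects[: len(suspects) // 2]  # recheck half the disabled items
        reboots += 1
        if boots_ok(known_good | set(half)):
            known_good |= set(half)            # this half stays enabled
            suspects = suspects[len(half):]    # culprit must be in the other half
        else:
            suspects = half                    # uncheck the rest, keep narrowing
    return suspects[0], reboots


def simulated_boot(culprit):
    """Constructed stand-in for a real reboot: fails only when culprit loads."""
    return lambda enabled: culprit not in enabled


# Constructed service list (placeholder names, not from the poster's machine).
SERVICES = [f"Service{n:02d}" for n in range(1, 13)] + ["ThirdPartyFilter"]

if __name__ == "__main__":
    found, n = isolate_culprit(SERVICES, simulated_boot("ThirdPartyFilter"))
    print(f"culprit: {found} after {n} test reboots")
```

With 13 items the search needs at most five reboots (one full test plus four halvings), which is why the procedure beats re-enabling services one at a time.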


----------



## Bruno58 (Feb 1, 2008)

Well, where do I start?

I dont use SKYPE much, so I removed both the entries from *Add or Remove Programs*.
The laptop still crashed after a reboot.

I had already tried a clean boot but I'm willing to try anything, so I disabled everything in MSCONFIG and rebooted - CRASH!

So what next!
I decided to boot up in SAFE mode, again, and back up all my user data, programs and a few other directories to another USB drive. I had already done this once, but I am taking no chances losing all my data and iTunes.

I then tried several System Restore Points in SAFE mode; rebooting after them came up with a crash or, more worrying - *Message: "Restoration Incomplete. Your computer cannot be restored . . . "*

Having exhausted all hardware and virus tests, it must be something in one of my drivers or a startup files, something that only loads in NORMAL mode. So I dug out my recovery CD and my drivers CD. With a tear in my eye I squared up to my laptop. Ready to put my poor old thing out of its misery, now I know how cowboys felt when their horse broke a leg.

Then I remembered some old notes that I had about manually rolling back a PC.
*A salvage mission into the depths of Windows XP, explained by a non-geek, by Charlie White*
See http://www.michaelstevenstech.com/XPrepairinstall.htm for a link to this.

So back to XP Recovery Console and good old DOS.
After a few failed reboots, I went back and forth between the C:\windows\repair defaults and the older and older System Restore Points in the System Volume Information folder.

Following the instructions I replaced the original system, software, SAM, security and default files from C:\Windows\repair. Much to my surprise this booted up OK and I was back to something like my original logon, when I first bought the laptop.

Following the instructions I then rolled back and rebooted - CRASH. I repeated this process until I found a set of backed up files that did not crash the system after a reboot.

The laptop has now been running all afternoon, and rebooted quite a few times.
Everything seems fine.

Thank you both for your kind help.


----------



## Rollin' Rog (Dec 9, 2000)

Well that was evidence of hive corruption -- probably in the software hive.

But if you had earlier done a system restore -- and gone back far enough -- it should have gotten you a good one, since that is really all you did this time -- only the hard way.

Normally I don't recommend that procedure unless Windows is unbootable -- but I'm quite familiar with it and have a canned set of instructions for it.

Anyway, let's hope it remains good.


----------



## Bruno58 (Feb 1, 2008)

Totally agree Rollin' Rog, but as I was getting 
"Restoration Incomplete. Your computer cannot be restored . . . " 
this was the only option I had except for a reinstallation.

While I have you online - is there anything I should have done or anything I can do now to prevent this "Hive Corruption"?

Is there some software you have used to check or repair corrupt hives?
Or any idea of what I did to screw it up - I don't want to do it again!

Thanks.


----------



## Cookiegal (Aug 27, 2003)

You're welcome. I'm glad you got it sorted out.


----------



## Rollin' Rog (Dec 9, 2000)

Well there is really not much from a practical concept except to ensure the integrity of both the ram and the drive itself. 

At one time I did use the Recovery console to independently backup the hives -- but never really had any problems so I didn't continue the practice.

Since you had prior issues with the drive -- it probably corrupted the software hive or entries related to it. While chkdsk does its thing, it really cannot fix some corrupt issues -- it may try to "save" a bad file, but more often it just deletes them by deleting the invalid index entry.

By the way, for what it's worth, the most vulnerable time for Windows is during shutdown, when cache is written to the registry. On a laptop one would expect fewer issues than on a desktop -- when an unregulated power failure can cause havoc.

However laptop drives are subject to more handling abuse and sometimes instability results from poor internal connections.
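As an added example for the question of how to check a hive before Windows has to, and for the point above about shutdown being the vulnerable moment (example code written for this page; not the thread's, Microsoft's, or any repair tool's code): the first 512 bytes of a hive file (the "regf" base block) carry a signature, two sequence numbers, and an XOR checksum. The sequence numbers are bumped before and after a write, so they differ when the hive was not flushed cleanly; a bad signature or checksum is the sort of damage behind the "not in a registry file format" events earlier in the thread. The header below is constructed in memory, not read from a real machine, and the field offsets follow the documented regf layout.

```python
"""Sanity-check the base block of a Windows registry hive file.

Added example for this thread, not code from the thread or from Microsoft.
"""
import struct

BASE_BLOCK_SIZE = 512


def regf_checksum(block):
    """XOR of the 127 DWORDs preceding the checksum field at offset 508,
    with the two special cases the format defines."""
    x = 0
    for (dword,) in struct.iter_unpack("<I", block[:508]):
        x ^= dword
    if x == 0xFFFFFFFF:
        return 0xFFFFFFFE
    if x == 0:
        return 1
    return x


def build_hive_header(seq1, seq2, bad_checksum=False,
                      name="\\Device\\HarddiskVolume1\\WINDOWS\\system32\\config\\software"):
    """Construct a minimal primary-file base block (constructed sample data)."""
    b = bytearray(BASE_BLOCK_SIZE)
    b[0:4] = b"regf"
    struct.pack_into("<II", b, 4, seq1, seq2)        # primary / secondary sequence numbers
    struct.pack_into("<Q", b, 12, 0)                 # last-written FILETIME, unused here
    struct.pack_into("<IIII", b, 20, 1, 3, 0, 1)     # major=1, minor=3, type 0=primary, format 1
    struct.pack_into("<II", b, 36, 0x20, 0x1000)     # root cell offset, hive bins data size
    struct.pack_into("<I", b, 44, 1)                 # clustering factor
    b[48:48 + 64] = name.encode("utf-16-le")[:64].ljust(64, b"\0")
    csum = regf_checksum(b)
    if bad_checksum:
        csum ^= 1                                    # deliberately corrupt the stored value
    struct.pack_into("<I", b, 508, csum)
    return bytes(b)


def check_hive_header(data):
    """Return a list of problems found in the base block (empty = looks sane)."""
    if len(data) < BASE_BLOCK_SIZE:
        return ["file shorter than a base block"]
    block = data[:BASE_BLOCK_SIZE]
    if block[0:4] != b"regf":
        return ["missing 'regf' signature: not in registry file format"]
    problems = []
    seq1, seq2 = struct.unpack_from("<II", block, 4)
    major, minor, ftype = struct.unpack_from("<III", block, 20)
    stored = struct.unpack_from("<I", block, 508)[0]
    if stored != regf_checksum(block):
        problems.append("base block checksum mismatch")
    if seq1 != seq2:
        problems.append("sequence numbers differ: hive was not flushed cleanly (dirty)")
    if major != 1:
        problems.append(f"unexpected major version {major}")
    if ftype != 0:
        problems.append(f"file type {ftype} is not a primary hive file")
    return problems


if __name__ == "__main__":
    for label, hdr in [("clean", build_hive_header(7, 7)),
                       ("dirty", build_hive_header(8, 7)),
                       ("bad checksum", build_hive_header(7, 7, bad_checksum=True)),
                       ("zeroed", b"\0" * BASE_BLOCK_SIZE)]:
        print(label, "->", check_hive_header(hdr) or "ok")
```

A "dirty" result on its own is not fatal: on load the kernel falls back to the hive's .LOG transaction log to finish the interrupted write. A bad signature or checksum is what leaves you with the repair-folder or System Volume Information copies as the only way back, which is the procedure that eventually worked here.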


----------

