
bsod stop 0x00000005

Discussion in 'Malware and Virus Removal Archive' started by timeoutgang, 2006/10/20.

  1. 2006/10/20
    timeoutgang

    timeoutgang Inactive Thread Starter

    Joined:
    2006/05/09
    Messages:
    148
    Likes Received:
    0
    Keep getting BSOD. Error reads:
    STOP: 0x00000005 (0x00000000, 0x86f8ada0, 0x00000001, 0x00000000)
    INVALID_PROCESS_ATTACH_ATTEMPT

    Any advice would be greatly appreciated.

    By the way, excellent site guys! :)
     
  2. 2006/10/20
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    timeoutgang

    Set up your computer to give a dump file and use the Debug Wizard to debug it and post the log here - see this thread ....

    http://www.windowsbbs.com/showthread.php?t=33471

    We may then be able to identify the cause of the BSOD.

    Some good information on that stop error here
     


  4. 2006/10/20
    timeoutgang

    timeoutgang Inactive Thread Starter

    Joined:
    2006/05/09
    Messages:
    148
    Likes Received:
    0
    I've run the debug tool & here's the log.

    Opened log file 'c:\debuglog.txt'

    Microsoft (R) Windows Debugger Version 6.6.0007.5
    Copyright (c) Microsoft Corporation. All rights reserved.


    Loading Dump File [C:\WINDOWS\Minidump\Mini102006-02.dmp]
    Mini Kernel Dump File: Only registers and stack trace are available

    Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
    Executable search path is: C:\WINDOWS;C:\WINDOWS\system32;C:\WINDOWS\system32\drivers
    Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
    Product: WinNt, suite: TerminalServer SingleUserTS Personal
    Built by: 2600.xpsp_sp2_gdr.050301-1519
    Kernel base = 0x804d7000 PsLoadedModuleList = 0x805531a0
    Debug session time: Fri Oct 20 21:35:14.140 2006 (GMT+1)
    System Uptime: 0 days 0:05:51.726
    Loading Kernel Symbols
    ...................................................................................................................................................
    Loading User Symbols
    Loading unloaded module list
    .........
    *******************************************************************************
    * *
    * Bugcheck Analysis *
    * *
    *******************************************************************************

    Use !analyze -v to get detailed debugging information.

    BugCheck 5, {0, 86f8ada0, 1, 0}

    Unable to load image usbkbd.sys, Win32 error 2
    *** WARNING: Unable to verify timestamp for usbkbd.sys
    *** ERROR: Module load completed but symbols could not be loaded for usbkbd.sys
    Probably caused by : usbkbd.sys ( usbkbd+76a9 )

    Followup: MachineOwner
    ---------

    kd> !analyze -v;r;kv;lmtn;.logclose;q
    *******************************************************************************
    * *
    * Bugcheck Analysis *
    * *
    *******************************************************************************

    INVALID_PROCESS_ATTACH_ATTEMPT (5)
    Arguments:
    Arg1: 00000000
    Arg2: 86f8ada0
    Arg3: 00000001
    Arg4: 00000000

    Debugging Details:
    ------------------


    CUSTOMER_CRASH_COUNT: 2

    DEFAULT_BUCKET_ID: DRIVER_FAULT

    BUGCHECK_STR: 0x5

    PROCESS_NAME: explorer.exe

    LAST_CONTROL_TRANSFER: from 804f75a0 to 804f8925

    STACK_TEXT:
    f7a49cbc 804f75a0 00000005 00000000 86f8ada0 nt!KeBugCheckEx+0x1b
    f7a49ce0 f3eb16a9 00000000 86f78b50 00000000 nt!KeAttachProcess+0x64
    WARNING: Stack unwind information not available. Following frames may be wrong.
    f7a49d30 f3eb2885 86f78b50 f7a49db4 00000104 usbkbd+0x76a9
    f7a49d8c f3eb3184 f7a49db4 00000104 f3ed2a00 usbkbd+0x8885
    f7a49fec f3eb788c 80536d74 00000000 f3ed0198 usbkbd+0x9184
    f7a4a240 f3eb9adb f3ed22e0 f3ed27a8 00000000 usbkbd+0xd88c
    f7a4adac 805c4a06 87015200 00000000 00000000 usbkbd+0xfadb
    f7a4addc 80540fa2 f3eb9388 f3ed0198 00000000 nt!PspSystemThreadStartup+0x34
    00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16


    STACK_COMMAND: kb

    FOLLOWUP_IP:
    usbkbd+76a9
    f3eb16a9 ?? ???

    SYMBOL_STACK_INDEX: 2

    FOLLOWUP_NAME: MachineOwner

    MODULE_NAME: usbkbd

    IMAGE_NAME: usbkbd.sys

    DEBUG_FLR_IMAGE_TIMESTAMP: 435f6140

    SYMBOL_NAME: usbkbd+76a9

    FAILURE_BUCKET_ID: 0x5_usbkbd+76a9

    BUCKET_ID: 0x5_usbkbd+76a9

    Followup: MachineOwner
    ---------

    eax=ffdff13c ebx=86f8ada0 ecx=00000000 edx=00000000 esi=8647b5e8 edi=00000000
    eip=804f8925 esp=f7a49ca4 ebp=f7a49cbc iopl=0 nv up ei ng nz na pe nc
    cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000286
    nt!KeBugCheckEx+0x1b:
    804f8925 5d pop ebp
    ChildEBP RetAddr Args to Child
    f7a49cbc 804f75a0 00000005 00000000 86f8ada0 nt!KeBugCheckEx+0x1b (FPO: [Non-Fpo])
    f7a49ce0 f3eb16a9 00000000 86f78b50 00000000 nt!KeAttachProcess+0x64 (FPO: [Non-Fpo])
    WARNING: Stack unwind information not available. Following frames may be wrong.
    f7a49d30 f3eb2885 86f78b50 f7a49db4 00000104 usbkbd+0x76a9
    f7a49d8c f3eb3184 f7a49db4 00000104 f3ed2a00 usbkbd+0x8885
    f7a49fec f3eb788c 80536d74 00000000 f3ed0198 usbkbd+0x9184
    f7a4a240 f3eb9adb f3ed22e0 f3ed27a8 00000000 usbkbd+0xd88c
    f7a4adac 805c4a06 87015200 00000000 00000000 usbkbd+0xfadb
    f7a4addc 80540fa2 f3eb9388 f3ed0198 00000000 nt!PspSystemThreadStartup+0x34 (FPO: [Non-Fpo])
    00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
    start end module name
    804d7000 806cd280 nt ntkrnlpa.exe Wed Mar 02 00:34:37 2005 (42250A1D)
    806ce000 806ee380 hal halaacpi.dll Wed Aug 04 06:59:05 2004 (41107B29)
    b8ae1000 b8b0b180 kmixer kmixer.sys Wed Jun 14 09:47:45 2006 (448FCD31)
    b97ee000 b9810080 RDPWD RDPWD.SYS Fri Jun 10 00:52:39 2005 (42A8D647)
    b9839000 b9879280 HTTP HTTP.sys Fri Mar 17 00:33:09 2006 (441A03C5)
    b9b72000 b9b7a080 ipfltdrv ipfltdrv.sys Fri Aug 17 21:55:07 2001 (3B7D84AB)
    b9c8a000 b9cb1f00 secdrv secdrv.sys Tue Aug 31 14:42:55 2004 (4134805F)
    ba118000 ba12c400 wdmaud wdmaud.sys Wed Jun 14 10:00:44 2006 (448FD03C)
    ba155000 ba170f20 naiavf5x naiavf5x.sys Mon Jun 13 23:54:46 2005 (42AE0EB6)
    ba17d000 ba17fe40 mdmxsdk mdmxsdk.sys Wed Mar 17 19:04:10 2004 (4058A12A)
    ba1c1000 ba212480 srv srv.sys Mon Aug 14 11:34:39 2006 (44E051BF)
    ba303000 ba32f400 mrxdav mrxdav.sys Wed Aug 04 07:00:49 2004 (41107B91)
    ba3c8000 ba3d6d80 sysaudio sysaudio.sys Wed Aug 04 07:15:54 2004 (41107F1A)
    ba5f4000 ba5f7280 ndisuio ndisuio.sys Wed Aug 04 07:03:10 2004 (41107C1E)
    ba734000 ba7368c0 s24trans s24trans.sys Tue Aug 31 16:53:03 2004 (41349EDF)
    ba738000 ba73bba0 AegisP AegisP.sys Fri Jul 23 15:33:15 2004 (410121AB)
    ba740000 ba7588c0 tfsnudfa tfsnudfa.sys Tue May 31 23:50:00 2005 (429CEA18)
    ba759000 ba771160 tfsnudf tfsnudf.sys Tue May 31 23:49:19 2005 (429CE9EF)
    ba772000 ba787320 tfsnifs tfsnifs.sys Tue May 31 23:49:14 2005 (429CE9EA)
    ba7f0000 ba7f3aa0 tfsnopio tfsnopio.sys Tue May 31 23:49:37 2005 (429CEA01)
    bf000000 bf011580 dxg dxg.sys Wed Aug 04 07:00:51 2004 (41107B93)
    bf012000 bf3cd200 nv4_disp nv4_disp.dll Thu Jul 07 04:31:12 2005 (42CCA200)
    bf800000 bf9c1180 win32k win32k.sys Thu Oct 06 01:05:44 2005 (43446A58)
    f3daf000 f3dc6480 dump_atapi dump_atapi.sys Wed Aug 04 06:59:41 2004 (41107B4D)
    f3dc7000 f3de7f00 ipnat ipnat.sys Wed Sep 29 23:28:36 2004 (415B3714)
    f3de8000 f3e56a00 mrxsmb mrxsmb.sys Fri May 05 10:41:42 2006 (445B1DD6)
    f3e7f000 f3ea9a00 rdbss rdbss.sys Fri May 05 10:47:55 2006 (445B1F4B)
    f3eaa000 f3f14380 usbkbd usbkbd.sys Wed Oct 26 11:58:08 2005 (435F6140)
    f3f15000 f3f36d00 afd afd.sys Wed Aug 04 07:14:13 2004 (41107EB5)
    f3f37000 f3f5ec00 netbt netbt.sys Wed Aug 04 07:14:36 2004 (41107ECC)
    f3f5f000 f3f72540 MpFirewall MpFirewall.sys Thu May 06 17:23:59 2004 (409A669F)
    f3f73000 f3fcad80 tcpip tcpip.sys Thu Apr 20 12:51:47 2006 (444775D3)
    f3fcb000 f3fdd400 ipsec ipsec.sys Wed Aug 04 07:14:27 2004 (41107EC3)
    f401a000 f401c900 Dxapi Dxapi.sys Fri Aug 17 21:53:19 2001 (3B7D843F)
    f604e000 f6081200 update update.sys Wed Aug 04 06:58:32 2004 (41107B08)
    f6122000 f6132e00 psched psched.sys Wed Aug 04 07:04:16 2004 (41107C60)
    f6133000 f6149680 ndiswan ndiswan.sys Wed Aug 04 07:14:30 2004 (41107EC6)
    f614a000 f6187000 iwca iwca.sys Thu Aug 12 16:44:02 2004 (411B9042)
    f6187000 f61a0c00 Apfiltr Apfiltr.sys Tue Nov 16 01:03:51 2004 (419951F7)
    f61a1000 f6248400 HSF_CNXT HSF_CNXT.sys Thu Jun 17 23:55:36 2004 (40D22168)
    f6249000 f6347480 HSF_DP HSF_DP.sys Thu Jun 17 23:55:00 2004 (40D22144)
    f6348000 f6378d80 HSFHWICH HSFHWICH.sys Thu Jun 17 23:57:01 2004 (40D221BD)
    f6379000 f639b680 ks ks.sys Wed Aug 04 07:15:20 2004 (41107EF8)
    f639c000 f63bf980 portcls portcls.sys Wed Aug 04 07:15:47 2004 (41107F13)
    f63c0000 f6402a00 STAC97 STAC97.sys Thu Mar 10 22:56:01 2005 (4230D081)
    f6403000 f6712d00 w29n51 w29n51.sys Fri Oct 22 00:56:03 2004 (41784C93)
    f6713000 f6723800 sdbus sdbus.sys Wed Aug 04 07:07:47 2004 (41107D33)
    f6724000 f6746e80 USBPORT USBPORT.SYS Wed Aug 04 07:08:34 2004 (41107D62)
    f6747000 f675a780 VIDEOPRT VIDEOPRT.SYS Wed Aug 04 07:07:04 2004 (41107D08)
    f675b000 f6a6a700 nv4_mini nv4_mini.sys Thu Jul 07 04:36:01 2005 (42CCA321)
    f7295000 f7298c80 mssmbios mssmbios.sys Wed Aug 04 07:07:47 2004 (41107D33)
    f7299000 f729cc80 serenum serenum.sys Wed Aug 04 06:59:06 2004 (41107B2A)
    f729d000 f729f9e0 btnetdrv btnetdrv.sys Tue Sep 21 11:15:32 2004 (414FFF44)
    f72d2000 f72ec580 Mup Mup.sys Wed Aug 04 07:15:20 2004 (41107EF8)
    f72ed000 f7319a80 NDIS NDIS.sys Wed Aug 04 07:14:27 2004 (41107EC3)
    f731a000 f73a6480 Ntfs Ntfs.sys Wed Aug 04 07:15:06 2004 (41107EEA)
    f73a7000 f73bd780 KSecDD KSecDD.sys Wed Aug 04 06:59:45 2004 (41107B51)
    f73be000 f73d30c0 drvmcdb drvmcdb.sys Fri Apr 22 23:56:10 2005 (4269810A)
    f73d4000 f73e5f00 sr sr.sys Wed Aug 04 07:06:22 2004 (41107CDE)
    f73e6000 f7405780 fltMgr fltMgr.sys Mon Aug 21 10:14:57 2006 (44E97991)
    f7406000 f741d480 atapi atapi.sys Wed Aug 04 06:59:41 2004 (41107B4D)
    f741e000 f743c880 ftdisk ftdisk.sys Fri Aug 17 21:52:41 2001 (3B7D8419)
    f743d000 f745a480 pcmcia pcmcia.sys Wed Aug 04 07:07:45 2004 (41107D31)
    f745b000 f746ba80 pci pci.sys Wed Aug 04 07:07:45 2004 (41107D31)
    f746c000 f7499d80 ACPI ACPI.sys Wed Aug 04 07:07:35 2004 (41107D27)
    f759b000 f75a3c00 isapnp isapnp.sys Fri Aug 17 21:58:01 2001 (3B7D8559)
    f75ab000 f75b5500 MountMgr MountMgr.sys Wed Aug 04 06:58:29 2004 (41107B05)
    f75bb000 f75c7c80 VolSnap VolSnap.sys Wed Aug 04 07:00:14 2004 (41107B6E)
    f75cb000 f75d3e00 disk disk.sys Wed Aug 04 06:59:53 2004 (41107B59)
    f75db000 f75e7200 CLASSPNP CLASSPNP.SYS Wed Aug 04 07:14:26 2004 (41107EC2)
    f75eb000 f75f9e80 ohci1394 ohci1394.sys Wed Aug 04 07:10:05 2004 (41107DBD)
    f75fb000 f7608000 1394BUS 1394BUS.SYS Wed Aug 04 07:10:03 2004 (41107DBB)
    f761b000 f762a180 nic1394 nic1394.sys Wed Aug 04 06:58:28 2004 (41107B04)
    f762b000 f7634560 VcommMgr VcommMgr.sys Fri Nov 05 03:39:07 2004 (418AF5DB)
    f763b000 f7647880 rasl2tp rasl2tp.sys Wed Aug 04 07:14:21 2004 (41107EBD)
    f764b000 f7655200 raspppoe raspppoe.sys Wed Aug 04 07:05:06 2004 (41107C92)
    f765b000 f7666d00 raspptp raspptp.sys Wed Aug 04 07:14:26 2004 (41107EC2)
    f766b000 f7673900 msgpc msgpc.sys Wed Aug 04 07:04:11 2004 (41107C5B)
    f768b000 f7694f00 termdd termdd.sys Wed Aug 04 06:58:52 2004 (41107B1C)
    f769b000 f76a4480 NDProxy NDProxy.SYS Fri Aug 17 21:55:30 2001 (3B7D84C2)
    f76ab000 f76b9100 usbhub usbhub.sys Wed Aug 04 07:08:40 2004 (41107D68)
    f76bb000 f76c3700 netbios netbios.sys Wed Aug 04 07:03:19 2004 (41107C27)
    f76db000 f76e3880 Fips Fips.SYS Sat Aug 18 02:31:49 2001 (3B7DC585)
    f76fb000 f7703700 wanarp wanarp.sys Wed Aug 04 07:04:57 2004 (41107C89)
    f770b000 f7719d80 arp1394 arp1394.sys Wed Aug 04 06:58:28 2004 (41107B04)
    f774b000 f77545a0 drvnddm drvnddm.sys Thu Apr 21 21:43:05 2005 (42681059)
    f775b000 f77637e0 tfsncofs tfsncofs.sys Tue May 31 23:49:32 2005 (429CE9FC)
    f776b000 f777a900 Cdfs Cdfs.SYS Wed Aug 04 07:14:09 2004 (41107EB1)
    f77ab000 f77b3d00 intelppm intelppm.sys Wed Aug 04 06:59:19 2004 (41107B37)
    f77bb000 f77c5f80 bcm4sbxp bcm4sbxp.sys Wed May 26 23:18:17 2004 (40B517A9)
    f77cb000 f77d9b80 drmk drmk.sys Wed Aug 04 07:07:54 2004 (41107D3A)
    f77db000 f77e7e00 i8042prt i8042prt.sys Wed Aug 04 07:14:36 2004 (41107ECC)
    f77eb000 f77f5380 imapi imapi.sys Wed Aug 04 07:00:12 2004 (41107B6C)
    f77fb000 f7807180 cdrom cdrom.sys Wed Aug 04 06:59:52 2004 (41107B58)
    f780b000 f7819080 redbook redbook.sys Wed Aug 04 06:59:34 2004 (41107B46)
    f781b000 f7821200 PCIIDEX PCIIDEX.SYS Wed Aug 04 06:59:40 2004 (41107B4C)
    f7823000 f7827900 PartMgr PartMgr.sys Sat Aug 18 02:32:23 2001 (3B7DC5A7)
    f782b000 f782f180 extfs extfs.sys Tue Sep 27 08:45:36 2005 (4338F8A0)
    f7833000 f7837de0 PxHelp20 PxHelp20.sys Thu Jan 27 01:32:51 2005 (41F844C3)
    f783b000 f7841de0 BTHidMgr BTHidMgr.sys Tue Oct 19 06:40:54 2004 (4174A8E6)
    f785b000 f785f500 watchdog watchdog.sys Wed Aug 04 07:07:32 2004 (41107D24)
    f786b000 f7871000 symlcbrd symlcbrd.sys Fri Sep 03 02:56:06 2004 (4137CF36)
    f787b000 f7881440 tfsnboio tfsnboio.sys Tue May 31 23:49:20 2005 (429CE9F0)
    f78cb000 f78d0500 TDTCP TDTCP.SYS Wed Aug 04 06:58:52 2004 (41107B1C)
    f78fb000 f7900000 usbuhci usbuhci.sys Wed Aug 04 07:08:34 2004 (41107D62)
    f7903000 f7909800 usbehci usbehci.sys Wed Aug 04 07:08:34 2004 (41107D62)
    f790b000 f7912580 Modem Modem.SYS Wed Aug 04 07:08:04 2004 (41107D44)
    f7913000 f7918a00 mouclass mouclass.sys Wed Aug 04 06:58:32 2004 (41107B08)
    f791b000 f7921000 kbdclass kbdclass.sys Wed Aug 04 06:58:32 2004 (41107B08)
    f7923000 f7927e80 blueletaudio blueletaudio.sys Tue Oct 19 04:39:23 2004 (41748C6B)
    f792b000 f792f880 TDI TDI.SYS Wed Aug 04 07:07:47 2004 (41107D33)
    f7933000 f7937580 ptilink ptilink.sys Fri Aug 17 21:49:53 2001 (3B7D8371)
    f793b000 f793f080 raspti raspti.sys Fri Aug 17 21:55:32 2001 (3B7D84C4)
    f7943000 f7948020 wanatw4 wanatw4.sys Tue Jul 16 16:23:14 2002 (3D343A62)
    f794b000 f7952040 VComm VComm.sys Tue Oct 19 06:37:37 2004 (4174A821)
    f7953000 f79572c0 omci omci.sys Fri Feb 13 16:45:58 2004 (402CFF46)
    f7963000 f7968bc0 ssrtln ssrtln.sys Fri May 13 18:37:18 2005 (4284E5CE)
    f796b000 f7970200 vga vga.sys Wed Aug 04 07:07:06 2004 (41107D0A)
    f7973000 f7977a80 Msfs Msfs.SYS Wed Aug 04 07:00:37 2004 (41107B85)
    f797b000 f7982880 Npfs Npfs.SYS Wed Aug 04 07:00:38 2004 (41107B86)
    f7983000 f7987180 tdiip tdiip.sys Tue Sep 27 08:45:21 2005 (4338F891)
    f79ab000 f79ae000 BOOTVID BOOTVID.dll Fri Aug 17 21:49:09 2001 (3B7D8345)
    f79af000 f79b1480 compbatt compbatt.sys Fri Aug 17 21:57:58 2001 (3B7D8556)
    f79b3000 f79b6700 BATTC BATTC.SYS Fri Aug 17 21:57:52 2001 (3B7D8550)
    f7a3f000 f7a41280 rasacd rasacd.sys Fri Aug 17 21:55:39 2001 (3B7D84CB)
    f7a67000 f7a6af00 APPDRV APPDRV.SYS Wed Jun 30 16:39:34 2004 (40E2DEB6)
    f7a77000 f7a7a700 CmBatt CmBatt.sys Wed Aug 04 07:07:39 2004 (41107D2B)
    f7a83000 f7a85d00 vbtenum vbtenum.sys Tue Sep 21 11:18:01 2004 (414FFFD9)
    f7a87000 f7a89580 ndistapi ndistapi.sys Fri Aug 17 21:55:29 2001 (3B7D84C1)
    f7a9b000 f7a9cb80 kdcom kdcom.dll Fri Aug 17 21:49:10 2001 (3B7D8346)
    f7a9d000 f7a9e100 WMILIB WMILIB.SYS Fri Aug 17 22:07:23 2001 (3B7D878B)
    f7a9f000 f7aa0580 intelide intelide.sys Wed Aug 04 06:59:40 2004 (41107B4C)
    f7ad5000 f7ad65c0 sscdbhk5 sscdbhk5.sys Fri May 13 18:37:26 2005 (4284E5D6)
    f7ad7000 f7ad8100 swenum swenum.sys Wed Aug 04 06:58:41 2004 (41107B11)
    f7add000 f7ade280 USBD USBD.SYS Fri Aug 17 22:02:58 2001 (3B7D8682)
    f7ae9000 f7aeb000 i2omgmt i2omgmt.SYS Wed Aug 04 07:00:50 2004 (41107B92)
    f7aeb000 f7aecf00 Fs_Rec Fs_Rec.SYS Fri Aug 17 21:49:37 2001 (3B7D8361)
    f7aed000 f7aee080 Beep Beep.SYS Fri Aug 17 21:47:33 2001 (3B7D82E5)
    f7aef000 f7af0080 mnmdd mnmdd.SYS Fri Aug 17 21:57:28 2001 (3B7D8538)
    f7af1000 f7af2080 RDPCDD RDPCDD.sys Fri Aug 17 21:46:56 2001 (3B7D82C0)
    f7b07000 f7b08100 dump_WMILIB dump_WMILIB.SYS Fri Aug 17 22:07:23 2001 (3B7D878B)
    f7b37000 f7b388a0 tfsnpool tfsnpool.sys Tue May 31 23:49:15 2005 (429CE9EB)
    f7b63000 f7b63d00 pciide pciide.sys Fri Aug 17 21:51:49 2001 (3B7D83E5)
    f7bdf000 f7bdfb80 Null Null.SYS Fri Aug 17 21:47:39 2001 (3B7D82EB)
    f7c3d000 f7c3dd00 dxgthk dxgthk.sys Fri Aug 17 21:53:12 2001 (3B7D8438)
    f7c54000 f7c54c00 audstub audstub.sys Fri Aug 17 21:59:40 2001 (3B7D85BC)
    f7cb6000 f7cb6880 tfsndres tfsndres.sys Tue May 31 23:50:05 2005 (429CEA1D)
    f7cb9000 f7cb9fe0 tfsndrct tfsndrct.sys Tue May 31 23:49:36 2005 (429CEA00)

    Unloaded modules:
    f7c91000 f7c92000 drmkaud.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    ba002000 ba02d000 kmixer.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    ba388000 ba395000 DMusic.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    ba398000 ba3a6000 swmidi.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    ba0f5000 ba118000 aec.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    f7b13000 f7b15000 splitter.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    f76cb000 f76db000 serial.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    f795b000 f7960000 Cdaudio.SYS
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    f7a3b000 f7a3e000 Sfloppy.SYS
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    Closing open log file c:\debuglog.txt
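Added example, not from any post in this thread: a small Python parser for the `kv` stack and `lmtn` module list in the log above. WinDbg's "Following frames may be wrong" warning means the `usbkbd+0x...` attributions rest on heuristic unwinding, and "Probably caused by" for a module without symbols only says the address falls inside that image's load range. The code below makes that check independently: it resolves each frame's return address against the module list and compares the result with the symbol WinDbg printed for the next frame (the return address points into the caller, which is the next line). The two embedded text blocks are excerpted verbatim from the first posted log (Mini102006-02.dmp); only the modules the stack needs are kept.

```python
"""Cross-check a WinDbg `kv` stack against its `lmtn` module list.

Added example, not part of the original thread. MODULE_LIST and STACK are
excerpted from the first log posted in the thread (Mini102006-02.dmp).
"""
import re
from typing import List, Optional, Tuple

MODULE_LIST = """\
start end module name
804d7000 806cd280 nt ntkrnlpa.exe Wed Mar 02 00:34:37 2005 (42250A1D)
806ce000 806ee380 hal halaacpi.dll Wed Aug 04 06:59:05 2004 (41107B29)
f3eaa000 f3f14380 usbkbd usbkbd.sys Wed Oct 26 11:58:08 2005 (435F6140)
f3f15000 f3f36d00 afd afd.sys Wed Aug 04 07:14:13 2004 (41107EB5)
f791b000 f7921000 kbdclass kbdclass.sys Wed Aug 04 06:58:32 2004 (41107B08)
"""

STACK = """\
ChildEBP RetAddr Args to Child
f7a49cbc 804f75a0 00000005 00000000 86f8ada0 nt!KeBugCheckEx+0x1b (FPO: [Non-Fpo])
f7a49ce0 f3eb16a9 00000000 86f78b50 00000000 nt!KeAttachProcess+0x64 (FPO: [Non-Fpo])
WARNING: Stack unwind information not available. Following frames may be wrong.
f7a49d30 f3eb2885 86f78b50 f7a49db4 00000104 usbkbd+0x76a9
f7a49d8c f3eb3184 f7a49db4 00000104 f3ed2a00 usbkbd+0x8885
f7a49fec f3eb788c 80536d74 00000000 f3ed0198 usbkbd+0x9184
f7a4a240 f3eb9adb f3ed22e0 f3ed27a8 00000000 usbkbd+0xd88c
f7a4adac 805c4a06 87015200 00000000 00000000 usbkbd+0xfadb
f7a4addc 80540fa2 f3eb9388 f3ed0198 00000000 nt!PspSystemThreadStartup+0x34 (FPO: [Non-Fpo])
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
"""

# lmtn line: start end shortname imagename <timestamp text> (hex timestamp)
_MODULE_RE = re.compile(r"^([0-9a-f]{8}) ([0-9a-f]{8}) (\S+) (\S+) .*\(([0-9A-Fa-f]{8})\)$")
# kv line: ChildEBP RetAddr Arg1 Arg2 Arg3 symbol [(FPO: ...)]
_FRAME_RE = re.compile(r"^([0-9a-f]{8}) ([0-9a-f]{8}) (?:[0-9a-f]{8} ){3}(\S+)")
# symbol forms: module!Function+0xoff, or module+0xoff when the module has no symbols
_SYMBOL_RE = re.compile(r"^([^!+]+)(?:!([^+]+))?\+0x([0-9a-f]+)$")

Module = Tuple[int, int, str, str]  # (start, end, short name, image name)


def parse_modules(text: str) -> List[Module]:
    """Parse `lmtn` output; header and non-matching lines are skipped."""
    mods = []
    for line in text.splitlines():
        m = _MODULE_RE.match(line.strip())
        if m:
            mods.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3), m.group(4)))
    return sorted(mods)


def resolve(addr: int, mods: List[Module]) -> Optional[Tuple[str, int]]:
    """Map a code address to (module short name, offset); None if no loaded module covers it."""
    for start, end, name, _image in mods:
        if start <= addr < end:
            return name, addr - start
    return None


def module_size(name: str, mods: List[Module]) -> Optional[int]:
    """Size in bytes of a loaded image, from its start/end addresses."""
    for start, end, short, _image in mods:
        if short == name:
            return end - start
    return None


def check_stack(stack_text: str, mods: List[Module]) -> List[Tuple[int, Optional[Tuple[str, int]], str, bool]]:
    """For each frame, resolve its RetAddr and compare with the symbol printed on the
    next line. For a bare module+offset symbol the offset must match as well; for a
    module!Function symbol only the module is compared. Returns
    (retaddr, resolved, printed symbol, agrees) per frame pair."""
    frames = [m for m in (_FRAME_RE.match(l.strip()) for l in stack_text.splitlines()) if m]
    results = []
    for cur, nxt in zip(frames, frames[1:]):
        ret = int(cur.group(2), 16)
        printed = nxt.group(3)
        got = resolve(ret, mods)
        sym = _SYMBOL_RE.match(printed)
        ok = False
        if got and sym:
            ok = got[0] == sym.group(1)
            if sym.group(2) is None:
                ok = ok and got[1] == int(sym.group(3), 16)
        results.append((ret, got, printed, ok))
    return results


if __name__ == "__main__":
    mods = parse_modules(MODULE_LIST)
    for ret, got, printed, ok in check_stack(STACK, mods):
        where = f"{got[0]}+0x{got[1]:x}" if got else "<no module>"
        print(f"{ret:08x} -> {where:24} printed {printed:40} {'ok' if ok else 'MISMATCH'}")
    print("usbkbd image size: 0x%x bytes" % module_size("usbkbd", mods))
```

Every frame in the posted stack checks out, so the attribution to usbkbd.sys is sound even though the frames past the warning were unwound heuristically. The second log posted later in the thread loads usbkbd at f4188000 and yields the same offsets (f418f6a9 - f4188000 = 0x76a9), which is the same code path crashing twice. The image size the module list gives (0x6a380 bytes) and the timestamp (435F6140) are the values to compare against the file on disk and against a known-good copy of the driver when deciding whether the file is what its name claims.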
     
  5. 2006/10/21
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    From my limited knowledge of these logs one possible cause of your BSODs is usbkbd.sys - which suggests you are using a USB keyboard.

    This is the area you should be looking at. Not knowing whether we are talking of a laptop or desktop I would suggest trying a conventional keyboard (PS/2) if possible and uninstalling and reinstalling the USB keyboard.

    This thread may be of interest .....

    http://www.computing.net/windows2000/wwwboard/forum/62428.html
     
  6. 2006/10/21
    timeoutgang

    timeoutgang Inactive Thread Starter

    Joined:
    2006/05/09
    Messages:
    148
    Likes Received:
    0
    Sorry Pete, forgot to mention that it's a laptop.
     
  7. 2006/10/21
    Bill Castner

    Bill Castner Inactive

    Joined:
    2006/08/30
    Messages:
    1,980
    Likes Received:
    0
    There is a reasonable chance this is malware.

    Do you have any of these files:

    %UserProfile%\Desktop\ek_setup.exe
    %System%\drivers\tdiip.sys
    %System%\drivers\usbkbd.sys
    %System%\mciole.dll
    %System%\windump.exe

    For the Elite Keylogger detection, these are the "files" that you would expect to find if you did actually have the infection.

    I have a feeling that the file is not necessary for your laptop and can be disabled. I have a strong preference for using the Disable command from Recovery Console for this task:
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;244905
     
  8. 2006/10/22
    timeoutgang

    timeoutgang Inactive Thread Starter

    Joined:
    2006/05/09
    Messages:
    148
    Likes Received:
    0
    No luck, guys. None of these files exist. Just to clarify, I used the Windows search option to locate them, but it came up with nothing. Haven't had the BSOD since my last post; could it be possible the debug fixed it?
     
  9. 2006/10/22
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    Did your search include Hidden Files and Folders? The dump log referenced a file which is apparently not on your computer - that is impossible IMO.

    The debug is an analysis of the dump file produced when the computer crashed - there is no way that debugging it would cure the problem.
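Added example, not from any post in the thread: a direct filesystem check for the indicator paths Bill Castner listed above. It uses os.stat rather than Windows Search, so hidden and system attributes and indexing gaps do not hide a file, which is the question PeteC raises. %UserProfile% is a real environment variable; reading %System% as the System32 directory follows the convention of anti-virus write-ups and is an assumption about the notation. The demo function plants one of the listed names in a throwaway directory (constructed data) so the check can be exercised offline.

```python
"""Check the indicator paths from the thread without relying on Windows Search.

Added example, not from any post in the thread. %System% is taken to mean the
System32 directory (anti-virus write-up convention; an assumption about the notation).
"""
import os
import re
import shutil
import stat
import tempfile
from typing import Dict, Iterable, Mapping, Optional

# Paths exactly as listed in the thread.
INDICATOR_PATHS = [
    r"%UserProfile%\Desktop\ek_setup.exe",
    r"%System%\drivers\tdiip.sys",
    r"%System%\drivers\usbkbd.sys",
    r"%System%\mciole.dll",
    r"%System%\windump.exe",
]

_PLACEHOLDER = re.compile(r"%([^%]+)%")


def default_env() -> Dict[str, str]:
    """Environment for a live Windows machine: %System% derived from SystemRoot,
    everything else from the process environment."""
    env = {k.lower(): v for k, v in os.environ.items()}
    root = env.get("systemroot", r"C:\WINDOWS")
    env.setdefault("system", os.path.join(root, "system32"))
    return env


def expand_placeholders(path: str, env: Mapping[str, str]) -> str:
    """Case-insensitive %Name% substitution; unknown names are left as written.
    Backslashes are mapped to the host separator so the same list runs on a test box."""
    lookup = {k.lower(): v for k, v in env.items()}

    def sub(m: "re.Match[str]") -> str:
        return lookup.get(m.group(1).lower(), m.group(0))

    return _PLACEHOLDER.sub(sub, path).replace("\\", os.sep)


def check_indicators(paths: Iterable[str], env: Mapping[str, str]) -> Dict[str, Optional[Dict[str, object]]]:
    """Map each listed path to stat details, or None when the file is absent.
    os.stat sees hidden and system files; Windows attribute bits are reported when available."""
    report: Dict[str, Optional[Dict[str, object]]] = {}
    for p in paths:
        full = expand_placeholders(p, env)
        try:
            st = os.stat(full)
        except OSError:
            report[p] = None
            continue
        info: Dict[str, object] = {"path": full, "size": st.st_size, "mtime": st.st_mtime}
        attrs = getattr(st, "st_file_attributes", None)  # present on Windows only
        if attrs is not None:
            info["hidden"] = bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)
            info["system"] = bool(attrs & stat.FILE_ATTRIBUTE_SYSTEM)
        report[p] = info
    return report


def demo_constructed_tree() -> Dict[str, Optional[Dict[str, object]]]:
    """Constructed data: plant one listed name in a temporary tree, run the check, clean up."""
    root = tempfile.mkdtemp()
    try:
        system = os.path.join(root, "system32")
        os.makedirs(os.path.join(system, "drivers"))
        with open(os.path.join(system, "drivers", "usbkbd.sys"), "wb") as f:
            f.write(b"\0" * 16)
        env = {"System": system, "UserProfile": os.path.join(root, "profile")}
        return check_indicators(INDICATOR_PATHS, env)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    # On a real machine use default_env(); the demo uses the constructed tree.
    for listed, info in demo_constructed_tree().items():
        print(f"{listed:40} {'ABSENT' if info is None else info}")
```

On the affected machine the call would be check_indicators(INDICATOR_PATHS, default_env()). A driver that the dump lists as loaded, with a load address, size and timestamp, has to come from somewhere on disk, so if this reports usbkbd.sys absent while the minidump still shows it loaded, the search is what needs questioning, not the dump.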
     
  10. 2006/10/30
    timeoutgang

    timeoutgang Inactive Thread Starter

    Joined:
    2006/05/09
    Messages:
    148
    Likes Received:
    0
    OK. I'll run another debug & post the log.
     
  11. 2006/10/30
    timeoutgang

    timeoutgang Inactive Thread Starter

    Joined:
    2006/05/09
    Messages:
    148
    Likes Received:
    0
    Opened log file 'c:\debuglog.txt'

    Microsoft (R) Windows Debugger Version 6.6.0007.5
    Copyright (c) Microsoft Corporation. All rights reserved.


    Loading Dump File [C:\WINDOWS\Minidump\Mini102906-02.dmp]
    Mini Kernel Dump File: Only registers and stack trace are available

    Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
    Executable search path is: C:\WINDOWS;C:\WINDOWS\system32;C:\WINDOWS\system32\drivers
    Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
    Product: WinNt, suite: TerminalServer SingleUserTS Personal
    Built by: 2600.xpsp_sp2_gdr.050301-1519
    Kernel base = 0x804d7000 PsLoadedModuleList = 0x805531a0
    Debug session time: Sun Oct 29 20:15:00.703 2006 (GMT+0)
    System Uptime: 0 days 0:05:04.311
    Loading Kernel Symbols
    ...................................................................................................................................................
    Loading User Symbols
    Loading unloaded module list
    .........
    *******************************************************************************
    * *
    * Bugcheck Analysis *
    * *
    *******************************************************************************

    Use !analyze -v to get detailed debugging information.

    BugCheck 5, {0, 8707e4c0, 1, 0}

    Unable to load image usbkbd.sys, Win32 error 2
    *** WARNING: Unable to verify timestamp for usbkbd.sys
    *** ERROR: Module load completed but symbols could not be loaded for usbkbd.sys
    Probably caused by : usbkbd.sys ( usbkbd+76a9 )

    Followup: MachineOwner
    ---------

    kd> !analyze -v;r;kv;lmtn;.logclose;q
    *******************************************************************************
    * *
    * Bugcheck Analysis *
    * *
    *******************************************************************************

    INVALID_PROCESS_ATTACH_ATTEMPT (5)
    Arguments:
    Arg1: 00000000
    Arg2: 8707e4c0
    Arg3: 00000001
    Arg4: 00000000

    Debugging Details:
    ------------------


    CUSTOMER_CRASH_COUNT: 2

    DEFAULT_BUCKET_ID: DRIVER_FAULT

    BUGCHECK_STR: 0x5

    PROCESS_NAME: explorer.exe

    LAST_CONTROL_TRANSFER: from 804f75a0 to 804f8925

    STACK_TEXT:
    f6d7bcbc 804f75a0 00000005 00000000 8707e4c0 nt!KeBugCheckEx+0x1b
    f6d7bce0 f418f6a9 00000000 87126c28 00000000 nt!KeAttachProcess+0x64
    WARNING: Stack unwind information not available. Following frames may be wrong.
    f6d7bd30 f4190885 87126c28 f6d7bdb4 00000104 usbkbd+0x76a9
    f6d7bd8c f4191184 f6d7bdb4 00000104 f41b0a00 usbkbd+0x8885
    f6d7bfec f419588c 80536d74 00000000 f41ae198 usbkbd+0x9184
    f6d7c240 f4197adb f41b02e0 f41b07a8 00000000 usbkbd+0xd88c
    f6d7cdac 805c4a06 87010b68 00000000 00000000 usbkbd+0xfadb
    f6d7cddc 80540fa2 f4197388 f41ae198 00000000 nt!PspSystemThreadStartup+0x34
    00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16


    STACK_COMMAND: kb

    FOLLOWUP_IP:
    usbkbd+76a9
    f418f6a9 ?? ???

    SYMBOL_STACK_INDEX: 2

    FOLLOWUP_NAME: MachineOwner

    MODULE_NAME: usbkbd

    IMAGE_NAME: usbkbd.sys

    DEBUG_FLR_IMAGE_TIMESTAMP: 435f6140

    SYMBOL_NAME: usbkbd+76a9

    FAILURE_BUCKET_ID: 0x5_usbkbd+76a9

    BUCKET_ID: 0x5_usbkbd+76a9

    Followup: MachineOwner
    ---------

    eax=ffdff13c ebx=8707e4c0 ecx=00000000 edx=00000000 esi=864635e8 edi=00000000
    eip=804f8925 esp=f6d7bca4 ebp=f6d7bcbc iopl=0 nv up ei ng nz na pe nc
    cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000286
    nt!KeBugCheckEx+0x1b:
    804f8925 5d pop ebp
    ChildEBP RetAddr Args to Child
    f6d7bcbc 804f75a0 00000005 00000000 8707e4c0 nt!KeBugCheckEx+0x1b (FPO: [Non-Fpo])
    f6d7bce0 f418f6a9 00000000 87126c28 00000000 nt!KeAttachProcess+0x64 (FPO: [Non-Fpo])
    WARNING: Stack unwind information not available. Following frames may be wrong.
    f6d7bd30 f4190885 87126c28 f6d7bdb4 00000104 usbkbd+0x76a9
    f6d7bd8c f4191184 f6d7bdb4 00000104 f41b0a00 usbkbd+0x8885
    f6d7bfec f419588c 80536d74 00000000 f41ae198 usbkbd+0x9184
    f6d7c240 f4197adb f41b02e0 f41b07a8 00000000 usbkbd+0xd88c
    f6d7cdac 805c4a06 87010b68 00000000 00000000 usbkbd+0xfadb
    f6d7cddc 80540fa2 f4197388 f41ae198 00000000 nt!PspSystemThreadStartup+0x34 (FPO: [Non-Fpo])
    00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
    start end module name
    804d7000 806cd280 nt ntkrnlpa.exe Wed Mar 02 00:34:37 2005 (42250A1D)
    806ce000 806ee380 hal halaacpi.dll Wed Aug 04 06:59:05 2004 (41107B29)
    b8ab9000 b8ae3180 kmixer kmixer.sys Wed Jun 14 09:47:45 2006 (448FCD31)
    b9726000 b9748080 RDPWD RDPWD.SYS Fri Jun 10 00:52:39 2005 (42A8D647)
    b9811000 b9851280 HTTP HTTP.sys Fri Mar 17 00:33:09 2006 (441A03C5)
    b99d2000 b99da080 ipfltdrv ipfltdrv.sys Fri Aug 17 21:55:07 2001 (3B7D84AB)
    b9c8a000 b9cb1f00 secdrv secdrv.sys Tue Aug 31 14:42:55 2004 (4134805F)
    ba050000 ba064400 wdmaud wdmaud.sys Wed Jun 14 10:00:44 2006 (448FD03C)
    ba0b5000 ba0d0f20 naiavf5x naiavf5x.sys Mon Jun 13 23:54:46 2005 (42AE0EB6)
    ba0dd000 ba0dfe40 mdmxsdk mdmxsdk.sys Wed Mar 17 19:04:10 2004 (4058A12A)
    ba1c1000 ba212480 srv srv.sys Mon Aug 14 11:34:39 2006 (44E051BF)
    ba2a3000 ba2b1d80 sysaudio sysaudio.sys Wed Aug 04 07:15:54 2004 (41107F1A)
    ba303000 ba32f400 mrxdav mrxdav.sys Wed Aug 04 07:00:49 2004 (41107B91)
    ba628000 ba62b280 ndisuio ndisuio.sys Wed Aug 04 07:03:10 2004 (41107C1E)
    ba73c000 ba73e8c0 s24trans s24trans.sys Tue Aug 31 16:53:03 2004 (41349EDF)
    ba740000 ba7588c0 tfsnudfa tfsnudfa.sys Tue May 31 23:50:00 2005 (429CEA18)
    ba759000 ba771160 tfsnudf tfsnudf.sys Tue May 31 23:49:19 2005 (429CE9EF)
    ba772000 ba787320 tfsnifs tfsnifs.sys Tue May 31 23:49:14 2005 (429CE9EA)
    ba788000 ba78bba0 AegisP AegisP.sys Fri Jul 23 15:33:15 2004 (410121AB)
    bf000000 bf011580 dxg dxg.sys Wed Aug 04 07:00:51 2004 (41107B93)
    bf012000 bf3cd200 nv4_disp nv4_disp.dll Thu Jul 07 04:31:12 2005 (42CCA200)
    bf800000 bf9c1180 win32k win32k.sys Thu Oct 06 01:05:44 2005 (43446A58)
    f408d000 f40a4480 dump_atapi dump_atapi.sys Wed Aug 04 06:59:41 2004 (41107B4D)
    f40a5000 f40c5f00 ipnat ipnat.sys Wed Sep 29 23:28:36 2004 (415B3714)
    f40c6000 f4134a00 mrxsmb mrxsmb.sys Fri May 05 10:41:42 2006 (445B1DD6)
    f415d000 f4187a00 rdbss rdbss.sys Fri May 05 10:47:55 2006 (445B1F4B)
    f4188000 f41f2380 usbkbd usbkbd.sys Wed Oct 26 11:58:08 2005 (435F6140)
    f41f3000 f4214d00 afd afd.sys Wed Aug 04 07:14:13 2004 (41107EB5)
    f4215000 f423cc00 netbt netbt.sys Wed Aug 04 07:14:36 2004 (41107ECC)
    f423d000 f4250540 MpFirewall MpFirewall.sys Thu May 06 17:23:59 2004 (409A669F)
    f4251000 f42a8d80 tcpip tcpip.sys Thu Apr 20 12:51:47 2006 (444775D3)
    f42a9000 f42bb400 ipsec ipsec.sys Wed Aug 04 07:14:27 2004 (41107EC3)
    f6318000 f631a900 Dxapi Dxapi.sys Fri Aug 17 21:53:19 2001 (3B7D843F)
    f632c000 f635f200 update update.sys Wed Aug 04 06:58:32 2004 (41107B08)
    f6370000 f63787e0 tfsncofs tfsncofs.sys Tue May 31 23:49:32 2005 (429CE9FC)
    f6380000 f63895a0 drvnddm drvnddm.sys Thu Apr 21 21:43:05 2005 (42681059)
    f6400000 f6410e00 psched psched.sys Wed Aug 04 07:04:16 2004 (41107C60)
    f6411000 f6427680 ndiswan ndiswan.sys Wed Aug 04 07:14:30 2004 (41107EC6)
    f6428000 f6465000 iwca iwca.sys Thu Aug 12 16:44:02 2004 (411B9042)
    f6465000 f647ec00 Apfiltr Apfiltr.sys Tue Nov 16 01:03:51 2004 (419951F7)
    f647f000 f6526400 HSF_CNXT HSF_CNXT.sys Thu Jun 17 23:55:36 2004 (40D22168)
    f6527000 f6625480 HSF_DP HSF_DP.sys Thu Jun 17 23:55:00 2004 (40D22144)
    f6626000 f6656d80 HSFHWICH HSFHWICH.sys Thu Jun 17 23:57:01 2004 (40D221BD)
    f6657000 f6679680 ks ks.sys Wed Aug 04 07:15:20 2004 (41107EF8)
    f667a000 f669d980 portcls portcls.sys Wed Aug 04 07:15:47 2004 (41107F13)
    f669e000 f66e0a00 STAC97 STAC97.sys Thu Mar 10 22:56:01 2005 (4230D081)
    f66e1000 f69f0d00 w29n51 w29n51.sys Fri Oct 22 00:56:03 2004 (41784C93)
    f69f1000 f6a01800 sdbus sdbus.sys Wed Aug 04 07:07:47 2004 (41107D33)
    f6a02000 f6a24e80 USBPORT USBPORT.SYS Wed Aug 04 07:08:34 2004 (41107D62)
    f6a25000 f6a38780 VIDEOPRT VIDEOPRT.SYS Wed Aug 04 07:07:04 2004 (41107D08)
    f6a39000 f6d48700 nv4_mini nv4_mini.sys Thu Jul 07 04:36:01 2005 (42CCA321)
    f6d81000 f6d83280 rasacd rasacd.sys Fri Aug 17 21:55:39 2001 (3B7D84CB)
    f729d000 f72a0c80 mssmbios mssmbios.sys Wed Aug 04 07:07:47 2004 (41107D33)
    f72d2000 f72ec580 Mup Mup.sys Wed Aug 04 07:15:20 2004 (41107EF8)
    f72ed000 f7319a80 NDIS NDIS.sys Wed Aug 04 07:14:27 2004 (41107EC3)
    f731a000 f73a6480 Ntfs Ntfs.sys Wed Aug 04 07:15:06 2004 (41107EEA)
    f73a7000 f73bd780 KSecDD KSecDD.sys Wed Aug 04 06:59:45 2004 (41107B51)
    f73be000 f73d30c0 drvmcdb drvmcdb.sys Fri Apr 22 23:56:10 2005 (4269810A)
    f73d4000 f73e5f00 sr sr.sys Wed Aug 04 07:06:22 2004 (41107CDE)
    f73e6000 f7405780 fltMgr fltMgr.sys Mon Aug 21 10:14:57 2006 (44E97991)
    f7406000 f741d480 atapi atapi.sys Wed Aug 04 06:59:41 2004 (41107B4D)
    f741e000 f743c880 ftdisk ftdisk.sys Fri Aug 17 21:52:41 2001 (3B7D8419)
    f743d000 f745a480 pcmcia pcmcia.sys Wed Aug 04 07:07:45 2004 (41107D31)
    f745b000 f746ba80 pci pci.sys Wed Aug 04 07:07:45 2004 (41107D31)
    f746c000 f7499d80 ACPI ACPI.sys Wed Aug 04 07:07:35 2004 (41107D27)
    f759b000 f75a3c00 isapnp isapnp.sys Fri Aug 17 21:58:01 2001 (3B7D8559)
    f75ab000 f75b5500 MountMgr MountMgr.sys Wed Aug 04 06:58:29 2004 (41107B05)
    f75bb000 f75c7c80 VolSnap VolSnap.sys Wed Aug 04 07:00:14 2004 (41107B6E)
    f75cb000 f75d3e00 disk disk.sys Wed Aug 04 06:59:53 2004 (41107B59)
    f75db000 f75e7200 CLASSPNP CLASSPNP.SYS Wed Aug 04 07:14:26 2004 (41107EC2)
    f75eb000 f75f9e80 ohci1394 ohci1394.sys Wed Aug 04 07:10:05 2004 (41107DBD)
    f75fb000 f7608000 1394BUS 1394BUS.SYS Wed Aug 04 07:10:03 2004 (41107DBB)
    f761b000 f762a180 nic1394 nic1394.sys Wed Aug 04 06:58:28 2004 (41107B04)
    f762b000 f7634480 NDProxy NDProxy.SYS Fri Aug 17 21:55:30 2001 (3B7D84C2)
    f763b000 f7649100 usbhub usbhub.sys Wed Aug 04 07:08:40 2004 (41107D68)
    f764b000 f7653700 netbios netbios.sys Wed Aug 04 07:03:19 2004 (41107C27)
    f766b000 f7673880 Fips Fips.SYS Sat Aug 18 02:31:49 2001 (3B7DC585)
    f768b000 f7693700 wanarp wanarp.sys Wed Aug 04 07:04:57 2004 (41107C89)
    f769b000 f76a9d80 arp1394 arp1394.sys Wed Aug 04 06:58:28 2004 (41107B04)
    f76cb000 f76da900 Cdfs Cdfs.SYS Wed Aug 04 07:14:09 2004 (41107EB1)
    f774b000 f7753d00 intelppm intelppm.sys Wed Aug 04 06:59:19 2004 (41107B37)
    f775b000 f7765f80 bcm4sbxp bcm4sbxp.sys Wed May 26 23:18:17 2004 (40B517A9)
    f776b000 f7779b80 drmk drmk.sys Wed Aug 04 07:07:54 2004 (41107D3A)
    f777b000 f7787e00 i8042prt i8042prt.sys Wed Aug 04 07:14:36 2004 (41107ECC)
    f778b000 f7795380 imapi imapi.sys Wed Aug 04 07:00:12 2004 (41107B6C)
    f779b000 f77a7180 cdrom cdrom.sys Wed Aug 04 06:59:52 2004 (41107B58)
    f77ab000 f77b9080 redbook redbook.sys Wed Aug 04 06:59:34 2004 (41107B46)
    f77bb000 f77c4560 VcommMgr VcommMgr.sys Fri Nov 05 03:39:07 2004 (418AF5DB)
    f77cb000 f77d7880 rasl2tp rasl2tp.sys Wed Aug 04 07:14:21 2004 (41107EBD)
    f77db000 f77e5200 raspppoe raspppoe.sys Wed Aug 04 07:05:06 2004 (41107C92)
    f77eb000 f77f6d00 raspptp raspptp.sys Wed Aug 04 07:14:26 2004 (41107EC2)
    f77fb000 f7803900 msgpc msgpc.sys Wed Aug 04 07:04:11 2004 (41107C5B)
    f780b000 f7814f00 termdd termdd.sys Wed Aug 04 06:58:52 2004 (41107B1C)
    f781b000 f7821200 PCIIDEX PCIIDEX.SYS Wed Aug 04 06:59:40 2004 (41107B4C)
    f7823000 f7827900 PartMgr PartMgr.sys Sat Aug 18 02:32:23 2001 (3B7DC5A7)
    f782b000 f782f180 extfs extfs.sys Tue Sep 27 08:45:36 2005 (4338F8A0)
    f7833000 f7837de0 PxHelp20 PxHelp20.sys Thu Jan 27 01:32:51 2005 (41F844C3)
    f783b000 f7841de0 BTHidMgr BTHidMgr.sys Tue Oct 19 06:40:54 2004 (4174A8E6)
    f7873000 f7879000 symlcbrd symlcbrd.sys Fri Sep 03 02:56:06 2004 (4137CF36)
    f78d3000 f78d8000 usbuhci usbuhci.sys Wed Aug 04 07:08:34 2004 (41107D62)
    f78db000 f78e1800 usbehci usbehci.sys Wed Aug 04 07:08:34 2004 (41107D62)
    f78e3000 f78ea580 Modem Modem.SYS Wed Aug 04 07:08:04 2004 (41107D44)
    f78eb000 f78f0a00 mouclass mouclass.sys Wed Aug 04 06:58:32 2004 (41107B08)
    f78f3000 f78f9000 kbdclass kbdclass.sys Wed Aug 04 06:58:32 2004 (41107B08)
    f78fb000 f78ffe80 blueletaudio blueletaudio.sys Tue Oct 19 04:39:23 2004 (41748C6B)
    f7903000 f7907880 TDI TDI.SYS Wed Aug 04 07:07:47 2004 (41107D33)
    f790b000 f790f580 ptilink ptilink.sys Fri Aug 17 21:49:53 2001 (3B7D8371)
    f7913000 f7917080 raspti raspti.sys Fri Aug 17 21:55:32 2001 (3B7D84C4)
    f791b000 f7920020 wanatw4 wanatw4.sys Tue Jul 16 16:23:14 2002 (3D343A62)
    f7923000 f792a040 VComm VComm.sys Tue Oct 19 06:37:37 2004 (4174A821)
    f792b000 f792f2c0 omci omci.sys Fri Feb 13 16:45:58 2004 (402CFF46)
    f793b000 f7940bc0 ssrtln ssrtln.sys Fri May 13 18:37:18 2005 (4284E5CE)
    f7943000 f7948200 vga vga.sys Wed Aug 04 07:07:06 2004 (41107D0A)
    f794b000 f794fa80 Msfs Msfs.SYS Wed Aug 04 07:00:37 2004 (41107B85)
    f7953000 f795a880 Npfs Npfs.SYS Wed Aug 04 07:00:38 2004 (41107B86)
    f795b000 f795f180 tdiip tdiip.sys Tue Sep 27 08:45:21 2005 (4338F891)
    f7963000 f7968500 TDTCP TDTCP.SYS Wed Aug 04 06:58:52 2004 (41107B1C)
    f797b000 f797f500 watchdog watchdog.sys Wed Aug 04 07:07:32 2004 (41107D24)
    f7983000 f7989440 tfsnboio tfsnboio.sys Tue May 31 23:49:20 2005 (429CE9F0)
    f79ab000 f79ae000 BOOTVID BOOTVID.dll Fri Aug 17 21:49:09 2001 (3B7D8345)
    f79af000 f79b1480 compbatt compbatt.sys Fri Aug 17 21:57:58 2001 (3B7D8556)
    f79b3000 f79b6700 BATTC BATTC.SYS Fri Aug 17 21:57:52 2001 (3B7D8550)
    f7a2b000 f7a2eaa0 tfsnopio tfsnopio.sys Tue May 31 23:49:37 2005 (429CEA01)
    f7a5f000 f7a62f00 APPDRV APPDRV.SYS Wed Jun 30 16:39:34 2004 (40E2DEB6)
    f7a6b000 f7a6e700 CmBatt CmBatt.sys Wed Aug 04 07:07:39 2004 (41107D2B)
    f7a77000 f7a79d00 vbtenum vbtenum.sys Tue Sep 21 11:18:01 2004 (414FFFD9)
    f7a7b000 f7a7d580 ndistapi ndistapi.sys Fri Aug 17 21:55:29 2001 (3B7D84C1)
    f7a93000 f7a959e0 btnetdrv btnetdrv.sys Tue Sep 21 11:15:32 2004 (414FFF44)
    f7a97000 f7a9ac80 serenum serenum.sys Wed Aug 04 06:59:06 2004 (41107B2A)
    f7a9b000 f7a9cb80 kdcom kdcom.dll Fri Aug 17 21:49:10 2001 (3B7D8346)
    f7a9d000 f7a9e100 WMILIB WMILIB.SYS Fri Aug 17 22:07:23 2001 (3B7D878B)
    f7a9f000 f7aa0580 intelide intelide.sys Wed Aug 04 06:59:40 2004 (41107B4C)
    f7ac5000 f7ac65c0 sscdbhk5 sscdbhk5.sys Fri May 13 18:37:26 2005 (4284E5D6)
    f7ac7000 f7ac8100 swenum swenum.sys Wed Aug 04 06:58:41 2004 (41107B11)
    f7ac9000 f7aca280 USBD USBD.SYS Fri Aug 17 22:02:58 2001 (3B7D8682)
    f7ad1000 f7ad3000 i2omgmt i2omgmt.SYS Wed Aug 04 07:00:50 2004 (41107B92)
    f7ad3000 f7ad4f00 Fs_Rec Fs_Rec.SYS Fri Aug 17 21:49:37 2001 (3B7D8361)
    f7ad5000 f7ad6080 Beep Beep.SYS Fri Aug 17 21:47:33 2001 (3B7D82E5)
    f7ad7000 f7ad8080 mnmdd mnmdd.SYS Fri Aug 17 21:57:28 2001 (3B7D8538)
    f7ad9000 f7ada080 RDPCDD RDPCDD.sys Fri Aug 17 21:46:56 2001 (3B7D82C0)
    f7ae7000 f7ae8100 dump_WMILIB dump_WMILIB.SYS Fri Aug 17 22:07:23 2001 (3B7D878B)
    f7afb000 f7afc8a0 tfsnpool tfsnpool.sys Tue May 31 23:49:15 2005 (429CE9EB)
    f7b63000 f7b63d00 pciide pciide.sys Fri Aug 17 21:51:49 2001 (3B7D83E5)
    f7bc2000 f7bc2880 tfsndres tfsndres.sys Tue May 31 23:50:05 2005 (429CEA1D)
    f7bc3000 f7bc3fe0 tfsndrct tfsndrct.sys Tue May 31 23:49:36 2005 (429CEA00)
    f7c84000 f7c84d00 dxgthk dxgthk.sys Fri Aug 17 21:53:12 2001 (3B7D8438)
    f7cca000 f7ccab80 Null Null.SYS Fri Aug 17 21:47:39 2001 (3B7D82EB)
    f7cd7000 f7cd7c00 audstub audstub.sys Fri Aug 17 21:59:40 2001 (3B7D85BC)

    Unloaded modules:
    f7ca9000 f7caa000 drmkaud.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    ba002000 ba02d000 kmixer.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    ba273000 ba280000 DMusic.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    ba283000 ba291000 swmidi.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    ba02d000 ba050000 aec.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    f7aab000 f7aad000 splitter.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    f765b000 f766b000 serial.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    f7933000 f7938000 Cdaudio.SYS
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    f6d85000 f6d88000 Sfloppy.SYS
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    Closing open log file c:\debuglog.txt
     
  12. 2006/10/30
    mailman Lifetime Subscription

    mailman Geek Member

    Joined:
    2004/01/17
    Messages:
    1,901
    Likes Received:
    11
    Hi, timeoutgang.

    I expect Pete is suggesting the following...

    In "Windows Explorer" or "My Computer":
    • Click Tools > Folder Options... > View tab.
    • Enable "Show hidden files and folders"
    • Click the OK button.
    Then perform your searches (on the entire hard drive on which Windows is installed) for the filenames Bill mentioned:
    • ek_setup.exe
    • tdiip.sys
    • usbkbd.sys
    • mciole.dll
    • windump.exe
     
    Last edited: 2006/10/30
  13. 2006/10/30
    mailman Lifetime Subscription

    mailman Geek Member

    Joined:
    2004/01/17
    Messages:
    1,901
    Likes Received:
    11
    Looks like you have at least usbkbd.sys and tdiip.sys on your system. :(

    I suggest you carefully follow the instructions in this link.

    After you scan and clean with Spybot Search & Destroy and Ad-Aware (with the latest updates), post your HijackThis Log here in this thread. If an infection is/was present, a forum moderator will likely move this thread to the "Removing Spyware & Viruses" forum where experts will look at your log and provide guidance.

    Malware often has to be removed in a very specific manner that should be done only by carefully following expert guidance to remove all traces of the malware. DO NOT use HiJackThis to "fix" anything unless an expert instructs you how/when to do so.


    Here is a link to more information about tdiip.sys.

    Here is a link to more information from Sunbelt Software about Elite Keylogger.

    In the Sunbelt Software link above, extfs.sys is also apparently associated with Elite Keylogger. :( The file date/time for extfs.sys on your system is also very close to the file date/time for tdiip.sys on your system.

    According to Sunbelt Software these are files you might have on your system if you have Elite Keylogger installed:
    Here are a couple more links with information from Symantec about Elite Keylogger.
     
    Last edited: 2006/10/30
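The two checks suggested in the posts above (which of the listed file names are present, and which drivers were built at almost the same moment as a flagged one) as an added example; this is not code from the thread or from any tool it mentions. It parses module lines in the format of the debugger listing posted earlier (the embedded lines are copied from that listing), treats the hex value in parentheses as the PE link timestamp in Unix-epoch seconds, and uses an assumed 60-second window for "close" build times.

```python
"""Triage helpers for the debugger module listing posted in this thread.

Added example, not from the original posts. It reads lines in the format of
the `lm`-style listing above, converts the hex PE timestamp in parentheses
to a UTC datetime, reports which flagged file names are loaded, and lists
other drivers built within a short window of a flagged one.
"""
import re
from datetime import datetime, timezone

# Lines copied from the debugger listing posted earlier in this thread.
MODULE_LIST = """\
f782b000 f782f180 extfs extfs.sys Tue Sep 27 08:45:36 2005 (4338F8A0)
f795b000 f795f180 tdiip tdiip.sys Tue Sep 27 08:45:21 2005 (4338F891)
f7833000 f7837de0 PxHelp20 PxHelp20.sys Thu Jan 27 01:32:51 2005 (41F844C3)
f746c000 f7499d80 ACPI ACPI.sys Wed Aug 04 07:07:35 2004 (41107D27)
f7873000 f7879000 symlcbrd symlcbrd.sys Fri Sep 03 02:56:06 2004 (4137CF36)
"""

# File names the thread associates with Elite Keylogger.
SUSPECT_NAMES = {"ek_setup.exe", "tdiip.sys", "usbkbd.sys",
                 "mciole.dll", "windump.exe"}

# start end module image <human-readable date> (hex timestamp)
LINE_RE = re.compile(
    r"^([0-9a-f]{8})\s+([0-9a-f]{8})\s+(\S+)\s+(\S+)\s+.*?\(([0-9A-Fa-f]{8})\)\s*$"
)


def parse_module_list(text):
    """Return one dict per module line: start, end, module, image, built (UTC).

    Header lines and 'Unloaded modules' entries (no timestamp in parentheses)
    are skipped; an all-zero timestamp yields built=None.
    """
    mods = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        start, end, module, image, ts_hex = m.groups()
        ts = int(ts_hex, 16)
        built = datetime.fromtimestamp(ts, tz=timezone.utc) if ts else None
        mods.append({"start": int(start, 16), "end": int(end, 16),
                     "module": module, "image": image, "built": built})
    return mods


def suspects_present(mods, suspect_names):
    """Sorted list of flagged image names that appear as loaded modules."""
    wanted = {n.lower() for n in suspect_names}
    return sorted(m["image"] for m in mods if m["image"].lower() in wanted)


def modules_built_near(mods, suspect_names, window_seconds=60):
    """Map each flagged image in the listing to (other image, seconds apart)
    pairs whose PE build timestamp lies within window_seconds of it.

    A driver built seconds apart from a known keylogger component is a good
    candidate for the same installer, which is the observation made above.
    """
    wanted = {n.lower() for n in suspect_names}
    near = {}
    for s in mods:
        if s["image"].lower() not in wanted or s["built"] is None:
            continue
        hits = []
        for m in mods:
            if m is s or m["built"] is None:
                continue
            delta = abs((m["built"] - s["built"]).total_seconds())
            if delta <= window_seconds:
                hits.append((m["image"], int(delta)))
        near[s["image"]] = sorted(hits)
    return near


if __name__ == "__main__":
    mods = parse_module_list(MODULE_LIST)
    print("flagged names loaded:", suspects_present(mods, SUSPECT_NAMES))
    for image, hits in modules_built_near(mods, SUSPECT_NAMES).items():
        print(image, "built within 60 s of:", hits)
```

Run against the full listing above, the proximity check singles out extfs.sys as built 15 seconds after tdiip.sys, the same pairing noted in the post.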
  14. 2006/11/06
    timeoutgang

    timeoutgang Inactive Thread Starter

    Joined:
    2006/05/09
    Messages:
    148
    Likes Received:
    0
    I've followed the instructions in the previous post & here is my log.

    Logfile of HijackThis v1.99.1
    Scan saved at 02:02:46, on 07/11/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
    C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
    C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
    c:\program files\common files\mcafee\mna\mcnasvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\PROGRA~1\McAfee\MSC\mctskshd.exe
    C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\UAService7.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Apoint\Apntex.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\SiteAdvisor\SiteAdv.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
    C:\Documents and Settings\Dafydd\Desktop\hjt\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.co.uk/myway
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.co.uk/myway
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\SiteAdv.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptsn.dll
    O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\SiteAdv.dll
    O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /installquiet
    O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint\Apoint.exe "
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe "
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [winlogons.exe] C:\Program Files\Free KGB Key Logger\winlogons.exe
    O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
    O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
    O4 - Global Startup: BlueSoleil.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZCxdm594YYGB
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
    O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
    O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.euro.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://jemmaconners.spaces.live.com//PhotoUpload/MsnPUpld.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1139423841203
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows/Initial/VideoEggPublisher.exe
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
    O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - https://online.eversheds.com/viewer/activeXViewer/activexviewer.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4825/mcfscan.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Filter: application/x-internet-signup - {A173B69A-1F9B-4823-9FDA-412F641E65D6} - C:\Program Files\Tiscali\Tiscali Internet\dlls\tiscalifilter.dll
    O20 - Winlogon Notify: explorer - explorer.dll (file missing)
    O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
    O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    O23 - Service: McAfee Log Manager (McLogManagerService) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
    O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Task Scheduler (mctskshd.exe) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mctskshd.exe
    O23 - Service: McAfee User Manager (mcusrmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
    O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
     
  15. 2006/11/06
    mailman Lifetime Subscription

    mailman Geek Member

    Joined:
    2004/01/17
    Messages:
    1,901
    Likes Received:
    11
    Hi, timeoutgang.

    Thanks for posting your HijackThis log.

    It looks like you have or had at least a keylogger active on your computer. :(

    I expect this thread will be moved to the Removing Spyware & Viruses forum for further advice from malware removal experts.

    While waiting for further advice from a malware removal expert, you probably should create a folder on your hard drive such as C:\HJT and then MOVE your HijackThis.exe file from your desktop to that folder. This is usually a necessary step that malware removal experts direct people to perform.


    Here are a few links with information from reputable sources about winlogons.exe:

     
    Last edited: 2006/11/06
  16. 2006/11/06
    Bill Castner

    Bill Castner Inactive

    Joined:
    2006/08/30
    Messages:
    1,980
    Likes Received:
    0
    It might be a good idea to reduce the number of antivirus programs you have installed and actively scanning.
     
  17. 2006/11/06
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Timeout, you have a couple of problems. The key logger and another one, which could be related, O20 - Winlogon Notify: explorer - explorer.dll (file missing):
    http://www.sophos.com/virusinfo/analyses/trojsclogb.html

    I'll move this over to the proper forum.

    And yes, I would also decide on which AV you want to be running; both can actually leave you more vulnerable. I'm betting the AVG was just an additional resource to try and find whatever was on the system.
     
  18. 2006/11/07
    timeoutgang

    timeoutgang Inactive Thread Starter

    Joined:
    2006/05/09
    Messages:
    148
    Likes Received:
    0
    OK, I've disabled McAfee & am just running AVG. Do I follow the link on the previous thread to remove this Trojan?
     
  19. 2006/11/07
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Let's get a couple of scans and then a fresh HJT log please.

    Panda ActiveScan
    • Click the 'Scan your PC' button. (You may have to disable any pop-up blockers)
    • Then press the green 'Check Now' button.
    • Enter your country and state along with a valid email address.
    • Allow the ActiveX install; it may take a few minutes for all components. (For XP SP2 watch for the yellow bar at the top of IE)
    • Once installation is complete you will need to select a device to scan. Please select 'My Computer' and the scan will begin.
    • Once the scan is done, click the 'See report' button, then the 'save report' button. Be sure to save the log file created in a place easy for you to find.


    Trend Micro™ HouseCall Scan
    • Click Scan now. It's free!
    • Read and put a Check next to Yes I accept the terms of use.
    • Click the Launching HouseCall>> button.
    • If confirmed that HouseCall can run on your system, under Using Java-based HouseCall kernel click the Starting HouseCall>> button.
    • You may receive a Security Warning about the TrendMicro Java applet, click YES.
    • Under Scan complete computer for malware, grayware, and vulnerabilities click the Next>> button.
    • Please be patient while it installs, updates, and scans your system.
    • Once the scan is complete, it will take you to the summary page.
    • Under Cleanup options, choose clean all detected infections automatically.
    • Click the Clean now>> button.
    • If anything was found you may be prompted to run the scan again, you can just close the browser window.
     
  20. 2006/11/08
    timeoutgang

    timeoutgang Inactive Thread Starter

    Joined:
    2006/05/09
    Messages:
    148
    Likes Received:
    0
    Ran the Panda scan, log listed below. When running the HouseCall scan, midway through the scan, it stopped & closed all IE windows. I tried the scan a couple of times & it still closed midway through. HJT log is also posted below.

    Panda Log.

    Incident Status Location

    Adware:adware/azesearch Not disinfected c:\windows\system32\azebar.xml
    Potentially unwanted tool:application/mywebsearch Not disinfected c:\windows\system32\f3PSSavr.scr
    Adware:adware/thespyguard Not disinfected c:\windows\system32\winsrv32.exe
    Adware:adware/secure32 Not disinfected c:\program files\secure32.html
    Adware:adware/look2me Not disinfected Windows Registry
    Adware:adware/adwaresheriff Not disinfected Windows Registry
    Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Dafydd\Cookies\dafydd@112.2o7[2].txt
    Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Dafydd\Cookies\dafydd@ad.yieldmanager[2].txt
    Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Dafydd\Cookies\dafydd@casalemedia[2].txt
    Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Dafydd\Cookies\dafydd@com[1].txt
    Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Dafydd\Cookies\dafydd@go[1].txt
    Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Dafydd\Cookies\dafydd@maxserving[1].txt
    Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Dafydd\Cookies\dafydd@toplist[1].txt
    Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Dafydd\Cookies\dafydd@yadro[1].txt
    Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Dafydd\Local Settings\Temp\Cookies\dafydd@ad.yieldmanager[2].txt
    Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Dafydd\Local Settings\Temp\Cookies\dafydd@com[1].txt
    Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Dafydd\Local Settings\Temp\Cookies\dafydd@toplist[1].txt
    Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Guest\Cookies\guest@ad.yieldmanager[1].txt
    Spyware:Cookie/Xmts Not disinfected C:\Documents and Settings\Guest\Cookies\guest@xmts[1].txt
    Virus:Eicar.Mod Not disinfected C:\KAV\PersonalPro\CD French\data1.cab[eicar.html]
    Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\Mozilla Firefox\chrome\m3ffxtbr.jar[contents.rdf]
    Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\Mozilla Firefox\chrome\m3ffxtbr.jar[menu.xul]
    Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\Mozilla Firefox\chrome\m3ffxtbr.jar[toolbarembed.html]
    Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MSN Messenger\riched20.dll
    Hacktool:HackTool/EvID Not disinfected C:\Program Files\PPLive TV\SynaLiveSetup.exe[EvID4226Patch.exe]
    Adware:Adware/AdwareSheriff Not disinfected C:\WINDOWS\rfscanax.dll
    HJT Log.
    Logfile of HijackThis v1.99.1
    Scan saved at 22:31:50, on 08/11/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
    C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
    C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
    c:\program files\common files\mcafee\mna\mcnasvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\PROGRA~1\McAfee\MSC\mctskshd.exe
    C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\UAService7.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\WINDOWS\system32\rundll32.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    c:\program files\mcafee\msc\mcuimgr.exe
    C:\Documents and Settings\Dafydd\Desktop\hjt\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.co.uk/myway
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.co.uk/myway
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\4144\SiteAdv.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptsn.dll
    O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\4144\SiteAdv.dll
    O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /installquiet
    O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint\Apoint.exe "
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe "
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [winlogons.exe] C:\Program Files\Free KGB Key Logger\winlogons.exe
    O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
    O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
    O4 - Global Startup: BlueSoleil.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZCxdm594YYGB
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
    O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
    O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.euro.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://jemmaconners.spaces.live.com//PhotoUpload/MsnPUpld.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1139423841203
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows/Initial/VideoEggPublisher.exe
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
    O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - https://online.eversheds.com/viewer/activeXViewer/activexviewer.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4825/mcfscan.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\4144\SiteAdv.dll
    O18 - Filter: application/x-internet-signup - {A173B69A-1F9B-4823-9FDA-412F641E65D6} - C:\Program Files\Tiscali\Tiscali Internet\dlls\tiscalifilter.dll
    O20 - Winlogon Notify: explorer - explorer.dll (file missing)
    O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
    O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    O23 - Service: McAfee Log Manager (McLogManagerService) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
    O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Task Scheduler (mctskshd.exe) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mctskshd.exe
    O23 - Service: McAfee User Manager (mcusrmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
    O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
     
  21. 2006/11/09
    TeMerc

    TeMerc Inactive Alumni
    OK, let's get to some killing.

    Below you will find my results and recommendations from your HijackThis! log file analysis. Please read ALL instructions carefully BEFORE proceeding.

    Please follow these instructions exactly for proper HJT installation. Please place HJT into ITS OWN PERMANENT FOLDER. It also needs to be removed from the desktop.

    You can do this by going to My Computer (Windows key+E), then double-click on C:, then right-click and select New, then Folder, and name it HJT (C:\HJT\HijackThis.exe). Move HijackThis.exe into this folder. When you run HijackThis.exe from the C:\HJT folder and use "Fix checked", it will create a backup file of the modifications, easily accessible if a restore is necessary.


    Please go to Add/Remove, and if found, uninstall the following:
    Free KGB Key Logger


    Run HijackThis and look over the following entries I have listed, check the boxes next to them and press the "Fix Checked" button in HijackThis. When you are doing this, make sure you have no IE windows or other browsers open, including this one. Reboot if I have specified below, and post a fresh HijackThis log.


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.co.uk/myway

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.co.uk/myway

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =


    O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k

    O4 - HKLM\..\Run: [winlogons.exe] C:\Program Files\Free KGB Key Logger\winlogons.exe


    O20 - Winlogon Notify: explorer - explorer.dll (file missing)


    Reboot into Safe Mode this way:
    Turn on the computer
    Immediately begin tapping the <F8> key.
    Use the arrow keys to highlight Safe Mode and press the <Enter> key.

    Also, enable the 'Show Hidden Folders' option, like this:
    Click Start.
    Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders.
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.
    Click OK.

    Then search for and delete, if found (some may not be present after the previous steps), the following files/folders:
    C:\Program Files\Free KGB Key Logger<<<<---this folder
    c:\program files\secure32.html <<<--this folder
    c:\windows\system32\azebar.xml <<<--this file
    c:\windows\system32\f3PSSavr.scr <<<--this file
    c:\windows\system32\winsrv32.exe <<<--this file
    C:\WINDOWS\rfscanax.dll <<<--this file
    m3ffxtbr.jar<<<--this file
    riched20.dll <<<--this file
    explorer.dll<<<--this file


    To exit Safe Mode, click the Start button, click Turn Off Computer, click Restart.

    Post a new HJT log back into this thread please.
     
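As an added illustration (not part of the thread, and not HijackThis code), the script below parses lines in the HJT log format and applies mechanical versions of the checks TeMerc made by hand: an O4 autostart entry whose name imitates a Windows binary (winlogons.exe) but runs from outside the Windows directory, an O20 Winlogon Notify hook whose DLL is missing, plus "review" notes for dead O9 buttons, repeated O10 LSP lines and O23 services with no publisher name. The sample lines in SAMPLE_LOG are copied from the log posted above; the lookalike list, prefixes and severities are the example's own assumptions, not rules HijackThis or the helper defined.

```python
"""Triage of a HijackThis (HJT) log: parse the section-prefixed lines and run
a few mechanical checks mirroring what the helper did by hand in this thread.
Added example, not HijackThis code. SAMPLE_LOG is copied from the log posted
above, trimmed to the lines the checks need."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k
O4 - HKLM\..\Run: [winlogons.exe] C:\Program Files\Free KGB Key Logger\winlogons.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O20 - Winlogon Notify: explorer - explorer.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.+)$")
RUN_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<command>.*)$")
# Assumed list: binary names malware likes to imitate; the real ones live under C:\WINDOWS.
LOOKALIKES = ("winlogon", "svchost", "explorer", "lsass", "csrss", "services")
WINDOWS_PREFIXES = ("c:\\windows\\", "%windir%", "%systemroot%")


@dataclass
class Finding:
    severity: str   # "fix" = remove with HJT, "review" = verify by hand first
    section: str
    reason: str
    line: str


def run_target(command: str) -> str:
    """Executable path from an O4 command string (quoted or unquoted, with args)."""
    command = command.strip()
    if command.startswith('"') and command.count('"') >= 2:
        return command[1:command.index('"', 1)]
    m = re.search(r"\.(exe|dll|scr|cpl|bat|cmd)\b", command, re.I)
    return command[:m.end()] if m else command.split()[0]


def check_run_entry(body: str) -> Optional[str]:
    """Reason string if an O4 autostart entry looks like a planted binary, else None."""
    m = RUN_RE.search(body)
    if not m:
        return None
    target = run_target(m.group("command"))
    base = target.lower().replace("/", "\\").rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    in_windows = target.lower().startswith(WINDOWS_PREFIXES)
    if base.startswith(LOOKALIKES) and not in_windows:
        return f"system-binary lookalike '{base}' running from outside the Windows directory"
    if "key logger" in target.lower() or "keylog" in target.lower():
        return "autostart entry names itself a keylogger"
    return None


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    lsp_seen: Dict[str, int] = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        if section == "O4":
            reason = check_run_entry(body)
            if reason:
                findings.append(Finding("fix", section, reason, line))
        elif section == "O20" and "(file missing)" in body:
            # Winlogon Notify DLLs load into winlogon.exe at logon; a registration
            # whose DLL is gone is a dead hook, commonly left behind by malware.
            findings.append(Finding("fix", section, "Winlogon Notify entry for a missing DLL", line))
        elif section == "O9" and "(file missing)" in body:
            findings.append(Finding("review", section, "dead IE button (uninstaller leftover)", line))
        elif section == "O10":
            dll = body.split(": ", 1)[-1].strip().lower()
            lsp_seen[dll] = lsp_seen.get(dll, 0) + 1
        elif section == "O23" and "Unknown owner" in body:
            # HJT prints "Unknown owner" when the service binary carries no
            # company name in its version resource; verify the file by hand.
            findings.append(Finding("review", section, "service binary has no publisher name", line))
    for dll, n in lsp_seen.items():
        # One LSP DLL layered over several protocol chains shows as repeated
        # lines; that alone is normal. Identify the DLL before touching the
        # Winsock chain, because removing a live LSP breaks networking.
        findings.append(Finding("review", "O10", f"unrecognised Winsock LSP {dll} ({n} chains)", dll))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:6} {f.section:4} {f.reason}\n       {f.line}")
```

Run it as-is to see the two "fix" items (the keylogger's winlogons.exe and the dangling explorer.dll hook) separated from the "review" items; point `triage()` at a full log file to apply the same rules to an entire HJT output.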
