
Bsod

Discussion in 'Windows XP' started by timeoutgang, 2006/12/04.

  1. 2006/12/04
    timeoutgang

    timeoutgang Inactive Thread Starter (Joined: 2006/05/09, Messages: 148, Likes Received: 0)
    Hi,
    Keep getting BSOD on my laptop. TeMerc has rid me of viruses, trojans etc, however, BSOD remains. More info on this can be found in the "Removing Spyware" forum. Was instructed to run debugwiz & post log here. Which I have:-

    Opened log file 'c:\debuglog.txt'

    Microsoft (R) Windows Debugger Version 6.6.0007.5
    Copyright (c) Microsoft Corporation. All rights reserved.


    Loading Dump File [C:\WINDOWS\Minidump\Mini120106-01.dmp]
    Mini Kernel Dump File: Only registers and stack trace are available

    Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
    Executable search path is: C:\WINDOWS;C:\WINDOWS\system32;C:\WINDOWS\system32\drivers
    Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
    Product: WinNt, suite: TerminalServer SingleUserTS Personal
    Built by: 2600.xpsp_sp2_gdr.050301-1519
    Kernel base = 0x804d7000 PsLoadedModuleList = 0x805531a0
    Debug session time: Thu Nov 30 18:07:20.687 2006 (GMT+0)
    System Uptime: 0 days 0:05:43.291
    Loading Kernel Symbols
    ..................................................................................................................................................
    Loading User Symbols
    Loading unloaded module list
    .........
    *******************************************************************************
    * *
    * Bugcheck Analysis *
    * *
    *******************************************************************************

    Use !analyze -v to get detailed debugging information.

    BugCheck 5, {0, 86f426a0, 1, 0}

    Unable to load image usbkbd.sys, Win32 error 2
    *** WARNING: Unable to verify timestamp for usbkbd.sys
    *** ERROR: Module load completed but symbols could not be loaded for usbkbd.sys
    Probably caused by : usbkbd.sys ( usbkbd+76a9 )

    Followup: MachineOwner
    ---------

    kd> !analyze -v;r;kv;lmtn;.logclose;q
    *******************************************************************************
    * *
    * Bugcheck Analysis *
    * *
    *******************************************************************************

    INVALID_PROCESS_ATTACH_ATTEMPT (5)
    Arguments:
    Arg1: 00000000
    Arg2: 86f426a0
    Arg3: 00000001
    Arg4: 00000000

    Debugging Details:
    ------------------


    CUSTOMER_CRASH_COUNT: 1

    DEFAULT_BUCKET_ID: DRIVER_FAULT

    BUGCHECK_STR: 0x5

    PROCESS_NAME: explorer.exe

    LAST_CONTROL_TRANSFER: from 804f75a0 to 804f8925

    STACK_TEXT:
    f6aefcbc 804f75a0 00000005 00000000 86f426a0 nt!KeBugCheckEx+0x1b
    f6aefce0 f3e6e6a9 00000000 86f83c10 00000000 nt!KeAttachProcess+0x64
    WARNING: Stack unwind information not available. Following frames may be wrong.
    f6aefd30 f3e6f885 86f83c10 f6aefdb4 00000104 usbkbd+0x76a9
    f6aefd8c f3e70184 f6aefdb4 00000104 f3e8fa00 usbkbd+0x8885
    f6aeffec f3e7488c 80536d74 00000000 f3e8d198 usbkbd+0x9184
    f6af0240 f3e76adb f3e8f2e0 f3e8f7a8 00000000 usbkbd+0xd88c
    f6af0dac 805c4a06 86deade0 00000000 00000000 usbkbd+0xfadb
    f6af0ddc 80540fa2 f3e76388 f3e8d198 00000000 nt!PspSystemThreadStartup+0x34
    00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16


    STACK_COMMAND: kb

    FOLLOWUP_IP:
    usbkbd+76a9
    f3e6e6a9 ?? ???

    SYMBOL_STACK_INDEX: 2

    FOLLOWUP_NAME: MachineOwner

    MODULE_NAME: usbkbd

    IMAGE_NAME: usbkbd.sys

    DEBUG_FLR_IMAGE_TIMESTAMP: 435f6140

    SYMBOL_NAME: usbkbd+76a9

    FAILURE_BUCKET_ID: 0x5_usbkbd+76a9

    BUCKET_ID: 0x5_usbkbd+76a9

    Followup: MachineOwner
    ---------

    eax=ffdff13c ebx=86f426a0 ecx=00000000 edx=00000000 esi=864feb58 edi=00000000
    eip=804f8925 esp=f6aefca4 ebp=f6aefcbc iopl=0 nv up ei ng nz na pe nc
    cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000286
    nt!KeBugCheckEx+0x1b:
    804f8925 5d pop ebp
    ChildEBP RetAddr Args to Child
    f6aefcbc 804f75a0 00000005 00000000 86f426a0 nt!KeBugCheckEx+0x1b (FPO: [Non-Fpo])
    f6aefce0 f3e6e6a9 00000000 86f83c10 00000000 nt!KeAttachProcess+0x64 (FPO: [Non-Fpo])
    WARNING: Stack unwind information not available. Following frames may be wrong.
    f6aefd30 f3e6f885 86f83c10 f6aefdb4 00000104 usbkbd+0x76a9
    f6aefd8c f3e70184 f6aefdb4 00000104 f3e8fa00 usbkbd+0x8885
    f6aeffec f3e7488c 80536d74 00000000 f3e8d198 usbkbd+0x9184
    f6af0240 f3e76adb f3e8f2e0 f3e8f7a8 00000000 usbkbd+0xd88c
    f6af0dac 805c4a06 86deade0 00000000 00000000 usbkbd+0xfadb
    f6af0ddc 80540fa2 f3e76388 f3e8d198 00000000 nt!PspSystemThreadStartup+0x34 (FPO: [Non-Fpo])
    00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
    start end module name
    804d7000 806cd280 nt ntkrnlpa.exe Wed Mar 02 00:34:37 2005 (42250A1D)
    806ce000 806ee380 hal halaacpi.dll Wed Aug 04 06:59:05 2004 (41107B29)
    b8de3000 b8e0d180 kmixer kmixer.sys Wed Jun 14 09:47:45 2006 (448FCD31)
    b9758000 b977a080 RDPWD RDPWD.SYS Fri Jun 10 00:52:39 2005 (42A8D647)
    b9e33000 b9e44500 tmcomm tmcomm.sys Mon Jul 31 07:41:15 2006 (44CDA60B)
    ba058000 ba07ff00 secdrv secdrv.sys Tue Aug 31 14:42:55 2004 (4134805F)
    ba0a3000 ba0b7400 wdmaud wdmaud.sys Wed Jun 14 10:00:44 2006 (448FD03C)
    ba180000 ba1d1480 srv srv.sys Mon Aug 14 11:34:39 2006 (44E051BF)
    ba1fa000 ba23a280 HTTP HTTP.sys Fri Mar 17 00:33:09 2006 (441A03C5)
    ba32b000 ba357400 mrxdav mrxdav.sys Wed Aug 04 07:00:49 2004 (41107B91)
    ba388000 ba396d80 sysaudio sysaudio.sys Wed Aug 04 07:15:54 2004 (41107F1A)
    ba400000 ba402e40 mdmxsdk mdmxsdk.sys Wed Mar 17 19:04:10 2004 (4058A12A)
    ba664000 ba667280 ndisuio ndisuio.sys Wed Aug 04 07:03:10 2004 (41107C1E)
    ba6d8000 ba6e0080 ipfltdrv ipfltdrv.sys Fri Aug 17 21:55:07 2001 (3B7D84AB)
    ba728000 ba72a8c0 s24trans s24trans.sys Tue Aug 31 16:53:03 2004 (41349EDF)
    ba72c000 ba72fba0 AegisP AegisP.sys Fri Jul 23 15:33:15 2004 (410121AB)
    ba740000 ba7588c0 tfsnudfa tfsnudfa.sys Tue May 31 23:50:00 2005 (429CEA18)
    ba759000 ba771160 tfsnudf tfsnudf.sys Tue May 31 23:49:19 2005 (429CE9EF)
    ba772000 ba787320 tfsnifs tfsnifs.sys Tue May 31 23:49:14 2005 (429CE9EA)
    ba7fc000 ba7ffaa0 tfsnopio tfsnopio.sys Tue May 31 23:49:37 2005 (429CEA01)
    bf000000 bf011580 dxg dxg.sys Wed Aug 04 07:00:51 2004 (41107B93)
    bf012000 bf3cd200 nv4_disp nv4_disp.dll Thu Jul 07 04:31:12 2005 (42CCA200)
    bf800000 bf9c1180 win32k win32k.sys Thu Oct 06 01:05:44 2005 (43446A58)
    f3ccc000 f3ce3480 dump_atapi dump_atapi.sys Wed Aug 04 06:59:41 2004 (41107B4D)
    f3ce4000 f3dab620 avg7core avg7core.sys Mon Oct 23 19:52:56 2006 (453D0F88)
    f3dac000 f3dccf00 ipnat ipnat.sys Wed Sep 29 23:28:36 2004 (415B3714)
    f3dcd000 f3e3ba00 mrxsmb mrxsmb.sys Fri May 05 10:41:42 2006 (445B1DD6)
    f3e3c000 f3e66a00 rdbss rdbss.sys Fri May 05 10:47:55 2006 (445B1F4B)
    f3e67000 f3ed1380 usbkbd usbkbd.sys Wed Oct 26 11:58:08 2005 (435F6140)
    f3ed2000 f3ef3d00 afd afd.sys Wed Aug 04 07:14:13 2004 (41107EB5)
    f3ef4000 f3f1bc00 netbt netbt.sys Wed Aug 04 07:14:36 2004 (41107ECC)
    f3f1c000 f3f73d80 tcpip tcpip.sys Thu Apr 20 12:51:47 2006 (444775D3)
    f3f74000 f3f86400 ipsec ipsec.sys Wed Aug 04 07:14:27 2004 (41107EC3)
    f3fd7000 f3fd9900 Dxapi Dxapi.sys Fri Aug 17 21:53:19 2001 (3B7D843F)
    f6084000 f60b7200 update update.sys Wed Aug 04 06:58:32 2004 (41107B08)
    f6158000 f6168e00 psched psched.sys Wed Aug 04 07:04:16 2004 (41107C60)
    f6169000 f617f680 ndiswan ndiswan.sys Wed Aug 04 07:14:30 2004 (41107EC6)
    f6180000 f61bd000 iwca iwca.sys Thu Aug 12 16:44:02 2004 (411B9042)
    f61bd000 f61d6c00 Apfiltr Apfiltr.sys Tue Nov 16 01:03:51 2004 (419951F7)
    f61d7000 f627e400 HSF_CNXT HSF_CNXT.sys Thu Jun 17 23:55:36 2004 (40D22168)
    f627f000 f637d480 HSF_DP HSF_DP.sys Thu Jun 17 23:55:00 2004 (40D22144)
    f637e000 f63aed80 HSFHWICH HSFHWICH.sys Thu Jun 17 23:57:01 2004 (40D221BD)
    f63af000 f63d1680 ks ks.sys Wed Aug 04 07:15:20 2004 (41107EF8)
    f63d2000 f63f5980 portcls portcls.sys Wed Aug 04 07:15:47 2004 (41107F13)
    f63f6000 f6438a00 STAC97 STAC97.sys Thu Mar 10 22:56:01 2005 (4230D081)
    f6439000 f6748d00 w29n51 w29n51.sys Fri Oct 22 00:56:03 2004 (41784C93)
    f6749000 f6759800 sdbus sdbus.sys Wed Aug 04 07:07:47 2004 (41107D33)
    f675a000 f677ce80 USBPORT USBPORT.SYS Wed Aug 04 07:08:34 2004 (41107D62)
    f677d000 f6790780 VIDEOPRT VIDEOPRT.SYS Wed Aug 04 07:07:04 2004 (41107D08)
    f6791000 f6aa0700 nv4_mini nv4_mini.sys Thu Jul 07 04:36:01 2005 (42CCA321)
    f7295000 f7298c80 mssmbios mssmbios.sys Wed Aug 04 07:07:47 2004 (41107D33)
    f7299000 f729cc80 serenum serenum.sys Wed Aug 04 06:59:06 2004 (41107B2A)
    f72d2000 f72ec580 Mup Mup.sys Wed Aug 04 07:15:20 2004 (41107EF8)
    f72ed000 f7319a80 NDIS NDIS.sys Wed Aug 04 07:14:27 2004 (41107EC3)
    f731a000 f73a6480 Ntfs Ntfs.sys Wed Aug 04 07:15:06 2004 (41107EEA)
    f73a7000 f73bd780 KSecDD KSecDD.sys Wed Aug 04 06:59:45 2004 (41107B51)
    f73be000 f73d30c0 drvmcdb drvmcdb.sys Fri Apr 22 23:56:10 2005 (4269810A)
    f73d4000 f73e5f00 sr sr.sys Wed Aug 04 07:06:22 2004 (41107CDE)
    f73e6000 f7405780 fltMgr fltMgr.sys Mon Aug 21 10:14:57 2006 (44E97991)
    f7406000 f741d480 atapi atapi.sys Wed Aug 04 06:59:41 2004 (41107B4D)
    f741e000 f743c880 ftdisk ftdisk.sys Fri Aug 17 21:52:41 2001 (3B7D8419)
    f743d000 f745a480 pcmcia pcmcia.sys Wed Aug 04 07:07:45 2004 (41107D31)
    f745b000 f746ba80 pci pci.sys Wed Aug 04 07:07:45 2004 (41107D31)
    f746c000 f7499d80 ACPI ACPI.sys Wed Aug 04 07:07:35 2004 (41107D27)
    f759b000 f75a3c00 isapnp isapnp.sys Fri Aug 17 21:58:01 2001 (3B7D8559)
    f75ab000 f75b5500 MountMgr MountMgr.sys Wed Aug 04 06:58:29 2004 (41107B05)
    f75bb000 f75c7c80 VolSnap VolSnap.sys Wed Aug 04 07:00:14 2004 (41107B6E)
    f75cb000 f75d3e00 disk disk.sys Wed Aug 04 06:59:53 2004 (41107B59)
    f75db000 f75e7200 CLASSPNP CLASSPNP.SYS Wed Aug 04 07:14:26 2004 (41107EC2)
    f75eb000 f75f9e80 ohci1394 ohci1394.sys Wed Aug 04 07:10:05 2004 (41107DBD)
    f75fb000 f7608000 1394BUS 1394BUS.SYS Wed Aug 04 07:10:03 2004 (41107DBB)
    f761b000 f762a180 nic1394 nic1394.sys Wed Aug 04 06:58:28 2004 (41107B04)
    f762b000 f7639080 redbook redbook.sys Wed Aug 04 06:59:34 2004 (41107B46)
    f763b000 f7644560 VcommMgr VcommMgr.sys Fri Nov 05 03:39:07 2004 (418AF5DB)
    f764b000 f7657880 rasl2tp rasl2tp.sys Wed Aug 04 07:14:21 2004 (41107EBD)
    f765b000 f7665200 raspppoe raspppoe.sys Wed Aug 04 07:05:06 2004 (41107C92)
    f766b000 f7676d00 raspptp raspptp.sys Wed Aug 04 07:14:26 2004 (41107EC2)
    f767b000 f7683900 msgpc msgpc.sys Wed Aug 04 07:04:11 2004 (41107C5B)
    f768b000 f7694f00 termdd termdd.sys Wed Aug 04 06:58:52 2004 (41107B1C)
    f769b000 f76a4480 NDProxy NDProxy.SYS Fri Aug 17 21:55:30 2001 (3B7D84C2)
    f76bb000 f76c9100 usbhub usbhub.sys Wed Aug 04 07:08:40 2004 (41107D68)
    f76cb000 f76d3700 netbios netbios.sys Wed Aug 04 07:03:19 2004 (41107C27)
    f76eb000 f76f3880 Fips Fips.SYS Sat Aug 18 02:31:49 2001 (3B7DC585)
    f76fb000 f7703700 wanarp wanarp.sys Wed Aug 04 07:04:57 2004 (41107C89)
    f770b000 f7719d80 arp1394 arp1394.sys Wed Aug 04 06:58:28 2004 (41107B04)
    f772b000 f77345a0 drvnddm drvnddm.sys Thu Apr 21 21:43:05 2005 (42681059)
    f773b000 f77437e0 tfsncofs tfsncofs.sys Tue May 31 23:49:32 2005 (429CE9FC)
    f775b000 f776a900 Cdfs Cdfs.SYS Wed Aug 04 07:14:09 2004 (41107EB1)
    f77bb000 f77c3d00 intelppm intelppm.sys Wed Aug 04 06:59:19 2004 (41107B37)
    f77cb000 f77d5f80 bcm4sbxp bcm4sbxp.sys Wed May 26 23:18:17 2004 (40B517A9)
    f77db000 f77e9b80 drmk drmk.sys Wed Aug 04 07:07:54 2004 (41107D3A)
    f77eb000 f77f7e00 i8042prt i8042prt.sys Wed Aug 04 07:14:36 2004 (41107ECC)
    f77fb000 f7805380 imapi imapi.sys Wed Aug 04 07:00:12 2004 (41107B6C)
    f780b000 f7817180 cdrom cdrom.sys Wed Aug 04 06:59:52 2004 (41107B58)
    f781b000 f7821200 PCIIDEX PCIIDEX.SYS Wed Aug 04 06:59:40 2004 (41107B4C)
    f7823000 f7827900 PartMgr PartMgr.sys Sat Aug 18 02:32:23 2001 (3B7DC5A7)
    f782b000 f782f180 extfs extfs.sys Tue Sep 27 08:45:36 2005 (4338F8A0)
    f7833000 f7837de0 PxHelp20 PxHelp20.sys Thu Jan 27 01:32:51 2005 (41F844C3)
    f783b000 f7841de0 BTHidMgr BTHidMgr.sys Tue Oct 19 06:40:54 2004 (4174A8E6)
    f786b000 f7871000 symlcbrd symlcbrd.sys Fri Sep 03 02:56:06 2004 (4137CF36)
    f7873000 f7879f00 avg7rsxp avg7rsxp.sys Mon Jun 19 09:21:28 2006 (44965E88)
    f789b000 f78a0500 TDTCP TDTCP.SYS Wed Aug 04 06:58:52 2004 (41107B1C)
    f78ab000 f78af500 watchdog watchdog.sys Wed Aug 04 07:07:32 2004 (41107D24)
    f78db000 f78e1440 tfsnboio tfsnboio.sys Tue May 31 23:49:20 2005 (429CE9F0)
    f792b000 f7930000 usbuhci usbuhci.sys Wed Aug 04 07:08:34 2004 (41107D62)
    f7933000 f7939800 usbehci usbehci.sys Wed Aug 04 07:08:34 2004 (41107D62)
    f793b000 f7942580 Modem Modem.SYS Wed Aug 04 07:08:04 2004 (41107D44)
    f7943000 f7948a00 mouclass mouclass.sys Wed Aug 04 06:58:32 2004 (41107B08)
    f794b000 f7951000 kbdclass kbdclass.sys Wed Aug 04 06:58:32 2004 (41107B08)
    f7953000 f7957880 TDI TDI.SYS Wed Aug 04 07:07:47 2004 (41107D33)
    f795b000 f795f580 ptilink ptilink.sys Fri Aug 17 21:49:53 2001 (3B7D8371)
    f7963000 f7967080 raspti raspti.sys Fri Aug 17 21:55:32 2001 (3B7D84C4)
    f796b000 f7972040 VComm VComm.sys Tue Oct 19 06:37:37 2004 (4174A821)
    f7973000 f79772c0 omci omci.sys Fri Feb 13 16:45:58 2004 (402CFF46)
    f7983000 f7988bc0 ssrtln ssrtln.sys Fri May 13 18:37:18 2005 (4284E5CE)
    f798b000 f7990200 vga vga.sys Wed Aug 04 07:07:06 2004 (41107D0A)
    f7993000 f7997a80 Msfs Msfs.SYS Wed Aug 04 07:00:37 2004 (41107B85)
    f799b000 f79a2880 Npfs Npfs.SYS Wed Aug 04 07:00:38 2004 (41107B86)
    f79a3000 f79a7180 tdiip tdiip.sys Tue Sep 27 08:45:21 2005 (4338F891)
    f79ab000 f79ae000 BOOTVID BOOTVID.dll Fri Aug 17 21:49:09 2001 (3B7D8345)
    f79af000 f79b1480 compbatt compbatt.sys Fri Aug 17 21:57:58 2001 (3B7D8556)
    f79b3000 f79b6700 BATTC BATTC.SYS Fri Aug 17 21:57:52 2001 (3B7D8550)
    f7a37000 f7a39280 rasacd rasacd.sys Fri Aug 17 21:55:39 2001 (3B7D84CB)
    f7a67000 f7a6af00 APPDRV APPDRV.SYS Wed Jun 30 16:39:34 2004 (40E2DEB6)
    f7a7b000 f7a7e700 CmBatt CmBatt.sys Wed Aug 04 07:07:39 2004 (41107D2B)
    f7a8b000 f7a8d580 ndistapi ndistapi.sys Fri Aug 17 21:55:29 2001 (3B7D84C1)
    f7a9b000 f7a9cb80 kdcom kdcom.dll Fri Aug 17 21:49:10 2001 (3B7D8346)
    f7a9d000 f7a9e100 WMILIB WMILIB.SYS Fri Aug 17 22:07:23 2001 (3B7D878B)
    f7a9f000 f7aa0580 intelide intelide.sys Wed Aug 04 06:59:40 2004 (41107B4C)
    f7ad9000 f7ada5c0 sscdbhk5 sscdbhk5.sys Fri May 13 18:37:26 2005 (4284E5D6)
    f7adb000 f7adc100 swenum swenum.sys Wed Aug 04 06:58:41 2004 (41107B11)
    f7adf000 f7ae0280 USBD USBD.SYS Fri Aug 17 22:02:58 2001 (3B7D8682)
    f7ae3000 f7ae5000 i2omgmt i2omgmt.SYS Wed Aug 04 07:00:50 2004 (41107B92)
    f7ae5000 f7ae6f00 Fs_Rec Fs_Rec.SYS Fri Aug 17 21:49:37 2001 (3B7D8361)
    f7ae7000 f7ae8080 Beep Beep.SYS Fri Aug 17 21:47:33 2001 (3B7D82E5)
    f7ae9000 f7aea080 mnmdd mnmdd.SYS Fri Aug 17 21:57:28 2001 (3B7D8538)
    f7aeb000 f7aec080 RDPCDD RDPCDD.sys Fri Aug 17 21:46:56 2001 (3B7D82C0)
    f7aff000 f7b00080 avg7rsw avg7rsw.sys Tue Jul 26 13:10:51 2005 (42E6284B)
    f7b1b000 f7b1c100 dump_WMILIB dump_WMILIB.SYS Fri Aug 17 22:07:23 2001 (3B7D878B)
    f7b51000 f7b528a0 tfsnpool tfsnpool.sys Tue May 31 23:49:15 2005 (429CE9EB)
    f7b63000 f7b63d00 pciide pciide.sys Fri Aug 17 21:51:49 2001 (3B7D83E5)
    f7be5000 f7be5c00 audstub audstub.sys Fri Aug 17 21:59:40 2001 (3B7D85BC)
    f7c92000 f7c92d00 dxgthk dxgthk.sys Fri Aug 17 21:53:12 2001 (3B7D8438)
    f7ca8000 f7ca8b80 Null Null.SYS Fri Aug 17 21:47:39 2001 (3B7D82EB)
    f7ca9000 f7ca9f80 avgclean avgclean.sys Mon Aug 21 23:55:15 2006 (44EA39D3)
    f7cd0000 f7cd0880 tfsndres tfsndres.sys Tue May 31 23:50:05 2005 (429CEA1D)
    f7cd1000 f7cd1fe0 tfsndrct tfsndrct.sys Tue May 31 23:49:36 2005 (429CEA00)

    Unloaded modules:
    f7b9e000 f7b9f000 drmkaud.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    ba02d000 ba058000 kmixer.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    ba2cb000 ba2d8000 DMusic.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    ba358000 ba366000 swmidi.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    ba080000 ba0a3000 aec.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    f7b0f000 f7b11000 splitter.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    f76db000 f76eb000 serial.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    f797b000 f7980000 Cdaudio.SYS
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    f7a33000 f7a36000 Sfloppy.SYS
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    Closing open log file c:\debuglog.txt
     
  2. 2006/12/04
    cpc2004

    cpc2004 Inactive (Joined: 2005/07/08, Messages: 366, Likes Received: 0)
    Software error

    Routine usbkbd+0x76a9 invokes KeAttachProcess and the input parameter is zero. Hence Windows crashes with bugcheck 05 and it is a software error of usbkbd.sys. Upgrading usbkbd resolves the blue screen problem.

    STACK_TEXT:
    f6aefcbc 804f75a0 00000005 00000000 86f426a0 nt!KeBugCheckEx+0x1b
    f6aefce0 f3e6e6a9 00000000 86f83c10 00000000 nt!KeAttachProcess+0x64
    Remark 00000000 is the input parameter to KeAttachProcess
    f6aefd30 f3e6f885 86f83c10 f6aefdb4 00000104 usbkbd+0x76a9
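
The check described in the reply above, as an added example that is not part of the original thread: it reads the WinDbg log, finds the kernel routine that raised the bugcheck and the arguments it received, and resolves the return address against the `lmtn` module list instead of trusting the symbol names after the "Stack unwind information not available" warning. The function names are introduced here for illustration; the sample text is an excerpt of the log posted in this thread.

```python
import re

# Excerpt copied from the debuglog.txt posted in this thread (trimmed).
LOG_EXCERPT = """\
BugCheck 5, {0, 86f426a0, 1, 0}
Unable to load image usbkbd.sys, Win32 error 2
STACK_TEXT:
f6aefcbc 804f75a0 00000005 00000000 86f426a0 nt!KeBugCheckEx+0x1b
f6aefce0 f3e6e6a9 00000000 86f83c10 00000000 nt!KeAttachProcess+0x64
WARNING: Stack unwind information not available. Following frames may be wrong.
f6aefd30 f3e6f885 86f83c10 f6aefdb4 00000104 usbkbd+0x76a9

start end module name
804d7000 806cd280 nt ntkrnlpa.exe Wed Mar 02 00:34:37 2005 (42250A1D)
f3e3c000 f3e66a00 rdbss rdbss.sys Fri May 05 10:47:55 2006 (445B1F4B)
f3e67000 f3ed1380 usbkbd usbkbd.sys Wed Oct 26 11:58:08 2005 (435F6140)
f3ed2000 f3ef3d00 afd afd.sys Wed Aug 04 07:14:13 2004 (41107EB5)
"""

# ChildEBP, RetAddr and three "Args to Child" words, then the symbol.
FRAME_RE = re.compile(r"^((?:[0-9a-f]{8} ){5})(\S+)", re.I)
# start, end, module name, image name, ..., (link timestamp)
MODULE_RE = re.compile(
    r"^([0-9a-f]{8}) ([0-9a-f]{8}) (\S+) (\S+) .*\(([0-9a-f]{8})\)\s*$", re.I)
KERNEL_MODULES = {"nt", "hal"}


def parse_stack(log):
    """Return the frames of the first STACK_TEXT section, top of stack first."""
    frames, in_stack = [], False
    for line in log.splitlines():
        line = line.strip()
        if line.startswith("STACK_TEXT"):
            in_stack = True
            continue
        if not in_stack:
            continue
        m = FRAME_RE.match(line)
        if m:
            words = [int(w, 16) for w in m.group(1).split()]
            frames.append({"ret_addr": words[1], "args": words[2:],
                           "symbol": m.group(2)})
        elif frames and not line.startswith("WARNING"):
            break  # first non-frame line after the frames ends the section
    return frames


def parse_modules(log):
    """Return the loaded-module ranges from the lmtn listing."""
    modules = []
    for line in log.splitlines():
        m = MODULE_RE.match(line.strip())
        if m:
            modules.append({"start": int(m.group(1), 16),
                            "end": int(m.group(2), 16),
                            "name": m.group(3), "image": m.group(4),
                            "timestamp": int(m.group(5), 16)})
    return modules


def resolve(addr, modules):
    """Map an address to (module, offset) using the module ranges."""
    for mod in modules:
        if mod["start"] <= addr < mod["end"]:
            return mod, addr - mod["start"]
    return None, None


def triage(log):
    """Find the first kernel frame that returns into a non-kernel module."""
    bc = re.search(r"BugCheck ([0-9a-f]+), \{([^}]*)\}", log, re.I)
    load_errors = dict(
        re.findall(r"Unable to load image (\S+), Win32 error (\d+)", log))
    modules = parse_modules(log)
    for frame in parse_stack(log):
        mod, offset = resolve(frame["ret_addr"], modules)
        if mod is None or mod["name"] in KERNEL_MODULES:
            continue
        return {
            "bugcheck": int(bc.group(1), 16) if bc else None,
            "bugcheck_args": ([int(a.strip(), 16)
                               for a in bc.group(2).split(",")] if bc else []),
            "callee": frame["symbol"].split("+")[0],
            "callee_args": frame["args"],
            "caller": f'{mod["name"]}+0x{offset:x}',
            "image": mod["image"],
            "image_size": mod["end"] - mod["start"],
            "link_timestamp": mod["timestamp"],
            # Win32 error 2 is ERROR_FILE_NOT_FOUND on the analysing machine.
            "image_load_error": load_errors.get(mod["image"]),
        }
    return None


if __name__ == "__main__":
    for key, value in triage(LOG_EXCERPT).items():
        print(f"{key}: {value}")
```
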
     


  4. 2006/12/04
    mailman Lifetime Subscription

    mailman Geek Member (Joined: 2004/01/17, Messages: 1,901, Likes Received: 11)
    Hi, timeoutgang.

    I reviewed your related thread where you stated you could not find C:\WINDOWS\system32\drivers\usbkbd.sys

    usbkbd.sys is apparently somewhere in your computer.

    Given that you apparently have had problems with traces of keyloggers mysteriously appearing on your system, I can't help thinking you're still somehow running a keylogger.

    In fact, I still see the following in your BSOD info above:

    Anyhow, let's do a search of your hard drives for usbkbd.sys and see what we can come up with.

    1. Click Start > All Programs > Accessories > Windows Explorer
    2. Click Tools > Folder Options > "View" tab
    3. Enable "Show hidden files and folders"
    4. UNcheck "Hide extensions for known filetypes"
    5. UNcheck "Hide protected operating system files (Recommended)"
    6. Click the "Apply to All Folders" button.
    7. Click the "Apply" button.
    8. Click the OK button.

    1. Click Start > Search
    2. Select "All files and folders"
    3. Type (or paste) usbkbd.sys in the "All or part of the file name:" field.
    4. Select "All hard drives" in the "Look in:" field.
    5. Click the "Search" button.

    Please provide the exact path(s) of any matches found and also the properties of each as instructed in my post in the related thread:

    • Right-click on the usbkbd.sys filename and select "Properties".
    • Write down the information under the "General", "Version", and "Summary" tabs in the "usbkbd.sys Properties" window.
      Under the "Version" tab, you can click on each of the items under "Item Name:" in the "Other version information" section to see additional details about the file.

    It may be helpful to do similar searches for tdiip.sys and extfs.sys as well and give us that information.
     
  5. 2006/12/05
    timeoutgang

    Mailman, did as instructed in previous post, however, none of the files found? Could these have been removed in my previous thread within the "Removing viruses" forum? Is it possible to run another log of some sort to see if they are still present?
     
  6. 2006/12/05
    timeoutgang

    Haven't had a BSOD for about 2 days now, so hopefully, things are back to normal! Unfortunately, I have a problem with riched.dll & am unable to run adwarese due to this problem. Error message is "Entry point not found. The procedure entry point RichEdit10ANSIWndProc could not be located in the dynamic link library RICHED20.dll"
     
  7. 2006/12/06
    mailman Lifetime Subscription

    Hi, timeoutgang. I'm glad you haven't had recent BSODs. :)

    That's strange that those files did not appear during your searches. :confused:

    Since that BSOD apparently happened after you and TeMerc had exhausted ideas for locating/removing malware, then I'm guessing those suspect files have not been removed or they reappeared after your cleaning. I find it puzzling that those suspect files still show up in your November 30 BSOD info. Perhaps there is undetected malware that keeps replacing those files (usbkbd.sys, extfs.sys, tdiip.sys) if deleted.

    Your most recent HJT log in your related thread is dated November 15. I am wondering if a new HJT log would show any signs of malware.

    Also, since TeMerc had you delete suspicious batch files from your root directory:
    • 2006-09-26 19:30 163 --a------ C:\obgakx.bat
    • 2006-09-26 19:30 163 --a------ C:\fncbde.bat
    • 2006-09-26 19:29 163 --a------ C:\ixrnbm.bat

    I wonder if TeMerc missed:
    • 2006-10-07 21:44 20 --a------ C:\WINDOWS\rem.bat
    or if it is a legitimate batch file. (Perhaps that rem.bat file was placed there by one of your anti-malware programs that TeMerc had you use. If so, I am puzzled about the "2006-10-07" date since the date you started your related thread is October 20.)

    There is no "rem.bat" file in my C:\WINDOWS directory or anywhere else in my computer. It might be interesting to see the contents of that batch file. If you open Notepad and then use Notepad to open the rem.bat file, you can see the text contents of the batch file. Choose "Files of type: All Files" to see the rem.bat file listed. (Do NOT "Open" the file or double-click it from within Windows Explorer because I suspect that would run the batch file.)

    If the contents of your rem.bat file look like something we should see, please paste that info here.

    Please search your hard drives for RICHED20.dll and let us know the properties (path, version, file size, date, etc.) for your RICHED20.dll file(s). Perhaps you just need to replace your RICHED20.dll file with a different one suggested in the Lavasoft forum thread TeMerc linked in your related thread.
     
  8. 2006/12/06
    timeoutgang

    Mailman, thanks for your reply.
    The contents of the rem.bat file are "C:\WINDOWS\rem.rdp"

    I have three riched20.dll files on my system. Properties as follows:-

    First one is located in "C:\WINDOWS\system". Version 2.0. File size 279Kb. File Version 5.0.150.0. Date created 16/07/1999.

    Second one is located in "C:\WINDOWS\system32". Version 2.0. File size 279Kb. File Version 5.0.150.0. Date created 16/07/1999.

    Third one is located in "C:\ProgramFiles\Common Files\Microsoft Shared\Office10". Version 4.0. File size 500Kb. File Version 5.40.11.2212. Date created 15/09/2003.

    Fresh HJT below:-
    Logfile of HijackThis v1.99.1
    Scan saved at 09:55:10, on 06/12/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\SiteAdvisor\4608\SAService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\UAService7.exe
    C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
    C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    C:\Program Files\SiteAdvisor\4608\SiteAdv.exe
    C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\4608\SiteAdv.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\4608\SiteAdv.dll
    O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /installquiet
    O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint\Apoint.exe "
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
    O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\4608\SiteAdv.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZCxdm594YYGB
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
    O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.euro.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://jemmaconners.spaces.live.com//PhotoUpload/MsnPUpld.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1139423841203
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows/Initial/VideoEggPublisher.exe
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
    O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - https://online.eversheds.com/viewer/activeXViewer/activexviewer.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4825/mcfscan.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\4608\SiteAdv.dll
    O18 - Filter: application/x-internet-signup - {A173B69A-1F9B-4823-9FDA-412F641E65D6} - C:\Program Files\Tiscali\Tiscali Internet\dlls\tiscalifilter.dll
    O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\4608\SAService.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
    O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
     
  9. 2006/12/06
    mailman Lifetime Subscription

    mailman Geek Member

    Joined:
    2004/01/17
    Messages:
    1,901
    Likes Received:
    11
    Hi, timeoutgang.

    Nothing in your HJT log jumps out at my untrained eye as a sign of malware. I will look over your HJT log more closely in the upcoming days.

    Your rem.bat file contents don't strike me as malicious (yet) either. I Googled rem.rdp and came up with only a few results that indicate it might have something to do with "remote desktop" (which I suppose might be related to one of the keyloggers you had).

    The riched20.dll files you have located in your C:\WINDOWS\System and C:\WINDOWS\System32 directories appear to match the one that is available via the Lavasoft forum thread link. (I downloaded it and compared.) I'm guessing even that version is too old for Ad-Aware to perform properly.

    I searched my C:\ drive for riched20.dll and compared my results to yours. My riched20.dll files' properties are as follows:

    Code:
    Location                                                 Version  File Size               File Version  Date Created                                      
    C:\WINDOWS\$NtServicePackUninstall$                      3.0      413 KB (423,424 bytes)  5.30.23.1211  Tuesday, August 24, 2004, 5:20:02 PM
    C:\WINDOWS\system32                                      3.0      421 KB (431,616 bytes)  5.30.23.1221  Monday, March 31, 2003, 7:00:00 AM     
    C:\WINDOWS\ServicePackFiles\i386                         3.0      421 KB (431,616 bytes)  5.30.23.1221  Wednesday, August 04, 2004, 2:56:44 AM 
    C:\WINDOWS\system32\dllcache                             3.0      421 KB (431,616 bytes)  5.30.23.1221  Monday, March 31, 2003, 7:00:00 AM     
    C:\Program Files\Common Files\Microsoft Shared\OFFICE11  5.0      942 KB (965,400 bytes)  5.50.99.2010  Monday, September 20, 2004, 10:13:36 PM
    As you can see, all my riched20.dll file versions are newer than yours. (Scroll the "Code:" window above to the right to view additional details.)

    Have you applied all critical updates available from Microsoft? Even if you have, perhaps one or more of them need to be reinstalled.

    One handy way to check is to download and run Belarc Advisor. When you run Belarc Advisor after downloading it, Belarc Advisor will install and automatically open your web browser (after several seconds) with a detailed report. The parts of the Belarc Advisor report that pertain to critical updates are the "Missing Microsoft Security Hotfixes" and "Installed Microsoft Hotfixes" sections.

    If you generate a Belarc Advisor report and Belarc Advisor indicates any missing hotfixes or hotfixes that need to be reinstalled, please let us know what they are (including the "KBxxxxxx" numbers) and we can direct you to the Microsoft download location(s) to obtain the appropriate hotfixes.

    I am guessing you might be able to obtain and install a newer riched20.dll version via one of those hotfixes (and improve your computer's security at the same time).
     
    Last edited: 2006/12/06
  10. 2006/12/07
    timeoutgang

    timeoutgang Inactive Thread Starter

    Joined:
    2006/05/09
    Messages:
    148
    Likes Received:
    0
    Ran the Belarc Advisor & all of the required hotfixes are installed?
     
  11. 2006/12/07
    timeoutgang

    timeoutgang Inactive Thread Starter

    Joined:
    2006/05/09
    Messages:
    148
    Likes Received:
    0
    Mailman, I've searched for a newer riched20.dll file on the net, but, can't find one. Would it be on my OS CD? If it is, do I just search & install?
     
  12. 2006/12/07
    mailman Lifetime Subscription

    mailman Geek Member

    Joined:
    2004/01/17
    Messages:
    1,901
    Likes Received:
    11
    Hi, timeoutgang.

    I searched Microsoft's Download Catalog for riched20.dll and came up empty. I also searched Microsoft's Download Catalog for Rich Text Edit Control and came up empty. :(

    Since I have newer versions of riched20.dll in C:\WINDOWS\$NtServicePackUninstall$ and C:\WINDOWS\ServicePackFiles\i386, it seems the newer version of riched20.dll came with one of my Windows Updates. I looked around in those directories for clues about what Windows Update they were associated with but I cannot arrive at any definite conclusions yet. :(


    I suppose you could try running System File Checker (SFC) if you have your Windows XP CD handy:

    • Click Start > Run...
    • Type sfc /scannow in the "Open:" field.
    • Click the OK button.
    You may be prompted to insert your Windows XP CD so you should have it handy when running SFC.

    If SFC runs to completion without your intervention, it should take about 20-25 minutes to do so. The "Windows File Protection" window will simply disappear when SFC completes.

    If you have troubles running SFC, please let us know and we will try to help you troubleshoot.

    After the Windows File Protection window closes, you can review any changes that may have been made as follows:

    • Click Start > Run...
    • Type eventvwr.msc in the "Open:" field.
    • Click the OK button.
    • Click the "System" item in the left column of the Event Viewer window.

    The changes made (if any) will be "Windows File Protection" events displayed between Event ID 64016 (Windows File Protection started) and Event ID 64017 (Windows File Protection completed). The events are listed in reverse-chronological order.

    Double-click on an event (or right-click and select "Properties") to view details about the event. You can use the up/down arrow buttons at the right side of the "Event Properties" window to view properties about adjacent events in the list without having to close the Event Properties window.

    You can use the button immediately below the up/down arrows in the Event Properties window to copy the details to your clipboard for pasting into a forum message if you think that may be helpful.

    Even if you have troubles running SFC, details about those problems should also be listed as "Windows File Protection" events in Event Viewer.
     
  13. 2006/12/08
    timeoutgang

    timeoutgang Inactive Thread Starter

    Joined:
    2006/05/09
    Messages:
    148
    Likes Received:
    0
    I can now run adaware se! Do I need to do anything else to prevent further problems?
     
  14. 2006/12/08
    timeoutgang

    timeoutgang Inactive Thread Starter

    Joined:
    2006/05/09
    Messages:
    148
    Likes Received:
    0
    Spoke too soon! While running adaware se, bsod appeared (0X05 invalid _process_attach_attempt). If I re-install XP, will this bsod stop? I know I'll lose all of my settings, files etc. but I haven't got anything on the system that I would keep anyway. Also, would this restore my system to factory settings?
     
  15. 2006/12/09
    Arie

    Arie Administrator Administrator Staff

    Joined:
    2001/12/27
    Messages:
    15,174
    Likes Received:
    412
    See: You receive the Stop error "Stop 0x05 (INVALID_PROCESS_ATTACH_ATTEMPT)" in Windows XP Service Pack 2 or Windows Server 2003

     
  16. 2006/12/09
    mailman Lifetime Subscription

    mailman Geek Member

    Joined:
    2004/01/17
    Messages:
    1,901
    Likes Received:
    11
    Hi, Arie.

    Thanks for jumping in. :) I read timeoutgang's messages above last night and I didn't feel comfortable making any recommendations regarding a repair/reinstall of timeoutgang's OS so I was hoping someone more knowledgeable would contribute to this discussion.

    According to Belarc Advisor, Microsoft's suggested resolution to timeoutgang's issue (download/install KB887742) was applied to my computer on 2/25/2005.

    Let's hope KB887742 resolves timeoutgang's issue. :)

    Timeoutgang, I'm curious about whether the BSOD you had yesterday involved the same suspect files (usbkbd.sys, extfs.sys, tdiip.sys) that you had in your earlier BSODs.
     
    Last edited: 2006/12/09
  17. 2006/12/09
    timeoutgang

    timeoutgang Inactive Thread Starter

    Joined:
    2006/05/09
    Messages:
    148
    Likes Received:
    0
    Here's the debug log from my latest bsod & I notice that it could be down to usbkbd.sys, but, why can't I find it? Am I doing something wrong when searching for it, as it is somewhere on my system!
    Opened log file 'c:\debuglog.txt'

    Microsoft (R) Windows Debugger Version 6.6.0007.5
    Copyright (c) Microsoft Corporation. All rights reserved.


    Loading Dump File [C:\WINDOWS\Minidump\Mini120906-01.dmp]
    Mini Kernel Dump File: Only registers and stack trace are available

    Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
    Executable search path is: C:\WINDOWS;C:\WINDOWS\system32;C:\WINDOWS\system32\drivers
    Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
    Product: WinNt, suite: TerminalServer SingleUserTS Personal
    Built by: 2600.xpsp_sp2_gdr.050301-1519
    Kernel base = 0x804d7000 PsLoadedModuleList = 0x805531a0
    Debug session time: Sat Dec 9 00:02:01.781 2006 (GMT+0)
    System Uptime: 0 days 0:07:17.359
    Loading Kernel Symbols
    ..................................................................................................................................................
    Loading User Symbols
    Loading unloaded module list
    .........
    *******************************************************************************
    * *
    * Bugcheck Analysis *
    * *
    *******************************************************************************

    Use !analyze -v to get detailed debugging information.

    BugCheck 5, {0, 86fcc020, 1, 0}

    Unable to load image usbkbd.sys, Win32 error 2
    *** WARNING: Unable to verify timestamp for usbkbd.sys
    *** ERROR: Module load completed but symbols could not be loaded for usbkbd.sys
    Probably caused by : usbkbd.sys ( usbkbd+76a9 )

    Followup: MachineOwner
    ---------

    kd> !analyze -v;r;kv;lmtn;.logclose;q
    *******************************************************************************
    * *
    * Bugcheck Analysis *
    * *
    *******************************************************************************

    INVALID_PROCESS_ATTACH_ATTEMPT (5)
    Arguments:
    Arg1: 00000000
    Arg2: 86fcc020
    Arg3: 00000001
    Arg4: 00000000

    Debugging Details:
    ------------------


    CUSTOMER_CRASH_COUNT: 1

    DEFAULT_BUCKET_ID: DRIVER_FAULT

    BUGCHECK_STR: 0x5

    PROCESS_NAME: explorer.exe

    LAST_CONTROL_TRANSFER: from 804f75a0 to 804f8925

    STACK_TEXT:
    f7a3dcbc 804f75a0 00000005 00000000 86fcc020 nt!KeBugCheckEx+0x1b
    f7a3dce0 f3ede6a9 00000000 86e3a2d8 00000000 nt!KeAttachProcess+0x64
    WARNING: Stack unwind information not available. Following frames may be wrong.
    f7a3dd30 f3edf885 86e3a2d8 f7a3ddb4 00000104 usbkbd+0x76a9
    f7a3dd8c f3ee0184 f7a3ddb4 00000104 f3effa00 usbkbd+0x8885
    f7a3dfec f3ee488c 80536d74 00000000 f3efd198 usbkbd+0x9184
    f7a3e240 f3ee6adb f3eff2e0 f3eff7a8 00000000 usbkbd+0xd88c
    f7a3edac 805c4a06 86fa2de0 00000000 00000000 usbkbd+0xfadb
    f7a3eddc 80540fa2 f3ee6388 f3efd198 00000000 nt!PspSystemThreadStartup+0x34
    00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16


    STACK_COMMAND: kb

    FOLLOWUP_IP:
    usbkbd+76a9
    f3ede6a9 ?? ???

    SYMBOL_STACK_INDEX: 2

    FOLLOWUP_NAME: MachineOwner

    MODULE_NAME: usbkbd

    IMAGE_NAME: usbkbd.sys

    DEBUG_FLR_IMAGE_TIMESTAMP: 435f6140

    SYMBOL_NAME: usbkbd+76a9

    FAILURE_BUCKET_ID: 0x5_usbkbd+76a9

    BUCKET_ID: 0x5_usbkbd+76a9

    Followup: MachineOwner
    ---------

    eax=ffdff13c ebx=86fcc020 ecx=00000000 edx=00000000 esi=86f3ba48 edi=00000000
    eip=804f8925 esp=f7a3dca4 ebp=f7a3dcbc iopl=0 nv up ei ng nz na pe nc
    cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000286
    nt!KeBugCheckEx+0x1b:
    804f8925 5d pop ebp
    ChildEBP RetAddr Args to Child
    f7a3dcbc 804f75a0 00000005 00000000 86fcc020 nt!KeBugCheckEx+0x1b (FPO: [Non-Fpo])
    f7a3dce0 f3ede6a9 00000000 86e3a2d8 00000000 nt!KeAttachProcess+0x64 (FPO: [Non-Fpo])
    WARNING: Stack unwind information not available. Following frames may be wrong.
    f7a3dd30 f3edf885 86e3a2d8 f7a3ddb4 00000104 usbkbd+0x76a9
    f7a3dd8c f3ee0184 f7a3ddb4 00000104 f3effa00 usbkbd+0x8885
    f7a3dfec f3ee488c 80536d74 00000000 f3efd198 usbkbd+0x9184
    f7a3e240 f3ee6adb f3eff2e0 f3eff7a8 00000000 usbkbd+0xd88c
    f7a3edac 805c4a06 86fa2de0 00000000 00000000 usbkbd+0xfadb
    f7a3eddc 80540fa2 f3ee6388 f3efd198 00000000 nt!PspSystemThreadStartup+0x34 (FPO: [Non-Fpo])
    00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
    start end module name
    804d7000 806cd280 nt ntkrnlpa.exe Wed Mar 02 00:34:37 2005 (42250A1D)
    806ce000 806ee380 hal halaacpi.dll Wed Aug 04 06:59:05 2004 (41107B29)
    b96b8000 b96da080 RDPWD RDPWD.SYS Fri Jun 10 00:52:39 2005 (42A8D647)
    b9ccb000 b9cdc500 tmcomm tmcomm.sys Mon Jul 31 07:41:15 2006 (44CDA60B)
    ba07b000 ba08f400 wdmaud wdmaud.sys Wed Jun 14 10:00:44 2006 (448FD03C)
    ba090000 ba0b7f00 secdrv secdrv.sys Tue Aug 31 14:42:55 2004 (4134805F)
    ba0e0000 ba131480 srv srv.sys Mon Aug 14 11:34:39 2006 (44E051BF)
    ba1fa000 ba23a280 HTTP HTTP.sys Fri Mar 17 00:33:09 2006 (441A03C5)
    ba293000 ba2a1d80 sysaudio sysaudio.sys Wed Aug 04 07:15:54 2004 (41107F1A)
    ba32b000 ba357400 mrxdav mrxdav.sys Wed Aug 04 07:00:49 2004 (41107B91)
    ba360000 ba362e40 mdmxsdk mdmxsdk.sys Wed Mar 17 19:04:10 2004 (4058A12A)
    ba3c0000 ba3c8080 ipfltdrv ipfltdrv.sys Fri Aug 17 21:55:07 2001 (3B7D84AB)
    ba640000 ba643280 ndisuio ndisuio.sys Wed Aug 04 07:03:10 2004 (41107C1E)
    ba668000 ba66a8c0 s24trans s24trans.sys Tue Aug 31 16:53:03 2004 (41349EDF)
    ba66c000 ba66fba0 AegisP AegisP.sys Fri Jul 23 15:33:15 2004 (410121AB)
    ba718000 ba7308c0 tfsnudfa tfsnudfa.sys Tue May 31 23:50:00 2005 (429CEA18)
    ba731000 ba749160 tfsnudf tfsnudf.sys Tue May 31 23:49:19 2005 (429CE9EF)
    ba772000 ba787320 tfsnifs tfsnifs.sys Tue May 31 23:49:14 2005 (429CE9EA)
    bf000000 bf011580 dxg dxg.sys Wed Aug 04 07:00:51 2004 (41107B93)
    bf012000 bf3cd200 nv4_disp nv4_disp.dll Thu Jul 07 04:31:12 2005 (42CCA200)
    bf800000 bf9c1180 win32k win32k.sys Thu Oct 06 01:05:44 2005 (43446A58)
    f3c74000 f3c8b480 dump_atapi dump_atapi.sys Wed Aug 04 06:59:41 2004 (41107B4D)
    f3ccc000 f3cd47e0 tfsncofs tfsncofs.sys Tue May 31 23:49:32 2005 (429CE9FC)
    f3cdc000 f3ce55a0 drvnddm drvnddm.sys Thu Apr 21 21:43:05 2005 (42681059)
    f3d2c000 f3d2faa0 tfsnopio tfsnopio.sys Tue May 31 23:49:37 2005 (429CEA01)
    f3d54000 f3e1b620 avg7core avg7core.sys Mon Oct 23 19:52:56 2006 (453D0F88)
    f3e1c000 f3e3cf00 ipnat ipnat.sys Wed Sep 29 23:28:36 2004 (415B3714)
    f3e3d000 f3eaba00 mrxsmb mrxsmb.sys Fri May 05 10:41:42 2006 (445B1DD6)
    f3eac000 f3ed6a00 rdbss rdbss.sys Fri May 05 10:47:55 2006 (445B1F4B)
    f3ed7000 f3f41380 usbkbd usbkbd.sys Wed Oct 26 11:58:08 2005 (435F6140)
    f3f42000 f3f63d00 afd afd.sys Wed Aug 04 07:14:13 2004 (41107EB5)
    f3f64000 f3f8bc00 netbt netbt.sys Wed Aug 04 07:14:36 2004 (41107ECC)
    f3f8c000 f3fe3d80 tcpip tcpip.sys Thu Apr 20 12:51:47 2006 (444775D3)
    f3fe4000 f3ff6400 ipsec ipsec.sys Wed Aug 04 07:14:27 2004 (41107EC3)
    f4017000 f4019900 Dxapi Dxapi.sys Fri Aug 17 21:53:19 2001 (3B7D843F)
    f6067000 f609a200 update update.sys Wed Aug 04 06:58:32 2004 (41107B08)
    f613b000 f614be00 psched psched.sys Wed Aug 04 07:04:16 2004 (41107C60)
    f614c000 f6162680 ndiswan ndiswan.sys Wed Aug 04 07:14:30 2004 (41107EC6)
    f6163000 f61a0000 iwca iwca.sys Thu Aug 12 16:44:02 2004 (411B9042)
    f61a0000 f61b9c00 Apfiltr Apfiltr.sys Tue Nov 16 01:03:51 2004 (419951F7)
    f61ba000 f6261400 HSF_CNXT HSF_CNXT.sys Thu Jun 17 23:55:36 2004 (40D22168)
    f6262000 f6360480 HSF_DP HSF_DP.sys Thu Jun 17 23:55:00 2004 (40D22144)
    f6361000 f6391d80 HSFHWICH HSFHWICH.sys Thu Jun 17 23:57:01 2004 (40D221BD)
    f6392000 f63b4680 ks ks.sys Wed Aug 04 07:15:20 2004 (41107EF8)
    f63b5000 f63d8980 portcls portcls.sys Wed Aug 04 07:15:47 2004 (41107F13)
    f63d9000 f641ba00 STAC97 STAC97.sys Thu Mar 10 22:56:01 2005 (4230D081)
    f641c000 f672bd00 w29n51 w29n51.sys Fri Oct 22 00:56:03 2004 (41784C93)
    f672c000 f673c800 sdbus sdbus.sys Wed Aug 04 07:07:47 2004 (41107D33)
    f673d000 f675fe80 USBPORT USBPORT.SYS Wed Aug 04 07:08:34 2004 (41107D62)
    f6760000 f6773780 VIDEOPRT VIDEOPRT.SYS Wed Aug 04 07:07:04 2004 (41107D08)
    f6774000 f6a83700 nv4_mini nv4_mini.sys Thu Jul 07 04:36:01 2005 (42CCA321)
    f7291000 f7294c80 mssmbios mssmbios.sys Wed Aug 04 07:07:47 2004 (41107D33)
    f7295000 f7298c80 serenum serenum.sys Wed Aug 04 06:59:06 2004 (41107B2A)
    f72d2000 f72ec580 Mup Mup.sys Wed Aug 04 07:15:20 2004 (41107EF8)
    f72ed000 f7319a80 NDIS NDIS.sys Wed Aug 04 07:14:27 2004 (41107EC3)
    f731a000 f73a6480 Ntfs Ntfs.sys Wed Aug 04 07:15:06 2004 (41107EEA)
    f73a7000 f73bd780 KSecDD KSecDD.sys Wed Aug 04 06:59:45 2004 (41107B51)
    f73be000 f73d30c0 drvmcdb drvmcdb.sys Fri Apr 22 23:56:10 2005 (4269810A)
    f73d4000 f73e5f00 sr sr.sys Wed Aug 04 07:06:22 2004 (41107CDE)
    f73e6000 f7405780 fltMgr fltMgr.sys Mon Aug 21 10:14:57 2006 (44E97991)
    f7406000 f741d480 atapi atapi.sys Wed Aug 04 06:59:41 2004 (41107B4D)
    f741e000 f743c880 ftdisk ftdisk.sys Fri Aug 17 21:52:41 2001 (3B7D8419)
    f743d000 f745a480 pcmcia pcmcia.sys Wed Aug 04 07:07:45 2004 (41107D31)
    f745b000 f746ba80 pci pci.sys Wed Aug 04 07:07:45 2004 (41107D31)
    f746c000 f7499d80 ACPI ACPI.sys Wed Aug 04 07:07:35 2004 (41107D27)
    f759b000 f75a3c00 isapnp isapnp.sys Fri Aug 17 21:58:01 2001 (3B7D8559)
    f75ab000 f75b5500 MountMgr MountMgr.sys Wed Aug 04 06:58:29 2004 (41107B05)
    f75bb000 f75c7c80 VolSnap VolSnap.sys Wed Aug 04 07:00:14 2004 (41107B6E)
    f75cb000 f75d3e00 disk disk.sys Wed Aug 04 06:59:53 2004 (41107B59)
    f75db000 f75e7200 CLASSPNP CLASSPNP.SYS Wed Aug 04 07:14:26 2004 (41107EC2)
    f75eb000 f75f9e80 ohci1394 ohci1394.sys Wed Aug 04 07:10:05 2004 (41107DBD)
    f75fb000 f7608000 1394BUS 1394BUS.SYS Wed Aug 04 07:10:03 2004 (41107DBB)
    f761b000 f7625200 raspppoe raspppoe.sys Wed Aug 04 07:05:06 2004 (41107C92)
    f762b000 f763a180 nic1394 nic1394.sys Wed Aug 04 06:58:28 2004 (41107B04)
    f763b000 f7646d00 raspptp raspptp.sys Wed Aug 04 07:14:26 2004 (41107EC2)
    f764b000 f7653900 msgpc msgpc.sys Wed Aug 04 07:04:11 2004 (41107C5B)
    f765b000 f7664f00 termdd termdd.sys Wed Aug 04 06:58:52 2004 (41107B1C)
    f766b000 f7674480 NDProxy NDProxy.SYS Fri Aug 17 21:55:30 2001 (3B7D84C2)
    f767b000 f7689100 usbhub usbhub.sys Wed Aug 04 07:08:40 2004 (41107D68)
    f768b000 f7693700 netbios netbios.sys Wed Aug 04 07:03:19 2004 (41107C27)
    f76ab000 f76b3880 Fips Fips.SYS Sat Aug 18 02:31:49 2001 (3B7DC585)
    f76bb000 f76c3700 wanarp wanarp.sys Wed Aug 04 07:04:57 2004 (41107C89)
    f76cb000 f76d9d80 arp1394 arp1394.sys Wed Aug 04 06:58:28 2004 (41107B04)
    f76db000 f76ea900 Cdfs Cdfs.SYS Wed Aug 04 07:14:09 2004 (41107EB1)
    f778b000 f7793d00 intelppm intelppm.sys Wed Aug 04 06:59:19 2004 (41107B37)
    f779b000 f77a5f80 bcm4sbxp bcm4sbxp.sys Wed May 26 23:18:17 2004 (40B517A9)
    f77ab000 f77b9b80 drmk drmk.sys Wed Aug 04 07:07:54 2004 (41107D3A)
    f77bb000 f77c7e00 i8042prt i8042prt.sys Wed Aug 04 07:14:36 2004 (41107ECC)
    f77cb000 f77d5380 imapi imapi.sys Wed Aug 04 07:00:12 2004 (41107B6C)
    f77db000 f77e7180 cdrom cdrom.sys Wed Aug 04 06:59:52 2004 (41107B58)
    f77eb000 f77f9080 redbook redbook.sys Wed Aug 04 06:59:34 2004 (41107B46)
    f77fb000 f7804560 VcommMgr VcommMgr.sys Fri Nov 05 03:39:07 2004 (418AF5DB)
    f780b000 f7817880 rasl2tp rasl2tp.sys Wed Aug 04 07:14:21 2004 (41107EBD)
    f781b000 f7821200 PCIIDEX PCIIDEX.SYS Wed Aug 04 06:59:40 2004 (41107B4C)
    f7823000 f7827900 PartMgr PartMgr.sys Sat Aug 18 02:32:23 2001 (3B7DC5A7)
    f782b000 f782f180 extfs extfs.sys Tue Sep 27 08:45:36 2005 (4338F8A0)
    f7833000 f7837de0 PxHelp20 PxHelp20.sys Thu Jan 27 01:32:51 2005 (41F844C3)
    f783b000 f7841de0 BTHidMgr BTHidMgr.sys Tue Oct 19 06:40:54 2004 (4174A8E6)
    f7853000 f7859f00 avg7rsxp avg7rsxp.sys Mon Jun 19 09:21:28 2006 (44965E88)
    f78ab000 f78b1000 symlcbrd symlcbrd.sys Fri Sep 03 02:56:06 2004 (4137CF36)
    f78bb000 f78c0500 TDTCP TDTCP.SYS Wed Aug 04 06:58:52 2004 (41107B1C)
    f78d3000 f78d7500 watchdog watchdog.sys Wed Aug 04 07:07:32 2004 (41107D24)
    f7903000 f7909440 tfsnboio tfsnboio.sys Tue May 31 23:49:20 2005 (429CE9F0)
    f7923000 f7928000 usbuhci usbuhci.sys Wed Aug 04 07:08:34 2004 (41107D62)
    f792b000 f7931800 usbehci usbehci.sys Wed Aug 04 07:08:34 2004 (41107D62)
    f7933000 f793a580 Modem Modem.SYS Wed Aug 04 07:08:04 2004 (41107D44)
    f793b000 f7940a00 mouclass mouclass.sys Wed Aug 04 06:58:32 2004 (41107B08)
    f7943000 f7949000 kbdclass kbdclass.sys Wed Aug 04 06:58:32 2004 (41107B08)
    f794b000 f794f880 TDI TDI.SYS Wed Aug 04 07:07:47 2004 (41107D33)
    f7953000 f7957580 ptilink ptilink.sys Fri Aug 17 21:49:53 2001 (3B7D8371)
    f795b000 f795f080 raspti raspti.sys Fri Aug 17 21:55:32 2001 (3B7D84C4)
    f7963000 f796a040 VComm VComm.sys Tue Oct 19 06:37:37 2004 (4174A821)
    f796b000 f796f2c0 omci omci.sys Fri Feb 13 16:45:58 2004 (402CFF46)
    f797b000 f7980bc0 ssrtln ssrtln.sys Fri May 13 18:37:18 2005 (4284E5CE)
    f7983000 f7988200 vga vga.sys Wed Aug 04 07:07:06 2004 (41107D0A)
    f798b000 f798fa80 Msfs Msfs.SYS Wed Aug 04 07:00:37 2004 (41107B85)
    f7993000 f799a880 Npfs Npfs.SYS Wed Aug 04 07:00:38 2004 (41107B86)
    f799b000 f799f180 tdiip tdiip.sys Tue Sep 27 08:45:21 2005 (4338F891)
    f79ab000 f79ae000 BOOTVID BOOTVID.dll Fri Aug 17 21:49:09 2001 (3B7D8345)
    f79af000 f79b1480 compbatt compbatt.sys Fri Aug 17 21:57:58 2001 (3B7D8556)
    f79b3000 f79b6700 BATTC BATTC.SYS Fri Aug 17 21:57:52 2001 (3B7D8550)
    f7a4b000 f7a4d280 rasacd rasacd.sys Fri Aug 17 21:55:39 2001 (3B7D84CB)
    f7a6b000 f7a6ef00 APPDRV APPDRV.SYS Wed Jun 30 16:39:34 2004 (40E2DEB6)
    f7a7f000 f7a82700 CmBatt CmBatt.sys Wed Aug 04 07:07:39 2004 (41107D2B)
    f7a8b000 f7a8d580 ndistapi ndistapi.sys Fri Aug 17 21:55:29 2001 (3B7D84C1)
    f7a9b000 f7a9cb80 kdcom kdcom.dll Fri Aug 17 21:49:10 2001 (3B7D8346)
    f7a9d000 f7a9e100 WMILIB WMILIB.SYS Fri Aug 17 22:07:23 2001 (3B7D878B)
    f7a9f000 f7aa0580 intelide intelide.sys Wed Aug 04 06:59:40 2004 (41107B4C)
    f7ac3000 f7ac45c0 sscdbhk5 sscdbhk5.sys Fri May 13 18:37:26 2005 (4284E5D6)
    f7ac5000 f7ac6100 swenum swenum.sys Wed Aug 04 06:58:41 2004 (41107B11)
    f7ac7000 f7ac8280 USBD USBD.SYS Fri Aug 17 22:02:58 2001 (3B7D8682)
    f7acb000 f7acd000 i2omgmt i2omgmt.SYS Wed Aug 04 07:00:50 2004 (41107B92)
    f7acd000 f7acef00 Fs_Rec Fs_Rec.SYS Fri Aug 17 21:49:37 2001 (3B7D8361)
    f7acf000 f7ad0080 Beep Beep.SYS Fri Aug 17 21:47:33 2001 (3B7D82E5)
    f7ad1000 f7ad2080 mnmdd mnmdd.SYS Fri Aug 17 21:57:28 2001 (3B7D8538)
    f7ad3000 f7ad4080 RDPCDD RDPCDD.sys Fri Aug 17 21:46:56 2001 (3B7D82C0)
    f7ad9000 f7ada080 avg7rsw avg7rsw.sys Tue Jul 26 13:10:51 2005 (42E6284B)
    f7b05000 f7b06100 dump_WMILIB dump_WMILIB.SYS Fri Aug 17 22:07:23 2001 (3B7D878B)
    f7b35000 f7b368a0 tfsnpool tfsnpool.sys Tue May 31 23:49:15 2005 (429CE9EB)
    f7b63000 f7b63d00 pciide pciide.sys Fri Aug 17 21:51:49 2001 (3B7D83E5)
    f7b9f000 f7b9fb80 Null Null.SYS Fri Aug 17 21:47:39 2001 (3B7D82EB)
    f7ba0000 f7ba0f80 avgclean avgclean.sys Mon Aug 21 23:55:15 2006 (44EA39D3)
    f7bb2000 f7bb2860 BANTExt BANTExt.sys Thu May 28 03:43:29 1998 (356CCF51)
    f7bda000 f7bdafe0 tfsndrct tfsndrct.sys Tue May 31 23:49:36 2005 (429CEA00)
    f7c5d000 f7c5dd00 dxgthk dxgthk.sys Fri Aug 17 21:53:12 2001 (3B7D8438)
    f7ca1000 f7ca1c00 audstub audstub.sys Fri Aug 17 21:59:40 2001 (3B7D85BC)
    f7ca3000 f7ca3880 tfsndres tfsndres.sys Tue May 31 23:50:05 2005 (429CEA1D)

    Unloaded modules:
    b9f8d000 b9fb8000 kmixer.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    f7ba6000 f7ba7000 drmkaud.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    ba058000 ba07b000 aec.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    ba263000 ba270000 DMusic.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    ba273000 ba281000 swmidi.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    f7b11000 f7b13000 splitter.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    f769b000 f76ab000 serial.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    f7973000 f7978000 Cdaudio.SYS
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    f7a43000 f7a46000 Sfloppy.SYS
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    Closing open log file c:\debuglog.txt
     
  18. 2006/12/09
    timeoutgang

    timeoutgang Inactive Thread Starter

    Joined:
    2006/05/09
    Messages:
    148
    Likes Received:
    0
    When using search to locate usbkbd, the search takes about 2 seconds! This is very unusual as most searches take about 5 minutes. Could this be related?
     
  19. 2006/12/09
    mailman Lifetime Subscription

    mailman Geek Member

    Joined:
    2004/01/17
    Messages:
    1,901
    Likes Received:
    11
    Hi, timeoutgang.

    Did you try running System File Checker as I outlined above? If so, what were your results?

    Did you try Arie's suggestion above?

    Yes, I think that is possible. You are remembering to search "Local Hard Drives" in the "Look in:" field and your computer is configured to display hidden files and folders, right? If so, then I suspect you may still have malware that is somehow intercepting your searches for those files and preventing you from "finding" them.

    I have been assuming you are not on a local area network (LAN). If you are on a LAN, then try searching your network drives too.
     
    Last edited: 2006/12/10
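Added example (not part of the thread and not any poster's code): a cross-check of the debugger's loaded-module list from post 17 against a directory listing, which is one way to test the suspicion in post 19 that something is hiding files from search. The module lines are copied from the log above; the directory listing and all function names are constructed for illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Module lines copied from the `lmtn` output in post 17.
LMTN_EXCERPT = """\
start    end      module name
804d7000 806cd280 nt ntkrnlpa.exe Wed Mar 02 00:34:37 2005 (42250A1D)
f3c74000 f3c8b480 dump_atapi dump_atapi.sys Wed Aug 04 06:59:41 2004 (41107B4D)
f3ed7000 f3f41380 usbkbd usbkbd.sys Wed Oct 26 11:58:08 2005 (435F6140)
f7406000 f741d480 atapi atapi.sys Wed Aug 04 06:59:41 2004 (41107B4D)
f782b000 f782f180 extfs extfs.sys Tue Sep 27 08:45:36 2005 (4338F8A0)
f7943000 f7949000 kbdclass kbdclass.sys Wed Aug 04 06:58:32 2004 (41107B08)
f799b000 f799f180 tdiip tdiip.sys Tue Sep 27 08:45:21 2005 (4338F891)
"""

# CONSTRUCTED for this example: file names a listing of C:\WINDOWS\system32
# and C:\WINDOWS\system32\drivers might return. Not data from the thread.
CONSTRUCTED_DISK_LISTING = {"NTKRNLPA.EXE", "hal.dll", "atapi.sys", "kbdclass.sys"}

# start, end, module name, image name, ..., (PE TimeDateStamp in hex)
LMTN_LINE = re.compile(
    r"^([0-9a-f]{8})\s+([0-9a-f]{8})\s+(\S+)\s+(\S+)\s+.*\(([0-9A-Fa-f]{8})\)\s*$"
)


@dataclass(frozen=True)
class Module:
    start: int
    end: int
    name: str
    image: str
    link_stamp: int  # PE header TimeDateStamp, seconds since the Unix epoch

    @property
    def link_time(self):
        # The debugger prints this in local time; decode it here as UTC.
        return datetime.fromtimestamp(self.link_stamp, tz=timezone.utc)


def parse_lmtn(text):
    """Return one Module per loaded-module line; header, blank and
    'Unloaded modules' lines do not match the pattern and are skipped."""
    modules = []
    for line in text.splitlines():
        m = LMTN_LINE.match(line.strip())
        if m:
            start, end, name, image, stamp = m.groups()
            modules.append(
                Module(int(start, 16), int(end, 16), name, image, int(stamp, 16))
            )
    return modules


def module_for_address(modules, address):
    """Map a raw address (e.g. FOLLOWUP_IP) to (module, offset), no symbols needed."""
    for mod in modules:
        if mod.start <= address < mod.end:
            return mod, address - mod.start
    return None, None


def loaded_but_not_on_disk(modules, disk_names):
    """Modules the kernel had loaded whose image name is absent from the listing."""
    seen = {n.lower() for n in disk_names}
    missing = []
    for mod in modules:
        image = mod.image.lower()
        # dump_*.sys are in-memory copies of the disk driver stack prepared for
        # writing crash dumps; no file of that name exists, so skip them.
        if image.startswith("dump_"):
            continue
        if image not in seen:
            missing.append(mod)
    return missing


if __name__ == "__main__":
    mods = parse_lmtn(LMTN_EXCERPT)
    mod, off = module_for_address(mods, 0xF3EDE6A9)  # FOLLOWUP_IP from the log
    print(f"faulting address is in {mod.image}+{off:#x}")
    for m in loaded_but_not_on_disk(mods, CONSTRUCTED_DISK_LISTING):
        print(f"loaded but not listed on disk: {m.image} "
              f"(linked {m.link_time:%Y-%m-%d}, {m.end - m.start} bytes)")
```

Take the listing from outside the running system (for example with the disk mounted under another OS), since a listing produced on the affected machine may be filtered the same way the search is.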
  20. 2006/12/10
    mailman Lifetime Subscription

    mailman Geek Member

    Joined:
    2004/01/17
    Messages:
    1,901
    Likes Received:
    11
    I Googled usbkbd.sys extfs.sys tdiip.sys and came up with about 43 results, many of them involving Elite Keylogger (no surprise there).

    Here are some links from that Google search.

    I am not familiar with the reputation of Laplink. However, I think Sunbelt, Symantec, and Panda all have good reputations.

    I am guessing one or more of the registry keys described in Symantec's pages may be causing your searches for usbkbd.sys (and perhaps other files) to be filtered or even causing searches not to run.

    Since you're thinking of a hard drive format/reinstall of your OS as a last resort, I'm leaning toward suggesting you run Panda's ActiveScan, follow ActiveScan's instructions, and then follow Symantec's removal instructions (if necessary). No matter what you do (assuming you already tried System File Checker and Arie's suggestion), it looks like some time will be invested. Following Panda's and Symantec's removal instructions is the option that will probably be more of a learning experience for you (and us) if you have the patience to do so.

    I sent TeMerc a PM and asked him to have a look at this thread and offer any alternative suggestions if he has any.
     
    Last edited: 2006/12/10
  21. 2006/12/10
    mailman Lifetime Subscription

    mailman Geek Member

    Joined:
    2004/01/17
    Messages:
    1,901
    Likes Received:
    11
    Hi, timeoutgang.

    I just ran across another post related to searching that has extra steps I was not aware of. (I must have made these settings on my computer long ago and forgot about them.) Therefore, I have rewritten my detailed search instructions to include those extra steps (shown in blue below). :)

    1. Click Start > All Programs > Accessories > Windows Explorer
    2. Click Tools > Folder Options > "View" tab
    3. Enable "Show hidden files and folders"
    4. UNcheck "Hide extensions for known filetypes"
    5. UNcheck "Hide protected operating system files (Recommended)"
    6. Click the "Apply to All Folders" button.
    7. Click the "Apply" button.
    8. Click the OK button.

    1. Click Start > Search
    2. Select "All files and folders"
    3. Type (or paste) usbkbd.sys in the "All or part of the file name:" field.
    4. Select "Local Hard Drives" in the "Look in:" field.
    5. Click "More advanced options"
      • Select Type of file: "(All files and folders)"
      • Checkmark "Search system folders"
      • Checkmark "Search hidden files and folders"
      • Checkmark "Search subfolders"
      • UNcheck "Case sensitive"
    6. Click the "Search" button.

    Perhaps now you will be able to find usbkbd.sys (and extfs.sys and tdiip.sys) when you search. (I crossed my fingers.)

    Please let us know how that pans out.
     
