
Thread: infected laptop shuts off before I can run Spybot

  1. #1
    Junior Member
    Join Date
    Jun 2010
    Posts
    18

    infected laptop shuts off before I can run Spybot

    IBM Thinkpad G41 running XP

    Malware showed up yesterday. Fake antivirus popup claimed application can not be executed. Saw three different popup windows, tried clicking out/dismissing the popups but they kept coming back. Then it started Internet Explorer and tried to access some porn site. Shut it down. Disconnected from network.

    Restarted and tried running Spybot. While it ran, these popups kept appearing every few seconds. Spybot takes 3 hours to run, for a while I kept dismissing popups but gave up. When Spybot finished, it showed one red thing. It would not let me start the fix process, it just beeped when I tried clicking on Fix.

    Tried a system restore to an earlier date. No better.

    Tried running Spybot from the command line with /autoupdate and /autofix /onlyspyware; it starts but cannot finish, the PC shuts off.

    Tried this a number of times, it boots, program starts, PC shuts off.

    Tried a number of times to get into Safe Mode. Usually the PC shuts off after it fills the screen with the page showing a list of drivers.

    Changed the BIOS date back a year and was able to boot to Safe Mode. Was able to start Spybot, it ran for a minute, maybe two, and then the PC shut off.

    Now using an old 98 PC to go online and search for help.

    This morning I found this forum. I see others had similar infection but have not seen anyone with the PC-shutting-itself-off symptom.

    As soon as I can figure out what DDS means, I will try to find (?) it, download (?) it, and see if I can get the laptop to run long enough to run it.
    ---------------------------------
    Hello scooperman,
    Quote, originally posted by scooperman:
    As soon as I can figure out what DDS means, I will try to find (?) it, download (?) it, and see if I can get the laptop to run long enough to run it.
    "BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance)

    Post #2. Hope that helps.

    Best regards.
    -------------------------------------
    yes that helped.

    Sometimes it stays on longer than a couple minutes. I am on it right now so I am typing fast. Want to get these uploaded.

    DDS instructions said to zip the text files and attach, hope it works.

    In advance, thank you for any assistance.

    DDS (Ver_10-03-17.01) - NTFSx86
    Run by JR at 14:24:57.41 on Thu 06/24/2010
    Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_12
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.619 [GMT -4:00]


    ============== Running Processes ===============

    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\tp4serv.exe
    C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
    C:\IBMTOOLS\UTILS\ibmprc.exe
    C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
    C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
    C:\WINDOWS\system32\RunDll32.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\Nero\Nero8\InCD\NBHGui.exe
    C:\Program Files\Nero\Nero8\InCD\InCD.exe
    E:\PEACHT~1\PeachtreePrefetcher.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
    C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    svchost.exe
    C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
    C:\Program Files\Nero\Nero8\InCD\InCDsrv.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Nero\Nero8\InCD\NBHRegInCDSrv.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Pervasive Software\PSQL\bin\w3dbsmgr.exe
    C:\WINDOWS\System32\QCONSVC.EXE
    C:\WINDOWS\system32\TpKmpSVC.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    C:\WINDOWS\system32\acs.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    C:\Documents and Settings\JR\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - e:\spybot~1\SDHelper.dll
    BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
    BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton antivirus\NavShExt.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    uRun: [ibmmessages] c:\program files\ibm\messages by ibm\ibmmessages.exe
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
    uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
    mRun: [TrackPointSrv] tp4serv.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [nwiz] nwiz.exe /installquiet
    mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
    mRun: [TPHOTKEY] c:\progra~1\thinkpad\pkgmgr\hotkey\TPHKMGR.exe
    mRun: [TP4EX] tp4ex.exe
    mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
    mRun: [UC_Start] c:\program files\ibm\updater\\ucstartup.exe
    mRun: [UC_SMB]
    mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
    mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
    mRun: [<NO NAME>]
    mRun: [ibmmessages] c:\program files\ibm\messages by ibm\\ibmmessages.exe
    mRun: [IBMPRC] c:\ibmtools\utils\ibmprc.exe
    mRun: [QCTRAY] c:\program files\thinkpad\connectutilities\QCTRAY.EXE
    mRun: [QCWLICON] c:\program files\thinkpad\connectutilities\QCWLICON.EXE
    mRun: [BMMGAG] RunDll32 c:\progra~1\thinkpad\utilit~1\pwrmonit.dll,StartPwrMonitor
    mRun: [BMMLREF] c:\program files\thinkpad\utilities\BMMLREF.EXE
    mRun: [BMMMONWND] rundll32.exe c:\progra~1\thinkpad\utilit~1\BatInfEx.dll,BMMAutonomicMonitor
    mRun: [QuickTime Task] "E:\QTTask.exe" -atboottime
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
    mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
    mRun: [SecurDisc] c:\program files\nero\nero8\incd\NBHGui.exe
    mRun: [InCD] c:\program files\nero\nero8\incd\InCD.exe
    mRun: [Prolific_OneButton] c:\program files\usbfast\OneBtn.exe
    mRun: [PeachtreePrefetcher.exe] "e:\peacht~1\PeachtreePrefetcher.exe" /configfile:peachtreeprefetcher.winstart.config
    mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
    IE: E&xport to Microsoft Excel - e:\msoffi~1\office11\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - e:\msoffi~1\office11\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - e:\spybot~1\SDHelper.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
    DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4.1/jinstall-141-win.cab
    DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
    Notify: QConGina - QConGina.dll
    AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
    LSA: Notification Packages = scecli pwdmon
    mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\jr\applic~1\mozilla\firefox\profiles\nizs9fet.default\
    FF - plugin: e:\plugins\npqtplugin.dll
    FF - plugin: e:\plugins\npqtplugin2.dll
    FF - plugin: e:\plugins\npqtplugin3.dll
    FF - plugin: e:\plugins\npqtplugin4.dll
    FF - plugin: e:\plugins\npqtplugin5.dll
    FF - plugin: e:\plugins\npqtplugin6.dll
    FF - plugin: e:\plugins\npqtplugin7.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - e:\firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    e:\firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    e:\firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    e:\firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    e:\firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    e:\firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    e:\firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    e:\firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    e:\firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    e:\firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    e:\firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    e:\firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    e:\firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    e:\firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    e:\firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    e:\firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    e:\firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    e:\firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    e:\firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    e:\firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    e:\firefox\greprefs\all.js - pref("network.proxy.type", 5);
    e:\firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 10);
    e:\firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    e:\firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    e:\firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    e:\firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    e:\firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    e:\firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    e:\firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    e:\firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    e:\firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    e:\firefox\greprefs\all.js - pref("accelerometer.enabled", true);
    e:\firefox\greprefs\all.js - pref("html5.enable", false);
    e:\firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    e:\firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    e:\firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    e:\firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    e:\firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    e:\firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    e:\firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    e:\firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    e:\firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    e:\firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    e:\firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    e:\firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    e:\firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
    e:\firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
    e:\firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
    e:\firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
    e:\firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    e:\firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    e:\firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    e:\firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

    ============= SERVICES / DRIVERS ===============

    R1 ASMBATT;ASMBATT;c:\windows\system32\drivers\ASMBATT.SYS [2008-9-19 4992]
    R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [2008-9-19 16384]
    R2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\nero\nero8\incd\NBHRegInCDSrv.exe [2008-7-10 53032]
    R2 PEDRV;P&E Microcomputer System PCI Driver.;c:\windows\system32\drivers\pedrv.sys [2000-8-3 23296]
    R2 psqlWGE;Pervasive PSQL Workgroup Engine;c:\program files\pervasive software\psql\bin\w3dbsmgr.exe [2007-9-5 455968]
    R3 Tp4Track;IBM PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [1980-1-1 13904]
    S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-7-6 30192]
    S3 OlCamudp;OLYMPUS Digital Camera;c:\windows\system32\drivers\olcamudp.sys [2008-9-22 10379]
    S3 PLTurbh;Prolific turbo filter driver for hdd;c:\windows\system32\drivers\plturbh.sys [2009-7-6 9728]
    S3 PLTurbo;Prolific turbo filter driver for odd;c:\windows\system32\drivers\plturbo.sys [2009-7-6 9984]
    S3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.sys [2008-9-19 12288]

    =============== Created Last 30 ================

    2010-06-23 22:17:22 0 d-----w- c:\windows\system32\wbem\Repository

    ==================== Find3M ====================

    2010-06-24 13:01:00 90112 ----a-w- c:\windows\DUMP4016.tmp
    2010-04-03 07:33:56 2365288 ----a-w- c:\windows\system32\dllcache\WMVCore.dll
    2009-07-06 15:35:27 1990640 ----a-w- c:\program files\GoogleDesktopSetup.exe
    2009-06-29 14:15:07 1951432 ----a-w- c:\program files\ppviewer.exe
    2008-10-07 15:35:50 20 --sha-w- c:\windows\WINPROD.DLL
    2009-08-26 22:53:38 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009082620090827\index.dat

    ============= FINISH: 14:26:55.84 ===============
    Last edited by tashi; 2010-06-24 at 20:48. Reason: Merged three posts, copy pasted log into topic :-)
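The Pseudo HJT section of the DDS log above is normally read by eye. As an added example, not part of this thread and not code from the DDS tool, here is a small Python triage script that parses those lines and pulls out the load points a reviewer checks first: Run values with no command, AppInit_DLLs (injected into every process that loads user32.dll), non-default LSA Notification Packages (password-filter DLLs loaded by lsass.exe at boot) and Winlogon Notify DLLs. The sample input is an excerpt of the report posted above. The flagged entries are a review queue, not verdicts: on this log the AppInit_DLLs path points into the Google Desktop directory, and Notify and LSA entries on a ThinkPad are commonly IBM's logon components; both are assumptions to confirm against vendor file names, not facts stated in the thread.

```python
import re

# One entry per line, "<kind>: <rest>", as DDS prints the Pseudo HJT section.
ENTRY_RE = re.compile(r"^(?P<kind>[A-Za-z_]+):\s*(?P<rest>.*)$")
# Run entries look like "[<value name>] <command line>"; the command may be empty.
RUN_RE = re.compile(r"^\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")

# LSA notification package present on a stock XP install. Anything else is a
# password filter that lsass.exe loads at boot and hands every new clear-text
# password to, so it deserves a look even when it turns out to be legitimate.
DEFAULT_LSA_PACKAGES = {"scecli"}

# Sample input: an excerpt of the Pseudo HJT Report posted in this thread.
SAMPLE_REPORT = r"""
BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton antivirus\NavShExt.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [UC_SMB]
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [<NO NAME>]
mRun: [QuickTime Task] "E:\QTTask.exe" -atboottime
Notify: QConGina - QConGina.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
LSA: Notification Packages = scecli pwdmon
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
"""


def parse_entries(report):
    """Yield (kind, rest) for every recognised line; headers and blanks are skipped."""
    for line in report.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("kind"), m.group("rest").strip()


def triage(report):
    """Return a list of (kind, item, reason) tuples that merit a human look."""
    findings = []
    for kind, rest in parse_entries(report):
        if kind in ("uRun", "mRun"):
            m = RUN_RE.match(rest)
            if m and not m.group("cmd").strip():
                findings.append((kind, m.group("name"),
                                 "Run value with no command: leftover or placeholder, "
                                 "confirm the real value in the registry"))
        elif kind == "Notify":
            findings.append((kind, rest,
                             "Winlogon notification DLL, loaded into winlogon.exe as SYSTEM"))
        elif kind == "AppInit_DLLs" and rest:
            findings.append((kind, rest,
                             "DLL injected into every process that loads user32.dll"))
        elif kind == "LSA" and rest.startswith("Notification Packages"):
            for pkg in rest.split("=", 1)[1].split():
                if pkg.lower() not in DEFAULT_LSA_PACKAGES:
                    findings.append((kind, pkg,
                                     "non-default password filter loaded by lsass.exe at boot"))
    return findings


if __name__ == "__main__":
    for kind, item, reason in triage(SAMPLE_REPORT):
        print(f"{kind:14} {item:45} {reason}")
```

Feed it the whole dds.txt and it still only reacts to the Pseudo HJT lines, because the FF and service lines do not match the `<kind>:` shape.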

  2. #2
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288


    Hello,

    Download GMER here by clicking the "download exe" button and then saving it to your desktop:
    • Double-click the .exe that you downloaded.
    • Click the Rootkit tab, uncheck the Files option and then click Scan.
    • Don't check the Show All box while scanning is in progress!
    • When scanning is ready, click Copy.
    • This copies the log to the clipboard.
    • Post the log (if the log is long, archive it into a zip file and attach it instead of posting) in your reply. Copy-paste also the contents of a fresh dds.txt log.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  3. #3

    I tried twice. The first time, it stayed ON long enough to download and start GMER, it ran for a minute and then BSOD with "IRQL_NOT_LESS_OR_EQUAL" error. The second time, after it booted it wanted to report errors to Microsoft so I hooked up the cable and let it do so. Then I started the downloaded exe again and it seemed to be running OK, but of course after a couple of minutes the PC shut down, that's what it does now. Unless someone can tell me how to keep it powered up, I won't be able to run anything that takes more than a couple minutes.

    I have looked for BIOS options that might have anything to do with turning off the PC but can't find anything abnormal looking. I used the blue button to check the Thinkpad configuration options, even changed the power management to a setting for never going into a power-saving or sleep mode, and it still shuts off a few minutes after power-up.

    Another thing. I don't type quickly. This post editor logs me off before I get my post written. Can I change the timeout setting?

  4. #4

    Last week after this started, I tried to do a Windows update but was unable to find IE anywhere on this PC. I tried accessing Microsoft with Firefox but it refused to play, insisted I must use IE. I did a soft shutdown and the Windows popup saying it was doing an update showed up, so I let it do its thing. It took a long time, maybe 30 minutes.

    This morning I was doing what you asked: booted up the laptop, downloaded GMER, ran it, it shut off. Repeat; tried running it a couple more times, it powered off. Then I noticed that IE was back. So after a few tries/fails with GMER, what the heck, I used IE to access Microsoft and had it send the latest updates.

    Next boot, it would get as far as the Welcome screen and then shut off. A couple of times I saw a flash of an error message and then it would power off. The message would say "the requested operation was..." and then it was gone before I could read the rest.

    For an hour and a half, I tried booting, and it never made it to XP, shut off during boot. (Still can't safe boot, that shuts off too.) Eventually I gave up and threw in the XP CD and tried a CD boot. It did some loading and said it would start Windows, and then of course it just powered off. Then more boot attempts without the CD, would not finish, powered off same as before. Tried the CD with the F2 option, got to a screen which looks DOSish, typed HELP to see what was there. I didn't want to mess with stuff I didn't understand but the SCAN option for BOOTCFG seemed safe so I tried that and ... it powered off.

    Now at about 2 hours of unfinished boots, finally it booted to XP and I quickly hit Task Manager to see if I could recognize anything, watched that for a bit as the screen refreshed a few times, didn't see anything useful to me.

    Hit the Access IBM icon. This is similar to hitting the blue keyboard button during boot, but in Windows it looks prettier and seems to have some more functions. I went looking for hardware configuration, anything that might affect power down, or battery saving, or hibernate, and I seemed to get it into a higher-power mode, the screen is brighter and I told it to never hibernate.

    The PC has stayed on now for a whopping ten minutes. So I am trying GMER again and it is running. Next post I will let you know if it finished.

  5. #5

    Hi,

    Please try to run GMER with just Sections checked (in Safe Mode if needed).

  6. #6

    GMER started with all the boxes checked. I did not see your previous instruction to leave "Files" unchecked, I did see the instruction to not check the "Show All" box.

    It has been running for 3 hours now. Do you want me to stop it and change to just "Sections" or let it run?

  7. #7

    If it takes much longer (shouldn't take hours) try with sections only.

  8. #8

    I let it run for another hour and then gave up. It had not finished the C drive.
    I unclicked all the boxes except for Sections, and restarted it.

  9. #9

    The previous attempt to run GMER was showing about a dozen lines of text in its screen when I told it to stop. I re-ran it with only Sections selected, after half an hour it finished. Only one line of text showing. I tried Copy to clipboard and then opened Notepad, it opened and I pasted, but when I attempted to save the text file everything died, Notepad froze. I figured the information was still in the paste buffer so I attempted to get online, and this froze, could not connect to the internet.

    In the GMER screen I see this:
    Type: Init
    Name: C:\WINDOWS\System32\Drivers\PEDRV.SYS
    Value: entry point in "init" section (0B986CE00)

    I need to shut down now and go home, will be back in the morning.
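The "Init" line GMER reported above means the driver's entry point lies in a section named INIT, which is the discardable section many legitimately built drivers use for DriverEntry; the line is a heuristic, not a verdict, and the thread does not establish whether PEDRV.SYS is malicious. As an added example, not code from GMER, from the thread or from the driver's vendor, here is a Python implementation of the same check against a file on disk: parse the PE headers, read AddressOfEntryPoint, and find the section whose virtual range contains it. GMER prints the address of the loaded driver in kernel memory; this works on the file, so it reports the RVA. No real driver is on the page, so the sample input is a minimal PE32 image constructed in the block (it has headers only and cannot be loaded).

```python
import struct

# Section characteristic bits from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000


def read_headers(data):
    """Parse the PE headers; return (AddressOfEntryPoint, [(name, va, vsize, flags), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, nsections, _ts, _psym, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    sections = []
    off = opt + opt_size                                     # section table follows the optional header
    for _ in range(nsections):
        name, vsize, va, *_rest, flags = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, flags))
        off += 40
    return entry_rva, sections


def entry_point_section(data):
    """Describe where the entry point falls, in the shape of GMER's "Init" line."""
    entry_rva, sections = read_headers(data)
    for name, va, vsize, flags in sections:
        if va <= entry_rva < va + vsize:
            return {
                "section": name,
                "entry_rva": entry_rva,
                "executable": bool(flags & IMAGE_SCN_MEM_EXECUTE),
                "discardable": bool(flags & IMAGE_SCN_MEM_DISCARDABLE),
                "note": f'entry point in "{name.lower()}" section [0x{entry_rva:08X}]',
            }
    # An entry point outside every section is far more suspicious than one in INIT:
    # it points into the headers or into memory a packer fills in at load time.
    return {"section": None, "entry_rva": entry_rva, "executable": False,
            "discardable": False,
            "note": f"entry point 0x{entry_rva:08X} is outside every section header"}


def build_sample_driver(entry_in_init=True):
    """Construct a minimal PE32 image (sample data, headers only) with .text and INIT sections."""
    sections = [
        (b".text", 0x1000, 0x200, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
        (b"INIT", 0x2000, 0x100, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE
                                 | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_DISCARDABLE),
    ]
    entry = 0x2020 if entry_in_init else 0x1010
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                   # e_lfanew: PE signature right after the DOS header
    opt = bytearray(224)                                     # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                    # Magic = PE32
    struct.pack_into("<I", opt, 16, entry)                   # AddressOfEntryPoint
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, 0, 0, 0, 0, 0, 0, fl)
                     for n, va, vs, fl in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


if __name__ == "__main__":
    print(entry_point_section(build_sample_driver())["note"])
```

To run it against a real driver, `entry_point_section(open(path, "rb").read())` is enough; the "discardable" flag tells you whether the section is one the kernel frees after DriverEntry returns.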

  10. #10

    Restarted, one more attempt, ran DDS before going home. Just attached dds.zip and attach.zip.
