Windows BBS The Place for Microsoft Windows Support! Windows, Support, Help Site

29th February 2008   #1
mtaffer


computer thinks it's in safe mode (ht log)

Hi,

We have had some problems with a client PC lately. The last two days I have been struggling with trying to keep the spooler active, and today I could not activate any virus software and was forced to do an online scan. Also, when trying to start the spooler or the installer services, it said I could not do this in "safe mode", but I'm not in safe mode. Here is the HijackThis log and the Panda ActiveScan log. Thanks in advance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:43:16 AM, on 2/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\Softrax\Tools\msghost.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Warecentral\PrintKey-Pro\PKey_Pro.exe
C:\tm\tmsimg\bin\ftsrvr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [STXMSGHOST] C:\PROGRA~1\Softrax\Tools\msghost.exe
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~2\bdmcon.exe
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Imaging Server.lnk = C:\tm\tmsimg\bin\tmimgpcx.exe
O4 - Global Startup: PrintKey-Pro.lnk = C:\Program Files\Warecentral\PrintKey-Pro\PKey_Pro.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/chnz/def...jolauncher.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = tmscorp.com
O17 - HKLM\Software\..\Telephony: DomainName = tmscorp.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = tmscorp.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = tmscorp.com
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

29th February 2008   #2
mtaffer

Panda scan log

Here are the results from the Panda scan log...

Panda log

Incident Status Location

Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\alisonc\Application Data\Mozilla\Firefox\Profiles\s3hlcbbl.default\cookies.txt[statse.webtrendslive.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\alisonc\Application Data\Mozilla\Firefox\Profiles\s3hlcbbl.default\cookies.txt[.go.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\alisonc\Cookies\alisonc@atwola[2].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\alisonc\Cookies\alisonc@go[1].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\dinab\Application Data\Mozilla\Firefox\Profiles\4z2rmwtk.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\dinab\Application Data\Mozilla\Firefox\Profiles\4z2rmwtk.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\dinab\Application Data\Mozilla\Firefox\Profiles\4z2rmwtk.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\dinab\Application Data\Mozilla\Firefox\Profiles\4z2rmwtk.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\dinab\Application Data\Mozilla\Firefox\Profiles\4z2rmwtk.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/CentrPort Not disinfected C:\Documents and Settings\dinab\Application Data\Mozilla\Firefox\Profiles\4z2rmwtk.default\cookies.txt[.centrport.net/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\dinab\Application Data\Mozilla\Firefox\Profiles\4z2rmwtk.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\dinab\Application Data\Mozilla\Firefox\Profiles\4z2rmwtk.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\dinab\Application Data\Mozilla\Firefox\Profiles\4z2rmwtk.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\dinab\Application Data\Mozilla\Firefox\Profiles\4z2rmwtk.default\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\dinab\Application Data\Mozilla\Firefox\Profiles\4z2rmwtk.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\dinab\Application Data\Mozilla\Firefox\Profiles\4z2rmwtk.default\cookies.txt[.247realmedia.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\dinab\Application Data\Mozilla\Firefox\Profiles\4z2rmwtk.default\cookies.txt[.advertising.com/]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\dinab\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv521.jar-4c5a2ea7-1d085641.zip[Matrix.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\dinab\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv521.jar-4c5a2ea7-1d085641.zip[Counter.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\dinab\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv521.jar-4c5a2ea7-1d085641.zip[Dummy.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\dinab\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv521.jar-4c5a2ea7-1d085641.zip[Parser.class]
Hacktool:Exploit/iFrame Not disinfected Personal Folders\Sent Items\RE: AOL Instant Messenger Confirmation (fSWbWWzbl1 nikipage)
Virus:W32/Mydoom.A.worm Disinfected Personal Folders\Sent Items\FW: email I got this morning\text.zip[text.scr]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\jeanniem\Application Data\Mozilla\Firefox\Profiles\zwlu5opn.default\cookies.txt[.zedo.com/]
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\jeanniem\Application Data\Mozilla\Firefox\Profiles\zwlu5opn.default\cookies.txt[.target.com/]
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\jeanniem\Application Data\Mozilla\Firefox\Profiles\zwlu5opn.default\cookies.txt[.stat.onestat.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\jeanniem\Application Data\Mozilla\Firefox\Profiles\zwlu5opn.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\jeanniem\Application Data\Mozilla\Firefox\Profiles\zwlu5opn.default\cookies.txt[.server.iad.liveperson.net/hc/5125383]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\jeanniem\Application Data\Mozilla\Firefox\Profiles\zwlu5opn.default\cookies.txt[.server.iad.liveperson.net/]
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\jeanniem\Application Data\Mozilla\Firefox\Profiles\zwlu5opn.default\cookies.txt[.stat.onestat.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\jeanniem\Application Data\Mozilla\Firefox\Profiles\zwlu5opn.default\cookies.txt[.searchportal.information.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\jeanniem\Application Data\Mozilla\Firefox\Profiles\zwlu5opn.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\jeanniem\Application Data\Mozilla\Firefox\Profiles\zwlu5opn.default\cookies.txt[.revenue.net/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\jeanniem\Application Data\Mozilla\Firefox\Profiles\zwlu5opn.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\jeanniem\Application Data\Mozilla\Firefox\Profiles\zwlu5opn.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\jeanniem\Application Data\Mozilla\Firefox\Profiles\zwlu5opn.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\jeanniem\Application Data\Mozilla\Firefox\Profiles\zwlu5opn.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\jeanniem\Application Data\Mozilla\Firefox\Profiles\zwlu5opn.default\cookies.txt[.statse.webtrendslive.com/]
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\jeanniem\Application Data\Mozilla\Firefox\Profiles\zwlu5opn.default\cookies.txt[.tickle.com/]
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\jeanniem\Application Data\Mozilla\Firefox\Profiles\zwlu5opn.default\cookies.txt[.stat.onestat.com/]
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\jeanniem\Application Data\Mozilla\Firefox\Profiles\zwlu5opn.default\cookies.txt[.tickle.com/]
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\jeanniem\Application Data\Mozilla\Firefox\Profiles\zwlu5opn.default\cookies.txt[.target.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\jeanniem\Application Data\Mozilla\Firefox\Profiles\zwlu5opn.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\jeanniem\Application Data\Mozilla\Firefox\Profiles\zwlu5opn.default\cookies.txt[.overture.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\jeanniem\Application Data\Mozilla\Firefox\Profiles\zwlu5opn.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\jeanniem\Application Data\Mozilla\Firefox\Profiles\zwlu5opn.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\jeanniem\Application Data\Mozilla\Firefox\Profiles\zwlu5opn.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/FortuneCity Not disinfected C:\Documents and Settings\jeanniem\Application Data\Mozilla\Firefox\Profiles\zwlu5opn.default\cookies.txt[.fortunecity.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\jeanniem\Application Data\Mozilla\Firefox\Profiles\zwlu5opn.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\jeanniem\Application Data\Mozilla\Firefox\Profiles\zwlu5opn.default\cookies.txt[.bluestreak.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\jeanniem\Application Data\Mozilla\Firefox\Profiles\zwlu5opn.default\cookies.txt[.atwola.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\jeanniem\Application Data\Mozilla\Firefox\Profiles\zwlu5opn.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\jeanniem\Application Data\Mozilla\Firefox\Profiles\zwlu5opn.default\cookies.txt[.advertising.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\jeanniem\Application Data\Mozilla\Firefox\Profiles\zwlu5opn.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\jeanniem\Application Data\Mozilla\Firefox\Profiles\zwlu5opn.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\jeanniem\Application Data\Mozilla\Firefox\Profiles\zwlu5opn.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\jeanniem\Application Data\Mozilla\Firefox\Profiles\zwlu5opn.default\cookies.txt[.ad.yieldmanager.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\jeanniem\Application Data\Mozilla\Firefox\Profiles\zwlu5opn.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\jeanniem\Application Data\Mozilla\Firefox\Profiles\zwlu5opn.default\cookies.txt[.ad.yieldmanager.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\jeanniem\Application Data\Mozilla\Firefox\Profiles\zwlu5opn.default\cookies.txt[.advertising.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\jeanniem\Application Data\Mozilla\Firefox\Profiles\zwlu5opn.default\cookies.txt[.247realmedia.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\jeanniem\Application Data\Mozilla\Firefox\Profiles\zwlu5opn.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\jeanniem\Cookies\jeanniem@atwola[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\jeanniem\Cookies\jeanniem@burstnet[2].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\jeanniem\Cookies\jeanniem@ehg-dig.hitbox[2].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\jeanniem\Cookies\jeanniem@go[1].txt
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\jeanniem\Cookies\jeanniem@target[1].txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\jeanniem\Cookies\jeanniem@web.tickle[2].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\jeanniem\Cookies\jeanniem@www2.addfreestats[1].txt
Virus:W32/Tearec.A.worm!CME-24 Disinfected C:\Documents and Settings\jeanniem\Local Settings\Temp\pft102E.tmp\Softrax\Client\Opr_Fin\program\desktop.ini
Virus:W32/Tearec.A.worm!CME-24 Disinfected C:\Documents and Settings\jeanniem\Local Settings\Temp\pft102E.tmp\Softrax\Client\Opr_Fin\program\Temp.Htt
Virus:W32/Tearec.A.worm!CME-24 Disinfected C:\Documents and Settings\jeanniem\Local Settings\Temp\pft102E.tmp\Softrax\desktop.ini
Virus:W32/Tearec.A.worm!CME-24 Disinfected C:\Documents and Settings\jeanniem\Local Settings\Temp\pft102E.tmp\Softrax\Temp.Htt
Virus:W32/Tearec.A.worm!CME-24 Disinfected C:\Documents and Settings\jeanniem\Local Settings\Temp\pft1031.tmp\Softrax\Client\Opr_Fin\program\desktop.ini
Virus:W32/Tearec.A.worm!CME-24 Disinfected C:\Documents and Settings\jeanniem\Local Settings\Temp\pft1031.tmp\Softrax\Client\Opr_Fin\program\Temp.Htt
Virus:W32/Tearec.A.worm!CME-24 Disinfected C:\Documents and Settings\jeanniem\Local Settings\Temp\pft1031.tmp\Softrax\desktop.ini
Virus:W32/Tearec.A.worm!CME-24 Disinfected C:\Documents and Settings\jeanniem\Local Settings\Temp\pft1031.tmp\Softrax\Temp.Htt
Virus:W32/Tearec.A.worm!CME-24 Disinfected C:\Documents and Settings\jeanniem\Local Settings\Temp\pft1053.tmp\Softrax\Client\Opr_Fin\program\desktop.ini
Virus:W32/Tearec.A.worm!CME-24 Disinfected C:\Documents and Settings\jeanniem\Local Settings\Temp\pft1053.tmp\Softrax\Client\Opr_Fin\program\Temp.Htt
Virus:W32/Tearec.A.worm!CME-24 Disinfected C:\Documents and Settings\jeanniem\Local Settings\Temp\pft1053.tmp\Softrax\desktop.ini
Virus:W32/Tearec.A.worm!CME-24 Disinfected C:\Documents and Settings\jeanniem\Local Settings\Temp\pft1053.tmp\Softrax\Temp.Htt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\lindar\Cookies\lindar@atdmt[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\lindar\Cookies\lindar@bs.serving-sys[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\lindar\Cookies\lindar@serving-sys[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\lindar\Cookies\lindar@tribalfusion[1].txt
Adware:Adware/SaveNow Not disinfected C:\Program Files\MyEmoticons\uninstall.exe
Virus:W32/Tearec.A.worm!CME-24 Disinfected C:\Program Files\Softrax\Opr_fin\program\desktop.ini
Virus:W32/Tearec.A.worm!CME-24 Disinfected C:\Program Files\Softrax\Opr_fin\program\Temp.Htt
Virus:Trj/Downloader.MDW Disinfected C:\WINDOWS\Downloaded Program Files\popcaploader.dll

Thanks again,
mtaffer

2nd March 2008   #3
noahdfear

Hi mtaffer

Please click the eTrust online scanner link in my signature and run a full system scan with it as well. When complete, check the recommended action for anything identified as infected then click Clean. Let me know how that goes.

Next, download ATF Cleaner by Atribune and save it to your Desktop.
  • Double click ATF-Cleaner.exe to run the program.
  • Check the boxes to the left of:

    • Windows Temp
    • Current User Temp
    • All Users Temp
    • Temporary Internet Files
    • Prefetch
    • Java Cache
    • Recycle bin

  • The rest are optional - if you want it to remove everything check "Select All".
  • Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK then exit.
Reboot


Now download Malwarebytes' Anti-Malware (MBAM) from here or here and save the file to your desktop.

Double click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select 'Perform Quick Scan', then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note below)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Post the entire report in your next reply along with a fresh HijackThis log. Let me know what issues still exist.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

3rd March 2008   #4
mtaffer


here's the log

Malwarebytes' Anti-Malware 1.05
Database version: 445

Scan type: Quick Scan
Objects scanned: 68712
Time elapsed: 16 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWay) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:36:46 PM, on 3/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\Softrax\Tools\msghost.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Warecentral\PrintKey-Pro\PKey_Pro.exe
C:\tm\tmsimg\bin\ftsrvr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [STXMSGHOST] C:\PROGRA~1\Softrax\Tools\msghost.exe
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~2\bdmcon.exe
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Imaging Server.lnk = C:\tm\tmsimg\bin\tmimgpcx.exe
O4 - Global Startup: PrintKey-Pro.lnk = C:\Program Files\Warecentral\PrintKey-Pro\PKey_Pro.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/chnz/def...jolauncher.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = tmscorp.com
O17 - HKLM\Software\..\Telephony: DomainName = tmscorp.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = tmscorp.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = tmscorp.com
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 6563 bytes


As far as the CA scan, it found 4 java files that it could not clean. All of them were in one profile on the PC.

Thanks again,
mtaffer

Old 4th March 2008   #5
SuperGeek
 
Profile:
Join Date: Apr 2003
Location: New Bremen, Ohio U.S.A.
Posts: 12,523
Computer Experience:
~@<*+
noahdfear

You can clean the Java temps and all other temps easily with ATF Cleaner. You will need to run it from each user account.

Download ATF Cleaner by Atribune and save it to your Desktop.
  • Double click ATF-Cleaner.exe to run the program.
  • Check the boxes to the left of:

    • Windows Temp
    • Current User Temp
    • All Users Temp
    • Temporary Internet Files
    • Prefetch
    • Java Cache
    • Recycle bin

  • The rest are optional - if you want it to remove everything check "Select All".
  • Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK then exit.
Reboot


I see nothing malware related that would cause the issue with the computer thinking it's in safe mode. I am curious about the lesser number of svchost.exe processes than normal, and wonder if some services are not running as they should. Let's have a look at those.

Highlight and copy the bolded text below.

sc query>"%userprofile%\desktop\services.txt"
exit
cls


Now click Start>Run and type cmd then hit enter to open a command window. Right click in the window and select paste. The command window will close on its own. Please post the contents of the services.txt log it creates on the desktop.

Old 4th March 2008   #6
Senior Member
 
Profile:
Join Date: Oct 2006
Posts: 51
Computer Experience:
Intermediate
mtaffer


ok, here's the results

All of this started with the inability to print to network printer, then it spread from there. Anytime a network printer was accessed, it would kill the spooler process and, in turn, the installer process.
Just some other information. I have considered doing a Windows repair to see if it won't fix the spooler corruption, or maybe a chkdsk. What do you think?


SERVICE_NAME: Browser
DISPLAY_NAME: Computer Browser
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: CryptSvc
DISPLAY_NAME: Cryptographic Services
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: DcomLaunch
DISPLAY_NAME: DCOM Server Process Launcher
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: Dhcp
DISPLAY_NAME: DHCP Client
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: dmserver
DISPLAY_NAME: Logical Disk Manager
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: Dnscache
DISPLAY_NAME: DNS Client
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: Eventlog
DISPLAY_NAME: Event Log
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(NOT_STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: helpsvc
DISPLAY_NAME: Help and Support
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: lanmanserver
DISPLAY_NAME: Server
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: lanmanworkstation
DISPLAY_NAME: Workstation
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: LmHosts
DISPLAY_NAME: TCP/IP NetBIOS Helper
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: Netlogon
DISPLAY_NAME: Net Logon
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: Netman
DISPLAY_NAME: Network Connections
TYPE : 120 WIN32_SHARE_PROCESS (interactive)
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: PlugPlay
DISPLAY_NAME: Plug and Play
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(NOT_STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: RpcSs
DISPLAY_NAME: Remote Procedure Call (RPC)
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: TermService
DISPLAY_NAME: Terminal Services
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: winmgmt
DISPLAY_NAME: Windows Management Instrumentation
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: WZCSVC
DISPLAY_NAME: Wireless Zero Configuration
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

Appreciate the help as always.
mtaffer

Old 5th March 2008   #7
SuperGeek
 
Profile:
Join Date: Apr 2003
Location: New Bremen, Ohio U.S.A.
Posts: 12,523
Computer Experience:
~@<*+
noahdfear

Seems to be a number of services not running that I would normally expect to see. Let's look into why. Highlight and copy the contents of the code box below.

Code:
reg query "hklm\software\microsoft\windows nt\currentversion\svchost" /s|findstr /v "!">"%userprofile%\desktop\service.txt"
echo.>>"%userprofile%\desktop\service.txt"
echo.>>"%userprofile%\desktop\service.txt"
echo -------Inactive Services------->>"%userprofile%\desktop\service.txt"
echo.>>"%userprofile%\desktop\service.txt"
sc query state= inactive|findstr /i /v "wait checkpoint exit ignores">>"%userprofile%\desktop\service.txt"
exit
cls
Open a command window and paste the text. Post the contents of the service.txt log it creates on the desktop.

Old 6th March 2008   #8
Senior Member
 
Profile:
Join Date: Oct 2006
Posts: 51
Computer Experience:
Intermediate
mtaffer


service.txt

Ok, here is the output file

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
netsvcs REG_MULTI_SZ 6to4\0AppMgmt\0AudioSrv\0Browser\0CryptSvc\0DMServer\0DHCP\0ERSvc\0EventSystem\0FastUserSwitchingCompatibility\0HidServ\0Ias\0Iprip\0Irmon\0LanmanServer\0LanmanWorkstation\0Messenger\0Netman\0Nla\0Ntmssvc\0NWCWorkstation\0Nwsapagent\0Rasauto\0Rasman\0Remoteaccess\0Schedule\0Seclogon\0SENS\0Sharedaccess\0SRService\0Tapisrv\0Themes\0TrkWks\0W32Time\0WZCSVC\0Wmi\0WmdmPmSp\0winmgmt\0wscsvc\0xmlprov\0BITS\0wuauserv\0ShellHWDetection\0helpsvc\0WmdmPmSN\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HPZ12 REG_MULTI_SZ Pml Driver HPZ12\0Net Driver HPZ12\0\0

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\DComLaunch
CoInitializeSecurityParam REG_DWORD 0x1
DefaultRpcStackSize REG_DWORD 0x8

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\HTTPFilter
CoInitializeSecurityParam REG_DWORD 0x1

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\LocalService
CoInitializeSecurityParam REG_DWORD 0x1
AuthenticationCapabilities REG_DWORD 0x2000

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\netsvcs
CoInitializeSecurityParam REG_DWORD 0x1
AuthenticationCapabilities REG_DWORD 0x3020

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\PCHealth
CoInitializeSecurityParam REG_DWORD 0x2
AuthenticationCapabilities REG_DWORD 0x40

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\termsvcs
CoInitializeSecurityParam REG_DWORD 0x1
DefaultRpcStackSize REG_DWORD 0x8


-------Inactive Services-------


SERVICE_NAME: Alerter
DISPLAY_NAME: Alerter
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 1 STOPPED

SERVICE_NAME: ALG
DISPLAY_NAME: Application Layer Gateway Service
TYPE : 10 WIN32_OWN_PROCESS
STATE : 1 STOPPED

SERVICE_NAME: AppMgmt
DISPLAY_NAME: Application Management
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 1 STOPPED

SERVICE_NAME: aspnet_state
DISPLAY_NAME: ASP.NET State Service
TYPE : 10 WIN32_OWN_PROCESS
STATE : 1 STOPPED

SERVICE_NAME: AudioSrv
DISPLAY_NAME: Windows Audio
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 1 STOPPED

SERVICE_NAME: bdss
DISPLAY_NAME: BitDefender Scan Server
TYPE : 10 WIN32_OWN_PROCESS
STATE : 1 STOPPED

SERVICE_NAME: BITS
DISPLAY_NAME: Background Intelligent Transfer Service
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 1 STOPPED

SERVICE_NAME: Browser
DISPLAY_NAME: Computer Browser
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 1 STOPPED

SERVICE_NAME: CiSvc
DISPLAY_NAME: Indexing Service
TYPE : 120 WIN32_SHARE_PROCESS (interactive)
STATE : 1 STOPPED

SERVICE_NAME: ClipSrv
DISPLAY_NAME: ClipBook
TYPE : 10 WIN32_OWN_PROCESS
STATE : 1 STOPPED

SERVICE_NAME: COMSysApp
DISPLAY_NAME: COM+ System Application
TYPE : 10 WIN32_OWN_PROCESS
STATE : 1 STOPPED

SERVICE_NAME: dmadmin
DISPLAY_NAME: Logical Disk Manager Administrative Service
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 1 STOPPED

SERVICE_NAME: ERSvc
DISPLAY_NAME: Error Reporting Service
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 1 STOPPED

SERVICE_NAME: EventSystem
DISPLAY_NAME: COM+ Event System
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 1 STOPPED

SERVICE_NAME: FastUserSwitchingCompatibility
DISPLAY_NAME: Fast User Switching Compatibility
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 1 STOPPED

SERVICE_NAME: HidServ
DISPLAY_NAME: HID Input Service
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 1 STOPPED

SERVICE_NAME: HTTPFilter
DISPLAY_NAME: HTTP SSL
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 1 STOPPED

SERVICE_NAME: IDriverT
DISPLAY_NAME: InstallDriver Table Manager
TYPE : 10 WIN32_OWN_PROCESS
STATE : 1 STOPPED

SERVICE_NAME: ImapiService
DISPLAY_NAME: IMAPI CD-Burning COM Service
TYPE : 10 WIN32_OWN_PROCESS
STATE : 1 STOPPED

SERVICE_NAME: LIVESRV
DISPLAY_NAME: BitDefender Desktop Update Service
TYPE : 110 WIN32_OWN_PROCESS (interactive)
STATE : 1 STOPPED

SERVICE_NAME: MDM
DISPLAY_NAME: Machine Debug Manager
TYPE : 110 WIN32_OWN_PROCESS (interactive)
STATE : 1 STOPPED

SERVICE_NAME: Messenger
DISPLAY_NAME: Messenger
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 1 STOPPED

SERVICE_NAME: mnmsrvc
DISPLAY_NAME: NetMeeting Remote Desktop Sharing
TYPE : 110 WIN32_OWN_PROCESS (interactive)
STATE : 1 STOPPED

SERVICE_NAME: MSDTC
DISPLAY_NAME: Distributed Transaction Coordinator
TYPE : 10 WIN32_OWN_PROCESS
STATE : 1 STOPPED

SERVICE_NAME: MSIServer
DISPLAY_NAME: Windows Installer
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 1 STOPPED

SERVICE_NAME: NetDDE
DISPLAY_NAME: Network DDE
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 1 STOPPED

SERVICE_NAME: NetDDEdsdm
DISPLAY_NAME: Network DDE DSDM
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 1 STOPPED

SERVICE_NAME: NetSvc
DISPLAY_NAME: Intel NCS NetService
TYPE : 110 WIN32_OWN_PROCESS (interactive)
STATE : 1 STOPPED

SERVICE_NAME: Nla
DISPLAY_NAME: Network Location Awareness (NLA)
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 1 STOPPED

SERVICE_NAME: NtLmSsp
DISPLAY_NAME: NT LM Security Support Provider
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 1 STOPPED

SERVICE_NAME: NtmsSvc
DISPLAY_NAME: Removable Storage
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 1 STOPPED

SERVICE_NAME: ose
DISPLAY_NAME: Office Source Engine
TYPE : 10 WIN32_OWN_PROCESS
STATE : 1 STOPPED

SERVICE_NAME: Pml Driver HPZ12
DISPLAY_NAME: Pml Driver HPZ12
TYPE : 10 WIN32_OWN_PROCESS
STATE : 1 STOPPED

SERVICE_NAME: PolicyAgent
DISPLAY_NAME: IPSEC Services
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 1 STOPPED

SERVICE_NAME: ProtectedStorage
DISPLAY_NAME: Protected Storage
TYPE : 120 WIN32_SHARE_PROCESS (interactive)
STATE : 1 STOPPED

SERVICE_NAME: RasAuto
DISPLAY_NAME: Remote Access Auto Connection Manager
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 1 STOPPED

SERVICE_NAME: RasMan
DISPLAY_NAME: Remote Access Connection Manager
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 1 STOPPED

SERVICE_NAME: RDSessMgr
DISPLAY_NAME: Remote Desktop Help Session Manager
TYPE : 10 WIN32_OWN_PROCESS
STATE : 1 STOPPED

SERVICE_NAME: RemoteAccess
DISPLAY_NAME: Routing and Remote Access
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 1 STOPPED

SERVICE_NAME: RemoteRegistry
DISPLAY_NAME: Remote Registry
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 1 STOPPED

SERVICE_NAME: RpcLocator
DISPLAY_NAME: Remote Procedure Call (RPC) Locator
TYPE : 10 WIN32_OWN_PROCESS
STATE : 1 STOPPED

SERVICE_NAME: RSVP
DISPLAY_NAME: QoS RSVP
TYPE : 10 WIN32_OWN_PROCESS
STATE : 1 STOPPED

SERVICE_NAME: SamSs
DISPLAY_NAME: Security Accounts Manager
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 1 STOPPED

SERVICE_NAME: SCardSvr
DISPLAY_NAME: Smart Card
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 1 STOPPED

SERVICE_NAME: Schedule
DISPLAY_NAME: Task Scheduler
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 1 STOPPED

SERVICE_NAME: seclogon
DISPLAY_NAME: Secondary Logon
TYPE : 120 WIN32_SHARE_PROCESS (interactive)
STATE : 1 STOPPED

SERVICE_NAME: SENS
DISPLAY_NAME: System Event Notification
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 1 STOPPED

SERVICE_NAME: SharedAccess
DISPLAY_NAME: Windows Firewall/Internet Connection Sharing (ICS)
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 1 STOPPED

SERVICE_NAME: ShellHWDetection
DISPLAY_NAME: Shell Hardware Detection
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 1 STOPPED

SERVICE_NAME: Spooler
DISPLAY_NAME: Print Spooler
TYPE : 110 WIN32_OWN_PROCESS (interactive)
STATE : 1 STOPPED

SERVICE_NAME: srservice
DISPLAY_NAME: System Restore Service
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 1 STOPPED

SERVICE_NAME: SSDPSRV
DISPLAY_NAME: SSDP Discovery Service
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 1 STOPPED

SERVICE_NAME: stisvc
DISPLAY_NAME: Windows Image Acquisition (WIA)
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 1 STOPPED

SERVICE_NAME: SwPrv
DISPLAY_NAME: MS Software Shadow Copy Provider
TYPE : 10 WIN32_OWN_PROCESS
STATE : 1 STOPPED

SERVICE_NAME: SysmonLog
DISPLAY_NAME: Performance Logs and Alerts
TYPE : 10 WIN32_OWN_PROCESS
STATE : 1 STOPPED

SERVICE_NAME: TapiSrv
DISPLAY_NAME: Telephony
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 1 STOPPED

SERVICE_NAME: Themes
DISPLAY_NAME: Themes
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 1 STOPPED

SERVICE_NAME: TlntSvr
DISPLAY_NAME: Telnet
TYPE : 10 WIN32_OWN_PROCESS
STATE : 1 STOPPED

SERVICE_NAME: TrkWks
DISPLAY_NAME: Distributed Link Tracking Client
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 1 STOPPED

SERVICE_NAME: UMWdf
DISPLAY_NAME: Windows User Mode Driver Framework
TYPE : 10 WIN32_OWN_PROCESS
STATE : 1 STOPPED

SERVICE_NAME: upnphost
DISPLAY_NAME: Universal Plug and Play Device Host
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 1 STOPPED

SERVICE_NAME: UPS
DISPLAY_NAME: Uninterruptible Power Supply
TYPE : 10 WIN32_OWN_PROCESS
STATE : 1 STOPPED

SERVICE_NAME: VSS
DISPLAY_NAME: Volume Shadow Copy
TYPE : 10 WIN32_OWN_PROCESS
STATE : 1 STOPPED

SERVICE_NAME: VSSERV
DISPLAY_NAME: BitDefender Virus Shield
TYPE : 10 WIN32_OWN_PROCESS
STATE : 1 STOPPED

SERVICE_NAME: w32time
DISPLAY_NAME: Windows Time
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 1 STOPPED

SERVICE_NAME: WebClient
DISPLAY_NAME: WebClient
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 1 STOPPED

SERVICE_NAME: WmdmPmSN
DISPLAY_NAME: Portable Media Serial Number Service
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 1 STOPPED

SERVICE_NAME: Wmi
DISPLAY_NAME: Windows Management Instrumentation Driver Extensions
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 1 STOPPED

SERVICE_NAME: WmiApSrv
DISPLAY_NAME: WMI Performance Adapter
TYPE : 10 WIN32_OWN_PROCESS
STATE : 1 STOPPED

SERVICE_NAME: wscsvc
DISPLAY_NAME: Security Center
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 1 STOPPED

SERVICE_NAME: wuauserv
DISPLAY_NAME: Automatic Updates
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 1 STOPPED

SERVICE_NAME: XCOMM
DISPLAY_NAME: BitDefender Communicator
TYPE : 10 WIN32_OWN_PROCESS
STATE : 1 STOPPED

SERVICE_NAME: xmlprov
DISPLAY_NAME: Network Provisioning Service
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 1 STOPPED


Still can't get it to install any network printers though, weird.

Appreciate you hanging in there with me, even though this has left the realm of virus or spyware it seems. I'm just as intrigued as you are, I've never seen anything like this behavior before.

mtaffer

Old 7th March 2008   #9
SuperGeek
 
Profile:
Join Date: Apr 2003
Location: New Bremen, Ohio U.S.A.
Posts: 12,523
Computer Experience:
~@<*+
noahdfear

Quite a number of services are disabled that should be set to automatic or manual startup. Below is the list of running services from my machine, most of which remain at the XP default settings.

-------Active Services-------


SERVICE_NAME: Alerter
DISPLAY_NAME: Alerter
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING

SERVICE_NAME: ALG
DISPLAY_NAME: Application Layer Gateway Service
TYPE : 10 WIN32_OWN_PROCESS
STATE : 4 RUNNING

SERVICE_NAME: AudioSrv
DISPLAY_NAME: Windows Audio
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING

SERVICE_NAME: BITS
DISPLAY_NAME: Background Intelligent Transfer Service
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING

SERVICE_NAME: Browser
DISPLAY_NAME: Computer Browser
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING

SERVICE_NAME: CryptSvc
DISPLAY_NAME: Cryptographic Services
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING

SERVICE_NAME: DcomLaunch
DISPLAY_NAME: DCOM Server Process Launcher
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING

SERVICE_NAME: Dhcp
DISPLAY_NAME: DHCP Client
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING

SERVICE_NAME: Dnscache
DISPLAY_NAME: DNS Client
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING

SERVICE_NAME: Eventlog
DISPLAY_NAME: Event Log
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING

SERVICE_NAME: EventSystem
DISPLAY_NAME: COM+ Event System
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING

SERVICE_NAME: helpsvc
DISPLAY_NAME: Help and Support
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING

SERVICE_NAME: lanmanserver
DISPLAY_NAME: Server
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING

SERVICE_NAME: lanmanworkstation
DISPLAY_NAME: Workstation
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING

SERVICE_NAME: LmHosts
DISPLAY_NAME: TCP/IP NetBIOS Helper
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING

SERVICE_NAME: MDM
DISPLAY_NAME: Machine Debug Manager
TYPE : 110 WIN32_OWN_PROCESS (interactive)
STATE : 4 RUNNING

SERVICE_NAME: Netman
DISPLAY_NAME: Network Connections
TYPE : 120 WIN32_SHARE_PROCESS (interactive)
STATE : 4 RUNNING

SERVICE_NAME: PlugPlay
DISPLAY_NAME: Plug and Play
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING

SERVICE_NAME: PolicyAgent
DISPLAY_NAME: IPSEC Services
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING

SERVICE_NAME: ProtectedStorage
DISPLAY_NAME: Protected Storage
TYPE : 120 WIN32_SHARE_PROCESS (interactive)
STATE : 4 RUNNING

SERVICE_NAME: RasMan
DISPLAY_NAME: Remote Access Connection Manager
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING

SERVICE_NAME: RpcSs
DISPLAY_NAME: Remote Procedure Call (RPC)
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING

SERVICE_NAME: SamSs
DISPLAY_NAME: Security Accounts Manager
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING

SERVICE_NAME: Schedule
DISPLAY_NAME: Task Scheduler
TYPE : 120 WIN32_SHARE_PROCESS (interactive)
STATE : 4 RUNNING

SERVICE_NAME: SENS
DISPLAY_NAME: System Event Notification
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING

SERVICE_NAME: SharedAccess
DISPLAY_NAME: Internet Connection Sharing
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING

SERVICE_NAME: ShellHWDetection
DISPLAY_NAME: Shell Hardware Detection
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING

SERVICE_NAME: Spooler
DISPLAY_NAME: Print Spooler
TYPE : 110 WIN32_OWN_PROCESS (interactive)
STATE : 4 RUNNING

SERVICE_NAME: srservice
DISPLAY_NAME: System Restore Service
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING

SERVICE_NAME: stisvc
DISPLAY_NAME: Windows Image Acquisition (WIA)
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING

SERVICE_NAME: TapiSrv
DISPLAY_NAME: Telephony
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING

SERVICE_NAME: TermService
DISPLAY_NAME: Terminal Services
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING

SERVICE_NAME: Themes
DISPLAY_NAME: Themes
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING

SERVICE_NAME: UMWdf
DISPLAY_NAME: Windows User Mode Driver Framework
TYPE : 10 WIN32_OWN_PROCESS
STATE : 4 RUNNING

SERVICE_NAME: W32Time
DISPLAY_NAME: Windows Time
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING

SERVICE_NAME: winmgmt
DISPLAY_NAME: Windows Management Instrumentation
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING

SERVICE_NAME: wscsvc
DISPLAY_NAME: Security Center
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING

SERVICE_NAME: wuauserv
DISPLAY_NAME: Automatic Updates
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING

SERVICE_NAME: WZCSVC
DISPLAY_NAME: Wireless Zero Configuration
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING


I recommend you either compare the startup type for each service with another XP system, or download and install Service Controller XP, then set the services to the default setting as shown for each entry. The one exception to the default settings I can think of is Messenger, which should be disabled unless you use the service in the workplace. Incidentally, most machines fare well using the Safe settings as well. You will need to view the service description and determine what's best for your environment.

When done, reboot the machine and see if things are working as they should. I would also like to see another log of the running services at that time, so run the following from a command window again, then post the services.txt file on the desktop (current copy will be overwritten).

sc query>"%userprofile%\desktop\services.txt"
exit
cls

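The comparison recommended in post #9, as an added example that is not part of the thread: a Python sketch that parses `sc query` listings in the format posted above and lists the services that run on the reference machine but are stopped on the client, tagged with the svchost group from the `reg query` output. The sample inputs are abbreviated from the thread's listings, and the function names are this example's own.

```python
import re

FIELD = re.compile(r"^\s*([A-Z0-9_]+)\s*:\s*(.*?)\s*$")

def parse_sc_query(text):
    """Parse `sc query` output into {lowercased service name: record}."""
    services, current = {}, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # blank lines and "(STOPPABLE,...)" flag lines
        key, value = m.groups()
        if key == "SERVICE_NAME":
            current = {"name": value, "display": "", "state": None}
            services[value.lower()] = current
        elif current is not None and key == "DISPLAY_NAME":
            current["display"] = value
        elif current is not None and key == "STATE" and value:
            current["state"] = value.split()[-1]  # "4 RUNNING" -> "RUNNING"
    return services

def parse_svchost_groups(text):
    """Map lowercased service name -> svchost group, from `reg query` output."""
    owner = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(\S+)\s+REG_MULTI_SZ\s+(.*)$", line)
        if not m:
            continue
        group, members = m.groups()
        for svc in members.split("\\0"):  # entries are separated by a literal \0
            if svc.strip():
                owner.setdefault(svc.strip().lower(), group)
    return owner

def triage(reference_running, client_inactive, svchost_reg=""):
    """Services RUNNING on the reference machine but STOPPED on the client."""
    ref = parse_sc_query(reference_running)
    cli = parse_sc_query(client_inactive)
    groups = parse_svchost_groups(svchost_reg)
    findings = []
    for key in sorted(ref):
        hit = cli.get(key)  # keys are lowercased: W32Time matches w32time
        if ref[key]["state"] == "RUNNING" and hit and hit["state"] == "STOPPED":
            findings.append((hit["name"], hit["display"], groups.get(key)))
    return findings

# Sample inputs abbreviated from the listings posted in this thread
# (most TYPE lines dropped, the netsvcs line shortened).
REFERENCE_RUNNING = """
SERVICE_NAME: Alerter
DISPLAY_NAME: Alerter
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
SERVICE_NAME: Spooler
DISPLAY_NAME: Print Spooler
STATE : 4 RUNNING
SERVICE_NAME: W32Time
DISPLAY_NAME: Windows Time
STATE : 4 RUNNING
"""
CLIENT_INACTIVE = """
SERVICE_NAME: Alerter
DISPLAY_NAME: Alerter
STATE : 1 STOPPED
SERVICE_NAME: Spooler
DISPLAY_NAME: Print Spooler
STATE : 1 STOPPED
SERVICE_NAME: TlntSvr
DISPLAY_NAME: Telnet
STATE : 1 STOPPED
SERVICE_NAME: w32time
DISPLAY_NAME: Windows Time
STATE : 1 STOPPED
"""
SVCHOST_REG = r"""
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
netsvcs REG_MULTI_SZ CryptSvc\0Schedule\0W32Time\0wscsvc\0\0
"""

if __name__ == "__main__":
    for name, display, group in triage(REFERENCE_RUNNING, CLIENT_INACTIVE, SVCHOST_REG):
        print(f"{name:10} {display:16} svchost group: {group or 'not listed'}")
```

A STOPPED state does not show the startup type; `sc qc <service>` prints START_TYPE for each flagged service.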
Old 20th March 2008   #10
Senior Member
 
Profile:
Join Date: Oct 2006
Posts: 51
Computer Experience:
Intermediate
mtaffer


sorry

Hey Dave,

Didn't mean to drop this thread. I ended up running out of time and had to reformat the machine. I was able to get all of the files that were needed off of it, so the effort was worth it.

Thanks as always
mtaffer

Old 22nd March 2008   #11
SuperGeek
 
Profile:
Join Date: Apr 2003
Location: New Bremen, Ohio U.S.A.
Posts: 12,523
Computer Experience:
~@<*+
noahdfear

Thanks for the follow-up.