computer thinks it's in safe mode (ht log)

Discussion in 'Malware and Virus Removal Archive' started by mtaffer, 2008/02/29.

  1. 2008/02/29
    mtaffer

    mtaffer Well-Known Member Thread Starter

    Joined:
    2006/10/20
    Messages:
    63
    Likes Received:
    0
    Hi,

    We have had some problems with a client PC lately. The last two days I have been struggling with trying to keep the spooler active, and today I could not activate any virus software and was forced to do an online scan. Also, when trying to start the spooler or the installer services, it said I could not do this in "safe mode", but I'm not in safe mode. Here is the HijackThis log and the Panda ActiveScan log. Thanks in advance. :)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:43:16 AM, on 2/29/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16473)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\PROGRA~1\Softrax\Tools\msghost.exe
    C:\Program Files\Softwin\BitDefender10\bdagent.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\Warecentral\PrintKey-Pro\PKey_Pro.exe
    C:\tm\tmsimg\bin\ftsrvr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [STXMSGHOST] C:\PROGRA~1\Softrax\Tools\msghost.exe
    O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~2\bdmcon.exe
    O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe "
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe "
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Imaging Server.lnk = C:\tm\tmsimg\bin\tmimgpcx.exe
    O4 - Global Startup: PrintKey-Pro.lnk = C:\Program Files\Warecentral\PrintKey-Pro\PKey_Pro.exe
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/chnz/default/mjolauncher.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = tmscorp.com
    O17 - HKLM\Software\..\Telephony: DomainName = tmscorp.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = tmscorp.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = tmscorp.com
    O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
    O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
     
  2. 2008/02/29
    mtaffer

    mtaffer Well-Known Member Thread Starter

    Panda scan log

    Here are the results from the Panda scan log...

    Panda log

    Incident Status Location

    Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\alisonc\Application Data\Mozilla\Firefox\Profiles\s3hlcbbl.default\cookies.txt[statse.webtrendslive.com/]
    Spyware:Cookie/Go Not disinfected C:\Documents and Settings\alisonc\Application Data\Mozilla\Firefox\Profiles\s3hlcbbl.default\cookies.txt[.go.com/]
    Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\alisonc\Cookies\alisonc@atwola[2].txt
    Spyware:Cookie/Go Not disinfected C:\Documents and Settings\alisonc\Cookies\alisonc@go[1].txt
    Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\dinab\Application Data\Mozilla\Firefox\Profiles\4z2rmwtk.default\cookies.txt[.statcounter.com/]
    Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\dinab\Application Data\Mozilla\Firefox\Profiles\4z2rmwtk.default\cookies.txt[.mediaplex.com/]
    Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\dinab\Application Data\Mozilla\Firefox\Profiles\4z2rmwtk.default\cookies.txt[.atdmt.com/]
    Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\dinab\Application Data\Mozilla\Firefox\Profiles\4z2rmwtk.default\cookies.txt[.questionmarket.com/]
    Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\dinab\Application Data\Mozilla\Firefox\Profiles\4z2rmwtk.default\cookies.txt[.doubleclick.net/]
    Spyware:Cookie/CentrPort Not disinfected C:\Documents and Settings\dinab\Application Data\Mozilla\Firefox\Profiles\4z2rmwtk.default\cookies.txt[.centrport.net/]
    Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\dinab\Application Data\Mozilla\Firefox\Profiles\4z2rmwtk.default\cookies.txt[.fastclick.net/]
    Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\dinab\Application Data\Mozilla\Firefox\Profiles\4z2rmwtk.default\cookies.txt[.ads.pointroll.com/]
    Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\dinab\Application Data\Mozilla\Firefox\Profiles\4z2rmwtk.default\cookies.txt[.serving-sys.com/]
    Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\dinab\Application Data\Mozilla\Firefox\Profiles\4z2rmwtk.default\cookies.txt[.bs.serving-sys.com/]
    Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\dinab\Application Data\Mozilla\Firefox\Profiles\4z2rmwtk.default\cookies.txt[.tribalfusion.com/]
    Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\dinab\Application Data\Mozilla\Firefox\Profiles\4z2rmwtk.default\cookies.txt[.247realmedia.com/]
    Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\dinab\Application Data\Mozilla\Firefox\Profiles\4z2rmwtk.default\cookies.txt[.advertising.com/]
    Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\dinab\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv521.jar-4c5a2ea7-1d085641.zip[Matrix.class]
    Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\dinab\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv521.jar-4c5a2ea7-1d085641.zip[Counter.class]
    Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\dinab\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv521.jar-4c5a2ea7-1d085641.zip[Dummy.class]
    Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\dinab\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv521.jar-4c5a2ea7-1d085641.zip[Parser.class]
    Hacktool:Exploit/iFrame Not disinfected Personal Folders\Sent Items\RE: AOL Instant Messenger Confirmation (fSWbWWzbl1 nikipage)
    Virus:W32/Mydoom.A.worm Disinfected Personal Folders\Sent Items\FW: email I got this morning\text.zip[text.scr]
    Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\jeanniem\Application Data\Mozilla\Firefox\Profiles\zwlu5opn.default\cookies.txt[.zedo.com/]
    Spyware:Cookie/Target Not disinfected C:\Documents and Settings\jeanniem\Application Data\Mozilla\Firefox\Profiles\zwlu5opn.default\cookies.txt[.target.com/]
    Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\jeanniem\Application Data\Mozilla\Firefox\Profiles\zwlu5opn.default\cookies.txt[.stat.onestat.com/]
    Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\jeanniem\Application Data\Mozilla\Firefox\Profiles\zwlu5opn.default\cookies.txt[.tribalfusion.com/]
    Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\jeanniem\Application Data\Mozilla\Firefox\Profiles\zwlu5opn.default\cookies.txt[.server.iad.liveperson.net/hc/5125383]
    Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\jeanniem\Application Data\Mozilla\Firefox\Profiles\zwlu5opn.default\cookies.txt[.server.iad.liveperson.net/]
    Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\jeanniem\Application Data\Mozilla\Firefox\Profiles\zwlu5opn.default\cookies.txt[.stat.onestat.com/]
    Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\jeanniem\Application Data\Mozilla\Firefox\Profiles\zwlu5opn.default\cookies.txt[.searchportal.information.com/]
    Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\jeanniem\Application Data\Mozilla\Firefox\Profiles\zwlu5opn.default\cookies.txt[.statcounter.com/]
    Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\jeanniem\Application Data\Mozilla\Firefox\Profiles\zwlu5opn.default\cookies.txt[.revenue.net/]
    Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\jeanniem\Application Data\Mozilla\Firefox\Profiles\zwlu5opn.default\cookies.txt[.questionmarket.com/]
    Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\jeanniem\Application Data\Mozilla\Firefox\Profiles\zwlu5opn.default\cookies.txt[.realmedia.com/]
    Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\jeanniem\Application Data\Mozilla\Firefox\Profiles\zwlu5opn.default\cookies.txt[.questionmarket.com/]
    Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\jeanniem\Application Data\Mozilla\Firefox\Profiles\zwlu5opn.default\cookies.txt[.trafficmp.com/]
    Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\jeanniem\Application Data\Mozilla\Firefox\Profiles\zwlu5opn.default\cookies.txt[.statse.webtrendslive.com/]
    Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\jeanniem\Application Data\Mozilla\Firefox\Profiles\zwlu5opn.default\cookies.txt[.tickle.com/]
    Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\jeanniem\Application Data\Mozilla\Firefox\Profiles\zwlu5opn.default\cookies.txt[.stat.onestat.com/]
    Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\jeanniem\Application Data\Mozilla\Firefox\Profiles\zwlu5opn.default\cookies.txt[.tickle.com/]
    Spyware:Cookie/Target Not disinfected C:\Documents and Settings\jeanniem\Application Data\Mozilla\Firefox\Profiles\zwlu5opn.default\cookies.txt[.target.com/]
    Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\jeanniem\Application Data\Mozilla\Firefox\Profiles\zwlu5opn.default\cookies.txt[.mediaplex.com/]
    Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\jeanniem\Application Data\Mozilla\Firefox\Profiles\zwlu5opn.default\cookies.txt[.overture.com/]
    Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\jeanniem\Application Data\Mozilla\Firefox\Profiles\zwlu5opn.default\cookies.txt[.doubleclick.net/]
    Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\jeanniem\Application Data\Mozilla\Firefox\Profiles\zwlu5opn.default\cookies.txt[.fastclick.net/]
    Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\jeanniem\Application Data\Mozilla\Firefox\Profiles\zwlu5opn.default\cookies.txt[.atdmt.com/]
    Spyware:Cookie/FortuneCity Not disinfected C:\Documents and Settings\jeanniem\Application Data\Mozilla\Firefox\Profiles\zwlu5opn.default\cookies.txt[.fortunecity.com/]
    Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\jeanniem\Application Data\Mozilla\Firefox\Profiles\zwlu5opn.default\cookies.txt[.burstnet.com/]
    Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\jeanniem\Application Data\Mozilla\Firefox\Profiles\zwlu5opn.default\cookies.txt[.bluestreak.com/]
    Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\jeanniem\Application Data\Mozilla\Firefox\Profiles\zwlu5opn.default\cookies.txt[.atwola.com/]
    Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\jeanniem\Application Data\Mozilla\Firefox\Profiles\zwlu5opn.default\cookies.txt[.casalemedia.com/]
    Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\jeanniem\Application Data\Mozilla\Firefox\Profiles\zwlu5opn.default\cookies.txt[.advertising.com/]
    Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\jeanniem\Application Data\Mozilla\Firefox\Profiles\zwlu5opn.default\cookies.txt[.ads.pointroll.com/]
    Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\jeanniem\Application Data\Mozilla\Firefox\Profiles\zwlu5opn.default\cookies.txt[.adrevolver.com/]
    Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\jeanniem\Application Data\Mozilla\Firefox\Profiles\zwlu5opn.default\cookies.txt[.ads.pointroll.com/]
    Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\jeanniem\Application Data\Mozilla\Firefox\Profiles\zwlu5opn.default\cookies.txt[.ad.yieldmanager.com/]
    Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\jeanniem\Application Data\Mozilla\Firefox\Profiles\zwlu5opn.default\cookies.txt[.adrevolver.com/]
    Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\jeanniem\Application Data\Mozilla\Firefox\Profiles\zwlu5opn.default\cookies.txt[.ad.yieldmanager.com/]
    Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\jeanniem\Application Data\Mozilla\Firefox\Profiles\zwlu5opn.default\cookies.txt[.advertising.com/]
    Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\jeanniem\Application Data\Mozilla\Firefox\Profiles\zwlu5opn.default\cookies.txt[.247realmedia.com/]
    Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\jeanniem\Application Data\Mozilla\Firefox\Profiles\zwlu5opn.default\cookies.txt[.advertising.com/]
    Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\jeanniem\Cookies\jeanniem@atwola[1].txt
    Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\jeanniem\Cookies\jeanniem@burstnet[2].txt
    Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\jeanniem\Cookies\jeanniem@ehg-dig.hitbox[2].txt
    Spyware:Cookie/Go Not disinfected C:\Documents and Settings\jeanniem\Cookies\jeanniem@go[1].txt
    Spyware:Cookie/Target Not disinfected C:\Documents and Settings\jeanniem\Cookies\jeanniem@target[1].txt
    Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\jeanniem\Cookies\jeanniem@web.tickle[2].txt
    Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\jeanniem\Cookies\jeanniem@www2.addfreestats[1].txt
    Virus:W32/Tearec.A.worm!CME-24 Disinfected C:\Documents and Settings\jeanniem\Local Settings\Temp\pft102E.tmp\Softrax\Client\Opr_Fin\program\desktop.ini
    Virus:W32/Tearec.A.worm!CME-24 Disinfected C:\Documents and Settings\jeanniem\Local Settings\Temp\pft102E.tmp\Softrax\Client\Opr_Fin\program\Temp.Htt
    Virus:W32/Tearec.A.worm!CME-24 Disinfected C:\Documents and Settings\jeanniem\Local Settings\Temp\pft102E.tmp\Softrax\desktop.ini
    Virus:W32/Tearec.A.worm!CME-24 Disinfected C:\Documents and Settings\jeanniem\Local Settings\Temp\pft102E.tmp\Softrax\Temp.Htt
    Virus:W32/Tearec.A.worm!CME-24 Disinfected C:\Documents and Settings\jeanniem\Local Settings\Temp\pft1031.tmp\Softrax\Client\Opr_Fin\program\desktop.ini
    Virus:W32/Tearec.A.worm!CME-24 Disinfected C:\Documents and Settings\jeanniem\Local Settings\Temp\pft1031.tmp\Softrax\Client\Opr_Fin\program\Temp.Htt
    Virus:W32/Tearec.A.worm!CME-24 Disinfected C:\Documents and Settings\jeanniem\Local Settings\Temp\pft1031.tmp\Softrax\desktop.ini
    Virus:W32/Tearec.A.worm!CME-24 Disinfected C:\Documents and Settings\jeanniem\Local Settings\Temp\pft1031.tmp\Softrax\Temp.Htt
    Virus:W32/Tearec.A.worm!CME-24 Disinfected C:\Documents and Settings\jeanniem\Local Settings\Temp\pft1053.tmp\Softrax\Client\Opr_Fin\program\desktop.ini
    Virus:W32/Tearec.A.worm!CME-24 Disinfected C:\Documents and Settings\jeanniem\Local Settings\Temp\pft1053.tmp\Softrax\Client\Opr_Fin\program\Temp.Htt
    Virus:W32/Tearec.A.worm!CME-24 Disinfected C:\Documents and Settings\jeanniem\Local Settings\Temp\pft1053.tmp\Softrax\desktop.ini
    Virus:W32/Tearec.A.worm!CME-24 Disinfected C:\Documents and Settings\jeanniem\Local Settings\Temp\pft1053.tmp\Softrax\Temp.Htt
    Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\lindar\Cookies\lindar@atdmt[2].txt
    Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\lindar\Cookies\lindar@bs.serving-sys[1].txt
    Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\lindar\Cookies\lindar@serving-sys[2].txt
    Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\lindar\Cookies\lindar@tribalfusion[1].txt
    Adware:Adware/SaveNow Not disinfected C:\Program Files\MyEmoticons\uninstall.exe
    Virus:W32/Tearec.A.worm!CME-24 Disinfected C:\Program Files\Softrax\Opr_fin\program\desktop.ini
    Virus:W32/Tearec.A.worm!CME-24 Disinfected C:\Program Files\Softrax\Opr_fin\program\Temp.Htt
    Virus:Trj/Downloader.MDW Disinfected C:\WINDOWS\Downloaded Program Files\popcaploader.dll

    Thanks again, :D
    mtaffer
     

  4. 2008/03/01
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Hi mtaffer :)

    Please click the eTrust online scanner link in my signature and run a full system scan with it as well. When complete, check the recommended action for anything identified as infected then click Clean. Let me know how that goes.

    Next, download ATF Cleaner by Atribune and save it to your Desktop.
    • Double click ATF-Cleaner.exe to run the program.
    • Check the boxes to the left of:

      • Windows Temp
      • Current User Temp
      • All Users Temp
      • Temporary Internet Files
      • Prefetch
      • Java Cache
      • Recycle bin

    • The rest are optional - if you want it to remove everything check "Select All".
    • Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK then exit.
    Reboot


    Now download Malwarebytes' Anti-Malware (MBAM) from here or here and save the file to your desktop.

    Double click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select 'Perform Quick Scan', then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note below)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Post the entire report in your next reply along with a fresh HijackThis log. Let me know what issues still exist.

    Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
     
  5. 2008/03/03
    mtaffer

    mtaffer Well-Known Member Thread Starter

    here's the log

    Malwarebytes' Anti-Malware 1.05
    Database version: 445

    Scan type: Quick Scan
    Objects scanned: 68712
    Time elapsed: 16 minute(s), 11 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWay) -> No action taken.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:36:46 PM, on 3/3/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16473)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\PROGRA~1\Softrax\Tools\msghost.exe
    C:\Program Files\Softwin\BitDefender10\bdagent.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\Warecentral\PrintKey-Pro\PKey_Pro.exe
    C:\tm\tmsimg\bin\ftsrvr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [STXMSGHOST] C:\PROGRA~1\Softrax\Tools\msghost.exe
    O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~2\bdmcon.exe
    O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe "
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe "
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Imaging Server.lnk = C:\tm\tmsimg\bin\tmimgpcx.exe
    O4 - Global Startup: PrintKey-Pro.lnk = C:\Program Files\Warecentral\PrintKey-Pro\PKey_Pro.exe
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/chnz/default/mjolauncher.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = tmscorp.com
    O17 - HKLM\Software\..\Telephony: DomainName = tmscorp.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = tmscorp.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = tmscorp.com
    O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
    O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

    --
    End of file - 6563 bytes


    As far as the CA scan, it found 4 java files that it could not clean. All of them were in one profile on the PC.

    Thanks again, :)
    mtaffer
     
  6. 2008/03/03
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    You can clean the Java temps and all other temps easily with ATF Cleaner. You will need to run it from each user account.

    Download ATF Cleaner by Atribune and save it to your Desktop.
    • Double click ATF-Cleaner.exe to run the program.
    • Check the boxes to the left of:

      • Windows Temp
      • Current User Temp
      • All Users Temp
      • Temporary Internet Files
      • Prefetch
      • Java Cache
      • Recycle bin

    • The rest are optional - if you want it to remove everything check "Select All".
    • Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK then exit.
    Reboot


    I see nothing malware related that would cause the issue with the computer thinking it's in safe mode. I am curious about the lesser number of svchost.exe processes than normal, and wonder if some services are not running as they should. Let's have a look at those.

    Highlight and copy the bolded text below.

    sc query > "%userprofile%\desktop\services.txt"
    exit
    cls


    Now click Start>Run and type cmd then hit enter to open a command window. Right click in the window and select paste. The command window will close on its own. Please post the contents of the services.txt log it creates on the desktop.
     
  7. 2008/03/04
    mtaffer

    mtaffer Well-Known Member Thread Starter

    Joined:
    2006/10/20
    Messages:
    63
    Likes Received:
    0
    ok, here's the results

    All of this started with the inability to print to network printer, then it spread from there. Anytime a network printer was accessed, it would kill the spooler process and, in turn, the installer process.
    Just some other information. I have considered doing a Windows repair to see if it won't fix the spooler corruption, or maybe a chkdsk. What do you think?


    SERVICE_NAME: Browser
    DISPLAY_NAME: Computer Browser
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 4 RUNNING
    (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)
    SERVICE_EXIT_CODE : 0 (0x0)
    CHECKPOINT : 0x0
    WAIT_HINT : 0x0

    SERVICE_NAME: CryptSvc
    DISPLAY_NAME: Cryptographic Services
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 4 RUNNING
    (STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)
    SERVICE_EXIT_CODE : 0 (0x0)
    CHECKPOINT : 0x0
    WAIT_HINT : 0x0

    SERVICE_NAME: DcomLaunch
    DISPLAY_NAME: DCOM Server Process Launcher
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 4 RUNNING
    (NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)
    SERVICE_EXIT_CODE : 0 (0x0)
    CHECKPOINT : 0x0
    WAIT_HINT : 0x0

    SERVICE_NAME: Dhcp
    DISPLAY_NAME: DHCP Client
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 4 RUNNING
    (STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)
    SERVICE_EXIT_CODE : 0 (0x0)
    CHECKPOINT : 0x0
    WAIT_HINT : 0x0

    SERVICE_NAME: dmserver
    DISPLAY_NAME: Logical Disk Manager
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 4 RUNNING
    (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)
    SERVICE_EXIT_CODE : 0 (0x0)
    CHECKPOINT : 0x0
    WAIT_HINT : 0x0

    SERVICE_NAME: Dnscache
    DISPLAY_NAME: DNS Client
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 4 RUNNING
    (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)
    SERVICE_EXIT_CODE : 0 (0x0)
    CHECKPOINT : 0x0
    WAIT_HINT : 0x0

    SERVICE_NAME: Eventlog
    DISPLAY_NAME: Event Log
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 4 RUNNING
    (NOT_STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)
    SERVICE_EXIT_CODE : 0 (0x0)
    CHECKPOINT : 0x0
    WAIT_HINT : 0x0

    SERVICE_NAME: helpsvc
    DISPLAY_NAME: Help and Support
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 4 RUNNING
    (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)
    SERVICE_EXIT_CODE : 0 (0x0)
    CHECKPOINT : 0x0
    WAIT_HINT : 0x0

    SERVICE_NAME: lanmanserver
    DISPLAY_NAME: Server
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 4 RUNNING
    (STOPPABLE,PAUSABLE,ACCEPTS_SHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)
    SERVICE_EXIT_CODE : 0 (0x0)
    CHECKPOINT : 0x0
    WAIT_HINT : 0x0

    SERVICE_NAME: lanmanworkstation
    DISPLAY_NAME: Workstation
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 4 RUNNING
    (STOPPABLE,PAUSABLE,ACCEPTS_SHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)
    SERVICE_EXIT_CODE : 0 (0x0)
    CHECKPOINT : 0x0
    WAIT_HINT : 0x0

    SERVICE_NAME: LmHosts
    DISPLAY_NAME: TCP/IP NetBIOS Helper
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 4 RUNNING
    (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)
    SERVICE_EXIT_CODE : 0 (0x0)
    CHECKPOINT : 0x0
    WAIT_HINT : 0x0

    SERVICE_NAME: Netlogon
    DISPLAY_NAME: Net Logon
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 4 RUNNING
    (STOPPABLE,PAUSABLE,IGNORES_SHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)
    SERVICE_EXIT_CODE : 0 (0x0)
    CHECKPOINT : 0x0
    WAIT_HINT : 0x0

    SERVICE_NAME: Netman
    DISPLAY_NAME: Network Connections
    TYPE : 120 WIN32_SHARE_PROCESS (interactive)
    STATE : 4 RUNNING
    (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)
    SERVICE_EXIT_CODE : 0 (0x0)
    CHECKPOINT : 0x0
    WAIT_HINT : 0x0

    SERVICE_NAME: PlugPlay
    DISPLAY_NAME: Plug and Play
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 4 RUNNING
    (NOT_STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)
    SERVICE_EXIT_CODE : 0 (0x0)
    CHECKPOINT : 0x0
    WAIT_HINT : 0x0

    SERVICE_NAME: RpcSs
    DISPLAY_NAME: Remote Procedure Call (RPC)
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 4 RUNNING
    (NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)
    SERVICE_EXIT_CODE : 0 (0x0)
    CHECKPOINT : 0x0
    WAIT_HINT : 0x0

    SERVICE_NAME: TermService
    DISPLAY_NAME: Terminal Services
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 4 RUNNING
    (NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)
    SERVICE_EXIT_CODE : 0 (0x0)
    CHECKPOINT : 0x0
    WAIT_HINT : 0x0

    SERVICE_NAME: winmgmt
    DISPLAY_NAME: Windows Management Instrumentation
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 4 RUNNING
    (STOPPABLE,PAUSABLE,ACCEPTS_SHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)
    SERVICE_EXIT_CODE : 0 (0x0)
    CHECKPOINT : 0x0
    WAIT_HINT : 0x0

    SERVICE_NAME: WZCSVC
    DISPLAY_NAME: Wireless Zero Configuration
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 4 RUNNING
    (STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)
    SERVICE_EXIT_CODE : 0 (0x0)
    CHECKPOINT : 0x0
    WAIT_HINT : 0x0

    Appreciate the help as always. :)
    mtaffer
     
  8. 2008/03/04
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Seems to be a number of services not running that I would normally expect to see. Let's look into why. Highlight and copy the contents of the code box below.

    Code:
    reg query "hklm\software\microsoft\windows nt\currentversion\svchost" /s|findstr /v "!" > "%userprofile%\desktop\service.txt"
    echo.>> "%userprofile%\desktop\service.txt"
    echo.>> "%userprofile%\desktop\service.txt"
    echo -------Inactive Services------->> "%userprofile%\desktop\service.txt"
    echo.>> "%userprofile%\desktop\service.txt"
    sc query state= inactive|findstr /i /v "wait checkpoint exit ignores" >> "%userprofile%\desktop\service.txt"
    exit
    cls
    Open a command window and paste the text. Post the contents of the service.txt log it creates on the desktop.
     
  9. 2008/03/06
    mtaffer

    mtaffer Well-Known Member Thread Starter

    Joined:
    2006/10/20
    Messages:
    63
    Likes Received:
    0
    service.txt

    Ok, here is the output file

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost
    HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
    LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
    NetworkService REG_MULTI_SZ DnsCache\0\0
    netsvcs REG_MULTI_SZ 6to4\0AppMgmt\0AudioSrv\0Browser\0CryptSvc\0DMServer\0DHCP\0ERSvc\0EventSystem\0FastUserSwitchingCompatibility\0HidServ\0Ias\0Iprip\0Irmon\0LanmanServer\0LanmanWorkstation\0Messenger\0Netman\0Nla\0Ntmssvc\0NWCWorkstation\0Nwsapagent\0Rasauto\0Rasman\0Remoteaccess\0Schedule\0Seclogon\0SENS\0Sharedaccess\0SRService\0Tapisrv\0Themes\0TrkWks\0W32Time\0WZCSVC\0Wmi\0WmdmPmSp\0winmgmt\0wscsvc\0xmlprov\0BITS\0wuauserv\0ShellHWDetection\0helpsvc\0WmdmPmSN\0\0
    DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
    rpcss REG_MULTI_SZ RpcSs\0\0
    imgsvc REG_MULTI_SZ StiSvc\0\0
    termsvcs REG_MULTI_SZ TermService\0\0
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12\0Net Driver HPZ12\0\0

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\DComLaunch
    CoInitializeSecurityParam REG_DWORD 0x1
    DefaultRpcStackSize REG_DWORD 0x8

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\HTTPFilter
    CoInitializeSecurityParam REG_DWORD 0x1

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\LocalService
    CoInitializeSecurityParam REG_DWORD 0x1
    AuthenticationCapabilities REG_DWORD 0x2000

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\netsvcs
    CoInitializeSecurityParam REG_DWORD 0x1
    AuthenticationCapabilities REG_DWORD 0x3020

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\PCHealth
    CoInitializeSecurityParam REG_DWORD 0x2
    AuthenticationCapabilities REG_DWORD 0x40

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\termsvcs
    CoInitializeSecurityParam REG_DWORD 0x1
    DefaultRpcStackSize REG_DWORD 0x8


    -------Inactive Services-------


    SERVICE_NAME: Alerter
    DISPLAY_NAME: Alerter
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 1 STOPPED

    SERVICE_NAME: ALG
    DISPLAY_NAME: Application Layer Gateway Service
    TYPE : 10 WIN32_OWN_PROCESS
    STATE : 1 STOPPED

    SERVICE_NAME: AppMgmt
    DISPLAY_NAME: Application Management
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 1 STOPPED

    SERVICE_NAME: aspnet_state
    DISPLAY_NAME: ASP.NET State Service
    TYPE : 10 WIN32_OWN_PROCESS
    STATE : 1 STOPPED

    SERVICE_NAME: AudioSrv
    DISPLAY_NAME: Windows Audio
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 1 STOPPED

    SERVICE_NAME: bdss
    DISPLAY_NAME: BitDefender Scan Server
    TYPE : 10 WIN32_OWN_PROCESS
    STATE : 1 STOPPED

    SERVICE_NAME: BITS
    DISPLAY_NAME: Background Intelligent Transfer Service
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 1 STOPPED

    SERVICE_NAME: Browser
    DISPLAY_NAME: Computer Browser
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 1 STOPPED

    SERVICE_NAME: CiSvc
    DISPLAY_NAME: Indexing Service
    TYPE : 120 WIN32_SHARE_PROCESS (interactive)
    STATE : 1 STOPPED

    SERVICE_NAME: ClipSrv
    DISPLAY_NAME: ClipBook
    TYPE : 10 WIN32_OWN_PROCESS
    STATE : 1 STOPPED

    SERVICE_NAME: COMSysApp
    DISPLAY_NAME: COM+ System Application
    TYPE : 10 WIN32_OWN_PROCESS
    STATE : 1 STOPPED

    SERVICE_NAME: dmadmin
    DISPLAY_NAME: Logical Disk Manager Administrative Service
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 1 STOPPED

    SERVICE_NAME: ERSvc
    DISPLAY_NAME: Error Reporting Service
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 1 STOPPED

    SERVICE_NAME: EventSystem
    DISPLAY_NAME: COM+ Event System
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 1 STOPPED

    SERVICE_NAME: FastUserSwitchingCompatibility
    DISPLAY_NAME: Fast User Switching Compatibility
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 1 STOPPED

    SERVICE_NAME: HidServ
    DISPLAY_NAME: HID Input Service
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 1 STOPPED

    SERVICE_NAME: HTTPFilter
    DISPLAY_NAME: HTTP SSL
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 1 STOPPED

    SERVICE_NAME: IDriverT
    DISPLAY_NAME: InstallDriver Table Manager
    TYPE : 10 WIN32_OWN_PROCESS
    STATE : 1 STOPPED

    SERVICE_NAME: ImapiService
    DISPLAY_NAME: IMAPI CD-Burning COM Service
    TYPE : 10 WIN32_OWN_PROCESS
    STATE : 1 STOPPED

    SERVICE_NAME: LIVESRV
    DISPLAY_NAME: BitDefender Desktop Update Service
    TYPE : 110 WIN32_OWN_PROCESS (interactive)
    STATE : 1 STOPPED

    SERVICE_NAME: MDM
    DISPLAY_NAME: Machine Debug Manager
    TYPE : 110 WIN32_OWN_PROCESS (interactive)
    STATE : 1 STOPPED

    SERVICE_NAME: Messenger
    DISPLAY_NAME: Messenger
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 1 STOPPED

    SERVICE_NAME: mnmsrvc
    DISPLAY_NAME: NetMeeting Remote Desktop Sharing
    TYPE : 110 WIN32_OWN_PROCESS (interactive)
    STATE : 1 STOPPED

    SERVICE_NAME: MSDTC
    DISPLAY_NAME: Distributed Transaction Coordinator
    TYPE : 10 WIN32_OWN_PROCESS
    STATE : 1 STOPPED

    SERVICE_NAME: MSIServer
    DISPLAY_NAME: Windows Installer
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 1 STOPPED

    SERVICE_NAME: NetDDE
    DISPLAY_NAME: Network DDE
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 1 STOPPED

    SERVICE_NAME: NetDDEdsdm
    DISPLAY_NAME: Network DDE DSDM
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 1 STOPPED

    SERVICE_NAME: NetSvc
    DISPLAY_NAME: Intel NCS NetService
    TYPE : 110 WIN32_OWN_PROCESS (interactive)
    STATE : 1 STOPPED

    SERVICE_NAME: Nla
    DISPLAY_NAME: Network Location Awareness (NLA)
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 1 STOPPED

    SERVICE_NAME: NtLmSsp
    DISPLAY_NAME: NT LM Security Support Provider
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 1 STOPPED

    SERVICE_NAME: NtmsSvc
    DISPLAY_NAME: Removable Storage
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 1 STOPPED

    SERVICE_NAME: ose
    DISPLAY_NAME: Office Source Engine
    TYPE : 10 WIN32_OWN_PROCESS
    STATE : 1 STOPPED

    SERVICE_NAME: Pml Driver HPZ12
    DISPLAY_NAME: Pml Driver HPZ12
    TYPE : 10 WIN32_OWN_PROCESS
    STATE : 1 STOPPED

    SERVICE_NAME: PolicyAgent
    DISPLAY_NAME: IPSEC Services
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 1 STOPPED

    SERVICE_NAME: ProtectedStorage
    DISPLAY_NAME: Protected Storage
    TYPE : 120 WIN32_SHARE_PROCESS (interactive)
    STATE : 1 STOPPED

    SERVICE_NAME: RasAuto
    DISPLAY_NAME: Remote Access Auto Connection Manager
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 1 STOPPED

    SERVICE_NAME: RasMan
    DISPLAY_NAME: Remote Access Connection Manager
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 1 STOPPED

    SERVICE_NAME: RDSessMgr
    DISPLAY_NAME: Remote Desktop Help Session Manager
    TYPE : 10 WIN32_OWN_PROCESS
    STATE : 1 STOPPED

    SERVICE_NAME: RemoteAccess
    DISPLAY_NAME: Routing and Remote Access
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 1 STOPPED

    SERVICE_NAME: RemoteRegistry
    DISPLAY_NAME: Remote Registry
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 1 STOPPED

    SERVICE_NAME: RpcLocator
    DISPLAY_NAME: Remote Procedure Call (RPC) Locator
    TYPE : 10 WIN32_OWN_PROCESS
    STATE : 1 STOPPED

    SERVICE_NAME: RSVP
    DISPLAY_NAME: QoS RSVP
    TYPE : 10 WIN32_OWN_PROCESS
    STATE : 1 STOPPED

    SERVICE_NAME: SamSs
    DISPLAY_NAME: Security Accounts Manager
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 1 STOPPED

    SERVICE_NAME: SCardSvr
    DISPLAY_NAME: Smart Card
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 1 STOPPED

    SERVICE_NAME: Schedule
    DISPLAY_NAME: Task Scheduler
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 1 STOPPED

    SERVICE_NAME: seclogon
    DISPLAY_NAME: Secondary Logon
    TYPE : 120 WIN32_SHARE_PROCESS (interactive)
    STATE : 1 STOPPED

    SERVICE_NAME: SENS
    DISPLAY_NAME: System Event Notification
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 1 STOPPED

    SERVICE_NAME: SharedAccess
    DISPLAY_NAME: Windows Firewall/Internet Connection Sharing (ICS)
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 1 STOPPED

    SERVICE_NAME: ShellHWDetection
    DISPLAY_NAME: Shell Hardware Detection
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 1 STOPPED

    SERVICE_NAME: Spooler
    DISPLAY_NAME: Print Spooler
    TYPE : 110 WIN32_OWN_PROCESS (interactive)
    STATE : 1 STOPPED

    SERVICE_NAME: srservice
    DISPLAY_NAME: System Restore Service
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 1 STOPPED

    SERVICE_NAME: SSDPSRV
    DISPLAY_NAME: SSDP Discovery Service
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 1 STOPPED

    SERVICE_NAME: stisvc
    DISPLAY_NAME: Windows Image Acquisition (WIA)
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 1 STOPPED

    SERVICE_NAME: SwPrv
    DISPLAY_NAME: MS Software Shadow Copy Provider
    TYPE : 10 WIN32_OWN_PROCESS
    STATE : 1 STOPPED

    SERVICE_NAME: SysmonLog
    DISPLAY_NAME: Performance Logs and Alerts
    TYPE : 10 WIN32_OWN_PROCESS
    STATE : 1 STOPPED

    SERVICE_NAME: TapiSrv
    DISPLAY_NAME: Telephony
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 1 STOPPED

    SERVICE_NAME: Themes
    DISPLAY_NAME: Themes
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 1 STOPPED

    SERVICE_NAME: TlntSvr
    DISPLAY_NAME: Telnet
    TYPE : 10 WIN32_OWN_PROCESS
    STATE : 1 STOPPED

    SERVICE_NAME: TrkWks
    DISPLAY_NAME: Distributed Link Tracking Client
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 1 STOPPED

    SERVICE_NAME: UMWdf
    DISPLAY_NAME: Windows User Mode Driver Framework
    TYPE : 10 WIN32_OWN_PROCESS
    STATE : 1 STOPPED

    SERVICE_NAME: upnphost
    DISPLAY_NAME: Universal Plug and Play Device Host
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 1 STOPPED

    SERVICE_NAME: UPS
    DISPLAY_NAME: Uninterruptible Power Supply
    TYPE : 10 WIN32_OWN_PROCESS
    STATE : 1 STOPPED

    SERVICE_NAME: VSS
    DISPLAY_NAME: Volume Shadow Copy
    TYPE : 10 WIN32_OWN_PROCESS
    STATE : 1 STOPPED

    SERVICE_NAME: VSSERV
    DISPLAY_NAME: BitDefender Virus Shield
    TYPE : 10 WIN32_OWN_PROCESS
    STATE : 1 STOPPED

    SERVICE_NAME: w32time
    DISPLAY_NAME: Windows Time
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 1 STOPPED

    SERVICE_NAME: WebClient
    DISPLAY_NAME: WebClient
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 1 STOPPED

    SERVICE_NAME: WmdmPmSN
    DISPLAY_NAME: Portable Media Serial Number Service
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 1 STOPPED

    SERVICE_NAME: Wmi
    DISPLAY_NAME: Windows Management Instrumentation Driver Extensions
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 1 STOPPED

    SERVICE_NAME: WmiApSrv
    DISPLAY_NAME: WMI Performance Adapter
    TYPE : 10 WIN32_OWN_PROCESS
    STATE : 1 STOPPED

    SERVICE_NAME: wscsvc
    DISPLAY_NAME: Security Center
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 1 STOPPED

    SERVICE_NAME: wuauserv
    DISPLAY_NAME: Automatic Updates
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 1 STOPPED

    SERVICE_NAME: XCOMM
    DISPLAY_NAME: BitDefender Communicator
    TYPE : 10 WIN32_OWN_PROCESS
    STATE : 1 STOPPED

    SERVICE_NAME: xmlprov
    DISPLAY_NAME: Network Provisioning Service
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 1 STOPPED


    Still can't get it to install any network printers though, weird.

    Appreciate you hanging in there with me, even though this has left the realm of virus or spyware it seems. I'm just as intrigued as you are, I've never seen anything like this behavior before. ;)

    mtaffer
     
  10. 2008/03/07
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Quite a number of services are disabled that should be set to automatic or manual startup. Below is the list of running services from my machine, most of which remain at the XP default settings.

    -------Active Services-------


    SERVICE_NAME: Alerter
    DISPLAY_NAME: Alerter
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 4 RUNNING

    SERVICE_NAME: ALG
    DISPLAY_NAME: Application Layer Gateway Service
    TYPE : 10 WIN32_OWN_PROCESS
    STATE : 4 RUNNING

    SERVICE_NAME: AudioSrv
    DISPLAY_NAME: Windows Audio
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 4 RUNNING

    SERVICE_NAME: BITS
    DISPLAY_NAME: Background Intelligent Transfer Service
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 4 RUNNING

    SERVICE_NAME: Browser
    DISPLAY_NAME: Computer Browser
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 4 RUNNING

    SERVICE_NAME: CryptSvc
    DISPLAY_NAME: Cryptographic Services
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 4 RUNNING

    SERVICE_NAME: DcomLaunch
    DISPLAY_NAME: DCOM Server Process Launcher
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 4 RUNNING

    SERVICE_NAME: Dhcp
    DISPLAY_NAME: DHCP Client
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 4 RUNNING

    SERVICE_NAME: Dnscache
    DISPLAY_NAME: DNS Client
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 4 RUNNING

    SERVICE_NAME: Eventlog
    DISPLAY_NAME: Event Log
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 4 RUNNING

    SERVICE_NAME: EventSystem
    DISPLAY_NAME: COM+ Event System
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 4 RUNNING

    SERVICE_NAME: helpsvc
    DISPLAY_NAME: Help and Support
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 4 RUNNING

    SERVICE_NAME: lanmanserver
    DISPLAY_NAME: Server
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 4 RUNNING

    SERVICE_NAME: lanmanworkstation
    DISPLAY_NAME: Workstation
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 4 RUNNING

    SERVICE_NAME: LmHosts
    DISPLAY_NAME: TCP/IP NetBIOS Helper
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 4 RUNNING

    SERVICE_NAME: MDM
    DISPLAY_NAME: Machine Debug Manager
    TYPE : 110 WIN32_OWN_PROCESS (interactive)
    STATE : 4 RUNNING

    SERVICE_NAME: Netman
    DISPLAY_NAME: Network Connections
    TYPE : 120 WIN32_SHARE_PROCESS (interactive)
    STATE : 4 RUNNING

    SERVICE_NAME: PlugPlay
    DISPLAY_NAME: Plug and Play
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 4 RUNNING

    SERVICE_NAME: PolicyAgent
    DISPLAY_NAME: IPSEC Services
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 4 RUNNING

    SERVICE_NAME: ProtectedStorage
    DISPLAY_NAME: Protected Storage
    TYPE : 120 WIN32_SHARE_PROCESS (interactive)
    STATE : 4 RUNNING

    SERVICE_NAME: RasMan
    DISPLAY_NAME: Remote Access Connection Manager
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 4 RUNNING

    SERVICE_NAME: RpcSs
    DISPLAY_NAME: Remote Procedure Call (RPC)
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 4 RUNNING

    SERVICE_NAME: SamSs
    DISPLAY_NAME: Security Accounts Manager
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 4 RUNNING

    SERVICE_NAME: Schedule
    DISPLAY_NAME: Task Scheduler
    TYPE : 120 WIN32_SHARE_PROCESS (interactive)
    STATE : 4 RUNNING

    SERVICE_NAME: SENS
    DISPLAY_NAME: System Event Notification
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 4 RUNNING

    SERVICE_NAME: SharedAccess
    DISPLAY_NAME: Internet Connection Sharing
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 4 RUNNING

    SERVICE_NAME: ShellHWDetection
    DISPLAY_NAME: Shell Hardware Detection
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 4 RUNNING

    SERVICE_NAME: Spooler
    DISPLAY_NAME: Print Spooler
    TYPE : 110 WIN32_OWN_PROCESS (interactive)
    STATE : 4 RUNNING

    SERVICE_NAME: srservice
    DISPLAY_NAME: System Restore Service
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 4 RUNNING

    SERVICE_NAME: stisvc
    DISPLAY_NAME: Windows Image Acquisition (WIA)
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 4 RUNNING

    SERVICE_NAME: TapiSrv
    DISPLAY_NAME: Telephony
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 4 RUNNING

    SERVICE_NAME: TermService
    DISPLAY_NAME: Terminal Services
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 4 RUNNING

    SERVICE_NAME: Themes
    DISPLAY_NAME: Themes
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 4 RUNNING

    SERVICE_NAME: UMWdf
    DISPLAY_NAME: Windows User Mode Driver Framework
    TYPE : 10 WIN32_OWN_PROCESS
    STATE : 4 RUNNING

    SERVICE_NAME: W32Time
    DISPLAY_NAME: Windows Time
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 4 RUNNING

    SERVICE_NAME: winmgmt
    DISPLAY_NAME: Windows Management Instrumentation
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 4 RUNNING

    SERVICE_NAME: wscsvc
    DISPLAY_NAME: Security Center
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 4 RUNNING

    SERVICE_NAME: wuauserv
    DISPLAY_NAME: Automatic Updates
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 4 RUNNING

    SERVICE_NAME: WZCSVC
    DISPLAY_NAME: Wireless Zero Configuration
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 4 RUNNING


    I recommend you either compare with another XP system, the startup type for each service, or download and install Service Controller XP then set the services to the default setting as shown for each entry. The one exception to the default settings I can think of is Messenger, which should be disabled unless you use the service in the workplace. Incidentally, most machines fare well using the Safe settings as well. You will need to view the service description and determine what's best for your environment.

    When done, reboot the machine and see if things are working as they should. I would also like to see another log of the running services at that time, so run the following from a command window again, then post the services.txt file on the desktop (current copy will be overwritten).

    sc query > "%userprofile%\desktop\services.txt"
    exit
    cls
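
The comparison recommended in post 10, the affected machine's stopped services against the running list from a known-good XP system, can be scripted. This is an added example, not part of the original thread; the function names are hypothetical and the two log excerpts are constructed in the layout of the `sc query` logs posted above.

```python
import re

# Constructed excerpts in the layout of the `sc query` logs posted in this thread.
AFFECTED_INACTIVE = """
SERVICE_NAME: Spooler
DISPLAY_NAME: Print Spooler
TYPE : 110 WIN32_OWN_PROCESS (interactive)
STATE : 1 STOPPED

SERVICE_NAME: w32time
DISPLAY_NAME: Windows Time
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 1 STOPPED

SERVICE_NAME: TlntSvr
DISPLAY_NAME: Telnet
TYPE : 10 WIN32_OWN_PROCESS
STATE : 1 STOPPED
"""

REFERENCE_ACTIVE = """
SERVICE_NAME: Spooler
DISPLAY_NAME: Print Spooler
TYPE : 110 WIN32_OWN_PROCESS (interactive)
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)

SERVICE_NAME: W32Time
DISPLAY_NAME: Windows Time
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING

SERVICE_NAME: Dhcp
DISPLAY_NAME: DHCP Client
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
"""

# "KEY : value" lines; flag lines such as (STOPPABLE,...) do not match.
FIELD = re.compile(r"^\s*([A-Z_0-9]+)\s*:\s*(.*?)\s*$")


def symbolic_part(value):
    """Drop the leading numeric code: '1 STOPPED' -> 'STOPPED'."""
    parts = value.split(None, 1)
    return parts[-1] if parts else ""


def parse_sc_query(text):
    """Parse `sc query` output into {lowercased service name: record}."""
    services, current = {}, None
    for line in text.splitlines():
        match = FIELD.match(line)
        if not match:
            continue  # blank lines and flag lines
        key, value = match.groups()
        if key == "SERVICE_NAME":
            current = {"name": value, "display": "", "type": "", "state": ""}
            # The posted logs spell names inconsistently (w32time / W32Time),
            # so records are keyed case-insensitively.
            services[value.lower()] = current
        elif current is None:
            continue  # field seen before any SERVICE_NAME line
        elif key == "DISPLAY_NAME":
            current["display"] = value
        elif key == "TYPE":
            current["type"] = symbolic_part(value)
        elif key == "STATE":
            current["state"] = symbolic_part(value)
    return services


def stopped_but_expected(affected_text, reference_text):
    """Services stopped on the affected host that run on the reference host."""
    affected = parse_sc_query(affected_text)
    reference = parse_sc_query(reference_text)
    findings = []
    for key, svc in sorted(affected.items()):
        ref = reference.get(key)
        if svc["state"] == "STOPPED" and ref and ref["state"] == "RUNNING":
            findings.append((svc["name"], svc["display"], svc["type"]))
    return findings


if __name__ == "__main__":
    for name, display, svc_type in stopped_but_expected(AFFECTED_INACTIVE, REFERENCE_ACTIVE):
        print(f"{name:<12} {display:<20} {svc_type}")
```

Services that are stopped on both machines (Telnet in the constructed sample) are left out, so the result is only the set whose startup type is worth checking first.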
     
  11. 2008/03/20
    mtaffer

    mtaffer Well-Known Member Thread Starter

    Joined:
    2006/10/20
    Messages:
    63
    Likes Received:
    0
    sorry

    Hey Dave,

    Didn't mean to drop this thread. I ended up running out of time and had to reformat the machine. I was able to get all of the files that were needed off of it, so the effort was worth it.

    Thanks as always :)
    mtaffer
     
  12. 2008/03/22
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Thanks for the follow-up. :)
     
