All Apps close immediately, help please.

[drwatson]

I'm running windows 2000 Sp4. My computer started closing app's immediately on open after reading webmail last night, please help.

Here is my hijack log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:21:48 PM, on 10/9/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Safe mode with network support

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\Explorer.EXE
G:\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - E:\Program Files\SpyCatcher 2006\SCActiveBlock.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Bsecure Popup Blocker - {E0019445-4C1F-414D-A70E-AD80F231C584} - C:\WINNT\system32\InetCntrl\PopupKil\BsafeBHO.dll
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Bsecure Popup Blocker - {E0019445-4C1F-414D-A70E-AD80F231C584} - C:\WINNT\system32\InetCntrl\PopupKil\BsafeBHO.dll
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [gcasServ] "E:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04b\BrStDvPt.exe
O4 - HKLM\..\Run: [InetCntrl] C:\WINNT\system32\InetCntrl\InetCntrl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-21-1220945662-854245398-1957994488-1001\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe (User '?')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - .DEFAULT User Startup: discfix.lnk = C:\DELL\discfix.cmd (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O10 - Unknown file in Winsock LSP: inetcntrl0007.dll
O10 - Unknown file in Winsock LSP: inetcntrl0007.dll
O10 - Unknown file in Winsock LSP: inetcntrl0007.dll
O10 - Unknown file in Winsock LSP: inetcntrl0007.dll
O10 - Unknown file in Winsock LSP: inetcntrl0007.dll
O10 - Unknown file in Winsock LSP: inetcntrl0007.dll
O10 - Unknown file in Winsock LSP: inetcntrl0007.dll
O10 - Unknown file in Winsock LSP: inetcntrl0007.dll
O10 - Unknown file in Winsock LSP: inetcntrl0007.dll
O10 - Unknown file in Winsock LSP: inetcntrl0007.dll
O10 - Unknown file in Winsock LSP: inetcntrl0007.dll
O10 - Unknown file in Winsock LSP: inetcntrl0007.dll
O10 - Unknown file in Winsock LSP: inetcntrl0007.dll
O10 - Unknown file in Winsock LSP: inetcntrl0007.dll
O10 - Unknown file in Winsock LSP: inetcntrl0007.dll
O10 - Unknown file in Winsock LSP: inetcntrl0007.dll
O10 - Unknown file in Winsock LSP: inetcntrl0007.dll
O10 - Unknown file in Winsock LSP: inetcntrl0007.dll
O10 - Unknown file in Winsock LSP: inetcntrl0007.dll
O10 - Unknown file in Winsock LSP: inetcntrl0007.dll
O15 - Trusted Zone: http://*.linkshare.com
O15 - Trusted Zone: http://*.linksynergy.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1135192468824
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/14...2/cpbrkpie.cab
O20 - AppInit_DLLs: interceptor.dll
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINNT\system32\Brmfrmps.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINNT\system32\MSTask.exe (file missing)
O23 - Service: Search Engine Commando Schedule Service (SECScheduleService) - Tates Creek Software, LLC - E:\Program Files\Search Engine Commando\ScheduleService.exe

--
End of file - 5996 bytes

[drwatson]

I reregistered shell32.dll, to no avail.

When I open any executible it pops on screen and then vanishes, I hear the windows error sound and it disappears quickly.

I log in as a different profile and can run app's while items are still loading, but shortly after they close and it begins on that profile as well.

Any ideas what I can try??

I will have to do it in safe mode.

Thanks

Chris

[Ried]

Hello Chris,

We'd prefer a more comprehensive scan of your system--especially since you're operating in Safe Mode. As noted in our sticky topic (Updated!) IMPORTANT - Read This Before Posting A Log:

Download Deckard's System Scanner (DSS) to your Desktop.

What DSS will do:

• create a new System Restore point in Windows XP and Vista.
• clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
• check some important areas of your system and produce a report for your analyst to review.
• DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

Note: You must be logged onto an account with administrator privileges.

1. Close all applications and windows.
2. Double-click on dss.exe to run it, and follow the prompts.
3. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <-this one will be minimized
4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt in your next reply.
5. Please attach extra.txt to your post.

To attach a file to a new post, simply

1. Click the[Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
2. copy and paste the following into the "Upload File from your Computer" box:

   C:\Deckard\System Scanner\extra.txt
   

3. Click Upload.

Please include the following in your next reply:

main.txt
an attached extra.txt

[drwatson]

Here is Main.txt: (and please find the extra.txt attached.)

I was able to run dss in normal mode before the program was killed, by changing the process to realtime after login. Shortly after the main.txt appeared it was shutdown.

Deckard's System Scanner v20070905.67
Run by lcladmin on 2007-10-09 23:51:19
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as lcladmin.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:51:51 PM, on 10/9/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\Brmfrmps.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINNT\system32\regsvc.exe
E:\Program Files\Search Engine Commando\ScheduleService.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Documents and Settings\lcladmin\Desktop\dss.exe
C:\Program Files\Brother\Brmfl04b\BrStDvPt.exe
C:\WINNT\system32\InetCntrl\InetCntrl.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
E:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\DOCUME~1\lcladmin\Desktop\lcladmin.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - E:\Program Files\SpyCatcher 2006\SCActiveBlock.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Bsecure Popup Blocker - {E0019445-4C1F-414D-A70E-AD80F231C584} - C:\WINNT\system32\InetCntrl\PopupKil\BsafeBHO.dll
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Bsecure Popup Blocker - {E0019445-4C1F-414D-A70E-AD80F231C584} - C:\WINNT\system32\InetCntrl\PopupKil\BsafeBHO.dll
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [gcasServ] "E:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04b\BrStDvPt.exe
O4 - HKLM\..\Run: [InetCntrl] C:\WINNT\system32\InetCntrl\InetCntrl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - .DEFAULT User Startup: discfix.lnk = C:\DELL\discfix.cmd (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O10 - Unknown file in Winsock LSP: inetcntrl0007.dll
O10 - Unknown file in Winsock LSP: inetcntrl0007.dll
O10 - Unknown file in Winsock LSP: inetcntrl0007.dll
O10 - Unknown file in Winsock LSP: inetcntrl0007.dll
O10 - Unknown file in Winsock LSP: inetcntrl0007.dll
O10 - Unknown file in Winsock LSP: inetcntrl0007.dll
O10 - Unknown file in Winsock LSP: inetcntrl0007.dll
O10 - Unknown file in Winsock LSP: inetcntrl0007.dll
O10 - Unknown file in Winsock LSP: inetcntrl0007.dll
O10 - Unknown file in Winsock LSP: inetcntrl0007.dll
O10 - Unknown file in Winsock LSP: inetcntrl0007.dll
O10 - Unknown file in Winsock LSP: inetcntrl0007.dll
O10 - Unknown file in Winsock LSP: inetcntrl0007.dll
O10 - Unknown file in Winsock LSP: inetcntrl0007.dll
O10 - Unknown file in Winsock LSP: inetcntrl0007.dll
O10 - Unknown file in Winsock LSP: inetcntrl0007.dll
O10 - Unknown file in Winsock LSP: inetcntrl0007.dll
O10 - Unknown file in Winsock LSP: inetcntrl0007.dll
O10 - Unknown file in Winsock LSP: inetcntrl0007.dll
O10 - Unknown file in Winsock LSP: inetcntrl0007.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1135192468824
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/14...2/cpbrkpie.cab
O20 - AppInit_DLLs: interceptor.dll
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINNT\system32\Brmfrmps.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINNT\system32\MSTask.exe (file missing)
O23 - Service: Search Engine Commando Schedule Service (SECScheduleService) - Tates Creek Software, LLC - E:\Program Files\Search Engine Commando\ScheduleService.exe

--
End of file - 6283 bytes

-- Files created between 2007-09-09 and 2007-10-09 -----------------------------

2007-10-09 23:51:10 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_f4.dat
2007-10-09 23:49:16 376564 ---h----- C:\WINNT\ShellIconCache
2007-10-09 2351 0 d-------- C:\Documents and Settings\lcladmin\Application Data\Talkback
2007-10-09 23:05:38 0 d-------- C:\Documents and Settings\lcladmin\Application Data\Google
2007-10-09 23:05:15 0 d-------- C:\Documents and Settings\lcladmin\Application Data\Mozilla
2007-10-09 23:00:37 0 d-------- C:\Documents and Settings\lcladmin\Application Data\Identities
2007-10-09 23:00:32 0 d--h----- C:\Documents and Settings\lcladmin\Templates
2007-10-09 23:00:32 0 d-------- C:\Documents and Settings\lcladmin\Start Menu
2007-10-09 23:00:32 0 d--h----- C:\Documents and Settings\lcladmin\SendTo
2007-10-09 23:00:32 0 dr-h----- C:\Documents and Settings\lcladmin\Recent
2007-10-09 23:00:32 0 d--h----- C:\Documents and Settings\lcladmin\PrintHood
2007-10-09 23:00:32 327680 --ah----- C:\Documents and Settings\lcladmin\NTUSER.DAT
2007-10-09 23:00:32 0 d--h----- C:\Documents and Settings\lcladmin\NetHood
2007-10-09 23:00:32 0 d-------- C:\Documents and Settings\lcladmin\My Documents
2007-10-09 23:00:32 0 d--h----- C:\Documents and Settings\lcladmin\Local Settings
2007-10-09 23:00:32 0 dr------- C:\Documents and Settings\lcladmin\Favorites
2007-10-09 23:00:32 0 d-------- C:\Documents and Settings\lcladmin\Desktop
2007-10-09 23:00:32 0 d---s---- C:\Documents and Settings\lcladmin\Cookies
2007-10-09 23:00:32 0 d--h----- C:\Documents and Settings\lcladmin\Application Data
2007-10-09 21:04:18 0 d-------- C:\Documents and Settings\Riley\Application Data\Google
2007-10-09 21:03:36 0 d-------- C:\Documents and Settings\Riley\Application Data\Talkback
2007-10-09 21:03:07 0 d-------- C:\Documents and Settings\Riley\Application Data\Mozilla
2007-10-09 21:02:03 0 d-------- C:\Documents and Settings\Riley\Application Data\Identities
2007-10-09 21:01:56 0 d--h----- C:\Documents and Settings\Riley\Templates
2007-10-09 21:01:56 0 d-------- C:\Documents and Settings\Riley\Start Menu
2007-10-09 21:01:56 0 d--h----- C:\Documents and Settings\Riley\SendTo
2007-10-09 21:01:56 0 dr-h----- C:\Documents and Settings\Riley\Recent
2007-10-09 21:01:56 0 d--h----- C:\Documents and Settings\Riley\PrintHood
2007-10-09 21:01:56 225280 --ah----- C:\Documents and Settings\Riley\NTUSER.DAT
2007-10-09 21:01:56 0 d--h----- C:\Documents and Settings\Riley\NetHood
2007-10-09 21:01:56 0 d-------- C:\Documents and Settings\Riley\My Documents
2007-10-09 21:01:56 0 d--h----- C:\Documents and Settings\Riley\Local Settings
2007-10-09 21:01:56 0 dr------- C:\Documents and Settings\Riley\Favorites
2007-10-09 21:01:56 0 d-------- C:\Documents and Settings\Riley\Desktop
2007-10-09 21:01:56 0 d---s---- C:\Documents and Settings\Riley\Cookies
2007-10-09 21:01:56 0 d--h----- C:\Documents and Settings\Riley\Application Data
2007-10-09 21:01:56 0 d---s---- C:\Documents and Settings\Riley\Application Data\Microsoft
2007-10-09 20:33:22 0 d-------- C:\Documents and Settings\All Users.WINNT\Application Data\TEMP
2007-09-22 13:45:06 1364 --a------ C:\Documents and Settings\All Users.WINNT\Application Data\QTSBandwidthCache


-- Find3M Report ---------------------------------------------------------------

2007-10-09 23:00:39 0 d-------- C:\Program Files\Common Files
2007-08-17 00:00:50 0 d-------- C:\Program Files\RegCleaner
2007-08-13 17:16:43 0 d-------- C:\Program Files\Orwell
2007-08-09 20:34:48 0 d-------- C:\Program Files\SEO Elite
2007-08-07 20:01:00 664 -----n--- C:\WINNT\system32\d3d9caps.dat
2007-08-04 15:19:30 93248 -----n--- C:\WINNT\Orwell Uninstaller.exe
2007-08-03 21:44:44 16384 --------t C:\WINNT\system32\Perflib_Perfdata_344.dat
2007-07-18 22:29:02 31 -----n--- C:\WINNT\J


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [12/17/03 06:40a]
"Synchronization Manager"="mobsync.exe" [06/19/03 02:05p C:\WINNT\system32\mobsync.exe]
"gcasServ"="E:\Program Files\Microsoft AntiSpyware\gcasServ.exe" [11/15/05 12:12p]
"SetDefPrt"="C:\Program Files\Brother\Brmfl04b\BrStDvPt.exe" [05/25/04 10:16a]
"InetCntrl"="C:\WINNT\system32\InetCntrl\InetCntrl.exe" [01/29/07 11:10a]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [09/01/06 04:57p]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [12/14/2004 4:44:06 AM]
Status Monitor.lnk - C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe [4/28/2005 9:27:46 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=interceptor.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"




-- End of Deckard's System Scanner: finished at 2007-10-09 23:52:41 ------------

[Ried]

Hello Chris,

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.

***************************************************

Download SDFix and save it to your Desktop. Double click SDFix.exe and it will extract the files to %systemdrive% -(Drive that contains the Windows Directory, typically C:\SDFix)

--------------------------------------------------------------------

Please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account. Make sure to close any open browsers.

--------------------------------------------------------------------

Open the extracted SDFix folder and double click RunThis.bat to start the script.

• Type Y to begin the cleanup process.
• It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
• Press any Key and it will restart the PC.
• When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
• Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt I'll need that in your next reply.

--------------------------------------------------------------------

Run a new scan with HijackThis and save the log.

--------------------------------------------------------------------

Please include the following in your next reply:

C:\SDFix\Report.txt
New HijackThis log
Update on system behavior

[drwatson]

Got that done finally, unfortunately the pc is still acting up though.

Please find tghe report.txt attached.

Thanks

Chris

SDFix: Version 1.107

Run by lcladmin on Wed 10/10/2007 at 6:27p

Microsoft Windows 2000 [Version 5.00.2195]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

No Trojan Files Found




Removing Temp Files...

ADS Check:

C:\WINNT
No streams found.

C:\WINNT\system32
No streams found.

C:\WINNT\system32\svchost.exe
No streams found.

C:\WINNT\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------




Remaining Files:
---------------


Files with Hidden Attributes:

Tue 27 Sep 2005 4 ...H. --- "C:\WINNT\uccspecb.sys"
Wed 14 Dec 2005 23,552 ...H. --- "C:\RECYCLER\S-1-5-21-1220945662-854245398-1957994488-1002\Dc11.tmp"
Wed 14 Dec 2005 19,968 ...H. --- "C:\RECYCLER\S-1-5-21-1220945662-854245398-1957994488-1002\Dc12.tmp"
Wed 14 Dec 2005 24,576 ...H. --- "C:\RECYCLER\S-1-5-21-1220945662-854245398-1957994488-1002\Dc13.tmp"
Wed 14 Dec 2005 19,968 ...H. --- "C:\RECYCLER\S-1-5-21-1220945662-854245398-1957994488-1002\Dc15.tmp"
Wed 14 Dec 2005 23,552 ...H. --- "C:\RECYCLER\S-1-5-21-1220945662-854245398-1957994488-1002\Dc16.tmp"
Wed 14 Dec 2005 23,552 ...H. --- "C:\RECYCLER\S-1-5-21-1220945662-854245398-1957994488-1002\Dc17.tmp"
Mon 25 Sep 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users.WINNT\DRM\DRMv1.bak"
Tue 29 Aug 2000 557,056 ...H. --- "C:\Program Files\Dell\Backup\DellBckp.exe"

Finished!



Deckard's System Scanner v20070905.67
Run by lcladmin on 2007-10-10 19:44:13
Computer is in Safe Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as lcladmin.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:44:21 PM, on 10/10/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Safe mode

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Documents and Settings\lcladmin\Desktop\dss.exe
C:\DOCUME~1\lcladmin\Desktop\lcladmin.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - E:\Program Files\SpyCatcher 2006\SCActiveBlock.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Bsecure Popup Blocker - {E0019445-4C1F-414D-A70E-AD80F231C584} - C:\WINNT\system32\InetCntrl\PopupKil\BsafeBHO.dll
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Bsecure Popup Blocker - {E0019445-4C1F-414D-A70E-AD80F231C584} - C:\WINNT\system32\InetCntrl\PopupKil\BsafeBHO.dll
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [gcasServ] "E:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04b\BrStDvPt.exe
O4 - HKLM\..\Run: [InetCntrl] C:\WINNT\system32\InetCntrl\InetCntrl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - .DEFAULT User Startup: discfix.lnk = C:\DELL\discfix.cmd (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O10 - Unknown file in Winsock LSP: inetcntrl0007.dll
O10 - Unknown file in Winsock LSP: inetcntrl0007.dll
O10 - Unknown file in Winsock LSP: inetcntrl0007.dll
O10 - Unknown file in Winsock LSP: inetcntrl0007.dll
O10 - Unknown file in Winsock LSP: inetcntrl0007.dll
O10 - Unknown file in Winsock LSP: inetcntrl0007.dll
O10 - Unknown file in Winsock LSP: inetcntrl0007.dll
O10 - Unknown file in Winsock LSP: inetcntrl0007.dll
O10 - Unknown file in Winsock LSP: inetcntrl0007.dll
O10 - Unknown file in Winsock LSP: inetcntrl0007.dll
O10 - Unknown file in Winsock LSP: inetcntrl0007.dll
O10 - Unknown file in Winsock LSP: inetcntrl0007.dll
O10 - Unknown file in Winsock LSP: inetcntrl0007.dll
O10 - Unknown file in Winsock LSP: inetcntrl0007.dll
O10 - Unknown file in Winsock LSP: inetcntrl0007.dll
O10 - Unknown file in Winsock LSP: inetcntrl0007.dll
O10 - Unknown file in Winsock LSP: inetcntrl0007.dll
O10 - Unknown file in Winsock LSP: inetcntrl0007.dll
O10 - Unknown file in Winsock LSP: inetcntrl0007.dll
O10 - Unknown file in Winsock LSP: inetcntrl0007.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1135192468824
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/14...2/cpbrkpie.cab
O20 - AppInit_DLLs: interceptor.dll
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINNT\system32\Brmfrmps.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINNT\system32\MSTask.exe (file missing)
O23 - Service: Search Engine Commando Schedule Service (SECScheduleService) - Tates Creek Software, LLC - E:\Program Files\Search Engine Commando\ScheduleService.exe

--
End of file - 5574 bytes

-- Files created between 2007-09-10 and 2007-10-10 -----------------------------

2007-10-10 18:25:53 0 d-------- C:\WINNT\ERUNT
2007-10-10 18:21:58 463636 ---h----- C:\WINNT\ShellIconCache
2007-10-09 2351 0 d-------- C:\Documents and Settings\lcladmin\Application Data\Talkback
2007-10-09 23:05:38 0 d-------- C:\Documents and Settings\lcladmin\Application Data\Google
2007-10-09 23:05:15 0 d-------- C:\Documents and Settings\lcladmin\Application Data\Mozilla
2007-10-09 23:00:37 0 d-------- C:\Documents and Settings\lcladmin\Application Data\Identities
2007-10-09 23:00:32 0 d--h----- C:\Documents and Settings\lcladmin\Templates
2007-10-09 23:00:32 0 d-------- C:\Documents and Settings\lcladmin\Start Menu
2007-10-09 23:00:32 0 d--h----- C:\Documents and Settings\lcladmin\SendTo
2007-10-09 23:00:32 0 dr-h----- C:\Documents and Settings\lcladmin\Recent
2007-10-09 23:00:32 0 d--h----- C:\Documents and Settings\lcladmin\PrintHood
2007-10-09 23:00:32 339968 --ah----- C:\Documents and Settings\lcladmin\NTUSER.DAT
2007-10-09 23:00:32 0 d--h----- C:\Documents and Settings\lcladmin\NetHood
2007-10-09 23:00:32 0 d-------- C:\Documents and Settings\lcladmin\My Documents
2007-10-09 23:00:32 0 d--h----- C:\Documents and Settings\lcladmin\Local Settings
2007-10-09 23:00:32 0 dr------- C:\Documents and Settings\lcladmin\Favorites
2007-10-09 23:00:32 0 d-------- C:\Documents and Settings\lcladmin\Desktop
2007-10-09 23:00:32 0 d---s---- C:\Documents and Settings\lcladmin\Cookies
2007-10-09 23:00:32 0 d--h----- C:\Documents and Settings\lcladmin\Application Data
2007-10-09 21:04:18 0 d-------- C:\Documents and Settings\Riley\Application Data\Google
2007-10-09 21:03:36 0 d-------- C:\Documents and Settings\Riley\Application Data\Talkback
2007-10-09 21:03:07 0 d-------- C:\Documents and Settings\Riley\Application Data\Mozilla
2007-10-09 21:02:03 0 d-------- C:\Documents and Settings\Riley\Application Data\Identities
2007-10-09 21:01:56 0 d--h----- C:\Documents and Settings\Riley\Templates
2007-10-09 21:01:56 0 d-------- C:\Documents and Settings\Riley\Start Menu
2007-10-09 21:01:56 0 d--h----- C:\Documents and Settings\Riley\SendTo
2007-10-09 21:01:56 0 dr-h----- C:\Documents and Settings\Riley\Recent
2007-10-09 21:01:56 0 d--h----- C:\Documents and Settings\Riley\PrintHood
2007-10-09 21:01:56 225280 --ah----- C:\Documents and Settings\Riley\NTUSER.DAT
2007-10-09 21:01:56 0 d--h----- C:\Documents and Settings\Riley\NetHood
2007-10-09 21:01:56 0 d-------- C:\Documents and Settings\Riley\My Documents
2007-10-09 21:01:56 0 d--h----- C:\Documents and Settings\Riley\Local Settings
2007-10-09 21:01:56 0 dr------- C:\Documents and Settings\Riley\Favorites
2007-10-09 21:01:56 0 d-------- C:\Documents and Settings\Riley\Desktop
2007-10-09 21:01:56 0 d---s---- C:\Documents and Settings\Riley\Cookies
2007-10-09 21:01:56 0 d--h----- C:\Documents and Settings\Riley\Application Data
2007-10-09 21:01:56 0 d---s---- C:\Documents and Settings\Riley\Application Data\Microsoft
2007-10-09 20:33:22 0 d-------- C:\Documents and Settings\All Users.WINNT\Application Data\TEMP
2007-09-22 13:45:06 1364 --a------ C:\Documents and Settings\All Users.WINNT\Application Data\QTSBandwidthCache


-- Find3M Report ---------------------------------------------------------------

2007-10-09 23:00:39 0 d-------- C:\Program Files\Common Files
2007-08-17 00:00:50 0 d-------- C:\Program Files\RegCleaner
2007-08-13 17:16:43 0 d-------- C:\Program Files\Orwell
2007-08-07 20:01:00 664 -----n--- C:\WINNT\system32\d3d9caps.dat
2007-08-04 15:19:30 93248 -----n--- C:\WINNT\Orwell Uninstaller.exe
2007-08-03 21:44:44 16384 --------t C:\WINNT\system32\Perflib_Perfdata_344.dat
2007-07-18 22:29:02 31 -----n--- C:\WINNT\J


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [12/17/03 06:40a]
"Synchronization Manager"="mobsync.exe" [06/19/03 02:05p C:\WINNT\system32\mobsync.exe]
"gcasServ"="E:\Program Files\Microsoft AntiSpyware\gcasServ.exe" [11/15/05 12:12p]
"SetDefPrt"="C:\Program Files\Brother\Brmfl04b\BrStDvPt.exe" [05/25/04 10:16a]
"InetCntrl"="C:\WINNT\system32\InetCntrl\InetCntrl.exe" [01/29/07 11:10a]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [09/01/06 04:57p]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [12/14/2004 4:44:06 AM]
Status Monitor.lnk - C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe [4/28/2005 9:27:46 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=interceptor.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"




-- End of Deckard's System Scanner: finished at 2007-10-10 19:44:46 ------------

[Ried]

I'm not yet convinced the malware I did see is to blame here as the files are missing. Also, note the entries in the Event Log in the extra.txt:

Quote:

Event Record #/Type68288 / Warning
Event Submitted/Written: 10/08/2007 09:07:37 AM
Event ID/Source: 12103 / WMI
Event Description:
The registry path () passed by a kernel mode driver is invalid. The driver device object is in the additional data.

Just the same, I'd like to run one more tool:

Download Combofix and save it to your desktop.

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.

• When finished, it will produce a report for you.
• Please post the C:\ComboFix.txt in your next reply.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall

[drwatson]

I ran the file as requested and killed the "InetCntrl" process since it pertains to my Bsafe Online, firewall and virus scanner. When I am able to kill that process early enough on login, I have not had any similar occurances.

Coould it be that the inetcntrl just became corrupt or infected?

Here is the the file results:

ComboFix 07-10-09.3 - lcladmin 10/10/2007 23:46:43.2 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.372 [GMT -5:00]
Running from: C:\Documents and Settings\lcladmin\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-09-11 to 2007-10-11 )))))))))))))))))))))))))))))))
.

2007-10-10 23:46 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_2cc.dat
2007-10-10 19:54 <DIR> d-------- C:\SAV32CLI
2007-10-10 18:25 <DIR> d-------- C:\WINNT\ERUNT
2007-10-09 23:42 <DIR> d-------- C:\Deckard
2007-10-09 23:22 51,200 --a------ C:\WINNT\NirCmd.exe
2007-10-09 23:06 <DIR> d-------- C:\Documents and Settings\lcladmin\Application Data\Talkback
2007-10-09 23:05 <DIR> d-------- C:\Documents and Settings\lcladmin\Application Data\Google
2007-10-09 21:04 <DIR> d-------- C:\Documents and Settings\Riley\Application Data\Google
2007-10-09 21:03 <DIR> d-------- C:\Documents and Settings\Riley\Application Data\Talkback
2007-10-09 20:33 <DIR> d-------- C:\Documents and Settings\All Users.WINNT\Application Data\TEMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-08-17 05:00 --------- d-----w C:\Program Files\RegCleaner
2007-08-17 04:54 --------- d-----w C:\Documents and Settings\cwatson.CWATSONHM\Application Data\RegistrySmart
2007-08-17 04:10 --------- d-----w C:\Documents and Settings\cwatson.CWATSONHM\Application Data\Uniblue
2007-08-13 22:16 --------- d-----w C:\Program Files\Orwell
2007-08-13 21:45 --------- d-----w C:\Documents and Settings\cwatson.CWATSONHM\Application Data\Notepad++
2007-08-11 19:38 --------- d-----w C:\Documents and Settings\cwatson.CWATSONHM\Application Data\eBookPro6
2007-08-04 20:19 93,248 ------w C:\WINNT\Orwell Uninstaller.exe
2004-04-07 14:07 271 ---h--w C:\Program Files\DESKTOP.INI
2004-04-07 14:07 21,952 ---h--w C:\Program Files\FOLDER.HTT
2000-07-26 17:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
.

((((((((((((((((((((((((((((( snapshot@Tue 10-09-2007_23.24.53.07 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 163,328 2007-09-28 03:03:23 C:\WINNT\ERUNT\SDFIX\ERDNT.EXE
----a-w 339,968 2007-10-11 03:25:54 C:\WINNT\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
----a-w 98,304 2007-10-11 03:25:55 C:\WINNT\ERUNT\SDFIX\Users\00000002\UsrClass.dat
----a-w 163,328 2007-09-28 03:03:23 C:\WINNT\ERUNT\SDFIX_First_Run\ERDNT.EXE
----a-w 335,872 2007-10-10 23:26:01 C:\WINNT\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
----a-w 98,304 2007-10-10 23:26:01 C:\WINNT\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
----a-w 280,269 2007-10-11 00:24:39 C:\WINNT\system32\InetCntrl\AV\avvclean.dat
----a-w 9,070,405 2007-10-11 00:24:36 C:\WINNT\system32\InetCntrl\AV\avvnames.dat
----a-w 223,413 2007-10-11 00:24:36 C:\WINNT\system32\InetCntrl\AV\avvscan.dat
----a-w 3,253 2007-10-11 00:25:16 C:\WINNT\system32\InetCntrl\Data\progctrl.bin
----a-w 67,173 2007-10-11 04:46:36 C:\WINNT\system32\InetCntrl\Data\userpolicy.bin
.
----a-w 280,109 2007-10-10 00:13:50 C:\WINNT\system32\InetCntrl\AV\avvclean.dat
----a-w 9,065,365 2007-10-10 00:13:47 C:\WINNT\system32\InetCntrl\AV\avvnames.dat
----a-w 223,381 2007-10-10 00:13:47 C:\WINNT\system32\InetCntrl\AV\avvscan.dat
----a-w 3,173 2007-10-10 04:05:50 C:\WINNT\system32\InetCntrl\Data\progctrl.bin
----a-w 67,129 2007-10-10 04:05:27 C:\WINNT\system32\InetCntrl\Data\userpolicy.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [12/17/03 06:40a]
"Synchronization Manager"="mobsync.exe" [06/19/03 02:05p C:\WINNT\system32\mobsync.exe]
"gcasServ"="E:\Program Files\Microsoft AntiSpyware\gcasServ.exe" [11/15/05 12:12p]
"SetDefPrt"="C:\Program Files\Brother\Brmfl04b\BrStDvPt.exe" [05/25/04 10:16a]
"InetCntrl"="C:\WINNT\system32\InetCntrl\InetCntrl.exe" [01/29/07 11:10a]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [09/01/06 04:57p]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

C:\Documents and Settings\Default User\Start Menu\Programs\Startup\
discfix.lnk - C:\DELL\discfix.cmd [1980-01-01 01:00:00]

C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06]
Status Monitor.lnk - C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe [2005-04-28 21:27:46]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=interceptor.dll

R2 BrSerial;Brother Serial Driver;\??\C:\WINNT\system32\drivers\BrSerial.sys
R2 dmsmbios;dmsmbios;\??\C:\WINNT\System32\dmsmbios.sys
R2 SECScheduleService;Search Engine Commando Schedule Service;E:\Program Files\Search Engine Commando\ScheduleService.exe
R3 BrScnUsb;Brother USB Still Image driver;C:\WINNT\system32\Drivers\BrScnUsb.sys
R3 BrSerIf;Brother MFC Serial Port Interface WDM Driver;C:\WINNT\system32\Drivers\BrSerIf.sys
R3 BrUsbSer;Brother MFC USB Serial WDM Driver;C:\WINNT\system32\Drivers\BrUsbSer.sys
R3 EL90BC;3Com EtherLink XL B/C Adapter Driver;C:\WINNT\system32\DRIVERS\el90xbc5.sys

.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-10 23:48:05
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 10/10/2007 23:49:10
C:\ComboFix2.txt ... 10/09/07 11:25p
.
--- E O F ---

[Ried]

It sounds quite likely that it has been corrupted somehow if your system works fine when you stop the process.

I would suggest uninstalling BSafe and reinstalling it to see if that resolves the issue.

You ran ComboFix twice. I'd like to see what happened in the first run of the tool. Please post the C:\ComboFix 2.txt

[drwatson]

Here is the requested info:

ComboFix 07-10-09.3 - lcladmin 10/09/2007 23:23:26.1 - NTFSx86 NETWORK
Running from: C:\Documents and Settings\lcladmin\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-09-10 to 2007-10-10 )))))))))))))))))))))))))))))))
.

2007-10-09 23:22 51,200 --a------ C:\WINNT\NirCmd.exe
2007-10-09 23:06 <DIR> d-------- C:\Documents and Settings\lcladmin\Application Data\Talkback
2007-10-09 23:05 <DIR> d-------- C:\Documents and Settings\lcladmin\Application Data\Google
2007-10-09 21:04 <DIR> d-------- C:\Documents and Settings\Riley\Application Data\Google
2007-10-09 21:03 <DIR> d-------- C:\Documents and Settings\Riley\Application Data\Talkback
2007-10-09 20:33 <DIR> d-------- C:\Documents and Settings\All Users.WINNT\Application Data\TEMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-08-17 05:00 --------- d-----w C:\Program Files\RegCleaner
2007-08-17 04:54 --------- d-----w C:\Documents and Settings\cwatson.CWATSONHM\Application Data\RegistrySmart
2007-08-17 04:10 --------- d-----w C:\Documents and Settings\cwatson.CWATSONHM\Application Data\Uniblue
2007-08-13 22:16 --------- d-----w C:\Program Files\Orwell
2007-08-13 21:45 --------- d-----w C:\Documents and Settings\cwatson.CWATSONHM\Application Data\Notepad++
2007-08-11 19:38 --------- d-----w C:\Documents and Settings\cwatson.CWATSONHM\Application Data\eBookPro6
2007-08-10 01:34 --------- d-----w C:\Program Files\SEO Elite
2007-08-04 20:19 93,248 ------w C:\WINNT\Orwell Uninstaller.exe
2004-04-07 14:07 271 ---h--w C:\Program Files\DESKTOP.INI
2004-04-07 14:07 21,952 ---h--w C:\Program Files\FOLDER.HTT
2000-07-26 17:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [12/17/03 06:40a]
"Synchronization Manager"="mobsync.exe" [06/19/03 02:05p C:\WINNT\system32\mobsync.exe]
"gcasServ"="E:\Program Files\Microsoft AntiSpyware\gcasServ.exe" [11/15/05 12:12p]
"SetDefPrt"="C:\Program Files\Brother\Brmfl04b\BrStDvPt.exe" [05/25/04 10:16a]
"InetCntrl"="C:\WINNT\system32\InetCntrl\InetCntrl.exe" [01/29/07 11:10a]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [09/01/06 04:57p]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=interceptor.dll

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-09 23:24:48
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 10/09/2007 23:25:56
.
--- E O F ---

[Ried]

Thank you.

Let's do a little 'test'. Uninstall BSafe and try a different AntiVirus and see if your issues remain.

Before you uninstall, here are 2 very good free Anti Virus products which are available:

• Avast!
• AVG

Select one of these, or another of your choice and download it. Do not install it until you've uninstalled BSafe.

After you've uninstalled BSafe via the Add or Remove programs, install the AV you downloaded, update definitions, and run a full system scan.

How is the system behaving?

[drwatson]

I contacted bSafe who stated that had upgraded their servers and had a software upgrade that should fix the issue.

I uninstalled the old version and installed the new and the symptoms went away.

Thanks for your help, we can change this status to resolved.

[Ried]

Thanks for letting us know.

You're welcome, drwatson.