I fear multiple viruses... (worm.win32.netbooster) [CLOSED]

#1 sam_at2001 (New Member, 4 posts)

Hi guys

I have got the 'worm.win32.netbooster' virus (the desktop is replaced with a warning, multiple pop-ups etc.). I've downloaded SmitFraudFix to try and fix it; however, I am unable to load cmd.exe (it fails to initialize), so I'm a bit screwed. Here is the HijackThis log (I've had to save this on my laptop as my computer is becoming next to unusable now).

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:25:38, on 03/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Safe mode

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\ctfmon.exe
F:\WINDOWS\Explorer.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - F:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: fdkowvbp - {FB3486FF-2A37-4536-B847-D999BA4E7776} - F:\WINDOWS\fdkowvbp.dll
O4 - HKLM\..\Run: [AudioDrvEmulator] "F:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "F:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [lphcamwj0elqk] F:\WINDOWS\system32\lphcamwj0elqk.exe
O4 - HKLM\..\Run: [SMrhcemwj0elqk] F:\Program Files\rhcemwj0elqk\rhcemwj0elqk.exe
O4 - HKLM\..\Run: [BM97ed6ffb] Rundll32.exe "F:\WINDOWS\system32\ivlhnnxs.dll",s
O4 - HKLM\..\Run: [e79abffb] rundll32.exe "F:\WINDOWS\system32\yhtsonax.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1175616320046
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemreq.../sysreqlab2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.su...ows-i586-jc.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photob...ploader_uni.cab
O16 - DPF: {CE6BFF02-054C-4D55-8B27-BFB0E81B2A3E} - http://www.mtnsys.co...stall/setup.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.12) - http://www.yougamers...eminfo/MSC3.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O20 - AppInit_DLLs: hmrkwn.dll
O21 - SSODL: wnslvxtf - {B75EC61A-B37D-4B57-9BD3-A6D9EBF60957} - F:\WINDOWS\wnslvxtf.dll
O21 - SSODL: eqvwamkl - {4665CDE6-73DB-428F-A002-63395ABF27F7} - F:\WINDOWS\eqvwamkl.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: iPod Service - Apple Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - F:\Program Files\Kontiki\KService.exe
O23 - Service: TVersityMediaServer - Unknown owner - F:\Program Files\TVersity\Media Server\MediaServer.exe
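To show how the O-lines in the log above decode and why the random-named DLLs under O3, O4, O20 and O21 are the entries a helper zeroes in on, here is a small triage script. It is an added example, not code from the thread, from HijackThis or from the SDFix/DSS tools mentioned later; the scoring indicators, the 0.2 vowel ratio and the threshold of 2 are this example's own assumptions, and the sample lines are copied from the HijackThis logs posted in this thread.

```python
"""Triage helper for HijackThis v2 log lines (added example, not the thread's or the tool's code).

Scan lines have the shape "<code> - <body>"; the code names the section. Only the
persistence sections are scored (O2 BHO, O3 toolbar, O4 autorun, O20 AppInit_DLLs /
Winlogon Notify, O21 SSODL). Indicators and threshold are this example's own choices.
"""
import ntpath
import re
from dataclasses import dataclass

# Constructed sample: a subset of the lines from the HijackThis logs posted in this
# thread, plus header lines so the parser is seen skipping them.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
F:\WINDOWS\Explorer.exe
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {2DA6D7FA-FA98-4681-8C9F-4021B6506DA5} - F:\WINDOWS\system32\xxywVlIY.dll
O2 - BHO: {63c30653-b865-79fb-4294-1ee788d863e3} - {3e368d88-7ee1-4924-bf97-568b35603c36} - F:\WINDOWS\system32\hmrkwn.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: QXK Olive - {B763BE68-B1D1-41F4-9087-8BF71BB93155} - F:\WINDOWS\nfavxwdbdfm.dll
O3 - Toolbar: fdkowvbp - {FB3486FF-2A37-4536-B847-D999BA4E7776} - F:\WINDOWS\fdkowvbp.dll
O4 - HKLM\..\Run: [AudioDrvEmulator] "F:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "F:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [lphcamwj0elqk] F:\WINDOWS\system32\lphcamwj0elqk.exe
O4 - HKLM\..\Run: [BM97ed6ffb] Rundll32.exe "F:\WINDOWS\system32\ivlhnnxs.dll",s
O4 - HKLM\..\Run: [e79abffb] rundll32.exe "F:\WINDOWS\system32\yhtsonax.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: hmrkwn.dll
O20 - Winlogon Notify: xxywTNhh - F:\WINDOWS\SYSTEM32\xxywTNhh.dll
O21 - SSODL: wnslvxtf - {B75EC61A-B37D-4B57-9BD3-A6D9EBF60957} - F:\WINDOWS\wnslvxtf.dll
"""

LINE_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.*)$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"<>|,]+?\.(?:dll|exe|scr|sys)\b', re.IGNORECASE)
BARE_FILE_RE = re.compile(r"\b[\w\-]+\.(?:dll|exe|scr|sys)\b", re.IGNORECASE)
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.IGNORECASE)
PERSISTENCE_CODES = {"O2", "O3", "O4", "O20", "O21"}
RARE_HOOKS = ("AppInit_DLLs:", "Winlogon Notify:", "SSODL:")
VOWELS = set("aeiou")

@dataclass
class Finding:
    code: str
    body: str
    score: int
    reasons: list

def display_name(body):
    """Registry name of the entry: "[name]" for O4, else the text before the first " - "."""
    rest = body.partition(":")[2].strip()
    m = re.match(r"\[(.*?)\]", rest)
    return m.group(1) if m else rest.split(" - ")[0].strip()

def looks_random(stem):
    """Vowel-starved stems of 8+ chars (wnslvxtf, lphcamwj0elqk) are typical of generated names."""
    letters = [c for c in stem.lower() if c.isalpha()]
    if len(stem) < 8 or len(letters) < 6:
        return False
    return sum(c in VOWELS for c in letters) / len(letters) < 0.2  # assumed cut-off

def score_line(code, body):
    """Return (score, reasons): one point per independent indicator, 0 outside persistence sections."""
    reasons = []
    if code not in PERSISTENCE_CODES:
        return 0, reasons
    reasons.append("persistence point")
    name = display_name(body)
    if name == "(no name)" or GUID_RE.match(name):
        reasons.append("entry has no readable name")
    if body.startswith(RARE_HOOKS):
        reasons.append("hook rarely used by legitimate software")
    if "rundll32.exe" in body.lower():
        reasons.append("DLL launched through rundll32")
    for path in PATH_RE.findall(body) or BARE_FILE_RE.findall(body):
        base = ntpath.basename(path)
        if ntpath.dirname(path).lower().endswith("\\windows"):
            reasons.append(f"{base} sits directly in the Windows directory")
        if looks_random(ntpath.splitext(base)[0]):
            reasons.append(f"{base} has a random-looking name")
    return len(reasons), reasons

def triage(log_text, threshold=2):
    """Parse every scan line and keep those scoring at or above the (assumed) threshold."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header, process list or blank line
        score, reasons = score_line(m["code"], m["body"])
        if score >= threshold:
            findings.append(Finding(m["code"], m["body"], score, reasons))
    return findings

def flagged_files(findings):
    """Lower-cased file names from flagged entries, for cross-checking against a 'files created' list."""
    return {ntpath.basename(p).lower()
            for f in findings
            for p in PATH_RE.findall(f.body) or BARE_FILE_RE.findall(f.body)}
```

Run `triage(SAMPLE_LOG)` and every entry pointing at the randomly named DLLs is returned with its reasons, while ctfmon.exe, the Creative audio loader and the Java BHO stay below the threshold. The names from `flagged_files` are the ones worth matching against the "Files created" section of a DSS report, where a burst of same-minute timestamps ties the droppers together.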

#2 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)

Hello

Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.


Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum.



Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When it has finished, DSS will open two Notepad windows, main.txt and extra.txt; please copy (CTRL+A, then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.


#3 sam_at2001 (Topic Starter, New Member, 4 posts)

Thanks for the reply; however, I am unable to run 'RunThis.bat', as I get the cmd.exe error message and it fails to open.

#4 sam_at2001 (Topic Starter, New Member, 4 posts)

EXTRA:

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Core™2 CPU 6600 @ 2.40GHz
CPU 1: Intel® Core™2 CPU 6600 @ 2.40GHz
Percentage of Memory in Use: 16%
Physical Memory (total/avail): 2046.42 MiB / 1715.95 MiB
Pagefile Memory (total/avail): 3942.48 MiB / 3802.16 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1935.86 MiB

A: is Removable (No Media)
D: is CDROM (No Media)
E: is CDROM (CDFS)
F: is Fixed (NTFS) - 465.75 GiB total, 91.06 GiB free.
G: is Fixed (NTFS) - 465.76 GiB total, 156.97 GiB free.
H: is Removable (FAT)
I: is CDROM (No Media)
J: is Removable (No Media)
K: is Removable (No Media)
L: is Removable (No Media)

\\.\PHYSICALDRIVE0 - ST3500630AS - 465.76 GiB - 1 partition
\PARTITION0 - Installable File System - 465.76 GiB - G:

\\.\PHYSICALDRIVE1 - SATA ST350063 SCSI Disk Device - 465.76 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 465.75 GiB - F:

\\.\PHYSICALDRIVE3 - Generic USB CF Reader USB Device

\\.\PHYSICALDRIVE5 - Generic USB MS Reader USB Device

\\.\PHYSICALDRIVE2 - Generic USB SD Reader USB Device - 1913.99 MiB - 1 partition
\PARTITION0 - MS-DOS V4 Huge - 1914.38 MiB - H:

\\.\PHYSICALDRIVE4 - Generic USB SM Reader USB Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AntiVirusDisableNotify is set.
FirewallDisableNotify is set.
UpdatesDisableNotify is set.


[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"F:\\Program Files\\MSN Messenger\\msnmsgr.exe"="F:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"F:\\Program Files\\MSN Messenger\\livecall.exe"="F:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"F:\\Program Files\\uTorrent\\utorrent.exe"="F:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled:µTorrent"
"F:\\Documents and Settings\\Sam\\Local Settings\\Temp\\ElectronicArts_Patcher_000.exe"="F:\\Documents and Settings\\Sam\\Local Settings\\Temp\\ElectronicArts_Patcher_000.exe:*:Enabled:ElectronicArts_Patcher_000"
"F:\\Program Files\\Sports Interactive\\Football Manager 2007\\fm.exe"="F:\\Program Files\\Sports Interactive\\Football Manager 2007\\fm.exe:*:Enabled:Football Manager 2007"
"F:\\Program Files\\Valve\\Steam\\SteamApps\\sam_at2001\\counter-strike source\\hl2.exe"="F:\\Program Files\\Valve\\Steam\\SteamApps\\sam_at2001\\counter-strike source\\hl2.exe:*:Enabled:hl2"
"F:\\Program Files\\Messenger\\msmsgs.exe"="F:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"F:\\Program Files\\Internet Explorer\\iexplore.exe"="F:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"F:\\Program Files\\Mountain Systems, Inc\\Behringer FCB1010 MIDI PC Editor Utility\\FCB1010.exe"="F:\\Program Files\\Mountain Systems, Inc\\Behringer FCB1010 MIDI PC Editor Utility\\FCB1010.exe:*:Enabled:FCB1010"
"F:\\Program Files\\MSN Messenger\\msnmsgr.exe"="F:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"F:\\Program Files\\MSN Messenger\\livecall.exe"="F:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"F:\\Program Files\\WEMADE Entertainment\\Legend of Mir\\Mir2Patch.exe"="F:\\Program Files\\WEMADE Entertainment\\Legend of Mir\\Mir2Patch.exe:*:Enabled:Mir2Patch"
"F:\\Program Files\\Real\\RealPlayer\\realplay.exe"="F:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"F:\\Program Files\\THQ\\Gas Powered Games\\GPGNet\\GPG.Multiplayer.Client.exe"="F:\\Program Files\\THQ\\Gas Powered Games\\GPGNet\\GPG.Multiplayer.Client.exe:*:Enabled:GPGNet - Supreme Commander"
"G:\\3dsmax7\\3dsmax.exe"="G:\\3dsmax7\\3dsmax.exe:*:Enabled:3ds max 7"
"F:\\Program Files\\backburner 2\\monitor.exe"="F:\\Program Files\\backburner 2\\monitor.exe:*:Enabled:backburner 2.3 monitor"
"F:\\Program Files\\backburner 2\\manager.exe"="F:\\Program Files\\backburner 2\\manager.exe:*:Enabled:backburner 2.3 manager"
"F:\\Program Files\\backburner 2\\server.exe"="F:\\Program Files\\backburner 2\\server.exe:*:Enabled:backburner 2.3 server"
"F:\\Program Files\\CapCom\\Lost Planet Extreme Condition\\LostPlanetDx9.exe"="F:\\Program Files\\CapCom\\Lost Planet Extreme Condition\\LostPlanetDx9.exe:*:Enabled:LostPlanetDx9"
"F:\\Program Files\\RedlightCenter\\RedLightCenter\\Redlightcenter.exe"="F:\\Program Files\\RedlightCenter\\RedLightCenter\\Redlightcenter.exe:*:Enabled:Redlightcenter"
"F:\\Program Files\\Bonjour\\mDNSResponder.exe"="F:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"F:\\WINDOWS\\system32\\PnkBstrA.exe"="F:\\WINDOWS\\system32\\PnkBstrA.exe:*:Enabled:PnkBstrA"
"F:\\WINDOWS\\system32\\PnkBstrB.exe"="F:\\WINDOWS\\system32\\PnkBstrB.exe:*:Enabled:PnkBstrB"
"F:\\Program Files\\LIvVE\\System\\mIC.exe"="F:\\Program Files\\LIvVE\\System\\mIC.exe:*:Enabled:mIC"
"F:\\Program Files\\Unreal Tournament 3 (LG)\\Binaries\\UT3.exe"="F:\\Program Files\\Unreal Tournament 3 (LG)\\Binaries\\UT3.exe:*:Enabled:Unreal Tournament 3"
"F:\\Program Files\\Duke Nukem 3D 2006\\eduke32.exe"="F:\\Program Files\\Duke Nukem 3D 2006\\eduke32.exe:*:Enabled:eduke32"
"F:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="F:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"F:\\Program Files\\Hasbro Interactive\\Monopoly\\Monopoly.exe"="F:\\Program Files\\Hasbro Interactive\\Monopoly\\Monopoly.exe:*:Enabled:Monopoly"
"F:\\Documents and Settings\\Sam\\My Documents\\Downloads\\Programs\\WoW-BurningCrusade-enUS-Installer-downloader.exe"="F:\\Documents and Settings\\Sam\\My Documents\\Downloads\\Programs\\WoW-BurningCrusade-enUS-Installer-downloader.exe:*:Enabled:Blizzard Downloader"
"F:\\Documents and Settings\\Sam\\My Documents\\Downloads\\Programs\\WoW-BurningCrusade-enGB-Installer-downloader_2.exe"="F:\\Documents and Settings\\Sam\\My Documents\\Downloads\\Programs\\WoW-BurningCrusade-enGB-Installer-downloader_2.exe:*:Enabled:Blizzard Downloader"
"F:\\Program Files\\DigiGuide TV Guide\\DigiGuide.exe"="F:\\Program Files\\DigiGuide TV Guide\\DigiGuide.exe:*:Enabled:DigiGuide"
"F:\\Program Files\\QuickTime\\QuickTimePlayer.exe"="F:\\Program Files\\QuickTime\\QuickTimePlayer.exe:*:Enabled:QuickTime Player"
"F:\\Program Files\\iTunes\\iTunes.exe"="F:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"F:\\Program Files\\Kontiki\\KService.exe"="F:\\Program Files\\Kontiki\\KService.exe:*:Enabled:Delivery Manager Service"
"F:\\WINDOWS\\system32\\dpvsetup.exe"="F:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"F:\\WINDOWS\\system32\\rundll32.exe"="F:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:Run a DLL as an App"
"F:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"="F:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe:*:Disabled:Football Manager 2008"
"F:\\Program Files\\Hasbro Interactive\\RollerCoaster Tycoon\\rct.exe"="F:\\Program Files\\Hasbro Interactive\\RollerCoaster Tycoon\\rct.exe:*:Enabled:rct"
"F:\\WINDOWS\\explorer.exe"="F:\\WINDOWS\\explorer.exe:*:Enabled:Windows Explorer"
"F:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"="F:\\Program Files\\TVersity\\Media Server\\MediaServer.exe:*:Enabled:TVersity Media Server"


-- Environment Variables -------------------------------------------------------



-- User Profiles ---------------------------------------------------------------

Sam (admin)
Deidre (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------



-- Application Event Log -------------------------------------------------------

Event Record #/Type6073 / Error
Event Submitted/Written: 08/03/2008 05:44:11 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download....uthrootseq.txt> with error: This network connection does not exist.

Event Record #/Type6072 / Error
Event Submitted/Written: 08/03/2008 05:44:10 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download....uthrootseq.txt> with error: This network connection does not exist.

Event Record #/Type6071 / Error
Event Submitted/Written: 08/03/2008 05:44:10 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download....uthrootseq.txt> with error: This network connection does not exist.

Event Record #/Type6070 / Error
Event Submitted/Written: 08/03/2008 05:44:10 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download....uthrootseq.txt> with error: This network connection does not exist.

Event Record #/Type6069 / Error
Event Submitted/Written: 08/03/2008 05:44:10 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download....uthrootseq.txt> with error: This network connection does not exist.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type23151 / Error
Event Submitted/Written: 08/03/2008 05:42:10 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service netman with arguments ""
in order to run the server:
{BA126AE5-2166-11D1-B1D0-00805FC1270E}

Event Record #/Type23150 / Error
Event Submitted/Written: 08/03/2008 05:42:01 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service netman with arguments ""
in order to run the server:
{BA126AE5-2166-11D1-B1D0-00805FC1270E}

Event Record #/Type23149 / Error
Event Submitted/Written: 08/03/2008 05:41:19 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service netman with arguments ""
in order to run the server:
{BA126AE5-2166-11D1-B1D0-00805FC1270E}

Event Record #/Type23146 / Error
Event Submitted/Written: 08/03/2008 05:37:36 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service netman with arguments ""
in order to run the server:
{BA126AE5-2166-11D1-B1D0-00805FC1270E}

Event Record #/Type23137 / Error
Event Submitted/Written: 08/03/2008 05:37:06 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service netman with arguments ""
in order to run the server:
{BA126AE5-2166-11D1-B1D0-00805FC1270E}



-- End of Deckard's System Scanner: finished at 2008-08-03 17:44:42 ------------




MAIN

Deckard's System Scanner v20071014.68
Run by Administrator on 2008-08-03 17:42:48
Computer is in Safe Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Failed to create restore point; computer is in safe mode.


-- Last 2 Restore Point(s) --
2: 2008-08-03 15:16:07 UTC - RP2 - Last known good configuration
1: 2008-08-03 15:15:59 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:44:00, on 03/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Safe mode

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\ctfmon.exe
F:\WINDOWS\Explorer.exe
F:\Documents and Settings\Administrator\Desktop\dss.exe
F:\PROGRA~1\TRENDM~1\HIJACK~1\Administrator.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {2DA6D7FA-FA98-4681-8C9F-4021B6506DA5} - F:\WINDOWS\system32\xxywVlIY.dll
O2 - BHO: {63c30653-b865-79fb-4294-1ee788d863e3} - {3e368d88-7ee1-4924-bf97-568b35603c36} - F:\WINDOWS\system32\hmrkwn.dll
O2 - BHO: (no name) - {514A5C49-0C7D-42c3-A71B-38864A269B7A} - F:\WINDOWS\system32\wtcmpusf.dll
O2 - BHO: (no name) - {55D17579-F6FF-4A63-981B-6683F99B9972} - F:\WINDOWS\system32\xxywTNhh.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: QXK Olive - {B763BE68-B1D1-41F4-9087-8BF71BB93155} - F:\WINDOWS\nfavxwdbdfm.dll
O2 - BHO: (no name) - {F7091A4C-1D81-4DAB-BEB6-B5B3CAB90094} - F:\WINDOWS\system32\tgrhyotx.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - F:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: fdkowvbp - {FB3486FF-2A37-4536-B847-D999BA4E7776} - F:\WINDOWS\fdkowvbp.dll
O4 - HKLM\..\Run: [AudioDrvEmulator] "F:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "F:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [lphcamwj0elqk] F:\WINDOWS\system32\lphcamwj0elqk.exe
O4 - HKLM\..\Run: [SMrhcemwj0elqk] F:\Program Files\rhcemwj0elqk\rhcemwj0elqk.exe
O4 - HKLM\..\Run: [BM97ed6ffb] Rundll32.exe "F:\WINDOWS\system32\ivlhnnxs.dll",s
O4 - HKLM\..\Run: [e79abffb] rundll32.exe "F:\WINDOWS\system32\yhtsonax.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1175616320046
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemreq.../sysreqlab2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.su...ows-i586-jc.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photob...ploader_uni.cab
O16 - DPF: {CE6BFF02-054C-4D55-8B27-BFB0E81B2A3E} - http://www.mtnsys.co...stall/setup.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.12) - http://www.yougamers...eminfo/MSC3.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O20 - AppInit_DLLs: hmrkwn.dll
O20 - Winlogon Notify: xxywTNhh - F:\WINDOWS\SYSTEM32\xxywTNhh.dll
O21 - SSODL: wnslvxtf - {B75EC61A-B37D-4B57-9BD3-A6D9EBF60957} - F:\WINDOWS\wnslvxtf.dll
O21 - SSODL: eqvwamkl - {4665CDE6-73DB-428F-A002-63395ABF27F7} - F:\WINDOWS\eqvwamkl.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: iPod Service - Apple Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - F:\Program Files\Kontiki\KService.exe
O23 - Service: TVersityMediaServer - Unknown owner - F:\Program Files\TVersity\Media Server\MediaServer.exe

--
End of file - 6373 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 giveio - f:\windows\system32\giveio.sys
R0 speedfan - f:\windows\system32\speedfan.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
R3 CLEDX (Team H2O CLEDX service) - f:\windows\system32\drivers\cledx.sys <Not Verified; Team H2O; CLEDX>
R3 vaxscsi - f:\windows\system32\drivers\vaxscsi.sys

S1 SCDEmu - f:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
S3 Ad-Watch Connect Filter (Ad-Watch Connect Kernel Filter) - f:\windows\system32\drivers\nsdriver.sys <Not Verified; Lavasoft AB; Ad-Watch Connections>
S3 ENTECH - f:\windows\system32\drivers\entech.sys <Not Verified; EnTech Taiwan; PowerStrip>
S3 L6DP - f:\windows\system32\drivers\l6dp.sys <Not Verified; Line 6; Line 6 Device Proxy>
S3 L6TPortA (Service - Line 6 TonePort UX1) - f:\windows\system32\drivers\l6tporta.sys <Not Verified; Line 6; GuitarPort>
S3 pcouffin (VSO Software pcouffin) - f:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
S3 US122 (US122 Driver) - f:\windows\system32\drivers\us122.sys <Not Verified; Frontier Design Group, LLC; TASCAM US-122>
S3 US122DL (US122 Firmware Downloader) - f:\windows\system32\drivers\us122dl.sys <Not Verified; Frontier Design Group; TASCAM US-122>
S3 Us122WdmService (US122 Wdm Audio) - f:\windows\system32\drivers\us122wdm.sys <Not Verified; Frontier Design Group, LLC; TASCAM US-122>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S2 KService - "f:\program files\kontiki\kservice.exe" <Not Verified; Kontiki Inc.; Delivery Manager>
S3 TVersityMediaServer - "f:\program files\tversity\media server\mediaserver.exe"
S4 Apple Mobile Device - "f:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
S4 Autodesk Licensing Service - "f:\program files\common files\autodesk shared\service\adskscsrv.exe"
S4 Bonjour Service (##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##) - "f:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Computer, Inc.; Bonjour>
S4 FLEXnet Licensing Service - "f:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>
S4 RichVideo (Cyberlink RichVideo Service(CRVS)) - "f:\program files\cyberlink\shared files\richvideo.exe" <Not Verified; ; RichVideo Module>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Device
Device ID: PCI\VEN_8086&DEV_284B&SUBSYS_A0021458&REV_02\3&13C0B0C5&0&D8
Manufacturer:
Name: PCI Device
PNP Device ID: PCI\VEN_8086&DEV_284B&SUBSYS_A0021458&REV_02\3&13C0B0C5&0&D8
Service:


-- Scheduled Tasks -------------------------------------------------------------

2008-08-02 20:59:27 418 --ah----- F:\WINDOWS\Tasks\User_Feed_Synchronization-{73741AED-916E-4318-87B5-9B9FACF275D1}.job
2007-12-21 17:34:01 284 --a------ F:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-07-03 and 2008-08-03 -----------------------------

2008-08-03 17:23:20 0 d-------- F:\Program Files\Trend Micro
2008-08-03 17:13:29 90624 --a------ F:\WINDOWS\system32\ivlhnnxs.dll
2008-08-03 17:12:43 118784 --a------ F:\WINDOWS\system32\tgrhyotx.dll
2008-08-03 17:12:41 118784 --a------ F:\WINDOWS\system32\vacijmxi.dll
2008-08-03 17:10:34 92160 --a------ F:\WINDOWS\system32\wtcmpusf.dll
2008-08-03 17:10:28 90624 --a------ F:\WINDOWS\system32\jjqycvid.dll
2008-08-03 17:09:50 0 d-------- F:\Documents and Settings\Deidre\Application Data\TmpRecentIcons
2008-08-03 16:44:09 0 d--h----- F:\Documents and Settings\Administrator\Templates
2008-08-03 16:44:09 0 dr------- F:\Documents and Settings\Administrator\Start Menu
2008-08-03 16:44:09 0 dr-h----- F:\Documents and Settings\Administrator\SendTo
2008-08-03 16:44:09 0 d--h----- F:\Documents and Settings\Administrator\Recent
2008-08-03 16:44:09 0 d--h----- F:\Documents and Settings\Administrator\PrintHood
2008-08-03 16:44:09 786432 --ah----- F:\Documents and Settings\Administrator\NTUSER.DAT
2008-08-03 16:44:09 0 d--h----- F:\Documents and Settings\Administrator\NetHood
2008-08-03 16:44:09 0 d-------- F:\Documents and Settings\Administrator\My Documents
2008-08-03 16:44:09 0 d--h----- F:\Documents and Settings\Administrator\Local Settings
2008-08-03 16:44:09 0 d-------- F:\Documents and Settings\Administrator\Favorites
2008-08-03 16:44:09 0 d-------- F:\Documents and Settings\Administrator\Desktop
2008-08-03 16:44:09 0 d--hs---- F:\Documents and Settings\Administrator\Cookies
2008-08-03 16:44:09 0 dr-h----- F:\Documents and Settings\Administrator\Application Data
2008-08-03 16:18:49 100864 --a------ F:\WINDOWS\system32\xmdanaym.dll
2008-08-03 16:18:49 100864 --a------ F:\WINDOWS\system32\hmrkwn.dll
2008-08-03 16:16:42 80896 --a------ F:\WINDOWS\system32\yhtsonax.dll
2008-08-03 16:16:36 90624 --a------ F:\WINDOWS\system32\nkcprmkt.dll
2008-08-03 16:15:48 598901 --ahs---- F:\WINDOWS\system32\YIlVwyxx.ini2
2008-08-03 16:15:45 246272 --a------ F:\WINDOWS\system32\xxywVlIY.dll
2008-08-03 16:07:25 0 d-------- F:\Program Files\rhcemwj0elqk
2008-08-03 16:07:11 393216 --a------ F:\WINDOWS\wnslvxtf.dll
2008-08-03 16:07:11 393216 --a------ F:\WINDOWS\nfavxwdbdfm.dll
2008-08-03 16:07:11 94208 --a------ F:\WINDOWS\grswptdl.exe
2008-08-03 16:07:11 192512 --a------ F:\WINDOWS\fdkowvbp.dll
2008-08-03 16:07:11 266240 --a------ F:\WINDOWS\eqvwamkl.dll
2008-08-03 16:07:11 163840 --a------ F:\WINDOWS\edot.exe
2008-08-03 16:07:08 60928 --a------ F:\WINDOWS\system32\blphcamwj0elqk.scr <Not Verified; Sysinternals; Sysinternals Blue Screen>
2008-08-03 16:07:06 36864 --a------ F:\WINDOWS\system32\xxywTNhh.dll
2008-08-03 16:07:06 36864 --a------ F:\WINDOWS\system32\urqQhfCv.dll
2008-08-03 16:07:01 114176 --a------ F:\WINDOWS\system32\lphcamwj0elqk.exe
2008-08-03 16:01:30 34 --ah----- F:\WINDOWS\system32\DVDConverter_sysquict.dat
2008-08-03 16:01:25 0 d-------- F:\Program Files\Abcc DVD to Mp4 Mp3 iPod MPEG AVI Ripper Pro
2008-08-03 14:00:19 0 d-------- F:\Program Files\Common Files\Adobe Systems Shared
2008-08-03 13:50:10 139264 --a------ F:\WINDOWS\system32\xvidvfw.dll
2008-08-03 13:50:10 524288 --a------ F:\WINDOWS\system32\xvidcore.dll
2008-08-03 13:50:09 0 d-------- F:\Program Files\Extra DVD to Sony PSP PS3 Ripper
2008-08-02 22:12:42 0 d-------- F:\Program Files\mkv2vob
2008-07-31 21:26:25 0 d-------- F:\Program Files\TVersity Codec Pack
2008-07-13 17:51:44 45568 --a------ F:\WINDOWS\UniFish3.exe
2008-07-12 11:40:32 0 d-------- F:\Program Files\DOSBox-0.72


-- Find3M Report ---------------------------------------------------------------

2008-08-03 14:34:35 0 d-------- F:\Program Files\Common Files\Adobe
2008-08-03 14:00:19 0 d-------- F:\Program Files\Common Files
2008-08-03 13:54:16 0 d--h----- F:\Program Files\InstallShield Installation Information
2008-08-02 22:12:24 0 d-------- F:\Program Files\Common Files\Wise Installation Wizard
2008-08-02 21:19:26 0 d-------- F:\Program Files\PeerGuardian2
2008-08-02 11:39:48 0 d-------- F:\Program Files\Electronic Arts
2008-07-31 21:38:50 0 d-------- F:\Program Files\AllToAVI
2008-07-30 19:50:25 0 d-------- F:\Program Files\DigiGuide TV Guide
2008-07-24 22:22:33 0 d-------- F:\Program Files\AltBinz
2008-07-20 11:42:49 0 d-------- F:\Program Files\Lavasoft
2008-07-13 17:51:35 0 d-------- F:\Program Files\Hasbro Interactive
2008-06-30 14:27:27 0 d-------- F:\Program Files\Avi2Dvd
2008-06-30 14:22:52 0 d-------- F:\Program Files\Atari
2008-06-30 13:21:43 0 d-------- F:\Program Files\AviSynth 2.5


-- Registry Dump ---------------------------------------------------------------



-- End of Deckard's System Scanner: finished at 2008-08-03 17:44:42 ------------
  • 0

#5
Rorschach112 (Ralphie)
  • Retired Staff
  • 47,710 posts
Hello

Please download OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
    F:\WINDOWS\system32\ivlhnnxs.dll
    F:\WINDOWS\system32\tgrhyotx.dll
    F:\WINDOWS\system32\vacijmxi.dll
    F:\WINDOWS\system32\wtcmpusf.dll
    F:\WINDOWS\system32\jjqycvid.dll
    F:\WINDOWS\system32\xmdanaym.dll
    F:\WINDOWS\system32\hmrkwn.dll
    F:\WINDOWS\system32\yhtsonax.dll
    F:\WINDOWS\system32\nkcprmkt.dll
    F:\WINDOWS\system32\YIlVwyxx.ini2
    F:\WINDOWS\system32\xxywVlIY.dll
    F:\Program Files\rhcemwj0elqk
    F:\WINDOWS\wnslvxtf.dll
    F:\WINDOWS\nfavxwdbdfm.dll
    F:\WINDOWS\grswptdl.exe
    F:\WINDOWS\fdkowvbp.dll
    F:\WINDOWS\eqvwamkl.dll
    F:\WINDOWS\edot.exe
    F:\WINDOWS\system32\blphcamwj0elqk.scr
    F:\WINDOWS\system32\xxywTNhh.dll
    F:\WINDOWS\system32\urqQhfCv.dll
    F:\WINDOWS\system32\lphcamwj0elqk.exe
    purity
    EmptyTemp
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Also post a new DSS log.
  • 0
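How a helper gets from a DSS log to a move list like the one in the post above is worth making explicit. The following is an added example for this thread, not code from DSS, OTMoveIt2 or the poster. It parses a subset of the "Files created" block copied from the DSS log posted earlier in this thread, flags entries whose names look machine-generated, pulls in files under the Windows directory that were written within two minutes of such a hit (the random-DLL drops in the log arrive in bursts), and renders the result in the list format OTMoveIt2 accepts. The name heuristics (a run of five consonants, almost no vowels, erratic letter case, a digit buried between letter runs) and the 120-second window are this example's own assumptions, tuned to the rhc*/lphc*/random-eight-letter family visible in this log; the output is a set of candidates for a human to review, not a verdict.

```python
# Added example for this thread (not DSS, OTMoveIt2 or the poster's code).
# Heuristics and the 120 s window are assumptions tuned to the log above.
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Subset of the "Files created between 2008-07-03 and 2008-08-03" block,
# copied from the DSS log posted earlier in this thread.
SAMPLE_LOG = r"""
2008-08-03 17:23:20 0 d-------- F:\Program Files\Trend Micro
2008-08-03 17:13:29 90624 --a------ F:\WINDOWS\system32\ivlhnnxs.dll
2008-08-03 17:12:43 118784 --a------ F:\WINDOWS\system32\tgrhyotx.dll
2008-08-03 17:12:41 118784 --a------ F:\WINDOWS\system32\vacijmxi.dll
2008-08-03 16:44:09 786432 --ah----- F:\Documents and Settings\Administrator\NTUSER.DAT
2008-08-03 16:18:49 100864 --a------ F:\WINDOWS\system32\xmdanaym.dll
2008-08-03 16:18:49 100864 --a------ F:\WINDOWS\system32\hmrkwn.dll
2008-08-03 16:15:48 598901 --ahs---- F:\WINDOWS\system32\YIlVwyxx.ini2
2008-08-03 16:15:45 246272 --a------ F:\WINDOWS\system32\xxywVlIY.dll
2008-08-03 16:07:25 0 d-------- F:\Program Files\rhcemwj0elqk
2008-08-03 16:07:11 94208 --a------ F:\WINDOWS\grswptdl.exe
2008-08-03 16:07:11 163840 --a------ F:\WINDOWS\edot.exe
2008-08-03 16:07:08 60928 --a------ F:\WINDOWS\system32\blphcamwj0elqk.scr <Not Verified; Sysinternals; Sysinternals Blue Screen>
2008-08-03 16:07:06 36864 --a------ F:\WINDOWS\system32\xxywTNhh.dll
2008-08-03 16:07:01 114176 --a------ F:\WINDOWS\system32\lphcamwj0elqk.exe
2008-08-03 16:01:30 34 --ah----- F:\WINDOWS\system32\DVDConverter_sysquict.dat
2008-08-03 16:01:25 0 d-------- F:\Program Files\Abcc DVD to Mp4 Mp3 iPod MPEG AVI Ripper Pro
2008-08-03 13:50:10 139264 --a------ F:\WINDOWS\system32\xvidvfw.dll
2008-08-02 22:12:42 0 d-------- F:\Program Files\mkv2vob
2008-07-13 17:51:44 45568 --a------ F:\WINDOWS\UniFish3.exe
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+([-a-z]{9})\s+(.+)$")
VOWELS = set("aeiouAEIOU")


@dataclass
class Entry:
    created: datetime
    attrs: str          # DSS attribute column, e.g. "d--------" or "--ahs----"
    path: str

    @property
    def name(self):
        return self.path.rsplit("\\", 1)[-1]

    @property
    def in_windows_dir(self):
        return re.match(r"^[a-z]:\\windows\\", self.path.lower()) is not None


def parse_dss_files(text):
    """Parse DSS 'Files created' lines; a trailing '<Not Verified; ...>' note is dropped."""
    entries = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, _size, attrs, rest = m.groups()
            path = rest.split(" <", 1)[0].strip()
            entries.append(Entry(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), attrs, path))
    return entries


def name_reasons(entry):
    """Heuristics (assumptions) for a machine-generated file or folder name."""
    name = entry.name
    stem = name if entry.attrs.startswith("d") or "." not in name else name.rsplit(".", 1)[0]
    reasons = []
    for tok in re.findall(r"[A-Za-z]+", stem):          # judge each word separately
        if re.search(r"[^aeiouAEIOU]{5}", tok):
            reasons.append("5+ consonants in a row")
        elif len(tok) >= 8 and sum(c in VOWELS for c in tok) / len(tok) < 0.25:
            reasons.append("almost no vowels")
        if sum(a.isupper() != b.isupper() for a, b in zip(tok[1:], tok[2:])) >= 3:
            reasons.append("erratic letter case")
    if re.search(r"[a-z]{4,}\d[a-z]{3,}", stem):        # rhc*/lphc* family: letters-digit-letters
        reasons.append("digit buried in a random-looking name")
    return list(dict.fromkeys(reasons))


def triage(entries, window=timedelta(seconds=120)):
    """Flag by name, then pull in Windows-directory files written within `window` of a hit."""
    why = {e.path: "; ".join(r) for e in entries if (r := name_reasons(e))}
    hits = [e for e in entries if e.path in why]
    for e in entries:
        if e.path in why or not e.in_windows_dir:
            continue
        near = [h for h in hits if abs(h.created - e.created) <= window]
        if near:
            why[e.path] = f"written within {window.seconds}s of {near[0].name}"
    return [(e, why[e.path]) for e in entries if e.path in why]


def otmoveit_script(flagged):
    """Render candidates in the list format the post above feeds to OTMoveIt2."""
    body = [e.path for e, _ in flagged]
    return "\n".join(["[kill explorer]", *body, "purity", "EmptyTemp", "[start explorer]"])


if __name__ == "__main__":
    hits = triage(parse_dss_files(SAMPLE_LOG))
    for e, reason in hits:
        print(f"{e.created:%H:%M:%S}  {e.path}\n          -> {reason}")
    print("\n" + otmoveit_script(hits))
```

On this sample every path the script flags appears in the post's move list, and the entries the post leaves alone (xvidvfw.dll, mkv2vob, UniFish3.exe, DVDConverter_sysquict.dat, the Administrator profile) stay unflagged. Names that the letter heuristics miss, such as vacijmxi.dll and edot.exe, are caught only because they were written in the same burst as a hit, which is why the timing rule is restricted to the Windows directory: applied to Program Files it would sweep in whatever the user happened to install that minute.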

#6
Rorschach112 (Ralphie)
  • Retired Staff
  • 47,710 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0