[DMVlite infection]

Discussion in 'Malware and Virus Removal Archive' started by footdoc911, 2005/01/26.

Thread Status:
Not open for further replies.
  1. 2005/01/26
    footdoc911

    footdoc911 Inactive Thread Starter

    Joined:
    2005/01/26
    Messages:
    2
    Likes Received:
    0
    I've been infected by DMVlite. This is what hijacker says. Any ideas about how I can get this off my computer? By the way, Great site!


    Logfile of HijackThis v1.99.0
    Scan saved at 8:49:32 PM, on 1/26/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\system32\cleanmgr.exe
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    C:\Program Files\Yahoo!\browser\ybrwicon.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\Dupuis\Desktop\HijackThis.exe

    O4 - HKLM\..\Run: [bpxxqh] c:\windows\system32\bpxxqh.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D7F1E069-897A-4F3A-940A-D278F72B4826}: NameServer = 151.164.11.201 151.164.30.104
    O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: ISEXEng - Unknown - C:\WINDOWS\System32\angelex.exe (file missing)
    O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)
     
  2. 2005/01/26
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Hi footdoc911 and welcome. I modified your thread title a little and moved it to a section that should get it better attention.

    Not nearly the usual amount of entries in your Hijackthis log. Did you run it from safe mode or with lots of stuff unchecked in msconfig? If so, we need to see one run from normal mode and all the msconfig startup stuff set to start. Otherwise pieces of infection can hide out too easily.

    Also, you need to move the hijackthis.exe file to a regular folder (so not a temp one) some place other than your desktop. I like c:\hjt personally. Otherwise when we get to removing things with it, you will have trash strewn around the desktop.

    Please give us another log file when you've done the above.
     
    Newt,
    #2

  4. 2005/01/26
    footdoc911

    footdoc911 Inactive Thread Starter

    Joined:
    2005/01/26
    Messages:
    2
    Likes Received:
    0
    Thanks for the reply.

    I did what you said and here is what it said.

    Logfile of HijackThis v1.99.0
    Scan saved at 10:53:43 PM, on 1/26/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Yahoo!\browser\ybrowser.exe
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    C:\Program Files\Yahoo!\browser\ybrwicon.exe
    C:\Documents and Settings\Dupuis\My Documents\hijack\HijackThis.exe

    O4 - HKLM\..\Run: [bpxxqh] c:\windows\system32\bpxxqh.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D7F1E069-897A-4F3A-940A-D278F72B4826}: NameServer = 151.164.11.201 151.164.30.104
    O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: ISEXEng - Unknown - C:\WINDOWS\System32\angelex.exe (file missing)
    O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)
     
  5. 2005/01/28
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Hi

    Like Newt says, we need to see a log taken when everything that you have disabled with any startup manager has been re-enabled.
    Do that after >

    Start Hijackthis and place a check next to these items,
    Close all browser windows and shut down all other programs that show in the taskbar. (even Folders) Hit fix checked and close Hijackthis.
    O4 - HKLM\..\Run: [bpxxqh] c:\windows\system32\bpxxqh.exe
    O23 - Service: ISEXEng - Unknown - C:\WINDOWS\System32\angelex.exe (file missing)
    O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)
    =================
    When it fixes those services, say no to the prompt to restart the PC. Exit, then restart manually.

    Install, update and run both SpyBot 1.3 and Ad-Aware SE 1.5
    Scanning with Spybot and Ad-Aware : http://www.windowsbbs.com/showpost.php?p=159029&postcount=2
    Always let them restart the PC if it's suggested.

    Post a new HijackThis log
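
Added example, not part of the original thread and not HijackThis's own logic: a small Python triage that parses the O4 and O23 lines of a HijackThis log and flags for manual review the kind of entries listed in the post above. The two heuristics (a service whose vendor shows as "Unknown" and whose file is missing; a Run value named after its own executable sitting directly in system32) and all function names are assumptions for illustration, and a flag means "look at this", not a verdict.

```python
import ntpath
import re

# Constructed sample: entry lines copied from the second log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [bpxxqh] c:\windows\system32\bpxxqh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O17 - HKLM\System\CCS\Services\Tcpip\..\{D7F1E069-897A-4F3A-940A-D278F72B4826}: NameServer = 151.164.11.201 151.164.30.104
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: ISEXEng - Unknown - C:\WINDOWS\System32\angelex.exe (file missing)
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)
"""

ENTRY = re.compile(r"^(O\d+) - (.*)$")
RUN = re.compile(r"^HK\w+\\\.\.\\Run\w*: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
SERVICE = re.compile(r"^Service: (?P<name>.+?) - (?P<vendor>.+?) - "
                     r"(?P<path>.+?)(?P<missing> \(file missing\))?$")

def exe_of(cmd):
    """Executable path from a Run command line (quoted path or first token)."""
    m = re.match(r'"([^"]+)"|(\S+)', cmd)
    return m.group(1) or m.group(2)

def triage(log_text):
    """Return (section, name, reason) for entries worth a manual look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        if section == "O23":
            s = SERVICE.match(body)
            # Assumed heuristic: vendor shown as Unknown and the binary is gone.
            if s and s["vendor"] == "Unknown" and s["missing"]:
                findings.append((section, s["name"], "unknown vendor, file missing"))
        elif section == "O4":
            r = RUN.match(body)
            if not r:
                continue
            exe = exe_of(r["cmd"])
            stem = ntpath.splitext(ntpath.basename(exe))[0].lower()
            parent = ntpath.basename(ntpath.dirname(exe)).lower()
            # Assumed heuristic: value named after its own exe, directly in system32.
            if parent == "system32" and stem == r["name"].lower():
                findings.append((section, r["name"], "Run value named after system32 exe"))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding, sep=" | ")
```

Unquoted Run commands whose path contains spaces are cut at the first space by `exe_of`, so such entries need a manual check.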
     