
DMVlite + log. Please help! :(

Discussion in 'Malware and Virus Removal Archive' started by maryzaint, 2005/03/03.

Thread Status:
Not open for further replies.
  1. 2005/03/03
    maryzaint

    maryzaint Inactive Thread Starter

    Joined:
    2005/03/03
    Messages:
    1
    Likes Received:
    0
    So I don't know much when it comes to computers, but I am familiar with Spybot, Ad-Aware, and Norton when it comes to getting rid of spyware and viruses.
    I've been getting mass amounts of pop-ups lately, and I even had random icons appear on my desktop while online. I stumbled into this site and downloaded and ran HijackThis. I know for a fact I somehow have DMV Lite on my PC, and when I try to remove it I just can't seem to! Please, someone help! I would be forever grateful!!! :)
    Please go easy on me; again, I am a bit of a moron when it comes to technical stuff. hehe. :eek:

    Here's my log....

    Logfile of HijackThis v1.99.1
    Scan saved at 12:37:44 AM, on 3/3/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\WINDOWS\System32\GEARSEC.EXE
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsgSys.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\WINDOWS\sdlrvs.exe
    C:\windows\system32\msnavc32.exe
    C:\WINDOWS\System32\pctspk.exe
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\vmss\vmss.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
    C:\WINDOWS\System32\sysmonnt.exe
    C:\Program Files\CxtPls\CxtPls.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\wincagk32.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\System32\ap9h4qmo.exe
    C:\DOCUMENTS AND SETTINGS\GIR\DESKTOP\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://69.42.87.219/sidesearch.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.42.87.219/sidesearch.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.42.87.219/sidesearch.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://aynrpf.t.muxa.cc/s.php?aid=586 (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://aynrpf.t.muxa.cc/s.php?aid=586 (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://aynrpf.t.muxa.cc/h.php?aid=586 (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://69.42.87.219/sidesearch.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://69.42.87.219/sidesearch.html
    O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - (no file)
    O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
    O2 - BHO: (no name) - {0BEE6A26-919C-4F3C-BE79-1C47E8F6C066} - C:\Program Files\ewu6j6x4\ewu6j6x4.dll
    O2 - BHO: SearchToolbarBHOObject - {12EE7A5E-0674-42f9-A76A-000000004D00} - C:\WINDOWS\System32\stlb2.dll
    O2 - BHO: RsyncHlpr Class - {16B238D5-80DE-47CE-8F17-B3ECE2C2248D} - C:\WINDOWS\System32\rsyncmon.dll
    O2 - BHO: (no name) - {19C24EBB-E943-451C-B1C7-CE03926A254C} - C:\Program Files\ewu6j6x4\ewu6j6x4.dll
    O2 - BHO: (no name) - {1CE702A3-EA74-4096-82BB-F65FB982B9E4} - C:\Program Files\ewu6j6x4\ewu6j6x4.dll
    O2 - BHO: (no name) - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - (no file)
    O2 - BHO: MSW.cIExplorer - {4B57B77A-B130-4EB8-8CFB-42B880F6D311} - C:\Documents and Settings\All Users\Application Data\msw\MSW.dll
    O2 - BHO: (no name) - {4B5EC581-65ED-4A21-BCB7-9607739EF816} - C:\Program Files\ewu6j6x4\ewu6j6x4.dll
    O2 - BHO: (no name) - {4B6E632F-3289-448E-9663-0CFE588743A2} - C:\Program Files\ewu6j6x4\ewu6j6x4.dll
    O2 - BHO: (no name) - {52B98898-C9A0-4D25-B5BE-003F41ABDEFE} - C:\Program Files\ewu6j6x4\ewu6j6x4.dll
    O2 - BHO: CAUN Object - {59F12660-2B92-4554-98F9-87295AD8A0CE} - C:\WINDOWS\System32\AUNBHO.dll
    O2 - BHO: (no name) - {69D920A2-FD4D-42B2-B970-FC273B61FF35} - C:\Program Files\ewu6j6x4\ewu6j6x4.dll
    O2 - BHO: (no name) - {7E6263EB-4D13-42B7-8661-27650A9704C4} - C:\Program Files\ewu6j6x4\ewu6j6x4.dll
    O2 - BHO: (no name) - {86274A99-D6D1-421F-886D-3E5F62B9F69C} - C:\Program Files\ewu6j6x4\ewu6j6x4.dll
    O2 - BHO: SDWin32 Class - {8F15B43D-F249-4005-8412-7DEF0259D88C} - C:\WINDOWS\System32\jhysq.dll
    O2 - BHO: (no name) - {A45617C5-8F5B-4D1F-9F2F-C9F3BD1D8423} - C:\Program Files\ewu6j6x4\ewu6j6x4.dll
    O2 - BHO: (no name) - {A67B9772-AFD0-4F2B-8F3A-07DB037D164C} - C:\Program Files\ewu6j6x4\ewu6j6x4.dll
    O2 - BHO: (no name) - {AACD84C1-F9A9-40EB-B37C-D9064EEB3BB7} - C:\Program Files\ewu6j6x4\ewu6j6x4.dll
    O2 - BHO: (no name) - {B5A86851-DBE6-4A8D-9441-C833A99CBC28} - C:\Program Files\ewu6j6x4\ewu6j6x4.dll
    O2 - BHO: (no name) - {C6C5034C-E8C9-4CE9-A81F-DEE2A18AB9DC} - C:\Program Files\ewu6j6x4\ewu6j6x4.dll
    O2 - BHO: ohb - {CB5B2BC6-F957-4D8A-BE67-83F3EC58BA01} - C:\WINDOWS\System32\dsktrf.dll
    O2 - BHO: (no name) - {DCD928EA-3476-4D6C-B5D5-452AF74F749C} - C:\Program Files\ewu6j6x4\ewu6j6x4.dll
    O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
    O3 - Toolbar: Search - {12EE7A5E-0674-42f9-A76B-000000004D00} - C:\WINDOWS\System32\stlb2.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [rsgmrc] C:\WINDOWS\System32\rsgmrc.exe
    O4 - HKLM\..\Run: [C:\WINDOWS\sdlrvs.exe] C:\WINDOWS\sdlrvs.exe
    O4 - HKLM\..\Run: [App32dll] C:\windows\system32\msnavc32.exe lee0105
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [vmss] C:\WINDOWS\System32\vmss\vmss.exe
    O4 - HKLM\..\Run: [{12EE7A5E-0674-42f9-A76B-000000004D00}] rundll32.exe stlb2.dll,DllRunMain
    O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
    O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
    O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
    O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
    O4 - HKLM\..\Run: [RSync] C:\WINDOWS\System32\netsync.exe
    O4 - HKLM\..\Run: [ap9h4qmo] C:\WINDOWS\System32\ap9h4qmo.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [windll32.exe] C:\WINDOWS\System32\windll32.exe
    O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\System32\sysmonnt
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Reality Fusion GameCam SE.lnk = ?
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: Get It With Kontiki - res://C:\Program Files\Kontiki\bin\bh309190.dll/201
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{BC957E3C-0236-4CC5-B846-B592C8BE6D86}: NameServer = 65.38.224.6 64.63.192.17
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
    O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSEC.EXE
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe



    Thanks for any help in advance!
     
    Last edited: 2005/03/03
  2. 2005/03/03
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    Hello, welcome to the boards.
    Part of your computer's problem is that your Windows is out of date and full of security holes. You should go to Windows Update and get Service Pack 2 installed when your HJT log shows clean.

    Uninstall Viewpoint Manager.

    Disable System Restore, and reboot. It is important to do this, as deleted files will reappear otherwise.

    Close all internet browsers, and have all Windows Explorer windows closed. Rescan with HJT and remove these items.

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://69.42.87.219/sidesearch.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.42.87.219/sidesearch.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.42.87.219/sidesearch.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://aynrpf.t.muxa.cc/s.php?aid=586 (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://aynrpf.t.muxa.cc/s.php?aid=586 (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://aynrpf.t.muxa.cc/h.php?aid=586 (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://69.42.87.219/sidesearch.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://69.42.87.219/sidesearch.html
    O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - (no file)
    O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
    O2 - BHO: (no name) - {0BEE6A26-919C-4F3C-BE79-1C47E8F6C066} - C:\Program Files\ewu6j6x4\ewu6j6x4.dll
    O2 - BHO: SearchToolbarBHOObject - {12EE7A5E-0674-42f9-A76A-000000004D00} - C:\WINDOWS\System32\stlb2.dll
    O2 - BHO: (no name) - {19C24EBB-E943-451C-B1C7-CE03926A254C} - C:\Program Files\ewu6j6x4\ewu6j6x4.dll
    O2 - BHO: (no name) - {1CE702A3-EA74-4096-82BB-F65FB982B9E4} - C:\Program Files\ewu6j6x4\ewu6j6x4.dll
    O2 - BHO: (no name) - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - (no file)
    O2 - BHO: MSW.cIExplorer - {4B57B77A-B130-4EB8-8CFB-42B880F6D311} - C:\Documents and Settings\All Users\Application Data\msw\MSW.dll
    O2 - BHO: (no name) - {4B5EC581-65ED-4A21-BCB7-9607739EF816} - C:\Program Files\ewu6j6x4\ewu6j6x4.dll
    O2 - BHO: (no name) - {4B6E632F-3289-448E-9663-0CFE588743A2} - C:\Program Files\ewu6j6x4\ewu6j6x4.dll
    O2 - BHO: (no name) - {52B98898-C9A0-4D25-B5BE-003F41ABDEFE} - C:\Program Files\ewu6j6x4\ewu6j6x4.dll
    O2 - BHO: CAUN Object - {59F12660-2B92-4554-98F9-87295AD8A0CE} - C:\WINDOWS\System32\AUNBHO.dll
    O2 - BHO: (no name) - {69D920A2-FD4D-42B2-B970-FC273B61FF35} - C:\Program Files\ewu6j6x4\ewu6j6x4.dll
    O2 - BHO: (no name) - {7E6263EB-4D13-42B7-8661-27650A9704C4} - C:\Program Files\ewu6j6x4\ewu6j6x4.dll
    O2 - BHO: (no name) - {86274A99-D6D1-421F-886D-3E5F62B9F69C} - C:\Program Files\ewu6j6x4\ewu6j6x4.dll
    O2 - BHO: SDWin32 Class - {8F15B43D-F249-4005-8412-7DEF0259D88C} - C:\WINDOWS\System32\jhysq.dll
    O2 - BHO: (no name) - {A45617C5-8F5B-4D1F-9F2F-C9F3BD1D8423} - C:\Program Files\ewu6j6x4\ewu6j6x4.dll
    O2 - BHO: (no name) - {A67B9772-AFD0-4F2B-8F3A-07DB037D164C} - C:\Program Files\ewu6j6x4\ewu6j6x4.dll
    O2 - BHO: (no name) - {AACD84C1-F9A9-40EB-B37C-D9064EEB3BB7} - C:\Program Files\ewu6j6x4\ewu6j6x4.dll
    O2 - BHO: (no name) - {B5A86851-DBE6-4A8D-9441-C833A99CBC28} - C:\Program Files\ewu6j6x4\ewu6j6x4.dll
    O2 - BHO: (no name) - {C6C5034C-E8C9-4CE9-A81F-DEE2A18AB9DC} - C:\Program Files\ewu6j6x4\ewu6j6x4.dll
    O2 - BHO: ohb - {CB5B2BC6-F957-4D8A-BE67-83F3EC58BA01} - C:\WINDOWS\System32\dsktrf.dll
    O2 - BHO: (no name) - {DCD928EA-3476-4D6C-B5D5-452AF74F749C} - C:\Program Files\ewu6j6x4\ewu6j6x4.dll
    O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
    O3 - Toolbar: Search - {12EE7A5E-0674-42f9-A76B-000000004D00} - C:\WINDOWS\System32\stlb2.dll
    O4 - HKLM\..\Run: [rsgmrc] C:\WINDOWS\System32\rsgmrc.exe
    O4 - HKLM\..\Run: [C:\WINDOWS\sdlrvs.exe] C:\WINDOWS\sdlrvs.exe
    O4 - HKLM\..\Run: [App32dll] C:\windows\system32\msnavc32.exe lee0105
    O4 - HKLM\..\Run: [vmss] C:\WINDOWS\System32\vmss\vmss.exe
    O4 - HKLM\..\Run: [{12EE7A5E-0674-42f9-A76B-000000004D00}] rundll32.exe stlb2.dll,DllRunMain
    O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
    O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
    O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
    O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
    O4 - HKLM\..\Run: [RSync] C:\WINDOWS\System32\netsync.exe
    O4 - HKLM\..\Run: [ap9h4qmo] C:\WINDOWS\System32\ap9h4qmo.exe
    O4 - HKCU\..\Run: [windll32.exe] C:\WINDOWS\System32\windll32.exe
    O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\System32\sysmonnt

    Reboot into Safe Mode and set Windows Explorer Folder Options to "Show hidden files and folders". Go to the toolbar at Tools\Folder Options, click on the View tab. Click on the circle next to "Show hidden files and folders", then Apply, then OK.

    Delete all files in the folder C:\Windows\Prefetch, and all files and folders located in the Temp folders for all users.

    Delete these folders.

    C:\Program Files\CxtPls
    C:\Documents and Settings\All Users\Application Data\msw
    C:\Program Files\ewu6j6x4
    C:\WINDOWS\System32\vmss
    C:\WINDOWS\System32\wsxsvc

    Delete these files.

    C:\WINDOWS\System32\jhysq.dll
    C:\WINDOWS\System32\dsktrf.dll
    C:\WINDOWS\System32\stlb2.dll
    C:\WINDOWS\System32\AUNBHO.dll
    C:\WINDOWS\System32\rsgmrc.exe
    C:\WINDOWS\sdlrvs.exe
    C:\windows\system32\msnavc32.exe
    C:\WINDOWS\farmmext.exe
    C:\WINDOWS\System32\netsync.exe
    C:\WINDOWS\System32\ap9h4qmo.exe
    C:\WINDOWS\System32\windll32.exe
    C:\WINDOWS\System32\sysmonnt
    This last one may be in the windows folder or windows\system32 folder.
    E6F1873B.DLL

    Clear out the Recycle Bin, surf for a bit, and then post a new log.
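The log in the first post and the removal list in the reply above follow a fixed HijackThis line format (`R0`/`R1` browser settings, `O2` BHOs, `O4` Run keys, `O23` services), so the triage a helper does by eye can be scripted. The following is an added example, not code from the thread or from HijackThis: it parses a short sample cut from the posted log, flags the patterns the helper acted on (search pages pointing at a bare IP or an obfuscated URL, orphaned BHOs, one DLL registered under many CLSIDs, Run values with random-looking or hex-only names), and marks flagged executables that also appear under "Running processes", since those are the ones that have to be deleted from Safe Mode. All regexes and thresholds are this script's own heuristics, not HijackThis verdicts.

```python
import re
from collections import defaultdict

# Constructed sample: a dozen lines copied from the HijackThis log posted in
# this thread, trimmed so the script runs offline.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\ap9h4qmo.exe
C:\Program Files\iTunes\iTunesHelper.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://69.42.87.219/sidesearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://aynrpf.t.muxa.cc/h.php?aid=586 (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - (no file)
O2 - BHO: (no name) - {0BEE6A26-919C-4F3C-BE79-1C47E8F6C066} - C:\Program Files\ewu6j6x4\ewu6j6x4.dll
O2 - BHO: (no name) - {19C24EBB-E943-451C-B1C7-CE03926A254C} - C:\Program Files\ewu6j6x4\ewu6j6x4.dll
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [ap9h4qmo] C:\WINDOWS\System32\ap9h4qmo.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
"""

# Heuristic patterns (assumptions of this script, not HijackThis rules).
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.+)$")
EXE_RE = re.compile(r'^"?(?P<path>.*?\.exe)"?(?:\s|$)', re.I)
IP_URL_RE = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}/")
RANDOM_STEM_RE = re.compile(r"^(?=.*\d)[a-z0-9]{6,}$")       # e.g. ap9h4qmo
HEX_NAME_RE = re.compile(r"^[0-9A-F]{8,}(?:\.DLL)?$", re.I)  # e.g. D0CE0C16B1


def parse_log(text):
    """Split an HJT log into (running process paths, [(section, body)])."""
    processes, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            entries.append((m.group("sec"), m.group("body")))
        elif in_procs and line:
            processes.append(line)
    return processes, entries


def triage(text):
    """Return [(section, body, reason)] for entries worth a second look."""
    processes, entries = parse_log(text)
    running = {p.rsplit("\\", 1)[-1].lower() for p in processes}
    hits, bho_by_dll = [], defaultdict(list)
    for sec, body in entries:
        if sec in ("R0", "R1"):
            if IP_URL_RE.search(body) or "(obfuscated)" in body:
                hits.append((sec, body, "search/start page set to a bare-IP or obfuscated URL"))
        elif sec == "O2":
            path = body.rsplit(" - ", 1)[-1]
            if path == "(no file)":
                hits.append((sec, body, "orphaned BHO registration (DLL already gone)"))
            else:
                bho_by_dll[path.lower()].append(body)
        elif sec == "O4":
            m = RUN_RE.match(body)
            if not m:
                continue  # Global Startup and other O4 forms are not handled here
            key, cmd = m.group("key"), m.group("cmd")
            m_exe = EXE_RE.match(cmd)
            target = m_exe.group("path") if m_exe else cmd.split()[0]
            exe = target.rsplit("\\", 1)[-1].lower()
            stem = exe.rsplit(".", 1)[0]
            args = cmd[len(m_exe.group(0)):].split() if m_exe else []
            reason = None
            if exe == "rundll32.exe":
                dll = args[0].split(",")[0] if args else ""
                if HEX_NAME_RE.match(dll):
                    reason = "rundll32 loads a DLL with a hex-only name and no path"
            elif key.lower() == stem and RANDOM_STEM_RE.match(stem):
                reason = "Run value named after a random-looking executable"
                if exe in running:
                    reason += "; process is running, so delete it from Safe Mode"
            if reason:
                hits.append((sec, body, reason))
    # A single DLL hiding behind many CLSIDs is the ewu6j6x4 pattern in the log.
    for dll, bodies in bho_by_dll.items():
        if len(bodies) > 1:
            hits.append(("O2", dll, f"one DLL registered under {len(bodies)} BHO CLSIDs"))
    return hits


if __name__ == "__main__":
    for sec, body, reason in triage(SAMPLE_LOG):
        print(f"{sec}: {reason}\n    {body}")
```

Run it against a full log with `triage(open("hijackthis.log").read())`; it is a first pass only, and a flagged `O4` entry still needs the file checked before deletion, exactly as the reply above does by hand.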
     


