
Another hit by DMVlite

Discussion in 'Malware and Virus Removal Archive' started by Dodge981734, 2005/01/26.

Thread Status:
Not open for further replies.
  1. 2005/01/26 - Dodge981734 (Thread Starter)
    Another hit

    Hi,

    I'm also new to this site, but have found some of the information very useful. I too have got DMVLite. I have read through some of the other threads, but they all seem to be different. I have used HijackThis and got these results:

    Logfile of HijackThis v1.99.0
    Scan saved at 13:13:40, on 26/01/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\System32\msupd4.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\UltraVNC\WinVNC.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
    C:\WINDOWS\System32\vmss\vmss.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\ACT\SideACT.exe
    C:\WINDOWS\regedit.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Documents and Settings\william\My Documents\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50162
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O2 - BHO: (no name) - {400694D4-F3C4-2912-8BD5-26FBE001E146} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
    O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
    O4 - HKLM\..\Run: [vmss] C:\WINDOWS\System32\vmss\vmss.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: SideACT!.lnk = C:\Program Files\ACT\SideACT.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bvet.co.uk
    O17 - HKLM\Software\..\Telephony: DomainName = bvet.co.uk
    O17 - HKLM\System\CCS\Services\Tcpip\..\{49F9FD1D-8DEA-4177-9E03-47245991377C}: NameServer = 10.0.10.1,195.12.4.247
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bvet.co.uk
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = bvet.co.uk
    O23 - Service: Symantec AntiVirus Definition Watcher - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Macromedia Licensing Service - Unknown - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Miscrosoft Updates Service 4 - Unknown - C:\WINDOWS\System32\msupd4.exe
    O23 - Service: SAVRoam - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: VNC Server - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe


    Any ideas?
     
  2. 2005/01/27 - noahdfear
    Welcome to WindowsBBS Dodge981734:) Sorry for the delayed response.

    You should print this out and/or save it to text where you can access it in safe mode.

    ** You may need to shut down Spybot's TeaTimer for any of this to work.

    Go to start>run and type services.msc. Locate Miscrosoft Updates Service 4 in the list, right click and select properties. Stop the service and set to disabled, click apply and OK out.

    Download CWShredder 2.0 from here. Save it to the desktop. Double click to install.

    Make sure you're using Ad-aware SE 1.05, update then install the vx2plugin
    found here.
    http://www.lavasoft.de/software/addons/vx2cleaner.shtml
    Run it as described on that page from inside ad-aware. Reboot.
    Do a full scan and delete all it finds.

    Download LSPFix.zip. If you lose internet connectivity after running Ad-aware, or if the O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll entry is still present in the next HijackThis scan, unzip LSPFix and run it. Place the aklsp.dll entries in the remove column, check the box "I know what I am doing" and click finish.

    Scan again with HijackThis and place a check next to the following entries. Close ALL other windows and click fix.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50162
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: (no name) - {400694D4-F3C4-2912-8BD5-26FBE001E146} - (no file)
    O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
    O4 - HKLM\..\Run: [vmss] C:\WINDOWS\System32\vmss\vmss.exe

    Right click My Computer and choose properties. On system restore tab, check the box to turn off. OK out.

    Go to start>run and type msconfig, hit enter. On the boot.ini tab, check the box next to /safeboot and OK. Yes to restart. This will restart your computer in safe mode. Logon to your user account.

    Now in safe mode, you will need to show hidden files and folders, as well as system files and extensions for known file types.

    Open CWShredder from the new shortcut on the desktop, close ALL other windows and click fix.

    Open C:\WINDOWS\system32 and delete the file msupd4.exe and folders vmss and wsxsvc.
    Open C:\Program Files and delete the folder Toolbar.
    Open C:\Temp if present, select all and delete.
    Open C:\Windows\Temp, select all and delete.
    Open C:\Documents and Settings\username\Local Settings\temp, select all and delete. Do this for all usernames.
    Open the control panel, then internet options and delete the temporary internet files, checking the box for offline content.
    Open My Computer, right click Local disk C: and choose properties, then disk cleanup. Check all boxes except compress old files and OK.

    Scan your PC with RAV. If any files are infected, click the report button then copy and paste it here.

    Run another HijackThis scan and post the log.
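The instructions above boil down to a handful of entry classes that mark this infection in a HijackThis log: hosts-file redirects to a non-local address, an IE search hijack, an orphaned BHO, autorun binaries sitting in private folders under System32, an unknown Winsock LSP and a service by an "Unknown" vendor with a Microsoft-lookalike name. The script below is an added example (not part of this thread, not a WindowsBBS or HijackThis tool) that parses the log lines quoted above, collapses the repeated O10 lines, and flags exactly those classes. The sample log is a constructed subset of the poster's own lines, the "trusted search hosts" list and the System32-subfolder rule are heuristics chosen for this example, and the empty LinksFolderName value is deliberately left alone because it is harmless on its own.

```python
import re
from typing import List, Tuple
from urllib.parse import urlparse

# Constructed sample: a subset of the HijackThis lines quoted earlier in this thread.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50162
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O2 - BHO: (no name) - {400694D4-F3C4-2912-8BD5-26FBE001E146} - (no file)
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [vmss] C:\WINDOWS\System32\vmss\vmss.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O23 - Service: Miscrosoft Updates Service 4 - Unknown - C:\WINDOWS\System32\msupd4.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>R[0-3]|F\d|O\d+) - (?P<body>.+)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)")
SERVICE_RE = re.compile(r"^Service:\s+(?P<name>.+?)\s+-\s+(?P<vendor>.+?)\s+-\s+(?P<path>.+)$")
# An .exe in a private subfolder directly under System32 (System32\xyz\xyz.exe) is not how
# Windows lays out its own binaries; this is the pattern of the wsxsvc/vmss droppers above.
SYS32_SUBDIR_EXE = re.compile(r"\\system32\\[^\\\s\"]+\\[^\\\s\"]+\.exe\b", re.IGNORECASE)
# A service binary dropped straight into System32 by a vendor HijackThis cannot identify.
SYS32_EXE = re.compile(r"\\system32\\[^\\]+\.exe$", re.IGNORECASE)
# Addresses a hosts entry may legitimately point at; anything else is a redirect.
LOCAL_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}
# Heuristic (assumption for this example): where IE's own search settings normally point.
TRUSTED_SEARCH_HOSTS = (".microsoft.com", ".msn.com")


def _search_hijacked(body: str) -> bool:
    """True when an R0/R1 search value is about:blank, a res:// DLL or a foreign URL."""
    value = body.partition("=")[2].strip()
    if not value:
        return False  # empty value (e.g. LinksFolderName) is harmless by itself
    if value.startswith(("about:", "res://")):
        return True
    host = urlparse(value).hostname or ""
    return value.startswith("http") and not host.endswith(TRUSTED_SEARCH_HOSTS)


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (log line, reason) for every distinct entry that matches the fix list above."""
    findings: List[Tuple[str, str]] = []
    seen = set()
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line in seen:
            continue  # HijackThis prints one O10 line per LSP chain slot; report the DLL once
        seen.add(line)
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        reason = None
        if kind in ("R0", "R1") and _search_hijacked(body):
            reason = "IE search setting hijacked (not a Microsoft/MSN URL)"
        elif kind == "O1":
            h = HOSTS_RE.match(body)
            if h and h.group("ip") not in LOCAL_ADDRS:
                reason = f"hosts file redirects {h.group('host')} to {h.group('ip')}"
        elif kind == "O2" and body.endswith("(no file)"):
            reason = "orphaned BHO registration, binary already gone"
        elif kind == "O4" and SYS32_SUBDIR_EXE.search(body):
            reason = "autorun binary in a private System32 subfolder"
        elif kind == "O10" and body.startswith("Unknown file in Winsock LSP"):
            reason = "unknown Winsock LSP; unchain with LSPFix, do not just delete the DLL"
        elif kind == "O23":
            s = SERVICE_RE.match(body)
            if s:
                name = s.group("name").lower()
                lookalike = "icrosoft" in name and "microsoft" not in name
                if s.group("vendor").lower() == "unknown" and (lookalike or SYS32_EXE.search(s.group("path"))):
                    reason = f"service '{s.group('name')}' by unknown vendor ({s.group('path')})"
        if reason:
            findings.append((line, reason))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

Run against the first log in this thread it flags the websearch.com search entry, both 69.20.16.183 hosts lines, the orphaned BHO, the Dvx and vmss Run entries, the aklsp.dll LSP once, and the msupd4.exe service, while leaving VPTray, WinVNC and the real Symantec services alone. The O10 reason string matters: an LSP DLL is part of the Winsock provider chain, which is why the post above reaches for LSPFix rather than a plain delete.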
     


  4. 2005/01/28 - Dodge981734 (Thread Starter)
    Hi, thanks for the reply. I tried to stick to the directions, but I'm on a network so I wasn't able to log in to my account in safe mode; I managed to access my user area through an administration login instead. Everything else was done.

    Here's the RAV scan
    Scan started at 28/01/2005 10:54:13

    Scanning memory...
    Scanning boot sectors...
    Scanning files...
    C:\WINDOWS\system32\doloknhx.exe - TrojanProxy:Win32/Agent.CJ -> Infected
    C:\WINDOWS\system32\ehytkxcv.exe - TrojanProxy:Win32/Agent.CJ -> Infected
    C:\WINDOWS\system32\ithldcer.exe - TrojanProxy:Win32/Agent.CJ -> Infected
    C:\WINDOWS\system32\xbdzboyv.exe - TrojanProxy:Win32/Agent.CJ -> Infected

    Scanned
    ============================
    Objects: 17522
    Directories: 1645
    Archives: 580
    Size(Kb): -1467756
    Infected files: 4

    Found
    ============================
    Viruses found: 1
    Suspicious files: 0
    Disinfected files: 0
    Mail files: 76

    And here's the HijackThis log:

    Logfile of HijackThis v1.99.0
    Scan saved at 10:51:02, on 28/01/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\UltraVNC\WinVNC.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\ACT\SideACT.exe
    C:\WINDOWS\system32\userinit.exe
    C:\Documents and Settings\william\My Documents\hijackthis\HijackThis.exe
    C:\WINDOWS\system32\userinit.exe

    O2 - BHO: (no name) - {400694D4-F3C4-2912-8BD5-26FBE001E146} - (no file)
    O2 - BHO: (no name) - {575481E3-48CF-CFBB-E3D6-61D7351523F0} - (no file)
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: SideACT!.lnk = C:\Program Files\ACT\SideACT.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bvet.co.uk
    O17 - HKLM\Software\..\Telephony: DomainName = bvet.co.uk
    O17 - HKLM\System\CCS\Services\Tcpip\..\{49F9FD1D-8DEA-4177-9E03-47245991377C}: NameServer = 195.12.4.247
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bvet.co.uk
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = bvet.co.uk
    O23 - Service: Symantec AntiVirus Definition Watcher - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: SAVRoam - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: VNC Server - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe
     
  5. 2005/01/28 - noahdfear
    Fix these two entries.

    O2 - BHO: (no name) - {400694D4-F3C4-2912-8BD5-26FBE001E146} - (no file)
    O2 - BHO: (no name) - {575481E3-48CF-CFBB-E3D6-61D7351523F0} - (no file)

    Locate and delete the infected files then empty the recycle bin. Reboot and run another RAV scan. Post one more HJT log also.
     
  6. 2005/01/28 - Dodge981734 (Thread Starter)
    For some reason HJT won't remove them. They just reappear on the next scan.
     
  7. 2005/01/28 - noahdfear
    I've attached a zip file. Download it and reboot to safe mode. Extract the file inside and double click it to merge to the registry. Reboot and scan. Let us know the results.

    Did you run another RAV scan?
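The attached zip file is not part of this page, so what follows is an added example of the kind of .reg file used for this step, not the helper's actual attachment. It takes the two "(no file)" O2 lines from the second log, pulls out their CLSIDs, and writes a .reg file that deletes both the Browser Helper Objects registration and the matching HKEY_CLASSES_ROOT\CLSID key (the standard BHO registration locations, not thread-specific). The third sample line is a constructed BHO that still has a DLL on disk; it is skipped on purpose, because a BHO with a file present is either a legitimate add-on or a live infection whose file needs dealing with first.

```python
import re

# Standard locations Internet Explorer reads BHO registrations from.
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
CLSID_KEY = r"HKEY_CLASSES_ROOT\CLSID"
GUID_RE = re.compile(r"\{[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}\}", re.IGNORECASE)

# Constructed sample: the two O2 lines from the second log in this thread, plus one
# made-up BHO that does have a file on disk and must not be touched.
SAMPLE_O2 = r"""
O2 - BHO: (no name) - {400694D4-F3C4-2912-8BD5-26FBE001E146} - (no file)
O2 - BHO: (no name) - {575481E3-48CF-CFBB-E3D6-61D7351523F0} - (no file)
O2 - BHO: Example add-on - {12345678-1234-1234-1234-123456789ABC} - C:\Program Files\Example\example.dll
"""


def orphan_bho_clsids(log_text: str) -> list:
    """CLSIDs of O2 entries that HijackThis reports as '(no file)', upper-cased, de-duplicated."""
    ids = []
    for line in log_text.splitlines():
        line = line.strip()
        if not (line.startswith("O2 - BHO:") and line.endswith("(no file)")):
            continue
        m = GUID_RE.search(line)
        if m and m.group(0).upper() not in ids:
            ids.append(m.group(0).upper())
    return ids


def build_removal_reg(clsids) -> str:
    """Build a .reg file that deletes each CLSID's BHO registration and its class key.

    In .reg syntax a key name written as [-KEY] tells regedit to delete that key
    (and everything under it) instead of creating it.
    """
    out = ["Windows Registry Editor Version 5.00", ""]
    for clsid in clsids:
        if not GUID_RE.fullmatch(clsid):
            # Never let a non-CLSID reach a delete line; a bad value here could remove a real key.
            raise ValueError(f"refusing to write a non-CLSID key name: {clsid!r}")
        out.append(f"[-{BHO_KEY}\\{clsid}]")
        out.append(f"[-{CLSID_KEY}\\{clsid}]")
        out.append("")
    return "\r\n".join(out)  # regedit expects CRLF line endings


if __name__ == "__main__":
    print(build_removal_reg(orphan_bho_clsids(SAMPLE_O2)))
```

Save the output with a .reg extension and merge it from safe mode with regedit /s remove_bho.reg (or by double-clicking it), as the post above describes, then rescan with HijackThis to confirm the O2 lines are gone. Only merge it after a fresh scan still shows "(no file)" for each CLSID; the entries coming back after a HijackThis fix is the reason the helper moved to a registry merge in safe mode in the first place.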
     