
Please help remove DMVLite - HiJackThis log attached

Discussion in 'Malware and Virus Removal Archive' started by Pozzo, 2005/01/11.

Thread Status:
Not open for further replies.
  1. 2005/01/11
    Pozzo

    Pozzo Inactive Thread Starter

    Joined:
    2005/01/11
    Messages:
    5
    Likes Received:
    0
    Please help. I see that someone else on this forum has been hijacked by DMVLite. Newt asked them to run AdAware and Search&Destroy (all of which I have previously done) and to post their "HijackThis log". I am posting my HijackThis log in the hopes that Newt or somebody else might help me.

    I also tried to attach a FindIt Nt-2k-xp log -- in case that was any help -- but an error message said my post was too long. If it helps, I can post it again.


    Also, I think I may have more problems than just DMVlite. Panda keeps finding trojans. It neutralizes them but doesn't remove them permanently.


    Please help.

    And thank you very much.

     
  2. 2005/01/11
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    Try RAV Online Scan.

    First, Disable System Restore, important you do this.

    Uninstall P2P Networking and reboot.
    Uninstall Virtual Bouncer and reboot. You do not want either of these. P2P is not what its name implies, it is just part of what is infecting you.
    Virtual Bouncer isn't what it seems.

    Remove these.
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R3 - Default URLSearchHook is missing
    O3 - Toolbar: Search Bar - {4E7BD74F-2B8D-469E-A1F6-FC7EB590A97D} - C:\WINDOWS\DOWNLO~1\search3.dll
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [lCj4FPi1.exe] C:\documents and settings\d'arcy\local settings\temp\lCj4FPi1.exe
    O4 - HKLM\..\Run: [ixVUJGv.exe] C:\documents and settings\d'arcy\local settings\temp\ixVUJGv.exe
    O4 - HKLM\..\Run: [lCj4FPi1] C:\documents and settings\d'arcy\local settings\temp\lCj4FPi1.exe
    O4 - HKLM\..\Run: [ixVUJGv] C:\documents and settings\d'arcy\local settings\temp\ixVUJGv.exe
    O4 - HKLM\..\Run: [y9csn.exe] C:\documents and settings\d'arcy\local settings\temp\y9csn.exe
    O4 - HKLM\..\Run: [y9csn] C:\documents and settings\d'arcy\local settings\temp\y9csn.exe
    O4 - HKLM\..\Run: [xlaGuvg] C:\documents and settings\miranda\local settings\temp\xlaGuvg.exe
    O4 - HKLM\..\Run: [c] C:\documents and settings\janet\local settings\temp\c.exe
    O4 - HKLM\..\Run: [SysEntry] forces_elite.exe
    O4 - HKLM\..\Run: [DNSCacheBoost] C:\WINDOWS\System32\dnsping.exe
    O4 - HKLM\..\Run: [zCnhTaq] C:\windows\zCnhTaq.exe
    O4 - HKLM\..\Run: [004aebf582c1] C:\WINDOWS\System32\clcd1662.exe
    O4 - HKLM\..\Run: [svuexc] C:\WINDOWS\System32\svuexc.exe
    O4 - HKLM\..\Run: [ufetxc] C:\WINDOWS\System32\ufetxc.exe
    O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe
    O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
    O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
    O4 - HKLM\..\Run: [us5O37X] ckcman.exe
    O4 - HKCU\..\Run: [fBuERXb7V] cimec.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O15 - Trusted IP range: (HKLM)
    O16 - DPF: {30CE93AE-4987-483C-9ABE-F2BD5301AB70} - http://64.158.165.147/060570/ca/adult1/adult1.exe

    Reboot and delete all files and folders in this folder.
    C:\documents and settings\d'arcy\local settings\temp
    Delete these folders.
    C:\Program Files\VBouncer
    C:\WINDOWS\System32\P2P Networking
    C:\Program Files\Toolbar

    Delete these files, they may be Hidden.
    forces_elite.exe
    C:\WINDOWS\System32\dnsping.exe
    C:\windows\zCnhTaq.exe
    C:\WINDOWS\System32\clcd1662.exe
    C:\WINDOWS\System32\svuexc.exe
    C:\WINDOWS\System32\ufetxc.exe
    C:\WINDOWS\System32\tibs3.exe
    C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
    ckcman.exe
    cimec.exe

    Go to Start\Run, type in CMD and press Enter, then do these commands at the prompt.
    del c:\windows\downlo~1\search3.dll
    exit
     


  4. 2005/01/12
    Pozzo

    Pozzo Inactive Thread Starter

    Joined:
    2005/01/11
    Messages:
    5
    Likes Received:
    0
    Thank you very much Mark. I hope you enjoy the good Karma you're generating.

    It took some time, but I've done all the things you outlined. However, I still seem to be infected with something. My IE start page is still going to about:blank and I'm occasionally taken to porno addresses and receive pop-up phoney warning messages.

    I could not find forces_elite.exe or tibs3.exe on my system (even with search for hidden files enabled). RAV online scan found 11 viruses (my Panda software says there aren't any ???) but it could not delete them.

    Here is my new Hijackthis log:

     
  5. 2005/01/12
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Hi Guys

    Part of what you have is aka trusted zone crappie.
    Currently it's changing habits.
    We have a tool to take it out, but first get a report from this tool so we can be sure to target all of it.

    It must be unzipped and run in safe mode.
    Do this please.
    Download this zipped file FindRK-files.zip
    http://forums.net-integration.net/index.php?act=Attach&type=post&id=125644
    Unzip the files inside.
    Restart the PC into safe mode
    It has to be run in safe mode for it to work correctly.
    Open the folder and run the RKFILES.BAT, sit back and wait until it's finished.
    ===============
    Restart back to a normal windows session and post the text located here C:\Log.txt please
     
  6. 2005/01/12
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    I am going to make a wild guess and assume the reason RAV cannot delete them is because they are in the SR folder. Windows will not allow anything to be deleted from the System Restore folder, but by disabling it and rebooting it is cleared out of everything. When clean, enable SR, and you will have a clean restore point created.
    Edit:
    Lonny has posted while I was doing research on this, and he has a good idea for this.
     
  7. 2005/01/14
    Pozzo

    Pozzo Inactive Thread Starter

    Joined:
    2005/01/11
    Messages:
    5
    Likes Received:
    0
    Thank you Mark and Lonny.

    Unfortunately, my system still seems to be hijacked by something. It is constantly taking me to **** pages.

    Lonny, I ran the FindRK_files program, but the log it created had nothing in it but the directory where the FindRK program itself was running. Did I do something wrong (I tried twice)?

    I've run RAV- Antivirus again. After much work, I'm now down to 2 viruses found but not deleted:
    Any suggestions on how I get rid of them?

    And here's the latest HJT log:

    Thanks again for your efforts.
     
  8. 2005/01/14
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    You have new stuff appearing, and others disappearing from the previous log.
    You have more than the 2 that RAV has found. The file Getdns.Exe has disappeared, it was in the previous log as a running process.
    Stop the MSN messenger from startup in Msconfig, reboot so it isn't running and then uninstall Messenger Plus!, it is adware. Reboot when done.
    Uninstall Limeshop and reboot if possible.

    Disable System Restore and reboot, some of these files will reappear if you do not.

    Remove these items.
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\rcpie.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\rcpie.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R3 - Default URLSearchHook is missing
    O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\System32\iecust.dll
    O4 - HKLM\..\Run: [LimeShop] javaw -cp "C:\Program Files\LimeShop\System\Code" Main lp: "C:\Program Files\LimeShop "
    O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [Bsui] C:\Documents and Settings\Miranda\Application Data\wtne.exe
    O4 - HKCU\..\Run: [Pgqjmdxf] C:\WINDOWS\System32\j?vaw.exe
    O4 - Global Startup: STRINGS.EXE
    O15 - Trusted Zone: http://*.63.219.181.7

    Get MoveOnBoot, it adds a new item to the right click menu for files in Windows Explorer. When selecting a file to be deleted, use the Delete on next boot option, then reboot and the file(s) is/are deleted. Some of these files may not be deletable at first and this will get rid of them.

    Delete these folders.
    C:\Program Files\LimeShop
    C:\Program Files\Messenger Plus! 2

    Delete these files.
    C:\WINDOWS\System32\rcpie.dll
    C:\WINDOWS\System32\getdns.exe
    C:\WINDOWS\system32\iecust.dll
    C:\WINDOWS\system32\iecust.exe
    C:\Documents and Settings\Miranda\Application Data\wtne.exe
    C:\WINDOWS\System32\j?vaw.exe
    Find the file Strings.Exe and delete it.

    Delete all files and folders located in the Temp folders for all users listed. Clear the Internet Explorer Temp folder, be sure to check the box for Offline Content when doing so.

    You could remove these, backweb is borderline spy/adware, and is supposed to be some updater, associated with Logitech in this case. You do not need to delete these. More on this at this link.
    O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

    If you want to get rid of something that you really do not need, remove this
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    Then rename the file realsched.exe to realsched.old, and it will not reappear next time RealPlayer is run. It really is just extra junk.

    Surf for a bit, and then post a new log. When clean you can then reenable System Restore.

    If you would like some prevention for this, check out the Iepsyads link below in my signature. After unzipping just use the "ie-spy" file by just double clicking it. You will be prompted if you want to merge this information into the registry, and yes you do. Then you get a confirmation message.
    Then go into Internet Options, Security tab. Click on the Restricted icon, and do a Custom setting for that Zone. Set EVERYTHING to Disable, if Disable is not there for an item use High instead, password to prompt.
    You see the O15 entry in your log that you will remove with HJT? That is one of the sites that will be in the Restricted, but it has to be out of the Trusted first, as the same item cannot be in both Zones at once.
    Later on, if you ever get the message "ActiveX controls are disabled for this page... ", this is the result of one of these sites being accessed and they are stopped cold. Just click Ok and forget about it. ActiveX has nothing to do with what you see on the page, it is a method for webpages to install and run programs on your computer.
    The legit uses are for online scans, windows update, and Flash/Shockwave player.
    A great side benefit for this is that you will collect a lot less cookies.
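    The two fix lists above (markp62's posts #2 and #8) are built by reading a HijackThis log line by line and picking out the patterns a hijacker leaves behind: search pages forced to about:blank or to a res:// DLL resource, O4 autoruns launched from a user's Temp or Application Data folder or given as a bare file name with no path, a file name containing an unprintable character, O15 Trusted Zone / Trusted IP entries the user never added, and O16 ActiveX downloads from a bare IP address. The script below is an added example written for this page, not something posted in the thread or shipped with HijackThis; it encodes those same rules as a triage pass over a small constructed sample log (the O15 and O16 hosts use documentation IP ranges, not the addresses from the thread). It flags entries for review only; it does not delete or change anything.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in HijackThis log format, modelled on the entry
# types discussed in this thread (paths and IPs are placeholders).
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\rcpie.dll/sp.html (obfuscated)
R3 - Default URLSearchHook is missing
O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\System32\iecust.dll
O4 - HKLM\..\Run: [lCj4FPi1] C:\documents and settings\d'arcy\local settings\temp\lCj4FPi1.exe
O4 - HKLM\..\Run: [SysEntry] forces_elite.exe
O4 - HKCU\..\Run: [Bsui] C:\Documents and Settings\Miranda\Application Data\wtne.exe
O4 - HKCU\..\Run: [Pgqjmdxf] C:\WINDOWS\System32\j?vaw.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O15 - Trusted Zone: http://*.192.0.2.7
O15 - Trusted IP range: (HKLM)
O16 - DPF: {00000000-0000-0000-0000-000000000000} - http://192.0.2.10/example/installer.exe
"""

@dataclass
class Finding:
    section: str                 # HijackThis section code, e.g. "O4"
    line: str                    # the original log line
    reasons: list = field(default_factory=list)

# URL whose host is a bare dotted-quad IP rather than a hostname
_IP_HOST = re.compile(r"^https?://(\d{1,3}\.){3}\d{1,3}(/|$)")

def _o4_command(rest: str) -> str:
    """Extract the launched program from the text after 'Run: [name]'."""
    rest = rest.strip()
    if rest.startswith('"'):                       # quoted path, take up to the closing quote
        end = rest.find('"', 1)
        return rest[1:end] if end > 0 else rest.strip('"')
    # unquoted: cut off switches such as ' /AUTOSTART' or ' -osboot'
    return rest.split(" /")[0].split(" -")[0].strip()

def triage_line(line: str):
    """Classify one HJT line; returns a Finding (reasons empty if nothing looks off) or None."""
    line = line.strip()
    m = re.match(r"^([RO]\d+) - (.*)$", line)
    if not m:
        return None
    section, rest = m.group(1), m.group(2)
    reasons = []
    if section in ("R0", "R1"):
        value = rest.split("=", 1)[1].strip().lower() if "=" in rest else ""
        if value.startswith("about:blank"):
            reasons.append("search/start page forced to about:blank")
        elif value.startswith("res://"):
            reasons.append("search page served from a local DLL resource")
    elif section == "R3" and "missing" in rest.lower():
        reasons.append("default URLSearchHook removed")
    elif section == "O4":
        cmd = _o4_command(rest.split("]", 1)[1]) if "]" in rest else ""
        low = cmd.lower()
        if "\\local settings\\temp\\" in low:
            reasons.append("autorun launched from a user Temp folder")
        if "\\application data\\" in low:
            reasons.append("autorun launched from Application Data")
        if "\\" not in cmd:
            reasons.append("bare executable name with no path")
        if "?" in cmd:
            reasons.append("unprintable character in executable name")
    elif section == "O15":
        reasons.append("Trusted Zone / Trusted IP range entry added")
    elif section == "O16":
        url = rest.split(" - ")[-1]
        if _IP_HOST.match(url):
            reasons.append("ActiveX download (DPF) from a bare IP address")
    return Finding(section, line, reasons)

def triage(log_text: str):
    """Return only the lines that triggered at least one rule."""
    out = []
    for raw in log_text.splitlines():
        f = triage_line(raw)
        if f and f.reasons:
            out.append(f)
    return out

def summarize(findings):
    """Count flagged entries per HijackThis section code."""
    counts = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {'; '.join(f.reasons)}\n    {f.line}")
```

    Run against the sample, the O3 toolbar and the quoted realsched.exe line come through clean while the other ten entries are flagged, which matches the judgement markp62 applied by hand: location and form of the autorun command decide, not the name alone. The rules are deliberately conservative hints for a human reviewer; an entry under Program Files can still be adware (LimeShop, Messenger Plus! in post #8), so a clean result from this pass is not a clean machine.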
     
  9. 2005/01/15
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Yes, you didn't give it enough time to complete the job. Try again: safe mode > run it, just wait until all disk activity stops; a text will open when it is finished, close it and restart back to a normal windows session.

    markp62, it's useless fighting this thing manually.

    So Pozzo, now that you have partially fixed it, you must let it come back. Surf the internet, do whatever with the PC for, oh, say 2-3 hours, go into safe mode, run that batch file, restart back to normal and post that log. Don't fix anything on your own please.
     
  10. 2005/01/17
    Pozzo

    Pozzo Inactive Thread Starter

    Joined:
    2005/01/11
    Messages:
    5
    Likes Received:
    0
    Well, I tried Find_RK files again. I didn't do anything different than the last two times, but this time it produced a log (???).

    Unfortunately, I have been desperately trying to remove things myself (before I read your new post Lonny). Things are just as bad as ever. I hope I haven't messed things up too badly (though it is hard to see how things can get worse). Boy, this is frustrating.

    Question: when I list or remove things does it matter which user I am listed under? One user (in a desperate attempt to cover their tracks, I believe) erased their profile, does that matter?


    Find_RK log:
     
  11. 2005/01/18
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Hello
    Hold off on troubleshooting on your own for a bit, we have a plan.


    The bug you have is relatively new. We need a couple of those files, plus we need to be sure they are bad; those two in the windows folder are good guys so don't be deleting anything yet.

    They will need to be zipped while in safe mode. Here is a tool to help.

    Download "Suspicious File Packer "
    http://www.safer-networking.org/en/tools/index.html
    To your desktop, unzip the file inside to the desktop also.

    Restart into safe mode


    Run sfp.exe, copy and paste the whole list below into it, and hit continue.
    C:\WINDOWS\system32\dnsping.exe
    C:\WINDOWS\system32\GnucDNA.dll
    C:\WINDOWS\system32\HyperLinker.exe
    C:\WINDOWS\system32\iecust.exe
    C:\WINDOWS\system32\netcfg.dll
    C:\WINDOWS\system32\netssh.exe
    C:\WINDOWS\system32\pingnet.exe
    C:\WINDOWS\system32\sp2chek.exe
    C:\WINDOWS\system32\msinfo.exe
    C:\WINDOWS\system32\odcfg.exe
    C:\WINDOWS\system32\sample32.exe
    C:\WINDOWS\system32\subsys.exe


    Restart back to a normal windows session

    Send the cab that will be created on the desktop to me please.
    Send to lonnyjones1ATwmconnect.com
    Replace at with @ and include a link back to this thread.
    Do you know how to place a password on them ?
    Do you use a third party zip program ?

    To answer your previous question, please stay in one account that has all administrative rights while we are cleaning up, and admin while in safe mode.
     
  12. 2005/01/18
    Pozzo

    Pozzo Inactive Thread Starter

    Joined:
    2005/01/11
    Messages:
    5
    Likes Received:
    0
    I have generated and sent the SFP files to your address Lonny.

    After re-reading your post, I realise I didn't answer your questions about password protection (no, I don't know how to do that) and zipping the file (no I don't have a zip program). Should I download a zip program and re-send? Or is it too late? Sorry. It's just a real hardship operating on this computer now. I was just trying to get things done as quick as possible and turn-off the computer.
     
  13. 2005/01/18
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    They might get through; send again just in case please.



    For Windows XP:
    Here are the directions for creating a zip file with a password

    Using Windows Explorer, locate the first file you want to zip.
    (that Cab file on your desktop)
    Right click on the file and select Send To and Compressed (zipped) Folder.
    Right click any other files you want to compress and select Copy.
    Right click on the compressed folder and select Paste. The copied files will be compressed and pasted in.
    Right click on the file and select Explore.
    In File select Add a Password. (Use infected.) Enter the password and confirm the password.

    If you still have a problem adding a password, go ahead and just send the zip file without one (I think it will get through the scanners ok)
     