Tech Support Forum - View Single Post

palguy · 03-11-2005, 08:18 AM

Hello bigbone32 and welcome to TSF

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

Before you do anything else, please create a folder for HijackThis and put it in a permanent folder (like C:\HJT) instead of the Temp folder. This is required because HijackThis will create backups and we don't want them to be deleted.

If you have a fast internet connection (Broadband), run an online scan at Trend Micro or RAV Antivirus.
Please select the “autoclean” option when using Trend Micro.

To turn off System Restore Click Start > Right Click My Computer > Properties. Click the System Restore tab and Check "Turn off System Restore" or "Turn off System Restore on all drives". Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this then Click OK.

Right click Del015Domains and choose Save As. Save it to your desktop. Right click on that file and choose Install. You may delete it afterwards.

Download CWShredder and click on 'Fix' (it will automatically fix anything it finds for you). If it asks if you want to delete a certain random file, choose No and post that filename here.

Please download Ad-aware SE and install it if you don't have it already. Make sure it's the newest version and check for any updates before running it. Also go here to get the plug-in for fixing VX2 variants. To run this tool, go into Ad-aware->Add-ons and select VX2 Cleaner. Then click Run Tool and OK to start it. If it's clean, it will say Status System Clean. Otherwise, you will have to click on the Clean button to remove the VX2 infection. Also make sure to customize the settings in Ad-aware for better scan results. Run the scan and fix everything that it finds.

Download and install Spybot S&D if you don't have it already. Run Spybot and click on the 'Search for Updates' button. Install any updates that are available. Next click on the 'Check for Problems' button. Let it run the scan. If it finds something, check all those in RED and hit the Fix Selected Problems button. Exit Spybot. If you keep getting the DSO Exploit entries, even after you updated Windows and fixed them, then download the Spybot DSO Exploit Fix and install it over the current Spybot installation.

Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.

Reboot your system in Safe Mode (By repeatedly tapping the F8 key until the menu appears).

Go into Hijack This->Config->Misc. Tools->Open process manager. Select the following and click “Kill process” for each one (You must kill them one at a time).

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Updater.exe
C:\windows\system32\bepfdqif.exe
C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
C:\WINDOWS\System32\vmss\vmss.exe

Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs:

I see you have P2P software installed on your machine (i.e. Ares). We are not here to pass judgement on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to a re-infection. It is certainly a contributor to your current situation. I will make recommendations for removal, which you can choose to ignore where this P2P application is involved. It's your decision, but I recommend doing it now.

Viewpoint
Ares
WinTools

Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.mtco.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mtco.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\ceres.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll (file missing)
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll (file missing)
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [wdskctl] C:\WINDOWS\wdskctl.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKLM\..\Run: [bepfdqif] c:\windows\system32\bepfdqif.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [vmss] C:\WINDOWS\System32\vmss\vmss.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [wmerror] C:\WINDOWS\System32\wmerror.exe
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} (IObjSafety.DemoCtl) - http://cabs.media-motor.net/cabs/alien.cab
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)

Please remember to close all other windows, including browsers then click Fix checked.

Delete the following Files indicated in RED and Folders indicated in BLUEif they still exist.

[b]C:\Program Files\Viewpoint
C:\Program Files\Ares
C:\Program Files\Common Files\WinTools
C:\windows\system32\bepfdqif.exe
C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
C:\WINDOWS\System32\vmss\vmss.exe
C:\WINDOWS\ceres.dll
C:\WINDOWS\systb.dll
C:\WINDOWS\System32\nvms.dll
C:\WINDOWS\System32\mscb.dll
C:\WINDOWS\System32\msbe.dll
C:\WINDOWS\wdskctl.exe
C:\WINDOWS\farmmext.exe
C:\WINDOWS\farmmext.ini
C:\WINDOWS\wupdt.exe
C:\WINDOWS\System32\wmerror.exe

Updater.exe--->You will need to search for and delete this file.

Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum.

03-11-2005, 08:18 AM	#3 (permalink)
palguy Registered User Join Date: Nov 2004 Posts: 369 OS: xp	Hello bigbone32 and welcome to TSF Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions. Before you do anything else, please create a folder for HijackThis and put it in a permanent folder (like C:\HJT) instead of the Temp folder. This is required because HijackThis will create backups and we don't want them to be deleted. If you have a fast internet connection (Broadband), run an online scan at Trend Micro or RAV Antivirus. Please select the “autoclean” option when using Trend Micro. To turn off System Restore Click Start > Right Click My Computer > Properties. Click the System Restore tab and Check "Turn off System Restore" or "Turn off System Restore on all drives". Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this then Click OK. Right click Del015Domains and choose Save As. Save it to your desktop. Right click on that file and choose Install. You may delete it afterwards. Download CWShredder and click on 'Fix' (it will automatically fix anything it finds for you). If it asks if you want to delete a certain random file, choose No and post that filename here. Please download Ad-aware SE and install it if you don't have it already. Make sure it's the newest version and check for any updates before running it. Also go here to get the plug-in for fixing VX2 variants. To run this tool, go into Ad-aware->Add-ons and select VX2 Cleaner. Then click Run Tool and OK to start it. If it's clean, it will say Status System Clean. Otherwise, you will have to click on the Clean button to remove the VX2 infection. Also make sure to customize the settings in Ad-aware for better scan results. Run the scan and fix everything that it finds. Download and install Spybot S&D if you don't have it already. Run Spybot and click on the 'Search for Updates' button. Install any updates that are available. Next click on the 'Check for Problems' button. Let it run the scan. If it finds something, check all those in RED and hit the Fix Selected Problems button. Exit Spybot. If you keep getting the DSO Exploit entries, even after you updated Windows and fixed them, then download the Spybot DSO Exploit Fix and install it over the current Spybot installation. Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option. Reboot your system in Safe Mode (By repeatedly tapping the F8 key until the menu appears). Go into Hijack This->Config->Misc. Tools->Open process manager. Select the following and click “Kill process” for each one (You must kill them one at a time). C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe C:\Updater.exe C:\windows\system32\bepfdqif.exe C:\WINDOWS\System32\wsxsvc\wsxsvc.exe C:\WINDOWS\System32\vmss\vmss.exe Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs: I see you have P2P software installed on your machine (i.e. Ares). We are not here to pass judgement on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to a re-infection. It is certainly a contributor to your current situation. I will make recommendations for removal, which you can choose to ignore where this P2P application is involved. It's your decision, but I recommend doing it now. Viewpoint Ares WinTools Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any) R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.mtco.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mtco.com R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = R3 - Default URLSearchHook is missing O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\ceres.dll O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll (file missing) O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll (file missing) O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll (file missing) O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file) O4 - HKLM\..\Run: [wdskctl] C:\WINDOWS\wdskctl.exe O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe O4 - HKLM\..\Run: [bepfdqif] c:\windows\system32\bepfdqif.exe O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe O4 - HKLM\..\Run: [vmss] C:\WINDOWS\System32\vmss\vmss.exe O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h O4 - HKCU\..\Run: [wmerror] C:\WINDOWS\System32\wmerror.exe O15 - Trusted Zone: .media-motor.net O15 - Trusted Zone: .popuppers.com O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} (IObjSafety.DemoCtl) - http://cabs.media-motor.net/cabs/alien.cab O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing) *Please remember to close all other windows, including browsers then click Fix checked.* Delete the following Files indicated in RED and Folders indicated in BLUEif they still exist. [b]C:\Program Files\Viewpoint C:\Program Files\Ares C:\Program Files\Common Files\WinTools C:\windows\system32\bepfdqif.exe C:\WINDOWS\System32\wsxsvc\wsxsvc.exe C:\WINDOWS\System32\vmss\vmss.exe C:\WINDOWS\ceres.dll C:\WINDOWS\systb.dll C:\WINDOWS\System32\nvms.dll C:\WINDOWS\System32\mscb.dll C:\WINDOWS\System32\msbe.dll C:\WINDOWS\wdskctl.exe C:\WINDOWS\farmmext.exe C:\WINDOWS\farmmext.ini C:\WINDOWS\wupdt.exe C:\WINDOWS\System32\wmerror.exe Updater.exe--->You will need to search for and delete this file. Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum.