ceres.dll keeps coming back
   

mtushmoo
New Member


Date Joined Nov 2004
Total Posts : 8
 
   Posted 11-29-2004 6:45 (GMT +1)
How do I get rid of ceres?  It's some kind of popup thingy that won't go away.
 
Here's a copy of the log from hijack this:
 
Thanks in advance.
 
Eric
 
Logfile of HijackThis v1.97.7
Scan saved at 12:39:41 PM, on 11/29/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ANVSHELL.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\PZOJUYY.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IXPLORE.EXE
C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SPYSUB.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\BUDDY.EXE
C:\WINDOWS\BUDDY.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [LiveNote] livenote.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [adrerzdp] C:\WINDOWS\SYSTEM\pzojuyy.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKCU\..\Run: [ixplore] "C:\Program Files\Internet Explorer\ixplore.exe"
O4 - HKLM\..\RunOnce: [seppukku] C:\WINDOWS\seppuku.exe
O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: ConferenceRoom Java Client - http://irc.theamateurchat.com/java/cr.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by18fd.bay18.hotmail.msn.com/activex/HMAtchmt.ocx
 
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 17983
 
   Posted 11-29-2004 8:49 (GMT +1)
Hey
 
Show hidden files-Push on the link:
 http://www.xtra.co.nz/help/0,,4155-1916458,00.html=
 
 
Please go offline
Scan with HijackThis , close all other windows and browsers, and place a checkmark next to these items, and fix:
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
O4 - HKLM\..\Run: [adrerzdp] C:\WINDOWS\SYSTEM\pzojuyy.exe
O4 - HKCU\..\Run: [ixplore] "C:\Program Files\Internet Explorer\ixplore.exe"
O4 - HKLM\..\RunOnce: [seppukku] C:\WINDOWS\seppuku.exe


Reboot into Safe Mode - hit F8 key until menu shows up

Find and delete:
C:\WINDOWS\CERES.DLL
C:\WINDOWS\SYSTEM\pzojuyy.exe
C:\Program Files\Internet Explorer\ixplore.exe
>>>Don’t delete this: C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE, it is a legal file
C:\WINDOWS\seppuku.exe

 
Reboot. Download newer Hijackthis:
and post new Hijackthis log file

 


Touch
 

mtushmoo
New Member


Date Joined Nov 2004
Total Posts : 8
 
   Posted 11-29-2004 10:14 (GMT +1)
Here's the new log file.
So far, so good.
I added zone alarm, too - it seemed to be blocking the ads from ceres - started blocking a bunch of pings, too.


Thanks.
Eric
Logfile of HijackThis v1.98.2
Scan saved at 4:07:51 PM, on 11/29/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ANVSHELL.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SPYSUB.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [LiveNote] livenote.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O16 - DPF: ConferenceRoom Java Client - http://irc.theamateurchat.com/java/cr.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by18fd.bay18.hotmail.msn.com/activex/HMAtchmt.ocx
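
The before/after comparison the helpers in this thread do by eye can be scripted. The following is an added example, not part of the original posts: it parses the R*/O* lines of two HijackThis logs and reports what was removed, what was added, and whether a fixed entry shows up again in a later scan. The sample logs are short excerpts of logs posted in this thread; the function names are hypothetical.

```python
import re

# Entry lines look like "R3 - ...", "O2 - ...", "O16 - ..."; the "Running
# processes" paths and the log header do not match this pattern.
ENTRY_RE = re.compile(r"^\s*([RO]\d{1,2})\s+-\s+(.*\S)\s*$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def entry_key(code, body):
    """Identity of an entry that survives case changes and renamed BHOs."""
    m = CLSID_RE.search(body)
    if m:
        # Keep the entry kind ("BHO", "Toolbar", "DPF"), the CLSID and the
        # file or URL after it; drop the display name, which the two scans in
        # this thread report differently for the same Acrobat helper object.
        kind = body[:m.start()].split(":", 1)[0].strip().upper()
        target = body[m.end():].lstrip(" -").upper()
        return (code, kind, m.group(0).upper(), target)
    return (code, " ".join(body.split()).upper())


def parse_log(text):
    """Map entry_key -> original line for every R*/O* line in a log."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries[entry_key(m.group(1), m.group(2))] = line.strip()
    return entries


def diff_logs(before, after):
    """Return (removed, added) entry lines between two scans."""
    b, a = parse_log(before), parse_log(after)
    removed = sorted(b[k] for k in b.keys() - a.keys())
    added = sorted(a[k] for k in a.keys() - b.keys())
    return removed, added


def still_present(fixed_lines, later_log):
    """Entries that were fixed earlier but appear again in a later scan."""
    later = parse_log(later_log)
    found = []
    for line in fixed_lines:
        m = ENTRY_RE.match(line)
        if m:
            key = entry_key(m.group(1), m.group(2))
            if key in later:
                found.append(later[key])
    return found


# Excerpt of the first log in this thread (HijackThis v1.97.7).
BEFORE = r"""
Logfile of HijackThis v1.97.7
C:\WINDOWS\BUDDY.EXE
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [adrerzdp] C:\WINDOWS\SYSTEM\pzojuyy.exe
O4 - HKCU\..\Run: [ixplore] "C:\Program Files\Internet Explorer\ixplore.exe"
O4 - HKLM\..\RunOnce: [seppukku] C:\WINDOWS\seppuku.exe
"""

# Excerpt of the second log in this thread (HijackThis v1.98.2).
AFTER = r"""
Logfile of HijackThis v1.98.2
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
"""

# Two lines quoted in a later post in this thread, used as a "later scan".
LATER = r"""
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\Ceres.dll
O4 - HKLM\..\Run: [omwemrhlti] C:\WINDOWS\System32\ocnoyay.exe
"""

if __name__ == "__main__":
    removed, added = diff_logs(BEFORE, AFTER)
    print("Removed since first scan:")
    for line in removed:
        print("  " + line)
    print("Added since first scan:")
    for line in added:
        print("  " + line)
    print("Fixed entries seen again later:")
    for line in still_present(removed, LATER):
        print("  " + line)
```

Only registry and file entries are compared; a file that is merely left on disk, such as the buddy.exe mentioned in the next post, does not appear in this diff once it is no longer running or registered.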


 

mtushmoo
New Member


Date Joined Nov 2004
Total Posts : 8
 
   Posted 11-29-2004 10:23 (GMT +1)
"buddy.exe" shows up on zone alarm as trying to get to the internet. It's got the same icon as all those stupid popups I'm trying to get rid of.

It doesn't appear on hijack this (on the second scan) but it's still there on a file search.

I'd think this has to go, too, right?
 

mtushmoo
New Member


Date Joined Nov 2004
Total Posts : 8
 
   Posted 11-30-2004 2:52 (GMT +1)
  • CoolWWW
  • Spy #4209d -- Research In Progress
  • Hot as Hell
  • ISTbar/AUpdate
  • PowerScan
  • PurityScan
  • Spy #46b42 -- Research In Progress
  • TinyBar
  • Winad

    appear with a spyaudit scan.


    Anything here that needs killin'?
    Thanks -
    No Ceres ads yet, either;  so far, so good.




     

    Touch
    Forum Moderator




    Date Joined Jun 2004
    Total Posts : 17983
     
       Posted 11-30-2004 6:00 (GMT +1)
    Your log is clean;-)
     
    But
    Download this scanner – mwav exe : http://www.spywareinfo.dk/download/mwav.exe
    Activate all, in settings- Scan 
     
    Download Spybot Search and Destroy here : http://www.safer-networking.org/index.php?page=mirrors if it is not already installed on your computer
    Install the program and then start it. Once the program has started make sure you are in the Spybot-S&D section. Click on the "Search for Updates" button. Download all updates. In some cases the program will restart after an update
     Open adaware and Click the "Check for updates now" line on the main screen. Click the "Connect" button on the webupdate screen. If an update is available download it and install it. Click the "Finish" button to go back to the main screen.
    Go offline
     
    Run the mwav scanner:
    Activate all, in settings- Scan
    Spybot, click on the Immunize button. Then "Scan System" button. When the Check is over, fix all marked with red

    Adware
    Push START
    Perform full system scan. NEXT
    To fix all the bad critical objects do the following:
    Right click on one of them to open up the selection screen. Click the "Select All" button to select all entries.
    When all are selected Click "Next" and then "OK" in the pop-up window to confirm the removal.

    Run cwshredder, close all other windows-Fix
    Reboot
    Go to Start | Run and type: cleanmgr.exe and hit enter.
    When prompted what drive to clean select your hard drive c:
    If asked what folders to clean in a list, tick them all to clean all temp folders, downloaded program folders, temporary internet files, etc., and the recycle/trash bin.

    Reboot and tell how things are running ;-)


    Touch
     

    mtushmoo
    New Member


    Date Joined Nov 2004
    Total Posts : 8
     
       Posted 11-30-2004 8:46 (GMT +1)
    all anything found was tracking cookies, except for a dso object that spybot found - that showed microsoft as a source.

    Everything appears to be OK.

    Thank You

    Eric
     

    Touch
    Forum Moderator




    Date Joined Jun 2004
    Total Posts : 17983
     
       Posted 12-1-2004 10:32 (GMT +1)
    Ok
     
    Hide system files again
     
    Install these for safer surfing:
    http://www.javacoolsoftware.com/spywareblaster.html Update when downloaded. SpywareBlaster prevents the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests. Blocks spyware/tracking cookies in Internet Explorer and Mozilla/Firefox. Restricts the actions of potentially dangerous sites in Internet Explorer.

    SpywareGuard provides a real-time protection solution against spyware that is a great addition to SpywareBlaster's protection method.

    https://netfiles.uiuc.edu/ehowes/www/resource.htm
    IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites, that aren't actually innocent at all.


    Privacy Keeper
     
    Privacy Keeper Manual:
    Check for updates for Windows and Internet Explorer every week or so. Download each critical update one by one, rebooting when necessary. Repeat this until you get the message "no critical updates available".

    http://windowsupdate.microsoft.com/


    Touch
     

    grolschie
    New Member


    Date Joined Jan 2005
    Total Posts : 1
     
       Posted 1-15-2005 10:41 (GMT +1)
    We found a newer variant of ceres. Same company. Hijackthis log shows:
     
    O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\Ceres.dll
    O4 - HKLM\..\Run: [omwemrhlti] C:\WINDOWS\System32\ocnoyay.exe
     
    Surely what abetterinternet.com are doing is illegal? Their site is full of so-called "goodies" to download, yet every download page has a rogue activex.
     

    bwillsher
    New Member


    Date Joined Jan 2005
    Total Posts : 1
     
       Posted 1-21-2005 3:12 (GMT +1)
    I seem to have got the same problem on my computer. I get random popup ads and Norton tells me every 30 seconds that it's deleted an infected file. I also get a program called ceres opening on the taskbar (with ads) and DeskAdServ.exe and DeskAdKeep.exe running.

    I have not downloaded anything suspicious, but I share this computer with my brother (who has a separate windows xp account). I haven't asked him yet.

    How do I find out where it came from? And how the hell did it get on my computer when I have Norton Antivirus 2005 and AdAware 6?
     

    docmikey
    New Member


    Date Joined Jan 2005
    Total Posts : 3
     
       Posted 1-23-2005 11:57 (GMT +1)
    I have ceres.dll and I cannot get it removed.  I ran hijack this and below is the log:
    Logfile of HijackThis v1.99.0
    Scan saved at 5:53:49 PM, on 1/23/2005
    Platform: Windows XP  (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\PackethSvc.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
    C:\WINDOWS\System32\pdgcyc.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Spyware Doctor\swdoctor.exe
    C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
    C:\Program Files\Microsoft Office\Office10\msoffice.exe
    C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
    C:\WINDOWS\System32\hpoipm07.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
    C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
    C:\WINDOWS\System32\DllHost.exe
    C:\Documents and Settings\default\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\hijackthis\HijackThis.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.dell.com/search/index.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\Ceres.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
    O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
    O4 - HKLM\..\Run: [chcfkje] C:\WINDOWS\System32\pdgcyc.exe
    O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\System\MOSearch\Bin\mosearch.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [rate.exe] C:\WINDOWS\System32\i1ru54n4.exe
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
    O4 - Global Startup: America Online 6.0 Tray Icon.lnk = C:\America Online 6.0\aoltray.exe
    O4 - Global Startup: HPAiODevice(hp psc 900 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra button: Dell Home - {DE9F7D9E-71AE-44E3-8DE5-D741FBFD7B86} - http://www.dellnet.com/ (file missing) (HKCU)
    O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (WficaCtl Object) - http://www.careplus.hfhs.org/winframe/cab/wfica.cab
    O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} (Register Class) - http://content.hiwirenetworks.net/inbrowser/cabfiles/2.5.30/Hiwire.cab
    O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
    O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup150.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw10fd.law10.hotmail.msn.com/activex/HMAtchmt.ocx
    O23 - Service: IMAPI CD-Burning COM Service - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
    O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Virtual NIC Service - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
    O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    Please help me to know what I need to do to  remove this virus.  I have docspyware already loaded and executed but the problem still persists.
     

    Emilio (SVK)
    Gold Member




    Date Joined Jan 2005
    Total Posts : 1876
     
       Posted 1-24-2005 2:28 (GMT +1)
    Hi...

    Download Dr.Delete
    http://www.docsdownloads.com/Tier1/dr-delete.htm

    Download Mwav
    http://www.spywareinfo.dk/download/mwav.exe

    Download SpySweeper
    http://www.webroot.com/downloads/

    Download Ad-Aware SE
    http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10045910.html?part=dl-ad-aware&subj=dl&tag=top5

    install and check for update....

    --------------GO OFFLINE-----------------------------
    check:
    O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\Ceres.dll
    O4 - HKLM\..\Run: [chcfkje] C:\WINDOWS\System32\pdgcyc.exe
    O4 - HKCU\..\Run: [rate.exe] C:\WINDOWS\System32\i1ru54n4.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
    O9 - Extra button: Dell Home - {DE9F7D9E-71AE-44E3-8DE5-D741FBFD7B86} - http://www.dellnet.com/ (file missing) (HKCU)
    FIX CHECKED....

    Disable System Restore
    http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm

    Show hidden files:
    http://www.bleepingcomputer.com/forums/index.php?showtutorial=62

    reboot...safe mode(administrator)...delete:(manually or with Dr.Delete)

    C:\WINDOWS\System32\i1ru54n4.exe
    C:\WINDOWS\System32\pdgcyc.exe
    C:\WINDOWS\Ceres.dll

    run scan with Mwav (all scan options)
    run scan with Ad-AwareSE(full system scan)
    run scan with SpySweeper
    run scan with ErrorGuard

    Delete files/folders from the following directories (but not the directory itself; for example, delete all files/folders IN temp).
    C:\Windows\Temp\
    C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
    C:\Documents and Settings\<All other users Profile>\Local Settings\Temp\
    C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <<<This will delete your files in your internet cache--including cookies.
    C:\Documents and Settings\<All other users Profile>\Local Settings\Temporary Internet Files\
    Empty your "Recycle Bin"

    There are usually a couple of files that you will not be able to delete..this is normal.

    Enable system restore.......reboot..post new log here


    Emilio24

    >Hijackthis< , >FireFox<

    Post Edited (Emilio (SVK)) : 5/29/2005 9:01:37 PM GMT

     

    stormbringer
    New Member


    Date Joined Jan 2005
    Total Posts : 1
     
       Posted 1-26-2005 9:26 (GMT +1)
    Having tried all my antivirus and antispyware programs, the only thing that seems to work is removing ceres.dll and buddy.exe and any other suspicious files with Evidence Eliminator.
     

    Miriam
    New Member


    Date Joined Jan 2005
    Total Posts : 2
     
       Posted 1-27-2005 2:58 (GMT +1)
    Hey I found a great way to delete unwanted files like ceres.dll and the buddy.exe.  Use the following link: http://www.softwarepatch.com/tips/howto-delete-xp.html
     
    Hope this is helpful!
     

    PopUpHater
    New Member


    Date Joined Feb 2005
    Total Posts : 1
     
       Posted Yesterday 5:29 (GMT +1)
    After a bit of research, I find that the ceres.dll file belongs to Google
    ...specifically adwords.google.com...
     
    "...the AdWords system analyzes search terms for region or city names that show what area a person is looking for. It also looks for the searcher's internet protocol (IP) address to determine what region that person is searching from. AdWords will then display your ads based on these location-specific cues."
     
    It's their new ad loophole to all the ad blockers.  Whereas it's our way to find out how to delete it or deinstall it.... I have a better idea. 
     
    Basically all the companies buying the ads pay "...a nominal, one-time activation fee for Google AdWords. After that, you pay only for clicks on your AdWords ads, and you can control that by telling us how much you are willing to pay per click and per day."
     
    We need a script that will allow the Ceres window to be tagged (since it will cause the advertiser to pay Google), let it go to the new site (on low priority so we can continue what we were doing) then close. 
     
    I know it's a pain in the butt... but doing it would make the cheap prices of advertising in this way go sky high.   It'd be nice to see the advertisers aggravated for once.
     
    It's time for payback.
     
     
     
     
     

    MotaXC
    New Member


    Date Joined May 2005
    Total Posts : 3
     
       Posted 5-26-2005 12:01 (GMT +1)
    Alright, I've got Ceres.dll on my computer along with buddy.exe. Usually I can get rid of these viruses/spyware etc without many problems, but this one keeps coming back. I've been able to temporarily delete these, but I must be missing something that allows these to regenerate. While running spybotSD, a message keeps coming up with something trying to add the cursed BHO 00000049-8F91-4D9C-9573-F016E7626484. I have windows ME. Any help is appreciated. I'd like to know how you guys can tell what's a legal running process and what's garbage. Anyway, here's the hijack this log...
     
    Logfile of HijackThis v1.99.1
    Scan saved at 6:47:21 AM, on 5/26/2005
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
    C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
    C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\SYSTEM\ELITELXY32.EXE
    C:\WINDOWS\SYSTEM\BEVZPX.EXE
    C:\WINDOWS\RunDLL.exe
    C:\PROGRAM FILES\AIM95\AIM.EXE
    C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
    C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
    C:\WINDOWS\CALC.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://weather.cod.edu/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O1 - Hosts: 66.40.16.218 auto.search.msn.com
    O2 - BHO: Replace Search Ctl - {832BEBED-C3DA-4534-A2C2-B2FFF220C820} - C:\WINDOWS\SYSTEM\REPLACESEARCH.DLL
    O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLST.DLL (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - (no file)
    O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
    O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\CFGMGR52.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [OmgStartup] C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\SYSTEM\winupdt.exe
    O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
    O4 - HKLM\..\Run: [checkrun] C:\WINDOWS\SYSTEM\ELITELXY32.EXE
    O4 - HKLM\..\Run: [bevzpx] c:\windows\system\bevzpx.exe
    O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\CFGMGR52.DLL,DllRun
    O4 - HKLM\..\Run: [BMan] C:\WINDOWS\All Users\Application Data\msw\BMan1.exe
    O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\PROGRAM FILES\WEIRDONTHEWEB\WEIRDONTHEWEB.EXE"
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [MSRUTI] C:\WINDOWS\SYSTEM\MSRUTI.exe
    O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
    O4 - HKCU\..\Run: [sfita] C:\WINDOWS\sfita.exe
    O4 - HKCU\..\Run: [QQMQ] C:\PROGRAM FILES\COMMON FILES\QQMQ\QQMQM.EXE
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE (file missing)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE (file missing)
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://66.231.212.4/activex/AxisCamControl.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/qtinstall.info.apple.com/pthalo/us/win/QuickTimeFullInstaller.exe
     

    MotaXC
    New Member


    Date Joined May 2005
    Total Posts : 3
     
       Posted 5-28-2005 4:52 (GMT +1)
    bump

    Luffy
    Trusted Member


    Date Joined May 2005
    Total Posts : 150
     
       Posted 5-28-2005 10:42 (GMT +1)
    1. My Computer -> Way at the top choose Tools -> Folder Options -> View -> Select Show Hidden Files -> Uncheck protected operating system files (recommended) -> Say Yes -> Click OK.

    2. Right-click My Computer -> Performance tab -> File System button -> Troubleshooting -> Check Disable System Restore.

    3. When you are asked to restart, say YES; if it doesn't, restart anyway. While your computer is restarting, press F1 or one of the F keys to boot into safe mode.

    4. Run HijackThis and check the following.

    C:\WINDOWS\SYSTEM\BEVZPX.EXE
    C:\WINDOWS\SYSTEM\ELITELXY32.EXE
    R3 - Default URLSearchHook is missing
    O1 - Hosts: 66.40.16.218 auto.search.msn.com
    O2 - BHO: Replace Search Ctl - {832BEBED-C3DA-4534-A2C2-B2FFF220C820} - C:\WINDOWS\SYSTEM\REPLACESEARCH.DLL
    O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLST.DLL (file missing)
    O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - (no file)
    O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
    O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\CFGMGR52.DLL

    The following O4 entries are unknown programs to me. They might be associated with one of the programs you use; if you know what they are, then leave them alone, otherwise remove them.

    O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
    O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\SYSTEM\winupdt.exe
    O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
    O4 - HKLM\..\Run: [checkrun] C:\WINDOWS\SYSTEM\ELITELXY32.EXE
    O4 - HKLM\..\Run: [bevzpx] c:\windows\system\bevzpx.exe
    O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\CFGMGR52.DLL,DllRun
    O4 - HKLM\..\Run: [BMan] C:\WINDOWS\All Users\Application Data\msw\BMan1.exe
    O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\PROGRAM FILES\WEIRDONTHEWEB\WEIRDONTHEWEB.EXE"
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [MSRUTI] C:\WINDOWS\SYSTEM\MSRUTI.exe
    O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
    O4 - HKCU\..\Run: [sfita] C:\WINDOWS\sfita.exe
    O4 - HKCU\..\Run: [QQMQ] C:\PROGRAM FILES\COMMON FILES\QQMQ\QQMQM.EXE

    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE (file missing)
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE (file missing)
    O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com

    5. Restart your computer as you normally do and do an online virus scan here. When the scan is finished, repost your log.

    http://housecall.trendmicro.com/housecall/start_corp.asp
    http://www.pandasoftware.com/products/activescan/com/activescan_principal.htm
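
Added example, not part of the original posts: a small Python parser for the HijackThis log format quoted in this thread. It extracts the O1 hosts, O2 BHO and O4 autorun entries, then reports which autorun entries correspond to a process in the running list and which BHOs point at a missing file. The sample log is constructed from lines in the thread, and the function names are hypothetical.

```python
import re

# Constructed sample: a handful of lines copied from the log quoted in this thread.
SAMPLE_LOG = r"""
C:\WINDOWS\SYSTEM\ELITELXY32.EXE
C:\WINDOWS\SYSTEM\BEVZPX.EXE
C:\PROGRAM FILES\AIM95\AIM.EXE
O1 - Hosts: 66.40.16.218 auto.search.msn.com
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLST.DLL (file missing)
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
O4 - HKLM\..\Run: [checkrun] C:\WINDOWS\SYSTEM\ELITELXY32.EXE
O4 - HKLM\..\Run: [bevzpx] c:\windows\system\bevzpx.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
"""

BHO = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*?)( \(file missing\))?$")
RUN = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(.+?)\] (.*)$")
HOSTS = re.compile(r"^O1 - Hosts: (\S+) (\S+)$")

def exe_of(cmd):
    """Best-effort executable path from an autorun command (paths may contain spaces)."""
    if cmd.startswith('"'):
        return cmd.split('"')[1].lower()
    m = re.match(r"(.*?\.exe)\b", cmd, re.I)
    return (m[1] if m else cmd.split()[0]).lower()

def parse(log):
    """Split a HijackThis log into running processes, hosts, BHO and autorun entries."""
    out = {"procs": set(), "hosts": [], "bho": [], "run": []}
    for line in (l.strip() for l in log.splitlines()):
        if m := BHO.match(line):
            out["bho"].append({"name": m[1], "clsid": m[2], "path": m[3], "missing": bool(m[4])})
        elif m := RUN.match(line):
            out["run"].append({"hive": m[1], "key": m[2], "name": m[3], "exe": exe_of(m[4])})
        elif m := HOSTS.match(line):
            out["hosts"].append((m[1], m[2]))
        elif re.match(r"^[A-Za-z]:\\", line):  # bare path = "Running processes" entry
            out["procs"].add(line.lower())
    return out

def running_autoruns(parsed):
    """Names of autorun entries whose executable is also in the running-process list."""
    return [r["name"] for r in parsed["run"] if r["exe"] in parsed["procs"]]

def orphaned_bhos(parsed):
    """CLSIDs of BHO registrations whose DLL HijackThis reported as missing."""
    return [b["clsid"] for b in parsed["bho"] if b["missing"]]
```

Matching is on the full lower-cased path, so an autorun entry given without a directory (for example `loadqm.exe`) will not be paired with its running process.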

    spywareguru
    New Member


    Date Joined May 2005
    Total Posts : 6
     
       Posted 5-29-2005 8:45 (GMT +1)
    GarbageClean removes ceres.dll.

    MotaXC
    New Member


    Date Joined May 2005
    Total Posts : 3
     
       Posted 6-2-2005 7:40 (GMT +1)
    Thank you very much for the help. I had deleted some of the files you asked already, but others I wasn't sure about. The virus scan came up with 16 infecteds after all that, most of which were familiar from the other files. stlb2.dll and e6f1873b.dll could not be deleted through the 'housecall' so I went into safe mode and deleted them manually. Everything runs quickly now, with only the primary running processes, and I haven't seen a single pop-up.