Unsolved

March 12th, 2006 16:00

Browsella.dll

If I ever meet the person that made this, I swear I will cave their face in with a bat.  Anyway, here is my information from Hijack and win32delfkil. Any help would be greatly appreciated!
 
Logfile of HijackThis v1.99.1
Scan saved at 1:10:05 PM, on 3/12/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Hawking Technologies\HWL2 WiFi Locator Pro\HWL2.exe
C:\Program Files\Belkin\Nostromo\nost_LM.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\lee\Desktop\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - Global Startup: Hawking Wireless Utility.lnk = C:\Program Files\Hawking Technologies\HWL2 WiFi Locator Pro\HWL2.exe
O4 - Global Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7CDFCD6C-1D6C-4EBB-A53A-F798CDE5FD6F}: NameServer = 85.255.114.60,85.255.112.226
O17 - HKLM\System\CCS\Services\Tcpip\..\{AEC288F0-2C52-4370-84BE-477DD85612B1}: NameServer = 85.255.114.60,85.255.112.226
O17 - HKLM\System\CCS\Services\Tcpip\..\{BB923D9F-054F-4AE2-BDDB-5E242FF28B73}: NameServer = 85.255.114.60,85.255.112.226
O17 - HKLM\System\CCS\Services\Tcpip\..\{F01D4B85-31A6-4365-8EA9-94074D2A357F}: NameServer = 85.255.114.60,85.255.112.226
O17 - HKLM\System\CCS\Services\Tcpip\..\{F54AAED1-1112-4409-A0BC-D20787E7343B}: NameServer = 85.255.114.60,85.255.112.226
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: SMDEn - C:\WINDOWS\system32\k0080adued080.dll
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - C:\WINDOWS\System32\dcom_14.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
************************
* WIN32DELFKIL LOGFILE *
************************
by Marckie
 
 
BEFORE RUNNING WIN32DELFKIL
***************************
 
File(s) found in Windows directory
----------------------------------
adsldpbj.dll
alt.exe
 
File(s) found in system32 folder
--------------------------------
browsela.dll
 
SharedTaskScheduler key
-----------------------
SteelWerX Registry Console Tool 1.0
Written by Bobbi Flekman © 2005
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler
   {438755C2-A8BA-11D1-B96B-00A0C90312E1} REG_SZ  Browseui preloader
   {8C7461EF-2B13-11d2-BE35-3078302C2030} REG_SZ  Component Categories cache daemon
   {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} REG_SZ  DCOM Server
   {31EE3286-D785-4E3F-95FC-51D00FDABC01} REG_SZ  Master Browsera
 
Notify key
----------
subkey browsela   is present! 
 
 
What are the steps I need to take to remove this? Thanks.

4 Apprentice • 8.8K Posts

March 12th, 2006 17:00

Sorry, this is an error post.

No ownership claimed.

Message Edited by zbestwun2001 on 03-12-2006 11:17 AM

4 Apprentice • 8.8K Posts

March 12th, 2006 21:00

Hi,
Let's try this a bit differently.

First I think we should get rid of the Vundo infection. That might be impeding the Browsella fix.

Please download VundoFix.exe version 4.2.29 to your desktop.
http://www.atribune.org/ccount/click.php?id=4

* Double-click VundoFix.exe to run it.
* Click the Scan for Vundo button.
* Once it's done scanning, click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files, click YES
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will shutdown your computer, click OK.
* Turn your computer back on.
* Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Steve

4 Apprentice • 8.8K Posts

March 13th, 2006 17:00

You need to shut off your Norton Script Blocking before doing any of these fixes.

You should also run that Browsella fix again with it off.

Steve

Message Edited by zbestwun2001 on 03-13-2006 12:06 PM

2 Intern • 5.9K Posts

March 13th, 2006 20:00

Looks like your win32delfkil didn't complete. There should be a section in the log labeled
 
AFTER RUNNING WIN32DELFKIL
**************************
 
Shut down, restart, and boot into Safe Mode by tapping the F8 key when you see the PC maker's logo. Keep tapping until it tells you it is going to Safe Mode or you see the Safe Mode menu. Select the top option. Log in as your usual login or you won't find the programs you put on the desktop, and some of the entries we want to remove will not appear in HijackThis.

Run HijackThis and just do a Scan only. Check, then Fix Checked, any of the following that remain:
 
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{7CDFCD6C-1D6C-4EBB-A53A-F798CDE5FD6F}: NameServer = 85.255.114.60,85.255.112.226
O17 - HKLM\System\CCS\Services\Tcpip\..\{AEC288F0-2C52-4370-84BE-477DD85612B1}: NameServer = 85.255.114.60,85.255.112.226
O17 - HKLM\System\CCS\Services\Tcpip\..\{BB923D9F-054F-4AE2-BDDB-5E242FF28B73}: NameServer = 85.255.114.60,85.255.112.226
O17 - HKLM\System\CCS\Services\Tcpip\..\{F01D4B85-31A6-4365-8EA9-94074D2A357F}: NameServer = 85.255.114.60,85.255.112.226
O17 - HKLM\System\CCS\Services\Tcpip\..\{F54AAED1-1112-4409-A0BC-D20787E7343B}: NameServer = 85.255.114.60,85.255.112.226
O20 - Winlogon Notify: SMDEn - C:\WINDOWS\system32\k0080adued080.dll
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - C:\WINDOWS\System32\dcom_14.dll
 
Now open the win32delfkil folder and double click on fix.bat. The computer should reboot automatically (if not, restart it yourself). Post the contents of c\windelf.txt along with a new HijackThis log as a reply.
 
Ron
 
PS. The O17 entries are for a DNS server in the Ukraine. Instead of asking your local ISP for the correct IP address, your PC is asking the Ukraine DNS for the IP address. The Ukraine DNS server can refuse to give you addresses for antivirus sites, or it may give you false IP addresses which lead you to fake sites. This is especially a problem when you try to log on to your bank account, if you get sent to a fake site and give them all of your account details.
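The O17 check Ron describes above (a NameServer value that points somewhere other than the ISP's or router's resolver) is easy to automate when reviewing a HijackThis log. The following is an added example, not code from this thread or from the HijackThis project: it parses O17 lines, extracts the interface GUID and the resolver list, and flags any resolver that is neither a private (LAN/router) address nor in an allowlist of expected resolvers. The sample log lines are constructed from the entries posted in this thread; the allowlisted range `192.0.2.0/24` and the third interface GUID are placeholders standing in for whatever the ISP's real resolvers and the machine's real adapter IDs would be.

```python
import ipaddress
import re

# Constructed sample: the O17 lines from the HijackThis log in this thread, plus
# one placeholder interface whose resolver we treat as the ISP's legitimate one.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{7CDFCD6C-1D6C-4EBB-A53A-F798CDE5FD6F}: NameServer = 85.255.114.60,85.255.112.226
O17 - HKLM\System\CCS\Services\Tcpip\..\{AEC288F0-2C52-4370-84BE-477DD85612B1}: NameServer = 85.255.114.60,85.255.112.226
O17 - HKLM\System\CCS\Services\Tcpip\..\{11111111-2222-3333-4444-555555555555}: NameServer = 192.0.2.53
"""

# Placeholder allowlist: replace with the ISP's published resolver ranges.
TRUSTED_RESOLVERS = [ipaddress.ip_network("192.0.2.0/24")]

# O17 - <registry path>\{<interface GUID>}: NameServer = <comma-separated IPs>
O17_PATTERN = re.compile(
    r"^O17 - (?P<key>.+?)\{(?P<guid>[0-9A-Fa-f-]{36})\}: NameServer = (?P<servers>.+)$"
)


def parse_o17(log_text):
    """Return one dict per O17 line: interface GUID and its resolver list."""
    entries = []
    for line in log_text.splitlines():
        m = O17_PATTERN.match(line.strip())
        if not m:
            continue
        servers = [s.strip() for s in m.group("servers").split(",") if s.strip()]
        entries.append({"guid": "{" + m.group("guid") + "}", "servers": servers})
    return entries


def is_trusted_resolver(server, trusted):
    """A resolver is acceptable if it is a LAN/private address (typically the
    router) or falls inside one of the allowlisted networks."""
    try:
        addr = ipaddress.ip_address(server)
    except ValueError:
        return False  # not even a valid IP: treat as suspicious
    if addr.is_private:
        return True
    return any(addr in net for net in trusted)


def flag_rogue_dns(log_text, trusted):
    """Return (interface GUID, resolver) pairs whose resolver is not trusted."""
    flagged = []
    for entry in parse_o17(log_text):
        for server in entry["servers"]:
            if not is_trusted_resolver(server, trusted):
                flagged.append((entry["guid"], server))
    return flagged


def rogue_servers(log_text, trusted):
    """Distinct untrusted resolver addresses, sorted, for a quick summary."""
    return sorted({server for _, server in flag_rogue_dns(log_text, trusted)})


if __name__ == "__main__":
    for guid, server in flag_rogue_dns(SAMPLE_LOG, TRUSTED_RESOLVERS):
        print(f"interface {guid} uses untrusted resolver {server}")
    print("rogue resolvers:", rogue_servers(SAMPLE_LOG, TRUSTED_RESOLVERS))
```

Every interface that lists a rogue resolver is reported, which matters because the hijack in this thread was written to all five adapter keys; fixing one interface and leaving the others still leaves the machine resolving through the attacker's server.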
 