Cannot delete browsela.dll nohow noway...help?

H.Pol Sixe

A lot of people have had this problem and some seem to have success, but;

I've tried Trend Sysclean and Online, Killbox, HijackThis, Microsoft Anti
Spyware, McAfee Command Line Scanner (seemed to find and clear the most
objects), Ad-aware (froze up until McAfee cleanup) in regular, safe mode,
cmd mode, with and without system restore - they all recognize it, look
like something is happening, but every boot up it's back, and re-installs
alt.exe, some of the time. Opens up some TCP connection to someone in Hong
Kong, I think, unless there's something else doing that. How does the bloody
thing stay in there? Is there another seed file *.dll that has to be
deleted I'm missing/leaving? Anyone know any more tricks?

I'm not sure if it's even doing any harm anymore, just "bugs" me that I
can't expunge the file.

Hank Pol Sixe
(e-mail address removed)
 
Leythos

Where is the file located? I will write a small program to remove it. Have
you tried Ewido?

Ewido Security Suite Trial version
http://www.pcbutts1.com/downloads/[removed]

Ewido Security Suite Trial can be found here:
http://www.ewido.net/en/download/

Ask yourself if you really want to trust the advice and files provided
by a person that has all of their posts deleted, hides by 20+ different
identities, and has foul content on their website that they post links
to in Usenet.

Only download software you can validate as uncompromised - in the case
of non-vendor site you have no guarantee that the files are unmodified
or uncompromised. Anyone providing a link to a non-vendors site with a
direct download should not be trusted, the vendors sites are the safest
place to download their application.

No person of sound mind would download files from a hack site that
requires a password to access the unknown files when they are available
directly from the vendors.

Always remember - only download files from Trusted Sites.

The following links will take you to vendors sites for Spy Ware / Ad
ware removal tools and also for Antivirus tools. After you install any
of these applications and update them, run them in SAFE MODE to allow
them to properly clean your system.

These sites are for downloading Anti-Spyware tools, in order that I
would use them myself:

Dave Lipman's tools:
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

Secured2K's AntiPauper (download link/info at)
http://forums.mcafeehelp.com/viewtopic.php?t=65072

AdAwareSE can be found here:
http://www.lavasoft.de/support/download/

SpyBot Search and Destroy can be found here:
http://www.safer-networking.org/en/download/index.html

HiJack can be found here:
http://www.spywareinfo.com/~merijn/downloads.html

Ewido Security Suite Trial can be found here:
http://www.ewido.net/en/download/

CrapCleaner can be found at the vendors site here:
http://www.ccleaner.com/ccdownload.asp

CleanUp can be found at the vendors site here:
http://www.stevengould.org/software/cleanup/download.html
or from another reputable source:
http://www.tucows.com/get/405276_152071

The following are two links to Antivirus software in order that I would
use them:

You can also download Symantec Trial version of their Antivirus software
from here:
http://www.symantec.com/downloads/

Download AVG Personal Free edition from here:
http://free.grisoft.com/freeweb.php/doc/2/

These are the actual vendors sites, not some unknown or authorized no-
name site. They also don't artificially increase the hits for sites that
get paid for the amount of traffic they can generate like one poster has
admitted to in this group.
 
tosime

My sympathies Hank Pol Sixe.

I had a similar problem with another malware, but it was solved by a "Hijack
This" post to the Aumha.net forum.

It turned out that Spybot was restoring the malware entry in my registry. I
solved the problem by turning off Tea Timer in Spybot. This allowed the
anti-spyware programs to complete the clean up.

What you might try is a program called File Monitor. After you run it, it
provides a running log of all activity on your system. It might point to
what is happening during or after a cleanup.

Good luck...Tony

You can find File Monitor at: www.sysinternals.com
 
David H. Lipman

From: "H.Pol Sixe" <[email protected]>

| A lot of people have had this problem and some seem to have success, but;
|
| I've tried Trend Sysclean and Online, Killbox, HijackThis, Microsoft Anti
| Spyware, McAfee Command Line Scanner (seemed to find and clear the most
| objects), Ad-aware (froze up until McAfee cleanup) in regular, safe mode,
| cmd mode, with and without system restore - they all recognize it, look
| like something is happening, but every boot up it's back, and re-installs
| alt.exe, some of the time. Opens up some TCP connection to someone in Hong
| Kong, I think, unless there's something else doing that. How does the bloody
| thing stay in there? Is there another seed file *.dll that has to be
| deleted I'm missing/leaving? Anyone know any more tricks?
|
| I'm not sure if it's even doing any harm anymore, just "bugs" me that I
| can't expunge the file.
|
| Hank Pol Sixe
| (e-mail address removed)
|

It's the following Trojan; "Trojan-Downloader.Win32.Delf.aeo"

Delete the following...

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\browsela
HKEY_CLASSES_ROOT\CLSID\{31EE3286-D785-4E3F-95FC-51D00FDABC01}


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler

Delete the following job...
{31EE3286-D785-4E3F-95FC-51D00FDABC01}

Reboot and re-scan the computer using the McAfee, Sophos or Kaspersky scanner in the
following tool...


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm


* * * Please report back your results * * *
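
The registry locations named in the post above are both load points: a Winlogon Notify subkey names a DLL for winlogon.exe to load, and a SharedTaskScheduler value names a CLSID whose InprocServer32 DLL Explorer loads. As an added example (not part of the original post and not David Lipman's tooling), this Python code parses a registry export and lists every entry that loads a given DLL; the sample export is constructed, and its value data (DllName, the InprocServer32 path, the crypt32chain entry) is assumed for illustration.

```python
import re

# Constructed .reg export (not taken from the infected PC). Key paths and the
# CLSID are the ones named in the post; the value data is assumed.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\browsela]
"DllName"="browsela.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"="crypt32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{31EE3286-D785-4E3F-95FC-51D00FDABC01}"="browsela"

[HKEY_CLASSES_ROOT\CLSID\{31EE3286-D785-4E3F-95FC-51D00FDABC01}\InprocServer32]
@="C:\\WINDOWS\\system32\\browsela.dll"
'''

NOTIFY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon\notify"
STS = r"hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler"
CLSID = r"hkey_classes_root\clsid"
VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    return re.sub(r"\\(.)", r"\1", s)  # .reg files escape \ and " with a backslash

def parse_reg(text):
    """Return {lowercased key path: {lowercased value name: string data}}."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := VALUE.match(line)):
            name = "" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
            current[name.lower()] = unescape(m.group(2))
    return keys

def basename(path):
    return re.split(r"[\\/]", path)[-1].lower()

def find_persistence(keys, dll_name):
    """List (mechanism, entry) pairs whose registered DLL is dll_name."""
    hits, target = [], dll_name.lower()
    # Winlogon notification packages: one subkey each, DLL named in DllName.
    for path, values in keys.items():
        if path.startswith(NOTIFY + "\\") and basename(values.get("dllname", "")) == target:
            hits.append(("Winlogon Notify", path[len(NOTIFY) + 1:]))
    # SharedTaskScheduler: value names are CLSIDs, resolved via InprocServer32.
    for clsid in keys.get(STS, {}):
        server = keys.get(f"{CLSID}\\{clsid}\\inprocserver32", {})
        if basename(server.get("", "")) == target:
            hits.append(("SharedTaskScheduler", clsid.upper()))
    return hits

if __name__ == "__main__":
    for mechanism, entry in find_persistence(parse_reg(SAMPLE_REG), "browsela.dll"):
        print(f"{mechanism}: {entry}")
```

An export saved from regedit in the Version 5.00 format is UTF-16 encoded, so read it with `encoding="utf-16"` before passing the text to `parse_reg`.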
 
pcbutts1

Warning Leythos is an obsessed stalker.

--


The best live web video on the internet http://www.seedsv.com/webdemo.htm
NEW Embedded system W/Linux. We now sell DVR cards.
See it all at http://www.seedsv.com/products.htm
Sharpvision simply the best http://www.seedsv.com



 
Leythos

pcbutts1 said:
Warning Leythos is an obsessed stalker.

Prove what I've said below to be wrong, prove that you don't violate
security norms, prove that MS is not pulling all of your posts from
their servers when they detect them, prove that you don't host files
against the vendors/authors wishes, prove that and you won't hear from
me again.

Here is what I post when you VIOLATE SECURITY NORMS, prove it wrong:

Ask yourself if you really want to trust the advice and files provided
by a person that has all of their posts deleted, hides by 20+ different
identities, and has foul content on their website that they post links
to in Usenet.

Only download software you can validate as uncompromised - in the case
of non-vendor site you have no guarantee that the files are unmodified
or uncompromised. Anyone providing a link to a non-vendors site with a
direct download should not be trusted, the vendors sites are the safest
place to download their application.

No person of sound mind would download files from a hack site that
requires a password to access the unknown files when they are available
directly from the vendors.

Always remember - only download files from Trusted Sites.

The following links will take you to vendors sites for Spy Ware / Ad
ware removal tools and also for Antivirus tools. After you install any
of these applications and update them, run them in SAFE MODE to allow
them to properly clean your system.

These sites are for downloading Anti-Spyware tools, in order that I
would use them myself:

Dave Lipman's tools:
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

Secured2K's AntiPauper (download link/info at)
http://forums.mcafeehelp.com/viewtopic.php?t=65072

AdAwareSE can be found here:
http://www.lavasoft.de/support/download/

SpyBot Search and Destroy can be found here:
http://www.safer-networking.org/en/download/index.html

HiJack can be found here:
http://www.spywareinfo.com/~merijn/downloads.html

Ewido Security Suite Trial can be found here:
http://www.ewido.net/en/download/

CrapCleaner can be found at the vendors site here:
http://www.ccleaner.com/ccdownload.asp

CleanUp can be found at the vendors site here:
http://www.stevengould.org/software/cleanup/download.html
or from another reputable source:
http://www.tucows.com/get/405276_152071

The following are two links to Antivirus software in order that I would
use them:

You can also download Symantec Trial version of their Antivirus software
from here:
http://www.symantec.com/downloads/

Download AVG Personal Free edition from here:
http://free.grisoft.com/freeweb.php/doc/2/

These are the actual vendors sites, not some unknown or authorized no-
name site. They also don't artificially increase the hits for sites that
get paid for the amount of traffic they can generate like one poster has
admitted to in this group.
 
pcbutts1

You want proof, don't reply to this post. If you are not a stalker then
ignore this post by not replying and don't reply to any of my posts in any
NG even the MS ones that you keep saying I am banned in for 24 hours. Prove
you are not an obsessed stalker. It's 3pm your time starts now.

 
Leythos

You want proof, don't reply to this post. If you are not a stalker then
ignore this post by not replying and don't reply to any of my posts in any
NG even the MS ones that you keep saying I am banned in for 24 hours. Prove
you are not an obsessed stalker. It's 3pm your time starts now.

HA HA HA - you still can't prove anything, can you. I didn't reply to
any of your "The Game" posts, as they are not a security threat, they
are not taking credit for other vendors/authors works, they are not
unethical. If I was a stalker I would have followed ALL of your posts
with a reply, as it is, I only post when I see (content, not author) you
(or anyone) posting in a security threatening or unethical manner.

So, I guess this means that everything I said was true about you - since
you don't care to disprove any of it.
 
Leythos

pcbutts1 said:
WOW 17 minutes is all it took STALKER.

Wow yourself - been several months and you've not disproved anything
anyone's claimed about your pirating their software, about you hosting
files that vendors have publicly asked you to take off your site, that
you still make posts that are serious security threats, that you have
your posts to the MS Newsgroups yanked from the MS Usenet servers, that
you actually impersonate myself and other Usenet regulars....

You continue to post links to files where the vendors have publicly
asked you to NOT host their files.

You continue to pirate others' works

You continue to make posts that don't provide credit to the authors and
then accept that thanks when users reply to you - and you don't even
have the courtesy to mention the author when thanked...

You have never disproved any claims against you.....

Oh, and you're not being stalked, when I see ANYONE doing what you do I
post a warning about it.
 
Stephen Howe

You want proof, don't reply to this post.

I WANT PROOF OF YOUR CLAIMS.
PLEASE SUPPLY A GOOGLE REFERENCE WHERE LEYTHOS HAS IMPERSONATED YOU.
YOU HAVE 3 DAYS
FAILURE MEANS YOU ARE A DAMN LIAR !!!!

Stephen Howe
 
Peter Seiler

pcbutts1 - 15.01.2006 23:39 :
Warning Leythos is an obsessed stalker.

another bad example of your penetrant usenet behavior:

1. unnecessary fullquoting of ~ 120! quoting lines again. And all that
inserted in your SIG. You should know: a SIG should be only of about 4
lines! Please learn to quote.

2. you change the subjects as you want to "STALKER ALERT!" and then
shortly after to "STALKER ALERT." This also is no good usenet behavior.

Are you absolutely not learnable?
 
Peter Seiler

pcbutts1 - 16.01.2006 18:32 :
You need to get a new news reader and learn how to count. You are making a
fool of yourself.

it NOT depends on counting the quoting lines exactly but it is a
principle of your usenet/NG behavior.

Now in this post of yours there are *about* 60 unnecessary quoting lines
coming up after your SIG delimiter. All lines after a SIG delimiter are
components of a SIG!

Is it really so difficult to you posting *only* these quoting lines you
are concrete referring to? Googling you can find enough about right
quoting and SIG using by google. Please do that favour. Otherwise I
could find it out for you and post it to you.
 
H.Pol Sixe

No, didn't work. browsela.dll still stays in C:\windows\system32. Kaspersky
scanlog found: c:\WINDOWS\SYSTEM32\BROWSELA.DLL packed: UPX
c:\WINDOWS\SYSTEM32\BROWSELA.DLL infected: Trojan-Downloader.Win32.Delf.aeo

I've tried all three, McAfee, Sophos and Kaspersky as per the described
procedure with no luck. Guess I'll keep trying. Thanks for the input.

H.Pol. Sixe
(e-mail address removed)
 
David H. Lipman

From: "H.Pol Sixe" <[email protected]>

| No, didn't work. browsela.dll still stays in C:\windows\system32. Kaspersky
| scanlog found: c:\WINDOWS\SYSTEM32\BROWSELA.DLL packed: UPX
| c:\WINDOWS\SYSTEM32\BROWSELA.DLL infected: Trojan-Downloader.Win32.Delf.aeo
|
| I've tried all three, McAfee, Sophos and Kaspersky as per the described
| procedure with no luck. Guess I'll keep trying. Thanks for the input.
|
| H.Pol. Sixe
| (e-mail address removed)
|

Did you Remove Registry entries as suggested ?

The following has been scripted to remove many in the Delf Trojan family including this one.

Use the tool in Normal Mode then in Safe Mode.

Download SmitFraud.exe from the URL --
http://www.ik-cs.com/programs/virtools/SmitFraud.exe

Execute; SmitFraud.exe { Note: You must accept the default of C:\McAfee }
Choose; Unzip
Choose; Close

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to enable WGET.EXE to download the needed McAfee related files.

Execute; c:\mcafee\clean.bat
{ or Double-click on 'Clean Link' in c:\mcafee }

A final report in HTML format called C:\mcafee\ScanReport.HTML will be generated. At the
end of the scan, it will be displayed in your browser (Opera, FireFox or Internet Explorer).
It is suggested that you move the report out of c:\mcafee before performing another scan.

Please Copy and Paste the contents of the HTML Log file; C:\mcafee\ScanReport.HTML in your
reply.

* * * Please report back your results * * *
 
pcbutts1

I have created a tool that will replace your infected browsela.dll file. You
will need 1 blank floppy disk. Download the tool from the link below. Run
the file and it will copy the necessary files to the floppy disk. Once
created put that floppy in the infected computer and reboot it (Note: the
computer must be set to allow booting from the floppy) Follow the prompts
and agree to the license agreement. At the A: prompt type "browsdll" without
the quotes and press enter. If successful it will tell you. Reboot. If not
then let me know.

If your root drive is C:\windows then click here
http://216.122.228.48/downloads/dllfix.exe

 