Remove Ceres.dll

Well...I have had other spyware situations and never had as much trouble as I have had with this one.
I keep thinking I get it all off and then boom it is back.

I have ran Spybot, AdAware, did a full (with up to date updates) Symantec virus scans.
I also removed the Ceres section from the regcleaner program I use.

I am running WinXP SP2


I have went into safe mode and manually removed the Ceres.Dll and buddy program.

I am not sure if I got this thing from the Kazaa Lite Resurrected program or my wife installing some IE Search Tool bar....I have uninstalled both of those programs but can not remember the name of the Tool Bar that was on.

Here is the HiJack this Log file.


Logfile of HijackThis v1.99.0
Scan saved at 5:47:53 PM, on 1/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\windows\system32\qggwftu.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\windows\system32\calc.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\MMS\My Documents\Recordings\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\Ceres.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe "
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe "
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [qggwftu] c:\windows\system32\qggwftu.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe



I have deleted the ceres section on this one as well but it comes back again.
Any help would be appreciated, I am sure there is some part that I am missing but for the life of me I can not catch it.

Thanks in advanced.

 

You missed because it is well hidden by some very clever programmers.

Take a look Here for more information on what you have and some specifics for doing a manual removal of this particular VX2 beast.

 

Disable System Restore XP, and reboot. This is one thing that would put it right back, as the below files exists in the windows folders and SR thinks they should be there.

Delete all files and folders located in all your user temp folders.

Remove these with HJT.

O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\Ceres.dll
O4 - HKLM\..\Run: [qggwftu] c:\windows\system32\qggwftu.exe

Reboot and delete these files.
C:\WINDOWS\Ceres.dll
c:\windows\system32\qggwftu.exe

Did you happen to have Windows Calculator open while making the HJT log? If you did not, I would advise a online AV scan.
RAV Online Scan

 

Thanks for the help....it seems to have done the trick.

I guess I made two errors when trying to fix the problem.

Not recognizing the qggwftu.exe....and also not turning off the system restore.
Now I am ok with missing the first, but had to smack myself for forgetting about the system restore.

Thanks again, your help was greatly appreciated.