I'm New Here, And Would Like Some Advice [Ceres.dll - HJT log]

Discussion in 'Malware and Virus Removal Archive' started by IDLERACER, 2005/06/24.

Thread Status:
Not open for further replies.
  1. 2005/06/24
    IDLERACER

    IDLERACER Inactive Thread Starter

    Joined:
    2005/06/24
    Messages:
    136
    Likes Received:
    0
    First, I should explain that my operating system is Windows 98. My computer is equipped with the free versions of Avast, Spyware Doctor, Hijack This and CWShredder. I just recently added the last two, after browsing around several of the posts made in these forums.

    I've had a Ceres.dll file on my computer in the C:\Windows folder for some time now and of course, am unable to dislodge it. So far, it has caused me nothing but minor annoyances, such as taking me to a phony search engine whenever I click on the Explorer icon, but I really would like to get rid of it.

    Here is my most recent Hijack This Log:

    Logfile of HijackThis v1.99.1
    Scan saved at 8:30:46 AM, on 6/24/05
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
    C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE
    C:\ATI\ATIDESK\ATISCHED.EXE
    C:\PROGRAM FILES\MSWORKS\CALENDAR\WKCALREM.EXE
    C:\PROGRAM FILES\VERIZON ONLINE\BIN\MPBTN.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\HIJACK THIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://cgi.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=6.1&bm=ho_search
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cgi.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=6.1&bm=ho_home
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://cgi.verizon.net/bookmarks/bmredir.asp?region=west&bw=dsl&cd=4.0&bm=ho_home
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
    O2 - BHO: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\PROGRA~1\COMMON~1\VERIZO~1\SFP\VZBB.DLL
    O2 - BHO: IE SP2 AddOn - {1FC78E00-CF08-11D9-B235-0008541E34D8} - C:\WINDOWS\SYSTEM\SPOBZ.DLL
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDSG.DLL
    O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\PROGRA~1\COMMON~1\VERIZO~1\SFP\VZBB.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O4 - HKLM\..\RunOnce: [InstallHelper C:\Program Files\Common Files\Motive] "C:\Program Files\Common Files\Motive\InstallHelper.exe" "/DIR=C:\Program Files\Common Files\Motive "
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
    O4 - Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\bin\matcli.exe
    O4 - Startup: Crystal 3D Audio Control.lnk = C:\WINDOWS\CWD3DSND.EXE
    O4 - Startup: ATI Scheduler.lnk = C:\ati\atidesk\atisched.exe
    O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\MSWorks\Calendar\WKCALREM.EXE
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
    O14 - IERESET.INF: START_PAGE_URL=http://cgi.verizon.net/bookmarks/bmredir.asp?region=west&bw=dsl&cd=4.0&bm=ho_home
    O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/2558d87cec413928d705/netzip/RdxIE601.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.184.84,195.225.176.37

    If it's of any help, here is my latest Spyware Doctor log as well:

    Infection Name Location Risk
    CWS.Search For multiple High
    Common Components for Transponders HKCR\Interface\{BB0D5ADC-028D-4185-9288-722DDCE2C757} High
    Common Components for Transponders HKCR\Interface\{BB0D5ADC-028D-4185-9288-722DDCE2C757}## High
    Common Components for Transponders HKCR\Interface\{BB0D5ADC-028D-4185-9288-722DDCE2C757}\ProxyStubClsid High
    Common Components for Transponders HKCR\Interface\{BB0D5ADC-028D-4185-9288-722DDCE2C757}\ProxyStubClsid## High
    Common Components for Transponders HKCR\Interface\{BB0D5ADC-028D-4185-9288-722DDCE2C757}\ProxyStubClsid32 High
    Common Components for Transponders HKCR\Interface\{BB0D5ADC-028D-4185-9288-722DDCE2C757}\ProxyStubClsid32## High
    Common Components for Transponders HKCR\Interface\{BB0D5ADC-028D-4185-9288-722DDCE2C757}\TypeLib High
    Common Components for Transponders HKCR\Interface\{BB0D5ADC-028D-4185-9288-722DDCE2C757}\TypeLib## High
    Common Components for Transponders HKCR\Interface\{BB0D5ADC-028D-4185-9288-722DDCE2C757}\TypeLib##Version High
    Common Components for Transponders HKCR\TypeLib\{92DAF5C1-2135-4E0C-B7A0-259ABFCD3904} High
    Common Components for Transponders HKCR\TypeLib\{92DAF5C1-2135-4E0C-B7A0-259ABFCD3904}## High
    Common Components for Transponders HKCR\TypeLib\{92DAF5C1-2135-4E0C-B7A0-259ABFCD3904}\1.1 High
    Common Components for Transponders HKCR\TypeLib\{92DAF5C1-2135-4E0C-B7A0-259ABFCD3904}\1.1## High
    Common Components for Transponders HKCR\TypeLib\{92DAF5C1-2135-4E0C-B7A0-259ABFCD3904}\1.1\FLAGS High
    Common Components for Transponders HKCR\TypeLib\{92DAF5C1-2135-4E0C-B7A0-259ABFCD3904}\1.1\FLAGS## High
    Common Components for Transponders HKCR\TypeLib\{92DAF5C1-2135-4E0C-B7A0-259ABFCD3904}\1.1\0 High
    Common Components for Transponders HKCR\TypeLib\{92DAF5C1-2135-4E0C-B7A0-259ABFCD3904}\1.1\0## High
    Common Components for Transponders HKCR\TypeLib\{92DAF5C1-2135-4E0C-B7A0-259ABFCD3904}\1.1\0\win32 High
    Common Components for Transponders HKCR\TypeLib\{92DAF5C1-2135-4E0C-B7A0-259ABFCD3904}\1.1\0\win32## High
    Common Components for Transponders HKCR\TypeLib\{92DAF5C1-2135-4E0C-B7A0-259ABFCD3904}\1.1\HELPDIR High
    Common Components for Transponders HKCR\TypeLib\{92DAF5C1-2135-4E0C-B7A0-259ABFCD3904}\1.1\HELPDIR## High
    Common Components for Transponders HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-1 High
    Common Components for Transponders HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-1## High
    Common Components for Transponders HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-1##UninstallString High
    Common Components for Transponders HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-1##DisplayName High
    Common Components for Transponders HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-1##URLInfoAbout High
    Common Components for Transponders HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-1##Publisher High
    Common Components for Transponders HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-1##HelpLink High
    Common Components for Transponders HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-1##Contact High
    Transponder.Ceres HKCR\CeresDll.CeresDllObj High
    Transponder.Ceres HKCR\CeresDll.CeresDllObj## High
    Transponder.Ceres HKCR\CeresDll.CeresDllObj\CLSID High
    Transponder.Ceres HKCR\CeresDll.CeresDllObj\CLSID## High
    Transponder.Ceres HKCR\CeresDll.CeresDllObj\CurVer High
    Transponder.Ceres HKCR\CeresDll.CeresDllObj\CurVer## High
    Transponder.Ceres HKCR\CeresDll.CeresDllObj.1 High
    Transponder.Ceres HKCR\CeresDll.CeresDllObj.1## High
    Transponder.Ceres HKCR\CeresDll.CeresDllObj.1\CLSID High
    Transponder.Ceres HKCR\CeresDll.CeresDllObj.1\CLSID## High
    Transponder.Ceres HKCU\Software\Ceres High
    Transponder.Ceres HKCU\Software\Ceres## High
    Transponder.Ceres HKCU\Software\Ceres##CSI4d3OfSDist High
    Transponder.Ceres HKCU\Software\Ceres##CSI4d3OfSInst High
    Transponder.Ceres HKCU\Software\Ceres##CSC4n3trMsgSDisp High
    Transponder.Ceres HKCU\Software\Ceres##CST4o3pListSPos High
    Transponder.Ceres HKCU\Software\Ceres##CSs4t3icky1S High
    Transponder.Ceres HKCU\Software\Ceres##CSs4t3icky2S High
    Transponder.Ceres HKCU\Software\Ceres##CSs4t3icky3S High
    Transponder.Ceres HKCU\Software\Ceres##CSs4t3icky4S High
    Transponder.Ceres HKCU\Software\Ceres##CSC1o4d3eOfSFinalAd High
    Transponder.Ceres HKCU\Software\Ceres##CST4i3m6eOfSFinalAd High
    Transponder.Ceres HKCU\Software\Ceres##CSD4s3tSSEnd High
    Transponder.Ceres HKCU\Software\Ceres##CS4N3a6tionSCode High
    Transponder.Ceres HKCU\Software\Ceres##CSP4D3om High
    Transponder.Ceres HKCU\Software\Ceres##CST4h3rshSCheckSIn High
    Transponder.Ceres HKCU\Software\Ceres##CST4h3rshSMots High
    Transponder.Ceres HKCU\Software\Ceres##CSM4o3deSSync High
    Transponder.Ceres HKCU\Software\Ceres##CSI4n3ProgSCab High
    Transponder.Ceres HKCU\Software\Ceres##CSI4n3ProgSEx High
    Transponder.Ceres HKCU\Software\Ceres##CSI4n3ProgSLstest High
    Transponder.Ceres HKCU\Software\Ceres##CSE4v3nt High
    Transponder.Ceres HKCU\Software\Ceres##CSL4a3stMotsSDay High
    Transponder.Ceres HKCU\Software\Ceres##CSL4a3stSSChckin High
    Transponder.Ceres HKCU\Software\Ceres##CSB4D3om High
    Transponder.Ceres HKCU\Software\Ceres##CST4h3rshSBath High
    Transponder.Ceres HKCU\Software\Ceres##CST4h3rshSysSInf High
    Transponder.Ceres HKCU\Software\Ceres##CSL4n3Title High
    Transponder.Ceres HKCU\Software\Ceres##CSC4u3rrentSMode High
    Transponder.Ceres HKCU\Software\Ceres##CSC4n3tFyl High
    Transponder.Ceres HKCU\Software\Ceres##CSI4g3noreS High
    Trojan Common Components HKLM\software\vendor\xml Medium
    Trojan Common Components HKLM\software\vendor\xml## Medium
    Transponder.Ceres HKCR\CLSID\{00000049-8F91-4D9C-9573-F016E7626484} High
    Transponder.Ceres HKCR\CLSID\{00000049-8F91-4D9C-9573-F016E7626484}\ProgID High
    Transponder.Ceres HKCR\CLSID\{00000049-8F91-4D9C-9573-F016E7626484}\VersionIndependentProgID High
    Transponder.Ceres HKCR\CLSID\{00000049-8F91-4D9C-9573-F016E7626484}\Programmable High
    Transponder.Ceres HKCR\CLSID\{00000049-8F91-4D9C-9573-F016E7626484}\InprocServer32 High
    Transponder.Ceres HKCR\CLSID\{00000049-8F91-4D9C-9573-F016E7626484}\TypeLib High
    Transponder.Ceres HKLM\Software\Classes\CLSID\{00000049-8F91-4D9C-9573-F016E7626484} High
    Transponder.Ceres HKLM\Software\Classes\CLSID\{00000049-8F91-4D9C-9573-F016E7626484}\ProgID High
    Transponder.Ceres HKLM\Software\Classes\CLSID\{00000049-8F91-4D9C-9573-F016E7626484}\VersionIndependentProgID High
    Transponder.Ceres HKLM\Software\Classes\CLSID\{00000049-8F91-4D9C-9573-F016E7626484}\Programmable High
    Transponder.Ceres HKLM\Software\Classes\CLSID\{00000049-8F91-4D9C-9573-F016E7626484}\InprocServer32 High
    Transponder.Ceres HKLM\Software\Classes\CLSID\{00000049-8F91-4D9C-9573-F016E7626484}\TypeLib High
    Transponder.Ceres C:\WINDOWS\CERES.DLL High
    Transponder.Ceres C:\WINDOWS\SYSTEM\dfeldl.exe High
    Common Components for Transponders C:\WINDOWS\TEMP\drp2091.TMP\thnall5c.exe High
    Common Components for Transponders C:\WINDOWS\TEMP\drp1223.TMP\thnall5c.exe High

    In the past, I have dug into the Registry Editor and have gotten rid of anything that this software has revealed to be a nuisance, but unfortunately, just about anything that includes the word "Ceres" in it can't even be deleted from the registry. Any advice would be much appreciated. Also please let me know if there's anything else I should be getting rid of that's in the Hijack This log.
     
  2. 2005/06/24
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    IDLERACER - Welcome to the Board :)

    Please observe Posting Rules #3 - Meaningful Subject. As you are new here I have edited your thread title.

    BTW - please desist from posting in bold - just follow the general practice of the BBS and use 'normal' type. Bold should be used only to emphasize the occasional word or phrase. I have edited your post.
     

  4. 2005/06/24
    IDLERACER

    IDLERACER Inactive Thread Starter

    Joined:
    2005/06/24
    Messages:
    136
    Likes Received:
    0
    Sorry, I only used the bold and color functions to make it easier to distinguish between my questions and my computer's logs. Anyhow, does anybody have any advice? :cool:
     
  5. 2005/06/24
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    How to delete Ceres.Dll
    Restart in DOS mode, and do these commands at the prompt, pressing Enter at the end of each line:
    smartdrv
    deltree c:\windows\history
    deltree c:\windows\temp
    deltree c:\windows\tempor~1
    deltree C:\WINDOWS\CERES.DLL
    deltree C:\WINDOWS\SYSTEM\dfeldl.exe
    deltree C:\WINDOWS\SYSTEM\SPOBZ.DLL

    Type a Y to confirm that you want to delete, and check for typos at this time. When done, reboot. The folders I have up there will be rebuilt clean as Windows starts up.

    When done, rescan with HJT and remove these items.
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
    O2 - BHO: IE SP2 AddOn - {1FC78E00-CF08-11D9-B235-0008541E34D8} - C:\WINDOWS\SYSTEM\SPOBZ.DLL

    Get About:Buster, update it, and run it twice, back to back.
    Did you update CWS before you used it, as the infection is in the log.

    BTW, you can go into Control Panel\Add Remove Program, click on Windows setup, and uninstall Universal Plug and Play, or use UnPlug n' Pray from here to disable it. It isn't needed and was not included with 98. Something else installed it, maybe you used an Internet Connection Sharing setup file from XP?
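
The cross-check behind the steps above, as an added example that is not part of the original posts: it parses HijackThis entry lines and picks out the ones still naming a file deleted in DOS mode, plus the R0/R1 values under the IE Search and SearchURL keys. The function names and the Search-key selection rule are assumptions made for this illustration; the sample lines and file paths are copied from this thread.

```python
import re

# A HijackThis entry line is "<section> - <details>", e.g. "O2 - BHO: ...".
ENTRY = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<details>.+)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Assumed selection rule: R0/R1 values under the IE Search and SearchURL keys,
# which is where all four R items in the reply's list sit.
IE_SEARCH_KEY = re.compile(r"\\Internet Explorer\\(?:Search|SearchURL),", re.I)

# Files the reply deletes from DOS mode.
DELETED = [r"C:\WINDOWS\CERES.DLL", r"C:\WINDOWS\SYSTEM\dfeldl.exe",
           r"C:\WINDOWS\SYSTEM\SPOBZ.DLL"]

# Lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cgi.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=6.1&bm=ho_home
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O2 - BHO: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\PROGRA~1\COMMON~1\VERIZO~1\SFP\VZBB.DLL
O2 - BHO: IE SP2 AddOn - {1FC78E00-CF08-11D9-B235-0008541E34D8} - C:\WINDOWS\SYSTEM\SPOBZ.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
"""

def parse_hjt(text):
    """Return one dict per entry line; headers and process paths are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        details = m.group("details")
        clsid = CLSID.search(details)
        entries.append({"section": m.group("section"), "details": details,
                        "clsid": clsid.group(0) if clsid else None})
    return entries

def references_deleted(entry, deleted=DELETED):
    """True when the entry still names a file that was deleted from disk."""
    text = entry["details"].upper()
    return any(path.upper() in text for path in deleted)

def fix_candidates(text, deleted=DELETED):
    """Entries to review on the HijackThis rescan, in log order."""
    picked = []
    for e in parse_hjt(text):
        is_search = e["section"] in ("R0", "R1") and IE_SEARCH_KEY.search(e["details"])
        if is_search or references_deleted(e, deleted):
            picked.append(e)
    return picked
```

On the sample lines this selects the same five entries the reply lists; the 8.3 short paths in other entries (such as `C:\PROGRA~1\...`) are compared as written and are not expanded.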
     
  6. 2005/06/25
    IDLERACER

    IDLERACER Inactive Thread Starter

    Joined:
    2005/06/24
    Messages:
    136
    Likes Received:
    0
    I think I should explain that I have virtually no experience whatsoever with working in DOS mode, so I'm going to need a little help here. When I click on the DOS icon, a black screen opens up that looks like this:

    Microsoft(R) Windows 98
    (C)Copyright Microsoft Corp 1981-1998

    C:\Windows>_


    Now what exactly is the very first thing I should do? Just typing in smartdrv and pressing enter obviously isn't correct. By the way, I greatly appreciate your help.
     
  7. 2005/06/26
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    No problem :) You must start the computer in DOS mode - not access a DOS prompt from within Windows.

    Shut down the computer.

    Boot the computer and as soon as you hear the BIOS beep hit the F8 key repeatedly.

    You should get the screen shown below with a choice of start up options - select #5 Command Prompt only > Enter

    The computer then starts to the C:> prompt as shown below.

    Now follow markp62's instructions ....

    Type smartdrv > Enter and so on.

    Where would we be without digital cameras :D

    HTH
     
  8. 2005/06/27
    IDLERACER

    IDLERACER Inactive Thread Starter

    Joined:
    2005/06/24
    Messages:
    136
    Likes Received:
    0
    Thanks markp62 and PeteC! It worked like a charm. The only question I don't understand is this:

    "Did you update CWS before you used it, as the infection is in the log. "

    How does one go about updating CWS? I downloaded it off of Download.com.
     
  9. 2005/06/27
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    Glad to hear that 'you're fixed' :)
    I can only think that markp62 was implying that you did not have the latest version of CWS which is v 2.15 - released May 2005 and available here. Quite possible that download.com have an older version.
     