Cannot delete browsela.dll nohow noway...help?

  • Thread starter: H.Pol Sixe
pcbutts1 said:
I have created a tool that will replace your infected browsela.dll file. You
will need 1 blank floppy disk. Download the tool from the link below. Run
the file and it will copy the necessary files to the floppy disk. Once
created put that floppy in the infected computer and reboot it (Note: the
computer must be set to allow booting from the floppy) Follow the prompts
and agree to the license agreement. At the A: prompt type "browsdll" without
the quotes and press enter. If successful it will tell you. Reboot. If not
then let me know.

If your root drive is C:\windows then click here
[removed security risk link]

Ask yourself if you really want to trust the advice and files provided
by a person that has all of their posts deleted, hides by 20+ different
identities, and has foul content on their website that they post links
to in Usenet.

Only download software you can validate as uncompromised - in the case
of non-vendor site you have no guarantee that the files are unmodified
or uncompromised. Anyone providing a link to a non-vendors site with a
direct download should not be trusted, the vendors sites are the safest
place to download their application.

No person of sound mind would download files from a hack site that
requires a password to access the unknown files when they are available
directly from the vendors.

Always remember - only download files from Trusted Sites.

The following links will take you to vendors sites for Spy Ware / Ad
ware removal tools and also for Antivirus tools. After you install any
of these applications and update them, run them in SAFE MODE to allow
them to properly clean your system.

These sites are for downloading Anti-Malware and Anti-Spyware tools, in
order that I would use them myself:

Dave Lipman's tools:
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

Secured2K's AntiPauper (download link/info at)
http://forums.mcafeehelp.com/viewtopic.php?t=65072

AdAwareSE can be found here:
http://www.lavasoft.de/support/download/

SpyBot Search and Destroy can be found here:
http://www.safer-networking.org/en/download/index.html

HiJack can be found here:
http://www.spywareinfo.com/~merijn/downloads.html

Ewido Security Suite Trial can be found here:
http://www.ewido.net/en/download/

CrapCleaner can be found at the vendors site here:
http://www.ccleaner.com/ccdownload.asp

CleanUp can be found at the vendors site here:
http://www.stevengould.org/software/cleanup/download.html
or from another reputable source:
http://www.tucows.com/get/405276_152071

The following are two links to Antivirus software in order that I would
use them:

You can also download Symantec Trial version of their Antivirus software
from here:
http://www.symantec.com/downloads/

Download AVG Personal Free edition from here:
http://free.grisoft.com/freeweb.php/doc/2/

These are the actual vendors sites, not some unknown or authorized no-
name site. They also don't artificially increase the hits for sites that
get paid for the amount of traffic they can generate like one poster has
admitted to in this group.
 
David said:
From: "H.Pol Sixe" <[email protected]>

| No, didn't work. browsela.dll still stays in C:\windows\system32. Kapersky
| scanlog found: c:\WINDOWS\SYSTEM32\BROWSELA.DLL packed: UPX
| c:\WINDOWS\SYSTEM32\BROWSELA.DLL infected: Trojan-Downloader.Win32.Delf.aeo
|

<snip>

Hi!

Alternatively, if it is just that file you want to delete, you can use
the pocket killbox:
http://www.bleepingcomputer.com/files/killbox.php

Just download it and select the radio button delete on reboot, after
you have entered "c:\WINDOWS\SYSTEM32\BROWSELA.DLL" in the field "full
path to file to be delete."
It will then ask if you wish to add more files and if you click "no" it
should ask if you would like to reboot now - click "yes."

You should still use Mr Lipman's exe though, to make sure nothing else
is left on the loose on your machine.

brgds,

Johannes
 
pcbutts1 - 18.01.2006 03:50 :

you seem really unlearnable always putting all the quoting lines in your
SIG because placing them after your SIG-delimiter. *GRRR* Please learn
to quote. THX.
 
pcbutts1 - 18.01.2006 17:32 :
You seem really hard headed in trying to make me to do something that I will
not do so get lost.

you are the only one I know practicing this strange SIG/quote-behavior.
Are you proud about that? Please give me some true arguments for your
behavior. THX in advance. I'm realy learnable if I'm convinced of realy
good arguments. So I learn every day.
 
In microsoft.public.security.virus H.Pol Sixe said:
A lot of people have had this problem and some seem to have success, but;
I've tried Trend Sysclean and Online, Killbox, HijackThis, Microsoft Anti
Spyware, Mcafee Command Line Scanner (seemed to find and clear the most
objects), Ad-aware (froze up until Mcafee cleanup) in regular, safe mode,
cmd mode, with and without system restore - they all recognize it, look
like something is happening, but every boot up it's back, and re-installs
alt.exe, some of the time. Opens up some TCP connection to someone in Hong
Kong, I think, unless there's something else doing that. How does the bloody
thing stay in there? Is there another seed file *.dll that has to be
deleted I'm missing/leaving? Anyone know anymore tricks?

Look at the file attributes and make it read only and archived if those
are not checked. Having a clean registry backup to replace after a drive
by install also helps, most of this garbage will not function without being
in the registry.
 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I'm realy learnable if I'm convinced of realy good arguments.
So I learn every day.

Today you have learned how to spell "really". R-E-A-L-L-Y.

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBQ87b2KRseRzHUwOaEQJbDgCdGIEvyUqkqIDE6H4fWm1FNqOl91AAnRwW
22mSvzSo1XK11/BuNZZgFCV1
=xbG9
-----END PGP SIGNATURE-----

--
Laura Fredericks
4Q's "wicked evil bitch of satire, parody, humor and trollism"

PGP key ID - DH/DSS 2048/1024: 0xC753039A

alt.comp.virus photo gallery:
http://www.queenofcyberspace.com/acvgallery/

usenet flamewars:
http://www.queenofcyberspace.com/usenet/

Remove CLOTHES to reply.
 
I have created a tool that will replace your infected browsela.dll file.
You will need 1 blank floppy disk. Download the tool from the link below.
Run the file and it will copy the necessary files to the floppy disk. Once
created put that floppy in the infected computer and reboot it (Note: the
computer must be set to allow booting from the floppy) Follow the prompts
and agree to the license agreement. At the A: prompt type "browsdll"
without the quotes and press enter. If successful it will tell you. Reboot.
If not then let me know.

If your root drive is C:\windows then click here
http://216.122.228.48/downloads/dllfix.exe

Now PCButts, if you are reading this, this must be "Leythos" impersonating
you - right?
Because this is such arsehole advice from the point of security, it can't be
the genuine PCButts - right?
I assume that you will condemn this imposter impersonating you - right?

I mean after all,

1. Who would advise downloading some EXE from an unknown IP4 address (granted
you can do an IP lookup)?
2. Who would advise downloading some created EXE without either seeing the
source code to dllfix.exe or knowing anything about the programmer who
created it (like whether they can be trusted)? In the recent WMF bug, the
unofficial patch by Ilfak Guilfanov could not only be downloaded but also
the source code viewed. That is the reason why Security companies sanctioned
it - everybody could see what it would do and why it worked. And Ilfak
Guilfanov has credibility as a programmer.
3. Would the real PCButts advise downloading an unknown EXE without checking
to see if it is a trojan or worse?

Stephen Howe
 
No, Killbox doesn't work, believe me I've tried. I get the
"PendingFileRenameOperations Registry Data has been Removed by External
Process!" or it hangs up "not responding".


HPol Sixe.
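
The Killbox message quoted above refers to the registry value in which Windows queues delete-on-reboot requests (PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager). The following Python is an added example, not part of the original post or of Killbox: it decodes the raw REG_MULTI_SZ bytes of that value and reports queued deletions that are gone in a later snapshot. The function names and both sample snapshots are constructed for illustration, and the layout assumed is pairs of NUL-terminated UTF-16LE strings where an empty second string means "delete".

```python
# Added example: decode a raw PendingFileRenameOperations value and report
# queued deletions that disappeared between two snapshots of it.
NT_PREFIX = "\\??\\"          # object-manager prefix stored in front of paths

def _clean(path):
    """Drop a leading '!' (replace-existing marker) and the NT path prefix."""
    if path.startswith("!"):
        path = path[1:]
    if path.startswith(NT_PREFIX):
        path = path[len(NT_PREFIX):]
    return path

def parse_pending(raw):
    """Return [(action, source, target)] from REG_MULTI_SZ bytes."""
    items = raw.decode("utf-16-le").split("\x00")
    if items and items[-1] == "":
        items.pop()           # artefact of splitting after the last NUL
    ops, i = [], 0
    while i < len(items):
        src = items[i]
        if src == "":         # empty source = list terminator
            break
        dst = items[i + 1] if i + 1 < len(items) else ""
        if dst == "":         # empty target = delete at next boot
            ops.append(("delete", _clean(src), None))
        else:
            ops.append(("rename", _clean(src), _clean(dst)))
        i += 2
    return ops

def dropped_deletes(before, after):
    """Deletions queued in `before` that are no longer queued in `after`."""
    still = {s.lower() for a, s, _ in parse_pending(after) if a == "delete"}
    return [s for a, s, _ in parse_pending(before)
            if a == "delete" and s.lower() not in still]

def _multi_sz(*strings):
    """Build constructed sample data: NUL-terminated strings plus terminator."""
    return ("".join(s + "\x00" for s in strings) + "\x00").encode("utf-16-le")

# Constructed snapshots (not captured from the machine in this thread).
BEFORE = _multi_sz(r"\??\c:\WINDOWS\SYSTEM32\BROWSELA.DLL", "",
                   r"\??\C:\Temp\new.dat", r"!\??\C:\Temp\old.dat")
AFTER = _multi_sz(r"\??\C:\Temp\new.dat", r"!\??\C:\Temp\old.dat")

if __name__ == "__main__":
    for op in parse_pending(BEFORE):
        print(op)
    print("no longer queued:", dropped_deletes(BEFORE, AFTER))
```

A deletion that shows up in `dropped_deletes` before any reboot has happened means something rewrote the queue after the removal tool scheduled the delete, which is the condition the Killbox message describes.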
 
The smitfraud.exe / clean.bat, clean link caused a bsod-type crash,
completely blue freezeup, or actually the windows explorer default
background with no icons or bars. I had tried this before using a
smitfraud of 540,298 bytes. The crash smitfraud has a file size 544,757.
So trying again with the 540298 smitfraud and virus data file v4677.

18/2006 20:54:22


Options:
/ADL /UNZIP /WINMEM /SUB /ANALYZE /PANALYZE /STREAMS /CLEAN /ALL /DEL
/PROGRAM /EXCLUDE C:\MCAFEE\EXCLIST.TXT /HTML "C:\MCAFEE\SCANREPORT.HTML"

Scanning C: []
Scanning C:\*.*

C:\RECYCLER\S-1-5-21-1741611705-2970191163-354049824-1005\Dc2266.exe ...
Found the Generic AdClicker.c trojan !!!
The file or process has been deleted.
C:\RECYCLER\S-1-5-21-1741611705-2970191163-354049824-1005\Dc2267.exe ...
Found the Generic AdClicker.c trojan !!!
The file or process has been deleted.
C:\RECYCLER\S-1-5-21-1741611705-2970191163-354049824-1005\Dc2270.exe ...
Found the Generic AdClicker.c trojan !!!
The file or process has been deleted.
C:\WINDOWS\adsldpbf.dll\adsldpbf.dll ... Found the Downloader-ASC trojan !!!
The file or process has been deleted.
C:\WINDOWS\alt.exe ... Found the Generic AdClicker.c trojan !!!
The file or process has been deleted.
C:\WINDOWS\SYSTEM32\browsela.dll ... Found the Generic Downloader.c trojan
!!!

A file(s) requires a reboot to complete the repair.
You are recommended to reboot the computer.

Summary report on C:\*.*
File(s)
Total files: ........... 225404
Clean: ................. 225333
Possibly Infected: ..... 6
Cleaned: ............... 0
Deleted: ............... 5
Non-critical Error(s): 2
Master Boot Record(s): ......... 1
Possibly Infected: ..... 0
Boot Sector(s): ................ 1
Possibly Infected: ..... 0


So I will try a reboot and safe clean also.

HPol Sixe

Time: 00:55.30
 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Laura Fredericks - 19.01.2006 01:23 :
Today you have learned how to spell "really". R-E-A-L-L-Y.

yes, thanks. *I* now really have learned that. Sorry for
misspelling(?) but English is not my first language. But *I* 'm
really learnable.

But to make it clear: my intention is not such pedantic right
spelling but give arguments for an essential usenet behavior in
general like right quoting behavior for example. You understand the
difference?

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBQ89EKH2zix0ook3GEQIS5ACdHpQvV8nXyOVFIM7eHefnbB7WBeAAn0iI
vYdP9FHgbaKaupdTQcdzzsSU
=R+F4
-----END PGP SIGNATURE-----
 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Laura Fredericks - 19.01.2006 01:23 :

yes, thanks. *I* now really have learned that. Sorry for
misspelling(?) but English is not my first language.

Really?!

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBQ8+IQaRseRzHUwOaEQJItACcCyjxtnK2Gkup3ztCFpMJ+Fw/fa8Anj8d
tX+/dUYeS5c9P/3NDdhCtdUl
=Z0HR
-----END PGP SIGNATURE-----

--
Laura Fredericks
4Q's "wicked evil bitch of satire, parody, humor and trollism"

PGP key ID - DH/DSS 2048/1024: 0xC753039A

alt.comp.virus photo gallery:
http://www.queenofcyberspace.com/acvgallery/

usenet flamewars:
http://www.queenofcyberspace.com/usenet/

Remove CLOTHES to reply.
 
Peter Seiler wrote:
[snip]
But to make it clear: my intention is not such pedantic right
spelling but give arguments for an essential usenet behavior in
general like right quoting behavior for example. You understand the
difference?

well, in that case here's my argument for not pgp clearsigning your
usenet posts:

1) for the vast majority of the time, nobody will be impersonating you...
2) when someone is impersonating you, the people who care enough to
check will look at the headers first and figure out that way that it
isn't you...
3) nobody bothers checking pgp signatures on newsgroup posts...
4) anyone can attach a fake pgp signature to a newsgroup post when
they're impersonating you...
5) pgp headers and signatures take up bandwidth and are not pretty to
look at in general...
 
kurt wismer - 19.01.2006 13:47 :
well, in that case here's my argument for not pgp clearsigning your
usenet posts:

1) for the vast majority of the time, nobody will be impersonating you...
2) when someone is impersonating you, the people who care enough to
check will look at the headers first and figure out that way that it
isn't you...
3) nobody bothers checking pgp signatures on newsgroup posts...
4) anyone can attach a fake pgp signature to a newsgroup post when
they're impersonating you...
5) pgp headers and signatures take up bandwidth and are not pretty to
look at in general...

Kurt, full d'accord with you! As a "regular" here you could know that
I'm not a friend of PGPing in NGs. Contrary, prior I spoke against this
behavior usually practiced by Laura Fredericks.

Example:

-----begin-----

Laura Fredericks
Jul 24 2004, 9:52 am
Newsgroups: alt.comp.anti-virus
From: Laura Fredericks <[email protected]>
Date: Sat, 24 Jul 2004 13:52:32 GMT
Local: Sat, Jul 24 2004 9:52 am
Subject: Re: Good by

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

If everyone would practise your pure private, flamy,
chatorientated, unnecessarely PGP-overloaded, OT,
crossspreaded unsocial behavior the Usenet/Newsgroup idea will
suffocate more and more under your and others meaningless
rubbish of immature ignorants.

I'll live with it.

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1
Comment: MY PUBLIC KEY www.queenofcyberspace.com/laura_fredericks.asc

iQA/AwUBQQJpaKRseRzHUwOaEQJtlwCeKXQPslJ8NUdJOceivalgwefPaYAAoP+q
J/ak3Hq/hFDFT3Bis2M5JKmD
=1/2E
-----END PGP SIGNATURE-----

--
Laura Fredericks
PGP key ID - DH/DSS 2048/1024: 0xC753039A

-----end-----

I normally never PGPing in NGs. So my PGPing was only meant more
sarcastic as a negative example. Sorry, should have made this more
clear. Again: I fully agree with you. Hopefully even Laura Fredericks as
a generally PGP posting person read your thoughts. Thanks for your 5
assisting arguments above.
 
sorry, because of Laura Fredericks SIG delimiter within my begin/end
quotation of an earlier post the last paragraph of my posting
unfortunately was placed as SIG.
 