Full Version: Trj/Briss.A removal problems!! :(
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
English_brit
I had a suspicion that I might have acquired a trojan due to excessive lagging when running on msn's zone to play games.

I ran a fully updated Mcafee scan with no result. As I wasn't convinced that my system was clean I used the Panda scan that was recommended in one of the articles on this site.

The Panda scan found the following trojan on my system:

Virus: Trj/Briss.A

Location: C:\Windows\Downloaded Program Files\jao.dll

but was unable to remove it. :(

I ran a scan using the Trend Micro online scan and ran it just on the DPF's folder but strangely it didn't find the trojan unlike Panda.

I'm at a bit of a loss as to what to do now to remove it.

Here's my Hijack This log.

Logfile of HijackThis v1.97.7
Scan saved at 07:34:35, on 27/05/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\CSAFE\AUTOCHK.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\RNATHCHK.EXE
C:\MY DOCUMENTS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.evertonfc.com/
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\78c8m9zb.slt\prefs.js)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ConfigSafe] C:\CSAFE\AUTOCHK.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
O4 - Startup: E-Color.lnk = C:\Program Files\E-Color\Registration\SonnReg.exe
O4 - Startup: 3Deep.lnk = C:\Program Files\E-Color\3Deep\3Deepctl.exe
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033...all/xscan53.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

Thanks for any help!! :)
FatsGordon
Hi!

I can't see anything suspicious there. Maybe it was deleted?
Hunter
It could be all gone.. but here is some background


super hidden bridge.dll and jao.dll

http://www.computercops.biz/postt32527.html

and

VSantivirus No. 1401, Year 8, Friday 7 May 2004

Troj/Briss.A. Installed by the "BlazeFind" search tool
http://www.vsantivirus.com/troj-briss-a.htm

Name: Troj/Briss.A
Type: Trojan horse (Spyware)
Alias: Briss, Win32/Spy.Briss.H, Briss.A, TrojanSpy.Win32.Briss, TrojanSpy.Win32.Briss.H, Trj/Briss.A, Keylog-Briss
Variants: Troj/Briss.B, Troj/Briss.C, Troj/Briss.D, Troj/Briss.E, Troj/Briss.F, Troj/Briss.G, Troj/Briss.H
Date: 28/Apr/04
Platform: Windows 32-bit

Briss is spyware created by BlazeFind, a web page search engine. It is usually installed without any warning or notification, and then redirects every search the user makes.

The main component of this trojan integrates into Internet Explorer as a BHO (Browser Helper Object). A BHO is a DLL that attaches itself to each new instance of Explorer and can run predetermined events. In this case, it creates a search bar in the Internet Explorer interface.

The trojan updates itself automatically, sending information about the user, hard disks and operating system to its creators.

The main file is an installer which, without any warning, creates the following files:
c:\windows\system\a.exe
c:\windows\system\bridge.dll
c:\windows\system\jao.dll

NOTE: "c:\windows\system" can vary according to the installed operating system (that name by default in Windows 9x and ME, "c:\winnt\system32" in Windows NT and 2000, and "c:\windows\system32" in Windows XP and Windows Server 2003).


****************


Briss.A
Threat Level: Moderate
Distribution: Medium
Damage: Low

The Threat Level varies according to the Distribution and Damage levels


Effects

Briss.A has the following effects:

It goes memory resident.
It installs other malware in the affected computer, every 24 hours, without user's consent. In order to do so, Briss.A uses a list of programs taken out from the web site www2.flingstone.com.
Some of the malware installed are: Adware/180Solutions, Trj/Revop.F, Adware/Searchcentrix, etc.
It has other functionalities, such as detecting if certain combinations of keys are pushed.

Infection strategy

Briss.A creates the following files in the Windows system directory:

A.EXE.
BRIDGE.DLL and JAO.DLL. These files are DLLs (Dynamic Link Libraries).
Briss.A creates the following entries in the Windows Registry:

HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ Run
RunDLL = rundll32.exe %sysdir%\ bridge.dll, Load
HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ Run
Systray = %sysdir%\ a.exe
where %sysdir% is the Windows system directory
By creating these entries, Briss.A ensures it is run whenever Windows is started.
HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ Explorer\ Browser Helper Objects\{9C691A33-7DDA-4C2F-BE4C-C176083F35CF}
HKEY_CLASSES_ROOT\ Bridge.brdg
Briss.A registers the Browser Helper Object (an Internet Explorer toolbar) BRIDGE.DLL in these entries.


Means of transmission

Briss.A does not spread automatically using its own means. It needs the attacking user's intervention in order to reach the affected computer. The means of transmission used include, among others, floppy disks, CD-ROMs, e-mail messages with attached files, Internet downloads, FTP, IRC channels, peer-to-peer (P2P) file sharing networks, etc.

Panda can clean it if you set Panda to clean it
http://www.pandasoftware.com/virus_info/en...l&idvirus=46978

The trojan creates the following entries so that it runs each time Windows starts:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
RunDLL = rundll32.exe c:\windows\system\bridge.dll, Load
Systray = c:\windows\system\a.exe

HKLM\SOFTWARE\Classes\CLSID
\{9c691a33-7dda-4c2f-be4c-c176083f35cf}

HKLM\SOFTWARE\Microsoft\Windows
\CurrentVersion\Explorer\Browser Helper Objects
\{9c691a33-7dda-4c2f-be4c-c176083f35cf}

HKEY_CLASSES_ROOT\Bridge.brdg

This loads BRIDGE.DLL into memory in every Windows session.

The spyware connects to the site "www2.flingstone.com" to report the collected data and to download and install updates of itself.


Automatic uninstall procedure:

Select "Flingstone Bridge" in the Control Panel's "Add or Remove Programs" and click "Remove".


Manual repair

Note: we recommend using a firewall program such as ZoneAlarm, which will block and report the connection of this and any other trojan to the Internet, as well as any attempt to access our system.

ZoneAlarm (free for personal use), besides being an excellent firewall, also prevents the execution of any attachment that might carry a virus (with no need to update it for each new virus version).

More information:

How to configure Zone Alarm 3.x
http://www.vsantivirus.com/za.htm


Antivirus

1. Update your antivirus with the latest definitions
2. Run it in scan mode, checking all your disks
3. Delete the files detected as infected


Manually deleting the files added by the virus

From Windows Explorer, locate and delete the following files:

c:\windows\system\a.exe
c:\windows\system\bridge.dll
c:\windows\system\jao.dll

Right-click the "Recycle Bin" icon on the desktop and select "Empty Recycle Bin".


Editing the registry

Note: some of the registry branches mentioned here may not be present, depending on which version of Windows is installed.

1. Run the registry editor: Start, Run, type REGEDIT and press ENTER

2. In the left pane of the editor, click the "+" sign until you open the following branch:

HKEY_LOCAL_MACHINE
\SOFTWARE
\Microsoft
\Windows
\CurrentVersion
\Run

3. Click the "Run" folder and, in the right pane under the "Name" column, find and delete the following entries:

RunDLL
Systray

NOTE: do not confuse "Systray" (delete it) with "SystemTray" (DO NOT DELETE IT; it is a legitimate Windows entry).

4. In the left pane of the editor, click the "+" sign until you open the following branch:

HKEY_LOCAL_MACHINE
\SOFTWARE
\Classes
\CLSID
\{9c691a33-7dda-4c2f-be4c-c176083f35cf}

5. Click the "{9c691a33-7dda-4c2f-be4c-c176083f35cf}" folder and delete it.

6. In the left pane of the editor, click the "+" sign until you open the following branch:

HKEY_LOCAL_MACHINE
\SOFTWARE
\Microsoft
\Windows
\CurrentVersion
\Explorer
\Browser Helper Objects
\{9c691a33-7dda-4c2f-be4c-c176083f35cf}

7. Click the "{9c691a33-7dda-4c2f-be4c-c176083f35cf}" folder and delete it.

8. In the left pane of the editor, click the "+" sign until you open the following branch:

HKEY_CLASSES_ROOT\Bridge.brdg

9. Click the "Bridge.brdg" folder and delete it.

10. Use "Registry", "Exit" to close the editor and confirm the changes.

11. Restart your computer (Start, Shut Down, Restart).


Procedure to restore the home page and search page in Internet Explorer


Flingstone Bridge description:
Opens pop-up windows and tries to download files from flingstone.com.

Flingstone Bridge properties:

• Shows commercial adverts
• Hides from the user
• Stays resident in background
Hunter
But my best guess is as follows..


do you see all these scans you have made at different sites?


O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033...all/xscan53.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab


Well, each one of them can put removal signatures for trojans, worms, etc. in your Downloaded Program Files... and it is not uncommon for one scanner to think the signature of the others has an active component and then call it the actual trojan.



I think that might have happened in your case and it is a false positive.
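The Briss.A writeup quoted above names its persistence points (the RunDLL and Systray values under the Run key, the BHO CLSID, and the a.exe/bridge.dll/jao.dll files), and Hunter's post points out that the O16 entries for Panda, HouseCall and RAV are the online scanners' own ActiveX controls, not an infection. The following Python script is an added example (not from the thread, not part of HijackThis or any vendor tool) that reads a HijackThis log, flags lines matching those Briss indicators while leaving the legitimate "SystemTray" value alone, records BHO DLLs that are registered but marked "(file missing)", and lists the known scanner controls separately so they are not mistaken for the trojan. The scanner CLSIDs are the ones that appear in the logs posted in this thread; the sample log is constructed from lines patterned on those logs.

```python
"""Triage a HijackThis log for the Briss / Flingstone Bridge indicators quoted in
this thread, and separate out O16 entries that are only online-scanner ActiveX
controls.  Added example; not part of the thread or of HijackThis."""
import re
from dataclasses import dataclass, field

# Indicators copied from the Briss.A writeup quoted in the thread.
BRISS_CLSID = "{9C691A33-7DDA-4C2F-BE4C-C176083F35CF}"
BRISS_FILES = {"a.exe", "bridge.dll", "jao.dll"}
BRISS_RUN_NAMES = {"rundll", "systray"}   # "SystemTray" is legitimate; exact match only

# Online-scanner ActiveX controls seen in the thread's logs, keyed by CLSID.
SCANNER_DPF = {
    "{9A9307A0-7DA4-4DAF-B042-5009F29E09E1}": "Panda ActiveScan",
    "{74D05D43-3236-11D4-BDCD-00C04F9A3B61}": "Trend Micro HouseCall",
    "{A3009861-330C-4E10-822B-39D16EC8829D}": "RAV Online",
}

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<desc>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]{36}\}) \((?P<desc>[^)]*)\) - (?P<url>.*)$")


@dataclass
class Triage:
    briss: list = field(default_factory=list)             # log lines matching Briss indicators
    missing_files: list = field(default_factory=list)     # BHO DLLs registered but absent on disk
    scanner_controls: list = field(default_factory=list)  # (CLSID, vendor) of scanner DPF entries


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _file_tokens(cmd: str) -> set:
    """Lower-case basenames of every .exe/.dll token in a Run command line."""
    return {_basename(tok) for tok in re.split(r'[\s",]+', cmd)
            if tok.lower().endswith((".exe", ".dll"))}


def triage_log(text: str) -> Triage:
    t = Triage()
    for raw in text.splitlines():
        line = raw.strip()
        if m := O4_RE.match(line):
            # Exact value-name match keeps "Systray" (malicious) apart from "SystemTray".
            if m["name"].lower() in BRISS_RUN_NAMES or _file_tokens(m["cmd"]) & BRISS_FILES:
                t.briss.append(line)
        elif m := O2_RE.match(line):
            path = m["path"]
            missing = path.endswith("(file missing)")
            if missing:
                path = path[: -len("(file missing)")].strip()
            base = _basename(path)
            if missing:
                t.missing_files.append(base)
            if m["clsid"].upper() == BRISS_CLSID or base in BRISS_FILES:
                t.briss.append(line)
        elif m := O16_RE.match(line):
            vendor = SCANNER_DPF.get(m["clsid"].upper())
            if vendor:
                t.scanner_controls.append((m["clsid"].upper(), vendor))
    return t


# Constructed sample: lines patterned on the two HijackThis logs posted in the thread.
SAMPLE_LOG = r"""
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINNT\System32\bridge.dll (file missing)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINNT\System32\bridge.dll",Load
O4 - HKLM\..\Run: [Systray] C:\WINNT\System32\a.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033...all/xscan53.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
"""

if __name__ == "__main__":
    result = triage_log(SAMPLE_LOG)
    print("Briss indicators:")
    for entry in result.briss:
        print("  ", entry)
    print("BHO DLLs missing on disk:", result.missing_files)
    print("Scanner ActiveX controls (not infections):", result.scanner_controls)
```

On the sample, the three Briss lines (the orphaned BHO, the RunDLL value loading bridge.dll, and the Systray value pointing at a.exe) are reported, the legitimate SystemTray value is not, bridge.dll is listed as registered-but-missing, and the Panda and HouseCall O16 entries are reported as scanner controls rather than as malware.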
FatsGordon
:thumb:
DCCAbbage
Alrighty, I am a complete comp newb.

I have found out that I have the troj/briss.h

I am also having trouble getting rid of it. Mine seems to be stuck in a Hijackthis back-up that I have deleted, but it still shows up.

Here is my log:
Logfile of HijackThis v1.97.7
Scan saved at 1:36:55 AM, on 6/5/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\SK9910DM.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINNT\System32\devldr32.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\WINNT\System32\PackethSvc.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\Program Files\Common files\WinTools\WSup.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\Program Files\America Online 8.0\aol.exe
C:\Program Files\America Online 8.0\waol.exe
C:\Program Files\America Online 8.0\aolwbspd.exe
C:\WINNT\explorer.exe
C:\Documents and Settings\JoAnn Arndt\Local Settings\Temp\Temporary Directory 16 for hijackthis.zip\HijackThis.exe
C:\WINNT\system32\rundll32.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=40
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=40
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=40
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINNT\2_0_1browserhelper2.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINNT\System32\bridge.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINNT\System32\bridge.dll",Load
O4 - HKLM\..\Run: [msbb] c:\docume~1\joanna~1\locals~1\temp\msbb.exe
O4 - HKLM\..\Run: [wtalox] C:\WINNT\wtalox.exe
O4 - HKCU\..\Run: [MoneyStartUp] C:\Program Files\Microsoft Money\System\Money Startup.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Add A Page Note - C:\Program Files\CommonName\Toolbar\createnote.htm
O8 - Extra context menu item: Bookmark This Page - C:\Program Files\CommonName\Toolbar\createbookmark.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Email This Link - C:\Program Files\CommonName\Toolbar\emaillink.htm
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Search using CommonName - C:\Program Files\CommonName\Toolbar\navigate.htm
O9 - Extra button: Define (HKLM)
O9 - Extra 'Tools' menuitem: Define (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O11 - Options group: [CommonName] CommonName
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {29C13B62-B9F7-4CD3-8CEF-0A58A1A99441} (MSN Chat Control 4.1) - http://fdl.msn.com/public/chat/msnchat41.cab
O16 - DPF: {3CC943C7-3C99-11D4-8135-0050041A5144} (RunExeActiveX.UserControl1) - file://C:\Program Files\Gateway\HelpSpot\RunExeActiveX.CAB
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2e52972...all/xscan53.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - file://C:\Program Files\Gateway\HelpSpot\StartFirstControl.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7562.9663773148
O17 - HKLM\System\CCS\Services\Tcpip\..\{6DECD601-9CD1-46EA-A312-7BCDEED52F9F}: NameServer = 198.81.17.134

I have run the trend micro virus scan and gotten rid of all that I can.
I have deleted the suspicious programs I was sure of.

Here are the ones I am unsure of:
b3d projector
Bridge
CommonNameToolBar 3.1
Error Search Assistant Reset
Search Assistant reset
Search Button Reset
Web Contextual Reset


I would appreciate any and all help you guys could give me.
CalamityJane
That last list is in your Add/Remove programs? All of it is spyware/adware (I'm not sure what that first one or the last one is) but all of these you can remove from there:

Bridge
CommonNameToolBar 3.1
Error Search Assistant Reset
Search Assistant reset
Search Button Reset

And also include Wintools if you see it in there.

What you need FIRST (!) is all the critical Windows security updates - I don't see even Service Pack 1 installed for your Windows XP or for Internet Explorer. A lot of the malware can stealth-install on you using exploits in unpatched browsers and operating systems. So the odds of your getting reinfected right away again are very high until you get patched.

Go here to scan for what you need and get all the critical security updates recommended.

http://v4.windowsupdate.microsoft.com/en/default.asp

Next, you need some good Antispyware Scanners and we know two that are top notch (and FREE!). So let's do some precleaning with these.

You can keep these on board as well for recommended weekly updating and scanning to keep your PC clean

Updating them first is very important - please do not skip that step.

Download Adaware (get the free edition)
http://www.lavasoft.de/software/adaware/
(choose download from the lefthand menu)

Go to: Select Full Install and choose the download location of your choice (1.7mb)
Choose Download from
http://fileforum.betanews.com/detail.php3?fid=965718306 <--(I found FileForum easiest)

Be sure to UPDATE BEFORE SCANNING FIRST!! That is a very important step and I have included easy directions.

After download and installing first, please update the program. Just open Adaware and click on *Check for Updates Now* and then *Connect*. It will find a new reference-file. Click *ok* and let it download and install the updates by clicking on *Finish* .This will return you to the main screen. You should now see Reference File # 01R314 02.06.2004 or higher listed.

Next, go to Settings (the gear icon at the top) and then *Scanning* and checkmark these items so they will be green:

Scan within archives
Scan my IE Favorites for banned URLS
Scan my hosts file

Then click *proceed* to save settings.

Click on *Tweak* next. And checkmark to make this green also:

Automatically try to unregister objects prior to deletion

Click on *proceed*

Next, from the main screen, click on *Start* (lower righthand corner) and put a dot in the box next to *use Custom scanning options*, then click *Next* to start your scan.

Checkmark any items found after scanning to remove (this will actually put them in quarantine and can recover from backup if any should not be removed).

Reboot your PC after cleaning with Adaware and scan again. Repeat the process until no further items are found as bad.
.......................................................
Next
Download Spybot Search and Destroy
http://www.safer-networking.org/

How to Use Spybot
(click on the Tutorial link at the top in the program)

How to Update Spybot

Click on *Search for updates*. It will find and list the updates available; please make sure all are checkmarked. Choose the best download location for you at the top (middle icon button): there is a little arrow - click that and you will get a dropdown menu of locations for Europe or US. Click on the one best for you, and then *Download Updates* (right icon). When they are done you should see a green checkmark beside each update in the list.

Next, close all Internet Explorer windows, Click on *Search and Destroy* in the far left menu and then *Check for Problems*. This will start a scan of your system.

Have SpyBot remove/fix all it finds that are in RED
............................
Now, please reboot once more. Scan again with HijackThis and post a fresh log back here to see what remains.
DCCAbbage
Alrighty so...

I got the major windows update, and I ran search and destroy and Ad-Aware.

Before I post my log, Norton has three files in quarantine. They can't be repaired and I want to know if I can just delete them. They are:

a.class
VerifierBug.class
WebCounter.class

Here is my fresh log

Logfile of HijackThis v1.97.7
Scan saved at 1:46:10 AM, on 6/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\SK9910DM.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINNT\System32\devldr32.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINNT\System32\ctfmon.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINNT\System32\PackethSvc.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\America Online 8.0\aol.exe
C:\Program Files\America Online 8.0\waol.exe
C:\Program Files\America Online 8.0\aolwbspd.exe
C:\Documents and Settings\JoAnn Arndt\Local Settings\Temp\Temporary Directory 18 for hijackthis.zip\HijackThis.exe
C:\Program Files\Common Files\Symantec Shared\NMain.exe
C:\Program Files\Norton AntiVirus\QConsole.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MoneyStartUp] C:\Program Files\Microsoft Money\System\Money Startup.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define (HKLM)
O9 - Extra 'Tools' menuitem: Define (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {29C13B62-B9F7-4CD3-8CEF-0A58A1A99441} (MSN Chat Control 4.1) - http://fdl.msn.com/public/chat/msnchat41.cab
O16 - DPF: {3CC943C7-3C99-11D4-8135-0050041A5144} (RunExeActiveX.UserControl1) - file://C:\Program Files\Gateway\HelpSpot\RunExeActiveX.CAB
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2e52972...all/xscan53.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - file://C:\Program Files\Gateway\HelpSpot\StartFirstControl.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7562.9663773148
O17 - HKLM\System\CCS\Services\Tcpip\..\{6DECD601-9CD1-46EA-A312-7BCDEED52F9F}: NameServer = 198.81.16.134

Thanks a bunch for helping me and not ridiculing me for not being 100% tech savvy.
CalamityJane
QUOTE (DCCAbbage @ Jun 7 2004, 04:47 AM)
Before I post my log, Norton has three files in quarantine. They can't be repaired and I want to know if I can just delete them. They are:

Yes, you can delete them :)


QUOTE
Thanks a bunch for helping me and not ridiculing me for not being 100% tech savy.
No one on this board would ridicule anyone seeking help. You don't have to fear that here because we don't allow it.

I'll be back with an answer on your log just as soon as I have a few minutes to analyze it.
CalamityJane
Good news

That log looks clean :thumb:

So after you delete those files in Norton quarantine, and now that your PC is clean, make sure all programs are running properly and then you'll need to reset your restore point in Windows XP.......why?

One of the best features of Windows ME or XP is the System Restore option, however if a malware infects a computer with this operating system it can be backed up in the System Restore folder. Therefore, clearing the restore points is necessary after malware removal.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(winXP)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

How to Turn On and Turn Off System Restore in Windows XP
http://support.microsoft.com/default.aspx?...kb;en-us;310405

Next, we highly recommend you get some extra protection to prevent future infections. Here are some things you can do and some free programs to help :).

How to Stop Hijackers & Spyware Infections, And other malware too!
http://forum.gladiator-antivirus.com/index...?showtopic=9857

Get the free tool, Microsoft Baseline Security Analyzer (MBSA) to analyze your PC security for prevention purposes.

MBSA Version 1.2 will scan for common system misconfigurations on Windows 2000, Windows XP, and Windows Server 2003 systems. This program will identify the system security weaknesses in your browser and operating system and provides easy instructions to correct them. This includes any missing critical Windows security updates, system vulnerabilities and your IE Browser security settings. Get the download here:
Microsoft Baseline Security Analyzer
http://www.microsoft.com/technet/security/...s/mbsahome.mspx

And I hope all that is a help to you

P.S. Just an aside note. If you upgrade to AOL 9.0, they now have free spyware protection too :)
Rassi
:( Can anyone help me? I've been helping my Aunt remove some viruses that she got. I was able to remove all the viruses except for Troj.Briss.h until this morning. I found some help with removing the virus, but now we have problems!!!

This is what I was told to do:

go to start>run>regedit>HKEY_LOCAL_MACHINE>software>classes>CLSID>
THEN DELETE (9c691a33-7dda-4c2f-be4c-c176083f35cf).
also go to:
HKEY_CLASSES_ROOT\bridge.brdg

I did this and then tried to restart the computer.
It started to re-boot and then the windows XP screen came up and stopped. We can't get to anything now!! Will I have to re-install everything in her computer?
If anyone can help it would be greatly appreciated!!
thanks,
Rassi :unsure:
Hunter
QUOTE
It started to re-boot and then the windows XP screen came up and stopped


Does it then display any error messages ?

Can you boot up the computer in the SAFE Mode ?

see here to get into the Safe mode with the F8 method if you can not do it in windows mode.

http://service1.symantec.com/SUPPORT/tsgen...ExpandSection=4
Rassi
;) Hunter thanks for the info, but I ended up removing her start-up page, not sure how I did that, but we fixed it and got rid of the virus too!
thanks,
Rassi