Need help to get rid of Trojan horse PSW.Briss.E

Hello,

I've had this PSW.Briss.E virus that AVG cannot delete, anyone can help? Thanks in advance

I've run HijackThis:


Logfile of HijackThis v1.97.7
Scan saved at 15:52:05, on 20/05/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\kdx\KHost.exe
C:\WINDOWS\BQTray.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\CD-Writer Plus\E-Reg\REMIND32.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Real\RealOne Player\RealPlay.exe
C:\Program Files\Fichiers communs\Real\Update_OB\rnathchk.exe
C:\DOCUME~1\THOMAS~1\LOCALS~1\Temp\msbb.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Grisoft\AVG6\avgw.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\thomas van ryn\Local Settings\Temporary Internet Files\Content.IE5\6H3O5WJM\HijackThis[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\System32\bridge.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\CD-Writer Plus\DirectCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [BurnQuick Queue] C:\WINDOWS\BQTray.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [msbb] c:\docume~1\thomas~1\locals~1\temp\msbb.exe
O4 - HKLM\..\Run: [ngzinyr] C:\WINDOWS\ngzinyr.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Reminder-hpc40503.lnk = C:\Program Files\CD-Writer Plus\E-Reg\REMIND32.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\file.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/182f0b44f78505db9520/netzip/RdxIE601_fr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab

 

Hi tvanryn,

Have only HijackThis running and fix :

O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\System32\bridge.dll

O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [msbb] c:\docume~1\thomas~1\locals~1\temp\msbb.exe
O4 - HKLM\..\Run: [ngzinyr] C:\WINDOWS\ngzinyr.exe

O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\file.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/182f0b4...RdxIE601_fr.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab

Make sure all hidden files and folders are shown : Here's How

Restart PC after doing so in Safe Mode : Here's How and remove :

C:\WINDOWS\System32\bridge.dll <- this file
c:\docume~1\thomas~1\locals~1\temp\msbb.exe <- this file
C:\WINDOWS\ngzinyr.exe <- this file

Clean temp internet files

Restart again in normal mode

Can you also give us the exact location where AVG finds it (path) on your PC?

Thnx

Cheers,

 

Hi,

Thanks for your help.

I've had HijackThis fixing the mentionned files, but then when in Safe Mode I couldn't find C:\WINDOWS\System32\bridge.dll nor C:\WINDOWS\ngzinyr.exe
About c:\docume~1\thomas~1\locals~1\temp\msbb.exe, I have been unable to remove it.

Is it normal?

When running AVG again after that, a new trojan appeared: Revop.C but it has beed moved to the virus vault.

Any way to prevent these ¤¤¤¤¤trojans to get in?

Regarding the place where AVG found them in my PC, I don't know how to give you that info, but I will do it with pleasure if you tell me how to.

Thanks for your help anyway

 

https://www.wilderssecurity.com/showthread.php?t=27971

And post a new HijackThis log so we can check if at least everything got disabled.

Regards,

Pieter