Need help to get rid of Trojan horse PSW.Briss.E

Discussion in 'adware, spyware & hijack cleaning' started by tvanryn, May 20, 2004.

Thread Status:
Not open for further replies.
  1. tvanryn

    tvanryn Registered Member

    Joined:
    May 20, 2004
    Posts:
    2
    Hello,

    I've had this PSW.Briss.E virus that AVG cannot delete. Can anyone help? Thanks in advance.

    I've run HijackThis:


    Logfile of HijackThis v1.97.7
    Scan saved at 15:52:05, on 20/05/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\kdx\KHost.exe
    C:\WINDOWS\BQTray.exe
    C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\CD-Writer Plus\E-Reg\REMIND32.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Real\RealOne Player\RealPlay.exe
    C:\Program Files\Fichiers communs\Real\Update_OB\rnathchk.exe
    C:\DOCUME~1\THOMAS~1\LOCALS~1\Temp\msbb.exe
    C:\WINDOWS\System32\taskmgr.exe
    C:\Program Files\Grisoft\AVG6\avgw.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\thomas van ryn\Local Settings\Temporary Internet Files\Content.IE5\6H3O5WJM\HijackThis[1].exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
    O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\System32\bridge.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\CD-Writer Plus\DirectCD\DIRECTCD.EXE
    O4 - HKLM\..\Run: [BurnQuick Queue] C:\WINDOWS\BQTray.exe
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [msbb] c:\docume~1\thomas~1\locals~1\temp\msbb.exe
    O4 - HKLM\..\Run: [ngzinyr] C:\WINDOWS\ngzinyr.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Startup: Reminder-hpc40503.lnk = C:\Program Files\CD-Writer Plus\E-Reg\REMIND32.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\file.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/182f0b44f78505db9520/netzip/RdxIE601_fr.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
     
  2. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi tvanryn,

    Have only HijackThis running and fix :

    O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
    O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\System32\bridge.dll

    O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [msbb] c:\docume~1\thomas~1\locals~1\temp\msbb.exe
    O4 - HKLM\..\Run: [ngzinyr] C:\WINDOWS\ngzinyr.exe

    O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\file.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/182f0b4...RdxIE601_fr.cab
    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab

    Make sure all hidden files and folders are shown : Here's How

    Restart PC after doing so in Safe Mode : Here's How and remove :

    C:\WINDOWS\System32\bridge.dll <- this file
    c:\docume~1\thomas~1\locals~1\temp\msbb.exe <- this file
    C:\WINDOWS\ngzinyr.exe <- this file

    Clean temp internet files

    Restart again in normal mode

    Can you also give us the exact location where AVG finds it (path) on your PC?

    Thnx

    Cheers,
     
  3. tvanryn

    tvanryn Registered Member

    Joined:
    May 20, 2004
    Posts:
    2
    Hi,

    Thanks for your help.

    I had HijackThis fix the mentioned files, but then when in Safe Mode I couldn't find C:\WINDOWS\System32\bridge.dll or C:\WINDOWS\ngzinyr.exe.
    As for c:\docume~1\thomas~1\locals~1\temp\msbb.exe, I have been unable to remove it.

    Is it normal?

    When running AVG again after that, a new trojan appeared: Revop.C, but it has been moved to the virus vault.

    Any way to prevent these ¤¤¤¤¤ trojans from getting in?

    Regarding the place where AVG found them in my PC, I don't know how to give you that info, but I will do it with pleasure if you tell me how to.

    Thanks for your help anyway
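
Added example, not part of the thread and not HijackThis's own code: a small parser for the log format posted above that reports which `O4` Run entries point at an executable also listed under "Running processes". The log lines are an excerpt copied from the first post; the function names `parse_log` and `triage` are hypothetical.

```python
import re

# Excerpt copied from the HijackThis log in the first post.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\kdx\KHost.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\DOCUME~1\THOMAS~1\LOCALS~1\Temp\msbb.exe

O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [msbb] c:\docume~1\thomas~1\locals~1\temp\msbb.exe
O4 - HKLM\..\Run: [ngzinyr] C:\WINDOWS\ngzinyr.exe
"""

# "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_RUN = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]+)\] (.+)$")
# First drive-letter path ending in .exe/.dll inside the command line.
EXE_PATH = re.compile(r'"?([A-Za-z]:\\[^"]*?\.(?:exe|dll))', re.I)

def parse_log(text):
    """Return (running, autostarts): lower-cased process paths and a list of
    (hive, key, value_name, target_path) tuples taken from O4 Run lines."""
    running, autostarts, in_procs = set(), [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
        elif in_procs and not line:      # a blank line ends the process list
            in_procs = False
        elif in_procs:
            running.add(line.lower())
        else:
            m = O4_RUN.match(line)
            target = EXE_PATH.search(m.group(4)) if m else None
            if target:
                autostarts.append((m.group(1), m.group(2), m.group(3), target.group(1)))
    return running, autostarts

def triage(text):
    """Map each Run value name to True if its target path is listed as running.
    Paths are compared as case-folded strings; 8.3 short names are not expanded."""
    running, autostarts = parse_log(text)
    return {name: path.lower() in running for _, _, name, path in autostarts}

if __name__ == "__main__":
    for name, live in triage(SAMPLE_LOG).items():
        print(f"{name:8} {'RUNNING' if live else 'not running'}")
```

An entry reported as running is a file Windows normally keeps locked while the process is alive, which is the first thing to check when a listed file will not delete. DLL targets such as the `RunDLL` entry never match because they are loaded by a host process rather than listed themselves.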
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands