TrojanSpy.Win32.Briss.e in my computer. Help!

Discussion in 'adware, spyware & hijack cleaning' started by Kirby, May 4, 2004.

Thread Status:
Not open for further replies.
  1. Kirby

    Kirby Registered Member

    Joined:
    May 4, 2004
    Posts:
    5
    Hello everyone. I just found this place when searching with Google. Well, I found some Trojans on my computer some weeks ago. Now I need help with two Trojans: Briss.e and TrojanClicker.Win32.Delf.r. Delf is in C:\WINDOWS\5_0_1BROWSERHELPER5.DLL. I get the Delf warning every time I open a new Internet Explorer window. Briss was in a file like C:\WINDOWS\A.EXE, if I remember right. Can someone help me? Please! o_O

    P.S. Sorry about my very bad English. I live in Finland, and I was born here, so... :D
     
  2. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
  3. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Kirby - You might also want to give the fully working evaluation trial of Trojan Remover a shot at it, from here: Trojan Remover website/d/l page. HTH, Pete
     
  4. Kirby

    Kirby Registered Member

    Joined:
    May 4, 2004
    Posts:
    5
    Thank you very much. I got rid of Briss - wohoo!! :D
    But Trojan Remover was unable to scan the 5_0_1BROWSERHELPER5.DLL file, which contains the Delf.r Trojan. Is Delf dangerous, and how can I remove it?

    -Kirby
     
  5. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Did you scan in "Safe" mode with TrojanRemover?

    Did you update the program from this page before running the scan?

    Have you re-booted since attempting to remove it? Pete
     
  6. Kirby

    Kirby Registered Member

    Joined:
    May 4, 2004
    Posts:
    5
    What "Safe" mode? (Sorry, I'm stupid, I know.)
    I scanned my computer again; no Trojans were found. I found this in the log file, though.

    ------------------------------
    21:08:03: Scanning ----- BROWSER HELPER OBJECTS -----
    C:\OHJELMATIEDOSTOT\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX - this Browser Helper Object has been left in place
    C:\OHJELMATIEDOSTOT\COMET\INSTALL\TEMP\BRBHO.DLL - this Browser Helper Object has been left in place
    C:\OHJELMATIEDOSTOT\COMET\BIN\CSBHO.DLL - this Browser Helper Object has been left in place
    C:\OHJELM~1\INCRED~1\BHO\BHO.DLL - this Browser Helper Object has been left in place
    C:\OHJELMATIEDOSTOT\MYWEBSEARCH\BAR\1.BIN\MWSBAR.DLL - this Browser Helper Object has been left in place
    C:\OHJELMATIEDOSTOT\MYWEBSEARCH\SRCHASTT\1.BIN\MWSSRCAS.DLL - this Browser Helper Object has been left in place
    C:\OHJELMATIEDOSTOT\HOTBAR\BIN\4.3.6.0\HBHOSTIE.DLL - this Browser Helper Object has been left in place
    C:\OHJELM~1\INCRED~1\BHO\INCFIN~1.DLL - this Browser Helper Object has been left in place
    C:\WINDOWS\TWAINTEC.DLL - this Browser Helper Object has been left in place
    C:\WINDOWS\SYSTEM\BRIDGE.DLL - this Browser Helper Object has been left in place
    Error trying to process C:\WINDOWS\5_0_1browserhelper5.dll for Trojans
    C:\WINDOWS\5_0_1browserhelper5.dll - this Browser Helper Object has been left in place
    C:\WINDOWS\MSLAGENT\4B_1,0,0,8_MSLAGENT.DLL - this Browser Helper Object has been left in place
    C:\PROGRAM FILES\LYCOS\IEAGENT\CSIE.DLL - this Browser Helper Object has been left in place
    ------------------------------

    And that browserhelper contains the Delf Trojan. BTW, is Delf dangerous? What can it do to my computer? o_O
     
  7. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Do as suggested in post 2.

    They are all adware/spyware parasites that need removing, as they cause system instabilities at the least, so the hijack cleaning forum is the place to get them cleaned off safely and easily.
     
  8. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    I concur. Pete
     
  9. Kirby

    Kirby Registered Member

    Joined:
    May 4, 2004
    Posts:
    5
    Well, I downloaded HijackThis and now I'm posting my log file.

    Logfile of HijackThis v1.97.7
    Scan saved at 21:32:03, on 7.5.2004
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\OHJELMATIEDOSTOT\SONERA INTERNET TIETOTURVA\COMMON\FSMA32.EXE
    C:\OHJELMATIEDOSTOT\SONERA INTERNET TIETOTURVA\COMMON\FSMB32.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\OHJELMATIEDOSTOT\SONERA INTERNET TIETOTURVA\COMMON\FCH32.EXE
    C:\OHJELMATIEDOSTOT\SONERA INTERNET TIETOTURVA\BACKWEB\4436233\PROGRAM\FSBWSYS.EXE
    C:\OHJELMATIEDOSTOT\SONERA INTERNET TIETOTURVA\COMMON\FAMEH32.EXE
    C:\OHJELMATIEDOSTOT\SONERA INTERNET TIETOTURVA\ANTI-VIRUS\FSGK32.EXE
    C:\OHJELMATIEDOSTOT\SONERA INTERNET TIETOTURVA\DFW\PROGRAM\FSDFWD.EXE
    C:\OHJELMATIEDOSTOT\SONERA INTERNET TIETOTURVA\ANTI-VIRUS\FSSM32.EXE
    C:\OHJELMATIEDOSTOT\SONERA INTERNET TIETOTURVA\ANTI-VIRUS\FSAV32.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\OHJELMATIEDOSTOT\COMMON FILES\KEENVALUE\KEENVALUE.EXE
    C:\OHJELMATIEDOSTOT\COMMON FILES\UPDATER\WUPDATER.EXE
    C:\OHJELMATIEDOSTOT\HEWLETT-PACKARD\DIGITAL IMAGING\UNLOAD\HPQCMON.EXE
    C:\OHJELMATIEDOSTOT\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\OHJELMATIEDOSTOT\SONERA INTERNET TIETOTURVA\COMMON\FSM32.EXE
    C:\WINDOWS\RunDLL.exe
    C:\OHJELMATIEDOSTOT\MSN MESSENGER\MSNMSGR.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\OHJELMATIEDOSTOT\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\OHJELMATIEDOSTOT\WINZIP\WZQKPICK.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\OHJELMATIEDOSTOT\INTERNET EXPLORER\IEXPLORE.EXE
    C:\OHJELMATIEDOSTOT\COMMON FILES\KEENVALUE\KWM.EXE
    C:\OHJELMATIEDOSTOT\FINNISHIRC XP\FIRC.EXE
    C:\OHJELMATIEDOSTOT\WINZIP\WINZIP32.EXE
    C:\WINDOWS\TEMP\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchbar.findthewebsiteyouneed.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://haku.soneraplaza.fi/haku/queryie5.jsp
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jippii.fi/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.soneraplaza.fi
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer - toimittaja Sonera Internet
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchwww.com/search.cgi?s=%s
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.dial.inet.fi:800
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.fi;*.*.fi;*.*.*.fi;;localhost;<local>
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://searchbar.findthewebsiteyouneed.com/
    R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\OHJELM~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\OHJELMATIEDOSTOT\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: CSBrBHO - {96DA5BEE-4ACC-476C-B3EC-54C6730C4293} - C:\OHJELMATIEDOSTOT\COMET\INSTALL\TEMP\BRBHO.DLL (file missing)
    O2 - BHO: CSBHO - {D14D6793-9B65-11D3-80B6-00500487BDBA} - C:\OHJELMATIEDOSTOT\COMET\BIN\CSBHO.DLL (file missing)
    O2 - BHO: NavErrRedir Class - {269B6797-664E-48AA-B283-B012BDF6E525} - C:\OHJELM~1\INCRED~1\BHO\BHO.DLL (file missing)
    O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\OHJELMATIEDOSTOT\MYWEBSEARCH\BAR\1.BIN\MWSBAR.DLL (file missing)
    O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\OHJELMATIEDOSTOT\MYWEBSEARCH\SRCHASTT\1.BIN\MWSSRCAS.DLL (file missing)
    O2 - BHO: Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\OHJELMATIEDOSTOT\HOTBAR\BIN\4.3.6.0\HBHOSTIE.DLL (file missing)
    O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\OHJELM~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\TWAINTEC.DLL (file missing)
    O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\SYSTEM\BRIDGE.DLL (file missing)
    O2 - BHO: (no name) - {FBED6A02-71FB-11D8-86B0-0002441A9695} - C:\WINDOWS\5_0_1browserhelper5.dll
    O2 - BHO: (no name) - {DE614603-6320-4046-A7A7-6A69CEC26F14} - C:\WINDOWS\MSLAGENT\4B_1,0,0,8_MSLAGENT.DLL (file missing)
    O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\PROGRAM FILES\LYCOS\IEAGENT\CSIE.DLL
    O3 - Toolbar: Comet Toolbar - {FE6BC4EF-5676-484B-88AE-883323913256} - C:\OHJELMATIEDOSTOT\COMET\BIN\CSIETB.DLL (file missing)
    O3 - Toolbar: PowerSearch - {4E7BD74F-2B8D-469E-AA8E-8E1CA787AD2D} - C:\Ohjelmatiedostot\PowerSearch\Toolbar\pwrs0108.dll (file missing)
    O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\OHJELMATIEDOSTOT\MYWEBSEARCH\BAR\1.BIN\MWSBAR.DLL (file missing)
    O3 - Toolbar: &Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\OHJELMATIEDOSTOT\HOTBAR\BIN\4.3.6.0\HBHOSTIE.DLL (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [RealTray] C:\Ohjelmatiedostot\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [KeenValue] C:\Ohjelmatiedostot\Common files\KeenValue\KeenValue.exe
    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\OHJELM~1\MYWEBS~1\BAR\1.BIN\MWSOEMON.EXE
    O4 - HKLM\..\Run: [Hotbar] C:\OHJELMATIEDOSTOT\HOTBAR\BIN\4.3.6.0\HBINST.EXE /Upgrade
    O4 - HKLM\..\Run: [updater] C:\Ohjelmatiedostot\Common files\updater\wupdater.exe
    O4 - HKLM\..\Run: [CamMonitor] C:\Ohjelmatiedostot\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Ohjelmatiedostot\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [ClrSchLoader] \Progra~1\Lycos\IEagent\Loader.exe
    O4 - HKLM\..\Run: [ALCHEM] C:\WINDOWS\ALCHEM.exe
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\OHJELMATIEDOSTOT\SONERA INTERNET TIETOTURVA\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\OHJELMATIEDOSTOT\SONERA INTERNET TIETOTURVA\TNB\TNBUtil.exe" /CHECKALL
    O4 - HKLM\..\Run: [BDHUK] C:\WINDOWS\SYSTEM\BDHUK.exe
    O4 - HKLM\..\Run: [TrojanScanner] C:\Ohjelmatiedostot\Trojan Remover\Trjscan.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [fsaa] C:\OHJELMATIEDOSTOT\SONERA INTERNET TIETOTURVA\Common\fsaa.exe
    O4 - HKLM\..\RunServices: [F-Secure Management Agent] C:\OHJELMATIEDOSTOT\SONERA INTERNET TIETOTURVA\Common\FSMA32.EXE
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - HKCU\..\Run: [spynuker_download] C:\WINDOWS\DOWNLOADED PROGRAM FILES\SPYWARENUKERINSTALLER.EXE
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Ohjelmatiedostot\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [mslagent] C:\WINDOWS\mslagent\MSLAGENT.EXE
    O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGCOMLIB_1035.dll,InstantAccess
    O4 - Startup: WinZip Quick Pick.lnk = C:\Ohjelmatiedostot\WinZip\WZQKPICK.EXE
    O4 - Startup: BonziBUDDY.lnk = C:\Ohjelmatiedostot\BonziBUDDY\BonziBDY.EXE
    O4 - Global Startup: KeenValue.lnk = C:\Ohjelmatiedostot\Common files\KeenValue\keenvalue.exe
    O4 - Global Startup: updater.lnk = C:\Ohjelmatiedostot\Common files\updater\wupdater.exe
    O4 - Global Startup: Sonera Internet Tietoturva.lnk = C:\Ohjelmatiedostot\Sonera Internet Tietoturva\backweb\4436233\Program\backweb-4436233.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .spop: C:\OHJELM~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .midi: C:\OHJELM~1\INTERN~1\PLUGINS\npqtplugin2.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.soneraplaza.fi
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {94742E3F-D9A1-4780-9A87-2FFA43655DA2} - http://fr4-scripts.downloadv3.com/binaries/DialHTML/EGDHTML_pack.cab
    O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://riverbelle.microgaming.com/riverbelle/FlashAX.cab
    O16 - DPF: {2ABE804B-4D3A-41BF-A172-304627874B45} - http://fr4-scripts.downloadv3.com/binaries/DialHTML/EGDHTML_1019.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downloadv3.com/binaries/IA/ia.cab
    O16 - DPF: {142016BF-5CCA-4C8D-AC01-C4A8F4044AD5} - http://media.euniverse.com/cursorzone/files/Cat_Running_setup_td035.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Fun Web Products Installer Start) - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.5.cab
    O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) - http://www.gamehouse.com/ghdlctl.cab
    O16 - DPF: {086A694F-91FB-4068-B44C-124FB69BF05D} - http://www.searchwww.com/search.cab
    O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://www.spywarenuker.com/product/camp/SpywareNuker_com/SpywareNukerInstaller.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38086.4045023148
    O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downloadv3.com/binaries/IA/netia32_EN.cab
    O16 - DPF: {CEFB7B49-9652-464F-8AFD-A577C0500F39} (EGP2ECOM Class) - http://akamai.downloadv3.com/binaries/P2EClient/EGAUTH_1009_1035_pack.cab
    O16 - DPF: {A02780C3-7F77-4E28-855B-28890F3CF37A} - http://akamai.downloadv3.com/binaries/DialHTML/EGCOMLIB_1035_pack.cab

    EDIT: In some parts of the log file it says "File missing." I have destroyed some files, like everything belonging to programs like Comet Toolbar, because they were big trouble to me once. :p
     
  10. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi Kirby,

    I have moved your thread from the 'trojans & backdoors' forum to the hijack cleaning forum, as dvk01 said these are adware/spyware parasites that need to be removed.

    Before you begin, please create a permanent folder for HijackThis on your C drive, and move the HijackThis.exe file into the new permanent folder. HijackThis creates backups in the folder it is run from, and if it is run from a Temp folder those backups will be easily lost.

    Next, check the items listed below in HijackThis.
    Close ALL other windows/browsers except HijackThis, then click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchbar.findthewebsiteyouneed.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com/

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchwww.com/search.cgi?s=%s
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://searchbar.findthewebsiteyouneed.com/

    R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\OHJELM~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)

    O2 - BHO: CSBrBHO - {96DA5BEE-4ACC-476C-B3EC-54C6730C4293} - C:\OHJELMATIEDOSTOT\COMET\INSTALL\TEMP\BRBHO.DLL (file missing)
    O2 - BHO: CSBHO - {D14D6793-9B65-11D3-80B6-00500487BDBA} - C:\OHJELMATIEDOSTOT\COMET\BIN\CSBHO.DLL (file missing)
    O2 - BHO: NavErrRedir Class - {269B6797-664E-48AA-B283-B012BDF6E525} - C:\OHJELM~1\INCRED~1\BHO\BHO.DLL (file missing)
    O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\OHJELMATIEDOSTOT\MYWEBSEARCH\BAR\1.BIN\MWSBAR.DLL (file missing)
    O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\OHJELMATIEDOSTOT\MYWEBSEARCH\SRCHASTT\1.BIN\MWSSRCAS.DLL (file missing)
    O2 - BHO: Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\OHJELMATIEDOSTOT\HOTBAR\BIN\4.3.6.0\HBHOSTIE.DLL (file missing)
    O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\OHJELM~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\TWAINTEC.DLL (file missing)
    O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\SYSTEM\BRIDGE.DLL (file missing)

    O2 - BHO: (no name) - {FBED6A02-71FB-11D8-86B0-0002441A9695} - C:\WINDOWS\5_0_1browserhelper5.dll
    O2 - BHO: (no name) - {DE614603-6320-4046-A7A7-6A69CEC26F14} - C:\WINDOWS\MSLAGENT\4B_1,0,0,8_MSLAGENT.DLL (file missing)

    O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\PROGRAM FILES\LYCOS\IEAGENT\CSIE.DLL

    O3 - Toolbar: Comet Toolbar - {FE6BC4EF-5676-484B-88AE-883323913256} - C:\OHJELMATIEDOSTOT\COMET\BIN\CSIETB.DLL (file missing)
    O3 - Toolbar: PowerSearch - {4E7BD74F-2B8D-469E-AA8E-8E1CA787AD2D} - C:\Ohjelmatiedostot\PowerSearch\Toolbar\pwrs0108.dll (file missing)
    O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\OHJELMATIEDOSTOT\MYWEBSEARCH\BAR\1.BIN\MWSBAR.DLL (file missing)
    O3 - Toolbar: &Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\OHJELMATIEDOSTOT\HOTBAR\BIN\4.3.6.0\HBHOSTIE.DLL (file missing)

    O4 - HKLM\..\Run: [KeenValue] C:\Ohjelmatiedostot\Common files\KeenValue\KeenValue.exe
    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\OHJELM~1\MYWEBS~1\BAR\1.BIN\MWSOEMON.EXE
    O4 - HKLM\..\Run: [Hotbar] C:\OHJELMATIEDOSTOT\HOTBAR\BIN\4.3.6.0\HBINST.EXE /Upgrade
    O4 - HKLM\..\Run: [updater] C:\Ohjelmatiedostot\Common files\updater\wupdater.exe
    O4 - HKLM\..\Run: [ClrSchLoader] \Progra~1\Lycos\IEagent\Loader.exe
    O4 - HKLM\..\Run: [ALCHEM] C:\WINDOWS\ALCHEM.exe
    O4 - HKLM\..\Run: [BDHUK] C:\WINDOWS\SYSTEM\BDHUK.exe
    O4 - HKCU\..\Run: [mslagent] C:\WINDOWS\mslagent\MSLAGENT.EXE
    O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGCOMLIB_1035.dll,InstantAccess
    O4 - Startup: BonziBUDDY.lnk = C:\Ohjelmatiedostot\BonziBUDDY\BonziBDY.EXE

    O4 - Global Startup: KeenValue.lnk = C:\Ohjelmatiedostot\Common files\KeenValue\keenvalue.exe
    O4 - Global Startup: updater.lnk = C:\Ohjelmatiedostot\Common files\updater\wupdater.exe

    O16 - DPF: {94742E3F-D9A1-4780-9A87-2FFA43655DA2} - http://fr4-scripts.downloadv3.com/b...GDHTML_pack.cab
    O16 - DPF: {2ABE804B-4D3A-41BF-A172-304627874B45} - http://fr4-scripts.downloadv3.com/b...GDHTML_1019.cab
    O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downloadv3.com/binaries/IA/ia.cab
    O16 - DPF: {142016BF-5CCA-4C8D-AC01-C4A8F4044AD5} - http://media.euniverse.com/cursorzo...setup_td035.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Fun Web Products Installer Start) - http://imgfarm.com/images/nocache/f...etup1.0.0.5.cab
    O16 - DPF: {086A694F-91FB-4068-B44C-124FB69BF05D} - http://www.searchwww.com/search.cab
    O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://www.spywarenuker.com/product...erInstaller.exe
    O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downloadv3.com/binaries/IA/netia32_EN.cab
    O16 - DPF: {CEFB7B49-9652-464F-8AFD-A577C0500F39} (EGP2ECOM Class) - http://akamai.downloadv3.com/binari...9_1035_pack.cab
    O16 - DPF: {A02780C3-7F77-4E28-855B-28890F3CF37A} - http://akamai.downloadv3.com/binari...B_1035_pack.cab


    Make sure you have all files and folders viewable: How to Show Hidden Files and Folders

    Reboot your computer into Safe Mode by tapping the F8 key just before windows begins to load.

    Find and delete these files highlighted in bold:
    C:\WINDOWS\ALCHEM.exe <--file
    C:\WINDOWS\SYSTEM\BDHUK.exe <--file

    And these folders highlighted in bold:
    C:\Ohjelmatiedostot\Common files\KeenValue
    C:\OHJELMATIEDOSTOT\MYWEBSEARCH
    C:\OHJELMATIEDOSTOT\HOTBAR
    C:\Ohjelmatiedostot\Common files\updater
    Program Files\Lycos
    C:\WINDOWS\mslagent
    C:\Ohjelmatiedostot\BonziBUDDY
    C:\OHJELMATIEDOSTOT\COMET
    C:\Ohjelmatiedostot\PowerSearch

    Instant Access folder, which would probably be in your Ohjelmatiedostot folder.
    Also, check to make sure the EGCOMLIB_1035.dll is inside the Instant Access folder. If it isn't in there, then do a search for it and delete the EGCOMLIB_1035.dll


    Then download and install Ad-Aware.

    After installing you MUST install the latest Reference File to bring Ad-Aware's detection up-to-date. Follow these instructions.

    Then follow these instructions for setting up Ad-Aware's scan:
    1. Click on the Settings (Gear at the top) --> Tweak button
    Under Scanning Engine: check: "Unload recognized processes during scanning."
    Under Cleaning Engine: check: "Let Windows remove files in use after reboot."
    Click "Proceed"

    2. Press the "Scan Now" button
    Put a dot in the circle for "Use Custom scanning options"
    Check option for "Activate In-Depth Scan (Recommended)"
    Press "Select drives\folders to scan"
    Select the active partition which is usually C:
    Click "Proceed"

    3. Press "Next" to begin the scan.
    It will find a number of "bad" files and registry keys.
    Right-click in that pane and choose "select all"

    4. Press "Next" again.
    It will ask you whether you'd like to remove all checked items. Click OK.
    Once Ad-Aware has removed the items, close it and restart your computer.
    (Ad-Aware will make a backup of everything deleted, so if there is reason that you have to undo anything, you have the backup to restore from).

    -----

    I am not sure about these entries, so let's leave them as they are for now, and I'll ask an Expert to take a look at them, or if you know they were set up this way and can enlighten me, that would be helpful. :)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jippii.fi/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.dial.inet.fi:800
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.fi;*.*.fi;*.*.*.fi;;localhost;<local>


    Reboot your computer and do another scan with HijackThis and post a new log to be checked, and there will be more steps to follow (hope I haven't missed any). :)

    Regards,

    snap
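As an added example (not code from this thread, from HijackThis or from Trojan Remover), here is a small Python script that parses lines in the HijackThis log format posted above and surfaces the same kinds of entries snap picked out by hand: R0/R1 search and start pages pointing at a host the owner did not choose, O2/O3 registrations whose file is missing, a browser helper loaded straight from the Windows directory, and O16 ActiveX downloads from hosts outside an allowlist. The sample log lines are constructed from the posted log; the two allowlists (EXPECTED_BROWSER_HOSTS, TRUSTED_DPF_HOSTS) are assumptions that would be set per machine, and O4 Run entries are parsed but left for manual review, since legitimate loaders also live in C:\WINDOWS.

```python
import re
from urllib.parse import urlparse

# Constructed sample in HijackThis v1.97 log format, modelled on entries from
# the log posted above ("Ohjelmatiedostot" is the Finnish "Program Files").
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jippii.fi/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.soneraplaza.fi
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\OHJELMATIEDOSTOT\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\OHJELMATIEDOSTOT\HOTBAR\BIN\4.3.6.0\HBHOSTIE.DLL (file missing)
O2 - BHO: (no name) - {FBED6A02-71FB-11D8-86B0-0002441A9695} - C:\WINDOWS\5_0_1browserhelper5.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {94742E3F-D9A1-4780-9A87-2FFA43655DA2} - http://fr4-scripts.downloadv3.com/binaries/DialHTML/EGDHTML_pack.cab
"""

# Assumed allowlists (not from the thread): hosts this machine's owner actually
# chose for search/start pages, and ActiveX download sites the analyst trusts.
EXPECTED_BROWSER_HOSTS = ("soneraplaza.fi", "jippii.fi")
TRUSTED_DPF_HOSTS = ("macromedia.com", "apple.com", "symantec.com", "microsoft.com")

LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
URL_RE = re.compile(r"https?://\S+")
MISSING = " (file missing)"


def parse_line(line):
    """Split one HijackThis line into section, CLSID, path/URL and the file-missing flag.
    Returns None for lines that are not R/O entries (headers, process list, blanks)."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    section, body = m.group("section"), m.group("body")
    rec = {"section": section, "body": body, "clsid": None, "path": None,
           "url": None, "file_missing": body.endswith(MISSING)}
    c = CLSID_RE.search(body)
    if c:
        rec["clsid"] = c.group(0).upper()
    u = URL_RE.search(body)
    if u:
        rec["url"] = u.group(0)
    if section in ("O2", "O3"):
        # "O2 - BHO: name - {CLSID} - path [(file missing)]": the path is the last " - " field
        path = body.rsplit(" - ", 1)[-1]
        rec["path"] = path[:-len(MISSING)] if rec["file_missing"] else path
    return rec


def host_allowed(host, allowed):
    """True if host equals an allowlisted domain or is a subdomain of one."""
    host = host.lower()
    return any(host == a or host.endswith("." + a) for a in allowed)


def parent_dir(path):
    return path.rsplit("\\", 1)[0].upper()


def triage(log_text, expected_hosts=EXPECTED_BROWSER_HOSTS, trusted_dpf=TRUSTED_DPF_HOSTS):
    """Return (reason, line) pairs for the entries an analyst should look at first."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        sec = rec["section"]
        if sec in ("R0", "R1") and rec["url"]:
            host = urlparse(rec["url"]).hostname or ""
            if not host_allowed(host, expected_hosts):
                findings.append(("browser setting points at unexpected host " + host, line))
        elif sec in ("O2", "O3"):
            if rec["file_missing"]:
                # Registry still references the DLL; the file was deleted by hand
                findings.append(("orphaned registration, file missing", line))
            elif parent_dir(rec["path"]) == "C:\\WINDOWS":
                # Heuristic: legitimate BHOs normally live under Program Files
                findings.append(("browser extension loaded directly from the Windows directory", line))
        elif sec == "O16" and rec["url"]:
            host = urlparse(rec["url"]).hostname or ""
            if not host_allowed(host, trusted_dpf):
                findings.append(("ActiveX control downloaded from untrusted host " + host, line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}]\n    {line}")
```

Run against the sample it reports four entries: the hijacked Search Page, the orphaned Hotbar BHO, the browser helper sitting in C:\WINDOWS, and the dialer cab from downloadv3.com; the Adobe helper, the Radio toolbar in C:\WINDOWS\SYSTEM, the ISP start page and the Flash cab are left alone. The "file missing" flag is the reason snap still lists those O2/O3 lines for fixing: deleting a DLL by hand leaves the CLSID registered, and the broken reference is what HijackThis is removing.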
     
  11. Kirby

    Kirby Registered Member

    Joined:
    May 4, 2004
    Posts:
    5
    Thanks for the help, snap, but I must take my computer to a computer doctor (funny word, isn't it?) because I have never heard of some of the files you mentioned in your post, and now my firewall (Sonera Internet Tietoturva) told me (when I was in the C:\WINDOWS\SYSTEM folder) that it had found a Revop Trojan and TrojanDownloader.Win32.VB.aa on my computer. :'(
    I'm so sad and so mad... my computer is almost useless, thanks to those Trojans! :mad:
     