Jump to content


Photo

Problems removing PSW.briss.E


  • Please log in to reply
6 replies to this topic

#1 alaska

alaska

    Member

  • New Member
  • Pip
  • 2 posts

Posted 18 May 2004 - 05:31 PM

Hi,

I have AVG running (amongst others) and it has detected PSW.briss.E trojan in file c:/windows/system32/bridge.dll, but it is saying it cannot be removed.

I have viewed all related topics in this forum on the briss virus, trying a few programs suggested, and cannot get rid of the trojan.

I have also downloaded hijackthis. Can you tell me how to generate the file to post so you can help me with this.

Thanks
Alaska

#2 Tuxedo Jack

Tuxedo Jack

    Creator of TuxPE, a Cat5-o'-9-Tails, Etherkillers, and more

  • Expert
  • PipPipPipPipPip
  • 1,757 posts

Posted 18 May 2004 - 05:54 PM

Run HJT, then click "Scan." Click "Save Log" - it's where "Scan" was a few seconds ago - then copy and paste all the text from the window that pops up into a reply to this thread.
Signature file is under revision. This will be back shortly.

#3 alaska

alaska

    Member

  • New Member
  • Pip
  • 2 posts

Posted 18 May 2004 - 05:57 PM

Thanks Tuxedo,

Here is the log file

Logfile of HijackThis v1.97.7
Scan saved at 8:56:35 AM, on 19/05/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\mysql\bin\mysqld.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\PROGRA~1\Grisoft\AVG6\AVGCC32.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Codeman\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.sma...earch/?new-hkcu
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homep...rt.cgi?new-hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.sma...earch/?new-hklm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O9 - Extra button: TREND MICRO HouseCall (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://housecall.tre...all/Xscan53.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro...eCallButton.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8111.9605208333
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D94F4183-07EA-44EE-9C89-3EC324D067F3}: NameServer = 203.49.70.92 139.134.2.190

Pls help

#4 jonboy1

jonboy1

    Member

  • New Member
  • Pip
  • 1 posts

Posted 19 May 2004 - 01:20 PM

I'm in the same boat. I've tried AVG in safe mode, downloaded trojan removers, and swearing at my screen. I have not tried throwing my stupid laptop against the wall...

If you have any better ideas, please help me.... :(

#5 dave38

dave38

    Devout Murphyite!

  • Emeritus
  • PipPipPipPipPip
  • 8,508 posts

Posted 19 May 2004 - 04:35 PM

Jonboy, follow Tuxedo Jack's advice above, and post the results IN YOUR OWN THREAD
Be wary of strong drink. It may make you shoot at tax collectors, and miss!
Please support SWI forum

#6 viper91180

viper91180

    Member

  • Full Member
  • Pip
  • 3 posts

Posted 24 May 2004 - 05:40 PM

hey guys, i have the same problem any ideas on how to remove it, im using avg but it cant clean it out???? help

#7 dave38

dave38

    Devout Murphyite!

  • Emeritus
  • PipPipPipPipPip
  • 8,508 posts

Posted 25 May 2004 - 04:49 PM

viper91180, please start your own thread.

alaska, there are traces of a coolweb infestation in your log. to clean it out, please download CWShredder
This was written to deal with Coolweb and all its variants.

Download and run the program. Let it fix everything it finds, and reboot.


There is no sign of the bridge.dll file in your log. Search for and delete the file. It may be a hidden file. See HERE for how to show hidden files.

Run Hijack this again, and post a fresh log so we can deal with whatever is left.
Be wary of strong drink. It may make you shoot at tax collectors, and miss!
Please support SWI forum




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button