trojan.brisv.a



#1 leighba

leighba

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:11:47 AM

Posted 09 February 2009 - 04:31 AM

My NIS picked this up the other day I tried the symantec removal tool and it didn't work, after that I am quite stuck, any help would be greatly appreciated.


#2 quietman7

Posted 09 February 2009 - 12:03 PM

Have you tried running your AV scans in "Safe Mode"? If not, please do so. If that does not help, then do this:

Please download Malwarebytes Anti-Malware (v1.33) and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes. Click this link to see a list of programs that should be disabled.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 leighba

leighba
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:11:47 AM

Posted 10 February 2009 - 06:15 AM

Hi, as you can see it didn't find anything, but the virus is still there.

I had already run the symantec specific removal tool for this trojan in safe mode about 4 days ago but it didn't work.



Malwarebytes' Anti-Malware 1.33
Database version: 1742
Windows 6.0.6001 Service Pack 1

10/02/2009 21:11:56
mbam-log-2009-02-10 (21-11-56).txt

Scan type: Quick Scan
Objects scanned: 57715
Time elapsed: 3 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by leighba, 10 February 2009 - 07:26 AM.
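Helpers reading logs like the one above first check that the top portion (program, database and Windows versions) is present and then whether any summary count is non-zero. The following is an added example, not code from this thread or from Malwarebytes, that parses the MBAM 1.33 log layout shown here; the detection line in the sample is constructed for illustration.

```python
import re

# Constructed log in the layout of the MBAM 1.33 report posted above; the
# detection line is made up for illustration and is not from the thread.
DIRTY_LOG = """Malwarebytes' Anti-Malware 1.33
Database version: 1742
Windows 6.0.6001 Service Pack 1

Memory Processes Infected: 0
Registry Keys Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Files Infected:
C:\\Users\\example\\bad.exe (Trojan.Example) -> Quarantined and deleted successfully.
"""

HEADER_RE = re.compile(r"^Malwarebytes' Anti-Malware ([\d.]+)$")
SUMMARY_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")


def parse_mbam_log(text):
    """Extract header fields, per-category counts and listed detections."""
    # 'complete' stays False when the top portion the helper asked for is missing.
    r = {"version": None, "database": None, "windows": None,
         "counts": {}, "detections": {}, "complete": False}
    section = None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line:
            continue
        if m := HEADER_RE.match(line):
            r["version"] = m.group(1)
        elif line.startswith("Database version: "):
            r["database"] = line.split(": ", 1)[1]
        elif line.startswith("Windows "):
            r["windows"] = line[len("Windows "):]
        elif m := SUMMARY_RE.match(line):
            r["counts"][m.group(1)] = int(m.group(2))   # summary table
        elif line.endswith(" Infected:"):
            section = line[:-1]                          # detail section
            r["detections"].setdefault(section, [])
        elif section and line != "(No malicious items detected)":
            r["detections"][section].append(line)
    r["complete"] = all(r[k] for k in ("version", "database", "windows"))
    return r


def is_clean(parsed):
    """True only when every summary count is zero and no item was listed."""
    return (sum(parsed["counts"].values()) == 0
            and not any(parsed["detections"].values()))
```

Running `is_clean(parse_mbam_log(log_text))` on the log posted above returns True, while the constructed sample returns False because of its single file detection.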


#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,941 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:47 PM

Posted 10 February 2009 - 10:06 AM

Please download Avira AntiRootkit and save it to your desktop.
  • Extract (unzip) the file and it will create a folder on the desktop. (click here if you're not sure how to do this. Vista users refer to this link.)
  • Open the folder and double-click on setup.exe.
  • Click Next.
  • Highlight the radio button to accept the license agreement and then click Next.
  • Click Next again and Install to finalise the installation process.
  • Click Finish to complete the installation.
  • Go to Start > All Programs > Avira RootKit Detection and select Avira RootKit Detection
  • Click Ok when a message window pops up.
  • Click Start scan and let it run.
  • When the scan is complete, click View report and copy the contents of the report in your next reply.
Note: Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
Please download and scan with Dr.Web CureIt. Follow the instructions here for performing a scan in "safe mode".
-- Post the log in your next reply and let us know how your computer is running.

Edited by quietman7, 10 February 2009 - 10:08 AM.


#5 leighba

leighba
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:11:47 AM

Posted 11 February 2009 - 11:38 AM

With the 'complete scan' on drweb it took 7 hours, didn't save the report although I asked it to, and found 2 'trojan.wmaloader' files which showed as 'cured'. I clicked on 'select all' anyway but it wouldn't let me. I am now off to bed as it's 02:38 and will leave a NIS scan running to see what it picks up.



Avira AntiRootkit Tool - Beta (1.0.1.17)

========================================================================================================
- Scan started 11 February 2009 - 17:22:11
========================================================================================================

--------------------------------------------------------------------------------------------------------
Configuration:
--------------------------------------------------------------------------------------------------------
- [X] Scan files
- [X] Scan registry
- [X] Scan processes
- [ ] Fast scan
- Working disk total size : 149.05 GB
- Working disk free size : 12.18 GB (8 %)
--------------------------------------------------------------------------------------------------------

Scan task finished. No hidden objects detected!

--------------------------------------------------------------------------------------------------------
Files: 0/2687
Registry items: 0/0
Processes: 0/0
Scan time: 00:00:13
--------------------------------------------------------------------------------------------------------
Active processes:
========================================================================================================
- Scan finished 11 February 2009 - 17:22:25
========================================================================================================
Avira AntiRootkit Tool - Beta (1.0.1.17)

========================================================================================================
- Scan started 11 February 2009 - 17:22:52
========================================================================================================

--------------------------------------------------------------------------------------------------------
Configuration:
--------------------------------------------------------------------------------------------------------
- [X] Scan files
- [X] Scan registry
- [X] Scan processes
- [ ] Fast scan
- Working disk total size : 149.05 GB
- Working disk free size : 12.18 GB (8 %)
--------------------------------------------------------------------------------------------------------

Scan task finished. No hidden objects detected!

--------------------------------------------------------------------------------------------------------
Files: 0/130470
Registry items: 0/423770
Processes: 0/73
Scan time: 00:13:59
--------------------------------------------------------------------------------------------------------
Active processes:
========================================================================================================
- Scan finished 11 February 2009 - 17:36:51
========================================================================================================

#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,941 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:47 PM

Posted 11 February 2009 - 12:00 PM

Let me know if the AV scan finds anything, what it was and if the AV was able to remove it.

#7 leighba

leighba
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:11:47 AM

Posted 12 February 2009 - 03:55 AM

The latest Norton full system scan didn't find anything. It appears that Dr.Web CureIt was the solution, although it didn't identify the virus as trojan.brisv.a; it located them as trojan.wmaloader.

But it appears to be all clear now, thanks so much for your help.

#8 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,941 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:47 PM

Posted 12 February 2009 - 07:28 AM

it didn't identify the virus as trojan.brisv.a

Each security vendor uses their own naming conventions to identify various types of malware. See Understanding virus names.

If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory that your tools cannot access to delete these files, they can sometimes reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

Tips to protect yourself against malware and reduce the potential for re-infection:

Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.

Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. To learn more about this risk, please read: