
Jao/dll - Spy.Briss H HKEY_LOCAL_MACHINE infection.


  • This topic is locked
10 replies to this topic

#1 Chris

Chris

  • Members
  • 6 posts
  • OFFLINE
  • Local time:04:14 AM

Posted 24 November 2004 - 09:48 AM

Hi,

I’m running Windows 98 and I was infected with some variant of the About: Blank virus that was showing in the HKEY_LOCAL_MACHINE directories etc., and which messed with my ‘Trusted Sites’ settings and dropped Trojans & spyware & homepage-redirections every time I opened an IE browser.

I manually deleted all the dubious entries on the HijackThis log and used just about every anti-spyware freeware I could find (inc. CWShredder, AboutBuster and ‘Adware Away’). In the end, I’ve managed to get rid of the yezzm.dll and the IERN32.DLL BHO that seemed to be causing all the problems and thought I had suppressed all the above symptoms.

HOWEVER… the online RAV and BitDefender anti-virus scans are still showing me with the following infection that they cannot disinfect:

C:\WINDOWS\Downloaded Program Files\jao.dll: infected with Trojan.Spy.Briss.H

And the trouble is, I can’t find (much less delete) the hidden jao.dll file from the Downloaded Program Files folder even when I render all files visible.

I’ve worked through some other threads with similar problems which seem to suggest that I need to sort out the HKEY entries using regedit. But the courses they suggest all seem to refer to later versions of Window and don’t give paths that I can follow.

I have posted my HijackThis log below. It’s pretty bare and really only shows that no problems are visibly returning. I could post a list of those entries I deleted, if that would be any more help.

I must stress that I really don’t have any visible symptoms (pop ups, redirects) of a problem at present. But I know this type of infection is used to collect the keystroke data, so I’m paranoid now about conducting any on-line financial transactions or the like until I can remove the Spy.Briss.H.

So if any of you guys can suggest how I might proceed, I’d be seriously grateful.

Logfile of HijackThis v1.98.2
Scan saved at 14:28:41, on 24/11/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.50 SP1 (5.50.4522.1800)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\PRINTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\AOL 8.0\WAOL.EXE
C:\PROGRAM FILES\AOL 8.0\SHELLMON.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\MY DOWNLOAD FILES\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/1/hi/uk/
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0\aoltray.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net

PS. I really know v. little about PC's, so if anyone is able to answer I'd be grateful if you could presume I was ignorant of all but the basics.

Many thanks again. Chris.


#2 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  • Gender:Male
  • Location:Romania
  • Local time:04:14 AM

Posted 24 November 2004 - 06:00 PM

Hi

Download a² Free, update it and run it in Safe Mode.
http://www.emsisoft.com/en/software/download/

Also try this one: TrojanHunter
http://www.misec.net/trojanhunter/
Update the definitions and run it also in SafeMode.

Download System Security Suite here:
System Security Suite Download & Tutorial. Unzip it to your desktop.
Install the program. Don't use it yet.

With all windows and browsers closed.
Clean out temporary and Temporary Internet Files.
A. Open System Security Suite.
B. In the Items to Clear tab tick:
- Internet Explorer (left pane): Cookies & Temporary files
- My Computer (right pane): Temporary files
Press the Clear Selected Items button.
Close the program.
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?


#3 Chris

Chris
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:04:14 AM

Posted 26 November 2004 - 07:18 AM

Hi Cryo -

Sorry for the delay in replying, but I've literally just found your reply. (I thought I was preference-set for e-mail notifications, and I stopped manually checking the thread yesterday.)

I'll try everything that you've suggested and get back as soon as I've done so.

Thanks ever so much for the advice.

Chris.

#4 Chris

Chris
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:04:14 AM

Posted 26 November 2004 - 10:14 AM

Hi again Cryo,

The a2 freeware did the trick! It deleted the Spy.Briss.K virus that was in (or simply ‘was’?) the jao.dll file – and I’m presuming this is entirely identical, nomenclature aside, with the Spy.Briss.H infection my virus scans had pointed out. Certainly BitDefender and RAV are now scanning me as completely clean. Thanks so much. It’s been really bothering me for days.

The only very slight concern I now have is that although the Trojan-Hunter scan found no Trojans at all, it did highlight the following cryptic HKEY register queries in RED:

(Trojan-Hunter) Registry scan
Registry key exists: HKEY_CLASSES_ROOT\.dl (matches SubSeven.190)
Registry key exists: HKEY_CLASSES_ROOT\.dl (matches Subseven.200)

If you have any chance to reply, could I just ask whether you believe these should cause me any concern?

Many thanks, once more, for your time and advice.

Chris.

#5 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  • Gender:Male
  • Location:Romania
  • Local time:04:14 AM

Posted 26 November 2004 - 04:22 PM

Hi

Good job :thumbsup:

these should cause me any concern ?

I don't know. You can ask here this question: http://forum.misec.net/
It is the TrojanHunter support forum.

Many thanks, once more, for your time and advice

You're welcome !
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?


#6 Chris

Chris
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:04:14 AM

Posted 04 January 2005 - 06:16 PM

Dear Cryo,

Sorry to bother you again. You very kindly showed me, about a month ago, how to remove a variant of the About:Blank virus / Trojans etc from my PC.

I did what you advised, and all the symptoms and problems disappeared (see the thread above). However, a couple of days ago I chanced to notice that there was a website entry (the only entry, in fact) in my internet ‘Trusted Sites’ list. A quick Google showed this was a legacy of the virus infection. So I deleted the entry from the list. But then today I did a HijackThis scan and found that I now suddenly have a new ‘O15 – Trusted IP range: (HKLM)’ entry on the log. (I’ve attached the scan below).

Trouble is that HijackThis seems unable to remove the entry. I keep checking and fixing it – but it’s still there when I do another scan.

In safe mode, and with all updates applied, I have tried many times to delete it using: HJT, AboutBuster, Remove About Blank Buddy, and CW Shredder. All to no avail.

I have also used AVG anti-virus, Ad-Aware SE, SpyBot, a-Squared, and have SpywareBlaster installed.

Is it possible you can think of anything else I might try?

And should I actually be worried? By which I mean, is the O15 HKLM entry actually doing anything that should concern me? (There are no trusted sites appearing in my Control Panel / Trusted Sites list.)

Many thanks again for any help you can offer. It's immensely appreciated.

Best regards, Chris.


Logfile of HijackThis v1.99.0
Scan saved at 23:02:18, on 04/01/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.50 SP1 (5.50.4522.1800)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\PRINTRAY.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.0\THGUARD.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE
C:\WINDOWS\MSAGENT\AGENTSVR.EXE
C:\MY DOWNLOAD FILES\HIJACKTHIS.EXE

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.0\THGUARD.EXE"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0\aoltray.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O15 - Trusted IP range: (HKLM)
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net

#7 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  • Gender:Male
  • Location:Romania
  • Local time:04:14 AM

Posted 05 January 2005 - 10:01 AM

Hi

Download the inf file (right click, --> Save Target As) and save it to your desktop.

http://www.mvps.org/winhelp2002/DelDomains.inf

Right-click on the deldomains.inf file and select 'Install'

This should clear out those trusted entries that will not be removed.

REBOOT and post a new log please.
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?
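
The log triage that the two replies above do by eye (post #6's `O15 - Trusted IP range: (HKLM)` line, the `O16 - DPF` ActiveX entries, the `(no name)` BHO), written out as an added Python example. This is not code from the thread, from HijackThis, or from the DelDomains.inf linked above; it only parses the line formats that appear in the thread's logs. The allow-lists of scanner hosts and known BHO CLSIDs are assumptions taken from the logs for illustration, and the one extra O16 line in the sample input is constructed with a placeholder CLSID and host. The registry path it reports for O15 is the IE ZoneMap location that HijackThis reads for that section.

```python
"""Triage of HijackThis (HJT) log lines. Added example, not HJT's own code."""
import re

# Hosts that the thread's logs show serving online-scanner ActiveX controls
# (O16 DPF lines). Treated as an allow-list here; this is an assumption for
# the example, not a list shipped with HijackThis.
KNOWN_DPF_HOSTS = {
    "www.pandasoftware.com",
    "www.ravantivirus.com",
    "www.bitdefender.com",
}

# BHO CLSIDs treated as known-good. The one entry is Spybot S&D's SDHelper,
# which HJT prints as "(no name)" in the thread's second and third logs.
KNOWN_BHO_CLSIDS = {
    "{53707962-6F74-2D53-2644-206D7942484F}",  # Spybot S&D SDHelper.dll
}

# Registry location of IE's security-zone assignments. An "O15 - Trusted IP
# range: (HKLM)" line means a subkey exists under HKLM\...\ZoneMap\Ranges.
ZONEMAP = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"

# Directories where a load point should not normally live (jao.dll in the
# thread sat in "Downloaded Program Files").
SUSPECT_DIRS = ("downloaded program files", "\\temp\\", "\\temporary internet files\\")

LINE_RE = re.compile(r"^(?P<code>[RFNO]\d+)\s+-\s+(?P<body>.*)$")
DPF_RE = re.compile(
    r"DPF:\s*(?P<clsid>\{[0-9A-Fa-f-]{36}\})\s*\((?P<name>[^)]*)\)\s*-\s*(?P<url>\S+)")
BHO_RE = re.compile(
    r"BHO:\s*(?P<name>.*?)\s*-\s*(?P<clsid>\{[0-9A-Fa-f-]{36}\})\s*-\s*(?P<path>.+)$")


def host_of(url):
    """Return the lower-cased host part of a URL, or '' if there is none."""
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/]+)", url, re.I)
    return m.group(1).lower() if m else ""


def triage_line(line):
    """Classify one HJT line. Returns (severity, reason) or None when benign."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # headers, blank lines, "Running processes" paths
    code, body = m.group("code"), m.group("body")

    if code == "O15":
        hive = "HKLM" if "(HKLM)" in body else "HKCU"
        return ("high", f"trusted-zone entry under {hive}\\{ZONEMAP}\\Ranges "
                        "(or \\Domains): inspect and delete entries you did not add")

    if code == "O16":
        d = DPF_RE.search(body)
        if d is None:
            return ("medium", "unparseable O16 line, inspect manually")
        host = host_of(d.group("url"))
        if host not in KNOWN_DPF_HOSTS:
            return ("high", f"ActiveX control {d.group('clsid')} downloaded from {host or '?'}")
        return None

    if code == "O2":
        b = BHO_RE.search(body)
        if b is None:
            return ("medium", "unparseable O2 line, inspect manually")
        if b.group("clsid").upper() not in KNOWN_BHO_CLSIDS:
            return ("medium", f"BHO {b.group('clsid')} -> {b.group('path')}")
        return None

    if code == "O17":
        return ("info", f"DNS/domain setting, confirm it is your ISP's: {body}")

    # Any other section (O4 Run keys, O9 buttons, ...): only the location matters.
    if any(s in body.lower() for s in SUSPECT_DIRS):
        return ("high", f"{code} load point in a download/temp directory: {body}")
    return None


def triage_log(text):
    """Run triage_line over a whole log; returns [(line, severity, reason), ...]."""
    findings = []
    for raw in text.splitlines():
        hit = triage_line(raw)
        if hit:
            findings.append((raw.strip(), hit[0], hit[1]))
    return findings


# Sample input: O-lines from the thread's second log, plus one constructed
# O16 line (placeholder CLSID and host, not a real control) to show a hit.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHELPER.DLL
O4 - HKLM\\..\\Run: [SystemTray] SysTray.Exe
O15 - Trusted IP range: (HKLM)
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {00000000-0000-0000-0000-000000000000} (Constructed Example) - http://downloads.example.invalid/ctl.cab
O17 - HKLM\\System\\CCS\\Services\\VxD\\MSTCP: Domain = aoldsl.net
"""

if __name__ == "__main__":
    for line, sev, why in triage_log(SAMPLE_LOG):
        print(f"[{sev:6}] {line}\n         {why}")
```

Running it on the sample prints three findings: the O15 entry (with the ZoneMap path to inspect), the constructed O16 control from an unknown host, and the O17 line as an item to confirm against the ISP. The Spybot BHO and the BitDefender scanner control are suppressed by the allow-lists, which is the kind of judgement the helper applied by hand in this thread; keep those lists short and specific, because a blanket "trust anything that looks like an AV vendor" rule is exactly what a hijacker's ActiveX installer relies on.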


#8 Chris

Chris
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:04:14 AM

Posted 05 January 2005 - 03:42 PM

Hi Cryo,

Many thanks, once again.

Your download had the problem fixed before I even realized I had managed to install the file properly!

I've posted the HJT log as you asked, but only to show that all's (apparently) clear.

Thanks, and all the very best for 2005,

Chris.


Logfile of HijackThis v1.99.0
Scan saved at 20:29:31, on 05/01/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.50 SP1 (5.50.4522.1800)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\PRINTRAY.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.0\THGUARD.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\MY DOWNLOAD FILES\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/1/hi/uk/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.0\THGUARD.EXE"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0\aoltray.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

#9 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  • Gender:Male
  • Location:Romania
  • Local time:04:14 AM

Posted 05 January 2005 - 03:55 PM

Log looks clean...great job ! :thumbsup:

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

How did I get infected ? With steps so it does not happen again !

Glad I was able to help.

Happy New Year !


! This is very important !: Update your outdated Internet Explorer browser. Doing this will make your computer more secure. Please visit Windows Update (follow this link: http://www.windowsupdate.com) to update your browser. Follow the instructions on the screen. You may have to visit Windows Update more than once to install all updates.
Not updating Internet Explorer will leave your computer vulnerable to malware and attacks.

Edited by cryo, 05 January 2005 - 03:56 PM.

Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?


#10 Chris

Chris
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:04:14 AM

Posted 06 January 2005 - 06:49 PM

Just a quick note to say a final thanks, Cryo.

I updated the Int Explorer, set SpyBot to teatimer, and did just about any and everything else your link suggested. I guess only a complete imbecile could achieve re-infection now. Which means you'll probably hear from me some time around Easter...

Well, hopefully not. (I have, actually, taken most of the security lessons on board.)

In any case, thanks a million for all the help. Much appreciated.

Chris.

#11 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  • Gender:Male
  • Location:Romania
  • Local time:04:14 AM

Posted 07 January 2005 - 05:59 AM

You're Welcome ! Happy surfing :thumbsup:


Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.

Edited by Daisuke, 29 January 2005 - 07:44 AM.

Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?
