
trojanspy.win32.briss.j

  • 15-11-2004 7:25pm
    #1
    Closed Accounts Posts: 2,393 ✭✭✭


    I can't seem to shake this little bástard off. F-Secure says it's found it but can't deal with it. c:\systemvolum...\A0006327.exe - although I can't locate it!

    Doesn't seem to be info out there ref. its removal. Thought maybe some of you who do deal with this sort of thing day in/day out might be able to shed some light on it?


Comments

  • Registered Users, Registered Users 2 Posts: 380 ✭✭dogs


    Moved to more appropriate board.

    Please read the stickies before posting.


  • Registered Users, Registered Users 2 Posts: 950 ✭✭✭jessy




  • Closed Accounts Posts: 493 ✭✭muffen


    Try deleting the file from a cmd prompt.

    If that doesn't work, press ctrl+alt+del and see if you can see the file running (if so, kill the process and then go to a cmd prompt and delete it).

    If that doesn't work, search your entire registry for the filename, and delete any reference to it. Then reboot the system and then go to a cmd prompt and delete the file.

    If that doesn't work, reboot your system in safemode, scan the registry for the filename, delete any reference to it, then delete the file from a cmd prompt.

    ...

    Also, get a personal firewall... at least that way the trojan won't be able to communicate out any information.


  • Closed Accounts Posts: 228 ✭✭daggeredge


    Try Stinger.exe from McAfee
    http://vil.nai.com/vil/stinger/
    hasn't let me down yet.....


  • Closed Accounts Posts: 2,393 ✭✭✭Eurorunner


    I'm running F-Secure Internet Security 2005 - with firewall/virus protection. It finds the trojan but renames the file - so I can't find it on the system. It keeps detecting it from time to time.


    I'm downloading Stinger now - but from what I see from the list, I don't think it includes this little blighter....


  • Registered Users, Registered Users 2 Posts: 6,560 ✭✭✭Woden


    With the suggestions mentioned above, disable System Restore if you're on XP or ME, and do it all from safe mode.


  • Registered Users Posts: 412 ✭✭Frank Drebin


    I'm having a problem with the: Win32 Trojano-214(trj).
    My antivirus picks it up and deletes it easy enough but when I turn my pc on again it's back.


  • Registered Users, Registered Users 2 Posts: 950 ✭✭✭jessy


    Frank Drebin wrote:
    I'm having a problem with the: Win32 Trojano-214(trj).
    My antivirus picks it up and deletes it easy enough but when I turn my pc on again it's back.

    What AV are you using? Are the System Restore folders left out of the scan? You should check to see if they are. If so, then deselect all folders that are left out and scan again.


  • Closed Accounts Posts: 2,393 ✭✭✭Eurorunner


    @Dataisgod: Switching off system restore seems to have done the trick alright.

    thanks.


  • Registered Users Posts: 412 ✭✭Frank Drebin


    I use the avast antivirus.
    I have traced the virus to an exe file in WINNT called 'Polall1r.exe'.
    I deleted it to recycle bin and I'll see what happens when I start up again.

    Anyone have any idea what this 'Polall1r.exe' is?


  • Registered Users, Registered Users 2 Posts: 950 ✭✭✭jessy


    Frank Drebin wrote:
    I use the avast antivirus.
    I have traced the virus to an exe file in WINNT called 'Polall1r.exe'.
    I deleted it to recycle bin and I'll see what happens when I start up again.

    Anyone have any idea what this 'Polall1r.exe' is?

    what Firewall are you using?

    Some info on how to get rid of the trojan.
    http://www.pestpatrol.com/PestInfo/m/mx-targeting.asp


  • Registered Users Posts: 412 ✭✭Frank Drebin


    jessy wrote:
    what Firewall are you using?

    Some info on how to get rid of the trojan.
    http://www.pestpatrol.com/PestInfo/m/mx-targeting.asp

    I don't use a firewall. I used to but I found it lagged my counter strike.
    It does not help to delete the 'polall1r.exe' either. The little bastard is always there when I start up. Just got the eircom broadband magazine today and funny enough there is an article with some advice on getting rid of trojans. They say to right click my computer icon, then properties, then to system restore tab, and switch off system restore.... Thing is, when I right click my computer and then properties, I don't get a system restore tab.
    I use Windows 2000. Is there another way?

    I had a look at that web site and it all seems very complicated for my simple little mind!


  • Registered Users, Registered Users 2 Posts: 950 ✭✭✭jessy


    It's suicide not to use a firewall, and it's not supposed to help to remove any kind of worm or virus or trojan; it's supposed to allow you to control access to the network. You should read the link I posted above. It tells you how to manually remove the trojan.


  • Registered Users Posts: 412 ✭✭Frank Drebin


    First things first! I'm busy downloading ZoneAlarm firewall. I'll install that and then see what I can do about this fecking trojan....


  • Registered Users Posts: 412 ✭✭Frank Drebin


    jessy wrote:
    Some info on how to get rid of the trojan.
    http://www.pestpatrol.com/PestInfo/m/mx-targeting.asp

    I've been to this site and can't make head or tail of it; very technical. I don't think I could manage that lot manually.
    Is there not another way to sort this little sh*t of a virus?
    I've also tried researching this win32 trojano-214(trj) on the net but came up with nothing. Seen a few sites on the win32 trojano-213 though but no easy way to get rid of that either.

    Got the firewall running now by the way.


  • Registered Users Posts: 412 ✭✭Frank Drebin


    After a bit of research looking for 'the easy way', I found this little program called HijackThis which is a log file analyser, which obviously analyses your log files and brings up a bunch of files that may have been hijacked by a virus. You then just delete the individual files. You have to be careful though that you don't delete something important and crash your system. I went in blindly and with a stroke of luck managed to delete the correct file. Now I'm trojan free. Here's the link for anyone with the same problem:


    http://members.home.nl/edeijl/download/hijackthis.exe


  • Closed Accounts Posts: 3 Bahamagal


    Hi, I'm trying to help my in-laws fix their computer long distance. They tell me that they are getting 2 different messages of viruses through AVG

    Trojan Horse Downloader.agent.as

    Also they are getting another warning:

    POLALL1R.EXE
    C:/temp/thi49e.tmp


    Please help!
    I tried to get them to put SpySubtract on their computer but it wouldn't install because it said it was missing a file from Microsoft MDAC as well as an ODBC Driver Manager.

    Got them to do all their windows updates, update AVG. What do I do ???? :confused:


  • Closed Accounts Posts: 9,496 ✭✭✭Mr. Presentable




  • Closed Accounts Posts: 3 Bahamagal


    Is that supposed to be a fix for my problem
    with the trojan downloader.agent.as
    and this POLALL1R.EXE??

    Are these two different viruses or parts of the same?


  • Registered Users Posts: 412 ✭✭Frank Drebin


    I had the 'Win32 Trojano-214(trj) virus' and the only thing that helped me was 'HijackThis'. I posted the link earlier in this thread. You should give it a whack. I also had this 'Polar1r.exe' but it was in my WINNT folder.
    You'll have to look on the net for instructions on how to use it though....
    Good luck!


  • Closed Accounts Posts: 3 Bahamagal


    Here's the log file for HijackThis, now what to remove and what not to????? :confused: HELP!!!!!!!!!!!!!


    Logfile of HijackThis v1.97.7
    Scan saved at 9:33:29 PM, on 12/7/04
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\WINDOWS\SYSTEM\REQUESTER.6.EXE
    C:\PROGRAM FILES\BULLSEYE NETWORK\BIN\BARGAINS.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
    C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\TEMP\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.citcom.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\jan1a8yi.slt\prefs.js)
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_5_5_0.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX (file missing)
    O2 - BHO: (no name) - {00000185-C745-43D2-44F1-01A1C789C738} - C:\PROGRA~1\SB\SMART-~1\BHO010~2.DLL
    O2 - BHO: (no name) - {88BF1FC0-E8D3-11D8-93E2-00C0C767115C} - C:\WINDOWS\SYSTEM\EJLNKFA.DLL (file missing)
    O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\WSEM301.DLL (file missing)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\SYSTEM\MSBE.DLL
    O2 - BHO: (no name) - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\LOCALNRD.DLL
    O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\SYSTB.DLL
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_5_5_0.DLL
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\NAVAPW32.EXE
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
    O4 - HKLM\..\Run: [requester] "C:\WINDOWS\SYSTEM\requester.6.exe"
    O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
    O4 - HKLM\..\Run: [satmat] C:\WINDOWS\SATMAT.exe
    O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
    O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Web Rebates - file://C:\PROGRAM FILES\WEB_REBATES\Sy1150\Tp1150\scri1150a.htm
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: PD (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .mov: C:\PROGRA~1\NETSCAPE\NAVIGA~1\PROGRAM\PLUGINS\NpQtw32.dll
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38141.5998958333
    O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt2_x.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab28578.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=4e2fe0f01d3c952e6d384697f56ea291d476d6a5c3fb7feba963d66d2d60b787f8baff8b35c2c5cfc39ca44b4686764c90ad2d0ea95e2dc68c0c85897c6d99a421:1616f1ee1695779646f1667345607db7
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = citcom.net
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 206.74.254.2,204.116.57.2

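As an added example (not from this thread, and not part of HijackThis itself): a small Python triage script that parses HijackThis log lines like the ones posted above and flags the entry types this thread keeps running into: search/start pages redirected to a local HTML file (R entries), orphaned or unnamed BHOs and toolbars (O2/O3), autostart entries launched straight from the Windows or System directory like the Polall1r.exe case (O4), and ActiveX downloads from hosts outside an assumed allowlist (O16). The sample input is a subset of lines copied from the posted log; the allowlist and the heuristics are assumptions made for this example, not a vetted rule set.

```python
import re
from urllib.parse import urlparse

# Sample input: a subset of lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html
O2 - BHO: (no name) - {88BF1FC0-E8D3-11D8-93E2-00C0C767115C} - C:\WINDOWS\SYSTEM\EJLNKFA.DLL (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\LOCALNRD.DLL
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [requester] "C:\WINDOWS\SYSTEM\requester.6.exe"
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie
"""

LINE_RE = re.compile(r"^([RNOF]\d+) - (.*)$")  # e.g. "O4 - HKLM\..\Run: [name] path"
# A file sitting directly in the Windows or System directory (optionally quoted), not in a subfolder.
WINROOT_RE = re.compile(r'^"?[a-z]:\\win(?:dows|nt)\\(?:system(?:32)?\\)?[^\\]+"?$', re.I)
# Assumed allowlist of ActiveX (O16) download hosts for this example only; not a vetted list.
KNOWN_DPF_HOSTS = ("microsoft.com", "macromedia.com", "yahoo.com", "msn.com", "yimg.com")


def triage(log_text):
    """Return (section, reason, log line) for the entries a reviewer should look at first."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header, platform and "Running processes" lines carry no section code
        sec, body = m.groups()
        if sec[0] == "R":  # IE start/search page settings
            value = body.split(" = ", 1)[-1]
            if value.lower().startswith("file://"):
                findings.append((sec, "search/start page points at a local HTML file", raw))
        elif sec in ("O2", "O3"):  # browser helper objects and toolbars
            path = body.rsplit(" - ", 1)[-1].replace("(file missing)", "").strip()
            if body.endswith("(file missing)"):
                findings.append((sec, "orphaned registration: module file is gone", raw))
            elif "(no name)" in body and WINROOT_RE.match(path):
                findings.append((sec, "unnamed module loaded from the Windows directory", raw))
        elif sec == "O4":  # Run/RunServices/Startup autostarts
            if WINROOT_RE.match(body.split("] ", 1)[-1]):
                findings.append((sec, "autostart executable directly under the Windows directory", raw))
        elif sec == "O16":  # ActiveX downloads (DPF)
            host = urlparse(body.rsplit(" - ", 1)[-1]).hostname or ""
            if not any(host == h or host.endswith("." + h) for h in KNOWN_DPF_HOSTS):
                findings.append((sec, f"ActiveX download from unrecognised host {host}", raw))
    return findings
```

Flagged lines are leads for a reviewer to check against a known-good reference, not a delete list; the Norton entries in the sample pass through untouched precisely because they live under Program Files and have a named vendor.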
