Author Topic: trj/downloader.et  (Read 3138 times)

Offline rafelitoes

  • Newbie
  • *
  • Posts: 3
trj/downloader.et
« on: May 28, 2004, 08:52:34 am »
Hi, after several days of trying I give up  :cry:. This trojan, which according to Panda appeared in mid-May, I cannot manage to remove; Panda always says "reported" and goes no further than that. Let's see if you can help me get rid of this pest. Many thanks.

Offline choche

  • Iniciado
  • *****
  • Posts: 3697
trj/downloader.et
« Reply #1 on: May 28, 2004, 10:27:57 am »
How to remove it manually I don't know; Panda should say so. But you could try some anti-trojan program to see whether it detects and removes it.

Offline rafelitoes

  • Newbie
  • *
  • Posts: 3
trj/downloader.et
« Reply #2 on: May 28, 2004, 04:30:43 pm »
The matter is more complicated, because Panda always reports the trojan as "reported" and never removes it. Panda's technical support asks me to send them the file, and the file cannot be seen even by changing the folder options. I have run the antivirus many times and it is always the same: it only reports. The solution Panda offers is to delete it from the restore folder, but since it never disinfects it for me, the trojan stays right where it is. I started the system in safe mode and ran the antivirus, and nothing. Well, I'll keep looking. Thanks for the replies.
Carlos

Offline FatsGordon

  • Pro Member
  • ****
  • Posts: 815
trj/downloader.et
« Reply #3 on: May 28, 2004, 05:26:50 pm »
Carlos, bear with me a moment, because I have a solution, but it is in English. I'll post it anyway, and if you need a translation please let me know (the Spanglish in there was already in the original):

Quote
super hidden bridge.dll and jao.dll

http://www.computercops.biz/postt32527.html

and

VSantivirus No. 1401, Year 8, Friday 7 May 2004

Troj/Briss.A. Added by the "BlazeFind" search tool
http://www.vsantivirus.com/troj-briss-a.htm

Name: Troj/Briss.A
Type: Trojan horse (Spyware)
Alias: Briss, Win32/Spy.Briss.H, Briss.A, TrojanSpy.Win32.Briss, TrojanSpy.Win32.Briss.H, Trj/Briss.A, Keylog-Briss
Variants: Troj/Briss.B, Troj/Briss.C, Troj/Briss.D, Troj/Briss.E, Troj/Briss.F, Troj/Briss.G, Troj/Briss.H
Date: 28/Apr/04
Platform: Windows 32-bit

Briss is spyware created by BlazeFind, a web page search tool. It is usually installed without any warning or notification, and from then on it redirects every search made by the user.

The main component of this trojan integrates into Internet Explorer as a BHO (Browser Helper Object). A BHO is a DLL that attaches itself to each new instance of Internet Explorer and can run predetermined events. In this case, it creates a search bar in the Internet Explorer interface.

The trojan updates itself automatically, sending information about the user, hard disks and operating system to its creators.

The main file is an installer which, without any warning, creates the following files:
c:\windows\system\a.exe
c:\windows\system\bridge.dll
c:\windows\system\jao.dll

NOTE: "c:\windows\system" may vary according to the installed operating system (it has that name by default in Windows 9x and ME, "c:\winnt\system32" in Windows NT and 2000, and "c:\windows\system32" in Windows XP and Windows Server 2003).

****************
Briss.A
Threat Level: Moderate
Distribution: Medium
Damage: Low

The Threat Level varies according to the Distribution and Damage levels

Effects

Briss.A has the following effects:

It goes memory resident.
It installs other malware on the affected computer, every 24 hours, without the user's consent. In order to do so, Briss.A uses a list of programs taken from the web site www2.flingstone.com.
Some of the malware installed are: Adware/180Solutions, Trj/Revop.F, Adware/Searchcentrix, etc.
It has other functionalities, such as detecting whether certain key combinations are pressed.

Infection strategy

Briss.A creates the following files in the Windows system directory:

A.EXE.
BRIDGE.DLL and JAO.DLL. These files are DLLs (Dynamic Link Libraries).
Briss.A creates the following entries in the Windows Registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
RunDLL = rundll32.exe %sysdir%\bridge.dll, Load
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Systray = %sysdir%\a.exe
where %sysdir% is the Windows system directory
By creating these entries, Briss.A ensures it is run whenever Windows is started.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9C691A33-7DDA-4C2F-BE4C-C176083F35CF}
HKEY_CLASSES_ROOT\Bridge.brdg
Briss.A registers the Browser Helper Object (an Internet Explorer toolbar) BRIDGE.DLL in these entries.

Means of transmission

Briss.A does not spread automatically using its own means. It needs the attacking user's intervention in order to reach the affected computer. The means of transmission used include, among others, floppy disks, CD-ROMs, e-mail messages with attached files, Internet downloads, FTP, IRC channels, peer-to-peer (P2P) file sharing networks, etc.

Panda can clean it if you set Panda to clean it
http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?lst=sol&idvirus=46978

The trojan creates the following entries in order to run itself at every Windows restart:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
RunDLL = rundll32.exe c:\windows\system\bridge.dll, Load
Systray = c:\windows\system\a.exe

HKLM\SOFTWARE\Classes\CLSID
\{9c691a33-7dda-4c2f-be4c-c176083f35cf}

HKLM\SOFTWARE\Microsoft\Windows
\CurrentVersion\Explorer\Browser Helper Objects
\{9c691a33-7dda-4c2f-be4c-c176083f35cf}

HKEY_CLASSES_ROOT\Bridge.brdg

This action loads BRIDGE.DLL into memory in every Windows session.

The spyware connects to the site "www2.flingstone.com" to report the collected data and to download and install updates of itself.

Automatic uninstallation procedure:

Select "Flingstone Bridge" in "Add or Remove Programs" in the Control Panel and click "Remove".

Manual repair

Note: We recommend using a firewall program such as ZoneAlarm, which will block and report the connection of this and any other trojan to the Internet, as well as any attempt to access our system.

ZoneAlarm (free for personal use), besides being an excellent firewall, also prevents the execution of any attachment that might carry a virus (with no need to update it for each new virus version).

More information:

How to configure Zone Alarm 3.x
http://www.vsantivirus.com/za.htm

Antivirus

1. Update your antivirus with the latest definitions
2. Run it in scan mode, checking all your disks
3. Delete the files detected as infected

Manually deleting the files added by the virus

From Windows Explorer, locate and delete the following files:

c:\windows\system\a.exe
c:\windows\system\bridge.dll
c:\windows\system\jao.dll

Right-click the "Recycle Bin" icon on the desktop and select "Empty Recycle Bin".

Editing the registry

Note: some of the registry branches mentioned here may not be present, since that depends on which version of Windows is installed.

1. Run the registry editor: Start, Run, type REGEDIT and press ENTER

2. In the left panel of the editor, click the "+" signs until you open the following branch:

HKEY_LOCAL_MACHINE
\SOFTWARE
\Microsoft
\Windows
\CurrentVersion
\Run

3. Click the "Run" folder and, in the right panel, under the "Name" column, look for and delete the following entries:

RunDLL
Systray

NOTE: do not confuse "Systray" (delete it) with "SystemTray" (DO NOT DELETE IT; it is a legitimate Windows entry).

4. In the left panel of the editor, click the "+" signs until you open the following branch:

HKEY_LOCAL_MACHINE
\SOFTWARE
\Classes
\CLSID
\{9c691a33-7dda-4c2f-be4c-c176083f35cf}

5. Click the "{9c691a33-7dda-4c2f-be4c-c176083f35cf}" folder and delete it.

6. In the left panel of the editor, click the "+" signs until you open the following branch:

HKEY_LOCAL_MACHINE
\SOFTWARE
\Microsoft
\Windows
\CurrentVersion
\Explorer
\Browser Helper Objects
\{9c691a33-7dda-4c2f-be4c-c176083f35cf}

7. Click the "{9c691a33-7dda-4c2f-be4c-c176083f35cf}" folder and delete it.

8. In the left panel of the editor, click the "+" signs until you open the following branch:

HKEY_CLASSES_ROOT\Bridge.brdg

9. Click the "Bridge.brdg" folder and delete it.

10. Use "Registry", "Exit" to leave the editor and confirm the changes.

11. Restart your computer (Start, Shut Down, Restart).

Procedure to recover the home page and search page in Internet Explorer

Flingstone Bridge description:
Opens pop-up windows and tries to download files from flingstone.com.

Flingstone Bridge properties:

• Shows commercial adverts
• Hides from the user
• Stays resident in background
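The advisory quoted above lists exactly which Run values, CLSID and BHO keys Briss.A / Flingstone Bridge leaves behind, and warns that the malicious "Systray" value must not be confused with the legitimate "SystemTray" one. The script below is an added example (not code from the forum post, VSantivirus or Panda) that turns that list into a check: it parses a regedit export (.reg text, as produced by "Registry", "Export") and reports each indicator it finds, matching the value name exactly so "SystemTray" is never flagged. The two exports embedded in it are constructed samples, not real captures; the file paths and CLSID are the ones given in the advisory.

```python
"""Added example: check a regedit .reg export for the Briss.A / Flingstone
Bridge persistence entries listed in the VSantivirus / Panda advisory."""
import re
from typing import Dict, List

# Indicators as given in the advisory (compared case-insensitively, since
# regedit exports key paths and CLSIDs in mixed case).
BRISS_CLSID = "{9c691a33-7dda-4c2f-be4c-c176083f35cf}"
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"

_KEY_LINE = re.compile(r"^\[(.+)\]$")
# "Name"="data"  |  @="data"  |  "Name"=dword:00000001 (non-string data kept raw)
_VALUE_LINE = re.compile(r'^(?:"(.*?)"|@)=(?:"(.*)"|(.*))$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse .reg text into {key_path: {value_name: data}}.

    Key paths are lower-cased for lookup. Quoted REG_SZ data has the .reg
    escaping of backslashes and quotes undone; other types stay as raw text."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        m = _KEY_LINE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            if m.group(2) is not None:  # quoted string value
                data = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
            else:
                data = m.group(3)
            keys[current][name] = data
    return keys


def find_briss_indicators(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Return one human-readable finding per Briss.A indicator present."""
    findings: List[str] = []
    for name, data in keys.get(RUN_KEY, {}).items():
        low = data.lower()
        # Exact name match on purpose: "Systray" is Briss, "SystemTray" is Windows.
        if name == "Systray" and low.endswith("\\a.exe"):
            findings.append(f"Run value 'Systray' starts {data}")
        elif name == "RunDLL" and "rundll32" in low and "bridge.dll" in low:
            findings.append(f"Run value 'RunDLL' loads {data}")
    for key in keys:
        if key.endswith("\\browser helper objects\\" + BRISS_CLSID):
            findings.append(f"Briss BHO registered at {key}")
        elif key.endswith("\\clsid\\" + BRISS_CLSID):
            findings.append(f"Briss CLSID present at {key}")
        elif key.endswith("\\bridge.brdg"):
            findings.append(f"Briss ProgID present at {key}")
    return findings


def scan_reg_text(text: str) -> List[str]:
    """Convenience wrapper: parse an export and return its findings."""
    return find_briss_indicators(parse_reg_export(text))


# Constructed sample export (not a real capture) mirroring the entries the
# advisory lists, plus the legitimate "SystemTray" value as a decoy.
INFECTED_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Systray"="C:\\WINDOWS\\system32\\a.exe"
"RunDLL"="rundll32.exe C:\\WINDOWS\\system32\\bridge.dll, Load"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9C691A33-7DDA-4C2F-BE4C-C176083F35CF}]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9C691A33-7DDA-4C2F-BE4C-C176083F35CF}]

[HKEY_CLASSES_ROOT\Bridge.brdg]
@=""
'''

# Constructed clean export: only the legitimate Windows value is present.
CLEAN_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
'''

if __name__ == "__main__":
    for finding in scan_reg_text(INFECTED_EXPORT):
        print("FOUND:", finding)
    print("clean export findings:", scan_reg_text(CLEAN_EXPORT))
```

Exporting the Run key and the BHO branch from regedit and feeding the file to scan_reg_text lets you confirm the cleanup the advisory describes actually took, and the exact-name match on "Systray" is what keeps the legitimate "SystemTray" entry out of the report.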

Offline rafelitoes

  • Newbie
  • *
  • Posts: 3
trj/downloader.et
« Reply #4 on: May 28, 2004, 07:11:51 pm »
Many thanks, I think I have removed it now. One post said to use Ad-aware; I had it, updated it and ran it, and on the first pass it was detected and removed. Then I ran Panda and no virus; I restarted and ran Panda and Ad-aware again and nothing, so it seems it burned it alive. In any case I am now running Outpost Firewall all the time. Thanks to everyone who took an interest; I'll be staying on as a regular on this forum.
A hug,
Carlos

Offline destroyer

  • Administrator
  • ******
  • Posts: 15870
  • If you want to change the world, change yourself
    • cajondesastres.com A bit of everything
trj/downloader.et
« Reply #5 on: May 28, 2004, 08:15:28 pm »
Hello:
 Welcome to the forum, rafaelito. I'm glad you solved it.

               Just one pointer: if you use Win Me or Win XP, disable System Restore, restart, and then enable it again; that way the current restore copy will be of the PC as you have it now, clean.

Regards

 
