Foros de daboweb
Computer Security - Firewall - Virus - Trojans - Spyware - Ad Aware - Malware => Topic started by: rafelitoes on 28 May 2004, 08:52:34 am
-
Hello, after several days of trying I give up :cry:. This trojan, which according to Panda appeared in mid-May, I can't manage to remove; Panda always says "reported" and doesn't get past that. Let's see if you can help me remove this pest, thanks a lot.
-
I don't know how to remove it manually; Panda should say. But you could try some anti-trojan tool to see whether it detects and removes it.
-
The matter is more complicated because Panda always reports the trojan as "reported" and never removes it. Panda technical support asks me to send them the file, and the file can't be seen even after changing the folder options. I've run the antivirus many times and it's always the same, it only reports. The solution Panda offers is to delete it from the restore folder, but it never disinfects it for me; the trojan stays right where it is. I booted into safe mode and ran the antivirus and nothing. Well, I'll keep looking, thanks for the replies.
carlos
-
Carlos, wait a moment because I have a solution, but it's in English. I'll post it anyway, and if you need a translation please let me know (the Spanglish in there was already in the original):
super hidden bridge.dll and jao.dll
http://www.computercops.biz/postt32527.html
and
VSantivirus No. 1401, Year 8, Friday 7 May 2004
Troj/Briss.A. Added by the "BlazeFind" search engine
http://www.vsantivirus.com/troj-briss-a.htm
Name: Troj/Briss.A
Type: Trojan horse (Spyware)
Alias: Briss, Win32/Spy.Briss.H, Briss.A, TrojanSpy.Win32.Briss, TrojanSpy.Win32.Briss.H, Trj/Briss.A, Keylog-Briss
Variants: Troj/Briss.B, Troj/Briss.C, Troj/Briss.D, Troj/Briss.E, Troj/Briss.F, Troj/Briss.G, Troj/Briss.H
Date: 28/Apr/04
Platform: Windows 32-bit
Briss is spyware created by BlazeFind, a web page search engine. It is usually installed without any warning or notification, and afterwards it redirects every search made by the user.
The main component of this trojan integrates into Internet Explorer as a BHO (Browser Helper Object). A BHO is a DLL that attaches itself to each start of Explorer and can execute predetermined events. In this case, it creates a search bar in the Internet Explorer interface.
The trojan updates itself automatically, sending information about the user, hard disks and operating system to its creators.
The main file is an installer which, without any warning, creates the following files:
c:\windows\system\a.exe
c:\windows\system\bridge.dll
c:\windows\system\jao.dll
NOTE: "c:\windows\system" may vary according to the installed operating system (that is the default name in Windows 9x and ME; it is "c:\winnt\system32" in Windows NT and 2000 and "c:\windows\system32" in Windows XP and Windows Server 2003).
****************
Briss.A
Threat Level: Moderate
Distribution: Medium
Damage: Low
The Threat Level varies according to the Distribution and Damage levels
Effects
Briss.A has the following effects:
It goes memory resident.
It installs other malware on the affected computer, every 24 hours, without the user's consent. In order to do so, Briss.A uses a list of programs taken from the web site www2.flingstone.com.
Some of the malware installed are: Adware/180Solutions, Trj/Revop.F, Adware/Searchcentrix, etc.
It has other functionalities, such as detecting if certain key combinations are pressed.
Infection strategy
Briss.A creates the following files in the Windows system directory:
A.EXE.
BRIDGE.DLL and JAO.DLL. These files are DLLs (Dynamic Link Libraries).
Briss.A creates the following entries in the Windows Registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
RunDLL = rundll32.exe %sysdir%\bridge.dll, Load
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Systray = %sysdir%\a.exe
where %sysdir% is the Windows system directory.
By creating these entries, Briss.A ensures it is run whenever Windows is started.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9C691A33-7DDA-4C2F-BE4C-C176083F35CF}
HKEY_CLASSES_ROOT\Bridge.brdg
Briss.A registers the Browser Helper Object (an Internet Explorer toolbar) BRIDGE.DLL in these entries.
Means of transmission
Briss.A does not spread automatically using its own means. It needs the attacking user's intervention in order to reach the affected computer. The means of transmission used include, among others, floppy disks, CD-ROMs, e-mail messages with attached files, Internet downloads, FTP, IRC channels, peer-to-peer (P2P) file sharing networks, etc.
Panda can clean it if you set Panda to clean it
http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?lst=sol&idvirus=46978
The trojan creates the following entries so that it runs at each Windows restart:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
RunDLL = rundll32.exe c:\windows\system\bridge.dll, Load
Systray = c:\windows\system\a.exe
HKLM\SOFTWARE\Classes\CLSID
\{9c691a33-7dda-4c2f-be4c-c176083f35cf}
HKLM\SOFTWARE\Microsoft\Windows
\CurrentVersion\Explorer\Browser Helper Objects
\{9c691a33-7dda-4c2f-be4c-c176083f35cf}
HKEY_CLASSES_ROOT\Bridge.brdg
This loads BRIDGE.DLL into memory in every Windows session.
The spyware connects to the site "www2.flingstone.com" to report the collected data and to download and install updates of itself.
Automatic uninstall procedure:
Select "Flingstone Bridge" in "Add or Remove Programs" in the Control Panel and click "Remove".
Manual repair
Note: We recommend using a firewall program such as ZoneAlarm, which will block and report the connection of this and any other trojan to the Internet, as well as any attempt to access our system.
ZoneAlarm (free for personal use), besides being an excellent firewall, also prevents the execution of any attachment that could carry a virus (without needing to update it for each new virus version).
More information:
How to configure Zone Alarm 3.x
http://www.vsantivirus.com/za.htm
Antivirus
1. Update your antivirus with the latest definitions
2. Run it in scan mode, checking all your disks
3. Delete the files detected as infected
Manually deleting the files added by the virus
From Windows Explorer, locate and delete the following files:
c:\windows\system\a.exe
c:\windows\system\bridge.dll
c:\windows\system\jao.dll
Right-click the "Recycle Bin" icon on the desktop and select "Empty Recycle Bin".
Editing the registry
Note: some of the registry branches mentioned here may not be present, depending on which version of Windows is installed.
1. Run the registry editor: Start, Run, type REGEDIT and press ENTER
2. In the editor's left pane, click the "+" sign until the following branch is open:
HKEY_LOCAL_MACHINE
\SOFTWARE
\Microsoft
\Windows
\CurrentVersion
\Run
3. Click the "Run" folder and, in the right pane under the "Name" column, look for and delete the following entries:
RunDLL
Systray
NOTE: do not confuse "Systray" (delete it) with "SystemTray" (DO NOT DELETE IT, it is a legitimate Windows entry).
4. In the editor's left pane, click the "+" sign until the following branch is open:
HKEY_LOCAL_MACHINE
\SOFTWARE
\Classes
\CLSID
\{9c691a33-7dda-4c2f-be4c-c176083f35cf}
5. Click the folder "{9c691a33-7dda-4c2f-be4c-c176083f35cf}" and delete it.
6. In the editor's left pane, click the "+" sign until the following branch is open:
HKEY_LOCAL_MACHINE
\SOFTWARE
\Microsoft
\Windows
\CurrentVersion
\Explorer
\Browser Helper Objects
\{9c691a33-7dda-4c2f-be4c-c176083f35cf}
7. Click the folder "{9c691a33-7dda-4c2f-be4c-c176083f35cf}" and delete it.
8. In the editor's left pane, click the "+" sign until the following branch is open:
HKEY_CLASSES_ROOT\Bridge.brdg
9. Click the folder "Bridge.brdg" and delete it.
10. Use "Registry", "Exit" to close the editor and confirm the changes.
11. Restart your computer (Start, Shut Down, Restart).
Procedure to restore the home page and search page in Internet Explorer
Flingstone Bridge description:
Opens pop-up windows and tries to download files from flingstone.com.
Flingstone Bridge properties:
• Shows commercial adverts
• Hides from the user
• Stays resident in background
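As an added illustration (not part of the thread or of the VSantivirus/Panda bulletins), the following Python script checks a regedit export for the Briss.A registry indicators listed above and only reports them, deleting nothing. The export text is constructed, and the check honours the bulletin's note that "Systray" is the trojan's value while "SystemTray" is legitimate.

```python
import re

# Indicators as listed in the bulletin quoted above (file names, Run values, CLSID).
BRISS_CLSID = "{9c691a33-7dda-4c2f-be4c-c176083f35cf}"
BRISS_FILES = ("a.exe", "bridge.dll", "jao.dll")
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
BHO_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects"
CLSID_KEY = r"hkey_local_machine\software\classes\clsid"
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')

# Constructed regedit export: one legitimate value (SystemTray) beside the trojan's entries.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"RunDLL"="rundll32.exe C:\\WINDOWS\\system32\\bridge.dll, Load"
"Systray"="C:\\WINDOWS\\system32\\a.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9C691A33-7DDA-4C2F-BE4C-C176083F35CF}]
[HKEY_CLASSES_ROOT\Bridge.brdg]
"""

def parse_reg_export(text):
    """Parse the subset of the .reg format needed here: [Key] headers and
    "name"="string" lines. Keys are lower-cased; doubled backslashes are unescaped."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
        elif current is not None and (m := VALUE_RE.match(line)):
            keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys

def find_briss_indicators(text):
    """Return (key, value_name) pairs matching the bulletin; value_name is None for keys."""
    keys = parse_reg_export(text)
    findings = []
    for name, value in keys.get(RUN_KEY, {}).items():
        # Compare whole path components so "systray.exe" or "java.exe" never match "a.exe";
        # "Systray" is the trojan's value name, "SystemTray" is Windows' own and is skipped.
        parts = re.split(r"[\s\\,]+", value.lower())
        if name in ("RunDLL", "Systray") and any(p in BRISS_FILES for p in parts):
            findings.append((RUN_KEY, name))
    for key in keys:
        if key in (BHO_KEY + "\\" + BRISS_CLSID, CLSID_KEY + "\\" + BRISS_CLSID, r"hkey_classes_root\bridge.brdg"):
            findings.append((key, None))
    return findings
```

Run `find_briss_indicators(SAMPLE_EXPORT)` to list the entries the manual-repair steps above remove; on a real machine, feed it the output of `regedit /e`.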
-
Thanks a lot, I think I've got it removed now. A post said to use Ad-Aware; I had it, updated it, ran it, and on the first pass it was detected and removed. Then I ran Panda and no virus; I rebooted and ran Panda and Ad-Aware again and nothing, it seems it burned it alive. Anyway, I'm now running Outpost firewall all the time. Thanks to everyone who took an interest, I'll stay on as a regular of this forum.
A hug,
carlos
-
Hello:
Welcome to the forum rafaelito. Glad you solved it.
Just one pointer: if you use Win Me or Win XP, disable System Restore, reboot, and then turn it on again; that way the current restore point will be of the PC as you have it now, clean.
Regards