how to delete a trojan horse (New)
cfishus (Member with 36 posts, Join Date: Jun 2002)
13-Dec-2004, 02:45 PM #1
how to delete a trojan horse
I am running XP. AVG 7.0 just found trojan horse Dropper Bridge.A in my machine. It is located at c\doc & settings\hi\local settings\temp internet files\content IE5\ etc. I have tried to find it to delete, but following the trail I cannot find Content IE5 in my temp internet files to continue the path. Also, I ran Housecall on the internet and it did not find the trojan horse - wonder why. Any help cleaning this up would be appreciated.
Byteman (Moderator with 14,939 posts, Join Date: Jan 2002, Location: NY, Experience: Junkware Jouster)
13-Dec-2004, 06:06 PM #2
Hi, Although I can tell you how to delete those files, it might be best if you post a hijackthis log from that computer, as where there is one item like that, there is very likely to be more.

That is an ad-ware type malware, and may be associated with more things to remove correctly.

There are directions here to do it:

Download it here:

http://tools.radiosplace.com/HijackThis.exe

It's a direct download so be ready with the folder for it.

Basically, you create a new folder, the desktop is OK provided you make a folder, name it something like HJT, and download TO that folder, run hijackthis.exe from there.

When it is done scanning> the Save log button will become available, save the log as hijackthis.txt which will open with Notepad. Go back to TSG, open your post, and copy and paste the entire logfile into a reply in your thread (here) and wait for advice.

Please do NOT use HJT yourself> nor the other programs yet. There are some cases where other steps are taken!
cfishus (Member with 36 posts, Join Date: Jun 2002)
13-Dec-2004, 09:00 PM #3
my hijack log
Logfile of HijackThis v1.98.2
Scan saved at 6:57:02 PM, on 12/13/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\YCPlus\YANKCLIP.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Hi\Desktop\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - Startup: Yankclip.lnk = C:\Program Files\YCPlus\YANKCLIP.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {963BE66B-121D-4E6C-BF9F-1A774D9A2E41} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupdate.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{72CCBAEC-B6F2-4AB5-8F72-F0DFE0979E52}: NameServer = 209.244.0.3 209.244.0.4
Byteman (Moderator with 14,939 posts, Join Date: Jan 2002, Location: NY, Experience: Junkware Jouster)
13-Dec-2004, 09:14 PM #4
Hi,
Well let's delete those temp files> do this:

Quote:
Originally Posted by flrman1
Because XP will not always show you hidden files and folders by default, Go to Start > Search and under "More advanced search options".
Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

Also in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Go to Start > Run and type %temp% in the Run box, and OK. The Temp folder will open. Click Edit > Select All then File > Delete to delete the entire contents of the Temp folder.
Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK.
_________

Nothing really bad shows in your log. However, there are some things apparently turned off by using msconfig, we have to see the full startups...please do:

Start>Run> msconfig

Put checks into all that is unchecked, you can make a note of items that are unchecked now and set those as they are again, when we are done.

Please post a new log after you have done the above.

Last edited by Byteman : 13-Dec-2004 09:22 PM.
cfishus (Member with 36 posts, Join Date: Jun 2002)
13-Dec-2004, 09:27 PM #5
new log after clicking everything in the startup
Logfile of HijackThis v1.98.2
Scan saved at 7:24:09 PM, on 12/13/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\eMachines Bay Reader\shwiconem.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\YCPlus\YANKCLIP.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\Hi\Desktop\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [YankClip] C:\Program Files\YCPlus\YANKCLIP.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [BMUpdate] C:\WINDOWS\System32\BMUpdate.exe
O4 - Startup: Yankclip.lnk = C:\Program Files\YCPlus\YANKCLIP.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {963BE66B-121D-4E6C-BF9F-1A774D9A2E41} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupdate.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{72CCBAEC-B6F2-4AB5-8F72-F0DFE0979E52}: NameServer = 209.244.0.3 209.244.0.4
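Byteman's point in post #4 is that the first log was taken while msconfig had startup items unchecked, so its O4 section was incomplete; the second log, taken after everything was re-enabled, shows the full list. As an added example (not from the thread and not HijackThis code), this Python script parses the O4 autostart lines from constructed excerpts of the two logs above, flags msconfig's own `/auto` Run entry as the sign that selective startup is in effect, and lists which autostart names appeared once everything was re-enabled. The excerpts, regexes and function names are my own.

```python
import re

# Constructed excerpts of the two HijackThis v1.98.2 logs posted in this thread
# (post #3 = before, post #5 = after enabling everything in msconfig), trimmed for size.
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - Startup: Yankclip.lnk = C:\Program Files\YCPlus\YANKCLIP.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
"""
LOG_AFTER = r"""
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [BMUpdate] C:\WINDOWS\System32\BMUpdate.exe
O4 - Startup: Yankclip.lnk = C:\Program Files\YCPlus\YANKCLIP.exe
"""

ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")
# Registry autostart line body: "HKLM\..\Run: [Name] command line"
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\(\w+): \[(.*?)\] (.*)$")
# Startup-folder line body: "Startup: shortcut.lnk = target"
STARTUP_RE = re.compile(r"^(Startup|Global Startup): (.*?) = (.*)$")

def parse_entries(log: str) -> list[tuple[str, str]]:
    """Return (section, body) for every HijackThis entry line; process list lines are skipped."""
    out = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2)))
    return out

def autostarts(log: str) -> dict[str, str]:
    """Map each O4 autostart name (Run value name or shortcut) to its command line."""
    found: dict[str, str] = {}
    for section, body in parse_entries(log):
        if section != "O4":
            continue
        m = RUN_RE.match(body)
        if m:
            found[m.group(3)] = m.group(4)   # [name] -> command
            continue
        m = STARTUP_RE.match(body)
        if m:
            found[m.group(2)] = m.group(3)   # shortcut -> target
    return found

def selective_startup(log: str) -> bool:
    """True when msconfig's own '/auto' Run entry is present, i.e. some startups are disabled."""
    return any(cmd.lower().endswith("msconfig.exe /auto") for cmd in autostarts(log).values())

def autostart_diff(before: str, after: str) -> tuple[list[str], list[str]]:
    """Names that appeared (re-enabled) and names that vanished between two logs."""
    b, a = autostarts(before), autostarts(after)
    return sorted(a.keys() - b.keys()), sorted(b.keys() - a.keys())
```

Running `autostart_diff(LOG_BEFORE, LOG_AFTER)` on these excerpts reports BMUpdate, QuickTime Task and SunKistEM as newly visible and the MSConfig entry as gone, which matches the difference between posts #3 and #5.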
cfishus (Member with 36 posts, Join Date: Jun 2002)
13-Dec-2004, 10:16 PM #6
trojan still here
I deleted the temp files in safe mode, then ran AVG 7.0 and the trojan horse is still here. What else should I do to delete it, and wondering if I should have left the system restore on during the deletion. Thanks for your help.
Byteman (Moderator with 14,939 posts, Join Date: Jan 2002, Location: NY, Experience: Junkware Jouster)
13-Dec-2004, 10:58 PM #7
Hi, No, turning off System Restore is fine, that would be a step anyway, as you have to turn off Restore to flush all the infected Restore Points> nothing can touch infected files in the Restore area.

After we are done and you are scanning clean, you can turn Restore back on and create a new Restore Point.

The stubborn file in the Temp directory will have to go another way.

If AVG detects it, are you having it put in the Virus vault?

If so, it can be deleted from the Vault itself.

If it does not show in there, try Tests/Results- there should be a mention of anything the program has detected and action...what is important is to note the ContentIE folder it is in...the random looking folder name.

In Safe Mode, you can go to that folder in Windows Explorer, highlight that one ContentIE folder and then at the top of the window, use the EDIT> Select All button to get rid of everything inside that folder. There may also be copies in any of the other ContentIE subfolders...

You may have more than one user profile, so you have to browse down through the various usernames, and clean out all the LocalSettings/temp files>

I think it may help if you log on as any other users too.
Then run through those temp file deletion steps again. Make sure you get down to the

C:\Documents and Settings\Default User\Local Settings\Temp folder.


Try this online scanner, too:

http://www.pandasoftware.com/actives..._principal.htm

Or this: No antivirus program/scanner finds everything, so best to double check.

http://onlinecheck.emsisoft.com/en/

If you do not have AdAware, get it:

This is the newest version, v. 1.05 SE personal edition (free) Use the Search for Updates before you scan with it.

http://www.majorgeeks.com/downloads31.html

Install the program and launch it.

First in the main window look in the bottom right corner and click on Check for updates now then click Connect and download the latest reference files.

From main window :Click Start then under Select a scan Mode tick Perform full system scan.

Next deselect Search for negligible risk entries.

Now to scan just click the Next button.

When the scan is finished mark everything for removal and get rid of it.(Right-click the window and choose select all from the drop down menu and click Next)

Restart your computer.

Last edited by Byteman : 13-Dec-2004 11:25 PM.
cfishus (Member with 36 posts, Join Date: Jun 2002)
14-Dec-2004, 03:59 PM #8
trojan still here
I'm back again, baffled. AVG still shows I have the trojan. It cannot be moved to the vault nor can it clean it. It is called an embedded object. Adware, Pandasoftware, Housecall and Onlinecheck do not find it, and come to think about that, the old version of AVG 6.0 did not find it either; I had just installed AVG 7.0 a couple of days ago, then it found this. And by the file name I can tell I had it long ago from downloading a game two or three weeks ago - does not make sense to me. Ok, I have shut off system restore. Went into safe mode and thru Windows Explorer to delete the files. In safe mode I can only get to Documents & Settings/Hi/, then NO folder is there for LOCAL SETTINGS so I can't go on to find the temp internet files. Can you figure that out? As in the regular mode I can find the Local Settings folder, so I deleted all the temp internet files there; did not help. I do have show hidden files and folders checked, and hide protected operating system files and hide extensions for known file types unchecked. Any more ideas as to how I can delete this, or do I just have to live with it? And will it cause a problem in my computer? Adware and Spybot find no bad entries. Thanks so much for your advice and this is sure confusing.
Byteman (Moderator with 14,939 posts, Join Date: Jan 2002, Location: NY, Experience: Junkware Jouster)
14-Dec-2004, 06:48 PM #9
Hi, Does what you see when AVG 7 finds that Trojan resemble this below?

Hit that link and let me know if you see that or similar message....this detection is for some items in the Sun Java cache and easily fixable!

http://www.smartcomputing.com/messag...=&pg=11&uname=
cfishus (Member with 36 posts, Join Date: Jun 2002)
14-Dec-2004, 08:51 PM #10
yes it does
Some of the messages you gave me thru the site are very similar to what I get on AVG 7.0, especially the embedded one. Could I be passing this one to others without knowing it? Thanks.
Byteman (Moderator with 14,939 posts, Join Date: Jan 2002, Location: NY, Experience: Junkware Jouster)
14-Dec-2004, 09:02 PM #11
Hi, No, not if it is the Java cache....

Let's try clearing the cache, do this:

Open the Control Panel, and select the Java Plug In icon...double click to open, when the window for it opens, across the top line, look for the Cache button, then see "Clear" hit that to clear the cache.

Then, try your AVG and see if it finds the same stuff it did.
Here is some other info on doing this right from the Sun Microsystems site:

http://www.java.com/en/download/help/cache_virus.jsp


And here is some stuff I found about this specific Dropper.Bridge.A thing:

http://www.faqfarm.com/Computer/Virus/23140

The Housecall (TrendMicro) online scan should take care of it.
cfishus (Member with 36 posts, Join Date: Jun 2002)
15-Dec-2004, 04:17 PM #12
thanks
Thanks for all the advice and sources you led me to. After going thru all the steps you recommended the trojan horse would not go away. I now downloaded Avast freeware, ran it and it found the trojan and deleted it. Think I found a product that works for me. Perhaps you can advise others of my success with Avast. You sure provide an excellent service, thanks.
Byteman (Moderator with 14,939 posts, Join Date: Jan 2002, Location: NY, Experience: Junkware Jouster)
15-Dec-2004, 04:48 PM #13
Hi, Well glad you got it found and fixed-- it could have been some kind of newer variant and perhaps the other scanners were just not seeing it or able to remove it...

good work! Post again if anything comes up.

Visit Windows Updates as there may be a hole that is not patched... even tho you have SP2.