Infected with Trojan.Brisv.A!inf

Status
Not open for further replies.

BWise38

My computer has been infected with the Trojan.Brisv.A!inf trojan for some months now and I still haven't been able to remove it. I've tried Symantec's removal tool, but it's been no help. I've scanned my PC with Malwarebytes Anti Malware, SuperAntiSpyware Pro, CCleaner and the like, with no results.

Your help would be greatly appreciated in removing this nuisance.

Thanks
 
I need you to follow all the steps HERE and then post back with the three requested logs as attachments

  • Malwarebytes
  • SAS
  • Hijackthis
Don't forget to make sure that Malwarebytes is set to remove the results.
 
A note to the information kritius left for you: you have indicated that you have scanned with both Malwarebytes and SuperAntispyware, but you have not provided logs for either. You will need to UPDATE each of these programs and run new scans. Then attach those two logs on your next post.

Download and run HijackThis AFTER you have scanned with the other two programs and also include that log.

There are additional steps in the link kritius left for you. It's best you follow all of those steps. Some malware requires special cleaning programs but unless we see the logs, we cannot make that determination.
 
Here are my logs.
 

Attachments

  • SUPERAntiSpyware Scan Log - 03-14-2009 - 13-22-34.log
    465 bytes · Views: 5
Download random's system information tool (RSIT) by random/random from HERE and save it to your Desktop.

  • Double click on RSIT.exe to run.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open.
  • log.txt will be maximized and info.txt will be minimized
  • Please attach both logs in the next reply.
 
I'm not seeing anything particularly bad in the logs. Are you still having problems?

Fix entries using HiJackThis

  • Launch HiJackThis
  • Click the Do a system scan only button
  • Put a check next to the entries listed below


O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\Windows\System32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1103470 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 1.1.4322; InfoPath.2; .NET CLR 3.5.30729; .NET CLR 3.0.30618)" -"http://www.candystand.com/ca/play.do?id=18434"


  • IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
  • Click the Fix checked button and close HiJackThis
  • Reboot HijackThis if necessary

I would like you to do an online scan so that we can see what else may be in your system.

Run Kaspersky online scanner

With the exception of Internet Explorer, which must be used for this scan, keep ALL programs closed

Note: It is recommended to disable onboard antivirus program and antispyware programs while performing scans to speed up scan time and to make sure there are no conflicts.

Do not go surfing while your resident protection is disabled!

Once the scan is finished remember to re-enable resident antivirus protection along with whatever antispyware application you use.




Do an online scan with Kaspersky Online Scanner in Internet Explorer. You will be prompted to install and run an ActiveX component from Kaspersky, Click Yes.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the licence is accepted, reset to 100%.

  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:

    o Scan using the following Anti-Virus database:
        - Extended (If available, otherwise use standard)
    o Scan Options:
        - Scan Archives
        - Scan Mail Bases
  • Click OK
  • Under select a target to scan, select My Computer
  • The scan will take a while so be patient and let it run.
  • Please do not use your computer while the scan is running. Once the scan is complete it will display if your system has been infected.
  • Click the Save Report As... button (see red arrow below)



    Kas-SaveReport-1.gif



  • In the Save as... prompt, select Desktop
  • In the File name box, name the file
  • In the Save as type prompt, select Text file (see below)



    Kas-Savetxt.gif



  • Include the report in your next post.
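
An added illustration, not part of the original thread and not HijackThis's own code: a small Python triage pass over HijackThis log lines that flags the two traits visible in the entries listed above, a BHO whose file column reads "(no file)" and an autostart under a RunOnce key. The regular expressions assume the line layout seen in those two entries; the other sample lines are constructed for contrast.

```python
import re

# First and third lines come from the thread (the O4 command line is shortened);
# the second and fourth are constructed benign entries.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\Windows\System32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1103470
O4 - HKLM\..\Run: [ExampleAV] "C:\Program Files\ExampleAV\tray.exe"
"""

ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<rest>.+)$")
BHO = re.compile(
    r"^BHO: (?P<name>.*) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.+)$"
)
AUTORUN = re.compile(
    r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)


def triage(log_text):
    """Return (code, reason, detail) tuples for entries worth a second look."""
    findings = []
    for line in log_text.splitlines():
        entry = ENTRY.match(line.strip())
        if not entry:
            continue  # header lines, blank lines, running-process list
        code, rest = entry.group("code"), entry.group("rest")
        if code == "O2":
            bho = BHO.match(rest)
            # The registry still names a browser helper object, but no DLL backs it.
            if bho and bho.group("target") == "(no file)":
                findings.append((code, "orphaned BHO", bho.group("clsid")))
        elif code == "O4":
            run = AUTORUN.match(rest)
            # RunOnce values are meant to run once and vanish; a lingering one is stale.
            if run and run.group("key").lower() == "runonce":
                findings.append((code, "leftover RunOnce autostart", run.group("name")))
    return findings


if __name__ == "__main__":
    for code, reason, detail in triage(SAMPLE_LOG):
        print(f"{code}: {reason}: {detail}")
```
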
 
I tried the Kaspersky Online Scanner but it keeps telling me 'You need to install Java version 1.6 or later to run Kaspersky Online Scanner 7.0' even though I have Java 6 Update 12 installed. So thus far I cannot perform a scan.
 
PANDA ONLINE SCAN
Please go >here< to run Panda's ActiveScan
  • Once you are on the Panda site, click the Scan your PC now button
  • A new window will open...click the Scan Now button
  • Allow the ActiveX control to be installed. It will start downloading the files it requires for the scan. Note: This may take a couple of minutes
  • Run the ActiveX control, if requested. The screen will then show the scanning progress - the scan will take a while to finish. Please be patient.
  • When the scan has finished, click on Export To
  • Save the file as Activescan.txt to your Desktop
  • Close the Activescan window then go to your Desktop
  • Double-click on Activescan.txt and it will open in Notepad, attach it.
 
Panda Activescan.txt attached.
 
Please Download VirtumundoBeGone by secured2k
  • Save the file to your desktop
  • Close all running programs (including your Internet Browser)
  • Double-click VirtumundoBeGone.exe on the desktop
  • Read the introductory information, and then click Continue
  • Click Start
  • When asked if you want to continue, click Yes to run the fix
  • Click "Save Log"

Note: It is normal for the fix to terminate by producing a BLUE SCREEN OF DEATH so don't be concerned when this happens. It requires you to manually reboot to restore your normal Windows desktop.

The log created by VirtumundoBeGone called VBG.TXT will be located on your desktop. Please retain VBG.TXT.

Empty Recycle Bin.

Reboot and attach the VBG.TXT into this thread.
Also please describe how your computer behaves at the moment.

Also run a fresh scan with HJT

How is the computer running?

You also don't need to quote me in your responses
 
Attached the VBG.txt file.

As for how the computer is running, it's running well. I haven't received the message of infection in a few hours, so I'll see how it goes tomorrow and the days following. Hopefully the problem's been fixed.

Thanks for all your help.
 
Unfortunately when I turned on my computer this morning I got the same message from Norton that I'm still infected.

Here's the fresh Hijack log.
 
You are saying this doesn't work?

Trojan.Brisv.A!inf:
Follow these steps to download and run the tool:

1. Download the FixBrisvA.exe file from: http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixBrisvA.exe.
2. Save the file to a convenient location, such as your Windows desktop.
3. Optional: To check the authenticity of the digital signature, refer to the "Digital signature" section later in this writeup.

Risk Level 2: Low
Download Removal Tool > http://www.symantec.com/security_response/writeup.jsp?docid=2008-071823-3029-99
Important:

* Note: Symantec strongly recommends that you run this removal tool in Safe mode.
* If you are on a network or have a full-time connection to the Internet, such as a DSL or cable modem, disconnect the computer from the network and Internet. Disable or password-protect file sharing, or set the shared files to Read Only, before reconnecting the computers to the network or to the Internet. Because this worm spreads by using shared folders on networked computers, to ensure that the worm does not reinfect the computer after it has been removed, Symantec suggests sharing with Read Only access or by using password protection.

http://www.symantec.com/security_response/writeup.jsp?docid=2008-071823-3029-99&tabid=3
 
Thanks for all those who contributed to my thread.

I re-ran the Symantec removal tool in safe mode and this time it did the trick. So once again, thanks to the senior members at TechSpot for their assistance.

Is there anything you recommend I do to safeguard my PC from these types of infections in the future?

BWise
 
I thought that you might not have used Safe Mode. Glad that worked for you.

Is there anything you recommend I do to safeguard my PC from these types of infections in the future?
Yes, keep in mind that YOU are the first line of security for your computer! Where you go, what you do, how you handle mails and attachments, where you leave your email address. So, if you'll forgive me, I'm going to put your user name to 'use':

BWise in which site you surf to.
BWise and don't click on pop-ups.
BWise and don't open email from someone you don't know.
BWise and don't open attachments EVEN if they are from someone you know unless you know they are coming and what the content is.
BWise and never leave your personal email address on the internet.
BWise and install one good antivirus program, one firewall and at least 2 spyware/adware programs. Update and scan with them regularly.
BWise and stay away from file sharing programs and sites.
BWise and be careful of what you download and the site you download from.
BWise and only have those processes starting on boot that you need: the antivirus, firewall (if you have 3rd. party firewall), touchpad for laptop, possible network process.
BWise and do regular maintenance on the system: disc cleanups, error check, defrag, uninstall any program you aren't using.

If you are really this 'wise', you should have safe and enjoyable computing!
 
Thanks kritius. I sure hope BWise has a sense of humor and doesn't rush out to change that user name!
 