ClamWin Free Antivirus
Support and Discussion Forums
Need some help with this scan report
Neur0tic0


Joined: 03 Dec 2005
Posts: 7
Location: Spain
First of all I will paste it here, and I will include comments and questions in the report, using /* and */, as if it were C.

--------------------------------------

Scan started: Mon Dec 5 02:29:48 2005

ERROR: Can't open file C:\WINDOWS\system32\config\default
ERROR: Can't open file C:\WINDOWS\system32\config\SAM
ERROR: Can't open file C:\WINDOWS\system32\config\SECURITY
ERROR: Can't open file C:\WINDOWS\system32\config\software
ERROR: Can't open file C:\WINDOWS\system32\config\system
ERROR: Can't open file C:\WINDOWS\system32\drivers\atapi.sys

/*This you told us is a matter of Windows protection, everything OK*/

C:\Archivos de programa\Crystal Player\start.exe: Trojan.WinFavorites.Bridge FOUND

/*I think this could really be a trojan in my Crystal Player, not sure, because it has detected false trojans, you'll see them below*/

C:\Documents and Settings\Neurotico\.jpi_cache\jar\1.0\loaderdmitriy.jar-766adaba-557222af.zip: Trojan.Java.ByteVerify FOUND

/*Possibly a trojan too, but in that directory a jar file could be anything*/

C:\Documents and Settings\Neurotico\Configuración local\Temp\Del381.tmp: Adware.180Solutions-15 FOUND

/*This really is a trojan, without any doubt, delete file, all going well*/

C:\Documents and Settings\Neurotico\Datos de programa\Mozilla\Profiles\default\lg5dlnks.slt\Cache\19E0188Bd01: Trojan.Downloader.Istbar-44 FOUND

/*I use 2 downloading extensions, and Fasterfox, a lot of use of the cache, is this really a trojan?*/

C:\Documents and Settings\Neurotico\Datos de programa\Mozilla\Profiles\default\lg5dlnks.slt\Cache\7B283418d01: Trojan.Downloader.JS.IstBar.A-2 FOUND

/*Same as before*/

C:\Documents and Settings\NEUROTIKO\Datos de programa\Sony Ericsson\backups\351965-00-723649-9\Mi P900 2005-03-15 21.07.25.ecs: Suspect.Zip FOUND

/*Nothing suspicious, it's a security copy of a P900 memory*/

C:\juegoslujuria\Rabillo.exe: Joke.Cursor FOUND

/*Well, here they are, these are games, not the usual games, you know, you don't install them, you only play them. I have used a lot of antivirus programs, and this is the first time they are reported as trojans, and I haven't executed them in years, well, I forgot I had them*/

C:\juegoslujuria\Rabillo.zip: Joke.Cursor FOUND

/*Same as before, this is the zip file the game came in, so if it really were a trojan, it would have been a perfect scan*/

C:\juegoslujuria\Viagra.exe: Joke.ViagRa-2 FOUND

/*Same as before, it's not a game, it only makes the mouse cursor grow, like it had taken some Viagra, funny, not dangerous.*/

C:\juegoslujuria\Viagra.zip: Joke.ViagRa-2 FOUND

/*Well, same as before*/

C:\WINDOWS\system32\a.exe: Trojan.WinFavorites.Bridge FOUND

/*Bridge again, a.exe? This really sounds like a trojan, but system32 is a complicated folder, I think I would delete it, but not really sure*/

C:\WINDOWS\system32\bridge.dll: Trojan.WinFavorites.Bridge FOUND

/*And now a dynamic library that is called Bridge, like the trojan, what the hell is going on here?*/

-- summary --
Known viruses: 41299
Engine version: 0.87.1
Scanned directories: 9027
Scanned files: 103956
Infected files: 12

Data scanned: 53515.16 MB
Time: 16371.394 sec (272 m 51 s)
-------------------
Completed
------------------

At the end, I don't know if I have a bridge or not. I would like to know your impression of this test, and what you would delete and treat as trojans, and what is not a trojan. I only see one possible, that bridge, but it's strange. Don't know if you understand, but I need help to know if I have to delete them or not. I don't use any of those programs, well, the java one I don't know if the JVM is using it, but well, I'm a little lost with this report.

Thanks for reading.
mulander


Joined: 05 Dec 2005
Posts: 1
Location: Poland
Hi,
I would try to scan the system with SpyBot/Ad-aware, as all that you found are trojans (well, at least ClamWin says so), so if both of these programs confirm it I would start to consider deleting the files (or safe removal by SpyBot).
SpyBot is freeware so I would rather suggest it over Ad-aware ;)

C:\WINDOWS\system32\bridge.dll:
This is a hard call, I would refrain from deleting it, as it might be needed by your OS... You will have to wait for someone with a lot more knowledge than I have, sorry :(
If you really want to delete the bridge.dll file, at least make a good backup copy and some kind of rescue disc to boot your OS if it fails after deleting it.
Hope I helped at least a little bit ;)
Regards,
Mulander
alch
Site Admin

Joined: 27 Nov 2005
Posts: 1751
You do have the Trojan.WinFavorites.Bridge virus on your machine, see this description:
http://www.viruslist.com/en/viruses/encyclopedia?virusid=60172

In order to clean it you need to:
1. Kill a.exe and rundll32.exe processes using process list in task manager (ctrl-alt-del-task manager).
2. remove a.exe and bridge.dll
3. remove these values from registry:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"RunDLL" = "rundll32.exe "%System%\bridge.dll",Load"
"systray" = "%System%\a.exe"

As for the virus reports in the java cache I wouldn't worry about them, mostly harmless applets that are not executed by your browser anyway. You will find those on almost any PC.
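
The distinction drawn in this reply, between flagged files that are started at every logon and flagged files that merely sit on disk, can be checked by matching the report's FOUND lines against the Run-key values. This is an added example, not part of the original post or of ClamWin; the function names are hypothetical, `%System%` is assumed to expand to `C:\WINDOWS\system32`, and the `ctfmon` entry is constructed for contrast.

```python
import re

# Lines copied from the scan report in this thread (subset).
REPORT = r"""
ERROR: Can't open file C:\WINDOWS\system32\config\SAM
C:\Archivos de programa\Crystal Player\start.exe: Trojan.WinFavorites.Bridge FOUND
C:\Documents and Settings\Neurotico\.jpi_cache\jar\1.0\loaderdmitriy.jar-766adaba-557222af.zip: Trojan.Java.ByteVerify FOUND
C:\juegoslujuria\Viagra.exe: Joke.ViagRa-2 FOUND
C:\WINDOWS\system32\a.exe: Trojan.WinFavorites.Bridge FOUND
C:\WINDOWS\system32\bridge.dll: Trojan.WinFavorites.Bridge FOUND
"""

# Run-key values named in the reply, with %System% expanded (assumption).
# "ctfmon" is a constructed benign entry, not taken from the thread.
RUN_VALUES = {
    "RunDLL": r'rundll32.exe "C:\WINDOWS\system32\bridge.dll",Load',
    "systray": r"C:\WINDOWS\system32\a.exe",
    "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe",
}

FOUND = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")

def parse_report(text):
    """Return {lowercased path: signature} for FOUND lines; ERROR lines are skipped."""
    hits = {}
    for line in text.splitlines():
        m = FOUND.match(line.strip())
        if m:
            hits[m["path"].lower()] = m["sig"]
    return hits

def autostarted_detections(hits, run_values):
    """Return {value name: (path, signature)} for Run values that launch a flagged file."""
    out = {}
    for name, command in run_values.items():
        for path, sig in hits.items():
            if path in command.lower():  # Windows paths are case-insensitive
                out[name] = (path, sig)
    return out

def triage(hits, run_values):
    """Split flagged paths into (started at logon, present on disk only)."""
    active = {p for p, _ in autostarted_detections(hits, run_values).values()}
    return sorted(active), sorted(set(hits) - active)
```

A flagged file without a Run value is not thereby benign; the split only shows which detections are configured to start at logon and so need the registry values removed along with the files.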
Neur0tic0


Joined: 03 Dec 2005
Posts: 7
Location: Spain
alch wrote:
You do have the Trojan.WinFavorites.Bridge virus on your machine, see this description:
http://www.viruslist.com/en/viruses/encyclopedia?virusid=60172

In order to clean it you need to:
1. Kill a.exe and rundll32.exe processes using process list in task manager (ctrl-alt-del-task manager).
2. remove a.exe and bridge.dll
3. remove these values from registry:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"RunDLL" = "rundll32.exe "%System%\bridge.dll",Load"
"systray" = "%System%\a.exe"

As for the virus reports in the java cache I wouldn't worry about them, mostly harmless applets that are not executed by your browser anyway. You will find those on almost any PC.


Thanks for the information.
Ruxi_arh


Joined: 16 Sep 2006
Posts: 1
Location: Romania
I have the same trojan on my machine, but with a new problem (I guess it got smarter).

I tried to follow the steps indicated by alch (whom I thank for it), but when I tried to open the Task Manager a message appeared telling me that "Task manager has been disabled by your administrator".
Can anybody tell me how to enable it again?

Thanks!
alch
Site Admin

Joined: 27 Nov 2005
Posts: 1751
hmm, maybe this info will help:
http://windowsxp.mvps.org/Taskmanager_error.htm