Trojan.Brisv.A! can't find file?

Hi,

This is my first post. Today Norton discovered the Trojan.Brisv.A!inf on my system, Windows XP.

My problem is when Norton finishes the scan, the details show the location of the trojan but I can't find the file that it names. In fact it doesn't exist where it says it does. I've run the removal tool in safe mode and it says it can't find anything, but it keeps appearing in my Norton History as an unresolved security problem.

 

My problem is that the file is not there and that the Fix doesn't show a problem.

 

Any help much appreciated.

Thanks

Reb 

The file path is:

 

programs/bitcomet/downloads/classical music/op.21.mp3

 

There never was a folder for classical music in BitComet. I'm stumped.

Please download MalwareBytes’ AntiMalware from this LINK . Choose the free version as this does not have a real time scanner that will interfere with Norton products. Install the program and update the definitions.

Boot into Safe Mode:
Start your system and tap the F8 key until the Advanced Options Menu appears. Using the arrow keys, select Safe Mode (no networking or command prompt) and press ENTER.

Once Safe Mode is loaded, run a full scan with MBAM. Have the program fix / delete whatever it finds and make a log file. Please post the log file contents back here for review.

Thanks, I'll try that one tomorrow.

 

Reb

Please let us know if that worked for you. Otherwise we need to look for other solutions.

Hi Reb,

 

You can also try the removal tool mentioned in this Symantec Support Article.

 

Yogesh

As requested here's the Malware bytes Log File which found no infections.

 

Also in reply to the Symantec removal tool, I used it in safe mode twice but it finds no problems.

 

I've read the previous postings on this infection and those posted by Quads, which were very informative, but none that seemed to address this issue of being unable to find the file... hoping my luck will change!

 

Thanks,

 

Malwarebytes' Anti-Malware 1.38
Database version: 2375
Windows 5.1.2600 Service Pack 3

06/07/2009 6:05:46 PM
mbam-log-2009-07-06 (18-05-46).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 277921
Time elapsed: 1 hour(s), 43 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Rebjen:

 

If you go to your unresolved threats and click on the Brisv A and click remove, it might say that the removal failed.  This is sometimes because the threat has been removed by another program, and Norton is not aware that it is gone.

 

If you have clicked remove and been advised of failure, the file may be under a different name in the Qbackup file.

 

In this case, you can follow the instructions for "The Fix" in this thread.  Scroll down to the bottom of Quads' post to find the instructions for the fix.

 

http://community.norton.com/norton/board/message?board.id=nis_feedback&message.id=45354&query.id=179904#M45354

If I go to Unresolved Security Risks, it shows me that Trojan.Brisv.A! is still a threat and dated Jan. 27, 2009, 2:54:06 pm

 

I looked in Quarantine for the first time and it shows Trojan.Brisv.A! removed Jan 27, 2009 2:53:21 PM, and there is another listing, the most recent, saying it was removed again on June 5, 2009 9:23:04 am.

 

Also when I run Norton full system scan it seems rather fast to me and scans a total of about 5000 files, is that correct?

When I ran Malwarebytes it scanned at least 100,000 files. 

 

Should I run a search in my directory for the file name "Trojan.brisv.A!inf" ?

 

I'm reluctant to start up any more programs than absolutely necessary, but I did discover my DVD writer no longer functions, as well as all the websites being redirected, though fortunately I'm able to connect with Norton!

 

Thanks

Hi Rebjen:

 

Short scanning of files could be an indication of a problem.  You could download GMER and attach a copy via the attachment link under the post button.

 

http://www.gmer.net/ 

I tried your suggestion with GMER but it won't install. Then I tried their suggestion to change the name of the file to test.exe, but it still won't run.

 

Thanks

Well, that is not good.  Please try again in safe mode without networking.  Reboot, tap F8 repeatedly until the menu for Safe Mode comes up.

 

Let us know.

Yikes!!... tried GMER in Safe Mode; unfortunately it would not run either.

Is it hopeless? Have I lost everything?

 

Reb

 

Okay Rebjen:

 

Let's see if we can get rid of the DNS changer at least.  Please download Hijackthis and give us that log.

 

http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis

Well, I was able to install HijackThis. I'm a bit dubious whether it did a thorough scan because it completed in about a minute, which seemed very fast, but I've never used it before.

Here's the results.

Thanks.

 

 

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:30:58 PM, on 07/07/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Extensis\Extensis Suitcase 11\Bonjour\mDNSResponder.exe
C:\Program Files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Extensis\Extensis Suitcase 11\Suitcase.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.ca/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DC
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/webhp?hl=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.ca/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.ca/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.faststone.org/ThankYou.htm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\IPSBHO.DLL
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\coIEPlg.dll
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.1\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Suitcase 11.0.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{71D49767-B176-4602-BF20-E050F64B0200}: NameServer = 206.126.95.243 206.126.95.244
O18 - Protocol: jpip - {B92DD248-E3D5-4A92-B311-C9B841681455} - C:\Program Files\LizardTech\Express View\expressview.dll
O18 - Protocol: sidlet - {B92DD248-E3D5-4A92-B311-C9B841681455} - C:\Program Files\LizardTech\Express View\expressview.dll
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\coIEPlg.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Extensis\Extensis Suitcase 11\Bonjour\mDNSResponder.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

--
End of file - 7617 bytes
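The helper's next step is to read this log by hand for the DNS changer and for startup items. The script below is an added example, not part of the thread and not a HijackThis feature: it parses lines in the log's format, pulls the resolver addresses out of the O17 entry, compares them against an expected set that the reader must supply (the ISP's or router's DNS; the script cannot judge an address on its own, and nothing here says whether the addresses in this log are good or bad), and lists O4 Run entries given as a bare file name rather than a full path, which are the ones to confirm by hand. The sample log is a constructed excerpt that copies a few lines from the log above.

```python
import re

# Constructed sample in the shape of the HijackThis log posted above (a handful
# of lines, not the full log); the O4, O17 and O23 lines are copied from that log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{71D49767-B176-4602-BF20-E050F64B0200}: NameServer = 206.126.95.243 206.126.95.244
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Extensis\Extensis Suitcase 11\Bonjour\mDNSResponder.exe
"""

# One log entry: a section code (R0, O4, O17, ...), " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
# O4 Run-key entries: HKLM\..\Run: [name] command
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O17 entries carry the configured resolvers after "NameServer = ".
NS_RE = re.compile(r"NameServer = (?P<servers>.+)$")
# A command that starts with a drive letter (optionally quoted) is a full path.
FULL_PATH_RE = re.compile(r'^"?[A-Za-z]:\\')


def parse_hjt(text):
    """Return (section, body) pairs for every 'Oxx - ...' / 'Rx - ...' line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def nameservers(entries):
    """All resolver addresses listed in O17 NameServer entries, in log order."""
    found = []
    for section, body in entries:
        if section != "O17":
            continue
        m = NS_RE.search(body)
        if m:
            # HijackThis separates multiple resolvers with spaces or commas.
            found.extend(s for s in re.split(r"[,\s]+", m.group("servers")) if s)
    return found


def unexpected_nameservers(entries, expected):
    """Resolvers in O17 entries that are not in the set the machine should use.

    `expected` is an assumption supplied by whoever knows the network (the
    ISP's or router's DNS); the script cannot decide on its own whether an
    address is legitimate.
    """
    return [ip for ip in nameservers(entries) if ip not in expected]


def run_entries_without_path(entries):
    """O4 Run entries whose command is a bare file name rather than a full path.

    These are worth confirming by hand: which binary actually runs depends on
    the search path, so the name alone does not identify it.
    """
    flagged = []
    for section, body in entries:
        if section != "O4":
            continue
        m = RUN_RE.match(body)
        if m and not FULL_PATH_RE.match(m.group("cmd")):
            flagged.append((m.group("name"), m.group("cmd")))
    return flagged


if __name__ == "__main__":
    entries = parse_hjt(SAMPLE_LOG)
    print("O17 resolvers:", nameservers(entries))
    # Placeholder expected set; replace with the resolvers your ISP or router issues.
    print("Unexpected resolvers:", unexpected_nameservers(entries, {"192.168.1.1"}))
    print("Run entries without a full path:", run_entries_without_path(entries))
```

Run it against the full log saved from HijackThis by reading the file into `parse_hjt` instead of `SAMPLE_LOG`. The resolver check only reports addresses outside the set you give it, so the result is only as good as that set.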

Please check the following in HiJackThis and then click on "Fix checked":

 

O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Extensis\Extensis Suitcase 11\Bonjour\mDNSResponder.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

 

After that, reboot and see if GMER will run now.

I ran the fix, then went back and downloaded another randomly named GMER.exe (fingers crossed), but the same thing happens. The Scan button is on the right side and just won't budge when I click on it.

 

Should I try in Safe Mode as well? 

I tried Safe Mode and no luck.

 

Reb

Okay Rebjen:

 

Hang in there.  Some of these are nastier than others.  It is becoming apparent that you have a rootkit, to be causing this much trouble.

 

There is a new version of RootRepeal we can try.  Sometimes it works best when you download it as a "save as", rebjen, rather than under its own name.

 

http://homepages.slingshot.co.nz/~crutches/RootRepel/

 

Instructions:

 

Click on "Report"

Select all the boxes

Then your HD.

 

Then click scan

 

If it runs, attach the log using the attachment link under the post button.  Cross your fingers.