super hidden bridge.dll and jao.dll

GeneF · Cadet Joined: Apr 14, 2004 Posts: 1 Location: USA

I located bridge.dll and joa.dll in XP under Windows\Downloaded program files. Although I have all viewing restrictions relaxed, I couldn't see 7 of 10 files iin the folder. I was able to view them in Command prompt.

Does anyone know anything about JAO.DLL. Several web searches yielded nothing. Also, does anyone know how to overcome the Super Hide in XP. (I know XP supports user defined file attributes, but as a programmer, I have never tried t ouse them.

Hope this is the right forum for this post.

Thanks

dineshcooper · Cadet Joined: May 03, 2004 Posts: 2 Location: Uk

Hi
I noticed an entry in my registry at

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
in a value called RunDLL there was a call to rundll32.exe bridge.dll

so I deleted it but it kept coming back, so I wrote a script to monitor that
location in the registry and what i found is that everytime i opened
the browser or even my computer the entry was being written back.

I then made the script delete that entry everytime it was being written and rebooted, then i deleted bridge.dll, bridge.inf and jao.dll.
Changed my browser's homepage back to google and everything seemed
fine but lo and behold my browser is going back to that goddamn search page, it hasnt written to the registry and those files aren't back so there has to be some other files sitting somewhere thats causing it to come back.

Im trying to locate it, we'll see what happens.
This spyware stuff is driving me nuts.

If i find anything i'll post it here again.
But if anyone else has any ideas please post it here too

82jumper · Cadet Joined: May 07, 2004 Posts: 1 Location: USA

My system was recently infected by Trojan Revop.C, then followed up today with a PSW.Bliss.E. virus. AVG was not able to remove it to the vault. I found this thread and followed its directions. NOw it is gone. But I noticed that there were several other .exe's added when the bridge.dll was created. Should I remove these as well, via DOS:
jao.dll, stkid.exe, uninstall.exe, and auto_update_uninstall.exe
They were created with two minutes of the bridge.dll

dineshcooper · Cadet Joined: May 03, 2004 Posts: 2 Location: Uk

Hi

I found this posting and this finally got rid of the searchx.cc
for good:

by DanR at
http://www.computing.net/windowsxp/wwwb...02521.html

The post goes as follows:

Name: DanR
Date: May 07, 2004 at 03:07:13 Pacific
Subject: Searchx.cc IE start page

Reply:
I had this same problem in IE where when you open it, it shows about:blank in the Address bar and shows a search page that takes you to searchx.cc. But I finally found the fix. Before you start you should have the latest Adaware 6. You will need it.
I had run Adaware 6 and it removed it temporarily but it kept coming back after a few hours or days. It somehow kept re-infecting my machine.

After many hours of hard work, I finally figured out how to remove it for good. The key to removing this is the registry key called

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

You have to remove this key. The value of this key may look blank for you, but it is not. They hide the value so you can't see it. This registry key tells Windows to load the trojan DLL every time ANY application is run giving it complete control to do whatever it wants. So you need to remove it so that the trojan DLL cannot load and keep re-infecting your pc.

The way to remove the registry key is not obvious. If you just delete it from regedit, since the trojan DLL is loaded, it will re-add it right back. (Try it. Delete the AppInit_DLLs registry key and hit F5. Notice that it's added right back by the trojan). So what you have to do is the following which worked for me.

1. Rename the HLM\Software\Microsoft\Windows NT\CurrentVersion\Windows folder to Windows2.
2. Now delete the AppInit_DLLs key under the Windows2 folder.
3. Hit F5 and notice that AppInit_DLLs doesn't come back.
4. Rename the Windows2 folder back to Windows.

Now that AppInit_DLLs is gone, run the latest Adaware 6 to remove the trojan for good. Reboot your machine. Check the registry and make sure AppInit_DLLs is still gone. Your computer should be free of this for good now.

Let me know if this works for you.

- from DanR the computer guy

(By the way, the only reason why I spent so much time figuring this out is because Merijn doesn't seem to be able to. I've been waiting a long time for him to figure it out but it seems he hasn't been able to so I got sick of waiting and just did it myself. Maybe he'll copy this into CWShredder now that he knows how to do it.)

CoolBeans2665 · Corporal Joined: Jul 19, 2003 Posts: 55 Location: USA

Well Done, dineshcooper! Thumbs Up

Finally rid of the little stinker!

A strange thing that coincided with the arrival of searchx, on my system, is that spyware blaster became disabled. I installed and reinstalled but was still getting a message that SWB would not run because there was either a bad sector on my hard drive (which I ruled out) or I had a virus. But after using the fix, SWB is back to normal.

Thanks!


	Home ˇ Topics ˇ Submit News ˇ Top 10 This entire site, Cops Themes, and Computer Cops are Š 2002 - 2004 Computer Cops, LLC. All rights reserved. You can syndicate our news using the file RSS 0.91, ultramode.txt, or RSS 1.0. Acceptable Use Policy. Use signifies your agreement. Engine Copyright Š 2002 by PHP-Nuke, GNU/GPL Licensed. ICRA Member. Paul Laudanski, Member of Computer Cops, LLC Server Load: 763 pages served in previous 5 minutes. Page Rendered: 0.432 seconds.