TechSpot

trojan trouble: bifrose.LA

By ccel
Sep 8, 2007
  1. Hello Techboard community.

    I can't rid my system of a trojan that Spybot identifies as bifrose.LA

    Ad-Aware finds Win32.Backdoor.bifrose and Win32.TrojanDownloader.Ag

    Online scan with House Call also finds the trojan.

    None of the programs can rid me of it; after re-boot it re-appears.

    I think it's connected with the program svhost.exe (NB not a typo for svchost.exe). This program is located in AppData / Roaming.

    I've attached the logs for AVG & HJT. Combofix ran all night and did not complete. It did produce a 140 GB size file in its folder, though...

    This is the first post I've made so let me know if I've missed anything.

    I'd be grateful for any help and input.
     
  2. Rik

    Rik Banned Posts: 4,985

    Please follow the instructions in step 12 in this thread - http://www.techspot.com/vb/topic58138.html then post your combofix log and a fresh HJT log. If it wont run then we will have to try something else.


    This thread is for the use of ccel only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. ccel

    ccel TS Rookie Topic Starter

    Hi Rik.

    Thanks a lot for taking the time. I ran ComboFix again, but all it does is use up all my spare disk space. Dunno why...

    Also, I *cough* hadn't run AVG Anti-Root Kit before posting. It does find a hidden system file. Name seems random. I've attached a screenshot of it.

    Also attaching fresh HJT log.

    Again, thanks for taking the time.
     
  4. Rik

    Rik Banned Posts: 4,985

    I cant see anything seriously bad in your HJT log, however, do know and trust the following entry.

    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKAL TJÄNST')

    Do you recognize the user?


    After doing some more research, you could try this - http://www.paretologic.com/xoftspy/se/newlp/xray/?uid=owq1f - if it doesn't do the job or asks for money then uninstall it an i will look for something else.



    This thread is for the use of ccel only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  5. ccel

    ccel TS Rookie Topic Starter

    No, I don't, really. No user on this computer uses Welcome Center; it is a standard feature of Vista, though, so I haven't suspected it.

    XSoft won't run on Vista, so I was unable to try that.

    As for further research, I'm kind of at a loss. What little I can do myself I've tried, so am thankful for any further help.

    Thanks again for your time.
     
  6. Rik

    Rik Banned Posts: 4,985

    After some consultation.

    Delete the "svhost.exe" you mentioned in your first post and see if that helps.

    If avg anti-rootkit sees the same result as the one in your picture, have it fix it.



    This thread is for the use of ccel only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  7. ccel

    ccel TS Rookie Topic Starter

    1) Deleted svhost.exe manually. It re-surfaced, but bizarrely isn't visible. (Yes, I use "show hidden files") When I search for it explorer locates it in the same folder I deleted it from.
    2) Had AVG Anti-Root kit remove the hidden driver. It re-surfaced under a different seemingly random name.
    3) Had Spybot remove Bifrose.LA. It's back...

    Time to toss everything and start afresh? I would have, already, but computers no longer ship with OS disks, so will have to contact HP to get one...
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Hello and welcome to Techspot.

    Before resorting to a reformat, which may yet still be needed, let`s try a couple of things and see if they help at all.

    Please note: because you`re running Vista, I don`t know if this will run on your OS.

    Download and install DrWebCureit:
    ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
    http://spywareinfo.dk/download/drweb-cureit.exe to your desktop.

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Doubleclick the "drweb-cureit.exe" and click "ok" in the prompt window that will open , asking "start the express scan now".
    It will first make a quick scan of your system, let it clean what it find, and when it says "done"
    Click on the green screwdriver-
    Actions Tab- Adware-Dialers-Riskware-Hacktools, use dropdown menu and select -Delete
    Click on the drive(s) you want to scan . A red dot will mark the selected drive(s) . Then hit the green arrow in lower right corner It will now scan your drive(s), say yes to all

    After the scan, in the Dr.Web CureIt menu on top, click file and choose save report list
    Save the report to your desktop. The report will be called DrWeb.csv
    Close Dr.Web Cureit.

    Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.

    Attach the DrWeb.csv log.

    Regards Howard :wave: :wave:

    This thread is for the use of ccel only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  9. ccel

    ccel TS Rookie Topic Starter

    Hello again.

    Dr Web worked fine on Vista; took a solid 12 hrs to run, though.

    Thanks for looking into this
    ---
    edit: system says .csv is not a permitted file. What to do?
     
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Can you please give me the file path to .csv and any error message you receive?

    This thread is for the use of ccel only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  11. ccel

    ccel TS Rookie Topic Starter

    I'm sorry, I wasn't clear. I'm not allowed to upload the file format .csv to TechSpot.

    I'm attaching the log as a textfile. Hoping that will do.
     
     
  12. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Ah, now I see.

    I can`t see any problems there.

    How`s your system running?

    This thread is for the use of ccel only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  13. ccel

    ccel TS Rookie Topic Starter

    System seems OK, everything running pretty well. It's just that I'm a bit spooked since bifrose is supposed to be a dialler?

    The registry entry that I'm concerned about which I've deleted a number of times is at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components. I've attached a snapshot of the key entries.

    I dunno. A false positive? Maybe I should re-format after all; I've only had the machine for two weeks so it's not the end of the world at this point.

    Thanks for all the time you guys put in. It's truly appreciated.
     
  14. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Thanks for the jpeg, that helps to explain things so much better.

    1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

    2. Download the attached avengerscript.txt and save it to your desktop

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Now, start The Avenger program by double clicking on its icon on your desktop.

    Under "Script file to execute" choose "Load script from file".
    Now click on the folder icon which will open a new window titled "open Script File"
    navigate to the file you have just downloaded, click on it and press open
    Now click on the Green Light to begin execution of the script
    Answer "Yes" twice when prompted.

    4. The Avenger will automatically do the following:

    It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    On reboot, it will briefly open a black command window on your desktop, this is normal.
    After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

    5. Please attach the content of c:\avenger.txt into your reply.

    Regards Howard :)

    This thread is for the use of ccel only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  15. ccel

    ccel TS Rookie Topic Starter

    Thanks, but it doesn't work with Vista.

    I miss my XP...
     
  16. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Sorry, I had forgot you were running Vista, try this instead.

    Download the Pocket Killbox programme from HERE. Extract it but don`t run it yet.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for(if there).

    svhost.exe<Not to be confused with svchost.exe

    Close task manager.

    Run the killbox.exe file. When it loads type the full path to the file you would like to delete in the field and check the delete file on reboot button. press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot, select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted. If your computer doesn`t automatically restart, restart it manually.

    These are the filepaths you need to enter into killbox.

    C:\windows\system32\win32\svhost.exe
    C:\windows\system32\win32

    Reboot into normal mode and rehide your protected OS files.

    Please let me know the results.

    Regards Howard :)

    This thread is for the use of ccel only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  17. ccel

    ccel TS Rookie Topic Starter

    OK, here goes:

    1) svhost.exe was not running in processes.
    2) Ran Pocket Killbox, delete went well. It took out svhost.exe and another file, klog.dat (I added it in Killbox, thought it safe since you had the folder down for delete; saved a copy of klog.dat and altered it to klog.txt if needed for reference).
    3) the registry entry (see my last post) is still there.
    4) Both SpyBot and Ad-Aware still find problems with that entry. Attaching screenshots of what they found.
    5) AVG scan finds nothing

    So, good news is that svhost.exe is gone. Can/should I delete the registry entry manually?
     
  18. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Yes, delete the registry entry manually.

    Click start/run and type regedit into the run box and press the enter key. When the window appears maximise it. Click file/export and save a copy of your registry to wherever you want.

    Now, navigate to the registry entry and delete it.

    Let me know the results.

    Regards Howard :)

    This thread is for the use of ccel only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  19. ccel

    ccel TS Rookie Topic Starter

    I'm happy to say that everything seems settled now! When I ran Ad-Aware yesterday I ticked the box asking the program to fix the issue it had found, something I'd done a number of times while trying to solve this issue. This time it worked; when I opened the registry this morning the entry was gone and deleted. :)

    In other words, there was no need to delete it manually, and neither Ad-Aware nor SpyBot found anything.

    Thank you very much for all the help. I'm very grateful. :) :)
     
  20. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    That`s good new and thanks for letting us know.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

    This thread is for the use of ccel only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.