trojan trouble: bifrose.LA

Status
Not open for further replies.
C

ccel

Posts: 14   +0
Hello Techboard community.

I can't rid my system of a trojan that Spybot identifies as bifrose.LA

Ad-Aware finds Win32.Backdoor.bifrose and Win32.TrojanDownloader.Ag

Online scan with House Call also finds the trojan.

None of the programs can rid me of it; after re-boot it re-appears.

I think it's connected with the program svhost.exe (NB not a typo for svchost.exe). This program is located in AppData / Roaming.

I've attached the logs for AVG & HJT. Combofix ran all night and did not complete. It did produce a 140 GB size file in its folder, though...

This is the first post I've made so let me know if I've missed anything.

I'd be grateful for any help and input.
 
Hi Rik.

Thanks a lot for taking the time. I ran ComboFix again, but all it does is use up all my spare disk space. Dunno why...

Also, I *cough* hadn't run AVG Anti-Root Kit before posting. It does find a hidden system file. Name seems random. I've attached a screenshot of it.

Also attaching fresh HJT log.

Again, thanks for taking the time.
 
I cant see anything seriously bad in your HJT log, however, do know and trust the following entry.

O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKAL TJÄNST')

Do you recognize the user?


After doing some more research, you could try this - http://www.paretologic.com/xoftspy/se/newlp/xray/?uid=owq1f - if it doesn't do the job or asks for money then uninstall it an i will look for something else.



This thread is for the use of ccel only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
rik said:
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKAL TJÄNST')

Do you recognize the user?
Click to expand...

No, I don't, really. No user on this computer uses Welcome Center; it is a standard feature of Vista, though, so I haven't suspected it.

XSoft won't run on Vista, so I was unable to try that.

As for further research, I'm kind of at a loss. What little I can do myself I've tried, so am thankful for any further help.

Thanks again for your time.
 
After some consultation.

Delete the "svhost.exe" you mentioned in your first post and see if that helps.

If avg anti-rootkit sees the same result as the one in your picture, have it fix it.



This thread is for the use of ccel only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
1) Deleted svhost.exe manually. It re-surfaced, but bizarrely isn't visible. (Yes, I use "show hidden files") When I search for it explorer locates it in the same folder I deleted it from.
2) Had AVG Anti-Root kit remove the hidden driver. It re-surfaced under a different seemingly random name.
3) Had Spybot remove Bifrose.LA. It's back...

Time to toss everything and start afresh? I would have, already, but computers no longer ship with OS disks, so will have to contact HP to get one...
 
Hello and welcome to Techspot.

Before resorting to a reformat, which may yet still be needed, let`s try a couple of things and see if they help at all.

Please note: because you`re running Vista, I don`t know if this will run on your OS.

Download and install DrWebCureit:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
http://spywareinfo.dk/download/drweb-cureit.exe to your desktop.

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Doubleclick the "drweb-cureit.exe" and click "ok" in the prompt window that will open , asking "start the express scan now".
It will first make a quick scan of your system, let it clean what it find, and when it says "done"
Click on the green screwdriver-
Actions Tab- Adware-Dialers-Riskware-Hacktools, use dropdown menu and select -Delete
Click on the drive(s) you want to scan . A red dot will mark the selected drive(s) . Then hit the green arrow in lower right corner It will now scan your drive(s), say yes to all

After the scan, in the Dr.Web CureIt menu on top, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.

Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.

Attach the DrWeb.csv log.

Regards Howard :wave: :wave:

This thread is for the use of ccel only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Hello again.

Dr Web worked fine on Vista; took a solid 12 hrs to run, though.

Thanks for looking into this
---
edit: system says .csv is not a permitted file. What to do?
 
I'm sorry, I wasn't clear. I'm not allowed to upload the file format .csv to TechSpot.

I'm attaching the log as a textfile. Hoping that will do.
 
System seems OK, everything running pretty well. It's just that I'm a bit spooked since bifrose is supposed to be a dialler?

The registry entry that I'm concerned about which I've deleted a number of times is at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components. I've attached a snapshot of the key entries.

I dunno. A false positive? Maybe I should re-format after all; I've only had the machine for two weeks so it's not the end of the world at this point.

Thanks for all the time you guys put in. It's truly appreciated.
 
Thanks for the jpeg, that helps to explain things so much better.

1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

2. Download the attached avengerscript.txt and save it to your desktop

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by double clicking on its icon on your desktop.

Under "Script file to execute" choose "Load script from file".
Now click on the folder icon which will open a new window titled "open Script File"
navigate to the file you have just downloaded, click on it and press open
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please attach the content of c:\avenger.txt into your reply.

Regards Howard :)

This thread is for the use of ccel only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Sorry, I had forgot you were running Vista, try this instead.

Download the Pocket Killbox programme from HERE. Extract it but don`t run it yet.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).

svhost.exe<Not to be confused with svchost.exe

Close task manager.

Run the killbox.exe file. When it loads type the full path to the file you would like to delete in the field and check the delete file on reboot button. press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot, select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted. If your computer doesn`t automatically restart, restart it manually.

These are the filepaths you need to enter into killbox.

C:\windows\system32\win32\svhost.exe
C:\windows\system32\win32

Reboot into normal mode and rehide your protected OS files.

Please let me know the results.

Regards Howard :)

This thread is for the use of ccel only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
OK, here goes:

1) svhost.exe was not running in processes.
2) Ran Pocket Killbox, delete went well. It took out svhost.exe and another file, klog.dat (I added it in Killbox, thought it safe since you had the folder down for delete; saved a copy of klog.dat and altered it to klog.txt if needed for reference).
3) the registry entry (see my last post) is still there.
4) Both SpyBot and Ad-Aware still find problems with that entry. Attaching screenshots of what they found.
5) AVG scan finds nothing

So, good news is that svhost.exe is gone. Can/should I delete the registry entry manually?
 
Yes, delete the registry entry manually.

Click start/run and type regedit into the run box and press the enter key. When the window appears maximise it. Click file/export and save a copy of your registry to wherever you want.

Now, navigate to the registry entry and delete it.

Let me know the results.

Regards Howard :)

This thread is for the use of ccel only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
I'm happy to say that everything seems settled now! When I ran Ad-Aware yesterday I ticked the box asking the program to fix the issue it had found, something I'd done a number of times while trying to solve this issue. This time it worked; when I opened the registry this morning the entry was gone and deleted. :)

In other words, there was no need to delete it manually, and neither Ad-Aware nor SpyBot found anything.

Thank you very much for all the help. I'm very grateful. :) :)
 
That`s good new and thanks for letting us know.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

This thread is for the use of ccel only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Status
Not open for further replies.

Similar threads

midian182
Ad for a cheap BMW was used as Trojan horse in Russian cyberattack on Ukrainian diplomats
Replies
1
Views
338
Jaabaaar
Jaabaaar
S
Inactive Windows starts but doesn't finish
Replies
5
Views
3K
Broni
Broni
D
Solved Very Slow on Startup, Constantly Unresponsive and Script and Plugin Errors
Replies
21
Views
13K
Broni
Broni

Latest posts

Back