Author Topic: Please help, Trojan horse from nowhere  (Read 7760 times)


kevbeck
Please help, Trojan horse from nowhere
« on: August 14, 2012, 04:38:54 AM »
I turned on my system today and am greeted with a red avast pop up "Trojan Horse Blocked" .

Object: c:\users\Computer1\AppData\Local\Temp\WER2142.tmp.hdmp
Infection: Win32:Bifrose-FCQ [Trj]
action: Moved to chest
Process: C:\windows\SysWOW64\werfault.exe

I am the only one that uses this system and am puzzled, in denial as to how I got an infection, because I am very careful about what sites I visit, how I interact with the internet, connecting removable devices etc. I have not used the system for about a whole day and when I left it, it was fine.

1. Can someone please tell me the best way to scan for infection (is safe mode the best way?)
2. I tried locating the folder "AppData" but it is nowhere to be found. Could this be a location for SafeZone?
3. Where can I find detailed events leading up to the infection, and when and where I obtained the infection on my system?
4. I browse with cookies and history turned off, so this stuff is not collected by my browser (safe internet browsing).

Please answer my questions and help. Thanks

Offline polonus
Re: Please help, Trojan horse from nowhere
« Reply #1 on: August 14, 2012, 02:37:45 PM »
Hi kevbeck,

WerFault.exe is Windows Error Reporting; if it is in a normal path there is not much to worry about there. The WerFault action, though, might have come through a recent software install which came with a backdoor that has been detected by avast as Win32:Bifrose-FCQ [Trj]. What software did you install before you got that trojan horse blocked alert? Go here and provide us with the logs: http://forum.avast.com/index.php?topic=53253.0 attached to your next posting, and a qualified removal expert will look into it.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline DavidR
Re: Please help, Trojan horse from nowhere
« Reply #2 on: August 14, 2012, 02:50:17 PM »
If this is an old file (been on your system for some time without problem ?) then it could be a possible FP from an update in the virus signatures that now detects it. The file type indicates it is a dump file as a result of an error using the main WER2142 file.

Before I would contemplate the generation of these logs, I would scan this file for confirmation that it is a good detection or otherwise.

Check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here, post the URL in the Address bar of the VT results page. You can't do this with the file securely in the chest, you need to Open the chest and right click on the file and select 'Extract' it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive. Now exclude that folder in the File System Shield, Expert Settings, Exclusions, Add, type (or copy and paste) C:\Suspect\*
That will stop the File System Shield scanning any file you put in that folder.

« Last Edit: August 14, 2012, 02:52:10 PM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

kevbeck
Re: Please help, Trojan horse from nowhere
« Reply #3 on: August 15, 2012, 06:02:41 AM »
Quote from: polonus
Hi kevbeck,

WerFault.exe is Windows Error Reporting; if it is in a normal path there is not much to worry about there. The WerFault action, though, might have come through a recent software install which came with a backdoor that has been detected by avast as Win32:Bifrose-FCQ [Trj]. What software did you install before you got that trojan horse blocked alert? Go here and provide us with the logs: http://forum.avast.com/index.php?topic=53253.0 attached to your next posting, and a qualified removal expert will look into it.

polonus


Thank you for the help.

I don't recall installing any software before the trojan pop-up occurred. How can I double check and confirm that there was no installation of new software on my system? Would there be a log of this activity on my computer?

Can you please tell me what logs I will be providing and how? Do these contain personal info?

Not sure if this matters or not, but I've scanned the full system with avast and MBAM Pro and they detected nothing (in normal boot-up mode). Does this mean I am in the clear?

Offline Pondus
Re: Please help, Trojan horse from nowhere
« Reply #4 on: August 15, 2012, 06:06:40 AM »
Quote
Does this mean I am in the clear?
Follow the guide and attach (not copy and paste) logs from Malwarebytes / OTL / aswMBR:
http://forum.avast.com/index.php?topic=53253.0

kevbeck
Re: Please help, Trojan horse from nowhere
« Reply #5 on: August 15, 2012, 06:08:48 AM »
Quote from: DavidR
If this is an old file (been on your system for some time without problem ?) then it could be a possible FP from an update in the virus signatures that now detects it. The file type indicates it is a dump file as a result of an error using the main WER2142 file.

Before I would contemplate the generation of these logs, I would scan this file for confirmation that it is a good detection or otherwise.

Check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here, post the URL in the Address bar of the VT results page. You can't do this with the file securely in the chest, you need to Open the chest and right click on the file and select 'Extract' it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive. Now exclude that folder in the File System Shield, Expert Settings, Exclusions, Add, type (or copy and paste) C:\Suspect\*
That will stop the File System Shield scanning any file you put in that folder.



I am unable to locate the file on my system. Can you tell me how to locate this in order to run it through an online virus scanner? I may have misunderstood. Please break it down for my simple mind :/

Offline DavidR
Re: Please help, Trojan horse from nowhere
« Reply #6 on: August 15, 2012, 03:01:42 PM »
You already gave the location of this file in your first post, it is in the avast virus chest and my instructions indicate you should start by opening the avast chest and then extract the file (right click the file in the chest and select extract) to a temporary location.

This temporary location is also explained, plus the fact that you need to exclude it, otherwise avast will probably alert when you extract the file from the chest into that location. I don't know of any other way to explain it other than as I already have.

Did you Open the chest and was the file there ?
See image example showing the chest being Open (selected by right clicking it) and the drop down menu with the options, the Extract one is the one you use.

If you couldn't find c:\users\Computer1\AppData\Local\Temp\, this folder may be hidden, so you need to change the windows explorer Tools > Folder Options > View > and check the Show hidden files and folders option. But as you sent it to the chest it shouldn't be in that location anyway.

kevbeck
Re: Please help, Trojan horse from nowhere
« Reply #7 on: August 25, 2012, 06:11:59 AM »
Quote from: DavidR
If this is an old file (been on your system for some time without problem ?) then it could be a possible FP from an update in the virus signatures that now detects it. The file type indicates it is a dump file as a result of an error using the main WER2142 file.

Before I would contemplate the generation of these logs, I would scan this file for confirmation that it is a good detection or otherwise.

Check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here, post the URL in the Address bar of the VT results page. You can't do this with the file securely in the chest, you need to Open the chest and right click on the file and select 'Extract' it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive. Now exclude that folder in the File System Shield, Expert Settings, Exclusions, Add, type (or copy and paste) C:\Suspect\*
That will stop the File System Shield scanning any file you put in that folder.



I know this response is late, but I haven't had much time to ensure my system is safe to use and free of malware. I would like to know first: if I extract the file to a temp location, could this cause my system to become reinfected, or simply affected by the trojan if it is not a FP?

Also, I want to make sure my computer is fully clean, is it required for me to access the registry and delete info there?

I know in the "infected/malware/worms" section on these forums it offers a guideline to removing infections, but where do the programs mentioned come from and what company creates them - rogue killer... etc...?
« Last Edit: August 25, 2012, 06:15:39 AM by kevbeck »

Offline DavidR
Re: Please help, Trojan horse from nowhere
« Reply #8 on: August 25, 2012, 12:56:46 PM »
1. For a system to become reinfected, the malware has to be active, for that to happen it would have to be in its original location or any command or program trying to run it wouldn't know where to find it. That is the whole point of NOT using Restore as that sends it back to the original location.

There are times in your life when you have to trust that some people have your best interests at heart and wouldn't be asking you to do something that was harmful (if there is any risk involved that would generally be mentioned). This is why you need to know those helping you are qualified malware removal specialists, and not someone with half a dozen posts. Anyone trying to help of unknown ability is usually jumped on by regular forum members, avast! Evangelists or avast! Überevangelists.

2. Generally it isn't necessary to do anything in the registry manually, but there may be rare occasions that it may be necessary (no one can say it isn't required ever), but should it be necessary then it would be explained what you had to do.

3. For the most part the tools are either made by time served malware fighters or have been found and tested by malware removal specialists and again they aren't going to suggest using something that is malicious or untested.
