Author Topic: Backdoor.win32.Bifrose.aej HELP!!  (Read 10133 times)


Echoen

  • Guest
Backdoor.win32.Bifrose.aej HELP!!
« on: August 11, 2007, 12:04:40 PM »
I am running Windows Vista on an Asus g2s-a1 laptop.
World of Warcraft is telling me that it has detected the trojan Backdoor.win32.bifrose.aej
NO scanners or antivirus programs have detected it or located it.
I have spent the past 3 hours googling and researching online everything I can about it. I've come up with nearly squat.
No advice, no suggestions, and no 'past fixes' have worked or have been any help.


I desperately need some help on getting rid of this trojan. I have done everything!

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88899
  • No support PMs thanks
Re: Backdoor.win32.Bifrose.aej HELP!!
« Reply #1 on: August 11, 2007, 02:57:31 PM »
What is your firewall ?

I would probably be a little suspect of World of Warcraft reporting a backdoor trojan, how can it tell what is on your system ?
Have you visited the WoW forum to see if others are suffering similar issues?

http://forums.wow-europe.com/thread.html?topicId=282518345&sid=1
http://faq.wow-europe.com/en/article.php?id=1149

In the meantime you could check with some anti-spyware tools.
If you haven't already got this software (freeware), download, install, update and run it, preferably in safe mode.
AVG anti-spyware (formerly Ewido). Or SUPERantispyware Or Spyware Terminator.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Backdoor.win32.Bifrose.aej HELP!!
« Reply #2 on: August 11, 2007, 08:49:30 PM »
Quote
I would probably be a little suspect of World of Warcraft reporting a backdoor trojan, how can it tell what is on your system ?

Online games now scan for malware: both game cheats and password stealing Trojans.

Quote
I have spent the past 3 hours googling and researching online everything I can about it. I've come up with nearly squat.

I just spent 3 minutes Googling and came up with the answers:  8)

http://forums.worldofwarcraft.com/thread.html?topicId=383468716&sid=1

http://www.blizzard.com/support/wow/?id=aww02119p
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Echoen

  • Guest
Re: Backdoor.win32.Bifrose.aej HELP!!
« Reply #3 on: August 11, 2007, 09:05:13 PM »
When I say that I've come up with nearly squat, it means that what I did find did not work. Neither of the 'answers' in those links worked. None of them did, and there's been a lot.

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88899
  • No support PMs thanks
Re: Backdoor.win32.Bifrose.aej HELP!!
« Reply #4 on: August 11, 2007, 09:18:29 PM »
Have you run the other anti-spyware options given ?

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Backdoor.win32.Bifrose.aej HELP!!
« Reply #5 on: August 11, 2007, 09:48:36 PM »
If no AV scanner is detecting it, then it must be a new variant.

Your options are to have a look for suspicious files, possibly in the location mentioned in the forum post I found previously:

Quote
I have found a copy of this backdoor keylogger. There is only one variation on this backdoor which is an executable file placed inside C:/Program Files/ and is named "howtodo.exe".

You can submit any suspicious files to VirusTotal for analysis.

Your next option is to contact the World of Warcraft technical support people: they seem eager to help you:

Quote
If this guide did not resolve your issue, please visit our online email webform to contact us.

Echoen

  • Guest
Re: Backdoor.win32.Bifrose.aej HELP!!
« Reply #6 on: August 12, 2007, 11:36:23 AM »
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 2:17:49 AM, on 8/12/2007
Platform: Windows Vista  (WinNT 6.00.1904)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\ChkMail\ChkMail\ChkMail.exe
C:\Program Files\ASUS\ATK Media\DMedia.exe
C:\Windows\ASScrPro.exe
C:\Program Files\ASUS\ASUS Direct Console\LCMP.exe
C:\Program Files\ASUS\ASUS Direct Console\D3DCheck.exe
C:\Program Files\Winamp\winampa.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\SetPoint\SetPoint.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\ASUS\ASUS Live Update\ALU.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Apoint2K\HidFind.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Apoint2K\Apvfb.exe
C:\Users\Balros\Desktop\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.asus.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Suggest - {5A263CF7-56A6-4D68-A8CF-345BE45BC911} - C:\Program Files\Yahoo!\Search\YSearchSuggest.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [ChkMail] C:\Program Files\ChkMail\ChkMail\ChkMail.exe
O4 - HKLM\..\Run: [ATKMEDIA] C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
O4 - HKLM\..\Run: [PowerForPhone] C:\Program Files\PowerForPhone\PowerForPhone.exe
O4 - HKLM\..\Run: [ASUS Screen Saver Protector] C:\Windows\ASScrPro.exe
O4 - HKLM\..\Run: [DirectMessenger] "C:\Program Files\ASUS\ASUS Direct Console\LCMP.EXE"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [{E8519905-072E-374F-38A4-F9611BD7564A}] C:\Users\Balros\AppData\Roaming\msnplus.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe
O4 - Global Startup: SetPoint.lnk = C:\Program Files\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: ADSM Service (ADSMService) - Unknown owner - C:\Program Files\ASUS\ASUS Data Security Manager\ADSMSrv.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASLDR Service (ASLDRService) - Unknown owner - C:\Program Files\ATK Hotkey\ASLDRSrv.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: ATKGFNEX Service (ATKGFNEXSrv) - Unknown owner - C:\Program Files\ATKGFNEX\GFNEXSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: spmgr - Unknown owner - C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe

--
End of file - 8684 bytes


Also, I have found this NvScv. I am very sure it is a trojan because that's what googling it says. I don't know how best to get rid of it, though!

Echoen

  • Guest
Re: Backdoor.win32.Bifrose.aej HELP!!
« Reply #7 on: August 12, 2007, 11:37:10 AM »
Never mind! It's NvSvc, which apparently could either be a trojan or an nVidia thing.

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Backdoor.win32.Bifrose.aej HELP!!
« Reply #8 on: August 12, 2007, 12:03:40 PM »
Possibly malicious:

O4 - HKLM\..\Run: [ASUS Screen Saver Protector] C:\Windows\ASScrPro.exe

http://www.greatis.com/appdata/d/a/asscrpro.exe.htm

O4 - HKCU\..\Run: [{E8519905-072E-374F-38A4-F9611BD7564A}] C:\Users\Balros\AppData\Roaming\msnplus.exe

http://www.castlecops.com/s5722-msnplus_exe.html

Unknown:

O23 - Service: ASLDR Service (ASLDRService) - Unknown owner - C:\Program Files\ATK Hotkey\ASLDRSrv.exe

O23 - Service: ATKGFNEX Service (ATKGFNEXSrv) - Unknown owner - C:\Program Files\ATKGFNEX\GFNEXSrv.exe

Please disable 'Hide protected operating system files' and enable 'View Hidden Files and Folders', and upload the above files to VirusTotal for analysis.

Post the results here.
« Last Edit: August 12, 2007, 12:08:36 PM by FreewheelinFrank »
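Frank's triage above is done by eye: a Run entry whose name is a bare GUID, an executable launched from the user's AppData folder, an .exe sitting directly in C:\Windows rather than in System32, and services with an unknown owner or a missing file. As an added illustration (not code from this thread, from HijackThis, or from any of the posters), the following Python script applies those same heuristics to HijackThis-style O4 and O23 lines. The sample lines are constructed from the log posted above; the function and regex names are my own.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample: HijackThis-style lines modelled on the log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ASUS Screen Saver Protector] C:\Windows\ASScrPro.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKCU\..\Run: [{E8519905-072E-374F-38A4-F9611BD7564A}] C:\Users\Balros\AppData\Roaming\msnplus.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O23 - Service: ASLDR Service (ASLDRService) - Unknown owner - C:\Program Files\ATK Hotkey\ASLDRSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
"""

# Line shapes as HijackThis prints them (hypothetical regexes, written for this example).
O4_RE = re.compile(r"^O4 - (?P<hive>HK\S*?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
# Heuristics that mirror the points raised in the thread.
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
PROFILE_RE = re.compile(
    r"\\(Users\\[^\\]+\\AppData|Documents and Settings\\[^\\]+\\Application Data)\\", re.I)
WINROOT_RE = re.compile(r"^[a-z]:\\Windows\\[^\\]+\.exe$", re.I)  # .exe directly in C:\Windows
IMAGE_RE = re.compile(r"^(.*?\.(?:exe|dll))\b", re.I)


@dataclass
class Finding:
    kind: str          # "O4" (autorun) or "O23" (service)
    name: str
    path: str
    reasons: list      # which heuristics fired


def image_path(cmd: str) -> str:
    """Best-effort extraction of the executable or DLL a Run entry launches."""
    cmd = cmd.strip()
    if cmd.upper().startswith("RUNDLL32.EXE "):
        cmd = cmd[len("RUNDLL32.EXE "):]   # the interesting module is the DLL, not rundll32
    cmd = cmd.lstrip('"')
    m = IMAGE_RE.match(cmd)
    if m:
        return m.group(1)
    return cmd.split()[0] if cmd else ""


def triage(log_text: str) -> list[Finding]:
    """Return only the O4/O23 entries that trip at least one heuristic."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            name, path = m["name"], image_path(m["cmd"])
            reasons = []
            if GUID_RE.match(name):
                reasons.append("guid-name")          # value name is a bare GUID
            if PROFILE_RE.search(path):
                reasons.append("user-profile-path")  # launched from a user-writable profile dir
            if WINROOT_RE.match(path):
                reasons.append("windows-root")       # executable dropped straight into C:\Windows
            if reasons:
                findings.append(Finding("O4", name, path, reasons))
            continue
        m = O23_RE.match(line)
        if m:
            reasons = []
            if m["owner"] == "Unknown owner":
                reasons.append("unknown-owner")      # HijackThis could not attribute a publisher
            if m["path"].endswith("(file missing)"):
                reasons.append("file-missing")       # orphaned service entry
            if reasons:
                findings.append(Finding("O23", m["name"], m["path"], reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind} [{f.name}] {f.path} -> {', '.join(f.reasons)}")
```

The script only shortlists entries for a hash lookup at VirusTotal, as Frank asks for next; it does not decide anything. The thread itself shows why: the C:\Windows\ASScrPro.exe entry is flagged by the location heuristic yet came back clean, while the GUID-named msnplus.exe in AppData\Roaming was the Bifrose sample.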

Echoen

  • Guest
Re: Backdoor.win32.Bifrose.aej HELP!!
« Reply #9 on: August 12, 2007, 09:10:19 PM »
Freewheelin, this is one of the most helpful replies I've ever gotten! Thank you so much!

Okay. Here are some specs.

O4 - HKLM\..\Run: [ASUS Screen Saver Protector] C:\Windows\ASScrPro.exe
VirusTotal reported nothing.

O4 - HKCU\..\Run: [{E8519905-072E-374F-38A4-F9611BD7564A}] C:\Users\Balros\AppData\Roaming\msnplus.exe
VirusTotal says
Antivirus     Version     Last Update     Result
AhnLab-V3   2007.8.9.2   2007.08.10   -
AntiVir   7.4.0.60   2007.08.12   BDS/Bifrose.NU
Authentium   4.93.8   2007.08.11   -
Avast   4.7.1029.0   2007.08.12   -
AVG   7.5.0.476   2007.08.12   BackDoor.Generic7.QAA
BitDefender   7.2   2007.08.12   MemScan:Backdoor.Bifrose.NQ
CAT-QuickHeal   9.00   2007.08.11   -
ClamAV   0.91   2007.08.12   Trojan.Pakes-248
DrWeb   4.33   2007.08.12   -
eSafe   7.0.15.0   2007.08.10   -
eTrust-Vet   31.1.5050   2007.08.11   -
Ewido   4.0   2007.08.12   -
FileAdvisor   1   2007.08.12   -
Fortinet   2.91.0.0   2007.08.12   -
F-Prot   4.3.2.48   2007.08.10   -
F-Secure   6.70.13030.0   2007.08.12   -
Ikarus   T3.1.1.12   2007.08.12   -
Kaspersky   4.0.2.24   2007.08.12   -
McAfee   5095   2007.08.10   BackDoor-CEP.svr
Microsoft   1.2704   2007.08.12   -
NOD32v2   2453   2007.08.12   -
Norman   5.80.02   2007.08.10   -
Panda   9.0.0.4   2007.08.12   Generic Backdoor
Prevx1   V2   2007.08.12   -
Rising   19.35.62.00   2007.08.12   -
Sophos   4.20.0   2007.08.12   -
Sunbelt   2.2.907.0   2007.08.11   VIPRE.Suspicious
Symantec   10   2007.08.12   -
TheHacker   6.1.7.167   2007.08.12   -
VBA32   3.12.2.2   2007.08.11   -
VirusBuster   4.3.26:9   2007.08.12   -
Webwasher-Gateway   6.0.1   2007.08.12   Trojan.Bifrose.NU
Additional information
File size: 1240957 bytes
MD5: f7c0a4d37c932577855edea7e1b16278
SHA1: 12a1200cf9d98f10fe73d5067ec1315f2c03fdfb
packers: Themida
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.

What is the best way to get rid of it? And I am equally suspicious because I have not installed MSN on this machine. And it is showing the word Bifrose, which is a very key word in my trojan!



O23 - Service: ASLDR Service (ASLDRService) - Unknown owner - C:\Program Files\ATK Hotkey\ASLDRSrv.exe
VirusTotal showed nothing wrong


O23 - Service: ATKGFNEX Service (ATKGFNEXSrv) - Unknown owner - C:\Program Files\ATKGFNEX\GFNEXSrv.exe
VirusTotal showed nothing wrong.


Should I give you another HijackThis log? I disabled the hidden files like you asked.

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Backdoor.win32.Bifrose.aej HELP!!
« Reply #10 on: August 12, 2007, 11:05:16 PM »
Run HijackThis again, tick the box next to this entry and click 'fix':

O4 - HKCU\..\Run: [{E8519905-072E-374F-38A4-F9611BD7564A}] C:\Users\Balros\AppData\Roaming\msnplus.exe

Reboot and delete the file.

And/or try the Bitdefender scanner:

BitDefender

Echoen

  • Guest
Re: Backdoor.win32.Bifrose.aej HELP!!
« Reply #11 on: August 13, 2007, 04:54:18 AM »
IT WORKED!

Thank you so much, FreewheelinFrank! Your advice was very helpful and it WORKED. I now know what to do and who to come to if something like this happens again :)

You rock!

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Backdoor.win32.Bifrose.aej HELP!!
« Reply #12 on: August 14, 2007, 03:59:25 AM »
Quote
I now know what to do and who to come to if something like this happens again :)
And where to come...
Welcome to avast forums 8)
The best things in life are free.