Author Topic: Help plz! Win32:Bifrose-DYG [Trj]  (Read 4668 times)


zloyeb

  • Guest
Help plz! Win32:Bifrose-DYG [Trj]
« on: February 28, 2009, 06:32:18 PM »
Hi,

First of all, I am not familiar with viruses, threats and such things, so I need your help; don't mind me for being a noob.

The problem is that I keep getting the same virus alert from Win32:Bifrose-DYG [trj]; actually it seems
like it is creating random .exe files such as qj.exe, wn.exe, yy.exe, gp.exe ... and sometimes
it finds them in the Temp IE5 folder.
Here I'll copy my log file for you; you'll probably figure this out better.

Quote
21/Feb/09 15:47:06   SYSTEM   1416   Sign of "HTML:Agent-L [Expl]" has been found in "http://85.17.52.45/pay/enter.php?id=2" file. 
25/Feb/09 22:54:52   SYSTEM   1676   Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\Documents and Settings\All Users\Documents\tunrdj.exe" file. 
26/Feb/09 00:34:02   SYSTEM   1676   Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\system32\mf.exe" file. 
26/Feb/09 17:20:01   SYSTEM   1676   Sign of "Win32:Bifrose-DYG [trj]" has been found in "C:\WINDOWS\system32\yy.exe" file. 
26/Feb/09 20:20:52   SYSTEM   1676   Sign of "Win32:Bifrose-DYG [trj]" has been found in "C:\WINDOWS\system32\gp.exe" file. 
26/Feb/09 22:59:12   SYSTEM   1676   Sign of "Win32:Bifrose-DYG [trj]" has been found in "C:\WINDOWS\system32\dv.exe" file. 
27/Feb/09 01:26:27   SYSTEM   1676   Sign of "Win32:Bifrose-DYG [trj]" has been found in "C:\WINDOWS\system32\wn.exe" file. 
27/Feb/09 03:47:48   SYSTEM   1676   Sign of "Win32:Bifrose-DYG [trj]" has been found in "C:\WINDOWS\system32\cl.exe" file. 
28/Feb/09 18:02:35   LOCAL SERVICE   1672   Sign of "Win32:Bifrose-DYG [trj]" has been found in "C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\NFOF3K15\z[1]" file. 
28/Feb/09 18:03:03   LOCAL SERVICE   1672   Sign of "Win32:Bifrose-DYG [trj]" has been found in "C:\WINDOWS\system32\qj.exe" file. 
28/Feb/09 18:24:00   LOCAL SERVICE   1672   Sign of "Win32:Bifrose-DYG [trj]" has been found in "C:\WINDOWS\system32\eu.exe" file. 
 
There is a Rootkit-gen as well, but I successfully resolved that problem with a boot-scan.

Although avast finds those .exe files and I delete them ASAP, they keep popping up over and over again, the same Bifrose virus.
I haven't found anything useful on the web about how to solve this problem and I really need your assistance, because it is
very annoying having virus alerts popping up XX times a day. Sometimes I have only one alert per day and today I had like 15.

Help me get rid of this Bifrose for good from my system, please!

Sorry for my English and thanks in advance!
« Last Edit: February 28, 2009, 06:44:08 PM by zloyeb »
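As an added illustration (not part of the original thread), this Python script parses avast log lines of the shape shown above and groups them per signature. It flags a signature as "recurring" when it is found under several short, random-looking .exe names, the pattern that points to a hidden dropper re-creating the files rather than a single stray file. The log lines embedded in it are a constructed subset modelled on the post, not the poster's full log.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format of the avast log quoted in the post (not the full log).
SAMPLE_LOG = r"""
26/Feb/09 00:34:02   SYSTEM   1676   Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\system32\mf.exe" file.
26/Feb/09 17:20:01   SYSTEM   1676   Sign of "Win32:Bifrose-DYG [trj]" has been found in "C:\WINDOWS\system32\yy.exe" file.
27/Feb/09 01:26:27   SYSTEM   1676   Sign of "Win32:Bifrose-DYG [trj]" has been found in "C:\WINDOWS\system32\wn.exe" file.
28/Feb/09 18:02:35   LOCAL SERVICE   1672   Sign of "Win32:Bifrose-DYG [trj]" has been found in "C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\NFOF3K15\z[1]" file.
28/Feb/09 18:03:03   LOCAL SERVICE   1672   Sign of "Win32:Bifrose-DYG [trj]" has been found in "C:\WINDOWS\system32\qj.exe" file.
"""

# One avast log line: timestamp, account, pid, signature name, detected path.
LINE_RE = re.compile(
    r'^(?P<ts>\d{2}/\w{3}/\d{2} \d{2}:\d{2}:\d{2})\s+(?P<acct>.+?)\s+(?P<pid>\d+)\s+'
    r'Sign of "(?P<sig>[^"]+)" has been found in "(?P<path>[^"]+)" file\.'
)
# Two-letter random names like qj.exe / wn.exe / yy.exe are the dropper's naming pattern.
DROPPED_NAME = re.compile(r"^[a-z]{2}\.exe$", re.I)


def parse_log(text):
    """Return a list of detection events (dicts) parsed from avast log text."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%y %H:%M:%S")
            events.append(ev)
    return events


def triage(events):
    """Summarise detections per signature and flag signatures that keep reappearing under new names."""
    by_sig = defaultdict(list)
    for ev in events:
        by_sig[ev["sig"]].append(ev)
    report = {}
    for sig, evs in by_sig.items():
        paths = {ev["path"] for ev in evs}
        random_named = sorted(p for p in paths if DROPPED_NAME.match(p.rsplit("\\", 1)[-1]))
        # A copy in the browser cache means the file was downloaded again, not just restored.
        downloaded = sorted(p for p in paths if "Temporary Internet Files" in p)
        report[sig] = {
            "detections": len(evs),
            "distinct_files": len(paths),
            "random_named": random_named,
            "downloaded_copies": downloaded,
            "recurring": len(random_named) >= 2,
        }
    return report


if __name__ == "__main__":
    for sig, info in triage(parse_log(SAMPLE_LOG)).items():
        print(sig, info)
```

A "recurring" signature with cache hits is the case DavidR describes below: deleting the detected file is not enough, because the component that downloads it is still present.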

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88900
  • No support PMs thanks
Re: Help plz! Win32:Bifrose-DYG [Trj]
« Reply #1 on: February 28, 2009, 07:46:53 PM »
If it keeps coming back, there is likely to be an undetected or hidden element to the infection that restores or downloads the file again. What is your firewall?

If you haven't already got this software (freeware), download, install, update and run it, preferably in safe mode, and report the findings (it should produce a log file).
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33892
  • malware fighter
Re: Help plz! Win32:Bifrose-DYG [Trj]
« Reply #2 on: February 28, 2009, 09:02:35 PM »
Hi zloyeb,

Consider this info: http://www.threatexpert.com/report.aspx?md5=fa3edac08e58f243c6fee96c934e525a
The manual removal instructions:
Step 1 : Use Windows File Search Tool to Find Backdoor.Bifrose Path

   1. Go to Start > Search > All Files or Folders.
   2. In the "All or part of the file name" section, type in "Backdoor.Bifrose" file name(s).
   3. To get better results, select "Look in: Local Hard Drives" or "Look in: My Computer" and then click "Search" button.
   4. When Windows finishes your search, hover over the "In Folder" of "Backdoor.Bifrose", highlight the file and copy/paste the path into the address bar. Save the file's path on your clipboard because you'll need the file path to delete Backdoor.Bifrose in the following manual removal steps.

Step 2 : Use Windows Task Manager to Remove Backdoor.Bifrose Processes

   1. To open the Windows Task Manager, use the combination of CTRL+ALT+DEL or CTRL+SHIFT+ESC.
   2. Click on the "Image Name" button to search for "Backdoor.Bifrose" process by name.
   3. Select the "Backdoor.Bifrose" process and click on the "End Process" button to kill it.
   4. Remove the "Backdoor.Bifrose" processes files:

msconf.exe
~565.exe
ap0.exe
ap2.exe
backdoor.bifrose.a.exe
xvid-1.0.3-beta3-setup.exe
backdoor.bifrose.a_(319).exe

Step 3 : Use Registry Editor to Remove Backdoor.Bifrose Registry Values

   1. To open the Registry Editor, go to Start > Run > type regedit and then press the "OK" button.
   2. Locate and delete the entry or entries whose data value (in the rightmost column) is the spyware file(s) detected earlier.
   3. To delete "Backdoor.Bifrose" value, right-click on it and select the "Delete" option.
   4. Locate and delete "Backdoor.Bifrose" registry entries:

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run startkey
HKEY_LOCAL_MACHINE\software\xvid
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\xvid

Step 4 : Use Windows Command Prompt to Unregister Backdoor.Bifrose DLL Files

   1. To open the Windows Command Prompt, go to Start > Run > type cmd and then click the "OK" button.
   2. Type "cd" in order to change the current directory, press the "space" button, enter the full path to where you believe the Backdoor.Bifrose DLL file is located and press the "Enter" button on your keyboard. If you don't know where Backdoor.Bifrose DLL file is located, use the "dir" command to display the directory's contents.
   3. To unregister the "Backdoor.Bifrose" DLL file, type in the exact directory path + "regsvr32 /u" + [DLL_NAME] (for example, C:\Spyware-folder\> regsvr32 /u Backdoor.Bifrose.dll) and press the "Enter" button. A message will pop up that says you successfully unregistered the file.
   4. Search and unregister "Backdoor.Bifrose" DLL files:
pxwma.dll
system.dll

Step 5 : Detect and Delete Other Backdoor.Bifrose Files

   1. To open the Windows Command Prompt, go to Start > Run > type cmd and then press the "OK" button.
   2. Type in "dir /A name_of_the_folder" (for example, C:\Spyware-folder), which will display the folder's contents, including hidden files.
   3. To change directory, type in "cd name_of_the_folder".
   4. Once you have the file you're looking for type in "del name_of_the_file".
   5. To delete a file in folder, type in "del name_of_the_file".
   6. To delete the entire folder, type in "rmdir /S name_of_the_folder".
   7. Select the "Backdoor.Bifrose" process and click on the "End Process" button to kill it.
   8. Remove the "Backdoor.Bifrose" processes files:

pxwma.dll
system.dll
msconf.exe
~565.exe
ap0.exe
ap2.exe
backdoor.bifrose.a.exe
xvid-1.0.3-beta3-setup.exe
backdoor.bifrose.a_(319).exe
uninstall.lnk


polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!