Delta009
2007-01-27, 21:00
I scanned my computer with both Spybot S&D and Ad-Aware recently.
Each time I ran a scan, Spybot detected Bifrose.LA and Fake.Wget. Ad-Aware detected W32.TrojanDownloader.Agent.AM.
It looked like they were part of the same malware.
Now, Spybot doesn't detect Bifrose.LA or Fake.Wget (it took a few scans to remove them). However, Ad-Aware still detects W32.TrojanDownloader.Agent.AM, and I know (because I searched on the Internet) that it is part of the same malware as Bifrose.
Please help me!
P.S.: I just downloaded "Trojan.Bifrose Removal Tool" from http://www.winternal.org/modules.php?name=Downloads&d_op=viewdownload&cid=9
I don't know this program or whether it is trustworthy, but this is its scan log (some of the detected files might be false positives):
Trojan.Bifrose Removal Tool
Current Build: 1.0.0.1
Infection Check Date: 1/27/2007
Inftection Check Time: 13:36:27
SCANNING LOCAL REGISTRY FOR VALUES:
--------------------------------------------------------------------------------------------------------------
Registry Value [HKLM\..\Run - startkey] does not exist...
Registry Value [HKLM\..\Run - svchost.exe] does not exist...
Registry Value [HKLM\..\Run - mysql] does not exist...
Registry Value [HKLM\..\Run - msmautoprotect] does not exist...
Registry Value [HKLM\..\Run - system] does not exist...
Registry Value [HKLM\..\{9B71D88C-C598-4935-C5D1-43AA4DB90836} - stubpath] does not exist...
Registry Value [HKLM\..\{A5CDF7EC-751B-46aa-AD69-4005FE080DE8} - stubpath] does not exist...
Registry Value [HKCU\..\Run - startkey] does not exist...
Registry Value [HKCU\..\Run - svchost.exe] does not exist...
Registry Value [HKCU\..\Run - mysql] does not exist...
Registry Value [HKCU\..\Run - msmautoprotect] does not exist...
Registry Value [HKCU\..\Run - system] does not exist...
Registry Value [HKCU\..\Run - StartUpDate] does not exist...
Registry Value [HKLM\..\Run - QuickTime Task] does not exist...
Registry Value [HKCU\..\Run - ShutdownWithoutLjiasvt.exe] does not exist...
CHECKING LOCAL REGISTRY FOR KEYS:
--------------------------------------------------------------------------------------------------------------
Registry Key [HKLM\Software\Wget] does not exist...
Registry Key [HKLM\Software\SKav] does not exist...
Registry Key [HKLM\Software\SKavx] does not exist...
Registry Key [HKCU\Software\Wget] does not exist...
Registry Key [HKCU\Software\SKav] does not exist...
Registry Key [HKCU\Software\SKavx] does not exist...
SCANNING LOCAL DRIVES FOR FILES:
--------------------------------------------------------------------------------------------------------------
File [C:\WINDOWS\System.exe] does not exist...
File [C:\WINDOWS\system\System.exe] does not exist...
File [C:\WINDOWS\system32\System.exe] does not exist...
File [C:\WINDOWS\xmchai.exe] does not exist...
File [C:\WINDOWS\system\xmchai.exe] does not exist...
File [C:\WINDOWS\system32\xmchai.exe] does not exist...
File [C:\WINDOWS\server.exe] does not exist...
File [C:\WINDOWS\system\server.exe] does not exist...
File [C:\WINDOWS\system32\server.exe] does not exist...
File [C:\WINDOWS\lsass.exe] does not exist...
File [C:\WINDOWS\system\lsass.exe] does not exist...
Suspect File [C:\WINDOWS\system32\lsass.exe] has been found!!
File [C:\WINDOWS\mysql.exe] does not exist...
File [C:\WINDOWS\system\mysql.exe] does not exist...
File [C:\WINDOWS\system32\mysql.exe] does not exist...
File [C:\WINDOWS\SERVER29-3C-ASPR.exe] does not exist...
File [C:\WINDOWS\system\SERVER29-3C-ASPR.exe] does not exist...
File [C:\WINDOWS\system32\SERVER29-3C-ASPR.exe] does not exist...
File [C:\WINDOWS\msmssgs.exe] does not exist...
File [C:\WINDOWS\system\msmssgs.exe] does not exist...
File [C:\WINDOWS\system32\msmssgs.exe] does not exist...
File [C:\WINDOWS\winampxp.exe] does not exist...
File [C:\WINDOWS\system\winampxp.exe] does not exist...
File [C:\WINDOWS\system32\winampxp.exe] does not exist...
File [C:\WINDOWS\plugin1.dat] does not exist...
File [C:\WINDOWS\system\plugin1.dat] does not exist...
File [C:\WINDOWS\system32\plugin1.dat] has been found!!
File [C:\WINDOWS\drivers\oreans32.sys] does not exist...
File [C:\WINDOWS\system\drivers\oreans32.sys] does not exist...
File [C:\WINDOWS\system32\drivers\oreans32.sys] does not exist...
File [C:\WINDOWS\SysPr.prx] does not exist...
File [C:\WINDOWS\system\SysPr.prx] does not exist...
File [C:\WINDOWS\system32\SysPr.prx] does not exist...
File [C:\WINDOWS\filenameplugin.dat] does not exist...
File [C:\WINDOWS\system\filenameplugin.dat] does not exist...
File [C:\WINDOWS\system32\filenameplugin.dat] does not exist...
File [C:\svchost.exe] has been found!!
File [C:\pligde.exe] does not exist...
File [C:\WINDOWS\System.exe] does not exist...
File [C:\WINDOWS\explorer.scf] has been found!!
File [C:\Documents and Settings\Mathieu\Local Settings\systemlogin.exe] does not exist...
File [C:\Documents and Settings\Mathieu\Local Settings\jiasvt.exe] does not exist...
File [C:\Documents and Settings\Mathieu\Local Settings\pligde.exe] does not exist...
File [C:\Documents and Settings\Mathieu\Local Settings\pligde.dat] does not exist...
File [C:\Documents and Settings\Mathieu\Local Settings\SysPr.prx] does not exist...
File [C:\Windows\SERVER29-3C-ASPR.EXE] does not exist...
CHECKING FOR RUNNING PROCESS'S:
--------------------------------------------------------------------------------------------------------------
Suspect Process [lsass.exe] has been found!!
Suspect Process [svchost.exe] has been found!!
--------------------------------------------------------------------------------------------------------------
SCAN COMPLETE!
End Time: 13:36:34
Scan Time: Approximately 7 Seconds
Scan Infection Status: No Immediate Signs Of Infection Found, Only Suspect Files Found...