PDA

View Full Version : Have this bug that won't go away bifrose.la



jwhite68
2006-09-21, 06:20
I recently upgraded from win 2000 to win xp pro. I was not seeing any problems till the upgrade. One of the things I noticed was a slow response from my computer. I have a custom build computer with a Athlon xp 2500+, 512 MB of ddr333 ram, three 80GB hard drives, Nvidia GeForce 5200 vid card. I have run spybot and noticed the bifrose.la and Fake.wget bugs. I fixed the problem but every time I restart they showup again. So I tried a different approach and restarted the computer in safe mode and ran spybot again. I found the problems and fixed them but they keep showing up. I did run Hijackthis and a report is attached. I have also tried to eliminate the problem with Ewido, and it did not fix the problem. I saw a previous post refering to the bifrose.la that refers to a file systemhosts.exe but this file is not on my system.

LonnyRJones
2006-09-24, 11:27
Welcome to the forum

Start Hijackthis and place a check next to these items If there.
O2 - BHO: (no name) - {259F616C-A300-44F5-B04A-ED001A26C85C} - (no file)
O4 - HKLM\..\Run: [startkey] C:\svchost.exe
O4 - HKCU\..\Run: [startkey] C:\svchost.exe
====================================
Hit fix checked and close Hijackthis.
Restart the PC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Run SpyBot update then check for and fix any problems found.

Do a full scan with your Updated antivirus program.

Post a fresh hijackthis log please, be sure to mention any current problems.

jwhite68
2006-09-27, 02:25
I did everything you told me to, but the bug is still there. I was suspicious of

that svchost.exe entry, but I was not sure what it was. I have a few more

reports for you to look at. That entry was removed, but some script or

program keeps placing it back it the registry. I just want to figure out were

this file is so I can destroy it. There are three logs one is a netstat report of

processes and the files associated with them. The second and third are

hijackthis reports. Hopefully you might find something that I don't see.

Thanks for the help. By the way I have several computers, so I leave the

infected one off most of the time and it is never connected to the network.

Hopefully this will limit the amount of damage done to the filesystem or my

network for that matter.



Sorry about the zip file, the original txt file was too big to attach the way it was. The startup list is a complete listing.

LonnyRJones
2006-09-27, 03:11
Launch Notepad (not wordpad), and copy and paste the contents of the code box below into a new text file.
Save it as file name: "fixme.reg" (not including the quotes). Save as file type: All files (*.*) and save it on your Desktop.


REGEDIT4
;
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"startkey"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9B71D88C-C598-4935-C5D1-43AA4DB90836}]

Now double-click on the fixme.reg file you saved and click on the Yes button when it asks if you would like to merge the information. Once you get a successful message delete fixme.reg.

Restart your PC.

Zip up and send this file to me C:\svchost.exe please
Send it to submitlonnyATsubratam.org
Replace AT with @ , then include a link back to this thread.
C:\svchost.exe < delete the file

Run SpyBot check for and fix any problems found.


Let me know of any problems

LonnyRJones
2006-09-27, 22:59
Thanks for sending that.
Ive farwarded to the detections team
Please do submit the sample to your antivirus vendor.

This variant is Not well detected
9/27/2006
Jotties online scan
File: svchost.exe
Status: POSSIBLY INFECTED/MALWARE (Note: this file was only flagged as malware by heuristic detection(s). This might be a false positive. Therefore, results of this scan will not be stored in the database)
MD5 991c19ffbc6c7ec6952aa893e6d46cba
Packers detected: OBSIDIUM
Scanner results
AntiVir Found Heuristic/Crypted (probable variant)
VBA32 Found Trojan-Downloader.Agent.11 (probable variant)
=============================================================

Delete its related files if you havent already
C:\SysPr.prx
C:\WINDOWS\system32\plugin1.dat

tashi
2006-10-05, 00:11
This topic has been closed to prevent others with similar issues posting in it.
If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread.

Applies only to the original topic starter.