
backdoor.bifrose infection


  • This topic is locked
2 replies to this topic

#1 antonf

antonf

  • Members
  • 2 posts
  • OFFLINE
  • Location:Australia
  • Local time:06:15 PM

Posted 24 February 2009 - 02:49 AM

Hi all. A Norton 360 full scan shows that I have a backdoor.bifrose infection. I am not experiencing problems at the moment, although Outlook Express thought it wasn't my default mail program a minute ago. Norton 360 could not fix the problem, with some message about the file being a read-only file, and sent me to chat with Norton operators, who suggested I pay them $140 to fix the problem by remote access to my computer. (You pay them $100 to buy the program for a year and then they want $140 to fix one virus!)
Spybot S&D doesn't show it on a search of my computer, but I have heard that it can be a nasty infection.
Anyway, here is the log.


DDS (Ver_09-02-01.01) - NTFSx86
Run by Anton & Rachael at 18:22:31.71 on Tue 24/02/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1311 [GMT 11:00]

AV: Norton 360 *On-access scanning enabled* (Updated)
FW: Norton 360 *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Steam\Steam.exe
C:\WINDOWS\system32\ofps.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\Program Files\MagicTune Premium\MagicTune.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Anton & Rachael.ANTONS-COMPUTER\Desktop\HiJackThis.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\Anton & Rachael.ANTONS-COMPUTER\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com.au/
uInternet Connection Wizard,ShellNext = iexplore
mSearchAssistant = hxxp://www.google.com/ie
BHO: HelperObject Class: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 8\SnagItBHO.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.6\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: {BC2EF93F-3F27-4446-AE76-18E5150AD0BA} - No File
BHO: {D949773F-55C6-4A84-AEFF-BFAC6F3BA85D} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {E624EF7B-2F54-49B9-A485-2C83EF407AF0} - No File
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 8\SnagItIEAddin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.6\CoIEPlg.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
uRun: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /H
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [<NO NAME>]
mRun: [GBB36X Configure] c:\windows\system32\JMRaidTool.exe boot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - hxxp://plugin.driveragent.com/files/driveragent.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

============= SERVICES / DRIVERS ===============

R1 magicpvt;magicpvt;c:\windows\system32\drivers\magicpvt.sys [2008-12-25 9728]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-19 149352]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-19 149352]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-19 149352]
R2 Symantec Core LC;Symantec Core LC;c:\progra~1\common~1\symant~1\ccpd-lc\symlcsvc.exe [2008-10-8 1245064]
R3 3xHybrid;3xHybrid service;c:\windows\system32\drivers\3xHybrid.sys [2006-3-23 826752]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-10-8 99376]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090223.036\NAVENG.SYS [2009-2-24 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090223.036\NAVEX15.SYS [2009-2-24 876144]
S2 ksi32sk;ksi32sk;\??\c:\windows\system32\drivers\ksi32sk.sys --> c:\windows\system32\drivers\ksi32sk.sys [?]
S3 BroadCamService;BroadCam Service;c:\program files\nch software\broadcam\broadCam.exe [2008-6-14 368644]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-13 23888]
S3 MarkFun_NT;MarkFun_NT;c:\program files\gigabyte\et5\MARKFUN.W32 [2008-3-8 19776]

=============== Created Last 30 ================

2009-02-22 19:27 <DIR> --d----- c:\program files\Microsoft Visual Studio 8
2009-02-22 19:26 <DIR> --d----- c:\windows\SHELLNEW
2009-02-20 00:21 <DIR> --d----- c:\docume~1\anton&~1.ant\applic~1\Steinberg
2009-02-19 23:02 <DIR> --d----- c:\program files\Steinberg
2009-02-19 14:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Propellerhead Software
2009-02-19 14:57 <DIR> --d----- c:\docume~1\anton&~1.ant\applic~1\Propellerhead Software
2009-02-19 14:54 <DIR> --d----- c:\program files\Propellerhead
2009-02-13 22:22 206 a------- c:\windows\system32\MRT.INI
2009-02-13 02:01 5,189 a------- c:\windows\system32\uacinit.dll
2009-02-13 02:00 19,214 a------- c:\windows\system32\sf.ico
2009-02-13 02:00 13,942 a------- c:\windows\system32\m3.ico
2009-02-13 02:00 4,286 a------- c:\windows\system32\s.ico
2009-02-13 02:00 3,182 a------- c:\windows\ios.dat
2009-02-13 02:00 126,976 a------- c:\windows\system32\fejokt.dll
2009-02-13 02:00 127 a------- c:\windows\system32\UACxxiocbke.dat
2009-02-13 00:02 155,181 a------- c:\windows\system\xccef090131.exe
2009-02-13 00:02 351 a------- c:\windows\xccwinsys.ini
2009-02-13 00:02 <DIR> --d----- c:\windows\system32\inf
2009-02-12 23:57 <DIR> --d----- c:\program files\FormatFactory
2009-02-12 23:54 10,752 a------- c:\windows\system32\2599.dll
2009-01-30 03:05 268 a---h--- C:\sqmdata19.sqm
2009-01-30 03:05 244 a---h--- C:\sqmnoopt19.sqm
2009-01-28 14:25 268 a---h--- C:\sqmdata18.sqm
2009-01-28 14:25 244 a---h--- C:\sqmnoopt18.sqm
2009-01-28 03:12 268 a---h--- C:\sqmdata17.sqm
2009-01-28 03:12 244 a---h--- C:\sqmnoopt17.sqm
2009-01-25 23:29 0 a------- c:\windows\ViewNX.INI
2009-01-25 23:11 5,632 a------- c:\windows\system32\ptpusb.dll
2009-01-25 23:11 159,232 a------- c:\windows\system32\ptpusd.dll
2009-01-25 23:08 268 a---h--- C:\sqmdata16.sqm
2009-01-25 23:08 244 a---h--- C:\sqmnoopt16.sqm
2009-01-25 23:07 200,704 a----r-- c:\windows\system32\Strato7.dll
2009-01-25 23:07 110,592 a----r-- c:\windows\system32\RCSigProc.dll
2009-01-25 23:07 6,475,096 a------- c:\windows\system32\NEFcodec.dll
2009-01-25 22:48 20 ----h--- c:\docume~1\alluse~1\applic~1\PKP_DLdw.DAT
2009-01-25 22:47 <DIR> --d----- c:\program files\common files\muvee Technologies
2009-01-25 22:47 <DIR> --d----- c:\program files\Nikon
2009-01-25 22:45 20 ----h--- c:\docume~1\alluse~1\applic~1\PKP_DLdu.DAT
2009-01-25 22:23 82 a------- c:\windows\system32\RPRID.KEY
2009-01-25 22:19 286,720 a------- c:\windows\iun507.exe
2009-01-25 22:19 <DIR> --d----- c:\program files\RescuePRO

==================== Find3M ====================

2009-01-25 22:45 106,496 a------- c:\windows\system32\ATL71.DLL
2009-01-21 22:28 413,696 a------- c:\windows\system32\wrap_oal.dll
2009-01-21 22:28 110,592 a------- c:\windows\system32\OpenAL32.dll
2009-01-09 15:44 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-09 15:44 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-01-09 15:44 10,635 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-09 15:44 806 a------- c:\windows\system32\drivers\SYMEVENT.INF
2008-12-31 17:04 691,560 a------- c:\windows\system32\OGACheckControl.dll
2008-12-31 17:04 528,744 a------- c:\windows\system32\OGAVerify.exe
2008-12-31 17:04 502,120 a------- c:\windows\system32\OGAAddin.dll
2008-12-23 00:34 2,707 a------- c:\windows\system32\TDSSnhvw.dll
2008-12-22 11:53 705 a------- C:\kgxvqe.exe
2008-12-21 10:15 826,368 a------- c:\windows\system32\wininet.dll
2008-12-18 22:41 410,984 a------- c:\windows\system32\deploytk.dll
2008-10-24 15:13 87,608 a------- c:\docume~1\anton&~1.ant\applic~1\inst.exe
2008-10-24 15:13 47,360 a------- c:\docume~1\anton&~1.ant\applic~1\pcouffin.sys
2008-06-26 00:10 320 a------- c:\docume~1\anton&~1.ant\applic~1\momento_log.dat
2008-03-10 16:01 1,159 a------- c:\program files\INSTALL.LOG
2008-03-10 12:45 604 a---h--- c:\program files\STLL Notifier
2002-07-31 20:55 108 ---sh--- c:\windows\WSYS049.SYS
2008-09-05 12:31 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090520080906\index.dat

============= FINISH: 18:22:52.75 ===============

Hope someone can help....thanks in advance!

#2 antonf

antonf
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Location:Australia
  • Local time:06:15 PM

Posted 27 February 2009 - 06:22 PM

:thumbup2:
SO SORRY!!! What an idiot I am - the virus wasn't on my computer so much as it was on a disk in a DVD drive. How embarrassing!
All fixed.

#3 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Members
  • 19,461 posts
  • OFFLINE
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA
  • Local time:03:15 AM

Posted 01 March 2009 - 05:48 PM

Thanks for informing us.

And good luck now.

This Topic is closed.

Should you need it reopened, please contact a Forum Moderator. Include the address of this thread in your request.

If you have a new issue, please start a New Topic.

This applies only to the original poster. Everyone else please begin a New Topic.

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)
