

Backdoor.Bifrost - Combofix


2 replies to this topic

#1 wildnut

wildnut

  • Members
  • 2 posts
  • OFFLINE
  • Local time:07:56 PM

Posted 22 December 2009 - 07:21 AM

Hello. I'm wondering if my copy of Combofix is infected. Now this is a new copy, just d/l'd from this website. I run a scan on the computer and it finds nothing using Combofix. I then run a scan using Sunbelt's Vipre anti-virus and it finds one entry, Backdoor.Bifrost, found in the registry at hkey_users....software\Wget-1, and it is removed.
Can someone shed some light here please? Thank you.


#2 wildnut

wildnut
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:07:56 PM

Posted 22 December 2009 - 08:07 AM

Hello. Just did this little experiment on another desktop.

I first scanned using Sunbelt's Vipre, nothing special, just a "quick scan" confirming no known contaminants on the desktop; downloaded Combofix and ran a scan. Interestingly enough it came up with a number of items that it quarantined and deleted, amongst them programs from Smitfraudfix.
I let the program finish, then ran another "quick scan" using Vipre and it confirmed my suspicions about Combofix. It again found Backdoor.bifrost, which was quarantined.

So what gives with the program? It's wonderful, it helps remove malware but leaves you a present? I don't mean to flame or malign the author or anyone connected with the software, just seeking answers here. I fix computers for a living so am always on the lookout for tools with a good reputation for doing the job and doing the job well.

Thank you for your time.

#3 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,663 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:56 PM

Posted 22 December 2009 - 02:30 PM

ComboFix is mostly a collection of batch files that uses some command line tools, some of them from NirSoft. Sunbelt security software has been, for some time, detecting some Nirsoft tools as Backdoor.Bifrost and should know better by now.

You can see the kind of tools NirSoft offers here:
http://www.nirsoft.net/

There are a number of small utilities that get flagged by various security software, usually called something like "riskware", "potentially unwanted software" and various other designations--such tools can be used for good or ill--they are warnings, and so I call them near-positives because they aren't mistaken for actual malware. That is why SmitFraudFix came into this--it uses such tools as well. But Backdoor.Bifrost is an outright false positive and Sunbelt should correct that.

I would actually suggest you not use ComboFix at all. If you fix computers for a living, you should know how to do more than run automatic removal tools to fix infections, so using tools like NirSoft's would come easy to you. There is a reason ComboFix isn't offered to the public--you won't find it at download.com or any other download site. The author of ComboFix did not design it for people who are infected to use. It was designed for the people who help the people who are infected and them only, in forums like this one:
http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/

The author supports his tool in private forums for malware removal helpers. So you would have to be a malware removal helper who volunteers their time and help for free to be able to get support for CF. That is why disclaimers are plastered all over the internet that CF should not be used without supervision of a malware removal specialist. If something goes wrong, the specialist can get support from the author to resolve any issues. If CF is used unsupervised, you are on your own and could end up with a funny looking doorstop.

We always did feel the same

We just started from a different point of view

Tangled up in blue--Bob Dylan
