Possible backdoor.bifrose, and related NCH/Conduit


1 reply to this topic

#1 teacuppansy

  • Members
  • 3 posts
  • Gender: Female

Posted 07 April 2012 - 10:16 PM

On 30 March I received an email from a local community group. They seemed legit as they mentioned some people involved in the project that I knew, but I didn't know who this group was, so I clicked on their link to their website. The real website did show for about 2 seconds before I saw it was redirecting to a site that ended with .ru. The moment that happened I killed the browser. The new site was showing one of those "you have been infected, download this antivirus..." ads.

I have AVG Free, and that picked up and removed backdoor.bifrose.exe. I have no idea if it ran, as nothing apparent happened over the next few days.

To complicate matters, I recently switched from ADSL to fibre, and in the process there seems to have been a muck-up, as my ISP (even though they arranged the install) claim they don't know about my move to fibre. Anyway, the short story is that my internet has been on and off and connecting has been slow/fine, so that has made it really hard to tell whether I actually have issues that are not to do with my ISP.

As part of that, before I knew that my ISP didn't transfer me over to fibre, I decided I should uninstall Chrome and reinstall it, and then do the same for Firefox. When I reinstalled Chrome, the NCH toolbar had attached itself and was busy sending me to sites I didn't want. Some time back I had actually acquired this toolbar via some free CD software, and it was a combination of hand-deleting things out of the registry and Revo that seemed to get rid of it. Back then NCH seemed to have attached itself to both Firefox and Chrome (but not MSIE...), but Firefox is not showing the NCH toolbar this time.

So now I'm also not sure if this is a legacy - that NCH was hiding out somewhere, waiting for the right moment - or whether it's a new infiltration.

I tried deleting any NCH/Conduit entries from both the registry and the files shown in Explorer. But either I miss some or they come back. Revo won't work (I think I used it the max time for free; now it needs a key).

I guess to summarise:
1. Need to get rid of NCH.
2. Need someone who can check if I have bifrose.

I've run Malwarebytes and AVG several times; both say I am in the clear. I guess neither of them sees NCH as a problem, as I found articles about getting NCH removed dating back to 2010?

Thanks.

Edited by teacuppansy, 07 April 2012 - 10:21 PM.



#2 teacuppansy (Topic Starter)

  • Members
  • 3 posts
  • Gender: Female

Posted 08 April 2012 - 04:27 AM

Hey all, just want to close this one. A friend of mine and I tackled it this afternoon using HijackThis.
At least the NCH is gone, but we didn't know how to check for bifrose.
