Backdoor.Bifrose.D


#1
Richard keuhn

So my computer got infected with a lot of different Trojans, but I did many of your suggestions and I was able to get most of them handled. However, I still have one that, according to Spyware Doctor, is a high threat level; it is called Backdoor.Bifrose.D, also known as Trojan.Droppler.Agent.AHC. I ran ComboFix like you suggested to another person. Now I'm not sure what to do; this is what it said:

ComboFix 08-02.05.3 - Dr. Keuhn 2008-02-08 17:14:24.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.564 [GMT -7:00]
Running from: F:\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\DR895A~1.KEU\MYDOCU~1\DOBE~1\?dobe\
C:\DOCUME~1\DR895A~1.KEU\MYDOCU~1\DOBE~1\rundll32.exe
C:\Documents and Settings\Dr Beggs\g2mdlhlpx.exe
C:\Documents and Settings\Dr. Keuhn\My Documents\DOBE~1
C:\Documents and Settings\Dr. Keuhn\My Documents\DOBE~1\?dobe\
C:\Documents and Settings\Dr. Keuhn\My Documents\DOBE~1\rundll32.exe
C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
C:\Program Files\sstem~1
C:\Program Files\sstem~1\csrss.exe
C:\WINDOWS\SYSTEM32\ckepjxfb.ini
C:\WINDOWS\SYSTEM32\jgxltfmv.ini
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\s5
C:\WINDOWS\system32\s5\advcomms3.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\nm


((((((((((((((((((((((((( Files Created from 2008-01-09 to 2008-02-09 )))))))))))))))))))))))))))))))
.

2008-02-08 16:51 . 2008-02-08 16:51 2,748 --a------ C:\WINDOWS\SYSTEM32\PerfStringBackup.TMP
2008-02-08 16:49 . 2008-02-08 16:49 1,529 --a------ C:\SMax.log.bak
2008-02-08 16:46 . 2008-02-08 16:48 2,148 --a------ C:\WINDOWS\SYSTEM32\wpa.dbl
2008-02-07 11:11 . 2008-02-07 11:11 <DIR> d-------- C:\Program Files\Google
2008-02-07 11:11 . 2008-02-08 13:58 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google Updater
2008-02-06 20:51 . 2008-02-06 21:10 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-02-06 20:51 . 2008-02-06 20:51 <DIR> d-------- C:\Documents and Settings\Dr. Keuhn\Application Data\PC Tools
2008-02-06 20:51 . 2008-02-06 20:51 <DIR> d-------- C:\DOCUME~1\DR895A~1.KEU\APPLIC~1\PC Tools
2008-02-06 20:51 . 2008-02-08 17:21 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2008-02-06 20:51 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\iksyssec.sys
2008-02-06 20:51 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\iksysflt.sys
2008-02-06 20:51 . 2007-12-10 14:53 41,864 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ikfilesec.sys
2008-02-06 20:51 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kcom.sys
2008-02-06 12:41 . 2008-02-06 12:41 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-06 12:41 . 2008-02-06 12:42 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2008-02-06 11:39 . 2008-02-06 11:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\pdf995
2008-02-05 13:45 . 2008-02-05 13:45 90,688 --a------ C:\WINDOWS\SYSTEM32\vmftlxgj.dll
2008-02-04 13:35 . 2008-02-04 13:35 <DIR> d-------- C:\WINDOWS\SYSTEM32\nGpxx01
2008-01-16 12:26 . 2008-01-16 12:26 <DIR> d-------- C:\Documents and Settings\Dr. Keuhn\Application Data\pdf995
2008-01-16 12:26 . 2008-01-16 12:26 <DIR> d-------- C:\DOCUME~1\DR895A~1.KEU\APPLIC~1\pdf995
2008-01-16 12:26 . 2008-01-16 12:26 28 --a------ C:\WINDOWS\pdf995.ini
2008-01-16 11:32 . 2008-01-16 11:32 249,856 --a------ C:\WINDOWS\SYSTEM32\pdfmona.dll
2008-01-16 11:32 . 2008-01-16 11:32 51,716 --a------ C:\WINDOWS\SYSTEM32\pdf995mon.dll
2008-01-16 11:31 . 2008-01-16 11:32 <DIR> d-------- C:\Program Files\pdf995
2008-01-16 11:31 . 2008-01-16 11:31 149 --a------ C:\WINDOWS\cdPlayer.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-29 18:59 1,754 ----a-w C:\Documents and Settings\Dr. Keuhn\Application Data\SAS7_000.DAT
2008-01-29 18:59 1,754 ----a-w C:\DOCUME~1\DR895A~1.KEU\APPLIC~1\SAS7_000.DAT
2005-10-26 20:20 88,272 -c--a-w C:\Documents and Settings\Dr. Keuhn\Application Data\GDIPFONTCACHEV1.DAT
2005-10-26 20:20 88,272 -c--a-w C:\DOCUME~1\DR895A~1.KEU\APPLIC~1\GDIPFONTCACHEV1.DAT
2004-07-02 18:19 40,960 -c--a-w C:\WINDOWS\INF\WG311v2\imdinst.exe
2004-06-18 05:41 386,688 -c--a-w C:\WINDOWS\INF\WG311v2\netwg311_XP.sys
2004-04-04 19:07 84,912 -c--a-w C:\WINDOWS\INF\WG311v2\FwRad17.bin
2004-04-04 19:07 83,320 -c--a-w C:\WINDOWS\INF\WG311v2\FwRad16.bin
2004-02-04 18:53 62,865 -c--a-w C:\WINDOWS\INF\WG311v2\odysseyIM3.sys
2004-02-04 18:53 12,739 -c--a-w C:\WINDOWS\INF\WG311v2\odNetInstall.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-02-07 11:11 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 13:42 1404928]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 19:42 32768]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 08:35 94208]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-29 16:00 155648]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 16:15 81920]
"mmtask"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2006-01-17 12:03 53248]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" [2007-03-29 07:10 394952]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2007-12-10 14:53 1103752]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 03:44:06 29696]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-02-07 11:11:18 125624]
NETGEAR WG311v2 Smart Configuration.lnk - C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe [2004-10-14 11:32:18 450560]

R3 odysseyIM3;Odyssey Network Services Miniport;C:\WINDOWS\system32\DRIVERS\odysseyIM3.sys [2005-04-25 18:21]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-08 17:21:20
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
C:\WINDOWS\TEMP\HC4AD3.EXE
.
**************************************************************************
.
Completion time: 2008-02-08 17:24:52 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-09 00:24:47
.
2008-01-10 10:02:44 --- E O F ---