Need help to remove Win32.Bifrose, or Troj/HazifKit

Discussion in 'Malware Help (A Specialist Will Reply)' started by skybay, Mar 25, 2009.

  1. skybay

    skybay Private E-2

    I have obviously downloaded some malware and am trying to make sure it is completely cleaned off my system. Ad-Aware recently found (deep scan) Win32.Bifrose. Google connects that to Troj/Hazif, a backdoor password stealer.

    I'm a newbie to help forums and to the best of my ability I have followed each step outlined in READ & RUN ME FIRST: Malware Removal Guide, and Windows XP Cleaning. I've attached the SAS, malwarebytes, combofix, and MGTools logs.

    Thank you for any help you send my way!

    skybay
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Why don't you have an antivirus installed? You also need a real bidirectional firewall.

    Your logs are clean but I have a question and a minor fix to do.

    What are the below folders for?
    Code:
    2009-03-11 00:36 . 2009-03-11 00:36 <DIR> d-------- C:\IPMx5
    2009-03-11 00:36 . 2009-03-11 00:36 <DIR> d-------- C:\IPMx4
    2009-03-11 00:36 . 2009-03-11 00:36 <DIR> d-------- C:\IPMx3
    2009-03-11 00:36 . 2009-03-11 00:36 <DIR> d-------- C:\IPMx2
    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - (no file)
    O2 - BHO: (no name) - {EAD3A971-6A23-4246-8691-C9244E858967} - (no file)
    O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} -
    O16 - DPF: {5727FF4C-EF4E-4d96-A96C-03AD91910448} -
    O16 - DPF: {8B67B37E-1AE2-4B99-B8CF-55AF4D58DF0D} (IAMCE Class) -
    O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)

    After clicking Fix, exit HJT.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Note: the space between combofix" and /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from combofix (if it exists)
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    7. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work through the below link:
     
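    The HijackThis lines listed above are all "orphaned" entries: a BHO whose file is gone, DPF (downloaded ActiveX) entries with no download URL left, and a protocol handler with no CLSID and no file. The following script is an added example, not part of this thread or of any MajorGeeks tool, that parses HJT-style log lines and flags such dead entries so you can see why they were selected for Fix. The line format it assumes is the one shown in the entries above (an `Oxx - ` prefix and ` - `-separated fields), and the sample log is constructed: the dead entries mirror the ones quoted here, while the two live entries use made-up CLSIDs, paths and a URL.

```python
import re

# Constructed sample of HijackThis-style lines: the dead entries mirror the ones
# quoted in the thread; the live entries use made-up CLSIDs, paths and a URL.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - (no file)
O2 - BHO: Example Helper - {00000000-1111-2222-3333-444444444444} - C:\\Program Files\\Example\\helper.dll
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} -
O16 - DPF: {8B67B37E-1AE2-4B99-B8CF-55AF4D58DF0D} (IAMCE Class) -
O16 - DPF: {55555555-6666-7777-8888-999999999999} (Example Control) - http://example.invalid/control.cab
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O4 - HKLM\\..\\Run: [ExampleTray] C:\\Program Files\\Example\\tray.exe
"""

HJT_LINE = re.compile(r"^(O\d+) - (.*)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Target values that mean "this entry points at nothing"
DEAD_TARGETS = {"", "(no file)"}


def parse_line(line):
    """Split one HJT line into its section (O2, O16, ...), the CLSID if any,
    and the final target field (file path, URL, or '(no file)').
    Returns None for lines that are not HJT entries."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    section, rest = m.groups()
    # Fields are separated by " - "; a lone trailing "-" means an empty last field
    fields = [f.strip() for f in re.split(r" - | -$", rest)]
    clsid = CLSID.search(rest)
    return {
        "section": section,
        "clsid": clsid.group(0) if clsid else None,
        "target": fields[-1],
        "raw": line.strip(),
    }


def is_orphaned(entry):
    """True when a BHO (O2), DPF (O16) or protocol handler (O18) entry has no
    file or download URL behind it, i.e. it is a registry leftover, not a live hook."""
    if entry is None or entry["section"] not in ("O2", "O16", "O18"):
        return False
    return entry["target"].lower() in DEAD_TARGETS


def orphaned_entries(log_text):
    """Return the raw HJT lines from log_text that are orphaned."""
    return [e["raw"] for e in map(parse_line, log_text.splitlines()) if is_orphaned(e)]


if __name__ == "__main__":
    for raw in orphaned_entries(SAMPLE_LOG):
        print("orphaned:", raw)
```

    Run against the constructed sample, it reports the four dead entries and leaves the two live O2/O16 entries and the O4 autostart alone. The script only reads text; removing the entries is still done in HijackThis, as the reply above describes.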
  3. skybay

    skybay Private E-2

    First off, many heartfelt thanks for the reply and offer of help. I have never posted on a site for help and so had no idea what to expect. After I posted I realized I probably should have included more details and almost added to my post until I realized that was the Big No-No called a "bump". Unfortunately, other malware-type things have occurred since my original posting. I used HJT, Ad-Aware, and Sysinternals for tweaking, and have been diligent with CCleaner, but I probably only know enough to be dangerous! Sorry if I messed up, but I had no idea when to expect a reply and I wanted to be as protected as possible! I’m not sure if perhaps you want me to start all over? So you can have fresh logs? I know the “funky” stuff seems to happen after a reboot. The trouble seems to have to do with logon, system restore, desktop (maybe), changing the registry, and blocking antivirus. If that helps at all?

    RE: no antivirus - part of the problem was the havoc malware was doing to my antivirus. I could not disable my AVG to run one of the programs needed to send you. I tried to uninstall, reinstall - no luck. As soon as I sent my post off I downloaded COMODO antivirus and firewall (thanks to MajorGeeks I realized my lack of outgoing firewall protection). Also of note, auto protection would suddenly stop working, or the antivirus program would just shut down. Even HijackThis would just load then disappear. In addition, I now think I may have had this before Christmas, and I may have more than one malware. I used IE exclusively (my bad!) and it ran/loaded so-o-o-o slow. I kept trying basic pc maintenance to solve the problem. In December I switched to Chrome; it ran blazingly fast and I thought my problem solved.

    RE: Files IPMx5, IPMx4, IPMx3, IPMx2 – they are Intel® Chipset Device Software installer files. I had been trying to update my chipset drivers and truthfully, I have been unsuccessful so far. Everything I know about my pc I have had to learn by Google and lots of time reading. Like I said - I probably know enough just to be dangerous.

    RE: O2 - BHO: (no name) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - (no file)
    O2 - BHO: (no name) - {EAD3A971-6A23-4246-8691-C9244E858967} - (no file)
    O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} -
    O16 - DPF: {5727FF4C-EF4E-4d96-A96C-03AD91910448} -
    O16 - DPF: {8B67B37E-1AE2-4B99-B8CF-55AF4D58DF0D} (IAMCE Class) -
    These had already been deleted – after studying HijackThis more closely.

    RE: O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
    It was still there and I deleted as you instructed. After I rebooted I ran HJT and have attached that log.

    AFTER my post to MajorGeeks:

    RE: COMODO – I can’t figure out how to open its log, but in quarantine I can see -
    3/25/09
    19 items including Unclassified Malware, ApplicUnsafe.Win32, Worm.Win32.Pykse.A. (dbrmdwb.exe).
    3/29/09
    Unclassified Malware as Qoobox dbxDgrevCheck.dll.vir, and in the SystemVolume_restore - A0087273.dll
    If you would like more information just direct me how to send it.

    RE: MalwareBytes –
    3/29/09
    Adware.Speedapp Files Infected:
    C:\System Volume Information\_restore{7D83713C-ADAB-4793-AA3D-B89DDB8C654A}\RP475\A0071735.exe (Adware.Speedapps) -> Quarantined and deleted successfully.

    I’m going to leave it at that and wait for your instructions. I promise not to run, modify or delete anything until I hear back. And one question – is the malware I have/had possible to get rid of entirely? I worry about that backdoor issue and passwords, banking. Geez … this is such a waste of everyone’s time and for no good reason.

    Thank you AGAIN for your help - I really really appreciate it,

    skybay
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should not play with HJT on your own. It should only be used with the guidance of an expert.


    Not really. You need to tell me what exact problems you are having.

    These may not even be malware. They could be related to DigitalRiver. See: http://www.siteadvisor.nl/sites/digitalriver.com/downloads/462905/

    Does any of that look familiar? As stated in the link, this is one of those items that some would consider adware and some would not. If you are the one who installed any software related to it, you may be one of those who consider it not to be a problem.

    And note that System Volume Information is just System Restore and is not a problem since we would clean that up when we get to final instructions.

    Again this is just System Restore and Malwarebytes is wrong. They did not quarantine and delete it since nothing can delete files from System Restore. They are removed only by disabling System Restore.

    You did not have any real malware problems.


    If you are having any real new and current malware problems, please explain them. Otherwise I'm expecting that we are done and I will give you final instructions.
     
