Backdoor.Bifrose, Rogue.AntiVirusPro, etc

March 5, 2010 at 07:09:11
Specs: Windows XP Professional Version 2002 SP3
I cannot clean the following log file from Malwarebytes. I got a clean scan the first time after running CCleaner, but the virus came back. Also got a clean scan the first time after running SpyBot, and the virus came back again. Here is the Malwarebytes log:
Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Windows Updates\winupdate.exe (Backdoor.Bifrose) -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\administrator\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\cgrey\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\Default User\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\LocalService\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\tdservice\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\administrator\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\cgrey\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\Default User\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\LocalService\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\tdservice\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\administrator\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\cgrey\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\Default User\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\LocalService\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\tdservice\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\Documents and Settings\administrator\Start Menu\Programs\Startup\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\Documents and Settings\cgrey\Start Menu\Programs\Startup\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\Documents and Settings\Default User\Start Menu\Programs\Startup\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\Documents and Settings\tdservice\Start Menu\Programs\Startup\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\WINDOWS\system32\winupdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\WINDOWS\Temp\AV2010Installer.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\administrator\Local Settings\Temp\AV2010Installer.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\cgrey\Local Settings\Temp\AV2010Installer.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\Default User\Local Settings\Temp\AV2010Installer.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\LocalService\Local Settings\Temp\AV2010Installer.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Local Settings\Temp\AV2010Installer.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\tdservice\Local Settings\Temp\AV2010Installer.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\sysguard.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\System\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\WINDOWS\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\administrator\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\cgrey\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\Default User\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\LocalService\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\tdservice\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\ocxlist\winupdate.exe (Trojan.Banker) -> Delete on reboot.
C:\WINDOWS\system32\Winupdate\Winupdate.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\All Users\Documents\System\winupdate.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\administrator\My Documents\System\winupdate.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\cgrey\My Documents\System\winupdate.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Default User\My Documents\System\winupdate.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\tdservice\My Documents\System\winupdate.exe (Trojan.Agent) -> Delete on reboot.


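The log above shows the same few filenames (winupdate.exe, seres.exe, svcst.exe, AV2010Installer.exe) copied into every profile's Application Data, Temp and Startup folder, which is why a scan can come up clean once and the infection still return after a reboot. The following added example (not code from the poster or from Malwarebytes) parses the "Files Infected:" section of a log in this format, flags the autostart locations, and compares two scans to show which paths came back. The two log excerpts are constructed in the same format as the quoted log; the second one is an assumed follow-up scan, not one from the thread.

```python
"""Triage a 2010-era Malwarebytes log: pull the "Files Infected:" entries,
mark autostart locations, and diff two scans to see what reappeared.
Added example for this thread; the log text below is constructed."""
import re
from collections import Counter

# Constructed excerpt in the format of the log quoted above (the real log
# repeats the same files under every profile on the machine).
SCAN_1 = r"""Files Infected:
C:\Program Files\Windows Updates\winupdate.exe (Backdoor.Bifrose) -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\cgrey\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\cgrey\Start Menu\Programs\Startup\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\WINDOWS\system32\winupdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\WINDOWS\Temp\AV2010Installer.exe (Trojan.FakeAlert) -> Delete on reboot.
"""

# Constructed (assumed) follow-up scan after a reboot: the per-user droppers
# are gone, but the Startup-folder copy and the system32 downloader are back.
SCAN_2 = r"""Files Infected:
C:\Documents and Settings\cgrey\Start Menu\Programs\Startup\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\WINDOWS\system32\winupdate.exe (Trojan.Downloader) -> Delete on reboot.
"""

# One log line: <path> (<threat>) -> <action>.
ENTRY_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$"
)


def classify_location(path):
    """Coarse bucket for where a flagged file lives."""
    p = path.lower()
    if "\\start menu\\programs\\startup\\" in p:
        return "startup-folder"  # runs at every logon: a persistence point
    if p.startswith("c:\\documents and settings\\"):
        return "user-profile"
    if p.startswith("c:\\windows\\"):
        return "system"
    if p.startswith("c:\\program files\\"):
        return "program-files"
    return "other"


def profile_of(path):
    """Return the XP profile name a path belongs to, or None."""
    parts = path.split("\\")
    if len(parts) > 2 and parts[1].lower() == "documents and settings":
        return parts[2]
    return None


def parse_files_infected(log_text):
    """Return one dict per entry in the 'Files Infected:' section only."""
    entries, in_section = [], False
    for line in log_text.splitlines():
        line = line.strip()
        if line.endswith(":"):  # section header such as "Registry Keys Infected:"
            in_section = line.lower() == "files infected:"
            continue
        if not in_section or not line or line.startswith("(No malicious"):
            continue
        m = ENTRY_RE.match(line)
        if m:
            e = m.groupdict()
            e["location"] = classify_location(e["path"])
            e["profile"] = profile_of(e["path"])
            entries.append(e)
    return entries


def summarize(entries):
    """Counts per threat name, profiles touched, autostart copies, and
    files masquerading as Windows Update."""
    return {
        "by_threat": Counter(e["threat"] for e in entries),
        "profiles": sorted({e["profile"] for e in entries if e["profile"]}),
        "autostart": [e["path"] for e in entries if e["location"] == "startup-folder"],
        "masquerading": sorted({e["path"] for e in entries if "winupdate" in e["path"].lower()}),
    }


def reappeared(first_log, second_log):
    """Paths flagged in both scans: the first cleanup did not hold for these."""
    first = {e["path"].lower() for e in parse_files_infected(first_log)}
    return sorted(e["path"] for e in parse_files_infected(second_log)
                  if e["path"].lower() in first)


if __name__ == "__main__":
    for key, value in summarize(parse_files_infected(SCAN_1)).items():
        print(key, value)
    print("came back after reboot:", reappeared(SCAN_1, SCAN_2))
```

Run it against a saved mbam-log file by reading the file into the two string variables; anything listed under "came back" after a reboot is a file that is being re-dropped by something the scan did not remove, so the Startup folders and the "winupdate.exe" copies are where to look first.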


#1
September 29, 2010 at 07:47:21
I am part of a remote IT staff and we come across this all of the time; very frustrating. The following fix has only been working half of the time to show completely zero, so I hope it helps you or others with the problem.

Download and run Malwarebytes, reboot.

Download and run Hitman Pro, reboot.

Download and run Combofix, reboot.

Run Malwarebytes again, reboot.

Run Malwarebytes one last time to confirm deletion of objects.

