Backdoor.win32.Bifrose.aej HELP!!

I am running Windows Vista on an Asus g2s-a1 laptop.
World of Warcraft is telling me that it has detected the trojan Backdoor.win32.bifrose.aej.
NO scanners or antivirus programs have detected it or located it.
I have spent the past 3 hours googling and researching online everything I can about it. I’ve come up with nearly squat.
No advice, no suggestions, and no ‘past fixes’ have worked or have been any help.

I desperately need some help on getting rid of this trojan. I have done everything!

What is your firewall?

I would probably be a little suspicious of World of Warcraft reporting a backdoor trojan; how can it tell what is on your system?
Have you visited the WoW forum to see if others are suffering similar issues?

http://forums.wow-europe.com/thread.html?topicId=282518345&sid=1
http://faq.wow-europe.com/en/article.php?id=1149

In the meantime you could check with some anti-spyware tools.
If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode:
AVG Anti-Spyware (formerly Ewido), SUPERAntiSpyware, or Spyware Terminator.

I would probably be a little suspicious of World of Warcraft reporting a backdoor trojan; how can it tell what is on your system?

Online games now scan for malware: both game cheats and password stealing Trojans.

I have spent the past 3 hours googling and researching online everything I can about it. I've come up with nearly squat.

I just spent 3 minutes Googling and came up with the answers: 8)

http://forums.worldofwarcraft.com/thread.html?topicId=383468716&sid=1

http://www.blizzard.com/support/wow/?id=aww02119p

When I say that I’ve come up with nearly squat, it means that what I did find did not work. Neither of the ‘answers’ in those links worked. None of them did, and there’s been a lot.

Have you run the other anti-spyware options given?

If no AV scanner is detecting it, then it must be a new variant.

Your options are to have a look for suspicious files, possibly in the location mentioned in the forum post I found previously:

I have found a copy of this backdoor keylogger. There is only one variation on this backdoor which is an executable file placed inside C:/Program Files/ and is named "howtodo.exe".

You can submit any suspicious files to VirusTotal for analysis.

Your next option is to contact the World of Warcraft technical support people: they seem eager to help you:

If this guide did not resolve your issue, please visit our online email webform to contact us.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 2:17:49 AM, on 8/12/2007
Platform: Windows Vista (WinNT 6.00.1904)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\ChkMail\ChkMail\ChkMail.exe
C:\Program Files\ASUS\ATK Media\DMedia.exe
C:\Windows\ASScrPro.exe
C:\Program Files\ASUS\ASUS Direct Console\LCMP.exe
C:\Program Files\ASUS\ASUS Direct Console\D3DCheck.exe
C:\Program Files\Winamp\winampa.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\SetPoint\SetPoint.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\ASUS\ASUS Live Update\ALU.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Apoint2K\HidFind.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Apoint2K\Apvfb.exe
C:\Users\Balros\Desktop\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.asus.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Suggest - {5A263CF7-56A6-4D68-A8CF-345BE45BC911} - C:\Program Files\Yahoo!\Search\YSearchSuggest.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O4 - HKLM..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM..\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
O4 - HKLM..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM..\Run: [ChkMail] C:\Program Files\ChkMail\ChkMail\ChkMail.exe
O4 - HKLM..\Run: [ATKMEDIA] C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
O4 - HKLM..\Run: [PowerForPhone] C:\Program Files\PowerForPhone\PowerForPhone.exe
O4 - HKLM..\Run: [ASUS Screen Saver Protector] C:\Windows\ASScrPro.exe
O4 - HKLM..\Run: [DirectMessenger] "C:\Program Files\ASUS\ASUS Direct Console\LCMP.EXE"
O4 - HKLM..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU..\Run: [{E8519905-072E-374F-38A4-F9611BD7564A}] C:\Users\Balros\AppData\Roaming\msnplus.exe
O4 - HKUS\S-1-5-19..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe
O4 - Global Startup: SetPoint.lnk = C:\Program Files\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: ADSM Service (ADSMService) - Unknown owner - C:\Program Files\ASUS\ASUS Data Security Manager\ADSMSrv.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASLDR Service (ASLDRService) - Unknown owner - C:\Program Files\ATK Hotkey\ASLDRSrv.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: ATKGFNEX Service (ATKGFNEXSrv) - Unknown owner - C:\Program Files\ATKGFNEX\GFNEXSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: spmgr - Unknown owner - C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe


End of file - 8684 bytes

Also, I have found this NvScv. I am very sure it is a trojan because that’s what googling it says. I don’t know how best to get rid of it, though!

Nevermind! It’s NvSvc, which apparently could either be a trojan or an nVidia thing.

Possibly malicious:

O4 - HKLM..\Run: [ASUS Screen Saver Protector] C:\Windows\ASScrPro.exe

http://www.greatis.com/appdata/d/a/asscrpro.exe.htm

O4 - HKCU..\Run: [{E8519905-072E-374F-38A4-F9611BD7564A}] C:\Users\Balros\AppData\Roaming\msnplus.exe

http://www.castlecops.com/s5722-msnplus_exe.html

Unknown:

O23 - Service: ASLDR Service (ASLDRService) - Unknown owner - C:\Program Files\ATK Hotkey\ASLDRSrv.exe

O23 - Service: ATKGFNEX Service (ATKGFNEXSrv) - Unknown owner - C:\Program Files\ATKGFNEX\GFNEXSrv.exe

Please disable ‘Hide protected operating system files’ and enable ‘View Hidden Files and Folders’, and upload the above files to VirusTotal for analysis.

Post the results here.
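The look Freewheelin gave the log above, automated as an added example (my own code, not anything from this thread or from HijackThis): a small Python parser over O4 autostart and O23 service lines that flags the same signs, a Run value named only by a GUID, an autostart binary under a user's profile, a service with no recorded publisher or a missing file. The sample lines are copied from the posted log plus benign control entries; the path heuristics are mine.

```python
import re

# Constructed sample: O4 (autostart) and O23 (service) lines in HijackThis format,
# most copied from the log posted above, plus benign control entries.
SAMPLE_LOG = r"""
O4 - HKLM..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKCU..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU..\Run: [{E8519905-072E-374F-38A4-F9611BD7564A}] C:\Users\Balros\AppData\Roaming\msnplus.exe
O23 - Service: ASLDR Service (ASLDRService) - Unknown owner - C:\Program Files\ATK Hotkey\ASLDRSrv.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# Line shapes as they appear in the post (the forum shows "HKLM..\Run" for the Run key).
O4_RE = re.compile(r'^O4 - (?P<hive>\S+?)\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
O23_RE = re.compile(r'^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+)$')

# Heuristics (my own, not HijackThis's): Run value named only by a GUID, autostart
# binary inside a user's writable profile, service with no publisher or missing file.
GUID_RE = re.compile(r'^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$')
USER_WRITABLE_RE = re.compile(r'\\Users\\[^\\]+\\AppData\\|\\Temp\\', re.IGNORECASE)

def triage(log_text):
    """Return a list of (log line, [reasons]) for entries worth a second look."""
    findings = []
    for line in log_text.splitlines():
        reasons = []
        m = O4_RE.match(line)
        if m:
            if GUID_RE.match(m.group('name')):
                reasons.append('Run value named like a bare GUID')
            if USER_WRITABLE_RE.search(m.group('cmd')):
                reasons.append('autostart target lives under a user profile')
        m = O23_RE.match(line)
        if m:
            if m.group('owner') == 'Unknown owner':
                reasons.append('service binary has no recorded publisher')
            if m.group('path').endswith('(file missing)'):
                reasons.append('service points at a binary that no longer exists')
        if reasons:
            findings.append((line, reasons))
    return findings

if __name__ == '__main__':
    for line, reasons in triage(SAMPLE_LOG):
        print(line, '\n   ->', '; '.join(reasons))
```

A hit only means "look closer": the two ASUS services flagged here came back clean from VirusTotal in the thread, while the GUID-named msnplus.exe entry did not.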

Freewheelin, this is one of the most helpful replies I’ve ever gotten! Thank you so much!

Okay. Here are some specs.

O4 - HKLM..\Run: [ASUS Screen Saver Protector] C:\Windows\ASScrPro.exe
VirusTotal reported nothing.

O4 - HKCU..\Run: [{E8519905-072E-374F-38A4-F9611BD7564A}] C:\Users\Balros\AppData\Roaming\msnplus.exe
VirusTotal says
Antivirus Version Last Update Result
AhnLab-V3 2007.8.9.2 2007.08.10 -
AntiVir 7.4.0.60 2007.08.12 BDS/Bifrose.NU
Authentium 4.93.8 2007.08.11 -
Avast 4.7.1029.0 2007.08.12 -
AVG 7.5.0.476 2007.08.12 BackDoor.Generic7.QAA
BitDefender 7.2 2007.08.12 MemScan:Backdoor.Bifrose.NQ
CAT-QuickHeal 9.00 2007.08.11 -
ClamAV 0.91 2007.08.12 Trojan.Pakes-248
DrWeb 4.33 2007.08.12 -
eSafe 7.0.15.0 2007.08.10 -
eTrust-Vet 31.1.5050 2007.08.11 -
Ewido 4.0 2007.08.12 -
FileAdvisor 1 2007.08.12 -
Fortinet 2.91.0.0 2007.08.12 -
F-Prot 4.3.2.48 2007.08.10 -
F-Secure 6.70.13030.0 2007.08.12 -
Ikarus T3.1.1.12 2007.08.12 -
Kaspersky 4.0.2.24 2007.08.12 -
McAfee 5095 2007.08.10 BackDoor-CEP.svr
Microsoft 1.2704 2007.08.12 -
NOD32v2 2453 2007.08.12 -
Norman 5.80.02 2007.08.10 -
Panda 9.0.0.4 2007.08.12 Generic Backdoor
Prevx1 V2 2007.08.12 -
Rising 19.35.62.00 2007.08.12 -
Sophos 4.20.0 2007.08.12 -
Sunbelt 2.2.907.0 2007.08.11 VIPRE.Suspicious
Symantec 10 2007.08.12 -
TheHacker 6.1.7.167 2007.08.12 -
VBA32 3.12.2.2 2007.08.11 -
VirusBuster 4.3.26:9 2007.08.12 -
Webwasher-Gateway 6.0.1 2007.08.12 Trojan.Bifrose.NU
Additional information
File size: 1240957 bytes
MD5: f7c0a4d37c932577855edea7e1b16278
SHA1: 12a1200cf9d98f10fe73d5067ec1315f2c03fdfb
packers: Themida
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.

What is the best way to get rid of it? And I am equally suspicious because I have not installed MSN on this machine. And it is showing the words Bifrose, which is a very key word in my trojan!

O23 - Service: ASLDR Service (ASLDRService) - Unknown owner - C:\Program Files\ATK Hotkey\ASLDRSrv.exe
VirusTotal showed nothing wrong.

O23 - Service: ATKGFNEX Service (ATKGFNEXSrv) - Unknown owner - C:\Program Files\ATKGFNEX\GFNEXSrv.exe
VirusTotal showed nothing wrong.

Should I give you another HijackThis log? I disabled the hidden files like you asked.

Run HijackThis again, tick the box next to this entry and click ‘fix’:

O4 - HKCU..\Run: [{E8519905-072E-374F-38A4-F9611BD7564A}] C:\Users\Balros\AppData\Roaming\msnplus.exe

Reboot and delete the file.

And/or try the Bitdefender scanner:

BitDefender

IT WORKED!

Thank you so much, FreewheelinFrank! Your advice was very helpful and it WORKED. I now know what to do and who to come to if something like this happens again :)

You rock!

And where to come…
Welcome to avast forums 8)