Win32:Bifrose-EGW [Trj]

Avast Home 4.8 indicated a “Warning” for the following:

Sign of “Win32:Bifrose-EGW [Trj]” has been found in “C:\WINDOWS\Installer\78604.msp”

At the time it appeared, I was running a SUPERAntiSpyware system scan, which is something I do regularly as well as running a MalwareBytes’ Anti-Malware scan. I run the scans consecutively (not concurrently). I also use SpywareBlaster as part of my desktop’s security.

I tried to find specific information on the above detection on the AVAST forums but to no avail. Furthermore, it would not allow me to quarantine the file as it stated it was in use so my only option was to delete it.

Running XP SP3 (with IE8). Everything else is up to date (MS security patches, SAS, MBAM, most recent version of Java, etc).

Could you please advise if the above detection is a valid or a false positive? If required I can post a HJT or other log files if necessary. In the interim, I will run another full AVAST scan pending your reply.

Thanks in advance.

Upload the file to VirusTotal and post results.

Unless you have made a typo, the file name, or rather the file type, looks strange: .MSP (though it could be a Windows Installer patch file), when MS installer files are usually .MSI.

The nondescript numeric file name is also strange as they tend to be a little more descriptive of what program (or possibly in this case Patch) they represent.

So it certainly warrants further investigation at VT as mentioned by Jtaylor83.

You may need to take some additional actions to upload it to VT without avast blocking it:
Check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here (the URL in the Address bar of the VT results page). You can’t do this with the file securely in the chest; you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

Thanks for the prompt replies. Unfortunately I couldn’t send it to the Virus Chest at the time it was identified, the only option was to delete it.

As for a possible typo, I doubt it as I cut and pasted the info directly when the Warning splash box appeared. It was definitely a .msp file extension. I tossed the info copied directly into a notepad file.

I have since completed a full system scan with Avast and nothing out of the ordinary was detected.

Deletion isn’t really a good first option (you have none left); ‘first do no harm’: don’t delete, send the virus to the chest and investigate. I would sooner ignore than delete, and investigate.

It is strange that it couldn’t be sent to the chest but could be deleted. What errors were given for not being able to send it to the chest?

You can’t do a system-wide scan with VirusTotal; it is a multi-engine scanner and you upload single files for scanning by multiple engines, for confirmation purposes.

I just realized I couldn’t do a system wide scan with VirusTotal (as you just indicated).

The message I was getting at the time is that the file could not be moved to the Chest as it was actively running (or in use) and I didn’t try the Ignore option, I simply deleted it.

(PS - Sorry, I used the terminology “quarantine” as opposed to “Chest” in my initial post which may have added to the confusion).

I always follow the same steps when running my security scans. I close all browser windows, use ATF Cleaner to dump cache, then run the scans. The only thing weird about the process is that SAS was running and about 50% complete when the Avast Warning appeared.

I have had this same problem today. I couldn’t move the file or delete it. I think it’s because my administrator account is disabled and I only have power user privileges. Does this sound right?

Just to add to the Bifrose-EGW [Trj] discussion:

Sign of “Win32:Bifrose-EGW [Trj]” has been found in “C:\WINDOWS\Installer\50de86.msp”

I am pretty sure this is a false one; got it with today’s defs only, and in a file that has stayed there for years.

Tried uploading it to VT, but the speed of my upload is very low so I had to cancel that.

There often is a .msp file behind a .msi file and I have a lot of .msp files.

I let it alone.

It would be fine if somebody could upload such a file to Virustotal.

Whatever you do, don’t delete it.

Regards
HL

Today, during a scan with Avast, I also got a warning for this Trojan. I was able to move it to the chest and was surprised to find out this file was on my pc since 2006, and only now came up as a Trojan. Could this be a false positive?

Hi Pernikkel,

Could be a false positive, if this is not found in the registry:
Win32.Bifrose.ri creates the following registry key to register itself as a service:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecSvc

polonus

Hi Polonus;

Nothing of that kind in my registry, a FP I think, but can’t prove it, of course.

HL

Good evening Polonus

No such key in my registry either.

I sent from the virus chest to alwil team

Win\installer\8c22ad.msp\win32:Bifrose-EGW (trj)

hope this helps to get answers of what we are dealing with.

thank you for your work. I very much appreciate the answers I find here.

Becky

Hi Pernikkel,

As far as I’m concerned, put it down as a false positive finding. To be safe you can still upload it to virustotal.com and to avast. They usually remove FPs quickly, and it may already be gone with the next avast update,

greetings and a nice weekend,

@specklebird,

I bet it is a FP. Let’s see. They will repair this soon I guess,

polonus

When this happens you should use the unique feature of avast, the boot-time scan, where the file won’t be in use, as Windows hasn’t fully started.
If you have XP, Vista 32-bit or Win2k, you could enable a boot-time scan. Right click the avast icon, select Start avast! Antivirus; a memory scan will take place followed by the opening of the Simple User Interface, Menu, ‘Schedule boot-time scan…’ Or see http://www.digitalred.com/avast-boot-time.php.

I too believe this could possibly be a false positive detection, but since it has been deleted there really is no way to investigate further. Since we have other detections on the same file type, we may be able to get to the bottom of it.

You could submit the file to virustotal as I outlined in Reply #2 above, that should give us a quick answer one way or the other.

I dug into my file and it was a hotfix from MS concerning Office XP.

As far as I could find out, my file was the installer for a patch for:

MS SharePointTeamServices for Office XP which is on my machine.
KB 911701, fullfile Norwegian version.

Thanks

HL

My Aunt just called to tell me she had a Trojan and that it was in the Chest. Ran over here to check it out, and it’s the identical Trojan that everyone else is talking about in this thread. The “offending” file is currently residing in the Chest.

On checking the information about the file, I show it’s been on this laptop since my Aunt purchased it. I was very concerned while I was driving over here, since this has never happened before. Now, along with some others, I will be watching to see if this file turns out to be a false positive. Been using Avast! for years, and still highly recommend it, even with a false positive!

Thanks for such a great group of people! I’ll be watching the forum on a regular basis now.

JoP
St. Louis, MO
USA

Hello Polonus

OK. I’ll wait and see for a while before I do anything.

Wishing you a pleasant weekend too.

This is an English language forum, use PM for personal messages.

Regards
HL