Malwarebytes detects a Backdoor.Bot!


8 replies to this topic

#1 wolyq

wolyq

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Italy
  • Local time:07:03 AM

Posted 21 August 2014 - 09:03 AM

Hi!

I have a Dell Inspiron N5010 with Windows 7 64 bit.

I have Avast Free with Malwarebytes Premium running in the background.

2 days ago, during a scheduled daily scan, Malwarebytes detected a Backdoor.Bot.

Before Malwarebytes showed me the detection message, I was surfing the web and noticed a slowdown.

Then I quarantined the infected file, but later I deleted it.

Now I am not sure whether my PC is safe or not!

Yesterday I did a scan with both Malwarebytes and ESET Online Scanner, and they didn't find any threat.

This is the Malwarebytes log file (from 2 days ago):

 

---------------------------------------------------------------------------------------------------------------------------------------------------------

 

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 19/08/2014
Scan Time: 18:04:25
Logfile: log malwarebytes 19-08-14.txt
Administrator: Yes
 
Version: 2.00.2.1012
Malware Database: v2014.08.19.08
Rootkit Database: v2014.08.16.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled
 
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: dell
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 299374
Time Elapsed: 10 min, 17 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 1
Backdoor.Bot, C:\Windows\Installer\4b72b0.msi, , [84f087416912d95ddfa2446a778ac13f], 
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)
 
---------------------------------------------------------------------------------------------------------------------------------------------------------
 
Thanks a lot!

Edited by wolyq, 21 August 2014 - 09:27 AM.




#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,323 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:01:03 AM

Posted 21 August 2014 - 10:29 AM

You did remove that file?

Get a second opinion.


ADW Cleaner

Please download AdwCleaner by Xplode and save to your Desktop.
  • Double-click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • After reviewing the log, click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.
  • -- Note: The contents of the AdwCleaner log file may be confusing. Unless you see a program name that you recognize and know should not be removed, don't worry about it. If you see an entry you want to keep, return to AdwCleaner before cleaning...all detected items will be listed (and checked) in each tab. Click on each one and uncheck any items you want to keep (except you cannot uncheck Chrome and Firefox preferences lines).



    Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
  • Last run ESET.
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the esetsmartinstaller_enu.exe icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
  • Scan potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
  • NOTE:Sometimes if ESET finds no infections it will not create a log.

How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 wolyq

wolyq
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Italy
  • Local time:07:03 AM

Posted 22 August 2014 - 06:19 AM

Hi boopme.

First of all thanks for the reply.

I regret not keeping that file in quarantine! It could have been useful!

These are the logfiles of each scan:

 

AdwCleaner logfile: http://pastebin.com/32s9D1cq

 

JRT logfile: http://pastebin.com/BNxJ4gHf

 

And finally Eset Online scanner when the scan finished: http://img.ctrlv.in/img/14/08/22/53f7244d98dd0.jpg

 

P.S.: I use SRWare Iron as default browser on Windows. What do you think? Is it safe enough?



#4 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:03:03 PM

Posted 22 August 2014 - 06:35 AM

Looks OK -

Please download and run RKill by Grinler.


  • A black DOS box will appear for a short time and then disappear.
  • This is normal and indicates the tool ran successfully.
  • At most the tool will usually run from 30 seconds to 2 minutes.
  • Copy and Paste the log back here.

IMPORTANT - Do not reboot the computer till you finish the next part ..........

 

 

Re-run Malwarebytes Anti-Malware

Copy and Paste any log.

If the scan is clean then you may be OK -

boopme will check it after those -

 

Thanks -



#5 wolyq

wolyq
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Italy
  • Local time:07:03 AM

Posted 22 August 2014 - 11:09 AM

Hi noknojon

 

Rkill logfile: http://pastebin.com/1bjQbgAP

 

Malwarebytes logfile (I apologize for the Italian language of this logfile; use the logfile in my #1 post to translate it!): http://pastebin.com/5kZ8F9K5

 

P.S.: I did a Threat Scan with Malwarebytes, which analyzes the most critical areas, not a Custom Scan, which takes longer than the first.


Edited by wolyq, 22 August 2014 - 11:11 AM.


#6 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:03:03 PM

Posted 22 August 2014 - 04:51 PM

Copy and Paste of NEW reply ....................... You have nothing to hide there ..........
Please let boopme look, and I would say wait based on those, unless advice is offered -
 
 
Rkill 2.6.8 by Lawrence Abrams (Grinler)
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
 
Program started at: 08/22/2014 05:22:55 PM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * C:\Windows\SysWOW64\RegService.exe (PID: 1232) [WD-HEUR]
 
1 proccess terminated!
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * No issues found.
 
Checking Windows Service Integrity:
 
 * No issues found.
 
Searching for Missing Digital Signatures:
 
 * No issues found.
 
Checking HOSTS File:
 
 * No issues found.
 
Program finished at: 08/22/2014 05:25:33 PM
Execution time: 0 hours(s), 2 minute(s), and 38 seconds(s)
 
 
Malwarebytes Anti-Malware
www.malwarebytes.org
Data scansione: 22/08/2014
Ora scansione: 17:27:47
File di log: malwarebytes logfile 22-08-14.txt
Amministratore: Si
Versione: 2.00.2.1012
Database malware: v2014.08.22.05
Database rootkit: v2014.08.21.01
Licenza: Premium
Protezione da malware: Attivata
Protezione da siti web nocivi: Attivata
Self-protection: Disattivata
SO: Windows 7 Service Pack 1
CPU: x64
File system: NTFS
Utente: dell
Tipo di scansione: Scansione elementi nocivi
Risultati: Completata
Elementi analizzati: 300666
Tempo impiegato: 12 min, 5 sec
Memoria: Attivata
Esecuzioni automatiche: Attivata
File system: Attivata
Archivi compressi: Attivata
Rootkit: Attivata
Heuristics: Attivata
PUP: Attivata
PUM: Attivata
Processi: 0
(No malicious items detected)
Moduli: 0
(No malicious items detected)
Chiavi di registro: 0
(No malicious items detected)
Valori di registro: 0
(No malicious items detected)
Dati di registro: 0
(No malicious items detected)
Cartelle: 0
(No malicious items detected)
File: 0
(No malicious items detected)
Settori fisici: 0
(No malicious items detected)
 
(end)

Edited by noknojon, 22 August 2014 - 08:49 PM.
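A parser for the Malwarebytes 2.x scan-log format pasted in posts #1 and #6, added here as an example (it is not code from this thread or from Malwarebytes). It extracts detection rows without hard-coding section labels, so the Italian log in post #6 parses the same way as the English one in post #1, and it warns when a section's declared count does not match the rows actually present (a truncated paste). The embedded sample logs are constructed excerpts of the two logs above; the function names are my own.

```python
import re

# Detection row layout, as in the post #1 log: "<category>, <path>, <detail>, [<md5>],"
DETECTION_RE = re.compile(
    r"^(?P<name>[^,]+), (?P<path>[^,]*), (?P<detail>[^,]*), \[(?P<md5>[0-9a-f]{32})\],?$")
# Section header "<label>: <count>"; labels are localized (Files/File, Processes/Processi)
SECTION_RE = re.compile(r"^(?P<label>[^:]+): (?P<count>\d+)$")
CLEAN_MARKER = "(No malicious items detected)"  # stays English even in the Italian log

# Constructed excerpts of the two logs pasted in this thread (posts #1 and #6)
ENGLISH_LOG = r"""
Objects Scanned: 299374
Time Elapsed: 10 min, 17 sec
Processes: 0
(No malicious items detected)
Files: 1
Backdoor.Bot, C:\Windows\Installer\4b72b0.msi, , [84f087416912d95ddfa2446a778ac13f],
"""
ITALIAN_LOG = r"""
Elementi analizzati: 300666
File: 0
(No malicious items detected)
"""

def parse_mbam_log(text):
    """Return {label: (declared_count, [detection dicts])}. A "label: N" line becomes a
    section only once the next line confirms it (clean marker or detection row), so
    header fields such as "Objects Scanned: 299374" drop out without naming them."""
    sections, pending, current = {}, None, None
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        m, d = SECTION_RE.match(line), DETECTION_RE.match(line)
        if m:
            pending, current = (m.group("label"), int(m.group("count"))), None
        elif line == CLEAN_MARKER or d:
            if pending:  # confirmed: promote the candidate header to a section
                sections[pending[0]] = (pending[1], [])
                current, pending = pending[0], None
            if d and current:
                sections[current][1].append(d.groupdict())
        else:
            pending = None  # any other line: the candidate was an ordinary header field
    return sections

def findings(text):
    """Flat (section, name, path, md5) rows plus a warning per inconsistent section."""
    rows, warnings = [], []
    for label, (declared, dets) in parse_mbam_log(text).items():
        rows += [(label, d["name"], d["path"], d["md5"]) for d in dets]
        if declared != len(dets):
            warnings.append(f"{label}: header says {declared}, found {len(dets)} rows")
    return rows, warnings
```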


#7 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,323 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:01:03 AM

Posted 22 August 2014 - 08:44 PM

You look clean.

About this backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

If you do banking or important financials on here, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted, even though we found and killed the BOT. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS.

Details of a Backdoor BOT

#8 wolyq

wolyq
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Italy
  • Local time:07:03 AM

Posted 23 August 2014 - 08:31 AM

You look clean.

About this backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

If you do banking or important financials on here, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted, even though we found and killed the BOT. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS.

Details of a Backdoor BOT

 

I have Windows 7 and Debian 7 in dual boot. Can I use only Debian 7 normally, or am I forced to reformat as soon as possible? I am writing each reply in this topic on Debian.

I transferred some important data to a pendrive (on Windows 7) only after the detection of this threat, but during the transfer I disconnected the PC. Can this type of threat infect removable devices (my poor pendrive)?

At the moment I do not have another PC, unless I buy a new one.

 

Excuse me if this post has lots of questions and possible grammar mistakes! :blush:



#9 wolyq

wolyq
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Italy
  • Local time:07:03 AM

Posted 10 September 2014 - 11:49 AM

OK, finally I've reformatted my PC. I've decided to use only Linux and to rest Windows after this bad experience. I know Linux isn't immune to malware, but I can't spend my life reinstalling all the Windows updates!


Edited by wolyq, 10 September 2014 - 03:04 PM.




