Help removing Backdoor.bot.MSIL and potentially related trojan or rootkit


  • This topic is locked
5 replies to this topic

#1 infectasaurus

  • Members
  • 2 posts

Posted 19 August 2015 - 07:16 AM

Hello,

 

Been reading and using these forums for a long time now. Very helpful, thanks! Hoping someone can help me remove a nasty trojan infection.

 

A friend of a friend downloaded some questionable software on my machine and when things seemed off, I ran a few virus scans. MalwareBytes found and removed Backdoor.bot.MSIL (and a few PUP variants but I've removed them and am not worried about those).

 

Some dubious processes running are MSOSYNC.EXE (wasn't running before, I'm always checking pretty regularly what's running), conhost.exe, dllhost.exe / COM Surrogate, and csrss.exe processes are looking different, but can't remember what they are normally. Also more svchost.exe processes than typical.

 

I ran TDSSKiller, MalwareBytes anti-rootkit tool, RogueKiller and none of them found anything else, but I'm very wary of this trojan. Normally I fix these things myself on the rare occasion that I get anything and am usually helping others with this stuff. However, I'm stressing out about some deadlines and worried about not removing all of the trojan/virus(es) and compromising client data.

 

Attached are FRST, HijackThis and aswMBR logs. I also have Wireshark logs and can send those privately but I don't want to post it publicly. Take a look when you have a moment. Any and all help would be appreciated.

 

Thanks!

 

 

 

 



#2 nasdaq

  • Malware Response Team
  • 40,182 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 20 August 2015 - 09:32 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===
 

Some dubious processes running are MSOSYNC.EXE (wasn't running before,

Read about it.
http://www.addictivetips.com/windows-tips/what-is-msosync-exe-process-delete-document-cache-in-office-2010/
===

Is the file in bold something you renamed?
(Trend Micro Inc.) C:\Users\snowflake\Desktop\fakenaym.exe
If you know what it is and you want to keep it remove these lines in bold below from the code box before you save the FixList.txt file.

(Trend Micro Inc.) C:\Users\snowflake\Desktop\fakenaym.exe
C:\Users\snowflake\Desktop\fakenaym.exe



Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

(Trend Micro Inc.) C:\Users\snowflake\Desktop\fakenaym.exe
C:\Users\snowflake\Desktop\fakenaym.exe
(AVAST Software) C:\Users\snowflake\Desktop\aswmbr.exe
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-2596612273-4009746374-335098238-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKU\S-1-5-21-2596612273-4009746374-335098238-1000 -> DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = hxxps://www.google.com/search?q={searchTerms}
SearchScopes: HKU\S-1-5-21-2596612273-4009746374-335098238-1000 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = hxxps://www.google.com/search?q={searchTerms}
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 cpuz136; \??\C:\Users\ANAISA~1\AppData\Local\Temp\cpuz136\cpuz136_x64.sys [X]
S3 WinRing0_1_2_0; \??\C:\Users\snowflake\AppData\Local\Temp\tmp1E4A.tmp [X]
U3 aswMBR; \??\C:\Users\ANAISA~1\AppData\Local\Temp\aswMBR.sys [X]
U3 aswVmm; \??\C:\Users\ANAISA~1\AppData\Local\Temp\aswVmm.sys [X]
AlternateDataStreams: C:\ProgramData\Temp:0E08FC17
AlternateDataStreams: C:\Users\snowflake\AppData\Roaming\Comma Separated Values (Windows).EML:OECustomProperty
AlternateDataStreams: C:\Users\snowflake\AppData\Roaming\Microsoft Excel 97-2003.EML:OECustomProperty

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

How is the computer running now?
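Before a fixlist like the one above is run, it helps to know what each entry actually points at. The following read-only audit is an added example, not from the thread or from the FRST tool: it takes the alternate-data-stream paths, the driver/service names and the Internet Explorer policy keys as constants straight from the fixlist ("snowflake" is the thread's placeholder user name and the SID is the one shown in the FRST log), and only reads them, so it can be run before and after the fix to compare.

```powershell
# Added example, not from the thread or from FRST: a read-only audit of the
# items the fixlist above targets, so each line can be checked before FRST
# removes it. Paths, service names and registry keys are taken from the
# fixlist; "snowflake" is the thread's placeholder user name and the SID is
# the one in the FRST log. Run from an elevated PowerShell prompt.

# 1. Alternate data streams. FRST lists "file:stream"; every file has the
#    unnamed ':$DATA' stream, so only other stream names are reported.
function Get-AdsReport {
    param([string[]]$Paths = @(
        'C:\ProgramData\Temp',
        'C:\Users\snowflake\AppData\Roaming\Comma Separated Values (Windows).EML',
        'C:\Users\snowflake\AppData\Roaming\Microsoft Excel 97-2003.EML'
    ))
    foreach ($path in $Paths) {
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Path = $path; Stream = '(path not found)'; Length = $null }
            continue
        }
        Get-Item -LiteralPath $path -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object { [pscustomobject]@{ Path = $path; Stream = $_.Stream; Length = $_.Length } }
    }
}

# 2. Driver/service entries FRST marked "[X]" (registered, but the file is
#    gone). Leftovers from scanner tools are harmless; an entry whose path
#    you do not recognise deserves a closer look.
function Get-OrphanServiceReport {
    param([string[]]$Names = @('catchme', 'cpuz136', 'WinRing0_1_2_0', 'aswMBR', 'aswVmm'))
    foreach ($svc in $Names) {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        # ImagePath may carry the NT-style \??\ prefix; strip it before testing.
        $file = $props.ImagePath -replace '^\\\?\?\\', ''
        [pscustomobject]@{
            Service    = $svc
            Start      = $props.Start
            ImagePath  = $props.ImagePath
            FileExists = ([bool]$file) -and (Test-Path -LiteralPath $file)
        }
    }
}

# 3. Internet Explorer policy restrictions (FRST's "Policy restriction" lines):
#    dump every value under both keys so the actual settings can be reviewed.
function Get-IePolicyReport {
    $keys = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer',
        'Registry::HKEY_USERS\S-1-5-21-2596612273-4009746374-335098238-1000\SOFTWARE\Policies\Microsoft\Internet Explorer'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $subKeys = @(Get-Item -LiteralPath $key) + @(Get-ChildItem -LiteralPath $key -Recurse)
        foreach ($k in $subKeys) {
            foreach ($name in $k.GetValueNames()) {
                [pscustomobject]@{ Key = $k.Name; Value = $name; Data = $k.GetValue($name) }
            }
        }
    }
}

Get-AdsReport           | Format-Table -AutoSize
Get-OrphanServiceReport | Format-Table -AutoSize
Get-IePolicyReport      | Format-Table -AutoSize
```

Redirect the three tables to a file before running the fix and again afterwards; the Fixlog.txt FRST produces should account for every line that disappears between the two runs.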

#3 infectasaurus
  • Topic Starter

  • Members
  • 2 posts

Posted 20 August 2015 - 11:25 PM

Hi nasdaq,

 

Thanks so much for responding. Yes, the fakename file was just me renaming HijackThis since I rename all of the anti-malware tools before running to avoid detection by the virus. I know what MSOSYNC is, I was just concerned that it was infected. I think it's probably okay, though.

 

I will run FRST with that script (after I've replaced snowflake with the actual name) and let you know. I will delete a few lines because I don't want/need anti-virus tools like combofix and aswmbr deleted. I don't see anything in the FRST script that would necessarily be related to the Backdoor.bot.MSIL / Backdoor.MSIL.bot trojan. Are there any particular things here you think could be related to the trojan?

 

Computer is running okay now but I'm paranoid that I'm still infected with the Backdoor trojan. I've looked at my network traffic in Wireshark, manually reviewed Windows scheduled tasks in Task Scheduler, searched through the Registry, and looked through Event Viewer logs. However, from what I've read about the Backdoor.bot trojans, they can hide tasks and registry settings and do things like temporarily turn off event logging easily. I went through and blocked some ports and made a few changes in the Windows firewall settings. I know a bit about networking but really am no network/security expert so I could easily have missed suspicious network traffic.

 

Here's some information I found about the virus, maybe this will give you some ideas?: http://www.bitdefender.com/free-virus-removal/#Backdoor.MSIL.Bot.A

 

I appreciate your time and any other assistance you may be able to provide. No pressure if you're busy.

 

 

Thanks,

"Infectasaurus" :)
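The checks the poster describes doing by hand (scheduled tasks, the process list, Event Viewer) can be scripted so the results are saved and compared after the fix. The block below is an added example, not from the thread or from any tool mentioned in it; the process names come from the first post, the "log cleared" Event IDs (Security 1102, System 104) are standard Windows audit events, and Get-ScheduledTask assumes Windows 8 / Server 2012 or later.

```powershell
# Added example, not from the thread: the scheduled-task, process and event-log
# checks the poster did by hand, scripted so the output can be saved and diffed
# after the FRST fix. Process names are from post #1; Event IDs 1102 (Security)
# and 104 (System) are the standard "log cleared" audit events, which is what to
# look for if logging was interrupted. Run from an elevated PowerShell prompt.

# 1. Scheduled tasks whose action executable lives outside the usual system and
#    program locations (a common place for persistence to hide).
function Get-SuspectTaskAction {
    $trusted = '^"?(%SystemRoot%|%windir%|C:\\Windows|C:\\Program Files)'
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $exe = $action.Execute   # null for non-exec actions (COM handler, e-mail)
            if ($exe -and $exe -notmatch $trusted) {
                [pscustomobject]@{
                    Task      = $task.TaskPath + $task.TaskName
                    State     = $task.State
                    Execute   = $exe
                    Arguments = $action.Arguments
                }
            }
        }
    }
}

# 2. svchost.exe instances not started by services.exe or lacking the
#    "-k <group>" argument; genuine service hosts have both.
function Get-OddSvchost {
    $servicesPids = (Get-CimInstance Win32_Process -Filter "Name = 'services.exe'").ProcessId
    Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" |
        Where-Object { ($_.ParentProcessId -notin $servicesPids) -or ($_.CommandLine -notmatch '\s-k\s') } |
        Select-Object ProcessId, ParentProcessId, ExecutablePath, CommandLine
}

# 3. Image path and Authenticode status of the processes the poster was unsure
#    about. The legitimate csrss/conhost/dllhost binaries are in System32 and
#    are Microsoft-signed; a copy elsewhere or an unsigned one is worth a look.
function Get-ProcessSignatureReport {
    param([string[]]$Names = @('csrss', 'conhost', 'dllhost', 'msosync'))
    foreach ($name in $Names) {
        Get-Process -Name $name -ErrorAction SilentlyContinue | ForEach-Object {
            $path = $_.Path   # null when the process cannot be opened (protected process)
            $status = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'unreadable' }
            [pscustomobject]@{ Name = $_.ProcessName; Id = $_.Id; Path = $path; Signature = $status }
        }
    }
}

# 4. Has any log been cleared? The clearing event itself survives the clear.
function Get-LogClearedEvents {
    foreach ($q in @(@{ LogName = 'Security'; Id = 1102 }, @{ LogName = 'System'; Id = 104 })) {
        Get-WinEvent -FilterHashtable $q -MaxEvents 50 -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, LogName, Id, Message
    }
}

Get-SuspectTaskAction      | Format-Table -AutoSize
Get-OddSvchost             | Format-Table -AutoSize
Get-ProcessSignatureReport | Format-Table -AutoSize
Get-LogClearedEvents       | Format-Table -AutoSize
```

An empty result from Get-LogClearedEvents is the expected state; a 1102 or 104 entry with a timestamp you cannot tie to your own maintenance is the signal the poster was worried about being unable to see.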



#4 nasdaq

  • Malware Response Team
  • 40,182 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 21 August 2015 - 10:47 AM

The program may still have been running when you executed the FRST scan.
There is no need for these programs to run.
C:\Users\snowflake\Desktop\aswmbr.exe
===

(Trend Micro Inc.) C:\Users\snowflake\Desktop\fakenaym.exe
C:\Users\snowflake\Desktop\fakenaym.exe

Again, this renamed HijackThis was running when you ran the FRST tool.
You can delete the lines before saving the FixList.txt file.


Save the revised FixList.txt and run the FRST to clean everything else.
===

backdoor.msil.bot

Is this still being reported and by which program?

#5 nasdaq

  • Malware Response Team
  • 40,182 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 26 August 2015 - 07:51 AM

Are you still with me?

#6 nasdaq

  • Malware Response Team
  • 40,182 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 01 September 2015 - 08:08 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
