
backdoor.bot PLEASE HELP. URGENT.


8 replies to this topic

#1 nulgathlarva123

nulgathlarva123

  • Members
  • 18 posts

Posted 10 November 2016 - 12:13 PM

Hi, so, it must have been one and a half months ago or so, maybe a little longer or shorter. I downloaded a file from a 'friend' which turned out to be a backdoor.bot. I deleted the file immediately and ran a Malwarebytes scan; it found a backdoor.bot called 'lsas.exe' in my system32 directory. I restarted my computer in safe mode, ran the scan again and it 'deleted' it. A few days later it came back; again I ran in safe mode and deleted it. It had been fine for the past 3-4 weeks, but then I noticed some weird things. Random programs like Minecraft spiking in CPU, Skype I/O disc error etc., so I ran a scan and it has come back. Each time I remove it with Malwarebytes in SAFE MODE, it still comes back at a later point. This is the paid Malwarebytes by the way.

Detection - https://gyazo.com/4500b5328c7281a671c5a2c014d6cebf

 

I know what kind of replies I would get: 'Try this scan, and then this scan.' I'm willing to do all that at this point; however, why can't Malwarebytes fully delete it? Is there a registry key or something?

 

IMPORTANT NOTE: Whenever I removed lsas.exe with Malwarebytes in safe mode it prompts me to restart my PC; however, when I restart my PC it is just a black screen. Pressing CTRL+ALT+DELETE works, so I open up Task Manager to find 'RunOnce*32.exe' (not sure if the *32 is there, I think it is just RunOnce.exe). Is this Malwarebytes or the malware trying to come back?

 

Edit: Went into system32, found the lsas.exe and clicked Properties; however, Malwarebytes auto-deleted it. https://gyazo.com/bd26978c684968ca83502be95a8a40c6

I'm assuming I'm still not safe, how do I COMPLETELY remove this 'backdoor.bot'?

 

Edit2: If, when Malwarebytes removes the virus, it is removed but comes back at a later date, I don't mind doing a daily scan and removing it every time; having it gone completely would be nice though.


Edited by nulgathlarva123, 10 November 2016 - 12:18 PM.



 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • Gender:Male
  • Location:NJ USA

Posted 10 November 2016 - 03:12 PM

Hello, I feel it important to say this first.


Backdoor Trojans, Botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is then sent back to the hacker. Read Danger: Remote Access Trojans.

If your computer was used for online banking, paying bills, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for taxes, email, eBay, paypal and any other online activities. You should consider them to be compromised and change passwords from a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified immediately of the possible security breach. Failure to notify your financial institution and local law enforcement can result in refusal to reimburse funds lost due to fraud or similar criminal activity. If using a router, you need to reset it with a strong logon/password before connecting again.

Although the infection was identified and removed, your machine has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be successfully cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system... There are only a few ways to return a compromised system to a confident security configuration. These include:
Reimaging the system
Restoring the entire system using a full system backup from before the backdoor infection
Reformatting and reinstalling the system

Backdoors and What They Mean to You

This is what Jesper M. Johansson, Security Program Manager at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?.

The only way to clean a compromised system is to flatten and rebuild. That's right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).


I cannot make this decision for you as to what to do. I am just providing information so you are aware and can make an informed decision, but as a minimum you should change all passwords.


If you want to try cleaning we should get a deeper look. Please follow this Preparation Guide and post in a new topic.
Let me know if all went well.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 nulgathlarva123

nulgathlarva123
  • Topic Starter

  • Members
  • 18 posts

Posted 10 November 2016 - 03:35 PM

After the second time removing the backdoor, I changed my passwords from my phone; I also changed my main passwords recently (from my phone). The only thing this hacker can do is socially embarrass me by posting things on my Facebook, etc.

 

Is there a reason why after I remove it with Malwarebytes it seems to be 'gone'? I'm guessing they use lsas.exe as some sort of 'gateway' into my PC? And if it is deleted at that period of time, that should shut down this 'gateway', right? I dunno, just theorizing.

Anyway, since the virus has been on my PC (a month or so, maybe more?) no passwords have been compromised from what I see, no unauthorized payments, and apart from a few CPU spikes in programs and such, everything seems to be okay; it's just the sheer detection of the virus that worries me.

 

And if Malwarebytes can't find anything further than this exe file, then is there good reason to do an attempted cleaning? I can't re-install my system either; I don't have the Windows 7 disc or the ID required to activate a new Windows, and I'm pretty sure you need to pay someone to do it (a professional or something). Even if I don't need the Windows 7 disc etc., I really don't have the money to spend on it. :(



#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • Gender:Male
  • Location:NJ USA

Posted 10 November 2016 - 04:59 PM

Ok, then do the Prep thing and we'll see if it has hooks.
Yes, it is using lsas.

#5 nulgathlarva123

nulgathlarva123
  • Topic Starter

  • Members
  • 18 posts

Posted 10 November 2016 - 05:11 PM

Okay so, while lsas is deleted, does that mean it cannot run in the background? Also I should mention I never see odd processes running in the Task Manager, and I followed a YT video and checked reg keys; they look fine.

 

I'll do the Prep guide tomorrow and will post back results; for now I gotta go to sleep.
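An added read-only check (not from this thread, and not a Malwarebytes or BleepingComputer tool) for the two things discussed above: a look-alike `lsas.exe` in System32 next to the genuine `lsass.exe`, and Run/RunOnce autostart entries that could re-launch it after reboot. It assumes Windows with PowerShell 3 or later and uses the standard registry paths; it only reports what it finds and changes nothing.

```powershell
# Added example: report a look-alike lsas.exe and autostart entries referring to it.
$system32  = Join-Path $env:SystemRoot 'System32'
$lookalike = Join-Path $system32 'lsas.exe'     # not a Windows file
$genuine   = Join-Path $system32 'lsass.exe'    # Local Security Authority Subsystem Service

# 1. Look-alike file on disk, with its Authenticode status (the genuine lsass.exe
#    is signed by Microsoft; an unsigned or differently signed look-alike stands out).
if (Test-Path $lookalike) {
    $f = Get-Item $lookalike
    Write-Output "FOUND $($f.FullName) size=$($f.Length) created=$($f.CreationTime)"
    Write-Output ("  signature status: " + (Get-AuthenticodeSignature $lookalike).Status)
} else {
    Write-Output "No lsas.exe in System32 right now (a dropper may re-create it later)."
}

# 2. Running processes named like lsass whose image is not the genuine binary.
#    $_.Path can be $null for protected system processes; those are skipped.
Get-Process | Where-Object { $_.ProcessName -match '^lsas+$' } | ForEach-Object {
    $path = $_.Path
    if ($path -and ($path -ne $genuine)) {
        Write-Output "SUSPICIOUS process PID=$($_.Id) name=$($_.ProcessName) path=$path"
    }
}

# 3. Autostart keys. RunOnce entries are executed at logon and then removed, which
#    is consistent with something showing up only briefly after a reboot.
$autostartKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $autostartKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell provider metadata
        $flag = if ("$($p.Value)" -match 'lsas') { 'SUSPICIOUS' } else { 'entry     ' }
        Write-Output "$flag $key\$($p.Name) = $($p.Value)"
    }
}
```

Run it from an elevated PowerShell prompt so that HKLM and process paths are readable; anything it flags belongs in the FRST log for the helper, not in a manual delete.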



#6 nulgathlarva123

nulgathlarva123
  • Topic Starter

  • Members
  • 18 posts

Posted 11 November 2016 - 11:48 AM

Done the Prep guide, got the logs. I also used AdwCleaner which I have the logs for. Should I create a new thread in the logs section and link it?



#7 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • Gender:Male
  • Location:NJ USA

Posted 11 November 2016 - 03:04 PM

Yes, post the logs you have there and link back, thanks.

#8 nulgathlarva123

nulgathlarva123
  • Topic Starter

  • Members
  • 18 posts

Posted 11 November 2016 - 03:16 PM

Alright, I posted the FRST Addition.txt in the forum; I'll post the AdwCleaner log if that's needed too.

http://www.bleepingcomputer.com/forums/t/632021/backdoorbot-logs/



#9 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • Gender:Male
  • Location:NJ USA

Posted 11 November 2016 - 09:44 PM

Thank you.

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a Malware Removal Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.
From this point on the Malware Removal Team should be the only members that you take advice from, until they have verified your log as clean.
Please be patient. It may take a while to get a response because the Malware Removal Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the Malware Removal Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRL Team member is already assisting you and not open the thread to respond.
The current wait time is 1 - 3 days and ALL logs are answered.
If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.
To avoid confusion, I am closing this topic.



