
Backdoor.Bot npf.sys



Hello - I would be grateful for someone's help please.

 

My son has an HP Touchsmart desktop PC running Windows Vista, Service Pack 1 and using both Firefox and Chrome as web browsers.  His PC is on our home network and, like the other 2 desktop PCs on the network, he is protected by Malwarebytes Anti-Malware Premium, Malwarebytes Anti-Exploit (Free version) and Norton Internet Security.

 

Following a recent issue with an apparent false-positive of Backdoor.Bot on Chrome on the other 2 PCs on the network (as identified on this forum a couple of days ago), I checked my son's PC and discovered that there was a Backdoor.Bot quarantined file located under C:\Windows\System32\drivers\npf.sys, and this was logged on 10.11.14 (I have attached a screenshot of same).  This clearly predates the false-positive above and does not seem to be linked to Chrome (hence this new posting on the forum).

 

I hadn't been aware of this issue before, as each MBAM & NIS scan before and since this date has stated no threats or infections.

 

Since it is in quarantine, can I take it that this means the threat was blocked and stopped by MBAM Premium?

 

Do I need to take any further action?  I am somewhat concerned given what I have read of this malware threat.

 

I have tried following the self-help guide on this site, however Norton Internet Virus prevents me from downloading FRST.

 

I'd be grateful for any help, please.

 

Thank you.


Hi, again, brutons:
 
In addition to David's expert advice, it might help the staff to see a scan log (and perhaps some diagnostic logs). :)
 
Instructions for posting a scan log as an attachment to your next reply here are below.
Instructions for posting the 3 diagnostic logs are here: Diagnostic Logs
 
Thanks,
-----------------

How to get scan logs:
(Export log to save as a txt file for posting in the forum when requested)

  • Open MBAM.
  • Click on the HISTORY tab > APPLICATION LOGS.
  • Double-click on the SCAN LOG which shows the date and time of the scan just performed (or the one you are asked to post).
  • Click EXPORT.
  • Click TEXT FILE (*.txt)
  • In the "Save File" dialog box which appears, click on DESKTOP.
  • In the FILE NAME box, type a name for your scan log.
  • A message box named "File Saved" should appear, stating that "Your file has been successfully exported".
  • Click OK.
  • Attach the saved log to your next reply.

Firstly, David - thank you for your message.  In answer to your question, no, the computer isn't using a version of Wireshark or other software using WinPCAP.  I recently pared down the PC in question, which is simply set up for my son (a 10-year-old) and it merely has Microsoft Office, Apple iTunes & iCloud and limited other items of basic software.

 

I'll be honest, I haven't heard of the software you referred to, but have checked that such is not installed on the PC.


I now have some logs for you to review; alas, I cannot obtain the diagnostic logs as Norton is still blocking access for FRST.

 

I've attached logs from the date when the malware was first observed by MBAM and have also attached today's logs - I hope that I have done this correctly!

 

Please let me know if you need anything further.

 

Many thanks

Daniel Protection log 9.1.15.txt

Daniel Protection log 10.11.14.txt

Daniel Scan log 9.1.15.txt

Daniel Scan log 10.11.14.txt


brutons:

 

Based upon your reply, malware may have installed some Packet Capture software which can/may be associated with a Backdoor Trojan.

 

We'll parse those logs but most likely we may suggest you seek assistance in the Malware Removal sub-forum.

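The question David and daledoc1 are circling is whether npf.sys (the WinPcap packet-capture driver) was put on the machine by a legitimate product or by something else. The following PowerShell script is an added example, not something posted in this thread or shipped by Malwarebytes or FRST; it gives a defender a quick inventory to hand to a helper: whether the file is still on disk, who signed it, whether its kernel service is still registered, and whether any known capture product is installed. It assumes the driver path quoted in the thread and assumes the WinPcap service is registered under the name "NPF"; the product-name pattern is also an assumption.

```powershell
# Added example (not from the thread): inventory the WinPcap packet-capture driver
# that MBAM quarantined, so a defender can see whether a legitimate product installed it.
# Assumes the driver path shown in the thread and that the WinPcap kernel service is
# registered under the name "NPF" (assumption).

$driverPath = 'C:\Windows\System32\drivers\npf.sys'   # path from the thread

# 1. Is the file still present? MBAM quarantine moves it, so absence is the expected state here.
if (Test-Path $driverPath) {
    $file = Get-Item $driverPath
    Write-Output ("npf.sys present: {0} bytes, modified {1}" -f $file.Length, $file.LastWriteTime)

    # 2. Authenticode signature: a vendor-signed build is the benign case; an unsigned or
    #    unexpectedly signed file warrants a closer look by the malware helper.
    $sig = Get-AuthenticodeSignature -FilePath $driverPath
    Write-Output ("Signature status: {0}" -f $sig.Status)
    if ($sig.SignerCertificate) {
        Write-Output ("Signer: {0}" -f $sig.SignerCertificate.Subject)
    }
} else {
    Write-Output "npf.sys not present on disk (consistent with MBAM quarantine)."
}

# 3. Is the kernel service still registered? A leftover entry pointing at a missing
#    file does nothing by itself, but it is worth mentioning to the helper.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NPF'   # service name is an assumption
if (Test-Path $svcKey) {
    $svc = Get-ItemProperty -Path $svcKey
    Write-Output ("Service NPF registered, ImagePath: {0}, Start: {1}" -f $svc.ImagePath, $svc.Start)
} else {
    Write-Output "No NPF service entry in the registry."
}

# 4. Which installed programs could legitimately have brought WinPcap along?
#    Search the Add/Remove Programs registry keys for known packet-capture products.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'   # absent on x86 Vista
)
$pattern = 'WinPcap|Npcap|Wireshark'   # product names to look for (list is an assumption)
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $pattern } |
    ForEach-Object { Write-Output ("Installed: {0} {1}" -f $_.DisplayName, $_.DisplayVersion) }
```

Run it from an elevated PowerShell prompt and paste the output into the malware-removal topic alongside the MBAM and FRST logs. A present, vendor-signed npf.sys next to an installed Wireshark or WinPcap is the ordinary case; a service entry with no matching product, or a file with a bad or missing signature, is the finding the helper will want to see.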

Hi:
 
Your logs show some findings consistent with possible malware infection or damage from infection.

 

GroupPolicyUsers\S-1-5-21-511449885-838023294-3041479094-1003\User: Group Policy restriction detected <======= ATTENTION

It might be a good idea to get some expert help with a deeper look at the system.

We are not permitted to work on possible malware-related issues here in this section of the forum.

So, for expert assistance, I suggest that you please follow the advice in this pinned topic: Available Assistance For Possibly Infected Computers.
It explains the options for free, expert help >>AND<< the suggested, preliminary steps to expedite the process.
A malware analyst will assist you with looking into your issue.

 

>>>As you have already run FRST, you just need to start a new topic in the malware removal section of the forum. Please include the SAME FRST logs with that new post. Then, please wait for one of the malware experts to help you. The helper will guide you, step-by-step, through the process.

Thanks,


OK fine - thank you daledoc1, your help is appreciated.

 

I take it that the apparent false-positive Google Chrome related backdoor.bot detections of a more recent date (6.1.15) are unconnected with this?  Or do I need to re-check this?  If not, is there anything else I should do to try and protect the other 2 PCs on the network?  They don't show signs of the same quarantined files; merely the Google Chrome related files are quarantined.


 

Malwarebytes Anti-Malware

www.malwarebytes.org

Scan Date: 09/01/2015

Scan Time: 14:30:07

Logfile: Daniel Scan log 9.1.14.txt

Administrator: Yes

Version: 2.00.4.1028

Malware Database: v2015.01.09.09

Rootkit Database: v2015.01.07.01

License: Premium

Malware Protection: Enabled

Malicious Website Protection: Enabled

Self-protection: Disabled

OS: Windows Vista Service Pack 1

CPU: x86

File System: NTFS

User: Daniel

 

Your log also shows that you are running a non-supported version of the Windows OS.

Vista SP1 has been "dead" for a long time, and, without the current security patches, is particularly vulnerable to malware infection.

 

A single negative scan -- even with MBAM -- doesn't necessarily mean you are clean.

The complexity of finding, preventing, and cleanup from malware

And your FRST logs show changes that could indicate infection.

 

Under the circumstances, it might be a good idea to follow the advice already provided to seek a bit of free, expert help with taking a deeper look at the system for hidden malware in the designated area of the forum or at the help desk.

 

It's up to you, of course. :)

However, that would be our advice.

It will only cost you a bit of your time.

 

Thank you again,


That's absolutely fine, daledoc1 - your advice is important to me.  I have now posted under the sub-forum you have suggested and am happy to spend whatever time is required to try and resolve the issue.

 

I hadn't realised that the Windows OS version wasn't supported - I haven't been prompted to install SP2, even when running a Windows Update just now...however I now see that there are a number of failed updates in history.  I guess I should not do anything further on this until I hear back from your malware removal guys?


That's absolutely fine, daledoc1 - your advice is important to me.  I have now posted under the sub-forum you have suggested and am happy to spend whatever time is required to try and resolve the issue.

No problem -- I was just trying to steer you to the appropriate area of the forum for efficient help, before things became overly complicated here. :)

 

I hadn't realised that the Windows OS version wasn't supported - I haven't been prompted to install SP2, even when running a Windows Update just now...however I now see that there are a number of failed updates in history.  I guess I should not do anything further on this until I hear back from your malware removal guys?

Correct -- please be sure to mention the Windows Updating issue to your helper.

It may have to be addressed separately or in a different venue (such as the PC Help section), AFTER he gives you the "all clear" from a malware standpoint.

 

Thanks,
