Daily Posted November 11, 2017 ID:1181411

Hi. Today I discovered that my laptop was infected by a backdoor.bot. I've been using this laptop for 5 years. I use it to access my emails and buy things online occasionally. I've run approximately 7 scans today (3 in the morning and 4 this evening) and I've picked up 1 or 2 backdoor.bots every single time. In addition, I've been picking up many pup.conduits, pup.ASK and pup.trovi in my scans. The scan I just finished running (currently 12:30pm) did not pick up the backdoor.bots. I'm at a loss as to what to do. Please help. This is a copy of the scan log that was recorded at approximately 9pm.

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 386309
Threats Detected: 6
Threats Quarantined: 0
(No malicious items detected)
Time Elapsed: 2 hr, 29 min, 55 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 6
Backdoor.Bot, C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\SCANRESULTS\POSTBUILD.EXE-K.MBAM, No Action By User, [48], [456339],0.0.0
Backdoor.Bot, C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\SCANRESULTS\POSTBUILD.EXE-U.MBAM, No Action By User, [48], [456339],1.0.3226
PUP.Optional.Trovi, C:\USERS\VIRGIL YAU\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\Web Data, No Action By User, [4983], [454808],1.0.3226
PUP.Optional.ASK, C:\USERS\VIRGIL YAU\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\Web Data, No Action By User, [527], [454829],1.0.3226
PUP.Optional.Conduit, C:\USERS\VIRGIL YAU\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\Web Data, No Action By User, [579], [454835],1.0.3226
PUP.Optional.Trovi, C:\USERS\VIRGIL YAU\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\Web Data, No Action By User, [4983], [454808],1.0.3226

Physical Sector: 0
(No malicious items detected)

(end)
Daily Posted November 11, 2017 Author ID:1181417

Also, I've been rebooting the system every time the backdoor.bot was picked up.
Daily Posted November 11, 2017 Author ID:1181419

Here's a copy of the most recent scan. I'll probably conduct another scan in about 3-6 hours when I wake up. I feel extremely paranoid and anxious :/

-Log Details-
Scan Date: 11/10/17
Scan Time: 10:28 PM
Log File: 867c1598-c6a9-11e7-9d4f-08606e8b88da.json
Administrator: Yes

-Software Information-
Version: 3.2.2.2029
Components Version: 1.0.212
Update Package Version: 1.0.3228
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: VirgilYau-PC\Virgil Yau

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 386344
Threats Detected: 5
Threats Quarantined: 5
Time Elapsed: 49 min, 38 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 5
PUP.Optional.Trovi, C:\USERS\VIRGIL YAU\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\Web Data, Replaced, [4983], [454808],1.0.3228
PUP.Optional.Conduit, C:\USERS\VIRGIL YAU\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\Web Data, Replaced, [579], [454835],1.0.3228
PUP.Optional.Trovi, C:\USERS\VIRGIL YAU\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\Web Data, Replaced, [4983], [454808],1.0.3228
PUP.Optional.ASK, C:\USERS\VIRGIL YAU\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\Web Data, Replaced, [527], [454829],1.0.3228
PUP.Optional.Trovi, C:\USERS\VIRGIL YAU\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\Secure Preferences, Replaced, [4983], [454808],1.0.3228

Physical Sector: 0
(No malicious items detected)

(end)
Aura Posted November 11, 2017 ID:1181523

Hi Daily

If you look at the location of the Backdoor.bot files, you'll see that they are inside a Malwarebytes folder. Which means, they are probably old threats that were quarantined (so already detected and deleted) back then by Malwarebytes. In other words, they aren't active.

As for the PUP detections, can you .zip these two files and PM me the .zip?

C:\USERS\VIRGIL YAU\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\Web Data
C:\USERS\VIRGIL YAU\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\Secure Preferences
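The triage point Aura makes above (a detection whose path sits inside Malwarebytes' own ProgramData folder is most likely a stored artifact rather than a live infection, while hits on Chrome's "Web Data" and "Secure Preferences" are PUP leftovers in the browser profile) can be applied mechanically to the text log Malwarebytes 3.x writes. The script below is an added example written for this page, not Malwarebytes code or a parser the thread's participants used. It parses the "-Scan Details-" detection lines in the same shape as the logs posted in this thread and sorts them into three buckets; the sample log text and the user name in it are constructed, and the folder prefix it treats as "Malwarebytes' own folder" is an assumption taken from the paths in the thread.

```python
import re

# Constructed sample in the shape of the Malwarebytes 3.x logs posted in the thread
# (the user name "EXAMPLE USER" is a placeholder, not a real profile).
SAMPLE_LOG = r"""-Scan Details-
Process: 0
(No malicious items detected)
File: 4
Backdoor.Bot, C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\SCANRESULTS\POSTBUILD.EXE-K.MBAM, No Action By User, [48], [456339],0.0.0
Backdoor.Bot, C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\SCANRESULTS\POSTBUILD.EXE-U.MBAM, No Action By User, [48], [456339],1.0.3226
PUP.Optional.Trovi, C:\USERS\EXAMPLE USER\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\Web Data, No Action By User, [4983], [454808],1.0.3226
PUP.Optional.ASK, C:\USERS\EXAMPLE USER\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\Secure Preferences, Replaced, [527], [454829],1.0.3228
Physical Sector: 0
(No malicious items detected)
(end)
"""

# One detection line: "<name>, <path>, <action>, [<id>], [<id>],<db version>".
# The path is matched greedily and the regex backtracks to the last ", <action>, [".
DETECTION_RE = re.compile(
    r"^(?P<name>[^,]+), (?P<path>.+), (?P<action>[^,\[]+), "
    r"\[(?P<rule_id>\d+)\], \[(?P<sig_id>\d+)\],(?P<version>\S+)$"
)

# Assumption: anything under this prefix belongs to the product itself
# (scan results, quarantine), as in the paths posted in the thread.
MBAM_PREFIX = "c:\\programdata\\malwarebytes\\"

# Chrome profile files that PUP cleaners rewrite rather than delete
# ("Replaced" in the log), so a hit here is a browser-settings remnant.
CHROME_PROFILE_FILES = {"web data", "secure preferences", "preferences"}


def parse_detections(log_text):
    """Return one dict per detection line found in the log text."""
    found = []
    for line in log_text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            found.append(m.groupdict())
    return found


def classify(detection):
    """Bucket a detection by where on disk it was found."""
    path = detection["path"].replace("/", "\\").lower()
    filename = path.rsplit("\\", 1)[-1]
    if path.startswith(MBAM_PREFIX):
        return "mbam_folder"
    if filename in CHROME_PROFILE_FILES:
        return "browser_profile"
    return "other"


def triage(log_text):
    """Group detections into buckets and note which were left untouched."""
    buckets = {"mbam_folder": [], "browser_profile": [], "other": []}
    for det in parse_detections(log_text):
        det["untouched"] = det["action"] == "No Action By User"
        buckets[classify(det)].append(det)
    return buckets


def report(log_text):
    """Human-readable summary; 'other' is the bucket worth a closer look."""
    lines = []
    for bucket, items in triage(log_text).items():
        lines.append(f"{bucket}: {len(items)} detection(s)")
        for det in items:
            flag = " (not quarantined)" if det["untouched"] else ""
            lines.append(f"  {det['name']} -> {det['path']}{flag}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Anything that lands in the "other" bucket, or in "mbam_folder" while still being reported after a reboot, is what to hand to a helper; the other two buckets are consistent with what Aura describes.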
Daily Posted November 12, 2017 Author ID:1181659

I'm unable to find app data in my user/Virgil Yau file :/
Daily Posted November 12, 2017 Author ID:1181662

Never mind. I found them. They aren't zip files though. They are just diagnosed as FILE.
Aura Posted November 12, 2017 ID:1181782

Can you upload these two files to VirusTotal, and post their report URLs here?

C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\SCANRESULTS\POSTBUILD.EXE-K.MBAM
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\SCANRESULTS\POSTBUILD.EXE-U.MBAM
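Before uploading a file from a personal machine, a practitioner usually hashes it locally and checks the hash first: VirusTotal report URLs are keyed by the file's SHA-256 (the URLs posted later in this thread have that shape), so a hash lookup is enough when the sample is already known, and hashing also tells you whether two files you were asked about are in fact the same bytes, in which case one report covers both. The helper below is an added example for this page, not Malwarebytes or VirusTotal code; the file contents it hashes are constructed stand-ins, and the URL pattern is taken from the thread.

```python
import hashlib
from collections import defaultdict

# URL shape as posted in this thread: https://www.virustotal.com/#/file/<sha256>/detection
VT_URL = "https://www.virustotal.com/#/file/{sha256}/detection"


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the file bytes, lowercase hex (64 characters)."""
    return hashlib.sha256(data).hexdigest()


def vt_lookup_url(sha256: str) -> str:
    """Report URL for a hash lookup (no upload needed if VT already knows it)."""
    if len(sha256) != 64 or any(c not in "0123456789abcdef" for c in sha256):
        raise ValueError("expected a 64-character lowercase hex SHA-256")
    return VT_URL.format(sha256=sha256)


def plan_lookups(files: dict) -> dict:
    """Map each distinct SHA-256 to the file names sharing it.

    Files with identical contents collapse to a single lookup, which also
    surfaces the case where two differently named files are really one sample.
    """
    by_hash = defaultdict(list)
    for name, data in files.items():
        by_hash[sha256_hex(data)].append(name)
    return {h: {"files": sorted(names), "url": vt_lookup_url(h)}
            for h, names in by_hash.items()}


if __name__ == "__main__":
    # Constructed sample contents; two of the three are byte-identical.
    files = {
        "POSTBUILD.EXE-K.MBAM": b"constructed sample bytes A",
        "POSTBUILD.EXE-U.MBAM": b"constructed sample bytes A",
        "other-file.bin": b"constructed sample bytes B",
    }
    for h, entry in plan_lookups(files).items():
        print(h, entry["files"], entry["url"])
```

In practice you would read the bytes with `open(path, "rb").read()` and compare the resulting URL against what the helper on the forum is asking for; if two names map to one hash, say so in the post instead of uploading twice.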
Daily Posted November 12, 2017 Author ID:1181866

I'm not able to find these two files :/. I'm only able to find JSON files in the scanresults folder.
Aura Posted November 12, 2017 ID:1181894

But if you run new scans, the Backdoor.bot files aren't detected anymore, right?
Daily Posted November 12, 2017 Author ID:1181903

I haven't completed any scans today yet. But, yesterday night I only picked up the backdoor.bot files once, which was a scan run at 9:42pm. I'm running a scan right now.
Daily Posted November 12, 2017 Author ID:1181917

I've done 1 scan and I haven't detected the backdoor.bot files.
Daily Posted November 12, 2017 Author ID:1181924

Started another scan and the backdoor.bot files were detected.
floridakeyslover Posted November 12, 2017 ID:1181928

Hello Daily. I am having the same problem with Backdoor.Bot in my scan results and located in the same files. I am also seeing Virus.Xpaj as well in the same files. I just posted this in case you would like to read it.

https://forums.malwarebytes.com/topic/214753-need-help-with-these-scan-results/?tab=comments#comment-1181927
Daily Posted November 12, 2017 Author ID:1181932

I found them in SCANRESULTS just now Aura. Here are the URLs:

https://www.virustotal.com/#/file/d075b277eaa965a2ce130a8a0ffdef6b35d347ed03617f34b4317a123fbb4215/detection
This is Postbuild.exe-u.mbam

https://www.virustotal.com/#/file/d075b277eaa965a2ce130a8a0ffdef6b35d347ed03617f34b4317a123fbb4215/detection
This is Postbuild.exe-k.mbam
Daily Posted November 12, 2017 Author ID:1181936

I tried to delete the files. But, I cannot because apparently I need administrator permissions even though I'm the owner of the laptop.
floridakeyslover Posted November 12, 2017 ID:1181938

If you are not the admin then go into user accounts in the control panel and make yourself admin.
Daily Posted November 12, 2017 Author ID:1181939

I am admin though. That's the thing.
floridakeyslover Posted November 12, 2017 ID:1181945

Did you get this message? https://forums.malwarebytes.com/topic/9573-im-infected-what-do-i-do-now/

It made no sense to me. I can see it being used for another file, but why in the world would a Malwarebytes scan file be infected?
Daily Posted November 12, 2017 Author ID:1181946

I got a message about who can post on others' forums. I think the file is just labelled as mbam. Not completely sure though.
floridakeyslover Posted November 12, 2017 ID:1181948

12 minutes ago, Daily said: "I am admin though. That's the thing."

If you are getting a message that is giving you a choice when you try to delete it, then click on continue to bypass it and you should be able to then.
Daily Posted November 12, 2017 Author ID:1181949

I tried that, but all it says after is you need administrator's permissions to make changes.
floridakeyslover Posted November 12, 2017 ID:1181950

I just uninstalled Malwarebytes using their uninstall tool and I also went into Program Data (hidden folder) and deleted it out of there as well. I ran CCleaner to get rid of registries. I will let you know what happens after I reinstall it.
Daily Posted November 12, 2017 Author ID:1181951

Alright.
Daily Posted November 12, 2017 Author ID:1181955 (edited)

I just saw 2 more postbuild.exe show up and disappear in the ScanResults folder. Malwarebytes isn't picking up the 2 postbuild.exe that are residing in the scanresults folder currently.

Edited November 12, 2017 by Daily
Aura Posted November 12, 2017 ID:1181958 (edited)

Scratch what I just said. Looks like false positives to me. I'll ask someone from the Research Team to take a look.

Edited November 12, 2017 by Aura