
Do I have a backdoor in my PC? I found this: "\Microsoft\Windows\NetTrace\GatherNetworkInfo"

Anonymous
2024-04-29T15:28:48+00:00

It says "BehavesLike.VBS.Backdoor.mp".

- Matches rule DECODE_IP_OPTION_SET at Snort registered user ruleset (bad-unknown)
- Matches rule PSNG_UDP_PORTSWEEP_FILTERED at Snort registered user ruleset (bad-unknown)
- Matches rule DECODE_IP4_DST_BROADCAST at Snort registered user ruleset (misc-activity)
- Matches rule DECODE_IP4_SRC_THIS_NET at Snort registered user ruleset (misc-activity)
- Matches rule ARPSPOOF_UNICAST_ARP_REQUEST at Snort registered user ruleset (protocol-command-decode)

Unique rule identifier: This rule belongs to a private collection.

Dynamic Analysis Sandbox Detections: The sandbox Dr.Web vxCube flags this file as MALWARE

Crowdsourced Sigma Rules:

- Matches rule WScript or CScript Dropper by Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community at Sigma Integrated Rule Set (GitHub): Detects wscript/cscript executions of scripts located in user directories
- Matches rule Dumping of Sensitive Hives Via Reg.EXE by Teymur Kheirkhabarov, Endgame, JHasenbusch, Daniil Yugoslavskiy, oscd.community, frack113 at Sigma Integrated Rule Set (GitHub): Detects the usage of "reg.exe" in order to dump sensitive registry hives, which includes SAM, SYSTEM and SECURITY
- Matches rule Potential PowerShell Command Line Obfuscation by Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp) at Sigma Integrated Rule Set (GitHub): Detects the PowerShell command lines with special characters
- Matches rule WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript by Michael Haag at Sigma Integrated Rule Set (GitHub): Detects script file execution (.js, .jse, .vba, .vbe, .vbs, .wsf) by Wscript/Cscript
- Matches rule Suspicious PowerShell Invocation From Script Engines by Florian Roth (Nextron Systems) at Sigma Integrated Rule Set (GitHub): Detects suspicious powershell invocations from interpreters or unusual programs
- Matches rule Non Interactive PowerShell Process Spawned by Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) at Sigma Integrated Rule Set (GitHub): Detects non-interactive PowerShell activity by looking at the "powershell" process with a non-user GUI process such as "explorer.exe" as a parent.

Malwarebytes didn't detect it, nor did Windows Defender.

Windows for home | Windows 11 | PC Health Checker

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question.


2 answers

  1. Anonymous
    2024-04-30T09:48:37+00:00

    Hello Harvcker tech, welcome to the Microsoft community.

    Based on your feedback, you want to know if there is a backdoor in your computer.

    GatherNetworkInfo is part of Microsoft's network components; it uses Microsoft's CorrEngine and Nettrace DLL to improve Windows' network performance.

    You need to recheck with antivirus software.

    You can also do the following:

    Call up Task Manager with the Ctrl+Shift+ESC combination, find the corresponding PID value, right-click to end the process.

    Windows comes with a powerful intrusion detection tool, the netstat command, which you can use to check for trojans.

    Explanation of the netstat command:

    1. netstat -a: the -a switch shows all connections and listening ports, including the TCP or UDP ports used for local and remote system connections, the external connections on the local machine and the systems we are remotely connected to, as well as the status of the local and remote system connections. Using this parameter you can check whether the computer's system services are normal and determine whether the system has been infected with a trojan; if abnormal ports and services are found, they should be closed promptly.

    Hope the above information is helpful to you.

    Kirito | Microsoft Community Support Specialist

    1 person found this answer helpful.
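The netstat check suggested in the answer above, extended as an added example (editor's code, not part of the thread or of any Microsoft tooling): it lists every listening TCP socket and bound UDP endpoint together with the owning process, its binary and that binary's Authenticode status, and then shows what the scheduled task named in the question actually executes. It assumes Windows 10/11 and an elevated PowerShell 5.1 or later session; the task path is the one quoted in the question.

```powershell
# Added example, not from the thread. Enriches "netstat -a" with the owning
# process and its Authenticode status, then inspects the task the question names.
# Assumes Windows 10/11 and an elevated PowerShell 5.1+ session.
function Get-SignerInfo {
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return 'n/a' }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -eq 'Valid') { return "Valid: $($sig.SignerCertificate.Subject)" }
    return [string]$sig.Status
}

# 1. Listening TCP sockets and bound UDP endpoints, mapped to process, binary
#    and signer (what netstat -a -o shows, plus who signed the binary).
$endpoints = @(Get-NetTCPConnection -State Listen | ForEach-Object {
        [pscustomobject]@{ Proto = 'TCP'; Local = "$($_.LocalAddress):$($_.LocalPort)"; OwnerPid = $_.OwningProcess }
    }) + @(Get-NetUDPEndpoint | ForEach-Object {
        [pscustomobject]@{ Proto = 'UDP'; Local = "$($_.LocalAddress):$($_.LocalPort)"; OwnerPid = $_.OwningProcess }
    })

$endpoints | ForEach-Object {
    # Kernel-owned sockets (PID 4) have no image path, so $proc may be $null.
    $proc = Get-Process -Id $_.OwnerPid -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Proto   = $_.Proto
        Local   = $_.Local
        Pid     = $_.OwnerPid
        Process = if ($proc) { $proc.ProcessName } else { '?' }
        Path    = $proc.Path
        Signer  = Get-SignerInfo -Path $proc.Path
    }
} | Sort-Object Signer, Proto, Local | Format-Table -AutoSize

# 2. The task from the question: each action's executable (environment
#    variables expanded), its arguments for manual review, and its signer.
$task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\NetTrace\' `
                          -TaskName 'GatherNetworkInfo' -ErrorAction SilentlyContinue
if ($null -eq $task) {
    Write-Host 'GatherNetworkInfo task not present on this system.'
} else {
    foreach ($a in $task.Actions) {
        $exe = [Environment]::ExpandEnvironmentVariables($a.Execute).Trim('"')
        [pscustomobject]@{
            Execute   = $exe
            Arguments = $a.Arguments
            Signer    = Get-SignerInfo -Path $exe
        } | Format-List
    }
}
```

A status other than Valid on a file under System32 is not by itself proof of tampering, because many files Windows ships are covered by a catalog signature rather than an embedded one; confirm against a known-good copy of the file or with Sysinternals sigcheck before acting on it.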
  2. Anonymous
    2024-08-13T13:12:01+00:00

    I have a problem. I used autorun and Skyhigh (SWG) gave me this: BehavesLike.VBS.Backdoor.mp for gathernetworkinfo.vbs. I think it's just a false positive (even if it's not positive), it's just junk antivirus or something. What do you think?
