Windows_update.exe (Backdoor.Bot)



Hi Guys,

Can someone tell me if this "Backdoor.Bot" in the following scan report is a true or false positive? I already deleted it. How can I retrieve it from quarantine?

Malwarebytes' Anti-Malware 1.34
Database version: 1882
Windows 5.1.2600 Service Pack 3

3/21/2009 08:30:50
mbam-log-2009-03-21 (08-30-31).txt

Scan type: Quick Scan
Objects scanned: 71555
Time elapsed: 5 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\Windows_update.exe (Backdoor.Bot) -> No action taken.

Thanks In Advance!

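An added example (not part of this thread, and not Malwarebytes' own code) that parses the MBAM 1.x log format quoted in the post above and pulls out the detections the scan left in place ("No action taken"), which is the piece of the report worth triaging before deciding what to do with quarantine. The log text is a constructed, abridged copy of the one posted.

```python
import re

# Constructed excerpt shaped like the MBAM 1.x log quoted in the post
# (abridged: the real log lists every category in both blocks).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.34
Database version: 1882
Windows 5.1.2600 Service Pack 3
3/21/2009 08:30:50
mbam-log-2009-03-21 (08-30-31).txt

Scan type: Quick Scan
Objects scanned: 71555
Time elapsed: 5 minute(s), 23 second(s)

Memory Processes Infected: 0
Registry Keys Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\Windows_update.exe (Backdoor.Bot) -> No action taken.
"""

# "<category> Infected: <n>" lines form the summary block near the top.
SUMMARY_RE = re.compile(r"^(?P<category>[A-Za-z ]+ Infected): (?P<count>\d+)$")
# "<path> (<detection name>) -> <action>." lines list each finding.
DETECTION_RE = re.compile(r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return (summary_counts, detections) parsed from an MBAM 1.x scan log."""
    summary, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group("category")] = int(m.group("count"))
            continue
        if line.endswith(" Infected:"):  # start of a per-category detail block
            section = line[:-1]
            continue
        if section is None or line == "(No malicious items detected)":
            continue
        m = DETECTION_RE.match(line)
        if m:
            detections.append({"section": section, **m.groupdict()})
    return summary, detections


def pending_actions(text):
    """Detections the scan reported but did not remove ("No action taken")."""
    _, detections = parse_mbam_log(text)
    return [d for d in detections if d["action"] == "No action taken"]
```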

You should probably leave it in quarantine until you get a reply back from one of the developers. However, they really need a dev log in order to be able to tell why it was flagged.

If you are comfortable with temporarily restoring it (from what I've found on Google it is probably malware, so it is possible restoring it may be a bad idea), you should be able to restore it from quarantine and then run a developer mode scan with MBAM by following these steps:

1. Click the Start Menu.

2. Click Run.

3. Type in "mbam.exe /developer", without the quotes.

4. Run the same type of scan you did before and save the logfile and post it.

This scan should find it again and then remove it. Leave it in quarantine until you hear back from the developers.

Also, if the .exe file is small enough you may want to upload it to http://www.virustotal.com/. They will scan it with 39 different antivirus scanners so you can get an idea of whether it is likely to be an FP or not.


I'm not an expert by any means, but I can't really see this being a legit file. If you google the file, it only comes up with reports of it being malware.

It seems nothing was detected on your last log. For the devs to really be able to tell if it's an FP or not, you need the dev log to catch the infection, i.e. you would have to go to your quarantine, select 'Windows_update.exe' and restore it, THEN run a developer log. It will look similar to your first log with a big string of numbers on the end of the infection.

PLEASE BE AWARE that if the file IS malware (which I suspect it is) you may end up worse off if you restore it, as you are effectively re-infecting yourself so that MBAM can catch it again. I recommend you leave it in quarantine and only restore it if one of the developers asks you to.

As for your other question, I'm pretty sure that when MBAM discovers some malware (it's been ages since I've had an infection and I can't remember exactly what happens) it will give you the option to remove it. When you hit this it should send it to quarantine, while deleting it from its old location.

When malware is in quarantine it is encoded in such a way that it cannot execute or load. It's merely an encrypted version of the file so that if you need to restore it, you can. There's no real need to delete it from quarantine, as it's perfectly safe once it's there.
