Evedia Posted May 24, 2009 ID:82966

Scan came up with this tonight. A few searches point to tdss but I see no other symptoms of that so far.

Malwarebytes' Anti-Malware 1.36
Database version: 2173
Windows 5.1.2600 Service Pack 3

5/23/2009 11:42:32 PM
mbam-log-2009-05-23 (23-42-29).txt

Scan type: Quick Scan
Objects scanned: 81498
Time elapsed: 1 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (Backdoor.Bot) -> No action taken. [38575351343041443858644548363445644634364142473861524839535634513861467468838084807185615674796980888401475361368683837079855570838474807961537083787479667701527083877083614279848566777761524839535634513861467468838084807185615674796980888461368683837079855570838474807961518679]

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

exile360 Posted May 24, 2009 ID:82970

I just had the same detection (same database version as well) on XP Home SP3. I did a thorough check for rootkits, none present so I do believe this is a false positive. I'm sure it'll be fixed as soon as one of the developers sees this post.

Amethyst Posted May 24, 2009 ID:82973

I've got 2 XP SP (one Media Center Edition and the other one XP Pro) machines showing the same scan result. I'll paste the results here next post.

mona7865 Posted May 24, 2009 ID:82975

Same here:

Malwarebytes' Anti-Malware 1.37 (final beta 2)
Database version: 2173
Windows 5.1.2600 Service Pack 3

24/05/2009 8:17:37
mbam-log-2009-05-24 (08-17-29).txt

Scan type: Quick Scan
Objects scanned: 94691
Time elapsed: 5 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (Backdoor.Bot) -> No action taken. [38575351343041443858644548363445644634364142473861524839535634513861467468838084807185615674796980888401475361368683837079855570838474807961537083787479667701527083877083614279848566777761524839535634513861467468838084807185615674796980888461368683837079855570838474807961518679]

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Amethyst Posted May 24, 2009 ID:82977

OK, here's the developer's log from the XP Pro laptop:

Malwarebytes' Anti-Malware 1.36
Database version: 2173
Windows 5.1.2600 Service Pack 2

5/24/2009 12:27:19 AM
mbam-log-2009-05-24 (00-26-49).txt

Scan type: Quick Scan
Objects scanned: 95019
Time elapsed: 8 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (Backdoor.Bot) -> No action taken. [38575351343041443858644548363445644634364142473861524839535634513861467468838084807185615674796980888401475361368683837079855570838474807961537083787479667701527083877083614279848566777761524839535634513861467468838084807185615674796980888461368683837079855570838474807961518679]

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

TeMerc (Staff) Posted May 24, 2009 ID:82982

Fixed

ceomag Posted May 24, 2009 ID:82984

My scan with Malwarebytes' Anti-Malware 1.36 also picked up Backdoor.bot. I really hope this is a false positive. I've quarantined it and I'll wait for some response. In the meantime, here's my log:

Malwarebytes' Anti-Malware 1.36
Database version: 2173
Windows 5.1.2600 Service Pack 3

5/24/2009 3:37:44 AM
mbam-log-2009-05-24 (03-37-44).txt

Scan type: Quick Scan
Objects scanned: 93113
Time elapsed: 7 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I've been running scans every two or three days (last full scan was 3 days ago) and haven't picked up anything in months, although I did have a problem in December.

kironvarma Posted May 24, 2009 ID:82986

Hi,

I did an update of Malware today and after a scan I received the following as part of the log:

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (Backdoor.Bot) -> No action taken.

Should I remove this or is it a FP?

kironvarma Posted May 24, 2009 ID:82987

Adding my log

exile360 Posted May 24, 2009 ID:82988

Greetings. It's an FP and has been corrected (update again and do a quick scan).

ceomag Posted May 24, 2009 ID:82989

Okay, I restored the identified problem from quarantine, updated and rescanned with Malwarebytes' Anti-Malware 1.37 and it's not picking up a problem. Must have been a false positive -- thanks for the quick work.

But I am going to have to get out of the habit of scanning at 4:00 AM (US EDT). Now I need to unwind before I'll get to sleep!

mona7865 Posted May 24, 2009 ID:82990

Extremely quick fix with database version 2174:

Malwarebytes' Anti-Malware 1.37
Database version: 2174
Windows 5.1.2600 Service Pack 3

24/05/2009 10:12:46
mbam-log-2009-05-24 (10-12-46).txt

Scan type: Quick Scan
Objects scanned: 94760
Time elapsed: 5 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Thank you.

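Added example, not part of any post in this thread and not Malwarebytes' own tooling: a Python script that parses logs in the format pasted above and groups identical detections by database version across machines, which is the pattern the posters relied on to recognise this false positive. The host names and sample logs are constructed, and `parse_log` and `shared_detections` are hypothetical helper names.

```python
import re
from collections import defaultdict

# One detection line in the MBAM 1.3x text log format quoted in this thread:
#   <item> (<detection name>) -> <action>.
DETECTION = re.compile(r"^(?P<item>.+?) \((?P<name>[\w.\-]+)\) -> (?P<action>[^.\[]+)\.")
DB_VERSION = re.compile(r"^Database version: (\d+)$")

def parse_log(text):
    """Return (database_version, [(item, detection_name, action), ...])."""
    db, hits = None, []
    for line in map(str.strip, text.splitlines()):
        if m := DB_VERSION.match(line):
            db = int(m.group(1))
        elif m := DETECTION.match(line):
            hits.append((m["item"], m["name"], m["action"].strip()))
    return db, hits

def shared_detections(logs, min_hosts=3):
    """Map (db_version, item, name) -> hosts, for detections seen on >= min_hosts.

    The same item flagged under the same database version on several unrelated
    machines is a cue to hold removal and check for a signature false positive.
    """
    seen = defaultdict(set)
    for host, text in logs.items():
        db, hits = parse_log(text)
        for item, name, _action in hits:
            seen[(db, item, name)].add(host)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_hosts}

# Constructed sample logs (hypothetical host names), trimmed to the relevant lines.
KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
       r"\Terminal Server\Install\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")

def sample(db, action=None):
    body = f"{KEY} (Backdoor.Bot) -> {action}." if action else "(No malicious items detected)"
    return f"Database version: {db}\nScan type: Quick Scan\nRegistry Keys Infected:\n{body}\n"

LOGS = {
    "host-a": sample(2173, "No action taken"),
    "host-b": sample(2173, "No action taken"),
    "host-c": sample(2173, "Quarantined and deleted successfully"),
    "host-d": sample(2174),  # rescanned after the database update
}

if __name__ == "__main__":
    for (db, item, name), hosts in shared_detections(LOGS).items():
        print(f"db {db}: {name} on {len(hosts)} hosts -> {item}")
```
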
kironvarma Posted May 24, 2009 ID:82993

Thanks for the past response

exile360 Posted May 24, 2009 ID:82994

Yeah, I believe Nosirrah, one of the developers, saw this thread and promptly corrected it. Those guys are really quick.

IDamian Posted May 24, 2009 ID:83016

Sorry, being a newbie I have one minor question. I have XP SP2 and did find the backdoor issue on a FULL scan. Your instructions, which I am following, are to update, which I did, but then do a quick scan (after restoring from quarantine, which I did). My question is: since I have to assume that a quick scan will be less extensive than a complete scan (otherwise why the name change for the scan), isn't it possible a quick scan might miss what a full scan picked up?

exile360 Posted May 24, 2009 ID:83019

Greetings. This question actually comes up quite often. The truth is, the way the quick scan is designed it should be able to detect all the malware that MBAM possibly can, thus making the full scan option largely unnecessary. The only cases I could think of where a full scan might be useful is if you had other hard drives that might have gotten infected by something.

In this particular case, since the entry was in the registry either scan type would find it because part of the quick scan is to scan the keys where malware is known to show up in the registry, that's why most of the posters here (including myself) got this false positive doing only a quick scan.

IDamian Posted May 24, 2009 ID:83022

WOW, YOU GUYS ARE GREAT; Thank you so much for such a fast reply. I will now turn my full scan off (after getting no hits on the quick scan) and get some good sound sleep, finally. THANK YOU MUCHLY

exile360 Posted May 24, 2009 ID:83023

You're very welcome, sleep well.

Amethyst Posted May 24, 2009 ID:83026

Quote: "But I am going to have to get out of the habit of scanning at 4:00 AM (US EDT). Now I need to unwind before I'll get to sleep!"

I know what you mean! I scan the desktop PC daily at the end of the day after everyone in the family has stopped using it for the day...and hence I was up a couple of hours later than I intended to be last night.

The first thing I do if Malwarebytes finds something now is take a deep breath and check this forum. I'm glad people were posting about this right away and I am amazed at how quickly Malwarebytes developers deal with the FP's, so a big thank you goes to them, too.

Evedia (Author) Posted May 24, 2009 ID:83032

Thanks for the ultra quick response

Onikirimaru Posted May 24, 2009 ID:83038

Okay...I may have a problem. I got this false positive and then promptly deleted it from quarantine. Yes, I now realize that was really stupid, but in my defense I was half asleep at the time. Is having deleted this going to cause any problems with my PC?

Amethyst Posted May 24, 2009 ID:83088

Quote: "Okay...I may have a problem. I got this false positive and then promptly deleted it from quarantine. Yes, I now realize that was really stupid, but in my defense I was half asleep at the time. Is having deleted this going to cause any problems with my PC?"

I'm not an expert, so I can't tell you if having this registry key missing will cause problems or not. However, you should be able to restore your registry to a point prior to this key being quarantined by running System Restore. There are instructions here: http://support.microsoft.com/kb/322756

Near the end of the page is the part to "restore the registry" for both XP and Vista. I use XP, and rather than use the Start-Run thing, I would just go to Start-All Programs-Accessories-System Tools-System Restore (because to me that looks easier).

When it's done, you can check the registry and see if the key has been restored. Hope that helps.

Onikirimaru Posted May 26, 2009 ID:83611

Well, I tried the system restore, but it didn't work. After the restart a message came up saying something like "The system restore failed. No changes were made." And the registry is still missing whatever it was I deleted. However, my computer doesn't seem to be malfunctioning in any way, so maybe it doesn't matter. Anyhoo, thanks for the advice Amethyst!

miekiemoes (Staff) Posted May 26, 2009 ID:83629

Onikirimaru, please don't worry, this key will recreate automatically again if needed

Onikirimaru Posted May 26, 2009 ID:83677

Quote: "Onikirimaru, please don't worry, this key will recreate automatically again if needed"

I...did not know that. That is a relief. Thanks!