Jump to content

backdoor.bot


Evedia

Recommended Posts

Scan came up with this tonight. A few searches point to tdss but I see no other symptoms of that so far.

Malwarebytes' Anti-Malware 1.36

Database version: 2173

Windows 5.1.2600 Service Pack 3

5/23/2009 11:42:32 PM

mbam-log-2009-05-23 (23-42-29).txt

Scan type: Quick Scan

Objects scanned: 81498

Time elapsed: 1 minute(s), 54 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (Backdoor.Bot) -> No action taken. [3857535134304144385864454836344564463436414247386152483953563451386146746883808

48071856156747969808884014753613686838370798555708384748079615370837874796677015

2

70838770836142798485667777615248395356345138614674688380848071856156747969808884

6

1368683837079855570838474807961518679]

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Link to post
Share on other sites

I just had the same detection (same database version as well) on XP Home SP3. I did a thorough check for rootkits, none present so I do believe this is a false positive. I'm sure it'll be fixed as soon as one of the developers sees this post ;) .

Link to post
Share on other sites

Same here: ;)

Malwarebytes' Anti-Malware 1.37 (final beta 2)

Database version: 2173

Windows 5.1.2600 Service Pack 3

24/05/2009 8:17:37

mbam-log-2009-05-24 (08-17-29).txt

Scan type: Quick Scan

Objects scanned: 94691

Time elapsed: 5 minute(s), 35 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (Backdoor.Bot) -> No action taken. [3857535134304144385864454836344564463436414247386152483953563451386146746883808

48071856156747969808884014753613686838370798555708384748079615370837874796677015

2

70838770836142798485667777615248395356345138614674688380848071856156747969808884

6

1368683837079855570838474807961518679]

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Link to post
Share on other sites

OK, here's the developer's log from the XP Pro laptop:

Malwarebytes' Anti-Malware 1.36

Database version: 2173

Windows 5.1.2600 Service Pack 2

5/24/2009 12:27:19 AM

mbam-log-2009-05-24 (00-26-49).txt

Scan type: Quick Scan

Objects scanned: 95019

Time elapsed: 8 minute(s), 14 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (Backdoor.Bot) -> No action taken. [3857535134304144385864454836344564463436414247386152483953563451386146746883808

48071856156747969808884014753613686838370798555708384748079615370837874796677015

2

70838770836142798485667777615248395356345138614674688380848071856156747969808884

6

1368683837079855570838474807961518679]

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Link to post
Share on other sites

My scan with Malwarebytes' Anti-Malware 1.36 also picked up Backdoor.bot. I really hope this is a false positive. I've quarantined it and I'll wait for some response. In the meantime, here's my log:

Malwarebytes' Anti-Malware 1.36Database version: 2173Windows 5.1.2600 Service Pack 3
5/24/2009 3:37:44 AMmbam-log-2009-05-24 (03-37-44).txt
Scan type: Quick ScanObjects scanned: 93113Time elapsed: 7 minute(s), 29 second(s)
Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 1Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0
Memory Processes Infected:(No malicious items detected)
Memory Modules Infected:(No malicious items detected)
Registry Keys Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (Backdoor.Bot) -> Quarantined and deleted successfully.
Registry Values Infected:(No malicious items detected)
Registry Data Items Infected:(No malicious items detected)
Folders Infected:(No malicious items detected)
Files Infected:(No malicious items detected)

I've been running scans every two or three days (last full scan was 3 days ago) and haven't picked up anything in months, although I did have a problem in December.

Link to post
Share on other sites

Hi,

I did an updated of Malware today and after a scan i received the following as part of log

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (Backdoor.Bot) -> No action taken.

Should i remove this or is it a FP?

Link to post
Share on other sites

Okay, I restored the identified problem from quarantine, updated and rescanned with Malwarebytes' Anti-Malware 1.37 and it's not picking up a problem. Must have been a false positive -- thanks for the quick work.

But I am going to have to get out of the habit of scanning at 4:00 AM (US EDT). Now I need to unwind before I'll get to sleep! ;)

Link to post
Share on other sites

Extremely quick fixed with database version 2174 :

Malwarebytes' Anti-Malware 1.37

Database version: 2174

Windows 5.1.2600 Service Pack 3

24/05/2009 10:12:46

mbam-log-2009-05-24 (10-12-46).txt

Scan type: Quick Scan

Objects scanned: 94760

Time elapsed: 5 minute(s), 29 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

;)

Thank you.

Link to post
Share on other sites

sorry, being a newbie I have one minor question. I have Xp Sp2 and did find the backdoor issue on a FULL scan. Your instructions, which I am following, are to update, which I did, but then do a quick scan(after restoring from quarantine, which I did). My question is since I have to assume that a quick scan will be less extensive than a complete scan (otherwise why the name change for the scan) isn't it possible a quick scan might miss what a full scan picked up?

Link to post
Share on other sites

Greetings ;) . This question actually comes up quite often. The truth is, the way the quick scan is designed it should be able to detect all the malware that MBAM possibly can thus making the full scan option largely unnecessary. The only cases I could think of where a full scan might be useful is if you had other hard drives that might have gotten infected by something. In this particular case, since the entry was in the registry either scan type would find it because part of the quick scan is to scan the keys where malware is known to show up in the registry, that's why most of the posters here (including myself) got this false positive doing only a quick scan ;) .

Link to post
Share on other sites

WOW, YOU GUYS ARE GREAT; Thank you so much for such a fast reply. I will now turn my full scan off (after getting no hits on the quick scan) and get some good sound sleep, finally. THANK YOU MUCHLY

Link to post
Share on other sites
But I am going to have to get out of the habit of scanning at 4:00 AM (US EDT). Now I need to unwind before I'll get to sleep! ;)

:) I know what you mean! I scan the desktop PC daily at the end of the day after everyone in the family has stopped using it for the day...and hence I was up a couple of hours later than I intended to be last night. ;)

The first thing I do if Malwarebytes finds something now is take a deep breath and check this forum. I'm glad people were posting about this right away and I am amazed at how quickly Malwarebytes developers deal with the FP's, so a big thank you goes to them, too. :D

Link to post
Share on other sites

Okay...I may have a problem. I got this false positive and then promptly deleted it from quarantine. Yes, I now realize that was really stupid, but in my defense I was half asleep at the time. Is having deleted this going to cause any problems with my PC?

Link to post
Share on other sites
Okay...I may have a problem. I got this false positive and then promptly deleted it from quarantine. Yes, I now realize that was really stupid, but in my defense I was half asleep at the time. Is having deleted this going to cause any problems with my PC?

I'm not an expert, so I can't tell you if having this registry key missing will cause problems or not. However, you should be able to restore your registry to a point prior to this key being quarantined by running System Restore. There are instructions here:

http://support.microsoft.com/kb/322756

Near the end of the page is the part to "restore the registry" for both XP and Vista. I use XP, and rather than use the Start-Run thing, I would just go to Start-All Programs-Accessories-System Tools-System Restore (because to me that looks easier ;))

When it's done, you can check the registry and see if the key has been restored.

Hope that helps. ;)

Link to post
Share on other sites

Well, I tried the system restore, but it didn't work. After the restart a message came up saying something like "The system restore failed. No changes were made." And the registry is still missing whatever it was I deleted. However, my computer doesn't seem to be malfunctioning in any way, so maybe it doesn't matter. Anyhoo, thanks for the advice Amethyst!

Link to post
Share on other sites

Archived

This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    No registered users viewing this page.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.