leofelix

[Backdoor.Celofot] Possible F.P


Hi All.

I've just scanned 3 computers of mine (laptop with Windows 7 Home Premium x64, desktop PC with Windows 7 Ultimate x86, Virtual PC with XP SP3) with MBAM database version 3896.

Backdoor.Celofot has been detected on all my computers, and only as a registry entry.

Log is attached in rar format.

I believe it is a false positive, since my computers are fully up to date, I practice safe surfing, my default browser is sandboxed and I never download from untrusted sources.

Windows 7 64-bit security software installed:
ESET NOD32 v4
PC Tools Firewall Plus 6
SpywareBlaster 4.2
WinPatrol 2010
on demand: a-squared Free and HitmanPro 3.5
Sandboxie 3.44

Windows 7 Ultimate 32-bit:
G Data AntiVirus 2010
PC Tools Firewall Plus 6
Prevx SafeOnline 3.0.5
WinPatrol 2010
on demand: a-squared Free and HitmanPro 3.5
Sandboxie 3.44

Virtual PC with XP SP3:
Avira Free 9.0
SpywareBlaster 4.2
a-squared Free
WinPatrol 2010
Sandboxie 3.44

I also just performed a full scan with the SAS online scanner, which found no malware on my Windows 7 x64.

I'm behind a router.

Thank you

mbam_log_2010_03_22__00_02_14_.rar


Can confirm...Looks like an FP :huh:

Malwarebytes' Anti-Malware 1.44
Database version: 3896
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

22/03/2010 9:30:00 AM
mbam-log-2010-03-22 (09-29-52).txt

Scan type: Quick Scan
Objects scanned: 121540
Time elapsed: 5 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\protect_ie (Backdoor.Celofot) -> No action taken. [01ADCD28415F739C15682220B794E819]

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

P.S. This is a separate snapshot from the one on which I am presently beta testing 1.45.


I have the same item on my Windows 7 pc and on my XP pc - both of which are fully up to date, and have Microsoft Security Essentials, SuperAntiSpyware and HitmanPro, none of which show any problems. I also am behind a router. Very similar to you, leofelix. I am just holding until I find out whether it is a false positive.


Hi guys. The same for me. I updated and then ran a quick scan, and backdoor.celofot appeared. Are you sure it is a false positive?


Glad to find this thread! I was about to enter "panic mode" since I occasionally use the laptop showing this apparent false positive for some secure stuff at work.

Same exact issue as described above. Use Firefox with noscript, MSSE as antivirus, and computer comes up otherwise completely clean. The only possible vector I would consider at all likely is that my wife sometimes uses this laptop. :huh:

Here's something else odd. . . when I went to go find the registry entry it was describing (prior to having MBAM delete it), it wasn't even actually there (unless it's somehow hidden or transient). So, it appears MBAM is possibly seeing a phantom registry value?

Best,

H

> [...] The only possible vector I would consider at all likely is that my wife sometimes uses this laptop.

What does she do with your laptop? :lol:

> What does she do with your laptop?

Hehe. . . nothing that should cause trouble. But you never know!

Guest SFdude
> Looks like the verdict is in...FP! ...but i ain't no Guru! (http://en.wikipedia.org/wiki/No_Guru,_No_Method,_No_Teacher)

:unsure:

@Tarnak:

My MBAM also just detected "backdoor.celofot" as a bad registry entry.
(Have XP SP2 fully patched, MBAM, NoScript and Firefox 3.5.8 running INSIDE Sandboxie.)

My question to you: you have 3 posts so far (in this thread) affirming that "...it's an FP". Your 3rd post absolutely declares about "backdoor.celofot": "looks like the verdict is in...FP!".

Can you illuminate the rest of us mortals why you say that? What, who and/or where does it state that it's an FP?

Thanks...


Can anyone from Malwarebytes confirm this being a FP? I have seen this on everything from XP (SP0, SP1, SP2 and SP3) and Vista (SP0, SP1 and SP2) to Windows 7, and in all flavors, 32- and 64-bit.


I have it in my results, so if it is confirmed as a FP, what do I do to restore it? Do I "ignore" it or untick it, or something else?

Guest SFdude
> This will be fixed in just a sec guys.

Thanks for your quick intervention, Nosirrah!

That's why MBAM and its community are tops! :unsure:


Well, I think this might have messed me up a bit...

Ironically, a few hours ago a malicious file made its way onto my desktop. Of course, I use Malwarebytes as a first resort, and it picks up the F.P. everyone is getting in this thread. I removed it.

What kind of damage have I done now?


I need to know 2 things.

After an update, is anyone still getting this?

Did this actually delete anything on anyone's system?

> Have you determined if this is a FP? Thanks.

Has this been resolved yet, or do I have the actual backdoor.celofot?

> Has this been resolved yet, or do I have the actual backdoor.celofot?

I scanned about 20 mins ago; was there a more recent update, Nosirrah?

> I need to know 2 things.
> After an update, is anyone still getting this?
> Did this actually delete anything on anyone's system?

See my post a few up from this.

Here's the log:

Memory Processes Infected:
C:\Users\*****\AppData\Local\Temp\svchsts.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchsts (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\protect_ie (Backdoor.Celofot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\*****\AppData\Local\Temp\svchsts.exe (Trojan.Agent) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\protect_ie (Backdoor.Celofot) -> Quarantined and deleted successfully.

@Jetstar that was the FP; the rest looks like malware.
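Two things in this thread are worth checking for yourself before letting a scanner delete a Run value: H's observation that the flagged protect_ie value could not be found in the registry, and Jetstar's log, where the protect_ie value was the false positive but the svchsts entries sitting next to it (a Run value pointing at an executable in a user's Temp folder) were real. The script below is an added example written for this page; it is not code from the thread, from Malwarebytes, or from any poster. It lists every value in the HKLM and HKCU Run/RunOnce keys in both the 64-bit and the 32-bit (Wow6432Node) registry views, reports whether a value with the name from the scan log exists anywhere, extracts the program each value would launch, and flags entries whose target file is missing or lives under a Temp folder. The default value name protect_ie is taken from the logs above; the function name and the flagging rules are my own choices. One caveat the script is built around: on 64-bit Windows a 32-bit process that opens HKLM\SOFTWARE without asking for the 64-bit view is redirected to Wow6432Node, so a 32-bit tool and the 64-bit regedit can show different contents under the same key path. Whether that explains H's missing value is not something the thread establishes; the script simply shows both views so you can see.

```powershell
# Added example (not code from the thread or from Malwarebytes).
# Enumerates the autostart Run/RunOnce keys in both registry views and
# reports whether a value with the name from the scan log exists, what it
# launches, and whether that file is present. The default 'protect_ie' is
# the value name reported in the logs above; the rest is illustrative.
param(
    [string]$ValueName = 'protect_ie'
)

# PROCESSOR_ARCHITEW6432 is only set for a 32-bit process on 64-bit Windows.
# Such a process sees HKLM:\SOFTWARE redirected to Wow6432Node, which defeats
# the point of listing both views, so ask for the 64-bit PowerShell instead.
if ($env:PROCESSOR_ARCHITEW6432) {
    Write-Warning "Running under WOW64: HKLM:\SOFTWARE is redirected for this process. Use the 64-bit PowerShell."
}

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-CommandExecutable {
    # Extract the program path from a Run command line, e.g.
    #   "C:\Program Files\Foo\foo.exe" /silent   or   C:\Tools\bar.exe -x
    param([string]$Command)
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    # Unquoted path, possibly containing spaces: stop at the first known extension
    if ($cmd -match '^(.*?\.(exe|dll|scr|cmd|bat|vbs))(\s|$)') { return $Matches[1] }
    return ($cmd -split '\s+')[0]
}

$found = $false
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $item = Get-Item -LiteralPath $key
    foreach ($name in $item.GetValueNames()) {
        $data = [string]$item.GetValue($name)
        $exe  = Get-CommandExecutable $data
        if ($exe -and $exe -notmatch '\\') {
            # Bare program name (e.g. rundll32.exe): resolve it through PATH
            $resolved = @(Get-Command $exe -ErrorAction SilentlyContinue)
            if ($resolved.Count -gt 0) { $exe = $resolved[0].Path }
        }
        $exists = $false
        if ($exe) { $exists = Test-Path -LiteralPath $exe }

        $note = ''
        if ($name -ieq $ValueName) {
            $note  = '  <== name from the scan log'
            $found = $true
        }
        elseif (-not $exists) {
            $note = '  (target file not found)'
        }
        elseif ($exe -match '\\Temp\\') {
            $note = '  (launches from a Temp folder; unusual for legitimate software)'
        }
        '{0}\{1} = {2}{3}' -f $key, $name, $data, $note
    }
}
if (-not $found) {
    "No value named '$ValueName' exists in any Run/RunOnce key, in either registry view."
}
```

Save it as, say, Check-RunKeys.ps1 and run it from an elevated 64-bit PowerShell (on Windows XP of this era PowerShell was a separate download, so use the 64-bit regedit there and look at both Run keys by hand). Run it while the scan log still says "No action taken", as in Tarnak's log above; once a line reads "Quarantined and deleted successfully" the value is gone from the live registry and the script will correctly report it as absent. In Jetstar's log the two svchsts entries would show up under HKCU with a Temp-folder flag, which is the kind of signal that separates a real autostart from a detection you are only taking on the scanner's word.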
