
[Backdoor.Celofot] Possible F.P


leofelix


Hi All.

I've just scanned 3 computers of mine (Laptop with Windows 7 Home Premium x64 - Desktop PC with Windows 7 Ultimate x86 - Virtual PC with XP SP3) with MBAM database version 3896.

Backdoor.Celofot has been detected in all my computers and only as a registry entry.

Log is attached in rar format.

I believe it is a false positive, since my computers are fully up to date, I practice safe surfing, my default browser is sandboxed and I never download from untrusted sources.

Windows 7 64 bit security software installed:

ESET NOD 32 v 4

PC Tools Firewall Plus 6

SpywareBlaster 4.2

WinPatrol 2010

on demand a-squared free and HitMan Pro 3.5

Sandboxie 3.44

Windows 7 Ultimate 32 bit

GData antivirus 2010

PC Tools Firewall Plus 6

PREVX Safe OnLine 3.0.5

WinPatrol 2010

on demand a-squared free and HitMan Pro 3.5

Sandboxie 3.44

Virtual PC with XP SP 3

avira free 9.0

spywareblaster 4.2

a-squared free

WinPatrol 2010

Sandboxie 3.44

I also just performed a full scan with the SAS online scanner, which found no malware on my Windows 7 x64.

I'm behind a router.

Thank you

mbam_log_2010_03_22__00_02_14_.rar


Can confirm...Looks like an FP :huh:

Malwarebytes' Anti-Malware 1.44

Database version: 3896

Windows 5.1.2600 Service Pack 2

Internet Explorer 6.0.2900.2180

22/03/2010 9:30:00 AM

mbam-log-2010-03-22 (09-29-52).txt

Scan type: Quick Scan

Objects scanned: 121540

Time elapsed: 5 minute(s), 15 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\protect_ie (Backdoor.Celofot) -> No action taken. [01ADCD28415F739C15682220B794E819]

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

P.S. This is a separate snapshot from the one on which I am presently beta testing 1.45.

I have the same item on my Windows 7 pc and on my XP pc - both of which are fully up to date, and have Microsoft Security Essentials, SuperAntiSpyware and HitmanPro, none of which show any problems. I also am behind a router. Very similar to you, leofelix. I am just holding until I find out whether it is a false positive.


Glad to find this thread! I was about to enter "panic mode" since I occasionally use the laptop showing this apparent false positive for some secure stuff at work.

Same exact issue as described above. Use Firefox with noscript, MSSE as antivirus, and computer comes up otherwise completely clean. The only possible vector I would consider at all likely is that my wife sometimes uses this laptop. :huh:

Here's something else odd... when I went to find the registry entry it was describing (prior to having MBAM delete it), it wasn't actually there (unless it's somehow hidden or transient). So, it appears MBAM is possibly seeing a phantom registry value?

Best,

H


What does she do with your laptop? :lol:

Guest SFdude
Looks like the verdict is in...FP! ...but i ain't no Guru! > http://en.wikipedia.org/wiki/No_Guru,_No_Method,_No_Teacher

:unsure:

@Tarnak:

My MBAM also just detected

"backdoor.celofot" as a bad registry entry.

(Have XP SP2 fully patched,

MBAM, NoScript

and Firefox 3.5.8 running INSIDE Sandboxie).

My Question to you...

You have 3 posts so far (in this thread),

affirming that:

"...it's an FP".

Your 3rd post absolutely declares about "backdoor.celofot":

"looks like the verdict is in...FP!".

Can you illuminate the rest of us mortals why you say that?

What, who and/or where does it state that it's an FP?

Thanks...


Well, I think this might have messed me up a bit...

Ironically, a few hours ago a malicious file made its way onto my desktop. Of course, I use Malwarebytes as a first resort and it picks up the F.P. everyone is getting in this thread. I removed it.

What kind of damage have I done now?

I need to know 2 things.

After an update, is anyone still getting this?

Did this actually delete anything on anyone's system?

See my post a few up from this.

Here's the log:

Memory Processes Infected:

C:\Users\*****\AppData\Local\Temp\svchsts.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchsts (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\protect_ie (Backdoor.Celofot) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Users\*****\AppData\Local\Temp\svchsts.exe (Trojan.Agent) -> Quarantined and deleted successfully.
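Jetstar's log mixes the Backdoor.Celofot false positive with three genuine Trojan.Agent detections, which is exactly the case where a blanket "it's an FP, ignore it" reading goes wrong. As an added example (not from the thread or from Malwarebytes), here is a small parser for the per-section MBAM log layout shown in these posts that turns each detection line into a record and separates a known false positive (matched on detection name plus the exact registry item) from everything else; the sample input is Jetstar's log reproduced from above, username masked as in the thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
# One MBAM detection line: "<item> (<Name>) -> <action>. [<hash>]"; the hash is optional.
DETECTION_RE = re.compile(
    r"^(?P<item>.+?) \((?P<name>[^()]+)\) -> (?P<action>[^\[]+?)\.?(?: \[(?P<hash>[0-9A-Fa-f]+)\])?$"
)
@dataclass
class Detection:
    section: str        # e.g. "Registry Values Infected"
    item: str           # registry value, file path or process
    name: str           # detection name, e.g. "Backdoor.Celofot"
    action: str         # what MBAM did, e.g. "Quarantined and deleted successfully"
    hash: Optional[str] # trailing hex id, present on "No action taken" lines

# (name, item) pairs the thread established as false positives.
KNOWN_FP = {("Backdoor.Celofot",
             r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\protect_ie")}

def parse_mbam_log(text: str) -> List[Detection]:
    # Walk the per-section part of the log; "(No malicious items detected)" lines never match.
    section, found = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("Infected:"):          # section header such as "Files Infected:"
            section = line[:-1]
        elif section and (m := DETECTION_RE.match(line)):
            found.append(Detection(section, m["item"], m["name"], m["action"].strip(), m["hash"]))
    return found

def triage(dets: List[Detection]) -> Tuple[List[Detection], List[Detection]]:
    # Split into (known false positives, everything else that still needs a look).
    fp = [d for d in dets if (d.name, d.item) in KNOWN_FP]
    return fp, [d for d in dets if (d.name, d.item) not in KNOWN_FP]

# Sample input: the log lines Jetstar posted above, with the username masked as in the thread.
SAMPLE_LOG = r"""
Memory Processes Infected:
C:\Users\*****\AppData\Local\Temp\svchsts.exe (Trojan.Agent) -> Unloaded process successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchsts (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\protect_ie (Backdoor.Celofot) -> Quarantined and deleted successfully.
Files Infected:
C:\Users\*****\AppData\Local\Temp\svchsts.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""
if __name__ == "__main__":
    fp, real = triage(parse_mbam_log(SAMPLE_LOG))
    print("known false positives:", [d.item for d in fp])
    print("still needs attention:", [(d.section, d.item) for d in real])
```

Matching on the exact (name, item) pair rather than on the detection name alone keeps a different Backdoor.Celofot hit, say on another Run value, from being waved through as the known FP.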

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\protect_ie (Backdoor.Celofot) -> Quarantined and deleted successfully.

@Jetstar, that was the FP; the rest looks like malware.
