Luxio Posted October 25, 2010 ID:333392

Hi -
Today, I scanned my pc with mbam. It detected conime.exe as infected:
C:\WINDOWS\system32\conime.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
Not sure if it is really infected or it is an infection, though.
Here is the log, if needed:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4940

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

10/25/2010 2:36:14 PM
mbam-log-2010-10-25 (14-36-14).txt

Scan type: Quick scan
Objects scanned: 181941
Time elapsed: 11 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conime.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\conime.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
nosirrah Posted October 25, 2010 ID:333437

Our testing would have picked this up if it were a FP so there may be something else going on here. Please zip and attach a copy of conime.exe to your next post.
Luxio Posted October 26, 2010 Author ID:333952

Hello nosirrah,
I didn't know where to find the copy, so I restored the file from the quarantine, copied it to my desktop by renaming it to .old before zipping. Hope I was doing it right.
When I scanned the selected file (c:\windows\system32\conime.exe) with mbam again, it wasn't detected as infected. I then ran a quick scan on the system (while the restored conime.exe was still onboard), and again no detection. Kinda odd? Anyway, herein I attach the zipped conime.exe.old for your attention. Let me know if you need anything else. Btw, is it safe to leave the restored conime.exe under the system32 folder there? (I've renamed it to .old too now.)

conime.exe.zip
nosirrah Posted October 26, 2010 ID:333957

This file is clean, are you still getting this detection?
If you are please get us a developer's scan log:
http://forums.malwarebytes.org/index.php?showtopic=3228
Luxio Posted October 27, 2010 Author ID:334603

----------------------
This file is clean, are you still getting this detection?
If you are please get us a developer's scan log:
http://forums.malwarebytes.org/index.php?showtopic=3228
----------------------

Running the scan with "mbam.exe /developer" does not detect the file as infected. Even a usual scan now doesn't either. Any idea?
nosirrah Posted October 27, 2010 ID:334660

If there is nothing detected I don't have anything to investigate.
Luxio Posted October 28, 2010 Author ID:335230

Hi Bruce,
Out of curiosity, this morning, I restored the registry key (which I didn't restore in the earlier scan) then ran a scan with the " /developer", and mbam again detected the file and the registry key.
I post the log here and attach the file conime.old.zip.
Btw, once I restored the file and renamed it to .old, it seems to me that the file regenerates itself with the original name conime.exe, some kind of WFP restore?

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4940

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

10/28/2010 9:51:01 AM
mbam-log-2010-10-28 (09-51-01).txt

Scan type: Quick scan
Objects scanned: 181669
Time elapsed: 11 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conime.exe (Backdoor.Bot) -> Quarantined and deleted successfully. [F6B3EC9599FB162A3600CDFC105E118B]

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\conime.exe (Backdoor.Bot) -> Quarantined and deleted successfully. [F6B3EC9599FB162A3600CDFC105E118B]

Anything else you need?

conime.zip
nosirrah Posted October 28, 2010 ID:335495

conime.exe <- is there any reason you would have this set to run every boot?
Luxio Posted November 1, 2010 Author ID:337822

Hi Bruce,
Sorry for the late reply. I was having quite a busy weekend.

----------------------
conime.exe <- is there any reason you would have this set to run every boot?
----------------------

I don't remember setting it to run every boot. In fact, I do not know how to set it to.
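The question above (why a system32 binary is listed under the Run key) is the triage step a defender repeats on any such detection. The script below is an added example, not code from the thread or from Malwarebytes: it walks the HKLM/HKCU Run and RunOnce values, resolves each command to a file the way the shell would, hashes it, and checks its Authenticode status, flagging system32 targets that are not validly signed. It assumes PowerShell 4 or later (Get-FileHash); the thread's Windows XP box would need sigcheck or sfc /verifyfile instead.

```powershell
# Added example: inventory autorun values and verify what they point at.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Resolve-RunTarget {
    param([string]$Command)
    # Strip surrounding quotes or trailing arguments to isolate the executable path.
    $cmd = $Command.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { $cmd = $cmd.Substring(1, $end - 1) }
    } else {
        $cmd = ($cmd -split '\s+')[0]
    }
    $expanded = [Environment]::ExpandEnvironmentVariables($cmd)
    # A bare name such as "conime.exe" is found through PATH, exactly as the shell would do.
    if (-not [IO.Path]::IsPathRooted($expanded)) {
        $hit = Get-Command $expanded -ErrorAction SilentlyContinue | Select-Object -First 1
        if ($hit) { $expanded = $hit.Path }
    }
    return $expanded
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath and friends
        $target = Resolve-RunTarget $p.Value
        $exists = Test-Path -LiteralPath $target -PathType Leaf
        # Get-AuthenticodeSignature also consults the OS signing catalogs on Windows 8+,
        # so genuine Windows binaries report 'Valid' even without an embedded signature.
        $sig  = if ($exists) { (Get-AuthenticodeSignature -FilePath $target).Status } else { 'MISSING' }
        $hash = if ($exists) { (Get-FileHash -Algorithm SHA256 -LiteralPath $target).Hash } else { '' }
        # A system32 target that is missing or not validly signed deserves a second look;
        # so does any OS binary that the OS itself never starts from the Run key.
        $flag = if ($target -like "$env:SystemRoot\system32\*" -and $sig -ne 'Valid') { 'REVIEW' } else { '' }
        [PSCustomObject]@{
            Key = $key; Name = $p.Name; Target = $target
            Signed = $sig; SHA256 = $hash; Flag = $flag
        }
    }
}
```

Compare the SHA256 column against a known-good copy of the same file (or a vendor lookup) before deciding a hit is a false positive; the bracketed MD5 that mbam prints in its log serves the same purpose.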
nosirrah Posted November 5, 2010 ID:339957

We have located some evidence that this can sometimes be a legit boot process so leaving things as is should be fine.
The detection should also no longer be taking place.
Luxio Posted November 8, 2010 Author ID:341457

Thank you for the confirmation, Bruce.