Backdoor.bot Infections on Database 5233


All,

We have had a rash of infections of Backdoor.bot items in Malwarebytes, nearly all of them showing up in C:\windows\system32. All of these seem to be from scans running Malwarebytes Database 5233. Is anyone experiencing this in their work places? I see that Database 5234 has already been released this afternoon. I am convinced that these are false positives because of the sheer number of infections all at the same time. Any thoughts out there?

Thanks in advance for your help.

-Ted


> We have had a rash of infections of Backdoor.bot items in Malwarebytes, nearly all of them showing up in C:\windows\system32. All of these seem to be from scans running Malwarebytes Database 5233. Is anyone experiencing this in their work places? I see that Database 5234 has already been released this afternoon. I am convinced that these are false positives because of the sheer number of infections all at the same time. Any thoughts out there?

I've had the same incident on one computer at work. It was running v1.45 with the 5223 database, and a scheduled scan showed 180 infections of "Backdoor.bot" items. I checked many of the supposedly infected files on Jotti.org and NONE gave any positive at all. Most of the files were in c:\windows\system32. I took no action, updated Malwarebytes to the latest version and database and ran the scan again: ZERO infections...


> I've had the same incident on one computer at work. It was running v1.45 with the 5223 database, and a scheduled scan showed 180 infections of "Backdoor.bot" items. I checked many of the supposedly infected files on Jotti.org and NONE gave any positive at all. Most of the files were in c:\windows\system32. I took no action, updated Malwarebytes to the latest version and database and ran the scan again: ZERO infections...

I meant database 5233. And sorry for the many typos :D


Just as an FYI, this issue royally messed us up today. We have had multiple people who got close to 150 "backdoor.bot" infections which Malwarebytes "fixed." This basically hosed the system files and the computers were rendered useless and all had to be repaired. This was definitely a case of false positives and the fallout is still continuing today. Thankfully, the update to Database 5234 has fixed this.


> Just as an FYI, this issue royally messed us up today. We have had multiple people who got close to 150 "backdoor.bot" infections which Malwarebytes "fixed." This basically hosed the system files and the computers were rendered useless and all had to be repaired. This was definitely a case of false positives and the fallout is still continuing today. Thankfully, the update to Database 5234 has fixed this.

I was lucky because I did not trust Malwarebytes and didn't let it "fix" the supposed "backdoor.bot" infected files. As I said, none of the ones I submitted to Jotti.org were detected as infected by any other antivirus, so I simply ignored the report, updated Malwarebytes to the latest program version and database, and did the scan again, which gave me no infected files at all. So I assumed it was a massive case of false positives, but I was still a little bit anxious about what happened... until I read your message.

I'm sorry you got messed up.


I've just had two reports of customers' PCs that have lost Windows system files this morning and are now unable to boot up. On one of them the user did see the results of last night's automatic Malwarebytes scan, and there were 253 backdoor.bot infections.

I now have two PCs which need the operating system restoring. :D:):lol:


Well, I'm sorry, but I was wrong with the database version again: it was 5232, with 1.45 engine. I still have a normal log, I don't know if it can be useful for you...

Just one more note: the thing that made me suspect it was a case of false positives was that one of the reported infected files was C:\Windows\Fonts\jsmalle.fon. AFAIK, it doesn't make sense that a .fon file could get infected by a virus, spyware or whatever...

Also, I have the option "Download and install program update if available" selected, but it seems it doesn't work since I still had v1.45 instead of v1.50. Any idea?


Hi ToniVC -

Please try a reinstall of the program with the method below - You do not state your O/S so I have listed both versions -

To Fully Remove and Reinstall a Fresh New Copy of Malwarebytes - Read Carefully

Windows XP:

  • Click on Start and select Control Panel
  • Open Add/Remove Programs
  • Uninstall Malwarebytes' Anti-Malware
  • Restart your computer (very important!)
  • Download and run mbam-clean.exe from ->Here

It will ask to restart your computer, please allow it to do so, very important

After the computer restarts, temporarily disable your Anti-Virus and install the latest version of Malwarebytes' Anti-Malware from ->Here

Windows Vista and Windows 7:

  • Click on the Start button and select Control Panel
  • Click on Programs and Features
  • Uninstall Malwarebytes' Anti-Malware
  • Restart your computer (very important!)
  • Download and run mbam-clean.exe from ->Here

It will ask to restart your computer, please allow it to do so, very important

After the computer restarts, temporarily disable your Anti-Virus and install the latest version of Malwarebytes' Anti-Malware from ->Here

Note: You will need to reactivate the program using the license you were sent via email if using the Paid version only

Launch the program and set the Protection and Registration. Then go to the UPDATE tab if not done during installation and check for updates.

Restart the computer again and verify that MBAM is in the task tray if using the Pro version. Now reset any file exclusions as may be required in your Anti-Virus/Internet-Security/Firewall applications and restart your Anti-Virus/Internet-Security applications.

You may use the guides posted in the FAQ's here or ask me and I'll explain how to do it.

Note : This is only a 5 min job , but if you want to keep old logs , please move them to Notepad prior to starting -

Thank You - :lol:


Hi Toni -

If you have a clean copy of the program and are happy with it , then there is no need to reinstall -

This was only posted because I thought you may have missed the update or part of it -

Always check the program is fully updated (I do a manual check every morning) -

(do you still have any problems now ??) -

Thanks for replying


Hi, all:

My daily morning scan flagged the following two instances of backdoor.bot:

Files Infected:

C:\WINDOWS\Temp\Perflib_Perfdata_1b8.dat (Backdoor.Bot) -> No action taken.

C:\WINDOWS\Temp\Perflib_Perfdata_23c.dat (Backdoor.Bot) -> No action taken.

It first appeared during this morning's scan (app. ver. = 1.46; db ver. = 5237). I update the db and quick-scan once daily. Yesterday, everything was clean (app. ver. = 1.46; db ver. = 5232).

As indicated in the scan-log excerpt above, Malwarebytes took no action, and not knowing what these files are, neither did I.

Googling the files earlier this morning, I see that Perflib_Perfdata_* (Performance Library - Performance Data) files are created either by the OS or by any program that has a system monitoring function. So they appear to be normal and "clean" files.

I run on XP Home SP3.

Good luck to all,

Ron


We had this problem with several clients' computers today.

Here is our solution.

If you are suffering from this issue with false positives for backdoor.bot, here is the solution.

1.> browse to the quarantined files and copy them to a usb stick in a folder called mbamfix

(on Windows 7 the files are typically located in C:\programdata\malwar~1\malwar~1\Quarantine )

2.> in this folder you will find files named to the following standard:

BACKUP.xxxxx (where xxxx is typically a 5 digit numerical code)

and there will be a corresponding file called:

QUAR1.xxxxx (where the xxxxx matches the corresponding BACKUP.xxxxx file)

3.> open the first BACKUP.xxxxx in notepad (you may need a working computer for this)

This file contains the original path to the file including the filename.

4.> copy the filename, and rename the corresponding QUAR1.xxxxx to the filename you have just copied.

5.> copy the full path to the filename (including the 3= at the start of it), and paste it into a new notepad window, then press enter to insert a new line.

6.> repeat the above process for each and every file (except paste the full path into the same new notepad window)

7.> once the files are renamed, you should have a notepad window full of paths with filenames, 1 to a line.

8.> using the notepad "replace" function, find 3=C and replace it with XCOPY "D:\

then, at the end of every line in the notepad document, add a trailing " (which must not have any spaces before it)

9.> save the notepad txt file to the same folder as the BACKUP.xxxxx and give it the name "repair.bat"

10.> boot your (broken) computer using the Windows 7 CD, and when the repair / restore screen comes up, select the "command prompt" option - if it only offers repair / restore, choose repair, then cancel, then advanced options to access the command prompt

11.> command prompt will eventually take you to a X:\ prompt.

12.> insert the USB stick, and wait a minute or so. Once the USB stick has had time to be detected, you need to find it. In the case of the systems I was working on, it was drive G:

13.> assuming the USB drive is drive G:, at the X:\> prompt type "G:" (without the quotes)

14.> at the G:\> prompt type "CD mbamfix" (without the quotes)

15.> assuming your windows system drive is D:, you can now type "repair.bat"

16.> as each file copy is attempted, xcopy will ask you to confirm the overwrite, press Y

17.> repeat pressing Y until it is complete.

18.> reboot the pc into safe mode, disable the malwarebytes service (where appropriate) and uninstall malwarebytes.

19.> reboot the pc into normal mode, connect to the internet, download the latest malwarebytes, install it and fully update it before restarting.

20.> your PC should now be fixed.

www.SystemForce.co.uk
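The following script is an added example, not code from the poster above or from Malwarebytes, that automates steps 1 to 9 of that procedure on the working computer: it reads each BACKUP.xxxxx record, copies the matching QUAR1.xxxxx payload to the USB folder under its original filename, and writes the repair.bat of xcopy lines. It assumes exactly what the post describes (BACKUP/QUAR1 pairs sharing an id, and a text line starting with "3=" that holds the original full path); the per-id subfolders, the `%~dp0` prefix, the xcopy switches and the constructed sample records in the test are this example's own choices, not anything documented for the quarantine format.

```python
"""Rebuild a restore script from Malwarebytes BACKUP.<id> / QUAR1.<id> pairs.

Assumed (from the forum post, not verified against the real format):
  - every quarantined file is a pair BACKUP.<id> and QUAR1.<id>;
  - BACKUP.<id> is text and one line starts with "3=" followed by the
    original full path, e.g. 3=C:\\Windows\\System32\\some.dll.
Everything else in this file is an assumption made for this example.
"""
import ntpath
import os
import shutil
from typing import List, Tuple

BACKUP_PREFIX = "BACKUP."
QUAR_PREFIX = "QUAR1."
PATH_KEY = "3="


def original_path(backup_text: str) -> str:
    """Return the original full path recorded in a BACKUP.<id> record."""
    for line in backup_text.splitlines():
        line = line.strip()
        if line.startswith(PATH_KEY):
            return line[len(PATH_KEY):].strip().strip('"')
    raise ValueError("no '3=' path line found in BACKUP record")


def restore_target(orig: str, system_drive: str) -> Tuple[str, str]:
    """Split the original path into (filename, destination directory).

    The drive letter is swapped because the recovery environment maps the
    broken installation to a different letter (D: in the post, X: is WinRE).
    ntpath is used so this also works when run on a non-Windows machine.
    """
    _drive, rest = ntpath.splitdrive(orig)
    directory, name = ntpath.split(rest)
    if not name or not directory:
        raise ValueError(f"unexpected original path: {orig!r}")
    dest_dir = f"{system_drive.rstrip(':')}:{directory}"
    if not dest_dir.endswith("\\"):
        dest_dir += "\\"
    return name, dest_dir


def xcopy_line(entry_id: str, name: str, dest_dir: str) -> str:
    """One batch line: copy the staged file into its original directory.

    %~dp0 expands to the folder the .bat lives in, so the USB stick's drive
    letter no longer matters; /Y answers the overwrite prompt (steps 16-17
    in the post), /H /R also copy hidden and read-only system files.
    """
    return f'xcopy "%~dp0{entry_id}\\{name}" "{dest_dir}" /Y /H /R'


def build_repair(quarantine_dir: str, out_dir: str, system_drive: str = "D") -> List[str]:
    """Stage every QUAR1.<id> as out_dir/<id>/<original name> and write
    out_dir/repair.bat.  A per-id subfolder is used instead of renaming
    files side by side, so two quarantined files that share a name (the
    same DLL under System32 and SysWOW64, say) cannot overwrite each other.
    Returns the batch lines so the caller can review them before use.
    """
    lines = ["@echo off"]
    for fname in sorted(os.listdir(quarantine_dir)):
        if not fname.upper().startswith(BACKUP_PREFIX):
            continue
        entry_id = fname[len(BACKUP_PREFIX):]
        quar = os.path.join(quarantine_dir, QUAR_PREFIX + entry_id)
        if not os.path.isfile(quar):
            continue  # record without a payload: nothing to restore
        record = os.path.join(quarantine_dir, fname)
        with open(record, encoding="utf-8", errors="replace") as fh:
            name, dest_dir = restore_target(original_path(fh.read()), system_drive)
        stage_dir = os.path.join(out_dir, entry_id)
        os.makedirs(stage_dir, exist_ok=True)
        shutil.copyfile(quar, os.path.join(stage_dir, name))
        lines.append(xcopy_line(entry_id, name, dest_dir))
    lines.append("echo done")
    # cmd.exe wants CRLF line endings in batch files
    with open(os.path.join(out_dir, "repair.bat"), "w", newline="\r\n") as fh:
        fh.write("\n".join(lines) + "\n")
    return lines


if __name__ == "__main__":
    import sys
    # usage: python mbam_restore.py <quarantine dir> <usb mbamfix dir> [system drive]
    drive = sys.argv[3] if len(sys.argv) > 3 else "D"
    for line in build_repair(sys.argv[1], sys.argv[2], drive):
        print(line)
```

Review the printed lines before running repair.bat from the recovery command prompt: every destination should be a directory on the offline Windows drive, and the source is always the staged copy on the stick, so the copy can only go from the stick onto the system, never the other way round.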

