Jump to content

backdoor.bot in msconfig


Guest ghot
 Share

Recommended Posts

I'm running the free Malwarebytes program....I used msconfig to boot into safe mode....then ran Malwarebytes.....

the only things it found were two entries of backdoor.bot.....both related to msconfig....I removed them and while still in safemode,

tried to run msconfig......no joy!

So...I restored the two entries and msconfig works fine now....however, I'm worried about what they are doing there and why removing them, disables msconfig....any help would be appreciated.

All other scans I run from ANY AV / malware programs off or online show NO infections...even HiJack This shows nothing.

HELP!! :)

Link to post
Share on other sites

This could be the result of a false positive. Please scan your system again with the /developer switch. And post that logfile. Do not have mbam do anything with the results until I respond to you later this evening.

Results:

here is screenshot of finished scan with /developer switch....run from START / Run

mbamresultsui6.jpg

here is screen from quarantine tab.....

mbamquarnd4.jpg

here is screen of possible bug? when run from START Run mbam.exe /developer .....when i click OK the scan runs normally though. I only get this temp error when run from cmd line.

cmdlinerunai3.jpg

here is log from run with /developer switch:

Malwarebytes' Anti-Malware 1.30

Database version: 1347

Windows 5.1.2600 Service Pack 2

10/31/2008 7:35:25 PM

mbam-log-2008-10-31 (19-35-17).txt

Scan type: Full Scan (C:\|)

Objects scanned: 58445

Time elapsed: 3 minute(s), 31 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msconfig (Backdoor.Bot) -> No action taken. [3857535134303566687669808083153580851301414438586445483634456446343641424738615

24839535634513861467468838084807185615674796980888461368683837079855570838474807

9

61518679931130117370778168858361677479668374708461111570897011]

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe (Backdoor.Bot) -> No action taken. [3857535134303566687669808083153580851301414438586445483634456446343641424738615

24839535634513861467468838084807185615674796980888461368683837079855570838474807

9

61518679931130117370778168858361677479668374708461111570897011]

Link to post
Share on other sites

I had the same two errors show up today

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msconfig (Backdoor.Bot) -> No action taken.

Files Infected:

C:\WINDOWS\PCHealth\HelpCtr\Binaries\msconfig.exe (Backdoor.Bot) -> No action taken.

Link to post
Share on other sites

ok I re-ran in safemode and it found same entries...I quarantined them...and now typing msconfig in RUN box doesn't work....but.....msconfig is still there.....if you type: C:\WINDOWS\system32\dllcache\msconfig.exe in the RUN box it works...even with the backdoor.bot removed ?

It seems that removing the backdoor.bot entries makes the RUN box forget WHERE msconfig.exe is located.....

I am going to leave it as is till RAID gets back with a better (hopefully) solution :)

Link to post
Share on other sites

Hi All,

sorry for delay in getting back to you guys. It's definately a FP; please ignore it. We will get this fixed with the next def release. If you have already quarantined msconfig or any other exe files from the helpctr folder, please restore them.

Apologies for any inconvenience this may have caused you.

Link to post
Share on other sites

Hi all,

New to this board. MB is an incredibly effective program in removing nasties other AV's could not remove. Good job. :)

Now I update and find the same rootkit others have said MB found: backdoor.bot located in msconfig. I removed it to quarantine section of MB but am thinking like those posters above that it is a false positive.

I rescanned with MB and it again finds the backdoor.bot Unlike ghot, I am able to run msconfig from the run box.

Any advice?

Link to post
Share on other sites

Hmmm - Interesting. Raid said it was a FP but you think otherwise, ghot.

Out of curiosity, have you also rebooted after doing all this, and if so, have you searched your registry to see if there is any reference to either the .bot file and / or wierd entries referring to MSCONFIG?

@RAID - is this definitely a FP or not?

Link to post
Share on other sites

Hmmm - Interesting. Raid said it was a FP but you think otherwise, ghot.

Out of curiosity, have you also rebooted after doing all this, and if so, have you searched your registry to see if there is any reference to either the .bot file and / or wierd entries referring to MSCONFIG?

@RAID - is this definitely a FP or not?

It's definitely a FP. Following the instructions I've removed would have no longterm effect. Windows will restore it, and MBAM would again detect it using that set of definitions.

Link to post
Share on other sites

Ok I figured out how to fix the disappearing msconfig after a Malwarebytes run finds backdoor.bot and removes it...

Those instructions wouldn't have any lasting effect, as you later discovered. I have removed the instructions to prevent inexperienced users from potentially messing up the registry. :)

Link to post
Share on other sites

Hi All,

sorry for delay in getting back to you guys. It's definitely a FP; please ignore it. We will get this fixed with the next def release. If you have already quarantined msconfig or any other exe files from the helpctr folder, please restore them.

Apologies for any inconvenience this may have caused you.

I have the same problem with Backdoor.bot. I ran a regular scan it detected Backdoor.bot again then I ran a scan with Developer Switch and it then did not detect it but then I rebooted my computer and ran a scan using Malwarebytes and it detected it again. This is a False/Positive correct.?

I included log files below also a hijackthis log.

ksaari

Malwarebytes' Anti-Malware 1.30

Database version: 1347

Windows 5.1.2600 Service Pack 3

10/31/2008 9:25:34 PM

mbam-log-2008-10-31 (21-25-34).txt

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 74113

Time elapsed: 29 minute(s), 56 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msconfig (Backdoor.Bot) -> Quarantined and deleted successfully. [3857535134303566687669808083153580851301414438586445483634456446343641424738615

24839535634513861467468838084807185615674796980888461368683837079855570838474807

9

61518679931130117370778168858361677479668374708461111570897011]

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\msconfig.exe (Backdoor.Bot) -> Quarantined and deleted successfully. [3857535134303566687669808083153580851301414438586445483634456446343641424738615

24839535634513861467468838084807185615674796980888461368683837079855570838474807

9

61518679931130117370778168858361677479668374708461111570897011]

----------------------------------------------------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 5:58:37 PM, on 10/31/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Sygate\SPF\smc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\a-squared Free\a2service.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\Program Files\SPAMfighter\sfus.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\SPAMfighter\SFAgent.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

C:\Program Files\Unlocker\UnlockerAssistant.exe

C:\WINDOWS\LTMSG.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\AutoSizer\AutoSizer.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\SpywareGuard\sgmain.exe

C:\Program Files\SpywareGuard\sgbhp.exe

C:\Program Files\Outlook Express\msimn.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - (no file)

O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O4 - HKLM\..\Run: [AlcxMonitor] "C:\WINDOWS\ALCXMNTR.EXE"

O4 - HKLM\..\Run: [sPAMfighter Agent] "C:\Program Files\SPAMfighter\SFAgent.exe" update delay 60

O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice

O4 - HKLM\..\Run: [unlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"

O4 - HKLM\..\Run: [LTMSG] "C:\WINDOWS\LTMSG.exe" 7

O4 - HKLM\..\Run: [smcService] "C:\PROGRA~1\Sygate\SPF\smc.exe" -startgui

O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

O4 - HKCU\..\Run: [spybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"

O4 - HKCU\..\Run: [AutoSizer] "C:\Program Files\AutoSizer\AutoSizer.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM

O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM

O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM

O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM

O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) -

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5036.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1223536128671

O16 - DPF: {6CCE3920-3183-4B3D-808A-B12EB769DE12} (CSS Web Installer Class) -

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1223666426046

O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab

O16 - DPF: {819F8533-D935-4183-B692-587F8D56AC3C} (iolo.AV.OnlineVirusScanner) - http://www.iolo.com/threatcenter/App/ocx/AVCheckUp.ocx

O16 - DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} (DDRevision Class) - http://h20264.www2.hp.com/ediags/dd/instal...nosticsxp2k.cab

O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe

O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe

O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

O23 - Service: SPAMfighter Update Service - SPAMfighter ApS - C:\Program Files\SPAMfighter\sfus.exe

--

End of file - 7591 bytes

Link to post
Share on other sites

Try updating to Database version: 1352 and scan again.

Then re-submit your logs here: HijackThis Logs.

I have the 1354 Database version. I first restored it then I did a update then a scan. Same problem. Below is the Malwarebytes log and highjack this log. I clicked on ignore for now because I don't know what else to do.

IS THIS A False/Positive.?

ksaari

Same problem.

Malwarebytes' Anti-Malware 1.30

Database version: 1354

Windows 5.1.2600 Service Pack 3

11/1/2008 4:08:23 PM

mbam-log-2008-11-01 (16-08-18).txt

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 73284

Time elapsed: 29 minute(s), 53 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msconfig (Backdoor.Bot) -> No action taken.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

----------------------------------------------------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 5:58:37 PM, on 10/31/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Sygate\SPF\smc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\a-squared Free\a2service.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\Program Files\SPAMfighter\sfus.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\SPAMfighter\SFAgent.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

C:\Program Files\Unlocker\UnlockerAssistant.exe

C:\WINDOWS\LTMSG.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\AutoSizer\AutoSizer.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\SpywareGuard\sgmain.exe

C:\Program Files\SpywareGuard\sgbhp.exe

C:\Program Files\Outlook Express\msimn.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - (no file)

O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O4 - HKLM\..\Run: [AlcxMonitor] "C:\WINDOWS\ALCXMNTR.EXE"

O4 - HKLM\..\Run: [sPAMfighter Agent] "C:\Program Files\SPAMfighter\SFAgent.exe" update delay 60

O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice

O4 - HKLM\..\Run: [unlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"

O4 - HKLM\..\Run: [LTMSG] "C:\WINDOWS\LTMSG.exe" 7

O4 - HKLM\..\Run: [smcService] "C:\PROGRA~1\Sygate\SPF\smc.exe" -startgui

O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

O4 - HKCU\..\Run: [spybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"

O4 - HKCU\..\Run: [AutoSizer] "C:\Program Files\AutoSizer\AutoSizer.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM

O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM

O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM

O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM

O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) -

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5036.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1223536128671

O16 - DPF: {6CCE3920-3183-4B3D-808A-B12EB769DE12} (CSS Web Installer Class) -

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1223666426046

O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab

O16 - DPF: {819F8533-D935-4183-B692-587F8D56AC3C} (iolo.AV.OnlineVirusScanner) - http://www.iolo.com/threatcenter/App/ocx/AVCheckUp.ocx

O16 - DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} (DDRevision Class) - http://h20264.www2.hp.com/ediags/dd/instal...nosticsxp2k.cab

O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe

O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe

O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

O23 - Service: SPAMfighter Update Service - SPAMfighter ApS - C:\Program Files\SPAMfighter\sfus.exe

--

End of file - 7591 bytes

Link to post
Share on other sites

Ok I ran MB in normal windows mode...found nothing....

Ran again in Safe mode and if found the same backdoor.bot as shown in screenshot.....

mbamresultssafemodenb0.jpg

I realize that white listing this backdoor.bot is A solution......however, I would rather have it OFF my system than have it JUST whitelisted. Further...after 2 updates.....THIS time it only found the one in the screen shot and not the one in:

C:\WINDOWS\pchealth\helpctr\binaries

You have a fantastic program here....but like I said..whitelisting items that shouldn't be ON my computer, might steer others away from MB...which is NOT a good idea :)

Link to post
Share on other sites

Ok I ran MB in normal windows mode...found nothing....

Ran again in Safe mode and if found the same backdoor.bot as shown in screenshot.....

mbamresultssafemodenb0.jpg

I realize that white listing this backdoor.bot is A solution......however, I would rather have it OFF my system than have it JUST whitelisted. Further...after 2 updates.....THIS time it only found the one in the screen shot and not the one in:

C:\WINDOWS\pchealth\helpctr\binaries

You have a fantastic program here....but like I said..whitelisting items that shouldn't be ON my computer, might steer others away from MB...which is NOT a good idea :)

I suspect you misunderstood what we mean by Whitelisting. The application wasn't a malware program, it was a false positive with our software. The whitelisting is on specific locations, only. Not file contents. It's part of an advanced hueristics engine.

Please, update and scan again.

Link to post
Share on other sites

I give up on trying to remove Backdoor.bot. :) I'm going to put my chances on it being a F/P.

In the mean while I would like to send thanks to every one for their concern and great support. :)

CHEERS

ksaari

Please use the developer switch when posting a log you suspect might be for False Positives.

Link to post
Share on other sites

I suspect you misunderstood what we mean by Whitelisting. The application wasn't a malware program, it was a false positive with our software. The whitelisting is on specific locations, only. Not file contents. It's part of an advanced hueristics engine.

Please, update and scan again.

This IS a safe mode scan from the latest update...I just tried at 8:27PM EST to update and it said no further updates....but I now understand what you mean by white listing now. I just checked the registry and no backdoor.bot where MB said it should be :)

So even though I don't really understand all the inner workings of MB...it DOES seem to be a false positive...I think lol

BUT.....removing it with MB still causes msconfig to flake out and not work.

P.S. I'm Using the latest free version of MB ....FYI

notherebz1.jpg

Link to post
Share on other sites

This IS a safe mode scan from the latest update...I just tried at 8:27PM EST to update and it said no further updates....but I now understand what you mean by white listing now. I just checked the registry and no backdoor.bot where MB said it should be :)

So even though I don't really understand all the inner workings of MB...it DOES seem to be a false positive...I think lol

BUT.....removing it with MB still causes msconfig to flake out and not work.

P.S. I'm Using the latest free version of MB ....FYI

notherebz1.jpg

currently it still showing backdoor.bot (only in safe mode scan) with definition version 1354

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.