Jump to content

Caught Backdoor.Bot Early Enough?


Recommended Posts

Yesterday I ran MBAM in Safe Mode. It found only one file associated with Backdoor.Bot. It did not find any other infected traces in processes or in the registry. I instructed MBAM to remove/quarantine the file which it did.

For backgound, I had during the previous week run both MBAM and MS Security Essentials full scans after regular Windows 7 startup. No trace of Backdoor.Bot was reported by any prior scan.

I also ran another MBAM scan in Safe Mode today. It found no malware.

When I searched for some information on Backdoor.Bot, I read a thread on the Bleeping Computer forum. It suggested that any system infected by Backdoor.Bot was at extreme risk. It said that, short of reformatting and re-installing the whole system, the computer and my online activity would always be at risk. It suggested contacting banks and taking other identity theft precautions.

So far I have changed my system's passwords while I was offline, but I have not taken other actions.

2 Questions:

Did I catch the Backdoor.Bot early enough (as ONE file being infected and removed so that I am not at dire risk?

Is Bleeping Computer a reputable forum?

Thank you.

Link to post
Share on other sites

:)

Can you post the scan results where MBAM detected it?

Did I catch the Backdoor.Bot early enough (as ONE file being infected and removed so that I am not at dire risk?

This is what I use for a backdoor bot:

Whether you wish to continue with cleaning or not, you should be aware that you may have been infected by a backdoor trojan. This type of program has the ability to steal passwords and other information from your system. If you are using your computer for sensitive purposes such as internet banking then I recommend you take the following steps immediately:

  • Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks, paypal, ebay, etc. You should also change the passwords for any other site you use.
  • Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or credit card information may have been stolen and ask what steps to take with regard to your account.
  • Consider what other private information could possibly have been taken from your computer and take appropriate steps

This infection can almost certainly be cleaned, but as the malware could be configured to run any program a remote attacker requires, it will be impossible to be 100% sure that the machine is clean, if this is unacceptable to you then you should consider reformatting the system partition and reinstalling Windows as this is the only 100% sure answer.

Please post back to let me know how you wish to proceed.

Is Bleeping Computer a reputable forum?
Yes they are.
Link to post
Share on other sites

Scan Log File:

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5900

Windows 6.1.7600 (Safe Mode)

Internet Explorer 8.0.7600.16385

2/28/2011 3:54:31 PM

mbam-log-2011-02-28 (15-54-31).txt

Scan type: Full scan (C:\|D:\|)

Objects scanned: 300256

Time elapsed: 24 minute(s), 50 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\Windows\winsxs\amd64_wcf-icardagt_exe_31bf3856ad364e35_6.1.7600.16385_none_8dcc9c6f8b58a5eb\icardagt.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

Link to post
Share on other sites

I completed all the steps above.

As would be expected, the quarantine log is now empty.

However, the formerly-quarantined, false-positive file (icardagt.exe) has not been re-instated to the location from which it was quarantined.

Do I just copy the icardagt.exe from the system32 folder into the location from which its namesake had been removed by MBAM?

Thank you for your guidance.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.