Malwarebytes

[Backdoor.Celofot] Possible F.P


71 replies to this topic

#1 leofelix (Advanced Member, Honorary Members, 158 posts)
Hi All.

I've just scanned 3 computers of mine (a laptop with Windows 7 Home Premium x64, a desktop PC with Windows 7 Ultimate x86, and a Virtual PC with XP SP3) with MBAM database version 3896.

Backdoor.Celofot has been detected in all my computers and only as a registry entry.
Log is attached in rar format.

I believe it is a false positive, since my computers are fully up to date, I practice safe surfing, my default browser is sandboxed, and I never download from untrusted sources.

Windows 7 64-bit security software installed:
ESET NOD32 v4
PC Tools Firewall Plus 6
SpywareBlaster 4.2
WinPatrol 2010
on demand: a-squared Free and HitmanPro 3.5
Sandboxie 3.44

Windows 7 Ultimate 32-bit:
G Data AntiVirus 2010
PC Tools Firewall Plus 6
Prevx SafeOnline 3.0.5
WinPatrol 2010
on demand: a-squared Free and HitmanPro 3.5
Sandboxie 3.44

Virtual PC with XP SP3:
Avira Free 9.0
SpywareBlaster 4.2
a-squared Free
WinPatrol 2010
Sandboxie 3.44

I also just performed a full scan with the SAS online scanner, which found no malware on my Windows 7 x64.

I'm behind a router.

Thank you


#2 Tarnak (Advanced Member, Honorary Members, 141 posts)
Can confirm...Looks like an FP :huh:

Malwarebytes' Anti-Malware 1.44
Database version: 3896
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

22/03/2010 9:30:00 AM
mbam-log-2010-03-22 (09-29-52).txt

Scan type: Quick Scan
Objects scanned: 121540
Time elapsed: 5 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\protect_ie (Backdoor.Celofot) -> No action taken. [01ADCD28415F739C15682220B794E819]

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


P.S. This is a separate snapshot from the one on which I am presently beta testing 1.45.
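Added example, not part of this thread and not Malwarebytes' own tooling: a small Python parser for the MBAM 1.x report layout quoted above. It pulls each flagged item out of the per-section lists (path, detection name, action, and the bracketed 32-hex-digit identifier, which it treats as an opaque detection id), cross-checks the summary counts against what is actually listed, and compares reports from several hosts so that the pattern seen in this thread (one identical registry path, name and id on every machine) is surfaced directly. The second log, its file detection and the host names are constructed for the comparison.

```python
import re
from collections import defaultdict

# Added example, not Malwarebytes code: parse the plain-text report layout of
# Malwarebytes' Anti-Malware 1.x (as quoted in this thread) and compare the
# reports of several hosts.

# Log quoted in post #2 above (the trailing P.S. is not part of the log).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.44
Database version: 3896
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

22/03/2010 9:30:00 AM
mbam-log-2010-03-22 (09-29-52).txt

Scan type: Quick Scan
Objects scanned: 121540
Time elapsed: 5 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\protect_ie (Backdoor.Celofot) -> No action taken. [01ADCD28415F739C15682220B794E819]

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
"""

# Constructed second host: the same protect_ie hit plus one host-specific
# file detection (path and detection name are made up for this example).
SECOND_LOG = SAMPLE_LOG.replace("Files Infected: 0", "Files Infected: 1").replace(
    "Files Infected:\n(No malicious items detected)",
    "Files Infected:\nC:\\Users\\demo\\Downloads\\setup.exe (Trojan.Agent) -> Quarantined and deleted successfully.")

SECTIONS = ("Memory Processes Infected", "Memory Modules Infected",
            "Registry Keys Infected", "Registry Values Infected",
            "Registry Data Items Infected", "Folders Infected", "Files Infected")
# "<path> (<detection name>) -> <action>" optionally followed by " [<32 hex digits>]"
ITEM_RE = re.compile(
    r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)(?: \[(?P<sig>[0-9A-Fa-f]{32})\])?$")


def parse_mbam_log(text):
    """Return {'header': {key: value}, 'detections': [dict, ...]}."""
    header, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":") and line[:-1] in SECTIONS:
            section = line[:-1]          # a per-section item list starts here
        elif section is None:
            if ": " in line:             # "Database version: 3896", summary counts, ...
                key, _, value = line.partition(": ")
                header[key] = value
        elif line != "(No malicious items detected)":
            m = ITEM_RE.match(line)
            if m:                        # unrecognised lines inside a section are skipped
                detections.append(dict(m.groupdict(), section=section))
    return {"header": header, "detections": detections}


def check_counts(report):
    """The summary counts in the header should equal the items actually listed;
    return the sections where they disagree (a truncated or hand-edited log)."""
    listed = defaultdict(int)
    for d in report["detections"]:
        listed[d["section"]] += 1
    return [s for s in SECTIONS if int(report["header"].get(s, "0")) != listed[s]]


def fleetwide(reports):
    """reports: {host: parsed report}. Return one representative detection for
    every (section, path, name, id) present on *all* hosts. Paths are compared
    case-insensitively, as Windows does for both the registry and the file system."""
    hosts, sample = defaultdict(set), {}
    for host, rep in reports.items():
        for d in rep["detections"]:
            key = (d["section"], d["path"].lower(), d["name"], d["sig"])
            hosts[key].add(host)
            sample.setdefault(key, d)
    return [sample[k] for k, h in hosts.items() if len(h) == len(reports)]
```

Feeding the two parsed reports to `fleetwide` returns only the `protect_ie` Run value: it is on both hosts with the same name and id, while the constructed `setup.exe` hit is on one host only. `check_counts` returns an empty list for both logs, so the summary counts match the listed items.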

#3 JohnBurns (New Member, 24 posts, Oklahoma City, OK)
I have the same item on my Windows 7 PC and on my XP PC, both of which are fully up to date and have Microsoft Security Essentials, SuperAntiSpyware and HitmanPro, none of which show any problems. I also am behind a router. Very similar to you, leofelix. I am just holding until I find out whether it is a false positive.

#4 Tarnak (Advanced Member, Honorary Members, 141 posts)
I bet my bottom dollar it is a FP. :huh:

#5 pulsar68 (New Member, 4 posts)
Hi guys. The same for me. I updated and then did a fast scan, and backdoor.celofot appeared. Is it surely a false positive?

#6 Hurin (New Member, 2 posts)
Glad to find this thread! I was about to enter "panic mode" since I occasionally use the laptop showing this apparent false positive for some secure stuff at work.

Same exact issue as described above. Use Firefox with noscript, MSSE as antivirus, and computer comes up otherwise completely clean. The only possible vector I would consider at all likely is that my wife sometimes uses this laptop. :huh:

Here's something else odd... when I went to find the registry entry it was describing (prior to having MBAM delete it), it wasn't even actually there (unless it's somehow hidden or transient). So it appears MBAM is possibly seeing a phantom registry value?

Best,

H

#7 jurtti (New Member, 1 post)
Hello!

Same problem here. Win 7 64-bit.

#8 Tarnak (Advanced Member, Honorary Members, 141 posts)
Looks like the verdict is in...FP! ...but i ain't no Guru! > http://en.wikipedia....hod,_No_Teacher

:huh:

#9 pulsar68 (New Member, 4 posts)

Hurin, on Mar 22 2010, 12:52 AM, said:

Glad to find this thread! I was about to enter "panic mode" since I occasionally use the laptop showing this apparent false positive for some secure stuff at work.

Same exact issue as described above. Use Firefox with noscript, MSSE as antivirus, and computer comes up otherwise completely clean. The only possible vector I would consider at all likely is that my wife sometimes uses this laptop. :huh:

Here's something else odd... when I went to find the registry entry it was describing (prior to having MBAM delete it), it wasn't even actually there (unless it's somehow hidden or transient). So it appears MBAM is possibly seeing a phantom registry value?

Best,

H

What does she do with your laptop? :lol:

#10 chimpy (Elite Member, Honorary Members, 786 posts, North of England)
Just got the same result here too!
Vista HB 32-bit, WoT, ABP, Sandboxie free, MBAM, CCleaner, NoScript, AVG 2011 free, HostsMan

#11 Hurin (New Member, 2 posts)

pulsar68, on Mar 21 2010, 05:08 PM, said:

What does she do with your laptop? :unsure:
Hehe... nothing that should cause trouble. But you never know!

#12 Guest_SFdude_* (Guest)

Tarnak, on Mar 21 2010, 11:59 PM, said:

Looks like the verdict is in...FP! ...but i ain't no Guru! > http://en.wikipedia....hod,_No_Teacher

:unsure:
@Tarnak:

My MBAM also just detected "backdoor.celofot" as a bad registry entry.
(I have XP SP2 fully patched, MBAM, NoScript, and Firefox 3.5.8 running INSIDE Sandboxie.)


My question to you...
You have 3 posts so far (in this thread) affirming that "...it's an FP".

Your 3rd post absolutely declares about "backdoor.celofot":
"looks like the verdict is in...FP!".

Can you illuminate the rest of us mortals why you say that?
What, who and/or where does it state that it's an FP?

Thanks...

#13 pulsar68 (New Member, 4 posts)

Hurin, on Mar 22 2010, 01:12 AM, said:

Hehe... nothing that should cause trouble. But you never know!

That's right... we never know! :unsure:

#14 nosirrah (Forum Deity, Administrators, 5,399 posts, Northampton, MA USA)
This will be fixed in just a sec, guys.
Bruce Harrison
Vice President of Research


#15 virus_monkey (New Member, 1 post)
Can anyone from Malwarebytes confirm this being an FP? I have seen this on everything from XP (SP0, SP1, SP2 and SP3) and Vista (SP0, SP1 and SP2) to Windows 7, and in all flavors, 32- and 64-bit.

#16 chimpy (Elite Member, Honorary Members, 786 posts, North of England)
I have it in my results, so if it is confirmed as an FP, what do I do to restore it? Do I "ignore" it or untick it, or something else?

#17 Tarnak (Advanced Member, Honorary Members, 141 posts)

SFdude, on Mar 22 2010, 10:18 AM, said:

Can you illuminate the rest of us mortals why you say that?
What, who and/or where does it state that it's an FP?

Thanks...


All care, no responsibility: http://craigdavis.tumblr.com/page/2 :unsure:

#18 Guest_SFdude_* (Guest)

nosirrah, on Mar 22 2010, 12:22 AM, said:

This will be fixed in just a sec guys .

Thanks for your quick intervention, Nosirrah!

That's why MBAM and its community are tops! :unsure:

#19 Jetstar (New Member, 3 posts)
Well, I think this might have messed me up a bit...

Ironically, a few hours ago a malicious file made its way onto my desktop. Of course, I use Malwarebytes as a first resort, and it picks up the F.P. everyone is getting in this thread. I removed it.

What kind of damage have I done now?

#20 A8AWD (New Member, 3 posts)

nosirrah, on Mar 21 2010, 08:22 PM, said:

This will be fixed in just a sec guys .

Have you determined if this is an FP? Thanks.
