Malwarebytes

Backdoor.Bot in Windows\Installer folder?


#1 george222 (New Member; Members; 35 posts)
Hello,
A full scan with MBAM found only one infection, but in an .xls file in the Windows\Installer
folder. No registry infections. Is this a false positive, or should I start acting as if my
identity has been stolen? I have to know which it is. Is Backdoor.Bot a known keystroke
logger? The other thing is, the file is now quarantined, but will this mean Windows cannot
reboot again? (The installer folder is so important it is normally hidden.) Should I reinstate
the file?
Log file is below. Help, please.

Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 3

13/09/2009 11:40:13 PM
mbam-log-2009-09-13 (23-40-13).txt

Scan type: Full Scan (C:\|)
Objects scanned: 261912
Time elapsed: 1 hour(s), 16 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Installer\{2D5C886B-878A-46A0-ABB6-E583D4D9C904}\Icon2D5C886B1.xls (Backdoor.Bot) -> Quarantined and deleted successfully.
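As an added illustration (not part of this thread), a Python parser for the MBAM 1.41 log layout quoted above: it reads the summary counts, rejoins the detection line that the forum wrapped after "->", and flags any detected path that sits inside %WINDIR%\Installer\{ProductCode}\, the per-product cache where Windows Installer keeps resources such as shortcut icons, so the first verification step is to match the GUID against installed products. The sample log is constructed; only the detection name and path come from the post.

```python
import re
from dataclasses import dataclass
# Constructed sample in the MBAM 1.41 log layout quoted above; the detection
# line is wrapped after "->" exactly as the forum rendered it.
SAMPLE_LOG = """\
Malwarebytes' Anti-Malware 1.41
Files Infected: 1
Files Infected:
C:\\WINDOWS\\Installer\\{2D5C886B-878A-46A0-ABB6-E583D4D9C904}\\Icon2D5C886B1.xls (Backdoor.Bot) ->

Quarantined and deleted successfully.
"""

DETECTION_RE = re.compile(r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+)$")
# %WINDIR%\Installer\{ProductCode}\ holds Windows Installer's per-product cached resources.
INSTALLER_CACHE_RE = re.compile(r"^[a-z]:\\windows\\installer\\\{[0-9a-f-]{36}\}\\", re.I)

@dataclass
class Detection:
    path: str
    name: str
    action: str

    @property
    def in_installer_cache(self) -> bool:
        return bool(INSTALLER_CACHE_RE.match(self.path))

    @property
    def product_code(self):  # MSI ProductCode GUID named by the folder, if any
        m = re.search(r"\{[0-9A-Fa-f-]{36}\}", self.path)
        return m.group(0).upper() if m else None

def parse_mbam_log(text: str):
    # Returns ({summary label: count}, [Detection]) for an MBAM-style log.
    counts, detections = {}, []
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    i = 0
    while i < len(lines):
        line = lines[i]
        m = re.match(r"^(.+ Infected): (\d+)$", line)
        if m:
            counts[m.group(1)] = int(m.group(2))
        elif line.endswith("->") and i + 1 < len(lines):
            line = f"{line} {lines[i + 1]}"  # rejoin the wrapped action text
            i += 1
        d = DETECTION_RE.match(line)
        if d:
            detections.append(Detection(**d.groupdict()))
        i += 1
    return counts, detections
```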

#2 GT500 (Mostly Cantankerous; Trusted Advisors; 5,527 posts; Gender: Male; Location: Fortville, IN)
I don't see anything on Google for that file.

Please upload a sample to our UploadNET.

For we wrestle not against flesh and blood, but against principalities, against powers, and against the worldly governors, the princes of the darkness of this world...

#3 george222 (New Member; Members; 35 posts)

GT500, on Sep 15 2009, 09:43 PM, said:

I don't see anything on Google for that file.

Please upload a sample to our UploadNET.


#4 george222 (New Member; Members; 35 posts)

GT500, on Sep 15 2009, 09:43 PM, said:

I don't see anything on Google for that file.

Please upload a sample to our UploadNET.


Oops, I misunderstood that button in my post#2, sorry.

Thanks for your reply. I have now uploaded as requested. I'm not sure which of the 2 files I uploaded is (was) the .xls file with the Backdoor.Bot, the other infected file was just Adware.EGDAccess found in my first quick scan by MBAM (which, by the way, also found 7 registry key infections by EGDAccess, Adware.NetOptimizer, and Trojan.Agent which I am not too worried about). I also uploaded the 2 backup files, maybe they contain the original file names? That makes a total of 4 files I have uploaded: QUAR1.62068, QUAR1.23242, and two BACKUP1 files with the same numbers.

#5 george222 (New Member; Members; 35 posts)

george222, on Sep 16 2009, 09:45 AM, said:

Oops, I misunderstood that button in my post#2, sorry.

Thanks for your reply. I have now uploaded as requested. I'm not sure which of the 2 files I uploaded is (was) the .xls file with the Backdoor.Bot, the other infected file was just Adware.EGDAccess found in my first quick scan by MBAM (which, by the way, also found 7 registry key infections by EGDAccess, Adware.NetOptimizer, and Trojan.Agent which I am not too worried about). I also uploaded the 2 backup files, maybe they contain the original file names? That makes a total of 4 files I have uploaded: QUAR1.62068, QUAR1.23242, and two BACKUP1 files with the same numbers.

GT500, were you able to retrieve these uploads?

#6 GT500 (Mostly Cantankerous; Trusted Advisors; 5,527 posts; Gender: Male; Location: Fortville, IN)

george222 said:

GT500, were you able to retrieve these uploads?

I don't analyze uploads, but if the file is still being detected then go ahead and allow removal.

For we wrestle not against flesh and blood, but against principalities, against powers, and against the worldly governors, the princes of the darkness of this world...
