False Positive?


19 replies to this topic

#1 dook (New Member, 5 posts)

Posted 28 February 2011 - 03:14 AM

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5900

Windows 6.1.7601 Service Pack 1 (Safe Mode)
Internet Explorer 8.0.7601.17514

28/02/2011 07:59:21
mbam-log-2011-02-28 (07-59-21).txt

Scan type: Full scan (C:\|)
Objects scanned: 341842
Time elapsed: 41 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\winsxs\amd64_wcf-icardagt_exe_31bf3856ad364e35_6.1.7600.16385_none_8dcc9c6f8b58a5eb\icardagt.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

I tried searching about this .exe and I can't tell if it's a genuine backdoor or not. I ran in safe mode, full scan. Also ran AVG from the safe-mode command prompt and it was clean.

I removed the file to be safe, but want to know if this was a real threat before I bother changing all passwords etc. and do a full format.

#2 Fom (New Member, 18 posts)

Posted 28 February 2011 - 04:10 AM

I'm getting this file flagged after the most recent update as well. MSE scan is clean on the file. I tried to rar the file to attach it along with the log in this post but I get access denied. Any ideas on this being a FP or not?

Attached Files



#3 dook (New Member, 5 posts)

Posted 28 February 2011 - 04:21 AM

Glad to know I'm not alone. I think I was a little quick to delete the file, and I'm glad you didn't yet. Could you double-check that yours is in the same directory as mine? I had two directories that were almost identical, with only a few characters' difference.

#4 dook (New Member, 5 posts)

Posted 28 February 2011 - 04:25 AM

Sorry for the double reply.

I checked your log and the file path is identical to mine.

Seeing as you still have the file and I don't, could you upload it to VirusTotal and see what you get? It should show you the hash for the file there too, which you could check against http://www.faultwire....exe*56113.html which is the only result in Google when you put the file path in.

#5 Fom (New Member, 18 posts)

Posted 28 February 2011 - 04:28 AM

Made a copy of the file to my desktop and was able to get it rar'd from there.

Attached Files



#6 Fom (New Member, 18 posts)

Posted 28 February 2011 - 04:37 AM

From VirusTotal

File already submitted: The file sent has already been analysed by VirusTotal in the past. This is some basic info regarding the sample itself and its last analysis:
MD5: 2fe97a3052e847190a9775431292a3a3
Date first seen: 2010-01-26 13:07:46 (UTC)
Date last seen: 2010-11-19 07:53:54 (UTC)
Detection ratio: 0/43

#7 dook (New Member, 5 posts)

Posted 28 February 2011 - 04:42 AM

All signs point to false positive I guess, but will wait to hear from one of the top dogs around here before I let out a sigh of relief just yet :)

#8 Fom (New Member, 18 posts)

Posted 28 February 2011 - 05:00 AM

All signs point to false positive I guess, but will wait to hear from one of the top dogs around here before I let out a sigh of relief just yet :)

I believe it's probably a FP too, but I'll wait for an official word as well. The whole reason I ran this scan was because the Hotmail account I use for random forums and stuff got "locked" for violating their TOS (usually due to someone getting into the account and sending out spam, according to the little FAQ it gave me), so I went through the little process to get it unlocked, logged in, and nothing seemed out of the ordinary. No random emails in the sent folder or anything like that. However, someone did get into that account a few months back due to just a weak password, I believe, and did send out a bunch of spam (there was lots of stuff in my sent folder and lots of failed-delivery stuff in my inbox back then), which kind of leads me to believe the locking of the account was due to that incident a few months back and that they just now got around to reviewing it. If this does turn out to be a FP, talk about a coincidence to make you paranoid though lol.

#9 Ocelot (New Member, 1 post)

Posted 28 February 2011 - 05:09 AM

I've got this on both of my computers also. Only detected after updating to the 5900 database.
I did find the one file and delete it on the first computer I found it on, but after having it pop up on the second computer, in a few spots (either windows\winsxs or windows\System32), I figured I'd try to find out more about this, and I'm hoping it's a false positive.

#10 nosirrah (Forum Deity, Administrators, 5,452 posts, Northampton, MA USA)

Posted 28 February 2011 - 05:23 AM

This will be fixed in just a minute.
Bruce Harrison
Vice President of Research


#11 dook (New Member, 5 posts)

Posted 28 February 2011 - 05:24 AM

So was it a false positive then mate?

#12 nosirrah (Forum Deity, Administrators, 5,452 posts, Northampton, MA USA)

Posted 28 February 2011 - 05:34 AM

Yes, and it should now be fixed.
Bruce Harrison
Vice President of Research


#13 Fom (New Member, 18 posts)

Posted 28 February 2011 - 05:42 AM

Yup, all clean with database version 5901.

#14 jean2422 (New Member, 2 posts)

Posted 28 February 2011 - 07:20 AM

I quarantined icardagt.exe but did not permanently delete it. Now I can't restore it. When I click restore it disappears, but then reappears in the trojan list when I return to that tab. The file still exists in the proper folder, but still shows as a threat even with the new update. If I reboot, MBAM wants to make changes, but I stopped it. Should I allow? Any help? Thanks.

#15 dontspywaremebro (New Member, 2 posts)

Posted 28 February 2011 - 07:59 AM

I registered this morning realizing this too. I as well thought it was a false positive, since I ran a scan after the Service Pack 1 update, but continued to register here just in case. So all signs point to this being a false positive? I was quick as well to quarantine and remove this file from my computer, as the description "backdoor.bot" sounded like a nasty bug; however, all signs point to icardagt.exe being a legit program from Microsoft for Net Access 2.0 (if I recall correctly).

So, in short, I'm looking for just reassurance from the big dogs. Is this truly a false positive?

P.S., is this file essential at all if it truly is a false positive?

Thanks!

#16 nosirrah (Forum Deity, Administrators, 5,452 posts, Northampton, MA USA)

Posted 28 February 2011 - 08:03 AM

The file still exists in the proper folder


Please confirm that the file that was detected is still in its correct folder and not deleted. If this is the case, it was likely restored by Windows itself.

If this is the case all you need to do is delete the file from quarantine.
Bruce Harrison
Vice President of Research


#17 dontspywaremebro (New Member, 2 posts)

Posted 28 February 2011 - 08:09 AM

Please confirm that the file that was detected is still in its correct folder and not deleted. If this is the case, it was likely restored by Windows itself.

If this is the case all you need to do is delete the file from quarantine.

So, then Microsoft should automatically restore this file for those of us who deleted it? This is truly a false positive? This had me B) when I saw it.

Sorry if I'm making you repeat yourself, I just need the reassurance! B)

#18 jean2422 (New Member, 2 posts)

Posted 28 February 2011 - 08:15 AM

It's in the right folder. MBAM wanted to delete it after a restart. When I did restart and MBAM came up, I didn't allow it to run or make changes (Win7). Then I got a blue screen with a memory problem. I restored the registry back 4 days and booted. My original file was still there; MBAM still showed it in the trojan list. I deleted it from the list, but it seems to keep reappearing. Is there any other way to get it off the quarantine list?

#19 buzzard302 (New Member, 1 post)

Posted 28 February 2011 - 09:19 AM

I had the same detection, with an identical path and file name. I was also on database version 5900. I will restore the file after work today as long as it is concluded that this was a true false positive.

#20 tetherton (New Member, 5 posts)

Posted 28 February 2011 - 10:14 AM

I encountered this issue last night while scanning my g/f's C: drive, which I had hooked up as an eSATA slave to my PC (she was having problems with the drive). The OS is Windows 7 Professional 64-bit.

One thing I noticed about the false positive is that it would only alert about the BACKDOOR.BOT trojan when the icardagt.exe file was outside of the C:\windows\system32 directory; it would scan clean from within c:\windows\system32. I verified this on 4 different computers of mine. I'm assuming the error must have been related to the software thinking it was a trojan due to it being in the incorrect location. Interestingly for me, when I was scanning my g/f's C: drive, it was connected via eSATA to my PC and showed as the H:\ drive, so MBAM alerted me to the H:\windows\system32 copy as well, presumably since it, too, is outside of C:\windows\system32.

This problem did not exist with the scanning DB version from 2/20, which I tested by restoring an image from then to my PC. It only happened with version 5900, which I pulled last night. Today's 5904 seems to have corrected the false positive.
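The checks the thread does by hand can be scripted: post #4 asks for the file's hash so it can be compared with VirusTotal, post #6 quotes the MD5 VirusTotal returned, and post #20 observes that where icardagt.exe sat on disk decided whether it was flagged, including a copy under H:\windows\system32 on an attached drive. The Python script below is an added example and is not code from the thread or from Malwarebytes. It parses the WinSxS component folder name out of the detected path and confirms the public key token is the one Microsoft uses for Windows components (31bf3856ad364e35), hashes a file so its MD5 can be compared with the VirusTotal report, and classifies whether a path is a location where the component is expected on any drive letter rather than only C:. The path and MD5 are the ones quoted in posts #1 and #6; the regular expression for the folder layout, the location rule and all function names are my assumptions.

```python
"""Triage helper for a Windows component flagged inside WinSxS.

Added example, not code from the thread or from Malwarebytes. It scripts
the manual checks the posters did: read the WinSxS folder name, hash the
file for comparison with VirusTotal, and decide whether the path is a
place where the component belongs on any drive letter.
"""
import hashlib
import re
import sys
from pathlib import PureWindowsPath
from typing import Optional

# Public key token Microsoft uses to sign Windows OS components (the
# 16-hex-digit field in every WinSxS component folder name).
MICROSOFT_WINDOWS_TOKEN = "31bf3856ad364e35"

# MD5 VirusTotal reported for icardagt.exe in post #6 (0/43 detections).
KNOWN_GOOD_MD5 = "2fe97a3052e847190a9775431292a3a3"

# The path Malwarebytes flagged in post #1.
DETECTED_PATH = (r"c:\Windows\winsxs\amd64_wcf-icardagt_exe_31bf3856ad364e35"
                 r"_6.1.7600.16385_none_8dcc9c6f8b58a5eb\icardagt.exe")

# Assumed folder layout: <arch>_<name>_<pubkeytoken>_<version>_<culture>_<hash>.
# The name field may itself contain underscores, so it is matched lazily and
# anchored by the 16-hex-digit token that follows it.
_WINSXS_DIR = re.compile(
    r"^(?P<arch>[a-z0-9]+)_(?P<name>.+?)_(?P<token>[0-9a-f]{16})"
    r"_(?P<version>\d+\.\d+\.\d+\.\d+)_(?P<culture>[^_]+)_(?P<hash>[0-9a-f]{16})$",
    re.IGNORECASE,
)


def parse_winsxs_component(path: str) -> Optional[dict]:
    r"""Fields of the WinSxS component folder that directly contains `path`,
    or None unless the path has the shape <...>\winsxs\<component>\<file>."""
    parts = PureWindowsPath(path).parts
    lowered = [p.lower() for p in parts]
    if "winsxs" not in lowered:
        return None
    i = lowered.index("winsxs")
    if len(parts) != i + 3:          # exactly one component folder, then the file
        return None
    m = _WINSXS_DIR.match(parts[i + 1])
    if m is None:
        return None
    info = m.groupdict()
    info["microsoft_signed_token"] = info["token"].lower() == MICROSOFT_WINDOWS_TOKEN
    return info


def hash_bytes(data: bytes) -> dict:
    """MD5 (what VirusTotal quoted in the thread) and SHA-256 of a buffer."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def hash_file(path: str) -> dict:
    """Same digests for a file on disk, read in 64 KiB chunks."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def matches_known_md5(md5_hex: str, known: str = KNOWN_GOOD_MD5) -> bool:
    """Case-insensitive comparison against the MD5 from the VirusTotal report."""
    return md5_hex.strip().lower() == known.strip().lower()


def is_expected_component_location(path: str) -> bool:
    r"""True for <drive>:\Windows\System32\<file> or a well-formed
    <drive>:\Windows\WinSxS\<component>\<file>, on ANY drive letter.

    Post #20 saw the file flagged everywhere except C:\Windows\System32,
    including the H:\Windows\System32 copy on an attached drive; a rule
    written relative to the Windows root instead of a fixed drive letter
    does not misfire that way."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    if len(parts) < 4 or not re.fullmatch(r"[a-z]:\\", parts[0]):
        return False                      # relative path or no drive root
    if parts[1] != "windows":
        return False
    if parts[2] == "system32":
        return len(parts) == 4            # file directly inside System32
    if parts[2] == "winsxs":
        return parse_winsxs_component(path) is not None
    return False


def triage(path: str, digests: Optional[dict] = None) -> dict:
    """Combine the checks; pass `digests` to avoid reading the disk."""
    digests = digests if digests is not None else hash_file(path)
    component = parse_winsxs_component(path)
    return {
        "path": path,
        "expected_location": is_expected_component_location(path),
        "component": component,
        "microsoft_token": bool(component and component["microsoft_signed_token"]),
        "md5": digests["md5"],
        "sha256": digests["sha256"],
        "md5_matches_virustotal_report": matches_known_md5(digests["md5"]),
    }


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else DETECTED_PATH
    for key, value in triage(target).items():
        print(f"{key}: {value}")
```

Run it as `python triage_winsxs.py <path-to-icardagt.exe>` on the machine that still has the file. A matching MD5 only shows that the file is the same one VirusTotal had already seen with 0/43 detections, which is exactly the evidence posts #6 and #7 relied on; the token and location checks add that the file is in a folder whose name claims Microsoft's signing key and that it sits where a Windows component belongs, whatever drive letter the volume was given.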
