False Positive?


dook


Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5900

Windows 6.1.7601 Service Pack 1 (Safe Mode)

Internet Explorer 8.0.7601.17514

28/02/2011 07:59:21

mbam-log-2011-02-28 (07-59-21).txt

Scan type: Full scan (C:\|)

Objects scanned: 341842

Time elapsed: 41 minute(s), 44 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\Windows\winsxs\amd64_wcf-icardagt_exe_31bf3856ad364e35_6.1.7600.16385_none_8dcc9c6f8b58a5eb\icardagt.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

I tried searching about this .exe and I can't tell if it's a genuine backdoor or not. I ran a full scan in safe mode. I also ran AVG in safe mode with command prompt and it was clean.

I removed the file to be safe, but want to know if this was a real threat before I bother changing all passwords etc. and do a full format.


sorry for double reply.

I checked your log and the filepath is identical to mine.

Seeing as you still have the file and I don't, could you upload it to VirusTotal and see what you get? It should show you the hash for the file there too, which you could check against http://www.faultwire.com/file_detail/icardagt.exe*56113.html which is the only result in Google when you put the file path in.


From VirusTotal

File already submitted: The file sent has already been analysed by VirusTotal in the past. This is some basic info regarding the sample itself and its last analysis:

MD5: 2fe97a3052e847190a9775431292a3a3

Date first seen: 2010-01-26 13:07:46 (UTC)

Date last seen: 2010-11-19 07:53:54 (UTC)

Detection ratio: 0/43


All signs point to false positive I guess, but I will wait to hear from one of the top dogs around here before I let out a sigh of relief just yet :)

I believe it's probably a FP too, but I'll wait for an official word as well. The whole reason I ran this scan was because the Hotmail account I use for random forums and stuff got "locked" for violating their TOS (usually due to someone getting into the account and sending out spam, according to the little FAQ it gave me), so I went through the little process to get it unlocked, logged in, and nothing seemed out of the ordinary. No random emails in the sent folder or anything like that. However, someone did get into that account a few months back, due to just a weak password I believe, and did send out a bunch of spam (there was lots of stuff in my sent folder and lots of failed delivery stuff in my inbox back then), which kind of leads me to believe the locking of the account was due to that incident a few months back and that they just now got around to reviewing it. If this does turn out to be a FP, talk about a coincidence to make you paranoid, though, lol.


I've got this on both of my computers also. Only detected after updating to the 5900 database.

I did find the one file and delete it on the first computer I found it on, but after having it pop up on the second computer, in a few spots (either windows\winsxs or windows\System32) I figured I'd try to find out more about this, and I'm hoping it's a false positive.


I quarantined icardagt.exe but did not permanently delete it. Now I can't restore it. When I click restore it disappears, but then reappears in the trojan list when I return to that tab. The file still exists in the proper folder, but still shows as a threat even with the new update. If I reboot, MBAM wants to make changes, but I stopped it. Should I allow? Any help? Thanks.


I registered this morning after realizing this too. I as well thought it was a false positive, since I ran a scan after the Service Pack 1 update, but continued to register here just in case. So all signs point to this being a false positive? I was quick as well to quarantine and remove this file from my computer, as the description "backdoor.bot" sounded like a nasty bug; however, all signs point to icardagt.exe being a legit program from Microsoft for Net Access 2.0 (if I recall correctly).

So, in short, I'm looking for just reassurance from the big dogs. Is this truly a false positive?

P.S., is this file essential at all if it truly is a false positive?

Thanks!


The file still exists in the proper folder

Please confirm that the file that was detected is still in its correct folder and not deleted. If this is the case, it was likely restored by Windows itself.

If this is the case all you need to do is delete the file from quarantine.


Please confirm that the file that was detected is still in its correct folder and not deleted. If this is the case, it was likely restored by Windows itself.

If this is the case all you need to do is delete the file from quarantine.

So, then Microsoft should automatically restore this file for those of us who deleted it? This is truly a false positive? This had me B) when I saw it.

Sorry, if I'm making you repeat yourself, just need the reassurance! B)


It's in the right folder. MBAM wanted to delete it after a restart. When I did restart and MBAM came up, I didn't allow it to run or make changes (Win7). Then I got a blue screen with a memory problem. I restored the registry back 4 days and booted. My original file was still there, and MBAM still showed it in the trojan list. I deleted it from the list, but it seems to keep reappearing. Is there any other way to get it off the quarantine list?


I encountered this issue last night while scanning my g/f's C: drive that I had hooked up as an eSATA slave to my PC (she was having problems with the drive). The OS is Windows 7 Professional 64bit.

One thing I noticed about the false positive is that it would only alert about the BACKDOOR.BOT trojan when the icardagt.exe file was outside of the C:\windows\system32 directory; it would scan clean from within c:\windows\system32. I verified this on 4 different computers of mine. I'm assuming the error must have been related to the software thinking it was a trojan due to it being in the incorrect location. Interestingly for me, when I was scanning my g/f's C: drive, it was connected via eSATA to my PC and showed as the H:\ drive, so MBAM alerted me to the H:\windows\system32 copy as well - presumably since it, too, is outside of C:\windows\system32.

This problem did not exist with the scanning DB version from 2/20 that I tested by restoring an image from then to my PC. It only happened with version 5900 that I pulled last night. Today's 5904 seems to have corrected the false positive.

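The triage the thread does by hand (hash the file and compare it with the sample VirusTotal scored 0/43; note whether the copy sits in WinSxS/System32 or somewhere else, which is what the path-dependent detection above hinges on) can be done in one script. The following is an added example, not code from the thread or from Malwarebytes, and it adds one check the posters did not run: the file's Authenticode status. Assumptions: the default -Path is the WinSxS copy from the opening log, -ExpectedMd5 is the MD5 quoted from VirusTotal above, and the function names and the location regex are chosen here.

```powershell
# Added triage script for a suspected false positive on a Windows component.
# Not from the thread. Assumptions: the default -Path is the WinSxS copy named
# in the OP's log; -ExpectedMd5 is the MD5 quoted from VirusTotal above;
# function names are chosen here. Run from an elevated PowerShell prompt.
param(
    [string]$Path = 'C:\Windows\winsxs\amd64_wcf-icardagt_exe_31bf3856ad364e35_6.1.7600.16385_none_8dcc9c6f8b58a5eb\icardagt.exe',
    [string]$ExpectedMd5 = '2fe97a3052e847190a9775431292a3a3'
)

function Get-HashHex {
    param([string]$File, [string]$Algorithm)
    # .NET hashing runs on PowerShell 2.0 (the Windows 7 era); Get-FileHash
    # only arrived with PowerShell 4.0.
    $algo   = [System.Security.Cryptography.HashAlgorithm]::Create($Algorithm)
    $stream = [System.IO.File]::OpenRead($File)
    try     { $bytes = $algo.ComputeHash($stream) }
    finally { $stream.Close() }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '').ToLower()
}

function Test-SuspectFile {
    param([string]$File, [string]$KnownMd5)

    if (-not (Test-Path -LiteralPath $File)) {
        # Deleted by the scanner, or never present at this path.
        return New-Object PSObject -Property @{ Path = $File; Present = $false }
    }

    $md5    = Get-HashHex -File $File -Algorithm 'MD5'
    $sha256 = Get-HashHex -File $File -Algorithm 'SHA256'

    # Check 1: is this byte-for-byte the sample VirusTotal already scored?
    # A match only says "same file as the 0/43 sample", not "clean".
    $hashMatch = ($md5 -eq $KnownMd5.ToLower())

    # Check 2: Authenticode. Windows components are usually catalog-signed,
    # not embedded-signed. Get-AuthenticodeSignature only consults catalogs
    # from PowerShell 5.1 onward, so on Windows 7 a genuine component can
    # report NotSigned; treat that as "inconclusive", not "tampered".
    $sig    = Get-AuthenticodeSignature -FilePath $File
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }

    # Check 3: location. WinSxS (the component store) and System32 are where
    # this binary belongs; the posts above report the detection only fired on
    # copies outside C:\Windows\System32, including a slaved drive seen as H:.
    $inExpectedDir = ($File -match '\\Windows\\(winsxs|System32)\\')
    $onSystemDrive = ($File.Substring(0, 2) -eq $env:SystemDrive)

    New-Object PSObject -Property @{
        Path            = $File
        Present         = $true
        MD5             = $md5
        SHA256          = $sha256
        MatchesKnownMD5 = $hashMatch
        SignatureStatus = $sig.Status.ToString()
        Signer          = $signer
        InExpectedDir   = $inExpectedDir
        OnSystemDrive   = $onSystemDrive
    }
}

$result = Test-SuspectFile -File $Path -KnownMd5 $ExpectedMd5
$result | Format-List

# sfc compares the live System32 copy against the component store using the
# catalogs, so it gives a catalog-aware answer on Windows 7 where the
# PowerShell signature check cannot. Path assumed from the file name.
if ($result.Present -and $result.SignatureStatus -eq 'NotSigned') {
    $live = Join-Path $env:SystemRoot ("System32\" + (Split-Path $Path -Leaf))
    Write-Output "Signature check inconclusive on this PowerShell version; verify via catalog:"
    Write-Output "  sfc /verifyfile=$live"
}
```

Read the three fields together rather than any one alone: MatchesKnownMD5 ties the copy to the sample VirusTotal last analysed in November 2010 (which predates database 5900, so it says nothing about why 5900 fired), SignatureStatus of Valid with a Microsoft signer is strong evidence on its own, and a copy that is InExpectedDir but not OnSystemDrive is exactly the slaved-drive case described in the last post. On Windows 7 the System32 copy is typically a hard link into the WinSxS store, which is why Windows can "restore" a deleted copy without any download; `fsutil hardlink list <file>` shows the other names for the same data.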
