I got a backdoor virus, it won't go away

[Misuzu]

Well, either my family member got it, or I did by downloading something from The Sims 3 website (A PC video game).
MBAM found it and said it successfully removed it.

Malwarebytes' Anti-Malware 1.44
Database version: 3896
Windows 6.0.6001 Service Pack 1
Internet Explorer 8.0.6001.18882

3/21/2010 6:47:46 PM
mbam-log-2010-03-21 (18-47-46).txt

Scan type: Quick Scan
Objects scanned: 107925
Time elapsed: 6 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\protect_ie (Backdoor.Celofot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


How can I be sure this is truly gone?
I'm going to do another scan now...
Thanks in advance!

[Misuzu]

Oh no... I did another quick scan and it's still there...

Malwarebytes' Anti-Malware 1.44
Database version: 3896
Windows 6.0.6001 Service Pack 1
Internet Explorer 8.0.6001.18882

3/21/2010 6:58:28 PM
mbam-log-2010-03-21 (18-58-28).txt

Scan type: Quick Scan
Objects scanned: 108011
Time elapsed: 5 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\protect_ie (Backdoor.Celofot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

How can I get rid of it?

EDIT: I did another quick scan and it's still there. The exact same malware... I'll do a scan with Avast next.

[polonus]

Hi Misuzu,

Here is the removal info described in extenso:
http://www.threatexpert.com/report.aspx?md5=6fa353fa19179dbfdb82633585384316
This is the detecting item: Files by MD5  MD5: 961E1E064B81D1FB9011C3C3C483EC2C Size: 15360

One could also use the Bitdefender Removal Tool for this form of backdoor hacktool removal:
http://www.bitdefenderthailand.com/download/removaltools/BDMalwareRemoval.zip

polonus

[Pondus]

@polonus
you are the expert but are you sure you posted the correct link to ThreatExpert ?
the bug in your link is called W32:SpyAgent ?

Here is about Backdoor.Celofot
http://www.threatexpert.com/report.aspx?md5=553b0f01e56f8ef6fe7006882c536e43

[Misuzu]

Thank you both for the help.

So basically you can get this virus from downloading something? I probably got it then. :/

Sorry to ask, but I never heard of this Bitdefender Removal Tool before, is it safe? (I'm sure it is, but I've heard of people getting viruses from downloads of removal tools).

Thanks so much for the help!

EDIT: Avast couldn't find anything by the way.

[Pondus]

Sorry to ask, but I never heard of this Bitdefender Removal Tool before, is it safe?

Here in the avast forum we only recomend tools that are not safe..........


Cant fiend the tool Polonus recomended but Bitdefender have an online scanner you can try........and yes it is safe
http://www.bitdefender.com/scanner/online/free.html

[Misuzu]

Sorry to ask, but I never heard of this Bitdefender Removal Tool before, is it safe?

Here in the avast forum we only recomend tools that are not safe..........

I'm sorry, but I believe I got a virus from a link that someone posted once from YouTube (I hear it has quite a bit of viruses).

I apologize polonus. I hope I didn't offend you. I'll download the tool right away.

I'm a virus-freak and I'm pretty sure I did get a virus from a link someone posted here, but who knows, maybe I didn't. Oh well, no need worrying about that now.  

Thank you both for your help.
I apologize again, I didn't want to offend either one of you, I'm just a virus-freak.  

EDIT: I checked the Bitdefender website, I should have did that first because that website looks really safe. Hehe... I am so sorry.

[polonus]

Hi Pondus,

Bitdefender is a reputable regular av solution, see: http://www.bitdefender.com/
The link I found on a cleansing posting for the mentioned malware, and it could well be the ThreatExpert link is the one you mentioned....

I checked it with DrWeb online scanner here: http://www.bitdefenderthailand.com/download/removaltools/BDMalwareRemoval.zip redirects to http://www.bitdefender.com/world/download/removaltools/BDMalwareRemoval.zip

Checking: http://www.bitdefender.com/world/download/removaltools//themes/bd10/scripts/curvycorners.src.js
File size: 15.80 KB
File MD5: 31b99a550edbc11a5688f012e9e66df2

http://www.bitdefender.com/world/download/removaltools//themes/bd10/scripts

polonus

[Misuzu]

I see that now. It worked very well. It found 1 virus like MBAM did.

Okay, I have the logfile up and the BitDefender Quickscan tab still on my internet browser, what do I do to get rid of the virus with BitDefender?

It just says:

BitDefender QuickScan

Found 1 infected file!   View log
Find more.

What should I do?
Thanks.

EDIT: I just hit the BitDefender icon on the bottom of my Internet Browser and it did a very very quick scan and it said I had no infected files now... Did simply just scanning with BitDefender get rid of it?

[polonus]

Hi Misuzu,

Run the tool here: http://www.bitdefender.com/world/download/removaltools/BDMalwareRemoval.zip
and give it a twirl,

polonus

[Misuzu]

Hi Misuzu,

Run the tool here: http://www.bitdefender.com/world/download/removaltools/BDMalwareRemoval.zip
and give it a twirl,

polonus

Thank you.
I did that, and it said I had no infections (Even though I didn't quarantine anything... Or does BitDefender just automatically get rid of the infections?). That website was the one I went to in the first link you posted.
Unfortunately MBAM still says I have the same virus.

[burrellbuzzman]

hi, would just like to say that i have got the same problem, along with a "Hijack.DisplayProperties" 'virus'

The hijack display properties one is something that has come up numerous times after reformatting and reinstalling windows, in this case i have just got rid of it, but then discovered the same 'virus' described in your thread... again this hasn't come up before when i have reformatted windows, but baring in mind i have litterally just installed the OS and it has only been conected to the internet to download the windows updates and update my virus programs i suspect this is likely to be a false positive... i am 100% sure but considering i havnt even surfed the net i don't know why this would come up

I'll ask on MBAM forums and send a link if i get any helpful information :-)

Rob

[burrellbuzzman]

didn't need to post anything! so i suspect this is a common problem heres a link with some information

http://forums.malwarebytes.org/index.php?showtopic=44113

[burrellbuzzman]

just updted MBAM and the problem is gone, just a false positive, do another scan and if it is still their then maybe it is the real thing

[Misuzu]

just updted MBAM and the problem is gone, just a false positive, do another scan and if it is still their then maybe it is the real thing

Oh I see, I was wondering if it was a FP, but I thought that was a little unlikely, but apparently it may just be that.

Thank you for posting this!  

What version of MBAM do you use?

I'm going to update and scan MBAM now and see what happens.


EDIT: Okay I updated MBAM and did another quick scan and it was gone!  

You was right burrellbuzzman. It was a FP. Thanks for posting that information!

Thanks so much for helping everyone! I really appreciate it!
 

EDIT: Um, I deleted the false positive "Backdoor.Celofot" from MBAM's quarantine, would that hurt my computer because I deleted a item that wasn't really a virus, but rather a FP?