

I rec'd an EAM detection notice in C:\WINDOWS\MBR.exe of Backdoor.Win32.IRCNite.pl!A2 a couple of days ago. At the time EAM was requesting a restart due to updates. I restarted the system and EAM downloaded more updates at startup. I then ran a deep scan and the infection was no longer detected. I'm asking for assistance in determining if this was a false positive or not as MBR.exe is involved. Thank you for any help in this matter.

The 1st EAM log is the initial detection of Backdoor.Win32.IRCNite.pl!A2

The 2nd EAM log is the most current with all updates.

Thanks in advance for any help



Hi XonE32,

Your previous message was removed because you posted into another user's thread

Thanks for creating the separate request as suggested

Your 1st EAM report has outdated signatures "7/25/2010" and it is a Custom Scan

Your second report is a Quick Scan - that one, despite having more recent signatures, will show only currently active processes

At the same time - it will not show inactive suspects whether those are real malware (genuine detections) or False Positives

The Smart or Deep & Custom Scans may show them

The file in question was reported as being flagged but it may be an FP ... probably you were running some utilities on your own... GMER or others...

Therefore, irrespective of that, please submit the file as described in Submitting suspected False Positives for analysis

All log files will be reviewed by one of the malware fighters

My regards


Hi Lynx,

Yes I saw yer note in the other thread, my bad. Forgot the anti-malware forum is more stringent as I haven't posted here in a while. Anyway, thank you for the response.

I'm a little confused and may have a setting wrong somewhere regarding the "custom scan" issue.

I have my scheduled scan to take place late at night and don't see anywhere in EAM to set it (the scheduled scan) as a "deep scan". In other words ALL of my late night scheduled scans are labeled "custom scan". Is this normal and if not can it be changed to "deep scan"?

At the time of noticing the detection I was being asked by EAM to restart (due to updates). I restarted the pc as per EAM instructions and then more updates came in at start up. After all updates were downloaded I ran a deep scan and no detection was found in MBR.exe.

I don't know what GMER is unfortunately, but I have heard of it.

In any case I have submitted MBR.exe as per option #3 below. With luck this will be resolved.

3) Submitting via e-mail as an attachment

- send the suspect(s) to [email protected]

- Before submitting, create a password protected archive (ZIP or RAR) containing the file(s). Please password protect the archive with word: “fp” (no quotes)

Read Archiving Files With Password Before The Submission

Thanks for your response and I look forward to hearing from EMSI re: the "custom scan" labeling for my scheduled scans and thanks in advance.




This topic is now closed to further replies.
