WiredWX Christian Hobby Weather Tools

Re: Backdoor.Bot and Trojan.Agent

Heh, AVG and SAS won't interfere unless you have the paid-for version of them, but I know TeaTimer always gets in the way.

Please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts

Re-scan again and remove the files, then re-enable TeaTimer and see if they come back this time.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: Backdoor.Bot and Trojan.Agent

Nope, no difference. I disabled TeaTimer, ran MBAM scan and got the 2 results, reboot, enable TeaTimer, MBAM still gives me the same two entries. Good idea though, it would've been a good fit for me if the solution turned out to be so simple after all.

Malwarebytes' Anti-Malware 1.37
Database version: 2295
Windows 5.1.2600 Service Pack 3

6/19/2009 1:31:54 PM
mbam-log-2009-06-19 (13-31-54).txt

Scan type: Quick Scan
Objects scanned: 93300
Time elapsed: 5 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\rundll32.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\rundll.exe (Trojan.Agent) -> Quarantined and deleted successfully.




Malwarebytes' Anti-Malware 1.37
Database version: 2295
Windows 5.1.2600 Service Pack 3

6/19/2009 1:43:14 PM
mbam-log-2009-06-19 (13-43-14).txt

Scan type: Quick Scan
Objects scanned: 93574
Time elapsed: 6 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\rundll32.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\rundll.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Re: Backdoor.Bot and Trojan.Agent

Darn. Okay, first, update MBAM; you still have 1.37. Get the newest version, which is 1.38, and database version 2308.

Does 1.38 still find them?

Re: Backdoor.Bot and Trojan.Agent

I go to update it and the update downloads, but then gives me an error during setup saying "This program requires Windows NT version 4.0 or later."

Re: Backdoor.Bot and Trojan.Agent

Hmm. Try uninstalling MBAM via Add/Remove Programs, then download and install a new setup file for 1.38:

http://www.malwarebytes.org/mbam/program/mbam-setup.exe

Re: Backdoor.Bot and Trojan.Agent

Weird, they didn't show up this time. I'm still a bit nervous, but glad that they're not showing up anymore. Do you think it was just a fluke or something? Here's the newest log, just for posterity:

Malwarebytes' Anti-Malware 1.38
Database version: 2309
Windows 5.1.2600 Service Pack 3

6/19/2009 7:36:00 PM
mbam-log-2009-06-19 (19-36-00).txt

Scan type: Quick Scan
Objects scanned: 94229
Time elapsed: 8 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Thank you yet again for your enormous patience and expertise!

Re: Backdoor.Bot and Trojan.Agent

More than likely a bug or false positive in 1.37. 1.38 has sorted that now. :)
