Solved

Backdoor.Bot reported by Malwarebytes in regsvr.exe

Posted on 2010-01-08
Medium Priority
1,007 Views
Last Modified: 2013-11-22
I just ran Malwarebytes Anti-Malware software on a Windows 2003 server that was severely out-of-date with Windows updates.  This server is not even running SP2 or SP2.  This software found and deleted (quarantined) the file "C:\Windows\system32\Regsvr.exe" and removed the registry key "C:\Windows\system32\Regsvr.exe" in "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDLLs\".
Now I am concerned as I believe this is a required system file but don't know the best method of replacing.
Any help?
Question by:wwITman
7 Comments
LVL 21

Expert Comment

by:farazhkhan
ID: 26213140
Hi,

Open Malwarebytes, go to the quarantine section and undelete this file.

Regards,
Faraz H. Khan

Author Comment

by:wwITman
ID: 26213269
Yes, I realize I can un-quarantine, but that would be assuming that it was a false positive.
LVL 21

Accepted Solution

by:
farazhkhan earned 1000 total points
ID: 26213328
Hi,

For me this is a real bot; go ahead and delete it.

If you want, you can take a registry backup and others.

Regards,
Faraz H. Khan

Author Comment

by:wwITman
ID: 26213568
But isn't "regsvr.exe" a required system file?  I think it is... my question was what is the best method to replace the deleted file with a legitimate one...
LVL 21

Expert Comment

by:farazhkhan
ID: 26213818
Hi,

Apply the latest service packs and patches by running Windows Update, or you can repair Windows to replace the file.

Regards,
Faraz H. Khan
LVL 6

Assisted Solution

by:kennyhenao
kennyhenao earned 1000 total points
ID: 26213890
No, it is not a system file. The correct file is regsvr32.exe
You can remove this file.

Author Comment

by:wwITman
ID: 26213943
Well, that is good to know.  I assumed it was legit as another server on the same network also had this file.
I will do an SFC scan to check this server.
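The check the last two posts arrive at (is this really `regsvr32.exe`, or an unsigned lookalike named `regsvr.exe`?) can be scripted. The following is an added example, not code from the thread or from Malwarebytes; it assumes a modern Windows host with PowerShell 5.1 or later, and the list of genuine binary names is a constructed starting point.

```powershell
# Triage a binary under System32: Authenticode status, signer, hash, and whether
# its name is a truncation of a genuine Windows binary (regsvr.exe vs regsvr32.exe).
function Test-SuspiciousSystemBinary {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Constructed list of genuine binary names to compare against; extend as needed.
        [string[]] $KnownNames = @('regsvr32.exe', 'svchost.exe', 'lsass.exe', 'csrss.exe', 'services.exe')
    )

    $result = [ordered]@{
        Path        = $Path
        Exists      = Test-Path -LiteralPath $Path
        Signature   = 'NotChecked'
        Signer      = $null
        SHA256      = $null
        LookalikeOf = $null
        Verdict     = 'Unknown'
    }
    if (-not $result.Exists) { $result.Verdict = 'FileMissing'; return [pscustomobject]$result }

    # Genuine Windows binaries are usually catalog-signed; on current Windows
    # Get-AuthenticodeSignature resolves catalog signatures as well as embedded ones.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result.Signature = $sig.Status.ToString()
    if ($sig.SignerCertificate) { $result.Signer = $sig.SignerCertificate.Subject }
    $result.SHA256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    # Name check: a file whose name is a prefix/truncation of a genuine binary,
    # but is not that binary, deserves a closer look.
    $name      = [IO.Path]::GetFileName($Path).ToLowerInvariant()
    $candidate = [IO.Path]::GetFileNameWithoutExtension($name)
    foreach ($known in $KnownNames) {
        $stem = [IO.Path]::GetFileNameWithoutExtension($known)
        if ($name -ne $known -and ($stem.StartsWith($candidate) -or $candidate.StartsWith($stem))) {
            $result.LookalikeOf = $known
        }
    }

    $validMs = ($sig.Status -eq 'Valid') -and ($result.Signer -like '*Microsoft*')
    if ($validMs)                  { $result.Verdict = 'SignedByMicrosoft' }
    elseif ($result.LookalikeOf)   { $result.Verdict = 'Suspicious: unsigned lookalike' }
    else                           { $result.Verdict = 'Unsigned: investigate' }
    return [pscustomobject]$result
}

Test-SuspiciousSystemBinary -Path "$env:SystemRoot\System32\regsvr.exe"
Test-SuspiciousSystemBinary -Path "$env:SystemRoot\System32\regsvr32.exe"
```

The hash in the output is what you would submit to a reputation service or compare against a known-good copy from another patched host; "Unsigned: investigate" is a prompt to verify, not a verdict, since older hosts may report genuine catalog-signed files as NotSigned.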