rzaruba (Member, join:2000-08-04)

W32/Backdoor2.EMEB flagging

Yesterday I got disinfection flags on all three computers from IOLO saying it had intercepted W32/Backdoor2.EMEB and deleted the files associated with the Trojan.

All three instances of FTP.EXE in Windows have been deleted and attempts to restore known good files are met with the same results.

Three files in system restore were also flagged and deleted.

Googling the W32 variant shows numerous posts about the same thing from folks using various a/v programs.

Has anyone figured this one out yet?

herb (Anon, @rr.com)

Yes!
I received the same infection notice on two PCs.
Right after they came out of standby, IOLO reported the same infection (W32/Backdoor2.EMEB) and did the same thing... it deleted system32.FTP.EXE and my SP3 backup copy.

Now this morning, it deleted a system volume file:
C:\SYSTEM VOLUME INFORMATION\{somehugenumber}\RP989\A0121157.EXE because of the same W32/Backdoor2.EMEB infection.

I reported this to IOLO...
Their highly technical reply was: “Do you still receive notification of this occurring?”

I hope IOLO's anti virus isn't running amok!

ashrc4 (Premium Member, join:2009-02-06, australia) to rzaruba

This explanation was added by a person (Jintan) claiming to be from »MalwareCrypt dot com, in the comments section of this link: »answers.yahoo.com/questi ··· 9AACbLzw
It seems plausible for now.

I would like to caution you on what you are experiencing there. ATT and other ISP's are providing their users with a free version of a combination of Freedom and RadialPoint softwares. Both of these vendors have a long, long history of producing mediocre to even poor quality antivirus and other softwares, and more often cause problems instead of being beneficial. If you do a web search for "Backdoor2.EMEB" you will see many other concerned posts from people who also have ISP provided security software, so again probably this Freedom/RadialPoint combination. Or Iolo's latest antivirus package, which also has a renamed and reworked version of an older and long-known poor quality software.

That ftp.exe file is a legit MS file, used for FTP - File Transfer Protocol functions. As such, it can be mistaken as some "backdoor" malicious program, but only by the very poorest of security softwares. And if your security software is removing legitimate system files then yes, you would start getting notifications of altered system files, as these newer and necessary files get removed.

I would suggest you de-quarantine that file your security software removed, return it, and then follow the suggestion already provided to run a scan with Malwarebytes, or SuperAntiSpyware or other known anti-malware software.

Then, as soon as you can, uninstall that ISP provided software, and replace it with either a paid, well-known software, or use a free one like Avast. If you continue to have problems you may want to follow up with a request at MalwareCrypt.com or any of the other free malware removal help forums.

I'd be uploading it to virus total myself

rzaruba (Member, join:2000-08-04) to herb

IOLO went downhill a long time ago.

I am still waiting for tech support answers from six months ago.

jc1990 (Anon, @virginmedia.com) to rzaruba

I've had the same problem on my PC with Virgin PCguard. I deleted the FTP.EXE file as well, not knowing any better. Is there any way I can get it back, and if not, how will it affect the performance of my PC?

ripped (Anon, @verizon.net) to rzaruba

I have to join in on this topic. Yes, my Iolo professional 8 security flagged & deleted this file. It's the last straw with this software package. I've complained to them that many applications are not loading. I complained that my firewall isn't working either. There's & others. The system mechanic software is supposed to prevent these type problems. Now I get an alert from the real-time protection saying it deleted my w32/backdoor2.emeb. I then get an alert from windows saying key files have been removed or changed - Please insert system software disc. It's no coincidence to me. What do you think & what should I do?

rzaruba (Member, join:2000-08-04)

This is their last chance.

No satisfaction, end of sub, and I will tell everyone why.

NRG (Anon, @bellsouth.net) to jc1990

I also deleted the file thinking that it was a virus. I got a pop up box saying to install the SP3 CD that I don't have. I did a previous restore point and was able to restore the file. So far I haven't got that pop up box again.

jc1990 (Anon, @virginmedia.com)

I deleted the file on Saturday afternoon. Is it possible to restore it to that point? I've only had a PC for 5 months, so I'm pretty clueless about this kind of thing.

Cudni, La Merma - Vigilado (MVM, join:2003-12-20, Someshire) to rzaruba

If the AV deleted it, can it be restored from quarantine, assuming there is one, or from the recycle bin if deleted by the user?

Cudni

rzaruba (Member, join:2000-08-04)

IOLO was unable to clean or quarantine the file, it was just deleted.

I restored the file from known good images, and each time it was restored, the warning flag came up and the file was deleted again.

It will be interesting if IOLO answers this one.

Jackorama, I Am Woman (Premium Member, join:2008-05-23, Kingston, ON) to rzaruba

Same thing happened to me on Saturday. My ISP av has quarantined them. I am waiting until Monday to see if any techs have info on this. If I restore them, they just get quarantined again. My bad, I use the bell av package that is Radialpoint. I did run extra full scans with Malwarebytes and Super Anti Spyware, all clean, and I also use Spywareblaster. I really want to just use the firewall in the bell package. Can the av be shut off and a different av like Avast be used without a conflict? I ask this because all the services are run under one manager and who knows when bell will get around to fixing this W32/Backdoor2.EMEB thing.

Geek4AllSeasons (Anon, @comcast.net) to rzaruba

I use Iolo System Mechanic Professional 8 on 2 XP and 1 W2K machine. Only 1 XP machine reported a W32/Backdoor2.EMEB virus alert.

My experience with iolo technical support has been terrible. They are totally useless. The product includes a broad range of features. If they cleaned up their act, IMO it would be a better value than Symantec's system utility suites.

I stopped using their support a while ago. I haven't gotten around to replacing it. This could be the last straw.

Their security components come from Antheium. I believe it's their main/only product line/business. It's hard to understand how they can be surviving without doing a decent job.

Using file/path names just doesn't make sense. Too many possible false positives and too easy for hackers to change.

I was/am hoping this is another false alarm, but I'm less certain this time than previously. I tried replacing ftp.exe with a file extracted from XP SP3. That triggered another set of virus alerts.

Countless searches for any detail on detection profiles have produced virtually nothing. The following link makes me concerned:
»blog.tigertech.net/posts ··· reading/

Ftp.exe is on all machines. The virus is being detected on only 1. That indicates something other than the file name and legitimate content is triggering the alert. It is possible that a hidden process/program is altering ftp.exe within seconds after a new copy is created. The compressed copy ftp.ex_ is not triggering an alert.

I have run rootkitrevealer on the suspect system and a W2K system. The exceptions listed appear to be normal/legitimate. No new viruses were found during a follow-up scan on the disinfected system.

Prior cases of false positives were corrected in subsequent definition updates. I will use some additional rootkit scanning tools in case there is a hidden active or inactive reinfection process.

Disclaimer: I am not a security specialist.

If there is something hidden on disk I thought of an approach to "surgically" remove it avoiding a complete system rebuild/install.

Assuming virus scanner protection extends to everything visible to the OS/standard APIs, exposure is limited to unallocated storage.

Combined use of an un-delete and a shredder should nuke anything hiding on disk. I believe the additional scanners mentioned above include memory and kernel utilities.

I don't know if it is really feasible, but IMO it's worth a try.
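A concrete way to test the two hypotheses in the post above (the detection fires on a byte-identical copy of ftp.exe, or something silently rewrites the restored copy) is to compare hashes against a known-good copy and re-hash the restored file for a short while. This is an added example, not code from the thread; the file names and paths are assumptions, and the demo files are constructed stand-ins rather than a real ftp.exe.

```python
# Added example (not from the thread): triage a suspected AV false positive by
# hashing the flagged file against a known-good copy (e.g. ftp.exe expanded from
# XP SP3 media) and re-checking a restored copy for a while for silent rewrites.
import hashlib
import os
import tempfile
import time


def sha256_of(path):  # hex SHA-256 of a file, read in 64 KiB chunks
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_to_reference(flagged, reference):
    """Verdict on the flagged file relative to the known-good reference copy."""
    if not os.path.exists(flagged):
        return {"present": False, "identical": False,
                "verdict": "missing: the AV deleted it, restore it from media"}
    same = sha256_of(flagged) == sha256_of(reference)
    return {"present": True, "identical": same, "verdict":
            "identical to known-good copy: likely a bad signature" if same
            else "differs from known-good copy: treat as suspect"}


def watch_for_change(path, seconds, interval=0.05):
    """Re-hash `path` for `seconds`; True if its content changes meanwhile."""
    baseline, deadline = sha256_of(path), time.monotonic() + seconds
    while time.monotonic() < deadline:
        if sha256_of(path) != baseline:
            return True
        time.sleep(interval)
    return False


def demo():
    """Constructed stand-in files (names and contents are not a real ftp.exe)."""
    d = tempfile.mkdtemp()
    files = {"ftp_from_sp3.exe": b"MZ" + b"\0" * 64,
             "ftp.exe": b"MZ" + b"\0" * 64,
             "ftp_altered.exe": b"MZ" + b"\0" * 63 + b"\1"}
    for name, data in files.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    ref = os.path.join(d, "ftp_from_sp3.exe")
    return (compare_to_reference(os.path.join(d, "ftp.exe"), ref)["identical"],
            compare_to_reference(os.path.join(d, "ftp_altered.exe"), ref)["identical"],
            compare_to_reference(os.path.join(d, "gone.exe"), ref)["present"],
            watch_for_change(os.path.join(d, "ftp.exe"), 0.2))
```

A match that is still flagged points at the signature rather than the file; a mismatch, or a change observed during the watch window, is the case that warrants the rootkit scans the post describes.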

Anon528 (Anon, @ameritech.net) to rzaruba

I had this issue just now on 2 of my 3 systems.

The temporary solution is to do a full scan. Let it complete, go to the settings and go to the real time and the on demand tabs and add ftp.exe to the exclusions.

I've had to do this in the past on 4 prior occasions with the software.
- once was for deleting my LapLink.EXE as a worm.
- once for deleting Sun's Java interpreter (specifically JavaW.EXE) as a virus.
- once for Helios Textpad.EXE as a virus.
- once for a file called SNMPAPI.DLL.

anon528 (Anon, @ameritech.net) to rzaruba

Oops... forum cut off the last paragraph

Once the file is in the excludes... you can restore it or get it from the CD and continue working until you find out one way or the other.

Alan A (Anon, @charter.com)

I have the same issue on a network and when the ftp.exe gets removed, my workstations will not log on to the domain anymore. Ironically, I went back to an image I had from last June and extracted the ftp.exe file. When I ran this one through iolo, it didn't identify a virus or delete it. I am not sure if it is a different version or not. Anyway, I am here on Sunday struggling to get ten workstations back on line with little luck.

rzaruba (Member, join:2000-08-04) to Anon528

528,

That solved it for now.

I have had an e-mail from IOLO so we are working on it, as well as a long lost ticket on why IOLOAV started killing mail sends thru port 587 when I am away and off my normal system.

corstr (Anon, @comcast.net) to rzaruba

So is everyone saying that this is not a real trojan?

corstr (Anon, @comcast.net) to rzaruba

sorry, I am replying instead. So is this a real trojan or just a problem with IOLO, which I am using?

rzaruba (Member, join:2000-08-04) to corstr

That's the way it looks.

Talked to a computer engineer friend of mine who is using Norton and he had no problems.

I also scanned the file with Spybot and it came up clean.

Alan A (Anon, @charter.com)

I am suspicious of this file... Not sure if iolo is right yet, BUT, when I scan any of the ftp.exe files I have here since December, they all come up with the virus flag. However, the ftp.exe file I have from last June does not. And, bottom line is, every time I restore an image, it boots OK AND logs onto the domain - Once. When I try again, I am locked out. I am in the process of restoring a June image right now... I'll let you know how I make out.

corstr (Anon, @comcast.net) to rzaruba

IOLO Antivirus keeps finding it over and over. And then I run the Malwarebyte's Anti Malware and it doesn't find anything.

Oops, there it goes again, but now it is finding "HTML/IFRAME"

What's that?

Jackorama, I Am Woman (Premium Member, join:2008-05-23, Kingston, ON) to rzaruba

I hope this is good news. There is a post at the bell support site that someone had tested the files that have been quarantined using an XP SP3 CD, the old virus definition (April 14, 2009) and the new virus definition (May 29, 2009). Also tested with AVG. No detection with the old virus definition and AVG. Quarantined with the new virus definition. Now we will have to wait until a new virus definition comes out to correct the problem.

»forums.bell.ca/viewtopic ··· 001f582d

rzaruba (Member, join:2000-08-04)

This morning's AV update seems to have eliminated the problem.

FTP.EXE can now be copied back to its proper locations without problems.

herb (Anon, @rr.com) to rzaruba

Anybody have a good substitute for IOLO System Mechanic 8 Pro?

I had another deletion this morning of a system volume file.
Not sure if it was before or after the current 91520 update.

Now, where will I find a copy of FTP.exe for XP pro SP3?
Maybe running the SP3 update again (yikes) will repair the install, or break the OS.

Alan A (Anon, @charter.com)

I just switched to Sunbelt Software's Vipre. I had been using their I Hate Spam and Counterspy for years. Now they have released Vipre which is a combination of Counterspy and a Virus scanner (ie; takes care of spyware and malware/viruses). It runs very light on memory and is working with System Mechanic OK so far (install iolo without their anti-virus). Vipre is also available for enterprise installations. BTW, we are still having issues with log-on to the domain and hope to debug and fix today. If we get it right, will post what we did.

Quasimotor (Anon, @verizon.net) to rzaruba

Anybody get the AntiSpyware 2009 trojan and/or virus after installing Fios Internet Security (Radialpoint third-party software)?

Quasimotor.

inachu (Member, join:2008-01-07, Germantown, MD) to rzaruba

My favorite version of Iolo is version 5.
System Mechanic 5 was fast and lean.
Other versions such as 6,7,7.5,8 all are bloated.