Oct 1st, 2009

MBAM False positive - Avast skin chooser

Hi all, I hope you are well. I was just performing a routine quick scan of my laptop this morning and was horrified to see that MBAM picked up 19 malicious items! I am a safe web surfer, do not use torrents or visit suspect sites, so imagine my horror when 19 were found!
Now, I used MBAM to scan and here's my log:

Malwarebytes' Anti-Malware 1.41
Database version: 2881
Windows 5.1.2600 Service Pack 3

01/10/2009 09:43:15
mbam-log-2009-10-01 (09-43-15).txt

Scan type: Quick Scan
Objects scanned: 99936
Time elapsed: 4 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 17
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{3831331e-0d11-4716-871d-68f3b11d23c9} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{90f3d7b3-92e7-44ba-b444-6a8e2a3bc375} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4921908c-7090-4d37-a6b3-fc447f08378a} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{750fc67c-0311-4391-9864-a2efed49bd28} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f3fc950c-7583-4377-bad8-efbeaa33273c} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0944d16c-d0f4-4389-982a-a085595a9eb3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3dcd2bc5-8489-48ae-891f-90c8b2f19f56} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{52c01a76-19e2-4a50-ae8a-38ffbccf9182} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{5954ea75-9bfa-461a-bd34-cea3a861ff19} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{762ec429-1a5d-4ab8-844a-9a552e1241da} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a506ef88-9efc-4522-bfe1-a8e886a64d80} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a5704c37-40da-49ef-904b-97e5f5f9b1c5} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b87799af-2ce9-4daa-93cf-65f002035369} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{bbc73c94-337c-43cc-b52c-31eb9fa34013} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c406f816-318d-4f7d-81cb-ba93ca7b70d5} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d502d4a3-03e6-4eae-a14e-69606ca63430} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec22770d-3343-4c56-8a8d-3e560475f655} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\system32\actskin4.ocx (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\actskin4.ocx (Trojan.Agent) -> Quarantined and deleted successfully.

I have quarantined the blighters, but to my surprise, Avast will now not load:

"Application cannot load skin. FUnction "usiGetSkin" failed ".

So, my first instinct was that MBAM has reported a false positive and removed a file that was indeed not malicious -- actskin4.ocx. As far as I can tell, this file seems to be a skin loader for the Avast user interface. I spent some time googling, but did not find any useful information regarding this file. What do you think?

EDIT: A few days ago, I licenced the free version of avast, so perhaps this is when actskin4.ocx was installed, as MBAM had never picked it up before....
Last edited by majestic0110; Oct 1st, 2009 at 6:17 am. Reason: see edit
majestic0110
Oct 1st, 2009

Re: MBAM False positive - Avast skin chooser

Interesting. After repairing Avast under control panel>>>add/remove>>>Avast>>>repair, the Avast UI loads up fine, so I thought I'd do another quick scan with MBAM. It picked up the "trojan" again! Now, I did perform a full scan with MBAM BEFORE I repaired Avast, which found 0 infected items.

Full scan before repairing Avast:

Malwarebytes' Anti-Malware 1.41
Database version: 2881
Windows 5.1.2600 Service Pack 3

01/10/2009 10:35:41
mbam-log-2009-10-01 (10-35-41).txt

Scan type: Full Scan (C:\|)
Objects scanned: 196146
Time elapsed: 48 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Quick scan after repairing Avast:

Malwarebytes' Anti-Malware 1.41
Database version: 2881
Windows 5.1.2600 Service Pack 3

01/10/2009 10:48:57
mbam-log-2009-10-01 (10-48-53).txt

Scan type: Quick Scan
Objects scanned: 100010
Time elapsed: 4 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 17
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{3831331e-0d11-4716-871d-68f3b11d23c9} (Trojan.Agent) -> No action taken.
HKEY_CLASSES_ROOT\TypeLib\{90f3d7b3-92e7-44ba-b444-6a8e2a3bc375} (Trojan.Agent) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{4921908c-7090-4d37-a6b3-fc447f08378a} (Trojan.Agent) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{750fc67c-0311-4391-9864-a2efed49bd28} (Trojan.Agent) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{f3fc950c-7583-4377-bad8-efbeaa33273c} (Trojan.Agent) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{0944d16c-d0f4-4389-982a-a085595a9eb3} (Trojan.Agent) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{3dcd2bc5-8489-48ae-891f-90c8b2f19f56} (Trojan.Agent) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{52c01a76-19e2-4a50-ae8a-38ffbccf9182} (Trojan.Agent) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{5954ea75-9bfa-461a-bd34-cea3a861ff19} (Trojan.Agent) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{762ec429-1a5d-4ab8-844a-9a552e1241da} (Trojan.Agent) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{a506ef88-9efc-4522-bfe1-a8e886a64d80} (Trojan.Agent) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{a5704c37-40da-49ef-904b-97e5f5f9b1c5} (Trojan.Agent) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{b87799af-2ce9-4daa-93cf-65f002035369} (Trojan.Agent) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{bbc73c94-337c-43cc-b52c-31eb9fa34013} (Trojan.Agent) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{c406f816-318d-4f7d-81cb-ba93ca7b70d5} (Trojan.Agent) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{d502d4a3-03e6-4eae-a14e-69606ca63430} (Trojan.Agent) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{ec22770d-3343-4c56-8a8d-3e560475f655} (Trojan.Agent) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\system32\actskin4.ocx (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\actskin4.ocx (Trojan.Agent) -> No action taken.

Very interesting, I hope the MBAM team are aware of this (if I am right, of course!).

EDIT: I have sent a "false positive report" to the team at MBAM, hopefully they can investigate it, as their knowledge will be vastly greater than mine!
Last edited by majestic0110; Oct 1st, 2009 at 6:59 am. Reason: see edit note
majestic0110
Oct 1st, 2009

Re: MBAM False positive - Avast skin chooser

Yes - same thing happened to me this morning. It's got to be a false positive. I saw other posts online referencing other AV or AM scanners that F.P. on that avast file. There must be something about it that the heuristics in some AM scanners pick up on.
RickNCN
Oct 1st, 2009

Re: MBAM False positive - Avast skin chooser

Ok, well I have posted a message to the MBAM team, and when they get back to me, I will be sure to update this post. I am fairly certain at this stage that it's a F.P.
majestic0110
Oct 1st, 2009

Re: MBAM False positive - Avast skin chooser

Quote ...
I am fairly certain at this stage that it's a F.P.
It is.

Update your MBAM to database version 2886 or later and you should have no more issues with this.

Cheers
PP
PhilliePhan (Moderator)
Oct 1st, 2009

Re: MBAM False positive - Avast skin chooser

Quote ...
It is.

Update your MBAM to database version 2886 or later and you should have no more issues with this.

Cheers
PP
This shows WHY the standard instruction BEFORE using MBA-M is Update. The program has updates daily, sometimes multiple updates in one day. The absolute rule should be ALWAYS update the program before scanning with ANY scanner.
jholland1964 (Moderator)
Oct 1st, 2009

Re: MBAM False positive - Avast skin chooser

Quote ...
This shows WHY the standard instruction BEFORE using MBA-M is Update. The program has updates daily, sometimes multiple updates in one day. The absolute rule should be ALWAYS update the program before scanning with ANY scanner.
Well, actually, it's ironic that you say that, because I DID update MBAM prior to my scan (as I realize that it makes sense to). So perhaps the latest definitions file is where the problem lies?
Last edited by majestic0110; Oct 1st, 2009 at 6:54 pm.
majestic0110
Oct 1st, 2009

Re: MBAM False positive - Avast skin chooser

Quote ...
Well, actually, it's ironic that you say that, because I DID update MBAM prior to my scan (as I realize that it makes sense to). So perhaps the latest definitions file is where the problem lies?
Database version: 2881
The scan was run today. Today's first update brought it to 2886 and latest one this afternoon brings it to 2888.

Notice PP said;
Quote ...
Update your MBAM to database version 2886 or later and you should have no more issues with this.
meaning that if you update to this version or later, the false positive issue was corrected with database version 2886.
This means that the MBA-M people were aware of the FP issue in the 2881 version and did an update to correct it. So update as PP advised and run the scan again. If the FP shows again then we will do something else.
Last edited by jholland1964; Oct 1st, 2009 at 7:19 pm.
jholland1964 (Moderator)
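A small triage helper, added here and not code from the thread or from Malwarebytes, that does what PP and jholland1964 did by hand: it parses the MBAM log format posted above, reads the database version, and flags a scan whose hits all carry one family name and cluster on one component while the database predates the 2886 fix. The embedded log is a constructed, abridged copy of the quick scan in the thread; FIXED_DB_VERSION is taken from the moderators' posts.

```python
import re
from collections import Counter

FIXED_DB_VERSION = 2886  # version the thread's moderators cite as fixed (assumption from the posts above)

# Constructed, abridged copy of the quick-scan log posted in the thread (raw string keeps the backslashes).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.41
Database version: 2881

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{3831331e-0d11-4716-871d-68f3b11d23c9} (Trojan.Agent) -> No action taken.
HKEY_CLASSES_ROOT\TypeLib\{90f3d7b3-92e7-44ba-b444-6a8e2a3bc375} (Trojan.Agent) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\system32\actskin4.ocx (Trojan.Agent) -> No action taken.

Files Infected:
C:\WINDOWS\system32\actskin4.ocx (Trojan.Agent) -> No action taken.
"""

# One detection line: "<item> (<family>) -> <action>"
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")


def parse_log(text):
    """Return (database_version, detections); each detection is a dict with item/family/action."""
    db_version, detections = None, []
    for line in text.splitlines():
        if line.startswith("Database version:"):
            db_version = int(line.split(":", 1)[1])
        match = DETECTION_RE.match(line.strip())
        if match:
            detections.append(match.groupdict())
    return db_version, detections


def triage(text):
    """Flag the pattern seen in the thread: an old database and every hit naming one family and one component."""
    db_version, detections = parse_log(text)
    families = Counter(d["family"] for d in detections)
    # Registry value and file hits both end in the component's file name; CLSID/TypeLib keys do not.
    components = {d["item"].rsplit("\\", 1)[-1].lower()
                  for d in detections if re.search(r"\.(ocx|dll|exe)$", d["item"], re.I)}
    report = {
        "db_version": db_version,
        "db_outdated": db_version is not None and db_version < FIXED_DB_VERSION,
        "detections": len(detections),
        "components": sorted(components),
    }
    # A reason to re-check before quarantining, not proof of a false positive.
    report["likely_false_positive"] = report["db_outdated"] and len(families) == 1 and len(components) == 1
    return report
```

Run triage() on the log before quarantining; a True flag means update the database and rescan, exactly the advice given in the thread.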
Oct 1st, 2009

Re: MBAM False positive - Avast skin chooser

Give Malwarebytes some credit - they got this corrected fairly quickly.

What bothers me is that so much of their detections and removal seems to rely on heuristics and I am seeing a ton of questionable items being removed ( read: Deleted) by this tool in many forums and the volunteers are ignoring these items.
I realize that all forums are overwhelmed and it is not worth taking the time to question these - the time is just not there + MBAM is such a valuable asset in the fight against malware.....

So, a lot of legit programs get borked or have components removed and it all gets classified as "collateral damage" to the malware infection.....

-- I should say that I have been volunteering in various forums long enough to remember when there were no such (effective) tools as MBAM - The folks at malwarebytes do a tremendous job keeping up with the latest threats and it is great to have a tool such as MBAM in the fight against malware. I am just saying that everybody should keep a keener eye on what is being removed and perhaps be a bit more selective.....

/end mini rant

Cheers
PP
PhilliePhan (Moderator)

This thread is solved