Hi all, I hope you are well. I was just performing a routine quick scan of my laptop this morning and was horrified to see that MBAM picked up 19 malicious items! I am a safe web surfer, do not use torrents or visit suspect sites, so imagine my horror when 19 were found!
Now, I used MBAM to scan and here's my log:

Malwarebytes' Anti-Malware 1.41
Database version: 2881
Windows 5.1.2600 Service Pack 3

01/10/2009 09:43:15
mbam-log-2009-10-01 (09-43-15).txt

Scan type: Quick Scan
Objects scanned: 99936
Time elapsed: 4 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 17
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{3831331e-0d11-4716-871d-68f3b11d23c9} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{90f3d7b3-92e7-44ba-b444-6a8e2a3bc375} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4921908c-7090-4d37-a6b3-fc447f08378a} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{750fc67c-0311-4391-9864-a2efed49bd28} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f3fc950c-7583-4377-bad8-efbeaa33273c} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0944d16c-d0f4-4389-982a-a085595a9eb3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3dcd2bc5-8489-48ae-891f-90c8b2f19f56} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{52c01a76-19e2-4a50-ae8a-38ffbccf9182} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{5954ea75-9bfa-461a-bd34-cea3a861ff19} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{762ec429-1a5d-4ab8-844a-9a552e1241da} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a506ef88-9efc-4522-bfe1-a8e886a64d80} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a5704c37-40da-49ef-904b-97e5f5f9b1c5} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b87799af-2ce9-4daa-93cf-65f002035369} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{bbc73c94-337c-43cc-b52c-31eb9fa34013} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c406f816-318d-4f7d-81cb-ba93ca7b70d5} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d502d4a3-03e6-4eae-a14e-69606ca63430} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec22770d-3343-4c56-8a8d-3e560475f655} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\system32\actskin4.ocx (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\actskin4.ocx (Trojan.Agent) -> Quarantined and deleted successfully.

I have quarantined the blighters, but to my surprise, Avast will now not load:

"Application cannot load skin. Function "usiGetSkin" failed".

So, my first instinct was that MBAM has reported a false positive and removed a file that was indeed not malicious -- actskin4.ocx. As far as I can tell, this file seems to be a skin loader for the Avast user interface. I spent some time googling, but did not find any useful information regarding this file. What do you think?

EDIT: A few days ago, I licensed the free version of avast, so perhaps this is when actskin4.ocx was installed, as MBAM had never picked it up before.

Interesting. After repairing Avast under Control Panel >>> Add/Remove >>> Avast >>> Repair, the Avast UI loads up fine, so I thought I'd do another quick scan with MBAM. It picked up the "trojan" again! Now, I did perform a full scan with MBAM BEFORE I repaired Avast, which found 0 infected items.

Full scan before repairing Avast:

Malwarebytes' Anti-Malware 1.41
Database version: 2881
Windows 5.1.2600 Service Pack 3

01/10/2009 10:35:41
mbam-log-2009-10-01 (10-35-41).txt

Scan type: Full Scan (C:\|)
Objects scanned: 196146
Time elapsed: 48 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Quick scan after repairing Avast:

Malwarebytes' Anti-Malware 1.41
Database version: 2881
Windows 5.1.2600 Service Pack 3

01/10/2009 10:48:57
mbam-log-2009-10-01 (10-48-53).txt

Scan type: Quick Scan
Objects scanned: 100010
Time elapsed: 4 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 17
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{3831331e-0d11-4716-871d-68f3b11d23c9} (Trojan.Agent) -> No action taken.
HKEY_CLASSES_ROOT\TypeLib\{90f3d7b3-92e7-44ba-b444-6a8e2a3bc375} (Trojan.Agent) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{4921908c-7090-4d37-a6b3-fc447f08378a} (Trojan.Agent) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{750fc67c-0311-4391-9864-a2efed49bd28} (Trojan.Agent) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{f3fc950c-7583-4377-bad8-efbeaa33273c} (Trojan.Agent) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{0944d16c-d0f4-4389-982a-a085595a9eb3} (Trojan.Agent) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{3dcd2bc5-8489-48ae-891f-90c8b2f19f56} (Trojan.Agent) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{52c01a76-19e2-4a50-ae8a-38ffbccf9182} (Trojan.Agent) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{5954ea75-9bfa-461a-bd34-cea3a861ff19} (Trojan.Agent) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{762ec429-1a5d-4ab8-844a-9a552e1241da} (Trojan.Agent) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{a506ef88-9efc-4522-bfe1-a8e886a64d80} (Trojan.Agent) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{a5704c37-40da-49ef-904b-97e5f5f9b1c5} (Trojan.Agent) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{b87799af-2ce9-4daa-93cf-65f002035369} (Trojan.Agent) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{bbc73c94-337c-43cc-b52c-31eb9fa34013} (Trojan.Agent) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{c406f816-318d-4f7d-81cb-ba93ca7b70d5} (Trojan.Agent) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{d502d4a3-03e6-4eae-a14e-69606ca63430} (Trojan.Agent) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{ec22770d-3343-4c56-8a8d-3e560475f655} (Trojan.Agent) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\system32\actskin4.ocx (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\actskin4.ocx (Trojan.Agent) -> No action taken.

Very interesting, I hope the MBAM team are aware of this (if I am right, of course!).

EDIT: I have sent a "false positive report" to the team at MBAM; hopefully they can investigate it, as their knowledge will be vastly greater than mine!

Yes - the same thing happened to me this morning. It's got to be a false positive. I saw other posts online referencing other AV or AM scanners that F.P. on that avast file. There must be something about it that the heuristics in some AM scanners pick up on.

Ok, well I have posted a message to the MBAM team, and when they get back to me, I will be sure to update this post. I am fairly certain at this stage that it's a F.P.

I am fairly certain at this stage that it's a F.P.

It is.

Update your MBAM to database version 2886 or later and you should have no more issues with this.

Cheers :)
PP

This shows WHY the standard instruction BEFORE using MBA-M is Update. The program has updates daily, sometimes multiple updates in one day. The absolute rule should be ALWAYS update the program before scanning with ANY scanner.

Well, actually, it's ironic that you say that, because I DID update MBAM prior to my scan (as I realize that it makes sense to). So perhaps the latest definitions file is where the problem lies?

Database version: 2881
The scan was run today. Today's first update brought it to 2886, and the latest one this afternoon brings it to 2888.

Notice PP said;

Update your MBAM to database version 2886 or later and you should have no more issues with this.

meaning that if you update to this version or later, you get the fix: the false-positive issue was corrected in database version 2886.
This means that the MBA-M people were aware of the FP issue in the 2881 version and did an update to correct it. So update as PP advised and run the scan again. If the FP shows again, then we will do something else.
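One way to read a log like the one in the first post before deciding to quarantine anything: collapse the per-key lines into the distinct artifacts they describe, and record which database version produced them. The Python below is an added example written for this thread; it is not Malwarebytes, Avast or any poster's code. The sample log is a constructed, trimmed copy of the posted one (same format, fewer keys), and the threshold 2886 is taken from PP's reply above. It shows that "19 items" here are one OCX on disk, its SharedDLLs reference count, and the CLSID/TypeLib/Interface keys that register it; checking the file's publisher signature and sending its hash to the vendor would be the next step on a real machine and is not done here.

```python
"""
Collapse an MBAM 1.x text log into the distinct artifacts it describes.
Added example for this thread (not Malwarebytes', Avast's or a poster's code):
many "infected" registry keys are usually the COM registration of a single
binary, so triage should count binaries, not log lines. Also extracts the
"Database version" header so a log can be checked against the database that
carried a fix (2886 here, per the replies in the thread).
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample, trimmed from the posted quick-scan log (same format).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.41
Database version: 2881
Windows 5.1.2600 Service Pack 3

Registry Keys Infected: 4
Registry Values Infected: 1
Files Infected: 1

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{3831331e-0d11-4716-871d-68f3b11d23c9} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{90f3d7b3-92e7-44ba-b444-6a8e2a3bc375} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4921908c-7090-4d37-a6b3-fc447f08378a} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0944d16c-d0f4-4389-982a-a085595a9eb3} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\system32\actskin4.ocx (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\actskin4.ocx (Trojan.Agent) -> Quarantined and deleted successfully.
"""

SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")        # list header, no count
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")
DB_VERSION_RE = re.compile(r"^Database version: (\d+)$")
COM_KEY_RE = re.compile(r"^HKEY_CLASSES_ROOT\\(CLSID|TypeLib|Interface)\\(\{[0-9a-f-]+\})$", re.I)
SHARED_DLL_RE = re.compile(r"\\SharedDLLs\\(.+)$", re.I)


@dataclass
class Detection:
    section: str
    item: str
    name: str
    action: str


def parse_mbam_log(text):
    """Return (database_version, [Detection]) from MBAM 1.x log text."""
    db_version, section, detections = None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := DB_VERSION_RE.match(line):
            db_version = int(m.group(1))
        elif m := SECTION_RE.match(line):
            section = m.group(1)
        elif (m := DETECTION_RE.match(line)) and section:
            detections.append(Detection(section, m["item"], m["name"], m["action"]))
        # "(No malicious items detected)" and the summary counts fall through.
    return db_version, detections


def summarize(text):
    """Group detections by what they really are: COM registrations vs. binaries."""
    db_version, detections = parse_mbam_log(text)
    files = set()               # binaries on disk (from file lines and SharedDLLs refs)
    com = defaultdict(set)      # CLSID/TypeLib/Interface -> GUIDs
    other_keys = []             # registry keys that are not COM registrations
    for d in detections:
        if d.section == "Files Infected":
            files.add(d.item.lower())
        elif d.section == "Registry Values Infected":
            if m := SHARED_DLL_RE.search(d.item):   # refcount entry, not code
                files.add(m.group(1).lower())
        elif d.section == "Registry Keys Infected":
            if m := COM_KEY_RE.match(d.item):
                com[m.group(1)].add(m.group(2).lower())
            else:
                other_keys.append(d.item)
    names = {d.name for d in detections}
    return {
        "database_version": db_version,
        "total_items": len(detections),
        "per_section": dict(Counter(d.section for d in detections)),
        "detection_names": names,
        "files": files,
        "com_registrations": {k: len(v) for k, v in com.items()},
        # One name, one binary, and only its own COM keys: a single component.
        "single_component": len(names) == 1 and len(files) == 1 and not other_keys,
    }


def database_older_than(text, fixed_version):
    """True if the log came from a database older than the one carrying the fix."""
    db_version, _ = parse_mbam_log(text)
    return db_version is not None and db_version < fixed_version


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['total_items']} items -> {len(s['files'])} binary: {sorted(s['files'])}")
    print("COM registrations:", s["com_registrations"], "| one component?", s["single_component"])
    print("database older than 2886?", database_older_than(SAMPLE_LOG, 2886))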

Give Malwarebytes some credit - they got this corrected fairly quickly.

What bothers me is that so much of their detections and removal seems to rely on heuristics and I am seeing a ton of questionable items being removed ( read: Deleted) by this tool in many forums and the volunteers are ignoring these items.
I realize that all forums are overwhelmed and it is not worth taking the time to question these - the time is just not there + MBAM is such a valuable asset in the fight against malware.....

So, a lot of legit programs get borked or have components removed and it all gets classified as "collateral damage" to the malware infection.....

-- I should say that I have been volunteering in various forums long enough to remember when there were no such (effective) tools as MBAM - The folks at malwarebytes do a tremendous job keeping up with the latest threats and it is great to have a tool such as MBAM in the fight against malware. I am just saying that everybody should keep a keener eye on what is being removed and perhaps be a bit more selective.....

/end mini rant

Cheers :)
PP

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.