MBAM False positive - Avast skin chooser

Question

majestic0110 187 Nearly a Posting Virtuoso

15 Years Ago

Hi all, I hope you are well. I was just performing a routine quick scan of my laptop this morning and was horrified to see that MBAM picked up 19 malicious items! I am a safe web surfer, do not use torrents or visit suspect sites, so imagine my horror when 19 were found!
Now, I used MBAM to scan and here's my log:

Malwarebytes' Anti-Malware 1.41
Database version: 2881
Windows 5.1.2600 Service Pack 3

01/10/2009 09:43:15
mbam-log-2009-10-01 (09-43-15).txt

Scan type: Quick Scan
Objects scanned: 99936
Time elapsed: 4 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 17
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{3831331e-0d11-4716-871d-68f3b11d23c9} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{90f3d7b3-92e7-44ba-b444-6a8e2a3bc375} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4921908c-7090-4d37-a6b3-fc447f08378a} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{750fc67c-0311-4391-9864-a2efed49bd28} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f3fc950c-7583-4377-bad8-efbeaa33273c} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0944d16c-d0f4-4389-982a-a085595a9eb3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3dcd2bc5-8489-48ae-891f-90c8b2f19f56} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{52c01a76-19e2-4a50-ae8a-38ffbccf9182} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{5954ea75-9bfa-461a-bd34-cea3a861ff19} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{762ec429-1a5d-4ab8-844a-9a552e1241da} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a506ef88-9efc-4522-bfe1-a8e886a64d80} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a5704c37-40da-49ef-904b-97e5f5f9b1c5} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b87799af-2ce9-4daa-93cf-65f002035369} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{bbc73c94-337c-43cc-b52c-31eb9fa34013} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c406f816-318d-4f7d-81cb-ba93ca7b70d5} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d502d4a3-03e6-4eae-a14e-69606ca63430} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec22770d-3343-4c56-8a8d-3e560475f655} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\system32\actskin4.ocx (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\actskin4.ocx (Trojan.Agent) -> Quarantined and deleted successfully.

I have quarantined the blighters, but to my surprise, Avast will now not load:

"Application cannot load skin. FUnction "usiGetSkin" failed ".

So, my first instinct was that MBAM has reported a false positive and removed a file that was indeed not malicious -- actskin4.ocx. As far as I can tell, this file seems to be a skin loader for the Avast user interface. I spent some time googling, but did not find any useful information regarding this file. What do you think?

EDIT: A few days ago, I licenced the free version of avast, so perhaps this is when actskin4.ocx was installed, as MBAM had never picked it up before....

windows-virus

Edited 15 Years Ago by majestic0110 because: see edit

4 Contributors
8 Replies
126 Views
19 Hours Discussion Span
Latest Post 15 Years Ago Latest Post by PhilliePhan

RickNCN 0 Newbie Poster

15 Years Ago

Yes - same thing happened to me his morning. It's got to be a false positive. I saw other posts online referencing other AV or AM scanners that F.P. on that avast file. There must be something about it that the heuristics in some AM scanners pick up on.

PhilliePhan 171 Central Scrutinizer

15 Years Ago

I am fairly certain at this stage that its a F.P.

It is.

Update your MBAM to database version 2886 or later and you should have no more issues with this.

Cheers :)
PP

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

majestic0110 187 Nearly a Posting Virtuoso · Answer 1 · 2009-10-01T15:49:17+00:00

Interesting. After repairing Avast under control panel>>>add/remove>>>Avast>>>repair. The Avast UI loads up fine, so I thought I'd do another quick scan with MBAM. It picked up the "trojan" again! Now, I did perform a full scan with MBAM BEFORE I repaired Avast, which found 0 infected items.

Full scan before repairing Avast:

Malwarebytes' Anti-Malware 1.41
Database version: 2881
Windows 5.1.2600 Service Pack 3

01/10/2009 10:35:41
mbam-log-2009-10-01 (10-35-41).txt

Scan type: Full Scan (C:\|)
Objects scanned: 196146
Time elapsed: 48 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Quick scan after repairing Avast:

Malwarebytes' Anti-Malware 1.41
Database version: 2881
Windows 5.1.2600 Service Pack 3

01/10/2009 10:48:57
mbam-log-2009-10-01 (10-48-53).txt

Scan type: Quick Scan
Objects scanned: 100010
Time elapsed: 4 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 17
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{3831331e-0d11-4716-871d-68f3b11d23c9} (Trojan.Agent) -> No action taken.
HKEY_CLASSES_ROOT\TypeLib\{90f3d7b3-92e7-44ba-b444-6a8e2a3bc375} (Trojan.Agent) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{4921908c-7090-4d37-a6b3-fc447f08378a} (Trojan.Agent) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{750fc67c-0311-4391-9864-a2efed49bd28} (Trojan.Agent) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{f3fc950c-7583-4377-bad8-efbeaa33273c} (Trojan.Agent) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{0944d16c-d0f4-4389-982a-a085595a9eb3} (Trojan.Agent) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{3dcd2bc5-8489-48ae-891f-90c8b2f19f56} (Trojan.Agent) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{52c01a76-19e2-4a50-ae8a-38ffbccf9182} (Trojan.Agent) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{5954ea75-9bfa-461a-bd34-cea3a861ff19} (Trojan.Agent) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{762ec429-1a5d-4ab8-844a-9a552e1241da} (Trojan.Agent) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{a506ef88-9efc-4522-bfe1-a8e886a64d80} (Trojan.Agent) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{a5704c37-40da-49ef-904b-97e5f5f9b1c5} (Trojan.Agent) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{b87799af-2ce9-4daa-93cf-65f002035369} (Trojan.Agent) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{bbc73c94-337c-43cc-b52c-31eb9fa34013} (Trojan.Agent) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{c406f816-318d-4f7d-81cb-ba93ca7b70d5} (Trojan.Agent) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{d502d4a3-03e6-4eae-a14e-69606ca63430} (Trojan.Agent) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{ec22770d-3343-4c56-8a8d-3e560475f655} (Trojan.Agent) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\system32\actskin4.ocx (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\actskin4.ocx (Trojan.Agent) -> No action taken.

Very interesting, I hope the MBAM team are aware of this (if I am right, of course!).

EDIT: I have sent a "false positive report" to the team at MBAM, hopefully they can investigate it, as thier knowledge will be vastly greater than mine!

majestic0110 187 Nearly a Posting Virtuoso · Answer 2 · 2009-10-01T19:16:01+00:00

Ok, well I have posted a message to the MBAM team, and when they get back to me, I will be sure to update this post. I am fairly certain at this stage that its a F.P.

jholland1964 650 Posting Expert Team Colleague Featured Poster · Answer 3 · 2009-10-02T03:06:35+00:00

It is.
Update your MBAM to database version 2886 or later and you should have no more issues with this.
Cheers :)
PP

This shows WHY the standard instruction BEFORE using MBA-M is Update. The program has updates daily, sometimes multiple updates in one day. The absolute rule should be ALWAYS update the program before scanning with ANY scanner.

majestic0110 187 Nearly a Posting Virtuoso · Answer 4 · 2009-10-02T03:54:12+00:00

This shows WHY the standard instruction BEFORE using MBA-M is Update. The program has updates daily, sometimes multiple updates in one day. The absolute rule should be ALWAYS update the program before scanning with ANY scanner.

Well, actually; it's ironic that you say that, because I DID update MBAM prior to my scan, (as I realize that it makes sense to). So perhaps the latest definitions file is where the problem lies?

jholland1964 650 Posting Expert Team Colleague Featured Poster · Answer 5 · 2009-10-02T04:18:09+00:00

Well, actually; it's ironic that you say that, because I DID update MBAM prior to my scan, (as I realize that it makes sense to). So perhaps the latest definitions file is where the problem lies?

Database version: 2881
The scan was run today. Today's first update brought it to 2886 and latest one this afternoon brings it to 2888.

Notice PP said;

Update your MBAM to database version 2886 or later and you should have no more issues with this.

meaning if you update it to this version or later the False Positive issue was corrected with the database version of 2886.
This means that the MBA-M people were aware of the FP issue in the 2881 version and did an update to correct it. So update as PP advised and run the scan again. If the FP shows again then we will do something else.

PhilliePhan 171 Central Scrutinizer Team Colleague · Answer 6 · 2009-10-02T05:09:57+00:00

Give Malwarebytes some credit - they got this corrected fairly quickly.

What bothers me is that so much of their detections and removal seems to rely on heuristics and I am seeing a ton of questionable items being removed ( read: Deleted) by this tool in many forums and the volunteers are ignoring these items.
I realize that all forums are overwhelmed and it is not worth taking the time to question these - the time is just not there + MBAM is such a valuable asset in the fight against malware.....

So, a lot of legit programs get borked or have components removed and it all gets classified as "collateral damage" to the malware infection.....

-- I should say that I have been volunteering in various forums long enough to remember when there were no such (effective) tools as MBAM - The folks at malwarebytes do a tremendous job keeping up with the latest threats and it is great to have a tool such as MBAM in the fight against malware. I am just saying that everybody should keep a keener eye on what is being removed and perhaps be a bit more selective.....

/end mini rant

Cheers :)
PP