[Conte Rules]

Hi guys,

I'm a relatively computer savvy person. On my laptop I run Vista premium w/ UAC enabledI use Avira Antivir for an AV. I don't use any realtime AS ( turned defender off). I'm incredibly careful about what I install on my system. I don't surf porn, use p2p clients, or download warez. I use Firefox for a browser w/ Adblock plus and Noscript.

That's why today I was surprised to find a malware detection by MBAM. A lone registry key that I could not find much information about online. Here is my MBAM log.

Malwarebytes' Anti-Malware 1.14
Database version: 816

12:30:34 AM 6/3/2008
mbam-log-6-3-2008 (00-30-30).txt

Scan type: Quick Scan
Objects scanned: 31863
Time elapsed: 3 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRun (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


And here is my hijackthis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:32:24 AM, on 6/3/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Mozilla Firefox 3 Beta 5\firefox.exe
C:\Windows\explorer.exe
C:\Program Files\Sun\xVM VirtualBox\VirtualBox.exe
C:\PROGRA~1\Sun\XVMVIR~1\VBoxSVC.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O13 - Gopher Prefix:
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: FPOVZDSL - Sysinternals - www.sysinternals.com - C:\Users\Rog\AppData\Local\Temp\FPOVZDSL.exe

--
End of file - 3157 bytes

[Advertisements]

I think I know what the problem is. It appears that registry key controls whether or not the "run" option is displayed on the start menu. I can watch it change as I toggle between having run on or off.

Now, "run" on the start menu is off on Vista by default and I don't remember seeing this on any other Vista machine. Perhaps this is a FP from a recent update to MBAM? I will run it on another Vista machine tomorrow and see.

Anybody else getting this?

[Conte Rules]

I think I know what the problem is. It appears that registry key controls whether or not the "run" option is displayed on the start menu. I can watch it change as I toggle between having run on or off.

Now, "run" on the start menu is off on Vista by default and I don't remember seeing this on any other Vista machine. Perhaps this is a FP from a recent update to MBAM? I will run it on another Vista machine tomorrow and see.

Anybody else getting this?

[Conte Rules]

bump... anyone?

[Conte Rules]

sorry to keep bumping this. Can somebody please take a look at this? I didn't find the same infection on another Vista machine.