False positive?


JG427
May 6th, 2006, 10:40 PM
I have this thread at BleepingComputer (http://www.bleepingcomputer.com/forums/index.php?s=&showtopic=51309&view=findpost&p=280687) which appears to have a false positive in the ewido report. I see the same thing in this thread (http://www.geekstogo.com/forum/index.php?s=&showtopic=106879&view=findpost&p=628421) at Geeks to Go.

I also reported a similar problem at Malware Research (http://malware-research.co.uk/index.php?topic=953.0) back in December.

Here is the report with no action taken this time. The entries have been deleted or quarantined before, but always return after reboot. Any advice?

ewido anti-malware - Scan Report
---------------------------------------------------------

+ Created at: 10:59:37 AM 5/6/2006

+ Scan result:

Links provided by poster. Margin blowing log removed - Ron

siliconman01
May 7th, 2006, 01:14 AM
This thread over at CastleCops sheds some light on this:

http://www.castlecops.com/p754810-Midaddle_false_positives.html

JG427
May 7th, 2006, 01:02 PM
Yes, I read that thread before I posted.
It still leaves many unanswered questions.

In the two links I posted, no signs of MidAddle were present to begin with.
No browser object, run keys or any files identified as MidAddle components.

I have read several descriptions of MidAddle infections and none include the registry keys that ewido has flagged.
I don't know much about hardware, but those registry keys seem to be related to integrated audio control on a laptop.
What the heck is MidAddle hijacking there?

http://www3.cai.com/securityadvisor/pest/pest.aspx?id=453088187
http://securityresponse.symantec.com/avcenter/venc/data/adware.winfetch.html
http://vil.nai.com/vil/content/v_132577.htm

TopperID
May 8th, 2006, 01:25 PM
-{ Quote: "I don't know much about hardware, but those registry keys seem to be related to integrated audio control on a laptop" }-
The Reg keys are legitimate and are related to Realtek, and I'm willing to bet that it is a Realtek file (or Explorer.exe) putting them back each time ewido removes them!

If it was my system, I would configure RegDefend to protect values on the following Key:-

HKEY_LOCAL_MACHINE\SYSTEM\*Controlset*\Control\DeviceClasses**

then allow ewido to remove the entries. I would then wait and see what pop-ups RD gave. That would soon tell you what program is re-writing the entries.

Ewido has not found a single Reg change known to be related to MidAddle, nor has it found a single .dll or .exe file known to be part of MidAddle.

Of course this is a false positive.
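The approach TopperID describes (back the key up, let the scanner remove the entries, then watch who writes them back) can be done without RegDefend. The following PowerShell script is an added example for this thread; it is not code from the thread, from ewido or from RegDefend. It assumes an elevated PowerShell session, that "*Controlset*" resolves to CurrentControlSet, and, for the last step, that Windows registry auditing is switched on (the "Audit Registry" subcategory plus a Success audit entry on the key), since Security event 4657 is what records the writing process name.

```powershell
# Added example (not from the thread): non-destructive workflow for a registry
# detection that keeps returning after reboot. Assumed key path: TopperID's
# "*Controlset*" resolved to CurrentControlSet. Run from an elevated PowerShell.
$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceClasses'

function Export-RegKeyBackup {
    # 1. Make a .reg backup before letting any scanner delete entries. This is also
    #    the file a vendor needs when you report a suspected false positive.
    param([string]$Path = $KeyPath,
          [string]$OutFile = "$env:TEMP\DeviceClasses-backup.reg")
    $native = $Path -replace '^HKLM:\\', 'HKEY_LOCAL_MACHINE\'
    & reg.exe export $native $OutFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe export failed for $native" }
    Get-Item $OutFile
}

function Get-RegSnapshot {
    # 2. Record every value under the key (recursively) so two snapshots can be
    #    compared: one before the scanner acts, one after the reboot.
    param([string]$Path = $KeyPath)
    $snap = @{}
    Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        foreach ($name in $key.GetValueNames()) {
            $snap["$($key.Name)::$name"] = ($key.GetValue($name) -join ',')
        }
    }
    return $snap
}

function Compare-RegSnapshot {
    # 3. Report values removed, re-created or changed between two snapshots.
    #    A value that is "Removed" by the scanner and "Added" again after reboot
    #    is exactly the behaviour the thread describes.
    param([hashtable]$Before, [hashtable]$After)
    foreach ($k in $Before.Keys) {
        if (-not $After.ContainsKey($k)) {
            [pscustomobject]@{ Change = 'Removed'; Value = $k }
        } elseif ($After[$k] -ne $Before[$k]) {
            [pscustomobject]@{ Change = 'Modified'; Value = $k }
        }
    }
    foreach ($k in $After.Keys) {
        if (-not $Before.ContainsKey($k)) {
            [pscustomobject]@{ Change = 'Added'; Value = $k }
        }
    }
}

function Get-RegWriteEvents {
    # 4. Which process wrote the values back? Security event 4657 ("A registry
    #    value was modified") carries ProcessName, but only if auditing is on:
    #      auditpol /set /subcategory:"Registry" /success:enable
    #    and the key has a Success audit entry for "Set Value" (regedit >
    #    Permissions > Advanced > Auditing). Audited paths appear as
    #    \REGISTRY\MACHINE\SYSTEM\ControlSet001\..., not CurrentControlSet, so we
    #    match on the part of the path after CurrentControlSet.
    param([string]$Path = $KeyPath, [int]$Hours = 24)
    $tail = ($Path -split 'CurrentControlSet\\')[-1]
    $filter = @{ LogName = 'Security'; Id = 4657; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['ObjectName'] -like "*\$tail*") {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Process = $d['ProcessName']
                Key     = $d['ObjectName']
                Value   = $d['ObjectValueName']
            }
        }
    }
}

# Usage: back up, snapshot, let the scanner remove the entries, reboot, compare.
# Export-RegKeyBackup
# Get-RegSnapshot | Export-Clixml "$env:TEMP\before.xml"
# ... scanner removes entries, machine reboots ...
# Compare-RegSnapshot -Before (Import-Clixml "$env:TEMP\before.xml") -After (Get-RegSnapshot)
# Get-RegWriteEvents | Format-Table -AutoSize
```

The snapshot comparison alone settles whether the entries really come back; the 4657 query then names the process that recreated them, which is what the RegDefend pop-ups would have shown. A driver or vendor service showing up as the writer, with no MidAddle components anywhere else on the box, is consistent with a false positive rather than an infection.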

JG427
May 12th, 2006, 09:01 PM
-{ Quote: "Ewido has not found a single Reg change known to be related to MidAddle, nor has it found a single .dll or .exe file known to be part of MidAddle.

Of course this is a false positive." }-

Yes, but since this is the Official ewido Support Forum, I would prefer that someone from ewido confirm that.

While there was no reply to the thread at Malware Research, the other false positive I reported in December is no longer flagged.

I would like to see the definitions updated for this one as well.

karl.ewido
May 13th, 2006, 10:11 AM
Please locate this detected registry entry with the Windows Registry Editor (use
regedit.exe), create a *.reg backup file of this key and then send us this reg
backup file:
http://www.ewido.net/en/malware/

JG427
May 18th, 2006, 09:49 AM
Thanks, karl.

The registry file has been sent.