False positive?

Discussion in 'ewido anti-spyware forum' started by JG427, May 6, 2006.

Thread Status:
Not open for further replies.
  1. JG427

    JG427 Registered Member

    Joined:
    Jan 18, 2006
    Posts:
    4
    I have this thread at BleepingComputer which appears to have a false positive in the ewido report. I see the same thing in this thread at geeks to go.

    I also reported a similar problem at Malware Research back in December.

    Here is the report with no action taken this time. The entries have been deleted or quarantined before, but always return after reboot. Any advice?

    ewido anti-malware - Scan Report
    ---------------------------------------------------------

    + Created at: 10:59:37 AM 5/6/2006

    + Scan result:

    Links provided by poster. Margin blowing log removed - Ron
     
    Last edited by a moderator: May 7, 2006
  2. siliconman01

    siliconman01 Registered Member

    Joined:
    Mar 6, 2003
    Posts:
    780
    Location:
    West Virginia (USA)
  3. JG427

    JG427 Registered Member

    Joined:
    Jan 18, 2006
    Posts:
    4
    Yes, I read that thread before I posted.
    It still leaves many unanswered questions.

    In the two links I posted, no signs of MidAddle were present to begin with.
    No browser object, run keys or any files identified as MidAddle components.

    I have read several descriptions of MidAddle infections and none include the registry keys that ewido has flagged.
    I don't know much about hardware, but those registry keys seem to be related to integrated audio control on a laptop.
    What the heck is MidAddle hijacking there?

    http://www3.cai.com/securityadvisor/pest/pest.aspx?id=453088187
    http://securityresponse.symantec.com/avcenter/venc/data/adware.winfetch.html
    http://vil.nai.com/vil/content/v_132577.htm
     
  4. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    The Reg keys are legitimate and are related to Realtek, and I'm willing to bet that it is a Realtek file (or Explorer.exe) putting them back each time ewido removes them!

    If it was my system, I would configure RegDefend to protect values on the following Key:-

    HKEY_LOCAL_MACHINE\SYSTEM\*Controlset*\Control\DeviceClasses**

    then allow ewido to remove the entries, I would then wait and see what pop-ups RD gave. That would soon tell you what program is re-writing the entries.

    Ewido has not found a single Reg change known to be related to MidAddle, nor has it found a single .dll or .exe file known to be part of MidAddle.

    Of course this is a false positive.
     
  5. JG427

    JG427 Registered Member

    Joined:
    Jan 18, 2006
    Posts:
    4
    Yes, but since this is the Official ewido Support Forum, I would prefer that someone from ewido confirm that.

    While there was no reply to the thread at Malware Research, the other false positive I reported in December is no longer flagged.

    I would like to see the definitions updated for this one as well.
     
  6. karl.ewido

    karl.ewido former ewido team

    Joined:
    Dec 9, 2005
    Posts:
    236
    Location:
    Germany
    Please locate this detected registry entry with the Windows Registry Editor (use
    regedit.exe), create a *.reg backup file of this key and then send us this reg
    backup file:
    http://www.ewido.net/en/malware/
     
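    The two steps suggested above, checking whether the flagged DeviceClasses values really come back after ewido removes them and producing the *.reg backup karl asked for, can be done with one script. The script below is an added example, not something posted in this thread or shipped by ewido; it assumes the key is reached through the CurrentControlSet alias (the post used a wildcard pattern) and writes to a constructed folder under the user's profile. Run it as Administrator once before letting ewido remove the entries and once after the reboot; the second run prints any values that were added back. Identifying which process recreates them is still a job for a registry monitor such as the RegDefend mentioned above, which this script does not replace.

```powershell
# Added example (not from the thread): back up a registry key as .reg, snapshot its
# values, and diff against the previous snapshot to see what returned after a reboot.
# Assumed key: the DeviceClasses key discussed above, via the CurrentControlSet alias.
param(
    [string]$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceClasses',
    [string]$OutDir  = "$env:USERPROFILE\reg-snapshots"   # constructed output folder
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

# 1. Full .reg export of the key: this is the backup file a vendor asks for when
#    you report a false positive (reg.exe understands HKEY_LOCAL_MACHINE, not HKLM:).
$regKey = $KeyPath -replace '^HKLM:', 'HKEY_LOCAL_MACHINE'
& reg.exe export $regKey (Join-Path $OutDir "backup-$stamp.reg") /y | Out-Null

# 2. Flat snapshot of every value under the key: one line per "subkey|name|data".
$lines = Get-ChildItem -Path $KeyPath -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $key   = $_
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if ($props) {
            $props.PSObject.Properties |
                Where-Object { $_.Name -notlike 'PS*' } |      # drop provider metadata
                ForEach-Object { "$($key.Name)|$($_.Name)|$($_.Value)" }
        }
    } | Sort-Object
$snapFile = Join-Path $OutDir "snapshot-$stamp.txt"
$lines | Set-Content -Path $snapFile

# 3. Compare with the most recent earlier snapshot, if there is one.
$previous = Get-ChildItem $OutDir -Filter 'snapshot-*.txt' |
    Where-Object { $_.FullName -ne $snapFile } |
    Sort-Object LastWriteTime | Select-Object -Last 1
if (-not $previous) {
    "Baseline written: $snapFile"
} else {
    $diff = Compare-Object (Get-Content $previous.FullName) $lines
    if (-not $diff) {
        "No change under $KeyPath since $($previous.Name)"
    } else {
        $diff | ForEach-Object {
            $tag = if ($_.SideIndicator -eq '=>') { 'ADDED  ' } else { 'REMOVED' }
            "$tag $($_.InputObject)"
        }
    }
}
```

    If the values flagged as MidAddle show up as ADDED on the post-reboot run while no MidAddle files or run keys exist anywhere else, that is the evidence to attach alongside the .reg backup: the entries are being rewritten by whatever owns the device interface, not by the adware the signature names.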
  7. JG427

    JG427 Registered Member

    Joined:
    Jan 18, 2006
    Posts:
    4
    Thanks, karl.

    The registry file has been sent.
     