I have encountered an unusual possible malware situation which is most probably a false positive. A routine MBAM scan on a relative’s (Vista) laptop showed a ‘Rogue Installer’ in the registry. A similar scan with SAS claimed that the same registry file was a trojan. I didn’t quarantine either as I am only too aware that both SAS and MBAM have a tendency to claim that perfectly benign files are hostile and I didn’t want to risk bricking the machine (I’ve been through this before with MBAM on the same machine). I then proceeded to do a complete scan (8 hrs) with Panda Free, which found nothing. Next I scanned with Bit Defender online, F-Secure online, Kaspersky Security Scan and the Microsoft Safety Scanner, all of which discovered nothing. Finally I did a Panda quick scan which inevitably also found nothing. The only thing that I can think of that might be causing this almost certain false positive is that when I originally examined my relative’s laptop I employed a USB mouse originally from a ‘Tech Air 15.6-Inch Laptop Case with Shoulder Strap and Optical USB 2 Button Mouse’ I purchased six months ago. The mouse had never been used in the laptop before and had to install drivers as is normally the case. Previously the mouse had only ever been used on computers running Ubuntu. I’m guessing that MBAM and SAS may be falsely detecting those drivers as malware. Any suggestions?
Oh yeah, sorry. HKU\S-1-5-21-688742335-2297325631-2119768481-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{7545D8C8-F53C-4E2F-8FA0-D248EF4A6E61}
SUPERAntiSpyware told me that they would try to fix this in database version 12018, although SAS still labels this as a trojan and MBAM still labels it as a rogue installer. It's also suspiciously similar to this one I reported in March this year: http://forums.superantispyware.com/index.php?/topic/8156-solved-registry-trojan-false-positive/ FWIW I ran an additional Spybot Search and Destroy scan and it didn't find a trojan or a rogue installer either.
I'm a long-term user of MBAM as my first-choice malware scanner, and to a much lesser degree, SAS as a "second-line" option, which I've only ever found useful for rooting out tracking cookies which MBAM either doesn't find, or doesn't rate as a threat. I can't remember when I had FP issues with either of them and personally, I'd really be looking at the drivers you mentioned as the culprits in your case. I regularly check the MBAM forum, but I've never looked at the SAS forum before now... and I just noticed your avatar... ha!
SAS did find a trojan once on my old laptop back in 2008. I started to use MBAM around then, although as a whole I tend to agree with you that MBAM is the more efficacious of the two. I've had a few FPs with them over the years on various machines. As long as you check anything they flag first on their respective forums before quarantining or deleting, you should be OK. That particular driver has been flagged before; it's probably a Vista thing. I was a member of the MBAM forums a while ago, I think I have forgotten my password though lol. I've had that SAS yin/yang avatar for as long as I've been a member of their forum, I'm sure it was originally animated.
The only Google Search result for "HKU\S-1-5-21-688742335-2297325631-2119768481-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{7545D8C8-F53C-4E2F-8FA0-D248EF4A6E61}" is this thread. Did you copy it right?
I think so, I do need new reading glasses though. SUPERAntiSpyware have managed to fix this with database version 12019. MBAM have not fixed this yet.
The problem is that I believe that the "S-1-5-21-688742335-2297325631-2119768481-1000" portion is unique per machine. At least it is different on every machine I checked, so you will not get a match.
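A small triage helper, added here as an example and not something posted in this thread: it splits the reported path, replaces the per-machine SID (the `S-1-5-21-...` part, everything before the trailing RID) with a placeholder so the rest can be searched for, and pulls out the CLSID leaf, which under `Ext\Stats` identifies the browser add-on the entry belongs to. The sample path is the one from this thread; the placeholder text and the `HKCR\CLSID\` lookup hint are my own choices.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: the path reported in this thread (SID and CLSID copied from the post).
SAMPLE_PATH = (
    r"HKU\S-1-5-21-688742335-2297325631-2119768481-1000"
    r"\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS"
    r"\{7545D8C8-F53C-4E2F-8FA0-D248EF4A6E61}"
)

# A machine/domain SID is S-1-5-21-<three sub-authorities>-<RID>.  The three
# sub-authorities are generated per machine (or per domain); only the RID is
# comparable across machines (1000 and up = locally created accounts).
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$", re.IGNORECASE)
GUID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.IGNORECASE)


@dataclass
class RegPath:
    hive: str
    rid: Optional[str]     # relative identifier, kept for context
    subkey: str            # path with the machine-specific SID replaced
    clsid: Optional[str]   # GUID leaf, if the path ends in one


def normalize(path: str) -> RegPath:
    """Split a registry path and neutralise the per-machine SID component."""
    parts = path.strip("\\").split("\\")
    hive, rid, out = parts[0].upper(), None, []
    for p in parts[1:]:
        m = SID_RE.match(p)
        if m:
            rid = m.group(1)
            out.append("<MACHINE-SID>")   # placeholder (my choice) for the unique part
        else:
            out.append(p.upper())
    clsid = out[-1] if out and GUID_RE.match(out[-1]) else None
    return RegPath(hive, rid, "\\".join(out), clsid)


def search_terms(path: str) -> List[str]:
    """Strings worth looking up instead of the full, machine-unique path."""
    r = normalize(path)
    terms = [f"{r.hive}\\{r.subkey}"]
    if r.clsid:
        terms.append(r.clsid)
        # The add-on itself is registered under HKCR\CLSID\{guid}; that key names the
        # DLL, which is what actually needs checking rather than the Stats entry.
        terms.append(f"HKCR\\CLSID\\{r.clsid}")
    return terms
```

Searching for the bare CLSID or the SID-free path finds reports from other machines, which the full path never will; the `HKCR\CLSID` key then shows which component the stats entry refers to.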
Excluding the portion you pointed out, there are a number of hits via Google with some ambiguous info saying it's "trojan or malware"... https://www.google.co.uk/search?q=7...&oe=utf-8&gws_rd=cr&ei=XW3kVcP5BYbP7gbJ94HYDg