SAS & MBAM label same registry entry as malware?

Discussion in 'malware problems & news' started by Daveski17, Aug 17, 2015.

  1. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    8,030
    Location:
    Lloegyr
    I have encountered an unusual possible malware situation which is most probably a false positive. A routine MBAM scan on a relative’s (Vista) laptop showed a ‘Rogue Installer’ in the registry. A similar scan with SAS claimed that the same registry file was a trojan. I didn’t quarantine either as I am only too aware that both SAS and MBAM have a tendency to claim that perfectly benign files are hostile and I didn’t want to risk bricking the machine (I’ve been through this before with MBAM on the same machine).

    mbam fp1.jpg
    sas fp1.jpg

    I then proceeded to do a complete scan (8 hrs) with Panda Free, which found nothing. Next I scanned with Bit Defender online, F-Secure online, Kaspersky Security Scan and the Microsoft Safety Scanner, all of which discovered nothing. Finally I did a Panda quick scan which inevitably also found nothing.

    The only thing that I can think of that might be causing this almost certain false positive is that when I originally examined my relative’s laptop I employed a USB mouse originally from a ‘Tech Air 15.6-Inch Laptop Case with Shoulder Strap and Optical USB 2 Button Mouse’ I purchased six months ago. The mouse had never been used in the laptop before and had to install drivers as is normally the case. Previously the mouse had only ever been used on computers running Ubuntu. I’m guessing that MBAM and SAS may be falsely detecting those drivers as malware.

    TechAir.jpg

    Any suggestions?
     
  2. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Maybe paste the offending key as text instead of image so that we can far more easily research it?
     
  3. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    8,030
    Location:
    Lloegyr
    Oh yeah, sorry. :oops:

    HKU\S-1-5-21-688742335-2297325631-2119768481-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{7545D8C8-F53C-4E2F-8FA0-D248EF4A6E61}
     
  4. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    8,030
    Location:
    Lloegyr
  5. quietman

    quietman Registered Member

    Joined:
    Dec 27, 2014
    Posts:
    491
    Location:
    Earth .... occasionally
    I'm a long term user of MBAM as my first choice malware scanner , and to a much lesser degree , SAS as a "second-line " option , which I've only
    ever found useful for routing out tracking cookies which MBAM either doesn't find , or doesn't rate as a threat.

    I can't remember when I had FP issues with either of them and personally , I'd really be looking at the drivers you mentioned as the culprits in your case.
    I regularly check the MBAM forum , but I've never looked at the SAS forum before now ..... and I just noticed your avatar ......:thumb: ..... ha !
     
  6. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    8,030
    Location:
    Lloegyr
    SAS did find a trojan once on my old laptop back in 2008. I started to use MBAM around then, although as a whole I tend to agree with you that MBAM is the more efficacious of the two.

    I've had a few fp's with them over the years on various machines. As long as you check anything they flag first on their respective forums before quarantining or deleting you should be OK. That particular driver has been flagged before, it's probably a Vista thing.

    I was a member of the MBAM forums a while ago, I think I have forgotten my password though lol. I've had that SAS yin/yang avatar for as long as I've been a member of their forum, I'm sure it was originally animated. ;)
     
  7. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    1,957
    Location:
    DC Metro Area
    The only Google Search result for: "HKU\S-1-5-21-688742335-2297325631-2119768481-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{7545D8C8-F53C-4E2F-8FA0-D248EF4A6E61}" is this thread :)

    Did you copy it right?
     
  8. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    8,030
    Location:
    Lloegyr
    I think so, I do need new reading glasses though. ;)

    SUPERAntiSpyware have managed to fix this with database version 12019. MBAM have not fixed this yet.
     
    Last edited: Aug 18, 2015
  9. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,051
    Location:
    USA
    The problem is that I believe that the "S-1-5-21-688742335-2297325631-2119768481-1000" portion is unique per machine. At least it is different on every machine I checked, so you will not get a match.
     
  10. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    533
    Location:
    UK
    Excluding the the portion you pointed out there are a number of hits via google with some ambiguous info saying its "trojan or malware"...


    https://www.google.co.uk/search?q=7...&oe=utf-8&gws_rd=cr&ei=XW3kVcP5BYbP7gbJ94HYDg
     
Loading...