False Positive Windows Registry Run.

June 14, 2012

Malwarebytes just updated to the latest version and ran a flash scan and said a Legitimate Windows Registry Key was a Trojan.Agent.

Log is attached. Malwarebytes PRO version 1.61.0.1400 update version v2012.06.14.01.

Thank you.

DarkSnakeKobra · June 14, 2012

I got the same thing.

Edit: Developer log

Malwarebytes Anti-Malware (PRO) 1.61.0.1400

www.malwarebytes.org

Database version: v2012.06.14.01

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

DarkSnake-Kobra :: XPS17 [administrator]

Protection: Enabled

6/13/2012 8:02:00 PM

mbam-log-2012-06-13 (20-02-13).txt

Scan type: Flash scan

Scan options disabled: Registry | File System | P2P

Objects scanned: 184644

Time elapsed: 6 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 1

HKCU\Software\Microsoft\Windows\CurrentVersion\Run (Trojan.Agent) -> No action taken. [4693797abba191a5c6083e21ca3a936d]

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

ottchris · June 14, 2012

Malwarebytes just updated to the latest version and ran a flash scan and said a Legitimate Windows Registry Key was a Trojan.Agent.
Log is attached. Malwarebytes PRO version 1.61.0.1400 update version v2012.06.14.01.
Thank you.

I can confirm that deleting/quarantining said registry key stops various applications running, or at least automatically running after reboot! :-( Fortunately restoring the key resolves the situation.

Regards to All,

Chris

turtledove · June 14, 2012

I have the same also.

Same update version.

mbam-log-2012-06-13 (18-30-56).txt

Hardhead · June 14, 2012

This False positive deletes the Windows sidebar.

I would would look for a fix soon.

Malwarebytes Anti-Malware (PRO) 1.61.0.1400
www.malwarebytes.org
Database version: v2012.06.14.01
Windows Vista Service Pack 2 x64 NTFS
Internet Explorer 9.0.8112.16421
Hardhead 5 :: OWNER-PC [administrator]
Protection: Enabled
6/13/2012 9:39:39 PM
mbam-log-2012-06-13 (21-39-39).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 223244
Time elapsed: 3 minute(s), 17 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 1
HKCU\Software\Microsoft\Windows\CurrentVersion\Run (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)

Hardhead · June 14, 2012

I forgot to add the developer mode scan.

Posted below:

Malwarebytes Anti-Malware (PRO) 1.61.0.1400
www.malwarebytes.org
Database version: v2012.06.14.01
Windows Vista Service Pack 2 x64 NTFS
Internet Explorer 9.0.8112.16421
Hardhead 5 :: OWNER-PC [administrator]
Protection: Enabled
6/13/2012 10:07:01 PM
mbam-log-2012-06-13 (22-07-01).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 223308
Time elapsed: 3 minute(s), 11 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 1
HKCU\Software\Microsoft\Windows\CurrentVersion\Run (Trojan.Agent) -> Quarantined and deleted successfully. [8d4c0be82f2de155bb13b0af08fc7090]
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)

(end)

AdvancedSetup · June 14, 2012

Thank you for the report. Our Research Team is looking into it now.

nosirrah · June 14, 2012

I am really sorry about this guys. If you update and check again this should be fixed.

Hardhead · June 14, 2012

My pleasure.

June 14, 2012

Thank you, and your welcome.

I can confirm, after updating and running a flash scan, this Registry Key is no longer being flagged.

Thanks again Malwarebytes Team.

DarkSnakeKobra · June 14, 2012

No longer detected after latest update. Thanks again Malwarebytes' .

Hardhead · June 14, 2012

Thank you Bruce,

Windows sidebar is now back.

wildman424 · June 14, 2012

I'm still getting a trojan.agent detection for the run key under HKCU. Its empty there's nothing there. The only thing I had there was the startup key for Sandboxie, which was removed the first time it was detected.

Edit: Fp seems fixed now, Thanks

Henrilaconte · June 14, 2012

Sames Issue this day: see result.

Log attached:

Versions: 1.61.0.1400

Please fix

Thanks

mbam-log-2012-06-14 (05-55-24).txt

AdvancedSetup · June 14, 2012

Sames Issue this day: see result.
Log attached:
Versions: 1.61.0.1400
Please fix
Thanks

I don't see any detection in your log Henrilaconte

Malwarebytes Anti-Malware (PRO) 1.61.0.1400

www.malwarebytes.org

Databaseversie: v2012.06.14.03

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

H.W. van Berkum :: HWVANBERKUM-PC [administrator]

Realtime bescherming: Ingeschakeld

14-06-2012 05:55:24

mbam-log-2012-06-14 (05-55-24).txt

Scantype: Flash-scan

Uitgeschakelde scanopties: Register | Bestanden en mappen | P2P

Objecten gescand: 153118

Verstreken tijd: 29 seconde(n)

Geheugenprocessen gedetecteerd: 0