Rogue.AntiVirus

[Tengil]

It had to happen sooner or later, Mbam has turned on itself:

Malwarebytes' Anti-Malware 1.41

Database version: 2934

Windows 5.1.2600 Service Pack 3

2009-10-10 07:00:10

mbam-log-2009-10-10 (07-00-04).txt

Scan type: Quick Scan

Objects scanned: 111873

Time elapsed: 6 minute(s), 50 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 6

Files Infected: 13

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus (Rogue.AntiVirus) -> No action taken. [3742513051807286701534798574557483868413010649514840513446520661347985748774838

684]

C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus\Lavasoft Ad-Aware SE Professional (Rogue.AntiVirus) -> No action taken. [3742513051807286701534798574557483868413010649514840513446520661347985748774838

684]

C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus\Mbam (Rogue.AntiVirus) -> No action taken. [3742513051807286701534798574557483868413010649514840513446520661347985748774838

684]

C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus\Mbam\Logs (Rogue.AntiVirus) -> No action taken. [3742513051807286701534798574557483868413010649514840513446520661347985748774838

684]

C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus\RogueRemover FREE (Rogue.AntiVirus) -> No action taken. [3742513051807286701534798574557483868413010649514840513446520661347985748774838

684]

C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus\Symantec Client Security (Rogue.AntiVirus) -> No action taken. [3742513051807286701534798574557483868413010649514840513446520661347985748774838

684]

Files Infected:

C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus\Lavasoft Ad-Aware SE Professional\Ad-Aware SE Manual.lnk (Rogue.AntiVirus) -> No action taken. [3742513051807286701534798574557483868413010649514840513446520661347985748774838

684]

C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus\Lavasoft Ad-Aware SE Professional\Ad-Aware SE Professional.lnk (Rogue.AntiVirus) -> No action taken. [3742513051807286701534798574557483868413010649514840513446520661347985748774838

684]

C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus\Lavasoft Ad-Aware SE Professional\Ad-Watch SE Professional.lnk (Rogue.AntiVirus) -> No action taken. [3742513051807286701534798574557483868413010649514840513446520661347985748774838

684]

C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus\Lavasoft Ad-Aware SE Professional\Uninstall Ad-Aware SE Professional.lnk (Rogue.AntiVirus) -> No action taken. [3742513051807286701534798574557483868413010649514840513446520661347985748774838

684]

C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus\Mbam\Malwarebytes' Anti-Malware Help.lnk (Rogue.AntiVirus) -> No action taken. [3742513051807286701534798574557483868413010649514840513446520661347985748774838

684]

C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus\Mbam\Malwarebytes' Anti-Malware.lnk (Rogue.AntiVirus) -> No action taken. [3742513051807286701534798574557483868413010649514840513446520661347985748774838

684]

C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus\Mbam\Uninstall Malwarebytes' Anti-Malware.lnk (Rogue.AntiVirus) -> No action taken. [3742513051807286701534798574557483868413010649514840513446520661347985748774838

684]

C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus\Mbam\Logs\Desktop.ini (Rogue.AntiVirus) -> No action taken. [3742513051807286701534798574557483868413010649514840513446520661347985748774838

684]

C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus\Mbam\Logs\target.lnk (Rogue.AntiVirus) -> No action taken. [3742513051807286701534798574557483868413010649514840513446520661347985748774838

684]

C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus\RogueRemover FREE\Help.lnk (Rogue.AntiVirus) -> No action taken. [3742513051807286701534798574557483868413010649514840513446520661347985748774838

684]

C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus\RogueRemover FREE\RogueRemover FREE.lnk (Rogue.AntiVirus) -> No action taken. [3742513051807286701534798574557483868413010649514840513446520661347985748774838

684]

C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus\RogueRemover FREE\Uninstall RogueRemover FREE.lnk (Rogue.AntiVirus) -> No action taken. [3742513051807286701534798574557483868413010649514840513446520661347985748774838

684]

C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus\Symantec Client Security\Symantec AntiVirus.lnk (Rogue.AntiVirus) -> No action taken. [3742513051807286701534798574557483868413010649514840513446520661347985748774838

684]

[TonyKlein]

The "Antivirus" rogue in fact creates a "Start Menu\Programs\Antivirus" subfolder, see here, so therefore this can't be considered a "full" False Positive

A quick solution would be to rename that folder to something else, say "Start Menu\Programs\Security

[Tengil]

The quick solution works, thanks.

It seems a bit weak to identify a malware just by a start menu folder name, especially one as generic as Antivirus.

[TonyKlein]

Well, if you were indeed to have that Start Menu folder as either part or remnant of a Rogue.Antivirus infection, you would definitely be happy to see MBAM remove it.

It may or may not be possible for the MBAM development team to further fine-tune that detection, but as I'm not part of the team, I can't really comment.

[miekiemoes]

Hi,

We have modified detection for this so it will only target when you're dealing with this specific Rogue.