John L. Galt Posted November 3, 2007 ID:9500 Share Posted November 3, 2007 Hi folks,First of all, let me say thanks for having me - Hardhead knows me from CoU and it was he who got me interested in using MBAM in the first place.That being said, I just recently re-installed Vista (completely fresh install, formatted HD, etc.) and on running MBAM 0.69, updating the defs, and scanning (quick scan) I get the following log:Malwarebytes' Anti-Malware Version 0.69Database version: 183This logfile was saved before the removal process. Scan type: Quick ScanObjects scanned: 16394 Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 42Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0 Memory Processes Infected:(No malicious items detected) Memory Modules Infected:(No malicious items detected) Registry Keys Infected:HKEY_CLASSES_ROOT\Interface\{0a95be2d-1543-46be-ad6d-18653034bf87} (Adware.Hotbar) -> No action taken.HKEY_CLASSES_ROOT\Interface\{0b8edb8d-4575-4942-9c34-55591e415909} (Adware.Hotbar) -> No action taken.HKEY_CLASSES_ROOT\Interface\{278ead7a-2a45-4d4e-acb4-a1a4ad9bb54b} (Adware.Hotbar) -> No action taken.HKEY_CLASSES_ROOT\Interface\{2b539d9c-127a-4f10-855f-ef31c83d2007} (Adware.Hotbar) -> No action taken.HKEY_CLASSES_ROOT\Interface\{2d91877a-468c-4802-8cd7-21f6bf776790} (Adware.Hotbar) -> No action taken.HKEY_CLASSES_ROOT\Interface\{3120a5e4-552d-4edf-8c48-70c5d5ff22d2} (Adware.Hotbar) -> No action taken.HKEY_CLASSES_ROOT\Interface\{31ce2164-4d5c-4508-bca7-b10e11d08e6b} (Adware.Hotbar) -> No action taken.HKEY_CLASSES_ROOT\Interface\{359a062f-cda8-4a9c-9b28-588446d35098} (Adware.Hotbar) -> No action taken.HKEY_CLASSES_ROOT\Interface\{35efad55-134a-47bf-912a-44a9d9fd556f} (Adware.Hotbar) -> No action taken.HKEY_CLASSES_ROOT\Interface\{38f95b22-32bf-4378-b3ec-47b2c09de1f5} (Adware.Hotbar) -> No action taken.HKEY_CLASSES_ROOT\Interface\{3d177ba8-bf8c-45e2-8ca2-20aca6269a68} (Adware.Hotbar) -> No action taken.HKEY_CLASSES_ROOT\Interface\{3e1392bb-3b66-4a39-bbd0-259fc2bdc979} (Adware.Hotbar) -> No action taken.HKEY_CLASSES_ROOT\Interface\{45128c11-a7e5-46d2-a164-3d1273e92c44} (Adware.Hotbar) -> No action taken.HKEY_CLASSES_ROOT\Interface\{47146231-b550-4b13-b9e7-4257f740f39d} (Adware.Hotbar) -> No action taken.HKEY_CLASSES_ROOT\Interface\{5c61669e-f0ce-4126-b365-316588e6228f} (Adware.Hotbar) -> No action taken.HKEY_CLASSES_ROOT\Interface\{60e5f55e-236f-422d-a5f9-560f1778ccd4} (Adware.Hotbar) -> No action taken.HKEY_CLASSES_ROOT\Interface\{62b6a513-3764-42cd-8410-9b81e8dff135} (Adware.Hotbar) -> No action taken.HKEY_CLASSES_ROOT\Interface\{6a5d680a-8f9f-4752-a056-2c0273f60b4e} (Adware.Hotbar) -> No action taken.HKEY_CLASSES_ROOT\Interface\{6ccd925e-e833-4be3-a62e-d3c8838c5d6d} (Adware.Hotbar) -> No action taken.HKEY_CLASSES_ROOT\Interface\{6cdd1f89-fc3b-401c-b1f1-932c48f45eb5} (Adware.Hotbar) -> No action taken.HKEY_CLASSES_ROOT\Interface\{78412eb9-e06b-4484-bc85-0b1594f6e23a} (Adware.Hotbar) -> No action taken.HKEY_CLASSES_ROOT\Interface\{7ee495f3-345b-4cc1-aab7-a255ed85eed2} (Adware.Hotbar) -> No action taken.HKEY_CLASSES_ROOT\Interface\{82b58fcb-73f3-46dc-a52d-74d3fe359702} (Adware.Hotbar) -> No action taken.HKEY_CLASSES_ROOT\Interface\{86797248-1a4e-41d0-a0c3-2175a36b3d0e} (Adware.Hotbar) -> No action taken.HKEY_CLASSES_ROOT\Interface\{919df860-d321-4d02-ac3d-1c25efae551a} (Adware.Hotbar) -> No action taken.HKEY_CLASSES_ROOT\Interface\{aa6ccb5d-0f97-4a37-a077-8b49fb5bc60d} (Adware.Hotbar) -> No action taken.HKEY_CLASSES_ROOT\Interface\{c18d120c-b7ab-4499-8bdc-0cd2bd0861fd} (Adware.Hotbar) -> No action taken.HKEY_CLASSES_ROOT\Interface\{c1dfd382-e253-434d-b22d-2e47233b6147} (Adware.Hotbar) -> No action taken.HKEY_CLASSES_ROOT\Interface\{cacb61e0-aeea-404d-88e1-7f3bca8b8726} (Adware.Hotbar) -> No action taken.HKEY_CLASSES_ROOT\Interface\{cd5b9523-6eaf-4d63-8fe8-c081c51d1673} (Adware.Hotbar) -> No action taken.HKEY_CLASSES_ROOT\Interface\{d45b0772-5801-4e61-9cba-84120557a4d7} (Adware.Hotbar) -> No action taken.HKEY_CLASSES_ROOT\Interface\{d7e6fb7c-a22f-4a9d-a89d-653d1aa37324} (Adware.Hotbar) -> No action taken.HKEY_CLASSES_ROOT\Interface\{d80ac53d-e102-4a55-a265-529a626515e5} (Adware.Hotbar) -> No action taken.HKEY_CLASSES_ROOT\Interface\{dbcad616-bfd4-4c72-8d87-c5926921d378} (Adware.Hotbar) -> No action taken.HKEY_CLASSES_ROOT\Interface\{e16f1874-c5b1-4400-a9f0-08e7fd4d3f8c} (Adware.Hotbar) -> No action taken.HKEY_CLASSES_ROOT\Interface\{e3ec74bb-5522-462d-a00f-2728c53fca04} (Adware.Hotbar) -> No action taken.HKEY_CLASSES_ROOT\Interface\{ebb4eba9-d546-4c85-a05a-167bf875fb83} (Adware.Hotbar) -> No action taken.HKEY_CLASSES_ROOT\Interface\{f71d2854-2609-4a63-b4bf-bf2ba61a61cf} (Adware.Hotbar) -> No action taken.HKEY_CLASSES_ROOT\Interface\{f7919641-3978-4668-8388-7310329c800e} (Adware.Hotbar) -> No action taken.HKEY_CLASSES_ROOT\Interface\{f961ce9d-ae2b-4cfb-887c-3a055ff685c9} (Adware.Hotbar) -> No action taken.HKEY_CLASSES_ROOT\Interface\{ffbbdece-4363-4b4d-b35e-39eff228c723} (Adware.Hotbar) -> No action taken.HKEY_CLASSES_ROOT\Typelib\{2d5e2d34-bed5-4b9f-9793-a31e26e6806e} (Adware.Hotbar) -> No action taken. Registry Values Infected:(No malicious items detected) Registry Data Items Infected:(No malicious items detected) Folders Infected:(No malicious items detected) Files Infected:(No malicious items detected)I sorted the results in the scan window by the item column, and started looking at each of these registry entries - they say absolutely nothing about Hotbar in them, and further more, no other scanning product is finding Hotbar installed.Also, I did some serious digging - using Registry Crawler (one of my all-time fav reg search tools, works decently still in Vista) and looked for the CLSID in the first item - the same key can be found at Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0A95BE2D-1543-46BE-AD6D-18653034BF87} - and yet that was not 'detected' by MBAM (ironically, though, Registry crawler did *not* find the one reported by MBAM). Searching Google for the CLSID only led me here to these forums, as a previous post by LoneWolf listed almost all (if not all, I didn't peruse the list exactly) of these same items.Even stranger is that that particular key is 'named' ISafeMailItem, and a Google search of that shows it to be a used object by Outlook, OE, and other mail programs. Furthermore, searching the registry for ISafeMailItem also only finds the Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0A95BE2D-1543-46BE-AD6D-18653034BF87} item as well.Are these *really* Hotbar items? I find it hard to believe (not impossible, mind you, because I have installed more than a few things on here, and it is possible that one of them sneaked something onto my machine) because I am pretty security minded, and with so many products already on here I am doubly surprised that something like this would escape my attention- especially as there is no Hotbar running in any of my browsers.... Link to post Share on other sites More sharing options...
John L. Galt Posted November 3, 2007 Author ID:9501 Share Posted November 3, 2007 Of course, it would have helped to look at a couple more of the Google search results - I would have seen this item from earlier this morning, no less....http://www.malwarebytes.org/forums/index.php?showtopic=2838My apologies for 1) duplicating the posts, and 2) for posting this in the wrong forum initially. Link to post Share on other sites More sharing options...
Root Admin RubbeR DuckY Posted November 4, 2007 Root Admin ID:9507 Share Posted November 4, 2007 John, they do indeed appear to be false positives, hopefully Bruce will notice these.Also, I did some serious digging - using Registry Crawler (one of my all-time fav reg search tools, works decently still in Vista) and looked for the CLSID in the first item - the same key can be found at Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0A95BE2D-1543-46BE-AD6D-18653034BF87} - and yet that was not 'detected' by MBAM (ironically, though, Registry crawler did *not* find the one reported by MBAM). Searching Google for the CLSID only led me here to these forums, as a previous post by LoneWolf listed almost all (if not all, I didn't peruse the list exactly) of these same items.As for that, Classes\Interface is the same key as HKCR\Interface, MBAM only detects one of them for simplicity. Try deleting one, then look at the other and it will be gone as well. Just thought I would clear that up. Link to post Share on other sites More sharing options...
nosirrah Posted November 4, 2007 ID:9515 Share Posted November 4, 2007 Update and give the new defs a spin , should be fixed .If I missed any let me know . Link to post Share on other sites More sharing options...
Hardhead Posted November 4, 2007 ID:9517 Share Posted November 4, 2007 I keep getting the same update over and over in Vista. #183Haven't tried XP Pro yet.Also I can't add a pic in manage current attachments.Its uploaded but I'm not able to add the .png in the post.Hmm, that funny. I didn't see the attached file but I see the pic now. Link to post Share on other sites More sharing options...
John L. Galt Posted November 4, 2007 Author ID:9518 Share Posted November 4, 2007 Weird, HH - mine updated to 184 as soon as I ran the update....Of course, upon install I quickly reallied that the program needed admin privileges so I set it up in compatibility mode to always run requesting admin privileges....but since you are running Vista, you should be doing the same....Scanning now- will post back results.... Link to post Share on other sites More sharing options...
John L. Galt Posted November 4, 2007 Author ID:9519 Share Posted November 4, 2007 Still got 2 left.Malwarebytes' Anti-Malware Version 0.69Database version: 184This logfile was saved before the removal process. Scan type: Quick ScanObjects scanned: 16426 Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 2Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0 Memory Processes Infected:(No malicious items detected) Memory Modules Infected:(No malicious items detected) Registry Keys Infected:HKEY_CLASSES_ROOT\Typelib\{2d5e2d34-bed5-4b9f-9793-a31e26e6806e} (Adware.Hotbar) -> No action taken.HKEY_CLASSES_ROOT\Interface\{38f95b22-32bf-4378-b3ec-47b2c09de1f5} (Adware.Hotbar) -> No action taken. Registry Values Infected:(No malicious items detected) Registry Data Items Infected:(No malicious items detected) Folders Infected:(No malicious items detected) Files Infected:(No malicious items detected)The first is an entry from Logitech Setpoint software (which is why it was not in LoneWolf's original list, giving him 41 and me 42).The second is another COM object, this one being IAddressList.I ran a full scan earlier (after posting) with the old 183 defs but it found the same 42 as the quick scan, so I am assuming that this time around it will do the same - hence my running of the quick scan. Link to post Share on other sites More sharing options...
Hardhead Posted November 4, 2007 ID:9526 Share Posted November 4, 2007 My database got currupted somehow in Vista.Uninstall and reinstalled seemed to fix the problem and I have #184 now.I don't get any logfile report after quick scan completed but did get the prompt that No malicious were detected, click 'Main menu'. Log file is empty too.Is that normal now when nothing is found? Link to post Share on other sites More sharing options...
nosirrah Posted November 4, 2007 ID:9529 Share Posted November 4, 2007 I'm just the database guy , Marcin will have to chime in on the other part . Link to post Share on other sites More sharing options...
nosirrah Posted November 4, 2007 ID:9537 Share Posted November 4, 2007 FPs should be gone . Link to post Share on other sites More sharing options...
Recommended Posts