Heads-up: Lavasoft ad-aware false positives

Jim Howes

As spyware issues seem to pop up in this group, this is a copy of a report I
sent to SANS ISC, because Lavasoft only accept support mail from users of their
pay-for product (and if the free scanner throws false positives like this, I'm
not going to get the paid-up version any time soon...)

(Perhaps a Microsoft representative would like to verify the SHA1 checksums
below...)

Lavasoft fingered the Microsoft Internet Transfer Control
(%Windir%\System\MSINET.OCX) as malware a while back, and fixed it shortly after
I attempted to report it to them (but never bothered to respond to email).

It seems to be back in the current detections (SE1R126 12.10.2006)...

Win32.Trojan.Agent Object Recognized!
Type : Regkey
TAC Rating : 10
Category : Malware
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{48e59293-9880-11cf-9754-00aa00c00908}

Win32.Trojan.Agent Object Recognized!
Type : Regkey
TAC Rating : 10
Category : Malware
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{48e59291-9880-11cf-9754-00aa00c00908}

Win32.Trojan.Agent Object Recognized!
Type : Regkey
TAC Rating : 10
Category : Malware
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{48e59290-9880-11cf-9754-00aa00c00908}

The MSINET.OCX is the same one I reported before, and is still digitally signed
by Microsoft.

Also, this turned up...

Win32.Trojandownloader.Zlob Object Recognized!
Type : Regkey
TAC Rating : 10
Category : Malware
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{fe38753a-44a3-11d1-b5b7-0000c09000c4}

This is the Microsoft Flat Scrollbar Control 6.0 (SP4), and relates to
C:\WINNT\System32\MSCOMCT2.OCX, which is also digitally signed by Microsoft.

The sha1sums I have for the two OCX files on W2K SP4 are
c0c55de97f41a24bf50b2d08eb428371bb4a3cce *MSCOMCT2.OCX
4030e8e94297bc0aa5139fe241e8cf8f8142d8d4 *MSINET.OCX

MSIE is only used on this system for Windows Update purposes, and the system is
up to date to this week's updates (although it has no Office updates, because it
does not have any Office products).

I have shoved MSINET.OCX through virustotal before, so I have not done so again
(the wait is long enough as it is), and the results of MSCOMCT2.OCX are negative
across all scanners.

Finally, AdAware is also objecting to HKCU\Software\Microsoft\Internet
Explorer\Main having a non-standard "Window Title", suggesting it is part of the
same malware as MSINET.OCX. (It *is* nonstandard on this system, because I have
an IEAK-produced MSIE kit which I use to roll out up-to-date IEs onto new
machines, because it's faster than mucking about with MS Windows Update.)

Needless to say, I'm not about to let AdAware have its way with my registry today.
 
Peter

[snip]

Needless to say, I'm not about to let AdAware have its way with my
registry today.

Me too..

There appeared to be two releases of definitions yesterday, both named
'SE1R126 12.10.2006'.

The problem seems to have gone away in the second release, which carries
the flag 'Internal build : 156' (tested on an identical setup).

I spotted the 'Window Title' one, but in panic I let ad-aware deal with the
other entries. Do I need to re-register these OCXs?
 
Jim Howes

Peter said:
The problem seems to have gone away in the second release, which carries
the flag 'Internal build : 156' (tested on an identical setup).

I spotted the 'Window Title' one, but in panic I let ad-aware deal with the
other entries. Do I need to re-register these OCXs?

Probably. If you are really stuck, I could send you (or post) the appropriate
branches of my registry, however that is more likely to break things on your
system than fix them.

It probably depends on exactly what AdAware has done with the keys concerned.
Hopefully, it has just quarantined that selection, and can replace it.
Alternatively, I'd reinstall IE, and re-run Windows Update.

Have you noticed anything in particular not working?
A typical symptom would be Windows Update seeming to fail with one of its really
cryptic error messages.


This is the second time to my knowledge that AdAware has decided to finger
MSINET.OCX as malware despite it being a standard MS file. (File details are:
Version 6.0.88.62, "Microsoft Internet Transfer Control DLL", May 11 2000,
signed on 23-May-2000 01:02:15)

If in doubt, use REGEDIT to find the suspicious key (which you will find listed
in AdAware's log file) (rather obviously, do this before you let AdAware
shotgun your registry), and look around the CLSID, Interface, or Typelib
concerned for a handler. If it's in %WinDir%\System32, it's probably fine, but
check the digital signature by examining the file's properties with explorer.
If it is somewhere like 'Temporary Internet Files', Kill it. Now.

For what it is worth, the function DLLGetDocumentation in the MSINET.OCX (which
is actually a DLL) refers to MSINET.CHM, which should be in your windows HELP
directory. Opening that says:

The Internet Transfer control provides implementation of two of the most
widely used protocols on the Internet, HyperText Transfer Protocol (HTTP)
and File Transfer Protocol (FTP).


The other file, MSCOMCT2.OCX, also has a DLLGetDocumentation function, which
refers to a help file I don't have, although it didn't take long to find one
with Google. The help file confirms my guess (from the name) that it is a
common ActiveX control, and the registry mentions 'flat scroll bar', which seems
to tie up nicely.
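The manual check Jim describes above (find the handler behind the flagged CLSID, see where the file lives, inspect its signature, compare a hash) can be scripted. This is an added PowerShell example, not code from the thread; it is read-only, and the CLSIDs and SHA1 values it uses are the ones quoted in the posts.

```powershell
# Resolve a CLSID flagged by a scanner to its COM handler and report location, signature and SHA1.
function Test-ComHandler {
    param([Parameter(Mandatory)][string]$Clsid)   # e.g. '{48e59293-9880-11cf-9754-00aa00c00908}'

    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
    $result = [ordered]@{ Clsid = $Clsid; Handler = $null; Location = 'n/a'; Signature = 'n/a'; Signer = ''; Sha1 = '' }
    if (-not (Test-Path -LiteralPath $key)) {
        $result.Location = 'no InprocServer32 handler registered for this CLSID'
        return [pscustomobject]$result
    }

    # The key's default value is the path of the DLL/OCX implementing the control; expand %WinDir% etc.
    $raw  = (Get-ItemProperty -LiteralPath $key).'(default)'
    $path = [Environment]::ExpandEnvironmentVariables($raw).Trim('"')
    $result.Handler = $path
    if (-not (Test-Path -LiteralPath $path)) {
        $result.Location = 'handler file is missing (dangling registration)'
        return [pscustomobject]$result
    }

    # Location heuristic from the thread: the system directory is usually fine, a browser cache is not.
    $sysDir = [Environment]::GetFolderPath('System')
    if ($path.StartsWith($sysDir, [StringComparison]::OrdinalIgnoreCase)) {
        $result.Location = 'system directory'
    } elseif ($path -match 'Temporary Internet Files|\\Temp\\') {
        $result.Location = 'SUSPICIOUS: temporary/cache directory'
    } else {
        $result.Location = 'other (check manually)'
    }

    # Authenticode status; 'Valid' with a Microsoft signer is what the thread expects for these OCXs.
    $sig = Get-AuthenticodeSignature -FilePath $path
    $result.Signature = $sig.Status.ToString()
    if ($sig.SignerCertificate) { $result.Signer = $sig.SignerCertificate.Subject }

    # SHA1 so the file can be compared against a known-good value or submitted for analysis.
    $result.Sha1 = (Get-FileHash -LiteralPath $path -Algorithm SHA1).Hash.ToLower()
    return [pscustomobject]$result
}

# The two CLSIDs flagged in the thread and Jim's W2K SP4 hashes for the files behind them.
$knownGood = @{
    '4030e8e94297bc0aa5139fe241e8cf8f8142d8d4' = 'MSINET.OCX'
    'c0c55de97f41a24bf50b2d08eb428371bb4a3cce' = 'MSCOMCT2.OCX'
}
foreach ($clsid in '{48e59293-9880-11cf-9754-00aa00c00908}', '{fe38753a-44a3-11d1-b5b7-0000c09000c4}') {
    $r = Test-ComHandler -Clsid $clsid
    $r | Add-Member -NotePropertyName MatchesThreadHash -NotePropertyValue $knownGood.ContainsKey($r.Sha1) -PassThru
}
```

On 64-bit Windows a 32-bit OCX registers under HKEY_CLASSES_ROOT\WOW6432Node\CLSID instead, so adjust $key if the lookup comes back empty; a hash mismatch on a newer service pack is expected and only means a different file version, not malware.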
 
Peter

[ long, detailed, and much-appreciated reply snipped ]

This is the second time to my knowledge that AdAware has decided to
finger MSINET.OCX as malware despite it being a standard MS file.
(File details are: Version 6.0.88.62, "Microsoft Internet Transfer
Control DLL", May 11 2000, signed on 23-May-2000 01:02:15)

Panic over.

In the course of much messing about with my system, I managed to delete the
ad-aware backup, so restoring from that was not an option.

The only app I use msinet.ocx in is still working correctly and nothing
else seems to be amiss. If anything falls over in the near future, I shall
know where to look first.

Out of curiosity, I reinstated build 155 definitions and re-ran ad-aware.

To my surprise, the false-positives were still being reported, which would
appear to indicate that ad-aware *didn't* remove these entries when it was
told to.

This does not inspire confidence, but I suppose I get what I paid for.

Many thanks for your assistance.