
Thread: Malware/Trojan or FP?

  1. #1
    Junior Member
    Join Date
    Feb 2007
    Posts
    2

    Malware/Trojan or FP?

    Spybot encountered the following when last run:

    Problem
    Microsoft.Windows.FileExe
    Settings
    HKEY_CLASSES_ROOT\.exe\!=exefile

    Threat: Hijacked Windows Setting

    Description:
    This entry will show up if the filetype association for exefile has been changed. This can be done by trojans or malware which try to load their executable with any exe the user wants to start.

    No other spyware/av/firewall has detected this, so could it be a false positive?

    System Info:
    Win98SE
    ZA Firewall
    Spybot SD
    Spywareblaster
    CCleaner
    AdAware
    F-Prot AV

    All with current signature updates. Below is the report detail from Spybot.

    TIA for any/all assistance.




    Microsoft.Windows.FileExe: Settings (Registry change, nothing done)
    HKEY_CLASSES_ROOT\.exe\!=exefile


    --- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

    2007-01-19 unins000.exe (51.41.0.0)
    2005-05-31 blindman.exe (1.0.0.1)
    2005-05-31 SpybotSD.exe (1.4.0.3)
    2005-05-31 TeaTimer.exe (1.4.0.2)
    2005-05-31 Update.exe (1.4.0.0)
    2007-01-15 advcheck.dll (1.2.1.0)
    2005-05-31 aports.dll (2.1.0.0)
    2005-05-31 borlndmm.dll (7.0.4.453)
    2005-05-31 delphimm.dll (7.0.4.453)
    2005-05-31 SDHelper.dll (1.4.0.0)
    2007-01-02 Tools.dll (2.0.1.0)
    2005-05-31 UnzDll.dll (1.73.1.1)
    2005-05-31 ZipDll.dll (1.73.2.0)
    2006-12-08 Includes\Dialer.sbi (*)
    2007-02-02 Includes\Cookies.sbi (*)
    2006-11-24 Includes\Hijackers.sbi (*)
    2006-10-27 Includes\Keyloggers.sbi (*)
    2007-01-12 Includes\Malware.sbi (*)
    2007-01-19 Includes\PUPS.sbi (*)
    2006-12-08 Includes\Security.sbi (*)
    2007-02-02 Includes\Spybots.sbi (*)
    2006-12-08 Includes\Trojans.sbi (*)
    2007-02-02 Includes\Revision.sbi (*)
    2005-02-17 Includes\Tracks.uti
    2003-11-12 Includes\QA Tests.sbi (*)
    2007-02-02 Includes\TrojansC.sbi (*)
    2004-08-11 Includes\plugin-ignore.ini
    2007-02-02 Includes\SpybotsC.sbi (*)
    2007-02-02 Includes\SecurityC.sbi (*)
    2007-02-02 Includes\PUPSC.sbi (*)
    2007-02-02 Includes\MalwareC.sbi (*)
    2007-02-02 Includes\KeyloggersC.sbi (*)
    2007-02-02 Includes\HijackersC.sbi (*)
    2007-02-02 Includes\DialerC.sbi (*)

  2. #2
    Member of Team Spybot (Buster)
    Join Date
    Oct 2005
    Location
    Bochum/Germany
    Posts
    389


    Please select "start"-> "run" and type "regedit" -> "ok". Now browse to "HKEY_CLASSES_ROOT"->".exe". Right click on ".exe" and select export. Please attach the exported .reg file to your next post. Thanks in advance!
    "The advantage of wisdom is that you can always act the fool. The opposite is quite tough."

    K. Tucholsky

    _______________________________________________________________

    Please help us improve Spybot and download our distributed testing client.

  3. #3
    Junior Member
    Join Date
    Feb 2007
    Posts
    2


    Thank you for your quick response. However, I did another scan with yesterday's update and it came up clean. Below is the section of the registry you requested. I don't use the ZA Mailsafe feature BTW.

    REGEDIT4

    [HKEY_CLASSES_ROOT\.exe]
    "Content Type"="application/x-msdownload"
    @="exefile"
    "ZAMailSafeExt"="zl9"
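
Added example, not part of the original posts and not Spybot's own code: a small Python check that parses a REGEDIT4 export like the one above and reports when the default value of `HKEY_CLASSES_ROOT\.exe` is not `exefile`. The `exefile\shell\open\command` default of `"%1" %*` is the stock Windows value and is included as an assumption beyond what the thread shows; the function names and the `CHANGED` sample are constructed for illustration.

```python
import re

# ".exe" -> "exefile" is the association Spybot reports on in this thread; the
# open-command default is the stock Windows value (assumption, not from the thread).
EXPECTED = {
    r"HKEY_CLASSES_ROOT\.exe": "exefile",
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": '"%1" %*',
}
# Matches name="data" lines; name is @ (the default value) or a quoted string.
_VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")\s*=\s*"((?:[^"\\]|\\.)*)"\s*$')

def _unescape(s):
    # .reg string data escapes backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text):
    """Parse string values from a REGEDIT4 export into {key: {name: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            m = _VALUE.match(line)
            if m:
                name = "@" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
                current[name] = _unescape(m.group(2))
    return keys

def check_exe_association(text):
    """Return (key, found, expected) for each exported default that differs."""
    keys = parse_reg(text)
    findings = []
    for key, expected in EXPECTED.items():
        if key not in keys:
            continue  # key is not part of this export; nothing to compare
        found = keys[key].get("@")
        if found is None or found.lower() != expected.lower():
            findings.append((key, found, expected))
    return findings

# The export from post #3 of this thread, reproduced as sample input.
POSTED = ('REGEDIT4\n\n[HKEY_CLASSES_ROOT\\.exe]\n'
          '"Content Type"="application/x-msdownload"\n@="exefile"\n"ZAMailSafeExt"="zl9"\n')
# Constructed sample of a changed association (not from the thread).
CHANGED = POSTED.replace('@="exefile"', '@="notexefile"')

if __name__ == "__main__":
    print("posted export:", check_exe_association(POSTED))
    print("changed sample:", check_exe_association(CHANGED))
```
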

  4. #4
    Member of Team Spybot (Buster)
    Join Date
    Oct 2005
    Location
    Bochum/Germany
    Posts
    389


    I tried to reproduce this behaviour with the information you gave us, but everything seems to be clean here. Did you fix this entry on your first scan?
