Ad-Aware says regedit.exe %1 is possible virus - anyone?

screen · External Since: Feb 21, 2006 Posts: 13

This is the Ad-Aware log comment.
Has anyone gotten this and is it a false positive?

Windows Object Recognized!
Type : RegData
Data : regedit.exe %1
TAC Rating : 3
Category : Vulnerability
Comment : Possible virus infection, REG file extension
compromised
Rootkey : HKEY_CLASSES_ROOT
Object : regfile\shell\open\command
Value :
Data : regedit.exe %1

Jake Dodd · External Since: Feb 11, 2006 Posts: 41

<screen.DeleteThis@blank.org> wrote in message news:vYWdnfIBYt2uKmfenZ2dnUVZ_vudnZ2d@giganews.com...
> This is the Ad-Aware log comment.
> Has anyone gotten this and is it a false positive?

Yes.

Ad-Aware is alerting to a normal default value for this key.

Jake Dodd · External Since: Feb 11, 2006 Posts: 41

<screen.TakeThisOut@blank.org> wrote in message news:oPqdna0oNffuq2beRVn-gQ@giganews.com...

> I've done scans with several programs and can't find anything. Avast's
> response was:
>
> I'm not sure what it's trying to say, but "regedit.exe %1" is the default
> value for .reg files...

They are trying to tell you that this is not a detection of a malware file, but
is instead an alert on a registry key value. The default entry in the registry
for dealing with .reg files is to open them with the registry editor (regedit)
and that is what "regedit.exe %1" means (feed this invoked file represented
by "%1" to "regedit.exe") in the key value.

Ask Ad-Aware, not Avast! why they detect this.

Stephen Howe · External Since: Feb 22, 2006 Posts: 2

> This is the Ad-Aware log comment.
> Has anyone gotten this and is it a false positive?

Yes I have had that. I am not sure if I would regard it as a false positive.
After all with a REG file, running REGEDIT to open the contents is a
natural.
The problem is that this is a security hole. This troubles me greatly.

I recognise the need to run registry scripts but not just any.

Stephen Howe

screen · External Since: Feb 21, 2006 Posts: 13

"Stephen Howe" <sjhoweATdialDOTpipexDOTcom> wrote in
news:43fbc424$0$26032$cc9e4d1f@news.dial.pipex.com:

>> This is the Ad-Aware log comment.
>> Has anyone gotten this and is it a false positive?
>
> Yes I have had that. I am not sure if I would regard it as a false
> positive. After all with a REG file, running REGEDIT to open the
> contents is a natural.
> The problem is that this is a security hole. This troubles me greatly.
>
> I recognise the need to run registry scripts but not just any.
>
> Stephen Howe
>
>

For what it's worth, I just found these right under it in the registry
HKEY_Classes_Root:

RegWizCtrl.RegWizCtrl.1
Clsid
(Default) {50E5E3D1-C07E-11D0-B9FD-00A0249F6B00}

I also see something called Rend.rendezvous.1

Should I backup the registry and delete those Regwizctrl keys?

It seems like if these are spyware or part of a virus, no AV program or
Spyware program is catching it (and I have numerous ones running along
with constant regcleaners).

screen · External Since: Feb 21, 2006 Posts: 13

"Stephen Howe" <sjhoweATdialDOTpipexDOTcom> wrote in
news:43fbc424$0$26032$cc9e4d1f@news.dial.pipex.com:

>> This is the Ad-Aware log comment.
>> Has anyone gotten this and is it a false positive?
>
> Yes I have had that. I am not sure if I would regard it as a false
> positive. After all with a REG file, running REGEDIT to open the
> contents is a natural.
> The problem is that this is a security hole. This troubles me greatly.
>
> I recognise the need to run registry scripts but not just any.
>
> Stephen Howe
>
>
>

So what's the solution? Avast doesn't seem to find anything on the OS
drive and neither did Trend Micro or Kaspersky. Hijackthis doesn't show
anything other than programs I know that are loading and the Google search
stuff.