False pos Fake Driver?

[Opalfruit]

mbam_log_2009_03_10__19_20_49_.txt is this a false positive? Superantispyware doesn't detect by the way great program thanks

mbam_log_2009_03_10__19_20_49_.txt

[Opalfruit]

sorry it would be better if i just did this

Malwarebytes' Anti-Malware 1.34

Database version: 1832

Windows 6.0.6001 Service Pack 1

10/03/2009 19:21:08

mbam-log-2009-03-10 (19-20-49).txt

Scan type: Quick Scan

Objects scanned: 75369

Time elapsed: 4 minute(s), 14 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WS2IFSL (Fake.Driver) -> No action taken.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

is it false or not as i said SAS doesnt detect but that could just be cos MBAM is better than SAS

[exile360]

Greetings. If you wouldn't mind, please post a developer log by going to Start clicking on Run and typing the following in the Run box and hitting enter (or you can copy and paste it):

mbam /developer

Then run the quick scan when MBAM opens and post the resulting log here.

Thanks.

[Sergeant Sykes]

I have the same problem.

Here's the log:

Malwarebytes' Anti-Malware 1.34

Database version: 1832

Windows 6.0.6001 Service Pack 1

2009-03-10 20:37:31

mbam-log-2009-03-10 (20-37-25).txt

Scan type: Quick Scan

Objects scanned: 53187

Time elapsed: 38 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WS2IFSL (Fake.Driver) -> No action taken. [3857535134304144385864454836344564463436414247386152585253384661368683837079853

68079858380775270856152708387746870846156521942395245]

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

[oth]

I got the same thing...definately looks like a false positive as I got rid of it and I couldn't connect to the internet after the reboot...thank god for quarantine!

Malwarebytes' Anti-Malware 1.34

Database version: 1832

Windows 5.1.2600 Service Pack 3

10/03/2009 7:39:10 PM

mbam-log-2009-03-10 (19-39-05).txt

Scan type: Quick Scan

Objects scanned: 78662

Time elapsed: 12 minute(s), 1 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WS2IFSL (Fake.Driver) -> No action taken. [3857535134304144385864454836344564463436414247386152585253384661368683837079853

68079858380775270856152708387746870846156521942395245]

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

[Gman]

I have the same concerns.

I ran a search for the file this flag references and only found the two (both v5.1.2600.0) apparently added by MS to the original WinXP installation CD back in 2001 (one in C:\WINDOWS\system32\dllcache\ws2ifsl.sys, the other in C:\WINDOWS\system32\drivers\ws2ifsl.sys). Neither of these appear to be fake drivers.

Malwarebytes' Anti-Malware 1.34

Database version: 1832

Windows 5.1.2600 Service Pack 3

3/10/2009 3:39:05 PM

MBAM 2009-03-10.txt

Scan type: Quick Scan

Objects scanned: 74552

Time elapsed: 2 minute(s), 7 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WS2IFSL (Fake.Driver) -> No action taken. [3857535134304144385864454836344564463436414247386152585253384661368683837079853

68079858380775270856152708387746870846156521942395245]

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

[Daveski17]

I noticed that my computer was acting strange & slow. It seemed to have great difficulty in clicking off browsers. I did an MBAM scan & it found a Fake Driver. I have this now in quarantine. My laptop seems to be working far better. Is this a false positive?

FAKE DRIVER HKEY_LOCAL_MACHINE\SYSTEM\C...22275

I have it in quarantine, so I suppose I can put it back with restore, but my computer seems a lot healthier now.

[Buddel]

MBAM also found this FAKE.DRIVER on my machine. Seems to be a false positive.

[starr3882]

I got this too...I quarantined it, rebooted like it asked me to, rescanned (came up clean) and then proceeded on with my tasks....Been using the computer for an hour now, not seen any adverse effects to quarantining it...

Should I leave it quarantined or not?

[mona7865]

And same "problem" here too:

Malwarebytes' Anti-Malware 1.34

Database version: 1832

Windows 5.1.2600 Service Pack 3

10/03/2009 21:27:40

mbam-log-2009-03-10 (21-27-37).txt

Scan type: Quick Scan

Objects scanned: 76458

Time elapsed: 2 minute(s), 7 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WS2IFSL (Fake.Driver) -> No action taken. [3857535134304144385864454836344564463436414247386152585253384661368683837079853

68079858380775270856152708387746870846156521942395245]

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

[leofelix]

Registry Keys Infected:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WS2IFSL (Fake.Driver) -> No action taken. [385753513430414438586445483634456446343641424738615258525338466136868383707985368079858380775270856152708387746870846156521942395245]

Hi all

got same problem on three of my PC's (a laptop running XP Home SP 3, antoher laptop running Vista Home Premium SP 1 and a desktop PC running XP SP 3) when updated MBAM to database: 1832

SUPERAntiSpyware free and SpyBot Search and Destroy dind't catch any sign of infection.

I use Comodo Internet Security 3.8 (with no antivirus included and with no toolbar) and Avira PREMIUM 8.2.

I found this article related

http://www.pandasecurity.com/enterprise/se...;idvirus=150198

I Suppose Comodo IS 3.8 was flagged as malware, I think is a false positive.

Regards

[Daveski17]

I restored the 'Fake Driver' from quarantine. SAS says I am clean. However I don't know how to get the log to come up. I have never had an FP before. So I haven't posted it. Will this be fixed on the next update?

[Portmanteau]

Just to add to the melee, here's my log;

Malwarebytes' Anti-Malware 1.34Database version: 1832Windows 6.0.6001 Service Pack 1
10/03/2009 21:40:59mbam-log-2009-03-10 (21-40-57).txt
Scan type: Quick ScanObjects scanned: 56416Time elapsed: 3 minute(s), 50 second(s)
Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 1Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0
Memory Processes Infected:(No malicious items detected)
Memory Modules Infected:(No malicious items detected)
Registry Keys Infected:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WS2IFSL (Fake.Driver) -> No action taken. [385753513430414438586445483634456446343641424738615258525338466136868383707985368079858380775270856152708387746870846156521942395245]
Registry Values Infected:(No malicious items detected)
Registry Data Items Infected:(No malicious items detected)
Folders Infected:(No malicious items detected)
Files Infected:(No malicious items detected)

[VietSushi]

Here's my log file, because I got this detection too. Windows Defender () doesn't find this but it does find a problem with my HOSTS file, which I too think is a FP.

Malwarebytes' Anti-Malware 1.34

Database version: 1832

Windows 6.0.6001 Service Pack 1

3/10/2009 4:39:43 PM

mbam-log-2009-03-10 (16-39-37).txt

Scan type: Quick Scan

Objects scanned: 58440

Time elapsed: 2 minute(s), 58 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WS2IFSL (Fake.Driver) -> No action taken.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

[leofelix]

Windows Defender () doesn't find this but it does find a problem with my HOSTS file, which I too think is a FP.

I had the same problem with Windows Defender. I'm sure is a false positive.

Please update Windows Defender, I think MS fixed this issue:)

sorry for O.T

[xx521xx]

I have the same Fake.Driver detection on my system.

Malwarebytes' Anti-Malware 1.34

Database version: 1832

Windows 5.1.2600 Service Pack 3

3/10/2009 5:15:53 PM

mbam-log-2009-03-10 (17-15-49).txt

Scan type: Full Scan (C:\|E:\|F:\|)

Objects scanned: 401998

Time elapsed: 51 minute(s), 13 second(s)

[...]

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WS2IFSL (Fake.Driver) -> No action taken.

[Mad Dog Vee]

I updated to latest MBAM and got the same result. I've been clean previously and the only change I've made to that system is install AVG Free 8.5.

I only have the Fake.Driver listed in the registry not in the %systemroot% - well at least on a quick scan.

The standard Microsoft system driver <System>\drivers\ws2ifsl.sys may be registered as a new service (if it is not already registered as a service) named "WS2IFSL", with a display name of "Windows Socket 2.0 Non-IFS Service Provider Support Environment" and a startup type of manual, creating registry entries under:

HKLM\SYSTEM\CurrentControlSet\Services\WS2IFSL\

This service should not be removed.

http://www.sophos.com/security/analyses/ad...l?_log_from=rss

Upper and lower case wouldn't make a difference in the regisry would it? Or is the registry like *nix and likes to differentiate between the cases?

[demonluo]

i got this too, is this a false positive?

Malwarebytes' Anti-Malware 1.34

Database version: 1832

Windows 6.0.6001 Service Pack 1

11/03/2009 06:43:55 AM

mbam-log-2009-03-11 (06-43-38).txt

Scan type: Quick Scan

Objects scanned: 62434

Time elapsed: 3 minute(s), 47 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WS2IFSL (Fake.Driver) -> No action taken.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

[Gman]

I updated to latest MBAM and got the same result. I've been clean previously and the only change I've made to that system is install AVG Free 8.5.

I only have the Fake.Driver listed in the registry not in the %systemroot% - well at least on a quick scan.

http://www.sophos.com/security/analyses/ad...l?_log_from=rss

Upper and lower case wouldn't make a difference in the regisry would it? Or is the registry like *nix and likes to differentiate between the cases?

No, for the most part, Windows doesn't care about upper/lower case except for passwords. Registry path statements are followed regardless of case.

[B-boy/StyLe/]

http://www.bleepingcomputer.com/startups/w....sys-12029.html

[normishmael]

See this is why I love malwarebytes,false positives be damned.

In fact it is the false positives I love!

There is just nothing sweeter in the cyber world,

than a new copy of windows running on a reformated

partition,and few softwares give as amply an oppertunity

to revel in that feeling as Malwarebytes,with its penchant

for registry and windows system file false positives!!

Keep up the good work duck!!

[Graffin]

Having the same registry entry flagged as being a fake driver - is this definitely a false positive? I am forever paranoid.

[yardbird]

Here's my developer log do we remove it? quarantine it?

Malwarebytes' Anti-Malware 1.34

Database version: 1832

Windows 5.1.2600 Service Pack 3

3/10/2009 5:45:02 PM

mbam-log-2009-03-10 (17-44-49).txt

Scan type: Quick Scan

Objects scanned: 65865

Time elapsed: 6 minute(s), 4 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WS2IFSL (Fake.Driver) -> No action taken. [3857535134304144385864454836344564463436414247386152585253384661368683837079853

68079858380775270856152708387746870846156521942395245]

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

[Karol3]

I registered to post this VISTA HP. FAKE.DRIVER

Malwarebytes' Anti-Malware 1.34

Database version: 1832

Windows 6.0.6001 Service Pack 1

3/10/2009 8:59:25 PM

mbam-log-2009-03-10 (20-59-23).txt

Scan type: Quick Scan

Objects scanned: 55541

Time elapsed: 41 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WS2IFSL (Fake.Driver) -> No action taken. [3857535134304144385864454836344564463436414247386152585253384661368683837079853

68079858380775270856152708387746870846156521942395245]

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

[Raid]

This is a false positive. We are very sorry for the inconvenience caused. Please restore from Quarantine if you haven't already and update your database.