Opalfruit

False pos Fake Driver?

Sorry, it would be better if I just did this

Malwarebytes' Anti-Malware 1.34

Database version: 1832

Windows 6.0.6001 Service Pack 1

10/03/2009 19:21:08

mbam-log-2009-03-10 (19-20-49).txt

Scan type: Quick Scan

Objects scanned: 75369

Time elapsed: 4 minute(s), 14 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WS2IFSL (Fake.Driver) -> No action taken.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Is it false or not? As I said, SAS doesn't detect it, but that could just be cos MBAM is better than SAS :D

Greetings. If you wouldn't mind, please post a developer log by going to Start, clicking on Run, typing the following in the Run box, and hitting Enter (or you can copy and paste it):

mbam /developer

Then run the quick scan when MBAM opens and post the resulting log here.

Thanks.


I have the same problem.

Here's the log:

Malwarebytes' Anti-Malware 1.34

Database version: 1832

Windows 6.0.6001 Service Pack 1

2009-03-10 20:37:31

mbam-log-2009-03-10 (20-37-25).txt

Scan type: Quick Scan

Objects scanned: 53187

Time elapsed: 38 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WS2IFSL (Fake.Driver) -> No action taken. [385753513430414438586445483634456446343641424738615258525338466136868383707985368079858380775270856152708387746870846156521942395245]

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

I got the same thing... definitely looks like a false positive, as I got rid of it and I couldn't connect to the internet after the reboot... thank god for quarantine! :D

Malwarebytes' Anti-Malware 1.34

Database version: 1832

Windows 5.1.2600 Service Pack 3

10/03/2009 7:39:10 PM

mbam-log-2009-03-10 (19-39-05).txt

Scan type: Quick Scan

Objects scanned: 78662

Time elapsed: 12 minute(s), 1 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WS2IFSL (Fake.Driver) -> No action taken. [385753513430414438586445483634456446343641424738615258525338466136868383707985368079858380775270856152708387746870846156521942395245]

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


I have the same concerns.

I ran a search for the file this flag references and only found the two (both v5.1.2600.0) apparently added by MS to the original WinXP installation CD back in 2001 (one in C:\WINDOWS\system32\dllcache\ws2ifsl.sys, the other in C:\WINDOWS\system32\drivers\ws2ifsl.sys). Neither of these appears to be a fake driver.

Malwarebytes' Anti-Malware 1.34

Database version: 1832

Windows 5.1.2600 Service Pack 3

3/10/2009 3:39:05 PM

MBAM 2009-03-10.txt

Scan type: Quick Scan

Objects scanned: 74552

Time elapsed: 2 minute(s), 7 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WS2IFSL (Fake.Driver) -> No action taken. [385753513430414438586445483634456446343641424738615258525338466136868383707985368079858380775270856152708387746870846156521942395245]

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


I noticed that my computer was acting strange & slow. It seemed to have great difficulty in clicking off browsers. I did an MBAM scan & it found a Fake Driver. I have this now in quarantine. My laptop seems to be working far better. Is this a false positive?

FAKE DRIVER HKEY_LOCAL_MACHINE\SYSTEM\C...22275

I have it in quarantine, so I suppose I can put it back with restore, but my computer seems a lot healthier now.


I got this too...I quarantined it, rebooted like it asked me to, rescanned (came up clean) and then proceeded on with my tasks....Been using the computer for an hour now, not seen any adverse effects to quarantining it...

Should I leave it quarantined or not?


And same "problem" here too:

Malwarebytes' Anti-Malware 1.34

Database version: 1832

Windows 5.1.2600 Service Pack 3

10/03/2009 21:27:40

mbam-log-2009-03-10 (21-27-37).txt

Scan type: Quick Scan

Objects scanned: 76458

Time elapsed: 2 minute(s), 7 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WS2IFSL (Fake.Driver) -> No action taken. [385753513430414438586445483634456446343641424738615258525338466136868383707985368079858380775270856152708387746870846156521942395245]

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WS2IFSL (Fake.Driver) -> No action taken. [385753513430414438586445483634456446343641424738615258525338466136868383707985368079858380775270856152708387746870846156521942395245]

Hi all,

I got the same problem on three of my PCs (a laptop running XP Home SP 3, another laptop running Vista Home Premium SP 1 and a desktop PC running XP SP 3) when I updated MBAM to database 1832.

SUPERAntiSpyware free and SpyBot Search and Destroy didn't catch any sign of infection.

I use Comodo Internet Security 3.8 (with no antivirus included and with no toolbar) and Avira PREMIUM 8.2.

I found this related article:

http://www.pandasecurity.com/enterprise/se...;idvirus=150198

I suppose Comodo IS 3.8 was flagged as malware; I think it is a false positive.

Regards


I restored the 'Fake Driver' from quarantine. SAS says I am clean. However I don't know how to get the log to come up. I have never had an FP before. So I haven't posted it. Will this be fixed on the next update?


Just to add to the melee, here's my log;

Malwarebytes' Anti-Malware 1.34
Database version: 1832
Windows 6.0.6001 Service Pack 1
10/03/2009 21:40:59
mbam-log-2009-03-10 (21-40-57).txt
Scan type: Quick Scan
Objects scanned: 56416
Time elapsed: 3 minute(s), 50 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WS2IFSL (Fake.Driver) -> No action taken. [385753513430414438586445483634456446343641424738615258525338466136868383707985368079858380775270856152708387746870846156521942395245]
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)


Here's my log file, because I got this detection too. Windows Defender (:D) doesn't find this but it does find a problem with my HOSTS file, which I too think is a FP.

Malwarebytes' Anti-Malware 1.34

Database version: 1832

Windows 6.0.6001 Service Pack 1

3/10/2009 4:39:43 PM

mbam-log-2009-03-10 (16-39-37).txt

Scan type: Quick Scan

Objects scanned: 58440

Time elapsed: 2 minute(s), 58 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WS2IFSL (Fake.Driver) -> No action taken.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Windows Defender (:D) doesn't find this but it does find a problem with my HOSTS file, which I too think is a FP.

I had the same problem with Windows Defender. I'm sure it is a false positive.

Please update Windows Defender, I think MS fixed this issue :)

Sorry for the O.T.

I have the same Fake.Driver detection on my system.

Malwarebytes' Anti-Malware 1.34

Database version: 1832

Windows 5.1.2600 Service Pack 3

3/10/2009 5:15:53 PM

mbam-log-2009-03-10 (17-15-49).txt

Scan type: Full Scan (C:\|E:\|F:\|)

Objects scanned: 401998

Time elapsed: 51 minute(s), 13 second(s)

[...]

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WS2IFSL (Fake.Driver) -> No action taken.


I updated to latest MBAM and got the same result. I've been clean previously and the only change I've made to that system is install AVG Free 8.5.

I only have the Fake.Driver listed in the registry not in the %systemroot% - well at least on a quick scan.

The standard Microsoft system driver <System>\drivers\ws2ifsl.sys may be registered as a new service (if it is not already registered as a service) named "WS2IFSL", with a display name of "Windows Socket 2.0 Non-IFS Service Provider Support Environment" and a startup type of manual, creating registry entries under:

HKLM\SYSTEM\CurrentControlSet\Services\WS2IFSL\

This service should not be removed.

http://www.sophos.com/security/analyses/ad...l?_log_from=rss

Upper and lower case wouldn't make a difference in the registry, would it? Or is the registry like *nix and likes to differentiate between the cases?

I got this too, is this a false positive?

Malwarebytes' Anti-Malware 1.34

Database version: 1832

Windows 6.0.6001 Service Pack 1

11/03/2009 06:43:55 AM

mbam-log-2009-03-11 (06-43-38).txt

Scan type: Quick Scan

Objects scanned: 62434

Time elapsed: 3 minute(s), 47 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WS2IFSL (Fake.Driver) -> No action taken.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

I updated to latest MBAM and got the same result. I've been clean previously and the only change I've made to that system is install AVG Free 8.5.

I only have the Fake.Driver listed in the registry not in the %systemroot% - well at least on a quick scan.

http://www.sophos.com/security/analyses/ad...l?_log_from=rss

Upper and lower case wouldn't make a difference in the registry, would it? Or is the registry like *nix and likes to differentiate between the cases?

No, for the most part, Windows doesn't care about upper/lower case except for passwords. Registry path statements are followed regardless of case.
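An added example, not part of any post in this thread: a triage check that pulls registry detections out of an MBAM log and compares the flagged key with the documented WS2IFSL service described above, matching key paths case-insensitively as the reply explains. The names `BASELINE`, `norm_key` and `triage`, the accepted `ImagePath` spellings and the sample host values are assumptions made for illustration.

```python
import re

# Baseline for the legitimate service, from the vendor write-up quoted in the thread.
# Start == 3 is the registry encoding of a "manual" startup type. The accepted
# ImagePath spellings are an assumption about how the driver path is stored.
BASELINE = {
    r"HKLM\SYSTEM\CurrentControlSet\Services\WS2IFSL": {
        "DisplayName": "Windows Socket 2.0 Non-IFS Service Provider Support Environment",
        "ImagePath": (r"system32\drivers\ws2ifsl.sys",
                      r"\systemroot\system32\drivers\ws2ifsl.sys"),
        "Start": 3,
    }
}
HIVES = {"hklm": "hkey_local_machine", "hkcu": "hkey_current_user"}
# Detection line format as it appears in the logs; developer logs add a [digits] suffix.
DETECTION = re.compile(r"^(HKEY_\w+\\.+?) \(([\w.]+)\) -> (.*?)(?: \[\d+\])?$", re.M)

def norm_key(path):
    """Key paths are case-insensitive: fold case and expand hive abbreviations."""
    hive, _, rest = path.strip().rstrip("\\").partition("\\")
    hive = hive.casefold()
    return HIVES.get(hive, hive) + "\\" + rest.casefold()

def matches_baseline(expected, observed):
    image = str(observed.get("ImagePath", "")).casefold()
    return (observed.get("DisplayName") == expected["DisplayName"]
            and image in expected["ImagePath"]
            and observed.get("Start") == expected["Start"])

def triage(log_text, host_values):
    """Return (key, signature, verdict) for each registry detection in the log."""
    baseline = {norm_key(k): v for k, v in BASELINE.items()}
    host = {norm_key(k): v for k, v in host_values.items()}
    results = []
    for key, signature, _action in DETECTION.findall(log_text):
        k = norm_key(key)
        if k not in baseline:
            verdict = "no baseline: investigate"
        elif k in host and matches_baseline(baseline[k], host[k]):
            verdict = "matches documented service: possible false positive"
        else:
            verdict = "deviates from documented service: investigate"
        results.append((key, signature, verdict))
    return results

# Constructed sample input: a detection line in the log format above, and host
# values as a registry export might show them (illustrative, not from a real host).
SAMPLE_LOG = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WS2IFSL (Fake.Driver) -> No action taken."
SAMPLE_HOST = {r"hklm\system\currentcontrolset\services\ws2ifsl": {
    "DisplayName": "Windows Socket 2.0 Non-IFS Service Provider Support Environment",
    "ImagePath": r"\SystemRoot\System32\drivers\ws2ifsl.sys",
    "Start": 3,
}}
print(triage(SAMPLE_LOG, SAMPLE_HOST))
```

A key that matches the baseline is a candidate to report to the vendor and leave in place; one that carries the same name but a different driver path or start type still needs investigation.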

See, this is why I love Malwarebytes, false positives be damned.

In fact it is the false positives I love!

There is just nothing sweeter in the cyber world,

than a new copy of Windows running on a reformatted

partition, and few softwares give as amply an opportunity

to revel in that feeling as Malwarebytes, with its penchant

for registry and Windows system file false positives!!

Keep up the good work duck!!


Having the same registry entry flagged as being a fake driver - is this definitely a false positive? I am forever paranoid.

Here's my developer log. Do we remove it? Quarantine it?

Malwarebytes' Anti-Malware 1.34

Database version: 1832

Windows 5.1.2600 Service Pack 3

3/10/2009 5:45:02 PM

mbam-log-2009-03-10 (17-44-49).txt

Scan type: Quick Scan

Objects scanned: 65865

Time elapsed: 6 minute(s), 4 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WS2IFSL (Fake.Driver) -> No action taken. [385753513430414438586445483634456446343641424738615258525338466136868383707985368079858380775270856152708387746870846156521942395245]

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


I registered to post this VISTA HP. FAKE.DRIVER

Malwarebytes' Anti-Malware 1.34

Database version: 1832

Windows 6.0.6001 Service Pack 1

3/10/2009 8:59:25 PM

mbam-log-2009-03-10 (20-59-23).txt

Scan type: Quick Scan

Objects scanned: 55541

Time elapsed: 41 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WS2IFSL (Fake.Driver) -> No action taken. [385753513430414438586445483634456446343641424738615258525338466136868383707985368079858380775270856152708387746870846156521942395245]

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


This is a false positive. We are very sorry for the inconvenience caused. Please restore from Quarantine if you haven't already and update your database.
