Malwarebytes Removing System File ntdll.dll


As of this morning at 4:47am EST Malwarebytes began removing the following file.

 

C:\Windows\System32\ntdll.dll

 

Around the same time I began getting reports of systems boot looping. I have added the file to the ignore list and sent a command from the console to restore this file on all machines. Hopefully any system that has not been rebooted will restore this file.

 

I am now looking at ways to easily resolve this issue on the affected system.

I got a hold of a Windows 7 Enterprise laptop that was missing the file. Letting startup repair run on that system restored the file.

 

I have a script running on all my machines now to let me know if the file was not restored, but nothing so far.

 

So once again, just the ones that were rebooted in the past few hours are looping.

I am also seeing this false detection on multiple machines this morning:

 

- Managed Client Version - 1.5.0.2701
- AntiMalware Engine - 1.75.0.1300
- Database Version - v2015.07.23.02

 

And yes, if you reboot after the detection the machine will blue-screen.  We are attempting a Windows Repair install using a Windows CD to prevent loss of data.  Will post our results.

From another thread: https://forums.malwarebytes.org/index.php?/topic/170829-windows-system32-ntdlldll-being-reported-as-trojanfakemsed/?p=978300

 

Doesn't do those of us that have dead machines any good... Still no response to my ticket. Anyone get one?

 

"Posted Today, 09:35 AM

 

NTDLL.Dll detection issue has been fixed with database version 2015.07.23.03

Please make sure to update to that version or higher.

It was a false positive that was in the DB for a short time.

 

For those using the premium with the Protection Module, once you update MBAM, you will need to shut MBAM down & restart it for new defs to kick in."

Zero response from Malwarebytes sales or support so far. We were able to find the license email, it was emailed to an ex-employee's inbox. I don't know why they had to change their license code structure and break it, it should have just renewed as it has in previous years. I can't believe they'd release an update that would false positive on an important OS file, you'd think they would do a simple QA scan against a folder full of known good OS files before releasing to the wild and causing OS damage and systems not to boot. Very poor support from an otherwise good product. :(

I have found a fix for this.

Ntdll.dll is a protected file and it is set to be removed on reboot, hence the bluescreen when it tries to do this.

In my case I removed the XML log files from the logs directory in the Malwarebytes folder in ProgramData and then, on the first machine I tried, I rebooted and the machine booted to the login screen. On a second it went through a registry check and then rebooted to Windows recovery.

Once in recovery I went to advanced recovery and, using the command prompt, checked for the presence of ntdll.dll in the windows\system32 folder. It was missing, so I copied one of the several renamed copies of this file from the Malwarebytes quarantine folder on the local machine, renamed it ntdll.dll, and then rebooted; the machine booted up to a login screen.

The key points:
  • Stop Malwarebytes removing the protected system file to stop the bluescreen
  • Replace the Ntdll.dll file with either one from quarantine or another machine

  • Staff

Zero response from Malwarebytes sales or support so far. We were able to find the license email, it was emailed to an ex-employee's inbox. I don't know why they had to change their license code structure and break it, it should have just renewed as it has in previous years. I can't believe they'd release an update that would false positive on an important OS file, you'd think they would do a simple QA scan against a folder full of known good OS files before releasing to the wild and causing OS damage and systems not to boot. Very poor support from an otherwise good product. :(

 

We are currently analyzing the situation and we are sorry for any inconvenience this may have caused.

 

To answer a few of your questions/concerns:

  • you'd think they would do a simple QA scan against a folder full of known good OS files before releasing to the wild
    • We do have False Positive tests in regards to new databases being pushed out.  This had fallen through the cracks and we are currently analyzing exactly why this happened in the first place.
  • Zero response from Malwarebytes sales or support so far
    • We are doing our best to address each issue as they come up and if you still do not get a response, Marcin had responded in another thread that you can also respond directly to him as well.

Please bear with us as we try to analyze and find the best solution that we can for anyone that this has inconvenienced.

I started manually copying a replacement DLL to many PCs this evening and in each case this fixed it. What I noticed was the DLL was present on each system, but it was damaged/corrupt. It appears that Malwarebytes tried to restore it as I requested, but the restored copy is not good.

 

Going to have to fix all of these the hard way. Hands on.
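Two of the posts above describe the same operational need: a script that reports which machines did not get ntdll.dll restored, and later the discovery that a "restored" copy can be present yet damaged. The following is an added example written for this thread; it is not a script from the thread, from the poster, or from Malwarebytes. It checks whether the file is missing, whether it still has a sane PE header, what Authenticode reports, and (optionally) whether it hashes the same as a known-good copy taken from an unaffected machine of the same build. The function names (Test-NtdllHealth, Test-PeHeader, Get-Sha256Hex), the report fields and the $ReferencePath share are all assumptions of this example.

```powershell
# Added example, not code from the thread or from Malwarebytes.
# Purpose: report whether ntdll.dll on this host is missing, structurally damaged,
# or different from a known-good copy, so the console can flag the machine before
# it is rebooted into a boot loop. Assumed: run elevated; $ReferencePath is a
# hypothetical share holding ntdll.dll copied from an unaffected machine with the
# same OS build and architecture (the copy-from-another-machine approach in the thread).
param(
    [string]$TargetPath    = (Join-Path $env:SystemRoot 'System32\ntdll.dll'),
    [string]$ReferencePath = '\\fileserver\knowngood\ntdll.dll'   # hypothetical; adjust
)

function Get-Sha256Hex {
    # SHA-256 through .NET so this also runs on PowerShell 2.0 (Windows 7), which
    # has no Get-FileHash cmdlet.
    param([string]$Path)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $sha.ComputeHash($stream) }
    finally { $stream.Close(); $sha.Clear() }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '')
}

function Test-PeHeader {
    # Cheap structural check: 'MZ' stub, e_lfanew inside the file, 'PE\0\0' at e_lfanew.
    # A truncated or zero-filled "restored" copy fails this even though the file exists.
    param([string]$Path)
    $b = [System.IO.File]::ReadAllBytes($Path)
    if ($b.Length -lt 0x40 -or $b[0] -ne 0x4D -or $b[1] -ne 0x5A) { return $false }
    $peOffset = [System.BitConverter]::ToInt32($b, 0x3C)
    if ($peOffset -lt 0x40 -or ($peOffset + 4) -gt $b.Length) { return $false }
    return ($b[$peOffset] -eq 0x50 -and $b[$peOffset + 1] -eq 0x45 -and
            $b[$peOffset + 2] -eq 0 -and $b[$peOffset + 3] -eq 0)
}

function Test-NtdllHealth {
    param([string]$Path, [string]$Reference)
    $r = New-Object PSObject -Property @{
        ComputerName = $env:COMPUTERNAME; Path = $Path; Present = $false
        FileVersion = $null; SignatureStatus = 'NotChecked'
        MatchesReference = 'NotChecked'; Verdict = 'UNKNOWN'
    }

    # State reported early in the thread: the file was deleted outright.
    if (-not (Test-Path -LiteralPath $Path)) { $r.Verdict = 'MISSING'; return $r }
    $r.Present     = $true
    $r.FileVersion = (Get-Item -LiteralPath $Path).VersionInfo.FileVersion

    # State reported later in the thread: file present but damaged.
    if (-not (Test-PeHeader $Path)) { $r.Verdict = 'CORRUPT'; return $r }

    # Caveat: ntdll.dll is catalog-signed. PowerShell 2.0/3.0 on Windows 7 reports
    # catalog-signed files as NotSigned, so NotSigned is treated as inconclusive here
    # and only a definite bad state (e.g. HashMismatch) counts as corrupt.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $r.SignatureStatus = $sig.Status.ToString()

    # Hash comparison against a known-good copy is the authoritative check when available.
    if ($Reference -and (Test-Path -LiteralPath $Reference)) {
        if ((Get-Sha256Hex $Path) -eq (Get-Sha256Hex $Reference)) { $r.MatchesReference = 'Yes' }
        else                                                       { $r.MatchesReference = 'No' }
    }

    if     ($r.MatchesReference -eq 'Yes')       { $r.Verdict = 'OK' }
    elseif ($r.MatchesReference -eq 'No')        { $r.Verdict = 'DIFFERS_FROM_REFERENCE' }
    elseif ($r.SignatureStatus  -eq 'Valid')     { $r.Verdict = 'OK' }
    elseif ($r.SignatureStatus  -eq 'NotSigned') { $r.Verdict = 'UNVERIFIED' }
    else                                         { $r.Verdict = 'CORRUPT' }
    return $r
}

$report = Test-NtdllHealth -Path $TargetPath -Reference $ReferencePath
$report | Format-List ComputerName, Path, Present, FileVersion, SignatureStatus, MatchesReference, Verdict

# A non-zero exit code lets the console task that ran the script mark this host
# as needing hands-on repair rather than an unattended reboot.
if ($report.Verdict -eq 'OK') { exit 0 } else { exit 1 }
```

Run it from the management console as an elevated scheduled task on every managed host and collect the exit code: anything other than 0 means the machine should not be rebooted until the file has been replaced from quarantine or from a healthy machine. Supplying a reference copy matters most on Windows 7, where the Authenticode check alone cannot confirm a catalog-signed file, and a DIFFERS_FROM_REFERENCE verdict on a host with a different patch level is expected rather than alarming; the FileVersion field is there so those can be told apart from genuinely damaged files.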
