false positive

Ftracy3

Hi, see below. The Kaspersky forum said this was a false positive related to my network adapter. And I don't understand how this can show a system32\SYSTEM32. I don't see it or either of these files in Explorer.

Is this false, and will deleting these files/keys hurt anything? Thanks for any response.

Malwarebytes' Anti-Malware 1.38

Database version: 2365

Windows 6.0.6001 Service Pack 1

7/3/2009 9:03:39 AM

mbam-log-2009-07-03 (09-03-33).txt

Scan type: Quick Scan

Objects scanned: 89021

Time elapsed: 3 minute(s), 20 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 1

Folders Infected: 2

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken. [5138494534363830414438586445483634456446343641424738615248395356345138614674688380848071856156747969808884613686838370798555708384748079614980777468747084613889817780837083934780346885748770377084768580813673667972708430181301 17]

Folders Infected:

C:\Windows\System32\SYSTEM32 (Trojan.Agent) -> No action taken. [3742513036276156747969808884618490848570782019615290848570782019]

c:\Windows\System32\SYSTEM32\DRIVERS (Trojan.Agent) -> No action taken. [3742513036276156747969808884618490848570782019615290848570782019]

Files Infected:

c:\Windows\System32\SYSTEM32\DRIVERS\rtl8187.sys (Trojan.Agent) -> No action taken. [3742513036276156747969808884618490848570782019615290848570782019]

c:\Windows\System32\SYSTEM32\DRIVERS\rtl8187B.sys (Trojan.Agent) -> No action taken. [3742513036276156747969808884618490848570782019615290848570782019]
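As an added triage aid (not code from the thread or from Malwarebytes), the following Python parses the log format quoted above into one record per detection and flags any path containing a doubled directory name such as System32\SYSTEM32, so those entries can be checked against the driver's real location before anything is deleted. The sample lines are constructed from the post; the bracketed tails are placeholders for the log's opaque blobs.

```python
import re

# Constructed sample in the Malwarebytes 1.38 log format quoted in the post.
# "[PLACEHOLDER]" stands in for the log's opaque bracketed blobs.
SAMPLE_LOG = r"""
Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken. [PLACEHOLDER]

Folders Infected:

C:\Windows\System32\SYSTEM32 (Trojan.Agent) -> No action taken. [PLACEHOLDER]

Files Infected:

c:\Windows\System32\SYSTEM32\DRIVERS\rtl8187.sys (Trojan.Agent) -> No action taken. [PLACEHOLDER]

c:\Windows\System32\drivers\rtl8187se.sys (Trojan.Agent) -> No action taken. [PLACEHOLDER]
"""

# A section heading is e.g. "Folders Infected:" (the summary lines end in a count).
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# A detection line: <path> (<detection>) -> <action> [optional trailing blob]
ENTRY_RE = re.compile(
    r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+?)(?: \[[^\]]*\])?$"
)


def parse_log(text):
    """Return one dict per detection line, tagged with the section it sits under."""
    section, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = ENTRY_RE.match(line)
        if m and section:
            entries.append({"section": section, **m.groupdict()})
    return entries


def repeated_segments(path):
    """Adjacent path components that repeat ignoring case (System32 then SYSTEM32)."""
    parts = [p for p in path.split("\\") if p]
    return [b.lower() for a, b in zip(parts, parts[1:]) if a.lower() == b.lower()]


def triage(text):
    """Annotate each entry with the doubled directory name, or None if the path is sane."""
    out = []
    for e in parse_log(text):
        dup = repeated_segments(e["path"])
        e["doubled_dir"] = dup[0] if dup else None
        out.append(e)
    return out
```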


Staff

System32\SYSTEM32 <- see the double system32, this is the problem here.

Where are you getting these drivers from? Is it their website or an older disk? There is a bug in the version of the driver installer that you are using; it is creating and using folders that should not ever exist.


Agreed, and that's what's so weird about this. I don't see the SYSTEM32 subfolder for system32; the system is set to show invisible files. Neither of the two flagged files (rtl8187.sys and rtl8187B.sys) appears to exist anywhere either. There is an rtl8187se.sys in my system32 folder, but no additional SYSTEM32 subfolder where the supposedly infected files exist. Any ideas as to why this would identify a folder and files that don't exist? Or, if they do, why I can't see them even though the system is set to show invisible files?

Looking up rtl8187se.sys it appears to be a realtek networking driver. It's a Gateway preconfigured machine so I'm assuming if it's necessary Gateway put it there.

Also, does that registry data mean anything?

Thanks for any additional guidance.


Staff

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.

This is just detecting that Active Desktop settings are locked and that MBAM can unlock them. There are both legit and non-legit causes for this, and since it is impossible to tell why this is set this way, we show the notification in case it was not intentional.

There is another problem with these drivers located where they are. MBAM did not link back to the service, which makes me think that the service points to the correct location and does not even load these files. Do you have hidden shown, system shown, or hidden and system shown? I can't tell from your log if you have removed these or not; did you? You can safely set all of these detections to ignore, as this seems to be a factory defect in their setup, not an actual problem.


No, I haven't removed anything, as I didn't want to screw up my system if this was false.

I'm set to view both system and hidden files (Vista 64, show hidden files checked, hide protected operating system files unchecked). And as far as I can tell this subfolder doesn't exist. Can you think of any explanation as to why I can't see a system32\SYSTEM32 subfolder that MBAM tells me is there?
