Possible false positive trojan fake ms

23 minutes ago, djacobson said:

The update is "November, 2016 Security Monthly Quality Rollup for Windows 7 and Windows Server 2008 R2 for x64-based Systems (KB3197868)" - https://support.microsoft.com/en-us/kb/3197868

You can get a clean example of the kernel32.dll file by downloading a standalone version package of the update and expanding from the cab - http://catalog.update.microsoft.com/v7/site/search.aspx?q=3197868

3197868 file information.csv

That helps, we are systemically removing the Microsoft update.

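The post above points at the standalone KB3197868 package as the source of a known-good kernel32.dll. The following PowerShell is an added example, not code from the thread or from Malwarebytes: it expands the downloaded .msu, pulls the two kernel32.dll payloads out of the inner cabinet (the amd64_ component is the System32 file, the wow64_ component is the SysWOW64 file) and compares their SHA-256 hashes and file versions against what is on disk. The .msu filename and working directory are assumptions; adjust them to whatever the Update Catalog download was saved as.

```powershell
# Added example (not from the thread or the Malwarebytes article): compare the installed
# kernel32.dll files with the copies carried in the KB3197868 standalone package.
# Assumptions: the .msu was downloaded manually from the Update Catalog to $MsuPath; the
# filename and $WorkDir are illustrative.
param(
    [string]$MsuPath = "C:\Temp\windows6.1-kb3197868-x64.msu",   # assumed filename
    [string]$WorkDir = "C:\Temp\kb3197868"
)

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# An .msu is itself a cabinet: expand it, then expand the payload .cab it contains.
# WSUSSCAN.cab only carries detection metadata, so skip it.
expand.exe -F:* $MsuPath $WorkDir | Out-Null
Get-ChildItem -Path $WorkDir -Filter *.cab |
    Where-Object { $_.Name -ne 'WSUSSCAN.cab' } |
    ForEach-Object { expand.exe -F:* $_.FullName $WorkDir | Out-Null }

# Reference copies live in component folders named <arch>_microsoft-windows-kernel32_<...>.
$componentPattern = '\\(amd64|wow64)_microsoft-windows-kernel32_'
$refs = Get-ChildItem -Path $WorkDir -Recurse -Filter kernel32.dll |
    Where-Object { $_.FullName -match $componentPattern }

# Map each component architecture to the file it is installed as.
$targets = @{
    amd64 = "$env:SystemRoot\System32\kernel32.dll"
    wow64 = "$env:SystemRoot\SysWOW64\kernel32.dll"
}

foreach ($ref in $refs) {
    if ($ref.FullName -match $componentPattern) { $arch = $Matches[1] }
    $target  = $targets[$arch]
    $refHash = (Get-FileHash -Algorithm SHA256 -Path $ref.FullName).Hash
    $refVer  = $ref.VersionInfo.FileVersion

    if (Test-Path -Path $target) {
        $curHash = (Get-FileHash -Algorithm SHA256 -Path $target).Hash
        $curVer  = (Get-Item -Path $target).VersionInfo.FileVersion
        $state   = if ($curHash -eq $refHash) { 'MATCH' } else { 'DIFFERS' }
    } else {
        # The post-reboot scenario in this thread: the scanner has already removed the file.
        $curHash = $null
        $curVer  = $null
        $state   = 'MISSING'
    }

    [pscustomobject]@{
        Arch       = $arch
        Target     = $target
        State      = $state
        RefVersion = $refVer
        CurVersion = $curVer
        RefSHA256  = $refHash
        CurSHA256  = $curHash
    }
}
```

Get-FileHash needs PowerShell 4.0 or later, so on a stock Windows 7 box (PowerShell 2.0) install a newer Windows Management Framework first or substitute `certutil -hashfile <file> SHA256`. A `DIFFERS` result is only meaningful if the file versions match; a later rollup that supersedes KB3197868 legitimately ships a different kernel32.dll.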

Why not just post the recovery instructions here, so everyone can recover from this nightmare? I have PM'd djacobson and have not heard anything in return. I have 10 remote computers that have been flagged for removal on reboot and if that happens before we can resolve this, I will not be able to get to those machines and it will cause some major issues in our business.


Hi fade2black911, I don't have anything from you in my inbox, but if you haven't yet rebooted any machines and are in that "limbo" kinda deal, remove the KB3197868 update. The other instructions are for those that have rebooted and are boot looping / bluescreening.


Yes, we've gotten positive feedback from the KB removal tactic for those that haven't yet rebooted their machines. We will be posting an official set of steps for both pre-reboot and post-reboot scenarios very soon, we've had our heads down trying to get back to everyone and vetting workarounds.

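The pre-reboot workaround in the two posts above is to remove KB3197868 before the machine restarts. For a fleet of remote machines like the one described earlier in the thread, this added PowerShell example (not from the thread or from Malwarebytes) checks each host for the hotfix and a pending Component Based Servicing reboot, then removes the update with wusa.exe without restarting. The computer names are constructed placeholders, and it assumes WinRM is enabled on the targets and the caller is a local administrator there.

```powershell
# Added example (not from the thread or the Malwarebytes article): remove KB3197868 on
# machines that have installed it but not yet rebooted, leaving them up for follow-up.
# Assumptions: WinRM reachable, admin rights on each target; hostnames are placeholders.
$Computers = 'WS01', 'WS02', 'WS03'
$Kb        = 'KB3197868'

$results = Invoke-Command -ComputerName $Computers -ArgumentList $Kb -ScriptBlock {
    param($Kb)

    # Get-HotFix reads Win32_QuickFixEngineering; monthly rollups are listed by KB number.
    $installed = Get-HotFix -Id $Kb -ErrorAction SilentlyContinue

    # This CBS key exists while servicing operations (such as the rollup's file replacement)
    # are still waiting on a restart, which is the "limbo" state described in the thread.
    $cbsKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    $pending = Test-Path -Path $cbsKey

    if (-not $installed) {
        return [pscustomobject]@{
            Computer      = $env:COMPUTERNAME
            Installed     = $false
            RebootPending = $pending
            Action        = 'none'
        }
    }

    # wusa.exe removes a standalone update by KB number; /quiet suppresses UI and
    # /norestart keeps the machine up so the quarantine-on-reboot never gets to run.
    $kbNumber = $Kb -replace '^KB', ''
    $proc = Start-Process -FilePath wusa.exe `
        -ArgumentList "/uninstall /kb:$kbNumber /quiet /norestart" -Wait -PassThru

    # Exit code 0 means removed; 3010 means removed and a restart is required to finish.
    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        Installed     = $true
        RebootPending = $pending
        Action        = "wusa exit $($proc.ExitCode)"
    }
}

$results | Select-Object Computer, Installed, RebootPending, Action | Format-Table -AutoSize
```

Re-run the first part (Get-HotFix) after the uninstall to confirm the KB is gone before allowing any restart. Note that newer Windows releases refuse to run wusa.exe from a remote session; on Windows 7 and Server 2008 R2, the systems this thread concerns, it runs under Invoke-Command.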


On 11/18/2016 at 0:20 AM, djacobson said:

Hi everyone, we have the help article up with the current known working fixes for the FP issue, both pre-reboot and post-reboot scenarios - https://support.malwarebytes.com/customer/portal/articles/2647220-what-can-i-do-if-i-have-been-affected-by-the-kernel32-dll-false-positive-?b_id=6442

I'm going through the Advanced steps as I have no Sys Restore to fall back on. I get as far as Step 9 sub-step 8:

del c:\windows\syswow64\kernel32.dll

(on my PC i have corrected for this being d:\)

But this fails as the file is not there, is this correct as the next step is to create a link between this file and another?

5 hours ago, AWilson said:

I'm going through the Advanced steps as I have no Sys Restore to fall back on. I get as far as Step 9 sub-step 8:

del c:\windows\syswow64\kernel32.dll

(on my PC i have corrected for this being d:\)

But this fails as the file is not there, is this correct as the next step is to create a link between this file and another?

Go ahead and continue with the rest of the steps. The next command will place a good copy of that file via a hard link.
