x64 Msconfig False Positive


Ever since version 1.44 on Win7 x64, I've noticed that Msconfig is detected as a back-door trojan. I have been on and off using MBAM and now I've installed 1.45 and still see the same false positive. All updates are current. Is anyone else seeing this false positive?

dja2k


I did a restore of a clean msconfig from the Windows 7 DVD and still the same FP. It doesn't get flagged if I use the MBAM right click, but it does when running a quick or full system scan.

Malwarebytes' Anti-Malware 1.45

www.malwarebytes.org

Database version: 3939

Windows 6.1.7600

Internet Explorer 8.0.7600.16385

4/1/2010 4:26:08 PM

mbam-log-2010-04-01 (16-26-08).txt

Scan type: Quick scan

Objects scanned: 105886

Time elapsed: 53 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Windows\System32\msconfig.exe (Backdoor.Bot) -> No action taken. [FAE5B45F4F285E839C4E6502576FEEBC]

dja2k

mbam_log_2010_04_01__16_26_08_.zip


Any word on this false positive and when it's going to get fixed?

dja2k


There is some kind of bug here, as this FP is not possible. I am going to refer this thread to app support.

Hello :)

Can you please zip and attach a copy of the file being detected to your next reply?

Thanks :)

Sorry for taking so long to respond, but here is the file. Again, the file will not be reported as infected with a right-click scan, but a quick/full scan via the GUI will flag it. Also, if you don't have it in the ignore list, eventually MBAM will pop up saying msconfig is infected and asking what you want to do.

dja2k

msconfig.zip

Do you also have this file in C:\Windows\SysWOW64 or is it only in System32?

I don't think there has ever been an msconfig in the SysWOW64 folder, and no, I don't have a version there.

dja2k


Thanks, just to be certain please do the following:

  • Please copy and paste the following text exactly as written into notepad (not wordpad or any other text editor):
    @echo off
    @color 48
    if exist "%windir%\syswow64\msconfig.exe" echo MSCONFIG in WoW64 Found!>"%userprofile%\desktop\info.txt"
    if not exist "%windir%\syswow64\msconfig.exe" echo MSCONFIG in WoW64 NOT Found!>"%userprofile%\desktop\info.txt"
    "%userprofile%\desktop\info.txt"
    del /f /q "%userprofile%\desktop\info.txt"
    del /f /q %0

    Once you've done that click on File and select Save As...

  • In the Save dialogue box click on the drop down menu next to Save as type and select All Files
  • Name the file Check.bat (the .bat extension is very important)
  • Save the file to your desktop and double click it to run it.
  • Once it finishes it will open the file it created in notepad, please copy and paste the file's contents into your next reply.

Thanks :)


I did your check.bat test and yeah, there is an msconfig.exe in that folder. I didn't see it as my system files were hidden, but now I see it.

File: msconfig.exe

CRC-32: 00000000

MD4: 31d6cfe0d16ae931b73c59d7e0c089c0

MD5: d41d8cd98f00b204e9800998ecf8427e

SHA-1: da39a3ee5e6b4b0d3255bfef95601890afd80709

dja2k


I deleted the file in the syswow64 folder just to be sure on this test I ran. I extracted two different msconfig.exe files from 32-bit and 64-bit Windows 7 DVDs. Both files are attached and they have different signatures, as shown in the attached image. Neither file is flagged by MBAM while on the desktop, whether on execution, with a right-click scan, or with a quick scan. It is a different story when they are put into the windows\system32 folder, as they both get flagged on execution by MBAM but don't get detected with a scan, which is odd.

dja2k

MSCONFIG_FP.zip

It is a different story when put into the windows\system32 folder as they both get flagged on execution by MBAM, but don't get detected with a scan which is odd.

How were you able to replace the original MSCONFIG.EXE in System32? I tried and Windows would not allow it as it is a protected system file. I tried copying the files to System32 named as you have them in the zip file, which did work, but MBAM did not detect them when executed (and they actually failed to execute with a Windows error message).

As for the file you attached to your other post here that actually came from SysWOW64, it wasn't a functional exe file, just a blank, apparently made by renaming a blank notepad text file to msconfig.exe. It did not get detected by the protection module when I attempted to run it, as it is not an actual executable, but it did show up in a scan when checked by MBAM's heuristics because it is not a legitimate system file but is using a reserved system file name and residing in a system folder.

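As an added illustration of the heuristic the staff member describes in the last reply (this is example code, not code from the thread or from Malwarebytes): a Python check that classifies a file carrying a reserved system binary's name by whether it is zero-byte (the MD5 and SHA-1 the poster reported for the SysWOW64 copy are the digests of an empty file), a non-PE blob such as a renamed text file, or a real PE image. The reserved-name list, the result labels and the minimal PE stub are constructed for this example.

```python
import hashlib
import os

# Digests of a zero-byte file; the SysWOW64\msconfig.exe posted in the thread matched both,
# i.e. it was an empty file carrying a system binary's name, not a real executable.
EMPTY_MD5 = "d41d8cd98f00b204e9800998ecf8427e"
EMPTY_SHA1 = "da39a3ee5e6b4b0d3255bfef95601890afd80709"

# Names that should only ever appear as genuine PE files inside a Windows system folder.
# Constructed list for this example, not the product's own.
RESERVED_NAMES = {"msconfig.exe"}


def digests(data: bytes):
    """Return (MD5, SHA-1) hex digests, the same fields the poster reported."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


def is_pe(data: bytes) -> bool:
    """True only if the bytes carry a DOS 'MZ' stub and a 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 64 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[60:64], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def classify(name: str, data: bytes) -> str:
    """Hypothetical heuristic mirroring the staff explanation: a reserved system file name
    whose content is not a valid PE is suspicious; a real PE is left for signature checks."""
    if name.lower() not in RESERVED_NAMES:
        return "not-reserved-name"
    if digests(data) == (EMPTY_MD5, EMPTY_SHA1):
        return "empty-placeholder"        # zero-byte file, like the SysWOW64 copy in the thread
    if not is_pe(data):
        return "not-an-executable"        # e.g. a renamed text file
    return "valid-pe"                     # legitimate candidate; verify its signature next


def classify_file(path: str) -> str:
    """Apply classify() to an on-disk file, using its basename as the reserved-name key."""
    with open(path, "rb") as f:
        return classify(os.path.basename(path), f.read())


def minimal_pe_stub() -> bytes:
    """Constructed 68-byte blob with a correct MZ header and PE signature (not runnable code)."""
    hdr = bytearray(64)
    hdr[0:2] = b"MZ"
    hdr[60:64] = (64).to_bytes(4, "little")   # e_lfanew points just past the DOS header
    return bytes(hdr) + b"PE\0\0"
```

Running `classify("msconfig.exe", b"")` reproduces the thread's case: the name is reserved, the content hashes to the empty-file digests, and the result is `empty-placeholder` rather than a genuine system file.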
