demonluo

Rogue.FakeMSE, is this F/P?


Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4176

Windows 6.0.6002 Service Pack 2

Internet Explorer 8.0.6001.18904

08/06/2010 03:07:49 AM

mbam-log-2010-06-08 (03-07-49).txt

Scan type: Quick scan

Objects scanned: 130008

Time elapsed: 5 minute(s), 10 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mpnwmon (Rogue.FakeMSE) -> No action taken. [106660DC692B083A5FD9BEDCA290F58C]

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Windows\System32\drivers\MpNWMon.sys (Rogue.FakeMSE) -> No action taken. [106660DC692B083A5FD9BEDCA290F58C]

---------------------------------------------------------------------------------------------------------------------

Is this a F/P? Because my NIS, MSE & SAS said it's clean, and I also sent it to VT for analysis with 41 different AVs and all of them said clean.

http://www.virustotal.com/analisis/8b7d641...f164-1275938790

I've also included the registry key and file that MBAM said were infected in the attachment called desktop.7z.

Desktop.7z


After updating Malwarebytes today, I'm seeing the same thing.

Same file, same key - Rogue.FakeMSE

Is this a FP?

System

Windows 7 Starter

MSE (AV)

Malwarebytes 1.46


Not seeing this on either of the following systems:

XP Pro SP3

Vista Ultimate SP2

W7 Home Prem 64bit

Last scan db was 4175 on all 3


Me too, :)

~Shy

WinVista - updated through yesterday - all updates installed.

Scan was with 4175 - upon quarantine and reboot, Windows blocked MBAM Pro's startup restart - did a manual restart.

Internet Explorer 8.0.6001.18904

6/7/2010 1:08:05 PM

mbam-log-2010-06-07 (13-08-05).txt

Scan type: Quick scan

Objects scanned: 131881

Time elapsed: 6 minute(s), 37 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Windows\System32\drivers\MpNWMon.sys (Rogue.FakeMSE) -> Quarantined and deleted successfully.


6/7/10

Going 'Rogue' here as well....

Re: file - 'mpnwmon.sys'

Note that my 'Rogue.FakeMSE' was located in the Microsoft Security Essentials files in C:\Program Files\Microsoft Security Essentials\Drivers\mpnwmon... as well as in 2 System Restore folders.

I submitted the file to VirusTotal and report was clean:

http://www.virustotal.com/analisis/7e97e8d...4243-1275933544

And file 'mpnwmon.sys' properties show it to be a Microsoft file, digitally signed 11/20/09. So, what say you (Malwarebytes)... False Positive?

-----------------------------

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4176

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

6/7/2010 2:30:17 PM

mbam-log-2010-06-07 (14-30-17).txt

Scan type: Full scan (C:\|)

Objects scanned: 324645

Time elapsed: 1 hour(s), 53 minute(s), 28 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 3

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Program Files\Microsoft Security Essentials\Drivers\mpnwmon\mpnwmon.sys (Rogue.FakeMSE) -> No action taken. [106660DC692B083A5FD9BEDCA290F58C]

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP828\A0121549.sys (Rogue.FakeMSE) -> No action taken. [106660DC692B083A5FD9BEDCA290F58C]

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP829\A0121553.sys (Rogue.FakeMSE) -> No action taken. [106660DC692B083A5FD9BEDCA290F58C]

----------------------

mpnwmon.zip

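The check a practitioner would run before trusting, restoring or deleting the flagged driver, as an added example that is not part of any post in this thread and is not Malwarebytes' or Microsoft's code: verify the Authenticode signature and hashes of the files named in the logs above, and inspect the service key from the first log. The paths and the service name are taken from the posted logs; treating the bracketed value in the MBAM log lines as an MD5 to compare against is an assumption. Get-FileHash requires PowerShell 4.0 or later (older systems can use certutil -hashfile <path> MD5 instead), and the copies under System Volume Information are not readable without taking ownership, so they are not checked here.

```powershell
# Added example (not from the thread, Malwarebytes or Microsoft): is a Rogue.FakeMSE hit on
# MpNWMon.sys a false positive? Check signature, hashes and the service key that loads it.
# Assumptions: paths/service name come from the logs in this thread; the bracketed log value
# is assumed to be an MD5; Get-FileHash needs PowerShell 4.0+. Run from an elevated prompt.

$flaggedMd5 = '106660DC692B083A5FD9BEDCA290F58C'   # bracketed value from the posted log lines
$candidates = @(
    'C:\Windows\System32\drivers\MpNWMon.sys',
    'C:\Program Files\Microsoft Security Essentials\Drivers\mpnwmon\mpnwmon.sys'
)

function Test-FlaggedDriver {
    param([string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Present = $false }
    }

    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $md5    = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash
    $sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    # Status 'Valid' only says the signature verifies against this machine's root store and the
    # file is unmodified; the signer must also be Microsoft before the file is called genuine.
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    $isMicrosoft = ($sig.Status -eq 'Valid') -and ($signer -like '*O=Microsoft Corporation*')

    [pscustomobject]@{
        Path           = $Path
        Present        = $true
        SigStatus      = $sig.Status            # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer         = $signer
        MD5            = $md5
        SHA256         = $sha256                # paste into VirusTotal for a second opinion
        MatchesLogHash = ($md5 -eq $flaggedMd5) # assumption: the log's bracketed value is an MD5
        LikelyFalsePos = $isMicrosoft           # intact, Microsoft-signed binary flagged by hash
    }
}

$candidates | ForEach-Object { Test-FlaggedDriver -Path $_ } | Format-List

# The service key flagged in the first log: a genuine MSE driver service should point at one
# of the driver paths above, not at a copy living somewhere else on the disk.
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\mpnwmon' -ErrorAction SilentlyContinue |
    Select-Object ImagePath, Start, Type, DisplayName
```

If the signature status is Valid, the signer is Microsoft and the MD5 equals the value in the log, the detection matched a legitimate file and the fix is a definition update (which is what the replies below report), not deleting the driver. A HashMismatch or NotSigned status on a file at that path would point the other way and deserves a proper look before it is restored from quarantine.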

awesome :)

Thanks for the quick reply and for fixing it

This should be fixed now.

Yep, fixed...thanks. You guys are awesome and wicked fast as well :-)


Ummmm.... hope I can restore this from quarantine and get it back where it belongs. :)

Thanks for the quick fix.

~Shy


Now I'm getting this on ICL Icon extractor.

I deleted it and reinstalled it but it continues.

The reason that I'm wondering if this is a F/P is that none of the users on this machine run as Admin (including me), so the number of entry vectors is much reduced.

Can somebody confirm whether this is a FP?

Thanks

trojan.fakemse.7z


This will be fixed in the next update.

I'm curious... How can you guys possibly work that fast? I'm dumbfounded by your response time.

Vic


We really care about our product and want it to be the best it can be. Addressing false positives is a priority for us.

Thanks for the compliment!

