Rogue.FakeMSE, is this F/P?

demonluo · June 7, 2010

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4176

Windows 6.0.6002 Service Pack 2

Internet Explorer 8.0.6001.18904

08/06/2010 03:07:49 AM

mbam-log-2010-06-08 (03-07-49).txt

Scan type: Quick scan

Objects scanned: 130008

Time elapsed: 5 minute(s), 10 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mpnwmon (Rogue.FakeMSE) -> No action taken. [106660DC692B083A5FD9BEDCA290F58C]

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Windows\System32\drivers\MpNWMon.sys (Rogue.FakeMSE) -> No action taken. [106660DC692B083A5FD9BEDCA290F58C]

---------------------------------------------------------------------------------------------------------------------

is this F/P coz my NIS, MSE & SAS said its clean & i also sent to VT to analysis w 41 dif AV & all of them said clean

http://www.virustotal.com/analisis/8b7d641...f164-1275938790

i've also included the registry & file that MBAM said infected in the attachment called desktop.7z

Desktop.7z

Fred232 · June 7, 2010

After updating Malwarebytes today, I'm seeing the same thing.

Same file, same key - Rogue.FakeMSE

Is this a FP?

System

Windows 7 Starter

MSE (AV)

Malwarebytes 1.46

TeMerc · June 7, 2010

After updating Malwarebytes today, I'm seeing the same thing.
Same file, same key - Rogue.FakeMSE
Is this a FP?
System
Windows 7 Starter
MSE (AV)
Malwarebytes 1.46

Not seeing this on either of the following systems:

XP Pro SP3

Vista Ultimate SP2

W7 Home Prem 64bit

Last scan db was 4175 on all 3

ShyWriter · June 7, 2010

Me too,

~Shy

WinVista - updated thru yesterday - all updates installed.

Scan was with 4175 - upon quarantine and reboot, Window's blocked startup MBAM Pro restart - did a manual restart.

Internet Explorer 8.0.6001.18904

6/7/2010 1:08:05 PM

mbam-log-2010-06-07 (13-08-05).txt

Scan type: Quick scan

Objects scanned: 131881

Time elapsed: 6 minute(s), 37 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Windows\System32\drivers\MpNWMon.sys (Rogue.FakeMSE) -> Quarantined and deleted successfully.

Kavu · June 7, 2010

6/7/10

Going 'Rogue' here as well....

Re: file - 'mpnwmon.sys'

Note that my 'Rogue.FakeMSE was located in the Microsoft Security Essentials files in C:\Program Files\Microsoft Security Essentials\Drivers\mpnwmon....as well as in 2 System restore folders.

I submitted the file to VirusTotal and report was clean:

http://www.virustotal.com/analisis/7e97e8d...4243-1275933544

And file 'mpnwmon.sys' properties show it to be a Microsoft file, digitally signed 11/20/09. So, what say you(Malwarebytes)....False Positive?

-----------------------------

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4176

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

6/7/2010 2:30:17 PM

mbam-log-2010-06-07 (14-30-17).txt

Scan type: Full scan (C:\|)

Objects scanned: 324645

Time elapsed: 1 hour(s), 53 minute(s), 28 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 3

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Program Files\Microsoft Security Essentials\Drivers\mpnwmon\mpnwmon.sys (Rogue.FakeMSE) -> No action taken. [106660DC692B083A5FD9BEDCA290F58C]

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP828\A0121549.sys (Rogue.FakeMSE) -> No action taken. [106660DC692B083A5FD9BEDCA290F58C]

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP829\A0121553.sys (Rogue.FakeMSE) -> No action taken. [106660DC692B083A5FD9BEDCA290F58C]

----------------------

mpnwmon.zip

nosirrah · June 7, 2010

This should be fixed within the next 20 minutes.

pifreak · June 7, 2010

awesome

Thanks for the quick reply and for fixing it

nosirrah · June 7, 2010

This should be fixed now.

Kavu · June 7, 2010

This should be fixed now.

Yep, fixed...thanks. You guys are awesome and wicked fast as well :-)

ShyWriter · June 7, 2010

Ummmm.... hope I can restore this from quarantine and get it back where it belongs.

Thanks for the quick fix.

~Shy

demonluo · June 8, 2010

fixed...

Fred232 · June 8, 2010

Updated to 4177 and fixed for me as well.

Thanks for your quick response.

ducasoft · June 8, 2010

Thank you very much

kovacsbv · June 24, 2011

Now I'm getting this on ICL Icon extractor.

I deleted it and reinstalled it but it continues.

The reason that I'm wondering if this is a F/P is that

none of the users on this machine runs as Admin (including me),

so the number of entry vectors is much reduced.

Can somebody confirm whether this is a FP?

Thanks

trojan.fakemse.7z

nosirrah · June 24, 2011

This will be fixed in the next update.

kovacsbv · June 24, 2011

This will be fixed in the next update.

I'm curious. . .

How can you guys possibly work that fast?

I'm dumbfounded by your response time.

Vic

shadowwar · June 24, 2011

We really care about our product and want it to be the best it can be. Addressing false positives is a priority for us.

Thanks for the complement!

kovacsbv · August 5, 2012

Started getting the F/P again on icon extractor.

shadowwar · August 5, 2012

Can you please post a log and or the file?

The file above is currently not detected.

Thanks.

Rogue.FakeMSE, is this F/P?

Recommended Posts

demonluo 0

Link to post

Share on other sites

Fred232 0

Link to post

Share on other sites

TeMerc 80

Link to post

Share on other sites

ShyWriter 0

Link to post

Share on other sites

Kavu 0

Link to post

Share on other sites

nosirrah 0

Link to post

Share on other sites

pifreak 0

Link to post

Share on other sites

nosirrah 0

Link to post

Share on other sites

Kavu 0

Link to post

Share on other sites

ShyWriter 0

Link to post

Share on other sites

demonluo 0

Link to post

Share on other sites

Fred232 0

Link to post

Share on other sites

ducasoft 0

Link to post

Share on other sites

kovacsbv 0

Link to post

Share on other sites

nosirrah 0

Link to post

Share on other sites

kovacsbv 0

Link to post

Share on other sites

shadowwar 77

Link to post

Share on other sites

kovacsbv 0

Link to post

Share on other sites

shadowwar 77

Link to post

Share on other sites

Create an account or sign in to comment

Create an account

Sign in

Recently Browsing 0 members

Important Information