demonluo #1 Posted June 7, 2010

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4176
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18904

08/06/2010 03:07:49 AM
mbam-log-2010-06-08 (03-07-49).txt

Scan type: Quick scan
Objects scanned: 130008
Time elapsed: 5 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mpnwmon (Rogue.FakeMSE) -> No action taken. [106660DC692B083A5FD9BEDCA290F58C]

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\drivers\MpNWMon.sys (Rogue.FakeMSE) -> No action taken. [106660DC692B083A5FD9BEDCA290F58C]

----------------------------------------

Is this F/P coz my NIS, MSE & SAS said it's clean & I also sent to VT for analysis w 41 dif AV & all of them said clean
http://www.virustotal.com/analisis/8b7d641...f164-1275938790

I've also included the registry & file that MBAM said infected in the attachment called desktop.7z

Desktop.7z

Fred232 #2 Posted June 7, 2010

After updating Malwarebytes today, I'm seeing the same thing.
Same file, same key - Rogue.FakeMSE
Is this a FP?

System
Windows 7 Starter
MSE (AV)
Malwarebytes 1.46

TeMerc #3 Posted June 7, 2010

> After updating Malwarebytes today, I'm seeing the same thing.
> Same file, same key - Rogue.FakeMSE
> Is this a FP?
>
> System
> Windows 7 Starter
> MSE (AV)
> Malwarebytes 1.46

Not seeing this on either of the following systems:
XP Pro SP3
Vista Ultimate SP2
W7 Home Prem 64bit

Last scan db was 4175 on all 3

ShyWriter #4 Posted June 7, 2010

Me too, ~Shy

WinVista - updated thru yesterday - all updates installed.
Scan was with 4175 - upon quarantine and reboot, Windows blocked startup MBAM Pro restart - did a manual restart.

Internet Explorer 8.0.6001.18904

6/7/2010 1:08:05 PM
mbam-log-2010-06-07 (13-08-05).txt

Scan type: Quick scan
Objects scanned: 131881
Time elapsed: 6 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\drivers\MpNWMon.sys (Rogue.FakeMSE) -> Quarantined and deleted successfully.

Kavu #5 Posted June 7, 2010

6/7/10

Going 'Rogue' here as well....

Re: file - 'mpnwmon.sys'

Note that my 'Rogue.FakeMSE' was located in the Microsoft Security Essentials files in C:\Program Files\Microsoft Security Essentials\Drivers\mpnwmon....as well as in 2 System restore folders. I submitted the file to VirusTotal and report was clean:
http://www.virustotal.com/analisis/7e97e8d...4243-1275933544

And file 'mpnwmon.sys' properties show it to be a Microsoft file, digitally signed 11/20/09. So, what say you (Malwarebytes)....False Positive?

-----------------------------

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4176
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/7/2010 2:30:17 PM
mbam-log-2010-06-07 (14-30-17).txt

Scan type: Full scan (C:\|)
Objects scanned: 324645
Time elapsed: 1 hour(s), 53 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Microsoft Security Essentials\Drivers\mpnwmon\mpnwmon.sys (Rogue.FakeMSE) -> No action taken. [106660DC692B083A5FD9BEDCA290F58C]
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP828\A0121549.sys (Rogue.FakeMSE) -> No action taken. [106660DC692B083A5FD9BEDCA290F58C]
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP829\A0121553.sys (Rogue.FakeMSE) -> No action taken. [106660DC692B083A5FD9BEDCA290F58C]

----------------------

mpnwmon.zip

nosirrah #6 Posted June 7, 2010

This should be fixed within the next 20 minutes.

pifreak #7 Posted June 7, 2010

awesome Thanks for the quick reply and for fixing it

nosirrah #8 Posted June 7, 2010

This should be fixed now.

Kavu #9 Posted June 7, 2010

> This should be fixed now.

Yep, fixed...thanks. You guys are awesome and wicked fast as well :-)

ShyWriter #10 Posted June 7, 2010

Ummmm.... hope I can restore this from quarantine and get it back where it belongs. Thanks for the quick fix.

~Shy

Fred232 #12 Posted June 8, 2010

Updated to 4177 and fixed for me as well.
Thanks for your quick response.

ducasoft #13 Posted June 8, 2010

Thank you very much

kovacsbv #14 Posted June 24, 2011

Now I'm getting this on ICL Icon extractor.
I deleted it and reinstalled it but it continues.
The reason that I'm wondering if this is a F/P is that none of the users on this machine runs as Admin (including me), so the number of entry vectors is much reduced.
Can somebody confirm whether this is a FP?

Thanks

trojan.fakemse.7z

nosirrah #15 Posted June 24, 2011

This will be fixed in the next update.

kovacsbv #16 Posted June 24, 2011

> This will be fixed in the next update.

I'm curious. . .
How can you guys possibly work that fast?
I'm dumbfounded by your response time.

Vic

shadowwar #17 Posted June 24, 2011

We really care about our product and want it to be the best it can be. Addressing false positives is a priority for us. Thanks for the compliment!

kovacsbv #18 Posted August 5, 2012

Started getting the F/P again on icon extractor.

shadowwar #19 Posted August 5, 2012

Can you please post a log and/or the file?
The file above is currently not detected.
Thanks.