Malwarebytes Reports - "Fake.Beep.Sys"

[graesid]

Jusst started using the program and after running a scan on my Limited User account it comes up with the following

Files Infected:

C:\WINDOWS\system32\dllcache\beep.sys (Fake.Beep.Sys) -> No action taken.

I cannot find this file on my computer and I note that if I run Malwarebytes on my main Admin Account nothing is reported .

I have run a number of other Anti Spy Applications and they find nothing .

Can anyone tell me if they have any experience of this and whether this may be a False positive .

Graeme

[RubbeR DuckY]

Thanks, I will look into it.

[graesid]

Thanks, I will look into it.

Thank you for your acknowledgement .

After posting I did find the file C:\WINDOWS\system32\dllcache\beep.sys on my computer by searching on the Admin account .It is is apparently not accessable from the Limited user account as it is a Microsoft System File . I have checked the file with a number of scanners and it appears to be the original Microsoft file which I understand is on most Windows XP systems .

I would be very reluctant to delete this file so I will await your reply as to your findings

Graeme

[graesid]

I am wondering if anyone else has encountered this situation and can confirm whether or not I have a False positive

[RubbeR DuckY]

It is a false positive that happens if you run our program from a limited user account.

[graesid]

Thanks for that information . I am pleased to learn it is a False Positive so I can ignore it in future . I presume it will be fixed in a future update ??

Graeme

[DaChew]

I would not think of using a limited account to scan for malware since you can't remove it when you find it.

[graesid]

That is true but for security I use a limited user account for all my web browsing and online work . As I understand it If damage occurs it can then be limited to that account in many cases . If a scan detects Malware I can then delete using my Admin account if necessay .

[RubbeR DuckY]

This will be fixed in the next version.

[ingber]

We have two a31p Thinkpads running the same currently-updated versions of XP Pro SP3. On both machines we have

c:/WINDOWS/system32/dllcache/beep.sys

c:/WINDOWS/system32/drivers/beep.sys

However, on ONLY one machine we get what I believe is a false positive for ONLY

c:/WINDOWS/system32/dllcache/beep.sys

which was Quarantined as Fake.Beep.Sys

Wasn't this supposed to be fixed back in August?

Thanks.

Lester

[ingber]

We have two a31p Thinkpads running the same currently-updated versions of XP Pro SP3. On both machines we have

c:/WINDOWS/system32/dllcache/beep.sys

c:/WINDOWS/system32/drivers/beep.sys

However, on ONLY one machine we get what I believe is a false positive for ONLY

c:/WINDOWS/system32/dllcache/beep.sys

which was Quarantined as Fake.Beep.Sys

Wasn't this supposed to be fixed back in August?

Thanks.

Lester

P.S. Both machines have only one user with full Administrator privileges.

[Raid]

That's very strange.. Would you mind submitting the file mbam thinks is fake?

[ingber]

That's very strange.. Would you mind submitting the file mbam thinks is fake?

I just did upload the beep.sys file. I have been corresponding with one of your staff, Arthur. Here are some of my comments:

(1)

Previously, you documented that the additional beep.sys files under

dllcache/ should not be there and so I deleted them on both machines.

This raised the issue that Malwarebytes did not flag/Quarantine this

file on one of the two computers.

(2)

In this latest email, you seem to suggest that even if there were

additional beep.sys files under dllcache, this should not present any

problems since these beep.sys files in fact are valid system files?

> As I mentioned, I used zdiff under Cygwin (a bit by bit comparison) between

> /cygdrive/c/WINDOWS/system32/dllcache/beep.sys

> /cygdrive/c/WINDOWS/system32/drivers/beep.sys

> before deleting /cygdrive/c/WINDOWS/system32/dllcache/beep.sys; the

> files were identical

> (on both machines and indentical across machines).