
Rogue.FakeMSE, is this F/P?


demonluo


Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4176

Windows 6.0.6002 Service Pack 2

Internet Explorer 8.0.6001.18904

08/06/2010 03:07:49 AM

mbam-log-2010-06-08 (03-07-49).txt

Scan type: Quick scan

Objects scanned: 130008

Time elapsed: 5 minute(s), 10 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mpnwmon (Rogue.FakeMSE) -> No action taken. [106660DC692B083A5FD9BEDCA290F58C]

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Windows\System32\drivers\MpNWMon.sys (Rogue.FakeMSE) -> No action taken. [106660DC692B083A5FD9BEDCA290F58C]

---------------------------------------------------------------------------------------------------------------------

Is this an F/P? My NIS, MSE & SAS said it's clean, and I also sent it to VT for analysis with 41 different AVs, and all of them said clean.

http://www.virustotal.com/analisis/8b7d641...f164-1275938790

I've also included the registry entry & file that MBAM said were infected in the attachment called desktop.7z.

Desktop.7z


  • Staff
After updating Malwarebytes today, I'm seeing the same thing.

Same file, same key - Rogue.FakeMSE

Is this a FP?

System

Windows 7 Starter

MSE (AV)

Malwarebytes 1.46

Not seeing this on either of the following systems:

XP Pro SP3

Vista Ultimate SP2

W7 Home Prem 64bit

Last scan db was 4175 on all 3


Me too, :)

~Shy

WinVista - updated through yesterday - all updates installed.

Scan was with 4175 - upon quarantine and reboot, Windows blocked the MBAM Pro startup restart - did a manual restart.

Internet Explorer 8.0.6001.18904

6/7/2010 1:08:05 PM

mbam-log-2010-06-07 (13-08-05).txt

Scan type: Quick scan

Objects scanned: 131881

Time elapsed: 6 minute(s), 37 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Windows\System32\drivers\MpNWMon.sys (Rogue.FakeMSE) -> Quarantined and deleted successfully.


6/7/10

Going 'Rogue' here as well....

Re: file - 'mpnwmon.sys'

Note that my 'Rogue.FakeMSE' was located in the Microsoft Security Essentials files in C:\Program Files\Microsoft Security Essentials\Drivers\mpnwmon... as well as in 2 System Restore folders.

I submitted the file to VirusTotal and the report was clean:

http://www.virustotal.com/analisis/7e97e8d...4243-1275933544

And the file 'mpnwmon.sys' properties show it to be a Microsoft file, digitally signed 11/20/09. So, what say you (Malwarebytes)... False Positive?

-----------------------------

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4176

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

6/7/2010 2:30:17 PM

mbam-log-2010-06-07 (14-30-17).txt

Scan type: Full scan (C:\|)

Objects scanned: 324645

Time elapsed: 1 hour(s), 53 minute(s), 28 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 3

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Program Files\Microsoft Security Essentials\Drivers\mpnwmon\mpnwmon.sys (Rogue.FakeMSE) -> No action taken. [106660DC692B083A5FD9BEDCA290F58C]

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP828\A0121549.sys (Rogue.FakeMSE) -> No action taken. [106660DC692B083A5FD9BEDCA290F58C]

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP829\A0121553.sys (Rogue.FakeMSE) -> No action taken. [106660DC692B083A5FD9BEDCA290F58C]

----------------------

mpnwmon.zip

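The checks the poster above did by hand (signature, VirusTotal hash lookup, where the flagged service key points) as an added PowerShell triage script; this is not code from the thread or from Malwarebytes, and it assumes Windows PowerShell 4 or later for Get-FileHash. The file paths and service name are the ones quoted in the scan logs.

```powershell
# Added triage example (not from the thread): confirm whether a file flagged as
# Rogue.FakeMSE is the genuine Microsoft-signed MSE driver before treating the
# detection as a false positive. Paths and service name are the ones in the logs.
$candidates = @(
    'C:\Windows\System32\drivers\MpNWMon.sys',
    'C:\Program Files\Microsoft Security Essentials\Drivers\mpnwmon\mpnwmon.sys'
)

foreach ($path in $candidates) {
    if (-not (Test-Path -LiteralPath $path)) { continue }

    # Authenticode check: a genuine Microsoft driver reports Status 'Valid' and a
    # Microsoft signer subject; 'NotSigned' or 'HashMismatch' warrants a closer look.
    $sig    = Get-AuthenticodeSignature -LiteralPath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }

    # Hashes for the VirusTotal lookup the thread relied on (SHA256 is the usual
    # lookup key; MD5 is what older reports display). Requires PowerShell 4+.
    $sha256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    $md5    = (Get-FileHash -LiteralPath $path -Algorithm MD5).Hash

    [pscustomobject]@{
        Path      = $path
        SigStatus = $sig.Status
        Signer    = $signer
        SHA256    = $sha256
        MD5       = $md5
    }
}

# The flagged service key: confirm its ImagePath points at the signed file checked
# above, not at some other binary that merely reuses the MSE driver's name.
$svc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\mpnwmon' -ErrorAction SilentlyContinue
if ($svc) {
    "mpnwmon ImagePath: $($svc.ImagePath)"
} else {
    'mpnwmon service key not present'
}
```

Run it from an elevated prompt; if the signature is valid with a Microsoft signer and the hash matches the clean VirusTotal report, the detection is an FP to report to the vendor rather than something to quarantine.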
