Possible false positive trojan fake ms


Drey

Found a possible false positive; here is the log.

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 11/16/2016
Scan Time: 8:44 AM
Logfile: possible false positive 2.txt
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.11.16.07
Rootkit Database: v2016.10.31.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Allen

Scan Type: Custom Scan
Result: Completed
Objects Scanned: 617315
Time Elapsed: 2 hr, 5 min, 58 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 2
Trojan.FakeMS, C:\Windows\winsxs\Backup\wow64_microsoft-windows-kernel32_31bf3856ad364e35_6.1.7601.23569_none_fc90f42dba8db537_kernel32.dll_ef9eca7e, , [d91ef2ce603a69cdb07543922cd7cd33],
Trojan.FakeMS, C:\Windows\winsxs\wow64_microsoft-windows-kernel32_31bf3856ad364e35_6.1.7601.23569_none_fc90f42dba8db537\kernel32.dll, , [16e1239d9cfe350191948c494eb58a76],

Physical Sectors: 0
(No malicious items detected)


(end)

Also scanned the files with HitmanPro, Norton and ESET; none of them detected the files. Also uploaded to VirusTotal; only Malwarebytes flagged the files.

Here is the zip

false positive test.7z


Hello, we've had this problem at our workplace this morning.

All the computers here came back with this as malware. I removed it on one computer thinking I should trust this program, but all it did was wreck the computer. I cannot boot Windows at all - it crashes mid boot and starts again. Doesn't matter how I try to boot it either - safe mode, normal, etc.

I cannot boot at all. I'm just glad I didn't go and remove this from all our PCs.

Can you please post a step-by-step process of how to resolve this issue?


I have verified that I am on the current update of v2016.11.16.14. I have also pushed and made all my clients have this same version as well. I am running a full scan now to verify that it is working as intended - I will report back on this.

This was pretty detrimental overall, though: I had 50+ computers scan, detect and remove these 2 files, and I had to get them back on their feet with a system restore.

To fix the two files being removed you first need to power down the computer. When you boot back up you will be presented with 2 options: select the default option, NOT "start Windows normally". At this point you will boot into Windows recovery and should be able to recover with a System Restore.


We have had over 20+ computers that deleted the files as well. System restore has worked on the machines that had a restore point; however, there are several machines that do not have a restore point. This is incredibly frustrating, as nothing we have tried has worked to get the machines up and running.


Found a solution that is working for us.

We have fixed 15+ computers that did not have restore points using this method:

1. We booted from a Windows 10 USB (important that it is Windows 10, to load up universal USB drivers).

2. Went to advanced repair and selected command prompt. We then copied the two files that were deleted/quarantined from a working Windows 7 computer and put them on a separate USB drive.

3. Using xcopy we restored the files back to the original location on the computer that has failed.

Below are the exact commands we used ** your Windows directories may vary, adjust accordingly **

REM E: is the USB stick holding the good copies. The component folder goes back under winsxs in a folder of the same name; the trailing backslash makes xcopy treat the target as a directory.
xcopy e:\wow64_microsoft-windows-kernel32_31bf3856ad364e35_6.1.7601.23569_none_fc90f42dba8db537 C:\Windows\winsxs\wow64_microsoft-windows-kernel32_31bf3856ad364e35_6.1.7601.23569_none_fc90f42dba8db537\ /e /k /o /h

REM The single backup copy goes back into winsxs\Backup.
xcopy e:\wow64_microsoft-windows-kernel32_31bf3856ad364e35_6.1.7601.23569_none_fc90f42dba8db537_kernel32.dll_ef9eca7e c:\windows\winsxs\Backup\

If prompted to overwrite file, select yes.

Once the files were copied, we rebooted into the Windows 7 system repair on the failed computer's hard drive. Then ran the following command: ** again, your Windows directories may vary **

SFC /SCANNOW /OFFBOOTDIR=C:\ /OFFWINDIR=C:\Windows

If all works well you will get a result stating SFC was able to repair the files. Reboot normally.


Does anybody know how we can restore this file -> C:\Windows\winsxs\backup\wow64_microsoft-windows-kernel32_31bf3856ad364e35_6.1.7601.23543_none_fca09249ba82e54b_kernel32.dll_ef9eca7e 

We are having the same issue described in this thread but have some systems that are currently up that haven't rebooted yet. Does restoring the object through MB console actually restore the good "clean" DLL? 

We will be seeing roughly 75 systems tomorrow morning not able to boot into Windows. Please let me know of a remedy of how I can do this remotely without remote access, because MB thinks Kernel32.DLL is a false positive!

Threats.jpg


I have 24 computers with the same issue.

On some of my machines the Startup Repair has been enough to bring them back online; however, I have about 10 machines that Startup Repair, System Restore, chkdsk and sfc won't fix.

I can't call sales to purchase phone support because it's out of hours in America, and logging a ticket isn't going to resolve this quickly enough for a business-critical issue.

If anyone has had any luck resolving this please share! Thanks

false postive.PNG


We're still trying to get to everyone. We will be checking into this forum post as often as we can between tickets and calls as the day goes on.

Those with machines that haven't rebooted, restore the object. To prevent an auto-reboot on a detected object from occurring in the future, uncheck the scan option "Restart the computer if required for threat removal" in Policy \ Scheduler \ Edit or Add a scan. This will not change an object being marked as Delete-On-Reboot (that is decided in the signature) but it will prevent Malwarebytes from triggering a reboot.

These files are being hit because they are unsigned from Microsoft. For those with machines that boot loop / blue screen, we're still trying to come up with the most successful way to get the machines back up.


We are unable to restore the files that are set to delete on reboot. There is no way in the console to restore the kernel32.dll file. Also, when logging into a client that hasn't rebooted, I choose those two files to recover from Quarantine but they don't recover and just stay there. This is happening on about 100 PCs. We need to get a fix to reverse the delete on reboot as soon as possible.


A reversal to the signature selecting Delete on Reboot is unfortunately not possible. A reboot will be required before a Delete on Reboot item may be restored. You must prepare your system before the restart takes place.

Place good copies of the detected files in your C:\ root. Do not place them into the folders they belong in just yet; the reboot delete action will just remove them. You will then need to boot into recovery to place them back into their respective folder locations. You can make a script to do this, as the folder name is quite long and easy to mess up.
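The following is an added example, not code from the thread, from Malwarebytes or from any poster: a scripted form of the two recovery procedures above (the xcopy-then-SFC steps and the "stage good copies in C:\ root, then restore from recovery" advice). It assumes the recovery environment provides PowerShell 4 or later (Windows 10 recovery media does, Windows 7 WinRE does not), that the damaged install is Windows 7 x64 with the 6.1.7601.23569 component named in the scan log, and that the two reference hashes are filled in from a healthy machine; as written they are placeholders. It uses Copy-Item rather than the thread's xcopy.

```powershell
<#
Added example, not code from the thread or from Malwarebytes. Scripted form of the
recovery steps posted above: good copies are staged first (C:\ root, as advised), the
machine is rebooted into a recovery environment, and this script puts both copies back
into their WinSxS locations and runs the same offline SFC the earlier post used.
Assumptions not stated on the page: the recovery environment has PowerShell 4 or later
(Windows 10 recovery media does; Windows 7 WinRE does not), the damaged install is
Windows 7 x64 with the 6.1.7601.23569 component from the scan log, and the reference
hashes below are filled in from a healthy machine (they are placeholders here).
#>
param(
    # Drive holding the damaged Windows install, as seen from the recovery environment.
    [string]$OfflineRoot = 'C:\',
    # Folder where the two good copies were staged before the reboot.
    [string]$StageDir = 'C:\',
    # SHA256 of each good copy, taken on a healthy machine with Get-FileHash. PLACEHOLDERS.
    [hashtable]$ExpectedSha256 = @{
        winsxs = '<SHA256 OF kernel32.dll FROM A HEALTHY MACHINE>'
        backup = '<SHA256 OF THE Backup COPY FROM A HEALTHY MACHINE>'
    }
)

# Names exactly as they appear in the scan log at the top of the thread.
$component  = 'wow64_microsoft-windows-kernel32_31bf3856ad364e35_6.1.7601.23569_none_fc90f42dba8db537'
$backupFile = "${component}_kernel32.dll_ef9eca7e"
$winsxs     = Join-Path $OfflineRoot 'Windows\winsxs'

# One entry per detected file: where the staged copy is and which WinSxS folder it belongs in.
$jobs = @(
    @{ Key = 'winsxs'; Name = 'kernel32.dll'; Source = (Join-Path $StageDir 'kernel32.dll'); DestDir = (Join-Path $winsxs $component) }
    @{ Key = 'backup'; Name = $backupFile;    Source = (Join-Path $StageDir $backupFile);    DestDir = (Join-Path $winsxs 'Backup') }
)

foreach ($job in $jobs) {
    if (-not (Test-Path -LiteralPath $job.Source)) {
        throw "Staged copy missing: $($job.Source). Stage it, then rerun."
    }

    # Refuse to put back a file whose hash differs from the healthy machine's copy.
    $actual   = (Get-FileHash -LiteralPath $job.Source -Algorithm SHA256).Hash.ToLower()
    $expected = $ExpectedSha256[$job.Key]
    if ($expected -and $expected -notlike '<*' -and $actual -ne $expected.ToLower()) {
        throw "Hash mismatch for $($job.Name): got $actual, expected $expected"
    }

    # The component folder normally survives; recreate it if the cleanup took it too.
    if (-not (Test-Path -LiteralPath $job.DestDir)) {
        New-Item -ItemType Directory -Path $job.DestDir | Out-Null
    }
    $dest = Join-Path $job.DestDir $job.Name
    Copy-Item -LiteralPath $job.Source -Destination $dest -Force

    # Read the copy back; a silent short write here would leave the machine unbootable again.
    $written = (Get-FileHash -LiteralPath $dest -Algorithm SHA256).Hash.ToLower()
    if ($written -ne $actual) { throw "Restored file $dest does not verify" }
    Write-Host "Restored $dest  sha256=$actual"
}

# Same offline SFC the thread runs after the copy; it re-checks the restored files against the store.
$offlineWindows = Join-Path $OfflineRoot 'Windows'
& sfc.exe /SCANNOW "/OFFBOOTDIR=$OfflineRoot" "/OFFWINDIR=$offlineWindows"
```

Run it from the recovery command prompt as `powershell -ExecutionPolicy Bypass -File restore-kernel32.ps1 -OfflineRoot C:\ -StageDir C:\` (or with `-StageDir E:\` when the copies are on a USB stick). The hash check is the part worth keeping even if you retype the commands by hand: the whole incident was about a file whose identity could not be trusted, so the file being put back should be verified against a copy you already trust before it is written into the component store.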


2 minutes ago, djacobson said:

A reversal to the signature selecting Delete on Reboot is unfortunately not possible. A reboot will be required before a Delete on Reboot item may be restored. You must prepare your system before the restart takes place.

Place good copies of the detected files in your C:\ root. Do not place them into the folders they belong just yet, the reboot delete action will just remove them. You will then need to boot into recovery to place them back into their respective folder locations. You can make a script to do this as the folder name is quite long and easy to mess up.

Can't Malwarebytes come up with a fix for this since the problem was created by Malwarebytes! We have 100 PCs affected in multiple locations. Driving to all of them and fixing them is extremely time consuming!!


We're doing everything we can right now. Ultimately this is on Microsoft for not digitally signing their own file (you can confirm by checking the certificate properties of a file still on the system), which activated Malwarebytes' protections; it was meant to protect you from files like this.

We're trying to figure out which pending update KB this kernel32.dll file is related to; it may be possible to save the system by killing that update so that the system will not need to switch over to the Windows side-by-side holding version of kernel32.dll as it restarts.
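The post above suggests checking the certificate properties of a copy still on the system. The following is an added example, not code from the thread or from Malwarebytes, that does that check across every kernel32.dll copy under WinSxS on a machine that has not rebooted yet, recording file version, Authenticode status, signer and SHA256, and then compares the result with the same inventory exported from a healthy peer (or from the file expanded out of the KB3197868 package). It assumes a live Windows system, PowerShell 4 or later (for Get-FileHash), admin rights, and a CSV path of your choosing; the function names are my own.

```powershell
<#
Added example, not code from the thread: inventory every kernel32.dll copy under WinSxS
on a machine that has not rebooted yet, with file version, Authenticode status, signer and
SHA256, and compare it with the same inventory exported from a healthy peer. The point is
to decide from evidence whether the flagged copies are the real Microsoft files before
anything is deleted or restored. Assumes a live Windows system, PowerShell 4 or later and
admin rights; the CSV path is whatever you exported on the healthy machine.
#>
function Get-WinSxSKernel32Inventory {
    param([string]$WinSxS = (Join-Path $env:SystemRoot 'winsxs'))

    # Component folders sit directly under winsxs; the Backup folder holds the *_ef9eca7e
    # copies seen in the scan log. Both locations were hit by the signature.
    $files = @(
        Get-ChildItem -Path (Join-Path $WinSxS '*microsoft-windows-kernel32*') -Filter 'kernel32.dll' -Force -ErrorAction SilentlyContinue
        Get-ChildItem -Path (Join-Path $WinSxS 'Backup') -Filter '*kernel32.dll*' -Force -ErrorAction SilentlyContinue
    ) | Where-Object { $_ -and -not $_.PSIsContainer }

    foreach ($f in $files) {
        $sig = Get-AuthenticodeSignature -FilePath $f.FullName
        [pscustomobject]@{
            Path    = $f.FullName
            Version = $f.VersionInfo.FileVersion
            Status  = $sig.Status      # Valid, NotSigned, HashMismatch, ...
            Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            SHA256  = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        }
    }
}

function Compare-WinSxSKernel32Inventory {
    # $ReferenceCsv: output of Get-WinSxSKernel32Inventory | Export-Csv on a healthy machine.
    param([Parameter(Mandatory)][string]$ReferenceCsv)

    $reference = @{}
    Import-Csv -LiteralPath $ReferenceCsv | ForEach-Object { $reference[$_.Path] = $_.SHA256 }

    foreach ($row in Get-WinSxSKernel32Inventory) {
        $peerHash = $reference[$row.Path]
        if (-not $peerHash)                    { $verdict = 'not on reference machine' }
        elseif ($peerHash -eq $row.SHA256)     { $verdict = 'byte-identical to reference' }
        else                                   { $verdict = 'DIFFERS from reference' }
        [pscustomobject]@{
            Path    = $row.Path
            Version = $row.Version
            Status  = $row.Status
            Verdict = $verdict
        }
    }
}

# Usage: on a healthy peer, export the inventory; on a flagged machine, compare against it.
#   Get-WinSxSKernel32Inventory | Export-Csv -NoTypeInformation healthy-kernel32.csv
#   Compare-WinSxSKernel32Inventory -ReferenceCsv .\healthy-kernel32.csv | Format-Table -AutoSize
```

One caveat when reading the Status column: Microsoft ships most operating-system binaries signed through security catalogs rather than with an embedded Authenticode signature, and only newer Windows builds make Get-AuthenticodeSignature consult the catalogs (when they do, the signature object's SignatureType property reads Catalog). A NotSigned result on its own therefore does not settle whether a system file is genuine, which is why the Verdict column, a byte-for-byte match against a copy from a machine you trust, is the column to act on.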


The update is "November, 2016 Security Monthly Quality Rollup for Windows 7 and Windows Server 2008 R2 for x64-based Systems (KB3197868)" - https://support.microsoft.com/en-us/kb/3197868

You can get a clean example of the kernel32.dll file by downloading a standalone version package of the update and expanding from the cab - http://catalog.update.microsoft.com/v7/site/search.aspx?q=3197868

3197868 file information.csv

Edited by djacobson