CRITICAL False-Positive

[tycho90213]

Today I ran the latest version of SAS with the latest updates on a friend's infected computer, and in addition to finding some malware, it also flagged C:\Windows\System32\MSVCRT.DLL as Trojan.Agent/Gen-MSFake. It was checked to be removed by default, and I allowed it to be deleted along with some other files.

Upon reboot, I immediately received a BSOD with the following message:

STOP: c000021a {Fatal System Error}

The windows Logon Process system process terminated unexpectedly with a status of 0xc0000135 (0x00000000 0x00000000). The system has been shut down.

I spent over 4 hours trying to debug what had gone wrong. Safe mode and Last Known Good Configuration all resulted in the same error. After much searching, I narrowed the error down to the fact that MSVCRT.DLL was missing. Using Ubuntu to replace the file, viola!, the system booted fine.

I submitted the quarantined MSVCRT.DLL to both Jotti and Virustotal (File size: 343040 bytes, MD5: b0fefa816d61ec66aa765ddf534eab5e), and both gave it a clean bill of health. I can see nothing wrong with the file. I even re-ran SAS on the now clean system, and it still flags MSVCRT.DLL as infected.

Please rectify this false-positive as soon as possible, as I fear that people with less technical skills may entirely lose their Win XP installation in the process. Thank you!

[khakiman]

Same here. Superantispyware detected C:\Windows\System32\MSVCRT.DLL and reported it as Trojan.Agent/Gen-MSFake. Fortunately, I did not delete it. Scans by Avira and Malwarebytes of same file were clean.

Is this a false positive?

[prairie dog]

If you take it out of Quarantine it goes back like it was before?

When you restore it out of quarantine it will go back to the proper location

[khakiman]

It's all well and good that you learned something, but it would be more helpful if the developer folks at SAS actually told us whether it was in fact a FP. Since three users have already written about the problem over the last couple of days, I would think that a response would be in order.

[khakiman]

This was already sent in (yesterday) and I am still awaiting a reply!

[khakiman]

Thank you SAS development team and thank you fellow posters for helping get this corrected.

[jposa002]

Hi I'm new to this forum. I need help. I perfomed a search on trojan.agent/gen-fake an this is the closet post I got. Just wondering. I was infected by the above trojan, I'm running Windows xp on my EE notebook. I think it gave me a bogus security message I selected not to block and then it took me to some porn website. I did a scan right away and the sas quarantined it, I removed it from quarantine, don't know if I did the right thing. The scan I perfomed also quarantined rogue.agent/gen. My internet explorer was affected its blocking all internet traffic, except any sites that start with https, ie banks, att wireless account. I have performed both with SAS and AVG a complete system scan, and it has been clean except for the cookies. My question is can I fix the internet issue? If so how? Thank you.

[SUPERAntiSpy]

Hi I'm new to this forum. I need help. I perfomed a search on trojan.agent/gen-fake an this is the closet post I got. Just wondering. I was infected by the above trojan, I'm running Windows xp on my EE notebook. I think it gave me a bogus security message I selected not to block and then it took me to some porn website. I did a scan right away and the sas quarantined it, I removed it from quarantine, don't know if I did the right thing. The scan I perfomed also quarantined rogue.agent/gen. My internet explorer was affected its blocking all internet traffic, except any sites that start with https, ie banks, att wireless account. I have performed both with SAS and AVG a complete system scan, and it has been clean except for the cookies. My question is can I fix the internet issue? If so how? Thank you.

Try our repairs section in SUPERAntiSpyware's Preferences.