tycho90213

CRITICAL False-Positive

Today I ran the latest version of SAS with the latest updates on a friend's infected computer, and in addition to finding some malware, it also flagged C:\Windows\System32\MSVCRT.DLL as Trojan.Agent/Gen-MSFake. It was checked to be removed by default, and I allowed it to be deleted along with some other files.

Upon reboot, I immediately received a BSOD with the following message:

STOP: c000021a {Fatal System Error}

The windows Logon Process system process terminated unexpectedly with a status of 0xc0000135 (0x00000000 0x00000000). The system has been shut down.

I spent over 4 hours trying to debug what had gone wrong. Safe mode and Last Known Good Configuration all resulted in the same error. After much searching, I narrowed the error down to the fact that MSVCRT.DLL was missing. Using Ubuntu to replace the file, voilà!, the system booted fine.

I submitted the quarantined MSVCRT.DLL to both Jotti and Virustotal (File size: 343040 bytes, MD5: b0fefa816d61ec66aa765ddf534eab5e), and both gave it a clean bill of health. I can see nothing wrong with the file. I even re-ran SAS on the now clean system, and it still flags MSVCRT.DLL as infected.

Please rectify this false-positive as soon as possible, as I fear that people with less technical skills may entirely lose their Win XP installation in the process. Thank you!

Same here. Superantispyware detected C:\Windows\System32\MSVCRT.DLL and reported it as Trojan.Agent/Gen-MSFake. Fortunately, I did not delete it. Scans by Avira and Malwarebytes of the same file were clean.

Is this a false positive?

It's all well and good that you learned something, but it would be more helpful if the developer folks at SAS actually told us whether it was in fact a FP. Since three users have already written about the problem over the last couple of days, I would think that a response would be in order.

Hi, I'm new to this forum. I need help. I performed a search on trojan.agent/gen-fake and this is the closest post I got. Just wondering. I was infected by the above trojan. I'm running Windows XP on my EE notebook. I think it gave me a bogus security message; I selected not to block, and then it took me to some porn website. I did a scan right away and SAS quarantined it. I removed it from quarantine; I don't know if I did the right thing. The scan I performed also quarantined rogue.agent/gen. My Internet Explorer was affected: it's blocking all internet traffic, except any sites that start with https, i.e. banks, AT&T wireless account. I have performed a complete system scan with both SAS and AVG, and it has been clean except for the cookies. My question is, can I fix the internet issue? If so, how? Thank you.

Try our repairs section in SUPERAntiSpyware's Preferences.

This topic is now closed to further replies.