Solved

msimg32.dll is reported as infected by w32.rogue.gen


After installing the Microsoft Windows 8.1 updates this morning (KB3000850 and KB3011750), webroot reported msimg32.dll as infected by w32.rogue.gen.
 
I think this is perhaps a false positive as I had run manual scans prior and had no threats detected until just today?
icon

Best answer by Rakanisheu 19 November 2014, 18:32

EDIT just seen your reply! Glad to hear your back up and running. I have to fix my own Win 8.1 VM which I have completely destroyed :D My shift is just finished if you have any further issues please reply to the support ticket.

View original

43 replies

Userlevel 7
Badge +55

@azayaka wrote:
After installing the Microsoft Windows 8.1 updates this morning (KB3000850 and KB3011750), webroot reported msimg32.dll as infected by w32.rogue.gen.
 
I think this is perhaps a false positive as I had run manual scans prior and had no threats detected until just today?

Hello azayaka,
 
Welcome to the Community!
 
I've done some research of this and here's what I've found. I don't want to alarm you though because I could be wrong.
 
he W32.Rogue.Gen is a nasty computer infection classified as a Trojan virus, and sneaks in the computers by using the holes in the security of the system. Once installed, the W32.Rogue.Gen modifies the browser settings on your system in order to gain the complete control of your online activity. There are many different ways through which you can get this infection inside your system including the social networks, bundled downloads, and spam email attachments. No matter how good antivirus you are using, there is always a chance that this nasty Trojan sneaks in the system, and performs a number of harmful activities. In order to avoid any detection effort, this Trojan virus hides itself deep in the roots of the system file, and keeps changing its places. This malicious application can crash your operating system modify the windows registry, steal the confidential details, and take control of your browser. Besides that, when it alters the windows firewall, the other parasites can easily enter in the system, and you are unable to open any application on the system. It also stops you from downloading any security related software on your PC.
 
Please issue a Support Ticket  ASAP so they can take care of this nasty virus for you!
 
 
Good Luck,
 
Best Regards,
 
Userlevel 7
Hello there, welcome to the Webroot Community!
 
EDIT: @Ssherjj got here first, but I am going to leave my post as is to add to what she said.
 
There would be no difference in the detections between automatic and manual scans.  It is possible that a file that was previously not makrd as bad has been found to be malicous and has thus been marked in the Cloud as malware. It could be a new variant that had not been previously detected.
 
The best thing to do if you are unsure about this detection being a Fale Postive would be to submit a Trouble Ticket to have Webroot Support take a quick look. This is a free service with your vlalid WSA license.
 
 
I have nearly the exact same scenario:  same OS (Windows 8.1), same lack of infections using Webroot, same Windows Updates, then the same subsequent infected file from the same Trojan, same thought of false positive. The only difference for me was Webroot was to remove the Trojan upon restart, only to not be able to sign into my computer afterwards.
I've seen the same behavior on two Win 8.1 PCs since installing the 3011750 patch. Once installed, Webroot crashes Internet Explorer if you either resize the window, or open a pop-up or link in a new window. If Webroot launches a scan before you can remove the patch, it quarantines the instances of msimg32.dll it finds. In one of my cases, this blue screened the PC. Checking the event logs shows that WRusr.dll is causing the fault in IE.
 
Once msimg32.dll has been quarantined (that is, once a Webroot scan has been launched), almost none of the applications on the PC other than default Windows programs will run. System Restore also fails. I was able to restore by doing the following:
  • Open an elevated command prompt, and type the following: sfc /scannow
  • When that's done, go to Programs and Features and remove both 3000850 and 3011750 (I think it's the latter patch that causes the problem, but I've been removing both)
  • Reboot--this takes longer than normal, as the patches are removed.
This procedure restored both my machines, neither of which had any problem until applying the MS patches today and then getting some false positives from Webroot. I have not tried this on a Win 7 machien yet, but it's possible it happens there as well. Hope this helps others until Webroot can resolve the issue.
Userlevel 7
Badge +55
 
Hello Wadsville85,  Welcome to the Community! Thank you for your help in posting this.  I hope this is a False Positive as David has mentioned in previous post.  Best Regards, Thanks,
I had 4 Win 8.1 machines wth Webroot to which I applied KB3000850, and of these only one had no problem, though on it I had to override WSA's attempt to quarantine msimg32.dll. Of the others, two are hung at the login screen; I'll have to restore them from a Windows Home Sever backup, if I can. The last is usable but crippled by the missing msimg32.dll. It was a brand new computer unboxed days ago, barely used, so I think it's unlikely that it could have had an infection.
 
I think this may prove to be a big time problem for WSA users.
Userlevel 7

@jim02143 wrote:
I had 4 Win 8.1 machines wth Webroot to which I applied KB3000850, and of these only one had no problem, though on it I had to override WSA's attempt to quarantine msimg32.dll. Of the others, two are hung at the login screen; I'll have to restore them from a Windows Home Sever backup, if I can. The last is usable but crippled by the missing msimg32.dll. It was a brand new computer unboxed days ago, barely used, so I think it's unlikely that it could have had an infection.
 
I think this may prove to be a big time problem for WSA users.

Not for long. Please submit a Trouble Ticket ASAP. That will give Webroot Support a bit more information about this problem.  It will likely not be very long before the file is whitelisted in the Cloud.
Userlevel 7
Badge +55
I know someone will be looking into this ASAP and he will let you know!
 
Daniel
Userlevel 2
This does look like a false positive, it seems it has already been corrected today though.
 
If you are curious about a file and would like us to check into it for you, please give us the file's MD5 signature. This can be found in the scan logs, ex:
 
Infection detected: c:windowssyswow64msimg32.dll [MD5: C3D8AE69A5EA63246D00144C12829E4B] [3/00080401] [W32.Rogue.Gen]This and 
c:windowssysnativemsimg32.dll - MD5: 107A98C9FE7EFF7ED1F62CFCD4F1A347have been reversed. 
Userlevel 1
I' ve basically got two semi-bricked systems becasue Webroot apparently either blocked or quarantined Msimg32.dll, so now I get a Windows 8.1 message that this DLL is mssing; as a result, neither Webroot WSA Complete or AVG will run on either system.
 
Like a previous poster, I tried two different Windows restores and they both failed.
 
What am I supposed to do NOW???
Userlevel 7
Badge +55

@kdcdq wrote:
I' ve basically got two semi-bricked systems becasue Webroot apparently either blocked or quarantined Msimg32.dll, so now I get a Windows 8.1 message that this DLL is mssing; as a result, neither Webroot WSA Complete or AVG will run on either system.
 
Like a previous poster, I tried two different Windows restores and they both failed.
 
What am I supposed to do NOW???

Hello kdcdq,
 
Welcome to the Community!
 
 Please issue a Support Ticket  ASAP so they can take care of this for you.
 
I aplogize for the inconvience. According to Support
 
This does look like a false positive, it seems it has already been corrected today though.
 
If you are curious about a file and would like us to check into it for you, please give us the file's MD5 signature. This can be found in the scan logs, ex:
 
Infection detected: c:windowssyswow64msimg32.dll [MD5: C3D8AE69A5EA63246D00144C12829E4B] [3/00080401] [W32.Rogue.Gen]This and 
c:windowssysnativemsimg32.dll - MD5: 107A98C9FE7EFF7ED1F62CFCD4F1A347

Has been reversed.
Userlevel 7
Hello kdcdq, welcome to the Community!
 
EDIT:  @Ssherjj  got here first, so please read both posts: her information is relevant to my reply as well.
 
Please submit a Trouble TIcket to have further assistance by Webroot Support.  
 
Also,I am not sure, but I believe you should be able to go into Safe Mode, open WSA, and restore the file from the Quarantine.  As the False Postive has now been fixed, WSA will not re-detect it as malicious.
 
After restoring the file, reboot to normal mode.
 
 
I hope this helps!
Userlevel 1
Unfortunately your suggestion didn't work. When I bring up Windows 8.1 in Safe Mode, I still get the same message about the missing dll, so therefore I am unable to "unquarantine" Msimg32.dll.
Userlevel 7

@kdcdq wrote:
Unfortunately your suggestion didn't work. When I bring up Windows 8.1 in Safe Mode, I still get the same message about the missing dll, so therefore I am unable to "unquarantine" Msimg32.dll.

Please go ahead and submit a Trouble Ticket to have Webroot Support take a look or provide additional suggestions/help.
 
Let us know if they come up with a viable solution for you please so that we can also pass it on to anyone else affected and inable to easily rollback or unquarantine.
Userlevel 1
I HAVE opened a trouble ticket and am SURE hoping they can offer me somekind of fix ASAP before I take a sledge hammer to two expensive systems.  :manmad:
Userlevel 7
Thank you :)
 
Please do not attempt to add to the ticket or update it until you have heard from Support, that will slow down the response to you by altering the date/time stamp on the ticket.  Webroot Support is usually not instant, but it is usually quite fast, within an hour or two for me usually when I file a ticket.
Userlevel 7
Looks like my colleague is looking at the ticket, he will probably recommened you do the following.
 
You may un-quarantine and restore the file that was quarantined by the Webroot SecureAnywhere software if you have not already done so. To restore the file:

1. Open on the cog icon next to PC Security.
2. Click the Quarantine tab.
3. Click the check box next to the filename, then click Restore.
 
c:windowssystem32msimg32.dll
 
Then reboot your PC, should be fixed then. 
Userlevel 1
I wished I could. WSA does not start or run because of the missing DLL, therefore I am unable to restore this dll from quarantine using the method you describe.  That is what I've been trying to explain; WSA is NOT running on the bricked systems.
Userlevel 1
I also got the same missing dll message after booting WIndows 8.1 in Safe Mode, so that doesn't work either.
Userlevel 7
Badge +55
Hi @kdcdq  I see you posted here as well as Wilders so I will leave you in @Rakanisheu hands to get your issue corrected.
 
Thanks,
 
Daniel
Userlevel 7
WSA isnt loading because of a non-webroot related driver? Your the only reported instance of this from what I have seen. When you try to open WSA is doesnt open or gives you an error? Can you get online with either PC? I can send you a copy of this file that you can drop in the System32 folder. 
Userlevel 1
I have already tried to copy in the missing dll and WSA still does NOT run.
 
Yes, I can use Internet Explorer on the affected systems after I get three or four messages about msimg32.dll being missing. I just have NO security on the two affected systems.
Userlevel 7
Here is a copy of that exact file
 
http://www.filedropper.com/msimg32
 
With MD5 of: c3d8ae69a5ea63246d00144c12829e4b
 
Are you able to get that file and place it in the following path?
 
c:windowssystem32
 
*Edit* 
 
Just seen your reply, is the system stable but WSA is now broken? We can repair WSA if thats the case.
Userlevel 1
That's it EXACTLY!!!  Only WSA (and/or AVG) doesn't run because of the missing DLL.
Userlevel 7
Roy, 
 
Sorry for interrupting here, but I wanted to ask if it would be OK with you for us to reference your file download for any other users who have similar issues with not being able to un-quarantine the file?

Reply

    Cookie policy

    We use cookies to enhance and personalize your experience. If you accept or continue browsing you agree to our cookie policy. Learn more about our cookies.

    Accept cookies Cookie settings