Solved

msimg32.dll is reported as infected by w32.rogue.gen

  • 19 November 2014
  • 43 replies
  • 5288 views

After installing the Microsoft Windows 8.1 updates this morning (KB3000850 and KB3011750), webroot reported msimg32.dll as infected by w32.rogue.gen.
 
I think this is perhaps a false positive as I had run manual scans prior and had no threats detected until just today?

Best answer by Rakanisheu Retired 19 November 2014, 18:32

EDIT: just seen your reply! Glad to hear you're back up and running. I have to fix my own Win 8.1 VM which I have completely destroyed :D My shift is just finished; if you have any further issues please reply to the support ticket.

43 replies

Userlevel 7
WSA isn't loading because of a non-Webroot related driver? You're the only reported instance of this from what I have seen. When you try to open WSA, does it not open, or does it give you an error? Can you get online with either PC? I can send you a copy of this file that you can drop in the System32 folder.
Userlevel 7
Ok, I am testing this on a VM to see if I can brick my Win 8.1. In the meantime, can you run a system file check to make sure the rest of the system is OK?
 
To open Command Prompt and run it in elevated mode, follow these steps.
a. From the Start screen, type Command prompt.
b. Right-click on Command Prompt and choose Run as Administrator.
c. Now in the command prompt window, type sfc /scannow (note, there is a space between sfc and /scannow)
 
Can you try that and let me know if there were any integrity issues.
Userlevel 1
Joy, Joy, Joy!!!  The system scan successfully restored msimg32.dll to c:\windows\sysWOW64 and Webroot is running great!
 
I can NOT thank you enough for helping me resolve this problem in a timely manner!
 
After checking the Webroot quarantine, the missing file msimg32.dll was, indeed, quarantined by WSA; the files were in the Windows 8.1 System32 and sysWOW64 subdirectories.
Userlevel 7
Badge +55
@ wrote:
After installing the Microsoft Windows 8.1 updates this morning (KB3000850 and KB3011750), webroot reported msimg32.dll as infected by w32.rogue.gen.
 
I think this is perhaps a false positive as I had run manual scans prior and had no threats detected until just today?
Hello azayaka,
 
Welcome to the Community!
 
I've done some research on this and here's what I've found. I don't want to alarm you though, because I could be wrong.
 
The W32.Rogue.Gen is a nasty computer infection classified as a Trojan virus, and sneaks into computers by using holes in the security of the system. Once installed, the W32.Rogue.Gen modifies the browser settings on your system in order to gain complete control of your online activity. There are many different ways through which you can get this infection inside your system, including social networks, bundled downloads, and spam email attachments. No matter how good an antivirus you are using, there is always a chance that this nasty Trojan sneaks into the system and performs a number of harmful activities. In order to avoid any detection effort, this Trojan virus hides itself deep in the roots of the system files, and keeps changing its place. This malicious application can crash your operating system, modify the Windows registry, steal confidential details, and take control of your browser. Besides that, when it alters the Windows firewall, other parasites can easily enter the system, and you are unable to open any application on the system. It also stops you from downloading any security related software on your PC.
 
Please issue a Support Ticket ASAP so they can take care of this nasty virus for you!
 
 
Good Luck,
 
Best Regards,
 
I've seen the same behavior on two Win 8.1 PCs since installing the 3011750 patch. Once installed, Webroot crashes Internet Explorer if you either resize the window, or open a pop-up or link in a new window. If Webroot launches a scan before you can remove the patch, it quarantines the instances of msimg32.dll it finds. In one of my cases, this blue screened the PC. Checking the event logs shows that WRusr.dll is causing the fault in IE.
 
Once msimg32.dll has been quarantined (that is, once a Webroot scan has been launched), almost none of the applications on the PC other than default Windows programs will run. System Restore also fails. I was able to restore by doing the following:
  • Open an elevated command prompt, and type the following: sfc /scannow
  • When that's done, go to Programs and Features and remove both 3000850 and 3011750 (I think it's the latter patch that causes the problem, but I've been removing both)
  • Reboot--this takes longer than normal, as the patches are removed.
This procedure restored both my machines, neither of which had any problem until applying the MS patches today and then getting some false positives from Webroot. I have not tried this on a Win 7 machine yet, but it's possible it happens there as well. Hope this helps others until Webroot can resolve the issue.
This does look like a false positive, it seems it has already been corrected today though.
 
If you are curious about a file and would like us to check into it for you, please give us the file's MD5 signature. This can be found in the scan logs, ex:
 
Infection detected: c:\windows\syswow64\msimg32.dll [MD5: C3D8AE69A5EA63246D00144C12829E4B] [3/00080401] [W32.Rogue.Gen]

This and
c:\windows\sysnative\msimg32.dll - MD5: 107A98C9FE7EFF7ED1F62CFCD4F1A347
have been reversed.
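Added example, not code from any poster in this thread or from Webroot: a PowerShell check that ties together the recovery steps given earlier (restore from Quarantine, sfc /scannow, removal of KB3000850/KB3011750) with the two MD5 values quoted just above. It assumes PowerShell 4.0 or later (which shipped with Windows 8.1, and is where Get-FileHash first appeared) and must be run from the 64-bit PowerShell host, otherwise the System32 path is silently redirected to SysWOW64. The function names are my own; the MD5 values are the ones posted in the thread.

```powershell
# Added example (not from the Webroot thread). Assumes PowerShell 4.0+ and a 64-bit host.
# MD5 values below are the ones quoted by Webroot staff in this thread. On another OS
# build a mismatch is expected: treat it as "verify further", not as "infected".
$KnownGoodMd5 = @{
    'C3D8AE69A5EA63246D00144C12829E4B' = 'SysWOW64 (32-bit) copy, as posted in the thread'
    '107A98C9FE7EFF7ED1F62CFCD4F1A347' = 'Sysnative/System32 (64-bit) copy, as posted in the thread'
}

function Test-Msimg32State {
    # Returns one object per expected copy of msimg32.dll: present or not, its MD5,
    # and whether that MD5 matches a value reported in the thread.
    $paths = @(
        (Join-Path $env:SystemRoot 'System32\msimg32.dll'),
        (Join-Path $env:SystemRoot 'SysWOW64\msimg32.dll')
    )
    foreach ($p in $paths) {
        if (-not (Test-Path -LiteralPath $p)) {
            # A missing copy is exactly the symptom the thread describes (quarantined by WSA).
            [pscustomobject]@{
                Path    = $p
                Present = $false
                MD5     = $null
                Note    = 'MISSING: restore from WSA Quarantine, then run sfc /scannow from an elevated prompt'
            }
            continue
        }
        $md5  = (Get-FileHash -LiteralPath $p -Algorithm MD5).Hash
        $note = if ($KnownGoodMd5.ContainsKey($md5)) {
                    $KnownGoodMd5[$md5]
                } else {
                    'MD5 not in the thread list; confirm integrity with sfc /verifyonly'
                }
        [pscustomobject]@{ Path = $p; Present = $true; MD5 = $md5; Note = $note }
    }
}

function Get-BlamedUpdates {
    # The two updates this thread associates with the detection; empty output means
    # neither is installed (e.g. after removing them via Programs and Features).
    Get-HotFix |
        Where-Object { $_.HotFixID -in @('KB3000850', 'KB3011750') } |
        Select-Object HotFixID, InstalledOn
}

Test-Msimg32State | Format-Table -AutoSize
Get-BlamedUpdates | Format-Table -AutoSize

# sfc needs an elevated prompt. /verifyonly only reports; /scannow is the repairing run
# recommended in the thread.
$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
           ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if ($isAdmin) {
    sfc /verifyonly
} else {
    Write-Warning 'Run from an elevated PowerShell prompt to let sfc verify the system files.'
}
```

Run it before and after restoring the file from Quarantine: a `Present = $false` row confirms the quarantine is what broke the system, and a matching MD5 afterwards confirms the restored copy is the same file Webroot staff reversed the detection on. sfc's console output may show extra spacing when launched from PowerShell; that is a display quirk of sfc, not a sign of a problem.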
Userlevel 7
Looks like my colleague is looking at the ticket; he will probably recommend you do the following.
 
You may un-quarantine and restore the file that was quarantined by the Webroot SecureAnywhere software if you have not already done so. To restore the file:

1. Click on the cog icon next to PC Security.
2. Click the Quarantine tab.
3. Click the check box next to the filename, then click Restore.
 
c:\windows\system32\msimg32.dll
 
Then reboot your PC; it should be fixed then.
Userlevel 1
Sorry David. I get a bit anxious when I have two broken systems... :mantongue:
Userlevel 7
@ and @ , thank you both for the full explanations in the replies above... I have learned a lot and hopefully if we see another example of this I will know what to suggest to help get it fixed a bit quicker!
 
 
Userlevel 7
Have you modified the default settings in WSA? None of what you describe sounds normal or related to this issue at all.
I've followed your advice and everything looks back to normal. Now to apply those new Windows Updates. *crosses fingers*
Everything's good to go...finally. Thanks for pointing me in the right direction.
Userlevel 7
Hello there, welcome to the Webroot Community!
 
EDIT: @ got here first, but I am going to leave my post as is to add to what she said.
 
There would be no difference in the detections between automatic and manual scans.  It is possible that a file that was previously not marked as bad has been found to be malicious and has thus been marked in the Cloud as malware. It could be a new variant that had not been previously detected.
 
The best thing to do if you are unsure about this detection being a False Positive would be to submit a Trouble Ticket to have Webroot Support take a quick look. This is a free service with your valid WSA license.
 
 
Userlevel 7
Badge +55
Hi @  I see you posted here as well as Wilders so I will leave you in @ hands to get your issue corrected.
 
Thanks,
 
Daniel
Userlevel 7
Here is a copy of that exact file
 
http://www.filedropper.com/msimg32
 
With MD5 of: c3d8ae69a5ea63246d00144c12829e4b
 
Are you able to get that file and place it in the following path?
 
c:\windows\system32
 
*Edit* 
 
Just seen your reply; is the system stable but WSA is now broken? We can repair WSA if that's the case.
Userlevel 7
@ wrote:
Roy, I assume your question was directed at/to ...
I am David, and I was directing it to Rakanisheu  :)  
Userlevel 7
Badge +55
Hello @ 

Welcome to the Community,
 

Would you try this before you throw that laptop in the lake? As one of our Moderators said earlier in this thread, do this:
You may un-quarantine and restore the file that was quarantined by the Webroot SecureAnywhere software if you have not already done so. To restore the file:

1. Click on the cog icon next to PC Security.
2. Click the Quarantine tab.
3. Click the check box next to the filename, then click Restore.
 
c:\windows\system32\msimg32.dll
 
Then reboot your PC; it should be fixed then.

Then try this.
To open Command Prompt and run it in elevated mode, follow these steps.
a. From the Start screen, type Command prompt.
b. Right-click on Command Prompt and choose Run as Administrator.
c. Now in the command prompt window, type sfc /scannow (note, there is a space between sfc and /scannow)

If this doesn't help you can always issue another support ticket!

Sorry for your troubles,

Best Regards,
Userlevel 7
Badge +55
 
Hello Wadsville85, Welcome to the Community! Thank you for your help in posting this. I hope this is a False Positive as David has mentioned in a previous post.

Best Regards, Thanks,
Userlevel 7
@ wrote:
I had 4 Win 8.1 machines with Webroot to which I applied KB3000850, and of these only one had no problem, though on it I had to override WSA's attempt to quarantine msimg32.dll. Of the others, two are hung at the login screen; I'll have to restore them from a Windows Home Server backup, if I can. The last is usable but crippled by the missing msimg32.dll. It was a brand new computer unboxed days ago, barely used, so I think it's unlikely that it could have had an infection.
 
I think this may prove to be a big time problem for WSA users.
Not for long. Please submit a Trouble Ticket ASAP. That will give Webroot Support a bit more information about this problem.  It will likely not be very long before the file is whitelisted in the Cloud.
Userlevel 7
Badge +55
I know someone will be looking into this ASAP and he will let you know!
 
Daniel
Userlevel 7
Badge +55
@ wrote:
I've basically got two semi-bricked systems because Webroot apparently either blocked or quarantined Msimg32.dll, so now I get a Windows 8.1 message that this DLL is missing; as a result, neither Webroot WSA Complete nor AVG will run on either system.
 
Like a previous poster, I tried two different Windows restores and they both failed.
 
What am I supposed to do NOW???
Hello kdcdq,
 
Welcome to the Community!
 
Please issue a Support Ticket ASAP so they can take care of this for you.
 
I apologize for the inconvenience. According to Support:
 
This does look like a false positive, it seems it has already been corrected today though.
 
If you are curious about a file and would like us to check into it for you, please give us the file's MD5 signature. This can be found in the scan logs, ex:
 
Infection detected: c:\windows\syswow64\msimg32.dll [MD5: C3D8AE69A5EA63246D00144C12829E4B] [3/00080401] [W32.Rogue.Gen]

This and
c:\windows\sysnative\msimg32.dll - MD5: 107A98C9FE7EFF7ED1F62CFCD4F1A347

have been reversed.
Userlevel 7
Hello kdcdq, welcome to the Community!
 
EDIT:  @  got here first, so please read both posts: her information is relevant to my reply as well.
 
Please submit a Trouble Ticket to have further assistance from Webroot Support.
 
Also, I am not sure, but I believe you should be able to go into Safe Mode, open WSA, and restore the file from the Quarantine.  As the False Positive has now been fixed, WSA will not re-detect it as malicious.
 
After restoring the file, reboot to normal mode.
 
 
I hope this helps!
Userlevel 7
@ wrote:
Unfortunately your suggestion didn't work. When I bring up Windows 8.1 in Safe Mode, I still get the same message about the missing dll, so therefore I am unable to "unquarantine" Msimg32.dll.
Please go ahead and submit a Trouble Ticket to have Webroot Support take a look or provide additional suggestions/help.
 
Let us know if they come up with a viable solution for you please, so that we can also pass it on to anyone else affected and unable to easily roll back or unquarantine.
Userlevel 1
I HAVE opened a trouble ticket and am SURE hoping they can offer me some kind of fix ASAP before I take a sledge hammer to two expensive systems.  :manmad: