Posted by Cruzinit
Henagon

Gen:HackTool.WinCred.1 - On 2 of our computers - Keeps coming back

Malware name: Gen:HackTool.WinCred.1
Malware file path: c:\windows\system32\lsasrv.dll
Detection time: 29-Jun-2017 22:33:07 UTC
Additional information / action: File infected

On a user's computer and our 2012 Remote access server

When I went to check the registry, I found regedit already had some keys open that I never played with before.

Concerned I'm being hacked

Thanks in advance


 

3 Accepted Solutions

Posted by Remote Management Staff
Remote Management Staff
Solution

Re: Gen:HackTool.WinCred.1 - On 2 of our computers - Keeps coming back

Hello Everyone, 

Thanks for posting this situation in the community. 

It appears that the file infected is shown on several Windows systems since yesterday and the detection stopped at around 11.30 UTC with the latest Malware signatures.

[process] c:\windows\system32\lsasrv.dll [INFECTED:<virus> Gen:HackTool.WinCred.1]

As this dll is a critical Windows component we will never try to delete it and the state will always be infected. 

Thank you for your fast reaction and for posting this so everyone can see that it is not an individual issue. 

 

We are sorry for the inconvenience created by this situation. In an ideal world this should not happen but from time to time these false positives can happen and critical Windows components can be flagged as malware due to updates or updates from other applications which use those components.

We are repairing any false positives within 24 hours of reporting.

After the investigation from our Malware labs finishes, we will post the findings here.

 

Product Owner, Remote Management services.


Posted by Remote Management Staff
Remote Management Staff
Solution

Re: Gen:HackTool.WinCred.1 - On 2 of our computers - Keeps coming back

Hi @pia777

The situation was resolved, as I wrote a week ago.

Please have a look at the post above yours. The false positive detection was remediated within 24 hours as mentioned. The detection is no longer present in our signatures.

Product Owner, Remote Management services.


Posted by repair2u
Henagon
Solution

Re: Gen:HackTool.WinCred.1 - On 2 of our computers - Keeps coming back

Gen:HackTool.WinCred. some computers - Keeps coming back

please fix 8/5/2017


12 Replies
Posted by bartlanz
Heptagon

Re: Gen:HackTool.WinCred.1 - On 2 of our computers - Keeps coming back

I received this notice today as well, what I find most annoying is that the IT Brain Anti Malware both on the system, and in the management console does not give me any options to remedy the issue?!

If my post was helpful, Please throw me a Kudos.
If my post fixed your issue, please mark it as the solution to help the next person find a solution quickly.
Bart Lanzillotti
We Do IT USA
www.wedoitusa.com
Posted by Tech-Key
Digon

Re: Gen:HackTool.WinCred.1 - On 2 of our computers - Keeps coming back

3 of the computers I manage just reported the same:

ITbrain Anti-Malware detected a potential threat on the device [edited]
Name Gen:HackTool.WinCred.1
Found in c:\windows\system32\lsasrv.dll
Found at 06/29/2017 12:00 PM
Status File infected

One of the computers has Windows 8, the other two have WinX Pro

This smells like a false positive to me.
Any way to double-check?

Please advise.

Tech-Key
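
One way to answer the "any way to double-check?" question on an affected machine, as an added example that is not part of the original thread: it checks the Authenticode signature of the flagged file, records its version and SHA-256 for comparison with a machine at the same patch level, and asks System File Checker to verify it. The function name `Test-FlaggedSystemFile` is hypothetical; run it from an elevated PowerShell 5.1 prompt, since older PowerShell versions can report catalog-signed system files as `NotSigned`.

```powershell
# Added example (not from the thread). Test-FlaggedSystemFile is a hypothetical helper name.
function Test-FlaggedSystemFile {
    param(
        # Default path is the one shown in the detection notices quoted in this thread.
        [string]$Path = (Join-Path $env:SystemRoot 'System32\lsasrv.dll')
    )

    $item = Get-Item -LiteralPath $Path -ErrorAction Stop
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = Get-FileHash -LiteralPath $Path -Algorithm SHA256

    # SignerCertificate is $null when no signature was found.
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    [pscustomobject]@{
        Path              = $item.FullName
        FileVersion       = $item.VersionInfo.FileVersion
        LastWriteUtc      = $item.LastWriteTimeUtc
        SHA256            = $hash.Hash          # compare with a known-good machine on the same build
        SignatureStatus   = $sig.Status
        SignatureType     = $sig.SignatureType  # Authenticode (embedded) or Catalog
        IsOSBinary        = $sig.IsOSBinary
        Signer            = $signer
        # 'Valid' means the signature verifies and chains to a trusted root;
        # the subject match additionally requires a Microsoft signer.
        SignedByMicrosoft = ($sig.Status -eq 'Valid') -and
                            ($signer -like '*O=Microsoft Corporation*')
    }
}

$result = Test-FlaggedSystemFile
$result | Format-List

if (-not $result.SignedByMicrosoft) {
    Write-Warning "Signature check failed for $($result.Path); treat the detection as real until proven otherwise."
}

# System File Checker compares the file with the Windows component store (needs elevation).
sfc.exe "/verifyfile=$($result.Path)"
```

A valid Microsoft signature plus a clean `sfc` result supports the false-positive reading; a mismatch on either is a reason to isolate the machine and investigate further.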
Posted by ChrisBa
Henagon

Re: Gen:HackTool.WinCred.1 - On 2 of our computers - Keeps coming back

Same for me.
2 on Windows 7 and 3 on Windows 10
I also think it's a false positive.

Info: This dll has something to do with the Wannacry bs.

Posted by ercankaygusuz
Photon

Re: Gen:HackTool.WinCred.1 - On 2 of our computers - Keeps coming back

Is there anything to do about it? If you wanna cry an interesting with the systems very seriously ... I think this is a situation that needs to be resolved very urgently.
Posted by Tech-Key
Digon

Re: Gen:HackTool.WinCred.1 - On 2 of our computers - Keeps coming back

I can't tell if you are trolling and spamming or if there is a language barrier.

If it's the latter, @Stanislav confirmed it is a false positive and they are fixing it.

Issue is being fixed. Relax.

Thank you :heart:.

Tech-Key
Posted by Remote Management Staff
Remote Management Staff

Re: Gen:HackTool.WinCred.1 - On 2 of our computers - Keeps coming back

Hello to everyone,

I would like to reiterate one more time that the lsasrv.dll was falsely detected for a few hours only.  

The false positive detection was introduced on 29.06.2017 and was resolved within hours. The only reason why a few systems were affected for 1 day was due to the fact that at night computers are turned off and new signature updates come usually after booting up during office hours. 

The detection itself was an automated response of the signature compiler to a Windows component, in this case: lsasrv.dll which was about to receive an update from Microsoft. 

With all situations malware related we are dealing with them within 24 hours as per industry standard SLA.

 

Have a nice week ahead and stay safe.

 

 

Product Owner, Remote Management services.
Posted by pia777
Henagon

Re: Gen:HackTool.WinCred.1 - On 2 of our computers - Keeps coming back

I have not seen an update to this problem in two weeks, you said you post fix within 24 hours.  See post.  Where are we with this issue?

1 Reply