audiodg.exe reported as infected


hspen302

I suddenly started to receive multiple messages of a successful removal for a Trojan.FakeMS. I am trying to determine if these are a false positive incidence or not. Here is the location and information about the object that it located:

 

C:\Windows\winsxs\amd64_microsoft-windows-audio-audiocore_31bf3856ad364e35_6.1.7600.16385_none_d294b5cdfe50c681\audiodg.exe

 

It is coming up with the exact same file on over 30 computers.

Link to post

Well good thing to know it is a false positive but I can't restore it from quarantine. I get this message "Error Unable to restore quarantined item

C:\Windows\winsxs\amd64_microsoft-windows-audio-audiocore_31bf3856ad364e35_6.1.7600.16385_none_d294b5cdfe50c681\audiodg.exe : Access is denied"

Link to post

  • Staff

Whenever you do a Windows update that includes this file, you'll have it back in the C:\Windows\winsxs\ folder as well.

A lot of users actually delete the entire C:\Windows\winsxs\ folder in order to gain drive space. This folder and its subfiles are mainly needed/required in case of compatibility issues, but in your case, the audiodg.exe loaded in your system32 folder (which is where it loads by default) still works fine.

In order to gain ownership of that winsxs folder to have it restore the file mbam quarantined, do the following:

 

Right-click it (C:\Windows\winsxs\), select Properties > Security Tab > Advanced at the bottom > Owner Tab > Edit > Highlight your username and put a tick in ‘Replace owner on sub containers…’ and Apply > OK. You will only have the ‘Replace owner on subcontainers…’ box for folders, not files. Click Yes when you receive the Security pop-up window, then click OK to the Close/Reopen message.

 Now go back to the Properties > Security Tab. Click Edit > Add. Type in your User Account Name in the box under Enter the objects name to select. Click on Check Names > OK. Click on your User Account Name to highlight it. Check the box for Full Control > Apply and OK, etc.

 Refer to this link for more information on this issue: http://social.msdn.microsoft.com/Forums/en/windowscompatibility/thread/beac915a-1ed3-4686-a62b-0fc2d079ebf8

 

But honestly, it's really not worth the hassle - if you really want a backup of that exact file, just copy/backup the audiodg.exe file from your system32 folder to whatever location you prefer as that's the same one :)

Link to post
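
The reply above treats the System32 copy of audiodg.exe and the WinSxS copy as the same file. The following PowerShell is an added example, not code from any poster or from Malwarebytes, that checks this before anything is restored or replaced by hashing each copy and recording its version and signature status. It assumes a 64-bit PowerShell session; the WinSxS wildcard is derived from the path quoted in the thread, and the function names are hypothetical.

```powershell
# Added example. Hashing uses .NET directly so it also runs on the
# PowerShell 2.0 that ships with Windows 7.
function Get-Sha256Hex {
    param([string]$Path)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { return [System.BitConverter]::ToString($sha.ComputeHash($stream)) -replace '-', '' }
    finally { $stream.Close() }
}

function Get-FileEvidence {
    param([string]$Path)
    # On older PowerShell versions, catalog-signed Windows binaries can show
    # as NotSigned here, so treat that status as "unknown", not as tampering.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    New-Object PSObject -Property @{
        Path        = $Path
        FileVersion = (Get-Item -LiteralPath $Path).VersionInfo.FileVersion
        Signature   = $sig.Status
        Sha256      = (Get-Sha256Hex $Path)
    }
}

# Reference copy (the one Windows actually loads) and the component-store copies.
$reference = Join-Path $env:SystemRoot 'System32\audiodg.exe'
$storeGlob = Join-Path $env:SystemRoot 'winsxs\amd64_microsoft-windows-audio-audiocore_*\audiodg.exe'

$paths = @()
if (Test-Path $reference) { $paths += $reference }
else { Write-Warning "Missing: $reference" }
$paths += @(Get-ChildItem -Path $storeGlob -ErrorAction SilentlyContinue |
            ForEach-Object { $_.FullName })

$report  = @($paths | ForEach-Object { Get-FileEvidence $_ })
$refHash = ($report | Where-Object { $_.Path -eq $reference }).Sha256

# One record per copy, flagged by whether it is byte-identical to System32.
$report |
    Select-Object Path, FileVersion, Signature, Sha256,
        @{ Name = 'MatchesSystem32'; Expression = { $refHash -and ($_.Sha256 -eq $refHash) } } |
    Format-List
```

The component store can hold more than one build of the file, so a copy with a different FileVersion and a different hash is expected; a copy with the same FileVersion as System32 but a different hash is the case worth investigating.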

As you know, this is a legitimate file required for audio to play.  Contrary to what was stated above, the file is no longer in my Windows\System32 folder.  I updated my definitions, ran a scan, and the computer comes up clean.  But the audiodg.exe file is still in Quarantine and still won't allow me to restore it.

 

I found an audiodg.exe file in the winsxs folder, but it was dated 2009; would that still be the same version as what MalwareBytes quarantined and won't let me recover?  My computer has been silent all day, ever since this file was quarantined.  That's obviously not an acceptable situation.

 

Advice ASAP, please!  Thanks...

Link to post

But there's no way to just tell MalwareBytes to take that file out of the list of files to be deleted on the next reboot?  This limitation seems to defeat the whole purpose of sending files to Quarantine instead of deleting them.  For all practical purposes, this "Quarantined" file has been deleted.

 

Someone at MalwareBytes might want to rethink this one!

Link to post

  • Root Admin

No, it should not have deleted it. It should be in the Quarantine; however, due to a limitation on Windows 7 we're currently unable to automatically restore it to that location. We're working on a future update that would allow us to restore it.

 

 

Again I'm sorry to hear that the audio.exe file was removed by the false positive.
 
If needed you should be able to run the following to restore the file:  How to Repair Windows 7 System Files with System File Checker
 
Using the installation DVD you can also obtain the file.  How to Extract Files from the Windows 7 Installation DVD
 
If you need additional help restoring the file please contact Consumer Support
 
Thank you
 

Link to post

SFC runs successfully and identifies audiodg.exe as corrupted but can't replace it.  I don't have an install DVD for Windows 7, and there is no I386 folder on this machine.  I really need to recover this file so that I can hear audio on this computer again, as I did before this false positive by MBAM mucked up the works.

 

More help, please...

Link to post

I also need more help.  This shakes my confidence in malwarebytes just a little.  On June 5 the sound went out on my computer just as has been described in these posts.  I am not really that tech savvy, but have been trying to figure this out.  I did a restore to a point prior to June 5 and was so hopeful that would work.  Did not.  I hope this topic continues to be discussed.  Thanks!

Link to post

I copied audiodg.exe from C:\Windows\System32 on another Windows 7 machine with an Intel CPU and pasted it into the same folder on the computer that had been broken by MalwareBytes.  Double-clicked on it, no error message.  When I removed the thumb drive, the familiar "ding" came from the speakers of the formerly quiet PC.  Success, no thanks to any of the suggestions in this thread.

 

Like pegrae45, I have had my confidence in MalwareBytes shaken by this unfortunate episode.  All of my previous experiences have been positive, both with the products and the support.  I'm going to assume they just assigned the wrong tech(s) to handle this thread.

Link to post

  • Staff

I am sorry, you may have misunderstood my instructions. I provided a link for you to get in touch with support to get this resolved. I am glad you figured it out though.

 

Support does not get assigned tickets from forums and has to be contacted the way I listed.

 

This subforum is just for reporting false positive detections and is only monitored by the research department.

 

Unfortunately, false positives happen to all companies. We have invested a lot in the past year and a half to prevent these, but unfortunately you cannot prevent all of them. We have added this file to the filter servers to prevent any more detections of this file in the future.

Link to post

So it has been almost a week and I have not heard back from support except to acknowledge that they got my e-mail and would respond in 3-4 business days.  I have tried a number of the suggestions in this forum and other ideas gleaned from other sources.  Perhaps all programs do have false positives from time to time, apparently this one is unusual because it cannot be retrieved from quarantine.  Is that correct?  It may have been deleted completely because that is what I usually used to do.  However I am not certain of that.  The log seems to indicate quarantine.  Either way I have no sound.  Do you think that when I do hear from support that they have a solution? 

Link to post

Hi Shadowwar,  I hope you are still around.  After waiting a week I finally heard from support.  The person responding seems to have no idea about this issue.  He is asking me to send him a file to be examined by support.  Clueless.  This is after I sent a long explanation of everything I have learned about this from this forum and other sources as well. I finally asked him to please refer to this forum and have not heard back from him.  Thank you for sending me the zip file.  I wish I could say that has fixed the problem.  I really would like to figure this out myself and not resort to taking this to the "Geeks", but that might have to happen.  When I try to unzip the file that you sent to the location in system 32 it tells me that I do not have access.  I went to sfc and went through that process of gaining ownership of the file, but since the file has been deleted the sfc does not seem to recognize the path.  Any ideas would be appreciated and thanks for listening.

Link to post