
We are experiencing a false positive issue where MBAM is flagging a valid file as being infected with the trojan Dluca. This DLL belongs to the software UTIMACO, a full disk encryption software. If the user allows MBAM to clean out these files and entries, it renders the computer unable to boot.

Here is the log.

Malwarebytes' Anti-Malware 1.37

Database version: 2296

Windows 5.1.2600 Service Pack 3

6/17/2009 12:36:33 PM

mbam-log-2009-06-17 (12-36-18).txt

Scan type: Full Scan (C:\|)

Objects scanned: 138839

Time elapsed: 32 minute(s), 35 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 1

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\bedevctlps.dll (Trojan.Dluca) -> No action taken. [40544237309217171717171717171417171717141717171714171717171417171717171717171717171894]

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001} (Trojan.Dluca) -> No action taken. [40544237309217171717171717171417171717141717171714171717171417171717171717171717171894]

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\system32\bedevctlps.dll (Trojan.Dluca) -> No action taken. [40544237309217171717171717171417171717141717171714171717171417171717171717171717171894]

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\bedevctlps.dll (Trojan.Dluca) -> No action taken. [40544237309217171717171717171417171717141717171714171717171417171717171717171717171894]

mbam_log_2009_06_17__12_36_18_.txt

Why is this legit software using a reserved GUID, and one that is also frequently used by malware?

If you have contact with the developers, it would be in their best interest to get this fixed, as many antimalware/spyware/adware applications maintain a list of known malicious GUIDs.

http://74.125.95.132/search?q=cache:to8yvd...=clnk&gl=us

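As an added example, not code from the thread or from Malwarebytes: a small Python triage script that parses the MBAM log format quoted above and flags detections whose only registry evidence is a reserved or placeholder CLSID (such as the all-zeros-plus-one CLSID in this log), so an analyst knows to verify the file's publisher signature before letting anything be quarantined. The placeholder CLSID set and the shortened signature id in the sample are constructed.

```python
import re

# Constructed excerpt of the MBAM 1.37 log quoted in the thread; the long wrapped
# signature id is replaced by a placeholder because the parser does not need it.
SAMPLE_LOG = r"""
Memory Modules Infected:
C:\WINDOWS\system32\bedevctlps.dll (Trojan.Dluca) -> No action taken. [SIG-ID-PLACEHOLDER]
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001} (Trojan.Dluca) -> No action taken. [SIG-ID-PLACEHOLDER]
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\system32\bedevctlps.dll (Trojan.Dluca) -> No action taken. [SIG-ID-PLACEHOLDER]
Files Infected:
C:\WINDOWS\system32\bedevctlps.dll (Trojan.Dluca) -> No action taken. [SIG-ID-PLACEHOLDER]
"""

SECTION_RE = re.compile(r"^(.+ Infected):$")                       # e.g. "Files Infected:"
ENTRY_RE = re.compile(r"^(?P<item>.+) \((?P<name>[^()]+)\) -> (?P<action>.+?)\. \[(?P<sig>[^\]]+)\]$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def parse_mbam_log(text):
    """Return one dict per detection line, tagged with the log section it appeared in."""
    section, entries = None, []
    for line in text.splitlines():
        line = line.strip()
        if m := SECTION_RE.match(line):
            section = m.group(1)
            continue
        if m := ENTRY_RE.match(line):
            entries.append({"section": section, **m.groupdict()})
    return entries

def triage(entries, placeholder_clsids):
    """Group detections by name; a group is marked for review when every CLSID it
    references is a known placeholder, which is the shape of the false positive above."""
    report = {}
    for e in entries:
        r = report.setdefault(e["name"], {"files": set(), "clsids": set(), "sections": set()})
        r["sections"].add(e["section"])
        if e["section"] in ("Files Infected", "Memory Modules Infected"):
            r["files"].add(e["item"])
        r["clsids"].update(CLSID_RE.findall(e["item"]))
    for r in report.values():
        r["review_before_removal"] = bool(r["clsids"]) and r["clsids"] <= placeholder_clsids
    return report

if __name__ == "__main__":
    for name, r in triage(parse_mbam_log(SAMPLE_LOG), {"{00000000-0000-0000-0000-000000000001}"}).items():
        print(name, "-> verify the file's publisher signature before removal" if r["review_before_removal"] else "-> no placeholder CLSID involved")
```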

I am going to delist this for now, as the malware that uses this CLSID seems to be long gone.

Keep in mind that this will not change the many other vendors that will still detect this because of the known malware CLSID.

Thank you very much for your quick response. Adware and Spybot do not appear to detect this file as malware. However, MBAM is my preferred tool for detecting and removing malware.