jweigang

False positive from iasrecst.dll


I've gotten a similar report.  So far only seeing it on Win7 64-bit based machines.  No registry keys for me, just the file itself.


I received the same, and quarantined the file - now I'm a complete 'novice' - so should I delete the file? And should I be worried at all? Or is it simply a false positive and that's that.


Ran update of database. Rescanned. No threats detected. MWB Staff said it was a false positive.

Should I take C:\WINDOWS\SYSWOW64\IASRECST.DLL out of quarantine? (Does my system need this file?)


Also I notice that the Database Version Mentioned is Different on the Enterprise version of Malwarebytes. I am assuming the correct version is V2018.12.16.05. Is this the correct version with updated Definitions to exclude the False Positive?

 

4 minutes ago, FallJustin said:

Also I notice that the Database Version Mentioned is Different on the Enterprise version of Malwarebytes. I am assuming the correct version is V2018.12.16.05. Is this the correct version with updated Definitions to exclude the False Positive?

 

Hi

That is correct, the f/p was fixed with the following publication(s)

MBAM2 Version: v2018.12.16.05
MBAM3 Version: 1.0.8351


With 1.0.8351, the scan now reports no threats detected. (I didn't quarantine anything from the previous scan.)

Thanks for the quick fix!


Hello,

I did a scan today, Sunday, 12/16, & was told that trojan.banker  syswow64\iasrecst.dll was a threat & should be quarantined.  I did that & rebooted my system.  It was a hard reboot... never took this long before.  I therefore ran AVAST, found nothing; ran "scannow" in the command prompt.  It found corrupted files that it could not repair.  I looked in the "CBS" folder for the log of the scan results & this "iasrecst" kept showing up.  I then found this forum which said it was a false positive & that I could restore the quarantined file.  I did this, rebooted the comp. & ran the "scannow".  Same problems.  Is this something I need to be worried about?  Any thoughts on how to repair these corrupted files?

Thank You,

JPP


@JPP What is your operating system? 

Can you open Command Prompt as Administrator and type this command:

sfc /scannow > C:\Users\%USERNAME%\Desktop\sfc.txt

Make sure to replace %USERNAME% with the actual name of the user. When the scan is done, please attach sfc.txt found on your Desktop.

Edited by TwinHeadedEagle


Hello TwinHeadedEagle & ShadowWar,

I'm attaching the sfc you requested, but there isn't much info. in that file.  The "CBS" has the examples of the "iasrecst" file issues.  You didn't ask for that, but it seems relevant, so I'll attach it.  You'll find the relevant examples at the bottom of the file.

As to, "restore any other items quarantined with this", I do not know how to do that.  In Malwarebytes, I just clicked restore the "Trojan.Banker" at C:\Windows\SysWOW64\iasrecst.dll.  Does this restore option do the registry detections?

Thanks to both of you for your responses.

JPP

sfc.txt

CBS.log

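Added example, not part of the thread: one way to pull the System File Checker entries for iasrecst.dll out of CBS.log, where `sfc /scannow` records the per-file detail that its console output omits. The function name `Get-SfcEntry` and the sample log lines are constructed for illustration; the default path assumes the standard `%windir%\Logs\CBS\CBS.log` location and an elevated PowerShell prompt.

```powershell
# Added example (not from the thread). Get-SfcEntry is a hypothetical helper name.
function Get-SfcEntry {
    param(
        [string]$FileName = 'iasrecst.dll',
        # Assumption: default CBS log location on the affected machine.
        [string]$LogPath  = "$env:windir\Logs\CBS\CBS.log"
    )
    if (-not (Test-Path $LogPath)) { throw "CBS log not found: $LogPath" }

    # SFC tags its own lines in CBS.log with the literal marker "[SR]".
    Select-String -Path $LogPath -Pattern '[SR]' -SimpleMatch |
        Where-Object { $_.Line -match [regex]::Escape($FileName) } |
        ForEach-Object {
            New-Object PSObject -Property @{
                LineNumber = $_.LineNumber
                # "Cannot repair member file" is the message SFC logs when the
                # on-disk file does not match the component store and no good
                # copy was available to replace it.
                Unrepaired = ($_.Line -like '*Cannot repair member file*')
                Text       = $_.Line.Trim()
            }
        }
}

# Constructed sample lines in CBS.log layout (not taken from the attached log).
$sample = @'
2018-12-16 20:41:07, Info                  CSI    0000031a [SR] Verifying 100 (0x0000000000000064) components
2018-12-16 20:41:09, Info                  CSI    0000031c [SR] Cannot repair member file [l:24{12}]"iasrecst.dll" of EXAMPLE-COMPONENT, Version = 0.0.0.0, hash mismatch
2018-12-16 20:41:10, Info                  CSI    0000031d [SR] Verify complete
'@

# Demonstrate on the sample first; the temp file name is arbitrary.
$tmp = Join-Path $env:TEMP 'cbs-sample.log'
Set-Content -Path $tmp -Value $sample

$entries = @(Get-SfcEntry -LogPath $tmp)
$bad     = @($entries | Where-Object { $_.Unrepaired })
"{0} [SR] entries mention the file; {1} are unrepaired" -f $entries.Count, $bad.Count
$entries | Select-Object LineNumber, Unrepaired, Text | Format-List

Remove-Item $tmp

# On the affected machine, read the real log instead:
#   Get-SfcEntry | Select-Object LineNumber, Unrepaired, Text | Format-List
```

Run it again after restoring the file from quarantine and re-running `sfc /scannow`: entries with timestamps later than the restore show whether SFC still considers the file mismatched.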

Hey guys, 

I had the same issue last night, with the Trojan.Banker threat being detected in the same .dll file. I get a bit panicky with these things, so I quarantined + deleted it immediately. 

Was it definitely a false positive? And if so, are there any potential issues having removed the file? 

2 hours ago, ElDiem said:

Was it definitely a false positive? And if so, are there any potential issues having removed the file? 

 

I very much hope so, otherwise I've restored it and just doomed my own PC.


Hello again,

It's been a couple of days.... any thoughts about the corrupted files mentioned in my earlier posts?  Do I have something serious to worry about with this?

Thanks,

JPP


It was a false positive so ok to restore.

 

@jpp Can you zip and pm me the file located here? Have you rebooted since the sfc run?

 

C:\Windows\SysWOW64\iasrecst.dll

 

Edited by shadowwar


Hello Shadowwar,

Please read the earlier posts.  I have already restored "iasrecst.dll" from quarantine.  I've rebooted repeatedly & run "scannow" a few times & the results say that there is corruption of files it cannot repair.  See the above posts with "sfc" & "CBS" files attached.  I do not know how to zip you this file & I do not know what "pm" means.  I was able to follow the file address to the iasrecst.dll location/file.  It is back where it belongs as of 12/16/18, 8:25pm from quarantine, but again, the reboot (AFTER Malwarebytes found the file, said it was malware & told me to reboot to finish the job) somehow has corrupted files.  If you look at the bottom of the "CBS" file (attached in an earlier post) you will find "iasrecst" referenced many times.

Thank you for getting back to me & for your time.

JPP
