Jump to content

False positive from iasrecst.dll


Recommended Posts

4 minutes ago, FallJustin said:

Also I notice that the Database Version Mentioned is Different on the Enterprise version of Malwarebytes. I am assuming the correct version is V2018.12.16.05. Is this the correct version with updated Definitions to exclude the False Positive?



That is correct, the f/p was fixed with the following publication(s)

MBAM2 Version: v2018.12.16.05
MBAM3 Version: 1.0.8351
Link to post
Share on other sites


I did a scan today, Sunday, 12/16, & was told that trojan.banker  syswow64\iasrecst.dll was a threat & should be quarantined.  I did that & rebooted my system.  It was a hard reboot... never took this long before.  I therefore ran AVAST, found nothing; ran "scannow" in the command prompt.  It found corrupted files that it could not repair.  I looked in the "CBS" folder for the log of the scan results & this "iasrecst" kept showing up.  I then found this forum which said it was a false positive & that I could restore the quarantined file.  I did this, rebooted the comp. & ran the "scannow".  Same problems.  Is this something I need to be worried about?  Any thoughts on how to repair these corrupted files?

Thank You,


Link to post
Share on other sites

@JPP What is your operating system? 

Can you open Command Prompt as Administrator and type this command:

sfc /scannow > C:\Users\%USERNAME%\Desktop\sfc.txt

Make sure to replace %USERNAME% with the actual name of the user. When the scan is done, please attach sfc.txt found on your Desktop.

Edited by TwinHeadedEagle
Link to post
Share on other sites

Hello TwinHeadedEagle & ShadowWar,

I'm attaching the sfc you requested, but there isn't much info. in that file.  The "CBS" has the examples of the "iasrecst" file issues.  You didn't ask for that, but it seems relevant, so I'll attach it.  You'll find the relevant examples at the bottom of the file.

As to, "restore any other items quarantined with this", I do not know how to that.  In Malwarbytes, I just clicked restore the "Trojan.Banker" at C:\Windows\SysWOW64\iasrecst.dll.  Does this restore option do the registry detections?

Thanks to both of you for your responses.




Link to post
Share on other sites

Hey guys, 

I had the same issue last night, with the Trojan.Banker threat being detected in the same .dll file. I get a bit panicky with these things, so I quarantined + deleted it immediately. 

Was it definitely a false positive? And if so, are there any potential issues having removed the file? 

Link to post
Share on other sites

Hello Shadowwar,

Please read the earlier posts.  I have already restored "iasrecst.dll" from quarantine.  I've rebooted repeatedly & run "scannow" a few times & the results say that there is corruption of files it can not repair.  See the above posts with "sfc" & "CBS" files attached.  I do not know how to zip you this file & I do not know what "pm" means.  I was able to follow the file address to the iasrecst.dll location/file.  It is back where it belongs as of 12/16/18, 8:25pm from quarantine, but again, the reboot( AFTER malwarebytes found the file, said it was malware & told me to reboot to finish the job) somehow has corrupted files.  If you look at the bottom of the "CBS" file (attached in an earlier post) you will find "iasrecst" referenced many times.

Thank you for getting back to me & for your time.


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.