jweigang

False positive from iasrecst.dll


@JPP

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system, that will be the right version.

  • Copy iasrecst.dll into the Search: field in FRST then click the Search Files button.
  • FRST will search your computer for files and when finished it will produce a log Search.txt in the same directory the tool is run.
  • Please attach it to your reply.


Hello THEagle,

Thanks for getting back to me.

I have Windows 7 64bit & used that version of Farbar.  Attached is what you requested.

BTW, was the "CBS" I uploaded of any use?

Thanks again,

JPP

Search.txt


As I appear to be suffering from the same malady, I thought I'd add my two pennies; I'll attach my FRST scan for perusal, as I assume JPP and my problem(s) are likely the same - although I've not encountered any problems as of yet after restoring from quarantine, minus 'corrupt files' in my scannow.

Search.txt


I think you're both good. What sfc is reporting is this:
 

C:\Windows\winsxs\wow64_microsoft-windows-n..n_service_datastore_31bf3856ad364e35_6.1.7601.17514_none_39a9406d8100038f\iasrecst.dll
[2010-11-21 03:24][2010-11-21 03:24] 000122880 _____ () A449ACE046CC5423E1CF2601BE1095E6 [File not signed]

 

That file seems to be corrupted as it can't read its signature. But what's important is this one:
 

C:\Windows\SysWOW64\iasrecst.dll
[2018-12-16 20:25][2018-12-16 20:25] 000122880 _____ (Microsoft Corporation) 4EA584FCC419E66E9ADCEEAE0B0A7301 [File is digitally signed]

 

And this one seems healthy.
 


Hello, I recently ran an SFC /SCANNOW and got the dreaded message that Windows Resource Protection found corrupt files but was unable to fix some of them. I checked the CBS log and found that the culprit was the iasrecst.dll file. I came across this thread and saw that Malwarebytes had deemed it a threat, so looked in my quarantine and found it there, luckily, since I don't delete items for safety reasons. I decided to restore the file since it was claimed to be a false positive and I ran the SFC scan again but it still came back as corrupted. This is the entry in the log if that helps. Any thoughts on what I can do to repair this corrupted file or is there any solution to this yet? I really don't want to have to reinstall my entire OS over this. Thanks for any help.

2019-01-11 01:59:06, Info                  CSI    00000321 [SR] Cannot repair member file [l:24{12}]"iasrecst.dll" of Microsoft-Windows-Networking-Internet_Authentication_Service_DataStore, Version = 6.1.7601.17514, pA = PROCESSOR_ARCHITECTURE_IA32_ON_WIN64 (10), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2019-01-11 01:59:06, Info                  CSI    00000323 [SR] Cannot repair member file [l:24{12}]"iasrecst.dll" of Microsoft-Windows-Networking-Internet_Authentication_Service_DataStore, Version = 6.1.7601.17514, pA = PROCESSOR_ARCHITECTURE_IA32_ON_WIN64 (10), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch

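How the CBS.log entries in the post above relate to the two copies found by the file search earlier in the thread, as an added example that is not part of the original posts: it parses the "[SR] Cannot repair member file" lines, collapses repeats, and shows that the entry points at the WinSxS store copy rather than the one in SysWOW64. The function names are hypothetical; the "wow64" directory prefix is read off the path quoted earlier in the thread, and the "amd64" and "x86" prefixes are assumptions.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample: the two CBS.log entries quoted in the post above.
CBS_SAMPLE = """2019-01-11 01:59:06, Info                  CSI    00000321 [SR] Cannot repair member file [l:24{12}]"iasrecst.dll" of Microsoft-Windows-Networking-Internet_Authentication_Service_DataStore, Version = 6.1.7601.17514, pA = PROCESSOR_ARCHITECTURE_IA32_ON_WIN64 (10), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2019-01-11 01:59:06, Info                  CSI    00000323 [SR] Cannot repair member file [l:24{12}]"iasrecst.dll" of Microsoft-Windows-Networking-Internet_Authentication_Service_DataStore, Version = 6.1.7601.17514, pA = PROCESSOR_ARCHITECTURE_IA32_ON_WIN64 (10), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch"""

# The two locations reported by the file search earlier in the thread.
SEARCH_HITS = [
    r"C:\Windows\winsxs\wow64_microsoft-windows-n..n_service_datastore_31bf3856ad364e35_6.1.7601.17514_none_39a9406d8100038f\iasrecst.dll",
    r"C:\Windows\SysWOW64\iasrecst.dll",
]

SR_LINE = re.compile(
    r'\[SR\] Cannot repair member file \[[^\]]*\]"(?P<file>[^"]+)" of (?P<component>[^,]+), '
    r'Version = (?P<version>[\d.]+), pA = PROCESSOR_ARCHITECTURE_(?P<arch>\w+) \(\d+\), '
    r'.*?PublicKeyToken = \{l:\d+ b:(?P<token>[0-9a-f]+)\}.*?, (?P<reason>[^,]+)$'
)

# WinSxS directory prefix per pA value. IA32_ON_WIN64 -> wow64 matches the path
# quoted in the thread; the other two entries are assumptions.
ARCH_PREFIX = {"IA32_ON_WIN64": "wow64", "AMD64": "amd64", "INTEL": "x86"}

def unrepaired_members(cbs_text):
    """Return one record per distinct file SFC could not repair (repeats collapsed)."""
    seen = {}
    for line in cbs_text.splitlines():
        m = SR_LINE.search(line.strip())
        if m:
            rec = m.groupdict()
            key = (rec["file"].lower(), rec["component"], rec["version"], rec["arch"])
            seen.setdefault(key, rec)
    return list(seen.values())

def store_glob(rec):
    """Glob for the WinSxS directory of the entry; name and hash parts are wildcarded."""
    prefix = ARCH_PREFIX.get(rec["arch"], "*")
    return f'{prefix}_*_{rec["token"]}_{rec["version"]}_*'

def copies_flagged(rec, paths):
    """Of the paths a file search found, keep those inside the flagged store directory."""
    pattern, name = store_glob(rec).lower(), rec["file"].lower()
    def in_store(p):
        *dirs, leaf = p.lower().split("\\")
        return leaf == name and any(fnmatchcase(d, pattern) for d in dirs)
    return [p for p in paths if in_store(p)]

if __name__ == "__main__":
    for rec in unrepaired_members(CBS_SAMPLE):
        print(rec["file"], rec["reason"], copies_flagged(rec, SEARCH_HITS))
```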

I have another computer with the same file and OS and put a good copy of the same file on a flash drive. Should I just replace the corrupt file with the one on my flash drive? I did a system restore the day after all this happened with the false positive with MB lol... just my luck!!


I meant my last restore point is the day after I put it in quarantine..so I can't just restore. Anyway I went to add the file and it says replace or copy and I need administrator privileges. Awaiting your response before I continue. Also wondering if you knew what the CBS log meant that I posted as to why it was corrupt. Thanks again.


You can do that. The one previously in this thread wasn't actually corrupt.

Can you submit both files to VirusTotal and provide the links here for me? The one on the flash drive and the one showing that it is corrupt.

www.virustotal.com

 


Here's both files. Wondering, if the first one isn't corrupt, how can I get my sfc scannow back in working order? I haven't replaced the file yet with the other one now that you are saying it is okay.

https://www.virustotal.com/#/file/1872f13b4085437de4091bded732881bcdccbbb48c7c23a256310ede17f8b528/detection 

https://www.virustotal.com/#/file/1872f13b4085437de4091bded732881bcdccbbb48c7c23a256310ede17f8b528/detection


The files are exactly the same. I will look over the log but it's nothing to worry about. It's definitely not corrupt.

It won't affect the OS in any way as the correct file is present and not corrupt.

 


Can you PM me the full cbs.log?

 

 

You can possibly try this program. I have never used it.

 

https://www.ghacks.net/2015/11/06/sfcfix-comes-to-the-rescue-when-sfc-scannow-cannot-repair-windows-file-corruption/

 

It looks like it uses the DISM tool to repair stuff sfc can't.

I recommend backing up the system beforehand just in case.

 

Edited by shadowwar


Can you go to c:\windows and do a file search for:

iasrecst.dll

 

And let me know all the locations it's found.

 

Thanks

 


Hi there. CBS log sent. I used the sfcfix tool prior to posting here on the forum and the results were good... no errors, but it didn't fix my sfc scannow issue so kind of a double edged sword. Thank you so much for the link tho. Here is an attachment with the locations of the dll files... one is the file I added from my flash drive with the (2) on it and the most recent one is the one I brought out of quarantine on the 1/11/19. I went ahead and added the file from the flash in the SysWOW folder but I didn't have any changes. Hopefully something can be done to get my sfc scannow back to normal. Hope you are having a great weekend. Thanks for your help too!

mbarinfo.jpg

13 hours ago, shadowwar said:

Ok, do you know where the first one was located? The first VT result before this post. This is a corrupt one. My bet is it's in the winsxswow64 120kb one.

https://www.virustotal.com/#/file/dbb88ac48ed1456fb0c8163afb1a652dc2f95deedbf11dcf2684722a07970a72/detection

 

 


What should one do about this then? I've found the exact same thing - should I replace it, delete it...?


Ok, replacing this file is not that easy. Everyone but trusted installer only has read access to it. Let me check around and with dev if we can come up with something to make this easier to replace.

One way that may work is an offline Linux rescue disk.


Ok, 1 more request. Can you send me the MBAMservice.log located here:

 

C:\ProgramData\Malwarebytes\MBAMService\LOGS

 

PM is fine.
