False Positive rundll32.exe


LittleGirlyMan

Hi, I hope this hasn't already been covered, but I ran a search, and also looked through a few pages of the false positives and couldn't find it.

First of all, I just downloaded your software to try out - thanks! Easy to use, seems to run very nicely and not too memory-hungry.

My system is HP Laptop, running Windows Vista Home Basic edition, up to date. I also run (up to date) Avast Antivirus Home edition, and had completed a scan shortly before running my first MBAM scan. This was reporting no problems.

After initial 'Full Scan', MBAM reported 2 instances of infected files. Developer mode Log file attached.

The 'Vendor' is listed as 'Heuristics.Reserved.Word.Exploit', and both files are named 'rundll32.exe'. They appear in 2 different locations within the folder C:\Users\$USER$\Local Settings\

When I try to access this location using Windows Explorer (as Admin), I get an 'Access Denied' message. Some further reading suggests that this means the location '...\Local Settings' is not a folder, but a 'Junction' - effectively a folder acting as a shortcut to other locations.

My guess is that the file rundll32.exe which has been scanned by MBAM is actually where it should be, (in the C:\Windows\System32\ folder) but the software is finding it through the junction "in the wrong place", and so flagging it as malware.

Hope this is helpful, and thanks again :P

mbam_log_2010_03_06__12_06_43_.rar

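The post above rests on a guess about where the junction leads. The script below is an added example, not code from the thread or from Malwarebytes: it walks each reported path one component at a time, substitutes the target of every reparse point it meets, and then compares whatever file it lands on with the genuine C:\Windows\System32\rundll32.exe by SHA-256 hash and Authenticode signature. On Vista, `Local Settings` is a junction to `AppData\Local`, and `AppData\Local\Application Data` is a junction back to `AppData\Local`, so neither reported path can lead into System32; the script shows where they actually lead. It assumes Windows PowerShell 5.1 or newer (for Get-FileHash and the .Target property on reparse points), and rebuilds the two paths from the current user's profile rather than hard-coding the username from the log.

```powershell
# Added example (not from the thread): resolve Vista-style profile junctions and
# compare the file they point at with the real rundll32.exe in System32.
# Assumes Windows PowerShell 5.1+ (Get-FileHash, .Target on reparse points).

# The two paths reported in the MBAM log, rebuilt from this user's profile.
$Flagged = @(
    "$env:USERPROFILE\Local Settings\rundll32.exe",
    "$env:USERPROFILE\Local Settings\Application Data\rundll32.exe"
)

function Resolve-JunctionPath {
    # Walk the path one component at a time. Whenever a component is a reparse
    # point (junction or symbolic link), substitute its target and continue from
    # there, so nested junctions (Local Settings -> AppData\Local, then
    # Application Data -> AppData\Local) are both followed.
    param([Parameter(Mandatory)][string]$Path)

    $parts   = $Path -split '\\'
    $current = $parts[0] + '\'                 # drive root, e.g. C:\
    foreach ($component in $parts[1..($parts.Length - 1)]) {
        $current = Join-Path $current $component
        # -Force is required: these junctions are hidden+system and carry a
        # Deny "List folder" ACE for Everyone, which is why Explorer reports
        # "Access Denied" when you try to open them. Reading the junction's own
        # attributes and target is still allowed.
        $item = Get-Item -LiteralPath $current -Force -ErrorAction SilentlyContinue
        if ($item -and
            ($item.Attributes -band [IO.FileAttributes]::ReparsePoint) -and
            $item.Target) {
            # .Target is a string in PowerShell 7 and a string[] in 5.1; take the first.
            $current = [string](@($item.Target)[0])
        }
    }
    return $current
}

function Compare-WithSystem32Copy {
    # Report where the flagged path really points and whether that file is
    # byte-for-byte the System32 binary and carries a valid signature.
    param([Parameter(Mandatory)][string]$ReportedPath)

    $reference = Join-Path $env:windir 'System32\rundll32.exe'
    $refHash   = (Get-FileHash -LiteralPath $reference -Algorithm SHA256).Hash
    $real      = Resolve-JunctionPath -Path $ReportedPath

    $result = [ordered]@{
        Reported       = $ReportedPath
        ResolvesTo     = $real
        Exists         = Test-Path -LiteralPath $real -PathType Leaf
        UnderSystem32  = $real -like (Join-Path $env:windir 'System32\*')
        SameAsSystem32 = $false
        Signature      = 'n/a'
    }
    if ($result.Exists) {
        $result.SameAsSystem32 = (Get-FileHash -LiteralPath $real -Algorithm SHA256).Hash -eq $refHash
        $result.Signature      = (Get-AuthenticodeSignature -LiteralPath $real).Status
    }
    [pscustomobject]$result
}

$Flagged | ForEach-Object { Compare-WithSystem32Copy -ReportedPath $_ } | Format-List
```

Read the output as follows: if both entries resolve to the same file under `...\AppData\Local\` (as the Vista junction layout implies), the scanner is reporting one file twice through two junction paths, not the System32 copy. `UnderSystem32 = False` rules out the "right file, wrong path" explanation on its own; `SameAsSystem32` and `Signature` then tell you whether the file in the profile is a byte-identical, validly signed copy of the Windows binary or something else that merely borrowed the name. A rundll32.exe that lives in a user profile is worth submitting for analysis regardless of what the on-access scanner says about it.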

  • 2 weeks later...
  • Staff

I have been looking at this and can't replicate it. There have been issues from time to time where security software conflicts can cause something similar to this, but this does not look that way here.

I have 2 suggestions here. Do a scan from Safe Mode and run a checkdisk before a second scan. The results of these will tell me where we should look next.

Thanks for your time nosirrah.

I will do both of those, then, and post the log :)


  • 2 weeks later...
Hey, I'm really sorry it took so long, I had another issue with a trojan. Now solved.

Have run a CheckDisk and a scan in Safe Mode; results are the same, copied below...

Malwarebytes' Anti-Malware 1.44

Database version: 3825

Windows 6.0.6002 Service Pack 2 (Safe Mode)

Internet Explorer 8.0.6001.18882

29/03/2010 21:09:10

mbam-log-2010-03-29 (21-08-55) Safemode

Scan type: Full Scan (C:\|)

Objects scanned: 282768

Time elapsed: 55 minute(s), 41 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Users\Chris\Local Settings\rundll32.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.

C:\Users\Chris\Local Settings\Application Data\rundll32.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.

Cheers.


  • 3 weeks later...

Hello.

Here is your Report from MBAM:

Malwarebytes' Anti-Malware 1.44 (old version)

Database version: 3825 (out of date)

Windows 6.0.6002 Service Pack 2

Internet Explorer 8.0.6001.18882

06/03/2010 12:06:56

mbam-log-2010-03-06 (12-06-43).txt

Scan type: Full Scan (C:\|E:\|F:\|)

Objects scanned: 301031

Time elapsed: 1 hour(s), 36 minute(s), 24 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Users\Chris\Local Settings\rundll32.exe (Heuristics.Reserved.Word.Exploit) -> No action taken. [5A32C817446474E5613810C48100AD8D]

C:\Users\Chris\Local Settings\Application Data\rundll32.exe (Heuristics.Reserved.Word.Exploit) -> No action taken. [5A32C817446474E5613810C48100AD8D]

Version 1.45 is out now, did you know that?

Malwarebytes' Anti-Malware 1.45 released ---> http://forums.malwarebytes.org/index.php?showtopic=45037 <_<

Read it, install it, run another scan with MBAM in developer mode, and post the result again.

MAM

Hi, thanks - I didn't realise there were new versions available; I am used to things auto-updating. Spoiled internet generation, I guess :(

OK, have updated, and re-run, with the same results. I have uploaded the developer log so you can confirm, but it's the same two files causing the issue.

However, I Google searched the MBAM database code [5A32C817446474E5613810C48100AD8D] for my problem, and found one other thread on the forum:

http://forums.malwarebytes.org/index.php?showtopic=35934

In this thread, one of lcander's (68) issues is the same 'Heuristics Reserved Word Exploit', although lcander's appears in a sub-folder of the System32 folder, rather than at the junction 'Users\Chris\Local Settings', as on my system.

In this thread, it was suggested that 'CA' [antivirus software, I assume] was causing the conflict.

I run personalised settings on Avast 'On-Access Scanner'. Perhaps this is causing the issue? Windows Defender is also running to some extent, although I have tried to turn it off. If we think it's just a conflict with another piece of software, I am happy enough with that - although if you need more info for yourselves, feel free to ask. :(

Thanks again

Chris

mbam_log_2010_04_21__16_48_38_.rar
