
Tom Servo
@comcast.net

Tom Servo

Anon

Malwarebytes and IME - False Positive?

I'm on a Windows 8 PC, and updated to the latest definitions from Malwarebytes last night. I was surprised when Malwarebytes found two items in the IME folder (System32 folder). One was imtcui.dll, and another folder. Something about a Trojan.Agent.BDAVgen bit. I did a Google search, and there were no hits/trace of that name.

Of course I uploaded the .dll to VirusTotal, and Malwarebytes was the only one to flag it. I also ran scans with ESET, Spybot, Kaspersky, and Windows Defender, and nothing came up. imtcui was listed as last being modified/used on 7/25/2012. Malwarebytes seemingly cleaned both instances, and now the imtcui.dll file is back, but everything registers it as clean.

I keep Malwarebytes and my other programs updated daily, and since this file has been sitting on my computer since I bought it earlier this year, it has never been flagged. Only with the most recent Malwarebytes definitions did it get flagged. Nothing else has come up or been out of the ordinary on my computer, aside from that hit.

I know I'm rambling, but is this a False Positive?

dib22
join:2002-01-27
Kansas City, MO

dib22

Member

I tried to scan it for you on my Windows 8 system, but I don't have Office 2007 installed and it appears that imtcui.dll is part of Office 2007.

Tom Servo
@comcast.net

Tom Servo

Anon

That's the thing. I don't have Office installed on my system, as I bought a prebuilt. I have an IME folder though, and everything checks out fine. My concern was that this file/folder had been on my system since activation, and through hundreds of scans from Malwarebytes, Windows Defender, Spybot, etc. over those months, nothing came up.

Only after a Malwarebytes definition update did it flag both files, and Malwarebytes was the only one to pick something up, according to VirusTotal. The last item I installed was an Adobe Flash update on the 14th (from Adobe's site, the usual). I'm trying to get to the bottom of it, as the file is back, everything registers it as clean, and it's an MS file.

dib22
join:2002-01-27
Kansas City, MO

dib22

Member

I do have Malwarebytes running a full scan as admin; I'll post back if it finds it.

Malwarebytes Anti-Malware 1.75.0.1300
Database version: v2013.05.23.11

edit: scan found nothing.
System win8pro64

OK, I found it:

Did some searches and I do have under this dir on Win8pro64:
C:\Windows\System32\IME\IMETC\imtcui.DLL

Malwarebytes does NOT trigger on it on my system.

size: 605 KB (619,520 bytes); size on disk: 608 KB (622,592 bytes)

lordpuffer
Legalize It Joe!
Premium Member
join:2004-09-19
Old Town, ME
Nokia XS-110G-A
Linksys Velop MX5300

lordpuffer to Tom Servo

Premium Member

to Tom Servo
You can check here at Malwarebytes' False Positive Forum to see if it is a FP:

»forums.malwarebytes.org/ ··· forum=42

Or, if you still are unsure:

»Security Cleanup FAQ »Mandatory Steps Before Requesting Assistance

Tom Servo
@comcast.net

Tom Servo

Anon

Thank you for the link lordpuffer. There is nothing on the Malwarebytes site, and programs listed in the second have found nothing either.

I think I'm going to chalk this up as a False Positive, as nothing else has found an issue among many tools and different scanners, and Malwarebytes is the only thing to pick it up after months of it sitting as a normal file on my PC.

redwolfe_98
Premium Member
join:2001-06-11

redwolfe_98 to Tom Servo

Premium Member

to Tom Servo
tom servo, you need to discuss this issue with malwarebytes.. if it is a false-positive, malwarebytes needs to know about it so that they can fix it..

therube
join:2004-11-11
Randallstown, MD

therube to Tom Servo

Member

to Tom Servo
> One was imtcui.dll

Where, in what directory, was it found?

> appears that imtcui.dll is part of office 2007

Perhaps, but certainly not solely.

> I uploaded the .dll to Virus Total

Link to your submittal?

As it is, I have it here, C:\Windows\System32\IME\IMETC10\imtcui.DLL.

Win7 x64, 421,888 bytes, 07/13/2009.
SHA1: 123c08aed9154f0885e482e8f35b864f4dc624f85402349012f763f0c913d62a
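The facts asked for above (directory, size, timestamp, hash) are what let posters compare their copies of the file and look it up on VirusTotal, which keys its file pages by SHA-256. The PowerShell below is an added example, not code from any poster; it gathers those facts plus the Authenticode signature for every imtcui.dll under the IME folder. It assumes PowerShell 3.0 (the Windows 8 default), so it hashes through .NET rather than Get-FileHash, which arrived in PowerShell 4.0.

```powershell
# Added example (not from the thread): collect the triage facts for a file that an AV
# engine flagged, so they can be compared across machines and checked on VirusTotal.
function Get-FileTriageInfo {
    param([Parameter(Mandatory)][string]$Path)

    $item = Get-Item -LiteralPath $Path -ErrorAction Stop

    # Compute SHA-1 and SHA-256 with .NET so this also works on PowerShell 3.0.
    $hashes = @{}
    foreach ($algo in 'SHA1', 'SHA256') {
        $provider = [System.Security.Cryptography.HashAlgorithm]::Create($algo)
        $stream = [System.IO.File]::OpenRead($item.FullName)
        try {
            $bytes = $provider.ComputeHash($stream)
        } finally {
            $stream.Dispose()
            $provider.Dispose()
        }
        $hashes[$algo] = ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
    }

    # A genuine Windows IME component should carry a valid Microsoft Authenticode
    # signature; 'NotSigned' or 'HashMismatch' on a System32 file is worth a closer look.
    $sig = Get-AuthenticodeSignature -FilePath $item.FullName
    $signer = '(unsigned)'
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

    [pscustomobject]@{
        Path          = $item.FullName
        SizeBytes     = $item.Length          # compare with the sizes other posters reported
        LastWriteTime = $item.LastWriteTime   # the "modified" date posters quoted
        SHA1          = $hashes['SHA1']
        SHA256        = $hashes['SHA256']     # the value VirusTotal's file page is keyed by
        SigStatus     = $sig.Status
        Signer        = $signer
    }
}

# Locate the file named in the thread; the IMETC* subfolder name varies by Windows build.
Get-ChildItem -LiteralPath "$env:windir\System32\IME" -Recurse -Filter 'imtcui.dll' -ErrorAction SilentlyContinue |
    ForEach-Object { Get-FileTriageInfo -Path $_.FullName } |
    Format-List
```

Differing sizes and hashes between Windows 7 and Windows 8 copies are expected for an OS component; a signature status other than Valid on a System32 file is the result that would justify escalating rather than dismissing the detection.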

Tom Servo
@comcast.net

Tom Servo

Anon

therube:

It was in C:\Windows\System32\IME\IMETC

This came up in the wee hours of the morning (3am or so), so I don't have my submittal link to VirusTotal. This is the file I currently have in that folder, under the same name.

https://www.virustotal.com/en/file/76ada14424457bb0575415a2d593580eb2ce920df001180ef14d665642d6b467/analysis/1369351992/

Win 8 x64 605.0 KB ( 619520 bytes ) 7/25/2012

redwolfe_98, I would, but Malwarebytes has updated a decent bit early this morning, and I'm unsure of the definition number.

Tom Servo
join:2013-05-23

Tom Servo

Member

I made an account and posted, just to be safe, on the Security Cleanup forum. When I try to click on my topic, it's listed as "locked" for me. Should I repost it, or is this normal?

redwolfe_98
Premium Member
join:2001-06-11

redwolfe_98

Premium Member

you said that the file was automatically restored, right? and apparently malwarebytes is no longer flagging it, right? so just let it go..

i wouldn't worry about your post's being locked, in the "security cleanup" forum.. in the future, if you need help, in the "security cleanup" forum, just go ahead and start a new thread, there..

is it normal for a post to be locked, in the "security cleanup" forum? yes, under certain circumstances..

at the top of the "security cleanup" forum, there is a message, "mandatory steps before requesting assistance".. you need to read that before posting in the "security cleanup" forum..

lordpuffer
Legalize It Joe!
Premium Member
join:2004-09-19
Old Town, ME
Nokia XS-110G-A
Linksys Velop MX5300

lordpuffer to Tom Servo

Premium Member

to Tom Servo
I agree with redwolfe_98. If Malwarebytes is no longer flagging it, then it had something to do with the definitions at the time. If it were me, I would feel safe at this point.

norwegian
Premium Member
join:2005-02-15
Outback

norwegian to Tom Servo

Premium Member

to Tom Servo
said by Tom Servo:

> One was imtcui.dll, and another folder. Something about a Trojan.Agent.BDAVgen bit.

What is or was being detected is what the heuristics picked up that must have matched a similar trait, string or thread.
The "gen" suggests a generic detection, in other words a "behavior was similar to" type of detection.

At least that is usually how a detection by heuristics is labelled with most A/V software; I don't see that there would need to be a change in MBAM's labeling.

Trojan detection,
BDAV, Win32.

lilhurricane
Crunchin' For Cures
Numquam oblita
join:2003-01-11
Purple Zone

lilhurricane to Tom Servo

Numquam oblita

to Tom Servo
Ref: »[Trojan] Possible Infection/Peace of Mind