Tom Servo
Anon
2013-May-23 3:58 pm
Malwarebytes and IME - False Positive?

I'm on a Windows 8 PC, and updated to the latest definitions from Malwarebytes last night. I was surprised when Malwarebytes found two items in the IME folder (System32 folder). One was imtcui.dll, and another folder. Something about a Trojan.Agent.BDAVgen bit. I did a Google search, and there were no hits/trace of that name.
Of course I uploaded the .dll to VirusTotal, and Malwarebytes was the only one to flag it. I also ran scans with ESET, Spybot, Kaspersky, and Windows Defender, and nothing came up. imtcui was listed as last being modified/used on 7/25/2012. Malwarebytes seemingly cleaned both instances, and now the imtcui.dll file is back, but everything registers it as clean.
I keep Malwarebytes and my other programs updated daily, and since this file has been sitting on my computer since I bought it earlier this year, it has never been flagged. Only with the most recent Malwarebytes definitions did it get flagged. Nothing else has come up or been out of the ordinary on my computer, aside from that hit.
I know I'm rambling, but is this a false positive?
dib22
Member
2013-May-23 4:37 pm
I tried to scan it for you on my Windows 8 system, but I don't have Office 2007 installed and it appears that imtcui.dll is part of Office 2007.
Tom Servo
Anon
2013-May-23 4:45 pm
That's the thing. I don't have Office installed on my system, as I bought a prebuilt. I have an IME folder though, and everything checks out fine. My concern was that this file/folder had been on my system since activation, and through hundreds of scans from Malwarebytes, Windows Defender, Spybot, etc. over those months, nothing came up.
Only after a Malwarebytes definition update did it flag both files, and Malwarebytes was the only one to pick something up, according to VirusTotal. The last item I installed was an Adobe Flash update on the 14th (from Adobe's site, the usual). I'm trying to get to the bottom of it, as the file is back, everything registers it as clean, and it's an MS file.
dib22
Member
2013-May-23 4:47 pm
I do have Malwarebytes running a full scan as admin; I'll post back if it finds it.
Malwarebytes Anti-Malware 1.75.0.1300, Database version: v2013.05.23.11
edit: scan found nothing. System: Win8 Pro 64
OK, I found it:
Did some searches and I do have it under this dir on Win8 Pro 64: C:\Windows\System32\IME\IMETC\imtcui.DLL
Malwarebytes does NOT trigger on it on my system.
size: 605 KB (619,520 bytes); size on disk: 608 KB (622,592 bytes)
lordpuffer
Premium Member
2013-May-23 5:37 pm
to Tom Servo
You can check here at Malwarebytes' False Positive Forum to see if it is a FP: » forums.malwarebytes.org/ ··· forum=42
Or, if you still are unsure: » Security Cleanup FAQ » Mandatory Steps Before Requesting Assistance
Tom Servo
Anon
2013-May-23 6:30 pm
Thank you for the link, lordpuffer. There is nothing on the Malwarebytes site, and the programs listed in the second have found nothing either.
I think I'm going to chalk this up as a false positive, as nothing else has found an issue among many tools and different scanners, with Malwarebytes being the only thing to pick it up after months of it sitting as a normal file on my PC.
2013-May-23 7:18 pm
to Tom Servo
tom servo, you need to discuss this issue with malwarebytes.. if it is a false-positive, malwarebytes needs to know about it so that they can fix it..
therube
2013-May-23 7:20 pm
to Tom Servo

> One was imtcui.dll

Where, in what directory, was it found?

> appears that imtcui.dll is part of office 2007

Perhaps, but certainly not solely.

> I uploaded the .dll to Virus Total

Link to your submittal?
As it is, I have it here: C:\Windows\System32\IME\IMETC10\imtcui.DLL. Win7 x64, 421,888 bytes, 07/13/2009. SHA1: 123c08aed9154f0885e482e8f35b864f4dc624f85402349012f763f0c913d62a
Tom Servo
Anon
2013-May-23 7:51 pm
therube:
It was in C:\Windows\System32\IME\IMETC
This came up in the wee hours of the morning (3am or so), as I don't have my submittal link to VirusTotal. This is the file I currently have in that folder, under the same name.
https://www.virustotal.com/en/file/76ada14424457bb0575415a2d593580eb2ce920df001180ef14d665642d6b467/analysis/1369351992/
Win 8 x64, 605.0 KB (619520 bytes), 7/25/2012
redwolfe_98, I would, but Malwarebytes has updated a decent bit early this morning, and I'm unsure of the definition number.
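The checks therube asked for and Tom Servo answered by hand (directory, size, date, hash against the VirusTotal report, and whether the DLL is really a Microsoft file) can be gathered in one place. This is an added PowerShell example, not from the thread; it assumes the path named in the posts above and the SHA256 taken from the VirusTotal URL, and it relies on Windows 8's catalog-aware Get-AuthenticodeSignature, since many System32 DLLs carry no embedded signature.

```powershell
# Added example (not the thread's own code): triage a flagged system DLL by comparing
# the local file against the VirusTotal report and checking its Authenticode status.
param(
    # Path from the thread; adjust for IMETC10 on Windows 7.
    [string]$Path = 'C:\Windows\System32\IME\IMETC\imtcui.dll',
    # SHA256 copied from the VirusTotal report URL in the post above.
    [string]$ExpectedSha256 = '76ada14424457bb0575415a2d593580eb2ce920df001180ef14d665642d6b467'
)

function Test-FlaggedDll {
    param([string]$Path, [string]$ExpectedSha256)

    if (-not (Test-Path -LiteralPath $Path)) {
        # The file being absent after a clean is itself a finding worth recording.
        return [pscustomobject]@{ Path = $Path; Present = $false }
    }

    $item = Get-Item -LiteralPath $Path
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()
    # On Windows 8 / PowerShell 3+, this also validates files signed only via a Windows catalog.
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path

    [pscustomobject]@{
        Path            = $Path
        Present         = $true
        SizeBytes       = $item.Length
        LastWrite       = $item.LastWriteTime
        Sha256          = $hash
        # True when the local file is byte-identical to the sample VirusTotal analysed.
        MatchesVT       = ($hash -eq $ExpectedSha256.ToLower())
        # 'Valid' means the signature chains to a trusted root; 'NotSigned' on a
        # System32 DLL is the result that should prompt a closer look.
        SignatureStatus = $sig.Status
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        # Version-info strings are unsigned metadata: useful context, not proof of origin.
        CompanyName     = $item.VersionInfo.CompanyName
        FileVersion     = $item.VersionInfo.FileVersion
    }
}

Test-FlaggedDll -Path $Path -ExpectedSha256 $ExpectedSha256 | Format-List
```

A hash that matches the VirusTotal sample plus a Valid Microsoft signature is the combination that supports the false-positive conclusion reached in the thread; a mismatch or an unsigned file would argue for submitting it to the vendor instead.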
2013-May-24 12:22 am
I made an account and posted, just to be safe, on the Security Cleanup forum. When I try to click on my topic, it's listed as "locked" for me. Should I repost it, or is this normal?
2013-May-24 2:57 am
you said that the file was automatically restored, right? and apparently malwarebytes is no longer flagging it, right? so just let it go..
i wouldn't worry about your post's being locked, in the "security cleanup" forum.. in the future, if you need help, in the "security cleanup" forum, just go ahead and start a new thread, there..
is it normal for a post to be locked, in the "security cleanup" forum? yes, under certain circumstances..
at the top of the "security cleanup" forum, there is a message, "mandatory steps before requesting assistance".. you need to read that before posting in the "security cleanup" forum..
lordpuffer
Premium Member
2013-May-24 6:32 am
to Tom Servo
I agree with redwolfe_98. If Malwarebytes is no longer flagging it, then it had something to do with the definitions at the time. If it were me, I would feel safe at this point.
norwegian
Premium Member
2013-May-24 7:51 am
to Tom Servo

> said by Tom Servo: One was imtcui.dll, and another folder. Something about a Trojan.Agent.BDAVgen bit.

What is or was being detected is what the heuristics picked up that must have matched a similar trait or string or thread. The "gen" suggests a generic detection, in other words a "behavior was similar to" type detection. At least that is usually how a detection by heuristics is labelled with most A/V software; I don't see that there would need to be a change in MBAM's labeling. Trojan detection, BDAV, Win32.
lilhurricane
2013-May-24 11:27 am
to Tom Servo