DigitMZ

Persistent Trojan Gen-Nullo (Short)


I've been trying to figure out why this keeps recurring in Super Anti-Spyware. I've run Malwarebytes, Spybot, RogueKiller, HitmanPro, Junkware Removal Tool, Kaspersky's Tool, and nothing seems to get rid of it continuing to pop up.

 

Any suggestions?

 

The file is located in System32 (ias.dll) and seems legit.

 

SUPERAntiSpyware Scan Log
https://www.superantispyware.com

Generated 05/10/2014 at 05:43 PM

Application Version : 5.7.1018

Core Rules Database Version : 11222
Trace Rules Database Version: 9034

Scan type       : Quick Scan
Total Scan Time : 00:02:55

Operating System Information
Windows 7 Professional 64-bit, Service Pack 1 (Build 6.01.7601)
UAC Off - Administrator

Memory items scanned      : 689
Memory threats detected   : 0
Registry items scanned    : 59368
Registry threats detected : 0
File items scanned        : 10807
File threats detected     : 3

Adware.Tracking Cookie
    .imrworldwide.com [ C:\USERS\DAVID TAI\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\0II6F2OT.DEFAULT\COOKIES.SQLITE ]
    .questionablecontent.net [ C:\USERS\DAVID TAI\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\0II6F2OT.DEFAULT\COOKIES.SQLITE ]

Trojan.Agent/Gen-Nullo[short]
    C:\WINDOWS\SYSTEM32\IAS.DLL
 


Heya,

The "Nullo" rules are mostly there as a cleanup mechanism.  The detection is based on the fact that it's an executable file (EXE, DLL, COM, etc.) but it's not executable (the file is either empty, or doesn't contain the right bits for it to be valid).  I can't say why the item is re-detecting on your PC though.  Can you navigate to your C:\WINDOWS\SYSTEM32 folder and manually delete IAS.DLL?  It would likely do no harm to select the item after the scan is complete and click the "Trust/Allow" button; it will stop re-detecting it (though it should be removing it).

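The kind of check the reply above describes, as an added example that is not SUPERAntiSpyware's own code: a file whose extension claims it is executable is flagged when it is empty or lacks a valid MZ/PE header. The extension list and the sample files are constructed assumptions for the demo; none of them are real system files.

```python
import os
import struct

# Extensions the rule cares about (assumption; the reply lists EXE, DLL, COM "etc.").
EXEC_EXTS = {".exe", ".dll", ".com", ".sys", ".scr"}

def pe_header_status(path):
    """Return 'empty', 'no-mz', 'no-pe' or 'valid-pe' for the file at path."""
    if os.path.getsize(path) == 0:
        return "empty"
    with open(path, "rb") as f:
        dos_header = f.read(0x40)          # IMAGE_DOS_HEADER is 64 bytes
        if len(dos_header) < 0x40 or dos_header[:2] != b"MZ":
            return "no-mz"
        e_lfanew = struct.unpack_from("<I", dos_header, 0x3C)[0]
        f.seek(e_lfanew)                   # offset of the NT headers
        if f.read(4) != b"PE\x00\x00":
            return "no-pe"
    return "valid-pe"

def is_nullo_candidate(path):
    """True when the extension says 'executable' but the content cannot be one."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in EXEC_EXTS:
        return False
    if ext == ".com":                      # .COM has no header: only emptiness is suspicious
        return pe_header_status(path) == "empty"
    return pe_header_status(path) != "valid-pe"

def build_samples(directory):
    """Write constructed sample files (not real system files); returns their names."""
    # Minimal DOS header plus PE signature: not loadable, but enough for the header check.
    valid = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", valid, 0x3C, 0x40)      # e_lfanew -> offset 0x40
    valid += b"PE\x00\x00"
    samples = {
        "good.dll": bytes(valid),
        "empty.dll": b"",
        "text.exe": b"this is not a program\r\n",
        "truncated.dll": b"MZ" + b"\x00" * 0x3E,   # MZ stub with e_lfanew = 0, no PE signature
        "notes.txt": b"",                          # not an executable extension: ignored
    }
    for name, content in samples.items():
        with open(os.path.join(directory, name), "wb") as f:
            f.write(content)
    return list(samples)

def scan(directory):
    """Return the names of files in directory that a Nullo-style rule would flag."""
    return sorted(n for n in os.listdir(directory) if is_nullo_candidate(os.path.join(directory, n)))
```

Running `scan()` over a directory populated by `build_samples()` returns `['empty.dll', 'text.exe', 'truncated.dll']`; a genuine, correctly signed system DLL passes the header check, so a hit on such a file points at corruption or a bad rule rather than malware.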

Apparently I need permission from 'TrustedInstaller' to delete it. Which is probably why SAS isn't deleting it?


It also has permissions set to read/write only. No full control. Hm.

 

Does it really matter? It seems to be 26 kb and by Microsoft, though I can't seem to find another DLL for it. (Windows 7 Professional, SP on it.)


Sounds like a false positive of sorts; like I said, that rule tends to just pick up oddball files that don't really make sense (executable files with an inappropriate header). If you could, select the item next time and report it as a false positive. That will get a copy to our research team to confirm what it is. Might just be a corrupted file.


I've sent a false positive and deleted the .dll.

 

If it mattered, where would the best place to get a fresh copy of IAS.dll be?


Hello DigitMZ,

 

I have done some investigating and I believe I have found the source of the false detection. Please update to the latest database version (11227), scan again, and let us know if the file is still detected.

 

Also, thank you for submitting the false positive report - makes our job that much easier.

 

SUPERAntiSpyware Malware Research
