DigitMZ
Posted May 10, 2014

I've been trying to figure out why this keeps reoccurring in Super Anti-Spyware. I've run Malwarebytes, Spybot, RogueKiller, HitmanPro, Junkware Removal Tool, Kaspersky's Tool, and nothing seems to get rid of it continuing to pop up. Any suggestions? The file is located in System32 (ias.dll) and seems legit.

SUPERAntiSpyware Scan Log
https://www.superantispyware.com
Generated 05/10/2014 at 05:43 PM
Application Version : 5.7.1018
Core Rules Database Version : 11222
Trace Rules Database Version: 9034
Scan type : Quick Scan
Total Scan Time : 00:02:55
Operating System Information
Windows 7 Professional 64-bit, Service Pack 1 (Build 6.01.7601)
UAC Off - Administrator
Memory items scanned : 689
Memory threats detected : 0
Registry items scanned : 59368
Registry threats detected : 0
File items scanned : 10807
File threats detected : 3
Adware.Tracking Cookie
    .imrworldwide.com [ C:\USERS\DAVID TAI\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\0II6F2OT.DEFAULT\COOKIES.SQLITE ]
    .questionablecontent.net [ C:\USERS\DAVID TAI\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\0II6F2OT.DEFAULT\COOKIES.SQLITE ]
Trojan.Agent/Gen-Nullo[short]
    C:\WINDOWS\SYSTEM32\IAS.DLL

SAS_Dave
Posted May 11, 2014

Heya,

The "Nullo" rules are mostly there as a cleanup mechanism. The detection is based on the fact that it's an executable file (EXE, DLL, COM, etc.) but it's not executable (the file is either empty, or doesn't contain the right bits for it to be valid).

I can't say why the item is re-detecting on your PC though. Can you navigate to your C:\WINDOWS\SYSTEM32 folder and manually delete IAS.DLL? It would likely do no harm to select the item after the scan is complete and click the "Trust/Allow" button; it will stop re-detecting it (though it should be removing it).
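
The kind of check described in the post above (a file with an executable extension that is empty or lacks a valid header), sketched as an added example; it is not from the thread and is not SUPERAntiSpyware's actual rule logic. The function names and the sample bytes are constructed, and only .exe/.dll are checked because plain DOS .COM programs carry no header to validate.

```python
import os
import struct

# Added illustration only; names below are hypothetical, not a vendor API.
PE_EXTENSIONS = {".exe", ".dll"}
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002  # COFF Characteristics flag


def pe_header_status(data: bytes) -> str:
    """Return 'valid' or the reason the bytes are not a well-formed PE header."""
    if len(data) == 0:
        return "empty file"
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "missing MZ (DOS) header"
    # e_lfanew (offset 0x3C) points at the 4-byte "PE\0\0" signature,
    # which is followed by the 20-byte COFF file header.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data):
        return "e_lfanew points outside the file"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "missing PE signature"
    _machine, n_sections = struct.unpack_from("<HH", data, e_lfanew + 4)
    opt_size, characteristics = struct.unpack_from("<HH", data, e_lfanew + 20)
    if n_sections == 0 or opt_size == 0:
        return "no sections or no optional header"
    if not characteristics & IMAGE_FILE_EXECUTABLE_IMAGE:
        return "not marked as an executable image"
    return "valid"


def nullo_style_check(name: str, data: bytes):
    """Return a reason string if an .exe/.dll is not a valid PE, else None."""
    if os.path.splitext(name)[1].lower() not in PE_EXTENSIONS:
        return None
    status = pe_header_status(data)
    return None if status == "valid" else status


def sample_pe_header(characteristics: int = 0x2022) -> bytes:
    """Constructed header-only sample: DOS stub + PE signature + COFF header."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0xF0, characteristics)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    samples = {"good.dll": sample_pe_header(), "empty.dll": b"",
               "zeroed.dll": bytes(1024), "cut.dll": sample_pe_header()[:0x40]}
    for name, blob in samples.items():
        print(name, "->", nullo_style_check(name, blob) or "valid")
```

A file that fails this kind of check is malformed, not necessarily malicious, which is why a corrupted system file can trip such a rule.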

DigitMZ
Posted May 11, 2014

Apparently I need permission from 'TrustedInstaller' to delete it. Which is probably why SAS isn't deleting it?

DigitMZ
Posted May 11, 2014

It also has permissions set to read/write only. No full control. Hm. Does it really matter? It seems to be 26 kb and by Microsoft, though I can't seem to find another DLL for it. (Windows 7 Professional, SP on it.)

SAS_Dave
Posted May 11, 2014

Sounds like a false positive of sorts; like I said, that rule tends to just pick up oddball files that don't really make sense (executable files with an inappropriate header). If you could, select the item next time, report it as a false positive. That will get a copy to our research team to confirm what it is. Might just be a corrupted file.

DigitMZ
Posted May 11, 2014

I've sent a false positive and deleted the .dll. If it mattered, where would the best place to get a fresh copy of IAS.dll be?

SAS_Dave
Posted May 11, 2014

You could start here: http://support.microsoft.com/kb/929833

Sounds like it was just a Windows system file that got borked. IAS.DLL looks to only be used for RADIUS support, so if you aren't using VPN, it's probably nothing you'll notice is gone.

SAS Malware Research
Posted May 12, 2014

Hello DigitMZ,

I have done some investigating and I believe I have found the source of the false detection. Please update to the latest database version (11227), scan again, and let us know if the file is still detected. Also, thank you for submitting the false positive report - makes our job that much easier.

SUPERAntiSpyware Malware Research