FlashIK.dll marked as trojan.agent, cannot restore from quarantine


flashed

Similar to another user who posted this morning (http://forums.malwar...howtopic=114197), today a full scan running as administrator flagged C:\Program Files\Adobe\Adobe Flash CS5.5\FlashIK.dll as "Trojan.Agent". This seemed odd to me right off the bat, as the file is associated with Adobe Flash, the animation production program, not the player. It also appears to have a valid digital signature, and its Date Modified timestamp matched the installation date, which was in March of this year.

Because I get nervous around even the possibility of trojans I quarantined it anyway, restarted, and did a full scan (I aborted the first scan as soon as I saw an infection was detected), which found no malicious items.

After reading the thread linked above, I tried restoring the dll so I could follow the steps in the thread. Unfortunately, it seems to be one of those files affected by MB's inability to restore to certain directories; nothing happens when I click restore, except for the Exit button being highlighted on the MB interface. A search confirmed that there is still no FlashIK.dll, not where I saw it before, nor anywhere in the Adobe directory.

So it seems that I can't upload the file to VirusTotal to check it, nor can I upload it here unless there's another way to rescue it from quarantine.

I don't really use Flash that much, and if need be I can reinstall it sometime down the road. I just would like to hear confirmation that this was indeed a false positive so I can rest assured that there's nothing harmful on the machine.

The log follows:

Malwarebytes Anti-Malware 1.62.0.1300

www.malwarebytes.org

Database version: v2012.08.14.06

Windows 7 x86 NTFS

Internet Explorer 9.0.8112.16421

Pixelsmith :: LEGION [administrator]

8/14/2012 11:34:49 AM

mbam-log-2012-08-14 (11-34-49).txt

Scan type: Full scan (C:\|D:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P

Scan options disabled:

Objects scanned: 476896

Time elapsed: 1 hour(s), 51 minute(s), 4 second(s) [aborted]

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 1

C:\Program Files\Adobe\Adobe Flash CS5.5\FlashIK.dll (Trojan.Agent) -> Quarantined and deleted successfully.

(end)

Thanks in advance.

Thank you for reporting this. This shall be fixed in our next update. You can de-quarantine the file that was falsely detected.

Thanks for the quick reply! A couple questions though:

1) Since I was unable to upload the file, I'm curious about how you were able to verify that it is a false positive.

2) As I mentioned in my post, I can't de-quarantine the file; clicking either "restore" or "restore all" only causes the "Exit" button to be highlighted. No change occurs to the quarantine list entry, nor does the file reappear in its directory. Is there an alternative method for getting it back?

1) Since I was unable to upload the file, I'm curious about how you were able to verify that it is a false positive.

I was able to obtain another FlashIK.dll file that had the same detection.

2) As I mentioned in my post, I can't de-quarantine the file; clicking either "restore" or "restore all" only causes the "Exit" button to be highlighted. No change occurs to the quarantine list entry, nor does the file reappear in its directory. Is there an alternative method for getting it back?

Try this ...

1) From the list of files that are in Quarantine, select the file in question by clicking it once.

2) Then click the [Restore] button.
