diasymreader.dll virus or false-positive?


8 replies to this topic

#1 tariintod

  • Members

Posted 27 July 2012 - 03:57 PM

I ran a full scan with Malwarebytes Anti-Malware 1.62.0.1300 (Build date: 03.07.2012) and it detected a trojan, diasymreader.dll, as Trojan.FakeMS.

Malwarebytes advised me to delete it, therefore I deleted it and I restarted the computer in order to remove this file.
This file is now in the quarantine folder.

But before deleting diasymreader.dll, I scanned this file with KIS 2012, but it reported that it is safe.
Therefore I am confused: Is this file a trojan or is it a false positive?

Should I delete this file (remove it from the quarantine folder as well) or restore it?

Here is the custom scan report of Malwarebytes:

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.07.27.01

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 8.0.7601.17514
LIVE :: LIVE-PC [administrator]

27.07.2012 23:27:36
mbam-log-2012-07-27 (23-27-36).txt

Scan type: Custom scan (C:\Windows\winsxs\x86_netfx-debugging_msdia70_b03f5f7f11d50a3a_6.1.7600.16385_none_a5658c87d101b1b3\diasymreader.dll|)
Scan options enabled: File System | Heuristics/Shuriken | PUP | PUM
Scan options disabled: Memory | Startup | Registry | Heuristics/Extra | P2P
Objects scanned: 1
Time elapsed: 3 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Windows\winsxs\x86_netfx-debugging_msdia70_b03f5f7f11d50a3a_6.1.7600.16385_none_a5658c87d101b1b3\diasymreader.dll (Trojan.FakeMS) -> Quarantined and deleted successfully.

(end)



Thanks in advance,



#2 AMDSempron145

  • Members

Posted 27 July 2012 - 11:11 PM

I got the exact same thing today, same file as well. I just removed it with Malwarebytes. I'm guessing it's a false positive from net framework.

#3 tariintod

  • Topic Starter
  • Members

Posted 28 July 2012 - 01:18 AM

> I got the exact same thing today, same file as well. I just removed it with Malwarebytes. I'm guessing it's a false positive from net framework.

Was your file located in the same folder (C:\Windows\winsxs\**) as well?
Did you completely delete diasymreader.dll?

Am I taking security risks by deleting diasymreader.dll?

Could someone confirm whether this file is a trojan or not?

Edited by tariintod, 28 July 2012 - 01:18 AM.


#4 AMDSempron145

  • Members

Posted 28 July 2012 - 08:18 AM

From log.

Files Detected: 1
C:\Windows\winsxs\x86_netfx-debugging_msdia70_b03f5f7f11d50a3a_6.1.7600.16385_none_a5658c87d101b1b3\diasymreader.dll (Trojan.FakeMS) -> Quarantined and deleted successfully.


I would like confirmation as well, but it does seem a false positive. I just deleted it and everything has been as per usual. No problems.

#5 Orange Blossom

  • Moderator

Posted 29 July 2012 - 04:31 AM

I can't say whether that specific file is bad or not. The file path is legitimate as is the file name. Removing it might create problems, particularly if the file is legit. Even if it is corrupt, it would need to be replaced with a clean copy of the proper version.

This article: http://www.ghacks.net/2010/07/24/the-winsxs-folder-explained/ explains what the winsxs folder is and its purpose. In the event that the copy of the file in question that is actually accessed when running vanishes or is corrupted, you need that file in the winsxs folder to replace it. That folder is also used by Windows Updates to determine what version or versions of the files you have on your computer and the versions of related components so that it offers the correct versions for the various files you need to update.

Orange Blossom :cherry:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript
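
The triage point made in the post above (a detection inside the WinSxS component store deserves a second look before removal) as an added example; it is not part of the original thread and not Malwarebytes' code. It parses the "Files Detected" line format from the log quoted in this topic and splits the component directory name into its identity fields (arch_name_publicKeyToken_version_culture_hash). The function names, the second sample line and the advice strings are assumptions, and Windows is assumed to be installed in C:\Windows.

```python
import re

# Constructed sample: line 2 is the detection from the log in this thread;
# line 3 is an invented non-WinSxS detection added for contrast.
SAMPLE_LOG = r"""Files Detected: 2
C:\Windows\winsxs\x86_netfx-debugging_msdia70_b03f5f7f11d50a3a_6.1.7600.16385_none_a5658c87d101b1b3\diasymreader.dll (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Users\LIVE\AppData\Local\Temp\setup_update.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
"""

# "<path> (<threat>) -> <action>"; the greedy path tolerates "(x86)" inside it.
DETECTION = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+) \((?P<threat>[^()]+)\) -> (?P<action>.+)$", re.M)

# WinSxS directory name: arch_name_publicKeyToken_version_culture_hash.
COMPONENT = re.compile(
    r"^(?P<arch>[^_]+)_(?P<name>.+)_(?P<token>[0-9a-f]{16})"
    r"_(?P<version>\d+(?:\.\d+){3})_(?P<culture>[^_]+)_(?P<hash>[0-9a-f]{16})$",
    re.I)

def winsxs_component(path):
    """Return the component identity fields, or None if path is not in WinSxS."""
    parts = path.split("\\")
    if len(parts) < 5 or [p.lower() for p in parts[1:3]] != ["windows", "winsxs"]:
        return None
    m = COMPONENT.match(parts[3])
    return m.groupdict() if m else None

def triage(log_text):
    """One dict per file detection; component-store hits are held for review."""
    results = []
    for m in DETECTION.finditer(log_text):
        d = m.groupdict()
        d["component"] = winsxs_component(d["path"])
        d["advice"] = ("hold: verify before deleting (WinSxS component)"
                       if d["component"] else "follow normal quarantine workflow")
        results.append(d)
    return results

if __name__ == "__main__":
    for d in triage(SAMPLE_LOG):
        comp = d["component"]
        ident = f'{comp["name"]} {comp["version"]} ({comp["arch"]})' if comp else "-"
        print(f'{d["threat"]:15} {ident:45} {d["advice"]}')
```
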

#6 myrti

  • Malware Study Hall Admin

Posted 29 July 2012 - 07:44 AM

Hi,

this was a false positive from Malwarebytes. It has been reported here: link and was subsequently fixed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 



#7 Orange Blossom

  • Moderator

Posted 29 July 2012 - 08:08 AM

Thank you myrti.

Given that, those of you who quarantined that file, please restore it. You can do that by navigating to the quarantine tab in MBAM, selecting the file in question, then clicking on Restore.

Orange Blossom :cherry:

#8 AMDSempron145

  • Members

Posted 29 July 2012 - 08:19 AM

Thanks :thumbup2:

#9 Orange Blossom

  • Moderator

Posted 30 July 2012 - 09:07 AM

You're welcome.

Orange Blossom :cherry:



