Author Topic: False positive: Win32:Murlo [Trj]  (Read 9622 times)

Twister

  • Guest
False positive: Win32:Murlo [Trj]
« on: September 09, 2005, 12:01:38 PM »
After VPS 0536-3 got autoupdated this morning, any attempts to access acrord32.dll from the Adobe Reader 7.0.3 package result in an Avast warning for the Win32:Murlo trojan.  I've submitted this file to the jotti site, which gives it a clean bill of health with all scanners other than Avast.

uilop

  • Guest
Re: False positive: Win32:Murlo [Trj]
« Reply #1 on: September 09, 2005, 12:09:31 PM »
Same with me!

It's really a false positive!

zivilist

  • Guest
Re: False positive: Win32:Murlo [Trj]
« Reply #2 on: September 09, 2005, 12:11:34 PM »
I have got the same problem.

aquilo

  • Guest
Re: False positive: Win32:Murlo [Trj]
« Reply #3 on: September 09, 2005, 12:16:41 PM »
Me too! I changed back to Reader 6.0.

shuflie

  • Guest
Re: False positive: Win32:Murlo [Trj]
« Reply #4 on: September 09, 2005, 12:40:05 PM »
I just added the file to the on-access scanner's ignore list; not a perfect solution, but until there is a fix it's the only option available to me.

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re: False positive: Win32:Murlo [Trj]
« Reply #5 on: September 09, 2005, 12:43:23 PM »
Sorry for the troubles, it should be fixed soon.

kwizart

  • Guest
Re: False positive: Win32:Murlo [Trj]
« Reply #6 on: September 09, 2005, 01:11:29 PM »
Sign of "Win32:Murlo [Trj]" has been found in "F:\Adobe\Acrobat 7.0\Acrobat\Acrobat.dll.700.bak" file. 

It is the same for the Adobe Pro 7 version. Since Adobe wants to reinstall the file, it renames it as .bak, but it is acrobat.dll.

thx to update soon!
best regards

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31080
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: False positive: Win32:Murlo [Trj]
« Reply #7 on: September 09, 2005, 01:24:50 PM »
Adobe reader 7.0.3.
VPS 536-2. No false positives in the entire Adobe folder found.
VPS 536-4. No false positives in the entire Adobe folder found.
« Last Edit: September 09, 2005, 01:26:25 PM by Eddy »

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re: False positive: Win32:Murlo [Trj]
« Reply #8 on: September 09, 2005, 01:34:00 PM »
The fixed VPS has been released.

shuflie

  • Guest
Re: False positive: Win32:Murlo [Trj]
« Reply #9 on: September 09, 2005, 04:58:17 PM »
Thanks, removed my exclusion for the file now. :)

wavus

  • Guest
Re: False positive: Win32:Murlo [Trj]
« Reply #10 on: September 10, 2005, 02:15:11 PM »
Hi guys,

Can I just pester you a little bit more on this topic? I'm new to the forum (and virus/trojan problems in general) so I could do with a little help deciding whether my AV alert has been a false positive or not.

Like some of you on this post, I had an alert from Avast! yesterday about the presence of the trojan Win32 Murlo on my computer. The suspect file's name is acrobat.dll, and it has been confined to the chest ever since.

The reasons why I think it might be something more serious are:

1. A scan with the EWIDO security suite showed 232 infected objects.
2. For the past week or so I've had patchy Internet connection, my browser suddenly stops responding, and the laptop heats up more than normal.
3. Each time I boot up a Windows Installer dialog box comes up and a process of installation begins which I cancel manually each time.

Could this be an infection rather than a false positive ???
And what should I do with the Windows installer?

Sorry if my question is a bit stupid but I'm not computer-savvy. :(

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: False positive: Win32:Murlo [Trj]
« Reply #11 on: September 11, 2005, 06:51:54 AM »
> 1. A scan with the EWIDO security suite showed 232 infected objects.
Ewido is well known for huge false positives... take care when deleting.

> 2. For the past week or so I've had patchy Internet connection, my browser suddenly stops responding
Seems infected...

> and the laptop heats up more than normal.
I think it's not virus related... just hardware trouble... But it could be dangerous to keep the laptop running while it overheats.

> 3. Each time I boot up a Windows Installer dialog box comes up and a process of installation begins which I cancel manually each time.
Do you have Adobe Acrobat? Which program starts Windows Installer?
The best things in life are free.

wavus

  • Guest
Re: False positive: Win32:Murlo [Trj]
« Reply #12 on: September 11, 2005, 01:46:00 PM »
Thanks for your reply Tech. I do indeed have Adobe Acrobat Pro 7.0.3, and that's what the Windows Installer is trying to install, but I don't let it.

In addition to Ad-aware and Spybot - Search and Destroy, I have done a number of online scans (RAV, Kaspersky, Trend Housecall), which showed no malware.

I have been advised (at the Geeks to go forum) to uninstall and reinstall Adobe Acrobat, but given the situation I'm not sure what the right course of action is. Is it a matter of an incompatibility between Acrobat and Avast?

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: False positive: Win32:Murlo [Trj]
« Reply #13 on: September 11, 2005, 03:53:37 PM »
> Thanks for your reply Tech. I do indeed have Adobe Acrobat Pro 7.0.3, and that's what the Windows Installer is trying to install, but I don't let it.
You could let it... otherwise, you won't be in peace with it.
It seems a kind of anti-piracy (?) feature that I could never disable.
It restores the links and Registry keys of Acrobat. A lot of Registry cleaners detect them as trash and invalid.
I think Spybot did the cleaning...

> Is it a matter of an incompatibility between Acrobat and Avast?
No, it's not.
The best things in life are free.

wavus

  • Guest
Re: False positive: Win32:Murlo [Trj]
« Reply #14 on: September 12, 2005, 12:35:50 PM »
Problem resolved. It was a false positive after all. I've had no further problems since the clean-up operation.