False positive: Win32:Murlo [Trj]

[Twister]

After VPS 0536-3 got autoupdated this morning, any attempts to access acrord32.dll from the Adobe Reader 7.0.3 package result in an Avast warning for the Win32:Murlo trojan.  I've submitted this file to the jotti site, which gives it a clean bill of health with all scanners other than Avast.

[uilop]

Same with me!

It's really a false positive!

[zivilist]

I have got the same problem.

[aquilo]

Me too! I changed back to Reader 6.0.

[shuflie]

I just added the file to the on access scanner's ignore list, not a perfect solution but until there is a fix its the only option available to me.

[igor]

Sorry for the troubles, it should be fixed soon.

[kwizart]

Sign of "Win32:Murlo [Trj]" has been found in "F:\Adobe\Acrobat 7.0\Acrobat\Acrobat.dll.700.bak" file. 

It is the same for adobe pro 7 version. since adobe want to reinstall the file, it rename it as .bak but it is acrobat.dll

thx to update soon!
best regards

[Eddy]

Adobe reader 7.0.3.
VPS 536-2. No false positives in the entire Adobe folder found.
VPS 536-4. No false positives in the entire Adobe folder found.

[igor]

The fixed VPS has been released.

[shuflie]

Thanks, removed my exclusion for the file now.

[wavus]

Hi guys,

Can I just pester you a little bit more on this topic? I'm new to the forum (and virus/trojan problems in general) so I could do with a little help deciding whether my AV alert has been a false positive or not.

Like some of you on this post, I had an alert from Avast! yesterday about the presence of the trojan Win32 Murlo on my computer. The suspect file's name is acrobat.dll, and it has been confined to the chest ever since.

The reasons why I think it might be something more serious are:

1. A scan with the EWIDO security suite showed 232 infected objects.
2. For the past week or so I've had patchy Internet connection, my browser suddenly stops responding, and the laptop heats up more than normal.
3. Each time I boot up a Windows Installer dialog box comes up and a process of installation begins which I cancel manually each time.

Could this be an infection rather than a false positive
And what should I do with the Windows installer?

Sorry if my question is a bit stupid but I'm not computer-savvy.

[Lisandro]

1. A scan with the EWIDO security suite showed 232 infected objects.

Ewido is well know for huge false positves... take care on deleting.

2. For the past week or so I've had patchy Internet connection, my browser suddenly stops responding

Seems infected...

and the laptop heats up more than normal.

I think it's not virus related... just harware trouble... But it could be dangerous keeping the overheated function of the laptop.

3. Each time I boot up a Windows Installer dialog box comes up and a process of installation begins which I cancel manually each time.

Do you have Adobe Acrobat? Which program starts Windows Installer?

[wavus]

Thanks for your reply Tech. I do indeed have Adobe Acrobat Pro 7.0.3, and that's what the Windows Installer is trying to install, but I don't let it.

In addition to Ad-aware and Spybot - Search and Destroy , I have done a number of online scans (RAV, Kaspersky, Trend Housecall), which showed no malware.

I have been advised (at the Geeks to go forum) to uninstall and reinstall Adobe Acrobat, but given the situation I'm not sure what the right course of action is. Is it a matter of an incompatibility between Acrobat and Avast?

[Lisandro]

Thanks for your reply Tech. I do indeed have Adobe Acrobat Pro 7.0.3, and that's what the Windows Installer is trying to install, but I don't let it.

You could let it... otherwise, you won't be in peace with it.
It seems a kind of anti-piracy (?) feature that I could never disabled.
It restores the links and Registry keys of Acrobat. A lot of Registry cleaners detect them as trash and invalid.
I think Spybot did the cleaning...

Is it a matter of an incompatibility between Acrobat and Avast?

No, it's not.

[wavus]

Problem resolved. It was a false positive after all. I've had no further problems since the clean-up operation.