Win32-Trojan-Gen help

[timjb]

I wasnt really sure where else to go so here I am  

In the space of a day I've had two seperate computers running the same version of avast - both fully updated, suddenly start reporting viruses in various files, including in the epson printer manager software and dozens of other seemingly random places, avast reports it as "Win32-Trojan-Gen"

I'm at a loss as to why BOTH would suddenly start reporting this out of the blue, considering neither of the users have been on any sites out of the ordinary or downloaded anything recently.

I'm thinking its a false positive? But I'm not quite sure what to do as info on this seems scarse.

They arnt networked but do share the same wifi connection, I was told one of them popped up a web sheild warning blocking a connection on firefox but that was before the warnings began.

I'd also like to add that the laptop I'm typing this on has windows 7 instead of vista, the exact same printer software and the same version of avast with up to date definitions. It usually shares the same wifi as the other two systems but is currently on a 3G mobile network and I've had no virus warnings of the same kind, currently running a scan on here to be sure anyway.

Can anyone help? Its depressing watching these virus popups when you run a scan, for no apparent reason.

[DavidR]

Some information would help:
What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ? 
Check the avast! Log Viewer (right click the avast 'a' icon), Warning section, this contains information on all avast detections. C:\Program Files\Alwil Software\Avast4\ashLogV.exe
 
- Or check the source file using notepad C:\Program Files\Alwil Software\Avast4\DATA\log\Warning.log and copy and paste the entry.

Are the detections on files that have been on the systems for some time and previously scanned ?

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here the URL in the Address bar of the VT results page. You can't do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

[timjb]

Thanks for the heads up, I've got hold of the log file for one of the machines.

Turns out there was a unrelated warning on the web shield before hand but I've been informed it was successfully blocked and ended at that.


16/12/2009   17:16:27   1260983787   SYSTEM   1704   Sign of "JS:Pdfka-TW [Expl]" has been found in "http://gjbeeklgpnf.com/nte/TREST10.exe/oHdf0a8a76V03005f35002Ra5dc5ecc108T94239fa5Q000002fc900801F0020000aJ0f000601l0809K31643e31317" file.  

16/12/2009   18:16:44   1260987404   SYSTEM   1704   Sign of "Win32:Malware-gen" has been found in "C:\Windows\System32\spool\drivers\w32x86\3\E_FBA6FSE.DLL" file.  

16/12/2009   18:21:55   1260987715   user   4772   Sign of "Win32:Malware-gen" has been found in "C:\Windows\System32\DriverStore\FileRepository\e_df1fse.inf_c9225c34\WINVISTA_XP_2K\EBAPI4.DLL" file.  

16/12/2009   18:23:54   1260987834   user   4772   Sign of "Win32:Malware-gen" has been found in "C:\Windows\System32\DriverStore\FileRepository\e_df1fse.inf_c9225c34\WINVISTA_XP_2K\EBAPI5.DLL" file.  

16/12/2009   18:24:02   1260987842   user   4772   Sign of "Win32:Malware-gen" has been found in "C:\Windows\System32\DriverStore\FileRepository\e_df1fse.inf_c9225c34\WINVISTA_XP_2K\EBAPI6.DLL" file.  

Heres the log from the other machine:

16/12/2009   14:30:59   1260973859   SYSTEM   1776   Sign of "Win32:Malware-gen" has been found in "C:\Windows\System32\spool\drivers\w32x86\3\E_FBA6FSE.DLL" file. 

16/12/2009   14:57:33   1260975453   Joan & Susan   1464   Sign of "Win32:Malware-gen" has been found in "C:\Windows\System32\DriverStore\FileRepository\e_df1fse.inf_c9225c34\WINVISTA_XP_2K\EBAPI4.DLL" file. 

16/12/2009   15:01:27   1260975687   Joan & Susan   1464   Sign of "Win32:Malware-gen" has been found in "C:\Windows\System32\DriverStore\FileRepository\e_df1fse.inf_c9225c34\WINVISTA_XP_2K\EBAPI5.DLL" file. 

16/12/2009   15:03:22   1260975802   Joan & Susan   1464   Sign of "Win32:Malware-gen" has been found in "C:\Windows\System32\DriverStore\FileRepository\e_df1fse.inf_c9225c34\WINVISTA_XP_2K\EBAPI6.DLL" file. 

16/12/2009   15:04:03   1260975843   Joan & Susan   1464   Sign of "Win32:Trojan-gen" has been found in "C:\Windows\System32\DriverStore\FileRepository\e_df1fse.inf_c9225c34\WINVISTA_XP_2K\EBPBIDI.DLL" file. 

16/12/2009   15:04:42   1260975882   Joan & Susan   1464   Sign of "Win32:Trojan-gen" has been found in "C:\Windows\System32\DriverStore\FileRepository\e_df1fse.inf_c9225c34\WINVISTA_XP_2K\EBPBIDI6.DLL" file. 

16/12/2009   15:09:37   1260976177   Joan & Susan   1464   Sign of "Win32:Malware-gen" has been found in "C:\Windows\System32\spool\drivers\w32x86\3\EBAPI4.DLL" file. 

16/12/2009   15:10:03   1260976203   Joan & Susan   1464   Sign of "Win32:Trojan-gen" has been found in "C:\Windows\System32\spool\drivers\w32x86\3\EBPBIDI.DLL" file. 

16/12/2009   15:10:17   1260976217   Joan & Susan   1464   Sign of "Win32:Malware-gen" has been found in "C:\Windows\System32\spool\drivers\w32x86\3\E_FBAPFSE.DLL" file. 

16/12/2009   15:10:29   1260976229   Joan & Susan   1464   Sign of "Win32:Trojan-gen" has been found in "C:\Windows\System32\spool\drivers\w32x86\3\E_FBL6FSE.DLL" file. 

16/12/2009   15:11:01   1260976261   Joan & Susan   1464   Sign of "Win32:Malware-gen" has been found in "C:\Windows\System32\spool\drivers\w32x86\PCC\e_df1fse.inf_c9225c34.cab\WINVISTA_XP_2K\EBAPI4.DLL" file. 

16/12/2009   15:11:16   1260976276   Joan & Susan   1464   Sign of "Win32:Malware-gen" has been found in "C:\Windows\System32\spool\drivers\w32x86\PCC\e_df1fse.inf_c9225c34.cab\WINVISTA_XP_2K\EBAPI5.DLL" file. 

16/12/2009   15:11:20   1260976280   Joan & Susan   1464   Sign of "Win32:Malware-gen" has been found in "C:\Windows\System32\spool\drivers\w32x86\PCC\e_df1fse.inf_c9225c34.cab\WINVISTA_XP_2K\EBAPI6.DLL" file. 

16/12/2009   15:12:49   1260976369   Joan & Susan   1464   Sign of "Win32:Trojan-gen" has been found in "C:\Windows\System32\spool\drivers\w32x86\PCC\e_df1fse.inf_c9225c34.cab\WINVISTA_XP_2K\EBPBIDI.DLL" file. 

16/12/2009   15:14:28   1260976468   Joan & Susan   1464   Sign of "Win32:Trojan-gen" has been found in "C:\Windows\System32\spool\drivers\w32x86\PCC\e_df1fse.inf_c9225c34.cab\WINVISTA_XP_2K\EBPBIDI6.DLL" file. 


The printers about a month old, I installed the drivers and other software on both machines and this one at the same time, resident and full protection has been active so I assume the files have been scanned at some point, both of those machines ^ are windows vista.

Strangely I just noticed it says "Malware" where avast itself was reporting it as "Trojan"

[DavidR]

I would say that all the file detections starting EBA or EBP .dll files could well be false positive detections on Epson files, there are a few topics about this in the viruses and worms forum.

Send/report the samples to avast as false positives for further analysis. You can scan them within the chest and when avast alerts, click the report as false positive link on the alert window. Or right click on the file within the chest and select email to Alwil, t will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.

You could try excluding the file from being scanned, similar to my instructions on uploading to virustotal, which I still think you should do for 1 sample of a unique file name, e.g. EBPBIDI6.DLL. This really should be done to confirm only avast is detecting this before exclusion.

- In the meantime, add it to the exclusions lists:
Standard Shield, Customize, Advanced, Add and
Program Settings, Exclusions (right click the avast ' a ' icon)
Restore it to its original location, periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the Standard Shield and Program Settings, exclusions.

Use this wildcard method, copy and paste into the two exclusions lists above, C:\*\EBA*.DLL also C:\*\EBP*.DLL and :\*\E_FB*.DLL the * is a wild card which saves typing the full path for each and every file. The second * element in the EPA*.DLL is to restrict what may be excluded doesn't match lots of dll files.

[Milos]

Hello,
yes the .dll starting "EBA" and "EBP" are Epson drives. Will be fixed soon.
http://forum.avast.com/index.php?topic=52275.0

Milos

[PeteC]

There is an advantage to this.  I am no longer nagged by that Epson program that wants me to buy ink from them.
Downside, it no longer knows how much ink is left.
Upside, it won't stop me from printing if it thinks the ink is low.  This happened with my last ink cartridge.  It was printing fine then the program refused to send any documents to the printer because it said the ink was low.  For the price they get for a cartridge, I should at least be sure that it can't print a few more pages.

I found that avast just renamed the file:

C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\E_FBA6FBA.DLL.vir by adding the .vir.

Maybe if I ever need to know how much ink I have, I might try undoing that.  But maybe I'll just wait for the printer to skip.  If cleaning the heads doesn't fix that I'll replace the cartridge.

Pete

[YoKenny]

Welcome  PeteC

I have used Island Ink-Jet refill quite a bit:
http://www.experts123.com/q/is-island-ink-jet-able-to-refill-all-cartridges.html

[PeteC]

I can't get much info from their website.  Nearest to me is St Catharines, 45 Min away plus a border crossing.  Not worth it for home use.

Thanks

Pete