'ginstall.dll' - trojan or false positive?

[beerslayer]

Hi,

I tried to install a program called WeatherPulse (http://www.tropicdesigns.com) on my system a few days ago, but almost immediately upon launching the installer, Avast complained about a trojan in the file 'ginstall.dll'.  After going back and forth about this a few times on their forum, I decided to see if you could shed any light on the issue.

The file 'ginstall.dll' that triggers Avast's alarm is created in the system Temp directory by their installer almost immediately upon launch, as a very early part of their extraction process.  Due to Avast's alert, the installation never gets past this point.

My guess is that they're using some version of CreateInstall or SetupGenerator, both by Gentee, since this installer is known to create a file named 'ginstall.dll' as part of its extraction process.  However, an earlier version of 'ginstall.dll' (created by an installer I built myself several years ago using SetupGenerator) does not trigger Avast's alert.

I believe the company, Tropic Designs, are probably legitimate and are not trying to install anything malicious; however, this doesn't rule out their being victimized themselves.

Another user is reporting that other anti-virus utilities do not detect anything dangerous, but over the last year or so I've really come to trust Avast.  Though I suspect this alert is a false positive (matches a virus signature but is not actually a virus), I am not certain enough to disable Avast in order to continue the installation.

You can download the entire installer (v1.55 or v1.55.9 beta - both trigger the same alert) directly from Tropic Designs or, if you prefer, I have a copy of the "infected" ginstall.dll file that I'll be happy to send to you by whatever means you like (it's roughly 55KB).  Between us, hopefully we can determine once and for all whether this is a trojan or a false positive.

Thanks in advance,

-- Jeff

[Eddy]

Sure looks like a false positive to me. Send the file in a password protected zip to virus@avast.com
Tell in the mail why you think it is a false positive. (Point to this thread.) Don't forget to mention the password in the email.

[whocares]

Hi Jeff,

please
- read the link "VirusRemoval" below in my sig.
- then scan the file Online with Trend, RAV and KAV (with AVAST Shield PAUSED!!)
- if they all don't report anything in it, please email it as a false positive to virus (at) avast.com
 

[RejZoR]

Just check the file with Jotti multi engined scanner on www.security-ops.tk
This is the most thorough scanner to date

[beerslayer]

Just check the file with Jotti multi engined scanner on www.security-ops.tk
This is the most thorough scanner to date

OK, done.  No viruses reported in any of the engines used (see below):

Code: [Select]

File:      ginstall.dll
Status:    OK
Packers detected:    None
 
AntiVir    No viruses found (4.17 seconds taken)
BitDefender    No viruses found (5.23 seconds taken)
ClamAV    No viruses found (13.23 seconds taken)
Dr.Web    No viruses found (11.83 seconds taken)
F-Prot Antivirus    No viruses found (0.64 seconds taken)
F-Secure Anti-Virus    No viruses found (7.81 seconds taken)
Kaspersky Anti-Virus    No viruses found (8.01 seconds taken)
Norman Virus Control    No viruses found (1.97 seconds taken)

So this does indeed appear to be a false positive.  Nonetheless, I sent a copy of it to the email address above (virus(at)avast(dot)com), and I'd like final confirmation by someone who knows what they're doing that this is safe.

Thanks for the response!

-- Jeff

p.s. Why isn't Avast in the above list?

[RejZoR]

Don't know. I asked him and he said that there is no stable Linux version of avast! (in that time there really wasn't any),but now is and its still not there... Who knows.

[Jlo]

Hi Beerslayer,

As sugested in the above posts send the dll file to Avast.

If you want a quick answer back as to regards it the file safe then send the file to newvirus@kaspersky.com

I have always had a very quick and helpful reply and they will test the file for you.

Avast will of course as well and am sure they will correct the false alarm but they don't often reply to virus submissions. You normally find detection added in next VPS update.

Hope this helps. Let us know the outcome.

Kind Regards

Jlo

[igor]

It seems to be an false alarm. We will check it and fix as soon as possible.

[beerslayer]

Great, thanks!

One other thing I wanted to make you aware of, though, before you do that.  Here's a link to another anti-virus site that discusses a trojan using the file 'ginstall.dll' as part of its operation (read the 'Description' tab).  I hope that if/when you make it so that "my" file doesn't trigger an alert, you don't disable protection from this particular trojan in the process.

As always, I'm amazed by the quality both of your product and your support.  Keep up the excellent work!

-- Jeff