Win32:MalwareX-gen [Trj] alert at every computer startup
DexyFlex
Hello everyone,
I recently encountered a problem.
Context: I have been using a work computer (laptop on Windows 10) for a while. It was working well, but I wanted to install some things I used on my previous computer that weren't present on this one. I installed Avast, Malwarebytes, Chrome, and a few other similar things.
Problem: For the past few days, every time I start the computer, Avast displays an alert message: "We have moved epfyuybf.dll to your Quarantine Zone because this item is infected with Win32:MalwareX-gen [Trj]"
Threat name: Win32:MalwareX-gen [Trj]
File access: C:\Windows\Temp\epfyuybf\epfyuybf.dll
Process: C:\Windows\SysWOW64\AbtSvcHost_.exe
Detected by: File Agent
Already done: I have already checked some forums and have scanned with Malwarebytes, AdwCleaner, Avast, etc., but it keeps telling me that my computer is clean.
Can someone help me resolve this issue?
Thank you in advance and have a great end of the year everyone :)
Dex.
6 replies
Hello,
Download FRST, once downloaded save it to the desktop, then open it and you will see this:
Then check the shortcut box like this:
Click on Analyze. At the end of the analysis you will have three text files on the desktop: FRST, Addition, and Shortcut. Be sure to wait for the messages indicating that the analysis is complete, then send these reports to https://pjjoint.malekal.com/ (see the tutorial paragraph "Send the analysis reports to pjjoint"), then provide the three links generated by pjjoint in your next message.
--
bazfile
Moderator/Security Contributor.
A hello, a response, a thank you are always appreciated.
Hello,
To proceed, disable AVAST during the analysis (you will need to do the same for the fix)
--
Security contributor.
Thank you very much for the quick response!
Just for your information, when I started the scan with FRST, I received a (red) alert message from Avast that forced me to "block the app"... but the scan was still able to take place.
I do obtain the 3 reports, but they seem to be empty... When I upload them on the proposed site, I get this message:
"Error class 1000 / 1XXX Errors
Request Blocked
A forbidden operation has been detected by the WEB server.
A forbidden request has been detected and blocked.
Access denied
This website is using a security service to protect itself from online attacks."
What should I do in this case?
Great, I have redone the scans after temporarily disabling Avast.
This time the scan worked well and the files are no longer empty. However, it is impossible to attach them to the site: "access denied" (see response above).
Is there another way for me to send you the reports?
I should mention that they were saved on the desktop in .txt format under the Notepad application.
Cool, it's working:
- FRST Link : https://www.cjoint.com/c/JLBm6A3HUJC
- ADDITION Link : https://www.cjoint.com/c/JLBm7HRRJVC
- SHORTCUT Link : https://www.cjoint.com/c/JLBm73QpwGC
Thanks again!
Threat name: Win32:MalwareX-gen [Trj]
File path: C:\Windows\Temp\epfyuybf\epfyuybf.dll
Process: C:\Windows\SysWOW64\AbtSvcHost_.exe
Detected by: File Agent
This means that this file is in the Windows temporary folder and is linked to the process AbtSvcHost_.exe, which is related to CTES from Absolute Software Corp. See this page https://www.absolute.com/
Do you know this program? Is your PC a professional PC? This software may have been installed by your company for protection.
Yes, it is a professional PC (provided by the department). I do not know this program at all but I trust you; if its removal helps and it does not have major consequences on the computer, then yes, I agree to have it removed please.
Would that be enough to stop the Win32 alert message...?
Did the three links help to identify what is wrong?
There's no infection on your PC; I think the Avast alert is a false positive. I don't like running FRST scripts on company PCs because they aren't configured like personal computers; they have specific settings for the company. Since this is a work PC, I believe Absolute Software is used to secure your connection for telecommuting. There are quite a few group policies that have been configured, and I won't touch those either. I'm just creating a script that will remove the file found by Avast.
Procedure to follow in the indicated order:
1- Open FRST
2 - Copy the entire script in the box below:
Start::
CreateRestorePoint:
CloseProcesses:
C:\Windows\Temp\epfyuybf\epfyuybf.dll
EmptyTemp:
End::
3- Once the script is copied, click on Fix.
Let the correction take place; once it's finished, you'll be asked to restart your PC, do so as soon as you are prompted, see below.
Then, once your computer has restarted:
4- You will have a Fixlog file on your desktop; send it via https://pjjoint.malekal.com/, then put the link generated by pjjoint in your next message.
5- To reassure yourself, you can do an online scan with the NOD32 scanner online https://www.malekal.com/scan-antivirus-ligne-nod32/
6- CHECK AND LET ME KNOW IF YOUR ISSUE IS STILL PRESENT
FOR INFORMATION:
Your version of Windows 10 is not up to date. To check, go to this page, click on Update Now; this will start the download of the Microsoft tool, and you just need to open it, and it will allow you to update Windows 10 to the latest version and let you know if it's compatible with your PC. Be careful, this update takes some time; if you have a laptop, plug it into the power supply, because it would be a shame to run out of battery before the update is complete. Since this PC does not belong to you, you are not obliged to update it; this remark was just for your information.
Thank you for the explanation, here is the link generated after these steps: https://www.cjoint.com/c/JLBq5XQHy0C
Just so you know, after the restart I received the alert again (the file name is slightly different but comes from the same source...).
Okay, I'm going to scan right away.
Just to be sure, I have redone the correction procedure with the new file "threat". Here is the attached report: https://www.cjoint.com/c/JLBrkc7AVWC
The file has changed its name, so restarting the procedure is pointless. I think it is automatically created by Absolute Software. You can analyze this file on https://www.virustotal.com/gui/, where it will be analyzed by more than 60 antivirus programs. Once the analysis is complete, provide the link to the analysis page.
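As an added triage example (not posted by anyone in this thread and not Absolute Software's code), the following PowerShell checks the two things the moderator's reasoning rests on: whether AbtSvcHost_.exe is a signed, installed service binary, and what the SHA-256 of the flagged DLL is so it can be looked up on VirusTotal without uploading anything. It assumes the paths Avast reported above and an elevated PowerShell 5.1 or later session.

```powershell
# Added triage example (not from the thread). Paths are the ones Avast reported above;
# the DLL name changes between boots, so the script also lists DLLs still under C:\Windows\Temp.
$ProcessPath = 'C:\Windows\SysWOW64\AbtSvcHost_.exe'
$DllPath     = 'C:\Windows\Temp\epfyuybf\epfyuybf.dll'

function Get-SignatureSummary {
    # Returns the Authenticode status, signer subject and SHA-256 of one file.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false; Status = 'Missing'; Signer = $null; Sha256 = $null }
    }
    $sig    = Get-AuthenticodeSignature -LiteralPath $Path
    $hash   = Get-FileHash -LiteralPath $Path -Algorithm SHA256
    $signer = $null
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    [pscustomobject]@{
        Path   = $Path
        Exists = $true
        Status = $sig.Status   # expect 'Valid' for a vendor binary; 'NotSigned' deserves a closer look
        Signer = $signer
        Sha256 = $hash.Hash    # paste into the VirusTotal search box instead of uploading the file
    }
}

# 1. Is the process Avast blamed a signed binary, and who signed it?
Get-SignatureSummary -Path $ProcessPath | Format-List

# 2. Which Windows service runs it? A company-installed endpoint agent normally shows up here.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -like '*AbtSvcHost*' } |
    Select-Object Name, DisplayName, State, StartMode, PathName | Format-List

# 3. Hash and signature of the DLL itself (if Avast has not already quarantined it).
Get-SignatureSummary -Path $DllPath | Format-List

# 4. The name changes on each boot: check every DLL one level below C:\Windows\Temp.
Get-ChildItem -LiteralPath 'C:\Windows\Temp' -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ChildItem -LiteralPath $_.FullName -Filter '*.dll' -File -ErrorAction SilentlyContinue } |
    ForEach-Object { Get-SignatureSummary -Path $_.FullName } |
    Format-Table Path, Status, Signer, Sha256 -AutoSize
```

If the service binary is validly signed by the vendor and the DLL hashes are clean on VirusTotal, the alert is consistent with the false positive the moderator suspects; an unsigned binary or an unknown signer is the point at which to involve the company's IT department rather than removing anything.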