Beware Epson waste reset / resetter software!

The following file is a virus that is not picked up by Avast even when scanned:
http://www.nzbclub.com/nzb_view/16728638/PC_S_EPSON_SX100_105_and_S21_Ink_Waste_Resetter_SKE

Running the .exe appears to do nothing, but it installs a hidden ‘run at boot’ file in the ‘Roaming’ directory which says it is related to a graphics driver and/or audio driver. The actual file it installs is called ‘sKtTdj69HR0z.exe’, and it produces another in the same directory called ‘WinLogon.exe’.
I removed it by stopping the service for ‘PC_S_EPSON_SX100_105_and_S21_Ink_Waste_Resetter_SKE’, then deleting ‘sKtTdj69HR0z.exe’ and ‘WinLogon.exe’. I also removed the ‘HKLM Run’ registry entry that it produced.

Note: ‘WinLogon.exe’ is also a genuine file from Microsoft so only delete it if it resides in the hidden ‘Temp’ directories or ‘Roaming’ / ‘Local’ folders. The only place this file should be is in the ‘C:\Windows\System32’ folder. Also do not stop the ‘Winlogon’ service or your computer will crash!

Upload the suspicious file(s) to www.virustotal.com and test with 43 malware scanners.
When you have the result, copy the URL in the address bar and post it here for us to see.

Alternatives:
Jotti http://virusscan.jotti.org/en
VirSCAN http://virscan.org/

Hi Pondus

I tried to upload it, but it is 21 MB and that site only allows a 20 MB upload. I’m sending it to you by email. Please could you let me know the results?

Phill.

Norman lab says infected:

PC-S__EPSON_SX100-105_and_S21_Ink_Waste_Resetter__SKE_.exe : Processed - Smalltroj.ZOLI

As per the analysis, some malicious activities are found in the file, such as:

  1. Changing the firewall policy.
  2. Creating a self-copy of the file, hidden, in the “Application Data” directory.
  3. Creating another self-copy with the name “winlogon.exe”.
  4. Creating multiple entries to run the same file at startup.
  5. Performing malicious network activity which may permit unauthorized access to data or may compromise confidentiality.

Also detected by Malwarebytes: Trojan.MSIL.Gen.

Will upload to avast! and SAS. :wink:
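As an added example, not code from any post in this thread, the following PowerShell triage script checks a machine for the indicators described in Phill’s first post and in the Norman lab list above: a winlogon.exe copy outside C:\Windows\System32 under any user profile (Roaming, Local, Temp), Run-key entries whose command points into those folders, services whose binary lives there, and the current firewall state. It only reports; it deletes nothing. The profile root (taken from $env:USERPROFILE), the registry keys checked, the path regex and the output format are my assumptions; the only legitimate location for winlogon.exe is the one the posts state, C:\Windows\System32.

```powershell
# Added triage script (not from the thread). Read-only: it reports, it does not delete.
# Assumptions: user profiles live beside $env:USERPROFILE (e.g. C:\Users\*),
# Get-FileHash (PowerShell 4+), Get-CimInstance (PowerShell 3+) and netsh advfirewall exist.

$systemWinlogon = Join-Path $env:SystemRoot 'System32\winlogon.exe'
$findings = New-Object System.Collections.Generic.List[string]

# Paths the posts call out as suspect for a winlogon.exe copy or a startup entry.
$suspectPath = '(?i)\\AppData\\(Roaming|Local)\\|\\Temp\\'

# 1. winlogon.exe anywhere under a user profile. The dropped copy was hidden, so -Force
#    is needed to include hidden files; the System32 copy is excluded by full path.
$profilesRoot = Split-Path -Path $env:USERPROFILE -Parent
Get-ChildItem -Path $profilesRoot -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    Get-ChildItem -Path $_.FullName -Filter 'winlogon.exe' -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.FullName -ne $systemWinlogon } |
        ForEach-Object {
            $hidden = (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
            $hash   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            $findings.Add(("winlogon.exe outside System32: {0} (hidden={1}, SHA256={2})" -f $_.FullName, $hidden, $hash))
        }
}

# 2. Run keys (HKLM, HKLM 32-bit view, HKCU) whose command points into Roaming/Local/Temp.
#    GetValueNames/GetValue avoids the PS* pseudo-properties Get-ItemProperty adds.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $value = [string]$item.GetValue($name)
        if ($value -match $suspectPath) {
            $findings.Add(("Run entry {0}\{1} = {2}" -f $key, $name, $value))
        }
    }
}

# 3. Services whose binary lives under a user profile (the poster found a service
#    named after the resetter and stopped it before deleting the files).
Get-CimInstance -ClassName Win32_Service |
    Where-Object { ([string]$_.PathName) -match $suspectPath } |
    ForEach-Object { $findings.Add(("Service {0} -> {1}" -f $_.Name, $_.PathName)) }

# 4. Firewall state per profile, since the analysis reported the sample changing firewall policy.
$firewallState = netsh advfirewall show allprofiles state

if ($findings.Count -eq 0) {
    'No suspect winlogon.exe copies, Run entries or services found.'
} else {
    $findings
}
$firewallState
```

Run it from an elevated PowerShell prompt so that every profile directory and the HKLM keys are readable. A hit on item 1 is the strongest signal; compare the reported SHA256 with what VirusTotal knows before deleting anything, and never touch the System32 copy or the Winlogon service, as the first post warns.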

Great, glad I could contribute.

Phill.

The Anubis report rates it as low risk: http://anubis.iseclab.org/?action=result&task_id=1b56ff19121fc1714bdcdf73cb0ecfb2c&format=html
This arouses some suspicion; the following could be flagged in this software:
SavedLegacySettings 0x3c0000001600000001000000000000000000000000000000040000000000
could be a trojan-gen characteristic.
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\ … Value Name: [ MigrateProxy ], also found as trojan attack code.
DD313E04-FEFF-11D1-8ECD-0000F87A470C, also found in fake-alert code.
Also DefaultConnectionSettings 0x3c0000000300000001000000000000000000000000000000040000000000.
ProviderId 0x3a244266a83ba64abaa52e0bd71fdd83 for chat mode.
HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment, general cheat code.

polonus