Win32:Agent-EBU

This was flagged by avast but I can find no specific information anywhere on it. Why can't I just click on the alert in the log file to open a description? I like AVAST but some things drive me nuts. A search for this on the website found nothing either.

Hi Steviebone,

It is most likely this is a False Positive. Check the file that caused this alert by uploading it here: http://www.virustotal.com/en/indexf.html

And let us know the results.

polonus

You're most likely to find information when searching using the suspect/infected file name or searching for the win32:agent family rather than a specific malware name, e.g. win32:agent(-EBU).

What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ?

It may or may not be an FP, but that needs to be tested, as polonus said.

I had the same too. The filename is A0049120.exe and it was found in e:\System Volume Information\_restore. Can someone tell me what it is? I moved it into quarantine.

I doubt it has gone unless you moved it at a boot-time scan (see below), you can scan again and confirm this if you wish.

Unfortunately the file names in the System Volume Information _restore points are set by system restore and aren't the original file names. It could have been an infected file that was in one of the system folders which, when it was deleted, windows system restore in its wisdom saved a copy of because it was in a system folder. Or it could be a bad detection; you could extract it to a temporary folder and upload it to one of the multi-engine scanners to confirm or deny.

The x:\System Volume Information folder is part of the system restore function and as such is protected by windows; the only way to clean infected _restore points is to disable system restore and reboot. This will clear ALL _restore points. Once you have disabled system restore, reboot, scan your PC again and, if clear, enable system restore.

Win XP - How to disable System Restore

David, I was able to move a file into that folder using avast, logged in to an account with admin rights… today…

Yes, I don’t doubt there is a copy in the chest.

But, is that file still in the system volume information folder? If it is, the windows protection of that folder is pants or avast has found a new way to do this, as it couldn't in the past.

No, the file was ‘moved’ to Chest :)

I just did a new scan after rebooting computer and nothing was found!

Looks like an improvement in handling files in the System Volume Information folder, in the past the only way was disable system restore to clear ALL restore points.

@ Jarski
Looks like you're good to go, unless you want to extract it to a temporary folder and upload it to one of the multi-engine scanners to confirm or deny.

Hi,
I have the same. And it infected my Maple 9 application as well. I deleted the files and scanned the computer with avast and nod32 and it seemed to be ok, but on reinstalling Maple from CD the virus appeared again.

Does anyone know how to get it out?
Thanx

Kotik

It may be a false detection and you need to confirm that.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner
or Jotti - Multi engine on-line virus scanner. If any other scanners there detect them, it is less likely to be a false positive. You can't do this with the file in the chest; you will need to move it out.

If it is indeed a false positive, add it to the exclusions lists (Standard Shield, Customize, Advanced and Program Settings, Exclusions) and periodically check it (scan it in the chest); there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected, you can also remove it from the Standard Shield and Program Settings exclusions.
Also see (Mini Sticky) False Positives, how to report it to avast! and what to do to exclude them until the problem is corrected.

Please post the filenames that are detected within the Maple program.
If possible, pack the files into a password-protected ZIP or RAR and send it to virus@avast.com. (Or, you can also submit them directly from Chest). Let us know about the progress, please.
Thanks!

The files
C:\System Volume Information\_restore{EAD5636C-8CA3-46EF-BD06-687800439887}\RP47

C:\Program Files\Netscape\Netscape Browser\defaults\safetynet

were infected by Win32:Agent-EBU[Trj]. The VirusTotal scanner did not find any viruses.

You can send the files to Chest 8)
I suggest that you:

  1. Disable System Restore on Windows XP: http://support.microsoft.com/default.aspx?scid=kb;[LN];310405
  2. Clean your temporary files. You can use the Windows Advanced Care features for that.
  3. Schedule a boot time scanning with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot.
  4. Use a-squared, Free AVG Antispyware or SUPERantispyware (trojan removers).
  5. Use the immunization of SpywareBlaster or, which is better, the Windows Advanced Care features of spyware/adware cleaning and removal.

I also got this trojan on my laptop. I hadn't used it for anything other than streaming Lost off ABC.com in several weeks. My expired Norton actually found it, but I downloaded Avast and it also detected it; I just hit delete when it asked for action. It was also in the C:\Program Files\Netscape\Netscape Browser\defaults\safetynet location.
What are the chances that zapped it? I am scared to use the laptop lol. Is there any way to be sure… some of you are saying it was in several locations?

What Operating System are you using ?
What avast! version and VPS file (virus database) number, e.g. 0630-2 (see about avast!) ?
What is the infected file name? You only included a location but no file name, e.g. (C:\windows\system32\infected-file-name.xxx). Check the avast! Log Viewer (right click the avast icon), Warning section; this contains information on all avast detections.

First - Deletion isn't really a good first option (you have none left): ‘first do no harm’, don't delete, send the virus to the chest and investigate.

Secondly - Having two resident scanners installed is not recommended, as rather than providing twice the protection it can cause conflicts that could leave you more vulnerable. So you need to ensure the old AV is uninstalled (using Add/Remove Programs), not just disabled.

You have to assume that that particular file is gone, but to be sure there is nothing else you are going to have to use your laptop, no way round that.

If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode.

  1. Ewido, a.k.a. avg anti-spyware If using winXP. or a-Squared free if using win98/ME.
  2. Ad-Aware SE Personal Edition
  3. Spywareblaster. Don't install this until you are clean.

Well - ~‘EBU’[trj] is still out there causing a fuss and there is a lot of talk in here about how to isolate it and quarantine it and package it up and send it off for verification… but what is it? Is it a real virus/trojan or a false alarm, and what does it do or could it do or might it do… or is this much ado about nothing, just an idiosyncrasy of avast!?

And I ask because a boot-time scan on a new laptop (Christmas), with a newly-installed (tonight) version of Avast! Pro (4.7), just found it in three files: System Volume Information\_Restore(big number)\RP89\A0005775.exe [UPX], also in ~\RP97\A0006241.exe etc., and Netscape~\safetynet\updatelists.exe.

… and after “repair” failed, I deleted them … then I looked in here.

Too bad you didn't check here first; you probably would have been advised to send them to the chest and then investigate further. Once in the chest they are harmless. Since you deleted them, you have no options left. Repair only works on select system files.

@ tdamm
The name is Win32:Agent-EBU and not just -EBU, which is just another variant of Agent, and it can take many forms. The Win32:Agent family are usually associated with trojan droppers/downloaders; they download other malware to your system. This is just one summary; a google search for win32:agent is likely to find many more, and the problem is that there is no standardisation in malware naming, so different AV companies don't always use the same name.

Summary: Win32.Trojan.Agent may download and install adware program(s) to the victim's machine. It may change configurations for Windows Explorer and for the Windows interface.

To be 100% certain of any detection you would need to test it against multi-engine scanners like those previously listed; unfortunately, since you deleted the files, that can't be tested. Deletion isn't really a good first option (you have none left): ‘first do no harm’, don't delete, send the virus to the chest and investigate.

The system volume information folder doesn't contain anything critical and can be quite safely cleared by disabling system restore and rebooting, then enabling system restore. It would just mean that you couldn't use system restore to restore those files. Personally, if there is any doubt about an infected file in the system volume information folder, clearing it completely is the best option, so at some point in the future you don't use system restore and effectively re-infect your system.

Re your failed repair:
Trojans generally can't be repaired (either by the VRDB or avast virus cleaner), because the entire content of the file is malware, so it is either move to chest or delete, moving to the chest being the best option (first do no harm). When a file is in the chest it can't do any harm and you can investigate the infected warning.

The VRDB only protects certain files (.exe, .dll and other system files); it doesn't protect data files or all files. It is not a back-up program, so there are going to be many occasions where repair won't be an option.
Only a true virus infection can be repaired, e.g. when a virus infects a file it adds a small part to it; provided that file is one that avast's VRDB would monitor and you have run the VRDB, then it may be possible to repair the file to its uninfected state.
However, for the most part so-called viruses, trojans (adware/spyware/malware, etc.) can't be repaired because the complete content of the file is malicious.
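A way to gather the evidence this thread keeps asking for, namely the file's hashes for a multi-engine scanner lookup and whether the file is a UPX-packed PE (avast tagged one of the restore-point files [UPX] above), without running the file. This is an added example, not code from the original posts or from avast. The `SuspectReport` fields, the command-line usage and the UPX section-name heuristic are assumptions of the example, and the sample PE it builds for testing is constructed data, not a real detection. As advised above, extract the file from the chest to a temporary folder first, hash that copy, and never execute it.

```python
"""Offline triage of a file flagged as Win32:Agent-EBU (added example, not avast code).

Usage: python triage.py <path-to-extracted-suspect-file>
Prints MD5/SHA-1/SHA-256 (for a hash lookup on a multi-engine scanner)
and, for PE files, the section names with a UPX hint.
"""
import hashlib
import struct
import sys
from dataclasses import dataclass, field
from typing import List, Optional

# Section names the UPX packer normally writes. Assumption: this is only a
# hint; a packer is not proof of malice and malware can rename sections.
UPX_SECTION_PREFIXES = ("UPX0", "UPX1", "UPX2")


@dataclass
class SuspectReport:
    size: int
    md5: str
    sha1: str
    sha256: str
    is_pe: bool
    sections: List[str] = field(default_factory=list)
    upx_hint: bool = False


def pe_section_names(data: bytes) -> Optional[List[str]]:
    """Return the section names if `data` is a PE image, else None.

    Walks MZ header -> e_lfanew -> 'PE\\0\\0' -> IMAGE_FILE_HEADER -> section
    table. Every read is bounds-checked so a truncated or hostile file cannot
    make the parser misbehave.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # IMAGE_FILE_HEADER (20 bytes) follows the 4-byte signature:
    # NumberOfSections at +2, SizeOfOptionalHeader at +16.
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_hdr_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_hdr_size
    names = []
    for i in range(num_sections):
        off = table + i * 40  # IMAGE_SECTION_HEADER is 40 bytes; name is the first 8
        if off + 40 > len(data):
            break  # header claims more sections than the file actually holds
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names


def analyse(data: bytes) -> SuspectReport:
    """Hash the bytes and record PE/UPX facts; never executes anything."""
    sections = pe_section_names(data)
    return SuspectReport(
        size=len(data),
        md5=hashlib.md5(data).hexdigest(),
        sha1=hashlib.sha1(data).hexdigest(),
        sha256=hashlib.sha256(data).hexdigest(),
        is_pe=sections is not None,
        sections=sections or [],
        upx_hint=any(n.startswith(UPX_SECTION_PREFIXES) for n in (sections or [])),
    )


def build_sample_pe(section_names: List[str]) -> bytes:
    """Construct a minimal, non-executable PE skeleton (constructed test data)."""
    mz = bytearray(0x40)
    mz[:2] = b"MZ"
    struct.pack_into("<I", mz, 0x3C, 0x40)  # e_lfanew: PE header right after the stub
    # Machine=i386, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader=0, Characteristics
    file_hdr = struct.pack("<HHIIIHH", 0x014C, len(section_names), 0, 0, 0, 0, 0x0102)
    table = b"".join(n.encode("ascii").ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return bytes(mz) + b"PE\0\0" + file_hdr + table


def main(argv: List[str]) -> int:
    if len(argv) != 2:
        print(__doc__)
        return 2
    with open(argv[1], "rb") as f:  # read only; the file is never executed
        report = analyse(f.read())
    for k, v in vars(report).items():
        print(f"{k:9}: {v}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Look the SHA-256 up on the multi-engine scanner before uploading: if the hash is already known, you get the other engines' verdicts without moving the file anywhere. A `upx_hint` of True on a restore-point copy of a program you installed yourself (many legitimate installers are UPX packed) is consistent with the false-positive explanation offered in the thread, but only the multi-engine result settles it.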