Win32:Small-IFZ [Trj]

Viruses and worms
1

Hello Everyone,

I hope some can help me. Avast caught something tonight and I can’t find any information. It detected Win32:Small-IFZ [trj] in LXCEtime.exe which I believe is a file for my Lexmark printer. What’s puzzling me is that Avast says the file was last modified on 7/20/2005. Is this a false positive or something of which I should be concerned?

Thanks in advance for any assistance.

2

To know if a file is a false positive, please submit it to VirusTotal and let us know the result. If it is indeed a false positive, send it in a password protected zip to virus@avast.com
Please, mention in the body of the message why you think it is a false positive and the password used. Thanks.
Other possibility is JOTTI. VirusTotal and Jotti both have file size limits 10 and 15MB each.

As a workaround, you can add these files to the Standard Shield provider (on-access scanning) exclusion list.
Left click the ‘a’ blue icon, click on the provider icon at left and then Customize. Go to Advanced tab and click on Add button…
You can use wildcards like * and ?. But be carefull, you should ‘exclude’ that many files that let your system in danger.
After that, please, periodically check it - scan it into Chest, right clicking the file - there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected as being infected then you can also remove it from the Exclusion list.

This link is a tutorial on how to help correct a virus detection that you believe to be false:
http://forum.avast.com/index.php?topic=25009.msg204838#msg204838
or http://forum.avast.com/index.php?topic=7779.msg62586#msg62586

3

Will do. Thanks for the quick reply!

4

The file has been sent. On a whim, I deleted the file, uninstalled my printer, and downloaded the latest install package from Lexmark (for a Lexmark P4350). During the installation, I received alerts on lxceserv.exe, lxceupld.exe, lxceview.exe, and, again, lxcetime.exe. I can send you three other files if you wish. Thanks again for the assistance.

5

I have also had a number of virus warnings. Submitted to virustotal and only avast shows them as positive

7/11/2007 2:59:30 PM SYSTEM 1740 Sign of “Win32:Small-IFZ [trj]” has been found in “C:\Windows\System32\spool\drivers\w32x86\3\dlciview.exe” file.
7/11/2007 2:57:24 PM SYSTEM 1740 Sign of “Win32:Small-IFZ [trj]” has been found in “C:\Windows\System32\spool\drivers\w32x86\3\dlciupld.exe” file.
7/11/2007 2:57:24 PM SYSTEM 1740 Sign of “Win32:Small-IFZ [trj]” has been found in “C:\Windows\System32\spool\drivers\w32x86\3\dlcitime.exe” file.
7/11/2007 2:46:32 PM SYSTEM 1740 Sign of “Win32:Small-IFZ [trj]” has been found in “C:\Windows\System32\spool\drivers\w32x86\3\dlcitime.exe” file.

6

ook… send one or more files to virus[at]avast[dot]com in a password protected archive… we will add these files to our cleanset… fill in “false positive” as the subject :wink:

7

I also had this problem last night with my Lexmark printer drivers/exe files…Is it definately safe to return them to their original places from the vault? I ask because last night I had a virus warning when I looked at my Gmail account. I was thinking maybe it slipped through and targetted the Lexmark files??? The reported virus was the infamous “Loveletter {VBS}”…

8

I have also had an e-mail arrive that isn’t viewable, addressed from my sister. I use gmail notify, and it says there is an e-mail from her, but it is nowhere to be found in gmaiul, also not in spam folder or deleted items…

9

I too have had a similar experience as Masefield has had.
Last night avast! detected Win32:Small-IFZ on 8 of my Lexmark printer files. I deleted these files, then uninstalled my printer. I rebooted, then reinstalled the printer from the supplied Lexmark CD.
I then ran a quick scan, and avast! found the same infection on the newly installed files.
These files are now quarantined until I know more.
I have already emailed the files to avast!

10

Most probably a false positive. You took the right decision: send to Chest is smarter than just delete.
Now you can scan the files into Chest and when they are shown as clean you can restore them back.

11

Many thanks for that.

12

You’re welcome 8)

13

I was also hit by this “trojan” last night. It says its located in C:\Program Files\Lexmark 2300 Series\Drivers\I386\lxcgserv.exe

Avast also identifies the following as containing the same trojan…lxcgtime.exe lxcgview.exe and a few more lxcg…exe files.

However, when I try to delete or move these files to the chest it says Access is denied and a message as follows "Cannot process “C:\Program Files\Lexmark 2300 Series\Drivers\I386\lxcgserv.exe” file

Can anyone advise me as to whether this is actually a virus or just an error with Avast. No other anti-virus software is detecting it. What should I do to stop Avast identifying it as a trojan?

Thanks

14

It must be a false positive.
See the workaround on #1.

15

the FP is fixed now… can you update your VPS and confirm it?

16

Following the latest virus data base update, all of the previously infected Lexmark printer files in my quarantine chest have now been rescanned and declared virus free. All now restored and in order. Thank you.