ESET & TurboTax files: False Positives?

It appears several ESET NOD32 users are having an issue with threats identified in TurboTax files. (See https://ttlc.intuit.com/post/show_f...ects-certain-turbotax-files-as-possible-virus)

For all I know, these are false positives. But based on the fact that ESET detected the following threat prior to picking up on a cascade of threats in TurboTax, I'm wondering if the initial infection of Java/Agent.CA trojan caused subsequent problems or infections in my TurboTax files.

Here's the first threat identified by ESET on 5/25 during a regularly scheduled scan. It does not appear to be targeting TurboTax files.

C:Users\*Username*\AppData\Local\Low\Sun\Java\Deployment\cache6.0256a752759-66971b4f » ZIP » Lware.class - Java/Agent.CA trojan - was a part of the deleted object

The next two alerts occurred as the result of real-time protection -- not a scheduled scan:

5/29/2011 7:27:05 PM
Real-time file system protection file
C:WindowsInstaller$PatchCache$Managed5F579832AAEB210DA4B0000000000009.0.236\_lld.2.8v.niW.2scitsigarfnI_rgnerepw_
probably a variant of Win32/PSW.OnLineGames.FRWEPAN trojan
cleaned by deleting - quarantined
NT AUTHORITYSYSTEM
Event occurred during an attempt to access the file by the application: C:WindowsSystem32svchost.exe.

5/29/2011 7:29:11 PM
Real-time file system protection file C:WindowsInstaller$PatchCache$ManagedB00E525A9066E244D9DC4654C332E3D810.0.307\_lld.2.8v.niW.2scitsigarfnI_tib23_rgnerepw_
probably a variant of Win32/PSW.OnLineGames.FRWEPAN trojan
cleaned by deleting - quarantined
NT AUTHORITYSYSTEM
Event occurred during an attempt to access the file by the application: C:WindowsSystem32svchost.exe.

Then, a few minutes later, EST picked up on this. It's the first time I see TurboTax appearing in the threat log:

5/29/2011 7:41:33 PM
Real-time file system protection file
C:\PROGRAM FILES\TURBOTAX\32BIT\INFRAGISTICS2.WIN.V8.2.DLL probably a variant of Win32/PSW.OnLineGames.FRWEPAN trojan
cleaned by deleting - quarantined NT AUTHORITY\SYSTEM
Event occurred during an attempt to access the file by the application: C:WindowsSystem32svchost.exe.

During a scan a few hours later, ESET later detected the same Trojan variant in a TurboTax 2009 .dll file:

Crogram\Files\TurboTaxHome & Business 2009\32bit\Infragistics2.Win.v8.2.dll

The next morning, another scan caught the same Trojan variant in this TurboTax 2010 .dll file:

Crogram Files\Intuit\Turbo Tax\TY10\PER\MSI\WinPerReleaseEngine.msi

...and also in that same file within TurboTax 2009:

Crogram Files\Intuit\Turbo Tax\TY09\PER\MSI\WinPerReleaseEngine.msi

I've since quarantined several files and deleted those that ESET couldn't quarantine. The result is that TurboTax no longer launches.

I contacted ESET support asking if, in their opinion, these TurboTax detections are false positives. I received a bit of a boilerplate response basically describing how I can configure ESET to keep from scanning TurboTax files.

But here's my question: Are these, in ESET's opinion, genuine threats? It's interesting that other TurboTax/ESET users are experiencing the same issues at the same time.

Thanks in advance for any insights you can offer.

 

You must be using an outdated signature database. This FP was fixed several days ago.

 

Thanks for the fast reply. So these were known FPs?

I have NOD32 configured to update hourly, so I guess I got caught in a pretty narrow window.

If these are known FPs, then I'm happy. I'll just reinstate/reinstall the files and all should be fine.

Thanks again.

 

There is no need to reinstall your software, assuming it is current and that your virus signatures are current. Updating hourly via your scheduler is every sixty minutes by default.

If only the TurboTax files were quaratined you may remove them. Awaiting further details.

Thanks.

 

I think he's referring to reinstalling the files that were removed as FPs, rather than reinstalling ESET.


Jim

 

It should be ok just to restore them from quarantine. This can be done globally on all computers using ERA.

 

Thanks guys. Yes, I was referring to reinstalling TurboTax 2010, which is one fix that someone on the TurboTax board suggested.

But if these truly are FPs, then restoring them out of quarantine ought to do the trick.

Bottom line....based on your responses, it appears these TurboTax files, once restored or reinstalled (whichever method successfully gets TurboTax operating again), should pose no threat to my system. And that's precisely what I needed to know.

Thanks again.

 

You are welcome, let us know if we can be of further assistance.

Regards,