Avast WEBforum

Other => Viruses and worms => Topic started by: crofty59 on November 06, 2006, 05:28:44 AM

Title: Win32: Agent-SG[Trj}
Post by: crofty59 on November 06, 2006, 05:28:44 AM
Hi
Did a boot scan and it picked up 2 viruses.

One was Win32:Adware-gen; I did a check on VirusTotal and it came up clean, even avast states it's clean.

File C:\Documents and Settings\PeDrO\My Documents\!!..JeNnAz!!\×_Odd.Bits.And.Bobs]].«3\×_DownLoads]].«3\FeLiX.exe is infected by Win32:Adware-gen. [Adw]
Have sent off to Alwil for testing.

I also got this, but I'm not sure if it can be quarantined or not:
File C:\pagefile.sys is infected by Win32:Agent-SG [Trj]

This only shows up on a bootscan.

Is this okay to quarantine? I tried checking it out but could not find anything that I could understand.

Cheers
Title: Re: Win32: Agent-SG[Trj}
Post by: igor on November 06, 2006, 11:49:22 AM
The content of the pagefile is not reused (when Windows boots up) - so it doesn't really matter what's inside. I'd suggest ignoring the file (i.e. not moving or deleting it).
Title: Re: Win32: Agent-SG[Trj}
Post by: crofty59 on November 06, 2006, 01:21:03 PM
Thanks igor

I will do as you have suggested and just leave it.
Thanks a million for your help, very much appreciated.

Cheers
Title: Re: Win32: Agent-SG[Trj}
Post by: igor on November 06, 2006, 04:29:58 PM
I'm slightly curious, however, how the Agent-SG signature got there. It is actually possible that it's a false alarm, but it looks like it belongs to a dialer.
Try to run ashQuick.exe "*MEMORY" to see if anything is detected in memory.
Title: Re: Win32: Agent-SG[Trj}
Post by: crofty59 on November 07, 2006, 05:31:28 AM
I'm slightly curious, however, how the Agent-SG signature got there. It is actually possible that it's a false alarm, but it looks like it belongs to a dialer.
Try to run ashQuick.exe "*MEMORY" to see if anything is detected in memory.


Hi

I am not very computer savvy; I did try but could not get it to go, most likely I stuffed it up.

I am using Windows XP Home and have Avast Pro installed.

Some directions may help me.

Cheers
Title: Re: Win32: Agent-SG[Trj}
Post by: Lisandro on November 07, 2006, 12:29:04 PM
I am not very computer savvy; I did try but could not get it to go, most likely I stuffed it up.
Some directions may help me.
Start Menu > Run
Write down there: "C:\Program Files\Alwil Software\Avast4\ashQuick.exe" "*MEMORY"

But Igor, some false positives should be there  ::) ???
Title: Re: Win32: Agent-SG[Trj}
Post by: crofty59 on November 07, 2006, 01:03:39 PM
Hi Tech

I tried it but it keeps coming up saying it can't find the path, etc., to check that I have put in the right path.
 
I did a search and the only ashQuick.exe that comes up is in the C:\Windows\Prefetch folder; is this correct or am I losing the plot?
I have clicked to show hidden folders, files, etc.

I appreciate your help, but I am not sure how much longer I can stay on, so if I should disappear I am not being rude.


Cheers Crofty59
Title: Re: Win32: Agent-SG[Trj}
Post by: polonus on November 07, 2006, 01:36:36 PM
Hi crofty59,

Go here and get this adware from your comp: http://www.spywareguide.com/product_show.php?id=30

polonus
Title: Re: Win32: Agent-SG[Trj}
Post by: Lisandro on November 07, 2006, 02:52:48 PM
I tried it but it keeps coming up saying it can't find the path, etc., to check that I have put in the right path.
I did a search and the only ashQuick.exe that comes up is in the C:\Windows\Prefetch folder; is this correct or am I losing the plot?
No. The prefetched version is not good.
Where is your avast installed? There should be the ashquick.exe file.
I've posted the default folder, where did you install avast?
You have to use two pairs of quotes, like I've posted before.

I appreciate your help, but i am not sure how much longer i can stay on, so if i should disappear i am not being rude.
Sure. Don't worry my friend.
Title: Re: Win32: Agent-SG[Trj}
Post by: DavidR on November 07, 2006, 03:38:51 PM
@crofty59
The prefetch is only designed to speed up the loading of files; it gives HDD cluster information, etc., it isn't the original file.

Try this path in the run command, Tech's is likely to be incorrect for your setup:
"C:\Program Files\Alwil Software\Avast4\ashQuick.exe" "*MEMORY", this works on mine
Title: Re: Win32: Agent-SG[Trj}
Post by: crofty59 on November 08, 2006, 06:36:48 AM
Hi crofty59,

Go here and get this adware from your comp: http://www.spywareguide.com/product_show.php?id=30

polonus
Hi polonus, I have bookmarked the web site, will check it out.

Cheers crofty59


No. The prefetched version is not good.
Where is your avast installed? There should be the ashquick.exe file.
I've posted the default folder, where did you install avast?
You have to use two pairs of quotes, like I've posted before.

Hi tech
I installed in the default folder. I can find an icon in the Avast folder for ashQuick but not ashQuick.exe.
 
I ended up getting it to work, I put in what David had posted. I was putting in the wrong path.

@crofty59
The prefetch is only designed to speed up the loading of files it gives HDD cluster information, etc., it isn't the original file.

Try this path in the run command, Tech's is likely to be incorrect for your setup:
"C:\Program Files\Alwil Software\Avast4\ashQuick.exe" "*MEMORY", this works on mine


Hi DavidR
Your path you posted worked like a charm. Thanks

Cheers crofty59

I'm slightly curious, however, how the Agent-SG signature got there. It is actually possible that it's a false alarm, but it looks like it belongs to a dialer.
Try to run ashQuick.exe "*MEMORY" to see if anything is detected in memory.


Hi igor
Ran the scan and this is what I got:
File name Process 876, memory block 0x01880000, block size 1814528
Malware name Win32:Agent-SG [Trj]
Malware Type Trojan Horse
VPS version 0642-2 07/11/06

File name Process 876, memory block 0x02B10000 block size 1814528
Malware name Win32:Agent-SG [Trj]
Malware Type Trojan Horse
VPS version 0642-2 07/11/06

I tried posting screenshots but it didn't work.
Hope this helps.

Cheers crofty59
Title: Re: Win32: Agent-SG[Trj}
Post by: Lisandro on November 08, 2006, 11:38:19 AM
But Igor, some false positives should be there  ::) ???
::) ??? Igor?
Title: Re: Win32: Agent-SG[Trj}
Post by: igor on November 08, 2006, 11:51:37 AM
Can you find out what these Win32:Agent-SG [Trj] detections correspond to? I mean, if you run Process Explorer (http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/ProcessExplorer.mspx) and check the process with ID 876 (or whatever the virus dialog shows in the particular case)... what is it?
Additionally, if you select this process (in Process Explorer) and press Ctrl+D to display the DLLs in the lower pane - is there any DLL where the reported addresses (e.g. 02B10000) would fall into?
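The triage step igor describes (take the process and block address from the ashQuick memory hit, then check whether that address falls inside any module Process Explorer lists for the process) can be done by hand, but as an added example that is not part of this thread, here is a small Python helper that performs the same check. The scan lines and the module list for PID 876 are constructed for the example, not captured from crofty59's machine.

```python
import re

# Constructed sample of ashQuick "*MEMORY" output, in the shape quoted in this thread
# (hypothetical values, not a real capture).
SCAN_OUTPUT = """\
File name Process 876, memory block 0x01880000, block size 1814528
Malware name Win32:Agent-SG [Trj]
File name Process 876, memory block 0x02B10000 block size 1814528
Malware name Win32:Agent-SG [Trj]
"""

# Constructed module list for PID 876 as Process Explorer's DLL pane (Ctrl+D) would show it:
# (module name, base address, image size). Addresses and sizes are made up for the example.
MODULES_876 = [
    ("MsMpEng.exe", 0x00400000, 0x00014000),
    ("ntdll.dll",   0x7C900000, 0x000B2000),
    ("shlwapi.dll", 0x77F60000, 0x00076000),
]

# The line format quoted in the thread is not fully consistent (comma optional before
# "block size"), so accept both spellings.
HIT_RE = re.compile(
    r"Process (\d+), memory block 0x([0-9A-Fa-f]+),? block size (\d+)")

def parse_hits(scan_text):
    """Return one (pid, block_base, block_size) tuple per detection line."""
    return [(int(pid), int(base, 16), int(size))
            for pid, base, size in HIT_RE.findall(scan_text)]

def module_for(addr, modules):
    """Name of the loaded module whose mapped range contains addr, else None.

    None means the flagged block lies outside every image: heap or other private
    memory, which is where a scanner's own loaded signature data would sit.
    """
    for name, base, size in modules:
        if base <= addr < base + size:
            return name
    return None

def triage(scan_text, modules):
    """Attribute each flagged block to a module (or None) for follow-up."""
    return [(pid, hex(base), size, module_for(base, modules))
            for pid, base, size in parse_hits(scan_text)]

if __name__ == "__main__":
    for pid, base, size, mod in triage(SCAN_OUTPUT, MODULES_876):
        print(f"PID {pid} block {base} ({size} bytes): "
              f"{mod or 'not inside any loaded module'}")
```

A block that matches no module, with the same block size on every hit, points at data the process itself allocated rather than at injected or loaded code, which is consistent with the outcome reached later in the thread.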
Title: Re: Win32: Agent-SG[Trj}
Post by: crofty59 on November 08, 2006, 01:22:58 PM
Hi

Belongs to Windows Defender
I ran Process Explorer; ID 876 is MsMpEng.exe, Service Executable, Microsoft Corporation.

I pressed Ctrl+D but nothing came up with addresses; all there was:
Name   Description     Company Name   Version

Cheers
Title: Re: Win32: Agent-SG[Trj}
Post by: igor on November 08, 2006, 01:55:17 PM
Hmm... that's not good  >:(
I may be wrong, but it sounds like Windows Defender has unencrypted malware signatures in memory...
Title: Re: Win32: Agent-SG[Trj}
Post by: crofty59 on November 08, 2006, 01:57:51 PM
Hi

You are right, it certainly doesn't sound good.

I may post on their newsgroup and see what they have to say.
Cheers
Title: Re: Win32: Agent-SG[Trj}
Post by: igor on November 08, 2006, 02:06:31 PM
Well, I guess I'll make somebody reproduce the problem here first... I would like to see the corresponding memory block (the one where the virus signature is found) before making conclusions.
Title: Re: Win32: Agent-SG[Trj}
Post by: crofty59 on November 08, 2006, 02:10:12 PM
Well, I guess I'll make somebody reproduce the problem here first... I would like to see the corresponding memory block (the one where the virus signature is found) before making conclusions.


How do I go about doing that, as I have not got a clue?

Cheers
Title: Re: Win32: Agent-SG[Trj}
Post by: igor on November 08, 2006, 03:00:55 PM
What version of Windows Defender is that?
Title: Re: Win32: Agent-SG[Trj}
Post by: Lisandro on November 08, 2006, 03:16:19 PM
Can you find out what these Win32:Agent-SG [Trj] detections correspond to? I mean, if you run Process Explorer (http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/ProcessExplorer.mspx) and check the process with ID 876 (or whatever the virus dialog shows in the particular case)... what is it?
\Windows Defender\MsMpEng.exe
\Common Files\Softwin\BitDefender Scan Server\bdss.exe

Additionally, if you select this process (in Process Explorer) and press Ctrl+D to display the DLLs in the lower pane - is there any DLL where the reported addresses (e.g. 02B10000) would fall into?
C:\WINDOWS\system32\shlwapi.dll
\Common Files\Softwin\BitDefender Scan Server\bdcore.dll
C:\WINDOWS\system32\xcomm.dll

What version of Windows Defender is that?
Title: Re: Win32: Agent-SG[Trj}
Post by: crofty59 on November 09, 2006, 03:41:38 AM
Hi

My version of Windows Defender is Final Version 1.1.1592.0.

I ran another ashQuick memory scan, and the process has changed. It was 876.

Now it is Process 912 memory block 0x01880000, block size 1814528
Malware name Win32:Agent-SG [Trj]
Malware Type Trojan Horse
VPS version 0642-2 07/11/06

I ran Process Explorer; ID 912 is MsMpEng.exe, Service Executable, Microsoft Corporation.

I only get one virus warning now; I did delete what was in quarantine in Windows Defender.

When I get the virus warning, can I send it to the chest and send it off to Alwil?
If this can be done, will I just leave it in the chest or restore it?

Cheers
Title: Re: Win32: Agent-SG[Trj}
Post by: crofty59 on November 09, 2006, 08:46:39 AM
Hi

I uninstalled Windows Defender, ran an ashQuick scan and it came up clean.

Reinstalled Windows Defender, updated signatures and ran the scan again; it came up with Win32:Agent-SG [Trj] again.

Process 912 memory block 0x020f0000  block size 1814528
Malware name Win32:Agent-SG [Trj]
Malware Type Trojan Horse
VPS version 0642-2 07/11/06

Cheers crofty59
Title: Re: Win32: Agent-SG[Trj}
Post by: Lisandro on November 09, 2006, 11:57:52 AM
I ran another ashQuick memory scan, and the process has changed. It was 876.
It's normal, I mean, the ID number changes.

When I get the virus warning, can I send it to the chest and send it off to Alwil?
If this can be done, will I just leave it in the chest or restore it?
I think you can't... there isn't such an option scanning the memory...
Title: Re: Win32: Agent-SG[Trj}
Post by: crofty59 on November 09, 2006, 01:21:02 PM
Hi Tech

Thanks for letting me know that it's normal for the ID to change.

Also thanks for the info about the virus chest with memory.

Should I uninstall Windows Defender and look for a different malware scanner, etc.? Or should I just ignore this virus warning I keep getting?

Cheers
Title: Re: Win32: Agent-SG[Trj}
Post by: Lisandro on November 09, 2006, 03:09:29 PM
Should I uninstall Windows Defender and look for a different malware scanner, etc.? Or should I just ignore this virus warning I keep getting?
No. You don't have to uninstall Windows Defender.
Probably Igor will say something to MS support. They (MS) should encrypt the signatures loaded in the memory  :P :-[
That's not a virus (infection), just a signature that is not encrypted and it is detected by avast.
Title: Re: Win32: Agent-SG[Trj}
Post by: crofty59 on November 10, 2006, 05:02:10 AM
Should I uninstall Windows Defender and look for a different malware scanner, etc.? Or should I just ignore this virus warning I keep getting?
No. You don't have to uninstall Windows Defender.
Probably Igor will say something to MS support. They (MS) should encrypt the signatures loaded in the memory  :P :-[
That's not a virus (infection), just a signature that is not encrypted and it is detected by avast.

Thanks Tech, I will definitely leave it installed.

Cheers Crofty59
Title: Re: Win32: Agent-SG[Trj}
Post by: crofty59 on December 04, 2006, 07:09:42 AM
Hi all

I ran a bootscan today and it comes up clean.

Just curious that if I do an ashQuick memory scan I still get this:
Malware name Win32:Agent-SG [Trj]
Malware Type Trojan Horse

When I originally got this I also had C:\pagefile.sys show up in the bootscan.

Also, when you do a normal scan doesn't avast also do a memory scan? Again, just curious why it doesn't show up there as well.

Cheers