Avast WEBforum

Other => Viruses and worms => Topic started by: WHY on November 29, 2006, 01:08:42 PM

Title: WTF is Win32:Agent-DEP [Drp]
Post by: WHY on November 29, 2006, 01:08:42 PM
I use QuickBooks pro 2000, copied from a friend, and have not used it since I started using Avast. Weekly scans are clean. But when I opened QB and went to invoices, the avast warning thing popped up and brought an otherwise productive day to a screeching halt. I have searched for more info on Win32:Agent-DEP [Drp], but the only place I have found anything is on the avast VSP history 27.11.2006 - 0651-0. And this topic in this forum http://forum.avast.com/index.php?topic=25171.0 is the only thing I can find for Win32:Agent (other than the "We'll remove your virus, for only $49.98!" ads). Now my question: is this so new that nobody has any info on it, or is it part of the program I was using and not a problem? Any info would be much appreciated.

UPDATE: a complete scan shows that only some Intuit (QB) files are infected and nothing else. The dates they were changed are before 7/10/2005. No other previous scans detected anything. So does this mean that Win32:Agent-DEP [Drp] was dormant. Or what???
Title: Re: WTF is Win32:Agent-DEP [Drp]
Post by: Lisandro on November 29, 2006, 03:45:21 PM
Quote from: WHY
So does this mean that Win32:Agent-DEP [Drp] was dormant. Or what???
Well... could be... I'll suggest that you:
1) Disable System Restore on Windows XP: http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;310405
2) Clean your temporary files.
3) Schedule a boot time scanning with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot.
4) Download, install, update and run other trojan remover tools:
    a-squared (http://www.emsisoft.com/en/software/free/)
    Free AVG Antispyware (http://www.ewido.net/en/)
    SUPERantispyware (http://www.superantispyware.com)
    Spyware Terminator (http://www.spywareterminator.com/)
Title: Re: WTF is Win32:Agent-DEP [Drp]
Post by: WHY on November 29, 2006, 04:31:31 PM
Thanks, Tech. I've used AVG and a-squared; I'll try the others.

I still haven't found anything about Win32:Agent. What is it: a virus, worm, trojan or other??? Or how much damage might it cause?
Title: Re: WTF is Win32:Agent-DEP [Drp]
Post by: DavidR on November 29, 2006, 05:15:06 PM
It is a Trojan and the [Drp] I would say is for dropper, indicating that it probably drops or downloads other files?

However I would confirm the detection.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner (http://www.virustotal.com/xhtml/index_en.html)
Or Jotti - Multi engine on-line virus scanner (http://virusscan.jotti.org/). If any other scanners here detect them it is less likely to be a false positive. You can't do this with the file in the chest, you will need to move it out.

If it is indeed a false positive, add it to the exclusions lists (Standard Shield, Customize, Advanced and Program Settings, Exclusions) and periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the Standard Shield and Program Settings, exclusions.
Also see (Mini Sticky) False Positives (http://forum.avast.com/index.php?board=2;action=display;threadid=7779), how to report and what to do to exclude them until the problem is corrected.

Quote from: WHY
I use QuickBooks pro 2000, copied from a friend, and have not used since I started using Avast.
However, since the origin of QB is suspect, you got it from a friend, who got it from where? We obviously can't condone how you came by this program, but when not got from an authorised source it is quite possible you could have also received an unwanted gift.
Title: Re: WTF is Win32:Agent-DEP [Drp]
Post by: WHY on November 29, 2006, 09:09:11 PM
Quote
We obviously can't condone how you came by this program
I just looked and it is an original CD I installed from, which still doesn't explain why only the QB files are infected.
Title: Re: WTF is Win32:Agent-DEP [Drp]
Post by: FreewheelinFrank on November 29, 2006, 09:18:25 PM
As David said, it could be a false positive identification, which all anti-malware programs suffer from, from time to time. You need to follow the procedure David mentioned and send the file detected to avast! so they can alter the malware signature so that it no longer detects the legitimate program.
Title: Re: WTF is Win32:Agent-DEP [Drp]
Post by: Lisandro on November 29, 2006, 09:52:53 PM
As a workaround, you can add these files to the Standard Shield provider (on-access scanning) exclusion list.
Left click the 'a' blue icon, click on the provider icon at left and then Customize. Go to Advanced tab and click on Add button...
You can use wildcards like * and ?. But be careful, you should 'exclude' that many files that let your system in danger.