Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: 515910298 on September 03, 2007, 10:19:34 AM

Title: Win32:Agent
Post by: 515910298 on September 03, 2007, 10:19:34 AM

2007-9-3 15:20:21   Administrator   1604   Sign of "Win32:Agent-IVW [Trj]" has been found in "C:\dosh\ghos\1KG_su.exe" file. 
2007-9-3 15:20:51   Administrator   1604   Sign of "Win32:Agent-IVW [Trj]" has been found in "C:\dosh\ghos\del_gho" file. 
2007-9-3 15:20:58   Administrator   1604   Sign of "Win32:Zlob-ACD [Trj]" has been found in "C:\dosh\ghos\fr" file. 
2007-9-3 15:21:13   Administrator   1604   Sign of "Win32:Agent-IVW [Trj]" has been found in "C:\dosh\ghos\gho_run.exe" file. 
2007-9-3 15:27:18   Administrator   1604   Sign of "Win32:Agent-CHS [Trj]" has been found in "C:\SDRC\I-DEAS9\ideas\mech\ADAMS\common\aview.dll" file. 
2007-9-3 15:27:48   Administrator   1604   Sign of "Win32:Agent-CHS [Trj]" has been found in "C:\SDRC\I-DEAS9\ideas\mech\ADAMS\ppt\aview.dll" file. 
2007-9-3 15:37:12   Administrator   1604   Sign of "Win32:Adware-gen. [Adw]" has been found in "C:\WINNT\ServicePackFiles\i386\ssmarque.scr" file. 
2007-9-3 15:41:08   Administrator   1604   Sign of "Win32:Adware-gen. [Adw]" has been found in "C:\WINNT\system32\ssmarque.scr" file. 

???

Title: Re: Win32:Agent
Post by: FreewheelinFrank on September 03, 2007, 01:30:57 PM

Hi 515910298,

To confirm detections, submit the file to VirusTotal (http://www.virustotal.com/).

This one looks like a real detection- ssmarque.scr:

http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=37397 (http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=37397)

The others VirusTotal will confirm.

If you have the file in the chest, you will need to extract them, then temporarily disable avst while you submit them to VirusTotal (http://www.virustotal.com/).

Title: Re: Win32:Agent
Post by: Lisandro on September 04, 2007, 05:43:54 AM

If a virus is replicant (coming and coming again), you could follow the general cleaning procedure:

1. Disable System Restore on Windows ME (http://support.microsoft.com/default.aspx?scid=kb;en-us;Q264887) or Windows XP (http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;310405). System Restore cannot be disabled on Windows 9x and it's not available in Windows 2k. After boot you can enable System Restore again after step 3.

2. Clean your temporary files. You can use CleanUp (http://www.stevengould.org/downloads/cleanup/) or the Windows Advanced Care (http://www.iobit.com/AdvancedWindowsCarePersonal/index.html) features for that.

3. Schedule a boot time scanning with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot. Other option is scanning in SafeMode (http://support.microsoft.com/default.aspx?scid=kb;en-us;315222) (repeatedly press F8 while booting).

4. It will be good if you download, install, update and run AVG Antispyware (http://www.ewido.net/en/). Some users recommend SUPERantispyware (http://www.superantispyware.com), Spyware Terminator (http://www.spywareterminator.com/) and/or a-squared (http://www.emsisoft.com/en/software/free/) (take care about false positives).
If any infection is detected, better and safer is send the file to Quarantine than to simple delete than.

5. If you still detecting any strange behavior or even you're sure you're not clean, maybe it will be good to test your machine with anti-rootkit applications (http://www.antirootkit.com/software/index.htm). I suggest AVG (http://www.grisoft.com/doc/download-free-anti-rootkit/us/crp/0), Panda (http://research.pandasoftware.com/blogs/research/archive/2007/04/27/New-Panda-Anti_2D00_Rootkit-_2D00_-Version-1.07.aspx) and/or F-Secure BlackLight (http://www.f-secure.com/blacklight/try_blacklight.html).

6. Also, if you still detecting strange behaviors or you want to be sure you're clean, maybe making a HijackThis (http://www.bleepingcomputer.com/files/hijackthis.php) log to post here and, specially, scan and submit to on-line analysis the RunScanner (http://www.runscanner.net/) log would help to identify the problem and the solution.

7. After you're clean, use the immunization of SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html) or, which is better, the  Windows Advanced Care (http://www.iobit.com/AdvancedWindowsCarePersonal/index.html) features of spyware/adware cleaning and removal.

8. Finally, when you're clean, check for insecure applications with Secunia Software Inspector (http://secunia.com/software_inspector/) to update insecure applications and avoid reinfection.