Avast WEBforum

Topic started by: fazio93 on May 14, 2008, 10:51:25 PM

Title: what is this warning/error
Post by: fazio93 on May 14, 2008, 10:51:25 PM
5/13/2008 5:04:09 PM   SYSTEM   1484   AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\WINDOWS\system32\shmgrate.exe (C:\WINDOWS\system32\shmgrate.exe) returning error, 00000005. 

5/13/2008 5:04:09 PM   SYSTEM   1484   AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\WINDOWS\system32\shmgrate.exe failed, 00000005. 

Title: Re: what is this warning/error
Post by: DavidR on May 15, 2008, 12:37:06 AM
The 00000005, Windows error 5 = Access is denied.

There may well be a legitimate reason for access to be denied, but this one may be a Trojan and something is protecting it (Google search for the file name: http://www.google.co.uk/search?q=shmgrate.exe). See one of the Google returns, http://www.liutilities.com/products/wintaskspro/processlibrary/shmgrate/.

If you can, try to upload the file to VirusTotal for a scan: check the offending/suspect file at VirusTotal - Multi engine on-line virus scanner (http://www.virustotal.com/) and report the findings here. I feel VirusTotal is the better option as it uses the Windows version of avast (more packers supported) and there are currently over 30 different scanners.

If you have XP, Vista 32-bit or Win2k, you could enable a boot-time scan. Right click the avast icon, select Start avast! Antivirus, Menu, 'Schedule boot-time scan...' Or see http://www.digitalred.com/avast-boot-time.php. This may well be able to scan it outside of Windows and possibly bypass this protection.

The boot-time scan might take a little time but may well be worth it just in case there might be something else, rather than use the advanced options to restrict the scan to the system32 folder.

What is your OS, XP Home/Pro?
What is your firewall?

If you haven't already got this software (freeware), download, install, update and run it, preferably in safe mode, and report the findings (it should produce a log file).
1.  If using WinXP or Vista: SUPERantispyware (http://www.superantispyware.com), On-Demand only in free version. Or Spyware Terminator (http://www.spywareterminator.com/), Resident scanner (if you use this don't install the toolbar or crawler or the anti-virus module). Or a-Squared free (http://www.emsisoft.com/en/software/free/), On-Demand only with free version (if using Win98/ME).
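
An added example, not part of the original thread and not Avast's own tooling: a small parser for the two AAVM log line shapes quoted in the first post, which groups entries per file and decodes the trailing code. It assumes the 8-digit code is a hexadecimal Win32 error; only 00000005 = access denied comes from the thread, and the third sample line is constructed.

```python
import re
from collections import defaultdict

# Win32 error codes from winerror.h. Only code 5 appears in the thread;
# the others are added here for illustration.
WIN32_ERRORS = {0x02: "ERROR_FILE_NOT_FOUND", 0x03: "ERROR_PATH_NOT_FOUND",
                0x05: "ERROR_ACCESS_DENIED", 0x20: "ERROR_SHARING_VIOLATION"}

CODE = r"(?P<code>[0-9A-Fa-f]{8})\."  # assumed to be hexadecimal
PATTERNS = [
    # warning shape: "<func> [UNI]: <path> (<path>) returning error, <code>."
    re.compile(r"scanning warning: \S+ \[\w+\]: (?P<path>.+) \((?P=path)\) "
               r"returning error, " + CODE),
    # error shape: "<func>: <step> of <path> failed, <code>."
    re.compile(r"scanning error: \S+: \w+ of (?P<path>.+) failed, " + CODE),
]

# Constructed sample: the two lines from the first post plus one invented entry.
SAMPLE = [
    r"5/13/2008 5:04:09 PM   SYSTEM   1484   AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\WINDOWS\system32\shmgrate.exe (C:\WINDOWS\system32\shmgrate.exe) returning error, 00000005.",
    r"5/13/2008 5:04:09 PM   SYSTEM   1484   AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\WINDOWS\system32\shmgrate.exe failed, 00000005.",
    r"5/13/2008 5:06:00 PM   SYSTEM   1484   AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\Documents and Settings\example\ntuser.dat failed, 00000020.",
]

def triage(lines):
    """Return {lower-cased path: sorted decoded error names} for unscanned files."""
    found = defaultdict(set)
    for line in lines:
        for pattern in PATTERNS:
            m = pattern.search(line)
            if m:
                code = int(m.group("code"), 16)
                name = WIN32_ERRORS.get(code, f"UNKNOWN_0x{code:08X}")
                # Windows paths are case-insensitive, so merge on lower case.
                found[m.group("path").lower()].add(name)
                break
    return {path: sorted(names) for path, names in found.items()}

def access_denied(report):
    """Files the scanner was refused outright: the case discussed in the thread."""
    return [path for path, names in report.items() if "ERROR_ACCESS_DENIED" in names]

if __name__ == "__main__":
    for path, names in triage(SAMPLE).items():
        print(path, names)
```

The warning and error lines for the same file collapse into one entry, so a denied file shows up once with its decoded reason.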

Title: Re: what is this warning/error
Post by: oldman on May 15, 2008, 08:10:42 AM
SAS will also run on 98SE/ME.
Title: Re: what is this warning/error
Post by: Vladimyr on May 15, 2008, 08:33:21 AM
So will Spyware Terminator for on-demand scans.
Title: Re: what is this warning/error
Post by: fazio93 on May 15, 2008, 10:45:52 PM
Sorry, never mind.
I saw shmgrate modifying weird files so I put it into quarantined files in CFP. No other app can access it, not even avast scanner, so that's why I was getting the error. (At least I know quarantined files work... :-\)
Title: Re: what is this warning/error
Post by: DavidR on May 15, 2008, 11:36:51 PM
The location that avast was originally trying to scan the file in is not a quarantine area but the windows\system32 folder, so at that point it wasn't in a quarantine.

If CFP allows you to copy/extract the file to a temp location (other than the original location) it shouldn't present a problem so:
a) avast should be able to scan it in the extracted location (as whatever might have been protecting it won't be aware of its new location). It would also allow the other scanners you have to scan it.
b) you should be able to upload it to VirusTotal
c) if avast doesn't detect anything - Send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help and undetected malware in the subject. This should help to improve the avast detections and help other avast users.

Or you can also add the file to the User Files (File, Add) section of the avast chest where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location (where you extracted it to), so any further action you take can remove that.
Title: Re: what is this warning/error
Post by: fazio93 on May 17, 2008, 02:52:36 PM
http://www.virustotal.com/analisis/688b46bbedcbd014feee450af08bffcf
Title: Re: what is this warning/error
Post by: DavidR on May 17, 2008, 03:05:07 PM
Very interesting considering what you said below.
Quote from: fazio93
I saw shmgrate modifying weird files so I put it into quarantined files in CFP.

It is also strange if you have removed it from its original location without complaint from what might be running it or the command to run it so it can do those weird file modifications.

So it would possibly be worth sending it to avast for analysis as a possible undetected malware sample.

Send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help and Possible Undetected Malware in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.
Title: Re: what is this warning/error
Post by: fazio93 on May 17, 2008, 03:36:14 PM
I never moved it though.
Title: Re: what is this warning/error
Post by: sanctuaryforever on May 17, 2008, 04:16:41 PM
My brother's laptop has this logged also every time he starts his laptop up; he has Windows XP Home Edition.