Author Topic: Win32:Agent-OLD [Trj] [Resolved]  (Read 6603 times)


RufusO

  • Guest
Win32:Agent-OLD [Trj] [Resolved]
« on: December 28, 2007, 10:20:33 AM »
Hi!

I have a problem with Win32:Agent-OLD [trj] and there is very little information on the net.

Whilst running a system scan, Avast! reported that "C:\System Volume Information\catalog.wci\00000002.PS2" was a Win32:Agent-OLD trojan.

Being part of an active system process, it was impossible to get rid of. Unless anyone has a workaround, this also prevents me from copying it and sending Avast! a sample for analysis.

I live in France and I got some help from a French message board. I did all the "turn off system restore" stuff. I rebooted in safe mode, scanned my computer with Avast!, Kaspersky online scanner, AVG & AntiVir, ran a whole bunch of spyware programs.

The only program which reports "C:\System Volume Information\catalog.wci\00000002.PS2" as being a Trojan/virus is Avast!

This seems to be a very recent problem. It started on or around the 20th December and may be due to changes in Avast!'s virus definitions. This is why I'm contacting Avast! about this.

Maybe it's a false positive, but I'm not 100% sure.

When Avast! detects "C:\System Volume Information\catalog.wci\00000002.PS2" and I click on the "more info from Avast!" link, 3 pages open in my browser.

One is the Avast! site, the second a "page not found" error and the third...opens a "seek spiritual enlightenment/find God" sort of site.

Someone may be pulling our chains... >:(

Has anybody from avast! or this message board any answers about this, please? I've been trying to solve this problem for the past 4 days and I'm a little tired with it.  >:(

Thanks for any comments & help.  ;D

« Last Edit: December 30, 2007, 06:43:12 PM by RufusO »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67183
Re: Win32:Agent-OLD [Trj]
« Reply #1 on: December 28, 2007, 12:40:36 PM »
Being part of an active system process, it was impossible to get rid of. Unless anyone has a workaround, this also prevents me from copying it and sending Avast! a sample for analysis.
Boot in Safe Mode. Or you must get access rights to that folder, copy the file and send it for analysis, but it's a more 'advanced' procedure.

I live in France and I got some help from a French message board. I did all the "turn off system restore" stuff. I rebooted in safe mode, scanned my computer with Avast!, Kaspersky online scanner, AVG & AntiVir, ran a whole bunch of spyware programs.
Disabling System Restore will delete all old restore points and the infected files with them...

The only program which reports "C:\System Volume Information\catalog.wci\00000002.PS2" as being a Trojan/virus is Avast!
Most probably a false positive.

One is the Avast! site, the second a "page not found" error and the third...opens a "seek spiritual enlightenment/find God" sort of site.
Weird... what's that?
The best things in life are free.

RufusO

  • Guest
Re: Win32:Agent-OLD [Trj]
« Reply #2 on: December 28, 2007, 06:30:14 PM »
I’ll try and keep this short.

One morning around the 20th December, on booting up my system, Windows signaled me that it had to shut down explorer.exe due to something “interfering” with (or was it “writing to”) the System Volume Information folder. It indicated that the problem had occurred the night before. At that time my daughter was using MSN with 2 correspondents (1 Mac/1 Windows). The same night some programs that I was using were slow or crashed.

I ran Avast! and it reported a Win32:Agent-OLD [trj] as a keylogger Trojan. When I clicked on the “Complete our virus report" on the bottom left hand of the window I got these 3 tabs opened in my browser (Firefox beta 3).

How strange that the 3rd site is “trj.com”, a bit like the [trj] in the Trojan. Which leaves the suspicion that it may not be a false positive.

http://www.avast.com/fre/virus-incident-report.php?lang=FRE&name=Rufus&virus=

http://www.o'callaghan&virus=win32.com/

http://www.trj.com/

I have tried to copy the file in safe boot mode in an Administrator role, but the folder is empty and “access is denied”. If anyone has a walkthrough (or a link) for the procedure of how to copy the file I’m very interested.

Whatever happens, the Win32:Agent-OLD [trj] file doesn’t go away even when all the old restore points have been erased.

Thanks for any help.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67183
Re: Win32:Agent-OLD [Trj]
« Reply #3 on: December 28, 2007, 06:39:46 PM »
I have tried to copy the file in safe boot mode in an Administrator role, but the folder is empty and “access is denied”. If anyone has a walkthrough (or a link) for the procedure of how to copy the file I’m very interested.
Files in C:\System Volume Information\ are always access denied, even to Administrators.
You need to grant the access (take the ownership) or allow access to Administrators. It's an advanced procedure. You can delete the old restore points and you'll get rid of these files.

Whatever happens, the Win32:Agent-OLD [trj] file doesn’t go away even when all the old restore points have been erased.
I suggest:

1. Disable System Restore and reenable it after step 3.
2. Clean your temporary files.
3. Schedule a boot time scanning with avast with archive scanning turned on.
4. Use AVG Antispyware, SUPERantispyware and/or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
5. Test your machine with anti-rootkit applications. I suggest AVG or Trend Micro RootkitBuster.
6. Make a HijackThis log to post here or, better, submit the RunScanner log to on-line analysis.
7. Immunize your system with SpywareBlaster or Windows Advanced Care.
8. Check if you have insecure applications with Secunia Software Inspector.
The best things in life are free.
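The thread never spells out the "advanced procedure" for getting a copy of a file out of System Volume Information so it can be hashed and submitted for analysis; the script below is an added example (not Lisandro's, avast's, or any tool's own code). It assumes an elevated PowerShell 4+ session, that the file's original owner is SYSTEM (the default for that folder), and that $Sample is the path the scanner reported; it changes only the one file's owner and DACL and puts both back when done.

```powershell
# Added example: copy a scanner-flagged file out of "System Volume Information"
# for hashing and manual submission, then restore the file's permissions.
# Assumptions: elevated PowerShell 4+ (Get-FileHash), original owner is SYSTEM.
param(
    [string]$Sample  = 'C:\System Volume Information\catalog.wci\00000002.PS2',
    [string]$DestDir = "$env:USERPROFILE\av-samples"
)
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Force -Path $DestDir | Out-Null
$parent  = Split-Path -Parent $Sample
$aclFile = Join-Path $DestDir 'sample-acl.txt'

# 1. Take ownership of just this file for the Administrators group (/A). The owner
#    may read and change the DACL; "bypass traverse checking" (a default
#    Administrators privilege) means the parent folders need not be opened.
takeown /F $Sample /A | Out-Null

# 2. Save the file's current DACL before touching it, then grant read-only access.
icacls $Sample /save $aclFile | Out-Null
icacls $Sample /grant 'BUILTIN\Administrators:(R)' | Out-Null

try {
    # 3. Copy the sample and record its SHA-256 so the submission can be matched
    #    to the scanner report later.
    $copy = Join-Path $DestDir (Split-Path -Leaf $Sample)
    Copy-Item -LiteralPath $Sample -Destination $copy -Force
    $hash = (Get-FileHash -LiteralPath $copy -Algorithm SHA256).Hash
    "$hash  $copy" | Add-Content -LiteralPath (Join-Path $DestDir 'hashes.txt')
    Write-Host "Copied to $copy (SHA256 $hash)"
}
finally {
    # 4. Restore the saved DACL (icacls /restore takes the directory that contains
    #    the saved entry) and hand ownership back to SYSTEM.
    icacls $parent /restore $aclFile | Out-Null
    icacls $Sample /setowner 'NT AUTHORITY\SYSTEM' | Out-Null
}
```

The copy is left in $DestDir for you to submit by hand; nothing is sent anywhere by the script.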

RufusO

  • Guest
Re: Win32:Agent-OLD [Trj]
« Reply #4 on: December 29, 2007, 09:04:26 AM »
Hello!

Thanks for the help.  :)
I hope I'm not submerging you with too much information.  :-\

Avast! boot time report.

28/12/2007 23:34
Analyse de tous les lecteurs locaux
Fichier C:\WINDOWS\Downloaded Installations\{8C5C9D7E-5AAD-4331-8E77-F2D1045D7E33}\3D Home Architect Home Design Deluxe 6.msi\Data1.cab\_DHomeDesign.chm\Tutorials\movies\Adding_Lites_to_Door_and_Window.swf Erreur 42136 {archive CHM corrompue.}
Fichier C:\WINDOWS\Downloaded Installations\{8C5C9D7E-5AAD-4331-8E77-F2D1045D7E33}\3D Home Architect Home Design Deluxe 6.msi\Data1.cab\_DHomeDesign.chm\Tutorials\movies\Customizing_Cabinets.swf Erreur 42136 {archive CHM corrompue.}
Fichier C:\WINDOWS\Downloaded Installations\{8C5C9D7E-5AAD-4331-8E77-F2D1045D7E33}\3D Home Architect Home Design Deluxe 6.msi\Data1.cab\_DHomeDesign.chm\Tutorials\movies\GettingStarted.swf Erreur 42136 {archive CHM corrompue.}
Fichier C:\WINDOWS\Downloaded Installations\{8C5C9D7E-5AAD-4331-8E77-F2D1045D7E33}\3D Home Architect Home Design Deluxe 6.msi\Data1.cab\_DHomeDesign.chm\Tutorials\movies\Painting_Walls.swf Erreur 42136 {archive CHM corrompue.}
Fichier C:\WINDOWS\Downloaded Installations\{8C5C9D7E-5AAD-4331-8E77-F2D1045D7E33}\3D Home Architect Home Design Deluxe 6.msi\Data1.cab\_DHomeDesign.chm\Tutorials\movies\Plant_Encyclopedia.swf Erreur 42136 {archive CHM corrompue.}
Fichier C:\WINDOWS\Downloaded Installations\{8C5C9D7E-5AAD-4331-8E77-F2D1045D7E33}\3D Home Architect Home Design Deluxe 6.msi\Data1.cab\_DHomeDesign.chm\Tutorials\movies\Plant_Maturity_and_Growth_Over_Time.swf Erreur 42136 {archive CHM corrompue.}
Fichier C:\WINDOWS\Downloaded Installations\{8C5C9D7E-5AAD-4331-8E77-F2D1045D7E33}\3D Home Architect Home Design Deluxe 6.msi\Data1.cab\_DHomeDesign.chm\Tutorials\movies\What_are_Footings.swf Erreur 42136 {archive CHM corrompue.}
Fichier C:\WINDOWS\SoftwareDistribution\Download\93a233c2dff315e0408559775486f5b2\BIT54.tmp\legitcheckcontrol.dll Erreur 42127 {archive CAB corrompue.}
Fichier I:\3D Home Architect Design Suite Deluxe v6.0 Retail\Help\3DHomeDesign.chm\Tutorials\movies\Adding_Lites_to_Door_and_Window.swf Erreur 42136 {archive CHM corrompue.}
Fichier I:\3D Home Architect Design Suite Deluxe v6.0 Retail\Help\3DHomeDesign.chm\Tutorials\movies\Customizing_Cabinets.swf Erreur 42136 {archive CHM corrompue.}
Fichier I:\3D Home Architect Design Suite Deluxe v6.0 Retail\Help\3DHomeDesign.chm\Tutorials\movies\GettingStarted.swf Erreur 42136 {archive CHM corrompue.}
Fichier I:\3D Home Architect Design Suite Deluxe v6.0 Retail\Help\3DHomeDesign.chm\Tutorials\movies\Painting_Walls.swf Erreur 42136 {archive CHM corrompue.}
Fichier I:\3D Home Architect Design Suite Deluxe v6.0 Retail\Help\3DHomeDesign.chm\Tutorials\movies\Plant_Encyclopedia.swf Erreur 42136 {archive CHM corrompue.}
Fichier I:\3D Home Architect Design Suite Deluxe v6.0 Retail\Help\3DHomeDesign.chm\Tutorials\movies\Plant_Maturity_and_Growth_Over_Time.swf Erreur 42136 {archive CHM corrompue.}
Fichier I:\3D Home Architect Design Suite Deluxe v6.0 Retail\Help\3DHomeDesign.chm\Tutorials\movies\What_are_Footings.swf Erreur 42136 {archive CHM corrompue.}

Nombre de dossiers parcourus : 13915
Nombre de fichiers analysés : 839113
Nombre de fichiers infectés : 0


+----------------------------------------------------
| Trend Micro RootkitBuster 1.6 Beta.
| Module version: 1.6.0.1052
+----------------------------------------------------


--== Dump Hidden File on C:\ ==--
No hidden files found.

--== Dump Hidden Registry Value on HKLM ==--
[HIDDEN_REGISTRY][Hidden Reg Value]:
   KeyPath   : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg40
   Root      : 0
   SubKey    : jdgg40
   ValueName : ujdew
   Data      : 20 2 0 0 E4 A 82 C ...
   ValueType : 3
   AccessType: 0
   FullLength: 0x4a
   DataSize  : 0x220
[HIDDEN_REGISTRY][Hidden Reg Value]:
   KeyPath   : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg40
   Root      : 0
   SubKey    : jdgg40
   ValueName : ljej40
   Data      : B5 7F F4 64 4B 8D 89 78 ...
   ValueType : 3
   AccessType: 0
   FullLength: 0x4a
   DataSize  : 0x1c9
 2 hidden registry entries found.


--== Dump Hidden Process ==--
No hidden processes found.

--== Dump Hidden Driver ==--
No hidden drivers found.

Run Scanner file
http://www.runscanner.net/report.aspx?report=af9a3cbd-8797-4c7b-8044-89363ed6dc44

« Last Edit: December 29, 2007, 12:10:31 PM by RufusO »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67183
Re: Win32:Agent-OLD [Trj]
« Reply #5 on: December 29, 2007, 12:02:44 PM »
Avast! boot time report.
Nombre de fichiers infectés : 0
It's ok, clean.
The files reported couldn't be scanned by avast, due to an internal problem in the package or because avast's unpackers were unable to handle them. Don't worry, it does not mean the files are infected.
The best things in life are free.

RufusO

  • Guest
Re: Win32:Agent-OLD [Trj]
« Reply #6 on: December 30, 2007, 09:53:48 AM »
Hi!

Just to say thank you to Tech!  ;) ;D

I ran everything you suggested and my system is now clean.
Just to make sure, I closed down "system restore Information" for good luck.

Thanks again!  ;D

I'm now downloading a Linux Mandriva OS; bye bye Bill...  :P

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67183
Re: Win32:Agent-OLD [Trj] [Resolved]
« Reply #7 on: December 30, 2007, 06:49:52 PM »
Just to make sure, I closed down "system restore Information" for good luck.
System Restore is a good feature. You don't have to leave it disabled if you're clean...
The best things in life are free.

Raybo

  • Guest
Re: Win32:Agent-OLD [Trj] [Resolved]
« Reply #8 on: January 01, 2008, 10:46:42 PM »
I have the exact same problem described by RufusO on December 28, 2007:
"Avast! reported that "C:\System Volume Information\catalog.wci\00000002.PS2" was a Win32:Agent-OLD trojan."  I have been able to delete it but it keeps reappearing.

I've also tested it with Norton Security, AVG Antivirus,  AVG Antispyware, AVG AntiRootkit, Spybot, and AdAware but none of them identify the file as a problem.  The first time it was identified I was able to move it to the Moved directory.  Avast found it there during the next scan and I was able to move it from there to the Chest.  It looks like I can email it to Alwil from the Chest if you wish.

Unfortunately it soon reappeared in the original folder C:\System Volume Information\catalog.wci.  I have been marking it for deletion on reboot and Avast is able to delete it that way but it always comes back again within a couple of hours. 

Has this been identified as a false positive?

Thanks for any help.