Author Topic: Prevx CSI reporting avast! ashDisp.exe as Dropper.Agent.GIT ?  (Read 14917 times)

Offline szc

  • Avast Evangelist
  • Starting Graphoman
  • ***
  • Posts: 6927
Prevx CSI reporting avast! ashDisp.exe as Dropper.Agent.GIT ?
« on: December 29, 2007, 03:04:43 PM »
Turned on my PC this morning and this is what popped out on my screen...

Another program is using this file:
C:\Windows\System32\Gebyw.exe

Used PrevX CSI and these are the readings:

MB: GIGABYTE GA-Z77X-UD3H Intel 7 Series  - LGA1155, CPU: Intel Core i5-3570K - Quad Core, 3.40GHz (3.80GHz Max Turbo), CPU COOLER: Cooler Master Hyper 212 EVO Direct Heat Pipe R2, RAM: 16 GB Kingston HyperX Blu DDR3, VIDEO CARD: Galaxy GeForce GTX 560 Ti - 1GB, GDDR5, POWER SUPPLY: Corsair Enthusiast Series TX750 V2 - 750 Watts, HD: Seagate Barracuda - 2TB, 7200RPM, 64MB, SATA 6Gb/s

rdmaloyjr

  • Guest
Re: Prevx CSI reporting avast! ashDisp.exe as Dropper.Agent.GIT ?
« Reply #1 on: December 29, 2007, 03:41:26 PM »
Prevx CSI doesn't report avast! ashDisp.exe as Dropper.Agent.GIT on my computer. 12/29/07 9:30 am EST

Offline szc

  • Avast Evangelist
  • Starting Graphoman
  • ***
  • Posts: 6927
Re: Prevx CSI reporting avast! ashDisp.exe as Dropper.Agent.GIT ?
« Reply #2 on: December 29, 2007, 03:46:16 PM »
Something is definitely wrong here... I'm restoring my system to a system image I made two weeks ago. I have no patience to go through the removal process, and I am sure that even when it's completed, nothing will be the same as before... so backup images are the way to go. Thank God for Norton Ghost, it has never let me down.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Prevx CSI reporting avast! ashDisp.exe as Dropper.Agent.GIT ?
« Reply #3 on: December 29, 2007, 07:04:24 PM »
Definitely a Vundo infection - they are getting even sneakier now by changing other programme files to do their dirty work.

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Prevx CSI reporting avast! ashDisp.exe as Dropper.Agent.GIT ?
« Reply #4 on: December 29, 2007, 07:12:46 PM »
There was a case a few months ago where ashDisp was in fact infected. I don't remember who it was, but they were a regular on this forum at the time. All I recall was comparing file sizes and that DavidR also commented.

Offline szc

  • Avast Evangelist
  • Starting Graphoman
  • ***
  • Posts: 6927
Re: Prevx CSI reporting avast! ashDisp.exe as Dropper.Agent.GIT ?
« Reply #5 on: December 29, 2007, 07:16:51 PM »
What is even crazier is the fact that I went back all the way to my July System Restore image. When I scanned everything with Prevx CSI, a similar thing happened (Trojan.Vundo), but the only difference is that the avast! file is not infected. And, guessing right, no more avast! asking me to restart my system (from the other thread I started in this forum). So it could be that these two things have something in common.

The question... what happened to avast! protection? Isn't it supposed to protect us from things like this?

OK, going back to my System Restore images... I'm going all the way back to last year to see what's gonna happen when I restore one of those images... huh, difficult to enjoy these holidays when I have to sit in front of my PC the whole day...  ::)

Offline szc

  • Avast Evangelist
  • Starting Graphoman
  • ***
  • Posts: 6927
Re: Prevx CSI reporting avast! ashDisp.exe as Dropper.Agent.GIT ?
« Reply #6 on: December 29, 2007, 07:19:51 PM »
Yes, I forgot to say, I've noticed a few applications had exactly the same files (exactly the same name and extension) residing inside the same folder (how that is possible is beyond me)...

I remember all of them had the same size... some 980 KB or something, if I remember well.

Prevx is reporting this thing... but it can't fix anything since I don't have the registered version (  ::)  ::)  ::) ). Nice touch, Prevx developers ^%$#@&%$&%

There is also a Norton Vundo removal tool... the funny thing is that it can't find a thing on my computer. Ha? What now?
It looks like I really have to go all the way back to last year with my Ghost system images.

« Last Edit: December 29, 2007, 07:24:03 PM by SasH »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Prevx CSI reporting avast! ashDisp.exe as Dropper.Agent.GIT ?
« Reply #7 on: December 29, 2007, 07:28:30 PM »
Hi Sash, can you download and run this programme? It will look for any altered programme files. They are changed in a specific and detectable way.

  • Download RenV.exe by sUBs to your desktop
  • Double click on it to run it
  • It will search your system drive looking for any modified .exe file and will produce a log for you.
  • Please attach this report to your reply (do not copy and paste)
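The two symptoms discussed in this thread, program files that have been silently rewritten (the check essexboy's tool performs) and several "different" executables that turn out to have the same size and contents (what szc and oldman noticed), both come down to one defender-side technique: hash every executable, keep a baseline, and compare. The script below is an added illustration of that technique and is not RenV.exe or any Avast or Prevx code; it builds a small constructed directory tree with made-up file bytes (the path names are placeholders, only ashDisp.exe and Gebyw.exe are taken from the thread), snapshots it, simulates two binaries being overwritten with one identical payload plus a new drop, and reports modified, added and missing executables as well as groups of files whose bytes are identical.

```python
"""Baseline-and-compare integrity check for executables (added example)."""
import hashlib
import json
import os
import tempfile
from collections import defaultdict

# Extensions treated as "program files" for this example (assumption).
EXE_SUFFIXES = (".exe", ".dll", ".sys")


def sha256_of(path: str, chunk: int = 1 << 16) -> str:
    """Stream a file through SHA-256 so large binaries are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """Map each executable under root (path relative to root) to (size, sha256)."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(EXE_SUFFIXES):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = (os.path.getsize(full), sha256_of(full))
    return snap


def compare(baseline: dict, current: dict) -> dict:
    """Classify every executable as modified, added or missing versus the baseline."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


def identical_content(snap: dict) -> dict:
    """Group paths whose bytes are identical: the same hash under several names
    is exactly the 'same size, same file in different folders' symptom."""
    groups = defaultdict(list)
    for rel, (_, digest) in snap.items():
        groups[digest].append(rel)
    return {d: sorted(ps) for d, ps in groups.items() if len(ps) > 1}


def demo() -> dict:
    """Constructed scenario: a clean tree, then two binaries overwritten with
    one payload and a third copy dropped under a new name."""
    with tempfile.TemporaryDirectory() as root:

        def put(rel: str, data: bytes) -> None:
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)

        # Constructed "clean" files; directory names are placeholders.
        put("Program Files/AV/ashDisp.exe", b"MZ clean ashDisp " * 100)
        put("Program Files/Other/viewer.exe", b"MZ clean viewer " * 100)
        put("Windows/System32/notepad.exe", b"MZ clean notepad " * 100)
        put("Windows/System32/readme.txt", b"not an executable, ignored")
        baseline = snapshot(root)

        # Simulated tampering: identical bytes written over two programs plus a new drop.
        payload = b"MZ same bytes everywhere " * 100
        put("Program Files/AV/ashDisp.exe", payload)
        put("Program Files/Other/viewer.exe", payload)
        put("Windows/System32/Gebyw.exe", payload)
        current = snapshot(root)

        return {"diff": compare(baseline, current), "clones": identical_content(current)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On a real machine the baseline must come from a known-clean state (a fresh install or a verified image, which is effectively what szc's Ghost image provided), otherwise the comparison only tells you what changed since the infection, not what the infection changed.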

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: Prevx CSI reporting avast! ashDisp.exe as Dropper.Agent.GIT ?
« Reply #8 on: December 29, 2007, 08:34:57 PM »
How is that possible is beyond me...
Isn't it an infection that passed through avast protection, i.e., a misdetection by avast?
The best things in life are free.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: Prevx CSI reporting avast! ashDisp.exe as Dropper.Agent.GIT ?
« Reply #9 on: December 29, 2007, 08:47:20 PM »
Sasha, are you saying in the other thread...
It could however have something to do with this (?) :
http://forum.avast.com/index.php?topic=32297.0
that avast could be restarting because it's corrupted (infected) and then it's repaired by the update and then requires a reboot?

Offline szc

  • Avast Evangelist
  • Starting Graphoman
  • ***
  • Posts: 6927
Re: Prevx CSI reporting avast! ashDisp.exe as Dropper.Agent.GIT ?
« Reply #10 on: December 29, 2007, 08:49:25 PM »
I guess so, sure it looks like that...

I am doing a boot scan as we speak (posting this from my laptop), and avast! has already found some file named svcUpdate.exe or something like that which is infected. I sent it to the chest... what do I do with it now? Do I have to replace it with the same file that's not infected, or something else?

Have to go out now, I will leave my desktop PC and the avast! boot scan to fight. When I am back I will see what's happening. If nothing helps, I am afraid I will have to restore one of my oldest system images...  :-[

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: Prevx CSI reporting avast! ashDisp.exe as Dropper.Agent.GIT ?
« Reply #11 on: December 29, 2007, 08:56:21 PM »
Do I have to replace it with the same file that's not infected or something else?
Which file? svcUpdate.exe, or any of the avast files?

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Prevx CSI reporting avast! ashDisp.exe as Dropper.Agent.GIT ?
« Reply #12 on: December 29, 2007, 10:19:57 PM »

Have to go out now, I will leave my desktop PC and avast! boot scan to fight. When I am back I will see what's happening. If nothing helps, I am afraid I will have to restore one of my oldest system images...  :-[

Give essexboy's suggestion a shot first.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Prevx CSI reporting avast! ashDisp.exe as Dropper.Agent.GIT ?
« Reply #13 on: December 29, 2007, 10:29:46 PM »
Here is a link to where this tool was used in a Vundo infection: http://www.bleepingcomputer.com/forums/topic122459-15.html#entry697476 As you can see, a lot of legit files were corrupted. This tool is about one week old.

Offline szc

  • Avast Evangelist
  • Starting Graphoman
  • ***
  • Posts: 6927
Re: Prevx CSI reporting avast! ashDisp.exe as Dropper.Agent.GIT ?
« Reply #14 on: December 30, 2007, 06:29:53 AM »
Thank you guys so much for all replies and your help, I really appreciate everything!  ;)

Unfortunately I hadn't noticed my friend's (essexboy) reply with the link for that little tool, and I had already restored one of my old system images that had no infected files inside... totally clean.

The avast! boot scan started to fool around, saying it was unable to repair some files, so I gave up and went with restoring one of my old system images.

The problem is solved, I just wish I'd noticed that post in time, so at least I could have given it a try and seen what happens. Anyway, this is the situation, and I had a lot of extra applications to reinstall, but at least it's 100% clean now.

Thanks again people, I appreciate your assistance!