Author Topic: Prevx CSI reporting avast! ashDisp.exe as Dropper.Agent.GIT ?  (Read 14861 times)

0 Members and 1 Guest are viewing this topic.

Hard_ROCKER

  • Guest
Re: Prevx CSI reporting avast! ashDisp.exe as Dropper.Agent.GIT ?
« Reply #15 on: December 30, 2007, 09:32:48 AM »
It makes me wonder how long your system was infected ... And no detection from avast! for all that time, were you able to send those infected files to alwil, or perhaps scanned them over at virustotal ?

Offline szc

  • Avast Evangelist
  • Starting Graphoman
  • ***
  • Posts: 6927
Re: Prevx CSI reporting avast! ashDisp.exe as Dropper.Agent.GIT ?
« Reply #16 on: December 30, 2007, 11:01:21 AM »
Files were definitely infected... last system image I've tried was going back to July.. that one was still infected. First system image that contained infected ashDisp.exe is the one from September. I had to go all the way back to the last year to make sure.
MB: GIGABYTE GA-Z77X-UD3H Intel 7 Series  - LGA1155, CPU: Intel Core i5-3570K - Quad Core, 3.40GHz (3.80GHz Max Turbo), CPU COOLER: Cooler Master Hyper 212 EVO Direct Heat Pipe R2, RAM: 16 GB Kingston HyperX Blu DDR3, VIDEO CARD: Galaxy GeForce GTX 560 Ti - 1GB, GDDR5, POWER SUPPLY: Corsair Enthusiast Series TX750 V2 - 750 Watts, HD: Seagate Barracuda - 2TB, 7200RPM, 64MB, SATA 6Gb/s

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67198
Re: Prevx CSI reporting avast! ashDisp.exe as Dropper.Agent.GIT ?
« Reply #17 on: December 30, 2007, 12:54:20 PM »
First system image that contained infected ashDisp.exe is the one from September.
Couldn't it be a false positive from avast itself? I mean, the updated VPS is detecting them as being infected?

Files were definitely infected...
What does VirusTotal say about them?
The best things in life are free.

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11848
    • AVAST Software
Re: Prevx CSI reporting avast! ashDisp.exe as Dropper.Agent.GIT ?
« Reply #18 on: December 30, 2007, 12:57:45 PM »
The strange thing is - if ashDisp.exe was modified (infected), it should announce that when started...

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Prevx CSI reporting avast! ashDisp.exe as Dropper.Agent.GIT ?
« Reply #19 on: December 30, 2007, 02:59:26 PM »
This behavoural change in Vundo was noticed first about 2 weeks ago and it then took about a week for a search and repair tool to be developed.  It appears to have copied some elements from AWF 

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48469
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: Prevx CSI reporting avast! ashDisp.exe as Dropper.Agent.GIT ?
« Reply #20 on: December 30, 2007, 03:20:44 PM »
Sasha,
Any idea where the infection might have come from?
Free Security Seminar: https://bit.ly/bobg2023  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 11 Pro v22H2 64bit, 16 Gig Ram, 1TB SSD, Avast Free 23.5.6066, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq -- My Online Activity https://bit.ly/BobGInternet

Offline szc

  • Avast Evangelist
  • Starting Graphoman
  • ***
  • Posts: 6927
Re: Prevx CSI reporting avast! ashDisp.exe as Dropper.Agent.GIT ?
« Reply #21 on: December 30, 2007, 04:02:42 PM »
First system image that contained infected ashDisp.exe is the one from September.
Couldn't it be a false positive from avast itself? I mean, the updated VPS is detecting them as being infected?

Not likely, since avast! never reported anything to me... scanning my system wouldn't show anything. Now, when I have perfectly clean installation of my system (used one of the cleanest system images I've created just right after installation of Windows), avast! works like a charm. Not a single time it asked me to reboot except when it was doing program update at one point.

Quote
Files were definitely infected...
What does VirusTotal say about them?

Trojan.Vundo infection

The strange thing is - if ashDisp.exe was modified (infected), it should announce that when started...

Yes Igor, indeed it's strange.. and it still riddles me. I have no idea as why it was happening.

Sasha,
Any idea where the infection might have come from?

Not sure, because it started so long ago... but it must have been I downloaded some .exe file or something that sneaked inside... that was easy I guess, since avast! never alarmed me. Just to say that I am not visiting those nasty sites, and Site Advisor was always on... when site is marked as green, I am in... if it's suspicious, I am out...
MB: GIGABYTE GA-Z77X-UD3H Intel 7 Series  - LGA1155, CPU: Intel Core i5-3570K - Quad Core, 3.40GHz (3.80GHz Max Turbo), CPU COOLER: Cooler Master Hyper 212 EVO Direct Heat Pipe R2, RAM: 16 GB Kingston HyperX Blu DDR3, VIDEO CARD: Galaxy GeForce GTX 560 Ti - 1GB, GDDR5, POWER SUPPLY: Corsair Enthusiast Series TX750 V2 - 750 Watts, HD: Seagate Barracuda - 2TB, 7200RPM, 64MB, SATA 6Gb/s

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67198
Re: Prevx CSI reporting avast! ashDisp.exe as Dropper.Agent.GIT ?
« Reply #22 on: December 30, 2007, 06:34:36 PM »
Igor, I suppose that that particular Vundo signature was already added to avast...
The best things in life are free.

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Prevx CSI reporting avast! ashDisp.exe as Dropper.Agent.GIT ?
« Reply #23 on: December 30, 2007, 08:30:54 PM »
Well,well,well.....ashdisp does seem to get noticed. For my current version

Ikarus - - Trojan.Win32.Patched.af   ;)

Not reporting a problem, just a comment.

Whatever was altering the file must have been around for awhile as there has been a couple of program updates. Properties of the file show it was created in Oct and modified in Sept 2007. Or doesn't this file get updated?

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67198
Re: Prevx CSI reporting avast! ashDisp.exe as Dropper.Agent.GIT ?
« Reply #24 on: December 30, 2007, 09:51:49 PM »
These are the CRC and MD5 for my ashdisp.exe
The best things in life are free.

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Prevx CSI reporting avast! ashDisp.exe as Dropper.Agent.GIT ?
« Reply #25 on: December 30, 2007, 11:10:50 PM »
Just as I thought, FP. All report nothing now.

File size: 79224 bytes
MD5: 8cf58586ae4577ed71ffe8883a6d4b3b
SHA1: 13dca1a373b3efa901dfbd91373433d8bd9881b1

Different numbers than yours, but I'm on version 4.7.1043

« Last Edit: December 30, 2007, 11:12:53 PM by oldman »

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48469
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: Prevx CSI reporting avast! ashDisp.exe as Dropper.Agent.GIT ?
« Reply #26 on: December 31, 2007, 01:22:38 AM »
These are the CRC and MD5 for my ashdisp.exe
Our's match

v.4.7 b 1098
88D86112DD9F2BB6A603674706C7E846 ashDisp.exe
Free Security Seminar: https://bit.ly/bobg2023  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 11 Pro v22H2 64bit, 16 Gig Ram, 1TB SSD, Avast Free 23.5.6066, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq -- My Online Activity https://bit.ly/BobGInternet