Prevx CSI reporting avast! ashDisp.exe as Dropper.Agent.GIT ?

[Hard_ROCKER]

It makes me wonder how long your system was infected ... And no detection from avast! for all that time, were you able to send those infected files to alwil, or perhaps scanned them over at virustotal ?

[szc]

Files were definitely infected... last system image I've tried was going back to July.. that one was still infected. First system image that contained infected ashDisp.exe is the one from September. I had to go all the way back to the last year to make sure.

[Lisandro]

First system image that contained infected ashDisp.exe is the one from September.

Couldn't it be a false positive from avast itself? I mean, the updated VPS is detecting them as being infected?

Files were definitely infected...

What does VirusTotal say about them?

[igor]

The strange thing is - if ashDisp.exe was modified (infected), it should announce that when started...

[essexboy]

This behavoural change in Vundo was noticed first about 2 weeks ago and it then took about a week for a search and repair tool to be developed.  It appears to have copied some elements from AWF 

[bob3160]

Sasha,
Any idea where the infection might have come from?

[szc]

First system image that contained infected ashDisp.exe is the one from September.

Couldn't it be a false positive from avast itself? I mean, the updated VPS is detecting them as being infected?

Not likely, since avast! never reported anything to me... scanning my system wouldn't show anything. Now, when I have perfectly clean installation of my system (used one of the cleanest system images I've created just right after installation of Windows), avast! works like a charm. Not a single time it asked me to reboot except when it was doing program update at one point.

Files were definitely infected...

What does VirusTotal say about them?

Trojan.Vundo infection

The strange thing is - if ashDisp.exe was modified (infected), it should announce that when started...

Yes Igor, indeed it's strange.. and it still riddles me. I have no idea as why it was happening.

Sasha,
Any idea where the infection might have come from?

Not sure, because it started so long ago... but it must have been I downloaded some .exe file or something that sneaked inside... that was easy I guess, since avast! never alarmed me. Just to say that I am not visiting those nasty sites, and Site Advisor was always on... when site is marked as green, I am in... if it's suspicious, I am out...

[Lisandro]

Igor, I suppose that that particular Vundo signature was already added to avast...

[oldman]

Well,well,well.....ashdisp does seem to get noticed. For my current version

Ikarus - - Trojan.Win32.Patched.af   

Not reporting a problem, just a comment.

Whatever was altering the file must have been around for awhile as there has been a couple of program updates. Properties of the file show it was created in Oct and modified in Sept 2007. Or doesn't this file get updated?

[Lisandro]

These are the CRC and MD5 for my ashdisp.exe

[oldman]

Just as I thought, FP. All report nothing now.

File size: 79224 bytes
MD5: 8cf58586ae4577ed71ffe8883a6d4b3b
SHA1: 13dca1a373b3efa901dfbd91373433d8bd9881b1

Different numbers than yours, but I'm on version 4.7.1043

[bob3160]

These are the CRC and MD5 for my ashdisp.exe

Our's match

v.4.7 b 1098
88D86112DD9F2BB6A603674706C7E846 ashDisp.exe