Author Topic: Win32:Agent-OLD [Trj]  (Read 22602 times)


Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Win32:Agent-OLD [Trj]
« Reply #15 on: January 04, 2008, 01:47:42 AM »
Quote
Do you still think I should add it to the exclusion list now that you think it is a false positive?  If you do, can you tell me how?
For the Standard Shield provider (on-access scanning):
Left click the 'a' blue icon, click on the provider icon at left and then Customize.
Go to the Advanced tab and click on the Add button...
Write down exactly this:
C:\System Volume Information\catalog.wci\00000002.PS2

I suggest you add this file to Chest, right clicking the Chest folder (User folder) and adding the same file. After that, please, periodically check it - scan it into Chest, right clicking the file - there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected as being infected then you can also remove it from the Exclusion list.
The best things in life are free.

Raybo

  • Guest
Re: Win32:Agent-OLD [Trj]
« Reply #16 on: January 04, 2008, 05:50:42 PM »
OK, thanks again.  I've followed your latest suggestions and I will probably also send it off to virustotal.com again periodically if it continues to be flagged by Avast, just to see if any of the other scanners decide to agree with Avast that it is a Trojan.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Re: Win32:Agent-OLD [Trj]
« Reply #17 on: January 04, 2008, 05:56:51 PM »
Hi Raybo,

If none of the others in VirusTotal found something, except avast, it could be put into the exclusion list.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Raybo

  • Guest
Re: Win32:Agent-OLD [Trj]
« Reply #18 on: January 04, 2008, 10:47:18 PM »
Polonus, do you mean there is no need to keep checking with virustotal?  I already put it in my exclusion list as Tech suggested.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Win32:Agent-OLD [Trj]
« Reply #19 on: January 04, 2008, 10:59:51 PM »
Quote
Polonus, do you mean there is no need to keep checking with virustotal?
I don't think it is necessary. Check into Chest when avast corrects the false positive detection, then submit it again to virustotal and only after that restore the file.

Edited to increase security...
« Last Edit: January 05, 2008, 01:07:34 AM by Tech »
The best things in life are free.

MattH

  • Guest
Re: Win32:Agent-OLD [Trj]
« Reply #20 on: January 05, 2008, 12:37:15 AM »
Running XP SP2

Dec !@, 2007 - bought flash drive
investigated software on drive

started having problems with programs loading and hesitating

ran AVG - no problems shown

After three days of tearing my hair out, reloaded XP (without formatting drive C)

uninstalled AVG - Loaded Avast

Avast scan showed Win32:agent-old [trj]

Did most of problem resolutions I found here and elsewhere (including shutting off Restore)

No go, problems still ongoing


Turned off Indexing - hesitation and stalling programs started running normally

trj is still sitting in the SVI folder

Because of the problems running programs I don't think Avast is giving a false positive 

Still would like to remove trj from computer PERMANENTLY

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Win32:Agent-OLD [Trj]
« Reply #21 on: January 05, 2008, 01:07:57 AM »
MattH could be right. I've edited my post to increase security.
The best things in life are free.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Re: Win32:Agent-OLD [Trj]
« Reply #22 on: January 05, 2008, 01:10:42 AM »
Hi Tech,

Raybo and MattH can give us a HJT log, just to have a look at,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Raybo

  • Guest
Re: Win32:Agent-OLD [Trj]
« Reply #23 on: January 05, 2008, 02:49:54 AM »
Quote
I don't think it is necessary. Check into Chest when avast corrects the false positive detection, then submit it again to virustotal and only after that restore the file.

Edited to increase security...

I don't understand what you mean.  I have checked it into Chest and put a copy in User Files for periodic testing as Tech suggested but it continues to restore itself in the System Volume Information folder within hours after I reboot (I can't move it or delete it until I reboot).  So I don't need to restore it and I thought that was why you suggested putting it in the exclusion list.

I recently rebooted and scanned the SVI folder but Avast did not find an infection.  As I mentioned this is what always happens just after a reboot but I expect it will be back again as usual when I scan again in a few hours.  I am attaching a Hijack This log I just created.  I can also send another one after the infection returns if you wish.

Thanks,
Raybo


Raybo

  • Guest
Re: Win32:Agent-OLD [Trj]
« Reply #24 on: January 05, 2008, 03:36:04 AM »
Did another scan and as expected the file is back.  Then I ran another hjt and the log looks identical to the one I submitted in my last post, I think, except Notepad was running during the second one. I'm attaching it anyway.

Raybo

  • Guest
Re: Win32:Agent-OLD [Trj]
« Reply #25 on: January 05, 2008, 04:07:06 AM »
I sent it to virustotal.com again.  Results below:
Complete scanning result of "00000002.ps2.2.zip", processed in VirusTotal at 01/05/2008 03:48:38 (CET).

[ file data ]
* name: 00000002.ps2.2.zip
* size: 2572538
* md5.: 04f2231d60cf0d03eec28529e7f47be5
* sha1: 3fc427eb0996eb3a0cc40163ca6ba997aa8025e6
* peid..: -

[ scan result ]
AhnLab-V3 2008.1.5.11/20080105 found nothing
AntiVir 7.6.0.46/20080104 found nothing
Authentium 4.93.8/20080104 found nothing
Avast 4.7.1098.0/20080104 found [Win32:Agent-OLD]
AVG 7.5.0.516/20080104 found nothing
BitDefender 7.2/20080105 found nothing
CAT-QuickHeal 9.00/20080104 found nothing
ClamAV 0.91.2/20080105 found nothing
DrWeb 4.44.0.09170/20080104 found nothing
eSafe 7.0.15.0/20080103 found nothing
eTrust-Vet 31.3.5432/20080104 found nothing
Ewido 4.0/20080104 found nothing
F-Prot 4.4.2.54/20080104 found nothing
F-Secure 6.70.13030.0/20080104 found nothing
FileAdvisor 1/20080105 found nothing
Fortinet 3.14.0.0/20080104 found nothing
Ikarus T3.1.1.15/20080105 found nothing
Kaspersky 7.0.0.125/20080105 found nothing
McAfee 5200/20080104 found nothing
Microsoft 1.3109/20080105 found nothing
NOD32v2 2766/20080104 found nothing
Norman 5.80.02/20080104 found nothing
Panda 9.0.0.4/20080104 found nothing
Prevx1 V2/20080105 found nothing
Rising 20.25.42.00/20080104 found nothing
Sophos 4.24.0/20080104 found nothing
Sunbelt 2.2.907.0/20080105 found nothing
Symantec 10/20080105 found nothing
TheHacker 6.2.9.180/20080104 found nothing
VBA32 3.12.2.5/20080102 found nothing
VirusBuster 4.3.26:9/20080104 found nothing
Webwasher-Gateway 6.6.2/20080104 found nothing
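
The triage rule polonus applies above (only one engine out of many flags the file, so treat it as a probable false positive) can be automated over the plain-text VirusTotal report format quoted in this thread. This is an added example, not code from the forum or from VirusTotal; the report excerpt is a constructed, abbreviated sample in the same layout.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt in the 2008-era VirusTotal plain-text layout quoted in the thread,
# cut down to four engines; engine names and versions are sample values only.
SAMPLE_REPORT = """\
[ file data ]
* name: sample.zip
* size: 2572538

[ scan result ]
 AhnLab-V3 2008.1.5.11/20080105 found nothing
Avast 4.7.1098.0/20080104 found [Win32:Agent-OLD]
AVG 7.5.0.516/20080104 found nothing
Kaspersky 7.0.0.125/20080105 found nothing
"""

# "<engine> <version>/<sigdate> found <result>", tolerating the leading space seen on some lines
LINE_RE = re.compile(r"^\s*(?P<engine>\S+)\s+(?P<version>\S+)\s+found\s+(?P<result>.+?)\s*$")


@dataclass
class Verdict:
    engines: int = 0                                  # engines that returned a result
    detections: dict = field(default_factory=dict)    # engine -> detection name


def parse_report(text: str) -> Verdict:
    """Parse only the '[ scan result ]' section; 'found nothing' counts as a clean result."""
    v = Verdict()
    in_results = False
    for line in text.splitlines():
        if line.strip() == "[ scan result ]":
            in_results = True
            continue
        if not in_results or not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # unrecognised line: skip rather than miscount
        v.engines += 1
        if m.group("result") != "nothing":
            v.detections[m.group("engine")] = m.group("result").strip("[]")
    return v


def triage(v: Verdict) -> str:
    """Thread heuristic: a lone vendor hit is a false-positive candidate, multi-vendor is not."""
    if not v.detections:
        return "clean"
    return "single-vendor" if len(v.detections) == 1 else "multi-vendor"
```

The result is a triage label, not a verdict: as MattH's post shows, observed system behaviour still outweighs a single-vendor count.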

Raybo

  • Guest
Re: Win32:Agent-OLD [Trj] - Anything New?
« Reply #26 on: January 07, 2008, 06:00:46 PM »
Quote
I've edited my post to increase security.

Tech and Polonus, you increased security on this issue several days ago but I haven't seen any new feedback since then.  I still can't get rid of the infection except by rebooting and even then it comes back almost immediately.  Are there any new developments or ideas?  The last I heard you agreed with Matth that it may not be a false positive.  I'm afraid to do any online transactions while this trojan is on my computer.  :(

Thanks again. 

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Win32:Agent-OLD [Trj]
« Reply #27 on: January 07, 2008, 09:30:04 PM »
The solution is in oldman's and essexboy's hands... I'm not a cleaner expert. I can only post general cleaning procedures. What I know is that Combofix is being the solution for a lot of problems.

Download ComboFix from Here or Here to your Desktop.

Double click combofix.exe and follow the prompts.

When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Also, follow the instructions here: http://forum.avast.com/index.php?topic=32337.msg270377#msg270377

Also if you do have vundo / virtumonde, after you delete it with combofix be sure to update your sun java because, most probably, that is what allowed the infection in the first place.
The best things in life are free.

Raybo

  • Guest
Re: Win32:Agent-OLD [Trj]
« Reply #28 on: January 08, 2008, 08:53:39 AM »
OK Tech, I followed your instructions and I am attaching the ComboFix log and the Hijackthis log.  It looks like combofix quarantined Autorun.inf.vir but I don't see any sign of "vundo" or "virtumonde" so I did not proceed with RenV.exe. 

C:\System Volume Information\catalog.wci\00000002.ps2 [L] Win32:Agent-OLD [trj] was there again but this time it did allow me to move it into the chest instead of complaining it was in use by another process.

Please advise.
Thanks again. 

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Win32:Agent-OLD [Trj]
« Reply #29 on: January 08, 2008, 01:26:53 PM »
Quote
OK Tech, I followed your instructions and I am attaching the ComboFix log and the Hijackthis log.  It looks like combofix quarantined Autorun.inf.vir but I don't see any sign of "vundo" or "virtumonde" so I did not proceed with RenV.exe.
Better users should help you with this. I'm not able.

Quote
C:\System Volume Information\catalog.wci\00000002.ps2 [L] Win32:Agent-OLD [trj] was there again but this time it did allow me to move it into the chest instead of complaining it was in use by another process.
You can disable System Restore on Windows ME/XP or Vista. System Restore cannot be disabled on Windows 9x and it's not available in Windows 2k. After boot you can enable System Restore again.
The best things in life are free.