Author Topic: what is this warning/error  (Read 3965 times)


fazio93

  • Guest
what is this warning/error
« on: May 14, 2008, 10:51:25 PM »
5/13/2008 5:04:09 PM   SYSTEM   1484   AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\WINDOWS\system32\shmgrate.exe (C:\WINDOWS\system32\shmgrate.exe) returning error, 00000005. 

5/13/2008 5:04:09 PM   SYSTEM   1484   AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\WINDOWS\system32\shmgrate.exe failed, 00000005. 


DavidR
Re: what is this warning/error
« Reply #1 on: May 15, 2008, 12:37:06 AM »
The 00000005, Windows error 5 = Access is denied.

There may well be a legitimate reason for access to be denied, but this one may be a Trojan and something is protecting it (Google search for the file name http://www.google.co.uk/search?q=shmgrate.exe). See one of the Google returns, http://www.liutilities.com/products/wintaskspro/processlibrary/shmgrate/.

If you can, try to upload the file to VirusTotal for a scan: check the offending/suspect file at VirusTotal - Multi engine on-line virus scanner and report the findings here. I feel VirusTotal is the better option as it uses the Windows version of avast (more packers supported) and there are currently over 30 different scanners.

If you have XP, Vista 32-bit or Win2k, you could enable a boot-time scan. Right click the avast icon, select Start avast! Antivirus, Menu, 'Schedule boot-time scan...' Or see http://www.digitalred.com/avast-boot-time.php. This may well be able to scan it outside of Windows and possibly bypass this protection.

The boot-time scan might take a little time but may well be worth it just in case there might be something else, rather than use the advanced options to restrict the scan to the system32 folder.

What is your OS, XP Home/Pro ?
What is your firewall ?

If you haven't already got this software (freeware), download, install, update and run it, preferably in safe mode and report the findings (it should produce a log file).
1. If using WinXP or Vista, SUPERantispyware On-Demand only in free version. Or Spyware Terminator Resident scanner (if you use this don't install the toolbar or crawler or the anti-virus module). Or a-Squared free On-Demand only with free version (if using Win98/ME).

« Last Edit: May 15, 2008, 12:39:47 AM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
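
As an added example (not part of the original posts and not avast's own code), the sketch below parses AAVM lines of the shape shown in the first post, groups the warning/error pair by file, and decodes the trailing code as a Win32 error. It assumes the code field is hexadecimal; the third sample line and the `follow_up` heuristic are constructed for illustration.

```python
import re

# Constructed sample: the two lines from the first post, plus one invented
# line (another file, code 00000020) to show a different error class.
SAMPLE_LOG = r"""
5/13/2008 5:04:09 PM   SYSTEM   1484   AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\WINDOWS\system32\shmgrate.exe (C:\WINDOWS\system32\shmgrate.exe) returning error, 00000005.
5/13/2008 5:04:09 PM   SYSTEM   1484   AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\WINDOWS\system32\shmgrate.exe failed, 00000005.
5/13/2008 5:04:11 PM   SYSTEM   1484   AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\pagefile.sys failed, 00000020.
"""

# Standard Win32 system error codes (winerror.h).
WIN32_ERRORS = {
    0x02: "ERROR_FILE_NOT_FOUND",
    0x03: "ERROR_PATH_NOT_FOUND",
    0x05: "ERROR_ACCESS_DENIED",
    0x20: "ERROR_SHARING_VIOLATION",
}

# The path ends where " (" (warning form) or " failed," (error form) begins.
# Limitation: a path that itself contains " (" would be cut short.
LINE_RE = re.compile(
    r"AAVM - scanning (?P<level>warning|error): .*?"
    r"(?P<path>[A-Za-z]:\\.+?)(?= \(| failed,)"
    r".*?(?P<code>[0-9A-Fa-f]{8})\.\s*$"
)

def triage(log_text):
    """Group AAVM scan failures by file and decode the trailing error code."""
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        code = int(m.group("code"), 16)  # assumption: the field is hexadecimal
        path = m.group("path").lower()   # Windows paths are case-insensitive
        entry = findings.setdefault(path, {
            "code": code,
            "name": WIN32_ERRORS.get(code, "UNKNOWN"),
            "levels": set(),
            # Heuristic (assumption): access denied on an executable is the
            # thread's own case; other denials may have a legitimate cause.
            "follow_up": code == 0x05 and path.endswith((".exe", ".dll", ".sys")),
        })
        entry["levels"].add(m.group("level"))
    return findings

if __name__ == "__main__":
    for path, info in triage(SAMPLE_LOG).items():
        print(path, hex(info["code"]), info["name"], sorted(info["levels"]), info["follow_up"])
```
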

oldman
Re: what is this warning/error
« Reply #2 on: May 15, 2008, 08:10:42 AM »
SAS will also run on 98SE/ME.

Vladimyr
Re: what is this warning/error
« Reply #3 on: May 15, 2008, 08:33:21 AM »
So will Spyware Terminator for on-demand scans.
"There is a way that seems right to a man, but in the end it leads to death." - Proverbs 16:25

fazio93

  • Guest
Re: what is this warning/error
« Reply #4 on: May 15, 2008, 10:45:52 PM »
Sorry, never mind.
I saw shmgrate modifying weird files so I put it into quarantined files in CFP. No other app can access it, not even the avast scanner, so that's why I was getting the error. (At least I know quarantined files work... :-\)

DavidR
Re: what is this warning/error
« Reply #5 on: May 15, 2008, 11:36:51 PM »
The location that avast was originally trying to scan the file in is no quarantine area but the windows\system32 folder, so at that point it wasn't in a quarantine.

If CFP allows you to copy/extract the file to a temp location (other than the original location) it shouldn't present a problem so:
a) avast should be able to scan it in the extracted location (as whatever might have been protecting it won't be aware of its new location). It would also allow the other scanners you have to scan it.
b) you should be able to upload it to VirusTotal
c) if avast doesn't detect anything - Send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help and undetected malware in the subject. This should help to improve the avast detections and help other avast users.

Or you can also add the file to the User Files (File, Add) section of the avast chest where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location (where you extracted it to), so any further action you take can remove that.

fazio93

  • Guest

DavidR
Re: what is this warning/error
« Reply #7 on: May 17, 2008, 03:05:07 PM »
Very interesting considering what you said below.
Quote from: fazio93
i saw shmgrate modifying weird files so i put it into quarantined files in CFP.

It is also strange if you have removed it from its original location without complaint from what might be running it or the command to run it so it can do those weird file modifications.

So it would possibly be worth sending it to avast for analysis as a possible undetected malware sample.

Send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help and Possible Undetected Malware in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.

fazio93

  • Guest
Re: what is this warning/error
« Reply #8 on: May 17, 2008, 03:36:14 PM »
I never moved it though.

sanctuaryforever

  • Guest
Re: what is this warning/error
« Reply #9 on: May 17, 2008, 04:16:41 PM »
My brother's laptop has this logged also every time he starts his laptop up; he has Windows XP Home Edition.