Author Topic: win 32 agent zps  (Read 11772 times)

scott27052

  • Guest
win 32 agent zps
« on: July 01, 2008, 03:30:07 AM »
I also keep getting win 32 agent zps, is this a FP? Any help would be appreciated ???

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89161
  • No support PMs thanks
Re: win 32 agent zps
« Reply #1 on: July 01, 2008, 01:59:47 PM »
Any information would be helpful.

What is it in relation to (program association, why you think it is an FP, etc.)?
What is the infected file name, where was it found, e.g. (C:\windows\system32\infected-file-name.xxx)?
Check the avast! Log Viewer (right click the avast 'a' icon), Warning section, this contains information on all avast detections.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here. You can't do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

If it is indeed a false positive, see http://forum.avast.com/index.php?topic=34950.msg293451#msg293451, how to report it to avast! and what to do to exclude them until the problem is corrected.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

azza3000

  • Guest
Re: win 32 agent zps
« Reply #2 on: July 01, 2008, 05:36:20 PM »
Hi, I've had this virus in my chest for about 2 weeks now, not had any problems, but when I do a full scan it finds it and tells me to put it in the chest. Any clues, could this be a FP? Done a scan in safe mode, nothing found, strange isn't it?

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: win 32 agent zps
« Reply #3 on: July 01, 2008, 05:49:35 PM »
I suggest:

1. Disable System Restore and reenable it after step 3.
2. Clean your temporary files.
3. Schedule a boot time scanning with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
4. Use SUPERantispyware, MBAM or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
5. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
6. Make a HijackThis log to post here or, better, submit the RunScanner log to on-line analysis.
7. Immunize your system with SpywareBlaster or Windows Advanced Care.
8. Check if you have insecure applications with Secunia Software Inspector.
The best things in life are free.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89161
  • No support PMs thanks
Re: win 32 agent zps
« Reply #4 on: July 01, 2008, 05:58:32 PM »
Quote from: azza3000
Hi, I've had this virus in my chest for about 2 weeks now, not had any problems, but when I do a full scan it finds it and tells me to put it in the chest. Any clues, could this be a FP? Done a scan in safe mode, nothing found, strange isn't it?

Where does it find it?
The reason I ask is that it doesn't scan files 'within' the chest (they are encrypted) on a full on-demand scan.

If you open the chest, infected files section, right click on the file and select scan, what are the results?
What is the infected file name, where was it found, e.g. (C:\windows\system32\infected-file-name.xxx)?
Check the avast! Log Viewer (right click the avast 'a' icon), Warning section, this contains information on all avast detections. Or the chest retains information on the original location.

azza3000

  • Guest
Re: win 32 agent zps
« Reply #5 on: July 01, 2008, 07:09:10 PM »
When I scan in the chest it is infected still, it's found in windows/system32/config/reg.file name is software old thanks

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89161
  • No support PMs thanks
Re: win 32 agent zps
« Reply #6 on: July 01, 2008, 07:24:26 PM »
Do you use any registry backup (RegBack)?

I have seen software.old detected in another topic, try a forum search for software.old in the viruses and worms forum. You would find this post of mine, read it and the rest of the topic as it is the same as yours, http://forum.avast.com/index.php?topic=36719.msg307671#msg307671 a false positive.

azza3000

  • Guest
Re: win 32 agent zps
« Reply #7 on: July 01, 2008, 07:38:47 PM »
No, I don't use it, thanks for your help with that, cheers.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89161
  • No support PMs thanks
Re: win 32 agent zps
« Reply #8 on: July 01, 2008, 07:52:51 PM »
No problem, glad I could help.

Don't forget to send the sample for analysis, etc.

Welcome to the forums.

jomagenie

  • Guest
Re: win 32 agent zps
« Reply #9 on: July 01, 2008, 10:15:14 PM »
I have been getting the same alert on win 32 in System volume Information\restore, but the files I checked were more than 10 MB and VirusTotal says it will not accept files over 10. I have three computers and two external drives showing the win 32. I am starting to run through the procedures and scans that were posted earlier, but if it is a FP it would make it a lot easier.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89161
  • No support PMs thanks
Re: win 32 agent zps
« Reply #10 on: July 01, 2008, 11:15:53 PM »
We don't know if yours is a false positive as a) we don't know if what is in the restore point is the same as the other files detected here and b) since you can't upload it for analysis we can't confirm one way or another.

The file in this topic which is being talked about is software.old, the malware name could apply to many different file names and many of those could be valid detections, so we need to look at more than just the malware name when considering if it might be a false positive.

Whilst I would say it is a possibility, it isn't one to gamble on. The best bet is to disable system restore and reboot, that will clear all restore points; now enable system restore again, that will create a clean restore point. Assuming you have no other detections outside the system volume information folder.

JPKirkpatrick

  • Guest
Re: win 32 agent zps
« Reply #11 on: July 01, 2008, 11:43:50 PM »
DavidR

Thanks for the info on ...WIN32:Agent-ZPS[trj] ...
I have two computers on a home network that seem to have picked this up from SYSTEM MECHANIC oem install disk. I have run multiple scans and one computer has been cleaned of the infection but the other computer keeps having it show up on the restore point file. I'll try your suggestions on clearing the restore point and let you know if it clears it.
I have tried several AV sites to see if they have any info on this particular Trojan, and AVAST forum is the only place that even addressed it.
Thanks again...
John Kirkpatrick
                               OS:  Win XP Pro
                              CPU:  AMD 64 Athlon

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89161
  • No support PMs thanks
Re: win 32 agent zps
« Reply #12 on: July 02, 2008, 01:04:55 AM »
You're welcome.

The problem is that there is no standardisation in virus naming, so the same virus/trojan could have multiple aliases from other AVs, so searching for a malware name is often fruitless or confusing. Searching on the file name often brings more useful information; unfortunately files in the system volume information folder don't retain the original file name.

You can search for a family name like win32:agent, this brings much more information but again it is very varied as an agent trojan can have many different forms and variants. All this does make it harder to get precise information.

scott27052

  • Guest
Re: win 32 agent zps
« Reply #13 on: July 02, 2008, 01:43:08 AM »
Original file name is registry machine software c sys vol info restore snaps...

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89161
  • No support PMs thanks
Re: win 32 agent zps
« Reply #14 on: July 02, 2008, 03:02:35 PM »
Well, that isn't actually a file name as it has no file type, e.g. filename.exe, and sounds more like a registry location rather than a file.

If you have been able to move it to the chest then you can extract it as outlined in other posts, upload it for scanning to VirusTotal and report the findings.