Author Topic: win 32 agent zps  (Read 11776 times)


Waarluaken

  • Guest
Re: win 32 agent zps
« Reply #15 on: July 02, 2008, 05:00:34 PM »
I have the same exact problem, with the trojan being in my system volume information folder. What's weird is avast only detects it once a day, no matter how many times I restart my computer.

I tried disabling and re-enabling my system restore, hopefully that could have taken care of the problem. But how can we extract the file from the chest? I'm a little confused about that. I want to know just in case it comes back tomorrow so I can upload it on one of those virus checker sites.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89164
  • No support PMs thanks
Re: win 32 agent zps
« Reply #16 on: July 02, 2008, 05:19:20 PM »
It isn't strange to me that avast scans activity, though it is strange in a way, as if it is in the system volume information folder there shouldn't be any activity in that folder. So what scan are you performing when this is detected?

You first open the Chest, Infected Files section, right click on it and select Extract.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Waarluaken

  • Guest
Re: win 32 agent zps
« Reply #17 on: July 02, 2008, 08:05:37 PM »
Avast detects it by the On-Access scanner a few minutes on start up once a day.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: win 32 agent zps
« Reply #18 on: July 02, 2008, 08:50:50 PM »
Avast detects it by the On-Access scanner a few minutes on start up once a day.
This makes me think that malware can access/use the System Restore folder to reinfect the computer. But I've read here that it's not possible, only the user can manually restore files from that folder (restoring the system). Who is right? ???
The best things in life are free.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89164
  • No support PMs thanks
Re: win 32 agent zps
« Reply #19 on: July 02, 2008, 09:32:38 PM »
Avast detects it by the On-Access scanner a few minutes on start up once a day.

Again I find this strange as this should be a windows protected area, the file names are changed from the original, though I was able to place a file in there in a little test. I have system restore disabled and I also have the view hidden system files and folders option enabled, so I don't know if that might have anything to do with being able to do this.

What is the infected file name, where was it found, e.g. (C:\windows\system32\infected-file-name.xxx)?

Check the avast! Log Viewer (right click the avast 'a' icon), Warning section, this contains information on all avast detections.

Waarluaken

  • Guest
Re: win 32 agent zps
« Reply #20 on: July 03, 2008, 02:27:33 AM »
Here's what it says pertaining to anything to do with Win32:Agent-ZPS

6/26/2008 10:06:38 PM   SYSTEM   1424   Sign of "Win32:Agent-ZPS [trj]" has been found in "C:\System Volume Information\_restore{10C55AB4-6DA6-4E72-A6F9-7F744635BE74}\RP488\snapshot\_REGISTRY_MACHINE_SOFTWARE" file. 
6/27/2008 1:27:51 AM   Justicen   1804   Sign of "Win32:Agent-ZPS [trj]" has been found in "C:\System Volume Information\_restore{10C55AB4-6DA6-4E72-A6F9-7F744635BE74}\RP476\snapshot\_REGISTRY_MACHINE_SOFTWARE" file. 
6/27/2008 2:47:59 AM   Justicen   1804   Sign of "Win32:Agent-ZPS [trj]" has been found in "C:\System Volume Information\_restore{10C55AB4-6DA6-4E72-A6F9-7F744635BE74}\RP477\snapshot\_REGISTRY_MACHINE_SOFTWARE" file. 
6/27/2008 2:50:06 AM   Justicen   1804   Sign of "Win32:Agent-ZPS [trj]" has been found in "C:\System Volume Information\_restore{10C55AB4-6DA6-4E72-A6F9-7F744635BE74}\RP478\snapshot\_REGISTRY_MACHINE_SOFTWARE" file. 
6/27/2008 2:50:27 AM   Justicen   1804   Sign of "Win32:Agent-ZPS [trj]" has been found in "C:\System Volume Information\_restore{10C55AB4-6DA6-4E72-A6F9-7F744635BE74}\RP479\snapshot\_REGISTRY_MACHINE_SOFTWARE" file. 
6/27/2008 2:50:44 AM   Justicen   1804   Sign of "Win32:Agent-ZPS [trj]" has been found in "C:\System Volume Information\_restore{10C55AB4-6DA6-4E72-A6F9-7F744635BE74}\RP480\snapshot\_REGISTRY_MACHINE_SOFTWARE" file. 
6/27/2008 2:50:56 AM   Justicen   1804   Sign of "Win32:Agent-ZPS [trj]" has been found in "C:\System Volume Information\_restore{10C55AB4-6DA6-4E72-A6F9-7F744635BE74}\RP481\snapshot\_REGISTRY_MACHINE_SOFTWARE" file. 
6/27/2008 2:51:11 AM   Justicen   1804   Sign of "Win32:Agent-ZPS [trj]" has been found in "C:\System Volume Information\_restore{10C55AB4-6DA6-4E72-A6F9-7F744635BE74}\RP482\snapshot\_REGISTRY_MACHINE_SOFTWARE" file. 
6/27/2008 2:51:18 AM   Justicen   1804   Sign of "Win32:Agent-ZPS [trj]" has been found in "C:\System Volume Information\_restore{10C55AB4-6DA6-4E72-A6F9-7F744635BE74}\RP483\snapshot\_REGISTRY_MACHINE_SOFTWARE" file. 
6/27/2008 2:51:26 AM   Justicen   1804   Sign of "Win32:Agent-ZPS [trj]" has been found in "C:\System Volume Information\_restore{10C55AB4-6DA6-4E72-A6F9-7F744635BE74}\RP484\snapshot\_REGISTRY_MACHINE_SOFTWARE" file. 
6/27/2008 2:51:32 AM   Justicen   1804   Sign of "Win32:Agent-ZPS [trj]" has been found in "C:\System Volume Information\_restore{10C55AB4-6DA6-4E72-A6F9-7F744635BE74}\RP485\snapshot\_REGISTRY_MACHINE_SOFTWARE" file. 
6/27/2008 2:51:39 AM   Justicen   1804   Sign of "Win32:Agent-ZPS [trj]" has been found in "C:\System Volume Information\_restore{10C55AB4-6DA6-4E72-A6F9-7F744635BE74}\RP486\snapshot\_REGISTRY_MACHINE_SOFTWARE" file. 
6/27/2008 2:51:49 AM   Justicen   1804   Sign of "Win32:Agent-ZPS [trj]" has been found in "C:\System Volume Information\_restore{10C55AB4-6DA6-4E72-A6F9-7F744635BE74}\RP487\snapshot\_REGISTRY_MACHINE_SOFTWARE" file. 
6/27/2008 2:51:58 AM   Justicen   1804   Sign of "Win32:Agent-ZPS [trj]" has been found in "C:\System Volume Information\_restore{10C55AB4-6DA6-4E72-A6F9-7F744635BE74}\RP489\snapshot\_REGISTRY_MACHINE_SOFTWARE" file. 
6/28/2008 2:28:06 AM   SYSTEM   1356   Sign of "Win32:Agent-ZPS [trj]" has been found in "C:\System Volume Information\_restore{10C55AB4-6DA6-4E72-A6F9-7F744635BE74}\RP490\snapshot\_REGISTRY_MACHINE_SOFTWARE" file. 
6/28/2008 6:15:59 AM   Justicen   3596   Sign of "Win32:Agent-ZPS [trj]" has been found in "C:\System Volume Information\_restore{10C55AB4-6DA6-4E72-A6F9-7F744635BE74}\RP491\snapshot\_REGISTRY_MACHINE_SOFTWARE" file. 
6/29/2008 5:53:39 AM   SYSTEM   1452   Sign of "Win32:Agent-ZPS [trj]" has been found in "C:\System Volume Information\_restore{10C55AB4-6DA6-4E72-A6F9-7F744635BE74}\RP492\snapshot\_REGISTRY_MACHINE_SOFTWARE" file. 
6/30/2008 9:21:14 AM   SYSTEM   1428   Sign of "Win32:Agent-ZPS [trj]" has been found in "C:\System Volume Information\_restore{10C55AB4-6DA6-4E72-A6F9-7F744635BE74}\RP493\snapshot\_REGISTRY_MACHINE_SOFTWARE" file. 
7/1/2008 10:06:17 AM   SYSTEM   1332   Sign of "Win32:Agent-ZPS [trj]" has been found in "C:\System Volume Information\_restore{10C55AB4-6DA6-4E72-A6F9-7F744635BE74}\RP494\snapshot\_REGISTRY_MACHINE_SOFTWARE" file. 
7/2/2008 7:21:32 AM   SYSTEM   1424   Sign of "Win32:Agent-ZPS [trj]" has been found in "C:\System Volume Information\_restore{10C55AB4-6DA6-4E72-A6F9-7F744635BE74}\RP497\snapshot\_REGISTRY_MACHINE_SOFTWARE" file. 
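
Every hit in the log above is inside a System Restore snapshot of a registry hive, not a file the running system uses. As an added example (not from this thread or from avast), a small Python triage helper that parses Log Viewer lines in this format, separates snapshot hits from live-file hits, and lists the restore points involved; the sample log is constructed, and its third line is a made-up live-file hit so both cases appear.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the format of the avast Log Viewer "Warning" lines
# quoted in this thread; the third line is a constructed live-file hit so
# the classifier has both cases to separate.
SAMPLE_LOG = r"""
6/26/2008 10:06:38 PM   SYSTEM   1424   Sign of "Win32:Agent-ZPS [trj]" has been found in "C:\System Volume Information\_restore{10C55AB4-6DA6-4E72-A6F9-7F744635BE74}\RP488\snapshot\_REGISTRY_MACHINE_SOFTWARE" file.
6/27/2008 1:27:51 AM   Justicen   1804   Sign of "Win32:Agent-ZPS [trj]" has been found in "C:\System Volume Information\_restore{10C55AB4-6DA6-4E72-A6F9-7F744635BE74}\RP476\snapshot\_REGISTRY_MACHINE_SOFTWARE" file.
7/2/2008 7:21:32 AM   SYSTEM   1424   Sign of "Win32:Agent-ZPS [trj]" has been found in "C:\Documents and Settings\user\example.exe" file.
"""

LINE_RE = re.compile(
    r'^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+(?P<user>\S+)\s+'
    r'(?P<pid>\d+)\s+Sign of "(?P<sig>[^"]+)" has been found in "(?P<path>[^"]+)" file\.')
# ...\System Volume Information\_restore{GUID}\RPnnn\... is a System Restore
# snapshot, i.e. a stored copy, not a file the running system is using.
RP_RE = re.compile(r'\\System Volume Information\\_restore\{[^}]+\}\\RP(\d+)\\', re.I)

def parse_log(text):
    """Parse Log Viewer lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rp = RP_RE.search(m["path"])
        records.append({
            "time": datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p"),
            "sig": m["sig"], "path": m["path"],
            "restore_point": int(rp.group(1)) if rp else None,
            # snapshot\_REGISTRY_* entries are saved copies of registry hives
            "is_hive": m["path"].split("\\")[-1].startswith("_REGISTRY_"),
        })
    return records

def triage(records):
    """Separate snapshot hits from live-file hits and summarise for follow-up."""
    in_rp = [r for r in records if r["restore_point"] is not None]
    live = [r for r in records if r["restore_point"] is None]
    # snapshot-only: nothing active is flagged; purging restore points clears
    # the hits and the sample is worth submitting as a possible false positive.
    verdict = "live-file" if live else ("snapshot-only" if in_rp else "no-detections")
    return {
        "verdict": verdict,
        "restore_points": sorted({r["restore_point"] for r in in_rp}),
        "live_paths": [r["path"] for r in live],
        "signatures": Counter(r["sig"] for r in records),
    }
```

Run `triage(parse_log(open("warning.log").read()))` over an exported Warning section; a "snapshot-only" verdict with a growing restore-point list matches the once-a-day pattern described in this thread.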

scott27052

  • Guest
Re: win 32 agent zps
« Reply #21 on: July 03, 2008, 03:09:27 AM »
the files are too large to be checked, I believe. I have this same issue as do many others.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89164
  • No support PMs thanks
Re: win 32 agent zps
« Reply #22 on: July 03, 2008, 02:37:21 PM »
Well I don't know what this is, but I can only guess that something is taking a snapshot of your registry and saving it as a restore point. It is that act that is triggering avast to scan it and the subsequent detection.

Now without being able to analyse the restore point it is going to be extremely difficult to resolve and as an avast user like yourselves I'm unable to suggest how this might be done.

You can check out this google search to see if any of the hits suggest what this REGISTRY_MACHINE_SOFTWARE application is and if it can be stopped, http://www.google.co.uk/search?q=REGISTRY_MACHINE_SOFTWARE. I had a quick look but it is heavy going and it would seem it is something that is set in windows, unfortunately I stopped using system restore years ago so I don't see these created on my system.

This was one that I found although it is about recovering these restore points it also says when and why they are created. http://forum.sysinternals.com/forum_posts.asp?TID=7672&PN=1
« Last Edit: July 03, 2008, 02:39:52 PM by DavidR »

Waarluaken

  • Guest
Re: win 32 agent zps
« Reply #23 on: July 03, 2008, 04:53:11 PM »
Hmmm, today avast hasn't detected anything so far....maybe disabling and re-enabling system restore fixed it. ;D

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89164
  • No support PMs thanks
Re: win 32 agent zps
« Reply #24 on: July 03, 2008, 06:18:16 PM »
Well disabling system restore would clear all restore points so there wouldn't be any infected/suspect restore points.

Just monitor it and see if these restore points in C:\System Volume Information have any _restore{10C55AB4-6DA6-4E72-A6F9-7F744635BE74}\RP491\snapshot\_REGISTRY_MACHINE_SOFTWARE entries and see if they are detected.

scott27052

  • Guest
Re: win 32 agent zps
« Reply #25 on: July 04, 2008, 03:51:10 PM »
Cleaning the system restore did indeed "fix" the problem, but what about the files in the chest? Should I delete them or just leave them alone? Thanks

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89164
  • No support PMs thanks
Re: win 32 agent zps
« Reply #26 on: July 04, 2008, 05:11:39 PM »
There is no rush to delete anything from the chest, a protected area where it can do no harm. Anything that you send to the chest you should leave there for a few weeks. If after that time you have suffered no adverse effects from moving these to the chest, scan them again (inside the chest) and if they are still detected as viruses, delete them.

scott27052

  • Guest
Re: win 32 agent zps
« Reply #27 on: July 06, 2008, 04:52:47 PM »
Before I cleaned the system restore points, the files in the chest would come up as infected when scanned in the chest, now they don't, so will they reinfect if restored? Thanks

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89164
  • No support PMs thanks
Re: win 32 agent zps
« Reply #28 on: July 06, 2008, 05:01:24 PM »
Well it would appear that the file/s have been sent to avast for analysis and found to be a false positive detection (which I suspected and why I tried to get you to upload to VirusTotal) and the VPS corrected.

That is why they are no longer detected in the chest. This is a good example of why files should be sent to the chest and left for a few weeks and rescanned before deletion.

scott27052

  • Guest
Re: win 32 agent zps
« Reply #29 on: July 06, 2008, 08:04:04 PM »
They were too large for VirusTotal, as I and another poster commented earlier.