Author Topic: Avast periodically reporting Win32:Agent-ITS (Read 5261 times)

Nameless One · « **on:** May 28, 2009, 04:13:40 PM »

I have a problem with this little piece of malware. At least once a day, Avast reports that c:\Documents and Settings\All Users\Documents\GameSetup.exe is infected with Win32:Agent-ITS. These reports always happen in pairs with about 10-30 seconds between the two.

I tried a maximally thorough scan with the latest virus definitions and also tried to fix it with SDfix, but it didn't help.

Any suggestions?

DavidR · « **Reply #1 on:** May 28, 2009, 04:22:55 PM »

What are you doing when the alert happens, as surely unless you are using the game than that file would be dormant so not detected ?

Is it always this file and location that are detected ?

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here the URL in the Address bar of the VT results page. You can't do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

cinchez · « **Reply #2 on:** May 29, 2009, 06:29:29 AM »

Maybe, just maybe, avast! is detecting Gamesetup.exe because it is really a threat^^

I googled gamesetup.exe and the results...the file is dangerous^^

This might help^^http://answers.yahoo.com/question/index?qid=20080223210943AA3lOLn

Furthermore, send that file to VirusTotal for analysis^^

Hope this helps^^

-AnimeLover^^

Nameless One · « **Reply #3 on:** May 29, 2009, 12:52:33 PM »

I don't remember installing a game with anything called GameSetup.exe. It's usually just setup.exe. I always delete this file so I guess that some kind of malware that is not detected by Avast is periodically creating this file that is detected as a trojan. I always choose to delete this file and it is absolutely always created in the same directory.

I'll try the VirtusTotal and see what happens.

FreewheelinFrank · « **Reply #4 on:** May 29, 2009, 12:59:05 PM »

Try a boot time scan with avast! Right click the scanner screen, select 'schedule a boot time scan' and reboot when requested. (Or open the tab at the top left of the scanner screen and select the boot time option from there.)

Try a scan with DrWeb CureIT!
Try a scan with Kaspersky Virus removal Tool

Try the usual free adware/spyware scanners.

SUPERAntiSpyware Free
a-Squared Free
Malwarebytes' Anti-Malware

Download, install and update the programs.

Always select the option to quarantine any malware found rather than delete it, then you will be able to restore files or registry entries wrongly identified as malware- a rare but not unknown event for any malware scanner.

cinchez · « **Reply #5 on:** May 29, 2009, 02:39:00 PM »

The probability of ur PC being infected by that gamesetup.exe is about 75%^^lol^^

Note that the location of the file is almost identical to the location of the user in the link^^

http://forums.cnet.com/5208-6142_102-0.html?threadID=290012

Try the suggestions of FreewheelinFrank and DavidR, those might solve the problem^^

Good luck^^

-AnimeLover^^

Nameless One · « **Reply #6 on:** June 01, 2009, 10:16:16 PM »

Thanks for advices, everyone. I had to urgently go out of town so I didn't have a chance to try your suggestions immediately.

I've sent GameSetup.exe to VirusTotal and here's the report:

http://www.virustotal.com/analisis/6eedfe191a5cf5aa8cf8b88664317828fff03641a95c6010ffad90f9e8db6244-1243886628

btw, the exe file now has a weird icon that reminds me of an anime robot or spaceship.

I also have 0-byte hidden file in the same folder called simply kht

There is also a highly suspicious wgvnwj.exe in the same folder that has an icon of a mobile phone. Avast says this file is clean. VirusTotal says:

http://www.virustotal.com/analisis/ec5fdf54e89b53ffd85e1416ab4c8937ca57e1cd5f7bb7a3dcd50fb0efcd0fd1-1243887220

I guess it's thumbs down for Avast this time. At least it's free

So, any advices on how to remove this?

Jtaylor83 · « **Reply #7 on:** June 02, 2009, 12:54:03 AM »

Follow FWF's advice and use Dr. Web Cureit, MBAM, or SAS.

Mr.Agent · « **Reply #8 on:** June 02, 2009, 02:06:06 AM »

Also like the other guy say if you want to help us at progress the detection rate send the file to the chest and report it as a virus.

Mr.Agent

Nameless One · « **Reply #9 on:** June 02, 2009, 01:49:53 PM »

Quote from: Mr.Agent on June 02, 2009, 02:06:06 AM

Also like the other guy say if you want to help us at progress the detection rate send the file to the chest and report it as a virus.

Mr.Agent

Ok, thanks for help everyone. I'll wait for the file to appear again then report it before hopefully cleaning it from my system.

cinchez · « **Reply #10 on:** June 02, 2009, 03:42:34 PM »

Good luck bro^^

-AnimeLover

Author Topic: Avast periodically reporting Win32:Agent-ITS (Read 5261 times)

Nameless One

Avast periodically reporting Win32:Agent-ITS

DavidR

Re: Avast periodically reporting Win32:Agent-ITS

cinchez

Re: Avast periodically reporting Win32:Agent-ITS

Nameless One

Re: Avast periodically reporting Win32:Agent-ITS

FreewheelinFrank

Re: Avast periodically reporting Win32:Agent-ITS

cinchez

Re: Avast periodically reporting Win32:Agent-ITS

Nameless One

Re: Avast periodically reporting Win32:Agent-ITS

Jtaylor83

Re: Avast periodically reporting Win32:Agent-ITS

Mr.Agent

Re: Avast periodically reporting Win32:Agent-ITS

Nameless One

Re: Avast periodically reporting Win32:Agent-ITS

cinchez

Re: Avast periodically reporting Win32:Agent-ITS