Author Topic: Please help: Avast Detected VBS: Agent-CM Trojan  (Read 6793 times)


nesschap

  • Guest
Please help: Avast Detected VBS: Agent-CM Trojan
« on: July 23, 2009, 02:51:13 PM »
Avast just detected VBS: Agent-CM Trojan but it will not let me move it to the chest or delete the file. Can someone please help me to be rid of it??? Thank you soooo much!!!

Vanessa

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89211
  • No support PMs thanks
Re: Please help: Avast Detected VBS: Agent-CM Trojan
« Reply #1 on: July 23, 2009, 04:14:19 PM »
What is the infected file name, and where was it found, e.g. (C:\windows\system32\infected-file-name.xxx)?
Check the avast! Log Viewer (right click the avast 'a' icon), Warning section, this contains information on all avast detections. C:\Program Files\Alwil Software\Avast4\ashLogV.exe

- Or check the source file using notepad C:\Program Files\Alwil Software\Avast4\DATA\log\Warning.log and copy and paste the entry.

If you have XP, Vista 32-bit or Win2k, you could enable a boot-time scan. Right click the avast icon, select Start avast! Antivirus, a memory scan will take place followed by the opening of the Simple User Interface, Menu, 'Schedule boot-time scan...' Or see http://www.digitalred.com/avast-boot-time.php.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

nesschap

Re: Please help: Avast Detected VBS: Agent-CM Trojan
« Reply #2 on: July 24, 2009, 12:47:08 AM »
Thank you David...here is the pasted entry from the warning log!

7/22/2009   10:03:30 PM   1248314610   Vanessa   3224   Sign of "VBS:Agent-CM [Trj]" has been found in "C:\WINDOWS\Installer\9aa425.msi\Binary.vista.vbs" file. 

As far as I have searched there is no file by this name.

Offline DavidR

Re: Please help: Avast Detected VBS: Agent-CM Trojan
« Reply #3 on: July 24, 2009, 01:13:35 AM »
The actual file you are looking for is 9aa425.msi, a Windows installation file, and the detected file (Binary.vista.vbs) is within that archive file, and I believe the problem is that avast can't extract the suspect/infected file from within the .msi file without possibly corrupting it.

You don't say what the error was when you couldn't move or delete the file, I suspect it was something like this is an unsupported file type, or words to that effect?

The file name is certainly a weird one, 9aa425.msi which looks like it was randomly generated as there are zero hits on google for that file name. I would have expected for an installation file more hits would have been returned.

A search for the binary.vista.vbs, does bring some hits which tend to indicate this is a good detection, See Binary_vista_vbs information and a google search http://www.google.com/search?q=Binary.vista.vbs.

So to me I would say that the detection is good but the only real option is to place the 9aa425.msi in the avast chest (or delete it but I hate deletion, no more options left):

You can add the file to the User Files (File, Add) section of the avast chest (if it isn't already there) where it can do no harm and send it from there. A copy of the file/s will remain in the original location, so you will need to take further action and can remove/rename that.
 
Send it from the User Files section of the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.

####
There is more you may need to do to clean up after this installation:
Program & Tutorial - Also useful as a diagnostic tool - FileHippo Download - HiJackThis and post the contents of the HJT log file here. - HJT Information HiJackThis Tutorial.

Download and run HJT and post the contents of the log file (cut and paste or attach the log file) into this topic, you may need to split it over two or more posts depending on how large it is.

If you haven't already got this software (freeware), download, install, update and run it and report the findings (it should produce a log file).

Don't worry about reported tracking cookies, they are a minor issue and not one of security, allow SAS to deal with them though. - See http://en.wikipedia.org/wiki/HTTP_cookie.
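
Added example, not part of any post in this thread: the Warning.log entry above names a path that continues past the .msi, which is why searching for "Binary.vista.vbs" on disk finds nothing. This sketch parses such an entry and separates the file that actually exists on disk from the member inside it; the function names and the list of container extensions are assumptions made for illustration.

```python
import re
from pathlib import PureWindowsPath

# Assumption: extensions treated as containers a scanner can look inside.
CONTAINER_EXTS = {".msi", ".cab", ".zip", ".rar", ".7z"}

# Message part of a Warning.log detection entry, as quoted in Reply #2.
DETECTION_RE = re.compile(
    r'Sign of "(?P<sig>[^"]+)" has been found in "(?P<path>[^"]+)" file'
)

def split_container(path):
    """Return (file_on_disk, inner_member); inner_member is None for a plain file."""
    parts = PureWindowsPath(path).parts
    # A container extension on any component except the last marks the real file.
    for i, part in enumerate(parts[:-1]):
        if PureWindowsPath(part).suffix.lower() in CONTAINER_EXTS:
            on_disk = str(PureWindowsPath(*parts[: i + 1]))
            return on_disk, "\\".join(parts[i + 1 :])
    return str(PureWindowsPath(path)), None

def parse_warning_line(line):
    """Parse one log line; return None if it is not a detection entry."""
    m = DETECTION_RE.search(line)
    if m is None:
        return None
    on_disk, member = split_container(m.group("path"))
    return {"signature": m.group("sig"), "file_on_disk": on_disk, "member": member}

SAMPLE_LOG = [
    # Entry pasted in the thread.
    r'7/22/2009   10:03:30 PM   1248314610   Vanessa   3224   Sign of "VBS:Agent-CM [Trj]" '
    r'has been found in "C:\WINDOWS\Installer\9aa425.msi\Binary.vista.vbs" file.',
    # Constructed entry for a plain (non-archive) file.
    r'7/22/2009   10:05:00 PM   1248314700   Vanessa   3224   Sign of "Example-Sig [Trj]" '
    r'has been found in "C:\Temp\sample.vbs" file.',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(parse_warning_line(entry))
```

The "file_on_disk" value is the item to quarantine or submit as a whole; "member" is only meaningful inside that container.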

nesschap

Re: Please help: Avast Detected VBS: Agent-CM Trojan
« Reply #4 on: July 24, 2009, 02:37:36 AM »
Ah...yes....I did leave out the error code...it would not let me delete or send the file to the chest :(   Sorry for leaving that out!

Offline DavidR

Re: Please help: Avast Detected VBS: Agent-CM Trojan
« Reply #5 on: July 24, 2009, 03:40:59 AM »
Let's not dwell on that now, you need to take the other suggested actions I mentioned and run the other tools.