Avast periodically reporting Win32:Agent-ITS

I have a problem with this little piece of malware. At least once a day, Avast reports that c:\Documents and Settings\All Users\Documents\GameSetup.exe is infected with Win32:Agent-ITS. These reports always happen in pairs with about 10-30 seconds between the two.

I tried a maximally thorough scan with the latest virus definitions and also tried to fix it with SDfix, but it didn’t help.

Any suggestions?

What are you doing when the alert happens, as surely unless you are using the game then that file would be dormant so not detected?

Is it always this file and location that are detected?

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here (the URL in the Address bar of the VT results page). You can’t do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

Maybe, just maybe, avast! is detecting Gamesetup.exe because it is really a threat^^

I googled gamesetup.exe and the results…the file is dangerous^^

This might help^^ http://answers.yahoo.com/question/index?qid=20080223210943AA3lOLn

Furthermore, send that file to VirusTotal for analysis^^

Hope this helps^^

-AnimeLover^^

I don’t remember installing a game with anything called GameSetup.exe. It’s usually just setup.exe. I always delete this file so I guess that some kind of malware that is not detected by Avast is periodically creating this file that is detected as a trojan. I always choose to delete this file and it is absolutely always created in the same directory.

I’ll try VirusTotal and see what happens.

Try a boot time scan with avast! Right click the scanner screen, select ‘schedule a boot time scan’ and reboot when requested. (Or open the tab at the top left of the scanner screen and select the boot time option from there.)

Try a scan with DrWeb CureIT!
Try a scan with Kaspersky Virus removal Tool

Try the usual free adware/spyware scanners.

SUPERAntiSpyware Free
a-Squared Free
Malwarebytes’ Anti-Malware

Download, install and update the programs.

Always select the option to quarantine any malware found rather than delete it, then you will be able to restore files or registry entries wrongly identified as malware - a rare but not unknown event for any malware scanner.

The probability of ur PC being infected by that gamesetup.exe is about 75%^^lol^^

Note that the location of the file is almost identical to the location of the user in the link^^

http://forums.cnet.com/5208-6142_102-0.html?threadID=290012

Try the suggestions of FreewheelinFrank and DavidR, those might solve the problem^^

Good luck^^

-AnimeLover^^

Thanks for the advice, everyone. I had to urgently go out of town so I didn’t have a chance to try your suggestions immediately.

I’ve sent GameSetup.exe to VirusTotal and here’s the report:

http://www.virustotal.com/analisis/6eedfe191a5cf5aa8cf8b88664317828fff03641a95c6010ffad90f9e8db6244-1243886628

btw, the exe file now has a weird icon that reminds me of an anime robot or spaceship.

I also have a 0-byte hidden file in the same folder called simply kht.

There is also a highly suspicious wgvnwj.exe in the same folder that has an icon of a mobile phone. Avast says this file is clean. VirusTotal says:

http://www.virustotal.com/analisis/ec5fdf54e89b53ffd85e1416ab4c8937ca57e1cd5f7bb7a3dcd50fb0efcd0fd1-1243887220

I guess it’s thumbs down for Avast this time. At least it’s free :)

So, any advice on how to remove this?

Follow FWF’s advice and use Dr. Web Cureit, MBAM, or SAS.

Also, like the other guy says, if you want to help us improve the detection rate, send the file to the chest and report it as a virus. :)

Mr.Agent

Ok, thanks for the help, everyone. I’ll wait for the file to appear again then report it before hopefully cleaning it from my system.

Good luck bro^^

-AnimeLover