I ran a scan with Malwarebytes and received 2 warnings.
I right-clicked the offending file with Avast and received: "No virus found".
I then redid the scan by right-clicking the offending file with Malwarebytes and received this:
Malwarebytes’ Anti-Malware 1.44
Database version: 3766
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svowj (Rootkit.Agent) → No action taken.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
c:\WINDOWS\system32\drivers\xjilsp.sys (Rootkit.Agent) → No action taken.
I was going to send them to Quarantine and thought better of it since the registry is involved.
Does anyone know if they are false positives from Malwarebytes, or if Avast just does not find them?
Any assistance will be appreciated, but sorry, I must leave in about 10 minutes and may not be able to get back to the computer until tomorrow.
Sorry :-[
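Added example, not part of the original thread: a small parser for the Malwarebytes log layout quoted in the post above, listing the detections still marked "No action taken" (the items that remain active on disk and in the registry). The names `Detection`, `parse_log` and `unresolved` are hypothetical, and the sample log is constructed from the lines in the post plus one made-up entry.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of the log quoted above. The arrow is
# written "->" here; the parser also accepts the "→" form shown in the post.
# The last entry is made up to exercise a path that contains parentheses.
SAMPLE_LOG = r"""Memory Processes Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svowj (Rootkit.Agent) -> No action taken.
Files Infected:
c:\WINDOWS\system32\drivers\xjilsp.sys (Rootkit.Agent) -> No action taken.
C:\Program Files (x86)\Example\constructed.dll (Example.Threat) -> Quarantined and deleted successfully.
"""

@dataclass
class Detection:
    section: str  # e.g. "Registry Keys" or "Files"
    item: str     # registry path or file path
    threat: str   # detection name in parentheses
    action: str   # what the scanner did with the item

SECTION_RE = re.compile(r"^(?P<name>.+?) Infected:\s*$")
ENTRY_RE = re.compile(
    r"^(?P<item>.+?) \((?P<threat>[^()]+)\) (?:->|→) (?P<action>.+?)\.?\s*$"
)

def parse_log(text):
    """Return every detection entry, tagged with the section it appeared in."""
    detections, section = [], None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        # "(No malicious items detected)" and header lines do not match.
        m = ENTRY_RE.match(line) if section else None
        if m:
            detections.append(Detection(section, m["item"], m["threat"], m["action"]))
    return detections

def unresolved(detections):
    """Detections the scanner reported but did not quarantine or remove."""
    return [d for d in detections if d.action.lower().startswith("no action")]

if __name__ == "__main__":
    for d in unresolved(parse_log(SAMPLE_LOG)):
        print(f"[{d.section}] {d.item} ({d.threat})")
```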
Send the sample to virus (at) avast (dot) com, zipped and password protected, with the password in the email body (a link to this topic might help) and "undetected malware" in the subject.
Or send the sample to Avast as Undetected Malware:
Open the chest and right click in the Chest and Add, navigate to where you have the sample and add it to the chest (see image). Once in the chest, right click on the file and select ‘Submit to virus lab…’ complete the form and submit, the file will be uploaded during the next update.
Thanks
I have placed it in the virus chest and will now wait for the next update. Your instructions were easy to follow, but for some reason I couldn’t see the image.
Thanks
Nothing showed up on the VirusTotal scan for F-Secure.
Just out of curiosity I did a manual update and Avast said uploading file c:\WINDOWS\system32\drivers\xjilsp.sys.
I have checked and the file is still located in the original place, and if I scan it with Malwarebytes it still shows up as infected.
The file is in the Avast chest as well. I thought the file being in the chest would remove it from the original place where it is situated.
Should I quarantine it with Malwarebytes or wait for an actual automated VPS update?
I ran Malwarebytes and now it is in quarantine; I have rebooted twice and so far it has not returned to its original location.
After the first reboot, which Malwarebytes asked for, I noticed these errors in Event Viewer:
The following boot-start or system-start driver(s) failed to load:
ViaIde
The System Restore filter encountered the unexpected error ‘0xC0000001’ while processing the file ‘’ on the volume ‘HarddiskVolume1’. It has stopped monitoring the volume.
I rebooted again and all came up okay, no errors in Event Viewer.
So I still have the file in the Avast chest, and will probably leave it there for a while, then delete it; I hope it will cause no problems.
I was surprised when I added the file xjilsp.sys to the chest that it left the file in its original location, as I don’t see the point of the chest if the file is still active.
So I am lucky that Malwarebytes has allowed me to quarantine them; at this stage I am still not sure if they are false positives or not.
Just wondering, if you sent a file to Avast, as in my case where Malwarebytes flagged that I had a rootkit warning.
If you don’t get a reply back from Avast, if it was not a virus, how would you know if you can restore the file? (How long do you keep scanning the file in the chest?)
I added the suspect file to the Chest. Sent it to Avast on the 20th February.
Every time there is a VPS update I scan it in the chest.
Also, when I added the file to the chest it left the file behind, and I had to quarantine it using Malwarebytes.
My question is, if the file showed up as having a virus, would the file then not have been left behind?
Because I added the file as "undetected malware", was this the reason the file was left behind?
I am concerned about the file being left behind when I sent it to the chest.
First, general advice is, there is no rush to delete anything from the chest, a protected area where it can do no harm. Anything that you send to the chest you should leave there for a few weeks. If after that time you have suffered no adverse effects from moving these to the chest, scan them again (inside the chest) and if they are still detected as viruses, delete them.
The problem in this case is slightly different in that it currently isn’t detected. Given the file name xjilsp.sys, its location in the c:\WINDOWS\system32\drivers\ folder and no Google hits for the file name outside of this topic, it is highly suspect, so there is no way it should be left in its original location or restored from the chest.
When you add a file to the chest it is different to a detection, as all you are doing is adding a copy of the file; you still have to deal with the original file in its location, so allow MBAM to deal with it…
DavidR, thanks once again for your advice, much appreciated.
Yep, I will leave the file in the Avast chest for the foreseeable future.
At the moment the offending file is quarantined in Malwarebytes, where it will stay for quite a while.
Last but not least, thanks for explaining how when you add a file to the chest you are placing a copy.
Different if Avast had picked up an infection in the file, in which case the file itself would be quarantined by Avast.