Two files detected by Avast

Avast detected these two files in my system:

  • msconfd.exe
  • wmssys.exe

Before the scan (and “chesting” the files) I noticed that Windows sometimes wasn’t able to shut down… I don’t know if this is due to the files (they may be trojans).
Could someone add some info explaining what the files are and what they do?

Thanks
ping1it

Hi, welcome to the forums.

Please help us to help you. In order to help fully we need more information…

  • What OS are you using? Is it up to date?
  • What email program are you using - if applicable?
  • avast! version and VPS file (virus database) number, e.g. 0436-4 (see about avast!)
  • What was the virus name, what was the filename, where was it found
    example (C:\windows\system32\infected-filename.xxx)?
  • What actions have you taken to try and resolve the problem?
    Also see this thread for further information and advice: User’s FAQ.

A google search for either of these files would also give you some further information. When avast reported these it would also have given you a virus name.

Thank you DavidR

OK, let’s proceed in order with the information needed:

  • OS: Windows 98SE, not up to date at the time the files were detected (but now it is!!)
  • No e-mail client used (I manage my e-mail account directly on the site)
  • Avast version: 4.1 Home edition
  • VPS file: unfortunately I don’t remember which it was at the time of detection, but it was not older than one month
  • Virus name: Win32:Trojan-gen.{UPX!} (this is what I read in Avast’s report; the same name for both files)
  • File names and their original locations:
      • C:_wmssys.exe
      • C:\windows\system\msconfd.exe
  • Actions taken: I moved both files to the “virus chest” as suggested by Avast, and filled in the “Virus incident report” on Avast’s site

Moreover, when I noticed my system wasn’t able to shut down (before Avast’s scan), I checked all active processes with the MS Process Viewer, but found nothing! Is it possible for a malicious process to run outside user space, like a driver or something like this?

Well, that’s all. I hope this information is enough. If not, please let me know.

Thank you
ping1it

Now that you have rid yourself of the infected files and, I assume, confirmed your system is clean, I would advise running HijackThis to ensure that no registry entries, etc. were set up by the trojan.

Pay a visit to Eddy’s HiJackThis Info and Analysis page, HijackThis log file analyzer, follow the directions there and get back to us if you need more help…

You can cut and paste your hijackthis.log file here (or attach it; it must be renamed to yourfilename.txt), or if you want to try an online scan of your HijackThis file, try here: http://hijackthis.de/index.php