What is this warning/error?

5/13/2008 5:04:09 PM SYSTEM 1484 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\WINDOWS\system32\shmgrate.exe (C:\WINDOWS\system32\shmgrate.exe) returning error, 00000005.

5/13/2008 5:04:09 PM SYSTEM 1484 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\WINDOWS\system32\shmgrate.exe failed, 00000005.

The 00000005, Windows error 5 = Access is denied.

There may well be a legitimate reason for access to be denied, but this one may be a Trojan and something is protecting it (google search for the file name http://www.google.co.uk/search?q=shmgrate.exe). See one of the google returns, http://www.liutilities.com/products/wintaskspro/processlibrary/shmgrate/.

If you can, try to upload the file to VirusTotal for a scan: check the offending/suspect file at VirusTotal - Multi engine on-line virus scanner and report the findings here. I feel VirusTotal is the better option as it uses the Windows version of avast (more packers supported) and there are currently over 30 different scanners.

If you have XP, Vista 32-bit or Win2k, you could enable a boot-time scan. Right click the avast icon, select Start avast! Antivirus, Menu, ‘Schedule boot-time scan…’ Or see http://www.digitalred.com/avast-boot-time.php. This may well be able to scan it outside of Windows and possibly bypass this protection.

The boot-time scan might take a little time but may well be worth it just in case there might be something else, rather than use the advanced options to restrict the scan to the system32 folder.

What is your OS, XP Home/Pro?
What is your firewall?

If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode and report the findings (it should produce a log file).

  1. If using WinXP or Vista: SUPERantispyware, on-demand only in free version. Or Spyware Terminator, resident scanner (if you use this don’t install the toolbar or crawler or the anti-virus module). Or a-Squared free, on-demand only with free version (if using Win98/ME).

SAS will also run on 98SE/ME.

So will Spyware Terminator for on-demand scans.

Sorry, never mind.
I saw shmgrate modifying weird files so I put it into quarantined files in CFP. No other app can access it, not even avast scanner, so that’s why I was getting the error. (At least I know quarantined files work… :slight_smile:)

The location that avast was originally trying to scan the file in is not a quarantine area but the windows\system32 folder, so at that point it wasn’t in a quarantine.

If CFP allows you to copy/extract the file to a temp location (other than the original location) it shouldn’t present a problem so:
a) avast should be able to scan it in the extracted location (as whatever might have been protecting it won’t be aware of its new location). It would also allow the other scanners you have to scan it.
b) you should be able to upload it to VirusTotal
c) if avast doesn’t detect anything - Send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help and undetected malware in the subject. This should help to improve the avast detections and help other avast users.

Or you can also add the file to the User Files (File, Add) section of the avast chest where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location (where you extracted it to), so any further action you take can remove that.

http://www.virustotal.com/analisis/688b46bbedcbd014feee450af08bffcf

Very interesting considering what you said below.

"I saw shmgrate modifying weird files so I put it into quarantined files in CFP."

It is also strange if you have removed it from its original location without complaint from what might be running it or the command to run it so it can do those weird file modifications.

So it would possibly be worth sending it to avast for analysis as a possible undetected malware sample.

Send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help and Possible Undetected Malware in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.

I never moved it though.

My brother's laptop has this logged also every time he starts his laptop up; he has Windows XP Home Edition.
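
As an added example that is not part of the original thread: a Python triage script for the two AAVM log-line shapes quoted at the top, decoding the trailing code and grouping repeated failures per file across days. The regexes are inferred only from those two lines, the trailing field is assumed to be a hexadecimal Win32 error code, and every sample line after the first two is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
# Standard Win32 error codes a scanner commonly hits when opening a file.
WIN32_ERRORS = {0x02: "ERROR_FILE_NOT_FOUND", 0x03: "ERROR_PATH_NOT_FOUND",
                0x05: "ERROR_ACCESS_DENIED", 0x20: "ERROR_SHARING_VIOLATION"}

HEAD = re.compile(r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) \S+ \d+ "
                  r"AAVM - scanning (?P<sev>warning|error): (?P<msg>.*)$")
# The two message shapes shown in the thread.
BODIES = (
    re.compile(r"\[UNI\]: (?P<path>.+?) \(.*\) returning error, (?P<code>[0-9A-Fa-f]{8})\.$"),
    re.compile(r"avfilesScanReal of (?P<path>.+?) failed, (?P<code>[0-9A-Fa-f]{8})\.$"),
)

def parse_line(line):
    """Return (timestamp, severity, path, code) or None for unrelated lines."""
    head = HEAD.match(line.strip())
    if not head:
        return None
    for body in BODIES:
        m = body.search(head["msg"])
        if m:
            ts = datetime.strptime(head["ts"], "%m/%d/%Y %I:%M:%S %p")
            # Assumption: the trailing 8-digit field is a hexadecimal Win32 code.
            return ts, head["sev"], m["path"], int(m["code"], 16)
    return None

def summarize(lines):
    """Group failures by (file, code); Windows paths compare case-insensitively."""
    groups = defaultdict(lambda: {"count": 0, "days": set()})
    for ts, _sev, path, code in filter(None, map(parse_line, lines)):
        g = groups[(path.lower(), code)]
        g["count"] += 1
        g["days"].add(ts.date())
        g["meaning"] = WIN32_ERRORS.get(code, "unknown code 0x%08X" % code)
    return dict(groups)
# First two lines are quoted from the thread; the rest are constructed samples.
SAMPLE = r"""
5/13/2008 5:04:09 PM SYSTEM 1484 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\WINDOWS\system32\shmgrate.exe (C:\WINDOWS\system32\shmgrate.exe) returning error, 00000005.
5/13/2008 5:04:09 PM SYSTEM 1484 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\WINDOWS\system32\shmgrate.exe failed, 00000005.
5/14/2008 8:15:42 AM SYSTEM 1484 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\Windows\System32\shmgrate.exe failed, 00000005.
5/14/2008 8:16:03 AM SYSTEM 1520 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\pagefile.sys failed, 00000020.
5/14/2008 8:20:00 AM SYSTEM 1520 Some unrelated log entry.
""".strip().splitlines()

if __name__ == "__main__":
    for (path, code), g in sorted(summarize(SAMPLE).items()):
        print(f"{path}: {g['meaning']} x{g['count']} on {len(g['days'])} day(s)")
```

A file that shows access denied on several separate days, as in the last post, stands out in the grouped output and is the one to take to a boot-time scan or VirusTotal.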