win 32 agent zps

I also keep getting win 32 agent zps, is this a FP? Any help would be appreciated ???

Any information would be helpful.

What is it in relation too (program association, why you think it is an FP, etc.) ?
What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ?
Check the avast! Log Viewer (right click the avast ‘a’ icon), Warning section, this contains information on all avast detections.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here. You can’t do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

If it is indeed a false positive, see http://forum.avast.com/index.php?topic=34950.msg293451#msg293451, how to report it to avast! and what to do to exclude them until the problem is corrected.

hi,I’ve had this virus in my chest for about 2 weeks now not had any problems but when i do a full scan it finds it and tells me to put it in the chest any clues could this be a fp? done a scan in safe mode nothing found strange isn’t it?

I suggest:

  1. Disable System Restore and reenable it after step 3.
  2. Clean your temporary files.
  3. Schedule a boot time scanning with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
  4. Use SUPERantispyware, MBAM or Spyware Terminator to scan for spywares and trojans. If any infection is detected, better and safer is send the file to Quarantine than to simple delete than.
  5. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
  6. Make a HijackThis log to post here or, better, submit the RunScanner log to to on-line analysis.
  7. Immunize your system with SpywareBlaster or Windows Advanced Care.
  8. Check if you have insecure applications with Secunia Software Inspector.

Where does it find it ?
The reason I ask it doesn’t scan files ‘within’ the chest (they are encrypted) on a full on-demand scan ?

If you open the chest, infected files section and right click on the file, select scan what are the results.
What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ?
Check the avast! Log Viewer (right click the avast ‘a’ icon), Warning section, this contains information on all avast detections. Or the chest retains information on the original location.

when i scan in the chest it is infected still, its found in windows/system32/config/reg.file name is software old thanks

Do you use any registry backup (RegBack) ?

I have seen software.old detected in another topic, try a forum search for software.old in the viruses and worms forum. You would find this post of mine, read it and the rest of the topic as it is the same as yours, http://forum.avast.com/index.php?topic=36719.msg307671#msg307671 a false positive.

no i dont use it, thanks for your help with that cheers.

No problem, glad I could help.

Don’t forget send the sample for analysis, etc.

Welcome to the forums.

I have been getting the same alert on win 32 in System volume Information\restore, but the files I checked were more than 10 MB and VirusTotal says it will not accept files over 10. I have three computers and two external drives showing the win 32. I am starting to run through the procedures and scans that were posted earlier, but if it is a FP it would make it a lot easier.

We don’t know if yours is a false positive as a) we don’t know what is in the restore point is the same as the other files detected here and b) since you can’t upload it for analysis we can’t confirm one way or another.

The file in this topic which is being talked about is software.old, the malware name could apply to many different file names and many of those could be valid detections, so we need to look at more than just the malware name when considering if it might be a false positive.

Whilst I would say it is a possibility it isn’t one to gamble on. The best bet is to disable system restore, reboot that will clear all restore points, now enable system restore again, that will create a clean restore point. Assuming you have no other detections outside the system volume information folder.

DavidR

Thanks for the info on …WIN32:Agent-ZPS[trj] …
I have two computers on a home network that seems to have picked this up from SYSTEM MECHANIC oem install disk. I have run multiple scans and one computer has been cleaned of the infection but the other computer keeps having it show up on the restore point file. I’ll try your suggestions on clearing the restore point and let you know if it clears it.
I have tried several AV sites to see if they have any info on this particular Trojan, and AVAST forum is the only place that even addressed it.
Thanks again…
John Kirkpatrick
OS: Win XP Pro
CPU: AMD 64 Athlon

You’re welcome.

The problem is that there is no standardisation in virus naming, so the same virus/trojan could have multiple aliases from other AVs so searching for a malware name if often fruitless or confusing. searching on the file name often brings more useful information, unfortunately files in the system volume information folder don’t retain the original file name.

You can search for a family name like win32:agent, this brings much more information but again it is very varied as an agent trojan can have many different forms and variants. All this does make it harder to get precise information.

original file name is regestry machine software c sys vol info restore snaps…

Well that isn’t actually a file name as it has no file type, e.g. the filename.exe and sounds more like a registry location rather than a file.

If you have been able to move it to the chest then you extract it as outlined in other posts and upload it for scanning to virus total and report the findings.

I have the same exact problem, with the trojan being in my system volume information folder. Whats wierd is avast only detects it once a day, no matter how many times I restart my computer.

I tried disabling and re-enabling my system restore, hopefully that could have taken care of the problem. But how can we extract the file from the chest? Im a little confused about that. I want to know just in case it comes back tomorrow so I can upload it on one of those virus checker sites.

It isn’t strange to me avast scans activity, though it is strange in a way as if it is in the system volume information folder there shouldn’t be any activity in that folder. So what scan are you performing when this is detected ?

You first open the Chest, Infected Files section, right click on it and select Extract.

Avast detects it by the On-Access scanner a few minutes on start up once a day.

This make me think that malware can access/use the System Restore folder to reinfect the computer. But, I’ve read here that it’s not possible, only the user can manually restore files from that folder (restoring the system). Who is right? ???

Again I find this strange as this should be a windows protected area, the file names are changed from the original, though I was able to place a file in there in a little test. I have system restore disabled and I also have the view hidden system files and folders option enabled, so I don’t know if that might have anything to do with being able to do this.

What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ?

Check the avast! Log Viewer (right click the avast ‘a’ icon), Warning section, this contains information on all avast detections.