Win32:Agent-OLD [Trj]

Viruses and worms
1

I posted this earlier but I think I made a mistake by including it in a thread marked Resolved so I am trying again.

I have the exact same problem described by RufusO on December 28, 2007:
“Avast! reported that “C:\System Volume Information\catalog.wci\00000002.PS2” was a Win32:Agent-OLD [trj]” I have been able to delete it but it keeps reappearing.

I’ve tested the file with Norton Security, AVG Antivirus, AVG Antispyware, AVG AntiRootkit, Kaspersky online, TrendMicro online, Spybot, and AdAware but none of them identify it as a problem. The first time it was identified by Avast I was able to move it to the Moved directory. Avast found it there during the next scan and I was able to move it from there to the Chest. It is a large file: 29425664 bytes.

Unfortunately it soon reappeared in the original folder C:\System Volume Information\catalog.wci. I have been marking it for deletion on reboot and Avast is able to delete it that way but it always comes back again within a couple of hours.

Has this been identified as a false positive?

Thanks for any help. I have a HijackThis file so I might as well include it:
(actually it took me over my character limit so I just included the running processes)

Logfile of HijackThis v1.99.1
Scan saved at 6:56:19 PM, on 1/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\Wireless Optical Mouse\MOffice.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Wireless Optical Mouse\MOUSE32A.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\WinZip E-Mail Companion\loadwzco.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\My Downloads\ProcessExplorer\procexp.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Secunia\PSI (RC1)\psi.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Alwil Software\Avast4\ashChest.exe
C:\Program Files\IrfanView\i_view32.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

2

I see two ways:

  1. If you have knowledge to take the ownership of that folder, you can copy or directly send it for analysis on www.virustotal.com. Then you can know if it is a false positive. If so, you can add the file (do not add the whole folder!) to avast exclusion list of Standard Shield.
  2. If you don’t want to have this work, just disable the System Restore (it will delete the ‘infected’ restore points), click ‘Apply or Ok’, enable it again.
3

Hi Raybo,

Your hjt log is only partially there, you need to use more postings to send the complete logfile, then we can analyze it. You might have to block third party cookies in Firefox:

  1. Type about:config in the location bar
  2. Type “cookie” in the Filter field
  3. Right-click network.cookie.cookieBehavior and select “Modify” from the pop-up menu
  4. Change the value to 1
  5. Click OK.
  6. Close the window
    Waiting for your complete hjt logfile to analyze,

polonus

4

OK thanks Polonus. Here is a hjt scan I did right after Avast told me it found the trj again and before I did anything with the file through Avast. And here is a clue that is probably significant: it finds several thousand files in the System Volume Information folder but it always tells me it has found an infected file while the display still says “Tested files: 1”.
(I’ll send the rest of the hjt log in another post, it’s too long for one)

Logfile of HijackThis v1.99.1
Scan saved at 10:13:21 AM, on 1/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Wireless Optical Mouse\MOffice.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Wireless Optical Mouse\MOUSE32A.EXE
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\WinZip E-Mail Companion\loadwzco.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\My Downloads\ProcessExplorer\procexp.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Secunia\PSI (RC1)\psi.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WMP\WindowsMediaPlayer\MPLAYER2.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\Startup Inspector for Windows\wsInspector.exe
C:\Program Files\HijackThis\HijackThis.exe

5

(continuing)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: Pop-up Blocker - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\JunoForVistaAug07\qsacc\X1IEBHO.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll
O3 - Toolbar: JunoBar - {5854FAC4-5BF0-47DD-B5A9-A5EA8CFF3CF4} - C:\Program Files\JunoForVistaAug07\Toolbar.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: &Groowe 2 - {D52EE69D-ADC2-4AE7-BC19-4AEEC1890C76} - C:\PROGRA~1\Groowe\Toolbar2\GrooweToolbar2.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe”
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM..\Run: [ISUSPM Startup] “C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe” -startup
O4 - HKLM..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Wireless Optical Mouse\MOffice.exe
O4 - HKLM..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM..\Run: [ZoneAlarm Client] “C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe”
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM..\Run: [Windows Defender] “C:\Program Files\Windows Defender\MSASCui.exe” -hide
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [HP Software Update] c:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM..\Run: [WinZip E-Mail Companion OEAPI] “C:\Program Files\WinZip E-Mail Companion\loadwzco.exe”
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\K-Lite Codec Pack\QuickTime\QTTask.exe” -atboottime
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netwaiting.exe
O4 - HKCU..\Run: [HijackThis startup scan] C:\Program Files\HijackThis\HijackThis.exe /startupscan
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Secunia PSI (RC1).lnk = C:\Program Files\Secunia\PSI (RC1)\psi.exe
O4 - Global Startup: Shortcut to procexp.lnk = C:\My Downloads\ProcessExplorer\procexp.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Display All Images with Full Quality - “res://C:\Program Files\JunoForVistaAug07\qsacc\appres.dll/228”
O8 - Extra context menu item: Display Image with Full Quality - “res://C:\Program Files\JunoForVistaAug07\qsacc\appres.dll/227”
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search Using Copernic Agent - res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

6

(continuing again)
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra ‘Tools’ menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra ‘Tools’ menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {A526A2C7-723E-4081-BF70-A7A9913E8C4A} (LogData Class) - http://ipgweb.cce.hp.com/rdqnbk2/downloads/sysinfo.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

7

Tech, thanks to you too. The most recent time Avast found the file I moved and renamed it. Then I zipped it and sent it to virustotal. It is about 27MB unzipped and they say their limit is 10MB so I hope they accept zipped files. It zipped to less than 2 MB. If I hear from them I will let you know.

Polonus, I also took your advice and reconfigured my third-party cookies in Firefox according to your instructions.

8

Yes, they accept. It will be good to post the results. Thanks.

9

Below are the results from my submission to virustotal.com. Note that I had renamed the file according to how Avast had referred to it and their version of Avast came up with the same description.

Complete scanning result of “Agent-OLD[trj].zip”, processed in VirusTotal at 01/02/2008 17:25:22 (CET).

[ file data ]

  • name: Agent-OLD[trj].zip
  • size: 1832753
  • md5.: c31615a7c25b5cf32087ec5d4a915144
  • sha1: bac3ec4315da68060934d245ae368472b718e74a
  • peid…: -

[ scan result ]
AhnLab-V3 2008.1.2.10/20080102 found nothing
AntiVir 7.6.0.46/20080102 found nothing
Authentium 4.93.8/20080102 found nothing
Avast 4.7.1098.0/20080101 found [Win32:Agent-OLD]
AVG 7.5.0.516/20080102 found nothing
BitDefender 7.2/20080102 found nothing
CAT-QuickHeal 9.00/20071231 found nothing
ClamAV 0.91.2/20080102 found nothing
DrWeb 4.44.0.09170/20080102 found nothing
eSafe 7.0.15.0/20080101 found nothing
eTrust-Vet 31.3.5424/20080102 found nothing
Ewido 4.0/20080102 found nothing
F-Prot 4.4.2.54/20080101 found [Unknown format or compression method]
F-Secure 6.70.13030.0/20080102 found nothing
FileAdvisor 1/20080102 found nothing
Fortinet 3.14.0.0/20080102 found nothing
Ikarus T3.1.1.15/20080102 found nothing
Kaspersky 7.0.0.125/20080102 found nothing
McAfee 5196/20071231 found nothing
Microsoft 1.3109/20080102 found nothing
NOD32v2 2761/20080102 found [error - unknown compression method ]
Norman 5.80.02/20080102 found nothing
Panda 9.0.0.4/20080101 found nothing
Prevx1 V2/20080102 found nothing
Rising 20.25.22.00/20080102 found nothing
Sophos 4.24.0/20080102 found nothing
Sunbelt 2.2.907.0/20071230 found nothing
Symantec 10/20080102 found nothing
TheHacker 6.2.9.176/20080101 found nothing
VBA32 3.12.2.5/20080102 found nothing
VirusBuster 4.3.26:9/20080102 found nothing
Webwasher-Gateway 6.6.2/20080102 found nothing

10

Hi Raybo,

You could consider to fix this adware hjt entry:
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html

Load hjt, tag this entry, and give enter,

polonus

11

I submitted it again to virustotal in a different zip format and this time all the software packages were able to decompress it. All but Avast said “nothing found”.
Would you say it is safe to assume it is a false positive now?
Should I upload the file to Avast?

Polonus, I took your advice about fixing the Winamp adware that hjt flagged.

Thanks again!

12

I suppose the other scanners say the same (nothing found).

Most probably if the others say nothing too.

It won’t be necessary.

13

I want to say it again because from your response I think you misunderstood me (It did not make sense when you wrote:“I suppose the other scanners say the same (nothing found).”)

Avast does NOT say “nothing found”. Avast still thinks it is a trojan but all the others say “nothing found”.

14

So, seems a false positive.

15
"1. If you have knowledge to take the ownership of that folder, you can copy or directly send it for analysis on www.virustotal.com. Then you can know if it is a false positive. If so, you can add the file (do not add the whole folder!) to avast exclusion list of Standard Shield."

Tech, this is what you had suggested earlier. Do you still think I should add it to the exclusion list now that you think it is a false positive? If you do, can you tell me how?

Thanks for your help.
And thank you too, Polonus.
My mind is much relieved now. ;D

16

For the Standard Shield provider (on-access scanning):
Left click the ‘a’ blue icon, click on the provider icon at left and then Customize.
Go to Advanced tab and click on Add button…
Write down exactly this:
C:\System Volume Information\catalog.wci\00000002.PS2

I suggest you add this file to Chest, right clicking the Chest folder (User folder) and adding the same file. After that, please, periodically check it - scan it into Chest, right clicking the file - there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected as being infected then you can also remove it from the Exclusion list.

17

OK, thanks again. I’ve followed your latest suggestions and I will probably also send it off to virustotal.com again periodically if it continues to be flagged by Avast, just to see if any of the other scanners decide to agree with Avast that it is a Trojan.

18

Hi Raybo,

If none other in virustotal found something, exept avast, it could be put into the exclusion list.

polonus

19

Polonus, do you mean there is no need to keep checking with virustotal? I already put it in my exclusion list as Tech suggested.

20

I don’t think it is necessary. Check into Chest when avast corrects the false positive detection, then submit it again to virustotal and only after that restore the file.

Edited to increase security…