The Notebook Review forums were hosted by TechTarget, who shut down them down on January 31, 2022. This static read-only archive was pulled by NBR forum users between January 20 and January 31, 2022, in an effort to make sure that the valuable technical information that had been posted on the forums is preserved. For current discussions, many NBR forum users moved over to NotebookTalk.net after the shutdown.

    AVG found a threat.

    Discussion in 'Windows OS and Software' started by ScuderiaConchiglia, Oct 26, 2009.

  1. ScuderiaConchiglia

    ScuderiaConchiglia NBR Vaio Team Curmudgeon

    Reputations:
    2,674
    Messages:
    6,039
    Likes Received:
    0
    Trophy Points:
    205
    For the first time in YEARS I had my antivirus software actually find a threat. AVG detected the trojan horse Agent2.XUS in the C:\Program files\Pegasus Media Software\Agile WMV video splitter\contextmenu.dll

    AVG was able to move it to its virus vault, but I noted that the process name associated with it was c:\Windows\System32\rundll32.exe. Not a big surprise, since that's the executable responsible for loading DLLs into memory.

    So, what I am now trying to track down is WHY rundll32.exe thought it needed to load that DLL. The machine was sitting idle while I was watching TV. An hour later when I came back I saw the AVG alert. The Agile WMV Video Splitter directory was empty except for that DLL. It was from a video splitter I tried out a few months ago and uninstalled the same day. I did a registry scan to see if I could turn up any reference to the directory, but found none. That leaves me to wonder what could have TRIGGERED the DLL to be loaded. It's not enough for me to know that the DLL is now gone, but I want to know what was trying to bring it to life and how???

    Screen shot of AVG alert attached.

    Gary
     


  2. swarmer

    swarmer beep beep

    Reputations:
    2,071
    Messages:
    5,234
    Likes Received:
    0
    Trophy Points:
    205
    A few points here...
    1. This thread should be in the security subforum.
    2. Upload the file to www.virustotal.com to see if it's a real threat rather than something benign.
    3. rundll.exe is, I believe, normally invoked with command-line arguments telling it which dll to load. So... I think a malware program could use rundll.exe as a wrapper to run itself as a way of camouflaging itself... i.e., running under a commonly-used process name. It could put the rundll.exe command in one of the zillion ways to get a command to run when you start Windows or log on, such as using task scheduler, etc.
    4. I just searched and went to that program's website (avsofts dot com), and on my machine Norton flagged the website as unsafe... so it's probably bad stuff.

    EDIT: Here's Norton/Symantec's report: http://safeweb.norton.com/report/show?url=avsofts.com

    ... and the removal instructions: http://www.symantec.com/security_response/writeup.jsp?docid=2004-021914-2822-99&tabid=3
     
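    The autostart check swarmer describes in point 3, as an added example that is not from the thread: it enumerates the Run/RunOnce registry keys, scheduled task actions and service image paths for rundll32 command lines that reference a given DLL name. It assumes PowerShell 3 or later (for Get-ScheduledTask) and uses the DLL name from the original post as its default.

```powershell
# Added example, not code from the thread: find autostart entries that launch
# rundll32 with a given DLL. Run from an elevated PowerShell prompt.
param([string]$DllName = 'contextmenu.dll')   # name from the original post

$pattern = [regex]::Escape($DllName)
$hits = @()

function Test-RunDllCommand([string]$cmd) {
    # Match only command lines that both invoke rundll32 and name the DLL
    return ($cmd -match 'rundll32' -and $cmd -match $pattern)
}

# 1. Run / RunOnce keys for the machine and the current user
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Value -is [string] -and (Test-RunDllCommand $p.Value)) {
            $hits += [pscustomobject]@{ Source = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

# 2. Scheduled tasks: each task can carry several actions (exe + arguments)
foreach ($task in Get-ScheduledTask) {
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if (Test-RunDllCommand $cmd) {
            $hits += [pscustomobject]@{ Source = "Task $($task.TaskPath)"; Name = $task.TaskName; Command = $cmd }
        }
    }
}

# 3. Services whose image path goes through rundll32
foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    if ($svc.PathName -and (Test-RunDllCommand $svc.PathName)) {
        $hits += [pscustomobject]@{ Source = 'Service'; Name = $svc.Name; Command = $svc.PathName }
    }
}

if ($hits.Count -eq 0) { Write-Output "No rundll32 autostart entry references $DllName" }
else { $hits | Format-Table -AutoSize }
```

An empty result does not rule out other launch paths (shell extension registrations, Winlogon entries, startup folders), so treat it as one check among several rather than a clean bill of health.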
  3. Peon

    Peon Notebook Virtuoso

    Reputations:
    406
    Messages:
    2,007
    Likes Received:
    128
    Trophy Points:
    81
    Off topic, but if you have such a negative opinion of AVG, why do you still stick with it? Why not use another antivirus program?
     
  4. ScuderiaConchiglia

    ScuderiaConchiglia NBR Vaio Team Curmudgeon

    Reputations:
    2,674
    Messages:
    6,039
    Likes Received:
    0
    Trophy Points:
    205
    What makes you think I have a low negative opinion of it? I don't. I just don't put myself into the position very often that would allow me to get a virus.

    I was trolling around for a movie file splitter which took me to some obviously nefarious places.

    Gary
     
  5. ScuderiaConchiglia

    ScuderiaConchiglia NBR Vaio Team Curmudgeon

    Reputations:
    2,674
    Messages:
    6,039
    Likes Received:
    0
    Trophy Points:
    205
    Thanks Swarmer. I'll dig a bit deeper.

    Gary
     
  6. newsposter

    newsposter Notebook Virtuoso

    Reputations:
    801
    Messages:
    3,881
    Likes Received:
    0
    Trophy Points:
    105
    Download a pair of other free scanners, Ad-Aware and Malwarebytes. If they agree with AVG, then you have a positive.

    If not, this is Yet Another False Positive brought to you by AVG.