For the first time in YEARS I had my antivirus software actually find a threat. AVG detected the trojan horse Agent2.XUS in the C:\Program files\Pegasus Media Software\Agile WMV video splitter\contextmenu.dll
AVG was able to move it to its virus vault, but I noted that the process name associated with it was c:\Windows\System32\rundll32.exe. Not a big surprise, since that's the executable responsible for loading DLLs into memory.
So, what I am now trying to track down is WHY rundll32.exe thought it needed to load that DLL. The machine was sitting idle while I was watching TV. An hour later when I came back I saw the AVG alert. The Agile WMV Video Splitter directory was empty except for that DLL. It was from a video splitter I tried out a few months ago and uninstalled the same day. I did a registry scan to see if I could turn up any reference to the directory, but found none. That leaves me to wonder what could have TRIGGERED the DLL to be loaded. It's not enough for me to know that the DLL is now gone, but I want to know what was trying to bring it to life and how???
Screen shot of AVG alert attached.
Gary
ScuderiaConchiglia NBR Vaio Team Curmudgeon
A few points here...
1. This thread should be in the security subforum.
2. Upload the file to www.virustotal.com to see if it's a real threat rather than something benign.
3. rundll.exe is, I believe, normally invoked with command-line arguments telling it which dll to load. So... I think a malware program could use rundll.exe as a wrapper to run itself as a way of camouflaging itself... i.e., running under a commonly-used process name. It could put the rundll.exe command in one of the zillion ways to get a command to run when you start Windows or log on, such as using task scheduler, etc.
4. I just searched and went to that program's website (avsofts dot com), and on my machine Norton flagged the website as unsafe... so it's probably bad stuff.
EDIT: Here's Norton/Symantec's report: http://safeweb.norton.com/report/show?url=avsofts.com
... and the removal instructions: http://www.symantec.com/security_response/writeup.jsp?docid=2004-021914-2822-99&tabid=3
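An added example, not posted by anyone in this thread, of the hunt Gary is describing and point 3 above hints at: it checks the common autostart locations (Run/RunOnce keys, scheduled tasks) for a command line naming the DLL, and the shell-extension registrations (HKCR\CLSID\...\InprocServer32), since a file called contextmenu.dll is usually an Explorer context-menu handler. It assumes Windows PowerShell 2.0 or later, English column headers from schtasks, and the DLL name from the first post.

```powershell
# Added example: find what is still wired to load a given DLL.
# Assumes Windows PowerShell 2.0+; $DllName is the file from the first post.
$DllName = 'contextmenu.dll'
$pattern = [regex]::Escape($DllName)
$hits = @()

# 1. Run / RunOnce keys, per-machine and per-user, plus the 32-bit view on x64.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            # Skip the PSPath/PSParentPath/... bookkeeping properties.
            if ($p.Name -notlike 'PS*' -and "$($p.Value)" -match $pattern) {
                $hits += New-Object PSObject -Property @{ Source = $key; Name = $p.Name; Command = $p.Value }
            }
        }
    }
}

# 2. Scheduled tasks: the verbose CSV listing carries the "Task To Run" command line
# (a rundll32.exe <dll>,<entry> command would show up here).
foreach ($t in (schtasks /query /fo CSV /v | ConvertFrom-Csv)) {
    if ("$($t.'Task To Run')" -match $pattern) {
        $hits += New-Object PSObject -Property @{ Source = 'schtasks'; Name = $t.TaskName; Command = $t.'Task To Run' }
    }
}

# 3. Shell extensions: an in-process COM server (context-menu handler etc.) is
# registered as the default value of HKCR\CLSID\{guid}\InprocServer32.
Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue | ForEach-Object {
    $srv = Join-Path $_.PSPath 'InprocServer32'
    if (Test-Path $srv) {
        $dll = (Get-ItemProperty -Path $srv).'(default)'
        if ("$dll" -match $pattern) {
            $hits += New-Object PSObject -Property @{ Source = 'CLSID InprocServer32'; Name = $_.PSChildName; Command = $dll }
        }
    }
}

$hits | Format-Table Source, Name, Command -AutoSize
```

Run it from an elevated PowerShell prompt so the HKLM keys and all task folders are readable; an empty table means none of these three locations references the DLL, not that nothing does (services, Winlogon, BHO and similar locations are not covered here).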
I was trolling around for a movie file splitter which took me to some obviously nefarious places.
Gary
Download a pair of other free scanners, Ad-Aware and Malwarebytes. If they agree with AVG, then you have a positive.
If not, this is Yet Another False Positive brought to you by AVG.
AVG found a threat.
Discussion in 'Windows OS and Software' started by ScuderiaConchiglia, Oct 26, 2009.