AVG detects MsMpEng.exe as threat

Kicnit

Why do I get an alert that reads?

Accessed file is infected
Threat detected
File name: C:\WINDOWS\system32\WinCtrl32.dll
Threat name: Virus found Win32/Agent
Detected on open
Details
Process Name: C:\WINDOWS\system32\WinCtrl32.dll
Process ID: 888

Of course AVG asks to remove, Ignore, or Move to vault.
What should be done?
 
Engel

Hello Kicnit,

The filename is associated with the malware group Trojan.Downloader. Some
files using the name WINCTRL32.DLL are also associated with the malware group:

Win32/Agent

Source:
<http://www.prevx.com/filenames/X1877030665626356773-X1/WINCTRL32.DLL.html>



This could well be a false positive.

One way to get further information is to submit the file at one or more of
the following sites:

http://altagradazione.blogspot.com/2007/08/virustotal.html (in ITALIAN)
http://www.virustotal.com/es/indexf.html (in SPANISH)

<http://www.virustotal.com>

<http://virusscan.jotti.org>

Each has a browse window in the upper right to do the submission, and will
check out your file with 10 or so antivirus vendors with one submission.

A clean reading at these sites is not proof that a file is safe, but I'd say
in this case that it is likely to be a good indicator that, in fact, the file
is safe, and you are seeing a false positive.



If you cannot remove this through Add/Remove screen I'd
suggest using Hijack This
<http://wiki.castlecops.com/Malware_Removal:_Reference_HijackThis_Log> and
posting back the log it produces to show if this is a Trojan Infection.

The Trojan drops files all over the place and most scanners will not remove
this,

Download Hijack This if needed :

Save it to desktop or c:/drive, Run Hijack This and
choose to do a system scan and save the logfile, when it's
finished it will open the results in notepad, and please do not fix anything
using HijackThis as most will be harmless or essential files.

You could post the results over at spywareinfo or
tomcoyote or other Hijack This forums or Ron Kinner

Get HijackThis.exe from
Hijack This has been taken over by Trend Micro. This new version can be
downloaded here. <http://www.bleepingcomputer.com/files/hijackthis.php>
Trend Micro HijackThis 2.02
<http://computercops.biz/HijackThis.html>

Save it to C:\hjt (new folder) then Open it and select Scan and Save Log.
Note where you saved the log then send it to him as an attachment. Put
Hijack in the subject so he'll know it's not spam.

Alternatively you can post it on the Dell Forum at:

<http://forums.us.dell.com/supportforums/board?board.id=si_hijack>

(if it wraps you can go to:

<http://tinyurl.com/ckuzq> instead.)

Put Ron in the subject so he will see it. You do not need to have a Dell to
post but you will need to register.

Ron Kinner
Microsoft MVP 2004 & 2005
(e-mail address removed)



SUPERAntiSpyware Malwarebytes Antimalware

Have you done any scans within safe mode ?

Restart in safe mode and scan with both updated Windows Defender, your
antivirus, Malwarebytes Antimalware (AntiTrojan) and SUPERAntiSpyware
(Malware),

SUPERAntiSpyware (Free)
<http://www.superantispyware.com/>
Malwarebytes Antimalware (Free) <http://www.malwarebytes.org/mbam.php>


Unexplained computer behavior may be caused by deceptive software
<http://support.microsoft.com/kb/827315>



Good luck
-=-
 
Stu

Hi Engel.

Nice to see you're still putting in your 'money's worth' (used in the very
loosest sense of the meaning) from time to time in these NGs. The squawk code
you provided some time back. I must be rather dim when it comes to lateral
thinking. Can you give me any more small clues without giving the game away?

Stu
 
