Is this agp.440.sys a virus?

HI,

I am getting an SVG 8.5 FREE virus checker telling me I have an infected
file in the /drivers/agp440.sys file. They call it a Trojan Generic14.BLZl

It says not to delete as it is a critical system file.

It is 93kb big.

Should I delete it? I have never had this message before but now it is
all day coming up.

I also get the message from Dr Web saying it is called a
Trojan.Download.47257. It also asks whether to delete it?

Thanks,


rock

You can rename it and if you don't see any problems for about two weeks,
you can then delete it. It is a proper Windows driver (actual name is:
agp440.sys) so deleting it is not advisable. Renaming it as agp440.old
might just do the trick. If the file name is: agp.440.sys (note the
difference) then it is NOT a Windows driver. So please check the
filename again.

hth


rock wrote:

HI,

I am getting an SVG 8.5 FREE virus checker telling me I have an
infected file in the /drivers/agp440.sys file. They call it a Trojan
Generic14.BLZl

It says not to delete as it is a critical system file.

It is 93kb big.

Should I delete it? I have never had this message before but now it
is all day coming up.

I also get the message from Dr Web saying it is called a
Trojan.Download.47257. It also asks whether to delete it?

Thanks,


rock

ANONYMOUS wrote:
You can rename it and if you don't see any problems for about two weeks,
you can then delete it. It is a proper Windows driver (actual name is:
agp440.sys) so deleting it is not advisable. Renaming it as agp440.old
might just do the trick. If the file name is: agp.440.sys (note the
difference) then it is NOT a Windows driver. So please check the
filename again.

hth


rock wrote:

HI,

I am getting an SVG 8.5 FREE virus checker telling me I have an
infected file in the /drivers/agp440.sys file. They call it a Trojan
Generic14.BLZl

It says not to delete as it is a critical system file.

It is 93kb big.

Should I delete it? I have never had this message before but now it
is all day coming up.

I also get the message from Dr Web saying it is called a
Trojan.Download.47257. It also asks whether to delete it?

Thanks,


rock
Thanks.

My mistake..

It is /drivers/AGP440.SYS (It is also all caps)

A few days ago AVG said it was also in /dllcache/ but as infected. I did
delete it but so far not this one.

So should it go?

rock

crossposted to the public.security.homeusers

--
Peter

Please Reply to Newsgroup for the benefit of others
Requests for assistance by email can not and will not be acknowledged.

"rock" wrote in message
...
HI,

I am getting an SVG 8.5 FREE virus checker telling me I have an infected file in
the /drivers/agp440.sys file. They call it a Trojan Generic14.BLZl

It says not to delete as it is a critical system file.

It is 93kb big.

Should I delete it? I have never had this message before but now it is all day
coming up.

I also get the message from Dr Web saying it is called a Trojan.Download.47257. It
also asks whether to delete it?

Thanks,


rock

rock wrote:
HI,

I am getting an SVG 8.5 FREE virus checker telling me I have an infected
file in the /drivers/agp440.sys file. They call it a Trojan Generic14.BLZl

It says not to delete as it is a critical system file.

It is 93kb big.

Should I delete it? I have never had this message before but now it is
all day coming up.

I also get the message from Dr Web saying it is called a
Trojan.Download.47257. It also asks whether to delete it?

Thanks,


rock

I have changed the name, but can I delete it.

Does the correct agp440.sys file have a known size which make it legit?

Thanks

rock

What is "SVG 8.5 Free virus checker?"

Assuming you mean AVG (Free) Anti-Virus v8.5, did you just install it?
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Client - since 2002
www.banthecheck.com


"rock" wrote in message
...
I am getting an SVG 8.5 FREE virus checker telling me I have an infected
file in the /drivers/agp440.sys file. They call it a Trojan
Generic14.BLZl

It says not to delete as it is a critical system file.

It is 93kb big.

Should I delete it? I have never had this message before but now it is
all day coming up.

I also get the message from Dr Web saying it is called a
Trojan.Download.47257. It also asks whether to delete it?

PA Bear [MS MVP] wrote:
What is "SVG 8.5 Free virus checker?"

Assuming you mean AVG (Free) Anti-Virus v8.5, did you just install it?

Yes it is AVG (typo) and no, I have had it on and working for a year or
so as well as Ad-aware and Nod. Only recently has this come up. The
file is date stamped 16 Sept 2009.

Thanks

rock

"rock" wrote in message
...
HI,

I am getting an SVG 8.5 FREE virus checker telling me I have an
infected file in the /drivers/agp440.sys file. They call it a Trojan
Generic14.BLZl

It says not to delete as it is a critical system file.

It is 93kb big.

Should I delete it? I have never had this message before but now it
is all day coming up.

I also get the message from Dr Web saying it is called a
Trojan.Download.47257. It also asks whether to delete it?

Evidently you have two scanners telling you it is malware (not
specifically a "virus"). Having a second opinion scanner is a good
thing, but sometimes even more is needed. Virustotal.com and jotti.org
offer a way to get even more scanner's opinions.

My guess is that it is malware (not a virus though). Rather than
deleting it, you could rename it away to see if it being gone causes any
obvious problems.

rock wrote:
HI,

I am getting an SVG 8.5 FREE virus checker telling me I have an
infected file in the /drivers/agp440.sys file. They call it a Trojan
Generic14.BLZl
It says not to delete as it is a critical system file.

It is 93kb big.

Should I delete it? I have never had this message before but now it
is all day coming up.

I also get the message from Dr Web saying it is called a
Trojan.Download.47257. It also asks whether to delete it?

You should definitely *not* delete it -- at least for the time being --
becuase it might be a false positive. Instead, send it to the "vault."
You can know for sure by following these instructions:

Quote:

In the case where AVG Free detects a file on your PC as infected, moves
it to the AVG Virus Vault, and you are sure that this file is correct
and clean, it is possible that the detected file is a false alarm. If
so, we shall prepare the correction as soon as possible. Unfortunately,
false alarms do appear from time to time in every Anti-Virus software.

To solve the problem, please send us this file for analysis directly
from the AVG Free program this way:

Open AVG Free User Interface.

Choose the "Virus Vault" option from the "History" menu.

Right-click the false positive file and select the "Send to analysis"
option from context menu.

Fill in your e-mail address

Confirm the dialog

This file will be sent to our virus specialists for analysis and we will
inform you about the result.

The above is from:
http://free.avg.com/faq.num-1244#faq_1320

Are your definitions up to date?

Post here instead: http://forums.avg.com/

rock wrote:
PA Bear [MS MVP] wrote:
What is "SVG 8.5 Free virus checker?"

Assuming you mean AVG (Free) Anti-Virus v8.5, did you just install it?

Yes it is AVG (typo) and no, I have had it on and working for a year or
so as well as Ad-aware and Nod. Only recently has this come up. The
file is date stamped 16 Sept 2009.

Thanks

rock

Daave wrote:
rock wrote:
HI,

I am getting an SVG 8.5 FREE virus checker telling me I have an
infected file in the /drivers/agp440.sys file. They call it a Trojan
Generic14.BLZl
It says not to delete as it is a critical system file.

It is 93kb big.

Should I delete it? I have never had this message before but now it
is all day coming up.

I also get the message from Dr Web saying it is called a
Trojan.Download.47257. It also asks whether to delete it?

You should definitely *not* delete it -- at least for the time being --
becuase it might be a false positive. Instead, send it to the "vault."
You can know for sure by following these instructions:

Quote:

In the case where AVG Free detects a file on your PC as infected, moves
it to the AVG Virus Vault, and you are sure that this file is correct
and clean, it is possible that the detected file is a false alarm. If
so, we shall prepare the correction as soon as possible. Unfortunately,
false alarms do appear from time to time in every Anti-Virus software.

To solve the problem, please send us this file for analysis directly
from the AVG Free program this way:

Open AVG Free User Interface.

Choose the "Virus Vault" option from the "History" menu.

Right-click the false positive file and select the "Send to analysis"
option from context menu.

Fill in your e-mail address

Confirm the dialog

This file will be sent to our virus specialists for analysis and we will
inform you about the result.

The above is from:
http://free.avg.com/faq.num-1244#faq_1320

Are your definitions up to date?



Thank you guys for your time and advice.

I did rename it and there no was difference so I bit the bullet and
removed it to quarantine. Both files also noticed a 7758ql.exe file
which I also gave to quarantine. After the last quarantine, XP closed
and warm booted. I noticed a slight speed up in the box at that stage as
well.

At the moment the box is up and running without the agp440.sys in
/drivers/ however it is in the /SoftwareDistribution/ dir.

Yes did the VirusTotal thing as well. A great free service.

I do also have.. SpywareBlaster, Spyware Terminator, SysProt, HiJack
this, procexp, Ad-Aware, Security Check and RootRepleal. All have been
helpful in letting me know some of what is happening.

I eventually got a reply the from SpywareWarriors forum and they have
done an excellent and thorough job diagnosing my box and we are just
about through showing a clean system!! He has suggested to move the
agp440.sys from /software/ to /drivers/ when he is ready. Box speed is
up tremendously and so are my 'spirits'.

It sure is a heavy load when these things happen, especially when the
box is so importantly used for business 16 hours a day.

This box is using ftp much of the day to our clients sites and we had
been breached through ftp somehow. We had several sites which had all
index files across the sites changed, some with those iframes pointing
to a site with a ru extension.

We checked the ftp log and I did an IP search and found they were from
Slovenia, Romania, Netherlands, Sweden, Hungary and all points east so
it seems. They must have been using some proxy or something as they
were all uploading the new index files within seconds of each other.

Anyway, that some my gossip!!

Thanks again guys. It is always good to know that there are some who
balance up the evil on the Internet.

oz

from downunda

:-)