-
August 8th, 2005, 11:51 PM
#1
cisvc.exe detected as infected
I just ran an online scan with Trend Micro's scanner and then another scan with my onboard AVG (scanned earlier today but AVG had an update so I scanned again). Both scans earlier today showed up as clean. But this time, AVG detected cisvc.exe as being infected with Dropper.Agent.8.B. The path to the file is C:\Windows\$NtServicePackUninstall$\cisvc.exe. AVG deleted the file. There are a few things I want to know though. Was this detection just added today (I ran AVG earlier and nothing was detected), or did I pick this up from some site I was at? Though if that is the case, I don't see how, seeing as I don't go to any site that would be considered questionable. Also, is this a legit file that was infected or is that the virus itself? I couldn't seem to find a straight answer from my Google and Yahoo searches. I also couldn't find anything on Dropper.Agent.8.B anywhere, not even the AVG site. Is it possible this was a false positive?
EDIT: I just ran a search on my computer for cisvc.exe and there were two more, one located in C:\WINDOWS\system32 and another in C:\WINDOWS\ServicePackFiles\i386, so it would seem that there is a legit file by that name.
Last edited by Syzich; August 8th, 2005 at 11:55 PM.
-
August 9th, 2005, 12:04 AM
#2
Ok, the file wasn't deleted. It was moved to the virus vault. I don't know why AVG said the file was deleted when it was moved to the vault.
The details on the file that the vault gives me are:
Size: 5KB (5120 bytes)
Healable: No
I really wish I knew for sure if this was a false positive. It'd really be helpful if the AVG site had any info on the site so I could go about taking care of this manually (if there is anything to take care of, that is).
Last edited by Syzich; August 9th, 2005 at 12:09 AM.
-
August 9th, 2005, 06:17 AM
#3
It is the name of a legit Windows file, although viruses can masquerade as such... Still, I'd say it's very likely a false positive since one of the files was found in the service pack file folder. There's really no reason a virus-laden file would be lurking there unless someone manually put it there. I'd do one of two things... just wait for a day or three for AVG's next update and see if they've corrected it, or submit one of the quarantined files here:
http://virusscan.jotti.org/
They use many different scanners, one of which is AVG, and see if it is detected as a virus by any of the other scanners.
Or do both of these things.
-
August 9th, 2005, 10:45 AM
#4
Syzich, I found this info on another forum.
Do NOT delete the files!
I found a discussion on the AVG free forum:
quote:
> Dear Sir/Madam,
>
> Thank you for your email.
>
> Yesterday, we noticed a false alarm on file
>
> C:\Windows\System32\cisvc.exe
>
> This file was detected as a
>
> Dropper.Agent.8.B
>
> in Windows XP with Service Pack 1, but this false is already fixed
> by the latest update. Please update your AVG and run a Complete Test
> again. In case that there will be still some infection,
> please run AVG program (basic or advanced interface) and
> choose Test Results from Results menu (you can also use F6 key
> to get the same). Now you can see the list of finished tests, double
> click the latest one (by date) and you will get the full list of
> detected viruses (if there were any), including the path, the name
> and status of infected object. When it is opened, go back to
> main AVG program screen -> Program menu -> Export... item (or you
> can use Ctrl+S shortcut to get Save as... option). Please send
> this created file for further analysis.
>
> Thank you.
>
> Best regards,
>
> Alena Kasparkova
http://reviews.cnet.com/5208-6132-0....sageID=1349046
Tufenuf
-
August 9th, 2005, 11:55 AM
#5
Wow, thanks for that, Tufenuf. I updated AVG after reading that. Now I'll restore the file and run a complete scan with AVG again.
-
August 9th, 2005, 01:23 PM
#6
After restoring the file from quarantine, I uploaded it to the site you linked to, fink, and it was clean. I also ran a scan with 3 online scanners (just to make certain) and with AVG after I updated it. It's nice to see that AVG reacted this fast after finding out about the problem.