Runtime packed fsg virus...?

[Simon Charles]

I use AVG free and the resident shield sometimes detects a threat called "runtime packed fsg", used by c\windows\system32\svchost.exe. Problem is there's no way of removing or healing this threat. AVG only gives you the option to ignore it.

My computer is clean, I reformatted last week. Internet searches yield nothing. AVG website and forums are zero help. Neither AdAware or Spybot detect anything. Full AVG scan detects nothing. Yet, whenever I leave the computer idle for 20-30 minutes and come back to my desk, that resident shield alert is on the screen.

Anyone knows wtf is this and how I can get rid of it? I wouldn't mind reformatting since I have backup on an external HD but that threat was detected on that drive, too.

[NutWrench]

Fsg is a compression app that is used by malware writers to hide their trojans and spyware in their files by compressing the executable. In this case though, I think you're getting a false positive from AVG. Your Service Host executable looks like it's running from the appropriate directory.

Try running the System File Checker, which will make sure all your system files are intact and uncorrupted. You could also try running AVG on your Windows XP CD. If you get a warning about the svchost.exe on the CD, then the problem is definitely with AVG.

P.S. Do you use any executable packers? Like, deliberately, to save disk space? AVG might be false-flagging all packed executables whether they contain malware or not.

[Simon Charles]

System File Checker only works with WinXP Pro. It asks for the CD and I only have XP Home.

Scanning my XP CD with AVG yields nothing.

No, I'm not using any executable packers.


Let's say I unplug my external HD and reformat my system. Do I risk infecting my computer again when I replug it to reinstall my stuff?

[NutWrench]

I have Windows XP Home and I've run System File Checker several times without any problems.

You could still try scanning the system32 stuff on your Windows CD. If AVG still claims that the svchost file on CD is infected, then it's definitely a false positive.

[Bludd]

If you run Process Explorer, you should see a process coded purple (default setting) if it is compressed. Try that.

[Simon Charles]

Quote:

Originally Posted by Bludd

If you run Process Explorer, you should see a process coded purple (default setting) if it is compressed. Try that.

I assume the color is different by default on my end because otherwise that makes no sense. Everything under explorer.exe is purple. Firefox, Steam, AdAware, AVG, Process Explorer itself... basically, all running applications.

[Bludd]

This is default, this is what I mean. If a lot of your processes are indeed my purple, you should check if their signatures are valid (turn it on in Process Explorer). If for instance Explorer.exe's signature isn't valid and you know you haven't modified it yourself, you have a compromised system

[Simon Charles]

Hey, you know what? Languages are funny. For example, did you know that in french, those colors are the opposite? Your pale blue is our purple.

Anyway, this is what I have :

[Bludd]

None of those are packed if you are running default highlighting settings. You can check/change the highlighting colours in Process Explorer thus: Options - configure highlighting.

Anyway, you should enable verify image signatures in Process Explorer. It is under options. See if any Microsoft stuff fails. You may have to add the column for image signatures, but you can do that under view.

[Simon Charles]

Quote:

Originally Posted by Bludd

None of those are packed if you are running default highlighting settings. You can check/change the highlighting colours in Process Explorer thus: Options - configure highlighting.

Yeah, it was already enabled by default. Nothing shows purple.

Quote:

Anyway, you should enable verify image signatures in Process Explorer. It is under options. See if any Microsoft stuff fails. You may have to add the column for image signatures, but you can do that under view.

Nothing seems wrong when I enable signatures.

[Bludd]

Svchost runs services. Maybe you have a service which uses a packed executable. I would keep an eye on it and next time AVG complains, fire up Process Explorer and see if you can see anything. You could also download Autoruns from Microsoft Sysinternals and see if anything weird starts up when Windows starts up. It also supports verify image signatures, I would enable it and run a scan.

[NutWrench]

Try running msconfig, click the Services tab and then sort the list by manufacturer. All the third party services should be grouped near the top (or bottom). Look for anything suspicious that does NOT start from your windows directory. (A lot of malware services boot up from a temp directory deep in the Documents and Settings folder or from Program Files.)

[Bludd]

Quote:

Originally Posted by NutWrench

Try running msconfig, click the Services tab and then sort the list by manufacturer. All the third party services should be grouped near the top (or bottom). Look for anything suspicious that does NOT start from your windows directory. (A lot of malware services boot up from a temp directory deep in the Documents and Settings folder or from Program Files.)

Autoruns shows more.

[unforgiven]

FSG is not Virus , it's Executable Packer which designed mainly for 64kb DEMOz

also windows won't load without the svchost.exe ( WinDir\System32\svchost.exe ) it's essential file for Windows , virus probably is svchost .exe or something like that

I suggest you to check the System32 Folder \ Svchost.exe , if the file size is around ~14 and copyrighted by Microsoft it's okay and AVG Notification was a False Alarm ( but if you see TWO svchost or similar names like svchost .exe then something is wrong )

To repair your Windows system files , Go Start Menu -> Run -> Type :

sfc /scannow

Windows System File Checker will scan your PC and repair the Incorrect/damaged system files

[shantelhaynes]

Quote:

Originally Posted by Simon Charles

I use AVG free and the resident shield sometimes detects a threat called "runtime packed fsg", used by c\windows\system32\svchost.exe. Problem is there's no way of removing or healing this threat. AVG only gives you the option to ignore it.

My computer is clean, I reformatted last week. Internet searches yield nothing. AVG website and forums are zero help. Neither AdAware or Spybot detect anything. Full AVG scan detects nothing. Yet, whenever I leave the computer idle for 20-30 minutes and come back to my desk, that resident shield alert is on the screen.

Anyone knows wtf is this and how I can get rid of it? I wouldn't mind reformatting since I have backup on an external HD but that threat was detected on that drive, too.

For those who don't know, a runtime packed FSG, normally, is an executable file that was compressed/packed by a program called FSG Packer (Fast Good Small). If you have this, it doesn't mean you have a virus. Some genuine software developers use FSG to make their files faster and smaller, as well as from protecting them from possible piracy. However, it doesn't mean you have to relax too. This technology used to be exploited in the past, therefore, you need to double check by locating the file containing it to check for the program's credibility. (your antivirus will most likely tell you the name and location).

Hope, somehow, this helps.

[Inanimate Carbon Rod]

Did you look for a thread that was exactly 2 years old?

[NutWrench]

As folks have already mentioned here, just because an executable is packed with FSG, does not necessarily mean that it contains a virus. FSG IS popular however, with virus spreaders because the compression routines will hide the virus and make it impossible to detect by programs that detect viruses using CRC signatures and virus fragments.