3D Realms Forums > General Topics > Software Forum
Old 03-06-2009, 09:24 PM   #1
Simon Charles

Runtime packed fsg virus...?
I use AVG free and the resident shield sometimes detects a threat called "runtime packed fsg", used by c\windows\system32\svchost.exe. Problem is there's no way of removing or healing this threat. AVG only gives you the option to ignore it.

My computer is clean, I reformatted last week. Internet searches yield nothing. AVG website and forums are zero help. Neither AdAware nor Spybot detects anything. Full AVG scan detects nothing. Yet, whenever I leave the computer idle for 20-30 minutes and come back to my desk, that resident shield alert is on the screen.

Anyone know wtf this is and how I can get rid of it? I wouldn't mind reformatting since I have backup on an external HD but that threat was detected on that drive, too.
__________________
Do you know the problem in my life, Inspector? An abundance of leisure.

-Hercule Poirot
Simon Charles is offline  
Old 03-06-2009, 10:02 PM   #2
NutWrench

Re: Runtime packed fsg virus...?
Fsg is a compression app that is used by malware writers to hide their trojans and spyware in their files by compressing the executable. In this case though, I think you're getting a false positive from AVG. Your Service Host executable looks like it's running from the appropriate directory.

Try running the System File Checker, which will make sure all your system files are intact and uncorrupted. You could also try running AVG on your Windows XP CD. If you get a warning about the svchost.exe on the CD, then the problem is definitely with AVG.

P.S. Do you use any executable packers? Like, deliberately, to save disk space? AVG might be false-flagging all packed executables whether they contain malware or not.
__________________
"If by chance some day you're not feeling well and you should remember some silly thing I've said or done and it brings back a smile to your face or a chuckle to your heart, then my purpose as your clown has been fulfilled."
Last edited by NutWrench; 03-06-2009 at 10:07 PM.
NutWrench is offline  
Old 03-07-2009, 06:40 AM   #3
Simon Charles

Re: Runtime packed fsg virus...?
System File Checker only works with WinXP Pro. It asks for the CD and I only have XP Home.

Scanning my XP CD with AVG yields nothing.

No, I'm not using any executable packers.


Let's say I unplug my external HD and reformat my system. Do I risk infecting my computer again when I replug it to reinstall my stuff?
__________________
Do you know the problem in my life, Inspector? An abundance of leisure.

-Hercule Poirot
Simon Charles is offline  
Old 03-07-2009, 06:59 AM   #4
NutWrench

Re: Runtime packed fsg virus...?
I have Windows XP Home and I've run System File Checker several times without any problems.

You could still try scanning the system32 stuff on your Windows CD. If AVG still claims that the svchost file on CD is infected, then it's definitely a false positive.
__________________
"If by chance some day you're not feeling well and you should remember some silly thing I've said or done and it brings back a smile to your face or a chuckle to your heart, then my purpose as your clown has been fulfilled."
NutWrench is offline  
Old 03-07-2009, 07:57 AM   #5
Bludd

Re: Runtime packed fsg virus...?
If you run Process Explorer, you should see a process coded purple (default setting) if it is compressed. Try that.
__________________
http://www.modarchive.org/artists/bludd/

"It's only rock 'n' roll but I like it."
What cat detector van? The cat detector van from the Ministry of Housinge.
Bludd is offline  
Old 03-07-2009, 12:02 PM   #6
Simon Charles

Re: Runtime packed fsg virus...?
Quote:
Originally Posted by Bludd View Post
If you run Process Explorer, you should see a process coded purple (default setting) if it is compressed. Try that.
I assume the color is different by default on my end because otherwise that makes no sense. Everything under explorer.exe is purple. Firefox, Steam, AdAware, AVG, Process Explorer itself... basically, all running applications.
__________________
Do you know the problem in my life, Inspector? An abundance of leisure.

-Hercule Poirot
Simon Charles is offline  
Old 03-07-2009, 12:08 PM   #7
Bludd

Re: Runtime packed fsg virus...?
This is default, this is what I mean. If a lot of your processes are indeed my purple, you should check if their signatures are valid (turn it on in Process Explorer). If for instance Explorer.exe's signature isn't valid and you know you haven't modified it yourself, you have a compromised system.
Attached Images
File Type: png colours.png (27.1 KB, 11 views)
__________________
http://www.modarchive.org/artists/bludd/

"It's only rock 'n' roll but I like it."
What cat detector van? The cat detector van from the Ministry of Housinge.
Bludd is offline  
Old 03-07-2009, 12:14 PM   #8
Simon Charles

Re: Runtime packed fsg virus...?
Hey, you know what? Languages are funny. For example, did you know that in French, those colors are the opposite? Your pale blue is our purple.

Anyway, this is what I have:
Attached Images
File Type: jpg process.JPG (122.1 KB, 11 views)
__________________
Do you know the problem in my life, Inspector? An abundance of leisure.

-Hercule Poirot
Simon Charles is offline  
Old 03-07-2009, 12:17 PM   #9
Bludd

Re: Runtime packed fsg virus...?
None of those are packed if you are running default highlighting settings. You can check/change the highlighting colours in Process Explorer thus: Options - configure highlighting.

Anyway, you should enable verify image signatures in Process Explorer. It is under options. See if any Microsoft stuff fails. You may have to add the column for image signatures, but you can do that under view.
__________________
http://www.modarchive.org/artists/bludd/

"It's only rock 'n' roll but I like it."
What cat detector van? The cat detector van from the Ministry of Housinge.
Bludd is offline  
Old 03-07-2009, 12:26 PM   #10
Simon Charles

Re: Runtime packed fsg virus...?
Quote:
Originally Posted by Bludd View Post
None of those are packed if you are running default highlighting settings. You can check/change the highlighting colours in Process Explorer thus: Options - configure highlighting.
Yeah, it was already enabled by default. Nothing shows purple.



Quote:
Anyway, you should enable verify image signatures in Process Explorer. It is under options. See if any Microsoft stuff fails. You may have to add the column for image signatures, but you can do that under view.
Nothing seems wrong when I enable signatures.
__________________
Do you know the problem in my life, Inspector? An abundance of leisure.

-Hercule Poirot
Simon Charles is offline  
Old 03-07-2009, 12:48 PM   #11
Bludd

Re: Runtime packed fsg virus...?
Svchost runs services. Maybe you have a service which uses a packed executable. I would keep an eye on it and next time AVG complains, fire up Process Explorer and see if you can see anything. You could also download Autoruns from Microsoft Sysinternals and see if anything weird starts up when Windows starts up. It also supports verify image signatures, I would enable it and run a scan.
__________________
http://www.modarchive.org/artists/bludd/

"It's only rock 'n' roll but I like it."
What cat detector van? The cat detector van from the Ministry of Housinge.
Bludd is offline  
Old 03-07-2009, 03:08 PM   #12
NutWrench

Re: Runtime packed fsg virus...?
Try running msconfig, click the Services tab and then sort the list by manufacturer. All the third party services should be grouped near the top (or bottom). Look for anything suspicious that does NOT start from your windows directory. (A lot of malware services boot up from a temp directory deep in the Documents and Settings folder or from Program Files.)
__________________
"If by chance some day you're not feeling well and you should remember some silly thing I've said or done and it brings back a smile to your face or a chuckle to your heart, then my purpose as your clown has been fulfilled."
NutWrench is offline  
Old 03-07-2009, 05:32 PM   #13
Bludd

Re: Runtime packed fsg virus...?
Quote:
Originally Posted by NutWrench View Post
Try running msconfig, click the Services tab and then sort the list by manufacturer. All the third party services should be grouped near the top (or bottom). Look for anything suspicious that does NOT start from your windows directory. (A lot of malware services boot up from a temp directory deep in the Documents and Settings folder or from Program Files.)
Autoruns shows more.
__________________
http://www.modarchive.org/artists/bludd/

"It's only rock 'n' roll but I like it."
What cat detector van? The cat detector van from the Ministry of Housinge.
Bludd is offline  
Old 03-08-2009, 09:54 AM   #14
unforgiven
 
Re: Runtime packed fsg virus...?
FSG is not a virus, it's an executable packer which was designed mainly for 64kb DEMOz.

Also, Windows won't load without svchost.exe (WinDir\System32\svchost.exe); it's an essential file for Windows. The virus is probably "svchost .exe" or something like that.

I suggest you check the System32 folder for svchost.exe: if the file size is around ~14 and it is copyrighted by Microsoft, it's okay and the AVG notification was a false alarm (but if you see TWO svchost or similar names like "svchost .exe" then something is wrong).

To repair your Windows system files, go to Start Menu -> Run -> type:

sfc /scannow

Windows System File Checker will scan your PC and repair the incorrect/damaged system files.
unforgiven is offline  
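
Added example, not written by anyone in this thread: the two checks suggested above (an svchost.exe image that does not start from the Windows directory, and look-alike names such as "svchost .exe") applied to a list of process image paths. The sample paths are constructed, and the expected folder assumes a default C:\WINDOWS install.

```python
import ntpath

# Assumption: Windows lives in C:\WINDOWS, as on a default XP install.
EXPECTED_DIR = {"svchost.exe": r"c:\windows\system32"}

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss names such as 'scvhost.exe'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_image(path):
    """Return the findings for one process image path (empty list = nothing odd)."""
    folder, name = ntpath.split(path)
    name_l = name.lower()
    findings = []
    for good, good_dir in EXPECTED_DIR.items():
        if name_l == good:
            if folder.lower() != good_dir:
                findings.append(f"{good} running from unexpected folder {folder}")
        elif "".join(name_l.split()) == good:
            findings.append(f"whitespace look-alike of {good}: {name!r}")
        elif edit_distance(name_l, good) <= 2:
            findings.append(f"near-miss name for {good}: {name!r}")
    return findings

# Constructed sample data, not taken from the thread.
SAMPLE = [
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\system32\svchost .exe",
    r"C:\Documents and Settings\user\Local Settings\Temp\svchost.exe",
    r"C:\WINDOWS\system32\scvhost.exe",
    r"C:\Program Files\Mozilla Firefox\firefox.exe",
]

def scan(paths):
    """Map each suspicious path to its findings; clean paths are omitted."""
    report = {}
    for p in paths:
        findings = check_image(p)
        if findings:
            report[p] = findings
    return report

if __name__ == "__main__":
    for path, findings in scan(SAMPLE).items():
        print(path, "->", "; ".join(findings))
```

A clean result here only says the name and folder look right; the signature verification recommended earlier in the thread is still the stronger check.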
Old 03-08-2011, 10:52 AM   #15
shantelhaynes
Re: Runtime packed fsg virus...?
Quote:
Originally Posted by Simon Charles View Post
I use AVG free and the resident shield sometimes detects a threat called "runtime packed fsg", used by c\windows\system32\svchost.exe. Problem is there's no way of removing or healing this threat. AVG only gives you the option to ignore it.

My computer is clean, I reformatted last week. Internet searches yield nothing. AVG website and forums are zero help. Neither AdAware nor Spybot detects anything. Full AVG scan detects nothing. Yet, whenever I leave the computer idle for 20-30 minutes and come back to my desk, that resident shield alert is on the screen.

Anyone know wtf this is and how I can get rid of it? I wouldn't mind reformatting since I have backup on an external HD but that threat was detected on that drive, too.
For those who don't know, a runtime packed FSG, normally, is an executable file that was compressed/packed by a program called FSG Packer (Fast Good Small). If you have this, it doesn't mean you have a virus. Some genuine software developers use FSG to make their files faster and smaller, as well as to protect them from possible piracy. However, it doesn't mean you have to relax too. This technology used to be exploited in the past; therefore, you need to double check by locating the file containing it to check for the program's credibility (your antivirus will most likely tell you the name and location).

Hope, somehow, this helps.
__________________
Runtime packed FSG
shantelhaynes is offline  
Old 03-12-2011, 01:25 AM   #16
Inanimate Carbon Rod

Re: Runtime packed fsg virus...?
Did you look for a thread that was exactly 2 years old?
__________________
"Only two things are infinite, the universe and human stupidity, and I'm not sure about the former."
-Albert Einstein
Inanimate Carbon Rod is offline  
Old 03-12-2011, 01:41 PM   #17
NutWrench

Re: Runtime packed fsg virus...?
As folks have already mentioned here, just because an executable is packed with FSG does not necessarily mean that it contains a virus. FSG IS popular, however, with virus spreaders because the compression routines will hide the virus and make it impossible to detect by programs that detect viruses using CRC signatures and virus fragments.
__________________
"If by chance some day you're not feeling well and you should remember some silly thing I've said or done and it brings back a smile to your face or a chuckle to your heart, then my purpose as your clown has been fulfilled."
NutWrench is offline  
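
Added example, not written by anyone in this thread: because packing hides the contents from signature matching, a scanner can instead report the packed layout itself, which is why a benign packed file can raise the same alert as a malicious one. The sketch below reads a PE section table and reports two generic runtime-packer indicators; it is an illustrative heuristic, not AVG's actual logic, and the headers, section names and sizes are constructed.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

def pe_sections(data):
    """Parse the PE section table into (name, virtual_size, raw_size, flags) tuples."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off, = struct.unpack_from("<I", data, 0x3C)          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    n_sections, = struct.unpack_from("<H", data, pe_off + 6)
    opt_size, = struct.unpack_from("<H", data, pe_off + 20)
    table = pe_off + 24 + opt_size                          # section headers follow
    out = []
    for i in range(n_sections):
        name, vsize, _va, rsize, _p, _r, _l, _nr, _nl, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, table + 40 * i)
        out.append((name.rstrip(b"\0").decode("latin-1"), vsize, rsize, flags))
    return out

def packer_indicators(data):
    """Report layout traits typical of code that is unpacked into memory at run time."""
    hits = []
    for name, vsize, rsize, flags in pe_sections(data):
        executable = flags & IMAGE_SCN_MEM_EXECUTE
        if executable and flags & IMAGE_SCN_MEM_WRITE:
            hits.append(f"{name}: section is both writable and executable")
        if executable and rsize == 0 and vsize > 0:
            hits.append(f"{name}: executable section has no data on disk")
    return hits

def build_pe(sections):
    """Build a header-only PE image for the demo (constructed, not a real program)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    rows = [struct.pack("<8sIIIIIIHHI", n, vs, 0x1000 * (i + 1), rs, 0, 0, 0, 0, 0, fl)
            for i, (n, vs, rs, fl) in enumerate(sections)]
    return dos + coff + b"".join(rows)

# Constructed samples: an ordinary layout and a packed-looking one.
NORMAL = build_pe([(b".text", 0x5000, 0x5000, 0x60000020),
                   (b".data", 0x1000, 0x0200, 0xC0000040)])
PACKED = build_pe([(b"pack0", 0x20000, 0x0000, 0xE0000080),
                   (b"pack1", 0x08000, 0x7600, 0xE0000040)])

if __name__ == "__main__":
    for label, image in (("normal", NORMAL), ("packed", PACKED)):
        print(label, packer_indicators(image) or "no indicators")
```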
All times are GMT -6.