Trojan:W32/Agent.ALZ

Classification

Category :

Clean - Not Malware

Type :

Other

Aliases :

Trojan:W32/Agent.ALZ

Summary

It has come to our attention that F-Secure Anti-Virus generated a false alarm on Trojan.Win32.Agent.ALZ. The detection is of a Chinese Microsoft .DLL file on systems running Windows XP SP2 with the file name: SHDOCVW.dll. We apologize if this has caused any inconvenience to our customers. Database update 2007-05-18_01 or later is needed to resolve this false alarm.

Removal

Manual action

Step by Step Recovery Instructions

How to recover a system when the Windows file "SHDOCVW.DLL" has been falsely detected as Trojan.Win32.Agent.alz and the file was renamed. (Assuming that the system has just been rebooted.)

Note: Administrator rights are required in order to perform the following steps.

  • Open the Windows Task Manager

    Simultaneously press the following keys: Ctrl+Shift+Esc

  • Open a Command Prompt window

    On the File menu of the Task Manager window, choose the option: "New Task (Run...)"

    Type cmd.exe in the "Open" text box then click the OK button

  • Temporarily disable the F-Secure real-time scanner

    From the Command Prompt window type the following command then press the "Enter" key:

    net stop fsgkhs

  • Rename the file "SHDOCVW.0LL" back to its proper name of "SHDOCVW.DLL"

    From the Command Prompt window type the following command then press the "Enter" key:

    ren C:\WINDOWS\SYSTEM32\SHDOCVW.0LL SHDOCVW.DLL

  • Run Windows Explorer

    From the Command Prompt window type the following command and then press the "Enter" key:

    explorer

  • Update to the latest pattern database that has the correction for the false detection

    Use this link for instructions: https://www.f-secure.com/download-purchase/updates.shtml

    (Note: The minimum pattern version that has the corrected signature for the False Alarm is: 2007-05-18_01)

  • Activate the real-time scanner again

    From the Command Prompt window type the following command then press the "Enter" key:

    net start fsgkhs

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

N/A