Help Re: Mal And Troj Found


Hi - don't know if anyone can offer advice on this but here goes. I am running Windows XP Home Edition. I ran my Avast! AV prog (free version) this morning - a job I do every Friday. It is reporting a Trojan found in file name C:\WINDOWS\MEMORY.DMP. The malware name is Win32:Agent-BHA which is reported to be a Trojan.


After Googling it the only reference I can find is on a Spanish website and I didn't find it very helpful. Program recommends moving the file to the Virus Chest as the preferred course of action but then reports that there is insufficient room for the file on disk.

The other option is to Delete but this would delete the entire file and not just remove the Trojan. I have assumed that this would be undesirable!! The malware is not detected by Spybot or by Adaware. I have also visited Trendmicro Housecall but their scan did not pick up any virus or malware on my computer. I'm not very technically minded but can follow any instructions pretty well.

Any ideas or suggestions for what I should do next??

Quote:
Choosing recovery actions if Windows stops unexpectedly
Using Startup and Recovery in System in Control Panel, you can configure Windows to do the following when a severe error (called a Stop error or Fatal system error) occurs:
- Write an event to the system log.
- Alert administrators.
- Dump system memory to a file that advanced users can use for debugging.
- Automatically restart the computer.
The dump of system memory to a log file can be valuable for debugging the cause of the Stop error. If you contact your technical support representatives about the error, they might ask for the log file. Note that Windows writes the log file to the same file name (Memory.dmp, by default) each time a Stop error occurs.

If your system is running fine and you don't have any problems then it should be safe to delete the whole file.
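The Startup and Recovery dialog quoted above just writes a handful of registry values; the PowerShell snippet below is an added example (not posted by anyone in this thread) that reads those values back, names the configured dump type and reports on whatever file sits at the configured dump path. It assumes a Windows machine with PowerShell installed and the standard CrashControl key present.

```powershell
# Added example: inspect the crash-dump settings behind the Startup and Recovery dialog
# and look at the dump file at the configured path (by default %SystemRoot%\MEMORY.DMP).
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
$cc  = Get-ItemProperty -Path $key

# CrashDumpEnabled: 0 = none, 1 = complete memory dump (the one that fills the disk),
# 2 = kernel memory dump, 3 = small memory dump (64 KB minidump)
$dumpTypes = @{ 0 = 'None'; 1 = 'Complete memory dump'; 2 = 'Kernel memory dump'; 3 = 'Small memory dump' }
$type = $dumpTypes[[int]$cc.CrashDumpEnabled]
if (-not $type) { $type = "Unknown ($($cc.CrashDumpEnabled))" }

# DumpFile is REG_EXPAND_SZ; expand %SystemRoot% so Test-Path gets a real path
$dumpPath = [Environment]::ExpandEnvironmentVariables($cc.DumpFile)

"Crash dump type : $type"
"Dump file       : $dumpPath"
"Overwrite       : $($cc.Overwrite)"    # 1 = each Stop error overwrites the previous dump
"Log event       : $($cc.LogEvent)"     # 1 = write an event to the system log
"Auto reboot     : $($cc.AutoReboot)"   # 1 = restart automatically after the Stop error

if (Test-Path $dumpPath) {
    $f = Get-Item $dumpPath
    "Existing dump   : {0:N0} KB, written {1}" -f ($f.Length / 1KB), $f.LastWriteTime
    # A dump is a snapshot of RAM at the moment of the Stop error, not a running program.
    # An AV hit inside it means something matching the signature was in memory at that
    # time; the timestamp tells you when, which is the clue to chase in the event log.
} else {
    "No dump file present at $dumpPath"
}
```

Match the LastWriteTime against the System event log around the same minute to see which Stop error produced the dump.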


Out of curiosity when was the file generated? Because the file is so large then it's likely that your system is set to do a complete memory dump. Mine is set as per the screen cap below (which is the XP default). The only dumps that I have go back to a couple of years ago to a time when I was having probs with my graphics card overheating and the system kept shutting down unexpectedly.

There's some good info on dump files here which may help you decide if you want to delete the whole file.

Thanks for your reply Kitz. The file is 522,416KB in size which is why it won't fit in the virus chest. It was created at 1340hrs on 31 May 2007. I was reading The Register at the time and clicked a link to a news story about the Independent newspaper website being hacked - I never got to the news item as Windows then interrupted the browsing session with a notification that it was going to close down. It suggested that if I had installed new software or drivers that I should remove these after rebooting.

I had not installed anything for several weeks and when I rebooted all worked fine and the computer sent an error report to Microsoft. With hindsight I presume that this was when the trojan installed itself (though I have Avast on permanent realtime scan). I am contemplating deleting the file to the recycle bin (which Avast offers as an option) and then see how the system works.


If it is ok over the following few days then I presume it should be ok to delete it permanently from the computer? Thanks for your linky - I'll have a look at that.

I'll keep researching what this is before taking any action but obviously I don't want the thing doing any harm to my system or moving on to harm other people. Just a quick update. I found information on the website which appears to identify the trojan as Win/SillyDI.CVE also known as Troj/Agent-BHA (Sophos) or Win32.Agent.gj (Kaspersky). However the site also indicates that the trojan is normally installed via Internet Explorer exploits though I use Opera (and occasionally Firefox) and have all my OS security, AV, and Firewall up to date.


Anyway, if I find out nothing more I shall delete the offending file to the Recycle Bin in the morning and see if the computer pines for the Windows.DMP file before deleting it altogether early next week! I'll let you know how I get on. By the way Kitz, how do you get to that Startup and Recovery Window that you show in your posting??

Thanks for your help and advice Kitz. I have now removed the trojan. 8) For the benefit of others who may have the same problem I proceeded as follows:- With my router disconnected I ran Avast! and located the file containing the trojan (your explanation of the purpose and probable content of a Windows memory.dmp file was invaluable in giving me the reassurance I needed to proceed!). I deleted the file to the Recycle Bin, then switched off and restarted my computer (still with the router disconnected). I then checked that all my programs that did not need internet access would still operate ok and that the computer seemed to be acting normally without the file that was in the Recycle Bin. I then switched off the computer, switched on the router and started the computer again and checked that I could access the internet ok. Once I had confirmed that it was alright I went to the router main page and disconnected. I then emptied the Recycle Bin and ran Avast! once more to check that the trojan was no longer anywhere on my system. Once that was complete I switched on the router and rebooted the computer.

This may have been a bit 'belt and braces' for the techies out there but I felt happier doing the whole thing with the minimum of connection to the net. Anyway, I'm now going to access the Startup and Recovery page (thanks for the directions Kitz) and reset the memory dump as you suggest to make things easier in the future. I've learned a few more things about my computer from this incident and after several years of doing weekly checks with my AV it's nice (in a strange kind of way!) to know that the routine is worth it even if you only come across a problem once in a blue moon. Thanks again for your help! Regards Tony.

Glad you removed the trojan successfully. It does seem odd how it got onto your PC and took refuge in the memory.dmp file. I expect that shutdown notice was the result of something like that Remote Procedure Call service or whatever it is, which if anything throws it shuts down Windows within 60 seconds. Perhaps the website was the source of this malicious activity and the trojan found itself a home when the computer did a memory dump? On this speculation I have disabled memory dumps, they serve me no purpose anyway and I guess they are used for error reporting? Or maybe not?

Anyway, I doubt they are very beneficial, especially if they might prove a vulnerability of some description. Since they are reporting 31st of May that's probably the reason why we couldn't find anything when we both tried looking yesterday morning, as it probably hadn't yet been indexed by the search engines. Some of the AV/security sites only started reporting and implementing patches/removal instructions as from yesterday. Out of curiosity I just googled again just now using the same keywords and the CA link is now there. What I did find highly amusing was that if you do a search today on 'Agent-BHA', look what's at the top of the list, whilst the CA one is 5th down. What I do find disturbing is the fact that you picked this up by following a link from the Register. Did you try following a link to the Independent website?

Judging from the time of the report on the register, and the time on your dump file then it looks like you tried to access the site whilst it was still having problems. And therefore could perhaps have been inadvertently hosting the virus on the web-server?? An alarming number of big name servers seemed to have been 'hacked' over the past couple of weeks. Some of the names involved have stated openly that exploits have been deposited.

Some have said nothing or little about the incidents. Some of the companies involved with site problems/hacking in the past week or so have been AbbeyNat (problems), Plusnet webmail (compromised), Telegraph, Mirror (hacked), Independent (they ain't saying). Some trojans do hide themselves in valid Windows files (or a URL in the case of key-clickers which they write to, say, the hosts file).

It does seem that using hacked or rogue websites to deposit downloaders/key loggers on users' machines right now is in vogue. It's also vital to make sure that you have installed all the latest Windows updates.


Som's explanation sounds likely, but IMHO it was just 'that file' it picked. It could have been any Windows file. For you in a way it was quite lucky - because .dmp files aren't necessary and if you read between the lines of my posts yesterday, I was trying to say yeah they are safe to delete 'cause you don't really need them - without having any recourse on myself if things went belly-up. :/

Yes - it looks like it was a new one!! I'm quite impressed that Avast! picked it up so quickly.

The program does update its virus file very frequently. My McAfee used to update daily from Mon to Friday but Avast! is updating at least once and sometimes twice a day (even three times on one occasion!). It also does updates quite often at the weekend as well.

Yes, I was interested in the number of high profile sites that had been affected over the last couple of weeks (I'm with PlusNet and felt the effect of that hack with my first spam in well over 10 years using the net). I had read the Register item on 30 May about the Daily Mirror and when I saw the item about the Independent on 31 May I clicked on that link too (to the Register news item - I didn't try to go to the Independent website) but never got there. After the problems in Estonia and all the issues going on in the world you could be forgiven for wondering if someone is testing things before trying to cause major problems - just shows how vulnerable we are to this sort of thing nowadays.

As you say - it was probably lucky that the trojan hid in a disposable file - perhaps a good reason for soms to keep one around (like a plastic carrier bag to put the fish and chip papers in!) Anyway - thanks again Kitz, regards Tony.

Glad it's all sorted now. As regards to the spam thing - I got hit too - unfort not just my username - since there was also an association with this site that also got targeted. I read somewhere on one of the security sites last week (sorry can't remember where now), that DDoS for sites was now seen as 'old hat', and that targeting for spam is much more profitable. Spamming as a whole does seem to have increased across the board and one thing I've noticed is that random names at domains seems rife and although I've never used addresses such as admin@ sales@ mail@ etc they also get hit fairly hard - so I just blackhole them now.

This entry was posted on 16.02.2020.