Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: drmsucks on May 04, 2008, 02:39:41 AM

Title: "Detected a virus in the operating memory"
Post by: drmsucks on May 04, 2008, 02:39:41 AM
Attached message appears on each boot. Have done two boot scans - clean except for the files it couldn't access. The program also found a rootkit which I told it to ignore - it's a legit program, Magic Folders. Any suggestions?

Thanks.

Edit - Prior to installing Avast!, I uninstalled AVG 7.5 AV.

Win XP SP2
Spyware Terminator running real time
v. 4.8.1169
defs: 080503-0
Win firewall - no other
Title: Re: "Detected a virus in the operating memory"
Post by: Lisandro on May 04, 2008, 03:28:24 PM
it's a legit program, Magic Folders. Any suggestions?
To know if a file is a false positive, please submit it to VirusTotal (http://www.virustotal.com/xhtml/index_en.html) and let us know the result. If it is indeed a false positive, send it in a password-protected zip to virus@avast.com
Please mention in the body of the message why you think it is a false positive and the password used. Thanks.
Another possibility is JOTTI (http://virusscan.jotti.org/). VirusTotal and Jotti both have a file size limit of 10Mb.

As a workaround, you can add these files to the Standard Shield provider (on-access scanning) exclusion list.
Left-click the blue 'a' icon, click on the provider icon at left and then Customize. Go to the Advanced tab and click on the Add button...
You can use wildcards like * and ?. But be careful, you shouldn't 'exclude' so many files that you leave your system in danger.
Title: Re: "Detected a virus in the operating memory"
Post by: Lisandro on May 04, 2008, 03:32:40 PM
I forgot...
The virus messages about rootkits are about to be changed in the latest avast version. Some of them have already been changed in the beta. I'm not sure this is not a case of a non-exact virus warning.
Title: Re: "Detected a virus in the operating memory"
Post by: drmsucks on May 04, 2008, 05:34:27 PM
Tech - I do not get a file identified, all I get is the non-specific popup shown in my original post. All scans have come up clean. As I mentioned, Avast! did find a "rootkit" which I told it to ignore.

The virus warning pops up about 1 - 2 minutes after a boot. Could it be that the notification is after the rootkit scan and the program fails to read that I chose to "ignore" the file?

I'll disable the rootkit scan on startup and see what happens.

Thanks for the help.
Title: Re: "Detected a virus in the operating memory"
Post by: drmsucks on May 04, 2008, 06:46:40 PM
I'll disable the rootkit scan on startup and see what happens.

Disabled the rootkit startup scan and no difference - got the popup a couple minutes after boot.

Any suggestions? The popup is annoying if it's false and scary if it's not!
Title: "Uninstalling" AVG AV
Post by: Spiritsongs on May 04, 2008, 07:41:48 PM
:) Hi:

This is a long shot, but when you uninstalled AVG AV, did you follow
the Recommendations at www.pchell.com/virus/uninstallavg.shtml!?
Title: Re: "Detected a virus in the operating memory"
Post by: drmsucks on May 04, 2008, 08:16:37 PM
@spiritsongs: Thanks for the reply. AVG 7.5 had an uninstall routine and I used that prior to installing Avast! I've also uninstalled Avast! using aswclear.exe (v 1.0.0.1) in Safe Mode and re-installed.

The program seems to work normally except for the popup a couple minutes after boot.

Any ideas?
Title: Re: "Detected a virus in the operating memory"
Post by: drmsucks on May 04, 2008, 09:27:04 PM
OK - It is as I thought. I uninstalled Magic Folders (the program Avast! identified as a rootkit) and no warning from Avast! on boot. I re-installed Magic Folders and the popup warning re-appeared.

Now - how do I notify Avast! personnel about this situation?
Title: Re: "Detected a virus in the operating memory"
Post by: Lisandro on May 05, 2008, 01:12:39 AM
To know if a file is a false positive, please submit it to VirusTotal (http://www.virustotal.com/xhtml/index_en.html) and let us know the result. If it is indeed a false positive, send it in a password-protected zip to virus@avast.com
Please mention in the body of the message why you think it is a false positive and the password used. Thanks.
Another possibility is JOTTI (http://virusscan.jotti.org/). VirusTotal and Jotti both have a file size limit of 10Mb.

As I've said before, as a workaround, you can add these files to the Standard Shield provider (on-access scanning) exclusion list.
Left-click the blue 'a' icon, click on the provider icon at left and then Customize. Go to the Advanced tab and click on the Add button...
You can use wildcards like * and ?. But be careful, you shouldn't 'exclude' so many files that you leave your system in danger.
Title: Re: "Detected a virus in the operating memory"
Post by: drmsucks on May 05, 2008, 01:28:05 AM
@Tech: Thanks. The problem is that I don't know the particular file that Avast! objects to because I told it to ignore the file. Every rootkit detector I've run has objected to this file but it is legit.

Magic Folders is a security program and I'm sure hooks into the OS in a way that looks like a rootkit.

I'll attempt to contact the program developer and have him contact Avast! Those two entities have to work it out.
Title: Re: "Detected a virus in the operating memory"
Post by: drmsucks on May 08, 2008, 01:17:34 AM
I have been in touch with the creator of Magic Folders which Avast! misidentifies as a rootkit. Even though I told Avast! to "ignore" the first time it warned me, I get the bogus warning shown above on each boot.

The creator of Magic Folders says, "They don't listen to me.  Perhaps they would listen to a customer...."

This is a nettlesome (albeit, not widespread, perhaps) problem. I have the contact info for the programmer for Magic Folders. Can anyone tell me how to pass it on to the developers at Avast!?

Thanks.
Title: Re: "Detected a virus in the operating memory"
Post by: Vlk on May 08, 2008, 09:23:41 AM
This is a bug in the current version of avast.
You can update to the latest pre-release version that is supposed to fix the problem.
http://forum.avast.com/index.php?topic=34612.0

BTW the "They don't listen to me.  Perhaps they would listen to a customer...." statement is simply not true. :)

Take care
Vlk
Title: Re: "Detected a virus in the operating memory"
Post by: Lisandro on May 08, 2008, 02:21:26 PM
Thanks Vlk.
People aren't used to serious and fast support.
Title: Re: "Detected a virus in the operating memory"
Post by: drmsucks on May 08, 2008, 06:40:15 PM
@vlk - Thanks for the prompt reply.

This is a bug in the current version of avast.
You can update to the latest pre-release version that is supposed to fix the problem.
http://forum.avast.com/index.php?topic=34612.0

Beta appears to have fixed the issue.

BTW the "They don't listen to me.  Perhaps they would listen to a customer...." statement is simply not true. :)

I will pass your comment along.