Author Topic: "Detected a virus in the operating memory"  (Read 6122 times)

Offline drmsucks

  • Jr. Member
  • **
  • Posts: 25
    • Personal Message (Offline)
"Detected a virus in the operating memory"
« on: May 04, 2008, 12:39:41 AM »
Attached message appears on each boot. Have done two boot scans - clean except for the files it couldn't access. The program also found a rootkit which I told it to ignore - it's a legit program, Magic Folders. Any suggestions?

Thanks.

Edit - Prior to installing Avast!, I uninstalled AVG 7.5 AV.

Win XP SP2
Spyware Terminator running real time
v. 4.8.1169
defs: 080503-0
Win firewall - no other
« Last Edit: May 04, 2008, 02:40:07 AM by drmsucks »

Offline Tech

  • avast! team
  • Certainly Bot
  • *
  • Posts: 64891
  • Gender: Male
    • Personal Message (Offline)
Re: "Detected a virus in the operating memory"
« Reply #1 on: May 04, 2008, 01:28:24 PM »
it's a legit program, Magic Folders. Any suggestions?
To know if a file is a false positive, please submit it to VirusTotal and let us know the result. If it is indeed a false positive, send it in a password protected zip to virus@avast.com
Please, mention in the body of the message why you think it is a false positive and the password used. Thanks.
Other possibility is JOTTI. VirusTotal and Jotti both have file size limit of 10Mb.

As a workaround, you can add these files to the Standard Shield provider (on-access scanning) exclusion list.
Left click the 'a' blue icon, click on the provider icon at left and then Customize. Go to Advanced tab and click on Add button...
You can use wildcards like * and ?. But be careful, you should 'exclude' that many files that let your system in danger.
The best things in life are free.

Offline Tech

  • avast! team
  • Certainly Bot
  • *
  • Posts: 64891
  • Gender: Male
    • Personal Message (Offline)
Re: "Detected a virus in the operating memory"
« Reply #2 on: May 04, 2008, 01:32:40 PM »
I've forgot...
The virus messages about rootkits are about to be changed in the latest avast version. Some of them have already been changed in the beta. I'm not sure this is not a case of non-exact virus warning.
The best things in life are free.

Offline drmsucks

  • Jr. Member
  • **
  • Posts: 25
    • Personal Message (Offline)
Re: "Detected a virus in the operating memory"
« Reply #3 on: May 04, 2008, 03:34:27 PM »
Tech - I do not get a file identified, all I get is the non-specific popup shown in my original post. All scans have come up clean. As I mentioned, Avast! did find a "rootkit" which I told it to ignore.

The virus warning pops up about 1 - 2 minutes after a boot. Could it be that the notification is after the rootkit scan and the program fails to read that I chose to "ignore" the file?

I'll disable the rootkit scan on startup and see what happens.

Thanks for the help.

Offline drmsucks

  • Jr. Member
  • **
  • Posts: 25
    • Personal Message (Offline)
Re: "Detected a virus in the operating memory"
« Reply #4 on: May 04, 2008, 04:46:40 PM »
I'll disable the rootkit scan on startup and see what happens.

Disabled the rootkit startup scan and no difference - got the popup a couple minutes after boot.

Any suggestions? The popup is annoying if it's false and scary if it's not!

Offline Spiritsongs

  • avast! Evangelist
  • Super Poster
  • ***
  • Posts: 1761
  • Ad-aware orientated Support forum(s)
    • Personal Message (Offline)
"Uninstalling" AVG AV
« Reply #5 on: May 04, 2008, 05:41:48 PM »
 :)  Hi :

 This is a long shot, but when you uninstalled AVG AV, did you follow
 the Recommendations at www.pchell.com/virus/uninstallavg.shtml  !?
For the Best in what counts in Life :
www.tacf.org

Offline drmsucks

  • Jr. Member
  • **
  • Posts: 25
    • Personal Message (Offline)
Re: "Detected a virus in the operating memory"
« Reply #6 on: May 04, 2008, 06:16:37 PM »
@spiritsongs: Thanks for the reply. AVG 7.5 had an uninstall routine and I used that prior to installing Avast! I've also uninstalled Avast! using aswclear.exe (v 1.0.0.1) in Safe Mode and re-installed.

The program seems to work normally except for the popup a couple minutes after boot.

Any ideas?

Offline drmsucks

  • Jr. Member
  • **
  • Posts: 25
    • Personal Message (Offline)
Re: "Detected a virus in the operating memory"
« Reply #7 on: May 04, 2008, 07:27:04 PM »
OK - It is as I thought. I uninstalled Magic Folders (the program Avast! identified as a rootkit) and no warning from Avast! on boot. I re-installed Magic Folders and the popup warning re-appeared.

Now - how do I notify Avast! personnel about this situation?

Offline Tech

  • avast! team
  • Certainly Bot
  • *
  • Posts: 64891
  • Gender: Male
    • Personal Message (Offline)
Re: "Detected a virus in the operating memory"
« Reply #8 on: May 04, 2008, 11:12:39 PM »
To know if a file is a false positive, please submit it to VirusTotal and let us know the result. If it is indeed a false positive, send it in a password protected zip to virus@avast.com
Please, mention in the body of the message why you think it is a false positive and the password used. Thanks.
Other possibility is JOTTI. VirusTotal and Jotti both have file size limit of 10Mb.

As I've said before, as a workaround, you can add these files to the Standard Shield provider (on-access scanning) exclusion list.
Left click the 'a' blue icon, click on the provider icon at left and then Customize. Go to Advanced tab and click on Add button...
You can use wildcards like * and ?. But be careful, you should 'exclude' that many files that let your system in danger.
The best things in life are free.

Offline drmsucks

  • Jr. Member
  • **
  • Posts: 25
    • Personal Message (Offline)
Re: "Detected a virus in the operating memory"
« Reply #9 on: May 04, 2008, 11:28:05 PM »
@Tech: Thanks. The problem is that I don't know the particular file that Avast! objects to because I told it to ignore the file. Every rootkit detector I've run has objected to this file but it is legit.

Magic Folders is a security program and I'm sure hooks into the OS in a way that looks like a rootkit.

I'll attempt to contact the program developer and have him contact Avast! Those two entities have to work it out.

Offline drmsucks

  • Jr. Member
  • **
  • Posts: 25
    • Personal Message (Offline)
Re: "Detected a virus in the operating memory"
« Reply #10 on: May 07, 2008, 11:17:34 PM »
I have been in touch with the creator of Magic Folders which Avast! misidentifies as a rootkit. Even though I told Avast! to "ignore" the first time it warned me, I get the bogus warning shown above on each boot.

The creator of Magic Folders says, "They don't listen to me.  Perhaps they would listen to a customer...."

This is a nettlesome (albeit, not widespread, perhaps) problem. I have the contact info for the programmer for Magic Folders. Can anyone tell me how to pass it on to the developers at Avast!?

Thanks.

Offline Vlk

  • Global Moderator
  • Serious Graphoman
  • **
  • Posts: 11566
  • Gender: Male
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
    • Personal Message (Offline)
Re: "Detected a virus in the operating memory"
« Reply #11 on: May 08, 2008, 07:23:41 AM »
This is a bug in the current version of avast.
You can update to the latest pre-release version that is supposed to fix the problem.
http://forum.avast.com/index.php?topic=34612.0

BTW the "They don't listen to me.  Perhaps they would listen to a customer...." statement is simply not true. :)

Take care
Vlk
If at first you don't succeed, then skydiving's not for you.

Offline Tech

  • avast! team
  • Certainly Bot
  • *
  • Posts: 64891
  • Gender: Male
    • Personal Message (Offline)
Re: "Detected a virus in the operating memory"
« Reply #12 on: May 08, 2008, 12:21:26 PM »
Thanks Vlk.
People aren't used to a serious and fast support.
The best things in life are free.

Offline drmsucks

  • Jr. Member
  • **
  • Posts: 25
    • Personal Message (Offline)
Re: "Detected a virus in the operating memory"
« Reply #13 on: May 08, 2008, 04:40:15 PM »
@vlk - Thanks for the prompt reply.

This is a bug in the current version of avast.
You can update to the latest pre-release version that is supposed to fix the problem.
http://forum.avast.com/index.php?topic=34612.0

Beta appears to have fixed the issue.

BTW the "They don't listen to me.  Perhaps they would listen to a customer...." statement is simply not true. :)

I will pass your comment along.



 

Google Chrome

AVAST recommends using the FREE Google Chrome™ browser.

Download Google Chrome Now