Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: robinb on May 31, 2011, 03:51:25 PM

Title: are these false positives?
Post by: robinb on May 31, 2011, 03:51:25 PM
these files keep coming up but Avast doesn't quarantine them but asks for a boot scan
Superantispyware is a real program and the outlook program is not corrupted so why does this keep happening after a full scan
I cannot even set them to ignore
robin
Title: Re: are these false positives?
Post by: Pondus on May 31, 2011, 04:02:35 PM
well, no surprise....you have done a custom scan and selected "scan memory" and avast then detects the signatures from those security programs loaded in memory
You are not the first one to do this.... use forum search

i recommend using the default quick/full scan with default settings   ;)
Title: Re: are these false positives?
Post by: robinb on May 31, 2011, 04:19:54 PM
well, no surprise....you have done a custom scan and selected "scan memory" and avast then detects the signatures from those security programs loaded in memory
You are not the first one to do this.... use forum search

i recommend using the default quick/full scan with default settings   ;)

no I just checked, this is a custom scheduled scan  but scan memory is not included in the scan
robin
Title: Re: are these false positives?
Post by: DavidR on May 31, 2011, 04:27:11 PM
Please post an image of your custom scan settings.

These are detections in memory so memory has to have been scanned.

The process loaded by the winlogon.exe one is somewhat strange though. Not sure if this isn't something like SAS being linked to the winlogon process. See image2, I have SAS Pro and there is a link to winlogon.
Title: Re: are these false positives?
Post by: robinb on May 31, 2011, 04:43:32 PM
ok here it is attached
Funny, I ran the scan again today manually to see if this pops up and it did not.  It seems to do it only on the scheduled day scan
robin
Title: Re: are these false positives?
Post by: robinb on May 31, 2011, 04:47:26 PM
also here are all the logs, as you can see the scheduled scans have it.  This computer has had avast set up with the same schedule for 1 year and never did this.  How come now it is?
robin
Title: Re: are these false positives?
Post by: igor on May 31, 2011, 04:57:24 PM
There has to be a "Memory" scan included - otherwise the processes shown on the first screenshot wouldn't be detected.
Title: Re: are these false positives?
Post by: robinb on May 31, 2011, 05:34:01 PM
There has to be a "Memory" scan included - otherwise the processes shown on the first screenshot wouldn't be detected.

you see the pictures?  no memory scan in it
it has been this way for one year
and as said i ran the exact same scan manually and did not get what you see in the first picture

I am going to set up another scheduled scan for next week (it does it every Sunday) without the auto start program in it and see if it changes.

I will let you know

btw these files that it found are not trojans correct?

because i ran superantispyware pro and malwarebytes free  full scans and they found nothing.
robin
Title: Re: are these false positives?
Post by: DavidR on May 31, 2011, 06:27:39 PM
Check my image again, all of those indicated in the highlighted area do a memory scan at varying degrees of sensitivity.
Title: Re: are these false positives?
Post by: robinb on May 31, 2011, 06:36:46 PM
Check my image again, all of those indicated in the highlighted area do a memory scan at varying degrees of sensitivity.

i looked at yours dave but are these really trojans since they say they are especially since they belong to programs that are legit?

Why would Avast tag them as trojans?
robin
Title: Re: are these false positives?
Post by: igor on May 31, 2011, 06:37:09 PM
I see the picture... but the areas shown simply don't include memory scan, so it's not possible.
Besides, the image shows the settings of "Full scan", while the list of results shows "Full Scheduled Scan" (i.e. a different one).

Also, the results don't say anything about the Outlook mailbox being corrupted - just that it cannot access the file (most likely because it's opened & locked by Outlook).
As for the detections - yes, it's decrypted signatures in Superantispyware being detected.

Btw, setting "System drive" and "All harddisks" for a scan is duplicate (though the engine probably throws out whatever drives are there twice).
Title: Re: are these false positives?
Post by: DavidR on May 31, 2011, 06:56:33 PM
Check my image again, all of those indicated in the highlighted area do a memory scan at varying degrees of sensitivity.

i looked at yours dave but are these really trojans since they say they are especially since they belong to programs that are legit?

Why would Avast tag them as trojans?
robin

When you ask an antivirus which looks for virus signatures, don't be too surprised when it finds them; SAS has loaded unencrypted virus signatures into memory and you have asked avast to scan memory.

Which is why we are saying don't scan the memory or realise that you can get unforeseen results.

- With a resident on-access antivirus like avast, the need for frequent on-demand scans is much depreciated. For the most part the on-demand scan is going to be scanning files that would otherwise be dormant or inert. If they were active files then the on-access file system shield would be scanning them before being created, modified, opened or executed.

I have avast set to do a scheduled weekly Quick scan, set at a time and day that I know the computer will be on. If for some reason my system wasn't on, no big deal I will catch up on the next scheduled scan.

If you check out this image with the Quick and Full scans you will see that they both scan memory up to a degree. Now I think that those two scans can roughly be equated to the two settings in the Memory section of the custom scan.
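The mechanism igor and DavidR describe above (a byte-pattern scanner matching another product's decrypted signature store in memory, while the same product's files on disk stay clean) as a constructed Python simulation; this is an added example, not code from the forum, Avast or SuperAntiSpyware, and every signature, pattern and "memory image" in it is made up.

```python
"""Constructed simulation of a memory-scan false positive caused by a second
security product holding its own signature database unencrypted in memory.
All patterns, names and the fake process memory below are invented."""
from typing import List

# Constructed signature database: detection name -> byte pattern the scanner looks for.
SIGNATURES = {
    "Win32:Example-A": b"\x55\x8b\xec\x83\xec\x10EVIL1",
    "Win32:Example-B": b"DROPPER-MARKER-XYZ",
}

def scan_bytes(blob: bytes, region: str) -> List[str]:
    """Return 'region: name' for every signature pattern found in blob (plain
    substring matching, the simplest form of a signature scanner)."""
    return [f"{region}: {name}" for name, pat in SIGNATURES.items() if pat in blob]

def xor_obfuscate(data: bytes, key: int = 0x5A) -> bytes:
    """Trivial reversible obfuscation, standing in for the encryption a
    well-behaved product keeps its signature store under while loaded."""
    return bytes(b ^ key for b in data)

def build_process_memory(signature_store: bytes) -> bytes:
    """Constructed 'memory image' of the second security product: some
    harmless code and data plus its loaded signature store."""
    return b"MZ...product code...\x00" + signature_store + b"\x00...heap..."

def memory_scan_demo(other_product_encrypts: bool) -> List[str]:
    """Scan the other product's memory. Its database is made of the same
    patterns our scanner uses, so a plaintext store is 'detected' even
    though nothing malicious is present."""
    raw_store = b"".join(SIGNATURES.values())
    store = xor_obfuscate(raw_store) if other_product_encrypts else raw_store
    return scan_bytes(build_process_memory(store), "memory[other_av.exe]")

def file_scan_demo() -> List[str]:
    """The same product's file on disk (constructed, no plaintext patterns)
    produces no hit, which is why an on-demand file scan stays quiet."""
    clean_file = b"MZ...installer...\x00no patterns here"
    return scan_bytes(clean_file, "file[other_av_setup.exe]")

if __name__ == "__main__":
    print(memory_scan_demo(other_product_encrypts=False))  # plaintext store -> two hits
    print(memory_scan_demo(other_product_encrypts=True))   # obfuscated store -> no hits
    print(file_scan_demo())                                # on-disk file -> no hits
```

The two "hits" in the first run are exactly the kind of result the thread describes: the scanner has found its own signature material, not an infection, and the fix is to leave memory out of the scan or to treat such hits on a known security product as expected.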
Title: Re: are these false positives?
Post by: robinb on May 31, 2011, 07:50:42 PM
ok i get it
thanks
This is on a client's machine that i was seeing all of this.  What i could not understand is why it was doing a memory scan since it was not set to do a memory scan and I set it to scan weekly on the configurations you see above in the picture i put up.
I removed the auto scan programs on startup and am going to wait to see what it does on the next scheduled scan.  I am wondering if this is a glitch in the program or what
robin

Title: Re: are these false positives?
Post by: igor on May 31, 2011, 08:04:32 PM
No, the "Auto-start programs" option does not scan memory - only the "Memory" option.
Title: Re: are these false positives?
Post by: RejZoR on May 31, 2011, 08:15:35 PM
Well, i'd be concerned about winlogon.exe mostly on that list. Because what today's viruses usually do is to infect winlogon.exe first. So if you want to clean it you can't boot the system but if you leave it, it will continue to infect anything you execute. I've experienced such a scenario in the past with Virut.

So inspect what's going on there and especially take care about this EXE. Check it out if it's really infected on VirusTotal or something.
Title: Re: are these false positives?
Post by: DavidR on May 31, 2011, 10:01:07 PM
Well, i'd be concerned about winlogon.exe mostly on that list. Because what today's viruses usually do is to infect winlogon.exe first. So if you want to clean it you can't boot the system but if you leave it, it will continue to infect anything you execute. I've experienced such a scenario in the past with Virut.

So inspect what's going on there and especially take care about this EXE. Check it out if it's really infected on VirusTotal or something.

That is what I mentioned in Reply #3, and SAS hooks this as can be seen in the small second image in that post (using HiJackThis), so I suspect this might be what this is.
Title: Re: are these false positives?
Post by: robinb on June 01, 2011, 12:11:29 AM
i tested the winlogon.exe file with virual labs and it comes up clean
but thanks anyway
robin
Title: Re: are these false positives?
Post by: DavidR on June 01, 2011, 12:56:56 AM
It would because it isn't winlogon.exe that is being detected, but a process loaded into memory by winlogon.exe.