Avast WEBforum
Other => Viruses and worms => Topic started by: cazoza on January 29, 2009, 06:59:46 PM
-
I have installed SuperAntispyware Professional on my machine, and when I run the memory test of avast, it detects three viruses, but it is after I have installed SuperAntispyware, and when I use Malwarebytes, avast, and Outpost scans, my system is free of infections. What could it be? Maybe a false positive?
I attached the log of avast; I will be waiting for answers. Thanks.
-
Have you considered uninstalling SAS? Is it the trial version? Are you saying a scan shows nothing?
-
Have you in the past had these infections (mentioned in your warning log) on your hard drive?
-
No, I have not had these infections before. I think it is a false positive from SAS; I mean that when I scan my PC with avast, or Malwarebytes, or SAS, it shows there are no infections. But the Avast memory scan shows that they were in memory.
I have the SAS registered version, and I asked SAS Support, and they told me that it is a false positive from Avast. But I want to be 100% sure about that, because if this is not a false positive, I will ask for a refund.
What could it be?
-
I'm confused, you are saying this is an FP of avast on SAS Pro; I have SAS Pro (see my signature) and I have no such alerts.
How do you know this is a detection on SAS Pro?
There is nothing in your log that specifically indicates SAS.
-
No, I'm saying Avast has a false positive, detecting SAS components as viruses, as in my log.
-
But as I said, your log doesn't say who the memory detections are associated with or belong to, and that is why I asked how you made that determination.
Where does it say this belongs to SAS:
Sign of "Win32:Delf-HWF [trj]" has been found in "*PROCESS\6ac\10060000\800000" file.
If they were truly SAS Pro modules/processes loaded in memory that were being detected then I would have the same detections since I too have SAS Pro and I don't have any detections for memory modules/processes.
-
When you say you scan with Outpost, what is that, an AV or antispyware? What real-time protection do you have running?
-
Well, I have recognized one infection that appeared with SAS Pro, Win32:Autorun-OKA; since I installed SAS, I have that infection. All others disappeared. And Outpost has a built-in anti-spyware/malware/virus scanner. And I have Avast Pro resident protection enabled, and SAS Pro real-time protection. And none of these can detect the autorun infection. I think it is a false positive from Avast identifying SAS Autorun as a virus process when Windows boots.
Avast just notifies that a memory process was infected. But after a full scan of the HDD, there is no infected archive. And I don't know what to do, as my system is clean. If I could have the boot scan, that would be great! I have Win Vista 64 bits, and a quad core, with virtualization built in. And I would like to have the boot-up scan for 64-bit systems in avast's next release, because it is annoying not to have that scan.
I just made that conclusion because before buying SAS Pro my system was clean, and after installing SAS and enabling SAS Autorun, every time Windows starts, that process is infected. But there are no infected files on my machine. So I think it is the SAS process detected as a virus. So it is an Avast Pro false positive. But I need your guidance to be sure.
-
:) Hi:
SUPERAntiSpyware is a credible, trustworthy program. Since the "subject" is "autorun", I recommend a "2nd Opinion" by running the FREE "Flash Disinfector" with info about this program at http://experi3nc3.wordpress.com/2007/05/10/flash-disinfector-by-subs .
-
I too use Agnitum Outpost Firewall Pro, the 2009 version. When you install that, it detects avast and normally suggests you disable the Outpost anti-spyware module, and I would recommend that course of action.
The Outpost (OP) anti-spyware is very noisy, in that it opens many files, and that fact alone causes avast to also intercept that and scan the file before handing over to OP. This can extend boot times, and since avast has anti-spyware built in, I would suggest the OP anti-spyware module is unnecessary, especially since you now have SAS.
You may well notice an improvement in boot times and system performance.
-
Well, I have disabled the Outpost Pro 2009 malware/spyware protection, and now only have Avast Pro and SAS Pro protecting my PC. I have tried the Flash Disinfector, but on a 64-bit OS it is not functioning. I tried to run it in compatibility mode and with administrator privileges, but nothing happens. Can anyone help me with another second opinion? Also, I have tried Malwarebytes, but it says no infections found.
Here is an extract of my Avast log:
30/01/2009 10:15:31 p.m. 1233375331 Luis 4608 Sign of "Win32:AutoRun-AKO [Wrm]" has been found in "*PROCESS\acc\4d10000\990000" file.
Since the SAS installation, it appears every time, but I have no idea why this is happening. But maybe it is a false positive. Can anyone tell me another tool for scanning my PC? Thanks in advance.
-
The problem here is the process is continually changing: *PROCESS\6ac\ in the first batch and now *PROCESS\acc\. This doesn't resemble any process I'm used to seeing in the Task Manager PID column, see image, though I have no idea if this is different in the 64-bit OS.
Well, you could try this tool, MalwareBytes Anti-Malware, on-demand only in the free version: http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe. Right-click on the link and select Save As or Save File (As, depending on your browser), and save it to a location where you can find it easily later.
For some info on this, check this link, Win32:AutoRun-Ako (http://www.sophos.com/security/analyses/viruses-and-spyware/w32autoruncu.html); look in the More Information tab and check if any of these files or the registry entry are on your system.
-
I have tried Malwarebytes, and my system is clean. I also searched for the info you supplied me, and nothing. What could it be? I have attached my Malwarebytes log.
And my latest Avast memory scan results:
31/01/2009 09:05:21 p.m. 1233457521 Luis 2036 Sign of "Win32:AutoRun-AKO [Wrm]" has been found in "*PROCESS\aa4\4c30000\657000" file.
31/01/2009 09:05:22 p.m. 1233457522 Luis 2036 Sign of "Win32:Dialer-DW [trj]" has been found in "*PROCESS\aa4\5296000\32a000" file.
31/01/2009 09:05:25 p.m. 1233457525 Luis 2036 Sign of "Win32:Agent-ZRP [trj]" has been found in "*PROCESS\aa4\e9e0000\20000" file.
31/01/2009 09:05:25 p.m. 1233457525 Luis 2036 Sign of "Win32:Tiny-IF [trj]" has been found in "*PROCESS\aa4\f260000\387000" file.
31/01/2009 09:05:26 p.m. 1233457526 Luis 2036 Sign of "Win32:Femad-R [trj]" has been found in "*PROCESS\aa4\f8e1000\e9000" file.
-
Whilst I don't know if it will make any difference, I would suggest a Full scan, not Quick/Examen Rápido. If you didn't run it from safe mode, that too is more efficient.
Unfortunately, with a 64-bit OS you aren't able to do a boot-time scan, as when avast detects malware in memory it normally suggests a boot-time scan. So the next best thing would be to boot into safe mode (avast doesn't start), use the desktop icon to start avast and run a scan from safe mode.
Other than this I really don't know what else to suggest.
-
Well, thanks, I have tried the safe mode scan, and my system is clean, although the memory scan is saying that it is infected, again with win32:AutoRun-AKO. I have tried Avast PRO Full Scan, Malwarebytes Full Scan, SAS PRO Full Scan, Outpost 2009 Pro Full Scan, also an Avast Bart CD 2.0 Thorough Scan, and nothing. All scans say no infection found.
Thanks for your help.
I'll wait for a SAS update, so I can see if it corrects the problem.
I attached my HijackThis log. Hope it can help.
-
If you're convinced it's SAS, could you not use the option not to start SAS when Windows starts (preferences), then try a memory scan?
I was playing with a program today called Hijack free; it's like Process Explorer. It has a search function. I doubt very much it would be of any use, and it has limitations with Vista 64.
http://www.hijackfree.com/en/
-
I'd say you have a conflict of two anti-malware solutions here.
avast! is simply detecting unpacked/uncrypted virus signatures in SAS memory.
-
Why then do I not see this, as I also have SAS Pro?
-
Honestly, don't know, might be something option-specific.
Btw, the "process IDs", as shown by avast!, are in hexadecimal format - while Task Manager shows them in decimal format, so you have to convert the values before matching them.
-
Any tools to do the conversion you know of off the top of your head?
What might also help is that generally I always pause the standard shield before I run a scan with any other security application, so I don't know if this would help the original poster.
-
The following utilities will enable you to convert hexadecimal to decimal and vice versa:
http://www.statman.info/conversions/hexadecimal.html
http://www.easycalculation.com/hex-converter.php
Google is your friend.
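-
Added example, not part of any post in this thread and not avast! code: a short Python script that pulls the `*PROCESS\...` entries out of the log lines quoted above, converts the hexadecimal process ID to the decimal value Task Manager shows, and groups the detections per process. The function names are made up for this example; the two fields after the process ID are not explained in the thread and are left uninterpreted.

```python
import re
from collections import defaultdict

# avast! memory-scan lines quoted in the posts of this thread.
SAMPLE_LOG = r'''
Sign of "Win32:Delf-HWF [trj]" has been found in "*PROCESS\6ac\10060000\800000" file.
30/01/2009 10:15:31 p.m. 1233375331 Luis 4608 Sign of "Win32:AutoRun-AKO [Wrm]" has been found in "*PROCESS\acc\4d10000\990000" file.
31/01/2009 09:05:21 p.m. 1233457521 Luis 2036 Sign of "Win32:AutoRun-AKO [Wrm]" has been found in "*PROCESS\aa4\4c30000\657000" file.
31/01/2009 09:05:22 p.m. 1233457522 Luis 2036 Sign of "Win32:Dialer-DW [trj]" has been found in "*PROCESS\aa4\5296000\32a000" file.
31/01/2009 09:05:25 p.m. 1233457525 Luis 2036 Sign of "Win32:Agent-ZRP [trj]" has been found in "*PROCESS\aa4\e9e0000\20000" file.
31/01/2009 09:05:25 p.m. 1233457525 Luis 2036 Sign of "Win32:Tiny-IF [trj]" has been found in "*PROCESS\aa4\f260000\387000" file.
31/01/2009 09:05:26 p.m. 1233457526 Luis 2036 Sign of "Win32:Femad-R [trj]" has been found in "*PROCESS\aa4\f8e1000\e9000" file.
'''

# Only the first component after *PROCESS is interpreted (the hex process ID,
# as stated in the thread); the two trailing hex fields stay opaque strings.
LINE_RE = re.compile(
    r'Sign of "(?P<sig>[^"]+)" has been found in '
    r'"\*PROCESS\\(?P<pid>[0-9A-Fa-f]+)\\(?P<f1>[0-9A-Fa-f]+)\\(?P<f2>[0-9A-Fa-f]+)" file\.'
)


def parse_memory_detections(text):
    """Return one dict per *PROCESS detection, with the PID in hex and decimal."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # blank line or a non-memory detection
        hits.append({
            "signature": m["sig"],
            "pid_hex": m["pid"].lower(),
            "pid_dec": int(m["pid"], 16),  # the number to look for in Task Manager
            "opaque_fields": (m["f1"], m["f2"]),
        })
    return hits


def group_by_pid(hits):
    """Map decimal PID -> signature names reported inside that process."""
    grouped = defaultdict(list)
    for hit in hits:
        grouped[hit["pid_dec"]].append(hit["signature"])
    return dict(grouped)


if __name__ == "__main__":
    for pid, sigs in sorted(group_by_pid(parse_memory_detections(SAMPLE_LOG)).items()):
        print(f"PID {pid} (0x{pid:x}): {len(sigs)} detection(s): {', '.join(sigs)}")
```

Run against the lines in this thread, all five detections from 31/01/2009 fall in a single process, which is the one to look up by its decimal PID while it is still running.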
-
Thanks.
He He, depends if Google isn't blocking all sites as bad ;D
-
I will try to pause the standard shield. But as a comment, I have tried Avast Bart CD v3 beta, and it also didn't find infections. So I don't know what else to do. Well, I think my system is clean, for now. Thanks.
-
You're welcome. I always recommend pausing the standard shield when running other on-demand security scans, as it does reduce the possibility of any clash (possibly in this case the loading of signature files into memory). Another consideration: it would also reduce overall scan duration, as there isn't a lot of duplicate scanning going on, since avast would also scan files that SAS wanted to open to scan.
Let us know if pausing the standard shield resolves this problem before you run an SAS scan.
-
I have tried pausing the standard shield, and it is the same. No infections found. Well, I think there is nothing to do. I have tried everything you said to me, and the Autorun-OKA is still in my PC. Thank you for all your help! This is an awesome Forum! Keep up the good work!
P.S. The Bart CD v3 Beta is awesome! It has improved scan speed.