Avast WEBforum

Other => Viruses and worms => Topic started by: cassie22 on September 13, 2010, 12:53:37 PM

Title: msmpeng.exe
Post by: cassie22 on September 13, 2010, 12:53:37 PM
Hi

Recently I scanned my computer and the antivirus showed that several files (msmpeng.exe) are infected (and one of them is infected by a trojan), but I can't do anything to deal with them... Please help!
Title: Re: msmpeng.exe
Post by: Lisandro on September 13, 2010, 01:22:20 PM
I suggest:

1. Clean your temporary files.
2. Schedule a boot time scanning with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! (http://www.freedrweb.com/cureit/) instead.
3. Use MBAM (http://malwarebytes.org/mbam.php) (or SUPERantispyware (http://www.superantispyware.com) or even Spyware Terminator (http://www.spywareterminator.com/)) to scan for spyware and trojans. If any infection is detected, it is better and safer to send the infected file(s) to quarantine (Chest), rather than simply deleting them.
4. Test your machine with anti-rootkit applications (http://www.antirootkit.com/software/index.htm). I suggest avast! antirootkit (http://files.avast.com/files/beta/aswar.exe) or Trend Micro RootkitBuster (http://www.trendmicro.com/download/rbuster.asp).
5. Make a HijackThis (http://www.bleepingcomputer.com/files/hijackthis.php) log to post here or to this analysis site (http://www.hijackthis.de/#anl). Or even submit the RunScanner (http://www.runscanner.net/) log to on-line analysis.
6. Clean your Hosts file (replacing it) with HostsMan (http://www.abelhadigital.com) tool.
7. Disable System Restore and then reenable it again.
8. Immunize your system with SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html).
9. Check if you have insecure applications with Secunia Software Inspector (http://secunia.com/software_inspector/).
Title: Re: msmpeng.exe
Post by: DavidR on September 13, 2010, 03:43:21 PM
Hi

Recently I scanned my computer and the antivirus showed that several files (msmpeng.exe) are infected (and one of them is infected by a trojan), but I can't do anything to deal with them... Please help!

You have Windows Defender installed?
- it is loading unencrypted virus signatures into memory.

You are running a custom scan - you have elected to scan Memory?

These detections are in memory and are loaded by msmpeng.exe; it doesn't mean that msmpeng.exe is infected.

~~~~
- Detections in Memory - This is a Custom scan in which you have elected to scan Memory, and all these detections are in memory or are listings of files that can't be scanned. Since they aren't physical files they can't be moved to the chest, deleted, etc., so there is no action that can be taken, hence the Apply button being greyed out.

The detections in memory are frequently other security applications loading unencrypted virus signatures into memory.

Having set off a scan of memory by an antivirus application looking for virus signatures, don't be too surprised if it finds some in memory.
Title: Re: msmpeng.exe
Post by: cassie22 on September 13, 2010, 05:13:46 PM
Thanks for your replies

I don't know much about computers, so actually I don't understand what the replies mean.


You have Windows Defender installed?
- it is loading unencrypted virus signatures into memory.

You are running a custom scan - you have elected to scan Memory?

These detections are in memory and are loaded by msmpeng.exe; it doesn't mean that msmpeng.exe is infected.

~~~~
- Detections in Memory - This is a Custom scan in which you have elected to scan Memory, and all these detections are in memory or are listings of files that can't be scanned. Since they aren't physical files they can't be moved to the chest, deleted, etc., so there is no action that can be taken, hence the Apply button being greyed out.

The detections in memory are frequently other security applications loading unencrypted virus signatures into memory.

Having set off a scan of memory by an antivirus application looking for virus signatures, don't be too surprised if it finds some in memory.

I installed Windows Defender and I chose to scan Memory. You mean the "infected files" cannot be deleted, but in my computer scan results the "files" are marked as:
Win32:BHO-TA[Trj]
JS:Pdfka-AJM[Expl]
NSIS:Downloader-CC[Trj]
BV::AutoRun-E[Wrm]
Win32:Wmall-gen2[Trj]
Win32:Small-HUF[Trj]
Win32:2bot-AVH[Trj]

I wondered if they are really infected and what I should do....
Title: Re: msmpeng.exe
Post by: DavidR on September 13, 2010, 05:37:58 PM
You can't delete a memory block; these aren't physical files in the same sense as a file on your hard disk.

What should you do? Either stop scanning the memory or stop using Windows Defender so it doesn't load unencrypted virus signatures into memory. The Quick and Full System scans are fine for all normal purposes. Either that or you have to know what the repercussions are of a custom scan and any settings that you add/change.
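
The false positive discussed in this thread, shown as an added example that is not part of any forum post: a toy memory scanner matches byte patterns in every region it reads, so a second scanner that keeps its pattern set in memory unencoded produces one detection per signature, with no file behind it to quarantine. The signature names, process names, XOR encoding and memory maps are all constructed assumptions, not how avast or Windows Defender are implemented.

```python
# Added illustration; signatures, process names and regions are all constructed.
SIGNATURES = {
    "Toy:Alpha[Trj]": b"\xde\xad\xbe\xef\x13\x37ALPHA",
    "Toy:Beta[Wrm]": b"\xca\xfe\xba\xbe\x42\x42BETA",
    "Toy:Gamma[Expl]": b"\x0b\xad\xf0\x0d\x99\x01GAMMA",
}
XOR_KEY = 0x5A  # assumption: stand-in for whatever encoding a product applies


def signature_database(encoded):
    """Bytes a second scanner keeps resident: its whole pattern set."""
    blob = b"\x00".join(SIGNATURES.values())
    return bytes(b ^ XOR_KEY for b in blob) if encoded else blob


def scan_region(data):
    """Names of every toy signature whose pattern occurs in the buffer."""
    return sorted(name for name, pattern in SIGNATURES.items() if pattern in data)


def scan_memory(regions):
    """regions: list of (process, backing_file_or_None, bytes).

    Returns (process, detection, actionable) tuples. A hit in a region with
    no backing file has nothing to quarantine, so actionable is False.
    """
    report = []
    for process, backing_file, data in regions:
        for name in scan_region(data):
            report.append((process, name, backing_file is not None))
    return report


# Constructed memory map: an ordinary process plus another scanner's heap.
PLAINTEXT_MAP = [
    ("notepad.exe", None, b"plain document text " * 4),
    ("other_scanner.exe", None, signature_database(encoded=False)),
]
ENCODED_MAP = [
    ("notepad.exe", None, b"plain document text " * 4),
    ("other_scanner.exe", None, signature_database(encoded=True)),
]

if __name__ == "__main__":
    for label, memory_map in (("plaintext", PLAINTEXT_MAP), ("encoded", ENCODED_MAP)):
        print(label, scan_memory(memory_map))
```

Every hit in the plaintext map is attributed to the other scanner's process and flagged as not actionable, which matches the greyed-out Apply button described above.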