Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: frankey999 on January 22, 2011, 05:51:35 PM

Title: virus found sometimes in memory
Post by: frankey999 on January 22, 2011, 05:51:35 PM
Hi all,

I have a daily scan scheduled, which runs every second day at 10.30pm.  I just checked my logs, and I see that for the last several scans there is a virus found in memory, and it looks like this (I wish cut/paste was available):

Process 1740[ctfmon.exe], memory block 0x0000000000400000, block size 24576, severity high,  win32:Trojan-gen

Sometimes the process number is different.

I have now run a quick scan and a full system scan but found nothing.  

I ran MBAM with the latest defs, nothing found.

I have 5.1.889, and 110121-1.  Running xp sp3.

My questions are, 1st what is this, and second, is there a way to tell avast to get rid of it?


Thanks for any ideas.

Edit to add:  This virus was found also on 5.0.889.  The reason I went to 5.1.889 is because for some reason web shield and mail shield would not run.
Title: Re: virus found sometimes in memory
Post by: Lisandro on January 22, 2011, 06:01:43 PM
I suppose the ctfmon.exe file is clean... Did you test with www.virustotal.com?
Seems a false positive, but, anyway, it's strange that it is only detected in memory... Strange for me, not an expert.
Title: Re: virus found sometimes in memory
Post by: Soyer on January 22, 2011, 06:59:34 PM
It's a file of the Windows keyboard switcher. It's not a virus. But if you are using another keyboard switcher, like Key Switcher, you may remove it.
Title: Re: virus found sometimes in memory
Post by: frankey999 on January 23, 2011, 12:27:59 AM
Hi Tech,

I did upload to virustotal, and only 1 out of 43 id'd it as a virus... esafe said it was win32.banker.  I also tried jotti viruscan... came out clean.

Soyer... interesting.  I did get a switcher but only a week or so ago, after avast started reporting this.

Thanks.
Title: Re: virus found sometimes in memory
Post by: DavidR on January 23, 2011, 01:56:32 AM
I think uploading the ctfmon.exe to VT or any other multi-engine scanner is likely to be pointless as it isn't actually a detection on ctfmon.exe, but on data in a block of memory loaded into memory by ctfmon.exe.
Title: Re: virus found sometimes in memory
Post by: frankey999 on January 25, 2011, 11:09:47 AM
I'd really like to know why only my daily scan shows this as a virus.  If I run an on demand scan, it comes out clean.

Should I be reporting this as a bug report?

Thanks.
Title: Re: virus found sometimes in memory
Post by: DavidR on January 25, 2011, 03:35:31 PM
Your daily scan is also an on-demand scan.

So my only assumption is that your daily scan is a custom scan that also included a memory scan?
That memory scan in your Custom scan is, I assume, more in-depth than the Quick or Full System Scans. So essentially they are different scans.
Title: Re: virus found sometimes in memory
Post by: frankey999 on January 26, 2011, 11:06:51 AM
Well, doesn't really make sense.  Daily scan includes "operating memory", but full system scan includes "modules loaded into memory", although in the settings it only says "quick startup memory".  Why wouldn't full system scan include memory?  And one would think, as it says, full system scan "performs an indepth scan, thorough but slow", so the full scan would be the most complete, no?

Really wish they would use the same terms if they mean the same thing.

I still don't know if this is a bug or a problem or what?  Every time I run a scan it says I have a virus.  Not too encouraging in allowing me to trust the process.
Title: Re: virus found sometimes in memory
Post by: Nesivos on January 26, 2011, 02:59:28 PM
Have you rebooted since you got that message?

If not you may want to reboot and rescan.

If you do not want to reboot or already have since detecting the virus and/or it remains after the reboot you could try downloading and running in batch mode ESET On-line scanner and Dr. Web. Just make sure that if you use Dr. Web that when you run the executable which will put your computer in protected mode that you do not install the trial version when given the option :)  You will get one spam popup while it is running.  Just click the X on the popup and it will close.

I have found that sometimes ESET and/or Dr. Web will find some bad stuff that slips by AIS, however from what I understand AIS is a better product so I stick with AIS and after all nothing is perfect. :) and I am very happy :) :) with AIS.   Running ESET on-line scanner and Dr. Web in the batch mode will not mess up AIS.   If you run ESET on-line scanner it will prompt you to uninstall it when done.  I don't uninstall it and have not experienced any conflict so far by leaving it.  

I would run ESET on-line scanner first since it does not tie up your computer and it does not put much of a drag on system resources.  If ESET on-line scanner, which is accessible on their website in small print at the bottom of their main webpage does not find and remove the virus then I would try Dr. Web because Dr. Web running in protected mode locks you out of using your computer.

The default scan in Dr. Web is a quick scan and it finishes pretty quickly. If the Dr. Web quick scan or ESET don't find anything then make sure you run a Dr. Web complete scan.  I suggest running this last because their complete scan can take hours literally depending on your computer hardware and locks you out of using your computer during the scan since Dr. Web puts your computer in a protected mode.  However if you are running any P2P programs while Dr. Web is running my experience has been that they will continue to run fine but not show any updates to the file transfers until after the computer is out of the protected mode.

Good luck

Title: Re: virus found sometimes in memory
Post by: DavidR on January 26, 2011, 04:14:03 PM
@ frankey999
I still don't know what scan you are doing, I asked that question in Reply #6 and without details of the scan you are doing I can't even hazard a guess.

A daily scan only implies that you ran a scheduled scan and not what the scan or its settings were.
Title: Re: virus found sometimes in memory
Post by: frankey999 on January 27, 2011, 12:45:38 AM
> @ frankey999
> I still don't know what scan you are doing, I asked that question in Reply #6 and without details of the scan you are doing I can't even hazard a guess.
>
> A daily scan only implies that you ran a scheduled scan and not what the scan or its settings were.

Oh sorry, didn't realize I wasn't clear.

My daily scan is:
system drive
memory
auto-start programs
interactive selection (btw what exactly is this?)
Which settings do you need to know?

It's the memory scan that seems to be the problem, since the scan logs show a process in memory block.
Every daily scan has this result, whereas the system scan and the quick scan do not.

It doesn't seem to matter if I re-boot or not, I still get the same log entry.

Thanks.
Title: Re: virus found sometimes in memory
Post by: DavidR on January 27, 2011, 01:03:13 AM
I would disable the memory scan.
The ctfmon.exe application is used by several different functions, so it would be hard to say what that might be which may have ctfmon.exe load something into memory. The process ID is likely to change on each boot at the very least, it depends on when it is loaded.

Personally with a resident on-access antivirus it depreciates the need to do on-demand scans of old and once a day might be considered over the top.

The team at avast have designed the pre-defined scans (Quick & Full System Scans) so that they scan the most important areas and files, those that present an immediate risk or are targets of malware, etc. This provides a good balance between performance and protection, etc.

By going any deeper than this you are going to be scanning files that are either dormant or inert, so there is little benefit in actually doing that.

I run a weekly scheduled Quick scan on the default settings and a monthly Full System Scan (1st day of the month) and haven't felt the need to dig deeper.
Title: Re: virus found sometimes in memory
Post by: frankey999 on January 27, 2011, 11:07:53 AM
Hi Davidr,

Thanks for your information.  Good to know, and I'll likely reduce the scan frequency and use your recommendations.

Sorry to seem stubborn, but you haven't answered my questions.

If the daily scan and the full scan and the quick scan are all scanning memory, why is it that only the daily scan is picking up a virus?  And not just once, but every time.  Is this a bug or false positive?  Do I have a virus? 

You've left me hanging.  By saying I should ignore it you imply it's nothing to worry about, so should I report it as a false positive?

Thanks.
Title: Re: virus found sometimes in memory
Post by: Lisandro on January 27, 2011, 11:24:36 AM
> I did upload to virustotal, and only 1 out of 43 id'd it as a virus...
Do you have the virustotal link for it?
Title: Re: virus found sometimes in memory
Post by: DavidR on January 27, 2011, 04:28:39 PM
> Hi Davidr,
>
> Thanks for your information.  Good to know, and I'll likely reduce the scan frequency and use your recommendations.
>
> Sorry to seem stubborn, but you haven't answered my questions.
>
> If the daily scan and the full scan and the quick scan are all scanning memory, why is it that only the daily scan is picking up a virus?  And not just once, but every time.  Is this a bug or false positive?  Do I have a virus?
>
> You've left me hanging.  By saying I should ignore it you imply it's nothing to worry about, so should I report it as a false positive?

I haven't answered it as I simply can't answer it, I have no way of knowing what is loaded into memory.

They are scanning at different levels; note the difference in the custom scan (I hate the term daily scan as it says nothing about it): it has three different memory scan options: Memory (which was one of your settings in the Custom scan), auto-start programs, and auto-start programs (all users). The other scans don't have that: the Quick has Auto-start programs memory check, the Full System scan has QuickStartUpMem check.

So if as I suspect the ctfmon.exe isn't a startup program then that wouldn't be checked in these scans.

How is it possible to report it as a false positive? I know of no way, as it isn't a physical file.
Title: Re: virus found sometimes in memory
Post by: frankey999 on January 29, 2011, 12:05:35 PM
@Tech

Here is the link to virustotal.  I just noticed the comments in virustotal from 5 days ago:
"Added to %user% startup when machine infected with Bredolab bot virus." and someone else also mentions avast catches it in memory scan.

http://www.virustotal.com/file-scan/report.html?id=5fb24fc7916a6e6b3be7d84cb1684215b266cd1495575c2e5672b8447932e5b1-1296298358

@Davidr

ctfmon.exe is a file in windows/system32, so I'm not sure what you mean by "it's not a physical file"?

I guess what you're saying is all 3 scans mentioned check memory in different ways?  If that's true, and the user's comment is correct, then it seems it might be good to run all 3 scans, since only the custom scan caught it?

Thanks.
Title: Re: virus found sometimes in memory
Post by: Lisandro on January 29, 2011, 01:18:49 PM
Does the detection continue to happen?
Seems a false positive...
Title: Re: virus found sometimes in memory
Post by: DavidR on January 29, 2011, 03:44:25 PM
> <snip>
> @Davidr
>
> ctfmon.exe is a file in windows/system32, so I'm not sure what you mean by "it's not a physical file"?
>
> I guess what you're saying is all 3 scans mentioned check memory in different ways?  If that's true, and the user's comment is correct, then it seems it might be good to run all 3 scans, since only the custom scan caught it?
>
> Thanks.

It isn't alerting on ctfmon.exe, which would be why a) avast didn't alert on the file in its original windows/system32 location and b) why VT scan should come up clean, for some reason the VT link you gave doesn't work.

This detection is on a memory block that the ctfmon.exe process loaded into memory, that is a memory block and isn't a physical file.
Title: Re: virus found sometimes in memory
Post by: frankey999 on February 01, 2011, 02:38:18 AM
@Tech
As I mentioned in my post, it happens every time.  Do you have any comment about the virustotal user comments?  You did ask for a link to VT.

@DavidR
Perhaps you could try the link again?  It works for me.  You responded to my first question, perhaps you missed the second:

"I guess what you're saying is all 3 scans mentioned check memory in different ways?  If that's true, and the user's comment is correct, then it seems it might be good to run all 3 scans, since only the custom scan caught it?"

Thanks.
Title: Re: virus found sometimes in memory
Post by: frankey999 on February 04, 2011, 03:09:22 AM
Anyone in this forum able to respond and answer the question?

Seems Tech and/or DavidR either lost interest or are unable to continue.

Is there any credence to the user comment on Virustotal that it might be a virus, and also why do the 3 scans that Avast does seem to have different behaviours as far as catching the virus?

Thanks.
Title: Re: virus found sometimes in memory
Post by: frankey999 on February 08, 2011, 02:51:04 AM
Nobody can answer a simple question about the different avast scan types?  Good grief.  Very strange behaviour... start to answer and then leave the user hanging.

I'll try again... why one type of memory scan seems to catch a virus but the other types do not, yet the recommendation is that they're not really needed?

Thanks.
Title: Re: virus found sometimes in memory
Post by: frankey999 on February 12, 2011, 04:07:56 AM
Ok trying again...

Is there any reason why the different Avast scans report different results?

Should I be reporting this somewhere as a false positive? (if it is false, that is)

How to stop this from happening?

Thanks.

Title: Re: virus found sometimes in memory
Post by: CraigB on February 12, 2011, 06:04:32 AM
The custom scan runs deeper than the others, so that is why DavidR previously advised you to turn off the memory scanning part of custom scan, or you can stick to running the normal full scan, which is sufficient.
Title: Re: virus found sometimes in memory
Post by: frankey999 on February 17, 2011, 02:56:51 AM
Ok thanks.

I guess the consensus is then that it's a bug in Avast and the custom scan is finding a false positive, so I should just stop that part of the scan.

But what about the other user's comment on Virustotal, that "Added to %user% startup when machine infected with Bredolab bot virus."  Is that just nonsense?  How would I check that?

Thanks.
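
Added example, not part of the thread and not avast's own tooling: one read-only way to check the points raised above, namely which file each running ctfmon.exe process was loaded from, and whether the current user's Startup folder or the Run keys launch something named ctfmon. It assumes PowerShell 2.0 or later is installed and that the genuine file is the windows/system32 copy mentioned in the thread; the function name `New-Finding` and the column names are made up for this example.

```powershell
# Added example (not from the thread). Read-only: it lists, it changes nothing.
# Assumption: the genuine file is %SystemRoot%\System32\ctfmon.exe, as stated in the thread.
$expected = Join-Path $env:SystemRoot 'System32\ctfmon.exe'

function New-Finding($check, $item, $path) {
    # Expected is $true only when the path refers to the System32 copy
    $ok = $path -and ("$path".IndexOf($expected, [StringComparison]::OrdinalIgnoreCase) -ge 0)
    New-Object PSObject -Property @{
        Check = $check; Item = $item; Path = $path; Expected = [bool]$ok
    }
}

$findings = @()

# 1. Image path of every running process named ctfmon.exe.
#    The PID changes between boots, so the path is the thing to compare.
$findings += @(Get-WmiObject Win32_Process -Filter "Name = 'ctfmon.exe'" |
    ForEach-Object { New-Finding 'process' "PID $($_.ProcessId)" $_.ExecutablePath })

# 2. Anything named like ctfmon in the current user's Startup folder
#    (the location the VirusTotal comment quoted in the thread refers to).
$startup = [Environment]::GetFolderPath('Startup')
$findings += @(Get-ChildItem -Path $startup -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like '*ctfmon*' } |
    ForEach-Object { New-Finding 'startup folder' $_.Name $_.FullName })

# 3. Run-key values whose command line mentions ctfmon
foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    $findings += @($props.PSObject.Properties |
        Where-Object { "$($_.Value)" -like '*ctfmon*' } |
        ForEach-Object { New-Finding $key $_.Name "$($_.Value)" })
}

# Rows with Expected = False are the ones to look at by hand
$findings | Sort-Object Expected | Format-Table Check, Item, Path, Expected -AutoSize
```

A row with Expected = False is a lead for manual review (for example, uploading that specific file to a multi-engine scanner), not a verdict; an empty Path on a process row means the path could not be read with the current privileges.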