Topic: Is this a false positive?

Radiation

  • Guest
Is this a false positive?
« on: March 08, 2009, 02:08:30 PM »
A while ago I started getting the blue screen crash which dumps the memory. avast found "Win32:SdBot-gen28 [trj]" in "C:\WINDOWS\MEMORY.DMP". The weird thing is, whenever I've scanned, either on boot or in Windows, it never finds it anywhere else, yet after a blue screen it finds it in the memory.dmp, as it's happened a few times. I've since wiped the hard drive by writing zeros to disk and reinstalled Windows just in case.

It's been OK for a few days, but I've just had the crash again, and when I did a scan on just the memory.dmp file it found it, oddly. At first I thought the blue screens may have just been a memory stick issue and the virus was a false positive, but I ran memtest and it passed 3 times, so I'm not sure what's going on here. Nothing seems suspicious on the PC, as I've checked stuff and have since run other various scanners. Only a few programs have been installed since reinstalling, and everything seems to be fine otherwise. I try to keep decent security, so I don't get what's going on. Please help! :(

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 34065
  • malware fighter
Re: Is this a false positive?
« Reply #1 on: March 08, 2009, 04:08:27 PM »
Hi Radiation,

This is normal behaviour because the crash changed the file, so avast finds the changed file. When you delete this file a new one will be built up automatically.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89690
  • No support PMs thanks
Re: Is this a false positive?
« Reply #2 on: March 08, 2009, 04:13:40 PM »
The memory.dmp file is created when your system crashes; it contains what is in memory at the time of the crash, which could have contained malware. It could be as large as your memory, so it may not be allowed to be sent to the chest without changing the settings.

If you have the tools and experience, you can examine this file to help discover why the crash happened; if you don't have this experience and tools, it is worthless to you. The older the file is, the less worth it has, too.

If Windows were to crash again, it would create a new memory.dmp file if one wasn't present or replace any existing one. So there really is no downside to deleting this memory.dmp file.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.762) UI 1.0.818/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Radiation

  • Guest
Re: Is this a false positive?
« Reply #3 on: March 08, 2009, 04:37:13 PM »
Thanks, though I know that. What I don't get is why it would only be found in the memory.dmp and nowhere else. I have since also scanned using NOD32 and nothing showed up; could it be a false positive then? What are the chances a memory dump would cause the same detection after a fresh install of XP?

If it is a real threat, then why isn't it detected elsewhere on the system, and where does it likely come from, if you had to guess?

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 34065
  • malware fighter
Re: Is this a false positive?
« Reply #4 on: March 08, 2009, 05:07:41 PM »
Hi Radiation,

"The memory dump file contains the contents of your computer's memory and
other technical information. The information is pretty much unintelligible
to ordinary users, but it can be helpful to Microsoft engineers when
diagnosing a crash.

Your system is probably set up to write a 'complete memory dump' if it halts
unexpectedly. It doesn't have to be this way: You can choose to have a
'small memory dump' instead, which will record the smallest amount of
information that will help identify a problem. To learn how to do this, open
Help and Support and search for 'memory dump' (without the quotes, of
course). Read the article entitled "Specify what Windows does if the system
stops unexpectedly."

As long as you've re-installed Windows, you can safely delete the old dump
file (as they're called.)

As for why it doesn't defragment - that's by design. In the interest of
getting the job done more quickly, XP's defragmenter doesn't defrag files in
low priority paths. Since Microsoft doesn't anticipate that you'll have
great need for dump files, they aren't defragmented.

How to Configure the dump type in XP

      1. Click Start, point to Settings, and then click Control Panel.
      2. Double-click System.
      3. On the Advanced tab, click Startup and Recovery.

Unless you plan on debugging it or paying MS to analyze it, just delete
it. (It's a dump from a prior system crash.)
To delete memory.dmp in Vista:

1. Start > Programs > Accessories > System tools
2. Disk Cleanup
3. Select Drive C and hit OK
4. Then delete them.

polonus

Radiation

  • Guest
Re: Is this a false positive?
« Reply #5 on: March 08, 2009, 05:15:24 PM »
I appreciate you're trying to help, but the issue isn't the memory.dmp file as such; it's the possibility there's an actual virus causing the crash, and I've yet to find it anywhere but these memory dumps, which leads me to believe it's coming from some other source I'm unaware of, or it's a false positive. I've reinstalled XP and done all the checks and scans I can, and nothing has really helped in tracking this down. I just want to know what's going on so I know whether I should be worried or not.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 34065
  • malware fighter
Re: Is this a false positive?
« Reply #6 on: March 08, 2009, 05:45:45 PM »
Hi Radiation,

Then download HJT 2.02 from here: http://download.bleepingcomputer.com/hijackthis/HiJackThis.exe
and give us a HJT logfile.txt in addition to your next posting, and then we will try to analyze that for ye.

polonus

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89690
  • No support PMs thanks
Re: Is this a false positive?
« Reply #7 on: March 08, 2009, 05:56:32 PM »
The problem stems from the physical size of these files, as there really is no way to upload it to the likes of VirusTotal (a multi-engine scanner), as that has a 10MB file upload limit.

What you don't mention is how old this memory.dmp file is (creation date), as that would give an idea if this is a current or historic issue.

Personally I would remove it and monitor the situation since you have scanned using both avast and nod32 (on-line scan I presume?) and found nothing.
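The two replies from DavidR make three checks worth doing before deleting a flagged dump: what kind of dump it is, how old it is (a creation or modification date tells current from historic), and whether it is small enough for a 10MB multi-engine upload. They also explain why the detection appears only there: the dump is a raw copy of memory, so a content scan over it matches whatever was resident at crash time. The script below is an added example, not code from the thread or from Avast; it runs those checks on a dump and does a plain byte-pattern scan of the kind an AV engine performs. The dump it scans is a small fake built in a temp directory with a real Windows dump header and a made-up marker string, so nothing here is a real malware signature; on a real machine you would point `triage()` at the path the thread mentions, C:\WINDOWS\MEMORY.DMP.

```python
"""Triage a Windows crash dump that an AV scanner has flagged.

Added example (not from the forum thread). The fake dump and the
marker "signature" are constructed here for demonstration only.
"""
import hashlib
import os
import tempfile

UPLOAD_LIMIT = 10 * 1024 * 1024  # 10MB limit mentioned in reply #7
MARKER = b"CONSTRUCTED-SIGNATURE-MARKER"  # made-up pattern, not a real signature
PAYLOAD_SIZE = 4096  # size of the filler in the constructed dump

# Magic bytes at offset 0 of the common Windows dump formats.
DUMP_MAGIC = {
    b"PAGEDUMP": "kernel/complete memory dump (32-bit)",
    b"PAGEDU64": "kernel/complete memory dump (64-bit)",
    b"MDMP": "small memory dump (minidump)",
}


def dump_kind(path):
    """Classify the dump from its header; unknown headers are reported, not guessed."""
    with open(path, "rb") as f:
        head = f.read(8)
    for magic, desc in DUMP_MAGIC.items():
        if head.startswith(magic):
            return desc
    return "unknown (not a recognised Windows dump header)"


def sha256_file(path, chunk=1 << 20):
    """Hash in chunks so a dump as large as RAM is never loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_pattern(path, pattern, chunk=1 << 20):
    """Return the file offset of the first occurrence of `pattern`, or -1.

    Reads in chunks and carries len(pattern)-1 bytes of overlap so a match
    straddling a chunk boundary is not missed. This is the same kind of
    content scan an AV engine runs over the dump, which is why a pattern
    that was only ever in memory shows up in memory.dmp and nowhere on disk.
    """
    keep = len(pattern) - 1
    offset = 0  # bytes of the file consumed so far
    tail = b""  # overlap carried from the previous chunk
    with open(path, "rb") as f:
        while True:
            block = f.read(chunk)
            if not block:
                return -1
            buf = tail + block  # buf[0] sits at file offset (offset - len(tail))
            idx = buf.find(pattern)
            if idx != -1:
                return offset - len(tail) + idx
            tail = buf[-keep:] if keep else b""
            offset += len(block)


def triage(path, pattern, now=None):
    """Collect the facts the thread asks about before the dump is deleted."""
    st = os.stat(path)
    import time
    now = time.time() if now is None else now
    return {
        "path": path,
        "kind": dump_kind(path),
        "size_bytes": st.st_size,
        "fits_upload_limit": st.st_size <= UPLOAD_LIMIT,
        "age_days": (now - st.st_mtime) / 86400.0,
        "sha256": sha256_file(path),
        "pattern_offset": find_pattern(path, pattern),
    }


def build_sample_dump(directory, marker=MARKER, payload_size=PAYLOAD_SIZE):
    """Construct a small fake 32-bit kernel dump: real 8-byte magic, then a
    byte ramp as filler with the marker buried in the middle. Test data only."""
    path = os.path.join(directory, "MEMORY.DMP")
    filler = bytes(range(256)) * (payload_size // 256)
    half = payload_size // 2
    with open(path, "wb") as f:
        f.write(b"PAGEDUMP" + filler[:half] + marker + filler[half:])
    return path


def run_demo():
    """Build the constructed dump in a temp dir and triage it; returns the report."""
    directory = tempfile.mkdtemp(prefix="dump-triage-")
    path = build_sample_dump(directory)
    return triage(path, MARKER)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key:18} {value}")
```

Read the report the way the thread suggests: a header that is not a recognised dump format means the file is not what its name claims; an `age_days` of weeks means a historic crash rather than the one just experienced; `fits_upload_limit` false means a multi-engine upload is off the table; and a `pattern_offset` inside the dump with no hit on disk is consistent with something that was only ever in memory, which is a reason to look at what was running, not a reason to keep the dump.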