Author Topic: Adloader-ac [Trj]  (Read 4125 times)


Offline alfainfo

  • Full Member
  • ***
  • Posts: 125
    • Tecnologia USB
Adloader-ac [Trj]
« on: April 18, 2008, 03:33:10 PM »
I let the Avast screensaver start, and it found the Adloader-ac Trojan in a memory block of the Windows Defender process (I checked the PID of the process in Task Manager).
I quickly scheduled a boot-time scan, but it found nothing. Is it perhaps a false positive? When I let the screen saver run again, it flags it again in the Windows Defender process.
What can I do?
Thanks
Windows XP Media Center Edition 2005 SP3; IE 8; Avast 6.0.1367 Free Antivirus; Windows Defender; SUPERAntispyware Free; Amd Athlon64 X2 4200+; Nvidia GeForce 7600Gt; Ram 2.00 GB. Avast 7.0.1401 Free Antivirus on virtualized Windows XP

Offline AVnet

  • Newbie
  • *
  • Posts: 10
Re: Adloader-ac [Trj]
« Reply #1 on: April 18, 2008, 06:26:59 PM »
In the Avast screen saver settings, I will assume that you have the "Advanced configuration" box checked. If so, under the "Sensitivity" section you might have checked the "Ignore virus targeting" box? A while ago (after checking this box myself) I began to experience many "red" Avast screen saver alerts, but only if I had been scanning with Defender or Lavasoft. Those virus definition files were in memory. Unchecking "Ignore virus targeting" fixed these false positives.

"Ignore virus targeting" is probably overkill.

"Check" it out  ;)

Offline alfainfo

  • Full Member
  • ***
  • Posts: 125
    • Tecnologia USB
Re: Adloader-ac [Trj]
« Reply #2 on: April 19, 2008, 02:44:32 PM »
Thanks
I was worrying myself…
Windows XP Media Center Edition 2005 SP3; IE 8; Avast 6.0.1367 Free Antivirus; Windows Defender; SUPERAntispyware Free; Amd Athlon64 X2 4200+; Nvidia GeForce 7600Gt; Ram 2.00 GB. Avast 7.0.1401 Free Antivirus on virtualized Windows XP

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67274
Re: Adloader-ac [Trj]
« Reply #3 on: April 19, 2008, 03:25:53 PM »
I believe you've solved the problem by that method, but I really doubt that virus targeting has something to do with memory block detection... maybe I'm wrong...
I don't think ignore virus targeting is overkill.
The best things in life are free.

Offline AVnet

  • Newbie
  • *
  • Posts: 10
Re: Adloader-ac [Trj]
« Reply #4 on: April 19, 2008, 09:59:58 PM »
On some occasions, the Avast screen saver will begin a scan even while another one is underway. So if the screen saver is also set to scan the memory blocks, certain other anti-malware definition files (if in memory) should be found. This might explain why the DEFAULT setting is unchecked, reducing false positives.

If Avast is the sole anti-malware product being used, then I agree that "Ignore virus targeting" is not overkill, and I would certainly have the box checked myself. Checking the box "Ignore virus targeting" is perhaps overkill only if used simultaneously with other anti-malware definition files.

Note:
I have not re-tested these particulars to see if the latest Avast 4.8 has changed its behavior.


Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67274
Re: Adloader-ac [Trj]
« Reply #5 on: April 19, 2008, 10:08:37 PM »
On some occasions, the Avast screen saver will begin a scan even while another one is underway. So if the screen saver is also set to scan the memory blocks, certain other anti-malware definition files (if in memory) should be found.
Not if the software correctly encrypts the signatures loaded in memory...
The best things in life are free.

Offline alfainfo

  • Full Member
  • ***
  • Posts: 125
    • Tecnologia USB
Re: Adloader-ac [Trj]
« Reply #6 on: April 20, 2008, 04:15:26 PM »
But it is strange that the boot-time scan found nothing…
In theory the result of the boot-time scan should be the same as, or better than, a scan with the operating system started...
Windows XP Media Center Edition 2005 SP3; IE 8; Avast 6.0.1367 Free Antivirus; Windows Defender; SUPERAntispyware Free; Amd Athlon64 X2 4200+; Nvidia GeForce 7600Gt; Ram 2.00 GB. Avast 7.0.1401 Free Antivirus on virtualized Windows XP

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 84393
  • No support PMs thanks
Re: Adloader-ac [Trj]
« Reply #7 on: April 20, 2008, 04:20:45 PM »
Not really, if this is a memory resident issue, then as Windows hasn't started it won't be resident in memory and whatever is injecting the process in memory isn't detected, either normally or in a boot-time scan.

If you haven't already got this software (freeware), download, install, update and run it, preferably in safe mode and report the findings (it should produce a log file).

SUPERantispyware On-Demand only in free version.
Windows 10 Home 2004 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 20.10.2442 (build 20.10.5824.618) UI-1.0.591/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67274
Re: Adloader-ac [Trj]
« Reply #8 on: April 20, 2008, 05:52:09 PM »
But it is strange that the boot-time scan found nothing…
I don't think it's strange... at boot time the signatures (badly encrypted) aren't loaded into memory so, no detection from avast.

Edited: I haven't noticed David has already answered the same... sorry.
The best things in life are free.
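The mechanism described in this reply and in Reply #5 (another product's plaintext definitions sitting in process memory get flagged, while a masked copy and an empty boot-time memory do not), shown as an added Python example that is not part of any post in this thread; the signatures, process id, block address and masking key are constructed stand-ins:

```python
"""Constructed demo of the cross-detection effect discussed in the thread:
a memory scanner whose signatures also occur, in plaintext, inside another
product's loaded definition data will flag that product's process."""

# Constructed stand-in patterns; not real signatures.
SIGNATURES = {
    "Win32:Adloader-AC [trj]": b"ADLOADER-AC-PATTERN",
    "Win32:Demo-B [trj]": b"DEMO-B-PATTERN",
}


def scan_blocks(blocks):
    """Scan (pid, base_address, data) memory blocks; return one
    (pid, base_address, detection_name) tuple per matching signature."""
    hits = []
    for pid, base, data in blocks:
        for name, pattern in SIGNATURES.items():
            if pattern in data:
                hits.append((pid, base, name))
    return hits


def load_definitions(patterns, key=None):
    """Simulate a second product loading its definition file into memory:
    verbatim, or XOR-masked with a key so the raw patterns never appear."""
    raw = b"\x00".join(patterns)
    if key is None:
        return raw
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(raw))


def format_alert(hit, block_size):
    """Render a hit in the style of the notification quoted later in the thread."""
    pid, base, name = hit
    return (f'File "Process {pid}, memory block 0x{base:08X}, block size '
            f'{block_size}" is infected by "{name}" virus.')


def demo():
    """Run the three cases from the thread and return their hit lists."""
    other_defs = list(SIGNATURES.values())  # both products know the same patterns
    plain = load_definitions(other_defs)
    masked = load_definitions(other_defs, key=b"\xa5\x5a\xc3\x3c")  # constructed key
    # Runtime scan: the other product's definitions sit in process 944's memory.
    runtime_plain = scan_blocks([(944, 0x04650000, plain)])
    runtime_masked = scan_blocks([(944, 0x04650000, masked)])
    # Boot-time scan: no user-mode processes are running, so no such block exists.
    boot_time = scan_blocks([])
    return runtime_plain, runtime_masked, boot_time
```

Each masking key byte is non-zero and two of them set the high bit, so no ASCII pattern can survive in the masked copy; a real product would use proper encryption rather than this toy XOR.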

Offline AVnet

  • Newbie
  • *
  • Posts: 10
Re: Adloader-ac [Trj]
« Reply #9 on: April 20, 2008, 06:04:02 PM »
It has been a couple of years since I tested this issue. Defender and Lavasoft were the two that I had tested, so if their encryption techniques have changed, I would be unaware of it. Since that time, I have not re-tested them, because leaving the box unchecked (Avast's default setting) eliminated the problems I was having with false positives. I easily dismissed them as such since on the four machines I had been working on, other anti-malware scanners could not find anything.

If you suspect that your machine is compromised, at a very minimum, run the real time "Standard Shield" set to high. If doubt still remains after double checking with alternative scanners, test it again on another computer or (if you have the time) after doing a clean reformat.

All this depends on how seriously you are convinced (or worried).

Offline AVnet

  • Newbie
  • *
  • Posts: 10
Re: Adloader-ac [Trj]
« Reply #10 on: April 20, 2008, 07:47:54 PM »
Latest result (the avast email notification) after re-testing:

avast! [****]: File "Process 944, memory block 0x04650000, block size 262144" is infected by "Win32:Adloader-AC [trj]" virus. "Screen saver" task used
Version of current VPS file is 080419-0, 04/19/2008

This was found after checking the box "Ignore virus targeting" and running a "Quick Scan" with Windows Defender. It should also be mentioned that I have been adding "Operating memory of the computer" to the list under the screen saver setting "Areas" - "Select the areas to scan" - "Memory."

By default "All harddisks" is the only entry in the Avast screen saver under "Select the areas to scan."

This is enough to convince me that it is a false positive.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67274
Re: Adloader-ac [Trj]
« Reply #11 on: April 20, 2008, 08:00:13 PM »
This is enough to convince me that it is a false positive.
I'm convinced this is a false positive since from the beginning.
But, maybe, Alwil team has nothing to do with it as it could be unencrypted signatures in memory...
The best things in life are free.

Offline AVnet

  • Newbie
  • *
  • Posts: 10
Re: Adloader-ac [Trj]
« Reply #12 on: April 20, 2008, 11:25:38 PM »
TECH,

I believe you misunderstand. It's not about blaming anyone. When I say "False Positive" it only means that I'm not worried that I have the same Trojan. After all, in one sense I made it happen, sort of like an EICAR test. This test should do the same thing for anyone who is willing to take the time.

The Alwil team is doing well to have the default settings just as they are, that is why I unchecked the box again after re-testing.

Testing all things . . .