Topic: Avast! found something but can't decide what


Dwarden (Avast Evangelist, Bohemia Interactive)
Avast! found something but can't decide what
« on: August 04, 2009, 10:43:59 AM »
1) Avast! all of a sudden reported some hidden drivers (4 files) on the system and suggested uploading them to Alwil for analysis
2) The system froze afterward
3) Since that moment no report; the boot scan reveals nothing, any other file scan reveals nothing
4) A memory scan reveals something in memory

Code:
4.8.2009 4:27:51 avast! Alert Client 90 Not available "Virus ""Win32:Zbot-AVH [Trj]"" was found in file ""*PROCESS\770\4a00000\40000"".  "
4.8.2009 4:27:50 avast! Alert Client 90 Not available "Virus ""Win32:RPCexploit [Trj]"" was found in file ""*PROCESS\770\49a0000\40000"".  "
4.8.2009 4:27:49 avast! Alert Client 90 Not available "Virus ""Win32:Small-HUF [Trj]"" was found in file ""*PROCESS\770\4940000\40000"".  "
4.8.2009 4:27:48 avast! Alert Client 90 Not available "Virus ""Win32:Small-gen2 [Trj]"" was found in file ""*PROCESS\770\4900000\40000"".  "
4.8.2009 4:27:48 avast! Alert Client 90 Not available "Virus ""JS:Agent-AU [Expl]"" was found in file ""*PROCESS\770\4860000\40000"".  "
4.8.2009 4:27:47 avast! Alert Client 90 Not available "Virus ""Win32:Agent-WOT [Trj]"" was found in file ""*PROCESS\770\47e0000\40000"".  "
4.8.2009 4:27:46 avast! Alert Client 90 Not available "Virus ""Win32:Inject-DO [Trj]"" was found in file ""*PROCESS\770\4760000\40000"".  "
4.8.2009 4:27:46 avast! Alert Client 90 Not available "Virus ""Win32:Banker-CDW [Trj]"" was found in file ""*PROCESS\770\4720000\40000"".  "
4.8.2009 4:27:45 avast! Alert Client 90 Not available "Virus ""Win32:Small-HZH [Trj]"" was found in file ""*PROCESS\770\4690000\40000"".  "
4.8.2009 4:27:44 avast! Alert Client 90 Not available "Virus ""Win32:MalWarrior [Tool]"" was found in file ""*PROCESS\770\4630000\40000"".  "
4.8.2009 4:27:43 avast! Alert Client 90 Not available "Virus ""Win32:PcClient-OD [Trj]"" was found in file ""*PROCESS\770\4580000\40000"".  "
4.8.2009 4:27:42 avast! Alert Client 90 Not available "Virus ""Win32:Agent-SG [Trj]"" was found in file ""*PROCESS\770\44e0000\40000"".  "
4.8.2009 4:27:40 avast! Alert Client 90 Not available "Virus ""Win32:FraudLoad-P [Trj]"" was found in file ""*PROCESS\770\43b0000\40000"".  "
4.8.2009 4:26:39 avast! Alert Client 90 Not available "Virus ""Win32:Adloader-AC [Trj]"" was found in file ""*PROCESS\770\4260000\40000"".  "


Obviously the process ID reveals this is MsMpEng.exe, which is MS Windows Defender.

http://forum.avast.com/index.php?topic=47139.0

So I need to ask: does MSWD keep part of the virus in memory unencrypted, or is this a false positive?
https://twitter.com/FoltynD , Tech. Community, Online Services & Distribution manager of Bohemia Interactive
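As an added triage example (not code from the original post, avast! or Bohemia Interactive), here is a parser for alert lines of the `*PROCESS\<pid>\<base>\<size>` form above, with a heuristic for the pattern this thread shows: a dozen different detection names, each in its own region of identical size inside one process, all within a minute or two. That is what you get when one scanner reads another engine's memory, which holds its own signature and sample data in the clear; a real infection normally shows one family. It assumes the three path components are hexadecimal (770 decimal is not a multiple of 4, as Windows PIDs are, while 0x770 = 1904 is) and that the last one is a region size in bytes. The sample lines are constructed from the thread's log (Czech columns translated) plus one invented line for a second process; the verdict is a triage aid, not proof, so confirm the image name behind the PID separately (for example with `tasklist /FI "PID eq 1904"`).

```python
"""Triage helper for avast! memory-scan alerts in *PROCESS\\<pid>\\<base>\\<size> form.

Added example; not code from avast!, Bohemia Interactive or the original post.
Assumptions: the three path components are hexadecimal (PID 0x770 = 1904),
the last one is a region size in bytes, and timestamps are day.month.year.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: alert lines from the thread with the Czech columns
# translated, plus one invented line (PID 0x5c8) for a second process.
SAMPLE_LOG = r"""
4.8.2009 4:27:51 avast! Alert Client 90 Not available "Virus ""Win32:Zbot-AVH [Trj]"" was found in file ""*PROCESS\770\4a00000\40000"".  "
4.8.2009 4:27:50 avast! Alert Client 90 Not available "Virus ""Win32:RPCexploit [Trj]"" was found in file ""*PROCESS\770\49a0000\40000"".  "
4.8.2009 4:27:49 avast! Alert Client 90 Not available "Virus ""Win32:Small-HUF [Trj]"" was found in file ""*PROCESS\770\4940000\40000"".  "
4.8.2009 4:27:48 avast! Alert Client 90 Not available "Virus ""Win32:Small-gen2 [Trj]"" was found in file ""*PROCESS\770\4900000\40000"".  "
4.8.2009 4:27:48 avast! Alert Client 90 Not available "Virus ""JS:Agent-AU [Expl]"" was found in file ""*PROCESS\770\4860000\40000"".  "
4.8.2009 4:27:47 avast! Alert Client 90 Not available "Virus ""Win32:Agent-WOT [Trj]"" was found in file ""*PROCESS\770\47e0000\40000"".  "
4.8.2009 4:26:39 avast! Alert Client 90 Not available "Virus ""Win32:Adloader-AC [Trj]"" was found in file ""*PROCESS\770\4260000\40000"".  "
4.8.2009 4:30:02 avast! Alert Client 90 Not available "Virus ""Win32:Zbot-AVH [Trj]"" was found in file ""*PROCESS\5c8\400000\1e000"".  "
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\d{1,2}\.\d{1,2}\.\d{4} \d{1,2}:\d{2}:\d{2}) .*?"
    r'Virus ""(?P<sig>[^"]+)"" was found in file '
    r'""\*PROCESS\\(?P<pid>[0-9A-Fa-f]+)\\(?P<base>[0-9A-Fa-f]+)\\(?P<size>[0-9A-Fa-f]+)""'
)


def parse_alerts(log_text):
    """Return one dict per alert line; lines that do not match are skipped."""
    alerts = []
    for line in log_text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        alerts.append({
            "ts": datetime.strptime(m["ts"], "%d.%m.%Y %H:%M:%S"),
            "sig": m["sig"],                 # e.g. "Win32:Zbot-AVH [Trj]"
            "pid": int(m["pid"], 16),        # assumed hex: 0x770 -> 1904
            "base": int(m["base"], 16),      # start of the flagged region
            "size": int(m["size"], 16),      # region length in bytes
        })
    return alerts


def group_by_pid(alerts):
    by_pid = defaultdict(list)
    for a in alerts:
        by_pid[a["pid"]].append(a)
    return dict(by_pid)


def regions_disjoint(hits):
    """True when no two flagged regions of one process overlap."""
    spans = sorted((h["base"], h["base"] + h["size"]) for h in hits)
    return all(spans[i][1] <= spans[i + 1][0] for i in range(len(spans) - 1))


def assess(alerts, min_families=5, window=timedelta(minutes=5)):
    """Map pid -> (label, detail).

    'scanner-like': at least min_families distinct detections, each in its own
    disjoint region of identical size, all within `window`. That is the pattern
    an AV engine's in-memory signature/sample data produces when another
    scanner reads it; a real infection normally shows one family. Heuristic for
    triage only: confirm the image name behind the PID separately.
    """
    verdicts = {}
    for pid, hits in group_by_pid(alerts).items():
        families = {h["sig"].split(" ", 1)[0] for h in hits}
        times = sorted(h["ts"] for h in hits)
        span = times[-1] - times[0]
        one_size = len({h["size"] for h in hits}) == 1
        disjoint = regions_disjoint(hits)
        detail = "%d detections, %d families, span %ds, regions %s" % (
            len(hits), len(families), span.total_seconds(),
            "disjoint" if disjoint else "overlapping")
        if len(families) >= min_families and span <= window and one_size and disjoint:
            verdicts[pid] = ("scanner-like", detail)
        else:
            verdicts[pid] = ("investigate", detail)
    return verdicts


if __name__ == "__main__":
    for pid, (label, detail) in sorted(assess(parse_alerts(SAMPLE_LOG)).items()):
        print("PID %d (0x%x): %s -- %s" % (pid, pid, label, detail))
```

Run it on the full log export and the first thing to look at is the `pid` column in decimal, which is what Task Manager and `tasklist` show; a "scanner-like" verdict for a PID that turns out not to be an AV or anti-malware engine should be treated as "investigate" regardless of the heuristic.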

igor (Avast team, AVAST Software)
Re: Avast! found something but can't decide what
« Reply #1 on: August 04, 2009, 11:27:07 AM »
does MSWD keep part of the virus in memory unencrypted

Yes, I'm sure it does.
However, I don't see any connection with the hidden files...?

Dwarden
Re: Avast! found something but can't decide what
« Reply #2 on: August 04, 2009, 12:05:36 PM »
does MSWD keep part of the virus in memory unencrypted

Yes, I'm sure it does.
However, I don't see any connection with the hidden files...?


Sadly there is no log report about these files,
plus Autoruns reports these driver files as missing while Avast! claimed they were 'hidden'.

It showed up all of a sudden (I assume a delayed rootkit scan) but not since, after repeated OS restarts.
I did RTK FULL, MEMORY and STARTUP scans, yet nothing appeared there either ...

Is there a way to re-trigger such a search?

igor
Re: Avast! found something but can't decide what
« Reply #3 on: August 04, 2009, 01:12:07 PM »
plus Autoruns reports these driver files as missing while Avast! claimed they were 'hidden'

That is not surprising - if the driver files were really hidden, Autoruns wouldn't be able to see the files (unlike avast!, which uses low-level disk access). However, it's also possible that the files were just deleted - right at the moment avast! performed the scan - and it appeared as if they were hidden. What were the filenames?
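As an added check (example code, not igor's, avast!'s or Sysinternals' own), the registry side of what Autoruns reports as a missing driver can be listed directly, which recovers the service names and paths even after the alert itself is gone. It assumes an elevated PowerShell 3 or later session, that only kernel (Type 1) and file-system (Type 2) driver services matter, that a service with no ImagePath defaults to `System32\drivers\<service>.sys`, and that `\SystemRoot\`, `\??\` and `%SystemRoot%` are the prefixes that need rewriting before a path can be tested. It cannot distinguish "deleted" from "hidden by a rootkit": both look like a missing file from user mode, which is exactly igor's point.

```powershell
# Added example (not igor's, avast!'s or Sysinternals code): list driver
# services whose ImagePath does not resolve from user mode, i.e. what Autoruns
# shows as "File not found". Run from an elevated PowerShell 3+ session.
# Assumptions: Type 1 (kernel) and Type 2 (file-system) drivers only; a missing
# ImagePath defaults to System32\drivers\<service>.sys; the prefixes handled
# are \SystemRoot\, \??\, %SystemRoot% and a bare System32\ relative path.
$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

$missing = Get-ChildItem -Path $svcRoot | ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath
    if ($p.Type -notin 1, 2) { return }                  # not a driver service
    $path = if ($p.ImagePath) { $p.ImagePath } else { "System32\drivers\$($_.PSChildName).sys" }
    $path = [Environment]::ExpandEnvironmentVariables($path)
    $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\" `
                  -replace '^\\\?\?\\', '' `
                  -replace '^System32\\', "$env:SystemRoot\System32\"
    [pscustomobject]@{
        Service = $_.PSChildName
        Start   = $p.Start                               # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
        Path    = $path
        OnDisk  = Test-Path -LiteralPath $path -PathType Leaf
    }
} | Where-Object { -not $_.OnDisk }

$missing | Sort-Object Start | Format-Table -AutoSize
```

Stale entries left behind by uninstalled software are common and usually have Start 3 or 4; a boot-start (0) or system-start (1) driver whose file is not on disk is the one worth chasing. To separate "deleted" from "hidden", test the same path from outside the running OS (a boot-time scan or the disk mounted on a clean system): present offline but absent here means hidden, absent in both means deleted.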

Dwarden
Re: Avast! found something but can't decide what
« Reply #4 on: August 04, 2009, 09:52:31 PM »
Like I said, everything froze, so I don't have the filenames, and the message never appeared again.