Author Topic: 14 undeletable trojans [solved]  (Read 6564 times)

Offline blueskirt

  • Newbie
  • *
  • Posts: 7
14 undeletable trojans [solved]
« on: May 15, 2010, 09:09:05 AM »
Alright, here's my problem: recently I discovered the Full System scan in Avast did only a quick scan for rootkits, so I created a new scan, one that would do a full scan for rootkits. Next thing I know, Avast detects the following 14 trojans:

Win32:Adloader-AC [Trj]
Win32:FraudLoad-P [Trj]
Win32:Agent-SG [Trj]
Win32:PcClient-OD [Trj]
Win32:MalWarrior [Tool]
Win32:Small-HZH [Trj]
Win32:Banker-CDW [Trj]
Win32:Delf-IZG [Trj]
BV:AutoRun-E [Wrm]
JS:Pdfka-SP [Expl]
Win32:Small-HUF [Trj]
Win32:Small-gen2 [Trj]
Win32:Zbot-AVH [Trj]

All attempts to repair or quarantine result in this message:
Quote
Process 1100 [msmpeng.exe], memory block 0x000000000CFF0000, block size 262144 [L] Win32:Adloader-AC [Trj] (0)
During the file repair, error occurred: File cannot be found.
While moving file to chest, error occurred: File name, folder or volume syntax is incorrect.

I get the same message for all 14 trojans. They're all in the same process, with the same block size, with the same message when I try to repair or quarantine. The only thing that changes is the memory block. I scheduled a boot scan for rootkits but it did not detect anything.

So, what do I do now?
Is my computer infected?
What is msmpeng.exe?
Are these the remains of non-dangerous, damaged, deleted or quarantined viruses?
Could damaged clusters on my hard drive have rendered these viruses unusable?
Are these viruses protecting themselves to the point Avast believes they cannot be written over?
« Last Edit: May 17, 2010, 05:31:56 AM by blueskirt »

doktornotor

  • Guest
Re: 14 undeletable trojans
« Reply #1 on: May 15, 2010, 10:17:51 AM »
msmpeng.exe is Windows Defender, which probably locks those files and prevents their deletion. You should disable it. Anyway, with a PC infected by 14 trojans, you go, wipe the drive and reinstall from scratch. Waste of time trying to disinfect the PC.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37530
  • Not a avast user
Re: 14 undeletable trojans
« Reply #2 on: May 15, 2010, 10:34:40 AM »
Antivirus software can't 'clean / repair' a worm or a trojan, because there is nothing to clean - the entire file IS the worm or trojan.

Clean, Quarantine, or Delete?
http://antivirus.about.com/b/2007/03/11/clean-quarantine-or-delete.htm
« Last Edit: May 15, 2010, 10:38:24 AM by Pondus »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89053
  • No support PMs thanks
Re: 14 undeletable trojans
« Reply #3 on: May 15, 2010, 03:41:47 PM »
Let's start from square one - where were these detections found?

I suspect these are detected in memory as they are probably unencrypted virus signatures loaded into memory by Windows Defender and that you have made some changes to the default settings in the scan that you did.
What was the type of scan you did, and did you make any changes to the settings (if so, which ones)?

####
- Ignore Virus Targeting
Quote
In general, any security application can load some signatures (fragments of malicious code used to detect the real threats) into memory - they are located in data segments (instead of executable code). With "Ignore virus targeting" option enabled avast! can detect these harmless fragments.

These items in scan results are not the files but the virus is detected in memory allocated to security_program_name.exe process - because of this no action is available.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline blueskirt

  • Newbie
  • *
  • Posts: 7
Re: 14 undeletable trojans
« Reply #4 on: May 15, 2010, 10:45:11 PM »
The scan I did was a fully customized one, which I created to scan everything thoroughly. It scans all hard drives, memory, rootkits (full scan), auto-start programs, system drive. Heuristics sensitivity is set to high, and the following options are checked:
Use Code Emulation
Test Whole Files
Ignore virus targeting
Scan for PUPs
Follow Links During Scan

"Ignore virus targeting" was checked. By unchecking it and then scanning again, Avast only detected 6 trojans. If these trojans are harmless unencrypted signatures loaded into memory by Windows Defender like you suspect, is there a way to confirm they indeed are and that my PC is actually safe?
« Last Edit: May 15, 2010, 10:56:02 PM by blueskirt »

Jtaylor83

  • Guest
Re: 14 undeletable trojans
« Reply #5 on: May 15, 2010, 10:55:30 PM »
Please download and run Malwarebytes' Anti-Malware. Once MBAM finds the infections, click Remove.

Next download Trend Micro HiJackThis 2.0.4 (executable only) and save it into a different folder besides the desktop. Run HiJackThis and attach log in your next post.
« Last Edit: May 15, 2010, 11:00:54 PM by Jtaylor83 »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89053
  • No support PMs thanks
Re: 14 undeletable trojans
« Reply #6 on: May 16, 2010, 12:09:16 AM »
Quote
The scan I did was a fully customized one, which I created to scan everything thoroughly. It scans all hard drives, memory, rootkits (full scan), auto-start programs, system drive. Heuristics sensitivity is set to high, and the following options are checked:
Use Code Emulation
Test Whole Files
Ignore virus targeting
Scan for PUPs
Follow Links During Scan

"Ignore virus targeting" was checked. By unchecking it and then scanning again, Avast only detected 6 trojans. If these trojans are harmless unencrypted signatures loaded into memory by Windows Defender like you suspect, is there a way to confirm they indeed are and that my PC is actually safe?

I have highlighted the three which may make avast dig deeper into files and possibly find more than a standard scan might return. The chief one being Ignore Virus Targeting followed by Test Whole Files and lastly Scan for PUPs (though I don't believe it found any).

A simple test would be to disable WD's resident protection, reboot and repeat the test.

What other security applications do you have installed?

Offline blueskirt

  • Newbie
  • *
  • Posts: 7
Re: 14 undeletable trojans
« Reply #7 on: May 17, 2010, 05:31:44 AM »
Yup, the problem was indeed Windows Defender. I disabled it, did a full scan and my computer is as clean as the last time I formatted it. Thanks for the info and advice, guys!

YoKenny

  • Guest
Re: 14 undeletable trojans [solved]
« Reply #8 on: May 17, 2010, 02:49:25 PM »
I do not have a problem with Windows Defender on Windows 7 and I do not use it on my XP Pro system.

I do not have Test Whole Files nor Ignore virus targeting selected.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89053
  • No support PMs thanks
Re: 14 undeletable trojans [solved]
« Reply #9 on: May 17, 2010, 04:30:21 PM »
Quote
Yup, the problem was indeed Windows Defender. I disabled it, did a full scan and my computer is as clean as the last time I formatted it. Thanks for the info and advice, guys!

Whilst that might be the problem in it loading unencrypted signatures into memory, the really heavy customising of the scan will root out things like this, which will give you headaches as you won't know if it is real or other signatures. Me, I have never used WD, but personally if I did I would set the Test Whole Files and Ignore virus targeting back to their defaults (unchecked).
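
An added example, not part of the original thread or any Avast tooling: it parses report lines in the format quoted in the first post and separates memory-block hits inside another scanner's process (the pattern diagnosed in this thread) from detections that still need investigation. The `SECURITY_PROCESSES` set, the file-backed line format and every sample line except the first are assumptions.

```python
import re

# Assumption: only msmpeng.exe (the Windows Defender process named in the
# thread) is listed; extend the set with the scanners you actually run.
SECURITY_PROCESSES = {"msmpeng.exe"}

# In-memory report line, in the format quoted in the first post.
MEM_LINE = re.compile(
    r"^Process (?P<pid>\d+) \[(?P<proc>[^\]]+)\], "
    r"memory block (?P<addr>0x[0-9A-Fa-f]+), "
    r"block size (?P<size>\d+) \[L\] (?P<name>.+?) \(\d+\)$")
# Assumed shape of a file-backed detection line: "<path> [L] <name> (n)".
FILE_LINE = re.compile(r"^(?P<path>.+?) \[L\] (?P<name>.+?) \(\d+\)$")


def triage(report_lines):
    """Split detections into likely signature residue and items to investigate."""
    result = {"likely_signature_residue": [], "investigate": []}
    for raw in report_lines:
        line = raw.strip()
        m = MEM_LINE.match(line)
        if m:
            hit = {"kind": "memory", "process": m["proc"], "pid": int(m["pid"]),
                   "address": int(m["addr"], 16), "size": int(m["size"]),
                   "detection": m["name"]}
            # A hit in another scanner's memory is consistent with loaded
            # signature data: there is no file to repair or move to the chest.
            in_scanner = m["proc"].lower() in SECURITY_PROCESSES
            key = "likely_signature_residue" if in_scanner else "investigate"
            result[key].append(hit)
            continue
        f = FILE_LINE.match(line)
        if f:
            result["investigate"].append(
                {"kind": "file", "path": f["path"], "detection": f["name"]})
    return result


# Constructed sample: the first line is the one quoted in the thread, the
# other three are made up for illustration.
SAMPLE = [
    "Process 1100 [msmpeng.exe], memory block 0x000000000CFF0000, block size 262144 [L] Win32:Adloader-AC [Trj] (0)",
    "Process 1100 [msmpeng.exe], memory block 0x000000000D030000, block size 262144 [L] Win32:Zbot-AVH [Trj] (0)",
    "Process 2044 [example.exe], memory block 0x0000000001230000, block size 4096 [L] Win32:Agent-SG [Trj] (0)",
    r"C:\Users\user\Downloads\setup.exe [L] Win32:Small-HZH [Trj] (0)",
]

if __name__ == "__main__":
    for bucket, hits in triage(SAMPLE).items():
        print(bucket, len(hits))
```

The "likely signature residue" bucket is a hypothesis, not a verdict; the confirmation used in the thread was to disable the other product's resident protection, reboot and rescan.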