Topic: virus found sometimes in memory

frankey999 (Jr. Member)
virus found sometimes in memory
« on: January 22, 2011, 05:51:35 PM »
Hi all,

I have a daily scan scheduled, which runs every second day at 10.30pm.  I just checked my logs, and I see that for the last several scans there is a virus found in memory, and it looks like this (I wish cut/paste was available):

Process 1740[ctfmon.exe], memory block 0x0000000000400000, block size 24576, severity high,  win32:Trojan-gen

Sometimes the process number is different.

I have now run a quick scan and a full system scan but found nothing.  

I ran MBAM with the latest defs, nothing found.

I have 5.1.889, and 110121-1.  Running xp sp3.

My questions are, 1st what is this, and second, is there a way to tell avast to get rid of it?


Thanks for any ideas.

Edit to add:  This virus was found also on 5.0.889.  The reason I went to 5.1.889 is because for some reason web shield and mail shield would not run.
« Last Edit: January 22, 2011, 05:57:52 PM by frankey999 »

Lisandro (Avast team)
Re: virus found sometimes in memory
« Reply #1 on: January 22, 2011, 06:01:43 PM »
I suppose the ctfmon.exe file is clean... Did you test with www.virustotal.com ?
Seems a false positive, but, anyway, it's strange that it is only detected in memory... Strange for me, not an expert.
The best things in life are free.

Soyer (Newbie)
Re: virus found sometimes in memory
« Reply #2 on: January 22, 2011, 06:59:34 PM »
It's a file of the Windows keyboard switcher. It's not a virus. But if you are using another keyboard switcher, like Key Switcher, you may remove it.

frankey999 (Jr. Member)
Re: virus found sometimes in memory
« Reply #3 on: January 23, 2011, 12:27:59 AM »
Hi Tech,

I did upload to virustotal, and only 1 out of 43 id'd it as a virus... esafe said it was win32.banker.  I also tried jotti viruscan... came out clean.

Soyer... interesting.  I did get a switcher but only a week or so ago, after avast started reporting this.

Thanks.

DavidR (Avast Überevangelist)
Re: virus found sometimes in memory
« Reply #4 on: January 23, 2011, 01:56:32 AM »
I think uploading the ctfmon.exe to VT or any other multi-engine scanner is likely to be pointless as it isn't actually a detection on ctfmon.exe, but on data in a block of memory loaded into memory by ctfmon.exe.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 21.5.2470 (build 21.5.6354.675) UI 1.0.646/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
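
An added example (not part of the thread and not Avast code): since the first post notes that the process number changes between scans, this groups memory-block detections by image name, block address, size and signature rather than by PID, which shows whether the same region is flagged every time. The line format is assumed from the hand-typed entry in the first post, and the sample lines other than that entry are constructed.

```python
import re
from collections import defaultdict

# Format assumed from the hand-typed entry in the first post;
# this is not an official Avast log specification.
LINE_RE = re.compile(
    r"Process\s+(?P<pid>\d+)\s*\[(?P<image>[^\]]+)\],\s*"
    r"memory block\s+(?P<base>0x[0-9A-Fa-f]+),\s*"
    r"block size\s+(?P<size>\d+),\s*"
    r"severity\s+(?P<severity>\w+),\s*"
    r"(?P<signature>\S+)"
)

def parse_line(line):
    """Return a dict for one memory-detection line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {
        "pid": int(m["pid"]),
        "image": m["image"].lower(),   # image names are case-insensitive on Windows
        "base": int(m["base"], 16),
        "size": int(m["size"]),
        "severity": m["severity"].lower(),
        "signature": m["signature"],
    }

def summarize(lines):
    """Group detections by (image, base, size, signature), ignoring the PID."""
    groups = defaultdict(lambda: {"hits": 0, "pids": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unrelated log line
        key = (rec["image"], rec["base"], rec["size"], rec["signature"])
        groups[key]["hits"] += 1
        groups[key]["pids"].add(rec["pid"])
    return dict(groups)

# Constructed sample: the thread's entry, two made-up repeats with other PIDs,
# and one unrelated line that the parser must skip.
SAMPLE = [
    "Process 1740[ctfmon.exe], memory block 0x0000000000400000, block size 24576, severity high,  win32:Trojan-gen",
    "Process 1612[ctfmon.exe], memory block 0x0000000000400000, block size 24576, severity high,  win32:Trojan-gen",
    "Scan finished (constructed line)",
    "Process 1988[CTFMON.EXE], memory block 0x0000000000400000, block size 24576, severity high,  win32:Trojan-gen",
]

if __name__ == "__main__":
    for (image, base, size, sig), g in summarize(SAMPLE).items():
        print(f"{image} {base:#x}-{base + size:#x} {sig}: "
              f"{g['hits']} hits, PIDs {sorted(g['pids'])}")
```

One group with several PIDs means the same block of the same process image is flagged on every run, which is the detail worth including when describing the detection to the vendor.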

frankey999 (Jr. Member)
Re: virus found sometimes in memory
« Reply #5 on: January 25, 2011, 11:09:47 AM »
I'd really like to know why only my daily scan shows this as a virus.  If I run an on demand scan, it comes out clean.

Should I be reporting this as a bug report?

Thanks.

DavidR (Avast Überevangelist)
Re: virus found sometimes in memory
« Reply #6 on: January 25, 2011, 03:35:31 PM »
Your daily scan is also an on-demand scan.

So my only assumption is that your daily scan is a custom scan that also included a memory scan?
That memory scan in your Custom scan is, I assume, more in-depth than the Quick or Full System Scans. So essentially they are different scans.

frankey999 (Jr. Member)
Re: virus found sometimes in memory
« Reply #7 on: January 26, 2011, 11:06:51 AM »
Well, doesn't really make sense.  Daily scan includes "operating memory", but full system scan includes "modules loaded into memory", although in the settings it only says "quick startup memory".  Why wouldn't full system scan include memory?  And one would think, as it says, full system scan "performs an indepth scan, thorough but slow", so the full scan would be the most complete, no?

Really wish they would use the same terms if they mean the same thing.

I still don't know if this is a bug or a problem or what?  Every time I run a scan it says I have a virus.  Not too encouraging in allowing me to trust the process.

Nesivos (Avast Evangelist)
Re: virus found sometimes in memory
« Reply #8 on: January 26, 2011, 02:59:28 PM »
Have you rebooted since you got that message?

If not you may want to reboot and rescan.

If you do not want to reboot, or already have since detecting the virus and/or it remains after the reboot, you could try downloading and running in batch mode ESET On-line scanner and Dr. Web. Just make sure that if you use Dr. Web, when you run the executable, which will put your computer in protected mode, you do not install the trial version when given the option :)  You will get one spam popup while it is running.  Just click the X on the popup and it will close.

I have found that sometimes ESET and/or Dr. Web will find some bad stuff that slips by AIS, however from what I understand AIS is a better product so I stick with AIS and after all nothing is perfect. :) and I am very happy :) :) with AIS.   Running ESET on-line scanner and Dr. Web in the batch mode will not mess up AIS.   If you run ESET on-line scanner it will prompt you to uninstall it when done.  I don't uninstall it and have not experienced any conflict so far by leaving it.  

I would run ESET on-line scanner first since it does not tie up your computer and it does not put much of a drag on system resources.  If ESET on-line scanner, which is accessible on their website in small print at the bottom of their main webpage does not find and remove the virus then I would try Dr. Web because Dr. Web running in protected mode locks you out of using your computer.

The default scan in Dr. Web is a quick scan and it finishes pretty quickly. If the Dr. Web quick scan or ESET don't find anything then make sure you run a Dr. Web complete scan.  I suggest running this last because their complete scan can take hours literally depending on your computer hardware and locks you out of using your computer during the scan since Dr. Web puts your computer in a protected mode.  However if you are running any P2P programs while Dr. Web is running my experience has been that they will continue to run fine but not show any updates to the file transfers until after the computer is out of the protected mode.

Good luck

« Last Edit: January 26, 2011, 03:04:31 PM by Nesivos »
OS: W7-SP1, Security: AIS 7, SAS Pro, WinPatrol Plus Network:2 Dell 570MT x64 1 Dell 660 Desktop with 8GB RAM Default Browser & Email: Firefox & Thunderbird latest Betas

DavidR (Avast Überevangelist)
Re: virus found sometimes in memory
« Reply #9 on: January 26, 2011, 04:14:03 PM »
@ frankey999
I still don't know what scan you are doing, I asked that question in Reply #6 and without details of the scan you are doing I can't even hazard a guess.

A daily scan only implies that you ran a scheduled scan and not what the scan or its settings were.

frankey999 (Jr. Member)
Re: virus found sometimes in memory
« Reply #10 on: January 27, 2011, 12:45:38 AM »
> @ frankey999
> I still don't know what scan you are doing, I asked that question in Reply #6 and without details of the scan you are doing I can't even hazard a guess.
>
> A daily scan only implies that you ran a scheduled scan and not what the scan or its settings were.

Oh sorry, didn't realize I wasn't clear.

My daily scan is:
system drive
memory
auto-start programs
interactive selection (btw what exactly is this?)
Which settings do you need to know?

It's the memory scan that seems to be the problem, since the scan logs show a process in memory block.
Every daily scan has this result, whereas the system scan and the quick scan do not.

It doesn't seem to matter if I re-boot or not, I still get the same log entry.

Thanks.

DavidR (Avast Überevangelist)
Re: virus found sometimes in memory
« Reply #11 on: January 27, 2011, 01:03:13 AM »
I would disable the memory scan.
The ctfmon.exe application is used by several different functions, so it would be hard to say what it might be that has ctfmon.exe load something into memory. The process ID is likely to change on each boot at the very least; it depends on when it is loaded.

Personally with a resident on-access antivirus it depreciates the need to do on-demand scans of old and once a day might be considered over the top.

The team at avast have designed the pre-defined scans (Quick & Full System Scans) so that they scan the most important areas and files, those that present an immediate risk or are targets of malware, etc. This provides a good balance between performance and protection, etc.

By going any deeper than this you are going to be scanning files that are either dormant or inert, so there is little benefit in actually doing that.

I run a weekly scheduled Quick scan on the default settings and a monthly Full System Scan (1st day of the month) and haven't felt the need to dig deeper.

frankey999 (Jr. Member)
Re: virus found sometimes in memory
« Reply #12 on: January 27, 2011, 11:07:53 AM »
Hi Davidr,

Thanks for your information.  Good to know, and I'll likely reduce the scan frequency and use your recommendations.

Sorry to seem stubborn, but you haven't answered my questions.

If the daily scan and the full scan and the quick scan are all scanning memory, why is it that only the daily scan is picking up a virus?  And not just once, but every time.  Is this a bug or false positive?  Do I have a virus? 

You've left me hanging.  By saying I should ignore it you imply it's nothing to worry about, so should I report it as a false positive?

Thanks.

Lisandro (Avast team)
Re: virus found sometimes in memory
« Reply #13 on: January 27, 2011, 11:24:36 AM »
> I did upload to virustotal, and only 1 out of 43 id'd it as a virus...
Do you have the virustotal link for it?

DavidR (Avast Überevangelist)
Re: virus found sometimes in memory
« Reply #14 on: January 27, 2011, 04:28:39 PM »
> Hi Davidr,
>
> Thanks for your information.  Good to know, and I'll likely reduce the scan frequency and use your recommendations.
>
> Sorry to seem stubborn, but you haven't answered my questions.
>
> If the daily scan and the full scan and the quick scan are all scanning memory, why is it that only the daily scan is picking up a virus?  And not just once, but every time.  Is this a bug or false positive?  Do I have a virus?
>
> You've left me hanging.  By saying I should ignore it you imply it's nothing to worry about, so should I report it as a false positive?

I haven't answered it as I simply can't answer it, I have no way of knowing what is loaded into memory.

They are scanning at different levels. Note the difference in the custom scan (I hate the term daily scan as it says nothing about it): it has three different memory scan options: Memory (which was one of your settings in the Custom scan), auto-start programs, and auto-start programs (all users). The other scans don't have that; the Quick has Auto-start programs memory check, the Full System scan has QuickStartUpMem check.

So if as I suspect the ctfmon.exe isn't a startup program then that wouldn't be checked in these scans.

How is it possible to report it as a false positive? I know of no way, as it isn't a physical file.