6 infections cannot be removed

Hello,

For the last few days I have been running a complete scan of my hard drives almost every day, and Avast detects 6 infections which cannot be removed.

The scan log writes:

*PROCESS\3e8\msmpeng.exe\6320000\40000 Threat: BV:Autorun-E [Wrm]

*PROCESS\3e8\msmpeng.exe\6450000\40000 Threat: JS:Pdfka-AJM [Expl]

*PROCESS\3e8\msmpeng.exe\6540000\6e000 Threat: Win32:Small-HUF [Trj]

*PROCESS\3e8\msmpeng.exe\65d0000\40000 Threat: Win32:Small-gen2 [Trj]

*PROCESS\3e8\msmpeng.exe\6770000\40000 Threat: Win32:Zbot-AVH [Trj]

*PROCESS\f70\teatimer.exe\1c70000\140000 Threat: JS:ScriptSH-inf [Trj]

Severity for all: High.

No action can be taken since next to each entry there is the following message:

“Error: the filename, directory name, or volume label syntax is incorrect (123)”

I know that those entries refer to Windows Defender and TeaTimer of Spybot, both of which I uninstalled and reinstalled.
While I had them uninstalled, I ran an Avast complete scan in Safe Mode, which gave me no infections at all.
Next day I scanned again and the 6 entries were still there!

Can you please help me with this issue?

Looks like you have been tweaking the avast scan settings - Ignore Virus Targeting

In general, any security application can load some signatures (fragments of malicious code used to detect the real threats) into memory - they are located in data segments (instead of executable code). With "Ignore virus targeting" option enabled avast! can detect these harmless fragments.

These items in the scan results are not files; the virus is detected in memory allocated to the security_program_name.exe process, and because of this no action is available.
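Added example (not part of the original thread and not Avast's own tooling): a short Python triage of scan-log lines like those quoted above, separating `*PROCESS\...` in-memory hits from file hits and flagging the ones that sit inside another security tool's process. The field layout (hex PID, image name, region base, region size) and the single file entry in the sample are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the six entries quoted in the thread plus one made-up
# file entry for contrast (its path and line format are assumptions).
SAMPLE_LOG = r"""
*PROCESS\3e8\msmpeng.exe\6320000\40000 Threat: BV:Autorun-E [Wrm]
*PROCESS\3e8\msmpeng.exe\6450000\40000 Threat: JS:Pdfka-AJM [Expl]
*PROCESS\3e8\msmpeng.exe\6540000\6e000 Threat: Win32:Small-HUF [Trj]
*PROCESS\3e8\msmpeng.exe\65d0000\40000 Threat: Win32:Small-gen2 [Trj]
*PROCESS\3e8\msmpeng.exe\6770000\40000 Threat: Win32:Zbot-AVH [Trj]
*PROCESS\f70\teatimer.exe\1c70000\140000 Threat: JS:ScriptSH-inf [Trj]
C:\constructed\sample.bin Threat: PLACEHOLDER-NAME
"""

# Assumed layout: *PROCESS\<pid hex>\<image>\<region base hex>\<region size hex>
MEM_ENTRY = re.compile(
    r"^\*PROCESS\\(?P<pid>[0-9a-f]+)\\(?P<image>[^\\]+)\\"
    r"(?P<base>[0-9a-f]+)\\(?P<size>[0-9a-f]+)\s+Threat:\s+(?P<threat>.+)$",
    re.IGNORECASE,
)

# Processes the thread identifies as belonging to other security tools.
SECURITY_IMAGES = {"msmpeng.exe", "teatimer.exe", "mrt.exe"}

def triage(log_text):
    """Return (memory_hits keyed by (pid, image), list of non-memory lines)."""
    memory_hits = defaultdict(list)
    other = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = MEM_ENTRY.match(line)
        if m is None:
            other.append(line)  # a file or other object: review normally
            continue
        image = m["image"].lower()
        memory_hits[(int(m["pid"], 16), image)].append({
            "base": int(m["base"], 16),
            "size": int(m["size"], 16),
            "threat": m["threat"],
            # True: likely signature data loaded by that tool, not a file
            "in_security_tool": image in SECURITY_IMAGES,
        })
    return dict(memory_hits), other
```

Memory hits flagged `in_security_tool` match the situation described in this thread; anything returned in the second list, or a memory hit in an unrelated process, still needs ordinary investigation.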

Thank you for the reply!
But there is no option like “Ignore Virus Targeting” in my settings of Avast!
I looked well in “Sensitivity” screen and I see all other options like “test whole files” etc, but not this one… ???
I use Avast free antivirus 5.0.594.

That image came from an earlier version, so I don’t know if it might have changed in 5.0.594, but that was the normal cause of the Ignore Virus Targeting, though this is still mentioned in the help file, see below. This may possibly have been changed as there was a period of time when we had a lot of this type of post on the forum so they might have removed that option.

Ignore virus targeting - if this box is checked, all files will be tested against all of the current virus definitions. If it is not checked, files will be tested only against those viruses that target the particular type of file, for example, the program will not look for viruses that normally affect files with a ".exe" extension, in files with a ".com" extension.

Which scan were you doing?
In a Custom Scan you can have it scan memory so that may show these loaded signatures. But not as many if the Ignore Virus Targeting option was available and checked.

The main thing is that you know what they are and that there is no way you can actually remove them.

Yes, I understand now the meaning of those 6 threats & it was clear from the beginning there is no way for them to be removed. That was the reason I posted in this forum. :wink:

Version 5.0.594 does not have the option “Ignore virus targeting”. I am posting the image of the settings.

http://i184.photobucket.com/albums/x304/Dzo_2007/Avast_Sesnitivity.jpg

I thought maybe there is another option to avoid those false positives.

I used custom scan with the following selections:

  • Scan areas - All harddisks, Memory, Auto-start programs, Interactive selection, Rootkits (full).
  • Scan all files.
  • Heuristics sensitivity - normal.
  • Scan for PUPs.
  • Follow links.
  • All packers.

In any case, thank you for the help. If you find a way to avoid this kind of false positives, please let me know. :slight_smile:

There is no real way to avoid this, short of not using teatimer and windows defender or don’t scan memory - It is the memory scan that you have selected that is bringing these up. Of course knowing what you do now you can ignore them in the report of the scan.

They aren’t really false positives; you are setting loose an on-demand scan that is looking for virus signatures and that is what it has found: unencrypted virus signatures in memory. I and many others would consider dumping unencrypted virus signatures in memory, where a resident antivirus could detect them, as a bad decision.

PDronma,
I was getting similarly unsettling scan results recently (see attached image), but only when I left Microsoft’s Malicious Software Removal tool (mrt.exe) open during Avast! scans.

Do you exit out of Windows Defender (msmpeng.exe) and Spybot during your Avast! scans?


Celeron M 1.5GHz 32-bit; 1.25 GB RAM; XP Pro (SP3); CFP v4.1.x.920; Webroot Spy Sweeper v6.1.0.145; Avast! v5.0.594

No, I was scanning while Windows Defender & Spybot were still running in the background.
But I’ll try scanning as you suggest. Thank you MostlyHarmless! :slight_smile:
Moreover, I already scanned by skipping the memory scan, which resulted in no threats at all.

Here is the relevant portion of the reply I received from an Avast! support centre ticket I submitted when I had a similar problem to yours back in February, 2010:
“in general, any security application can load some signatures (fragments of malicious code used to detect the real threats) into memory - they are located in data segments (instead of executable code).”

I think Avast! may be detecting some of the “fragments of malicious code” being used by Windows Defender (msmpeng.exe) and/or Spybot as they run in the background.

Personally, I never run two malware detector scans at the same time. Yes, it makes for a long scanning time, but at least I’m confident these programs aren’t fighting with each other as they do their work 8)


I would suggest that the problem is with Windows Defender which I do not have.

I have never gotten any alerts concerning Spybot which I do not disable while scanning with avast.

I use the default settings in avast for these scans.


@ DavidR., The picture the OP posted is not the default for 5.0.594 GUI- both the left pane of the window is different and there is an added field on the bottom of the OP’s center window.

I’m aware of that as the OP answered my question that he is using a Custom scan which will have more options than the pre-defined default Quick/Full System Scans. Plus as has been mentioned .594 appears to have withdrawn the Ignore Virus Targeting option (in my image, captured with an earlier version).

My guess being that Avast feel it causes both confusion (because they don’t appreciate the effect) and panic when avast suddenly starts alerting.

@ DavidR.,

Thank you for the clarification.