Adloader-ac [Trj]

I let the Avast Screensaver start, and it found the Adloader-ac Trojan in a memory block of the Windows Defender process (I checked the pid of the process in Task Manager).
I quickly scheduled a boot-time scan, but it found nothing. Is it perhaps a false positive? When I let the screen saver run again, it flags it again in the Windows Defender process.
What can I do?
Thanks

In the Avast screen saver settings, I will assume that you have the “Advanced configuration” box checked. If so, under the “Sensitivity” section you might have checked the “Ignore virus targeting” box? A while ago (after checking this box myself) I began to experience many “red” Avast screen saver alerts, but only if I had been scanning with Defender or Lavasoft. Those virus definition files were in memory. Unchecking “Ignore virus targeting” fixed these false positives.

“Ignore virus targeting” is probably overkill.

“Check” it out :wink:

Thanks
I was worrying myself…

I believe you’ve solved the problem by that method, but I really doubt that virus targeting has something to do with memory block detection… maybe I’m wrong…
I don’t think ignore virus targeting is overkill.

On some occasions, the Avast screen saver will begin a scan even while another one is underway. So if the screen saver is also set to scan the memory blocks, certain other anti-malware definition files (if in memory) should be found. This might explain why the DEFAULT setting is unchecked, reducing false positives.

If Avast is the sole anti-malware product being used, then I agree that “Ignore virus targeting” is not overkill, and I would certainly have the box checked myself. Checking the box “Ignore virus targeting” is perhaps overkill only if used simultaneously with other anti-malware definition files.

Note:
I have not re-tested these particulars to see if the latest Avast 4.8 has changed its behavior.

Not if the software correctly encrypts the signatures loaded in memory…

But it is strange that the boot-time scan found nothing…
In theory the result of the boot-time scan should be the same as, or better than, a scan with the operating system started…

Not really. If this is a memory-resident issue, then as Windows hasn’t started it won’t be resident in memory, and whatever is injecting the process in memory isn’t detected, either normally or in a boot-time scan.

If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode, and report the findings (it should produce a log file).

SUPERantispyware On-Demand only in free version.

I don’t think it’s strange… at boot time the signatures (badly encrypted) aren’t loaded into memory, so no detection from avast.

Edited: I haven’t noticed David has already answered the same… sorry.
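An added illustration of the mechanism the thread describes (this is not code from the thread, from Avast or from any vendor): a memory-block scan matches raw byte patterns, so a second product's definition list loaded unencrypted into RAM contains the very pattern the scanner looks for, while an encoded copy of the same list does not. The signature pattern, the definition record, the process image and the XOR encoding below are all constructed for the example.

```python
from typing import Dict, List

# Constructed pattern standing in for one malware signature; not a real indicator.
SAMPLE_SIG = b"CONSTRUCTED-SAMPLE-SIGNATURE-0001"

# The memory scanner's own table: detection name -> byte pattern it searches for.
SIGNATURES: Dict[str, bytes] = {"Constructed-Sample": SAMPLE_SIG}


def scan_memory_block(block: bytes) -> List[str]:
    """Return the names of every signature that occurs verbatim in the block."""
    return [name for name, pattern in SIGNATURES.items() if pattern in block]


def xor_obfuscate(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; a stand-in for however a vendor encodes definitions in RAM."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def definition_file(encrypted: bool, key: bytes = b"\x5a\xa5\x3c") -> bytes:
    """Constructed definition record of a *second* product that knows the same sample."""
    record = b"DEF|Constructed-Sample|" + SAMPLE_SIG + b"\n"
    return xor_obfuscate(record, key) if encrypted else record


def process_image(encrypted_definitions: bool) -> bytes:
    """Constructed memory image of a process that has loaded its definition file."""
    return b"\x00" * 32 + definition_file(encrypted_definitions) + b"\x00" * 32


def detections_in_other_scanner(encrypted_definitions: bool) -> List[str]:
    """What the memory-block scan reports when aimed at the other scanner's process."""
    return scan_memory_block(process_image(encrypted_definitions))


if __name__ == "__main__":
    # Plain definitions in RAM: the pattern is found, which reads as an infection.
    print("plain:", detections_in_other_scanner(False))      # ['Constructed-Sample']
    # Encoded definitions: the raw pattern no longer occurs, so nothing is reported.
    print("encoded:", detections_in_other_scanner(True))     # []
```

The same image scanned from disk at boot time would show nothing either, since the loaded definition record only exists while the other scanner's process is running.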

It has been a couple of years since I tested this issue. Defender and Lavasoft were the two that I had tested, so if their encryption techniques have changed, I would be unaware of it. Since that time, I have not re-tested them, because leaving the box unchecked (Avast’s default setting) eliminated the problems I was having with false positives. I easily dismissed them as such since on the four machines I had been working on, other anti-malware scanners could not find anything.

If you suspect that your machine is compromised, at a very minimum, run the real time “Standard Shield” set to high. If doubt still remains after double checking with alternative scanners, test it again on another computer or (if you have the time) after doing a clean reformat.

All this depends on how seriously you are convinced (or worried).

Latest result (the avast email notification) after re-testing:

avast! [****]: File “Process 944, memory block 0x04650000, block size 262144” is infected by “Win32:Adloader-AC [trj]” virus. “Screen saver” task used
Version of current VPS file is 080419-0, 04/19/2008

This was found after checking the box “Ignore virus targeting” and running a “Quick Scan” with Windows Defender. It should also be mentioned that I have been adding “Operating memory of the computer” to the list under the screen saver setting “Areas” - “Select the areas to scan” - “Memory.”

By default “All harddisks” is the only entry in the Avast screen saver under “Select the areas to scan.”

This is enough to convince me that it is a false positive.

I’m convinced this is a false positive, from the beginning.
But, maybe, Alwil team has nothing to do with it as it could be unencrypted signatures in memory…

TECH,

I believe you misunderstand. It’s not about blaming anyone. When I say “False Positive” it only means that I’m not worried that I have the same Trojan. After all, in one sense I made it happen, sort of like an EICAR test. This test should do the same thing for anyone who is willing to take the time.

The Alwil team is doing well to have the default settings just as they are; that is why I unchecked the box again after re-testing.

Testing all things . . .