avastsvc.exe flagged as infected?

I may have answered my own question by poking around the forum, but I wanted to ask some more experienced users just to be sure.

I have 2 custom scans that I generally use. Both have “scan all files” checked and both scan the operating memory (the only difference is one scans all drives while the other is limited to the system drive).

After running a MBAM scan today, I ran my “all drives” custom scan and got a THREAT FOUND message with these results:

File Name: Process #### [avastsvc.exe], memory block #x#############, block size ####
Severity: High
Threat: INF:AutoRun-gen2 [Wrm]

There was no option to take any action other than closing the window.

After seeing this, I ran my “system drive only” custom scan and found nothing. I also did a boot scan which also came up with nothing.

After restarting, I tried my “all drives” custom scan again and got the same warning that avastsvc.exe was infected with the same threat. I then tried my other custom scan and also got the same warning (same memory block, block size, threat name).

I’ve run these scans a couple dozen times before today and never had this result. I looked around the forum and it seems this is some kind of issue with running a memory scan while “scan all files” is also checked. ???

I’m just wondering if this is anything I should be concerned about? I’m also wondering why this wouldn’t have happened before today? I’ve used these custom scans for close to a year and never had this happen. Was there something in the recent updates that would be causing this?

Any info and help is very much appreciated. Thanks in advance. :wink:

I just noticed Pntdexter’s thread a few posts down from mine which has a similar theme. I’m sorry if this is a question that gets asked too often, I’m just looking for clarification that this isn’t anything to worry about. Again, all input is appreciated.

This is because you have selected “scan memory” and it is detecting virus signatures loaded in memory.

I recommend using the default quick/full scan with default settings.
It is not necessary to do all these scans as you have a file shield that is constantly monitoring all file movement.

Hi, Thanks for the reply, Pondus.

That was my suspicion from seeing the other threads on similar topics. So there is no actual threat to my system and this can be treated as a FP? I don’t need to worry that it was detecting the same type of malware each time?

I’m still a little perplexed as to why this just started happening. Is it just totally random chance? ???

I’ll try to stick to the default scans, for the most part. I’m guessing that I shouldn’t enable the memory scan option if I do any more custom scans?

In what situation would you recommend that a person use the memory scan option?

Thanks again for the help.

How can it be considered an FP when it is doing what you asked it to do, look for virus signatures in memory?

That’s right, leave the memory scan alone in the custom scan as it is a deeper memory scan than that of the Quick or Full system scans.

Personally I would have to ask why the need to do a custom scan in the first place?

“In what situation would you recommend that a person use the memory scan option?”
Good question...
“Personally I would have to ask why the need to do a custom scan in the first place?”
+1

Hello again, thanks for the replies.

I guess I phrased that question poorly. What I meant to say is: “so this is avast detecting a signature and not an actual threat?”

Well, I guess I just saw that the option was available and used it without thinking too much about it. Like I said, I used these scans for a while and never had this come up. I’ll do as suggested and leave the memory scan alone in the future.

Again, I’m very sorry if this was a question that gets asked too often, but I just wanted to be certain that this wasn’t an actual infection.

Interesting… but I don’t get any such detection during a memory scan on my system, so it’s kinda hard to say what might be detected there in your case - but it doesn’t look like avast! is detecting its own signatures in memory.
Theoretically, there can be an older block of memory there, used previously to scan some files or other objects… which kept its content and now it’s being detected…
In any case, I wouldn’t worry about it, especially with this particular detection which is normally related to autorun.inf files.
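
A toy model of the stale-buffer explanation in the post above, added here as an example and not part of the original thread or of avast!'s own code. The signature bytes, the `ScannerArena` class and the block size are constructed assumptions; the model shows a released work buffer still matching during a memory scan until the block is reused or zeroed.

```python
# Constructed stand-in for an autorun.inf-style pattern; not a real avast! signature.
SIGNATURE = b"[autorun]\nopen="
BLOCK = 64  # block size of the toy arena, in bytes (assumption)


class ScannerArena:
    """Toy model of a scanner process's heap: fixed-size blocks in one bytearray."""

    def __init__(self, blocks, zero_on_free=False):
        self.mem = bytearray(blocks * BLOCK)
        self.free = list(range(blocks))
        self.zero_on_free = zero_on_free

    def alloc(self, data):
        idx = self.free.pop(0)
        start = idx * BLOCK
        self.mem[start:start + len(data)] = data  # bytes past len(data) survive
        return idx

    def release(self, idx):
        if self.zero_on_free:  # hardening option: wipe the buffer before reuse
            self.mem[idx * BLOCK:(idx + 1) * BLOCK] = bytes(BLOCK)
        self.free.insert(0, idx)  # block is reusable; content otherwise untouched


def scan_file(arena, content):
    """File scan: copy content into a work block, match, then release the block."""
    idx = arena.alloc(content[:BLOCK])
    hit = SIGNATURE in arena.mem[idx * BLOCK:(idx + 1) * BLOCK]
    arena.release(idx)
    return hit


def scan_memory(arena):
    """Memory scan: offsets of every signature match anywhere in the arena."""
    hits, pos = [], arena.mem.find(SIGNATURE)
    while pos != -1:
        hits.append(pos)
        pos = arena.mem.find(SIGNATURE, pos + 1)
    return hits


def demo(zero_on_free):
    arena = ScannerArena(blocks=4, zero_on_free=zero_on_free)
    sample = SIGNATURE + b"setup.exe\n"          # constructed file content
    file_hit = scan_file(arena, sample)          # work buffer released afterwards
    stale = scan_memory(arena)                   # leftover bytes may still match
    arena.alloc(b"unrelated data".ljust(BLOCK, b"."))  # the block gets reused
    return file_hit, stale, scan_memory(arena)
```

`demo(False)` reports the leftover match at offset 0 and then a clean scan once the block is overwritten; `demo(True)` never reports a memory hit because the buffer is zeroed on release.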

Hi igor, thank you for your reply.

The bit about the memory block holding on to its content is interesting.

Earlier today I was messing around and I created a scan that only scanned the memory. I ran it a few times and got zero threats detected each time. I ran a MBAM quick scan, followed by an avast quick scan and then tried the memory scan again. Again, I got zero threats detected.

Then I did what I normally do about twice a month, a spybot S&D scan, followed by a MBAM full scan, followed by an avast scan (in this case, the “memory only” one). The avast scan came up with the same threat detected as the times before.

Did another scan, same results (on the same memory block). This was right before I checked the forum for any new comments. After reading what you wrote, I ran the memory scan again while my browser was open and the scan came up CLEAN. I’m assuming that my browser was now occupying the memory block that the signatures used to inhabit. So your theory that the signature is stuck in one of the memory blocks makes quite a bit of sense, in my opinion (whatever that’s worth! ;))

I’ll restart, rescan, and check a couple more things to see if I can determine what program is loading those signatures into the memory.

Thanks again for the assistance.

Well, in retrospect, I think I misinterpreted what igor was trying to say. But I did a few different tests to see if I could figure out if another scanner was responsible for loading the signatures to memory or if the order of scanning was causing it.

I was unable to find a sequence of scans that consistently resulted in a THREAT DETECTED message; in fact, I was actually able to run my old SBS&D, MBAM, and avast! custom scan sequence without issue. The only consistency that occurred was that my last several scans showed absolutely nothing. :slight_smile:

I’m completely clueless as to why it stopped happening (or why it began in the first place).

At any rate, I’ve deleted all but one custom scan and unselected the memory scan option from it. On the advice given here, I’ll use the default quick and full system scans for the majority of scans in the future.

Just to clarify one last time, it should be safe to disregard the aforementioned THREAT DETECTED messages since they were only found in memory blocks during the course of a memory scan and not detected in any physical file on any HDD?

I’m also still interested in knowing the proper situation to utilize the memory scan (just for reference).

Again, thanks for the replies given here. All further input is welcome and appreciated.

Both the Quick and Full System scan also scan memory but not in the same depth/thoroughness and don’t seem to have this type of detection.

I can’t recall who it was, Igor or Vlk (avast team), who said something along the lines of: the memory scan is from the old days and if malware was already in memory it is a bit late.

Thanks for the reply, DavidR.

So I should be able to safely ignore the previous detections since they didn’t happen consistently and my quick, full system, and custom scans (minus the memory scan) all come up clean?

I’m still just a bit concerned since igor said it didn’t look like avast detecting its own signatures.

You can never ignore detection without investigation and that process has now been completed as you know why it happened and it wasn’t malicious.

The scan in effect doesn’t care whose signatures they are, I don’t even know if it is able to or even tries to determine that on a simple scan. If it did have that functionality (and there would likely be an overhead in scan duration, etc.) it should be able to come to the conclusion that there is nothing wrong.

Thanks again for replying, DavidR

OK, I just wanted to be as thorough as I could be. So it’s safe to say that my system isn’t in any danger? The detections were from signatures loaded into memory from a scanning program and not indicative of a malicious threat and refraining from memory scans should prevent this issue from coming up again.

In the future, I’ll also keep away from custom settings I don’t 100% understand.

Is there anything I’ve missed or anything that I should do further, or is it safe to call it good?

Thanks very much for helping me out.

PS - What’s a good resource for checking about what a particular virus does? I’d like to know what type of symptoms I should have looked for based on the detected threat. I looked around a bit but didn’t find anything specific about the particular detection I had.

You’re welcome.

Yes it is safe to say your system isn’t in any danger, certainly not from this.

No, nothing else to do.

I have never really found a source that is that good, as virtually every AV has its own name for viruses/malware, so searching often finds little as there are too many aliases; submission to the likes of VirusTotal will show up the additional aliases for the same malware. With 43 scanners you will see many different detections for the same file, but it will give you other malware names to google and find the info.

However, I really have never felt the need to find out what it does, just to get rid of it.

Thanks, David. I was pretty much freaking out about this for the last couple of days. I feel better knowing that this wasn’t a malicious infection.

Much appreciation to you (and the others) for helping me out here and putting up with my sub-par tech knowledge. :wink:

It’s good to know that this great software has a helpful community, too.

Thanks again for helping me out.

No problem, glad I could help.