I Don't Think These Are Harmless

I, among others, have posted regarding Avast’s memory scan finding Trojans; see http://forum.avast.com/index.php?topic=79604.0;topicseen.

Well I got nailed big time yesterday. Problems started on my WIN 7 x64, Avast 6.x, MBAM Pro box right after booting and receiving the daily Avast updates. Shortly thereafter, my scheduled daily Avast 6 quick scan started. It hung shortly after starting the scan. Also could not terminate the scan. Hum … that never happened before.

Tried to access Task Manager via Ctrl-Alt-Del. I could not. I also could not start any other anti-malware software I had. Had to do a “hard” power button shutdown. Tried a couple of other re-boots with the same result. Scans in safe mode with my various anti-malware software found nothing. In frustration, I booted using the Avast Rescue CD I received recently and did a “thorough” scan of all my HDDs.

Well, guess what the Rescue CD scan found in pagefile.sys on my WIN 7 installation drive? Win32:FakeVimes-B [Trj] - the same malware Avast’s memory scan had warned me about previously and people on this forum told me to ignore. So I had the rescue CD delete that and rebooted.

Unfortunately, it did not help and I threw in the towel and did an image restore from a week-old backup I had.

Appears to me this Win32:FakeVimes-B is something that lies dormant and is then triggered to wipe out your PC.

Sorry but they are harmless as was explained in the topic and this has nothing to do with those detections.

The fact that it is the ‘same malware name’ (I rather doubt the circumstances are the same); even so, without full information on what was found you can’t make that assumption. Even then, do you realise what the pagefile.sys contains and does?

When you are running low on memory, data from memory is transferred out to the pagefile.sys file; if that data is required, it is transferred back into memory. So there is every likelihood that if there were unencrypted virus signatures in memory, those too could be swapped out to the pagefile.sys.

I do not know Win7 but Vista deletes the pagefile on shutdown and recreates it from new on boot.
This is a security feature.
Unless you have changed the settings of the size etc. yourself.
So unless you have changed the pagefile setting, then how, after a reboot, could there be anything in the pagefile?

Whatever happened wasn’t harmless. It trashed my OS installation!

Here’s more info based on further research. When the initial Avast quick scan hung, it was scanning, or at least this is the file shown being scanned,

%APPDAT%…\Start Menu\Programs\explorer.lnk.

According to the MS Security Essentials encyclopedia, FakeVimes creates entries under some .lnk name.

Guess what is running under explorer.exe? Comodo’s Cmdagent.exe! Sorry, but I am seeing a pattern here that Comodo and Avast have co-resident problems and it appears those problems might have escalated to the point of causing irreversible damage.

I do not know Win7 but Vista deletes the pagefile on shutdown and recreates it from new on boot.

To my knowledge, by default pagefile.sys is not deleted at system shutdown in XP, Vista, and 7. There are Group Policy and manual registry key modifications that can be done to permit the pagefile to be deleted at system shutdown time.

My bad.
It must be age - I can’t remember changing Memory Management.

I didn’t say that, I said it is totally unrelated to your other avast detections on unencrypted signatures found in memory. If it were, then I guess your system would have had this problem from 9 June.

Well the last file displayed in the UI isn’t necessarily the file that is actually being scanned, but the last file which has been scanned and the path written to the UI.

Whilst that may well be correct, explorer.lnk is hardly a rogue, and again that has nothing to do with either comodo defence+, cmdagent.exe or avast?

Guess what, there are hundreds of applications and processes that run under explorer.exe.

Sorry but I’m not seeing a pattern at all, if you didn’t install the Comodo AV then there shouldn’t be any co-resident/conflict problems as it would be the defence+ element that is loading those signatures into memory.

If it truly were an issue of co-resident/conflict problems between comodo defence+ and avast then these forums would be alight as the comodo firewall with defence + must be one of the most commonly used firewalls.

Sorry but this is something else, as painful as this current issue is it’s unrelated to your previous issue 3 weeks ago.

Sorry but I’m not seeing a pattern at all, if you didn’t install the Comodo AV then there shouldn’t be any co-resident/conflict problems as it would be the defence+ element that is loading those signatures into memory.

Neither Comodo AV nor any other AV was ever installed on this installation; only Avast 6.x. Only Comodo firewall and Defense+ plus MBAM Pro installed with recommended exceptions applied. I did change my Defense+ configuration to Proactive about a week ago. I was definitely running Proactive for at least a week prior to this problem.

At this point, all I can say definitively is something with Avast’s virus definition update yesterday trashed my PC. I had no problems prior to yesterday. Additionally, after I had restored my system and Avast had auto-downloaded all available updates, I was still getting messages from WIN 7 Security Center that my definitions were not up to date when in fact they were. Rebooting again fixed that … at least yesterday it was fixed; I haven’t logged on that PC yet today.

As I said, the defence+ under the control of cmdagent.exe is what is loading the unencrypted signatures, which aren’t an issue. So it wouldn’t be involved in your current issue.

I really have no idea where you are getting all these assumptions from:

At this point, all I can say definitively is something with Avast's virus definition update yesterday trashed my PC. I had no problems prior to yesterday.

I don’t know how anything can be definite based on what you have said. Since avast usually updates the signatures twice a day, that is certainly going to coincide with any problem that all of a sudden starts; what it doesn’t do is prove that that was the problem.

I have MBAM Pro that updates several times a day; if I happen to have a problem on my system today that doesn’t mean it is MBAM’s fault, and the same is true with avast updates. I dare say that defence+ under the control of cmdagent.exe may well be getting signature updates too.

I don’t know how anything can be definite based on what you have said. Since avast usually updates the signatures twice a day, that is certainly going to coincide with any problem that all of a sudden starts; what it doesn’t do is prove that that was the problem.

I have MBAM Pro that updates several times a day; if I happen to have a problem on my system today that doesn’t mean it is MBAM’s fault, and the same is true with avast updates. I dare say that defence+ under the control of cmdagent.exe may well be getting signature updates too.

Agreed. I cannot definitively say Avast was the problem in this episode. However, my system was perfectly fine the prior evening when I shut it down. When I booted up the next day, when the problems occurred, the only activity that had occurred was the Avast def. update and the quick scan that hung. There was one other thing I was doing at the time. I had opened a command prompt window and had issued an ipconfig /all command at the time the Avast quick scan started. Really can’t see how that could hang the quick scan. I had not yet connected to the Net via IE8.