Like the subject says, I have a problem. The problem is that I have been having trouble scanning the DDR memory of my computer, because every time I start the scan and it comes to the memory, the whole computer hangs totally. The thing now is that I ran Avast today again and it hung itself again, but after I had restarted the computer and went to check the scan logs I found that all of my processes which are active after I have started the computer were infected with the Win32:Kryptik-EWK [Trj] virus. Is this a false positive or is it a real virus? Because it's only in one memory block and only found in the memory and not in any file, yet it says it's kernel32.dll which is infected :(. Please help, I don't want to need to install Windows again if it's not needed :(.
So is this a bug in Avast or is it a virus? Well, yea, I picked "scan memory" in Avast.
The strange thing is that it has never happened with previous versions (I have been using Avast since v4.8 Pro).
Oh well, I didn't have much on the main hard drive anyway, and SUPERAntiSpyware found a trojan downloader, so I think it's safer to do a clean format and clean Windows install again :). I had mostly only games on the main hard drive.
Sorry, I haven't checked other cases yet, but when I ran the Avast full scan on my mini PC it didn't find any of the stuff like on my main rig. And this has never happened with the Avast 5 and 6 versions.
And sorry to disappoint ya, but well, I know the result of doing a full scan, and well, I have changed the default settings before too. But now it found like 37 viruses only in the memory before the computer hung itself.
I'm gonna do a full scan without the memory scan and see if it finds anything on the hard drives.
And if it doesn't, it's probably a false positive. And btw SAS didn't find any of those trojans, but it did find 3 other ones, but none in the memory, only on the hard drive.
If it does and it can't repair or anything like that, then it's easiest to do a clean Windows install again.
Well, sure it's important to have the memory scan, but if it's a bug or false positive, or if the computer crashes, then it's best to not scan the memory in order to see if there are any viruses or trojans on the hard drive.
There are three levels of memory scan, and the one that causes all of this grief is when a user creates a custom scan and chooses memory; it is the most thorough/sensitive. So my guess is the OP is running a custom scan with the memory scan option.
Memory scans are a throwback from long ago; as has been mentioned, if a malware/virus is in memory, you are too late. The idea is to catch the malware before it loads stuff into memory.
I just ran a full scan without the memory option and there were absolutely no viruses on my 2 hard drives.
After that I ran a custom memory scan 2 times and it didn't find the kernel32.dll trojans which I found before, but it did find a few; but they are from known programs (cmdagent.exe and superantispyware.exe), so it's clean.
SUPERAntiSpyware didn't find any trojans in the memory but did find 3 on the hard drive, which were completely quarantined :).
Was this after all just a catch of false positives from the custom scan, or what :-?
EDIT: I forgot to mention that I haven't got any issues or slowdowns on my computer, except the Avast custom scan crash when the whole computer and memory are selected to be scanned in the scan settings.
Not a false positive:
The detections in memory are frequently other security applications loading unencrypted virus signatures into memory. Having set off a scan of memory by an antivirus application looking for virus signatures, don’t be too surprised if it finds some in memory.
It isn’t alerting on either cmdagent.exe or superantispyware.exe, but the signatures that those processes loaded into memory.
So is there anything in my computer? Because it doesn't say that there is anything in the memory with the custom memory scan. And I don't get it: why does my computer hang itself when scanning with the memory selected in a total custom system scan with everything else selected, but when I only scan the memory it doesn't hang itself?
Which memory scan is the most sensitive? Because it hasn't found anything since I quarantined the trojans with SUPERAntiSpyware.
EDIT: the strange thing was that every one of the 36 trojans the memory scan found was in the same memory block and had the same block size, and all were only processes that were running + they had kernel32.dll in the name too. But when I scanned with the special memory scan it didn't find anything.
I don’t know, or rather I can’t answer that as there is insufficient information in this topic to do so.
But the detections in memory related to cmdagent.exe or superantispyware.exe loading unencrypted signatures. I can’t see how you can possibly have sent these to quarantine, as it is impossible if they are memory blocks. Now perhaps you can see why I said there is insufficient information to say.
We need the file name, location and malware name of detections.
If that is a memory detection you can’t give that, as it is reported as Process: (responsible for the loading), Memory Block and Malware name; because it isn’t a physical file it can’t be sent to the chest.
The Quick and Full System scans are more than adequate (they both scan memory but at a lower sensitivity avoiding this type of detection), so I’m not entirely sure why you feel the need for the custom scan and the memory scan (if selected) is the most sensitive/thorough.
Some security applications run at a low level; it is how they catch things before they can execute, so it may not be unusual to have something run at kernel level. But again, without full information all of this is supposition.
The names for the processes are many, but all are in the memory block 0x0000000075FE0000 with the name (kernel32.dll). Threat: Win32:Kryptik-EWK [Trj]
But none of these have shown up at all since I quarantined a few other trojans with SUPERAntiSpyware. And now, today, nothing at all has shown up in any scan I run.
I didn't quarantine cmdagent.exe or superantispyware.exe because they were in the memory, but I assume they are safe even if they show up on the memory scan,
because they are both from security-related programs.
Am I supposed to upload a support package to you at Avast? Because there is the option to create a support package with logs, memory dumps and basic information.
As I said it is impossible to quarantine a memory detection as it isn’t a physical file. The named file/process isn’t what is being detected but what was responsible for loading whatever is detected in that memory block.
The support package would normally be used when there was a crash or problem with avast, etc. and would normally be asked for rather than sent and not in relation to something like this as the information it is gathering wouldn’t relate to detections (it is more debug data for the developers).
Oh man, I am saying that I haven't quarantined the trojans the Avast memory scan found, but 2 Trojan.Agent/Gen-Downloader and 1 Trojan.Agent/Gen-Koobface with SUPERAntiSpyware.
But the trojans which showed up in the Avast memory scan haven't shown up today, only yesterday, and every security program (Avast, SUPERAntiSpyware etc.) says my computer is clean.
The programs it said to have loaded the trojan were like: ASUS AI Suite 2, Razer driver programs and Creative audio programs etc. There are too many to tell, but none that were infected when downloaded and installed. But the programs that it detected to have loaded the file into my system don't show up on today's memory virus scan, or even show as a virus in the hard drive scan.
Can a trojan infect the Windows kernel32.dll file? Because that is the file that showed up inside () when I checked the scan log file after the scan crashed my computer.
OK, so I'm not gonna send a support package? Thanks for the help.
I’m sorry, I simply can’t answer your questions without supporting information. If you were able to send them to the chest (then they weren’t memory detections), the information on the detection would be in the chest: file name, original location and malware name.
I don’t know what you mean by "showed up between the ()". If it relates to the memory detection, you still haven’t grasped the way detections in memory are reported: it always lists the process responsible for loading that memory block; it isn’t an indication that that file is infected. If it were infected then the File System Shield would alert on it.
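Since the thread turns on whether a memory-block detection (one block, 0x0000000075FE0000, tagged kernel32.dll, reported against every running process) says anything about the file on disk, here is an added example of the check a practitioner would run before reinstalling. It is not Avast's code and not from any post in this thread. It assumes the block address from the thread, that PowerShell is run elevated so every process can be opened, and that its bitness matches the processes of interest (a 32-bit block such as 0x75FE0000 belongs to WOW64 processes on a 64-bit OS). It maps the reported address to the module mapped there in each process and then verifies the signature and hash of each distinct backing file, which is what would actually have to be tampered with for the on-disk kernel32.dll to be "infected".

```powershell
# Added example, not Avast's code: resolve a memory-scan block address to the
# module loaded at that address in each running process, then verify the file
# backing that mapping. Assumption: the address below is the block reported in
# the thread; run elevated, from a PowerShell whose bitness matches the targets.
$BlockAddress = [Int64]0x75FE0000

$Mappings = foreach ($p in Get-Process) {
    # Protected processes and bitness mismatches throw on .Modules; skip them.
    try { $mods = $p.Modules } catch { continue }
    foreach ($m in $mods) {
        $base = $m.BaseAddress.ToInt64()
        $end  = $base + $m.ModuleMemorySize
        if ($BlockAddress -ge $base -and $BlockAddress -lt $end) {
            [pscustomobject]@{
                Process = $p.ProcessName
                PID     = $p.Id
                Module  = $m.ModuleName
                Base    = ('0x{0:X16}' -f $base)
                Path    = $m.FileName
            }
        }
    }
}

# One row per process: the same system DLL normally shares one base in every
# process for the lifetime of a boot, so a hit in every process at one block
# is consistent with a single shared mapping, not with each process being infected.
$Mappings | Sort-Object Process | Format-Table -AutoSize

# A memory detection has no file to quarantine; what can be checked is the file
# each mapping is backed by. Verify signature status and record its SHA-256.
$Mappings | Select-Object -ExpandProperty Path -Unique | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_
    [pscustomobject]@{
        Path      = $_
        Signature = $sig.Status          # expect 'Valid' for an untouched OS DLL
        Signer    = $sig.SignerCertificate.Subject
        SHA256    = (Get-FileHash -Path $_ -Algorithm SHA256).Hash
    }
} | Format-List
```

Caveat: Windows system DLLs are catalog-signed rather than carrying an embedded signature, and older Windows versions report them as `NotSigned` from `Get-AuthenticodeSignature` even when they are intact. If that happens, check the file through the OS's own integrity mechanism instead, for example `sfc /verifyfile=C:\Windows\System32\kernel32.dll` (and the SysWOW64 copy on a 64-bit OS), and compare the recorded SHA-256 against a known-good copy from installation media or another machine on the same patch level. If the mapping resolves to kernel32.dll and the backing file verifies, the memory hit was not evidence of an infected kernel32.dll on disk, which is the point the reply above makes about how these detections are reported.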
Here's a screenshot of the problem; hope ImageShack is OK for posting pictures, I didn't find how to attach a picture in the forum, but this is the scan result.
All of these which are shown in the scan log don't show up anymore, no matter how many times I do a memory scan.
In the reply window, there is a cunningly disguised ‘Attachments and other options’ click that and it expands to allow image and certain file attachments.
Unfortunately many people can’t view imageshack.us, as they block many domains/locations, and you also can’t expand the image, so it can’t be viewed at full size.
Though the text is just about readable. The problem being, I have never seen the memory block detections laid out in this way: the responsible process is at the start in [square brackets], then the memory block, but I haven’t seen a reference to (kernel32.dll) at the end.