Most recent avast update, false malware alarm?

I have another machine I use with Windows XP Home SP3. Last night I scanned my computer before shutting it down and there was no threat detected. However upon turning on my machine the virus definitions updated. Then I scanned my machine and got a threat detected in memory. *PROCESS.…\explorer.exe.….…\explorer.exe. The severity is high and status is Threat: Win32:Malware-gen. I cannot delete or move to chest due to Error: The filename, directory name, or volume label syntax is incorrect (123). It is in memory so that makes sense to me.

Well, I’m not really the type to download tools or fix stuff with other programs, since that can take longer than 45 minutes. If I scan and it doesn’t get fixed I just format/reinstall. Well, I did format my entire machine and it is still there! There is no external media hooked up and I haven’t installed anything but Avast!, Trend Micro HouseCall, Zonealarm, Mozilla w/ NoScript & Adblock Plus and windows updates & SP3. So this makes me think the most recent definition causes a false alarm in explorer.exe. I used Trend Micro HouseCall per a friend’s advice (not really sure it matters) and did a full scan finding no infections/threats. This is the first time in the history of me ever owning a computer (15+ years) for the same “virus” to be present after a format.

Is anybody having the same problem or have any advice? It’s kind of starting to bug me but my process list looks fine and I haven’t installed anything. I have no clue what is going on. Thanks.

Edit:
Just for additional information, if it helps at all: I do not have resident protection running for two different AVs. Trend Micro HouseCall was downloaded after the virus was still there, i.e. after the format and scanning with avast. Also, when I do a boot time scan with the most thorough options… there is no virus/malware threat. This situation is quite strange to me.

This is most likely an unencrypted virus signature loaded into memory, and any signature based scan is going to alert on this, so technically it is not a false positive: you send the scanner off looking for virus signatures and it alerts when it finds one.

You can’t delete or move a memory location and that is why you get the message.

We need the full information on the path, as the file at the end is what loaded the unencrypted signature.
Though it is most strange that explorer.exe would load a virus signature into memory, and that is why the full path is important, as it could be a fake explorer.exe if it is not in the correct location.

Have you any other security software (anti-spyware, etc.) like windows defender, etc.?

You might want to take a look at this slightly related topic, http://forum.avast.com/index.php?topic=62582.0.
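To make the point in the two replies above concrete, here is an added example (not from the original thread or from Avast) that parses the `*PROCESS\...` style memory path into its parts and shows why a signature hit in a process's memory need not mean the file on disk is infected. The path layout (pid, process name, base address, offset, module) is assumed from the single path quoted in this thread, and the signature bytes and buffers are constructed for the demonstration.

```python
import re

# Assumed layout of an avast memory detection path, taken from the one
# example quoted in this thread:  *PROCESS\<pid>\<process>\<base>\<offset>\<module>
MEMORY_PATH_RE = re.compile(
    r"^\*PROCESS\\(?P<pid>\d+)\\(?P<process>[^\\]+)\\"
    r"(?P<base>[0-9a-fA-F]+)\\(?P<offset>[0-9a-fA-F]+)\\(?P<module>[^\\]+)$"
)


def parse_memory_path(path):
    """Split a memory detection path into pid, process, base, offset and module.

    Returns None for ordinary file paths. A leading '*' is not a legal
    filename character on Windows, which is why trying to move or delete
    such a 'file' fails with ERROR_INVALID_NAME (123).
    """
    m = MEMORY_PATH_RE.match(path)
    if not m:
        return None
    base = int(m["base"], 16)
    offset = int(m["offset"], 16)
    return {
        "pid": int(m["pid"]),
        "process": m["process"],
        "base": base,
        "offset": offset,
        "address": base + offset,  # virtual address of the flagged block
        "module": m["module"],
    }


def find_signature(buf, sig):
    """Offsets at which a plain byte signature occurs in a buffer."""
    return [i for i in range(len(buf) - len(sig) + 1) if buf[i:i + len(sig)] == sig]


def triage(disk_image, memory_image, sig):
    """Classify a hit: only the on-disk image matters for 'file infected'.

    A hit that exists only in memory is consistent with another product's
    unencrypted signature data having been mapped into the process.
    """
    on_disk = bool(find_signature(disk_image, sig))
    in_memory = bool(find_signature(memory_image, sig))
    if on_disk:
        return "file-on-disk"
    if in_memory:
        return "memory-only"
    return "clean"


# Constructed sample data: a fake signature string and two buffers.
CONSTRUCTED_SIG = b"CONSTRUCTED-SIG-PATTERN"
CLEAN_DISK_IMAGE = b"MZ\x90\x00" + b"\x00" * 64        # stand-in for explorer.exe on disk
MEMORY_WITH_SIG = b"\x00" * 32 + CONSTRUCTED_SIG + b"\x00" * 16  # mapped signature data
```

Run `triage(CLEAN_DISK_IMAGE, MEMORY_WITH_SIG, CONSTRUCTED_SIG)` to see the "memory-only" verdict that matches the situation in this thread: the file on disk is clean, the flagged bytes live only in the process's memory.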

That’s the thing though: I turned my computer off for 20 minutes, formatted it… and this is still happening. I disable all the windows stuff; I never really get much luck with it. I only have the software I listed in my first post installed. The Trend Micro Housecall was installed after the fact of the avast! reporting the malware.

I just formatted my computer and haven’t installed anything or gone anywhere except download.com to get avast!, zonealarm site for the free firewall and after the virus was still there I went to trend micro’s site. Well I did install windows updates and stuff but yeah that’s no big deal. It’s pretty strange to me… I’ve never ever had a problem like this and I’ve done the same thing everyday for … over a decade. I’ve used the same source for the device drivers and I always scan them before installing. I have no other resident protection running other than avast! and zonealarm. Zonealarm is just the basic free firewall too… nothing more. No clashing antivirus programs.

Path is *PROCESS\674\explorer.exe\1000000\ff000\explorer.exe. Nothing can be done with it after the fact according to avast!. There is that error that I posted before… Error: The filename, directory name, or volume label syntax is incorrect (123). So I don’t know what to do. I don’t even know if it’s actually a virus or anything. To me it’s just a false positive since it happened only after the virus definitions updated. I scanned the computer before I turned it off last night… no viruses. Now after the virus def. update… virus. Seems kind of suspicious to me unless I got the latest and greatest virus that remains on your computer after a format. Go me!

I read the link you posted… I don’t have two resident protections running. I ran Trend Micro HouseCall after the fact of avast! reporting the threat. Then Trend Micro finds nothing… avast! still finds it. I can turn off/uninstall Trend Micro and it says the same thing in avast! It has to be a false positive; I’m not running two scanners with resident protection. I guess I could try the Malwarebytes thing but seriously… I just formatted.

The path is a memory location; that’s why the file name, directory name, or volume label syntax is incorrect: it is looking for a physical location on the hard drive and won’t find it.

We have seen these memory detections before because security software has loaded unencrypted signatures, and they are usually able to indicate the actual process location that loaded it/them. That process has always been security related, and that is why I’m surprised that explorer.exe would be loading anything into memory.

So I don’t really know how to say why this is happening, other than to say I have just tested it by running a memory scan and I have the same result, a detection on something loaded by explorer.exe, see image. Though I set my Heuristics sensitivity to High, it is the same in Normal sensitivity.

I know for certain that my system is clean so it looks like you are in the clear too. So it looks like a false positive detection; though how to report it is the thing considering it isn’t a file that can be forwarded for analysis, but let me worry about that.

Thanks for the update. I have also tried MBAM and it detected nothing. It does look like a false positive and I am just as confused as you are. I’m unable to figure out why this is occurring. At least it’s a consistent result perhaps that will help them pinpoint it. I really appreciate you looking into it and am pleased with my first encounter with this forum. I’m glad I could point out a detection error as well to help the team that has helped me so much over the years.

Edit: That is the exact same error that I am getting. Providing it is the same Win32 Malware-gen type. I really hope we don’t have viruses! I am overly paranoid hehe :wink:

No problem, glad I could help.

Yes, it is the same detection win32:malware-gen (a generic signature), I just didn’t want to attach a large image, just enough to confirm it. Thanks for raising it and I have sent a report on it with a link to this topic, so hopefully they will be able to replicate it.

Welcome to the forums.

I have exactly the same alert of win32:malware-gen showed by my Avast antivirus with exactly the same memory location. I have spent hours trying to find out how to remove it. I have tried boot scan which showed nothing, I have tried several rootkit detectors, which do not seem to help me much. I scanned the file C:\WINDOWS\explorer.exe with Avast with no virus detected. So I terminated the explorer.exe in task manager and started C:\WINDOWS\explorer.exe as new task. Then I made the scan again and it showed the virus win32:malware-gen again.

Edited.

I believe this particular false alarm will be fixed soon.

The detection is on the memory location and not on the actual explorer.exe file (and why scans on explorer.exe will not detect anything), that is the process which loaded that particular memory block.

So as Igor mentioned hopefully this false positive on the memory block will be resolved quickly.

Thanks a lot Igor for the update. David has been really helpful. Very quick response and accurate response too!

I don’t know how this board works and I viewed the help documents. Do you both actually work for the Avast! team? I notice your member group which is why I ask. Just curious! This has been a lot of help and I’m glad there is a forum like this for such a great software package. Great all around.

Igor is one of the senior developers at Avast Software, me, I’m just another avast user like yourself ;D

The latest virus definitions update 100807-1 resolves this false positive on the memory block loaded by explorer.exe.

What a turnaround time! That’s crazy fast. Holy! I think I may just upgrade to the Pro edition because of how fast they responded to fixing a free user’s issue. Crazy! Kudos Igor. Very quick fix, pretty awesome.

Thanks for the information about the groups. It’s kind of neat seeing a senior developer post on the forums directly. Gotta love it when the designers are in the community.

Welcome to avast forums :slight_smile:

TA :). I think I’ll have to make an avatar in gimp now so I can be a smooth user here hehe.

You need to wait for your 20th post to change your avatar. Sorry, antispammers limitation :slight_smile:

It’s all good just gives me something to do. I’ll go ahead and make one. Is there a sticky anywhere on an avatar guide… like dimensions and FAQ pertaining to the subject? Like what is/isn’t allowed and such.