I need some help. I use the latest version of Avast! Home (Free) Edition, with the latest updates. I also use the Avast! virus scanner during screen saver mode with advanced settings, as well as memory scanning. So I left it on to scan, and I ran some errands. When I got back, the screen saver scan informed me that there is a virus in my process memory. It gave me the option to scan before boot, which I did, and it found nothing. I proceeded to scan in safe mode, and it found nothing again. I’ve also run a spyware scan using Spybot, and it found nothing. Is this a false positive? Or should I be worried? The infected computer is currently offline, as I don’t want the risk of spreading the infection. I’m running Windows XP Pro SP2 with the latest updates.
The problem is that there is no reference to a file on your HDD that you can upload to confirm or deny the detection, as it is in memory. What is Process 2668 in the Windows Task Manager (Processes tab, PID column)?
Unfortunately, Process IDs may change from boot to boot. After your system boots, does avast find an infection in the memory?
There is a possibility that there is something on your system that is undetected or hidden that may be responsible for the memory injection.
If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode.
Thank you for the advice. Avast! doesn’t detect anything on startup. I tried what you suggested with the “PID” setting and it looks like it’s detecting “sp_cla~1.exe”, which is the WinClamAV that I opted to install integrated with Spyware Terminator. To make sure, I restarted a few times, and the same application would be detected. I tried a scan when I disabled the ClamAV within Spyware Terminator and ran the screen saver scan, and it seems okay, nothing detected. I also tried disabling Spyware Terminator altogether, and it seems alright too. I suppose it was just two anti-virus applications conflicting with each other, which is kind of surprising because ClamAV is just integrated within Spyware Terminator and not a full-blown AV.
Personally I wouldn’t load the ClamAV with ST, as even though some say it is on-demand only, there is some sort of integration (a service running), and the activity you mention clearly shows that, and it isn’t recommended to have two resident AVs installed.
It may well be that what was detected was a virus signature file being opened in memory which isn’t encrypted. Some AVs do this because accessing memory is quicker than accessing the HDD. Though signature files really should be encrypted as other AVs will detect the signature/s.
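The effect described in the reply above, as an added example that is not part of the original thread: a toy memory scanner flags a second scanner's process because its definitions sit in memory as plain bytes, and stops flagging it once the same definitions are held encoded. The byte patterns, the flat database layout and the single-byte XOR key are constructed assumptions and do not reflect how avast or ClamAV actually store definitions.

```python
# Constructed byte patterns standing in for virus signatures (not real definitions).
SIGNATURES = {
    "Demo-Sig-A": bytes.fromhex("deadbeef4d5a9000aa55"),
    "Demo-Sig-B": b"\x13\x37CONSTRUCTED-PATTERN\x00\xff",
}
XOR_KEY = 0x5A  # hypothetical single-byte key, for illustration only


def scan_memory(image: bytes, signatures: dict) -> list:
    """Return (name, offset) for every signature occurrence in a memory image."""
    hits = []
    for name, pattern in signatures.items():
        offset = image.find(pattern)
        while offset != -1:
            hits.append((name, offset))
            offset = image.find(pattern, offset + 1)
    return sorted(hits, key=lambda h: h[1])


def xor_bytes(data: bytes, key: int = XOR_KEY) -> bytes:
    """Encode or decode a buffer (XOR is its own inverse)."""
    return bytes(b ^ key for b in data)


def build_definitions_blob(signatures: dict) -> bytes:
    """Flat definitions database: length-prefixed name, length-prefixed pattern."""
    blob = bytearray()
    for name, pattern in signatures.items():
        encoded_name = name.encode()
        blob += bytes([len(encoded_name)]) + encoded_name
        blob += bytes([len(pattern)]) + pattern
    return bytes(blob)


def process_image(definitions: bytes) -> bytes:
    """Constructed memory image of the second scanner: padding around its loaded definitions."""
    return b"\x00" * 64 + definitions + b"\x00" * 64


plain_db = build_definitions_blob(SIGNATURES)
plain_image = process_image(plain_db)              # definitions held in the clear
encoded_image = process_image(xor_bytes(plain_db)) # same definitions, encoded in memory

if __name__ == "__main__":
    print("plaintext definitions in memory:", scan_memory(plain_image, SIGNATURES))
    print("encoded definitions in memory:  ", scan_memory(encoded_image, SIGNATURES))
```

Both hits in the plaintext image fall inside the other scanner's definitions data, with no file on disk to point at, which matches a detection that appears only in a memory scan.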
Before upgrading to ST 2.0, I used the previous version of ST with WinClam installed as an on-demand scanner. I also ran avast in screensaver mode at least once a week. Never has avast picked up parts of ST-ClamAV during these screensaver scans. More likely, there is a Tic-93 dropper virus present. But I could be wrong.
I am, as I write this, downloading WinClamAV into ST and will test this by leaving my computer running overnight so that the screensaver & avast will activate. It is a long download on dial-up. We will see what happens by morning (east coast of USA).