Potential false positive in Avast Free?

Hello all. I apologize in advance if my format is off or I don't present the right information, but I wanted to ask about a possible false positive my Avast has been turning up for a few weeks now. It doesn't show up on a boot scan or a quick scan, but running a complete in-depth scan of my computer as it's running returns the following alert every time.

http://i.imgur.com/dg3tgbg.png

There's no option to remove, repair, move, or otherwise do anything about the infection (the button is greyed out), and after doing as much online research as I could, I can't find a single one of the markers this worm is supposed to have. All the potential registry changes seem to be missing, and when I ran one of Kaspersky's specialized removal tools for this worm (after scanning it and trying it sandboxed, of course), it reported it could find no instances of the worm in my computer's registry or memory.

Simply put, every single sign I can find points to me not having this worm, yet Avast will throw the above detection every time I do a complete system scan.

Hello and welcome to the Forum! :slight_smile:

Could you please post a screenshot with the filename of the detection?
Have you enabled scanning memory in your scan settings?

DJBone

I can’t seem to find a specific filename associated with the infection, though I might just be looking for it wrong. Memory scanning is enabled for my “full” scan, the one that throws the alert. However, as mentioned, Kaspersky’s specialized removal tool for this worm also scans memory and could detect no infection.

Do you have any other security program installed?

DJBone

None at all. I used to have AVG, but I did a complete uninstall when I switched over to Avast.

It seems to be a false positive while scanning the memory.

DJBone

  1. You can upload the file to VirusTotal for further testing: https://www.virustotal.com/en/
  2. Once in the virus chest, right-click and select from the drop-down menu.
  3. Report the false positive here: http://www.avast.com/contact-form.php :slight_smile:

The file name (including its location) of the detection would be to the left of the ‘Severity’ field in your partial image that you posted.

In the avastUI > Maintenance > Scan Logs - select the Full scan that this was detected on and click the View results button. That will display the same information that you saw after your original scan.

There is no field to the left of the Severity field, and it’s not in my virus chest because I don’t have the option to delete, repair, or move it to chest.

There should be a file name to the left; see the link to an example below.

See the screenshot posted here: http://forum.avast.com/index.php?topic=120537.msg923610#msg923610

Oooh, yup. My bad.

http://i.imgur.com/hoAEcuV.png

And that shows why the button is grey: a detection in memory is not a physical file, so it can't be deleted or moved.

Have you changed the default scan settings and selected scan memory?

Yes, I have.

Don't use that setting, as it gives some weird scan results.
Detection in memory (or memory scan) is this forum's second most asked question; there is lots of info if
you search the forum.

Unless you know what you are doing, stay with the default scan settings for problem-free operation.

This confirms a detection in memory.

Though a Full System Scan on default settings (not a custom scan) shouldn't do an in-depth memory scan, so a detection on data loaded by svchost.exe is a little strange?

It could be a loaded virus signature, but generally I would have expected that (if it was a virus signature) to be loaded by the parent process, not svchost.exe.

Detections in Memory -
Since they aren’t physical files they can’t be moved to the chest, deleted, etc. so there is no action that can be taken, hence the Apply button being greyed out.

The detections in memory are frequently other security applications loading unencrypted virus signatures into memory (which is why I'm surprised by it being attributed to svchost.exe). Having set off a scan of memory by an antivirus application looking for virus signatures, don't be too surprised if it finds some in memory.

I know you have been asked what other security applications you have installed, but do you have Windows Defender, as this comes pre-installed on some OSes?
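The question above (which security products are actually present, and whether Windows Defender is loaded) can be answered without guessing. The following is an added example and is not from the thread or from Avast; it assumes a Windows host with PowerShell 2.0 or later, that the Security Center WMI class AntiVirusProduct lives in root/SecurityCenter2 (Vista and later) or root/SecurityCenter (XP), and that Windows Defender's engine runs as the WinDefend service with the process MsMpEng.exe. Run it in an elevated PowerShell prompt.

```powershell
# Added example (not from the forum thread): list the anti-virus products
# registered with Windows Security Center, then check whether the Windows
# Defender engine is installed and resident in memory. These are the things
# a second scanner would be reacting to when it "finds" signatures in RAM.

function Get-RegisteredAntiVirus {
    # Vista and later register products under root/SecurityCenter2; XP used
    # root/SecurityCenter with the same class name. Try both, first hit wins.
    $namespaces = @('root/SecurityCenter2', 'root/SecurityCenter')
    foreach ($ns in $namespaces) {
        try {
            $products = Get-WmiObject -Namespace $ns -Class AntiVirusProduct -ErrorAction Stop
        } catch {
            # Namespace does not exist on this OS (or WMI is unavailable); try the next one.
            continue
        }
        if ($products) {
            # productState is a vendor-reported bit field; shown as hex so two
            # registered products (e.g. Avast plus Defender) stand out side by side.
            return $products | Select-Object `
                @{ Name = 'Namespace';    Expression = { $ns } },
                @{ Name = 'Product';      Expression = { $_.displayName } },
                @{ Name = 'ProductState'; Expression = { '0x{0:X6}' -f [int]$_.productState } },
                @{ Name = 'Executable';   Expression = { $_.pathToSignedProductExe } }
        }
    }
    # Nothing registered (or Security Center not present on this edition).
    return @()
}

function Get-DefenderState {
    # WinDefend is the Windows Defender service name; MsMpEng.exe is its engine.
    # Both names are assumed here from Defender's published service/process names.
    $svc  = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    $proc = Get-Process -Name MsMpEng  -ErrorAction SilentlyContinue

    if ($svc)  { $status = $svc.Status.ToString() } else { $status = 'NotInstalled' }
    if ($proc) { $enginePid = $proc.Id }             else { $enginePid = $null }

    New-Object PSObject -Property @{
        ServicePresent = [bool]$svc
        ServiceStatus  = $status
        EngineRunning  = [bool]$proc   # engine process (and its loaded signatures) is in memory
        EnginePid      = $enginePid
    }
}

'== Anti-virus products registered with Security Center =='
Get-RegisteredAntiVirus | Format-Table -AutoSize

'== Windows Defender engine =='
Get-DefenderState | Format-List ServicePresent, ServiceStatus, EngineRunning, EnginePid
```

If the first table lists more than one product, or EngineRunning is True while you believed only Avast was installed, that second engine's signature data is the most likely source of an in-memory "detection" with no file behind it. Disable (or on XP, uninstall) the extra product before rerunning a memory scan, rather than treating the alert as malware.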

Well hell, it looks like I do have Windows Defender! Now I kind of want to uninstall it…

Either way though, I’ll stop mucking around with memory scans for the time being. Thanks for the information guys! I guess my false positive was a bit of a false positive. :3

You can’t uninstall Windows Defender, only deactivate.

DJBone

You can in WinXP.

You’re welcome.

Well, MS try to sneak this (Windows Defender (WD)) in under the radar with some OS installs.

As mentioned it is best disabled or uninstalled, depending on your OS, which is why I asked about OS as well.

It isn’t really a false positive as I said:

Having set off a scan of memory by an antivirus application looking for virus signatures, don't be too surprised if it finds some in memory