Hello all. I apologize in advance if my format is off or I don’t present the right information, but I wanted to ask about a possible false positive my Avast has been turning up for a few weeks now. It doesn’t show up on a boot scan or a quick scan, but running a complete in-depth scan of my computer as it’s running returns the following alert every time.
There’s no option to remove, repair, move, or otherwise do anything about the infection (the button is greyed out), and after doing as much online research as I could, I can’t find a single one of the markers this worm is supposed to have. All the potential registry changes seem to be missing, and when I ran one of Kaspersky’s specialized removal tools for this worm (after scanning it and trying it sandboxed, of course), it reported it could find no instances of the worm in my computer’s registry or memory.
Simply put, every single sign I can find points to me not having this worm, yet Avast will throw the above detection every time I do a complete system scan.
I can’t seem to find a specific filename associated with the infection, though I might just be looking for it wrong. Memory scanning is enabled for my “full” scan, the one that throws the alert. However, as mentioned, Kaspersky’s specialized removal tool for this worm also scans memory and could detect no infection.
The file name (including its location) of the detection would be to the left of the ‘Severity’ field in your partial image that you posted.
In the avastUI > Maintenance > Scan Logs - select the Full scan that this was detected on and click the View results button. That will display the same information that you saw after your original scan.
There is no field to the left of the Severity field, and it’s not in my virus chest because I don’t have the option to delete, repair, or move it to chest.
Don’t use that setting, as it gives some weird scan results. Detection in memory or memory scan is this forum’s second most asked question… lots of info if you forum search.
Unless you know what you are doing, stay with default scan settings for a problem-free operation…
Though a Full System Scan on default settings (not a custom scan) shouldn’t do an in-depth memory scan, so a detection on data loaded by svchost.exe is a little strange?
It could be a loaded virus signature, but generally I would have expected that (if it was a virus signature) to be loaded by the parent process, not svchost.exe.
Detections in Memory -
Since they aren’t physical files they can’t be moved to the chest, deleted, etc. so there is no action that can be taken, hence the Apply button being greyed out.
The detections in memory are frequently other security applications loading unencrypted virus signatures into memory (which is why I’m surprised by it being attributed to svchost.exe). Having set off a scan of memory by an antivirus application looking for virus signatures, don’t be too surprised if it finds some in memory.
I know you have been asked what other security applications do you have installed, but do you have Windows Defender, as this comes pre-installed on some OSes?
Well hell, it looks like I do have Windows Defender! Now I kind of want to uninstall it…
Either way though, I’ll stop mucking around with memory scans for the time being. Thanks for the information guys! I guess my false positive was a bit of a false positive. :3
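The mechanism described in the replies above (a memory scan matching another product's plaintext definitions, with no file to act on), as an added Python example that is not part of the original thread. The signature name, pattern bytes, process names, region layout and the XOR stand-in for obfuscated definitions are all constructed for illustration and do not reflect how Avast or any other product is implemented.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed signature for the scanning product (not a real malware pattern).
SIGNATURES = {"Win32:ExampleWorm [Wrm]": b"\xde\xad\xbe\xef-EXAMPLE-WORM-MARKER"}

@dataclass
class Region:
    process: str                  # process that owns the memory region
    backing_file: Optional[str]   # mapped file, or None for private memory
    data: bytes

@dataclass
class Detection:
    name: str
    process: str
    location: str
    actions: tuple                # remediation choices a UI could offer

def xor(data: bytes, key: int = 0x5A) -> bytes:
    """Stand-in for a product that keeps its definitions obfuscated in memory."""
    return bytes(b ^ key for b in data)

def scan(regions):
    """Byte-pattern scan of memory regions; only file-backed hits are actionable."""
    hits = []
    for r in regions:
        for name, pattern in SIGNATURES.items():
            off = r.data.find(pattern)
            if off < 0:
                continue
            if r.backing_file:
                loc, actions = r.backing_file, ("repair", "chest", "delete")
            else:
                # No physical file: nothing to move or delete, so no actions.
                loc, actions = f"memory of {r.process} @+{off:#x}", ()
            hits.append(Detection(name, r.process, loc, actions))
    return hits

PATTERN = SIGNATURES["Win32:ExampleWorm [Wrm]"]
SAMPLE_REGIONS = [  # constructed sample data
    # Another product's definitions held in plaintext by a hosted service.
    Region("svchost.exe", None, b"\x00" * 64 + b"defs-v1|" + PATTERN + b"|more-defs"),
    # The same definitions kept obfuscated: no match.
    Region("otherav.exe", None, b"defs-v1|" + xor(PATTERN) + b"|more-defs"),
    Region("notepad.exe", None, b"plain heap data"),
]

if __name__ == "__main__":
    for d in scan(SAMPLE_REGIONS):
        print(d.name, "->", d.location, "| actions:", d.actions or "none")
```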