I have a daily scan scheduled, which runs every second day at 10.30pm. I just checked my logs, and I see that for the last several scans there is a virus found in memory, and it looks like this (I wish cut/paste was available):
I suppose the ctfmon.exe file is clean… Did you test with www.virustotal.com?
Seems like a false positive, but, anyway, it’s strange that it is only detected in memory… Strange for me, not an expert.
I think uploading the ctfmon.exe to VT or any other multi-engine scanner is likely to be pointless, as it isn’t actually a detection on ctfmon.exe, but on data in a block of memory loaded by ctfmon.exe.
So my only assumption is that your daily scan is a custom scan that also includes a memory scan?
That memory scan in your Custom scan is, I assume, more in-depth than the Quick or Full System Scans. So essentially they are different scans.
Well, it doesn’t really make sense. The daily scan includes “operating memory”, but the full system scan includes “modules loaded into memory”, although in the settings it only says “quick startup memory”. Why wouldn’t the full system scan include memory? And one would think, as it says, the full system scan “performs an in-depth scan, thorough but slow”, so the full scan would be the most complete, no?
Really wish they would use the same terms if they mean the same thing.
I still don’t know if this is a bug or a problem or what? Every time I run a scan it says I have a virus. Not too encouraging in allowing me to trust the process.
If you do not want to reboot, or already have since detecting the virus and/or it remains after the reboot, you could try downloading and running in batch mode ESET Online Scanner and Dr. Web. Just make sure that if you use Dr. Web, when you run the executable (which will put your computer in protected mode), you do not install the trial version when given the option. You will get one spam popup while it is running; just click the X on the popup and it will close.
I have found that sometimes ESET and/or Dr. Web will find some bad stuff that slips by AIS; however, from what I understand AIS is a better product, so I stick with AIS. After all, nothing is perfect, and I am very happy with AIS. Running ESET Online Scanner and Dr. Web in batch mode will not mess up AIS. If you run ESET Online Scanner it will prompt you to uninstall it when done. I don’t uninstall it and have not experienced any conflict so far by leaving it.
I would run ESET Online Scanner first, since it does not tie up your computer and does not put much of a drag on system resources. If ESET Online Scanner (which is accessible on their website, in small print at the bottom of their main webpage) does not find and remove the virus, then I would try Dr. Web, because Dr. Web running in protected mode locks you out of using your computer.
The default scan in Dr. Web is a quick scan and it finishes pretty quickly. If the Dr. Web quick scan or ESET don’t find anything, then make sure you run a Dr. Web complete scan. I suggest running this last because their complete scan can literally take hours, depending on your computer hardware, and locks you out of using your computer during the scan since Dr. Web puts your computer in a protected mode. However, if you are running any P2P programs while Dr. Web is running, my experience has been that they will continue to run fine but not show any updates to the file transfers until after the computer is out of the protected mode.
@ frankey999
I still don’t know what scan you are doing. I asked that question in Reply #6, and without details of the scan you are doing I can’t even hazard a guess.
A daily scan only implies that you ran a scheduled scan, and not what the scan or its settings were.
My daily scan is:
system drive
memory
auto-start programs
interactive selection (btw what exactly is this?)
Which settings do you need to know?
It’s the memory scan that seems to be the problem, since the scan logs show a process in a memory block.
Every daily scan has this result, whereas the system scan and the quick scan do not.
It doesn’t seem to matter if I re-boot or not, I still get the same log entry.
I would disable the memory scan.
The ctfmon.exe application is used by several different functions, so it would be hard to say which of those might have ctfmon.exe load something into memory. The process ID is likely to change on each boot at the very least; it depends on when it is loaded.
Personally, with a resident on-access antivirus, the need to do on-demand scans of old is reduced, and once a day might be considered over the top.
The team at avast have designed the pre-defined scans (Quick & Full System Scans) so that they scan the most important areas and files, those that present an immediate risk or are targets of malware, etc. This provides a good balance between performance and protection.
By going any deeper than this you are going to be scanning files that are either dormant or inert, so there is little benefit in actually doing that.
I run a weekly scheduled Quick scan on the default settings and a monthly Full System Scan (1st day of the month) and haven’t felt the need to dig deeper.
Thanks for your information. Good to know, and I’ll likely reduce the scan frequency and use your recommendations.
Sorry to seem stubborn, but you haven’t answered my questions.
If the daily scan and the full scan and the quick scan are all scanning memory, why is it that only the daily scan is picking up a virus? And not just once, but every time. Is this a bug or false positive? Do I have a virus?
You’ve left me hanging. By saying I should ignore it you imply it’s nothing to worry about, so should I report it as a false positive?
I haven’t answered it as I simply can’t answer it; I have no way of knowing what is loaded into memory.
They are scanning at different levels. Note the difference in the custom scan (I hate the term daily scan, as it says nothing about it): it has three different memory scan options, Memory (which was one of your settings in the Custom scan), auto-start programs and auto-start programs (all users). The other scans don’t have that; the Quick scan has an Auto-start programs memory check, and the Full System scan has a QuickStartUpMem check.
So if, as I suspect, ctfmon.exe isn’t a startup program, then that wouldn’t be checked in these scans.
How is it possible to report it as a false positive? I know of no way, as it isn’t a physical file.
Here is the link to virustotal. I just noticed the comments in virustotal from 5 days ago:
“Added to %user% startup when machine infected with Bredolab bot virus.” and someone else also mentions avast catches it in a memory scan.
ctfmon.exe is a file in windows/system32, so I’m not sure what you mean by “it’s not a physical file”?
I guess what you’re saying is all 3 scans mentioned check memory in different ways? If that’s true, and the user’s comment is correct, then it seems it might be good to run all 3 scans, since only the custom scan caught it?
It isn’t alerting on ctfmon.exe, which would be why a) avast didn’t alert on the file in its original windows/system32 location and b) a VT scan should come up clean. For some reason the VT link you gave doesn’t work.
This detection is on a memory block that the ctfmon.exe process loaded into memory; that is a memory block and isn’t a physical file.
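An added example, not from the thread and not avast’s code, to illustrate the two points raised above: DavidR’s explanation that the detection is on a memory block loaded by the ctfmon.exe process rather than on the file in windows/system32, and the VirusTotal user comment about a copy added to a user’s startup. The snippet assumes a stock Windows install where ctfmon.exe lives in System32 and PowerShell 5.1 or later; nothing about a particular infection is assumed. It shows what a file scan (or VirusTotal) gets to look at, the hash and signature of the on-disk file, next to what a memory scan gets to look at, the modules the live process has mapped, and then lists startup entries that reference ctfmon, since a rogue copy launched from a user profile would appear there and not in System32.

```powershell
# Added example (not from the forum thread or from avast).
# Assumes a stock Windows install: ctfmon.exe under System32, PowerShell 5.1+.

$sysFile = Join-Path $env:SystemRoot 'System32\ctfmon.exe'

# 1. The file a scanner or VirusTotal would see: SHA256 hash and Authenticode status.
#    Many Windows system binaries are catalog-signed rather than embedded-signed, so
#    'NotSigned' on an older PowerShell is a caveat, not proof of tampering by itself.
$hash = (Get-FileHash -Path $sysFile -Algorithm SHA256).Hash
$sig  = Get-AuthenticodeSignature -FilePath $sysFile
"On-disk file : $sysFile"
"SHA256       : $hash"
"Signature    : $($sig.Status) ($($sig.SignerCertificate.Subject))"

# 2. What the running process has mapped: every loaded module with its backing file.
#    A detection on a bare memory block has no backing file here, which is why there
#    is nothing to upload to a multi-engine scanner.
$procs = Get-Process -Name ctfmon -ErrorAction SilentlyContinue
if (-not $procs) { 'ctfmon.exe is not running.' }
foreach ($p in $procs) {
    "`nPID $($p.Id) image: $($p.Path)"
    try {
        foreach ($m in $p.Modules) {
            $mSig = Get-AuthenticodeSignature -FilePath $m.FileName -ErrorAction SilentlyContinue
            $flag = if ($mSig -and $mSig.Status -ne 'Valid') { '  <-- not validly signed' } else { '' }
            '{0,-28} {1}{2}' -f $m.ModuleName, $m.FileName, $flag
        }
    } catch {
        "  Could not enumerate modules for PID $($p.Id): $($_.Exception.Message)"
    }
}

# 3. Startup persistence: a copy of ctfmon.exe registered to start from a user
#    profile (as the VirusTotal comment describes) would show up in these places.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match 'ctfmon' } |
        ForEach-Object { 'Run entry {0}\{1} = {2}' -f $key, $_.Name, $_.Value }
}
$startupDir = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'
Get-ChildItem -Path $startupDir -Filter '*ctfmon*' -ErrorAction SilentlyContinue |
    ForEach-Object { "Startup folder item: $($_.FullName)" }
```

Run it from a normal (non-elevated) PowerShell session as the user whose scan logged the detection; ctfmon.exe runs in the user’s session, so its modules are readable without elevation. Any module whose path is outside the Windows directory, or any Run entry pointing a ctfmon.exe somewhere other than System32, is what to take to the AV vendor, since those are files that can actually be submitted.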
@Tech
As I mentioned in my post, it happens every time. Do you have any comment about the virustotal user comments? You did ask for a link to VT.
@DavidR
Perhaps you could try the link again? It works for me. You responded to my first question, perhaps you missed the second:
“I guess what you’re saying is all 3 scans mentioned check memory in different ways? If that’s true, and the user’s comment is correct, then it seems it might be good to run all 3 scans, since only the custom scan caught it?”
Anyone in this forum able to respond and answer the question?
Seems Tech and/or DavidR either lost interest or are unable to continue.
Is there any credence to the user comment on VirusTotal that it might be a virus, and also why do the 3 scans that avast does seem to have different behaviours as far as catching the virus?