Virus in memory, but no files infected

OK, this one’s really got me stumped (not to mention worried).

About three weeks ago, I installed the new Microsoft OneCare beta (combo antivirus/firewall suite that MS is planning to sell next year). At the same time, I disabled avast!. Everything was OK with OneCare - virus scans appeared to run fine, with no virus alerts.

Today, I decided to re-enable avast! in order to run a scan - just to see that its findings were consistent with Microsoft’s. Instead, avast! found signatures for three viruses resident in memory that have never shown up before:

Bleah-D
win32:Bolzano-5396
win32:Gremo

avast! cannot clean, move, rename or quarantine any of these viruses (just the following error: “The filename, directory name, or volume label syntax is incorrect”). Actually, during a regular scan (using the GUI), the only option that is provided when the alert pops up for all three of these viruses is to run a boot-time scan - no Clean, Move, Quarantine buttons at all.

After the scan is complete, there are no viruses reported in any of the files on my computer, just those three resident in my memory. [I’ve set avast! to scan all files and all compressed types as well.]

So, I do a boot-time scan (all files, all drives, all compressed files) and avast! tells me there are no viruses found anywhere on my hard drive.

I looked up the three viruses on Google and, while one of them is a Master Boot Record attacker, all three are said to work by infecting executable files on the hard drive.

So, my question is: How can my memory be infected yet not one single file on my hard drive? And, if these kinds of viruses are supposed to be infecting all sorts of files on my system, why haven’t they (or why aren’t they showing up)?

There has to be some file, being run by a program I’ve installed since disabling avast! three weeks ago, that is being loaded in memory and causing these alerts! (I have installed four or five new programs since then, including Microsoft OneCare - but have no reason to suspect OneCare except it’s the only one of them that I can think of having any reason to run in memory at startup).

Are these all false positives (being caused by one program, one would suppose)? Or has some really insidious invasion occurred on my computer that is hiding itself from avast! even when it does a boot-time scan (when no files are inaccessible to it)?

Anyone have any ideas?

Thanks.

PBear, it’s not easy to answer…
Maybe you should run an on-line scan of your whole computer to be sure.
I see no reason to panic, but just to be sure.
You could try on-line scanning and report what you get.

http://www.virustotal.com/flash/index_en.html
http://www.kaspersky.com/virusscanner
http://www.mwti.net/antivirus/mwav.asp
http://www.security-ops.tk
http://housecall.trendmicro.com/
http://www.bitdefender.com/scan/index.html
http://support.f-secure.com/enu/home/ols.shtml

Effectively, if you have two anti-virus scanners active at the same time there is every likelihood of conflict, and since OneCare is beta I would suggest you get rid of it. I think when you try that you may find it will be difficult to remove, as this has been reported in other forums/newsletters.

Files in use generally can’t be moved, deleted or repaired (if that were possible); they are protected by Windows, nice Windows. This is why the boot-time scan is given as an option, as they won’t be in use.

It is quite possible to have a virus in memory but not on the HDD. Rebooting would clear them from memory; if you scanned again after boot you would see if they had been reinstated to memory. If so, then there is more detective work to do.

Thanks for the reply. I checked out a couple of the online scanner services you listed, but couldn’t really see the point, as they apparently don’t scan memory or MBR, only files. I can’t imagine what they could find that avast!, running at boot time, wouldn’t have found.

On the other hand, I’m pretty sure I’ve isolated the problem: I disabled the four resident components of Microsoft OneCare, then re-enabled them one at a time, rebooting after each change and running an avast! virus scan (just through the memory scan phase).

It all boils down to one resident component of OneCare: Microsoft Malware Protection Service (loaded as a service from “C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MSMPSVC.EXE -n 4”). After mucking about and rebooting all those times, I finally found that, even with OneCare fully re-enabled, I could simply stop the MSMPSVC service, run an avast! scan and all the virus alerts would go away, re-enable MSMPSVC and they’d all come back - the same three virus alerts in memory every time.

Scanning the file itself produces no virus alerts, just what it loads into memory does. I seriously doubt there is any chance of infection, just something in the malware checking routines that it uses that resemble virus signatures themselves.

I suppose it would be difficult to adapt avast! to recognize the presence of this Malware Protection Service and stop throwing false positives about it (since there is nothing suspicious in the executable file, only its memory routines), but it certainly would be desirable. I’m sure a few other people may wind up using the same combination of OneCare and avast!, just because a lot of techies like to see how far they can tweak their systems, and will wind up suffering the same panic I did when they see these false alerts showing up.

Right now, I seem to have a good working solution having both programs running simultaneously and both working properly, as I want to continue testing the Microsoft program while still preserving features that OneCare doesn’t currently provide - mainly, the ability to do daily backups of just selected areas of the hard drive and resident protection for eMail, P2P, IM and scripts. I’ve turned off avast!'s Standard Shield so OneCare can continue doing that task, while leaving avast! to do the rest, then tested OneCare with EICAR to make sure it was still functioning with avast! loaded into memory (it went berserk the instant I saved the EICAR file and plagued me about it until I deleted the file - which is great).

The main drawback of OneCare’s antivirus component at this point (and something MS will probably improve) is the inability to customize scheduled virus scans (it will only do the entire system), which is impossible to live with more often than the default-scheduled once a month. With avast! loaded in tandem, I can go on doing my quick, 2-3 minute daily scans of just the most vulnerable areas (memory, startup programs, system folder, download folder, temp folder, eMail folder and browser cache) - although, I’m now going to have to put up with avast! finding three viruses in memory every time a scan is run (at least for the time being). I guess I can live with that.

Best regards.

Thanks for taking the time to check this out fully and more so for letting us know.

There are always going to be issues with two resident scanners, and the One Care memory element is indeed strange. We have seen false positive detections by avast (and likely any other AV) after Panda’s on-line scanner deposits its signature files on to the HDD because they are unencrypted.

I wonder if this isn’t something similar: does MS One Care extract its signatures to memory to speed scanning? I guess only MS will know the answer to that.
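The mechanism the thread circles around (a clean executable on disk, yet alerts in memory; unencrypted signature files on the HDD tripping a second scanner) can be shown with a toy model. The following is an added example written for this page, not code from avast!, OneCare or Panda. Everything in it is constructed: the signature names echo the thread, but the byte patterns, the length-prefixed store format, the XOR key and the "infected" sample are invented for the demonstration and correspond to no real product or malware.

```python
import hashlib
import struct

# Constructed toy signature database. Names echo the thread; the byte
# patterns are invented for this demonstration and match no real malware.
SIGNATURES = {
    "Bleah-D": b"\xeb\x1f\x90BLEAH-DEMO",
    "win32:Bolzano-5396": b"\x55\x8b\xecBOLZANO-DEMO",
    "win32:Gremo": b"\xe8\x00\x00\x00\x00GREMO-DEMO",
}

XOR_KEY = 0x5A  # constructed obfuscation key for the on-disk store


def scan_raw(data, signatures=SIGNATURES):
    """Byte-pattern matcher: report every signature whose raw bytes occur in data."""
    return sorted(name for name, pat in signatures.items() if pat in data)


def pack_store(entries):
    """Length-prefixed serialization: name length, blob length, name, blob."""
    out = bytearray()
    for name, blob in entries:
        n = name.encode()
        out += struct.pack("<BH", len(n), len(blob)) + n + blob
    return bytes(out)


def unpack_store(store):
    entries, off = [], 0
    while off < len(store):
        nlen, blen = struct.unpack_from("<BH", store, off)
        off += 3
        name = store[off:off + nlen].decode()
        off += nlen
        entries.append((name, store[off:off + blen]))
        off += blen
    return entries


def xor_bytes(blob, key=XOR_KEY):
    return bytes(b ^ key for b in blob)


def plaintext_store(signatures=SIGNATURES):
    """Naive on-disk format: every pattern written verbatim (the Panda case)."""
    return pack_store(signatures.items())


def encoded_store(signatures=SIGNATURES):
    """Same database, patterns XOR-encoded so the raw bytes never touch disk."""
    return pack_store((n, xor_bytes(p)) for n, p in signatures.items())


def memory_image_after_load(store):
    """Simulate a service that decodes its encoded store into a flat buffer:
    this is what a memory scanner sees inside that process (the MSMPSVC case)."""
    return b"".join(xor_bytes(blob) for _, blob in unpack_store(store))


def hashed_store(signatures=SIGNATURES):
    """Keep only (length, SHA-256) per pattern: the pattern bytes themselves
    never exist on disk or in memory, so a raw matcher has nothing to hit."""
    return {n: (len(p), hashlib.sha256(p).digest()) for n, p in signatures.items()}


def scan_hashed(data, hashed):
    """Match by hashing every window of each signature's length (toy O(n*L))."""
    hits = set()
    for name, (length, digest) in hashed.items():
        for i in range(len(data) - length + 1):
            if hashlib.sha256(data[i:i + length]).digest() == digest:
                hits.add(name)
                break
    return sorted(hits)


def demo():
    # Constructed "infected" sample: harmless filler with one toy pattern inside.
    sample = b"MZ" + b"\x00" * 40 + SIGNATURES["win32:Gremo"] + b"\x00" * 40
    plain, enc = plaintext_store(), encoded_store()
    digests_only = pack_store((n, d) for n, (_, d) in hashed_store().items())
    return {
        "plaintext_store_on_disk": scan_raw(plain),      # all three: the DB file trips the scanner
        "encoded_store_on_disk": scan_raw(enc),          # []: the file scans clean
        "encoded_store_in_memory": scan_raw(memory_image_after_load(enc)),  # all three again
        "hashed_store_in_memory": scan_raw(digests_only),  # []: nothing raw to match
        "sample_raw": scan_raw(sample),                  # ['win32:Gremo']
        "sample_hashed": scan_hashed(sample, hashed_store()),  # ['win32:Gremo']: still detected
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:26s} {v}")
```

The three store variants reproduce the three situations in the thread: a plaintext signature file alerts on disk (the Panda report), an encoded file scans clean but lights up once the owning service has decoded it into its own memory (the MSMPSVC behaviour PBear isolated), and a digest-only store alerts nowhere while still catching the sample. Whether any real product does the latter is not something this page establishes; the example only shows why the symptom looks like an infection without being one.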