These threats are detected while scanning the memory. There are no options to move them to the virus chest or to delete them.
When I run a standard Avast Full System Scan and a Boot-time scan I get a clean bill of health (no threats). The Microsoft Windows Malicious Software Removal Tool also gives a clean report.
The last time I ran the custom scan was on 21 Feb with a clean report. The only thing that has changed on my PC since that date was that I replaced my DSL modem/router. The only websites accessed since the last custom scan were reputable sites such as IMDb, IGN, Facebook, Gmail etc.
These threats are detected while scanning the memory. [b]There are no options to move them to the virus chest or to delete them[/b].
Because they are not files that can be deleted/moved, but a process loaded in memory.
However, you have, as many others before you, experienced what happens when you play with the scan settings and select "scan memory". DO NOT use the scan memory setting, as this will give some weird scan results, unless you are a computer geek and know what you are doing, but then I guess you would not post this.
I recommend using Avast's default scan settings for problem-free Avast operation. The Avast team has played with malware 24/7 for 20 years, so there is a reason why the settings are as they are.
Also, detection in memory / memory scan is this forum's second most frequently asked question. No. 1 is "some files could not be scanned", so there is plenty of info if you search the forum.
When I run a custom Avast scan (which includes memory, auto-start programs and[b] rootkits[/b]) I get the following results:
Cheers Steven, I downloaded Malwarebytes, updated it and ran a quick-scan. All clear!
Well, hopefully I'm not a complete noob either! I've been using Avast for about 10 years now, and the fact that this is the first time I've had any problems should be a good testament to its effectiveness. I've also been regularly using the same custom scan for about 3 years now and never had any problems before. Just weird that this is happening out of the blue right now... ???
I’ve got the exact same virus happening on a Windows XP machine, with iertutil.dll showing up as infected in memory. I’ve thrown every antivirus/antirootkit/antimalware utility I could find at it and nothing detected it. I tried both the avast! boot scan that you set off via the UI, and the avast! Rescue Disk, and neither of them found it.
The only place avast! detects it is in memory, and when I use Process Explorer to find the location of the DLL, it points to c:\windows\system32\iertutil.dll. Scanning that file directly shows no infection whatsoever. In order to figure out what that DLL is all about, I used WinDbg with sos.dll to dump the memory-resident iertutil.dll to disk. avast! immediately detects and blocks it from being written to disk, so the only way to dump it to disk is to disable the avast! shields temporarily. Once I dumped it to disk, I compared metadata and file byte sizes between the version dumped from memory and the one at c:\windows\system32\iertutil.dll and found them to be identical in those metrics. I used FCIV to compare the MD5 checksums of the two files and only then did they reveal differences. Opening them in Notepad++ and running the Compare plugin yielded differences in rows 3-6 if I remember correctly, but otherwise identical.
How can I submit this file to avast! for analysis?
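Added example, not from the original post or from Avast: the comparison Iver describes (dump the memory-resident module, hash both copies with MD5, then diff them) automated in Python so that each differing byte range is reported together with the PE section it falls in, rather than as "rows 3-6" in a text compare. The PE image it works on is constructed inline and is not iertutil.dll or any real binary. The `layout` parameter is my own assumption: "file" for a dump whose size matches the on-disk file, as in Iver's case, and "memory" for a dump taken in section-aligned memory layout, where section RVAs apply instead of raw file offsets.

```python
"""Compare an on-disk PE image with a copy of the same module dumped from memory
and locate every modified byte range by PE section (constructed sample PE)."""
import hashlib
import struct
from dataclasses import dataclass


@dataclass
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    raw_offset: int
    raw_size: int


def parse_sections(image):
    """Return the section headers of a PE image stored in file layout."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                        # IMAGE_FILE_HEADER
    (num_sections,) = struct.unpack_from("<H", image, coff + 2)
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)
    table = coff + 20 + opt_size               # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        name, vsize, vaddr, rsize, roff = struct.unpack_from("<8sIIII", image, table + 40 * i)
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"),
                                vaddr, vsize, roff, rsize))
    return sections


def diff_ranges(a, b):
    """Contiguous [start, end) ranges where two equal-sized byte strings differ."""
    if len(a) != len(b):
        raise ValueError("size mismatch: %d vs %d bytes" % (len(a), len(b)))
    ranges, start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, len(a)))
    return ranges


def section_for(offset, sections, layout="file"):
    """Section containing offset: 'file' uses raw offsets, 'memory' uses RVAs (assumed parameter)."""
    for s in sections:
        if layout == "file":
            base, size = s.raw_offset, s.raw_size
        else:
            base, size = s.virtual_address, max(s.virtual_size, s.raw_size)
        if base <= offset < base + size:
            return s.name
    return "<headers/unmapped>"


def compare_images(on_disk, dumped, layout="file"):
    """Hash both copies (MD5, as in the post) and report each modified range with its section."""
    sections = parse_sections(on_disk)
    findings = [{"offset": s, "length": e - s, "section": section_for(s, sections, layout),
                 "disk": on_disk[s:e].hex(), "dump": dumped[s:e].hex()}
                for s, e in diff_ranges(on_disk, dumped)]
    return {"md5_disk": hashlib.md5(on_disk).hexdigest(),
            "md5_dump": hashlib.md5(dumped).hexdigest(),
            "identical": not findings, "findings": findings}


def build_sample_pe(text, data):
    """Constructed, non-runnable PE32 with a .text and a .data section (sample input only)."""
    align = 0x200

    def pad(b):
        return b + b"\0" * (-len(b) % align)

    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt = struct.pack("<H", 0x10B) + b"\0" * 222        # PE32 magic, rest zeroed
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x2102)
    text_raw, data_raw = pad(text), pad(data)
    text_off = align                                    # headers occupy the first 0x200 bytes
    data_off = text_off + len(text_raw)

    def sec(name, vaddr, vsize, roff, rsize, flags):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rsize, roff, 0, 0, 0, 0, flags)

    headers = (dos + b"PE\0\0" + coff + opt
               + sec(b".text", 0x1000, len(text), text_off, len(text_raw), 0x60000020)
               + sec(b".data", 0x2000, len(data), data_off, len(data_raw), 0xC0000040))
    return pad(headers) + text_raw + data_raw


def demo():
    """Patch a copy the way an in-memory hook would and compare it with the 'on-disk' image."""
    disk = build_sample_pe(bytes(range(256)) * 4, b"hello avast forum\0" * 8)
    secs = parse_sections(disk)
    text_off, data_off = secs[0].raw_offset, secs[1].raw_offset
    dumped = bytearray(disk)
    dumped[text_off:text_off + 5] = b"\xE9\x00\x10\x00\x00"   # 5-byte JMP inline hook
    dumped[data_off + 4:data_off + 8] = b"\xDE\xAD\xBE\xEF"   # overwritten pointer in .data
    return compare_images(disk, bytes(dumped))


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Two caveats when applying this to a real dump. A module dumped in memory layout legitimately differs from the file on disk in the import address table, in any applied relocations and in writable data the program has changed, so a difference in those places is not by itself evidence of tampering; unexpected bytes in `.text`, or in headers the loader does not touch, are what deserve attention. And since the comparison only tells you where the copies differ, the dumped file itself is still what the vendor needs for analysis.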
Sorry, my post may have been confusing. Only avast! manual scan finds it in memory, and it cannot remove it. Moreover, nothing from avast! finds it at or before boot. Would I still e-mail it to that address?
I am also having very similar scan results from a custom scan which included: System drive, Rootkits (full scan), Memory, Auto-start program, Auto-start programs (all users), top-to-bottom in that order.
Avast! reported the presence of "Threat: Sf:Zbot-K [Trj]" in various processes, including firefox.exe, dllhost.exe, svchost.exe, explorer.exe, reflextservice.exe, jusched.exe etc. And the "infected" memory block is always 0x000000003D3F0000, block size 2015232 (iertutil.dll). And this happens on 2 of my machines, both XP SP3. On my other Win7 and Win8.1 machines, nothing is detected.
The weird thing is that if I perform another custom scan with only Rootkits (full scan), Memory, Auto-start programs, Auto-start programs (all users) then it will report: No Threats Detected. (redoing the other custom scan again will give back the same list of ZBot-K threats in memory. So it is not something transient.)
FYI, I've also scanned the machines with MBAM, anti-rootkit beta and aswMBR, but nothing has been found by them.
Pondus is probably, and most hopefully, correct that it is another case of "Stay Away From Memory Scans", but how are users supposed to know that memory scans should not be performed? And why is the inclusion/exclusion of the scanning of the system drive affecting the memory scan results?
basically, Avast! thinks it’s caught a virus. It’s a False Positive that I’m sure Avast! is working on. If you are worried, attach MBAM, OTL and aswMBR reports so we can have a look.
I initially thought it was a false positive as well, until I pulled the file from memory using WinDbg and compared it to the file it purported to be on disk. Something is either loading a substitute file into memory when iertutil.dll is called, or modifying iertutil.dll in memory directly. None of the utilities you mention find anything abnormal, so whatever this is, it’s doing a damned good job of hiding itself from usermode utilities. Not sure how avast! manages to find it in memory, but it finds nothing on disk, even from the avast! Rescue Disk.
That’s the analysis of the file I pulled from memory. This doesn’t really explain the discrepancy between the file on disk and the file in memory, though. Here are the relevant MD5 checksums:
Iver wrote: I initially thought it was a false positive as well, until I pulled the file from memory using WinDbg and compared it to the file it purported to be on disk.
You are making me worried. Since you have managed to dump that modified iertutil.dll file onto your HD, could you try to run MBAM or other virus scanners on that file to see if the virus signatures in it are indeed recognized by other scanners as well?
Check out the virustotal.com link I pasted above. It scans an uploaded file against a huge list of antivirus suites. Only avast! showed this as an infected file, so there’s a pretty good chance it’s a false positive. That or everyone else is asleep at the wheel.
You can use mail:
send to virus@avast.com in a password-protected zip file
mail subject: False Positive / undetected sample (select the subject according to your case)
zip password: infected
Same problem here on Windows XP Pro as well, no option to move or delete; no problem with Windows, that is obvious. I am not that experienced, so as to be able to find where it is.