Jack

Persistent virus on virtual memory


Hello,

I have a Windows 7 SP1 64-bit computer. I have had 2 antiviruses installed, Panda Internet Security 2017 and Adaware Free as secondary, for almost a month. Until yesterday everything was fine.

Today, while Panda shows no infected files, Adaware keeps showing a virus which is always deleted but reappears on every scan. The last report is listed below:

<ScanInfo EndTime="20180427T234233.669413" StartTime="20180427T233545.669413" ScanType="Full" ScanMode="Manual"/>

<InfectedObjects>

<InfectedObject ThreatName="DeepScan:Generic.PWStealer.9ED5576A" ThreatType="Virus" ObjectStatus="Deleted" InnerObject="" ParentContainers="" ObjectPath="<System>=>VirtMem Region Dump 0x8db0000 + 4000 [7684] (pgexec dump)" ObjectType="Process"/>

Also, I noticed that Panda at the time of the infection was temporarily disabled (no antivirus, firewall, monitoring). I have run the following scans:

Panda, Adaware (full), Malwarebytes Free (full), Microsoft Office scan (full), Windows Defender Offline (full), Microsoft Security Essentials (quick), both in normal and in safe mode, but the virus keeps appearing.

Please advise on how I should proceed.

Thank you,

Jack

P.S. I apologise for my bad English; it is not my native language.

 

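Added example, written for this thread and not code from the original post or from adaware: a small PowerShell triage for an adaware XML scan report like the one pasted above. It separates in-memory hits ("VirtMem Region Dump") from on-disk files, pulls the bracketed number out of the ObjectPath (assumed here to be the PID of the process whose region was dumped, which is how the later replies in the thread treat it), and resolves that PID against the live process table with its image path and Authenticode signer. The sample report is constructed to mirror Jack's fragment, with a second, clearly labelled on-disk entry added to show the other branch; the region size after "+" is assumed to be hex like the 0x-prefixed base. Needs PowerShell 3.0 or later and should be run elevated so that image paths of other users' processes are readable.

```powershell
# Constructed sample mirroring the report fragment in the first post. In real XML the
# "<System>=>" prefix inside the attribute must be entity-encoded; the forum copy shows
# it unescaped, which is why the pasted fragment cannot be loaded as-is.
$SampleReport = @'
<?xml version="1.0" encoding="utf-8"?>
<Report>
  <ScanInfo EndTime="20180427T234233.669413" StartTime="20180427T233545.669413" ScanType="Full" ScanMode="Manual"/>
  <InfectedObjects>
    <InfectedObject ThreatName="DeepScan:Generic.PWStealer.9ED5576A" ThreatType="Virus" ObjectStatus="Deleted" InnerObject="" ParentContainers="" ObjectPath="&lt;System&gt;=&gt;VirtMem Region Dump 0x8db0000 + 4000 [7684] (pgexec dump)" ObjectType="Process"/>
    <InfectedObject ThreatName="Constructed.Sample.OnDiskHit" ThreatType="Virus" ObjectStatus="Quarantined" InnerObject="" ParentContainers="" ObjectPath="C:\Users\Jack\Downloads\setup.exe" ObjectType="File"/>
  </InfectedObjects>
</Report>
'@

function Get-AdawareDetection {
    param([Parameter(Mandatory)][string]$ReportXml)
    [xml]$doc = $ReportXml
    # "VirtMem Region Dump <base> + <size> [<n>]" is the label adaware gives a memory-region
    # hit; <n> is assumed to be the PID, <size> is assumed to be hex like the base address.
    $pattern = 'VirtMem Region Dump (?<base>0x[0-9A-Fa-f]+) \+ (?<size>[0-9A-Fa-f]+) \[(?<pid>\d+)\]'
    foreach ($obj in $doc.SelectNodes('//InfectedObject')) {
        $m = [regex]::Match($obj.ObjectPath, $pattern)
        [pscustomobject]@{
            Threat     = $obj.ThreatName
            Status     = $obj.ObjectStatus
            InMemory   = $m.Success
            Base       = if ($m.Success) { $m.Groups['base'].Value } else { $null }
            SizeBytes  = if ($m.Success) { [Convert]::ToInt32($m.Groups['size'].Value, 16) } else { $null }
            ProcessId  = if ($m.Success) { [int]$m.Groups['pid'].Value } else { $null }
            ObjectPath = $obj.ObjectPath
        }
    }
}

function Resolve-DetectionProcess {
    param([Parameter(Mandatory)][int]$ProcessId)
    # PIDs are recycled, so a PID from an old report only means something while the
    # process is still alive; otherwise the right move is to rescan and read the new PID.
    $proc = Get-Process -Id $ProcessId -ErrorAction SilentlyContinue
    if (-not $proc) {
        return [pscustomobject]@{ ProcessId = $ProcessId; Alive = $false; Name = $null; Image = $null; Signer = $null; SigStatus = $null }
    }
    # .Path is empty for protected processes, or for 64-bit targets seen from 32-bit PowerShell.
    $image = $proc.Path
    $sig = if ($image) { Get-AuthenticodeSignature -FilePath $image } else { $null }
    [pscustomobject]@{
        ProcessId = $ProcessId
        Alive     = $true
        Name      = $proc.ProcessName
        Image     = $image
        Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        SigStatus = if ($sig) { $sig.Status.ToString() } else { 'Unknown' }
    }
}

$hits = Get-AdawareDetection -ReportXml $SampleReport
$hits | Format-Table Threat, Status, InMemory, ProcessId, Base, SizeBytes -AutoSize
$hits | Where-Object { $_.InMemory } | ForEach-Object { Resolve-DetectionProcess -ProcessId $_.ProcessId } | Format-List
```

Replace $SampleReport with `Get-Content -Raw` of the real report file to run it against an actual scan. The point of resolving the PID is that an in-memory detection names a region, not a file: knowing which image owns the region (and who signed it) is what tells you whether you are looking at malware, at another security product's own scanner, or at a heuristic misfire, which is exactly the question the rest of this thread works through.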

Hi @Jack,

It's possible that it's a false positive; if so, adaware antivirus will stop finding the threat once the definitions have been updated.

Please follow the instructions in

 

P.S. No problem with understanding what you wrote and if you don't understand what I've written (not my native language), please ask.


Hello @Jack!  Please answer a few questions: 

  • Can you reproduce this detection alert after every Adaware full scan?
  • Do you have PostgreSQL installed?
  • Did you run a full scan with the Microsoft antivirus tools while Adaware and Panda were installed?


Thank you for the quick reply,

I have attached 5 files: 1) the latest Adaware scan report, 2) a JPEG image of the Adaware notification, 3-5) the three files produced by FRST.

To answer your questions:

1) The detection alert appears after every Adaware scan.

2) PostgreSQL is not installed (checked the registry, Program Files and Program Files (x86) folders).

3) Also, I have run full scans in safe mode with Microsoft Security Essentials, Panda, Malwarebytes Free, Microsoft Office scan and Windows Defender Offline. All showed everything is fine (no infection).

P.S. I know it is not recommended to have 3 antiviruses installed at the same time, but I installed Microsoft Security Essentials to double-check Panda and Adaware.

 

adaware_Report_Full_Manual_28-4-2018 93940.xml

scan results.jpg

Addition.txt

FRST.txt

Shortcut.txt


1. It's better to use online antivirus scans instead of installing several antivirus programs, which can lead to BSODs and other crashes due to conflicting drivers, and to false positives. Therefore it's important to always install adaware antivirus in compatible mode when it is installed alongside another antivirus program.

2. The Firefox add-on Flash Control is not compatible with the latest version of Firefox and should be uninstalled.
The installed Adobe Flash and Shockwave Player versions are very old and not safe. Please, uninstall and install the latest version if needed (don't turn off automatic update of it).

3. There are some leftovers of a very old Ad-Aware antivirus that might disturb adaware antivirus. You can remove them in this way:

Please, move the FRST program from the Download folder to the Desktop.

Start Notepad.
Copy all text that is in the box:

CreateRestorePoint:
CloseProcesses:
R0 gfibto; C:\Windows\System32\drivers\gfibto.sys [14456 2014-03-12] (GFI Software)
R1 SBRE; C:\Windows\system32\drivers\SBREdrv.sys [55384 2018-03-04] (Sunbelt Software)
Reboot:

and paste in Notepad. Check that no files have been split on two lines.
Save the file as fixlist.txt on the desktop.

Exit all programs.
Start FRST, please.
Click the Fix button.
Wait until the tool has finished.

It creates a log file, called Fixlog.txt, on the desktop.
Please, paste the content of that file in your reply.

 

4. I can't see any threats in the log files of FRST and I'll move this topic to the forum for false positives and let LS Artem handle that problem.

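Added example, not code from the original post or from FRST: the two fixlist entries above are kernel drivers left behind by an older security product (gfibto.sys from GFI Software, SBREdrv.sys from Sunbelt Software). Before handing such lines to a fix tool, a practitioner wants the full list of non-Microsoft driver services on the box, with vendor, file date and signature state, plus any entries whose binary is already gone. The function below builds that list from Win32_SystemDriver. Path forms, the Microsoft filter and the catalog-signature caveat are this example's assumptions, not something the thread states. Needs PowerShell 3.0 or later.

```powershell
function Get-ThirdPartyDriver {
    [CmdletBinding()]
    param()
    foreach ($d in Get-CimInstance -ClassName Win32_SystemDriver) {
        $path = $d.PathName
        if (-not $path) { continue }
        # CIM reports NT-style paths for some entries (\SystemRoot\..., \??\C:\..., system32\...);
        # normalise them to Win32 paths before touching the file.
        $path = $path -replace '^\\SystemRoot', $env:SystemRoot
        $path = $path -replace '^\\\?\?\\', ''
        if ($path -match '^system32\\') { $path = Join-Path $env:SystemRoot $path }

        if (-not (Test-Path -LiteralPath $path)) {
            # Registered service, binary missing: the classic orphaned leftover.
            [pscustomobject]@{ Service = $d.Name; State = $d.State; StartMode = $d.StartMode
                               Company = $null; Signer = 'MISSING FILE'; FileDate = $null; Path = $path }
            continue
        }

        $item    = Get-Item -LiteralPath $path
        $company = [string]$item.VersionInfo.CompanyName
        $sig     = Get-AuthenticodeSignature -FilePath $path
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

        # Inbox Windows drivers are catalog-signed; on Windows 7 Get-AuthenticodeSignature
        # reports those as NotSigned, so also filter on the version resource's CompanyName.
        if ($subject -match 'Microsoft' -or $company -match 'Microsoft') { continue }

        [pscustomobject]@{
            Service   = $d.Name
            State     = $d.State
            StartMode = $d.StartMode
            Company   = $company
            Signer    = if ($subject) { $subject } else { $sig.Status.ToString() }
            FileDate  = $item.LastWriteTime.ToString('yyyy-MM-dd')
            Path      = $path
        }
    }
}

Get-ThirdPartyDriver | Sort-Object Company, Service | Format-Table -AutoSize
```

Run it elevated. A driver whose Company or Signer names a product that is no longer installed, or whose file is missing, is a candidate for the kind of fixlist CeciliaB wrote; a driver with StartMode "Boot" or "System" and an old FileDate from a security vendor is exactly what was loading before either current antivirus came up, which is why such leftovers can interfere with scans.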

Thank you again for your reply. Regarding your remarks I have done the following:

1) There are two antiviruses installed now: Panda and Microsoft Essentials. I will keep Essentials for a while and if there are no infections or alerts I will uninstall it as well.

Adaware has been uninstalled.

2) Flash Control has been uninstalled. Instead, I have activated Panda Safe Web.

Adobe flash and Shockwave have been installed with automatic updates on.

3)I have followed the instructions and attached the relevant file.

4)I am relieved that it is a false positive.

Again, thank you.

Jack

Fixlog.txt


You're welcome :)

1) Panda and Microsoft don't approve that their antivirus programs are installed together. There are risks for conflicts. MS Security Essentials can be replaced by MS Safety Scanner: https://www.microsoft.com/en-us/wdsi/products/scanner

2) Good :)

3) You don't have those two leftovers any more.

4) Please, wait for a response from Artem.


I know it is not recommended to keep two antiviruses installed. I will uninstall essentials tomorrow. I have already downloaded and used MS Safety Scanner which reported everything is Ok.

I am waiting for a response from Artem.

Still, thanks for the help.

 


Hello!  

Adaware's scanner found some suspicious activity in your system memory. The problem is that it couldn't be deleted or terminated because it is part of some process that was allowed to run by your system and all antiviruses. It can also be part of Panda's utilities.

I can't find any anomalies except two working antivirus services and a suspicious CCleaner64. CCleaner was compromised last year.

First of all please send us binary file of CCleaner that is located here " C:\Program Files (x86)\CCleaner\CCleaner64.exe".  

Clean your %Temp% folder (C:\Users\ADMINI~1\AppData\Local\Temp).

So please try to uninstall all installed antivirus solutions (keep just the license information). Uninstall all utilities that were installed with the antivirus. Reboot your PC.

After that you can try to reinstall AdAware and make a new scan. 

 

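Added example, not code from the original post or from Piriform: what a responder checks on a CCleaner binary before trusting it or trying to upload it. The function hashes the file, reads the Authenticode signature, reads the version resource and the PE machine type, and flags a match against the build named in the vendor note linked further down this thread (5.33.6162, 32-bit). The path is the one Artem gave; the version-field layout is an assumption (vendors place the build number in different fields, so all four fields are compared). One caveat worth knowing: the trojanized CCleaner was signed with Piriform's own valid certificate, so a "Valid" signature alone does not clear a file; the hash is what you compare against a reference. Needs PowerShell 3.0 or later.

```powershell
function Test-CCleanerBinary {
    param([Parameter(Mandatory)][string]$Path)
    $item  = Get-Item -LiteralPath $Path
    $bytes = [System.IO.File]::ReadAllBytes($Path)

    # SHA-256 via .NET so it also works where Get-FileHash (PowerShell 4.0) is absent.
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    $hash = ([BitConverter]::ToString($sha.ComputeHash($bytes))) -replace '-', ''

    # PE machine type: e_lfanew at 0x3C points at "PE\0\0"; the COFF Machine WORD follows it.
    $arch = 'not a PE file'
    if ($bytes.Length -gt 0x40 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A) {
        $peOff = [BitConverter]::ToInt32($bytes, 0x3C)
        if ($peOff -gt 0 -and $peOff + 6 -le $bytes.Length -and $bytes[$peOff] -eq 0x50 -and $bytes[$peOff + 1] -eq 0x45) {
            $machine = [BitConverter]::ToUInt16($bytes, $peOff + 4)
            $arch = switch ($machine) { 0x14c { 'x86' } 0x8664 { 'x64' } default { '0x{0:x}' -f $machine } }
        }
    }

    $vi  = $item.VersionInfo
    $ver = @($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
    $sig = Get-AuthenticodeSignature -FilePath $Path

    [pscustomobject]@{
        Path            = $Path
        SHA256          = $hash
        Arch            = $arch
        FileVersion     = ($ver -join '.')
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        SignatureStatus = $sig.Status.ToString()
        Timestamped     = [bool]$sig.TimeStamperCertificate
        LastWrite       = $item.LastWriteTime
        # Build named in the vendor note: 5.33.6162 for the 32-bit CCleaner. A 64-bit image
        # cannot be that build, so an x64 file never matches regardless of version.
        MatchesAdvisory = ($arch -eq 'x86' -and $ver[0] -eq 5 -and $ver[1] -eq 33 -and ($ver -contains 6162))
    }
}

Test-CCleanerBinary -Path 'C:\Program Files (x86)\CCleaner\CCleaner64.exe' | Format-List
```

Posting the SHA256 value from this output would have answered Artem's request without the forum upload that failed: a hash is enough for the other side to look the file up, and it avoids mailing an executable around. The object also records whether the signature carries a timestamp, which is what keeps an old, legitimately signed build verifiable after the signing certificate has expired or been revoked.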

Hello,

I cannot attach Ccleaner64.exe because upload fails and a message appears ( There was a problem processing the uploaded file. -200 ). I have also tried to zip it for less space but to no avail.

Could you please explain that CCleaner was compromised last year ?

I have just uninstalled Microsoft Essentials. How do I uninstall Panda without losing the license information? (Thus I can install it again).

I have emptied temp folder.

Thank you for your response.

P.S. I could send the file via email. If this is safe and possible, please provide an email address.
17 minutes ago, Jack said:

I cannot attach Ccleaner64.exe because upload fails and a message appears ( There was a problem processing the uploaded file. -200 ). I have also tried to zip it for less space but to no avail.

It should be possible to upload .zip files, but you can also try to change the file extension to .txt.

If you're using a file sharing site (Dropbox, Microsoft OneDrive, Google Drive etc.) you can upload the file there and link to it in your reply.


Thank you. 

 It seems your binary file of CCleaner is clean. 

 About CCleaner you can read a note here https://www.ccleaner.com/news/release-announcements/2017/9/18/security-notification-for-ccleaner-v5336162-and-ccleaner-cloud-v1073191-for-32-bit-windows-users

Actually I don't know how Panda's license works, but the normal way for AV vendors is to provide user accounts with licenses or to store the key in the system for reinstall purposes. Panda's account might be here: https://myaccount.pandasecurity.com

Also, maybe this information can be useful for you: https://www.pandasecurity.com/usa/support/andnow/. If you have an activation code, you can reinstall Panda without problems.

Try to install the latest version of Adaware and do a new scan just to be sure that the problem was in AV conflict.


Hello again,

I apologise for my late reply. I followed the instructions above (fully removed all antiviruses, rebooted and installed adaware free with all definition updates and activated it).

The scan showed no infections (all clean). I attach the files of the scan.

Moreover, I also executed FRST64 file and attach the relevant files.

Most likely it was a conflict between Panda and Adaware.

Thank you again for your help and your patience,

Jack

adaware_Report_Full_Manual_30-4-2018 31554 μμ.xml

Addition.txt

FRST.txt

scan.jpg

Shortcut.txt


Hi Jack,

Very good that adaware antivirus no longer finds anything potentially bad.

If you want to continue to use both Panda and adaware antivirus, please uninstall adaware, restart the computer, run the removal tool and restart the computer again before installing Panda, restarting the computer and installing adaware in compatible mode. In compatible mode, adaware won't be running the whole time (no real-time protection) but you can start a scan of the computer with it (turn off Panda's real-time protection during the scan to minimize the risk of false positives and to make the scan faster).


Hello @Jack! 

Glad to help you. Yes, it seems it was one of the antivirus components. If you have any other questions, please ask.

 

Many thanks to @CeciliaB
