question about detections in memory

Discussion in 'ewido anti-spyware forum' started by Pieter_Arntz, Jan 21, 2006.

Thread Status:
Not open for further replies.
  1. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    I see entries in Scan reports that look like this:

    [176] VM_00B40000 -> Downloader.Agent.uj : Error during cleaning

    [180] C:\WINDOWS\system32\msclock32.dll -> Adware.NaviPromo : Error during cleaning

    [580] VM_10001000 -> Adware.NaviPromo : Error during cleaning

    Can you tell me what the numbers between brackets mean?

    I guessed they are the PID for the process, but would like to know for sure.

    TIA,

    Pieter
     
  2. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Hey Pieter,

    While you await the Ewido experts....I am of the opinion that the numbers between brackets are associated with the PID.
     


  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi Bubba, :)

    I reached the same conclusion, but I would like to have it confirmed.
    (+ suck up any extra info they would be willing to provide) :D

    Thanks,

    Pieter
     
  4. vinzenz.ewido

    vinzenz.ewido former ewido team

    Joined:
    Dec 9, 2005
    Posts:
    425
    Location:
    Brno, Czech Republic
    Hey Pieter,

    As Bubba and you already expected, this is the Process ID of the process to which the memory currently being scanned belongs.

    If ewido anti-malware has problems removing a threat (which is active in memory), it can be very helpful if you go into safe mode and scan there again.

    In case of trojan.agent.uj you should first of all execute a memory scan in safe mode and save a scan report (to have the PIDs from it).
    Then go to analysis->processes, select the infected entries one by one and click on 'Terminate process'.

    This will kill the process, but watch out if the threat is in WinLogon.exe or csrss.exe. If you kill that process your PC will reboot!

    After removing the threats from memory execute a complete system scan.

    BR
    Vinzenz
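
The report lines quoted in the first post and the precautions in the reply above can be combined into a small triage script. This is an added example, not part of the original thread and not ewido's own code; it assumes the text after `VM_` is a hexadecimal address, and the function names and the PID-to-name map are hypothetical.

```python
import re
from collections import defaultdict

# Line shape as quoted in the thread: "[PID] target -> Threat.Name : status"
LINE_RE = re.compile(r"^\s*\[(\d+)\]\s+(.+?)\s+->\s+(\S+)\s+:\s+(.+?)\s*$")
# Assumption: the text after "VM_" is a hexadecimal address in that process.
VM_RE = re.compile(r"^VM_([0-9A-Fa-f]+)$")
# Processes the thread warns about: killing them reboots the PC.
DO_NOT_TERMINATE = {"winlogon.exe", "csrss.exe"}

def parse_report(text):
    """Return one dict per detection line; lines in any other shape are skipped."""
    detections = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, target, threat, status = m.groups()
        vm = VM_RE.match(target)
        detections.append({
            "pid": int(pid), "target": target, "threat": threat, "status": status,
            "kind": "memory" if vm else "file",
            "address": int(vm.group(1), 16) if vm else None,
        })
    return detections

def triage(detections, process_names):
    """Group by PID; process_names (hypothetical input) maps PID -> image name."""
    by_pid = defaultdict(list)
    for d in detections:
        by_pid[d["pid"]].append(d)
    plan = {}
    for pid in sorted(by_pid):
        name = process_names.get(pid)
        if name is None:
            action = "review"          # PID not in the process list: check by hand
        elif name.lower() in DO_NOT_TERMINATE:
            action = "leave-running"   # terminating it would reboot the machine
        else:
            action = "terminate"
        plan[pid] = {"name": name, "action": action, "detections": by_pid[pid]}
    return plan

# Constructed sample: the thread's three lines plus an invented PID-to-name map.
SAMPLE_REPORT = r"""[176] VM_00B40000 -> Downloader.Agent.uj : Error during cleaning
[180] C:\WINDOWS\system32\msclock32.dll -> Adware.NaviPromo : Error during cleaning
[580] VM_10001000 -> Adware.NaviPromo : Error during cleaning"""
SAMPLE_PROCESSES = {176: "explorer.exe", 180: "WINLOGON.EXE"}
```

PIDs change on every boot, so the process list has to come from the same session as the saved report.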
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Thanks Vinzenz :thumb:
     