Thread: trojan in memory (teatimer) found by avast 5 internet security

  1. #1
    Senior Member
    Join Date
    Oct 2005
    Location
    Germany
    Posts
    5,263

    Hello,

    As Spybot-S&D has no spyware integrated, this must be a false alarm.

    The reason for such a false alarm is simple: Spybot-S&D saves backups of the problems you have fixed, to make it possible to recover them in case something stops working after the fix.

    If the file found is in the Recovery directory inside the Spybot-S&D directory, it is such a backup. It is no longer of any harm there, as the file won't be found and loaded from there. But once you are sure you don't need the backup, go to the Recovery section inside Spybot-S&D and purge those files.

    Current versions compress the recovery files into password-protected zip archives, thus preventing other spyware applications from giving false alarms. Some programs might notify you that they cannot access these zip archives - this can easily be ignored. As the recovery files are named after the threat, some programs might also naively detect the backups as threats just because of the file name. This can also be ignored.

    In recent weeks there was a noticeably high number of cases where other anti-virus and anti-spyware programs wrongly detected parts of Spybot-S&D, which probably has to be traced back to insufficient testing at these companies (see articles in the News section on our homepage).

    Best regards
    Sandra
    Team Spybot

  2. #2
    Junior Member
    Join Date
    Aug 2008
    Posts
    6

    thanks for your reply. i am aware of the archive reading in anti-virus programs. i am not aware if sb scans system memory as well as the c drive.

    if avast finds a sb archive it lists it in the avast scan log. sb runs after avast in my schedule. sb always shows clean. again, avast shows the trojan in memory in the teatimer block. it has shown in the sb memory block also.

    if this happens again i will make a note and reply to this thread with particulars. i run a custom scan with avast-is scanning a full rootkit scan and memory.

  3. #3
    Senior Member
    Join Date
    May 2009
    Posts
    236

    Quote Originally Posted by kdd53 View Post
    thanks for your reply. i am aware of the archive reading in anti-virus programs. i am not aware if sb scans system memory as well as the c drive.

    if avast finds a sb archive it lists it in the avast scan log. sb runs after avast in my schedule. sb always shows clean. again, avast shows the trojan in memory in the teatimer block. it has shown in the sb memory block also.

    if this happens again i will make a note and reply to this thread with particulars. i run a custom scan with avast-is scanning a full rootkit scan and memory.

    I'm running Avast 5.1.889 and the latest SpyBot Search & Destroy, both of which have the latest updates to their definitions/signatures. I've not had the problems you report.

    One reason may be that I don't use TeaTimer, but I can do a full scan including memory with Avast right after running a scan with SpyBot Search & Destroy. Perhaps Sandra can confirm whether SpyBot Search & Destroy puts or leaves unencrypted signatures in memory, but I don't think so.

    By default, Avast doesn't scan .ZIP files. If you've set that in a custom scan, Avast would still not be able to scan a password protected .ZIP file and would report that it couldn't in the log, as Sandra stated.

  4. #4
    Junior Member
    Join Date
    Aug 2008
    Posts
    6

    Quote Originally Posted by spybotsandra View Post
    Hello,

    As Spybot-S&D has no spyware integrated, this must be a false alarm.

    The reason for such a false alarm is simple: Spybot-S&D saves backups of the problems you have fixed, to make it possible to recover them in case something stops working after the fix.

    If the file found is in the Recovery directory inside the Spybot-S&D directory, it is such a backup. It is no longer of any harm there, as the file won't be found and loaded from there. But once you are sure you don't need the backup, go to the Recovery section inside Spybot-S&D and purge those files.

    Current versions compress the recovery files into password-protected zip archives, thus preventing other spyware applications from giving false alarms. Some programs might notify you that they cannot access these zip archives - this can easily be ignored. As the recovery files are named after the threat, some programs might also naively detect the backups as threats just because of the file name. This can also be ignored.

    In recent weeks there was a noticeably high number of cases where other anti-virus and anti-spyware programs wrongly detected parts of Spybot-S&D, which probably has to be traced back to insufficient testing at these companies (see articles in the News section on our homepage).

    Best regards
    Sandra
    Team Spybot

    here's the image. any thoughts?

  5. #5
    Senior Member
    Join Date
    May 2009
    Posts
    236

    I just scanned TeaTimer.exe in my installed SpyBot Search & Destroy 1.6.2.46 with Avast 5.1.889 and the current VPS 6.2.2011 - 110206-1. It scanned clean, no infection.

    What version of Avast and its VPS are you using?

    You can upload your TeaTimer.exe to VirusTotal where it will be scanned by 43 virus scanners. Post the VirusTotal results link back here.

  6. #6
    Senior Member drragostea's Avatar
    Join Date
    Jan 2008
    Location
    @Home
    Posts
    3,674

    kdd53, sorry if you mistook the criticism as being towards you; it was not.

    I was responding to Root Canal.
