Does \MsMpEng.exe(1360):\memory_07d80000 mean malware?

Thread starter: mm
Rewritten to be more clear and sit in its own thread:

Does \MsMpEng.exe(1360):\memory_07d80000 mean malware? AVG seems to
think so.

As you may know, after a disabling malware problem, I've been
restoring a friend's HP Mini 1000. I got it running about a week
ago, I've been fixing it up in other ways for about a week now, and
it's been working fine. I'm supposed to return it tomorrow, and
just now I found two infections, even though I've not read any email
or gone to more than 8 URLs, all of them well known and hopefully
malware free.

I realize that just earlier today, Friday, I figured out how to run
Windows Defender without it getting turned off.

And the two infections are:

c:\program files\windows defender\MsMpEng.exe(1360):\memory_07d80000
and
c:\program files\windows defender\MsMpEng.exe(1360)

They are both labeled: Trojan horse Generic18.BNY]

What does this mean? MsMpEng.exe is a regular part of Windows
Defender, an MS anti-malware program. Complaints about it on the web
are that sometimes it uses up most of the CPU, but in my case it's
not using a thing and the system is 97 percent idle.

What does (1360) etc. mean? Is it possible AVG is finding in Windows
Defender something meant to find a virus and thinks it is a virus?

I tried to move both items to the virus vault. For the first
line it says "Object is inaccessible." The second line got a green
check. There is nothing in the virus vault and the executable
MsMpEng.exe is still in place.

What does all this mean?

BTW, googling for the file name and the trojan name as written, with
or without a space between Generic and 18.BNY, I got no hits.

Any help is much appreciated.

MM
 
mm said:
Rewritten to be more clear and sit in its own thread:

Does \MsMpEng.exe(1360):\memory_07d80000 mean malware? AVG seems to
think so.

I believe it's a memory location where AVG seems to *think* there is
trojan code.
As you may know, after a disabling malware problem, I've been
restoring a friend's HP Mini 1000. I got it running about a week
ago, I've been fixing it up in other ways for about a week now, and
it's been working fine. I'm supposed to return it tomorrow, and
just now I found two infections, even though I've not read any email
or gone to more than 8 URLs, all of them well known and hopefully
malware free.

It *might* be a false positive (all AVs do this from time to time). If
you submit the file (the MsMpEng.exe file detected as malware) to one or
more of the online file submission scanners, you can get some (sometimes)
helpful information.

Virustotal.com
Jotti.org
Virscan.org
I realize that just earlier today, Friday, I figured out how to run
Windows Defender without it getting turned off.

If something was turning it off, then you probably still had active
malware.
And the two infections are:

c:\program files\windows defender\MsMpEng.exe(1360):\memory_07d80000
and
c:\program files\windows defender\MsMpEng.exe(1360)

They are both labeled: Trojan horse Generic18.BNY]

What does this mean?

Both are generic detections (which should IMO be taken with scepticism)
of the same thing, one in file form and the other the in-memory image of
the same.
MsMpEng.exe is a regular part of Windows
Defender, an MS anti-malware program. Complaints about it on the web
are that sometimes it uses up most of the CPU, but in my case it's
not using a thing and the system is 97 percent idle.

What does (1360) etc. mean? Is it possible AVG is finding in Windows
Defender something meant to find a virus and thinks it is a virus?

I think the number indicates the infection length (size) of the
suspected malicious code.
I tried to move both items to the virus vault. For the first
line it says "Object is inaccessible." The second line got a green
check. There is nothing in the virus vault and the executable
MsMpEng.exe is still in place.
What does all this mean?

Have you tried the AVG forum? If this *is* a FP, then I suspect there
will be many posts on the subject.

[...]
 
I believe it's a memory location where AVG seems to *think* there is
trojan code.
Okay

It *might* be a false positive (all AV's do this from time to time). If
you submit the file (the MsMpEng.exe file detected as malware) to one or
more of the online file submision scanners, you can get some (sometimes)
helpful information.

Virustotal.com

Okay. I just sent it to them and they've seen it before, since April
2007, last seen 10/16/2010 about 28 minutes before I sent it in!

It says Detection ratio: 0/43 and it names 43 AV companies and none
say it's bad!!

Hmmm. The post update-definition memory scan just ran, and it says 2
found, none healed. I hope my friend won't find that unnerving, once
a day.
Jotti.org
Virscan.org


If something was turning it off, then you probably still had active
malware.

Apparently the other AV programs are designed to turn it off to
prevent conflicts, invited to do this by MS itself. However, I'd still
like to run it here. And I've been running AVG, SUPERAntiSpyware**,
and Windows Defender together for a few hours with no conflicts.

**SAS says specifically that it won't conflict with any other AV
program.

Come to think of it, I had all these same files for days before I got
W-Defender running automatically, and I didn't get any AVG alerts
then. So it only detects it when it's running! Interesting.
And the two infections are:

c:\program files\windows defender\MsMpEng.exe(1360):\memory_07d80000
and
c:\program files\windows defender\MsMpEng.exe(1360)

They are both labeled: Trojan horse Generic18.BNY]

What does this mean?

Both are generic detections (which should IMO be taken with scepticism)

Good to know.
of the same thing, one in file form and the other the in memory image of
the same.

I get it. Thanks.
[...]
I tried to move both items to the virus vault. For the first
line it says "Object is inaccessible." The second line got a green
check. There is nothing in the virus vault and the executable
MsMpEng.exe is still in place.
What does all this mean?

Have you tried the AVG forum? If this *is* a FP, then I suspect there
will be many posts on the subject.

I thought you guys were the font of all knowledge on this. And I
love newsgroups and hate web forums***, but if you say so, I'll go
look. Well, good thing it has a search function or this would be
terrible. About 7 hits and I looked at four and they all seem like
FPs there.

***If there were nothing better than webforums, they would be
wonderful, but it's so sad to see people leaving or not replenishing
newsgroups, and going to webforums which are so much harder to use.
And which don't allow cross posting even when it would be valid. There
just is no way to do it.
Thanks a lot.
 
There were some suggestions about excluding the MSSE default
installation directory from scanning, but I would think that the alerts
will go away when AVG gets tired of handling calls about the FP (if that
is indeed what this is).

Oh, and I think that number (1360) might be the process identification
number (PID).
 
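Added example by the editor; it is not code from this thread, from AVG or from Microsoft. It turns the two suggestions made so far (submit the file to VirusTotal; the number in parentheses is probably the PID) into a first-pass triage a practitioner would run before excluding anything. Assumptions: the number is a process ID, Windows PowerShell 2.0 or later with Get-AuthenticodeSignature, an elevated prompt (MsMpEng.exe runs as SYSTEM, so its module list is not readable from a normal user session), and the default Windows Defender path quoted in the alert. The function name Test-ProcessAlert is my own.

```powershell
# Added example by the editor; not code from this thread, from AVG or from Microsoft.
# Triage an AV alert of the form "<exe>(<n>):\memory_<addr>" on a Windows host.
# Assumptions: <n> is a process ID (as the reply above suggests), Windows PowerShell
# 2.0 or later with Get-AuthenticodeSignature, and an elevated prompt (MsMpEng.exe
# runs as SYSTEM, so its module list is not readable from a normal user session).

function Get-FileSha256 {
    param([string]$Path)
    # Hand-rolled so it also works on Windows PowerShell < 4.0, which has no Get-FileHash.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close() }
}

function Test-ProcessAlert {
    param(
        [int]$ProcId,                                                    # e.g. 1360
        [string]$ExpectedPath = 'C:\Program Files\Windows Defender\MsMpEng.exe'
    )
    $unsigned = $null

    # 1. Does the number resolve to a live process, and which image is it running?
    #    PIDs are reassigned on every start, which is why a later scan can report 1356.
    $wmi  = Get-WmiObject Win32_Process -Filter "ProcessId = $ProcId"
    $path = if ($wmi -and $wmi.ExecutablePath) { $wmi.ExecutablePath } else { $ExpectedPath }
    "[PID $ProcId] image: $path" + $(if (-not $wmi) { ' (no such process right now)' })
    if (-not (Test-Path -LiteralPath $path)) { "File not found: $path"; return }

    # 2. Is the file on disk an untampered, Microsoft-signed binary?
    #    Caveat: on older PowerShell builds Get-AuthenticodeSignature only sees embedded
    #    signatures; a catalog-signed OS file can show 'NotSigned' and still be genuine.
    $sig    = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
    "Authenticode: $($sig.Status); signer: $signer"

    # 3. Hash it so the sample can be looked up on VirusTotal by SHA-256 without
    #    uploading anything (the upload in this thread came back 0/43).
    $sha256 = Get-FileSha256 -Path $path
    "SHA-256: $sha256"
    "Lookup:  https://www.virustotal.com/gui/file/$sha256"

    # 4. A memory-only hit with a clean file on disk is either a signature false
    #    positive or foreign code inside the process; listing loaded modules that
    #    lack a valid signature is the quickest way to tell the two apart.
    $proc = Get-Process -Id $ProcId -ErrorAction SilentlyContinue
    if ($proc) {
        try {
            $unsigned = @($proc.Modules | Where-Object {
                (Get-AuthenticodeSignature -FilePath $_.FileName).Status -ne 'Valid'
            })
            if ($unsigned.Count -gt 0) {
                "Modules without a valid signature:"
                $unsigned | ForEach-Object { "  $($_.FileName)" }
            } else { "All loaded modules carry a valid Authenticode signature." }
        } catch { "Could not enumerate modules (run elevated): $($_.Exception.Message)" }
    }

    # The verdict is a heuristic, not proof: a genuine Microsoft signature, the
    # expected path and nothing unsigned in the process is what a false positive looks like.
    $msSigned = ($sig.Status -eq 'Valid') -and ($signer -like '*Microsoft Corporation*')
    $clean    = (-not $unsigned) -or ($unsigned.Count -eq 0)
    if ($msSigned -and ($path -ieq $ExpectedPath) -and $clean) { "Verdict: consistent with a false positive" }
    else { "Verdict: investigate further" }
}

Test-ProcessAlert -ProcId 1360
```

If the signature check reports NotSigned on a file you expect to be Microsoft's, cross-check with Sysinternals sigcheck or signtool verify /a, which also consult the Windows catalog files; only a file that fails both, or a process carrying an unsigned module from an odd location, deserves the "investigate further" label. Looking the hash up rather than uploading also avoids handing a possibly sensitive file to a third party.
 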
There were some suggestions about excluding the MSSE default
installation directory from scanning, but I would think that the alerts

Hey, that's a good idea. I know about excluding and yet I didn't
think of it. Maybe after I've excluded something once, today, it will
come to mind more readily the next time.

AVG has Potentially Unwanted Programs exceptions, and also Resident
Shield exceptions. I'm not sure which one will affect scanning, so I
entered the file name in the first one.

The PUP exception calculated a checksum, too. I have no idea why.
Well, the exclusion there didn't work anyhow.

Oh, there are 4 kinds of scans: whole computer, shell extension,
specific files and folders, and removable device. They provide for
excluded extensions, but none provide for a file or folder. I can
hardly exclude all .exe files!

The next possible item, Resident Shield, allows excluded files, so I
added this one, and ran a scan. It seemed to go to this file FIRST,
and scan several addresses, and then again it found two errors but
instead of
\MsMpEng.exe(1360) and
\MsMpEng.exe(1360):\memory_07d80000
it listed
\MsMpEng.exe(1356) and
\MsMpEng.exe(1356):\memory_07dr0000 !!

I suppose I should try excluding the whole folder but I'm pessimistic
and want to do something else. Did it anyhow, it didn't help.

Sigh.

will go away when AVG gets tired of handling calls about the FP (if that
is indeed what this is).


Oh, and I think that number (1360) might be the process identification
number (PID).

So maybe 1356 is another PID.
 