Author Topic: How to "unignore" a file?  (Read 8542 times)


risingTide

  • Guest
How to "unignore" a file?
« on: September 02, 2008, 10:02:13 PM »
Greetings,

I recently downloaded Avast! and so far I love it.  After the first pre-boot scan it found one suspicious file upon startup.  The recommended action for it was to "ignore" so that's what I did.  However, I'd like to see what that file was again (and possibly just delete it).  Is there a way I can find that ignored file and "unignore" it?  I'm looking for some kind of exclusion list or something but can't find it.

Thanks for your help!

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: How to "unignore" a file?
« Reply #1 on: September 02, 2008, 11:13:17 PM »
The report file is created automatically in <avast4>\Data\Report\aswBoot.txt
The best things in life are free.

risingTide

  • Guest
Re: How to "unignore" a file?
« Reply #2 on: September 03, 2008, 01:24:31 AM »
That seems to be the report file for the initial pre-boot scan.  It does not contain the information I am looking for; sorry for the confusion.  The issue I'm dealing with is a file that it found after the pre-boot scan, right after it booted for the first time.  It found a file (I think) with the heuristic method and asked me what I wanted to do with it.  This was in a pop-up window and had two options:  Ignore or Delete.  I chose Ignore but would like to see details about where that file is now.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89053
  • No support PMs thanks
Re: How to "unignore" a file?
« Reply #3 on: September 03, 2008, 02:29:10 AM »
Then you are talking about the anti-rootkit scan 8 minutes after boot and that file is here, C:\Program Files\Alwil Software\Avast4\DATA\log\aswAr.log
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

risingTide

  • Guest
Re: How to "unignore" a file?
« Reply #4 on: September 03, 2008, 02:41:12 AM »
That does appear to be the file I'm looking for.  However, it only has the log from today's scan.  The scan I'm looking for is from about 10 days ago. 

Is there some way I can see what files are included on the RootKit exclusion list?  Shouldn't the file in question have been put somewhere like that? (There should be only this one in the list, since it was the only one I chose to ignore.)

Thanks!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89053
  • No support PMs thanks
Re: How to "unignore" a file?
« Reply #5 on: September 03, 2008, 02:57:28 AM »
This log isn't appended but replaced as it would quickly grow very large. So unfortunately you only see data for the last scan.

I'm not sure if this Ignore is something that gets carried over for every anti-rootkit scan or just that one. If it isn't then the detection may have been corrected in a VPS update, though there is no way to tell without information about the detection. So we are unfortunately in the chicken and egg scenario.

As for your planned action of if you could un-ignore it and delete it next time it was detected, that would really be even worse than the situation you're in. Deletion isn't really a good first option (you have none left), 'first do no harm' and investigate right away not 8 days later.

To be sure you haven't got anything malicious hidden, you could run some other anti-rootkit tools.

Also see, anti-rootkit, detection, removal & protection http://www.antirootkit.com/software/index.htm. Try these as they are some of the more efficient and user friendly anti-rootkit tools.
- Panda Rootkit Cleaner - http://research.pandasoftware.com/blogs/images/AntiRootkit.zip.
- Trend Micro RootkitBuster - http://www.trendmicro.com/download/rbuster.asp
- F-Secure Blacklight may not always be available, http://www.f-secure.com/blacklight

Remember, don't react, report.

risingTide

  • Guest
Re: How to "unignore" a file?
« Reply #6 on: September 04, 2008, 09:09:34 PM »
Thanks for the help.  I downloaded and installed Panda Rootkit Cleaner.  It didn't find anything, which is great, but how do I uninstall this program?  It doesn't show up in Add/Remove Programs and I also have Revo Uninstaller which doesn't show it either.

Any help removing Panda Rootkit Cleaner would be much appreciated.

Thanks.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89053
  • No support PMs thanks
Re: How to "unignore" a file?
« Reply #7 on: September 04, 2008, 11:11:18 PM »
It is a stand alone application, you should be able to just delete the location you put it.

Now you use the next application and if that finds nothing, run the next one. If nothing is found then you can be reasonably confident there isn't a rootkit on your system.

risingTide

  • Guest
Re: How to "unignore" a file?
« Reply #8 on: September 05, 2008, 05:08:48 AM »
Wow.  I can't believe I didn't notice that was an .exe when I ran it. 

Anyway, I used the other two and they both found nothing as well.  So I guess I'm looking good.

I think the file that was originally found might have been an odd-named driver, but I can't be sure: 

Service symc8xx [C:\WINDOWS\System32\Drivers\symc8xx.sys]

Regardless, I'm satisfied with the lack of findings.  Thanks so much for your help!
« Last Edit: September 05, 2008, 05:10:19 AM by risingTide »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89053
  • No support PMs thanks
Re: How to "unignore" a file?
« Reply #9 on: September 05, 2008, 05:59:25 PM »
You're welcome.

The driver looks suspiciously like something from Symantec though a google search on the file name doesn't seem to support my guess. http://www.google.co.uk/search?q=symc8xx.sys.

Does this one ring any bells, e.g. do you have a scsi drive or card on your system ?
http://www.runscanner.net/filelibrary/symc8xx.sys.html

So it would seem legit.
You could also check the suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here.

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re: How to "unignore" a file?
« Reply #10 on: September 07, 2008, 10:25:01 PM »
Regarding the original question:
I believe the excluded items are stored somewhere in avast4.ini - so to unignore the file, you'd have to open avast4.ini in Notepad, find the occurrence and remove it.

risingTide

  • Guest
Re: How to "unignore" a file?
« Reply #11 on: September 09, 2008, 01:59:33 AM »
Perfect!  That is exactly what I was looking for.  Here it is...the last two lines of the file:

Quote
[AntiRootkit]
Exceptions=C:\WINDOWS\System32\Drivers\symc8xx.sys

Turns out that the rest of this discussion was extremely helpful so I'm not going to delete it after all, but I really was curious as to where that Exception was stored.

Good show.  Many thanks to everyone!!
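
The manual edit described in Reply #10 and confirmed in Reply #11, as an added example that is not part of the thread and is not Avast code: it lists the `[AntiRootkit]` `Exceptions` entries in the text of avast4.ini and returns the text with one entry removed. The `;` separator for multiple entries and the placeholder section in the sample are assumptions; the thread only shows a single entry.

```python
# Added example, not Avast code. Section and key names come from the thread.
SECTION, KEY = "antirootkit", "exceptions"
SEP = ";"  # ASSUMPTION: separator for multiple entries; the thread shows one entry

# Constructed sample: the first section is a placeholder, the last two lines
# are the ones quoted in the thread.
SAMPLE = (
    "[Placeholder]\r\n"
    "Constructed=1\r\n"
    "[AntiRootkit]\r\n"
    "Exceptions=C:\\WINDOWS\\System32\\Drivers\\symc8xx.sys\r\n"
)


def _exception_lines(lines):
    """Yield (index, key, entries) for each Exceptions= line in [AntiRootkit]."""
    section = ""
    for i, raw in enumerate(lines):
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == SECTION and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            if key.strip().lower() == KEY:
                yield i, key.strip(), [p.strip() for p in value.split(SEP) if p.strip()]


def list_exceptions(text):
    """Return every path excluded from the anti-rootkit scan."""
    return [p for _, _, entries in _exception_lines(text.splitlines()) for p in entries]


def unignore(text, path):
    """Return the ini text with `path` dropped from the exceptions list.

    Paths compare case-insensitively, as on Windows; ValueError if not listed.
    """
    lines = text.splitlines()
    found = False
    for i, key, entries in list(_exception_lines(lines)):
        kept = [p for p in entries if p.lower() != path.lower()]
        found = found or len(kept) != len(entries)
        lines[i] = f"{key}={SEP.join(kept)}"
    if not found:
        raise ValueError(f"{path} is not in [AntiRootkit] Exceptions")
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    print(list_exceptions(SAMPLE))
    print(unignore(SAMPLE, "C:\\WINDOWS\\System32\\Drivers\\symc8xx.sys"))
```

Work on a copy of avast4.ini and keep the original as a backup before writing the result back.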

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89053
  • No support PMs thanks
Re: How to "unignore" a file?
« Reply #12 on: September 09, 2008, 02:28:10 AM »
You're welcome, glad things are a little clearer now.