Avast WEBforum

Other => Viruses and worms => Topic started by: prong on November 21, 2008, 10:16:20 PM

Title: Suspicious Files Found! - Rootkit: hidden file
Post by: prong on November 21, 2008, 10:16:20 PM
Hi, I really hope someone can help me out with this...

I'm using avast! 4.8.1290, VPS 081120-0 and Windows XP Home SP2

A couple of days ago I updated avast! (program and database), and ran a thorough scan. After a few minutes I got the following message:

Quote
avast! Warning
Suspicious Files Found!
Suspicious files have been detected (using a heuristic method). This may be a sign of malware infection. Please allow the files to be submitted to our virus lab for analysis.

There were 117 files listed as 'Rootkit: hidden file' (see attached list), and the option to Delete or Ignore. After some quick research on Google, it looked as if at least some of the files were legit, so I clicked 'Ignore'. I then received this message:

Quote
avast! has detected a virus in the operating memory. Since it is very dangerous to work with the computer while the virus is active, it is strongly recommended that you restart the computer and let avast! scan all your data in the boot phase, before the virus can be activated. Do you want to schedule the boot-time scan and restart the computer?

I clicked 'yes', avast! ran the boot-time scan but it found nothing.
I then took a look at the avast 'Warning' log to try and see what caused the above warning message, and in addition to the aforementioned 'Rootkit: hidden file' entries, it said: 'Sign of "<" has been found in'...listing the location as the same as all 117 of the Rootkit entries, each one followed by '||AntiRootkit [FILE]|||100000|0|2|COO1||COO2||'. Take a look at the second attachment to see what I'm on about   ;D

I tried running a thorough scan again, and exactly the same thing happened. Weirdly though, the antirootkit scan that avast! performs automatically after start-up never detects anything.

Anyone know what's going on here? Any help would be much appreciated.
Title: Re: Suspicious Files Found! - Rootkit: hidden file
Post by: essexboy on November 21, 2008, 10:32:18 PM
Do you have an Acer?
Title: Re: Suspicious Files Found! - Rootkit: hidden file
Post by: julieinwv on November 21, 2008, 10:46:20 PM
Prong,

Sounds like what happened to me.
Title: Re: Suspicious Files Found! - Rootkit: hidden file
Post by: prong on November 21, 2008, 11:17:03 PM
Yeah, I'm using an Acer. I'm guessing that means the first few files on the list are false positives - my googling suggested they were Acer-related files. Still not sure about all the others though.
Title: Re: Suspicious Files Found! - Rootkit: hidden file
Post by: essexboy on November 21, 2008, 11:40:42 PM
The others are related to Windows PID data
Title: Re: Suspicious Files Found! - Rootkit: hidden file
Post by: yearcalendar on November 22, 2008, 10:17:47 AM
I am having the same problem too. :(

waiting to see if updates will solve the problem if these are FPs
Title: Re: Suspicious Files Found! - Rootkit: hidden file
Post by: Lisandro on November 22, 2008, 12:34:37 PM
Quote
I am having the same problem too. :(

Did you send the files for analysis?
Title: Re: Suspicious Files Found! - Rootkit: hidden file
Post by: yearcalendar on November 22, 2008, 02:36:50 PM
Quote
I am having the same problem too. :(
Did you send the files for analysis?

Yep. Actually, I did a rescan quite a few times. Ooops.. LOL. Every time Avast rescans, it sends out the files for analysis (I ticked the check box).
Title: Re: Suspicious Files Found! - Rootkit: hidden file
Post by: Lisandro on November 22, 2008, 03:35:43 PM
Quote
Every time Avast rescans, it sends out the files for analysis (I ticked the check box).

Hope they correct and improve detection soon.
Title: Re: Suspicious Files Found! - Rootkit: hidden file
Post by: prong on November 22, 2008, 06:07:17 PM
Quote
The others are related to Windows PID data

That explains the files in the \SoftwareDistribution\Download\ folder, and I've subsequently figured out that the files in \twain_32.dll\stdsc\ relate to an old webcam, and the files in \twain_32.dll\escndv\ are Epson scanner drivers. So it looks as if all of those supposed Rootkit: hidden files were false positives. However, I ran a scan again this time selecting the options to submit the files to the virus lab, and to Ignore the files and not be told about them in the future, and I still received the warning message about a virus in the operating memory, and the log entry about 'Sign of "<" has been found in'...etc.  ???

Is the 'virus' in the memory just avast! thinking there's still a rootkit present? And is the file with 'Sign of "<", with all the '||AntiRootkit [FILE]|||100000|0|2|COO1||COO2||'s in it, something generated by avast!?
Title: Re: Suspicious Files Found! - Rootkit: hidden file
Post by: Vlk on November 24, 2008, 06:42:45 PM
The "|COO1||COO2|" etc. thing was fixed in the 1290 build, but chances are the log entries come from a previous version.

Or do you disagree?
Title: Re: Suspicious Files Found! - Rootkit: hidden file
Post by: prong on November 24, 2008, 08:53:27 PM
Quote
The "|COO1||COO2|" etc. thing was fixed in the 1290 build, but chances are the log entries come from a previous version.

Or do you disagree?

The problem only started after I updated to the 1290 build. I tried to scan again today (build 1290, VPS 081123-0), and I'm still getting the same problems, only rather than 'Sign of "<" has been found in...', the log now says 'Sign of "#" has been found in...' followed by multiple instances of ||AntiRootkit [FILE]|||100000|0|2|COO1||COO2||
Title: Re: Suspicious Files Found! - Rootkit: hidden file
Post by: prong on November 28, 2008, 06:46:30 PM
Updated to build 1296, and the problem remains :(

Should I just manually add all those FPs to the exclusions list? Will that stop the 'virus in operating memory' warning?
Title: Re: Suspicious Files Found! - Rootkit: hidden file
Post by: prong on January 02, 2009, 04:37:35 PM
Re: http://forum.avast.com/index.php?topic=40382.msg347020#msg347020

Since updating to VPS 081229-0, the problem now seems to be solved. Many thanks to Vlk and the Avast team for getting this sorted out.

And yes, my Windows volume is formatted as FAT32.