Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: gcon60 on November 24, 2008, 04:05:18 PM

Title: New version finds rootkit hidden files - can't delete & nothing else does
Post by: gcon60 on November 24, 2008, 04:05:18 PM
A couple of days ago I installed the latest version of Avast.  I ran a thorough check and it found umpteen rootkit hidden files, e.g. windows/system32/spoolsv.exe and /spoolss.dll, etc.  I panicked of course, always good in a crisis.  I opted to delete the files, the system reloaded, ran the boot version and loaded again.  A run of Avast still found the rootkit hidden files.

Following this I ran several standalone rootkit finders and they were all clear.  I could not get rid of the Avast warning.  It was then I decided to prime down an August image of my system.  This was successful, so I updated Avast and ran a thorough scan....Oh NO!  I still got rootkit files.  I tried a few more standalone finder programs to no avail.

I deleted Avast and installed the free version of AVG.  Clean as a whistle, no nasty files found.  I then reinstalled an older version of Avast (1229) and it was all sweetness and light.

Now I don't know whether the new version is telling the truth and I do have rootkit files and the old version misses them, or if the new Avast is telling me a few porkies.

Please help!
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: Styx on November 24, 2008, 10:56:13 PM
I had the same issue. Interestingly, I submitted a Support Ticket and after I reported that I had "magically" stopped the Rootkit Notifications the Avast folks closed the ticket. So I just re-opened it, as the problem is not fixed, it was just worked around.

Here is how to do it:

http://forum.avast.com/index.php?topic=40203.0
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: DavidR on November 24, 2008, 11:36:04 PM
Well, spoolsv.exe and spoolss.dll are legitimate file names, but that is no guarantee they haven't been got at.

However, with the anti-rootkit scan (8 minutes after boot), I don't know if it is the sensitivity of the detection method that is causing this, but the strange thing is that I don't get any alerts (XP Pro SP3), nor, it would seem, do many others, or this forum would be lit up like a Christmas tree.

So there are obviously some other attributes that make it think it might be a rootkit: different OS, network printer driver loading early or hidden, I don't know, but it is causing some problems, as there are a few similar topics, as Styx mentions, and he did a lot of work trying to get the workaround to work.

Your test using AVG wouldn't find anything even if it were a valid detection, as there is no anti-rootkit in the free version.

When it detects it there is an option to send the file for analysis; if you didn't do that I would suggest you let that happen before you apply the workaround Styx gave the link for.
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: ardvark on November 24, 2008, 11:52:33 PM
Quote
Now I don't know whether the new version is telling the truth and I do have rootkit files and the old version misses them, or it the new Avast is telling me a few porkies.

Hi...

You can try using a standalone rootkit scanner to verify which is the case. Here are two...

F-Secure's Blacklight...

http://www.f-secure.com/security_center/

(scroll down to "downloads.")

Trend Micro Rootkit-Buster...

http://www.trendmicro.com/download/rbuster.asp

Hope this helps. :)

Best Regards...
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: Styx on November 25, 2008, 03:34:55 AM
Greatis's Reanimator is a superior rootkit detector/remover.

Also RegRun is the ultimate in protection especially the Gold/Platinum version.

http://www.greatis.com/security/
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: Maxx_original on November 25, 2008, 11:20:00 AM
wait for the program update, which should be released today.. ;)
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: sugaree on December 02, 2008, 06:26:41 AM
Hello,

Avast 4.8 Pro complains about a rootkit hidden file on a WinXP computer I support.  The infected file is c:\Windows\System32\Drivers\cinemsup.sys.  When the problem first appeared the owner of the computer opted to send the file to the AVAST folks.  When the problem occurred again I opted to delete the file.  A warning was displayed that the memory is infected and I should restart the OS and run a full scan.  I did that and no infected files were detected.  The warning appeared again.  This time I opted to delete the file and when warned about restarting and running a scan I selected to skip the reboot and go ahead and delete the file.  Now an AVAST full scan of the drive shows no infected files, yet the rootkit warning continues to appear some time after booting the system.

The last post in this thread mentioned an update to AVAST.  Is this possibly a problem in AVAST that has been fixed by a recent update?

Thanks for any help/suggestions,

Charles
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: gcon60 on December 02, 2008, 10:54:01 AM
Hi,

Thanks to everyone for all the good advice.  I tried them all to no avail.  Reanimator gave me a list of possible dodgy files, but I don't believe they are, so I ignored the results.

I still use the older version of Avast (1229) and do a regular full run and all is ok.  I have not had the courage to update again to the latest version that gave me the problem.

To sum up - I'm confused.
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: Maxx_original on December 02, 2008, 11:36:44 AM
sugaree: the problem (hopefully resolved with the last program update) was related to wrong name/path interpretation, which caused multiple wrong rootkit detections on some machines. Your entry seems to be OK. The reason why it has not been cleaned during the boot-time scan is that there's probably no exact detection for the scanner. The standalone scanner and the antirootkit module are two different instances based on different schemes (antirootkit is not signature based). When the AR detection occurs, you're notified and you can send the file for further analysis. The file is then analysed in our virus lab and, in case of confirmed malicious behaviour, the exact detection for the scanner is added. That's the moment from when you will be able to remove the file with the boot-time scanner. It's a safety criterion to not make any definite cleaning until we're sure we're dealing with a piece of malware.
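The mechanism Maxx_original describes above, illustrated with an added example (this is not avast code; the avast antirootkit module is not public). A cross-view rootkit heuristic enumerates the same directory through two independent routes, for instance the Win32 API and a raw parse of the NTFS volume, and reports anything the low-level view returns that the high-level view does not as a "hidden file". No signature is involved, so the comparison is only as good as the path canonicalisation in front of it: if the two views spell the same file differently (case, separators, an NT-native \??\ prefix, an 8.3 short name), a naive set difference reports legitimate files such as spoolsv.exe as hidden, which is a "wrong name/path interpretation" false positive of the kind described. The two directory listings, the 8.3 alias table and the hidden.sys entry below are all constructed for the example.

```python
"""Cross-view hidden-file check with path canonicalisation.

Added example, not avast code. Two listings of the same directory are
compared: API_VIEW (what the Win32 API returned) and RAW_VIEW (what a
low-level enumeration returned). Anything in RAW_VIEW that is missing
from API_VIEW is a "hidden file" candidate. Spelling differences between
the two views must be removed first, or the diff produces false positives.
All sample data and the 8.3 alias table are constructed for this example.
"""
from __future__ import annotations

import ntpath

# Constructed: hypothetical 8.3 short-name aliases a raw enumeration might
# emit. A real implementation would take these from the volume itself.
SHORT_NAMES = {
    "PROGRA~1": "Program Files",
    "SOFTWA~1": "SoftwareDistribution",
}

NT_PREFIX = "\\??\\"  # NT-native path prefix some low-level APIs return


def normalize(path: str) -> str:
    """Canonicalise a Windows path so both views spell a file identically.

    Handles the NT-native prefix, forward slashes, '.' and duplicate
    separators, 8.3 short names and case-insensitive comparison.
    """
    p = path
    if p.startswith(NT_PREFIX):
        p = p[len(NT_PREFIX):]
    p = ntpath.normpath(p.replace("/", "\\"))  # ntpath works on any host OS
    parts = [SHORT_NAMES.get(part.upper(), part) for part in p.split("\\")]
    return "\\".join(parts).lower()


def hidden_files_naive(api_view: list[str], raw_view: list[str]) -> list[str]:
    """Raw set difference: every spelling mismatch becomes a 'hidden file'."""
    return sorted(set(raw_view) - set(api_view))


def hidden_files(api_view: list[str], raw_view: list[str]) -> list[str]:
    """Cross-view diff after canonicalisation; returns raw-view spellings."""
    seen = {normalize(p) for p in api_view}
    return sorted(p for p in raw_view if normalize(p) not in seen)


# Constructed sample listings for one directory tree.
API_VIEW = [
    r"C:\Windows\System32\spoolsv.exe",
    r"C:\Windows\System32\spoolss.dll",
    r"C:\Windows\System32\Drivers\cinemsup.sys",
    r"C:\Windows\SoftwareDistribution\Download\cab1.cab",
]
RAW_VIEW = [
    r"c:\windows\system32\SPOOLSV.EXE",                # case differs
    r"C:/Windows/System32/spoolss.dll",                # separator differs
    r"\??\C:\Windows\System32\Drivers\cinemsup.sys",   # NT-native prefix
    r"C:\Windows\SOFTWA~1\Download\cab1.cab",          # 8.3 short name
    r"C:\Windows\System32\Drivers\hidden.sys",         # absent from API view
]


def demo() -> tuple[list[str], list[str]]:
    """Return (naive result, canonicalised result) for the sample data."""
    return hidden_files_naive(API_VIEW, RAW_VIEW), hidden_files(API_VIEW, RAW_VIEW)


if __name__ == "__main__":
    naive, canonical = demo()
    print("naive diff :", naive)      # 5 entries, 4 of them false positives
    print("canonical  :", canonical)  # only hidden.sys
```

Run as is, the naive diff reports all five raw-view entries while the canonicalised diff reports only hidden.sys. Two caveats a practitioner would add: the low-level view has to come from something the rootkit cannot hook (reading the volume directly, or an offline boot-time scan), otherwise both views are lies and the diff is empty; and the cure for this class of false positive is better canonicalisation, not suppressing cross-view hits, since a file genuinely absent from the API view is the most direct evidence of filesystem hiding a scanner can get.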
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: Styx on December 02, 2008, 12:28:09 PM
A Google of cinemsup.sys shows that it "might" be a malware problem. If the file still exists, check its size and then Google it.
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: sugaree on December 02, 2008, 02:43:04 PM
Hello,

Thanks for your kind consideration and helpful responses.  I'll try out the latest update of AVAST to see if that helps.

Charles
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: gcon60 on December 03, 2008, 10:55:06 AM
I bit the bullet and reinstalled Avast 1296 and ran a thorough check.  As before it found rootkits, windows/system32/spoolsv.exe and /spoolss.dll, etc., so nothing has changed.

What should I do now?
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: Vlk on December 03, 2008, 11:44:33 AM
We're looking for someone who'd help us analyze this strange issue by allowing us to do a remote desktop connection to his/her machine.

Would anyone of you (who have the problem) be willing and able to do that?

Thanks
Vlk
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: Crowella on December 03, 2008, 02:53:13 PM
I'm happy to help, but you'll have to give me idiot-proof step-by-step instructions as to what I have to do! Also I need to know that my laptop won't be affected by it; I'm studying for my PGCE and have all my work on here! Anyway, let me know.

Christine
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: Vlk on December 03, 2008, 03:07:32 PM
OK, let's try something easy first.

Please do the following:

1. download this file http://public.avast.com/~vlk/aswAr0.dll and place it in the <avast>\data folder (overwrite existing)

2. rerun the scan, and wait for the "rootkits found" message to appear

3. send me the file <avast>\data\aswAr1.log that should get generated during the scan.


Thanks
Vlk
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: Crowella on December 03, 2008, 03:15:38 PM
Erm, when I run it I get a Spybot S&D window, not Avast. It runs a scan (takes seconds) and says aswArO.dll nothing found.

I'm doing something wrong, aren't I?!

Christine
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: Vlk on December 03, 2008, 03:37:10 PM
Wait a moment. You have to DOWNLOAD the file, and place it in the avast\data folder.
Not RUN it. :)

Cheers
Vlk
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: Crowella on December 03, 2008, 03:46:24 PM
Hi there, sorry but when I click on the link it just downloads and I get a little icon on my desktop; I assumed you wanted me to run it. I'm afraid you'll have to clarify what you mean, I'm a complete lemon when it comes down to anything technical! Or maybe someone else on the forum may be a better bet?

Sorry for being a pain.

Christine
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: Vlk on December 03, 2008, 03:53:13 PM
Aha, OK, no problem. What browser are you using?

Thanks
Vlk
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: Eddy on December 03, 2008, 03:54:57 PM
Right-click the link Vlk gave you, choose "save as".
Download and save the file to C:\program files\ALWIL Software\avast4\data\
(assuming you have a default avast installation).
If you get a message that the file already exists, overwrite the current file.
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: Crowella on December 03, 2008, 04:11:36 PM
I use Firefox. I right-clicked and got 'save link as', and a window appeared, not sure what to do from there... ???

Christine
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: Eddy on December 03, 2008, 04:16:38 PM
Ok, that is good. Select in the window the folder Vlk and I gave you (C:\program files\ALWIL Software\avast4\data\), then choose to download the file.
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: Maxx_original on December 03, 2008, 04:25:09 PM
how about disabling the self-defense first? don't know if this has been done already..
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: Crowella on December 03, 2008, 04:36:33 PM
Sorry guys, but this isn't happening; I get a window and in the text field for file name I've got aswArO. It seems to want to save this to my desktop.

Can hear gnashing of teeth already!
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: Vlk on December 03, 2008, 04:48:37 PM
Hi Christine,

don't worry about it. Maybe someone else with the same problem will follow up.

We don't want you to spend the whole afternoon with this! :)

Cheers
Vlk
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: Crowella on December 03, 2008, 05:00:31 PM
So sorry about that, it's obviously not my day!

Just out of interest, if these false positives keep coming up, how am I to know when a real one is there? After all, I don't want to damage my machine by deleting something I shouldn't; it's a bit like the boy who cried 'Wolf!'. I'm wondering whether it's a good idea to carry on using Avast if I can't trust the results. What do you guys think?

p.s. And I am very grateful for your help, please don't think the question above is a reflection on you guys, not meant in that way!

Christine  :)
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: Vlk on December 03, 2008, 05:44:42 PM
You can ignore the "suspicious file" type of warnings. However, don't ignore the "A virus was found" warnings (if any).
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: Eddy on December 03, 2008, 05:45:44 PM
Disable the self-protection (steps 4 - 6 on THIS website (http://imbacore.blogspot.com/2008/08/how-avast-antivirus-can-be-temporarily.html)).

Then click HERE (http://downloads.ache.nl/avasthelp.exe) and open (run) that file,
or save it and then double-click it.

It will do exactly what Vlk told you (downloading and installing the file in the correct folder).

Edit:
Vlk, for your information: that little .exe is just an installer that places the aswAr0.dll in the data folder for her.
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: Crowella on December 03, 2008, 06:39:36 PM
Hi there,

Did as you asked, even got a nice orangey screen with my name on it (I'm easily pleased!); it's now sitting as an icon on my desktop, should I run it?

C
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: Eddy on December 03, 2008, 07:07:01 PM
On the screen with your name on it, click Next, then click Install (after you have disabled the self-protection).
That is all you have to do.
Once you have done it, you can enable the self-protection again.

This has copied aswArO.dll to the correct folder as Vlk asked you.
I leave it up to him to guide you further.

You can remove the icon from your desktop if you want.
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: igor on December 03, 2008, 07:31:34 PM
I'd say the file is called aswAr0.dll, not aswArO.dll (i.e. it's zero, not "O" letter)
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: Crowella on December 03, 2008, 08:04:17 PM
Is this what you need? Attached it down below.

Christine
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: Eddy on December 03, 2008, 08:15:34 PM
See, you can do it (with a little help)  ;)
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: Vlk on December 03, 2008, 08:33:16 PM
Quote
Is this what you need? Attached it down below.

Unfortunately not quite. :)

I need the file C:\Program Files\ALWIL Software\Avast4\Data\Log\aswAr1.log (if it exists; if it doesn't, we have done something wrong)...


Thanks
Vlk
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: Crowella on December 03, 2008, 08:59:49 PM
Hi there, I think I've got it but couldn't attach it as the file was too large, any suggestions? Can't copy/paste it as there's too much text; it's a looong list! I could email it if that's any good?

Christine
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: igor on December 03, 2008, 09:06:26 PM
Sure, you can send it to Vlk's e-mail (you'll see it when you click on his profile).
Or, if needed, you can upload it to our FTP server: ftp://ftp.avast.com/incoming
Thanks!
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: Crowella on December 03, 2008, 09:34:50 PM
Thanks for that, I've just emailed it to him, bet you're all fed up of me now!  ;)

Cheers all!

Christine
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: igor on December 03, 2008, 09:39:45 PM
Of course not... we'd like to uncover this mystery.
Thanks for your help, let's hope Vlk finds out something.
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: Eddy on December 03, 2008, 09:44:48 PM
Quote
Thanks for that, i've just emailed it to him, bet you're all fed up of me now!
No way!  :D

Vlk loves these problems ;D
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: Crowella on December 03, 2008, 10:08:29 PM
I'm glad someone does! Viruses, trojans, rootkits...for me it's the stuff of nightmares! I'm even starting to feel nostalgic for those halcyon days of Sinclair ZX Spectrums (my Dad had one), before viruses and all the other nasties were ever invented! Ahh... happy days!  :D

Christine
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: Vlk on December 03, 2008, 10:58:03 PM
Interesting indeed. :)

Could you please try doing the following?

Go to My Computer, right-click disk C: and choose Properties. Go to the Tools page and click the "Check Now..." button.

Click Start, and let the operation complete.

Does it report any problems?

And if you re-run the scan after this, does it still find the "rootkits"?

Thanks
Vlk
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: Crowella on December 03, 2008, 11:57:30 PM
Hi there,

Just did the disk check as you asked and no problems - 'Disk check complete'. Will re-run the Avast scan and let you know! When you say 'interesting' does that mean good interesting or bad (you're full of nasty viruses) interesting?

Cheers,

Christine
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: Crowella on December 04, 2008, 01:08:55 AM
Grrrr...ok, just finished the Avast scan and it's exactly the same: the pop-up saying suspicious files (the rootkits) have been found using the heuristic method and asking me to reboot, then the pop-up appears informing me there's a virus in the memory.

Nothing's changed i'm afraid!  >:(

Night night all...

Christine
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: gcon60 on December 04, 2008, 05:08:41 PM
Hi Vlk,

I have been reading your latest suggestions.  Would it be useful if I also sent you the resultant file?

Gerard
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: Vlk on December 05, 2008, 09:32:58 AM
Hi gcon60,

I don't know how proficient you are with computers, but if you can handle the command line, I'd be grateful if you could do the following:

1. download http://public.avast.com/~vlk/avar.exe and place it in a directory
2. start cmd.exe, go to the directory where you placed avar.exe and run the following command:

avar.exe -a -f c:\ >avar.txt

3. when the command completes (may take some time, roughly 10 minutes or so, depending on the size of your C: drive) send me the resulting file avar.txt (by email).


Thanks
Vlk
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: gcon60 on December 05, 2008, 12:24:44 PM
Vlk,

I have emailed the avar.txt file - good luck.  I know, not luck....but ...SKILL.

Gerard
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: Vlk on December 05, 2008, 12:33:46 PM
Great, thanks for that.
Could you please also send the scan log? (so that we can match these logs together)?

Thanks
Vlk
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: Crowella on December 06, 2008, 01:26:51 PM
Hi all,

So is there a verdict on this yet? Are we clean (and can I carry on with my internet crimbo shopping?!) or full of 'orrible nasties?  :o

Cheers guys,

Christine
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: boston on December 06, 2008, 03:39:00 PM
I'm having the same rootkit issues here.  Is progress being made on how to solve this?
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: anjana on December 15, 2008, 07:49:44 AM
My computer has been acting weird; in fact when I turned it on a couple of days ago, it rebooted my Windows XP to a few years ago, I lost all my info.
I ran an antivirus today and it froze; when I came back, on the log I found that every 2 seconds it has found "rootkit: hidden file" has been found in...actually in many places.
I could not complete the scan because it froze after an hour running.
Is this a real threat or just something else?
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: Lisandro on December 15, 2008, 03:40:13 PM
anjana, some recent hidden files detections were false positives. Update your avast and check if the problem persists.
If so, can you say what is the infected file name, where was it found (C:\windows\system32\infected-file-name.xxx)?
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: gcon60 on December 15, 2008, 06:17:33 PM
Vlk,

I still get a load of rootkit hidden file comments when I run a thorough scan.  This afternoon a single file report popped up without having to run an Avast scan at all.  I did the usual; ignore, reload and run bootscan...... as before, NIL found.

Are you any nearer finding the problem with this?  I am going to revert back to version 1229 to avoid rootkits in the meantime, unless I can do any more to help.

Regards

Gerard
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: anjana on December 15, 2008, 08:20:40 PM
I update automatically regularly.
I also get a load of rootkit hidden file comments when I run a thorough scan.
I ran the scan again last night, and again after an hour it froze.
For the first hour every second or two this came out:
"rootkit hidden file" has been found in C:\WINDOWS\SoftwareDistribution\download\59fc8f12b80caa9911...

then this came out:
Sign of "rootkit hidden file" has been found in "C:\WINDOWS\SYSTEM.CB\mapi32.dll" file
Sign of "rootkit hidden file" has been found in "C:\WINDOWS\SYSTEM.CB\MAPISRVR.EXE" file
Sign of "rootkit hidden file" has been found in "C:\WINDOWS\system.ini\mapi32.dll" file
Sign of "rootkit hidden file" has been found in "C:\WINDOWS\system.ini\MAPISRVR.EXE" file

thanks!

Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: Crowella on December 15, 2008, 10:29:06 PM
It's still happening to me too, and I'm getting a bit fed up of it. Was anything found when I emailed the log?

Thanks all!

Christine
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: Lisandro on December 15, 2008, 10:38:16 PM
Did you update to the latest virus database?
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: anjana on December 16, 2008, 06:53:04 AM
yes, I did...
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: Lisandro on December 16, 2008, 11:53:52 AM
Quote
yes, I did...
Do you have an Acer computer?
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: gcon60 on December 16, 2008, 03:29:39 PM
I have an Acer laptop although I don't see what that has to do with it as I updated another Acer last week to 1296 and it was fine.

Gerard
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: Lisandro on December 16, 2008, 03:37:22 PM
Quote
I have an Acer laptop although I don't see what that has to do with it as I updated another Acer last week to 1296 and it was fine.

Gerard
Some Acer computers are affected by a bug (in avast or in Acer, we don't know yet).
Disable rootkit scanning in the Troubleshooting tab of program settings as a workaround.
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: gcon60 on December 16, 2008, 03:48:00 PM
Interesting!  My Acer has co-existed with the Avast program for several years now and works fine with version 1229, so I guess the bug is in 1296.

Gerard
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: Lisandro on December 16, 2008, 09:59:59 PM
Quote
Interesting!  My Acer has co-existed with the Avast program for several years now and works fine with version 1229, so I guess the bug is in 1296.

Gerard
You're right... seems so.
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: anjana on December 16, 2008, 11:24:58 PM
No, I don't have an Acer, it's HP
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: kd5 on December 16, 2008, 11:28:43 PM
I'm running into the same problem here, a whole list of suspected rootkits in the spoolsv.exe and spoolss.dll files, mostly in the Microsoft Document Imaging (mdigraph.dll, mdiui.dll, mdippr.dll) and the Software Distribution folder for printer files and updates.  I've run several online scans, Spybot, SUPERAntiSpyware, and the Sophos Anti-Rootkit scanner, all of which found nothing.  After reading this thread I opted to choose Ignore, and Don't notify me again, but then Avast tells me it detected a virus in memory and wants to scan at reboot.  I've allowed this to happen twice, which found nothing.  I told Avast not to scan at boot once but Avast froze, eventually it continued scanning to completion (including the report containing all the erroneous rootkit detections).  I then exited Avast and rebooted so I could run the scan again, which found the same supposed rootkits, even though I'd told Avast to ignore them and not to notify me again.

This is bad news for Avast.  I hope you get this problem fixed soon.       -kd5-

Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: Lisandro on December 17, 2008, 12:58:33 AM
I think it's time to work... there is something cheesy in the rootkit scanning... programmers uh uh  :(
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: Lisandro on December 17, 2008, 12:59:40 AM
kd5, I forgot to say that the best option will be disabling rootkit scanning in the Troubleshoot page of program settings for a while. You'll decrease protection, but, at least, your computer will be yours...
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: kd5 on December 17, 2008, 04:56:03 AM
I hate the idea of disabling any of Avast's capabilities but if that is the only option available to me then I suppose I will have no other choice.       -kd5-
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: gcon60 on December 17, 2008, 10:00:21 AM
Better still, revert back to an earlier version of Avast with the up-to-date virus database and you should be protected.  I use 1229.

Gerard
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: Lisandro on December 17, 2008, 11:42:32 AM
Quote
Better still, revert back to an earlier version of Avast with the up-to-date virus database and you should be protected.  I use 1229.
Good suggestion.

1. Uninstall avast from Control Panel first.
2. Boot.
3. Use Avast Uninstall for complete uninstallation.
4. Boot.
5. Stay off-line (not connected to Internet)
6. Install again the old version: http://filehippo.com/download_avast_antivirus/
7. Boot.
8. Register avast (insert the registration key).
9. Uncheck the programs updates (set to manual).
10. Only then connect to Internet (go on-line).
11. Check and post the results.
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: Vlk on December 17, 2008, 12:31:15 PM
So, to recap, everyone having the problem has an Acer laptop, correct?
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: kd5 on December 17, 2008, 02:10:34 PM
No.  This is a custom-built desktop computer, Windows XP Home Edition, currently SP2, soon to become SP3 (as soon as I can overcome this sense of unease regarding these false positives).  There is no Acer anywhere near this computer.       -kd5-
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: Vlk on December 17, 2008, 06:20:28 PM
Would anyone of you be willing to give me a remote access to your system?

Remote desktop, or LogMeIn, or something similar.


Thanks
Vlk
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: anjana on December 18, 2008, 10:03:41 PM
Quote
So, to recap, everyone having the problem has an Acer laptop, correct?

No as I mentioned  mine is a HP
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: Dwarden on December 19, 2008, 06:24:55 AM
I just hate myself: I 'destroyed' (total wipe by drive manufacturer test tools) what was most likely a very infested OS with some weird rootkit
(no known AV was able to pick it up), but it was able to kill any AV (including the latest KAV, Avira, DRW5 etc.) in exactly a 24-48h timeframe after install...
but AVs with self-protection were able to spot something going wrong but failed to protect themselves, at most just reporting self-damage, like avast warning about modification of its own files.

All I know is it made several sectors on the OS partition inaccessible to the OS, causing issues when the OS tried to access them in a non-standard way and the OS crashed...
(the HDD is without any physical errors, tested by several tools to be sure)

The most interesting thing was that due to these errors it was impossible to obtain a flawless 1:1 image of the infected OS drive.
Also inside the whole memory dump there were some traces indicating it's using some of the RPC exploits known to date.

I got a copy of all possible files from that system but I doubt that will lead to any successful find; but if someone is interested just PM me. Passive scans reveal nothing...
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: gcon60 on December 20, 2008, 01:27:33 AM
Vlk,

Access to someone's PC is a hard one to comply with.  Too many bits 'n pieces that are secure.  Can you not think of another way to crack this problem.  It really needs fixing!!!

Gerard
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: DavidR on December 20, 2008, 01:38:05 AM
And this is what they are trying to do: go the extra mile to research why it might be happening, and simply submitting the file may not provide enough information, since this problem (for the most part) only seems to be affecting a limited subset of users and avast are obviously unable to replicate the problem in their labs.

It is very rare to see this kind of commitment to resolve a problem that isn't affecting all avast users.

If you can't trust your AV who can you trust as you are effectively trusting them by installing the AV. If you have anything truly sensitive you could encrypt and password protect the folder/s that it is in.

I have never had to use a remote connection but you have to be present and I guess could monitor what is going on.
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: gcon60 on December 20, 2008, 11:10:45 AM
I fully understand what you are saying, but cannot fully accept that the internet is safe enough to take any chances.   To a degree I can work under instructions.
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: igor on December 20, 2008, 01:32:05 PM
I have never had to use a remote connection, but you have to be present and I guess you could monitor what is going on.

Not really, at least not for Remote Desktop, not sure about LogMeIn.

Anyway, it's understandable that not everybody would agree to that; however, we are really not able to simulate this and the whole thing is a mystery (i.e. there doesn't seem to be any visible problem in the code) - so, we really need somebody to help us out by providing the access to his/her computer where the problem reproduces. Let's hope somebody appears soon.
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: Lisandro on December 20, 2008, 01:48:44 PM
Not really, at least not for Remote Desktop, not sure about LogMeIn.
LogMeIn uses an https (secure) connection if I'm not wrong.
You will be as exposed as when you're using the Internet.
Allowing a remote connection to Vlk won't expose your system.
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: igor on December 20, 2008, 01:52:47 PM
That's not what I meant - I was just trying to say that a remote desktop-ped machine has a blank screen, you don't see anything and can't interfere (except for closing the connection).
As I wrote, I don't know LogMeIn, could be different there ;)

Of course, Vlk is not interested in the data stored on the machine - only in finding out the cause of the problem.
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: Lisandro on December 20, 2008, 01:59:21 PM
I was just trying to say that a remote desktop-ped machine has a blank screen, you don't see anything and can't interfere (except for closing the connection).
In which side? With LogMeIn, the host desktop could be seen by the guest...
Maybe we're talking the same with different words :-[
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: kd5 on December 20, 2008, 02:30:25 PM
The computer I was having a problem with now has a new hard drive and a fresh XP Home installation.  Sorry but I could not delay the repair I was doing on that computer.  Turns out the hard drive had numerous errors and SeaTools refused to repair after 99 errors were found.  Don't know if that has anything to do with this problem or not, I'll be reinstalling updates/software for a couple of days, the printer software is always one of the last things I install.  We'll see how it turns out, I'll let you know if I get the same report with this fresh install.       -kd5- 
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: TheScorpion on December 21, 2008, 01:43:09 AM
Getting the same problem. Avast 4.8 Home, build 1296, Win XP Pro on an ASUS laptop.
Thorough scan comes up with a load of 'Suspicious' heuristically found rootkit files. Amongst them are:

Windows\system32\spoolss.dll\drivers\w32x86\BROFX05A.dll
Windows\system32\spoolss.dll\drivers\w32x86\BRIFX05A.dll
Windows\system32\spoolss.dll\drivers\w32x86\ppbiNT.dll
I386\DRWATSON.ex_\FAULTH.dll

It gave the option to delete these or ignore; they looked like they might be OK so I 'Ignored'.

The scan also seems to freeze at around the 35K to 40K file mark.
Don't know if this is relevant too, (I've also posted separately on this) but the 'Current Scan Status' indicator remains at 0% throughout the scans.
AVAST  said it had found a virus in memory or something and got me to do a bootscan which scanned all drives but found nothing.
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: gcon60 on December 21, 2008, 11:00:05 AM
AVAST CHECKING LOG

Avast revision 1229  >  1296  rootkits detected

Reverted back to 1229 and ok

1229  >  1290  rootkits detected

Reverted back to 1229 and ok

1229  >  (used upgrade) 1282  (081112-0)     crashed around 25,000 files +  approx same area as rootkit detection
            Prior to crash Zone Alarm reported Avast wanted to launch DWWIN.EXE.
            Allowed and crashed

1282 (081112-0)      Same as above, but this time denied – crashed

1282 (081219-0)      At 25,422 files  ….system32\drivers encountered a problem needs to close.

Uninstalled upgraded 1282.  followed by clean install rather than upgrade of 1282.

1282 (081112-0)      Crashed at same point.

Reinstalled  1229 (081220-0)  No problems


It would appear that 1282 had a problem and when 1290 was released rootkits were found around the same area that 1282 had the problem.  I am not qualified to make any assumptions as to what is happening here.

Is this helpful?

Regards

Gerard



Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: gcon60 on December 23, 2008, 06:10:51 PM
Any clues, anybody?
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: polipodi on December 26, 2008, 02:11:27 PM
Dear Avast Support Team,

I've got in my hands a computer with this problem. It's an ACER laptop.
Avast is detecting a rootkit which does not seem to be present in the system.
Avast version is 4.8.1296.
If it can help you to track down the issue, I can install LogMeIn on the computer and give you full access.
FYI: I am located in France.
Feel free to contact me by PM if you are interested in accessing this computer.
Unfortunately, I won't be reachable for the next few hours. I think we could have a meeting next week.

Thanks,
Luc

Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: igor on December 26, 2008, 02:15:31 PM
Great! So, the symptoms are the same - obviously wrong file paths, right?
For example: C:\Windows\system32\spoolss.dll\drivers\something
- where spoolss.dll is a file, not a folder, i.e. there can't be any further path following.
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: polipodi on December 26, 2008, 06:49:01 PM
Yeah, in my case one of the detected files is
"c:\windows\system32\setupapi.dll\medctroc.dll"
and obviously "c:\windows\system32\setupapi.dll" is a file, not a folder, and not an archive.
Note also that I get several occurrences under "setupapi.dll": medctroc.dll, ehOCGen.dll, plusoc.dll.
And finally, all these files are actually located in the folder "c:\windows\system32\Setup".

Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: Vlk on December 26, 2008, 08:05:20 PM
polipodi,

I sent you an email.
Again, thanks for your willingness to help to solve this pesky problem.

Cheers
Vlk
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: yare on December 26, 2008, 09:23:39 PM
I am experiencing the same problems as all the folks that have posted here. Hopefully a solution will be found soon.

I am running avast! 4.8 Home Edition (updated today to the latest version, virus db update December 26th 2008) on Windows 2000 SP4 on a custom built PC.

I use several tools beside avast! (S&D, SuperAntiSpyware and MalwareBytes' AntiMalware); I have updated all of them and ran scans, but no malware/rootkits were found.

Avast! reports several rootkits (heuristic warnings) within the spoolsv.exe and spoolss.dll files (same scenario -> after selecting to ignore these findings I receive a "Virus in active memory" warning and then I am prompted to perform a boot scan. The boot scan ends up OK - no virus found).

In the meantime I tried to disable rootkit detection (avast! menu -> Settings -> Troubleshooting -> Disable rootkit detection), as suggested in this thread, but without success - when I start a local disk scan it moves on through the Windows system folder and then reports the above mentioned error. I guess I am safe enough because the boot scan returned no virus/malware found (am I right?) but I would like to be able to run a disk scan from Windows.

Can someone tell me what I am doing wrong?
Thank you.
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: kd5 on December 27, 2008, 02:08:27 PM
The computer I was having a problem with now has a new hard drive and a fresh XP Home installation.  Sorry but I could not delay the repair I was doing on that computer.  Turns out the hard drive had numerous errors and SeaTools refused to repair after 99 errors were found.  Don't know if that has anything to do with this problem or not, I'll be reinstalling updates/software for a couple of days, the printer software is always one of the last things I install.  We'll see how it turns out, I'll let you know if I get the same report with this fresh install.       -kd5-

Got the computer back up and running, installed and ran Avast! both before and after the HP printer installation, no rootkits were found.  The same applications that were on the computer before have been reinstalled so I have to assume the rootkit problem had something to do with the 99+ errors Seatools found on the previous hard drive.  Have no idea what the errors were about but I wasn't taking any chances, a 20gb 5400rpm hard drive is woefully inadequate for an acceptable Windows XP installation anyway... ::)       -kd5-
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: Vlk on December 29, 2008, 05:07:07 PM
With the invaluable help of polipodi, it seems that we have solved the problem now.
The fix should be included in the latest VPS update (081229-0).

Please try this latest VPS and report back if the problem is really solved.


BTW can anyone who had the problem confirm that their Windows volume is formatted as FAT32? (this would explain the increased number of Acer laptops in the set as Acer seems to preinstall Windows XP on FAT32 volumes).


Thanks
Vlk
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: yare on December 29, 2008, 08:50:40 PM
Hi, my OS is running on FAT32 - I know, outdated but after installing all tools I left it like that (will transfer to NTFS in the future).

I have updated the VPS and I am ready to run a full scan - will report results here as soon as the scan is over.

Again thank you very much for very quick response to this issue.
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: DavidR on December 29, 2008, 09:46:05 PM
No need for a full scan, just reboot, the anti-rootkit scan runs 8 minutes after boot and takes seconds, so would be quicker than a full scan.
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: TheScorpion on December 29, 2008, 10:10:30 PM
No need for a full scan, just reboot, the anti-rootkit scan runs 8 minutes after boot and takes seconds, so would be quicker than a full scan.
I found that the problem only made itself known if I did a 'full' scan. The scan would freeze at that point (about 3/4 through) and the suspicious files indicated. Just starting or rebooting my pc didn't produce the problem.



BTW can anyone who had the problem confirm that their Windows volume is formatted as FAT32? (this would explain the increased number of Acer laptops in the set as Acer seems to preinstall Windows XP on FAT32 volumes).

My system is FAT32 on an ASUS laptop. I'll run a full scan this morning and report results.
Impressed with the immediate action on the problem.  :)
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: yare on December 29, 2008, 11:18:36 PM
Everything works just fine  :) Full scan using the avast! GUI completed w/o problems :)  I have to admit that there are differences in the new build - the scan is much faster than before (in my case even 30% faster, using the same scanning options (thorough/scan archives/all local disks)).

I ran a full scan (via GUI) because the boot scan worked OK all the time (as TheScorpion has said) - the issue with the heuristic engine (at least in my case) occurred only when a full scan was initiated using the avast! GUI and only if the scan area included the system folder - on-demand scans of every other folder/file worked OK.

Again, many thanks to the avast! support team for such a quick response. Also many thanks to polipodi for providing the test/debug machine that helped with bug reproduction.
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: TheScorpion on December 30, 2008, 01:35:08 AM
Just completed a 'thorough' full scan with no problems.
Also, the 'percentage of files checked'  gauge is now working. Before it would remain at 0%.
Well sorted. Thanks.  :)
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: gcon60 on December 31, 2008, 04:59:31 PM
Vlk, polipodi and the rest of the Avast team, thank you all very much for the efforts you put into resolving this problem.  It has been a long journey from November 24th when I raised the issue, until now.  I am delighted you cracked it before we ran out of 2008 – a clean slate for the New Year.

Sorry, I was reluctant to allow access to my PC, but I have been working in computers most of my long life and you get cynical about security matters – paranoid even.  I was relying on a more trusting approach from others; thanks polipodi.

Anyway, upgraded from 1229 to 1296 with VPS 081230-0 and did a thorough scan.  BRILLIANT!  It all worked.

Have a Guid Ne’er day and a great 2009

Gerard
 ;D
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: art13 on December 31, 2008, 05:55:08 PM
The problems I mentioned here:

http://forum.avast.com/index.php?topic=41157.0

at both the Packard Bell desktop and the Acer laptop were solved by installing VPS (081229-0).

Both systems were FAT32 formatted.

Thanks to everybody contributing to the solution.

Art
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: CharleyO on December 31, 2008, 11:11:53 PM
***

Though I did not have this problem, I would also like to thank Vlk and the rest of the Avast team for a job well done ... and polipodi for trusting the avast team to use his computer to research the problem.   :)


***
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: judy one on January 01, 2009, 10:25:09 PM
I had AVAST on 2 systems.  I tried the new version.  It identified about 90 rootkit viruses that could not be deleted from one system.  Then I did a system restore.  AVAST new version still did the same thing.

BitDefender found about the same number of inaccessible files that were password protected (I recognized them) or compressed.  McAfee found no viruses.

I believe the new version has a design flaw that is misinterpreting password protected or compressed files as rootkit infections.  I thought the problem was my computer until I found this forum.  Thank you.
Title: Re: New version finds rootkit hidden files - can't delete & nothing else does
Post by: igor on January 01, 2009, 10:33:45 PM
I believe the new version has a design flaw that is misinterpreting password protected or compressed files as rootkit infections.

No, it's certainly not the case.
Please post a few examples of the detected filenames - and also check what version of VPS you have.