Author Topic: Could Avast be trying to remove RollBack Rx? They think so  (Read 6029 times)

dagrev

  • Guest
Could Avast be trying to remove RollBack Rx? They think so
« on: February 20, 2013, 12:18:27 AM »
Below is my conversation with RBRx support.  In short they believe avast is removing or trying to remove something with RB because it thinks it's a rootkit.  Their suggestion is to disable rootkit scanning/detection.  For the last week I've removed avast to see if it happens again.

I'd like some thoughts on this by those who might have some good insight into this.

Thanks

Woke up my computer this morning and got a blue screen. Was able to get it restarted but would get another BSOD or it would freeze. I could not rollback.

The error message on the BSOD was the following:
Stop: c000021a {fatal system error} The verification of a knownDLL failed. System process terminated unexpectedly with status of 0xc000021f (0x01549890 0x000000000 System has been shut down.

I was able to boot to an Acronis rescue disk and restore an image to get it working again.

Nothing new or weird on the laptop that I'm aware of.

Update: I'm leaning toward this being RB related. After getting everything back and running I was installing RB and it crashed and I had to use Acronis again to get it back up and running.

Any reason to not think this is RB related at this point?
----
RB Support:
Please make sure, when you are using AVG or any 3rd party software to scan your PC, that you have disabled the scanning for rootkits, because it detects Rollback as a rootkit virus and it gets removed without any permission from users.

And I believe this is the issue that is causing Rollback to not work properly on your PC.
---
Me:
I'm using Avast not AVG and have the whole time I've used RBRx and never had this problem before until recently. There's no indication Avast is removing anything. Normally it would question before just removing.
----
RB:
With a rootkit virus there is usually no warning message, because I have the same issue as well.

iroc9555

  • Guest
Re: Could Avast be trying to remove RollBack Rx? They think so
« Reply #1 on: February 20, 2013, 12:26:22 AM »
Hi Dagrev.

Contact Avast! and report it as a F/P in file. Make a link to this topic.

http://www.avast.com/contact-form.php?loadStyles

dagrev

  • Guest
Re: Could Avast be trying to remove RollBack Rx? They think so
« Reply #2 on: February 20, 2013, 01:04:54 AM »
Thanks for your thoughts.

First, I can suggest it to avast, but I have no file to send them saying it is a good file, if I understood you correctly.  When it happens there is no getting in the system to send it as an FP.

Second, I'm still trying to figure out if avast is actually doing this.  Surely  others who use both avast and RB would be having the same file detected. 

So I'm not sure if telling avast anything is right at this point.  Maybe it is, I just don't know.  I was hoping others might have heard about this.  But I don't mind notifying avast if that's the best approach.

Offline Charyb-0

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2508
Re: Could Avast be trying to remove RollBack Rx? They think so
« Reply #3 on: February 20, 2013, 01:07:56 AM »
You mention BSOD. You might want to upload your dump files to avast to see if this will help solve this.

ftp://ftp.avast.com/incoming/
« Last Edit: February 20, 2013, 01:17:55 AM by Charyb »

dagrev

  • Guest
Re: Could Avast be trying to remove RollBack Rx? They think so
« Reply #4 on: February 20, 2013, 01:16:20 AM »
Thanks, but having had to restore an image (Acronis) to get the system to work at all, there are no dump files from the BSOD.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: Could Avast be trying to remove RollBack Rx? They think so
« Reply #5 on: February 20, 2013, 12:18:49 PM »
If avast! removes any file, it should be sent to the Chest automatically.
Can you submit the file from there for analysis?
The best things in life are free.

dagrev

  • Guest
Re: Could Avast be trying to remove RollBack Rx? They think so
« Reply #6 on: February 20, 2013, 01:01:33 PM »
Tech- No I can't because to get the system working when I get the BSOD I have to restore a disk image, thus losing any useful information.

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88897
  • No support PMs thanks
Re: Could Avast be trying to remove RollBack Rx? They think so
« Reply #7 on: February 20, 2013, 02:47:57 PM »
Don't restore the disk image immediately; boot into safe mode and, using Explorer, collect the c:\windows\memory.dmp and any mini dump files in the c:\windows\minidumps folder. Copy them to a partition that isn't going to be overwritten by the disk image.

Now that you have retained the information you can restore the disk image. I had to do that recently with avast8 beta3 build.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

dagrev

  • Guest
Re: Could Avast be trying to remove RollBack Rx? They think so
« Reply #8 on: February 20, 2013, 03:01:30 PM »
When it happens I cannot boot into safe mode or anything.  But I should be able to boot to a secondary HD and maybe read the primary HD and copy those files.  Thanks for telling me what files to look for and the location.  Now that I know where to get the necessary files, possibly I can begin to figure out what is causing it.  It's just a matter of reinstalling avast and waiting till it happens.

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88897
  • No support PMs thanks
Re: Could Avast be trying to remove RollBack Rx? They think so
« Reply #9 on: February 20, 2013, 03:07:36 PM »
Hopefully that will work and enable you to get the dump files.

dagrev

  • Guest
Re: Could Avast be trying to remove RollBack Rx? They think so
« Reply #10 on: February 20, 2013, 03:12:18 PM »
I'll do this when I can later today.  No telling when it will act up.  Possibly a week or more.

Thanks for your suggestion DavidR. 

What do I do with those files if I get them after a crash?

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88897
  • No support PMs thanks
Re: Could Avast be trying to remove RollBack Rx? They think so
« Reply #11 on: February 20, 2013, 04:37:13 PM »
You're welcome.

Upload the zip file to the ftp server ftp://ftp.avast.com/incoming:
Give the zip file you are uploading a unique name (e.g. forumusername-mem-dump.zip, etc), so they can identify it. It might not be a bad idea to create a text file (readme.txt) with any relevant information on the BSOD, avast topic URL, user name, etc. etc. in the zip file. Not to mention posting the name of the file you uploaded in the topic, this acts as another searchable reference.
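The collection steps from replies #7, #8 and #11, as an added example that is not part of any post in this thread: a PowerShell script, run from a second Windows installation, that copies the dump files off the failed disk before it is re-imaged, records SHA-256 hashes in a readme.txt and zips everything under a unique name. The drive letters, parameter names and the check for both `Minidump` (the Windows default folder name) and `minidumps` (as written in reply #7) are assumptions.

```powershell
# Added example (not from the thread): preserve crash dumps before restoring a disk image.
param(
    [string]$WindowsRoot = 'E:\Windows',   # assumption: failed system disk is mounted as E:
    [string]$OutDir      = 'D:\dumps',     # assumption: partition the image restore will not overwrite
    [string]$ForumUser   = 'forumusername',
    [string]$TopicUrl    = '<topic URL>',  # placeholder
    [string]$Notes       = 'Stop: c000021a, status 0xc000021f'
)
$ErrorActionPreference = 'Stop'

# Staging folder named after the forum user so the upload is identifiable.
$stage = (New-Item -ItemType Directory -Force -Path (Join-Path $OutDir "$ForumUser-mem-dump")).FullName

# Full/kernel dump plus any minidumps; check both folder spellings.
$sources = @()
$full = Join-Path $WindowsRoot 'MEMORY.DMP'
if (Test-Path -LiteralPath $full) { $sources += Get-Item -LiteralPath $full }
foreach ($dir in 'Minidump', 'minidumps') {
    $p = Join-Path $WindowsRoot $dir
    if (Test-Path -LiteralPath $p) {
        $sources += @(Get-ChildItem -LiteralPath $p -Filter *.dmp -File)
    }
}
if ($sources.Count -eq 0) { throw "No dump files found under $WindowsRoot" }

# Copy each dump, then hash the copy so the recipient can verify it arrived intact.
$lines = @("Forum user: $ForumUser", "Topic: $TopicUrl", "BSOD: $Notes", '',
           'SHA-256  bytes  name  last write (UTC)')
foreach ($f in $sources) {
    Copy-Item -LiteralPath $f.FullName -Destination $stage
    $hash = (Get-FileHash -LiteralPath (Join-Path $stage $f.Name) -Algorithm SHA256).Hash
    $lines += '{0}  {1}  {2}  {3:u}' -f $hash, $f.Length, $f.Name, $f.LastWriteTimeUtc
}
Set-Content -LiteralPath (Join-Path $stage 'readme.txt') -Value $lines -Encoding UTF8

# ZipFile handles multi-gigabyte MEMORY.DMP files; Compress-Archive is limited to 2 GB per file.
Add-Type -AssemblyName System.IO.Compression.FileSystem
$zip = "$stage.zip"
if (Test-Path -LiteralPath $zip) { Remove-Item -LiteralPath $zip }
[System.IO.Compression.ZipFile]::CreateFromDirectory($stage, $zip)
Write-Output $zip   # path of the archive to upload
```

A full memory dump contains whatever was in RAM at the time of the crash, so the archive should go only to the vendor's upload location.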

dagrev

  • Guest
Re: Could Avast be trying to remove RollBack Rx? They think so
« Reply #12 on: February 20, 2013, 04:39:10 PM »
Will do.  Thanks again for your help!