avast 4.8 Rootkit Problem

[koke4716]

Hi All...

Have used avast home for some time now and just upgraded to the new 4.8 but every time I boot/reboot I get a warning stating that a rootkit has been found in memory.

The warning states the rootkit is in system 32\drivers and identfies the file as QL1240.SYS.

I click DELETE NOW and get an error message saying there was an error processing the action.

I use XP and the funny thing is that the QL (Quick Logic) driver files are in the system32\dllcache folder and not in the driver folder.

I also check under Services and do not see anything running automatically at startup that refers to any Quick Logic PCI Drivers...

I have also uninstalled and rebooted and reinstalled version 4.8 but the problem continues and everything else os working fine.

Anyone have a clue as to what this is all about?

Thanks for your help/comments/suggestions

Peter

[Lisandro]

Seems a false positive... Can you send that file to virus (at) avast.com and inform a link to this thread in the message body saying that it seems a false positive?
Better if you can manually move that file to another folder.

[DavidR]

Some infor on the file properties for ql1240.sys, http://hashes.castlecops.com/hash21141214-ql1240_sys.html. If you are able to find this file in the location reported, you could check if they match. Not terribly good as I don't know what version it is of as the web page dates from 2 Oct 2005.

The problem with rootkits they aren't likely to advertise their presence. Like in services, etc.

I also check under Services and do not see anything running automatically at startup that refers to any Quick Logic PCI Drivers...

I have XP Pro and only have ql1240.sys inside a .cab file, in c:\windows\driver cache\i386\driver.cab. So I don't have it outside the .cab file.

I have a little program Hash Calc and I have extracted the file from the cab and dropped it in hash calc and it gives these details, see image.

[koke4716]

Seems a false positive... Can you send that file to virus (at) avast.com and inform a link to this thread in the message body saying that it seems a false positive?
Better if you can manually move that file to another folder.

Tech - Thanks input - I will send to avast as suggested with a link and suggesting a FALSE POSITIVE.

Many thanks...

[koke4716]

Some infor on the file properties for ql1240.sys, http://hashes.castlecops.com/hash21141214-ql1240_sys.html. If you are able to find this file in the location reported, you could check if they match. Not terribly good as I don't know what version it is of as the web page dates from 2 Oct 2005.

The problem with rootkits they aren't likely to advertise their presence. Like in services, etc.

I also check under Services and do not see anything running automatically at startup that refers to any Quick Logic PCI Drivers...

I have XP Pro and only have ql1240.sys inside a .cab file, in c:\windows\driver cache\i386\driver.cab. So I don't have it outside the .cab file.

I have a little program Hash Calc and I have extracted the file from the cab and dropped it in hash calc and it gives these details, see image.

DavidR - Thanks also for your comments.  Even though avast has reported the file being in a location it is not (i.e. WINDOWS32\DRIVERS), I have not only moved the ql1240.sys file from the WINDOWS32\DLLCACHE folder (into a junk folder) but I have also renamed the extension from ".SYS" to ".OLD" and then rebooted only to find the same warning msge is still generated.

I did a REGEDIT search for QL1240.SYS and nothing came up.

Strange indeed....

Thanks again
Peter

[DavidR]

Your welcome, I think we need some input from the Alwil team as we really don't know that much about the rootkit module or its returns.

[alanrf]

I do have this file on Windows XP SP2 in the folder specified by avast.  Startup will not show you anything about drivers generally.

I use the free program Serviwin from MS/SysInternals.

[koke4716]

Your welcome, I think we need some input from the Alwil team as we really don't know that much about the rootkit module or its returns.

DavidR & Tech - I have emailed avast with a link to this thread as well as a full description of my problem and a copy of the offending file (ql1240.sys)

I have also solved my problem but not 100% sure as to why.  I again removed the file from the DLLCache folder and again renamed the extension. 

I then did a warm boot but the rootkit warning and errors were repeated.  So, I did a complete shut down/cold boot and the problem seems to be solved.

Again, not sure why...

You can see attached the warning message that avast! 4.8 generated....

Thanks all your comments.
Peter

[Lisandro]

Peter, what happens if you click delete button?
Do you receive the message if you run:
XP: Windows Start > Run
"C:\Program Files\Alwil Software\Avast4\ashQuick.exe" "<RTK>SUPERQUICK"

Vista: Windows Start > write "cmd" without quotes > click CTRL+SHIFT+ENTER
Anwswer 'Yes' to UAC question.
Write down (or paste):
"C:\Program Files\Alwil Software\Avast4\ashQuick.exe" "<RTK>SUPERQUICK"
Click Enter

[koke4716]

Peter, what happens if you click delete button?
Do you receive the message if you run:
XP: Windows Start > Run
"C:\Program Files\Alwil Software\Avast4\ashQuick.exe" "<RTK>SUPERQUICK"

Tech -

1) When I click the DELETE button, I get the error message attached to this post.

2) When I run ashQuick.exe (or a full deep scan, nothing is detected - the system is clean)

/peter

[Lisandro]

I need help from the programmers... Igor

[koke4716]

I need help from the programmers... Igor

Igor - Hehehe - I guess the error msge is generated because the file (ql1240.sys) is not residng in the folder \WINDOWS\SYSTEM32\DRIVERS.

The file was however residing in the \WINDOWS\SYSTEM32\DLLCACHE folder but why avast saw the file as being in the \WINDOWS\SYSTEM32\DRIVERS folder is way beyond me.

Anyway, I have found my fix and also passed the info onto avast.  Scanning with avast or trendmicro's housecall and AdAware and SpyBot have all indicated my system is now clean.

Thanks
/peter

[koke4716]

Wonderful - the RootKit warning is back. 

It popped up when I started my scanner, which is on an Adaptec SCSI/Pci Adapter, and now I must assume that this is the hardware device that uses the driver file "ql1240.sys".

The warning message continues to say the file is in "C:\WINDOWS\SYSTEM32\DRIVERS" but after doing a search I cannot find the file anywhere on my harddrive except in a cab file.

/peter

[alanrf]

You may want to go back and look at my previous post.

It is a simple little program from Microsoft/System Internals - requires no install - just run it (make sure in the "View" menu to select "Drivers").

See if tells you anything about that driver on your system.

[koke4716]

You may want to go back and look at my previous post.

It is a simple little program from Microsoft/System Internals - requires no install - just run it (make sure in the "View" menu to select "Drivers").

See if tells you anything about that driver on your system.

AlanRF - Thanks - I did download and install the ServiWin program - much better tool than what XP provides.  Unfortunately, it says nothing about the driver file in question (i.e. ql1240.sys).  Seems avast 4.8 has some bugs in it as nothing I do can identify anything wrong on my system except for avast 4.8.  Everything else I have done to scan for Viruses, Worms, MalWare, RootKits comes up with nothing.

Only avast 4.8 is seeing a RootKit.

hmmmmmm......

Thanks
Peter