Author Topic: small boot scan question?  (Read 4363 times)

sanctuaryforever

  • Guest
small boot scan question?
« on: April 07, 2008, 10:55:29 PM »
Sorry if this has been highlighted elsewhere, but at what stage do the rootkit boot scan and other scans run (i.e. after the BIOS screen, before the welcome screen, or after the desktop loads, etc.)?

PS: When a rootkit is detected (by the boot-time function), does the warning come up on a DOS-type screen, or does it display its findings when Windows has finished booting up?

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re: small boot scan question?
« Reply #1 on: April 07, 2008, 11:37:10 PM »
The rootkit scan runs a few minutes after the desktop loads (it's a rootkit scan - looking for active rootkits (= hidden files, processes, ...); so, there's actually no point in trying to load as soon as possible, because if the rootkit is not yet active - it's not hidden, and it wouldn't get detected, at least not as a rootkit).

The boot-time scanner has also been improved, regarding the detection of hidden files (should the rootkit already be loaded at the time boot-time scanner runs).

sanctuaryforever

  • Guest
Re: small boot scan question?
« Reply #2 on: April 08, 2008, 03:19:55 PM »
Thanks for the response :)

psw

  • Guest
Re: small boot scan question?
« Reply #3 on: April 08, 2008, 05:21:47 PM »
It is curious what the following boot scan records mean
--
NtSetEvent(g_hInitEvent) - 1
InitKeyboard
g_dwKbdNum: 3
FreeMemory: 3487739904
avworkInitialize
\Device\KeyboardClass2 failed: 0xC0000034
\Device\KeyboardClass2 failed: 0xC0000034
\Device\KeyboardClass2 failed: 0xC0000034
FreeMemory: 3449499648
\Device\KeyboardClass2 failed: 0xC0000034
s_dwKbdClassCnt: 3
InitKeyboard end
NtSetEvent(g_hInitEvent) - 2
--
Everything works fine, I can abort the boot scan with Esc, but why are records about failure present in the log?

Offline igor

Re: small boot scan question?
« Reply #4 on: April 08, 2008, 05:34:07 PM »
What kind of keyboard(s) do you use?

psw

  • Guest
Re: small boot scan question?
« Reply #5 on: April 08, 2008, 06:09:23 PM »
Genius SlimMate 300 PS/2
HID\VID_0518&PID_0005&MI_01&COL01\7&31C90A83&0&0000

Offline igor

Re: small boot scan question?
« Reply #6 on: April 08, 2008, 10:40:51 PM »
I thought HID usually meant USB, not PS/2...
Anyway, I think that it just means that the initialization of the keyboard took a while - and avast! had to retry a few times before it was successfully "connected".
Nothing to worry about.
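
Added example, not part of the thread and not Avast's code: a short Python script that pulls the "failed" lines out of the boot-scan log quoted in Reply #3, counts them per device object, and splits the status value into its NTSTATUS bit fields. The function names are hypothetical and the status-name table is a small hand-picked subset.

```python
import re
from collections import Counter

# Constructed sample: the log lines quoted in Reply #3 of this thread.
SAMPLE_LOG = r"""NtSetEvent(g_hInitEvent) - 1
InitKeyboard
g_dwKbdNum: 3
FreeMemory: 3487739904
avworkInitialize
\Device\KeyboardClass2 failed: 0xC0000034
\Device\KeyboardClass2 failed: 0xC0000034
\Device\KeyboardClass2 failed: 0xC0000034
FreeMemory: 3449499648
\Device\KeyboardClass2 failed: 0xC0000034
s_dwKbdClassCnt: 3
InitKeyboard end
NtSetEvent(g_hInitEvent) - 2
"""

# Small lookup of well-known NTSTATUS values (assumption: not exhaustive).
KNOWN_STATUS = {
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC000000E: "STATUS_NO_SUCH_DEVICE",
}
SEVERITY = ["SUCCESS", "INFORMATIONAL", "WARNING", "ERROR"]
FAIL_RE = re.compile(r"^(?P<obj>\\\S+) failed: (?P<st>0x[0-9A-Fa-f]{8})$")

def decode_ntstatus(value):
    """Split a 32-bit NTSTATUS into its documented bit fields."""
    return {
        "severity": SEVERITY[(value >> 30) & 0x3],  # bits 31-30
        "customer": bool((value >> 29) & 0x1),      # bit 29
        "facility": (value >> 16) & 0xFFF,          # bits 27-16
        "code": value & 0xFFFF,                     # bits 15-0
        "name": KNOWN_STATUS.get(value, "UNKNOWN"),
    }

def summarize_failures(log_text):
    """Count failures per (object, status) pair and decode each status."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAIL_RE.match(line.strip())
        if m:
            counts[(m["obj"], int(m["st"], 16))] += 1
    return [{"object": o, "count": n, **decode_ntstatus(s)}
            for (o, s), n in counts.items()]

if __name__ == "__main__":
    for row in summarize_failures(SAMPLE_LOG):
        print(row)
```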