Author Topic: New version finds rootkit hidden files - can't delete & nothing else does  (Read 49585 times)


Offline gcon60

  • Newbie
  • *
  • Posts: 14
A couple of days ago I installed the latest version of Avast.  I ran a thorough check and it found umpteen rootkit hidden files, e.g. windows/system32/spoolsv.exe and /spoolss.dll, etc.  I panicked of course, always good in a crisis.  I opted to delete the files, the system reloaded, ran the boot version and loaded again.  A run of Avast still found the rootkit hidden files.

Following this I ran several standalone rootkit finders and they were all clear.  I could not get rid of the Avast warning.  It was then I decided to prime down an August image of my system.  This was successful, so I updated Avast and ran a thorough scan....Oh NO!  I still got rootkit files.  I tried a few more standalone finder programs to no avail.

I deleted Avast and installed the free version of AVG.  Clean as a whistle, no nasty files found.  I then reinstalled an older version of Avast (1229) and it was all sweetness and light.

Now I don't know whether the new version is telling the truth and I do have rootkit files and the old version misses them, or if the new Avast is telling me a few porkies.

Please help!

Offline Styx

  • Jr. Member
  • **
  • Posts: 87
Re: New version finds rootkit hidden files - can't delete & nothing else does
« Reply #1 on: November 24, 2008, 10:56:13 PM »
I had the same issue. Interestingly I submitted a Support Ticket and after I reported that I had "magically" stopped the Rootkit Notifications the Avast folks Closed the Ticket. So I just re-opened it as the problem is not fixed, it was just worked around.

Here is how to do it :

http://forum.avast.com/index.php?topic=40203.0
Toshiba S-6267 T2350 CoreDuo 2 Gig - Intel 945GM Chip Set - 1.75 Gig ReadyBoost - Vista Home Premium x86 SP1 - all drivers up-to-date from OEM sites. Windows Firewall & Defender On. MalWareBytes, SpyBot, SuperAntiSpyware, AdAware, & WinPatrol on demand. RegRun Platinum.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 83537
  • No support PMs thanks
Re: New version finds rootkit hidden files - can't delete & nothing else does
« Reply #2 on: November 24, 2008, 11:36:04 PM »
Well spoolsv.exe and spoolss.dll are legit file names, but that is no guarantee they haven't been got at.

However, the anti-rootkit scan (8 minutes after boot) and I don't know if it is the sensitivity of the detection method that is causing this, but the strange thing is that I don't get any alerts (XP Pro SP3) nor it would seem do many others or this forum would be lit up like a Christmas tree.

So there are obviously some other attributes that make it think it might be a rootkit, different OS, network printer driver loading early or hidden, I don't know, but it is causing some problems as there are a few similar topics as Styx mentions, and he did a lot of work trying to get the workaround to work.

Your test using AVG wouldn't find anything even if it were a valid detection as there is no anti-rootkit in the free version.

When it detects it there is an option to send the file for analysis; if you didn't do that I would suggest you let that happen before you apply the workaround Styx gave the link for.
WinXP ProSP3/ Core2Duo E8300/ 4GB Ram/ avast! free 18.5.2342/ Firefox ESR, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security
Windows 10 Home 1909 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 20.6.2420 (build 20.6.5495.561) UI-1.0.541/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro

Offline ardvark

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1512
  • John 3:16 (I'm not an "avast! evangelist")
Re: New version finds rootkit hidden files - can't delete & nothing else does
« Reply #3 on: November 24, 2008, 11:52:33 PM »
Now I don't know whether the new version is telling the truth and I do have rootkit files and the old version misses them, or if the new Avast is telling me a few porkies.

Hi...

You can try using a standalone rootkit scanner to verify which is the case. Here are two...

F-Secure's Blacklight...

http://www.f-secure.com/security_center/

(scroll down to "downloads.")

Trend Micro Rootkit-Buster...

http://www.trendmicro.com/download/rbuster.asp

Hope this helps. :)

Best Regards...

Offline Styx

  • Jr. Member
  • **
  • Posts: 87
Re: New version finds rootkit hidden files - can't delete & nothing else does
« Reply #4 on: November 25, 2008, 03:34:55 AM »
Greatis's Reanimator is a superior rootkit detector/remover.

Also RegRun is the ultimate in protection especially the Gold/Platinum version.

http://www.greatis.com/security/

Offline Maxx_original

  • Avast team
  • Super Poster
  • *
  • Posts: 1479
Re: New version finds rootkit hidden files - can't delete & nothing else does
« Reply #5 on: November 25, 2008, 11:20:00 AM »
wait for the program update, which should be released today.. ;)

Offline sugaree

  • Newbie
  • *
  • Posts: 2
Re: New version finds rootkit hidden files - can't delete & nothing else does
« Reply #6 on: December 02, 2008, 06:26:41 AM »
Hello,

Avast 4.8 Pro complains about a rootkit hidden file on a WinXP computer I support. The infected file is c:\Windows\System32\Drivers\cinemsup.sys.  When the problem first appeared the owner of the computer opted to send the file to the AVAST folks. When the problem occurred again I opted to delete the file.  A warning was displayed that the memory is infected and I should restart the OS and run a full scan.  I did that and no infected files were detected.  The warning appeared again.  This time I opted to delete the file and when warned about restarting and running a scan I selected to skip the reboot and go ahead and delete the file.  Now an AVAST full scan of the drive shows no infected files, yet the rootkit warning continues to appear some time after booting the system.

The last post in this thread mentioned an update to AVAST.  Is this possibly a problem in AVAST that has been fixed by a recent update?

Thanks for any help/suggestions,

Charles

Offline gcon60

  • Newbie
  • *
  • Posts: 14
Re: New version finds rootkit hidden files - can't delete & nothing else does
« Reply #7 on: December 02, 2008, 10:54:01 AM »
Hi,

Thanks to everyone for all the good advice.  I tried them all to no avail.  Reanimator gave me a list of possible dodgy files, but I don't believe they are, so I ignored the results.

I still use the older version of Avast (1229) and do a regular full run and all is ok.  I have not had the courage to update again to the latest version that gave me the problem.

To sum up - I'm confused.

Offline Maxx_original

  • Avast team
  • Super Poster
  • *
  • Posts: 1479
Re: New version finds rootkit hidden files - can't delete & nothing else does
« Reply #8 on: December 02, 2008, 11:36:44 AM »
sugaree: the problem (hopefully resolved with the last program update) was related to wrong name/path interpretation, which caused multiple wrong rootkit detections on some machines... your entry seems to be ok... the reason why it has not been cleaned during the boot-time scan is that there's probably no exact detection for the scanner.. the standalone scanner and the antirootkit module are two different instances based on different schemes (antirootkit is not signature based)... when the AR detection occurs, then you're notified and you can send the file for further analysis... the file is then analysed in our viruslab and in case of confirmed malicious behavior the exact detection for the scanner is added... that's the moment from when you will be able to remove the file with the boot-time scanner... it's a safety criterion to not make any definite cleaning until we're sure we're dealing with a piece of malware..

Offline Styx

  • Jr. Member
  • **
  • Posts: 87
Re: New version finds rootkit hidden files - can't delete & nothing else does
« Reply #9 on: December 02, 2008, 12:28:09 PM »
A Google of cinemsup.sys shows that it "might" be a malware problem. If the file still exists, check its size and then Google it.
« Last Edit: December 02, 2008, 12:30:43 PM by Styx »

Offline sugaree

  • Newbie
  • *
  • Posts: 2
Re: New version finds rootkit hidden files - can't delete & nothing else does
« Reply #10 on: December 02, 2008, 02:43:04 PM »
Hello,

Thanks for your kind consideration and helpful responses.  I'll try out the latest update of AVAST to see if that helps.

Charles

Offline gcon60

  • Newbie
  • *
  • Posts: 14
Re: New version finds rootkit hidden files - can't delete & nothing else does
« Reply #11 on: December 03, 2008, 10:55:06 AM »
I bit the bullet and reinstalled Avast 1296 and ran a thorough check.  As before it found rootkits, windows/system32/spoolsv.exe and /spoolss.dll, etc., so nothing has changed.

What should I do now?

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11665
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re: New version finds rootkit hidden files - can't delete & nothing else does
« Reply #12 on: December 03, 2008, 11:44:33 AM »
We're looking for someone who'd help us analyze this strange issue by allowing us to do a remote desktop connection to his/her machine.

Would anyone of you (who have the problem) be willing and able to do that?

Thanks
Vlk
If at first you don't succeed, then skydiving's not for you.

Offline Crowella

  • Jr. Member
  • **
  • Posts: 21
Re: New version finds rootkit hidden files - can't delete & nothing else does
« Reply #13 on: December 03, 2008, 02:53:13 PM »
I'm happy to help, but you'll have to give me idiot-proof step-by-step instructions as to what I have to do! Also I need to know that my laptop won't be affected by it, I'm studying for my PGCE and have all my work on here! Anyway, let me know.

Christine

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11665
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re: New version finds rootkit hidden files - can't delete & nothing else does
« Reply #14 on: December 03, 2008, 03:07:32 PM »
OK, let's try something easy first.

Please do the following:

1. download this file http://public.avast.com/~vlk/aswAr0.dll and place it to the <avast>\data folder (overwrite existing)

2. rerun the scan, and wait for the "rootkits found" message to appear

3. send me the file <avast>\data\aswAr1.log that should get generated during the scan.


Thanks
Vlk