Author Topic: New version finds rootkit hidden files - can't delete & nothing else does  (Read 57899 times)


Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: New version finds rootkit hidden files - can't delete & nothing else does
« Reply #60 on: December 16, 2008, 09:59:59 PM »
Interesting!  My Acer has co-existed with the Avast program for several years now and works fine with version 1229, so I guess the bug is in 1296.

Gerard
You're right... seems so.
The best things in life are free.

anjana

  • Guest
Re: New version finds rootkit hidden files - can't delete & nothing else does
« Reply #61 on: December 16, 2008, 11:24:58 PM »
No, I don't have an Acer, it's HP

kd5

  • Guest
Re: New version finds rootkit hidden files - can't delete & nothing else does
« Reply #62 on: December 16, 2008, 11:28:43 PM »
I'm running into the same problem here, a whole list of suspected rootkits in the spoolsv.exe and spoolss.dll files, mostly in the Microsoft Document Imaging (mdigraph.dll, mdiui.dll, mdippr.dll) and the Software Distribution folder for printer files and updates.  I've run several online scans, Spybot, SUPERAntiSpyware, and the Sophos Anti-Rootkit scanner, all of which found nothing.  After reading this thread I opted to choose Ignore, and Don't notify me again, but then Avast tells me it detected a virus in memory and wants to scan at reboot.  I've allowed this to happen twice, which found nothing.  I told Avast not to scan at boot once but Avast froze; eventually it continued scanning to completion (including the report containing all the erroneous rootkit detections).  I then exited Avast and rebooted so I could run the scan again, which found the same supposed rootkits, even though I'd told Avast to ignore them and not to notify me again.

This is bad news for Avast.  I hope you get this problem fixed soon.       -kd5-

« Last Edit: December 16, 2008, 11:42:11 PM by kd5 »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: New version finds rootkit hidden files - can't delete & nothing else does
« Reply #63 on: December 17, 2008, 12:58:33 AM »
I think it's time to work... there is something cheesy in the rootkit scanning... programmers uh uh  :(
The best things in life are free.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: New version finds rootkit hidden files - can't delete & nothing else does
« Reply #64 on: December 17, 2008, 12:59:40 AM »
kd5, I forgot to say that it would be better to disable rootkit scanning in the Troubleshoot page of program settings for a while. You'll decrease protection, but, at least, your computer will be yours...
The best things in life are free.

kd5

  • Guest
Re: New version finds rootkit hidden files - can't delete & nothing else does
« Reply #65 on: December 17, 2008, 04:56:03 AM »
I hate the idea of disabling any of Avast's capabilities but if that is the only option available to me then I suppose I will have no other choice.       -kd5-

gcon60

  • Guest
Re: New version finds rootkit hidden files - can't delete & nothing else does
« Reply #66 on: December 17, 2008, 10:00:21 AM »
Better still, revert back to an earlier version of Avast with the up-to-date virus database and you should be protected.  I use 1229.

Gerard

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: New version finds rootkit hidden files - can't delete & nothing else does
« Reply #67 on: December 17, 2008, 11:42:32 AM »
Better still, revert back to an earlier version of Avast with the up-to-date virus database and you should be protected.  I use 1229.
Good suggestion.

1. Uninstall avast from Control Panel first.
2. Boot.
3. Use Avast Uninstall for complete uninstallation.
4. Boot.
5. Stay off-line (not connected to Internet).
6. Install the old version again: http://filehippo.com/download_avast_antivirus/
7. Boot.
8. Register avast (insert the registration key).
9. Uncheck the program updates (set to manual).
10. Only then connect to Internet (go on-line).
11. Check and post the results.
The best things in life are free.

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11658
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re: New version finds rootkit hidden files - can't delete & nothing else does
« Reply #68 on: December 17, 2008, 12:31:15 PM »
So, to recap, everyone having the problem has an Acer laptop, correct?
If at first you don't succeed, then skydiving's not for you.

kd5

  • Guest
Re: New version finds rootkit hidden files - can't delete & nothing else does
« Reply #69 on: December 17, 2008, 02:10:34 PM »
No.  This is a custom-built desktop computer, Windows XP Home Edition, currently SP2, soon to become SP3 (as soon as I can overcome this sense of unease regarding these false positives).  There is no Acer anywhere near this computer.       -kd5-

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11658
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re: New version finds rootkit hidden files - can't delete & nothing else does
« Reply #70 on: December 17, 2008, 06:20:28 PM »
Would any of you be willing to give me remote access to your system?

Remote desktop, or LogMeIn, or something similar.


Thanks
Vlk
If at first you don't succeed, then skydiving's not for you.

anjana

  • Guest
Re: New version finds rootkit hidden files - can't delete & nothing else does
« Reply #71 on: December 18, 2008, 10:03:41 PM »
So, to recap, everyone having the problem has an Acer laptop, correct?

No, as I mentioned, mine is an HP.

Offline Dwarden

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1793
  • Ideas, that's ocean without borders!
    • Bohemia Interactive
Re: New version finds rootkit hidden files - can't delete & nothing else does
« Reply #72 on: December 19, 2008, 06:24:55 AM »
I just hate myself that I 'destroyed' (total wipe by drive manufacturer test tools) what was most likely an OS very infested by some weird rootkit
(no known AV was able to pick it up), but it was able to kill any AV (including the latest KAV, Avira, DRW5, etc.) in exactly a 24-48h timeframe after install ...
AVs with self-protection were able to spot that something was going wrong but failed to protect themselves, at most just reporting self-damage, like avast warning about modification of its own files.

All I know is that it made several sectors on the OS partition inaccessible to the OS, causing issues when the OS tried to access them in a non-standard way, and the OS crashed ...
(The HDD is without any physical errors; tested by several tools to be sure.)

The most interesting thing was that, due to these errors, it was impossible to obtain a flawless 1:1 image of the infected OS drive.
Also, inside the whole memory dump there were some traces indicating it's using some of the RPC exploits known to date.

I got a copy of all possible files from that system, but I doubt that will lead to any successful find. If someone is interested, just PM me, but passive scans reveal nothing ...
https://twitter.com/FoltynD , Tech. Community, Online Services & Distribution manager of Bohemia Interactive

gcon60

  • Guest
Re: New version finds rootkit hidden files - can't delete & nothing else does
« Reply #73 on: December 20, 2008, 01:27:33 AM »
Vlk,

Access to someone's PC is a hard one to comply with.  Too many bits 'n pieces that are secure.  Can you not think of another way to crack this problem?  It really needs fixing!!!

Gerard

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89025
  • No support PMs thanks
Re: New version finds rootkit hidden files - can't delete & nothing else does
« Reply #74 on: December 20, 2008, 01:38:05 AM »
And this is what they are trying to do: go the extra mile to research why it might be happening. Simply submitting the file may not provide enough information, since this problem (for the most part) only seems to be affecting a limited subset of users, and avast are obviously unable to replicate the problem in their labs.

It is very rare to see this kind of commitment to resolve a problem that isn't affecting all avast users.

If you can't trust your AV, who can you trust, as you are effectively trusting them by installing the AV? If you have anything truly sensitive, you could encrypt and password-protect the folder/s that it is in.

I have never had to use a remote connection, but you have to be present and, I guess, could monitor what is going on.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security