Author Topic: New version finds rootkit hidden files - can't delete & nothing else does  (Read 57718 times)


gcon60

  • Guest
Re: New version finds rootkit hidden files - can't delete & nothing else does
« Reply #75 on: December 20, 2008, 11:10:45 AM »
I understand fully what you are saying, but cannot fully accept that the internet is safe enough to take any chances. To a degree I can work under instructions.

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re: New version finds rootkit hidden files - can't delete & nothing else does
« Reply #76 on: December 20, 2008, 01:32:05 PM »
> I have never had to use a remote connection but you have to be present and I guess could monitor what is going on.

Not really, at least not for Remote Desktop, not sure about LogMe in.

Anyway, it's understandable that not everybody would agree to that; however, we are really not able to simulate this and the whole thing is a mystery (i.e. there doesn't seem to be any visible problem in the code) - so, we really need somebody to help us out by providing the access to his/her computer where the problem reproduces. Let's hope somebody appears soon.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: New version finds rootkit hidden files - can't delete & nothing else does
« Reply #77 on: December 20, 2008, 01:48:44 PM »
> Not really, at least not for Remote Desktop, not sure about LogMe in.
LogMeIn uses a https (secure) connection if I'm not wrong.
You will be as open as when you're using the Internet.
Allowing a remote connection to Vlk won't expose your system.
The best things in life are free.

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re: New version finds rootkit hidden files - can't delete & nothing else does
« Reply #78 on: December 20, 2008, 01:52:47 PM »
That's not what I meant - I was just trying to say that a remote desktop-ped machine has a blank screen, you don't see anything and can't interfere (except for closing the connection).
As I wrote, I don't know LogMe in, could be different there ;)

Of course, Vlk is not interested in the data stored on the machine - only in finding out the cause of the problem.
« Last Edit: December 20, 2008, 02:01:37 PM by igor »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: New version finds rootkit hidden files - can't delete & nothing else does
« Reply #79 on: December 20, 2008, 01:59:21 PM »
> I was just trying to say that a remote desktop-ped machine has a blank screen, you don't see anything and can't interfere (except for closing the connection).
In which side? With LogMeIn, the host desktop could be seen by the guest...
Maybe we're talking the same with different words :-[
The best things in life are free.

kd5

  • Guest
Re: New version finds rootkit hidden files - can't delete & nothing else does
« Reply #80 on: December 20, 2008, 02:30:25 PM »
The computer I was having a problem with now has a new hard drive and a fresh XP Home installation.  Sorry but I could not delay the repair I was doing on that computer.  Turns out the hard drive had numerous errors and SeaTools refused to repair after 99 errors were found.  Don't know if that has anything to do with this problem or not, I'll be reinstalling updates/software for a couple of days, the printer software is always one of the last things I install.  We'll see how it turns out, I'll let you know if I get the same report with this fresh install.       -kd5- 

TheScorpion

  • Guest
Re: New version finds rootkit hidden files - can't delete & nothing else does
« Reply #81 on: December 21, 2008, 01:43:09 AM »
Getting the same problem. Avast 4.8 home. Build1296. Win XP pro on an ASUS laptop.
Thorough scan comes up with a load of 'Suspicious' heuristically found rootkit files. Amongst them is..

Windows\system32\spoolss.dll\drivers\w32x86\BROFX05A.dll
Windows\system32\spoolss.dll\drivers\w32x86\BRIFX05A.dll
Windows\system32\spoolss.dll\drivers\w32x86\ppbiNT.dll
I386\DRWATSON.ex_\FAULTH.dll

It gave the option to delete these or ignore - they looked like they might be ok so I 'Ignored'.

The scan also seems to freeze at around the 35K to 40K file mark.
Don't know if this is relevant too, (I've also posted separately on this) but the 'Current Scan Status' indicator remains at 0% throughout the scans.
AVAST  said it had found a virus in memory or something and got me to do a bootscan which scanned all drives but found nothing.

gcon60

  • Guest
Re: New version finds rootkit hidden files - can't delete & nothing else does
« Reply #82 on: December 21, 2008, 11:00:05 AM »
AVAST CHECKING LOG

Avast revision 1229  >  1296  rootkits detected

Reverted back to 1229 and ok

1229  >  1290  rootkits detected

Reverted back to 1229 and ok

1229  >  (used upgrade) 1282  (081112-0)     crashed around 25,000 files +  approx same area as rootkit detection
            Prior to crash Zone Alarm reported Avast wanted to launch DWWIN.EXE.
            Allowed and crashed

1282 (081112-0)      Same as above, but this time denied – crashed

1282 (081219-0)      At 25,422 files  ….system32\drivers encountered a problem needs to close.

Uninstalled upgraded 1282.  followed by clean install rather than upgrade of 1282.

1282 (081112-0)      Crashed at same point.

Reinstalled  1229 (081220-0)  No problems


It would appear that 1282 had a problem and when 1290 was released rootkits were found around the same area that 1282 had the problem.  I am not qualified to make any assumptions as to what is happening here.

Is this helpful?

Regards

Gerard

gcon60

  • Guest
Re: New version finds rootkit hidden files - can't delete & nothing else does
« Reply #83 on: December 23, 2008, 06:10:51 PM »
Any clues, anybody?

polipodi

  • Guest
Re: New version finds rootkit hidden files - can't delete & nothing else does
« Reply #84 on: December 26, 2008, 02:11:27 PM »
Dear Avast Support Team,

I've got in my hands a computer with this problem. It's an ACER laptop.
Avast is detecting a Rootkit which seems not present into the system.
Avast version is 4.8.1296.
If it can help you to track down the issue, I can install LogMeIn on the computer and give you full access.
FYI: I am located in France.
Feel free to contact me by PM if you are interested in accessing this computer.
Unfortunately, I won't be reachable the next hours. I think we could have a meeting the next week.

Thanks,
Luc

> I have never had to use a remote connection but you have to be present and I guess could monitor what is going on.
>
> Not really, at least not for Remote Desktop, not sure about LogMe in.
>
> Anyway, it's understandable that not everybody would agree to that; however, we are really not able to simulate this and the whole thing is a mystery (i.e. there doesn't seem to be any visible problem in the code) - so, we really need somebody to help us out by providing the access to his/her computer where the problem reproduces. Let's hope somebody appears soon.


Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re: New version finds rootkit hidden files - can't delete & nothing else does
« Reply #85 on: December 26, 2008, 02:15:31 PM »
Great! So, the symptoms are the same - obviously wrong file paths, right?
For example: C:\Windows\system32\spoolss.dll\drivers\something
- where spoolss.dll is a file, not a folder, i.e. there can't be any further path following.
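The check igor describes (a path component that is a regular file cannot have further path components below it) is easy to automate when triaging a scanner's report. The script below is an added example, not code from this thread or from Avast; it builds a throwaway directory tree under a temp folder that mimics the relevant part of a system drive (constructed sample data), then walks each reported Windows-style path component by component, case-insensitively, and flags any report whose parent chain passes through a file. Function and fixture names are my own.

```python
"""Triage scanner-reported paths: flag those where a parent component is a
regular file, since a file cannot contain further files on a plain filesystem.
Added example with constructed sample data; not the scanner's own logic."""
import tempfile
from pathlib import Path, PureWindowsPath


def _components(reported: str):
    """Split a Windows-style path into its components, dropping any
    drive/root anchor such as 'C:\\' so it can be mapped under a local root."""
    win = PureWindowsPath(reported)
    parts = win.parts
    return parts[1:] if win.anchor else parts


def _child(cur: Path, part: str) -> Path:
    """Case-insensitive child lookup, mimicking NTFS name matching."""
    direct = cur / part
    if direct.exists() or not cur.is_dir():
        return direct
    for entry in cur.iterdir():
        if entry.name.lower() == part.lower():
            return entry
    return direct


def _walk(root: Path, parts):
    """Resolve `parts` under `root` one component at a time."""
    cur = root
    for part in parts:
        cur = _child(cur, part)
        yield cur


def file_prefix(reported: str, root: Path):
    """Return the first parent component of `reported` that is a regular
    file (rendered as a Windows-style relative path), or None if every
    parent is a directory or simply does not exist."""
    parts = _components(reported)
    for step in _walk(root, parts[:-1]):
        if step.is_file():
            return str(PureWindowsPath(*step.relative_to(root).parts))
    return None


def triage(reports, root: Path) -> dict:
    """Classify each reported path as 'impossible', 'exists' or 'missing'."""
    result = {}
    for reported in reports:
        bad = file_prefix(reported, root)
        if bad is not None:
            result[reported] = f"impossible: '{bad}' is a file, not a folder"
            continue
        parts = _components(reported)
        final = list(_walk(root, parts))[-1] if parts else root
        result[reported] = "exists" if final.exists() else "missing"
    return result


def build_fixture() -> Path:
    """Construct a fake system drive under a temp dir (constructed data)."""
    root = Path(tempfile.mkdtemp(prefix="fake_drive_"))
    sys32 = root / "Windows" / "system32"
    (sys32 / "drivers").mkdir(parents=True)
    (sys32 / "spoolss.dll").write_bytes(b"MZ fake dll")      # a file, not a folder
    (sys32 / "setupapi.dll").write_bytes(b"MZ fake dll")     # a file, not a folder
    (sys32 / "drivers" / "real.sys").write_bytes(b"fake driver")
    return root


# Sample reports modelled on the paths quoted in this thread (constructed).
SAMPLE_REPORTS = [
    r"Windows\system32\spoolss.dll\drivers\w32x86\BROFX05A.dll",
    r"c:\windows\system32\setupapi.dll\medctroc.dll",
    r"C:\Windows\system32\drivers\real.sys",
    r"C:\Windows\system32\drivers\missing.sys",
]

if __name__ == "__main__":
    drive = build_fixture()
    for path, verdict in triage(SAMPLE_REPORTS, drive).items():
        print(f"{verdict:60s} {path}")
```

Any report classified as "impossible" is a defect in how the scanner composed the path rather than a hidden file on disk, which is exactly the triage question this thread is circling around.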

polipodi

  • Guest
Re: New version finds rootkit hidden files - can't delete & nothing else does
« Reply #86 on: December 26, 2008, 06:49:01 PM »
Yeah, in my case one of the detected files is
"c:\windows\system32\setupapi.dll\medctroc.dll"
and obviously "c:\windows\system32\setupapi.dll" is a file, not a folder, and not an archive.
Note also that I get several occurrences under "setupapi.dll": medctroc.dll, ehOCGen.dll, plusoc.dll.
And finally, all these files are located in the folder "c:\windows\system32\Setup"

> Great! So, the symptoms are the same - obviously wrong file paths, right?
> For example: C:\Windows\system32\spoolss.dll\drivers\something
> - where spoolss.dll is a file, not a folder, i.e. there can't be any further path following.


Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11658
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re: New version finds rootkit hidden files - can't delete & nothing else does
« Reply #87 on: December 26, 2008, 08:05:20 PM »
polipodi,

I sent you an email.
Again, thanks for your willingness to help to solve this pesky problem.

Cheers
Vlk
If at first you don't succeed, then skydiving's not for you.

yare

  • Guest
Re: New version finds rootkit hidden files - can't delete & nothing else does
« Reply #88 on: December 26, 2008, 09:23:39 PM »
I am experiencing same problems as all the folks that have posted here. Hopefully solution will be found soon.

I am running avast! 4.8 Home Edition (updated today to the last version, virus db update December 26th 2008) on Windows 2000 SP4 on a custom built PC.

I use several tools beside avast! (S&D, SuperAntiSpyware and MalwareBytes' AntiMalware), have updated all of them and ran scans but no malware/rootkits were found.

Avast! reports several rootkits (heuristic warnings) within spoolsv.exe and spoolss.dll files (same scenario -> after selecting to ignore these findings I receive "Virus in active memory" warning and then I am prompted to perform boot-scan. Boot scan ends up ok - no virus found).

In the meantime I tried to disable root-kit detection (avast! menu -> Settings -> troubleshooting -> Disable root-kit detection), as suggested in this thread, but without success - when I start local disk scan it moves on through windows system folder and then reports above mentioned error. I guess I am safe enough because boot-scan returned no virus/malware found (am I right?) but would like to be able to run disk scan from Windows.

Can someone tell me what I am doing wrong?
Thank you.
« Last Edit: December 26, 2008, 09:51:12 PM by yare »

kd5

  • Guest
Re: New version finds rootkit hidden files - can't delete & nothing else does
« Reply #89 on: December 27, 2008, 02:08:27 PM »
> The computer I was having a problem with now has a new hard drive and a fresh XP Home installation. Sorry but I could not delay the repair I was doing on that computer. Turns out the hard drive had numerous errors and SeaTools refused to repair after 99 errors were found. Don't know if that has anything to do with this problem or not, I'll be reinstalling updates/software for a couple of days, the printer software is always one of the last things I install. We'll see how it turns out, I'll let you know if I get the same report with this fresh install. -kd5-

Got the computer back up and running, installed and ran Avast! both before and after the HP printer installation, no rootkits were found. The same applications that were on the computer before have been reinstalled so I have to assume the rootkit problem had something to do with the 99+ errors SeaTools found on the previous hard drive. Have no idea what the errors were about but I wasn't taking any chances, a 20gb 5400rpm hard drive is woefully inadequate for an acceptable Windows XP installation anyway... ::) -kd5-