Topic: 80+ False Positives being reported on Acer Aspire 3000 help please...thankyou


vetinari

  • Guest
Hello, I'm a newbie here so not sure what I should put, so here goes. The other day, Avast free edition found loads of rootkits on my laptop. I scan every 2 days or so and nothing had been found up until that date, so I was very surprised to find rootkits on my laptop.

There was a tick in the send to Avast box but I didn't know how to send them?

Avast suggested that I do a scan on bootup which I did and nothing was found.

I've since scanned my laptop with Homestart/ Nod/ F-Secure/ online scanners and nothing was found.

Using Jotti I scanned a selection of the files said to contain rootkit problem and they were clean.

I've sent a HijackThis log off to malware University asking for their help. (This was before I found this site)

Scanning today has shown the same files again saying they have a Rootkit infection.

I've read some of the postings and know some of the files could be false positives but which ones if any?

Is there any way I can cut and paste the list of files shown onto a posting?

The version of Avast I'm using is as follows:

4.8 Dec2008 (4.8.1296)

Thank you for your help.


Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
There is a well known bug with Acer computers.
They're working on it.
Until then, as a workaround, disable rootkit scanning in the Troubleshooting tab of program settings.
The best things in life are free.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33926
  • malware fighter
Hi vetinari,

This issue has been coming up here several times, apparently a FP from the rootkit heuristic scanner for this bundle of files.
Upload one of these typical Acer files to virustotal.com and you see that not many AV scanners flag it, and those that do share the same rootkit scanner. Exclude the files from scanning for the moment in the way Tech explains. An update will eventually revise the heuristics for these kinds of files.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89211
  • No support PMs thanks
You don't need to know as it should be done automatically (uploaded to avast) as part of the avast update process (auto or manual initiation).

Have you got the latest VPS update, which is 081215-1? There has been some work on this area, so it might help reduce the reporting.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

vetinari

  • Guest
Hello everyone,

I've put a tick in the 'Disable rootkit scan on system startup' box in Troubleshooting (as suggested by Tech), and clicked on OK.

I then restarted my laptop and re-run Avast, it's still finding the same files as before and saying there is a Rootkit in them.

So how do I check that there really is not a Rootkit problem on my laptop?

Thank you in advance for any help provided :-)




Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
> re-run Avast

Do you mean you start a scanning? If so, you're doing the same as the first rootkit scanning...
That setting will disable the automatic scan (until they correct it), but you're manually starting another... am I wrong?

vetinari

  • Guest
Hi Tech, I mean when I start a scan myself. I did not know you could do an automatic scan with the Avast! Free edition.

This is what I do when preparing to scan with Avast.

I turn laptop on,

wait until I hear Avast has updated,

then click on the desktop icon for Avast.

I wait until the Avast memory scan is over

then do a thorough scan by clicking on the drive icon and then scan button on the left hand side of Avast.

How do I set Avast up to do an automatic scan?

Thank you,

Mike

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
> I did not know you could do an automatic scan with the Avast! Free edition.

You can't... the only one is the rootkit scanning 8 minutes after booting...

vetinari

  • Guest
Hello Tech, could you please explain how I scan for Rootkits automatically after eight minutes then?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89211
  • No support PMs thanks
You don't have to; the anti-rootkit scan is an integral part of avast and is automatic, unless you choose to disable it.

vetinari

  • Guest
Hello DavidR, I've just heard Avast update and ran the scan as normal. It's still finding files that it says have a Rootkit problem.

Does this mean I'll just have to wait until the people at Avast Towers work a fix for this.

Any idea how long this takes?

How do you go about detecting if any real Rootkits find their way onto my laptop whilst the scanning for Rootkits is turned off???


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89211
  • No support PMs thanks
What are the file names and location?
Some details about your system wouldn't go amiss: make/manufacturer, laptop/desktop, etc.?

These are considered suspicious (yes), if so then the recommended course of action is to click ignore and allow it to be sent to avast for analysis.

I have no idea how long this takes to analyse, I'm an avast user just like you.

Personally I wouldn't disable the anti-rootkit scan; how else would you know if it has been fixed? And your submissions would bump the analysis process, I would think.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
> Does this mean I'll just have to wait until the people at Avast Towers work a fix for this.

Right now, we have no other option...

> Any idea how long this takes?

We're users... but we hope soon.

> How do you go about detecting if any real Rootkits find their way onto my laptop whilst the scanning for Rootkits is turned off???

The only thing you're disabling is the automatic scanning, not the avast protection for rootkits. You can always manually start a scan. Just the actual situation is that the rootkit scanner is detecting false positives... the user can't use his/her computer with confidence... warnings, recurring problems with detections... how can we stand for a computer that each boot is bringing false alerts? ???

vetinari

  • Guest
Hello all, in reply to DavidR: my system is an Acer Aspire 3000 laptop. My operating system is XP Home, SP3.

There are about 90 files being shown as having rootkit infection. Unfortunately I cannot find a way to copy and paste them to here, so here are just four of them:

C:\WINDOWS\system32\autorun\acer.ico\ScmSvr\Setup.exe
C:\WINDOWS\system32\autorun\acer.ico\TOOLS\LaunchRS.ocx
C:\WINDOWS\system.ini\ACEAPCTL.OCX
C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\7.0.5000.0_b03f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll

These four files represent the groups of files where Avast starts to detect Rootkits.

I hope this helps,

Mike

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89211
  • No support PMs thanks
Currently there would appear to be an issue with detection of some Acer laptop files by the anti-rootkit scan (as per this topic title) and it is being looked into. There are a few other topics relating to that; try a forum search for Acer and see if you can get some more info.

I would suggest that when detected you a) allow samples to be sent to avast for analysis, b) click Ignore, which I believe is the recommended action in the alert.

One of the Alwil software developers is asking if someone would be prepared to allow a remote link so they can look in depth to try and find the cause.

Hopefully this won't take too long to resolve.