Avast Home says I have rootkits in memory

Hello- I have a notebook running XP Pro SP2. I got a notice last night that the Avast free version had detected a rootkit in memory. Just before this happened my firewall (On-Line Armour) blocked a request for drivers from Ashserv.exe. The log viewer gave this as the error:

“Internal error has occurred in module basEncodeFileToSumit failed! , function 00000020”

All the rootkits appeared to be in the drivers on the popup box. I can't find a log for that though. It said I needed to do a boot scan to detect the malware before it loads. I did a boot scan with Avast and a Windows scan but it found nothing. I also used Malwarebytes and Ad-Aware and those scans were clean as well. Was this notice caused by the internal error or is there a rootkit problem? TIA

Hi VanHelsing,

Download the ThreatExpert Memory Scanner from here:
http://www.threatexpert.com/memoryscanner.aspx

There you should get results for things that try to hide and are still running in memory;
report the findings here,

polonus

Hello- thanks for the quick response. I have downloaded and run the program. Here are the results:

Scan details:
Scan started: Sunday, December 06, 2009 20:36:06
Scan time: 01 minutes, 42 seconds
Number of memory objects scanned: 7834
processes: 50
modules: 2232
heap pages: 5552
Number of suspicious memory objects detected: 0
Number of malicious memory objects detected: 0
Overall Risk Level: Safe
Summary of the detected threat characteristics:
No suspicious characteristics detected.
Summary of the detected memory objects:
No suspicious memory objects detected.

Hi Vanhelsing,

It looked like your avast detected something in an Ad-Aware encrypted file,
because last time I used Ad-Aware their engine crashed with avast.

But it needs to be checked again.

OK, so are you saying I need to run Ad-Aware again? Thanks!

Hi Vanhelsing,

Sorry,
I mean would you please try to shut off your Ad-Aware and then scan again with avast.

Windows XP Service Pack 3 has been available for over a year and provides many Critical Updates plus performance improvements.

You need to start Internet Explorer then go to Tools then Windows Update and download all of the available updates.

Go to Control Panel then Automatic Updates then select Automatic (recommended) or at least Notify me but don’t automatically download or install them.

Go to Secunia Online Software Inspector then run it to see what other applications are vulnerable:
http://secunia.com/vulnerability_scanning/online

Hello- OK, I disabled Ad-Aware and scanned again with Avast Home and the scan was clean. I remember around the time that this happened Malwarebytes had an automatic update which was a version change. And I restarted the computer and Online-Armour said it had blocked a request for drivers from Ashserv.exe. I looked in the history in OA and it said this:

C:\Program Files\Alwil Software\Avast4\ashServ.exe wants to get a list of the files C:\Windows\system32\drivers*.*
C:\Program Files\Alwil Software\Avast4\ashServ.exe wants to get a list of the files C:\Windows\system32\drivers\disdn*.*
C:\Program Files\Alwil Software\Avast4\ashServ.exe wants to get a list of the files C:\Windows\system32\drivers\etc*.*
C:\Program Files\Alwil Software\Avast4\ashServ.exe wants to get a list of the files C:\Windows\system32\drivers\UMDF*.*

All of these were blocked. And then I got the warning from Avast Home saying it had detected rootkits in memory using the heuristic scan method. The pop-up box list had all these drivers as being infected. I can't find a log of that though in Avast Home. I did the recommended boot scan and it found nothing. I have since used Malwarebytes, Ad-Aware and Rootkit Buster and all scans were clean. Please advise, thanks!

Hi Van Helsing,

I am not sure what exactly causes this problem yet,

But as David mentioned to me at : http://forum.avast.com/index.php?topic=51183.0

Like : “as if windows defender is so stupid as to put unencrypted signatures into memory, you can hardly expect signature based detections of other AVs not to detect them”

And in my experience, using Lavasoft Ad-Aware caused my avast engine to crash and my OS became slow.

So I expect that you run some anti-spyware product which causes this problem.

So it is an incompatibility issue and not a rootkit? I cannot replicate the warnings again with any rootkit scanner. Not even Avast! And this warning was not the typical warning with the nuclear-sign-labelled box. This was a small box that gave me a choice to ignore. And it seemed that all the files in the box were drivers. Like a list of drivers that Avast was looking for but the On-Line Armour firewall blocked. I did a search for rootkits on this site and it seems when people are infected Avast keeps finding things. I have not had another warning and all scans come up clean. Can someone recommend a good rootkit scanner? I have tried Rootkit Buster, Ad-Aware and Malwarebytes. Thanks again for your help.

Hi Vanhelsing,

avast itself already includes an anti-rootkit, but if you are looking for a separate anti-rootkit you could visit: http://www.antirootkit.com/software/index.htm

Good luck to you

Hello- I ran a GMER scan and here is the result:

GMER 1.0.15.15273 - http://www.gmer.net
Rootkit quick scan 2009-12-08 12:08:55
Windows 5.1.2600 Service Pack 2
Running: sfmspyn1.exe; Driver: C:\DOCUME~1\VANHAL~1\LOCALS~1\Temp\agtorpow.sys

---- System - GMER 1.0.15 ----

SSDT ??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwEnumerateKey [0xEB9E2070]
SSDT ??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwEnumerateValueKey [0xEB9E20A0]
SSDT ??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwQueryDirectoryFile [0xEB9D4A10]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device \Driver\Tcpip \Device\Ip OAmon.sys (TDI Helper Driver/Tall Emu)

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\Tcpip \Device\Tcp OAmon.sys (TDI Helper Driver/Tall Emu)

AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\Tcpip \Device\Udp OAmon.sys (TDI Helper Driver/Tall Emu)

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\Tcpip \Device\RawIp OAmon.sys (TDI Helper Driver/Tall Emu)

AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 eabfiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)

---- EOF - GMER 1.0.15 ----

Does this look ok? Nothing shows up in RED. Thanks again.
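An added example, not part of the thread and not GMER's own code: a small Python triage of the GMER log posted above. It parses the SSDT and Devices sections, records which kernel-mode module owns each SSDT hook and each attached device, and flags any module GMER could not attribute to a vendor on the analyst's allowlist. The allowlist here is an assumption built from the products the poster says are installed (Online Armor by Tall Emu, avast! by ALWIL, the Synaptics and HP keyboard filters); the `example.sys` line is a constructed, hypothetical input that shows what an unattributed hook would look like, and the mapping of Zw* functions to what they enumerate is general Windows knowledge, not something GMER reports.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the SSDT section and a subset of the Devices section,
# copied from the GMER 1.0.15 log posted above, as extracted there.
GMER_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT ??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwEnumerateKey [0xEB9E2070]
SSDT ??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwEnumerateValueKey [0xEB9E20A0]
SSDT ??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwQueryDirectoryFile [0xEB9D4A10]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
Device \Driver\Tcpip \Device\Ip OAmon.sys (TDI Helper Driver/Tall Emu)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 eabfiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)

---- EOF - GMER 1.0.15 ----
"""

# Constructed, hypothetical line (NOT from the posted log): a hook owned by a
# module GMER printed without any "(description/vendor)" attribution.
UNATTRIBUTED_LINE = r"SSDT ??\C:\WINDOWS\system32\drivers\example.sys ZwQuerySystemInformation [0xEB000000]"

# Assumption: vendors of the security/hardware drivers the poster says are installed.
KNOWN_VENDORS = {
    "Tall Emu",                                   # Online Armor
    "ALWIL Software",                             # avast!
    "Synaptics, Inc.",
    "Hewlett-Packard Development Company, L.P.",
}

# What a hook on each syscall lets the owning driver filter (general Windows knowledge).
ENUMERATION_HOOKS = {
    "ZwQueryDirectoryFile": "file/directory listing",
    "ZwEnumerateKey": "registry key enumeration",
    "ZwEnumerateValueKey": "registry value enumeration",
    "ZwQuerySystemInformation": "process/module listing",
}

SSDT_RE = re.compile(
    r"^SSDT\s+(?P<module>\S+)\s+(?:\((?P<desc>[^)]*)\)\s+)?(?P<func>Zw\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]\s*$")
DEVICE_RE = re.compile(
    r"^(?P<kind>AttachedDevice|Device)\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+(?P<module>\S+)(?:\s+\((?P<desc>[^)]*)\))?\s*$")


@dataclass
class SsdtHook:
    module: str
    vendor: Optional[str]
    func: str
    addr: int


@dataclass
class DeviceEntry:
    kind: str
    driver: str
    device: str
    module: str
    vendor: Optional[str]


def vendor_of(desc: Optional[str]) -> Optional[str]:
    """GMER prints '(description/vendor)' after a module it could identify; take the vendor part."""
    if not desc or "/" not in desc:
        return None
    return desc.rsplit("/", 1)[1].strip()


def parse_gmer(text: str) -> Tuple[List[SsdtHook], List[DeviceEntry]]:
    """Extract SSDT hooks and (attached) device entries; other log lines are ignored."""
    hooks: List[SsdtHook] = []
    devices: List[DeviceEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SSDT_RE.match(line)
        if m:
            hooks.append(SsdtHook(m["module"], vendor_of(m["desc"]), m["func"], int(m["addr"], 16)))
            continue
        m = DEVICE_RE.match(line)
        if m:
            devices.append(DeviceEntry(m["kind"], m["driver"], m["device"], m["module"], vendor_of(m["desc"])))
    return hooks, devices


def triage(hooks: List[SsdtHook], devices: List[DeviceEntry],
           known_vendors=KNOWN_VENDORS) -> Tuple[List[str], Dict[str, str]]:
    """Return (modules not attributed to an allowlisted vendor, {hooked enumeration syscall: owning module})."""
    unattributed = {h.module for h in hooks if h.vendor not in known_vendors}
    unattributed |= {d.module for d in devices if d.vendor not in known_vendors}
    enumeration = {h.func: h.module for h in hooks if h.func in ENUMERATION_HOOKS}
    return sorted(unattributed), enumeration


if __name__ == "__main__":
    hooks, devices = parse_gmer(GMER_LOG)
    flagged, enum_hooks = triage(hooks, devices)
    print("SSDT hooks:", len(hooks), "devices:", len(devices), "unattributed:", flagged)
    for func, module in enum_hooks.items():
        print(f"{func} hooked by {module}: can filter {ENUMERATION_HOOKS[func]}")
```

Read against the thread: the only SSDT hooks are all owned by OADriver.sys, and one of them is ZwQueryDirectoryFile, the syscall behind directory listings. That is the same firewall driver whose blocks of ashServ.exe listing `C:\Windows\system32\drivers\*.*` appear in the Online Armor history, so a heuristic that compares what the file API returns with what it expects to find in the drivers directory would disagree exactly on those entries. An unknown module owning such a hook (the shape of the constructed `example.sys` line) is what would justify further digging; a hook by an installed, named security product is expected.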

Hi Van Helsing,

It looks like none of your applications are harmful to your system.
Just stay aware and update your avast or other antivirus, and protect with anti-spyware if needed or a desktop firewall (but avast 5 will be released with comprehensive protection).

Thank you