My first post here. I’ve been a user for 2 years and I have to say that Avast! is a welcome change from Symantec.
I run Spy Sweeper 3 nights a week on a scheduled scan and have never had anything but cookies removed previously. This morning I got a report that a “potentially rootkit masked registry is in use”. I let Spy Sweeper quarantine it and then checked to see what it was. To my surprise, it was related to Avast!. I don’t know what the significance of this is or the effect it might have on my Avast! installation. Below I have pasted the excerpt from the Spy Sweeper log of the event with the relevant sections in red. Any and all thoughts will be appreciated.
9:57 AM: ApplicationMinimized - EXIT
9:57 AM: ApplicationMinimized - ENTER
9:57 AM: Informational: ShieldEmail: Start monitoring port 25 for mail activities
E-mail Attachment: On
9:57 AM: Informational: ShieldEmail: Start monitoring port 110 for mail activities
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
9:57 AM: Warning: Unable to secure run key from ambiguous path exploit for HKLM\Software\Microsoft\Windows\CurrentVersion\Run\avast!. Failure: SRegSetDataFailed -1-
Common Ad Sites: On
Hosts File Shield: On
Internet Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
File System Shield: On
Execution Shield: On
System Services Shield: On
IE Hijack Shield: On
Tracking Cookies Shield: On
9:57 AM: Shield States
9:57 AM: Spyware Definitions: 1388
9:56 AM: Webroot Software 6.0.2.22 started
9:56 AM: | Start of Session, Saturday, February 14, 2009 |
9:52 AM: Removal process completed. Elapsed time 00:00:12
9:52 AM: Preparing to restart your computer. Please wait…
9:52 AM: HKLM: SOFTWARE\ALWIL Software\Avast\4.0 || UpdateReady is in use. It will be removed on reboot.
9:52 AM: potentially rootkit-masked registry is in use. It will be removed on reboot.
9:52 AM: Quarantining All Traces: potentially rootkit-masked registry
9:52 AM: Removal process initiated
3:09 AM: Traces Found: 1
3:09 AM: Scheduled Sweep has completed. Elapsed time 00:08:58
3:09 AM: File Sweep Complete, Elapsed Time: 00:04:20
3:04 AM: Starting File Sweep
3:04 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
3:04 AM: Starting Cookie Sweep
3:04 AM: Registry Sweep Complete, Elapsed Time:00:01:07
3:04 AM: HKLM\SOFTWARE\ALWIL Software\Avast\4.0 || UpdateReady (ID = 0)
3:04 AM: Found System Monitor: potentially rootkit-masked registry
3:03 AM: Starting Registry Sweep
3:03 AM: Memory Sweep Complete, Elapsed Time: 00:03:19
3:00 AM: Starting Memory Sweep
3:00 AM: Start Scheduled Sweep
3:00 AM: Sweep initiated using definitions version 1388
Thanks for jumping in CharleyO. I should add that I’m awaiting an email response from Webroot Support (SpySweeper) to see if they can shed any light on this one.
My suspicion is that it’s a false positive caused when Avast! was checking for an update and SpySweeper was running a scan and didn’t like the activity. But that’s just speculation.
I received a canned response from Webroot support that was of no help at all. I’m chalking this one up to the foibles of computers and closing the thread. Thanks.
Thanks for your reply. Good to have an expert agree with my assessment.
To answer your question… Yes, I used the Norton removal tool to rid myself of the “Symantec infection” and followed up with a registry search for Symantec, Live Update and LUCOM just to be as sure as possible that I got all traces of it and its Live Update companion.
I haven’t had any AV issues since then, until now. I have to say, that if this is all the trouble Avast! causes (one false positive in almost 2 years), I’m a fan.
Well, it isn’t avast that causes a false positive in Spy Sweeper, but Spy Sweeper incorrectly identifying an avast registry entry as a “potentially rootkit masked registry is in use”.
In this case avast is the innocent party and Spy Sweeper at fault, though false positives are a fact of life, especially when the word ‘potentially’ or ‘possible’ is used as they aren’t 100% or they would use an affirmative statement. When these words are used it is normally an indication that a generic or heuristic/behavioural method has been used, which are more prone to false positives.
Nothing that I would classify as “Help”. They sent a form email with 4 or 5 prepackaged “suggestions” of possible solutions to try. None of their options applied to my situation and I deleted the email without responding as there was a notation at the bottom that listed my problem as “Closed”.
I agree that this was not anything that Avast! did, but SpySweeper incorrectly identifying normal Avast! activity as a “potential” threat. The false positive appears to be related to Avast! update activity. I was just checking to make sure it wasn’t a known issue or problem. Better safe than sorry.
As I said earlier, I’m very pleased with Avast! and recommend it at every opportunity.