I just did an Avast “Thorough” scan with “Scan Archives” enabled out in SAFE MODE. The Error log after the scan has this entry:

Internal Error has occurred in module aswar scan function failed, function 00000002.

I’ve tried calling up a search of the forums every way I can think of but get no results. Can anyone shed any light on this error message? Other than this one log error entry, the scan results screen just showed what I would expect, just 3 files that were not scanned due to the fact they were SAS quarantined files and PW protected, which I know is normal. ;).

If it’s important, Event Viewer is showing this System error:

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7026
Date: 3/12/2009
Time: 1:47:00 PM
User: N/A
Computer: HOME-23AB30824B
Description:
The following boot-start or system-start driver(s) failed to load:
Aavmker4
AFD
aswSP
aswTdi
cmdGuard
cmdHlp
Fips
intelppm
IPSec
MRxSmb
NetBIOS
NetBT
RasAcd
Rdbss
SASDIFSV
SASKUTIL
Tcpip

Also this event msg at the same time:

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7001
Date: 3/12/2009
Time: 1:47:00 PM
User: N/A
Computer: HOME-23AB30824B
Description:
The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error:
A device attached to the system is not functioning.

And this one:

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7001
Date: 3/12/2009
Time: 1:47:00 PM
User: N/A
Computer: HOME-23AB30824B
Description:
The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error:
A device attached to the system is not functioning.

And this one:

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7001
Date: 3/12/2009
Time: 1:47:00 PM
User: N/A
Computer: HOME-23AB30824B
Description:
The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:
A device attached to the system is not functioning.

And lastly, this event message:

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7001
Date: 3/12/2009
Time: 1:47:00 PM
User: N/A
Computer: HOME-23AB30824B
Description:
The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error:
A device attached to the system is not functioning.

I have checked Device manager and upon expanding all items, there are no hardware problems. No Exclamation Marks to the left of anything. My ATT DSL modem/router appears to be working OK. It lets me access the internet OK with all 3 lights green. My pc was wiped and aclean install of WinXP was done on Feb 12th. Maybe I need to call AT&T tech support and ask if something needs to be reset on the modem. Maybe it isn’t assigning my dynamic IP in a timely fashion and this is causing the drivers in the first msg to not load properly? Dunno. I welcome any input.

Hmmmmmm. I just ran my wonderful little utility SIW (System Information for Windows) and is shows all of the drivers in the first Event msg ARE loaded and are RUNNING. That would appear to support my thought that they are trying to load before my modem/router does its thing & assigns my dynamic IP address and thus momentarily causes this System msg? This HW technical stuff is way over my head, but that would seem to be what might be happening on that issue.

But that doesn’t resolve the Avast error message.

They would show the drivers, etc. are running as SIW would be running in normal mode and you ran your scan from safe mode. In safe mode there are many drivers/programs that don’t run and that may have been why the anti-rootkit (aswar), but error 2 (00000002) = The system cannot find the file specified, is strange.

So I think the errors could be related to running from safe mode (as avast doesn’t normallt start in safe mode) though I can’t say for sure.

However, the real question is why did you feel it necessary to do a scan from safe mode ?

When you could have run the same scan from normal mode or even scheduled a boot-time scan.

Duh! Now why didn’t I think of that, David? This is a recent clean install of Avast, too, I might add. The reason I like to go out to safe mode to do my weekly scans is because if done in normal mode, my Comodo CIS with Defense+ (HIPS) protects so dang many files from being opened that it causes Avast to render all sorts of errors about not being able to scan half of the executables and files you would WANT it to scan. Took me awhile to figure that one out. But when I turn off my FW those “can’t scan” errors do not appear in the avast log viewer, so I know Comodo’s protecting them from all attempts to open/access.

To be quite honest, I never remember/think about boot scans unless I suspect adware of some sort. I don’t think I thought to check the logs the last time I ran a boot scan, either. I’ll schedule a boot scan in a bit to see if the logs show any of those Comodo induced “can’t scan” errors. The Comodo forums reconfirmed just this week that CIS with D+ uses sandbox technology and is awake protecting my pc even during boot up!

Well a boot-time scan would be even better then as it is before windows runs, so even less likelihood of defence+ interference ;D

Not to mention it doesn’t mess with your screen resolution, reorganising your desktop icons, etc.

However, it shouldn’t take long before defence+ should learn about the avast scan in normal mode from your answers to the pop-ups.

Well, even granting Avast Trusted Application status in Comodo does not stop the “can’t scan” messages in my logs. But also because of Trusted Application status and the fact that it is now in Clean PC mode, I don’t get any D+ pop up alerts during Avast scans. Guess I could take away that Trusted status, remove all Avast scanner D+ rules for ashquick, aswboot and ashsimpl (did I forget any?) , reset D+ to Training Mode and force it to learn all over again.

FWIW I just did a boot scan and not only did it let Avast scan all files, it did so with NO “can’t scan” error messages on system files, etc.

I don’t think it’s AT&T’s fault. Attempting to contact the author.

Personally I wouldn’t remove the avast trusted status.

With the files that can’t be scanned, are they for a common area, like the comodo folder, etc. ?
Give some examples of common areas, the file names, the locations and why avast can’t scan them.

I would say that the boot-time scan is your best option then for less hassle.

:o :-[ You’re not gonna believe this, David. But twice now this evening I’ve not been able to reproduce the “Can’t Scan” error messages on System executables that Avast has given me for ages now if scan was done in Normal Mode with Comodo running. All I’m seeing in the log of the scan I did this evening, with Comodo left on, is attached to this post.

My recent clean uninstall/reinstall of both Comodo and Avast (in that order) must have cleared up some problem or conflict with the two programs? Who knows. I don’t think I’ve changed any D+ rules regarding Avast that would account for the errors vanishing from my logs. :-\ It would appear I can now scan in normal mode without those warnings/errors anymore. So my Avast will remain in the sacred status of Trusted Application in my Comodo settings. As always, thanks for your time and help resolving this mystery.

Well I don’t see any problem with the information in your .txt attachment and there is absolutely nothing that avast can do about it as error 5 is access denied and that access is set by the application.

Though why firefox would protect these Profile, sessionstore.js, prefs.js settings and Preferences for the extensions, adblockplus.js and noscript.js is beyond me.

If they are different preferences to that of the account that you are logged on to do the scan may be the issue, but that shouldn’t be the issue if doing a boot-time scan and I don’t believe these entries would get placed in the avast log viewer during a boot-time scan.

I keep my nose out of the logs for this very reason, they frequently produce more confusion and questions than answers. Unless there is an error displayed to the screen (and a file that can’t be scanned isn’t something I would be concerned with) I don’t go looking for trouble.

I would also hazard a guess that if you didn’t do a Thorough scan that there files wouldn’t be scanned, I feel a Standard scan without Archives is more than adequate on say a weekly basis. I would only do a thorough scan if I had a suspicion that there might be a problem. After all you have the resident scanners working on files that are accessed.

I concur totally. I rarely include archives in my scans more than say once a month. But I saw some odd things in my Win Event Viewer and thought I’d do a more thorough scan just in case something was sneaking by the standard scan. Thanks again, and have a great weekend!

Again I keep my nose out of the event viewer for the same reasons, they generate more questions than answers. Unless there is something clearly wrong with my computer (and it happens regularly) or errors are being displayed to the screen, ignorance is bliss.

However, you are right to do a thorough scan if you thing something is wrong, but if it is getting past the standard scan, it is in a file type that isn’t considered a high risk of infection, that is what the Quick and Standard sensitivity are hunting for, files that are commonly infected and or executable, see image of avast help file.

The rest are of a lessor risk and the through scan would scan ‘all’ files, so I don’t believe you find that much more than a standard scan. I think where a difference is seen is when archives are scanned, which by their nature are inert until extracted and the contents run, before that the standard shield should have scanned those considered a risk.

Well, thanks for clarifying the focus of each scan, David. On that note, I’ll be doing Standard scans, and in Normal Mode, much more often. Hopefully with a lot less chatter from Avast’s logging in future

You’re welcome, though I would suggest the Standard scan sensitivity as the best performance/protection compromise.