Hi, wonder if someone can advise me: when I do a thorough virus scan with Avast, after about 10 mins it says infected hidden files (using heuristic method).
Avast asks if I want to delete them, so I try to, but the files do not delete. Then I get a message from Avast saying there is a virus in my "operation memory" (something like that anyway), then it asks me if I would like Avast to restart my computer and scan from boot mode. I opt yes, the computer restarts and Avast scans before the computer loads up, only no virus is then detected.
I've been doing this now for about a week. I have used System Restore, with the same results. Don't understand why Avast says there is a virus and then can't find it. Help please.
Can you say what is the infected file name, where was it found (C:\windows\system32\infected-file-name.xxx)?
What avast! version and virus database are you using? (see About dialog of avast!)
Since this is a detection in the anti-rootkit scan (8 minutes after boot, I believe), you won't see anything in the log viewer (warning section) where it would normally be reported. Check out the C:\Program Files\Alwil Software\Avast4\DATA\report\aswBoot.txt file using Notepad and report any files listed in that as infected/suspect/hidden, etc.
[quote author=Tech link=topic=40826.msg342291#msg342291 date=1228946818]
Can you say what is the infected file name, where was it found (C:\windows\system32\infected-file-name.xxx)?
What avast! version and virus database are you using? (see About dialog of avast!)
[/quote]
Hi, thanks for replying. Avast has allegedly found 21 infected files. I am using Avast4 and most of the files seem to be, for example:
c:\windows\system32\spoolssv.exe\drivers..\netitdrv.dll Rootkit:hidden file
c:\windows\system32\spoolssv.exe\drivers..Rasddui.dll
c:\windows\1386\DR WATSON.EX_\faulth.DLL
I have also checked the DATA report for any infected files listed and it states no infected files, all clear.
If I reload my computer with my Reload CD, do you think I can get rid of them?
Thanks
[quote author=DavidR link=topic=40826.msg342450#msg342450 date=1229005477]
Since this is a detection in the anti-rootkit scan (8 minutes after boot, I believe), you won't see anything in the log viewer (warning section) where it would normally be reported. Check out the C:\Program Files\Alwil Software\Avast4\DATA\report\aswBoot.txt file using Notepad and report any files listed in that as infected/suspect/hidden, etc.
[/quote]
If I reload my computer, do you think I can get rid of them?
Thanks
Well, this is somewhat suspect as a folder name, spoolssv.exe, as in both the entries below; folders normally don't have a dot in them. So it looks like it is trying to masquerade as the system file spoolsv.exe (note the additional s of the suspect one, spoolssv.exe).
c:\windows\system32\[b]spoolssv.exe[/b]\drivers..\netitdrv.dll Rootkit:hidden file
c:\windows\system32\[b]spoolssv.exe[/b]\drivers..Rasddui.dll
If this is a file and not a folder, there are lots of hits on a Google search for that name confirming it is undesirable, so the detections would appear to be good.
If this is being reported as a rootkit, it isn't surprising that you can't find them; that is the whole point of a rootkit, it hides from the Windows APIs, Explorer, etc.
There might be an outside chance that you could find it, but it is probably marked as hidden. Ensure that you have hidden files and folders enabled and disable "hide system files" in Windows Explorer, Tools, Folder Options, Hidden files and folders (see image).
Also see anti-rootkit detection, removal & protection: http://www.antirootkit.com/software/index.htm. Try these, as they are some of the more efficient and user-friendly anti-rootkit tools.
- Panda Rootkit Cleaner - http://research.pandasoftware.com/blogs/images/AntiRootkit.zip.
- Trend Micro RootkitBuster - http://www.trendmicro.com/download/rbuster.asp
- F-Secure BlackLight (may not always be available) - http://www.f-secure.com/blacklight
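The two things DavidR reads off the report by eye, a folder whose name carries an executable extension and a name one letter away from a legitimate Windows binary, can be checked mechanically over every path in aswBoot.txt. The script below is an added example, not code from this thread or from avast; the report lines are constructed from the paths quoted above, the list of system binaries is a short constructed one, and splitting the verdict off at " Rootkit:" is an assumption about the report format.

```python
"""Triage helper for rootkit-report paths (added example, not avast's own code)."""
from typing import Dict, List, Optional

# Legitimate Windows binaries that malware imitates by adding or swapping one letter.
# Constructed, deliberately short list; extend it for real use.
KNOWN_SYSTEM_BINARIES = {
    "spoolsv.exe", "svchost.exe", "lsass.exe", "csrss.exe",
    "winlogon.exe", "services.exe", "explorer.exe",
}
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".sys", ".scr"}

# Constructed sample report, modelled on the lines quoted in the thread.
SAMPLE_REPORT = [
    r"c:\windows\system32\spoolssv.exe\drivers\netitdrv.dll Rootkit:hidden file",
    r"c:\windows\system32\spoolssv.exe\drivers\Rasddui.dll Rootkit:hidden file",
    r"c:\windows\system32\spoolsv.exe",          # the genuine print spooler, for contrast
    r"c:\windows\system32\drivers\ntfs.sys",     # an ordinary driver path, no findings expected
]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name: str) -> Optional[str]:
    """Return the legitimate binary `name` imitates (exactly one edit away), else None.

    An exact match is a real system file, not a look-alike, so it returns None.
    """
    lname = name.lower()
    if lname in KNOWN_SYSTEM_BINARIES:
        return None
    for legit in sorted(KNOWN_SYSTEM_BINARIES):
        if edit_distance(lname, legit) == 1:
            return legit
    return None


def extension_of(component: str) -> str:
    """Lower-cased extension of one path component, '' if it has no dot."""
    return component[component.rfind("."):].lower() if "." in component else ""


def analyze_path(path_text: str) -> List[str]:
    """Return human-readable findings for one reported Windows path."""
    parts = [p for p in path_text.strip().split("\\") if p]
    findings = []
    for idx, part in enumerate(parts):
        is_directory = idx < len(parts) - 1   # every component but the last is a folder
        if is_directory and extension_of(part) in EXECUTABLE_SUFFIXES:
            findings.append(f"{part!r} has an executable extension but is used as a folder name")
        legit = lookalike_of(part)
        if legit:
            findings.append(f"{part!r} is one character away from the Windows binary {legit!r}")
    return findings


def analyze_report(lines: List[str]) -> Dict[str, List[str]]:
    """Map each report path to its findings, keeping only paths with at least one."""
    results = {}
    for line in lines:
        # Assumed report format: the path, then an optional verdict such as "Rootkit:hidden file".
        path_text = line.split(" Rootkit:", 1)[0].strip()
        findings = analyze_path(path_text)
        if findings:
            results[path_text] = findings
    return results


if __name__ == "__main__":
    for path, notes in analyze_report(SAMPLE_REPORT).items():
        print(path)
        for note in notes:
            print("   -", note)
```

Run it with a real aswBoot.txt by reading the file's lines into `analyze_report` instead of `SAMPLE_REPORT`; a path that produces no findings is not thereby clean, the check only surfaces the two naming tricks discussed in this thread, so the anti-rootkit tools listed above remain the way to confirm and remove anything it flags.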