A very similar sequence of events has happened to my system too. This may shed additional light on this thread’s problem, because I know something about the file that Avast finds.
Preliminaries: Avast Home Version 4.8, Build: Dec2008 (4.8.1296). Win XP SP2 Home, AMD Athlon XP 2500+, NFII 400-AL motherboard (NVidia nForce2 400 chipset). The system is not overclocked. I’m located in Los Angeles, California, USA (GMT-8).
What’s unusual: It’s a multiboot system using BootMagic from Partition Magic 8.0 (Symantec/PowerQuest). BootMagic is a program which runs in a separate tiny partition and overlays the MBR to select among several available C: partitions by hiding and unhiding them. This setup with BootMagic has been highly stable; it dates to 2002 and is on its third processor, second motherboard, and second operating system (Win XP SP2 was installed over Win 98 in this C: partition in 4/2007). While a few program files are on C:, most, including Avast, are run from D:. All partitions are FAT32.
On 11/24/2008, I received a “Suspicious File Found!” warning:
File name: C:\WIN98SE2\system32\Drivers\PQNTDRV.sys
Type: Rootkit: hidden file
As others in this thread have done, I checked the box to submit the file to ALWIL, checked the box to not tell me about this file in the future, and clicked “Ignore”. Not only was that the Avast-recommended action, but I suspected that PQNTDRV.sys was part of BootMagic because of the “PQ” that PowerQuest uses to identify its file names. (The rest of the name, NTDRV.sys, is rather common.)
Almost immediately thereafter I received a warning that “avast! has detected a virus in the operating memory…” I clicked “Yes” to schedule a boot-time scan. The scan ran to completion on all partitions it could see and found nothing bad.
Since then, like others in this thread, I have received the two error messages. I continue to click Ignore each time but have not done a boot-time scan again.
Avast had run without any problems or false alarms for more than a year before the above events. I suspect that the latest Avast version has discovered my BootMagic – first on the disk, then, left over somewhere from startup, as a “virus in the operating memory”. I am pleased that Avast did not force me to delete the PQNTDRV.sys file or try to “repair” my MBR, as either action would have caused a catastrophe. For your analysis I am attaching the files aswAr.log, aswBoot.log, and Error.log which I found in D:\Program Files\Alwil Software\Avast4\DATA\log with appropriate dates.
Thanks in advance for your assistance.
–Lee