Error 267 Directory Name is Invalid

Hi:

I just downloaded Avast! Free Antivirus the other day and I am very pleased with this excellent product.

Just one question: Every time I do a scan, I get a message at the end that not all files were scanned and it says: Error 267 Directory Name is Invalid. The directory name is C:\WINDOWS: 2B2696B30AD92EF4. There is no indication of how to correct this and I do not see any such directory in my c:\windows folder.

Hopefully, someone technical from Avast! will see this post and enlighten me on what this error means and how I can get rid of it.

Thank you.

Try a forum search for Directory Name is Invalid as this has cropped up recently, I think it was either in this forum or the viruses and worms forum.

By all accounts, this is pointing to the ADS address the colon : after c:\windows, so technically there is nothing to correct, but why it is saying it is an invalid name is strange.

David:

I just tried a forum search like you suggested but nothing came up about this (maybe) problem.

I should mention that this did not happen when I did a Boot Scan this morning. It only appears at the end of full or quick scans within the Avast! environment. So maybe I should just forget about it and stop worrying but I guess in the back of my mind I do get concerned when there is some kind of message that might indicate a problem.

I did a search and found a few, but didn’t find the one that I referred to by one of the Alwil team members. But basically this path is to an Alternative Data Stream (ADS), this is no NTFS formatted hard disks and as the name implies is an alternative data stream to the file or folder name.

This can contain additional information, etc. but could also harbour malware, which is why avast scans the ADS area of files/folders. See http://en.wikipedia.org/wiki/Fork_(filesystem) and scroll down to Windows for more information on this.

Technically the error is correct, as if you try to create a folder with a : colon in it, windows won’t let you create it as that character isn’t allowed.

Further to that, this isn’t an indication that it is infected/suspect, just that avast can’t scan it, but the reason is as I said strange if the directory file name was not valid it has still found it.

David:

I just did a full scan with Malwarebytes and no infections were found. Some of what you have stated is a bit above my head (ADS). But why Avast! is giving me this “not all files were scanned” message at the end of a scan is puzzling. I never got it with Symantec, CA, Ad-Aware, VIPRE, or any other anti-virus software that I had used in the past.

Should I just stop worrying about this?

Many AVs don’t tell you about files that they haven’t scanned, for fear of frightening the horses ;D

Files that can’t be scanned are just that, not an indication they are suspicious/infected, just unable to be scanned.

I cannot even find this so-called invalid directory. So is there any setting I can make in Avast! so that this message will not appear in future scans?

Did you mean this thread? http://forum.avast.com/index.php?topic=58971.0
Igor replied there.
asyn

Yes, I did see that thread and Igor’s reply.

But the situation there is different than mine if you look at the folder(s) in question. Mine was a wierd C:\WINDOWS: 2B2696B30AD92EF4 which makes no sense since I could not find any such thing in explorer.

I just want to get rid of this message at the end of the scan where it says that some files could not be scanned. The Error 267 and above invalid file name shows up in details with no mention whatsoever about how to handle it.

The situation is exactly the same in both cases.
I must say I don’t know what to think about it… either there’s a problem somewhere in avast! engine - but I’m not aware of any recent changes to the related pieces of code, or… there’s a rootkit/malware spreading, manifesting with these symptoms.
Well, I’m sure there are other explanations, but these two look the most likely to me at the moment.

Can you find (e.g. in the scan logs) what was the first time this was reported (which, in your case, probably means when you installed avast!)? I’m looking for the first version of the virus database (if there was a new problem there, it would be easier to find knowing when the change happened).

Well, if it’s new rootkit/malware maybe tripplechecking it wouldn’t be a bad idea…
http://www.emsisoft.com/en/software/free/ (use deep scan)
asyn

can you please give us gmer log or radix anti rootkit log?

Igor:

This was reported at the end of every scan I performed since I installed Avast! Free on Saturday.

Asyn:

Thanks for the link. I will install and run it this evening when I return home from work. I might also perform a chkdsk c: /r.

superhacker:

Sorry but I do not understand what these logs are or where they are located.

No problem, i am also interested in solving this riddle, so please keep us informed… :slight_smile:
asyn

superhacker:

Sorry but I do not understand what these logs are or where they are located.


gmer:
http://forum.avast.com/index.php?topic=53253.msg469486;topicseen#msg469486
radix:
http://www.usec.at/rootkit.html
press save log button,then attach logs here

No, as in the reply it explained that this was an ads stream not a physical folder but the ads stream of that folder location.

As Igor mentions it is possible that malware can use the ads stream of files/folders and that is why avast scans the ads stream in NTFS formatted drives. But why the error is reported is the mystery, which hopefully now Igor is aware we may get a resolution.

Thanks for the feedback, so we have to wait, i guess…
asyn

@ mdubin
You could also run a scan using SuperAntiSpyware (SAS) as that also scans alternative data streams, so it would be looking in the same areas and see if there are any reported issues there. However I don’t know if SAS reports things that it has been unable to scan.

SUPERantispyware On-Demand only in free version.
Don’t worry about reported tracking cookies they are a minor issue and not one of security, allow SAS to deal with them though. - See http://en.wikipedia.org/wiki/HTTP_cookie.
Also available a portable version of SAS, http://www.superantispyware.com/portablescanner.html, no installation required.

David:

Thanks. I’ll give Superantispyware a try also. I guess it cannot hurt to run several different scanners.

Sure, as long as they are free and no rogues… :wink:
asyn