Sorry if this is in the wrong forum…

I recently got an alert from AVG antivirus about 2 rootkits detected on my system. In response, I ran a full GMER scan, which listed the following rootkit detections:

---- Services - GMER 2.1 ----

Service C:\Windows\system32\drivers\aswFsBlk.sys (*** hidden *** ) [AUTO] aswFsBlk ← ROOTKIT !!!
Service C:\Windows\system32\drivers\aswMonFlt.sys (*** hidden *** ) [AUTO] aswMonFlt ← ROOTKIT !!!
Service C:\Windows\system32\drivers\aswRdr2.sys (*** hidden *** ) [SYSTEM] aswRdr ← ROOTKIT !!!
Service C:\Windows\system32\drivers\aswRvrt.sys (*** hidden *** ) [BOOT] aswRvrt ← ROOTKIT !!!
Service C:\Windows\system32\drivers\aswSnx.sys (*** hidden *** ) [SYSTEM] aswSnx ← ROOTKIT !!!
Service C:\Windows\system32\drivers\aswSP.sys (*** hidden *** ) [SYSTEM] aswSP ← ROOTKIT !!!
Service C:\Windows\system32\drivers\aswTdi.sys (*** hidden *** ) [SYSTEM] aswTdi ← ROOTKIT !!!
Service C:\Windows\system32\drivers\aswVmm.sys (*** hidden *** ) [BOOT] aswVmm ← ROOTKIT !!!
Service C:\Program Files\AVAST Software\Avast\AvastSvc.exe (*** hidden *** ) [AUTO] avast! Antivirus

Problem is, as far as I can tell, ALL of these are valid Avast files. Is this a simple case of AV collision? If so, why would GMER flag Avast Free as a rootkit, when I’ve heard some parts of Avast are actually modeled after/derived from GMER itself? Is it possible that the alert is not in fact a false positive but that the Avast directory has been hijacked by malware, and if so, how can I verify the installation of Avast Free?

Thanks in advance for any assistance - I’ve been running Avast for several years and recommend it to all my friends, so I’d hate to have to uninstall.

This is NOT a place to seek support with AVG/GMER. Plus, you should not be using GMER at all if similar issues bother you and you are unable to work around them on your own, and you definitely should NOT EVER be installing Avast and AVG at the same time.

Having two resident AVs isn’t advised and this is just one example.

Since these files are avast drivers, to do their job effectively they are low-level, hidden drivers. GMER is actually only reporting them as hidden, which they would be as low-level drivers; they could also be mistaken for a rootkit.
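One way to answer the "how can I verify the installation" question above is to check each flagged file's Authenticode signature and confirm that the Service Control Manager has a matching entry pointing at it. This is an added PowerShell example, not code from the thread, from Avast or from GMER; it assumes the paths and service names quoted in the first post and that Avast's code-signing subject name contains "AVAST".

```powershell
# Added example: verify the driver files GMER listed by checking their
# Authenticode signature and the matching SCM service entry.
# Assumption: Avast's signing certificate subject contains "AVAST".
$expectedSigner = '*AVAST*'

# (path, service name) pairs copied from the GMER output in the first post
$entries = @(
    @{ Path = 'C:\Windows\system32\drivers\aswFsBlk.sys';  Service = 'aswFsBlk' },
    @{ Path = 'C:\Windows\system32\drivers\aswMonFlt.sys'; Service = 'aswMonFlt' },
    @{ Path = 'C:\Windows\system32\drivers\aswRdr2.sys';   Service = 'aswRdr' },
    @{ Path = 'C:\Windows\system32\drivers\aswRvrt.sys';   Service = 'aswRvrt' },
    @{ Path = 'C:\Windows\system32\drivers\aswSnx.sys';    Service = 'aswSnx' },
    @{ Path = 'C:\Windows\system32\drivers\aswSP.sys';     Service = 'aswSP' },
    @{ Path = 'C:\Windows\system32\drivers\aswTdi.sys';    Service = 'aswTdi' },
    @{ Path = 'C:\Windows\system32\drivers\aswVmm.sys';    Service = 'aswVmm' },
    @{ Path = 'C:\Program Files\AVAST Software\Avast\AvastSvc.exe'; Service = 'avast! Antivirus' }
)

foreach ($e in $entries) {
    $result = [ordered]@{ File = $e.Path; Service = $e.Service }

    if (-not (Test-Path -LiteralPath $e.Path)) {
        $result.Verdict = 'FILE MISSING'
    } else {
        # Authenticode check: Status 'Valid' plus the expected signer is the
        # strongest on-disk evidence that the binary is the vendor's own, unmodified file.
        $sig = Get-AuthenticodeSignature -FilePath $e.Path
        $result.SigStatus = $sig.Status
        $result.Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
        # SHA-256 is recorded so it can be compared out-of-band (vendor, second machine).
        $result.SHA256    = (Get-FileHash -LiteralPath $e.Path -Algorithm SHA256).Hash

        # SCM view: a legitimate driver/service has a visible entry for that name.
        # Kernel drivers live in Win32_SystemDriver; AvastSvc.exe is a user-mode Win32_Service.
        $svc = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$($e.Service)'"
        if (-not $svc) { $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$($e.Service)'" }
        $result.State = if ($svc) { "$($svc.State)/$($svc.StartMode)" } else { 'NO SERVICE ENTRY' }

        $ok = ($sig.Status -eq 'Valid') -and ($result.Signer -like $expectedSigner) -and $svc
        $result.Verdict = if ($ok) { 'consistent with a genuine Avast install' } else { 'REVIEW' }
    }
    [pscustomobject]$result
}
```

A "REVIEW" verdict is not proof of compromise (a catalog-signed or updated file can fail the signer match), but a missing signature or a file with no corresponding service entry is what to follow up on; run from an elevated prompt so the driver paths are readable.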

Um… OK. Thanks for the friendly, helpful reply. Couple quick things:

  1. I’ve run multiple AVs for years. Why? Because not all apps catch all malware. Not even Avast. I understand that collisions happen, and I was pretty sure this was one such case (thanks to DavidR for confirming what I was 98% certain I already knew).

  2. That said, after running AVG, Avast, Malwarebytes, and sometimes even other AVs like AdAware, I think I can count on one hand the times when one has interfered with another like this. That, to me, is well worth the hassle of occasional collisions.

  3. “You can’t work it out on your own.” Interesting comment. On a support forum. Good point: let’s just shut these damn things down altogether and let people work things out on their lonesome. Because, you know, that’s why the internet and forums exist. Thank you SO much for illuminating my darkness while simultaneously showing the world what a true internet help guru can be. You da man…

Thanks again to DavidR for actually posting useful info - appreciate it.

Most of the heavily infected, unusable machines I have seen had multiple AVs installed. Guess what - none of those AVs worked properly. Installing multiple realtime AVs makes you LESS safe, NOT more.

The answer to your problem is pro-active protection - sandboxing, LUA, SRP/AppLocker, HIPS, firewalls, behaviour blockers, … (choose your poison :P) and using common sense. Definitely NOT cramming tons of AVs on one box.

You’re welcome.

Hi there, ImagoX, so you are just ignoring those? 'Cuz I use gmer, too (although I’m waiting right now for Malware Bytes Rootkit Killer final to come out), and those are the EXACT SAME THINGS that it is flagging. I am not a whiz by any means. I research a lot, though, and since I didn’t know all that much about gmer, I did find it interesting that you need to be a little knowledgeable about what to delete.

I ran into some trouble when I was using Kaspersky Anti Rootkit Killer. I had deleted something VERY IMPORTANT to my system, and so had to do a system restore.
Anyways, I’ve been sort of leery, and so tried d/l Kaspersky again. It didn’t find ANYTHING as far as those drivers go.

So, I guess my mind can be eased that there is no worm or anything running around, ready to eat up my files!

Thank you all for your input here. I also run several programs, and I think it’s a good thing, as some will have false positives, etc.

Just FYI, I run avast AV, Malware Bytes Anti Malware, Super AntiSpyware, & the gmer. And, let me tell ya, they have kept my PC brand spankin’ clean!!!

Just FYI, I run avast AV, Malware Bytes Anti Malware, Super AntiSpyware, & the gmer. And, let me tell ya, they have kept my PC brand spankin' clean!!!
If you run avast, then you are already running GMER....

A little confused on your post? If you prefer not to answer my question about your post on the forum, please send me a PM, as I would like to know what you are saying, please.

The avast anti-rootkit scan (which runs 8 minutes after boot) is based on GMER and is a little more user friendly in that you don’t have to have it analysed for it to make a decision.

Avast also has another specialist tool aswMBR which was also designed by Mr GMER himself, so anti-rootkit related scans in avast are created by the same man.