New version finds rootkit hidden files - can't delete & nothing else does

A couple of days ago I installed the latest version of Avast. I ran a thorough check and it found umpteen rootkit hidden files, e.g. windows/system32/spoolsv.exe and /spoolss.dll, etc. I panicked of course, always good in a crisis. I opted to delete the files, the system reloaded, ran the boot version and loaded again. A run of Avast still found the rootkit hidden files.

Following this I ran several standalone rootkit finders and they were all clear. I could not get rid of the Avast warning. It was then I decided to prime down an August image of my system. This was successful, so I updated Avast and ran a thorough scan…Oh NO! I still got rootkit files. I tried a few more standalone finder programs to no avail.

I deleted Avast and installed the free version of AVG. Clean as a whistle, no nasty files found. I then reinstalled an older version of Avast (1229) and it was all sweetness and light.

Now I don’t know whether the new version is telling the truth and I do have rootkit files and the old version misses them, or if the new Avast is telling me a few porkies.

Please help!

I had the same issue. Interestingly, I submitted a Support Ticket and after I reported that I had “magically” stopped the Rootkit Notifications the Avast folks Closed the Ticket. So I just re-opened it, as the problem is not fixed, it was just worked around.

Here is how to do it :

http://forum.avast.com/index.php?topic=40203.0

Well, spoolsv.exe and spoolss.dll are legit file names, but that is no guarantee they haven’t been got at.

However, with the anti-rootkit scan (8 minutes after boot), I don’t know if it is the sensitivity of the detection method that is causing this, but the strange thing is that I don’t get any alerts (XP Pro SP3), nor, it would seem, do many others, or this forum would be lit up like a Christmas tree.

So there are obviously some other attributes that make it think it might be a rootkit: different OS, network printer driver loading early or hidden, I don’t know. But it is causing some problems, as there are a few similar topics, as Styx mentions, and Styx did a lot of work trying to get the workaround to work.

Your test using AVG wouldn’t find anything, even if it were a valid detection, as there is no anti-rootkit in the free version.

When it detects it there is an option to send the file for analysis; if you didn’t do that, I would suggest you let that happen before you apply the workaround Styx gave the link for.

Hi…

You can try using a standalone rootkit scanner to verify which is the case. Here are two…

F-Secure’s Blacklight…

http://www.f-secure.com/security_center/

(scroll down to “downloads.”)

Trend Micro Rootkit-Buster…

http://www.trendmicro.com/download/rbuster.asp

Hope this helps. :)

Best Regards…

Greatis’s Reanimator is a superior rootkit detector/remover.

Also RegRun is the ultimate in protection especially the Gold/Platinum version.

http://www.greatis.com/security/

Wait for the program update, which should be released today… ;)

Hello,

Avast 4.8 Pro complains about a rootkit hidden file on a WinXP computer I support. The infected file is c:\Windows\System32\Drivers\cinemsup.sys. When the problem first appeared the owner of the computer opted to send the file to the AVAST folks. When the problem occurred again I opted to delete the file. A warning was displayed that the memory is infected and I should restart the OS and run a full scan. I did that and no infected files were detected. The warning appeared again. This time I opted to delete the file and, when warned about restarting and running a scan, I selected to skip the reboot and go ahead and delete the file. Now an AVAST full scan of the drive shows no infected files, yet the rootkit warning continues to appear some time after booting the system.

The last post in this thread mentioned an update to AVAST. Is this possibly a problem in AVAST that has been fixed by a recent update?

Thanks for any help/suggestions,

Charles

Hi,

Thanks to everyone for all the good advice. I tried them all to no avail. Reanimator gave me a list of possible dodgy files, but I don’t believe they are, so I ignored the results.

I still use the older version of Avast (1229) and do a regular full run and all is ok. I have not had the courage to update again to the latest version that gave me the problem.

To sum up - I’m confused.

sugaree: the problem (hopefully resolved with the last program update) was related to wrong name/path interpretation, which caused multiple wrong rootkit detections on some machines. Your entry seems to be ok. The reason why it has not been cleaned during the boot-time scan is that there’s probably no exact detection for the scanner. The standalone scanner and the antirootkit module are two different instances based on different schemes (antirootkit is not signature based). When the AR detection occurs, you’re notified and you can send the file for further analysis. The file is then analysed in our viruslab and, in case of confirmed malicious behavior, the exact detection for the scanner is added. That’s the moment from which you will be able to remove the file with the boot-time scanner. It’s a safety criterion to not make any definite cleaning until we’re sure we’re dealing with a piece of malware.

A Google of cinemsup.sys shows that it “might” be a malware problem. If the file still exists, check its size and then Google it.
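The “check its size and look it up” advice above, carried a little further, as an added example that is not from any poster in this thread and not Avast’s tooling: a PowerShell triage of the three files named in the thread (spoolsv.exe, spoolss.dll, cinemsup.sys) that records size and SHA-256, checks the Authenticode signature, and compares each file against the copy Windows File Protection keeps in System32\dllcache on XP. The paths, the dllcache location and the requirement for PowerShell 4 or later (for Get-FileHash) are assumptions for the example; the function name Get-FileTriage is invented here.

```powershell
# Added example, not part of the original thread or of Avast.
# Assumes PowerShell 4+ (Get-FileHash), a default %SystemRoot%, and an
# XP-style System32\dllcache backup store; adjust the lists for your box.
$flagged = @(
    "$env:SystemRoot\System32\spoolsv.exe",
    "$env:SystemRoot\System32\spoolss.dll",
    "$env:SystemRoot\System32\Drivers\cinemsup.sys"
)

# Where a known-good copy may live. dllcache is the XP-era Windows File
# Protection store; on Vista and later 'sfc /verifyonly' does this comparison.
$backupDirs = @(
    "$env:SystemRoot\System32\dllcache"
)

function Get-FileTriage {
    param([string]$Path)

    # -Force so a file with the Hidden attribute is still returned.
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if (-not $item) {
        return [pscustomobject]@{ Path = $Path; Present = $false }
    }

    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $signer = $null
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

    # Compare against the first backup copy found; $null means none was found.
    $backupMatch = $null
    foreach ($dir in $backupDirs) {
        $candidate = Join-Path $dir $item.Name
        if (Test-Path -LiteralPath $candidate) {
            $backupHash = (Get-FileHash -LiteralPath $candidate -Algorithm SHA256).Hash
            $backupMatch = ($backupHash -eq $hash)
            break
        }
    }

    [pscustomobject]@{
        Path          = $Path
        Present       = $true
        Hidden        = [bool]($item.Attributes -band [IO.FileAttributes]::Hidden)
        SizeBytes     = $item.Length
        LastWrite     = $item.LastWriteTimeUtc
        SHA256        = $hash
        SigStatus     = $sig.Status        # Valid, NotSigned, HashMismatch, ...
        Signer        = $signer            # e.g. CN=Microsoft Windows, ...
        MatchesBackup = $backupMatch       # $true / $false / $null (no backup copy)
    }
}

$flagged | ForEach-Object { Get-FileTriage -Path $_ } | Format-List
```

A Valid signature from the Microsoft Windows publisher plus a hash that matches the dllcache copy is strong evidence the flagged file itself is the stock binary, which is consistent with the false-positive explanation given later in the thread; a NotSigned or HashMismatch result, or a recent LastWrite on a core system binary, is what you would send for analysis. The caveat a rootkit discussion demands: these checks call the same Windows file APIs a kernel-level rootkit can hook, so a clean result from the running system is weaker than the same comparison made from a boot-time scan or with the disk mounted offline.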

Hello,

Thanks for your kind consideration and helpful responses. I’ll try out the latest update of AVAST to see if that helps.

Charles

I bit the bullet and reinstalled Avast 1296 and ran a thorough check. As before it found rootkits, windows/system32/spoolsv.exe and /spoolss.dll, etc., so nothing has changed.

What should I do now?

We’re looking for someone who’d help us analyze this strange issue by allowing us to do a remote desktop connection to his/her machine.

Would anyone of you (who have the problem) be willing and able to do that?

Thanks
Vlk

I’m happy to help, but you’ll have to give me idiot-proof step-by-step instructions as to what I have to do! Also I need to know that my laptop won’t be affected by it; I’m studying for my PGCE and have all my work on here! Anyway, let me know.

Christine

OK, let’s try something easy first.

Please do the following:

  1. download this file http://public.avast.com/~vlk/aswAr0.dll and place it in the \data folder (overwrite existing)

  2. rerun the scan, and wait for the “rootkits found” message to appear

  3. send me the file \data\aswAr1.log that should get generated during the scan.

Thanks
Vlk

Erm, when I run it I get a Spybot S&D window, not Avast. It runs a scan (takes seconds) and says aswAr0.dll nothing found.

I’m doing something wrong, aren’t I?!

Christine

Wait a moment. You have to DOWNLOAD the file, and place it in the avast\data folder.
Not RUN it. :)

Cheers
Vlk

Hi there, sorry, but when I click on the link it just downloads and I get a little icon on my desktop; I assumed you wanted me to run it. I’m afraid you’ll have to clarify what you mean, I’m a complete lemon when it comes down to anything technical! Or maybe someone else on the forum may be a better bet?

Sorry for being a pain.

Christine

Aha, OK, no problem. What browser are you using?

Thanks
Vlk

Right-click the link Vlk gave you, choose “Save as”.
Download and save the file to C:\Program Files\Alwil Software\Avast4\data
(assuming you have a default avast installation).
If you get a message that the file already exists, overwrite the current file.