New version finds rootkit hidden files - can't delete & nothing else does

The computer I was having a problem with now has a new hard drive and a fresh XP Home installation. Sorry but I could not delay the repair I was doing on that computer. Turns out the hard drive had numerous errors and SeaTools refused to repair after 99 errors were found. Don’t know if that has anything to do with this problem or not, I’ll be reinstalling updates/software for a couple of days, the printer software is always one of the last things I install. We’ll see how it turns out, I’ll let you know if I get the same report with this fresh install. -kd5-

Getting the same problem. Avast 4.8 home. Build 1296. Win XP pro on an ASUS laptop.
Thorough scan comes up with a load of ‘Suspicious’ heuristically found rootkit files. Amongst them are…

Windows\system32\spoolss.dll\drivers\w32x86\BROFX05A.dll
Windows\system32\spoolss.dll\drivers\w32x86\BRIFX05A.dll
Windows\system32\spoolss.dll\drivers\w32x86\ppbiNT.dll
I386\DRWATSON.ex_\FAULTH.dll

It gave the option to delete these or ignore - they looked like they might be ok so I ‘Ignored’.

The scan also seems to freeze at around the 35K to 40K file mark.
Don’t know if this is relevant too, (I’ve also posted separately on this) but the ‘Current Scan Status’ indicator remains at 0% throughout the scans.
AVAST said it had found a virus in memory or something and got me to do a bootscan which scanned all drives but found nothing.

AVAST CHECKING LOG

Avast revision 1229 > 1296 rootkits detected

Reverted back to 1229 and ok

1229 > 1290 rootkits detected

Reverted back to 1229 and ok

1229 > (used upgrade) 1282 (081112-0) crashed around 25,000 files + approx same area as rootkit detection
Prior to crash Zone Alarm reported Avast wanted to launch DWWIN.EXE.
Allowed and crashed

1282 (081112-0) Same as above, but this time denied – crashed

1282 (081219-0) At 25,422 files ….system32\drivers encountered a problem needs to close.

Uninstalled the upgraded 1282, followed by a clean install rather than an upgrade of 1282.

1282 (081112-0) Crashed at same point.

Reinstalled 1229 (081220-0) No problems

It would appear that 1282 had a problem and when 1290 was released rootkits were found around the same area that 1282 had the problem. I am not qualified to make any assumptions as to what is happening here.

Is this helpful?

Regards

Gerard

Any clues, anybody?

Dear Avast Support Team,

I’ve got in my hands a computer with this problem. It’s an ACER laptop.
Avast is detecting a rootkit which seems not to be present in the system.
Avast version is 4.8.1296.
If it can help you to track down the issue, I can install LogMeIn on the computer and give you full access.
FYI: I am located in France.
Feel free to contact me by PM if you are interested in accessing this computer.
Unfortunately, I won’t be reachable the next hours. I think we could have a meeting the next week.

Thanks,
Luc

Great! So, the symptoms are the same - obviously wrong file paths, right?
For example: C:\Windows\system32\spoolss.dll\drivers\something

  • where spoolss.dll is a file, not a folder, i.e. there can’t be any further path following.

Yeah, in my case one of the detected files is
“c:\windows\system32\setupapi.dll\medctroc.dll”
and obviously “c:\windows\system32\setupapi.dll” is a file, not a folder, and not an archive.
Note also that I get several occurrences under “setupapi.dll”: medctroc.dll, ehOCGen.dll, plusoc.dll.
And finally, all these files are located in the folder “c:\windows\system32\Setup”
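A triage check of the kind this exchange points at, as an added example that is not code from avast or from anyone in the thread: it walks every parent component of a reported path and flags a report whenever a parent is a regular file, since such a location cannot exist on disk (the one legitimate case, a member inside an archive, is exactly what the poster rules out above). The directory tree and the report paths are constructed here to mirror the ones quoted in the thread.

```python
import tempfile
from pathlib import Path, PureWindowsPath


def check_reported_path(report, root):
    """Map a Windows-style report path under `root` and walk its parents.

    Returns (status, component):
      ("ok", None)                every parent component is a directory
      ("file_as_dir", component)  a parent component is a regular file,
                                  so the path is impossible unless the
                                  scanner meant an archive member
      ("missing", component)      a parent component does not exist
    """
    win = PureWindowsPath(report)
    parts = win.parts[1:] if win.anchor else win.parts  # drop "C:\"
    current = Path(root)
    for component in parts[:-1]:
        current = current / component
        if current.is_file():
            return ("file_as_dir", component)
        if not current.is_dir():
            return ("missing", component)
    return ("ok", None)


def build_sample_tree(root):
    """Constructed stand-in for %SystemRoot%\\system32, not a real Windows tree."""
    sys32 = Path(root) / "Windows" / "system32"
    (sys32 / "Setup").mkdir(parents=True)
    for name in ("spoolss.dll", "setupapi.dll", "Setup/medctroc.dll"):
        (sys32 / name).write_bytes(b"placeholder")  # files, not folders


def triage(reports):
    """Classify each reported path against the sample tree; returns {report: status}."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return {r: check_reported_path(r, root)[0] for r in reports}


# Constructed report paths modelled on those quoted in the thread.
SAMPLE_REPORTS = [
    r"C:\Windows\system32\spoolss.dll\drivers\w32x86\BROFX05A.dll",
    r"C:\Windows\system32\setupapi.dll\medctroc.dll",
    r"C:\Windows\system32\Setup\medctroc.dll",
]

if __name__ == "__main__":
    for report, status in triage(SAMPLE_REPORTS).items():
        print(f"{status:12} {report}")
```

The first two reports come back `file_as_dir`, the real file under `Setup` comes back `ok`; a `missing` result simply means the path cannot be verified on the machine being checked.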

polipodi,

I sent you an email.
Again, thanks for your willingness to help to solve this pesky problem.

Cheers
Vlk

I am experiencing same problems as all the folks that have posted here. Hopefully solution will be found soon.

I am running avast! 4.8 Home Edition (updated today to the last version, virus db update December 26th 2008) on Windows 2000 SP4 on a custom built PC.

I use several tools beside avast! (S&D, SuperAntiSpyware and MalwareBytes’ AntiMalware), have updated all of them and run scans but no malware/rootkits were found.

Avast! reports several rootkits (heuristic warnings) within spoolsv.exe and spoolss.dll files (same scenario → after selecting to ignore these findings I receive “Virus in active memory” warning and then I am prompted to perform boot-scan. Boot scan ends up ok - no virus found).

In the meantime I tried to disable root-kit detection (avast! menu → Settings → troubleshooting → Disable root-kit detection), as suggested in this thread, but without success - when I start local disk scan it moves on through windows system folder and then reports above mentioned error. I guess I am safe enough because boot-scan returned no virus/malware found (am I right?) but would like to be able to run disk scan from Windows.

Can someone tell me what am I doing wrong?
Thank you.

Got the computer back up and running, installed and ran Avast! both before and after the HP printer installation, no rootkits were found. The same applications that were on the computer before have been reinstalled so I have to assume the rootkit problem had something to do with the 99+ errors Seatools found on the previous hard drive. Have no idea what the errors were about but I wasn’t taking any chances, a 20gb 5400rpm hard drive is woefully inadequate for an acceptable Windows XP installation anyway… :slight_smile: -kd5-

With the invaluable help of polipodi, it seems that we have solved the problem now.
The fix should be included in the latest VPS update (081229-0).

Please try this latest VPS and report back if the problem is really solved.

BTW can anyone who had the problem confirm that their Windows volume is formatted as FAT32? (this would explain the increased number of Acer laptops in the set as Acer seems to preinstall Windows XP on FAT32 volumes).

Thanks
Vlk

Hi, my OS is running on FAT32 - I know, outdated but after installing all tools I left it like that (will transfer to NTFS in the future).

I have updated VPS and I am ready to run full scan - will report results here as soon the scan is over.

Again thank you very much for very quick response to this issue.

No need for a full scan, just reboot, the anti-rootkit scan runs 8 minutes after boot and takes seconds, so would be quicker than a full scan.

I found that the problem only made itself known if I did a ‘full’ scan. The scan would freeze at that point (about 3/4 through) and the suspicious files indicated. Just starting or rebooting my pc didn’t produce the problem.

My system is FAT32 on an ASUS laptop. I’ll run a full scan this morning and report results.
Impressed with the immediate action on the problem. :slight_smile:

Everything works just fine :slight_smile: Full scan using avast! GUI completed w/o problems :slight_smile: I have to admit that there are differences in new build - scan is much faster than before (in my case even 30% faster - using same scanning options (thorough/scan archives/all local disks))

I ran full scan (via GUI) because boot-scan worked OK all the time (as TheScorpion has said) - issue with heuristic engine (at least in my case) occurred only when full scan was initiated using avast! GUI and only if scan area included system folder - on demand scan of every other folder/file worked ok.

Again, many thanks to avast! support team for such a quick response. Also many thanks to polipodi for providing test/debug machine that helped with bug reproduction.

Just completed a ‘thorough’ full scan with no problems.
Also, the ‘percentage of files checked’ gauge is now working. Before it would remain at 0%.
Well sorted. Thanks. :slight_smile:

Vlk, polipodi and the rest of the Avast team, thank you all very much for the efforts you put into resolving this problem. It has been a long journey from November 24th when I raised the issue, until now. I am delighted you cracked it before we ran out of 2008 – a clean slate for the New Year.

Sorry, I was reluctant to allow access to my PC, but I have been working in computers most of my long life and you get cynical about security matters – paranoid even. I was relying on a more trusting approach from others; thanks polipodi.

Anyway, upgraded from 1229 to 1296 with VPS 081230-0 and did a thorough scan. BRILLIANT! It all worked.

Have a Guid Ne’er day and a great 2009

Gerard
;D

The problems I mentioned here:

http://forum.avast.com/index.php?topic=41157.0

at both the Packardbell-desktop and the Acer-laptop were solved with installing VPS (081229-0)

Both systems were FAT32 formatted.

Thanks to everybody contributing to the solution.

Art

Though I did not have this problem, I would also like to thank Vlk and the rest of the Avast team for a job well done … and to polipodi for trusting the avast team to use his computer to research the problem. :slight_smile:

I had AVAST on 2 systems. I tried the new version. It identified about 90 rootkit viruses that could not be deleted from one system. Then I did a system restore. AVAST new version still did the same thing.

BitDefender found about the same number of inaccessible files that were password protected (I recognized them) or compressed. McAfee found no viruses.

I believe the new version has a design flaw that is misinterpreting password protected or compressed files as rootkit infections. I thought the problem was my computer until I found this forum. Thank you.