Why didn't AVAST catch email with WIN32 rootkit?

Hello folks.
I did a manual scan with AVAST this evening, and it found a WIN32:ROOTKIT-gen that came in an email. But I don’t understand why it didn’t catch it when the email came instead of waiting for me to do a scan. I have AVAST set up to scan emails, and it always seems to be doing something (little icon in the taskbar) when email is coming or going. Since it found the rootkit during the manual scan, I don’t understand why it didn’t detect it when it came in. What is it doing when it’s checking email?

I’m using the free version 4.8, and it automatically updates every day.

Thanks for any info.

What e-mail program are you using? Also what providers are installed in avast! ? Internet Mail or MS Outlook/Exchange (or both?)?
Also what e-mail service are you using (GMail, your ISP mail server etc)?

Thunderbird
providers are Internet Mail, Instant messaging, Network shield, Standard shield, Web shield
The offending email came through a service that’s hosted by my domain name host Cybertec.

Thanks for the quick response.

Do you know if Cybertec is using secure SSL connection or a regular POP3 without encryption?

It’s regular, not SSL.

The only thing that I can think of off the top of my head is that when the email came in, you had yesterday’s definitions, then avast updated, and could then find the infected file.

Otherwise, if it was a standard POP3 connection, I believe it would have found it beforehand…

I’ve seen several posts where people are talking about rootkits, and they talk about how they’ve deleted the rootkit several times, and it keeps coming back.
Avast says it has deleted this rootkit, and a subsequent scan didn’t find it. Can I trust that it’s really gone?

The avast anti-rootkit uses heuristics and the regular scan doesn’t so it is entirely possible that it won’t find anything.

When detected in this anti-rootkit scan (8 minutes after boot) it mentions allowing it to be sent to avast, the default is to allow and on the next update it will be uploaded to avast for analysis. If it is found to be malware, a signature will be inserted into the VPS so that regular scans can detect and deal with it.

So that is how a subsequent scan could detect it.

I didn’t know there was more than one kind of scan. Can you manually run a rootkit scan?

You don’t have to; it is incorporated into the avast scans, and it happens in the first 8 minutes after boot.

If you do an on-demand scan it also happens if you select Local Drives as the area to scan and set the sensitivity of the scan to Standard or Thorough (but not if you select a Quick scan or folder select as the area).

XP: Windows Start > Run
"C:\Program Files\Alwil Software\Avast4\ashQuick.exe" "SUPERQUICK"

Vista: Windows Start > write "cmd" without quotes > press CTRL+SHIFT+ENTER
Answer ‘Yes’ to the UAC question.
Write down (or paste):
"C:\Program Files\Alwil Software\Avast4\ashQuick.exe" "SUPERQUICK"
Press Enter

You can also use "FULL".
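The Start > Run steps above can be wrapped in a small script so the scan mode is checked and the elevation step (the CTRL+SHIFT+ENTER / UAC part on Vista) is handled for you. This is an added example written for this thread; it is not avast's own tooling and not something a poster supplied. It assumes the install path quoted in the post and that ashQuick.exe accepts exactly the two arguments the post names, SUPERQUICK and FULL; nothing else about ashQuick.exe (other switches, exit codes) is assumed.

```powershell
# Added example, not from the thread or from avast.
# Runs the on-demand avast scan described above with a validated mode,
# elevating the process as the Vista instructions require.
param(
    # Only the two modes the post mentions are accepted.
    [ValidateSet('SUPERQUICK', 'FULL')]
    [string]$Mode = 'SUPERQUICK',

    # Install path as quoted in the post (assumption: default avast 4 install).
    [string]$AshQuick = 'C:\Program Files\Alwil Software\Avast4\ashQuick.exe'
)

# Fail early with a clear message instead of a cryptic "not recognized" error.
if (-not (Test-Path -LiteralPath $AshQuick)) {
    Write-Error "ashQuick.exe not found at '$AshQuick'; check the avast install path."
    exit 1
}

# -Verb RunAs raises the UAC prompt (the CTRL+SHIFT+ENTER step on Vista);
# on XP, which has no UAC, the program simply starts.
# -Wait keeps the script open until the scan has finished.
Write-Host "Starting avast scan: $Mode"
Start-Process -FilePath $AshQuick -ArgumentList $Mode -Verb RunAs -Wait
Write-Host "ashQuick.exe $Mode has finished."
```

Save it as, for example, `Run-AvastScan.ps1` and call `.\Run-AvastScan.ps1 -Mode FULL` for the longer scan; leaving `-Mode` off runs SUPERQUICK. `[ValidateSet]` rejects any other value before ashQuick.exe is ever started, which is the part a one-line Run command cannot do for you.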

Thanks Tech!

Wish they had this integrated into the menu though, my brain can’t fit any more commands!

Neither do mine… I use FlashPaste :wink:

Thanks, I’m looking into that…

Strangely enough I have been looking at clipboard extenders, so I will have a look too.

Thanks, guys, this is good info. Let me repeat a question I asked earlier that got overlooked.
Avast says it has deleted this rootkit, and a subsequent scan didn’t find it. Can I trust that it’s really gone?

Thanks again.

You’re welcome.

It should be gone by now. Just keep running scans, and as long as you don’t experience any strange behavior, you might be ok.

I might be ok? :smiley: That’s very encouraging!

No guarantees in life (death and taxes, excepted) and it is no different in system security ;D