Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: Portillas on November 26, 2007, 09:52:20 PM

Title: AAVM Subsystem detected a RPC error
Post by: Portillas on November 26, 2007, 09:52:20 PM
I've exclusively used Avast Home edition for years now with no problems whatsoever - until now. The on access scanner will no longer work which also disables the Chest. I followed the instructions in the FAQ link provided by the statement (title of this topic) when I try to access the On Access Scanner control. I have two RPC running in my system services and as I recall this is normal. I used the repair option under add/remove programs to no avail. I uninstalled the product, downloaded a new copy, installed it, updated it, rebooted and boot level scanned my drive. Still no resolution.

Shortly before this problem surfaced, during a thorough scan with archive scan enabled, Avast showed to have the PC-Flu II virus and put it in the chest. After it finished scanning, I immediately ran another scan with same options and it detected Win32:Adware-gen [Adw]. It could not put the second virus in the Chest so I deleted it. I've run a thorough scan again and nothing is detected. During the installation of the newly downloaded Home Edition version 4.7 and updated today, 26 Nov, 2007, I noticed something unusual in the parts of the installation listed - The Bat! It is the only thing that was listed without an option not to install.

I am using a Compaq Presario 2200US with a Pentium Celeron M 1.4GHz. with 1GB RAM, 40GB Hitachi Hard Drive running Windows XP Pro. Any advice to resolve my on access scanning issue will be greatly appreciated. Thanks.
Cliff
Title: Re: AAVM Subsystem detected a RPC error
Post by: Lisandro on November 26, 2007, 10:39:42 PM
I uninstalled the product, downloaded a new copy, installed it, updated it, rebooted and boot level scanned my drive. Still no resolution.
What's happening now? How are you scanning with avast?

During the installation of the newly downloaded Home Edition version 4.7 and updated today, 26 Nov, 2007, I noticed something unusual in the parts of the installation listed - The Bat! It is the only thing that was listed without an option not to install.
It's ok. The Bat! will only be available if you have this email client installed.
Title: Re: AAVM Subsystem detected a RPC error
Post by: Portillas on November 26, 2007, 10:59:59 PM
I can scan using the simple user interface. The Chest is unavailable due to the on access concern. A thorough scan including archives found nothing.
Title: Re: AAVM Subsystem detected a RPC error
Post by: Lisandro on November 27, 2007, 01:51:14 AM
I can scan using the simple user interface.
So you have on-demand scanning but not on-access protection...
Is it right?
Does avast icon on system tray have a red cross on it?
Title: Re: AAVM Subsystem detected a RPC error
Post by: Portillas on November 27, 2007, 05:45:12 PM
Right, I have on demand scanning but no on access protection. I have since tried the uninstall with the aswclear.exe I downloaded to no avail. Upon reinstallation, I still have the same concerns with the red circle and cross in systray.
Title: Re: AAVM Subsystem detected a RPC error
Post by: hotmog on November 27, 2007, 07:18:59 PM
I started getting exactly the same problem a few days ago. I noticed the red circle on avast! a-ball icon which produced the same error message above when I clicked on it. It also appeared to cause all my Internet Explorer 7 and Outlook Express connections to fail.

The first couple of times it happened, I was able to resolve the problem by doing a system restore to a point a day or so before this all started. I had to do another one late last night, and it was fine up until this afternoon when the familiar "Webpage cannot be found" error recurred, and lo and behold, the dreaded red circle had once more reappeared on the Avast icon. I performed another system restore, and decided to uninstall Avast, then re-install it. Unfortunately, immediately I had completed the uninstall I lost all IE connectivity again so I was unable to connect to the site to access the download. The only thing for it was to do another system restore. However, horror of horrors! this time I was confronted by a message saying that my computer could not be restored to the earlier time.

I started to have nightmares about having to perform a complete Windows re-installation. However I tried logging on using another (non-admin) user account, and although the Avast red circle was still present, I found that I could at least connect to the internet. The next step was to log back in on the admin account and grant the other user account admin rights, then log back in on that and hope it still had internet access - it did!

I was then able to download and reinstall Avast. I checked that all the startup settings, etc, are on automatic, updated the database, rebooted ...... but still the red circle is there. I have followed all the instructions in the FAQ link from the error message, including the Repair option in change/remove programs, which stated (wrongly) it had been successful, but I am now without any effective run-time virus protection. The only saving grace is that I still have internet connectivity, although it was still dead on the original admin account I used, so I ended up having to delete that account and create another with the same name and attributes.

Being naturally paranoid about my pc being open to infection from viruses and other nasties, I would very much welcome urgent advice as to how this issue can be resolved.
Title: Re: AAVM Subsystem detected a RPC error
Post by: Lisandro on November 27, 2007, 07:59:03 PM
I noticed the red circle on avast! a-ball icon which produced the same error message above when I clicked on it.
Test your machine with anti-rootkit applications (http://www.antirootkit.com/software/index.htm). I suggest AVG (http://www.grisoft.com/doc/download-free-anti-rootkit/us/crp/0) or Trend Micro RootkitBuster (http://www.trendmicro.com/download/rbuster.asp).
Title: Re: AAVM Subsystem detected a RPC error
Post by: hotmog on November 27, 2007, 09:28:30 PM
Test your machine with anti-rootkit applications (http://www.antirootkit.com/software/index.htm). I suggest AVG (http://www.grisoft.com/doc/download-free-anti-rootkit/us/crp/0) or Trend Micro RootkitBuster (http://www.trendmicro.com/download/rbuster.asp).
Thanks for the suggestion. I've downloaded and run the AVG anti-rootkit freeware; it has not detected any rootkits on my pc.  ???
Title: Re: AAVM Subsystem detected a RPC error
Post by: Lisandro on November 27, 2007, 10:49:30 PM
Test your machine with anti-rootkit applications (http://www.antirootkit.com/software/index.htm). I suggest AVG (http://www.grisoft.com/doc/download-free-anti-rootkit/us/crp/0) or Trend Micro RootkitBuster (http://www.trendmicro.com/download/rbuster.asp).
Thanks for the suggestion. I've downloaded and run the AVG anti-rootkit freeware; it has not detected any rootkits on my pc.  ???

Try Panda and TrendMicro. I mean, some infections mess the antivirus installation, and I can't guess what is messing your avast installation...
Title: Re: AAVM Subsystem detected a RPC error
Post by: RJARRRPCGP on November 28, 2007, 01:36:02 AM
Could this be a Blaster attack?
Title: Re: AAVM Subsystem detected a RPC error
Post by: Lisandro on November 28, 2007, 01:42:15 AM
Could this be a Blaster attack?
Yes, it could. So the rootkit suggestion...
Title: Re: AAVM Subsystem detected a RPC error
Post by: Portillas on November 28, 2007, 03:50:58 AM
I ran Trend, AWS & Panda Rootkit detectors on thorough and detected nothing. I also ran Panda thorough scan for viruses, spyware, etc. and it only detected 9 low level spyware cookies. I cleared my cache and all cookies and temp files and still the red crossed circle with Avast on access scan. I am also concerned that Panda showed Windows Defender is both disabled and out of date. According to Defender it is active and up to date. I also use Spybot S&D fully updated with all products unchecked for exclusion (they do have some checked for ignore with the installation.) Neither detects any spyware. I also tried the online Symantec check which detected nothing. ::) Microsloth's security alerts keeps prompting me that I have no virus protection. The solution they give is to get a different AV provider. To me, either it is a bug in the software or a virus that hasn't been removed or discovered and identified correctly. Heuristics scans detect nothing. ::)
Title: Re: AAVM Subsystem detected a RPC error
Post by: hotmog on November 28, 2007, 10:33:09 AM
Update: I ran Trend anti-rootkit last night, but that didn't detect anything either, so I then downloaded and ran Trend HouseCall. It  took about an hour and a half (didn't finish until 00:45am), but it did detect 2 viruses which I deleted (I can't remember what they were called). I'd previously run a "medium strength" Avast scan which hadn't revealed anything. The red circle was still present after this operation, but at this point I'd had enough, switched off the pc and went to bed.

This morning after I'd booted up, no red circle! It seems to have done the trick. ;D Many thanks for the rapid responses and suggestions.
Title: Re: AAVM Subsystem detected a RPC error
Post by: Lisandro on November 28, 2007, 01:35:20 PM
it did detect 2 viruses which I deleted (I can't remember what they were called).
It would be very helpful if you check down the name and the path of these infected files and submit them to avast team for analysis. This helps them to increase detection and improve your security ;)
Title: Re: AAVM Subsystem detected a RPC error
Post by: hotmog on November 28, 2007, 02:38:11 PM
it did detect 2 viruses which I deleted (I can't remember what they were called).
It would be very helpful if you check down the name and the path of these infected files and submit them to avast team for analysis. This helps them to increase detection and improve your security ;)
I've managed to track down the location of the HouseCall folders. There are various log files, some of which are to do with the software download and installation. There are 3 others that do appear to relate to the pc scan, however they are obtuse to say the least and I can find nothing specific relating to the two viruses that were identified and deleted. All I know is that they were located in the directory path C:\Documents and Settings\Christopher\My Documents\ImTOO.3GP.Video.Converter.v3.1.8.0720b.WinALL-CHiCNCREAM\, and the only two files referenced by the log with that path are \cncita4c\cncita4.r01 and \cncita4c.zip, so I assume they are the likely culprits. If you give me the contact address I can email the log files to you for examination. Note that the dates and times in the logs are completely wrong.
Title: Re: AAVM Subsystem detected a RPC error
Post by: Lisandro on November 28, 2007, 05:40:13 PM
If you give me the contact address I can email the log files to you for examination.
virus [at] avast [dot] com


Note that the dates and times in the logs are completely wrong.
Is your system time and date correct?
Title: Re: AAVM Subsystem detected a RPC error
Post by: hotmog on November 28, 2007, 06:40:39 PM
Yes, I use 1CLick ClockSync which regulates my pc date/time using an atomic clock reference. The dates in the log files start at May 16 2007 13:39 BST, so I assume it's getting those from the parent site.

I've emailed the log files to the address you gave.
Title: Re: AAVM Subsystem detected a RPC error
Post by: Portillas on November 30, 2007, 02:45:43 AM
Well, I've almost completely resolved my concern. While I was having it I did notice one other thing that I hadn't mentioned. While hovering over the systray icon for Avast, I was getting no providers, now I'm back to getting 7 total with 6 running.

I finally gave up. There comes a point when I find I'm pissing in the wind. I disconnected all my external drives and formatted my C:\ drive. I've reinstalled Windows XP Pro up to SP2, installed the only update they'll give me without having to call Microsloth in Pakistan to activate WinXP to explain the fact that I had to do so again with my completely legal retail copy of XP. Now, I'll have to listen to some guy speaking Arab/English giving me twenty-seven alpha-numeric symbols I'll have to guess at what he said or call back and hold for another hour to try for a Chinese person. Why don't they have Mexicans? I speak Spanish fluently. Or Texans? I've got that language down pat - heck! 8)

Then, I'll have to download 87 security fixes one at a time to find out which one screwed up the Avast software.  ::)
Title: Re: AAVM Subsystem detected a RPC error
Post by: Lisandro on November 30, 2007, 02:48:33 AM
Portillas, I know reinstall is painful... but we can learn.
Better if you have a full partition backup to restore your computer to the original (updated) situation, something like Norton Ghost or Acronis True Image Backup.
If you need help, we'll be here.
Title: Re: AAVM Subsystem detected a RPC error
Post by: Portillas on November 30, 2007, 09:02:54 PM
Thanks, I think this has somehow infected my entire data files. I can't seem to find a lot of what the PC-Flu II does. But, my first symptoms were CRC errors on all my hard drives. I have four external drives with a combined terabyte of data - including a complete system backup. While trying to recover those drives, the CRC errors started appearing on my 40GB hard drive in the computer. I disconnected all external drives to attempt to resolve the CRC problem. SpinRite worked for my 40GB drive but won't see the other external drives. I suspected it to be viral, and ran numerous scans without any detection at all. After updating Avast three days before I started this thread, I ran the scan and it found the two viruses I mentioned. After putting one in the Chest and deleting the other due to the chest becoming unavailable, I installed a couple of updates from Auto updates at Microsoft. After restarting, Avast was down with the RPC error. It is running fine now, but I am still updating after talking to Pakistan to get the 36 numbers to activate XP because I've done this numerous times over the years. I just bought another terabyte of external hard drives that after I get what I can recovered, I'll back up on them and leave them offline. Geeze, I've been using computers since 1969! You'd have thought I would know the importance of good backup after over 35 years of using these infernal machines! ::)
Title: Re: AAVM Subsystem detected a RPC error
Post by: hotmog on December 03, 2007, 01:53:21 PM
it did detect 2 viruses which I deleted (I can't remember what they were called).
It would be very helpful if you check down the name and the path of these infected files and submit them to avast team for analysis. This helps them to increase detection and improve your security ;)
Another update: I ran a standard on-demand scan again today, and it detected a Trojan Horse in the same directory as the one I quoted you last week. I have now successfully deleted it. I don't know if it was the same one that caused the earlier problems I had, but it seems suspiciously likely. I completed and submitted the virus report form, but here are the full details that I took down:

File name: C:\Program Files\mIRC\download\ImT00.3GP.Video.Converter.v3.1.8.07

Malware name: Win32:Neptunia-BQ[trj]

Malware type: Trojan Horse

VPS version: 071203-0, 03/12/2007

There has, thankfully, been no recurrence of the Avast "red circle" since I reinstalled it last week.
Title: Re: AAVM Subsystem detected a RPC error
Post by: Lisandro on December 03, 2007, 03:54:43 PM
There has, thankfully, been no recurrence of the Avast "red circle" since I reinstalled it last week.
Good to know. Remember that sending the file to the Chest is safer than just deleting it, due to the possibility of restore and rescan (false positives).
Title: Re: AAVM Subsystem detected a RPC error
Post by: DavidR on December 03, 2007, 05:32:35 PM
I see it is in the mIRC downloads folder, what is your mirc program ?
Does it have the means to scan files that are downloaded, e.g. you can say what to scan files with ?
If so, assuming that you installed avast! in the default folder, this is the path needed to scan downloads, C:\Program Files\Alwil Software\Avast4\ashQuick.exe.
Title: Re: AAVM Subsystem detected a RPC error
Post by: hotmog on December 03, 2007, 09:49:23 PM
I see it is in the mIRC downloads folder, what is your mirc program ?
Does it have the means to scan files that are downloaded, e.g. you can say what to scan files with ?
If so, assuming that you installed avast! in the default folder, this is the path needed to scan downloads, C:\Program Files\Alwil Software\Avast4\ashQuick.exe.
I'm afraid I don't know - it's not one of mine, but something my son has downloaded, hence it's in his directory path. Following previous problems with malware that resulted in my having to wipe the hard drive and reinstall Windows XP, I have now imposed a regime that seeks to minimise the risk of malware getting on to my PC by ensuring that all the user accounts, including the one I normally use to access the internet, are limited access only. There is only one account that has administrator privileges, to which only I have the password, that I use if I need to install/update software - or delete viruses in someone else's directory  ;). Despite my son's user account being limited access, it would seem that this trojan has still managed to install itself, although I know that the mIRC software he uses was installed much longer ago, when his account used to have admin rights.

Title: Re: AAVM Subsystem detected a RPC error
Post by: DavidR on December 03, 2007, 10:56:24 PM
A limited user account won't stop a trojan installing itself, but it will limit the things that it can do and that will limit the potential damage.

To create registry entries (needed for run commands so the malware starts on boot, disabling task manager, configsys, regedit, etc.) you need admin privileges. To place malware in the system folders requires admin privileges.

So having limited user accounts will save a great deal of damage, but it won't stop everything.

Find out what the mIRC is, ensure that it is the latest version and if it has the ability to have downloads scanned do so. The file name you posted seems incomplete, e.g. there is no file type, .exe, etc. Check the avast! Log Viewer (right click the avast 'a' icon), Warning section, this contains information on all avast detections.

The reason I mention this is the Standard Shield should under normal circumstances scan newly created files (depending on file type) this is normally the executable or potentially dangerous file types. So for it to be found on an on-demand scan seems strange. It could well be that this detection signature has been recently added and the file is old.
Title: Re: AAVM Subsystem detected a RPC error
Post by: hotmog on December 04, 2007, 08:42:43 PM
Sorry, I assumed the path name I quoted was complete, as it was all that was displayed on the scan results screen. I now realise it was truncated. I have now managed to locate the full log that gives the entire path and the offending file - which is indeed an .exe and is probably the same one as that identified by the earlier Trend Micro HouseCall scan.

Here it is: "C:\Program Files\mIRC\download\ImTOO.3GP.Video.Converter.v3.1.8.0720b.WinALL-CHiCNCREAM.rar\ImTOO.3GP.Video.Converter.v3.1.8.0720b.WinALL-CHiCNCREAM\cncita4c.zip\cncita4.r01\imtoo.x089x-patch.exe"

I have looked at the mIRC software, it's version 6.16 and appears to be an unlicensed evaluation copy. There do not seem to be any options for scanning downloads.
Title: Re: AAVM Subsystem detected a RPC error
Post by: DavidR on December 04, 2007, 09:54:11 PM
Well the actual detection appears reasonably sound. The reason I say this is that the actual file that was detected (imtoo.x089x-patch.exe) was inside a zip file (cncita4c.zip) and that was inside another type of archive ImTOO.3GP.Video.Converter.v3.1.8.0720b.WinALL-CHiCNCREAM.rar. The use of multiple archives and different types of archive is on occasion used to try and defeat anti-virus detection.

From the above I guess that avast was unable to move it to the chest (?) as on occasion an infected file can't be extracted from a .rar file and this is further complicated by also being inside another zip file.

I suggest that you use windows explorer and navigate to the C:\Program Files\mIRC\download\ folder and delete the ImTOO.3GP.Video.Converter.v3.1.8.0720b.WinALL-CHiCNCREAM.rar file if it is present.
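
An added illustration of the nested-archive point in the post above (not part of the original thread and not avast! code): a Python walk of zip-inside-zip layers that identifies inner archives by content rather than by file extension and reports what it could not inspect. The file names, limits and sample archive are constructed for the example; .rar layers like the one in this thread need a third-party library and are not handled here.

```python
import io
import zipfile

MAX_DEPTH = 4                         # assumed limit; stops runaway recursive nesting
MAX_MEMBER_BYTES = 20 * 1024 * 1024   # assumed cap on a member's declared size


def scan_archive(data, name, depth=1):
    """Return (path, depth, verdict) for every file in a zip, descending into inner zips."""
    results = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Build a backslash-separated path like the one shown in the scan log.
            path = name + "\\" + info.filename.replace("/", "\\")
            if info.flag_bits & 0x1:
                # Password-protected member: content cannot be inspected at all.
                results.append((path, depth, "encrypted: not inspected"))
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                results.append((path, depth, "too large: not inspected"))
                continue
            body = zf.read(info)
            # Sniff the content: an inner archive may carry any extension (.r01, .dat).
            if zipfile.is_zipfile(io.BytesIO(body)):
                if depth >= MAX_DEPTH:
                    results.append((path, depth, "nesting limit reached"))
                else:
                    results.extend(scan_archive(body, path, depth + 1))
            elif body[:2] == b"MZ":
                # DOS/PE header magic: a Windows executable whatever its name says.
                results.append((path, depth, "executable"))
            else:
                results.append((path, depth, "data"))
    return results


def _zip_bytes(members):
    """Build an in-memory zip from a {member name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member_name, body in members.items():
            zf.writestr(member_name, body)
    return buf.getvalue()


def build_sample():
    """Constructed, harmless sample: a fake executable header three archives deep."""
    fake_exe = b"MZ" + b"\x00" * 62           # header bytes only, not a real program
    level3 = _zip_bytes({"patch.exe": fake_exe})
    level2 = _zip_bytes({"part.r01": level3, "readme.nfo": b"text"})
    return _zip_bytes({"release/inner.zip": level2})


if __name__ == "__main__":
    for path, depth, verdict in scan_archive(build_sample(), "sample.zip"):
        print(f"depth {depth}: {verdict:<12} {path}")
```

Entries reported as not inspected or as having hit the nesting limit are the ones to treat as unscanned rather than clean.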
Title: Re: AAVM Subsystem detected a RPC error
Post by: hotmog on December 05, 2007, 12:44:41 AM
From the above I guess that avast was unable to move it to the chest (?) as on occasion an infected file can't be extracted from a .rar file and this is further complicated by also being inside another zip file.

I suggest that you use windows explorer and navigate to the C:\Program Files\mIRC\download\ folder and delete the ImTOO.3GP.Video.Converter.v3.1.8.0720b.WinALL-CHiCNCREAM.rar file if it is present.
Thanks David. When I ran Avast initially I did move it to the chest, however on completion of the scan I was unable to delete it. I then realised that this was because I was logged into my limited access account which would not have had the necessary privileges. I therefore switched users, logged in via the admin account and ran the scan again. This time when the scan picked up the trojan I didn't bother to move it to the chest first, but just selected the option to delete it there and then, which it did successfully.

At your suggestion I have now gone back and deleted the ImTOO.3GP.Video.Converter.v3.1.8.0720b.WinALL-CHiCNCREAM.rar file as well. Hopefully that will be the last of it .... but realistically I know it's only a matter of time before another one rears its ugly head.
Title: Re: AAVM Subsystem detected a RPC error
Post by: DavidR on December 05, 2007, 01:08:51 AM
It might be a matter of time (hopefully not, but I would certainly look at getting a new mIRC update/program), but the limited user accounts should hopefully limit the potential of any infection.
Title: Re: AAVM Subsystem detected a RPC error
Post by: hotmog on December 05, 2007, 03:18:40 PM
I don't know if it was a last, despairing, act of vindictiveness by some remnant of the trojan still present in that .rar file when I deleted it last night, but when I switched on my pc this morning, the dreaded Avast red circle had returned once more. I ran a thorough scan which was clean, so have reinstalled Avast once again which, for the moment at least, seems to be OK.

When I said it was only a matter of time, I didn't expect it to be quite so soon! :o
Title: Re: AAVM Subsystem detected a RPC error
Post by: Lisandro on December 05, 2007, 08:42:06 PM
You can, probably, still have an infection, probably a rootkit on your system that is killing avast.

See http://forum.avast.com/index.php?topic=26554.0
http://forum.avast.com/index.php?topic=25941.0

http://research.pandasoftware.com/blogs/research/archive/2006/12/14/Rootkit-cleaner.aspx
http://www.f-secure.com/blacklight/try_blacklight.html

After running the above rootkit tools if nothing is found try these.
If you haven't already got this software (freeware), download, install, update and run it, preferably in safe mode.
AVG anti-spyware or SUPERantispyware or Spyware Terminator.
Title: Re: AAVM Subsystem detected a RPC error
Post by: hotmog on December 06, 2007, 03:42:33 PM
You can, probably, still have an infection, probably a rootkit on your system that is killing avast.

See http://forum.avast.com/index.php?topic=26554.0
http://forum.avast.com/index.php?topic=25941.0

http://research.pandasoftware.com/blogs/research/archive/2006/12/14/Rootkit-cleaner.aspx
http://www.f-secure.com/blacklight/try_blacklight.html

After running the above rootkit tools if nothing is found try these.
If you haven't already got this software (freeware), download, install, update and run it, preferably in safe mode.
AVG anti-spyware or SUPERantispyware or Spyware Terminator.

I already have AVG anti-spyware, which I run daily, also Ad-Aware, Spywareblaster and Spybot. I also downloaded and ran AVG anti-rootkit, which found nothing. I have just finished running Trend Micro HouseCall, which again found no viruses or malware, just 9 items of gray/spyware which it deleted, and 3 so-called security vulnerabilities relating to Microsoft patches dating back to 2001 which have long since been subsumed within SP2.

Still no sign of the red circle, so I am inclined to think that whatever was responsible on my pc has now been shuffled off.
Title: Re: AAVM Subsystem detected a RPC error
Post by: Lisandro on December 06, 2007, 09:00:51 PM
Still no sign of the red circle
If you have ashserv.exe running in background (process), probably everything is all right...