Author Topic: AAVM Subsystem detected a RPC error  (Read 15128 times)


Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67235
Re: AAVM Subsystem detected a RPC error
« Reply #15 on: November 28, 2007, 05:40:13 PM »
If you give me the contact address I can email the log files to you for examination.
virus [at] avast [dot] com


Note that the dates and times in the logs are completely wrong.
Is your system time and date correct?
The best things in life are free.

hotmog

  • Guest
Re: AAVM Subsystem detected a RPC error
« Reply #16 on: November 28, 2007, 06:40:39 PM »
Yes, I use 1CLick ClockSync which regulates my pc date/time using an atomic clock reference. The dates in the log files start at May 16 2007 13:39 BST, so I assume it's getting those from the parent site.

I've emailed the log files to the address you gave.

Portillas

  • Guest
Re: AAVM Subsystem detected a RPC error
« Reply #17 on: November 30, 2007, 02:45:43 AM »
Well, I've almost completely resolved my concern. While I was having it I did notice one other thing that I hadn't mentioned. While hovering over the systray icon for Avast, I was getting no providers, now I'm back to getting 7 total with 6 running.

I finally gave up. There comes a point when I find I'm pissing in the wind. I disconnected all my external drives and formatted my C:\ drive. I've reinstalled Windows XP Pro up to SP2, installed the only update they'll give me without having to call Microsloth in Pakistan to activate WinXP to explain the fact that I had to do so again with my completely legal retail copy of XP. Now, I'll have to listen to some guy speaking Arab/English giving me twenty-seven alpha-numeric symbols I'll have to guess at what he said or call back and hold for another hour to try for a Chinese person. Why don't they have Mexicans? I speak Spanish fluently. Or Texans? I've got that language down pat - heck! 8)

Then, I'll have to download 87 security fixes one at a time to find out which one screwed up the Avast software.  ::)

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67235
Re: AAVM Subsystem detected a RPC error
« Reply #18 on: November 30, 2007, 02:48:33 AM »
Portillas, I know reinstall is painful... but we can learn.
Better if you have a full partition backup to restore your computer to the original (updated) situation, something like Norton Ghost or Acronis True Image Backup.
If you need help, we'll be here.
The best things in life are free.

Portillas

  • Guest
Re: AAVM Subsystem detected a RPC error
« Reply #19 on: November 30, 2007, 09:02:54 PM »
Thanks, I think this has somehow infected my entire data files. I can't seem to find a lot of what the PC-Flu II does. But, my first symptoms were CRC errors on all my hard drives. I have four external drives with a combined terabyte of data - including a complete system backup. While trying to recover those drives, the CRC errors started appearing on my 40GB hard drive in the computer. I disconnected all external drives to attempt to resolve the CRC problem. SpinRite worked for my 40GB drive but won't see the other external drives. I suspected it to be viral, and ran numerous scans without any detection at all. After updating Avast three days before I started this thread, I ran the scan and it found the two viruses I mentioned. After putting one in the Chest and deleting the other due to the Chest becoming unavailable, I installed a couple of updates from Auto updates at Microsoft. After restarting, Avast was down with the RPC error. It is running fine now, but I am still updating after talking to Pakistan to get the 36 numbers to activate XP because I've done this numerous times over the years. I just bought another terabyte of external hard drives that after I get what I can recovered, I'll back up on them and leave them offline. Geeze, I've been using computers since 1969! You'd have thought I would know the importance of good backup after over 35 years of using these infernal machines! ::)

hotmog

  • Guest
Re: AAVM Subsystem detected a RPC error
« Reply #20 on: December 03, 2007, 01:53:21 PM »
it did detect 2 viruses which I deleted (I can't remember what they were called).
It would be very helpful if you check down the name and the path of these infected files and submit them to avast team for analysis. This helps them to increase detection and improve your security ;)
Another update: I ran a standard on-demand scan again today, and it detected a Trojan Horse in the same directory as the one I quoted you last week. I have now successfully deleted it. I don't know if it was the same one that caused the earlier problems I had, but it seems suspiciously likely. I completed and submitted the virus report form, but here are the full details that I took down:

File name: C:\Program Files\mIRC\download\ImT00.3GP.Video.Converter.v3.1.8.07

Malware name: Win32:Neptunia-BQ[trj]

Malware type: Trojan Horse

VPS version: 071203-0, 03/12/2007

There has, thankfully, been no recurrence of the Avast "red circle" since I reinstalled it last week.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67235
Re: AAVM Subsystem detected a RPC error
« Reply #21 on: December 03, 2007, 03:54:43 PM »
There has, thankfully, been no recurrence of the Avast "red circle" since I reinstalled it last week.
Good to know. Remember that sending the file to the Chest is safer than just deleting it, due to the possibility of restoring and rescanning (false positives).
The best things in life are free.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 86921
  • No support PMs thanks
Re: AAVM Subsystem detected a RPC error
« Reply #22 on: December 03, 2007, 05:32:35 PM »
I see it is in the mIRC downloads folder, what is your mirc program?
Does it have the means to scan files that are downloaded, e.g. you can say what to scan files with?
If so, assuming that you installed avast! in the default folder, this is the path needed to scan downloads, C:\Program Files\Alwil Software\Avast4\ashQuick.exe.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 22.9.6034 (build 22.9.7554.734) UI 1.0.728/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

hotmog

  • Guest
Re: AAVM Subsystem detected a RPC error
« Reply #23 on: December 03, 2007, 09:49:23 PM »
I see it is in the mIRC downloads folder, what is your mirc program?
Does it have the means to scan files that are downloaded, e.g. you can say what to scan files with?
If so, assuming that you installed avast! in the default folder, this is the path needed to scan downloads, C:\Program Files\Alwil Software\Avast4\ashQuick.exe.
I'm afraid I don't know - it's not one of mine, but something my son has downloaded, hence it's in his directory path. Following previous problems with malware that resulted in my having to wipe the hard drive and reinstall Windows XP, I have now imposed a regime that seeks to minimise the risk of malware getting on to my PC by ensuring that all the user accounts, including the one I normally use to access the internet, are limited access only. There is only one account that has administrator privileges, to which only I have the password, that I use if I need to install/update software - or delete viruses in someone else's directory  ;). Despite my son's user account being limited access, it would seem that this trojan has still managed to install itself, although I know that the mIRC software he uses was installed much longer ago, when his account used to have admin rights.


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 86921
  • No support PMs thanks
Re: AAVM Subsystem detected a RPC error
« Reply #24 on: December 03, 2007, 10:56:24 PM »
A limited user account won't stop a trojan installing itself, but it will limit the things that it can do and that will limit the potential damage.

To create registry entries (needed for run commands so the malware starts on boot, disabling task manager, configsys, regedit, etc.) you need admin privileges. To place malware in the system folders requires admin privileges.

So having limited user accounts will save a great deal of damage, but it won't stop everything.

Find out what the mIRC is, ensure that it is the latest version and if it has the ability to have downloads scanned do so. The file name you posted seems incomplete, e.g. there is no file type, .exe, etc. Check the avast! Log Viewer (right click the avast 'a' icon), Warning section, this contains information on all avast detections.

The reason I mention this is the Standard Shield should under normal circumstances scan newly created files (depending on file type) this is normally the executable or potentially dangerous file types. So for it to be found on an on-demand scan seems strange. It could well be that this detection signature has been recently added and the file is old.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 22.9.6034 (build 22.9.7554.734) UI 1.0.728/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

hotmog

  • Guest
Re: AAVM Subsystem detected a RPC error
« Reply #25 on: December 04, 2007, 08:42:43 PM »
Sorry, I assumed the path name I quoted was complete, as it was all that was displayed on the scan results screen. I now realise it was truncated. I have now managed to locate the full log that gives the entire path and the offending file - which is indeed an .exe and is probably the same one as that identified by the earlier Trend Micro HomeCall scan.

Here it is: "C:\Program Files\mIRC\download\ImTOO.3GP.Video.Converter.v3.1.8.0720b.WinALL-CHiCNCREAM.rar\ImTOO.3GP.Video.Converter.v3.1.8.0720b.WinALL-CHiCNCREAM\cncita4c.zip\cncita4.r01\imtoo.x089x-patch.exe"

I have looked at the mIRC software, it's version 6.16 and appears to be an unlicensed evaluation copy. There do not seem to be any options for scanning downloads.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 86921
  • No support PMs thanks
Re: AAVM Subsystem detected a RPC error
« Reply #26 on: December 04, 2007, 09:54:11 PM »
Well the actual detection appears reasonably sound. The reason I say this is that the actual file that was detected (imtoo.x089x-patch.exe) was inside a zip file (cncita4c.zip) and that was inside another type of archive ImTOO.3GP.Video.Converter.v3.1.8.0720b.WinALL-CHiCNCREAM.rar. The use of multiple archives and different types of archive is on occasion used to try and defeat anti-virus detection.

From the above I guess that avast was unable to move it to the chest (?) as on occasion an infected file can't be extracted from a .rar file and this is further complicated by also being inside another zip file.

I suggest that you use windows explorer and navigate to the C:\Program Files\mIRC\download\ folder and delete the ImTOO.3GP.Video.Converter.v3.1.8.0720b.WinALL-CHiCNCREAM.rar file if it is present.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 22.9.6034 (build 22.9.7554.734) UI 1.0.728/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
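
Added example (not part of the original thread and not Avast code): a small triage helper that splits a scanner-reported path like the two quoted above into its archive layers, so the on-disk file to remove and the nesting depth are explicit. The extension lists and the backslash-joined path layout are assumptions of this example.

```python
import re
from pathlib import PureWindowsPath

# Assumed container extensions; .r00-.r99 are RAR split-volume parts
# such as "cncita4.r01". Both lists are illustrative, not exhaustive.
ARCHIVE_RE = re.compile(r"\.(rar|zip|7z|cab|tar|gz|r\d{2})$", re.IGNORECASE)
EXEC_RE = re.compile(r"\.(exe|scr|com|pif|bat|cmd|dll)$", re.IGNORECASE)

# Paths exactly as posted in the thread (replies #20 and #25).
TRUNCATED_PATH = r"C:\Program Files\mIRC\download\ImT00.3GP.Video.Converter.v3.1.8.07"
_REL = "ImTOO.3GP.Video.Converter.v3.1.8.0720b.WinALL-CHiCNCREAM"
FULL_PATH = ("C:\\Program Files\\mIRC\\download\\" + _REL + ".rar\\" + _REL
             + "\\cncita4c.zip\\cncita4.r01\\imtoo.x089x-patch.exe")

def archive_layers(report_path):
    """Return (outermost on-disk archive, container names, innermost name)."""
    parts = PureWindowsPath(report_path.strip('"')).parts
    # Any component except the last that looks like an archive is a layer.
    idx = [i for i, p in enumerate(parts[:-1]) if ARCHIVE_RE.search(p)]
    if not idx:
        return None, [], parts[-1]
    outer = str(PureWindowsPath(*parts[: idx[0] + 1]))
    return outer, [parts[i] for i in idx], parts[-1]

def triage(report_path):
    """Summarise a detection path for a human reviewer."""
    outer, containers, payload = archive_layers(report_path)
    kinds = {ARCHIVE_RE.search(c).group(1).lower() for c in containers}
    # Fold split-volume parts (r00..r99) into the RAR family.
    kinds = {"rar" if re.fullmatch(r"r\d{2}", k) else k for k in kinds}
    return {
        "outer_file": outer or report_path.strip('"'),  # what exists on disk
        "depth": len(containers),                       # archive layers
        "mixed_formats": len(kinds) > 1,                # e.g. zip inside rar
        "payload": payload,
        # False when the last component has no recognised type, which is
        # what a truncated on-screen path looks like.
        "payload_type_known": bool(EXEC_RE.search(payload)
                                   or ARCHIVE_RE.search(payload)),
    }

if __name__ == "__main__":
    for p in (TRUNCATED_PATH, FULL_PATH):
        print(triage(p))
```

For the full log path this reports three layers in mixed formats with the `.rar` as the only file that actually exists on disk; for the truncated on-screen path it reports no recognised file type, the cue to go to the full log.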

hotmog

  • Guest
Re: AAVM Subsystem detected a RPC error
« Reply #27 on: December 05, 2007, 12:44:41 AM »
From the above I guess that avast was unable to move it to the chest (?) as on occasion an infected file can't be extracted from a .rar file and this is further complicated by also being inside another zip file.

I suggest that you use windows explorer and navigate to the C:\Program Files\mIRC\download\ folder and delete the ImTOO.3GP.Video.Converter.v3.1.8.0720b.WinALL-CHiCNCREAM.rar file if it is present.
Thanks David. When I ran Avast initially I did move it to the chest, however on completion of the scan I was unable to delete it. I then realised that this was because I was logged into my limited access account which would not have had the necessary privileges. I therefore switched users, logged in via the admin account and ran the scan again. This time when the scan picked up the trojan I didn't bother to move it to the chest first, but just selected the option to delete it there and then, which it did successfully.

At your suggestion I have now gone back and deleted the ImTOO.3GP.Video.Converter.v3.1.8.0720b.WinALL-CHiCNCREAM.rar file as well. Hopefully that will be the last of it .... but realistically I know it's only a matter of time before another one rears its ugly head.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 86921
  • No support PMs thanks
Re: AAVM Subsystem detected a RPC error
« Reply #28 on: December 05, 2007, 01:08:51 AM »
It might be a matter of time (hopefully not, but I would certainly look at getting a new mIRC update/program), but the limited user accounts should hopefully limit the potential of any infection.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 22.9.6034 (build 22.9.7554.734) UI 1.0.728/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

hotmog

  • Guest
Re: AAVM Subsystem detected a RPC error
« Reply #29 on: December 05, 2007, 03:18:40 PM »
I don't know if it was a last, despairing, act of vindictiveness by some remnant of the trojan still present in that .rar file when I deleted it last night, but when I switched on my pc this morning, the dreaded Avast red circle had returned once more. I ran a thorough scan which was clean, so have reinstalled Avast once again which, for the moment at least, seems to be OK.

When I said it was only a matter of time, I didn't expect it to be quite so soon! :o