Author Topic: C:\windows\system32\taskmon.exe  (Read 107483 times)


paddyc

  • Guest
Re: C:\windows\system32\taskmon.exe
« Reply #120 on: December 03, 2008, 03:16:24 PM »
another idea.. can you see any file(s) in your Program Files\Alwil software\Avast4\DATA\spool folder?

Maxx, this file is empty. I did a check but realised I had deleted the suspicious file, so I did a reboot, got the suspicious warning back and then checked the spool folder again; it was still empty.

Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: C:\windows\system32\taskmon.exe
« Reply #121 on: December 03, 2008, 03:31:31 PM »
can you post here e.g. the last 50 lines of your setup.log file?

paddyc

  • Guest
Re: C:\windows\system32\taskmon.exe
« Reply #122 on: December 03, 2008, 04:04:28 PM »
can you post here e.g. the last 50 lines of your setup.log file?

Maxx, here is the info. Signing off now, it's late.

12:06:09 nrm/int  SYNCER: Type: use IE settings
12:06:09 nrm/int  SYNCER: Auth: another authentication, use WinInet
12:06:09 dbg/int  while trying to get file 'servers.def', error 0x20000004 has occured, try 4
12:06:11 nrm/int  ERROR:HttpGetWininet, catch returned 0x00002EFD
12:06:11 nrm/gen  InvalidateCurrent: invalidated server 'Download930 AVAST Server' from 'main'
12:06:11 nrm/gen  SelectCurrent: selected server 'Download921 AVAST Server' from 'main'
12:06:11 nrm/int  SYNCER: Type: use IE settings
12:06:11 nrm/int  SYNCER: Auth: another authentication, use WinInet
12:06:11 dbg/int  while trying to get file 'servers.def', error 0x20000004 has occured, try 5
12:06:13 nrm/int  ERROR:HttpGetWininet, catch returned 0x00002EE7
12:06:13 nrm/gen  InvalidateCurrent: invalidated server 'Download921 AVAST Server' from 'main'
12:06:13 nrm/gen  SelectCurrent: selected server 'Download655 AVAST Server' from 'main'
12:06:13 nrm/int  SYNCER: Type: use IE settings
12:06:13 nrm/int  SYNCER: Auth: another authentication, use WinInet
12:06:13 dbg/int  while trying to get file 'servers.def', error 0x20000004 has occured, try 6
12:06:15 nrm/int  ERROR:HttpGetWininet, catch returned 0x00002EE7
12:06:15 nrm/gen  InvalidateCurrent: invalidated server 'Download655 AVAST Server' from 'main'
12:06:15 nrm/gen  SelectCurrent: selected server 'Download967 AVAST Server' from 'main'
12:06:15 nrm/int  SYNCER: Type: use IE settings
12:06:15 nrm/int  SYNCER: Auth: another authentication, use WinInet
12:06:15 dbg/int  while trying to get file 'servers.def', error 0x20000004 has occured, try 7
12:06:17 nrm/int  ERROR:HttpGetWininet, catch returned 0x00002EE7
12:06:17 nrm/gen  InvalidateCurrent: invalidated server 'Download967 AVAST Server' from 'main'
12:06:17 nrm/gen  SelectCurrent: selected server 'Download201 AVAST Server' from 'main'
12:06:17 nrm/int  SYNCER: Type: use IE settings
12:06:17 nrm/int  SYNCER: Auth: another authentication, use WinInet
12:06:17 dbg/int  while trying to get file 'servers.def', error 0x20000004 has occured, try 8
12:06:19 nrm/int  ERROR:HttpGetWininet, catch returned 0x00002EFD
12:06:19 nrm/gen  InvalidateCurrent: invalidated server 'Download201 AVAST Server' from 'main'
12:06:19 nrm/gen  SelectCurrent: selected server 'Download961 AVAST Server' from 'main'
12:06:19 nrm/int  SYNCER: Type: use IE settings
12:06:19 nrm/int  SYNCER: Auth: another authentication, use WinInet
12:06:19 dbg/int  while trying to get file 'servers.def', error 0x20000004 has occured, try 9
12:06:21 nrm/int  ERROR:HttpGetWininet, catch returned 0x00002EE7
12:06:21 nrm/gen  InvalidateCurrent: invalidated server 'Download961 AVAST Server' from 'main'
12:06:21 nrm/gen  SelectCurrent: selected server 'Download932 AVAST Server' from 'main'
12:06:21 nrm/int  SYNCER: Type: use IE settings
12:06:21 nrm/int  SYNCER: Auth: another authentication, use WinInet
12:06:21 dbg/int  while trying to get file 'servers.def', error 0x20000004 has occured, try 10
12:06:23 min/int  tried 10 servers to get file 'servers.def', but failed (0x20000004)
12:06:23 min/fil  GetNewerStampedFile:GetFileWithRetry failed: C:\WINDOWS\TEMP\_av_proI.tm~a02276\onefile, servers.def, error: 0x20000004
12:06:23 min/pkg  Tried to download servers.def but failed with error 0x20000004.
12:06:23 min/pkg  LoadAllDefs failed 0x20000004
12:06:23 min/gen  Err:Cannot connect to download961.avast.com (unknown:80).
12:06:23 nrm/pkg  Transferred: files 22, bytes 0, time 134704 ms
12:06:23 nrm/pkg  Retries: total 20, files 2, servers 21
12:06:23 vrb/int  Sending stats 'http://74.54.25.2/cgi-bin/iavs4stats.cgi': 20000004 0
12:06:23 vrb/fil  NeedReboot=false
12:06:28 min/gen  Return code: 0x20000004 [Cannot connect to 74.54.25.2 (74.54.25.2:80).]
12:06:28 min/gen  Stopped: 03.12.2008, 12:06:28
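The excerpt above shows the updater cycling through ten mirrors and failing on every one with a WinInet error before giving up with 0x20000004. The following script is an added example, not code from Avast or from anyone in this thread: it parses a few constructed lines in the same layout as the posted setup.log, decodes the WinInet codes (values from wininet.h, 0x2EE7 = 12007 name-not-resolved, 0x2EFD = 12029 cannot-connect), and reports which mirrors were abandoned and whether the failure looks like DNS or like blocked outbound connections. The line layout and the meaning of the `(unknown:80)` suffix are inferred from the excerpt.

```python
import re
from collections import Counter

# Constructed sample, modelled on the setup.log excerpt posted above
# (a few representative lines; the real file is much longer).
SAMPLE_SETUP_LOG = """\
12:06:09 nrm/int  SYNCER: Type: use IE settings
12:06:09 dbg/int  while trying to get file 'servers.def', error 0x20000004 has occured, try 4
12:06:11 nrm/int  ERROR:HttpGetWininet, catch returned 0x00002EFD
12:06:11 nrm/gen  InvalidateCurrent: invalidated server 'Download930 AVAST Server' from 'main'
12:06:11 nrm/gen  SelectCurrent: selected server 'Download921 AVAST Server' from 'main'
12:06:13 nrm/int  ERROR:HttpGetWininet, catch returned 0x00002EE7
12:06:13 nrm/gen  InvalidateCurrent: invalidated server 'Download921 AVAST Server' from 'main'
12:06:23 min/int  tried 10 servers to get file 'servers.def', but failed (0x20000004)
12:06:23 min/gen  Err:Cannot connect to download961.avast.com (unknown:80).
12:06:28 min/gen  Return code: 0x20000004 [Cannot connect to 74.54.25.2 (74.54.25.2:80).]
"""

# WinInet error codes from wininet.h (decimal 12000 + n); the log prints
# them as hex, so 0x2EE7 is 12007 and 0x2EFD is 12029.
WININET_ERRORS = {
    0x2EE2: "ERROR_INTERNET_TIMEOUT (12002)",
    0x2EE7: "ERROR_INTERNET_NAME_NOT_RESOLVED (12007): DNS lookup failed",
    0x2EFD: "ERROR_INTERNET_CANNOT_CONNECT (12029): TCP connection refused or blocked",
}

# Line layout inferred from the excerpt: "HH:MM:SS level/category  message".
LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d) (\w+)/(\w+)\s+(.*)$")


def parse_setup_log(text):
    """Collect the failure-relevant facts from a setup.log fragment."""
    summary = {
        "wininet": Counter(),      # WinInet error code -> occurrences
        "invalidated": [],         # mirrors abandoned, in order
        "unresolved_hosts": [],    # hosts logged as (unknown:port), i.e. never resolved
        "return_code": None,       # final updater return code
    }
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group(4)
        e = re.search(r"HttpGetWininet, catch returned 0x([0-9A-Fa-f]+)", msg)
        if e:
            summary["wininet"][int(e.group(1), 16)] += 1
            continue
        s = re.search(r"invalidated server '([^']+)'", msg)
        if s:
            summary["invalidated"].append(s.group(1))
            continue
        h = re.search(r"Cannot connect to (\S+) \(unknown:\d+\)", msg)
        if h:
            summary["unresolved_hosts"].append(h.group(1))
            continue
        r = re.match(r"Return code: 0x([0-9A-Fa-f]+)", msg)
        if r:
            summary["return_code"] = int(r.group(1), 16)
    return summary


def diagnose(summary):
    """Turn the counts into the checks a defender would run first."""
    findings = []
    for code, n in summary["wininet"].most_common():
        name = WININET_ERRORS.get(code, f"unknown WinInet error 0x{code:04X}")
        findings.append(f"{n}x {name}")
    if summary["unresolved_hosts"] or 0x2EE7 in summary["wininet"]:
        findings.append("DNS: update mirrors never resolved to an address; "
                        "check the resolver and any proxy or filter the updater must go through")
    if 0x2EFD in summary["wininet"]:
        findings.append("CONNECT: outbound TCP/80 to the mirrors was refused or blocked; "
                        "check host firewall rules for the updater process")
    if summary["invalidated"]:
        findings.append(f"{len(summary['invalidated'])} mirror(s) rotated through without success")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_setup_log(SAMPLE_SETUP_LOG)):
        print(finding)
```

Run against a real setup.log, a DNS finding points at the resolver or an interposed proxy, while a pure cannot-connect pattern points at a host firewall rule that blocks the updater process; both are the cases Maxx and Eddy raise below.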

Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: C:\windows\system32\taskmon.exe
« Reply #123 on: December 03, 2008, 04:36:01 PM »
got it, maybe... tell me what your VPS version is; it seems that you're not able to connect to our servers (maybe some firewall blocks the access)... that's the reason why the file has not been sent to us and analysed.. also send your full setup.log (zipped) to forejt[at]avast[dot]com with a link to this topic..

Ltangelic

  • Guest
Re: C:\windows\system32\taskmon.exe
« Reply #124 on: December 03, 2008, 05:11:18 PM »
Hey paddyc,

I really can't see anything in that runscanner log that causes Avast's warning. Let's try a different scanner this time and see what it can catch.

Please go to Start>Run and type ComboFix /u. You should get a window telling you that ComboFix is uninstalled. Reboot your computer.

1) Run Dr Web Cure It

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory and, when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click File and choose Save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web CureIt.

2) Run Panda ActiveScan

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report
Next reply (please include):

Fresh RSIT log (Please re-run RSIT)
Dr WebCureIt log
Panda Activescan log


Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31072
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: C:\windows\system32\taskmon.exe
« Reply #125 on: December 03, 2008, 05:53:17 PM »
Maxx, it could also be because of a proxy server.

paddyc

  • Guest
Re: C:\windows\system32\taskmon.exe
« Reply #126 on: December 04, 2008, 02:01:01 AM »
got it, maybe... tell me what your VPS version is; it seems that you're not able to connect to our servers (maybe some firewall blocks the access)... that's the reason why the file has not been sent to us and analysed.. also send your full setup.log (zipped) to forejt[at]avast[dot]com with a link to this topic..

Maxx, my VPS is file version 081203-0 dated 3/12/08, so I am receiving them and I see the notifications that it has been updated.

My firewall is ZoneAlarm - the Avast update and email scanner have automatic access to the internet, but everything else has to ask me, and I have never been asked.

Will send the setup.log as requested. I should just mention that my original download of Avast had an RPC problem, but an update to 1290 resolved that. However, somewhere along the line, while doing the various scans for Ltangelic, Avast stopped appearing in the system tray at start-up and could not be found in msconfig. I had to force the icons into the system tray manually. Eventually I did a reinstall and asked for a repair, which sorted everything out. However, the suspicious file warnings had been going on before the problem with the system tray, and they only started after the update to 1290.

Re Eddy's comment: I do not use a proxy. I do have FoxyProxy set up in Firefox, but it has been disabled for months.

Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: C:\windows\system32\taskmon.exe
« Reply #127 on: December 04, 2008, 02:10:35 PM »
paddyc: follow these instructions

1) restart your computer
2) wait a few minutes for the antirootkit dialog to appear
3) check the "send to alwil" box (make sure it is checked)
4) click "ignore"
5) look in the Program Files\Alwil software\Avast4\DATA\spool folder (and its potential subfolders) immediately
6) the file should be there (not necessarily under the original name); the folder can't be empty

paddyc

  • Guest
Re: C:\windows\system32\taskmon.exe
« Reply #128 on: December 04, 2008, 02:51:32 PM »
Ltangelic

Panda Scan did not give me a report, but I copied this

ware/navhelp...   Adware   
Latent
   Hide   + Info   
   1. HKEY_CURRENT_USER\Software\Microsoft\Internet...A06644-BC46-4220-A460-47A6EB47C96D}

It also showed one suspicious file, but it was LopSD.exe

paddyc

  • Guest
Re: C:\windows\system32\taskmon.exe
« Reply #129 on: December 04, 2008, 02:56:41 PM »
paddyc: follow these instructions

1) restart your computer
2) wait a few minutes for the antirootkit dialog to appear
3) check the "send to alwil" box (make sure it is checked)
4) click "ignore"
5) look in the Program Files\Alwil software\Avast4\DATA\spool folder (and its potential subfolders) immediately
6) the file should be there (not necessarily under the original name); the folder can't be empty

Maxx, this is what I did in my last post to you, but to be sure I did it again: the spool folder contains a suspicious folder, but it was empty. There is definitely nothing appearing in that directory.

paddyc

  • Guest
Re: C:\windows\system32\taskmon.exe
« Reply #130 on: December 04, 2008, 03:22:59 PM »
Ltangelic,

Here is the DrWebCureIt log - it found some things but took 7 hours to run!!

regLocal.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Backups;Probably SCRIPT.Virus;;
stream004\strmserver.exe.184BCE29_589D_4695_8887_63F4C08E3857;C:\Documents and Settings\Paddy\Local Settings\Application Data\Downloaded Installations\{D9F82F04-BB9A-4E88-A34E-93BB52DE3F37};Probably DLOADER.Trojan;;
stream004;C:\Documents and Settings\Paddy\Local Settings\Application Data\Downloaded Installations\{D9F82F04-BB9A-4E88-A34E-93BB52DE3F37};Archive contains infected objects;;
Pinnacle DistanTV Server.msi;C:\Documents and Settings\Paddy\Local Settings\Application Data\Downloaded Installations\{D9F82F04-BB9A-4E88-A34E-93BB52DE3F37};Archive contains infected objects;Moved.;
Silent Runners.vbs;C:\Documents and Settings\Paddy\Desktop;Probably BATCH.Virus;;
mbam.exe;C:\Program Files\Malwarebytes' Anti-Malware;Probably BACKDOOR.Trojan;;
stream004\strmserver.exe.184BCE29_589D_4695_8887_63F4C08E3857;C:\System Volume Information\_restore{B1AF6306-70F0-4416-91D0-2A49F3B95B86}\RP1\A0000014.msi\stream004;Probably DLOADER.Trojan;;
stream004;C:\System Volume Information\_restore{B1AF6306-70F0-4416-91D0-2A49F3B95B86}\RP1\A0000014.msi;Archive contains infected objects;;
A0000014.msi;C:\System Volume Information\_restore{B1AF6306-70F0-4416-91D0-2A49F3B95B86}\RP1;Archive contains infected objects;Moved.;
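The DrWeb.csv lines above are semicolon-separated, one object per line. As an added example (not Dr.Web's own tooling and not code from anyone in this thread), the script below parses constructed lines in that shape and sorts them into a triage summary: heuristic "Probably ..." verdicts that the scanner left untouched, objects it actually moved, and hits that live in System Restore snapshots. The field meanings (object, folder, verdict, action) and the reading of the "Probably" prefix as a heuristic verdict are inferred from the posted lines; the script only groups the report, it does not decide what is malicious.

```python
import csv
import io

# Constructed sample in the shape of the posted DrWeb.csv lines:
# object;folder;verdict;action;  (trailing separator on every line).
SAMPLE_DRWEB_CSV = r"""regLocal.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Backups;Probably SCRIPT.Virus;;
stream004\strmserver.exe.184BCE29_589D_4695_8887_63F4C08E3857;C:\Documents and Settings\Paddy\Local Settings\Application Data\Downloaded Installations\{D9F82F04-BB9A-4E88-A34E-93BB52DE3F37};Probably DLOADER.Trojan;;
stream004;C:\Documents and Settings\Paddy\Local Settings\Application Data\Downloaded Installations\{D9F82F04-BB9A-4E88-A34E-93BB52DE3F37};Archive contains infected objects;;
Pinnacle DistanTV Server.msi;C:\Documents and Settings\Paddy\Local Settings\Application Data\Downloaded Installations\{D9F82F04-BB9A-4E88-A34E-93BB52DE3F37};Archive contains infected objects;Moved.;
Silent Runners.vbs;C:\Documents and Settings\Paddy\Desktop;Probably BATCH.Virus;;
mbam.exe;C:\Program Files\Malwarebytes' Anti-Malware;Probably BACKDOOR.Trojan;;
stream004\strmserver.exe.184BCE29_589D_4695_8887_63F4C08E3857;C:\System Volume Information\_restore{B1AF6306-70F0-4416-91D0-2A49F3B95B86}\RP1\A0000014.msi\stream004;Probably DLOADER.Trojan;;
stream004;C:\System Volume Information\_restore{B1AF6306-70F0-4416-91D0-2A49F3B95B86}\RP1\A0000014.msi;Archive contains infected objects;;
A0000014.msi;C:\System Volume Information\_restore{B1AF6306-70F0-4416-91D0-2A49F3B95B86}\RP1;Archive contains infected objects;Moved.;
"""

CONTAINER_VERDICT = "Archive contains infected objects"
RESTORE_MARKER = "\\System Volume Information\\_restore"   # XP System Restore snapshots


def parse_drweb_csv(text):
    """Parse object;folder;verdict;action; lines into dicts (field roles assumed)."""
    records = []
    for row in csv.reader(io.StringIO(text), delimiter=";"):
        if len(row) < 3:
            continue                      # blank or truncated line
        obj, folder, verdict = row[0], row[1], row[2]
        action = row[3] if len(row) > 3 else ""
        records.append({
            "object": obj,
            "folder": folder,
            "verdict": verdict,
            "action": action.rstrip("."),                     # "Moved." -> "Moved", "" if none
            "heuristic": verdict.startswith("Probably "),      # scanner's own uncertainty marker
            "container": verdict == CONTAINER_VERDICT,        # archive flagged for its contents
            "in_restore_point": RESTORE_MARKER in folder,
        })
    return records


def triage(records):
    """Group the report into the buckets worth looking at separately."""
    return {
        # heuristic hits the scanner did not act on: verify before deleting anything
        "needs_second_opinion": [r["object"] for r in records
                                 if r["heuristic"] and not r["action"]],
        # objects the scanner already quarantined
        "quarantined": [r["object"] for r in records if r["action"] == "Moved"],
        # copies inside System Restore snapshots (cleared by purging restore points)
        "restore_point_copies": [r["object"] for r in records if r["in_restore_point"]],
    }


if __name__ == "__main__":
    for bucket, objects in triage(parse_drweb_csv(SAMPLE_DRWEB_CSV)).items():
        print(f"{bucket}: {objects}")
```

The "needs_second_opinion" bucket is the one a helper reads first: a heuristic verdict on a file with no action taken is a claim the scanner itself is unsure of, so it should be confirmed with another engine or a hash lookup rather than treated as a finding on its own.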

paddyc

  • Guest
Re: C:\windows\system32\taskmon.exe
« Reply #131 on: December 04, 2008, 03:27:03 PM »
Ltangelic

Here is the RSIT log part 1

« Last Edit: December 19, 2008, 03:28:34 PM by paddyc »

paddyc

  • Guest
Re: C:\windows\system32\taskmon.exe
« Reply #132 on: December 04, 2008, 03:29:30 PM »
RSIT Log Part2


« Last Edit: December 19, 2008, 03:29:00 PM by paddyc »

paddyc

  • Guest
Re: C:\windows\system32\taskmon.exe
« Reply #133 on: December 04, 2008, 03:34:44 PM »
RSIT Log Part3


« Last Edit: December 19, 2008, 03:29:25 PM by paddyc »

paddyc

  • Guest
Re: C:\windows\system32\taskmon.exe
« Reply #134 on: December 04, 2008, 03:38:45 PM »
RSIT Log Part 4



« Last Edit: December 19, 2008, 03:29:53 PM by paddyc »