Topic: C:\windows\system32\taskmon.exe

paddyc

Re: C:\windows\system32\taskmon.exe
« Reply #150 on: December 08, 2008, 02:31:36 AM »
> Would tend to agree there paddy, there are maybe two tools not yet used but I do not feel that they would add anything. A question though (and I may have missed you doing this): when you start and Avast has alarmed, select ignore. Then see if the process is running in Task Manager; if it is, right click and select properties. Let me know what it says. If it does not appear in Task Manager then we might use Sysinternals to take a look, but that can wait.


Essexboy,

Have done that and there is nothing running in the Task Manager for taskmon. Just a question for you: I did try right clicking on some other processes and no properties option came up. Do I have a problem with Task Manager?

I should mention that I had 2 processes running called Mxtask, which should be associated with Vcom Fix It, but this is supposed to be for the automatic update, which I have disabled, so it raises the question as to why there are 2 processes running.

paddyc

Re: C:\windows\system32\taskmon.exe
« Reply #151 on: December 08, 2008, 10:13:17 AM »
> paddyc: follow these instructions
>
> 1) restart your computer
> 2) wait a few minutes for the antirootkit dialog to appear
> 3) check the "send to alwil" box (you must be sure that it is checked)
> 4) click "ignore"
> 5) look in the Program Files\Alwil software\Avast4\DATA\spool folder (and its potential subfolders) immediately
> 6) the file should be there (not necessarily under the original name), the folder can't be empty

Maxx, this is what I did in my last post to you, but to be sure I did it again and the spool folder contains a suspicious folder, but it was empty. There is definitely nothing appearing in that directory.

Maxx,

Re the above, I have just noticed error messages in the Avast error log which may refer to this problem.

06/12/2008 13:53:30   SYSTEM   1696   Internal error has occurred in module basEncodeFileToSubmit failed! , function 00000002. 
06/12/2008 19:47:34   SYSTEM   1904   Internal error has occurred in module basEncodeFileToSubmit failed! , function 00000002. 
08/12/2008 09:56:08   SYSTEM   1664   Internal error has occurred in module basEncodeFileToSubmit failed! , function 00000002. 

Maxx_original
Re: C:\windows\system32\taskmon.exe
« Reply #152 on: December 08, 2008, 10:43:00 PM »
It means "avast failed to create the suspicious file entry in spool"... I have no idea what can cause this type of error :-\

paddyc

Re: C:\windows\system32\taskmon.exe
« Reply #153 on: December 09, 2008, 09:20:35 AM »
> It means "avast failed to create the suspicious file entry in spool"... I have no idea what can cause this type of error :-\

Maxx,

Something else to think about. The taskmon.exe was reported again this morning and ignored by me. Now this is supposed to be a rootkit hidden process, but the rootkit log for Avast reports as follows:

Scan finished: 09 December 2008 10:36:45
Hidden files found: 0
Hidden registry items found: 0
Hidden processes found: 0
Hidden services found: 0
Hidden boot sectors found: 0

The error log reports the following:

09/12/2008   11:16:36   1228788996   SYSTEM   1664   Internal error has occurred in module basEncodeFileToSubmit failed! , function 00000002. 

Seems to me that Avast is giving a warning for something it did not find and is trying to send a file that does not exist.

Is this something that the Avast programmers need to take a look at?

essexboy
Re: C:\windows\system32\taskmon.exe
« Reply #154 on: December 09, 2008, 08:14:23 PM »
It does seem to be a phantom. Not all running programmes/processes will have a properties tab.

The two processes for Mxtask may be background services, as I know that Acronis does that even if I disable it on startup.

Maxx_original
Re: C:\windows\system32\taskmon.exe
« Reply #155 on: December 10, 2008, 09:31:21 AM »
Let's try another thing.. download the EICAR test file and scan it... select "report as false positive" in the dialog, fill in some info and confirm the sending.. look in the spool folder - is there anything? How about the setup.log and error log? Same error? In case of no error, delete the file from spool (you will have to disable self-defense temporarily to do that)..

paddyc

Re: C:\windows\system32\taskmon.exe
« Reply #156 on: December 10, 2008, 11:06:20 AM »
> Let's try another thing.. download the EICAR test file and scan it... select "report as false positive" in the dialog, fill in some info and confirm the sending.. look in the spool folder - is there anything? How about the setup.log and error log? Same error? In case of no error, delete the file from spool (you will have to disable self-defense temporarily to do that)..

Maxx, did that and the file was picked up immediately by Avast. Reported it as false positive and there is a file in the suspic folder within the spooler folder. There was no error log message and the setup log was unchanged from early this morning when the VPS update was done.

So Avast is doing its job except in the case of taskmon.exe - because there is no file for it to latch onto ???

Should I delete the EICAR file?

Maxx_original
Re: C:\windows\system32\taskmon.exe
« Reply #157 on: December 10, 2008, 11:40:43 AM »
Yes, delete it please to avoid its being sent as a false positive... so the file picking works fine for "normal" files.. in my opinion it is impossible to detect a non-existent file on a healthy filesystem; one way to check what's going on is the lookup from another machine (or from the OS CD)..

paddyc

Re: C:\windows\system32\taskmon.exe
« Reply #158 on: December 10, 2008, 11:52:57 AM »
> Yes, delete it please to avoid its being sent as a false positive... so the file picking works fine for "normal" files.. in my opinion it is impossible to detect a non-existent file on a healthy filesystem; one way to check what's going on is the lookup from another machine (or from the OS CD)..

Maxx, something strange: I accessed the spool folder and identified that there was a file, I then sent you my message confirming the file in the spooler, and yet when I went back to the spooler to delete the file there was nothing there! I did ensure that I switched off the self-defense but nothing was showing. The setup log does not show any activity past 10:30 this morning and it is now 19:48, so the file should not have been sent to Avast. Where could it have gone?

I can attach my laptop to the same network with all files shared on both computers - is this what you mean by a lookup from another machine?

Maxx_original
Re: C:\windows\system32\taskmon.exe
« Reply #159 on: December 10, 2008, 01:28:23 PM »
Nope.. I meant attaching the HDD to another PC or looking at it from some CD with an NTFS driver...

Are you sure there was no attempt to update the VPS meanwhile? In that case the file would be sent and removed from spool..

paddyc

Re: C:\windows\system32\taskmon.exe
« Reply #160 on: December 10, 2008, 02:11:30 PM »
> Nope.. I meant attaching the HDD to another PC or looking at it from some CD with an NTFS driver...
>
> Are you sure there was no attempt to update the VPS meanwhile? In that case the file would be sent and removed from spool..

Maxx, definitely no update of the VPS - that was done this morning at 10:37 and the last entry in the setup log is 10:37. That is why I was astonished when I could not find the file in the spooler.

I can access the HDD of my desktop from my laptop.

paddyc

Re: C:\windows\system32\taskmon.exe
« Reply #161 on: December 11, 2008, 12:39:59 PM »
> Nope.. I meant attaching the HDD to another PC or looking at it from some CD with an NTFS driver...
>
> Are you sure there was no attempt to update the VPS meanwhile? In that case the file would be sent and removed from spool..
>
> Maxx, definitely no update of the VPS - that was done this morning at 10:37 and the last entry in the setup log is 10:37. That is why I was astonished when I could not find the file in the spooler.
>
> I can access the HDD of my desktop from my laptop.

Maxx, Essexboy,

I did a search of my desktop HDD via my laptop and could not find taskmon.

I have now discovered that I do have the XP Recovery Console installed on my hard drive. I have no idea how to use this, but if you give me instructions I will use this to search for taskmon.

essexboy
Re: C:\windows\system32\taskmon.exe
« Reply #162 on: December 11, 2008, 09:53:13 PM »
The only way via the Recovery Console is to do a manual search from the command prompt.

Likely areas are

C:\
C:\Windows
C:\Windows\System32

To use the DOS prompt, change to the directory by typing
CD Windows
Dir /P
which will then show, page by page, the files in that directory.

Having checked there, then
CD System32
Dir /p
and again page through it.

Once you find it, it is just a matter of typing
del taskmon.exe

Then exit.

paddyc

Re: C:\windows\system32\taskmon.exe
« Reply #163 on: December 12, 2008, 05:24:09 AM »
> The only way via the Recovery Console is to do a manual search from the command prompt.

Essexboy,

Did that but could find no trace of taskmon in any of the directories. :-X

I did find 3 copies of taskman.exe in Windows, System32 and System32\Dllcache, all of which say they are by Microsoft and are all 15,360k. The only other likely candidate is taskmgr.exe in System32, which is 135,680k and says it is Microsoft.

If taskmon is being disguised do you have a list of likely file names that I could search for - or is this unlikely?

Maxx_original
Re: C:\windows\system32\taskmon.exe
« Reply #164 on: December 12, 2008, 11:17:54 AM »
It can't be another (similar) name, but the exact one... the files aren't always read through ntfs.sys while doing the antirootkit scan, but I don't know what can cause the difference between our driver and the default NTFS driver..
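The offline lookup Essexboy and Maxx describe above (paging through C:\, C:\Windows and C:\Windows\System32 from the Recovery Console, or from another machine that has the disk mounted) and paddyc's question about look-alike names can both be done in one pass with a script. The following is an added example written for this thread; it is not code from the forum, from Avast or from Microsoft. It walks a directory tree given on the command line (for instance the suspect drive mounted in another PC, or the share paddyc reached from his laptop), reports any file whose name exactly matches the reported one (case-insensitively, as NTFS is), and separately lists names within two edits of it (taskman.exe, taskmgr.exe) with size and SHA-256 so the copies in System32 and Dllcache can be compared with each other. The look-alike list is an aid for the human, not the engine: as Maxx says, the detection refers to the exact name only. When run without arguments it builds a constructed sample tree that mirrors the layout paddyc found (three identical taskman.exe copies, one taskmgr.exe, no taskmon.exe); the file contents in that tree are placeholder bytes, not real binaries.

```python
"""Offline search for a file that an AV alert names but the filesystem seems not to contain.

Added example for this thread, not code from Avast or Microsoft. The sample tree
built by build_sample_tree() is constructed for the demo; its files are not real PEs.
"""
import hashlib
import os
import sys
import tempfile


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (standard dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                  # deletion
                           cur[j - 1] + 1,               # insertion
                           prev[j - 1] + (ca != cb)))    # substitution
        prev = cur
    return prev[-1]


def file_info(path: str) -> dict:
    """Size and SHA-256 of a file, read in 1 MiB chunks so large binaries are fine."""
    h = hashlib.sha256()
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
            size += len(chunk)
    return {"path": path, "size": size, "sha256": h.hexdigest()}


def search_tree(root: str, target: str, max_distance: int = 2):
    """Return (exact, near): exact-name hits and names within max_distance edits.

    Names are compared case-insensitively because NTFS is case-insensitive.
    Each entry carries path, size, sha256 and the edit distance from target.
    """
    exact, near = [], []
    t = target.lower()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            d = edit_distance(name.lower(), t)
            if d > max_distance:
                continue
            info = file_info(os.path.join(dirpath, name))
            info["distance"] = d
            (exact if d == 0 else near).append(info)
    near.sort(key=lambda i: (i["distance"], i["path"]))
    return exact, near


def build_sample_tree() -> str:
    """Constructed layout mirroring the thread: three identical taskman.exe copies
    (Windows, System32, Dllcache), one taskmgr.exe, no taskmon.exe."""
    root = tempfile.mkdtemp(prefix="taskmon_demo_")
    taskman = b"MZ-demo-taskman" * 16      # placeholder bytes, not a real PE
    taskmgr = b"MZ-demo-taskmgr" * 64
    layout = {
        "Windows/taskman.exe": taskman,
        "Windows/System32/taskman.exe": taskman,
        "Windows/System32/dllcache/taskman.exe": taskman,
        "Windows/System32/taskmgr.exe": taskmgr,
        "Windows/System32/notepad.exe": b"unrelated",
    }
    for rel, data in layout.items():
        p = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(data)
    return root


def report(root: str, target: str) -> None:
    """Print exact hits, then look-alikes with size and hash prefix."""
    exact, near = search_tree(root, target)
    print(f"Searched {root} for {target!r}")
    print(f"  exact matches: {len(exact)}")
    for i in exact:
        print(f"    {i['path']}  {i['size']} bytes  sha256={i['sha256'][:16]}...")
    print(f"  look-alikes (<= 2 edits): {len(near)}")
    for i in near:
        print(f"    d={i['distance']} {i['path']}  {i['size']} bytes  sha256={i['sha256'][:16]}...")
    if not exact:
        print("  No file of that exact name exists in this view of the disk.")


if __name__ == "__main__":
    # Real use: python find_phantom.py <mounted-drive-root> taskmon.exe
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    report(root, sys.argv[2] if len(sys.argv) > 2 else "taskmon.exe")
```

Identical SHA-256 values across the Windows, System32 and Dllcache copies of taskman.exe are what you would expect for legitimate copies of the same Microsoft file; a copy with a different hash or size is the one to look at. Walking the tree from another machine or a boot CD also sidesteps the on-box filter drivers Maxx mentions, so the listing reflects what ntfs.sys alone returns.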