Thanks for the help David. It is still a bit puzzling to me. A bit more info below.
It is normally the C:\Documents and Settings\All Users\Application Data\AVAST Software\Avast\log\aswar.log (XP location) file that contains the information on anti-rootkit detections.
Yes, thanks - I'd learned that from searching one of your previous posts! I looked there - but it only seems to contain the scan data for the latest boot - and shows no detection.
I actually don't have anything in the C:\Documents and Settings\All Users\Application Data\AVAST Software\Avast\arpot, other than an empty TMP sub-folder. So I don't know if that is only populated if it relates to the anti-rootkit protection (arprot, my best guess).
I also have the empty folder you describe. The folder I have the arpot log in though is C:\Documents and Settings\All Users\Application Data\AVAST Software\Avast\log (i.e. same place as aswAr log)
The problem being in order for Rapport to do its work it will want to stay hidden and that is similar in tactics of certain malware/rootkits. In that case there is always going to be an element of 'suspicion' when avast's anti-rootkit scan is looking for that type of activity.
Yes - that makes sense - thanks
It, the Rapport issue, isn't actually reported in the Behavior Shield statistics as that is recording activity and not specific files, so you can't match that up. The Behavior Shield doesn't show and/or isn't looking for rootkit activity in the way the specific scan is. Your example (ii) is correct in only showing instances where the behavior shield intervened and made a decision to allow the AOL service manager to modify the registry.
This is the bit that still puzzles me. The behaviour shield makes that decision on the AOL service manager every day (it would have helped if I'd posted more of the log originally - see below) - however this is the only time it has ever recorded a red suspicious event rather than an orange analysed event - so something different happened yesterday
* avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Friday, March 04, 2011 3:22:10 PM
*
04/03/2011 15:29:58 Modification of: \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\IPHSend
By: C:\Program Files\Common Files\AOL\1171120604\ee\AOLSvcMgr.dll
Via: C:\Program Files\Common Files\AOL\1171120604\ee\AOLSoftware.exe
-> Action allowed
*
* avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Friday, March 04, 2011 5:01:46 PM
*
04/03/2011 17:09:04 Modification of: \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\IPHSend
By: C:\Program Files\Common Files\AOL\1171120604\ee\AOLSvcMgr.dll
Via: C:\Program Files\Common Files\AOL\1171120604\ee\AOLSoftware.exe
-> Action allowed
*
* avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Saturday, March 05, 2011 4:07:18 PM
*
05/03/2011 16:15:31 Modification of: \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\IPHSend
By: C:\Program Files\Common Files\AOL\1171120604\ee\AOLSvcMgr.dll
Via: C:\Program Files\Common Files\AOL\1171120604\ee\AOLSoftware.exe
-> Action allowed
*
* avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Saturday, April 09, 2011 10:19:52 AM
*
09/04/2011 10:27:55 Modification of: \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\IPHSend
By: C:\Program Files\Common Files\AOL\1171120604\ee\AOLSvcMgr.dll
Via: C:\Program Files\Common Files\AOL\1171120604\ee\AOLSoftware.exe
-> Action allowed
*
* avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Saturday, April 09, 2011 11:35:29 AM
*
09/04/2011 17:25:29 Modification of: \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\IPHSend
By: C:\Program Files\Common Files\AOL\1171120604\ee\AOLSvcMgr.dll
Via: C:\Program Files\Common Files\AOL\1171120604\ee\AOLSoftware.exe
-> Action allowed
*
* avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Sunday, April 10, 2011 4:07:01 PM
*
10/04/2011 16:14:26 Modification of: \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\IPHSend
By: C:\Program Files\Common Files\AOL\1171120604\ee\AOLSvcMgr.dll
Via: C:\Program Files\Common Files\AOL\1171120604\ee\AOLSoftware.exe
-> Action allowed
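
An added example, not part of the original post and not Avast's own tooling: a Python sketch that parses report entries in the format quoted above and flags any entry whose By/Via/action differs from the usual one for the same registry key, which is one way to check whether "something different" was logged. The first two sample entries are copied from the post; the third is constructed, with placeholder paths.

```python
import re
from collections import Counter

# Entries 1-2 are copied from the post; entry 3 is CONSTRUCTED (placeholder
# paths) to show what a deviation from the daily pattern would look like.
SAMPLE = r"""
04/03/2011 15:29:58 Modification of: \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\IPHSend
By: C:\Program Files\Common Files\AOL\1171120604\ee\AOLSvcMgr.dll
Via: C:\Program Files\Common Files\AOL\1171120604\ee\AOLSoftware.exe
-> Action allowed
*
10/04/2011 16:14:26 Modification of: \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\IPHSend
By: C:\Program Files\Common Files\AOL\1171120604\ee\AOLSvcMgr.dll
Via: C:\Program Files\Common Files\AOL\1171120604\ee\AOLSoftware.exe
-> Action allowed
*
11/04/2011 09:00:00 Modification of: \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\IPHSend
By: C:\EXAMPLE\placeholder.dll
Via: C:\EXAMPLE\placeholder.exe
-> Action allowed
"""

# One entry = timestamped "Modification of:" line, then By:, Via:, "-> action".
ENTRY = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) Modification of: (?P<key>.+)\n"
    r"By: (?P<by>.+)\n"
    r"Via: (?P<via>.+)\n"
    r"-> (?P<action>.+)$",
    re.MULTILINE,
)

def parse_entries(text):
    """Return one dict per logged modification (CRLF normalised first)."""
    return [m.groupdict() for m in ENTRY.finditer(text.replace("\r\n", "\n"))]

def signature(entry):
    # Windows paths are case-insensitive, so compare lower-cased.
    return (entry["by"].lower(), entry["via"].lower(), entry["action"].lower())

def deviations(entries):
    """Entries whose signature differs from the most common one for their key."""
    seen = {}
    for e in entries:
        seen.setdefault(e["key"].lower(), Counter())[signature(e)] += 1
    baseline = {k: c.most_common(1)[0][0] for k, c in seen.items()}
    return [e for e in entries if signature(e) != baseline[e["key"].lower()]]

if __name__ == "__main__":
    for e in deviations(parse_entries(SAMPLE)):
        print(e["ts"], e["key"], "by", e["by"])
```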