C:\windows\system32\taskmon.exe

Maxx this file is empty. Did a check but realised I had deleted the suspicious file so did a reboot and got the suspicious warning back and then checked the spool folder again and it was still empty.

can you post here e.g. last 50 lines of your setup.log file?

maxx here is info. Signing off now it’s late.

12:06:09 nrm/int SYNCER: Type: use IE settings
12:06:09 nrm/int SYNCER: Auth: another authentication, use WinInet
12:06:09 dbg/int while trying to get file ‘servers.def’, error 0x20000004 has occured, try 4
12:06:11 nrm/int ERROR:HttpGetWininet, catch returned 0x00002EFD
12:06:11 nrm/gen InvalidateCurrent: invalidated server ‘Download930 AVAST Server’ from ‘main’
12:06:11 nrm/gen SelectCurrent: selected server ‘Download921 AVAST Server’ from ‘main’
12:06:11 nrm/int SYNCER: Type: use IE settings
12:06:11 nrm/int SYNCER: Auth: another authentication, use WinInet
12:06:11 dbg/int while trying to get file ‘servers.def’, error 0x20000004 has occured, try 5
12:06:13 nrm/int ERROR:HttpGetWininet, catch returned 0x00002EE7
12:06:13 nrm/gen InvalidateCurrent: invalidated server ‘Download921 AVAST Server’ from ‘main’
12:06:13 nrm/gen SelectCurrent: selected server ‘Download655 AVAST Server’ from ‘main’
12:06:13 nrm/int SYNCER: Type: use IE settings
12:06:13 nrm/int SYNCER: Auth: another authentication, use WinInet
12:06:13 dbg/int while trying to get file ‘servers.def’, error 0x20000004 has occured, try 6
12:06:15 nrm/int ERROR:HttpGetWininet, catch returned 0x00002EE7
12:06:15 nrm/gen InvalidateCurrent: invalidated server ‘Download655 AVAST Server’ from ‘main’
12:06:15 nrm/gen SelectCurrent: selected server ‘Download967 AVAST Server’ from ‘main’
12:06:15 nrm/int SYNCER: Type: use IE settings
12:06:15 nrm/int SYNCER: Auth: another authentication, use WinInet
12:06:15 dbg/int while trying to get file ‘servers.def’, error 0x20000004 has occured, try 7
12:06:17 nrm/int ERROR:HttpGetWininet, catch returned 0x00002EE7
12:06:17 nrm/gen InvalidateCurrent: invalidated server ‘Download967 AVAST Server’ from ‘main’
12:06:17 nrm/gen SelectCurrent: selected server ‘Download201 AVAST Server’ from ‘main’
12:06:17 nrm/int SYNCER: Type: use IE settings
12:06:17 nrm/int SYNCER: Auth: another authentication, use WinInet
12:06:17 dbg/int while trying to get file ‘servers.def’, error 0x20000004 has occured, try 8
12:06:19 nrm/int ERROR:HttpGetWininet, catch returned 0x00002EFD
12:06:19 nrm/gen InvalidateCurrent: invalidated server ‘Download201 AVAST Server’ from ‘main’
12:06:19 nrm/gen SelectCurrent: selected server ‘Download961 AVAST Server’ from ‘main’
12:06:19 nrm/int SYNCER: Type: use IE settings
12:06:19 nrm/int SYNCER: Auth: another authentication, use WinInet
12:06:19 dbg/int while trying to get file ‘servers.def’, error 0x20000004 has occured, try 9
12:06:21 nrm/int ERROR:HttpGetWininet, catch returned 0x00002EE7
12:06:21 nrm/gen InvalidateCurrent: invalidated server ‘Download961 AVAST Server’ from ‘main’
12:06:21 nrm/gen SelectCurrent: selected server ‘Download932 AVAST Server’ from ‘main’
12:06:21 nrm/int SYNCER: Type: use IE settings
12:06:21 nrm/int SYNCER: Auth: another authentication, use WinInet
12:06:21 dbg/int while trying to get file ‘servers.def’, error 0x20000004 has occured, try 10
12:06:23 min/int tried 10 servers to get file ‘servers.def’, but failed (0x20000004)
12:06:23 min/fil GetNewerStampedFile:GetFileWithRetry failed: C:\WINDOWS\TEMP_av_proI.tm~a02276\onefile, servers.def, error: 0x20000004
12:06:23 min/pkg Tried to download servers.def but failed with error 0x20000004.
12:06:23 min/pkg LoadAllDefs failed 0x20000004
12:06:23 min/gen Err:Cannot connect to download961.avast.com (unknown:80).
12:06:23 nrm/pkg Transferred: files 22, bytes 0, time 134704 ms
12:06:23 nrm/pkg Retries: total 20, files 2, servers 21
12:06:23 vrb/int Sending stats ‘http://74.54.25.2/cgi-bin/iavs4stats.cgi’: 20000004 0
12:06:23 vrb/fil NeedReboot=false
12:06:28 min/gen Return code: 0x20000004 [Cannot connect to 74.54.25.2 (74.54.25.2:80).]
12:06:28 min/gen Stopped: 03.12.2008, 12:06:28

got it, maybe… tell me what's your VPS version; it seems that you're not able to connect to our servers (maybe some firewall blocks the access)… that's the reason why the file has not been sent to us and analysed… also send your full setup.log (zipped) to forejt[at]avast[dot]com with a link to this topic…
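As an added triage example (not from the thread, and not Avast's own code): a small Python script that parses lines in the setup.log format quoted above, decodes the two WinInet codes that appear there (0x2EE7 = ERROR_INTERNET_NAME_NOT_RESOLVED, 0x2EFD = ERROR_INTERNET_CANNOT_CONNECT, values from wininet.h), and flags the pattern behind the "firewall blocks the access" reading: every mirror tried fails before any HTTP response comes back. The sample log is constructed to mirror the excerpt.

```python
import re
from collections import Counter

# WinInet error codes from wininet.h (well-known values, not taken from the thread).
WININET_ERRORS = {
    0x2EE7: "ERROR_INTERNET_NAME_NOT_RESOLVED (DNS lookup failed)",
    0x2EFD: "ERROR_INTERNET_CANNOT_CONNECT (TCP connect failed)",
}

# Constructed sample modelled on the setup.log excerpt posted in the thread.
SAMPLE_LOG = """\
12:06:09 nrm/int SYNCER: Type: use IE settings
12:06:11 nrm/int ERROR:HttpGetWininet, catch returned 0x00002EFD
12:06:11 nrm/gen InvalidateCurrent: invalidated server 'Download930 AVAST Server' from 'main'
12:06:11 nrm/gen SelectCurrent: selected server 'Download921 AVAST Server' from 'main'
12:06:13 nrm/int ERROR:HttpGetWininet, catch returned 0x00002EE7
12:06:13 nrm/gen InvalidateCurrent: invalidated server 'Download921 AVAST Server' from 'main'
12:06:23 min/int tried 10 servers to get file 'servers.def', but failed (0x20000004)
"""

ERR_RE = re.compile(r"HttpGetWininet, catch returned 0x([0-9A-Fa-f]{8})")
INVAL_RE = re.compile(r"InvalidateCurrent: invalidated server ['\u2018](\S+) ")


def summarize(log_text):
    """Return (decoded error counts, invalidated mirrors, local-network verdict)."""
    codes = Counter()
    invalidated = []
    for line in log_text.splitlines():
        m = ERR_RE.search(line)
        if m:
            codes[int(m.group(1), 16)] += 1
            continue
        m = INVAL_RE.search(line)
        if m:
            invalidated.append(m.group(1))
    decoded = {WININET_ERRORS.get(c, f"unknown 0x{c:04X}"): n for c, n in codes.items()}
    # One transport-level failure per mirror, across several different mirrors,
    # points at the local network path (firewall, proxy, DNS), not at one bad server.
    local_network_issue = len(invalidated) >= 2 and sum(codes.values()) == len(invalidated)
    return decoded, invalidated, local_network_issue


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Run it against a real setup.log by passing the file's text to summarize(); a verdict of True means the next thing to check is the firewall or proxy rules for the updater, not the Avast mirrors.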

Hey paddyc,

I really can’t see anything in that runscanner log that causes Avast’s warning. Let’s try a different scanner this time and see what it can catch.

Please go to Start>Run and type ComboFix /u. You should get a window telling you that ComboFix is uninstalled. Reboot your computer.

1) Run Dr Web Cure It

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
[*]Double-click the drweb-cureit.exe file and Allow to run the express scan
[*]This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
[*]Once the short scan has finished, mark the drives that you want to scan.
[*]Select all drives. A red dot shows which drives have been chosen.
[*]Click the green arrow at the right, and the scan will start.
[*]Click ‘Yes to all’ if it asks if you want to cure/move the file.
[*]When the scan has finished, in the menu, click file and choose save report list
[*]Save the report to your desktop. The report will be called DrWeb.csv
[*]Close Dr.Web Cureit.

2) Run Panda ActiveScan

Please go HERE to run Panda’s ActiveScan
[*]Once you are on the Panda site click the Scan your PC button
[*]A new window will open…click the Check Now button
[*]Enter your Country
[*]Enter your State/Province
[*]Enter your e-mail address and click send
[*]Select either Home User or Company
[*]Click the big Scan Now button
[*]If it wants to install an ActiveX component allow it
[*]It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
[*]When download is complete, click on My Computer to start the scan
[*]When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

Next reply (please include):

Fresh RSIT log (Please re-run RSIT)
Dr WebCureIt log
Panda Activescan log

Maxx, could be because of a proxy server also.

Maxx my VPS is File version 081203-0 dated 3/12/08 so I am receiving them and I see the notifications that it has been updated.

My Firewall is Zone Alarm - Avast update and email scanner have automatic access to internet but everything else has to ask me and I have never been asked.

Will send the setup.log as requested. Should just mention that my original download of Avast had an RPC problem, but an update to 1290 resolved that. However, somewhere along the line, doing the various scans for Ltangelic, Avast stopped appearing in the system tray at start up and could not be found in msconfig. I had to force the icons into the system tray manually. Eventually I did a reinstall and asked for a repair, which sorted everything out. However, the suspicious file warnings had been going on before the problem with the system tray, and they only started after the update to 1290.

Re Eddy’s comment I do not use a proxy. I do have Foxyproxy set up on Firefox but it has been disabled for months.

paddyc: follow these instructions

  1. restart your computer
  2. wait few minutes for the antirootkit dialog to appear
  3. check the “send to alwil” box (you must be sure, that it is checked)
  4. click “ignore”
  5. look to the Program Files\Alwil software\Avast4\DATA\spool folder (and its potential subfolders) immediately
  6. the file should be there (not necessarily under the original name), the folder can’t be empty

Ltangelic

Panda Scan did not give me a report but I copied this

ware/navhelp… Adware
Latent
Hide + Info
1. HKEY_CURRENT_USER\Software\Microsoft\Internet…A06644-BC46-4220-A460-47A6EB47C96D}

It also showed one suspicious file but it was LopSD.exe

Maxx this is what I did on my last post to you but to be sure I did it again and the spool folder contains a suspicious folder but it was empty. There is definitely nothing appearing in that directory.

Ltangelic,

Here is the DrWebCureIt log - found some things but took 7 hours to run!!

regLocal.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Backups;Probably SCRIPT.Virus;;
stream004\strmserver.exe.184BCE29_589D_4695_8887_63F4C08E3857;C:\Documents and Settings\Paddy\Local Settings\Application Data\Downloaded Installations{D9F82F04-BB9A-4E88-A34E-93BB52DE3F37};Probably DLOADER.Trojan;;
stream004;C:\Documents and Settings\Paddy\Local Settings\Application Data\Downloaded Installations{D9F82F04-BB9A-4E88-A34E-93BB52DE3F37};Archive contains infected objects;;
Pinnacle DistanTV Server.msi;C:\Documents and Settings\Paddy\Local Settings\Application Data\Downloaded Installations{D9F82F04-BB9A-4E88-A34E-93BB52DE3F37};Archive contains infected objects;Moved.;
Silent Runners.vbs;C:\Documents and Settings\Paddy\Desktop;Probably BATCH.Virus;;
mbam.exe;C:\Program Files\Malwarebytes’ Anti-Malware;Probably BACKDOOR.Trojan;;
stream004\strmserver.exe.184BCE29_589D_4695_8887_63F4C08E3857;C:\System Volume Information_restore{B1AF6306-70F0-4416-91D0-2A49F3B95B86}\RP1\A0000014.msi\stream004;Probably DLOADER.Trojan;;
stream004;C:\System Volume Information_restore{B1AF6306-70F0-4416-91D0-2A49F3B95B86}\RP1\A0000014.msi;Archive contains infected objects;;
A0000014.msi;C:\System Volume Information_restore{B1AF6306-70F0-4416-91D0-2A49F3B95B86}\RP1;Archive contains infected objects;Moved.;

Ltangelic

Here is the RSIT log part 1

RSIT Log Part2

RSIT Log Part3

RSIT Log Part 4

RSIT Log Part 5

have you ever used Kaspersky? how about the klif.sys file? in cases when Kaspersky was never present on the system, this file can't be present (it belongs to Kavo malware in these cases)…

Maxx

Ltangelic asked me to run Kaspersky online and it did pick up some virus - so I guess this file came from that operation?

paddyc: a good idea (mentioned by Eddy, I guess) is to run a repair console from the OS installation CD (or some Linux distro with an NTFS driver) and look for the file in "offline" mode… but if you're not experienced in using the repair console (and "old" DOS commands) it would be a risk to try something…

Maxx I will try anything once…but I do have a couple of questions before we get there.

Is it possible that I have a corrupt copy of Avast and perhaps it is seeing something that is not there? Remember that I had RPC problems that would not go away after the initial set up, which were resolved by the update, but then the update started my problem off. Would an uninstall and reinstall perhaps be an option? I know that along the way we have found some viruses, but none that have appeared to be dangerous or active.

Second point is that I note that some of what has been found refers back to Pinnacle. I have had a number of problems over the years with Pinnacle. The original copy of my computer software had some CD software by Pinnacle which got lost somewhere along the line. A reinstall from the reload disc brought it back up, but it got lost along the way again. Later I bought a TV Pro Hybrid stick with Pinnacle software which worked fine, but a couple of months back I tried to do an uninstall which went wrong and did not seem to clear out all the files it should have. I then uploaded new software from Pinnacle which seemed to be working fine. Later, when I was having all these problems, I noticed that streamserve seemed to be in constant use, so I decided to uninstall all the Pinnacle software. I note that Dr.Web picked up Pinnacle DistanTV as a possible virus, but its main objective is to allow TV to be streamed to another computer such as a laptop.

Short version - is it possible that what is being picked up is some orphan files that were not properly cleared down by the Pinnacle uninstalls?

I am really stretching now ???