paddyc: a fully working installation of avast should work as expected - accumulate the suspicious files in the spool folder (mentioned above) until they are sent to us (during the VPS update)… i don’t know if the fresh install can make any difference, but you can give it a try…
Maxx
Did the reinstall of Avast but the suspicious file is still showing. Did an ignore and checked the spool files again but it was still showing empty.
how about checking the consistency of your filesystem? try to right-click the C drive icon, select properties → tools → error checking → check now (and select automatic repair of found problems)… it will do the validation of MFT and some more checking (it can take more than a moment, so be patient)…
Ok Maxx, did that and it came up clean
I am thinking about trying to figure this thing out in reverse. We know that Taskmon.exe is the creation but it does not appear to be visible so is it hiding within something else? What viruses will cause this to happen? Are there some specific files or folders that the virus would lurk in? Can you give me a list that I can manually check and if I identify anything I will run it through virus scan before advising you.
Remember I am not a computer expert just someone trying to think logically
Re your thoughts on the recovery console, I will give this a try if you give me specific instructions what to do. I am old enough to remember some of the DOS commands and I still have a DOS manual somewhere…??
Ltangelic,
When Dr WebCureIt says that it will move a folder does that mean delete? If not do I still have stuff that I need to kill off? I am still getting the suspicious file warning.
Hey paddyc,
Sorry for the delay. I’m going off for a year as of today due to important examinations. I have asked essexboy, another expert to take over me from now on, hope you don’t mind. Apologies for the sudden leave.
To answer your last question, if it says it will move a folder, it means literally moving it to a quarantined folder created by DrWeb. Please allow Dr Web to move the following:
stream004\strmserver.exe.184BCE29_589D_4695_8887_63F4C08E3857;C:\Documents and Settings\Paddy\Local Settings\Application Data\Downloaded Installations\{D9F82F04-BB9A-4E88-A34E-93BB52DE3F37};Probably DLOADER.Trojan;;
stream004;C:\Documents and Settings\Paddy\Local Settings\Application Data\Downloaded Installations\{D9F82F04-BB9A-4E88-A34E-93BB52DE3F37};Archive contains infected objects;;
stream004\strmserver.exe.184BCE29_589D_4695_8887_63F4C08E3857;C:\System Volume Information\_restore{B1AF6306-70F0-4416-91D0-2A49F3B95B86}\RP1\A0000014.msi\stream004;Probably DLOADER.Trojan;;
stream004;C:\System Volume Information\_restore{B1AF6306-70F0-4416-91D0-2A49F3B95B86}\RP1\A0000014.msi;Archive contains infected objects;;
A0000014.msi;C:\System Volume Information\_restore{B1AF6306-70F0-4416-91D0-2A49F3B95B86}\RP1;Archive contains infected objects;Moved.;
The rest are all legit items that can be left alone. Good luck, and hope you get your problem resolved soon!
Regards,
LT
Ltangelic,
Thank you for all your help! I hope the examinations go well for you - sometimes we need to concentrate on the important things in life.
Hi Paddy having just come in and not having read all the thread yet what is your current status ?
Hi Essexboy,
Have run every type of malware and rootkit detective and although we have found the odd virus we have not yet cracked what appears to make this taskmon file replicate itself. It is still doing it and Avast is still calling out the warning, but oddly it is not sending a copy back to the virus lab via spooler and vtp.
Would tend to agree there paddy, there are maybe two tools not yet used but I do not feel that they would add anything. A question though (and I may have missed you doing this): when you start and Avast has alarmed, select ignore. Then see if the process is running in Task Manager; if it is, right click and select properties. Let me know what it says. If it does not appear in Task Manager then we might use sysinternals to take a look, but that can wait
Essexboy
Have done that and there is nothing running in the Task Manager for taskmon. Just a question for you - I did try right clicking on some other processes and no properties options came up. Do I have a problem with task manager?
I should mention that I had 2 processes running called Mxtask which should be associated with Vcom Fix It but this is supposed to be for the automatic update which I have disabled - so raises the question as to why there are 2 processes running.
Maxx
Re the above I have just noticed error messages in the Avast error log which may refer to this problem.
06/12/2008 13:53:30 SYSTEM 1696 Internal error has occurred in module basEncodeFileToSubmit failed! , function 00000002.
06/12/2008 19:47:34 SYSTEM 1904 Internal error has occurred in module basEncodeFileToSubmit failed! , function 00000002.
08/12/2008 09:56:08 SYSTEM 1664 Internal error has occurred in module basEncodeFileToSubmit failed! , function 00000002.
it means “avast failed to create the suspicious file entry in spool”… i have no idea what can cause this type of errors :-\
Maxx,
Something else to think about. The taskmon.exe was reported again this morning and ignored by me. Now this is supposed to be a rootkit hidden process but the rootkit log for avast reports as follows: -
Scan finished: 09 December 2008 10:36:45
Hidden files found: 0
Hidden registry items found: 0
Hidden processes found: 0
Hidden services found: 0
Hidden boot sectors found: 0
The error log reports the following: -
09/12/2008 11:16:36 1228788996 SYSTEM 1664 Internal error has occurred in module basEncodeFileToSubmit failed! , function 00000002.
Seems to me that Avast is giving a warning for something it did not find and is trying to send a file that does not exist.
Is this something that the Avast programmers need to take a look at?
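An added example (not from this thread and not Avast's own code): it parses the two logs paddyc quotes above, the error log with its repeated basEncodeFileToSubmit failures (one entry carrying an extra epoch-seconds field) and the anti-rootkit summary, and flags the combination he describes, failed submissions with nothing hidden on the system. The log lines are embedded as constructed samples copied from the thread; the field names are assumptions.

```python
import re
from datetime import datetime

# Constructed sample: the four Avast error-log lines quoted in this thread (the
# 09/12 entry carries an extra epoch-seconds field the others lack).
AVAST_ERROR_LOG = """\
06/12/2008 13:53:30 SYSTEM 1696 Internal error has occurred in module basEncodeFileToSubmit failed! , function 00000002.
06/12/2008 19:47:34 SYSTEM 1904 Internal error has occurred in module basEncodeFileToSubmit failed! , function 00000002.
08/12/2008 09:56:08 SYSTEM 1664 Internal error has occurred in module basEncodeFileToSubmit failed! , function 00000002.
09/12/2008 11:16:36 1228788996 SYSTEM 1664 Internal error has occurred in module basEncodeFileToSubmit failed! , function 00000002.
"""
# Constructed sample: the anti-rootkit summary quoted in the thread.
ROOTKIT_SCAN = """\
Scan finished: 09 December 2008 10:36:45
Hidden files found: 0
Hidden registry items found: 0
Hidden processes found: 0
Hidden services found: 0
Hidden boot sectors found: 0
"""
# Dates are day/month/year as in the thread; the epoch field is optional.
ERROR_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) (?:\d+ )?"
    r"(?P<account>\S+) (?P<pid>\d+) Internal error has occurred in module "
    r"(?P<module>\S+) failed! , function (?P<func>[0-9A-Fa-f]+)\.$"
)

def parse_error_log(text):
    """One dict per recognised line; unrelated lines are skipped, not errors."""
    events = []
    for line in text.splitlines():
        m = ERROR_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{m['date']} {m['time']}", "%d/%m/%Y %H:%M:%S")
            events.append({"ts": ts, "pid": int(m["pid"]),
                           "module": m["module"], "func": m["func"]})
    return events

def parse_rootkit_summary(text):
    """Map each 'Hidden ... found: N' line to its integer count."""
    return {m.group(1): int(m.group(2))
            for m in (re.match(r"^Hidden (.+) found: (\d+)$", l.strip())
                      for l in text.splitlines()) if m}

def phantom_indicator(events, rootkit_counts):
    """True when submissions keep failing while the anti-rootkit scan found
    nothing hidden: the pattern in this thread, which points at a detection
    whose on-disk object cannot be read rather than at a concealed process."""
    failures = sum(1 for e in events if e["module"] == "basEncodeFileToSubmit")
    return failures > 0 and all(v == 0 for v in rootkit_counts.values())
```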
It does seem to be a phantom. Not all running programmes/processes will have a properties tab
The two processes for Mxtask may be background services as I know that Acronis does that even if I disable it on startup
let’s try another thing… download EICAR test file and scan it… select “report as false positive” in the dialog, fill in some info and confirm the sending… look to the spool folder - is there anything? how about the setup.log and error log? same error? in case of no error delete the file from spool (you will have to disable self-defense temporarily to do that)…
Maxx did that and the file was picked up immediately by Avast. Reported it as false positive and there is a file in suspic folder within the spooler folder. There was no error log message and the set up log was unchanged from early this morning when the vps update was done.
So Avast is doing its job except in the case of taskmon.exe - because there is no file for it to latch onto ???
Should I delete the Eicar File?
yes, delete it please to avoid its sending as a false positive… so the file picking works fine for “normal” files… in my opinion it is impossible to detect a non-existent file on a healthy filesystem, one way to check what’s going on is the lookup from other machine (or from the OS cd)…
Maxx, Something strange - I accessed the spool folder and identified that there was a file, I then sent you my message confirming the file in the spooler and yet when I went back to the spooler to delete the file there was nothing there! I did ensure that I switched off the self defense but nothing was showing. The set up log does not show any activity past 10:30 this morning and it is now 19:48 so the file should not have been sent to Avast. Where could it have gone?
I can attach my laptop to the same network with all files shared on both computers - is this what you mean by a lookup from another machine?
nope… i meant attaching the HDD to another PC or looking onto it from some CD with NTFS driver…
are you sure there was no attempt to update VPS meanwhile? in that case the file would be sent and removed from spool…