Re: Command Helper
Yes, I think it was a good test.
Unfortunately I have been unable to locate the [4]-submit.... file you mentioned. It did not appear on the desktop. I could not find it with the yellow Windows search dog, nor could I find any files with the strings "submit" or ".zip" in the file name that resembled the one that was supposed to be output by ComboFix.
I did run a system scan after Avira updated, though I didn't do much toggling with the drives it was supposed to scan. It took about 10 minutes. The HijackThis log I last posted was produced after the Avira scan. Here is the log file from Avira:
Avira AntiVir Personal
Report file date: Friday, June 20, 2008 14:51
Scanning for 1349608 virus strains and unwanted programs.
Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: FRANKCOMPUTER
Version information:
BUILD.DAT : 8.1.00.295 16479 Bytes 4/9/2008 16:24:00
AVSCAN.EXE : 8.1.2.12 311553 Bytes 3/18/2008 15:02:56
AVSCAN.DLL : 8.1.1.0 53505 Bytes 2/7/2008 14:43:37
LUKE.DLL : 8.1.2.9 151809 Bytes 2/28/2008 14:41:23
LUKERES.DLL : 8.1.2.1 12033 Bytes 2/21/2008 14:28:40
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 7/18/2007 16:33:34
ANTIVIR1.VDF : 7.0.3.2 5447168 Bytes 3/7/2008 19:08:58
ANTIVIR2.VDF : 7.0.4.195 2546176 Bytes 6/14/2008 18:24:48
ANTIVIR3.VDF : 7.0.4.232 250880 Bytes 6/20/2008 18:24:48
Engineversion : 8.1.0.59
AEVDF.DLL : 8.1.0.5 102772 Bytes 2/25/2008 15:58:21
AESCRIPT.DLL : 8.1.0.44 278907 Bytes 6/20/2008 18:25:23
AESCN.DLL : 8.1.0.22 119157 Bytes 6/20/2008 18:25:22
AERDL.DLL : 8.1.0.20 418165 Bytes 6/20/2008 18:25:19
AEPACK.DLL : 8.1.1.6 364918 Bytes 6/20/2008 18:25:15
AEOFFICE.DLL : 8.1.0.20 192891 Bytes 6/20/2008 18:25:10
AEHEUR.DLL : 8.1.0.32 1274231 Bytes 6/20/2008 18:25:09
AEHELP.DLL : 8.1.0.15 115063 Bytes 6/20/2008 18:25:04
AEGEN.DLL : 8.1.0.29 307573 Bytes 6/20/2008 18:25:03
AEEMU.DLL : 8.1.0.6 430451 Bytes 6/20/2008 18:24:57
AECORE.DLL : 8.1.0.31 168310 Bytes 6/20/2008 18:24:50
AVWINLL.DLL : 1.0.0.7 14593 Bytes 1/23/2008 23:07:53
AVPREF.DLL : 8.0.0.1 25857 Bytes 2/18/2008 16:37:50
AVREP.DLL : 7.0.0.1 155688 Bytes 4/16/2007 19:26:47
AVREG.DLL : 8.0.0.0 30977 Bytes 1/23/2008 23:07:49
AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 14:29:23
AVEVTLOG.DLL : 8.0.0.11 114945 Bytes 2/28/2008 14:31:31
SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/22/2008 23:28:02
SMTPLIB.DLL : 1.2.0.19 28929 Bytes 1/23/2008 23:08:39
NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 18:05:10
RCIMAGE.DLL : 8.0.0.35 2371841 Bytes 3/10/2008 20:37:25
RCTEXT.DLL : 8.0.32.0 86273 Bytes 3/6/2008 18:02:11
Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium
Start of the scan: Friday, June 20, 2008 14:51
The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'tvtpwm_tray.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'DLG.exe' - '1' Module(s) have been scanned
Scan process 'LinksysAgent.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'Dot1XCfg.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'reader_sl.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'cssauth.exe' - '1' Module(s) have been scanned
Scan process 'ACWLIcon.exe' - '1' Module(s) have been scanned
Scan process 'ACTray.exe' - '1' Module(s) have been scanned
Scan process 'Amsg.exe' - '1' Module(s) have been scanned
Scan process 'LPMGR.EXE' - '1' Module(s) have been scanned
Scan process 'AwaySch.EXE' - '1' Module(s) have been scanned
Scan process 'issch.exe' - '1' Module(s) have been scanned
Scan process 'TpScrex.exe' - '1' Module(s) have been scanned
Scan process 'TPONSCR.exe' - '1' Module(s) have been scanned
Scan process 'DLACTRLW.EXE' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'scheduler_proxy.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'smax4pnp.exe' - '1' Module(s) have been scanned
Scan process 'EZEJMNAP.EXE' - '1' Module(s) have been scanned
Scan process 'TpShocks.exe' - '1' Module(s) have been scanned
Scan process 'TPOSDSVC.exe' - '1' Module(s) have been scanned
Scan process 'tpfnf7sp.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'SynTPEnh.exe' - '1' Module(s) have been scanned
Scan process 'SynTPLpr.exe' - '1' Module(s) have been scanned
Scan process 'DkIcon.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'SvcGuiHlpr.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'logmon.exe' - '1' Module(s) have been scanned
Scan process 'AcSvc.exe' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'IUService.exe' - '1' Module(s) have been scanned
Scan process 'tvtsched.exe' - '1' Module(s) have been scanned
Scan process 'rrservice.exe' - '1' Module(s) have been scanned
Scan process 'rrpservice.exe' - '1' Module(s) have been scanned
Scan process 'tvttcsd.exe' - '1' Module(s) have been scanned
Scan process 'TPHDEXLG.exe' - '1' Module(s) have been scanned
Scan process 'tvt_reg_monitor_svc.exe' - '1' Module(s) have been scanned
Scan process 'SUService.exe' - '1' Module(s) have been scanned
Scan process 'RegSrvc.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'sqlservr.exe' - '1' Module(s) have been scanned
Scan process 'iviRegMgr.exe' - '1' Module(s) have been scanned
Scan process 'EvtEng.exe' - '1' Module(s) have been scanned
Scan process 'DkService.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'AcPrfMgrSvc.exe' - '1' Module(s) have been scanned
Scan process 'IPSSVC.EXE' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'S24EvMon.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ibmpmsvc.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
73 processes with 73 modules were scanned
Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Starting to scan the registry.
The registry was scanned ( '53' files ).
Starting the file scan:
Begin scan in 'C:\' <Preload>
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Deckard\System Scanner\20080612212159\backup\DOCUME~1\FRANKP~1\LOCALS~1\Temp\cvgmwfei.dll
[DETECTION] Is the Trojan horse TR/PCK.Monder.95232
[NOTE] The file was moved to '48c2fcce.qua'!
C:\Deckard\System Scanner\20080612212159\backup\DOCUME~1\FRANKP~1\LOCALS~1\Temp\kuiojdvb.dll
[DETECTION] Is the Trojan horse TR/PCK.Monder.108544
[NOTE] The file was moved to '48c4fccf.qua'!
C:\Deckard\System Scanner\20080612212159\backup\DOCUME~1\FRANKP~1\LOCALS~1\Temp\rcmfrfpj.dll
[DETECTION] Is the Trojan horse TR/Monder.107008
[NOTE] The file was moved to '48c8fcc0.qua'!
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CommandService5.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
[NOTE] The fund was classified as suspicious.
[NOTE] The file was moved to '48c8fd07.qua'!
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinSmallazl.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
[NOTE] The fund was classified as suspicious.
[NOTE] The file was moved to '48c9fd03.qua'!
C:\Documents and Settings\Frank Palmer\Desktop\[4]-Submit_2008-06-20@13.47.zip
[0] Archive type: ZIP
--> {7a345cd8-0458-ae6a-56ff-b7ea52710c6f}.dll
[DETECTION] Is the Trojan horse TR/Downloader.Gen
--> scntpkdm.exe
[DETECTION] Is the Trojan horse TR/Downloader.Gen
[NOTE] The file was moved to '48b8fcf4.qua'!
C:\Program Files\Panda Security\ActiveScan 2.0\pskavs.dll
[DETECTION] Contains detection pattern of the Windows virus W95/Blumblebee.1738
[NOTE] The file was moved to '48c7014c.qua'!
C:\QooBox\Quarantine\C\WINDOWS\RnJhbmsgUGFsbWVy\command.exe.vir
[DETECTION] Is the Trojan horse TR/Spy.Banbra.df.199
[NOTE] The file was moved to '48c901a9.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\bngfltfw.dll.vir
[DETECTION] Is the Trojan horse TR/Monder.103936.1
[NOTE] The file was moved to '48c301a9.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\g36.exe.vir
[DETECTION] Contains detection pattern of the dropper DR/Agent.byy
[NOTE] The file was moved to '4892016f.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\gmbkfjwd.exe.vir
[DETECTION] Is the Trojan horse TR/Lowzones.SG
[NOTE] The file was moved to '48be01a9.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\ltlsdunj.dll.vir
[DETECTION] Is the Trojan horse TR/Monder.101376.1
[NOTE] The file was moved to '48c801b0.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\luvoiund.dll.vir
[DETECTION] Is the Trojan horse TR/Vundo.EON
[NOTE] The file was moved to '48d201b2.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\quddsseu.dll.vir
[DETECTION] Is the Trojan horse TR/Monder.104448
[NOTE] The file was moved to '48c001b2.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\ricsyxme.dll.vir
[DETECTION] Is the Trojan horse TR/Monder.93696.4
[NOTE] The file was moved to '48bf01a7.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\svfjtifg.dll.vir
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was moved to '48c201b4.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\uacvtpwo.exe.vir
[DETECTION] Is the Trojan horse TR/Lowzones.SG
[NOTE] The file was moved to '48bf01a0.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\xlftustb.dll.vir
[DETECTION] Is the Trojan horse TR/Monder.103424.1
[NOTE] The file was moved to '48c201ab.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\kmixerr.sys.zip
[0] Archive type: ZIP
--> kmixerr.sys
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
[NOTE] The file was moved to '48c501ad.qua'!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP109\A0020001.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[NOTE] The file was moved to '488c020f.qua'!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP109\A0020013.vbs
[DETECTION] Is the Trojan horse TR/Small.WY
[NOTE] The file was moved to '488c0210.qua'!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP109\A0020015.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[NOTE] The file was moved to '49087d39.qua'!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP109\A0020017.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was moved to '488c0212.qua'!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP109\A0021159.dll
[DETECTION] Is the Trojan horse TR/PCK.Monder.96256.1
[NOTE] The file was moved to '488c0217.qua'!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP109\A0021161.dll
[DETECTION] Is the Trojan horse TR/Monder.107008
[NOTE] The file was moved to '49087d30.qua'!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP109\A0021162.dll
[DETECTION] Is the Trojan horse TR/PCK.Monder.107008
[NOTE] The file was moved to '488c0218.qua'!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP109\A0021163.dll
[DETECTION] Is the Trojan horse TR/PCK.Monder.105472
[NOTE] The file was moved to '49087d31.qua'!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP109\A0021175.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was moved to '488c0219.qua'!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP111\A0022244.dll
[DETECTION] Is the Trojan horse TR/Agent.37888
[NOTE] The file was moved to '488c021d.qua'!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP114\A0022397.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was moved to '488c0224.qua'!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP114\A0022398.dll
[DETECTION] Is the Trojan horse TR/Monder.95746
[NOTE] The file was moved to '49087d0d.qua'!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP114\A0022400.dll
[DETECTION] Is the Trojan horse TR/Monder.93696.2
[NOTE] The file was moved to '488c0225.qua'!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP116\A0023476.dll
[DETECTION] Is the Trojan horse TR/Monder.103936.1
[NOTE] The file was moved to '488c022a.qua'!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP116\A0023477.exe
[DETECTION] Is the Trojan horse TR/Lowzones.SG
[NOTE] The file was moved to '49087d03.qua'!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP116\A0023478.dll
[DETECTION] Is the Trojan horse TR/Monder.101376.1
[NOTE] The file was moved to '488c022c.qua'!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP116\A0023479.dll
[DETECTION] Is the Trojan horse TR/Vundo.EON
[NOTE] The file was moved to '49087d05.qua'!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP116\A0023481.dll
[DETECTION] Is the Trojan horse TR/Monder.104448
[NOTE] The file was moved to '488c022b.qua'!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP116\A0023482.dll
[DETECTION] Is the Trojan horse TR/Monder.93696.4
[NOTE] The file was moved to '49087d04.qua'!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP116\A0023483.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was moved to '488c022d.qua'!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP116\A0023484.exe
[DETECTION] Is the Trojan horse TR/Lowzones.SG
[NOTE] The file was moved to '488c022e.qua'!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP116\A0023485.dll
[DETECTION] Is the Trojan horse TR/Monder.103424.1
[NOTE] The file was moved to '49087d07.qua'!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP116\A0023494.exe
[DETECTION] Is the Trojan horse TR/Spy.Banbra.df.199
[NOTE] The file was moved to '49087d06.qua'!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP117\A0024603.dll
[DETECTION] Is the Trojan horse TR/Downloader.Gen
[NOTE] The file was moved to '488c0230.qua'!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP119\A0024794.dll
[DETECTION] Is the Trojan horse TR/Downloader.Gen
[NOTE] The file was moved to '488c0238.qua'!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP119\A0024796.exe
[DETECTION] Is the Trojan horse TR/Downloader.Gen
[NOTE] The file was moved to '49087d11.qua'!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP119\A0024800.exe
[DETECTION] Contains detection pattern of the dropper DR/Agent.byy
[NOTE] The file was moved to '488c0239.qua'!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP121\A0024853.dll
[DETECTION] Is the Trojan horse TR/PCK.Monder.95232
[NOTE] The file was moved to '488c023d.qua'!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP121\A0024854.dll
[DETECTION] Is the Trojan horse TR/PCK.Monder.108544
[NOTE] The file was moved to '49087d16.qua'!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP121\A0024855.dll
[DETECTION] Is the Trojan horse TR/Monder.107008
[NOTE] The file was moved to '488c023e.qua'!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP121\A0024856.dll
[DETECTION] Contains detection pattern of the Windows virus W95/Blumblebee.1738
[NOTE] The file was moved to '49087d17.qua'!
C:\WINDOWS\system32\iTmp\vba35gui.exe
[DETECTION] Is the Trojan horse TR/Dldr.CWS.gen.2
[NOTE] The file was moved to '48bd03d1.qua'!
C:\WINDOWS\system32\slNew\gpedire1.exe
[DETECTION] Is the Trojan horse TR/Agent.126976
[NOTE] The file was moved to '48c103e5.qua'!
C:\WINDOWS\system32\xcsDd18\xcsDd182328.exe
[DETECTION] Is the Trojan horse TR/Dldr.VB.dht.3
[NOTE] The file was moved to '48cf03dd.qua'!
End of the scan: Friday, June 20, 2008 15:22
Used time: 31:35 min
The scan has been done completely.
11797 Scanning directories
390853 Files were scanned
52 viruses and/or unwanted programs were found
2 Files were classified as suspicious:
0 files were deleted
0 files were repaired
53 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
390801 Files not concerned
9001 Archives were scanned
2 Warnings
53 Notes
The computer seems to be a lot faster now. Starting it up doesn't take as long and Explorer is no longer spawning advertisements. It seems to be recovering.
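Editor's note on the report above: of the 53 files Avira moved to quarantine, almost all were copies that earlier tools had already taken out of play. They sat in ComboFix's C:\QooBox\Quarantine folder, Deckard's System Scanner backup, Spybot's Recovery folder, or in System Restore points under C:\System Volume Information. Only the three files under C:\WINDOWS\system32\ (iTmp\vba35gui.exe, slNew\gpedire1.exe and xcsDd18\xcsDd182328.exe) were still live on the disk. The report also answers the question about the missing submission file: Avira found two TR/Downloader.Gen members inside C:\Documents and Settings\Frank Palmer\Desktop\[4]-Submit_2008-06-20@13.47.zip and moved the whole archive to quarantine as 48b8fcf4.qua, which is why it was no longer on the desktop. The script below is an added example, not part of the original post and not Avira's code; it parses a report in this format and sorts each detection by where the file was sitting. The category names and the path rules that define them are this example's own assumptions about those tools' folders, and the sample lines are constructed from the report above.

```python
"""Sort Avira AntiVir report detections by where the detected file lived.

Added example for the report quoted above; it is not Avira's code. The
category names and path fragments below are this example's own assumptions
about the folders used by ComboFix (QooBox), Deckard's System Scanner,
Spybot's Recovery folder and Windows System Restore.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# Line shapes that appear in the report.
PATH_RE = re.compile(r"^[A-Za-z]:\\")
DETECTION_RE = re.compile(r"^\[DETECTION\] .*\s(\S+)$")   # signature is the last token
MEMBER_RE = re.compile(r"^--> (.+)$")                        # entry inside an archive
QUARANTINE_RE = re.compile(r"^\[NOTE\] The file was moved to '([^']+)'")
WARNING_RE = re.compile(r"^\[WARNING\] (.+)$")

# (category, lower-cased path fragment), first match wins; anything else is "live".
LOCATION_RULES = (
    ("combofix-quarantine", r"c:\qoobox\quarantine"),
    ("dss-backup", r"c:\deckard\system scanner"),
    ("spybot-recovery", r"\spybot - search & destroy\recovery"),
    ("restore-point", r"c:\system volume information\_restore"),
    ("submission-archive", r"\desktop\[4]-submit"),
)

# Constructed sample: a handful of records copied from the report above.
SAMPLE_LOG = r"""
C:\Deckard\System Scanner\20080612212159\backup\DOCUME~1\FRANKP~1\LOCALS~1\Temp\cvgmwfei.dll
[DETECTION] Is the Trojan horse TR/PCK.Monder.95232
[NOTE] The file was moved to '48c2fcce.qua'!
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CommandService5.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
[NOTE] The fund was classified as suspicious.
[NOTE] The file was moved to '48c8fd07.qua'!
C:\Documents and Settings\Frank Palmer\Desktop\[4]-Submit_2008-06-20@13.47.zip
[0] Archive type: ZIP
--> {7a345cd8-0458-ae6a-56ff-b7ea52710c6f}.dll
[DETECTION] Is the Trojan horse TR/Downloader.Gen
--> scntpkdm.exe
[DETECTION] Is the Trojan horse TR/Downloader.Gen
[NOTE] The file was moved to '48b8fcf4.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\luvoiund.dll.vir
[DETECTION] Is the Trojan horse TR/Vundo.EON
[NOTE] The file was moved to '48d201b2.qua'!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP116\A0023494.exe
[DETECTION] Is the Trojan horse TR/Spy.Banbra.df.199
[NOTE] The file was moved to '49087d06.qua'!
C:\WINDOWS\system32\iTmp\vba35gui.exe
[DETECTION] Is the Trojan horse TR/Dldr.CWS.gen.2
[NOTE] The file was moved to '48bd03d1.qua'!
C:\hiberfil.sys
[WARNING] The file could not be opened!
"""


@dataclass
class Finding:
    path: str
    category: str
    detections: list = field(default_factory=list)  # (archive member or None, signature)
    quarantine_file: str = None
    warning: str = None

    @property
    def is_live(self):
        """True only for detections outside any quarantine/backup/restore folder."""
        return self.category == "live" and bool(self.detections)


def classify(path):
    """Map a scanned path to the folder family it was found in."""
    lowered = path.lower()
    for category, fragment in LOCATION_RULES:
        if fragment in lowered:
            return category
    return "live"


def parse_avira_report(text):
    """Group the report's path / --> / [DETECTION] / [NOTE] lines into Findings."""
    findings, current, member = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if PATH_RE.match(line):
            current = Finding(path=line, category=classify(line))
            member = None
            findings.append(current)
            continue
        if current is None:
            continue
        if m := MEMBER_RE.match(line):
            member = m.group(1)
        elif m := DETECTION_RE.match(line):
            current.detections.append((member, m.group(1)))
        elif m := QUARANTINE_RE.match(line):
            current.quarantine_file = m.group(1)
        elif m := WARNING_RE.match(line):
            current.warning = m.group(1)
    return findings


def summarize(findings):
    """Number of detected files per location category."""
    return Counter(f.category for f in findings if f.detections)


def live_findings(findings):
    return [f for f in findings if f.is_live]


def find_path(findings, fragment):
    fragment = fragment.lower()
    return [f for f in findings if fragment in f.path.lower()]


if __name__ == "__main__":
    results = parse_avira_report(SAMPLE_LOG)
    for category, n in sorted(summarize(results).items()):
        print(f"{n:3d}  {category}")
    for f in live_findings(results):
        print("LIVE:", f.path, "->", ", ".join(sig for _, sig in f.detections))
    for f in find_path(results, "[4]-submit"):
        print("submission archive quarantined as", f.quarantine_file)
```

Run against the full report, the "live" bucket is what still needs attention; the quarantine, backup and restore-point buckets are inert copies, and the restore-point hits are the usual reason helpers ask for System Restore to be flushed once a machine is clean.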