Author Topic: [RESOLVED]- Rjump issue  (Read 37896 times)


Offline DavidR

  • Avast Überevangelist
Re: Rjump issue
« Reply #15 on: June 11, 2007, 04:19:20 PM »
1. & 2. You would normally only be contacted if they required any further information.

3. If you place the sample in the User Files section of the avast chest, you can periodically scan it within the chest (where it can do no harm) and see if it is detected. If it is a new variant or an old one that isn't detected, you won't be able to tell directly from an avast scan; only that it is now detected or not.

Since there is no standardisation in virus/malware naming, you can't compare names directly to tell if it is a new variant or an existing one that isn't detected. You could however test using a multi-engine scanner, which is likely to reveal other virus/malware names for the same sample; from this you may be able to tell if it is an old and not a new variant.

You could also check the offending/suspect file at VirusTotal - Multi engine on-line virus scanner. I feel VirusTotal is the better option, as it uses the Windows version of avast (more packers supported) and there are currently 32 different scanners.
Or Jotti - Multi engine on-line virus scanner; if any other scanners here detect them, it is less likely to be a false positive. Whichever scanner you use, you can't do this with the file in the chest; you will need to move it out.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Lisandro

  • Avast team
Re: Rjump issue
« Reply #16 on: June 11, 2007, 08:36:36 PM »
Quote from: QEHNick
I've had to turn that (high sensitivity) off because it impacts on the performance on some of our critical systems.
So, the USB won't be automatically scanned when you attach a stick there...

Quote from: QEHNick
We've debated turning off autorun, and we will do it as soon as possible.
It will be safer.

Quote from: QEHNick
We have approximately 3000 USB storage devices on our network, getting users to scan them manually is not an easy task!
So you can test the Normal sensitivity level by checking for scanning opened/created/modified files also.
I see no other option: if the user does not run a manual scan, the resident should use resources to be always on.
The best things in life are free.

QEHNick

  • Guest
Re: Rjump issue
« Reply #17 on: June 12, 2007, 09:26:47 AM »
This is VirusTotal's output.

Antivirus Version Update Result
AhnLab-V3 2007.6.12.2 06.12.2007 Win-Trojan/Rajump.3515723
AntiVir 7.4.0.32 06.12.2007 Worm/Rjump.E
Authentium 4.93.8 06.12.2007  no virus found
Avast 4.7.997.0 06.09.2007 Win32:Rjump
AVG 7.5.0.467 06.11.2007 Worm/Generic.RL
BitDefender 7.2 06.12.2007 Worm.RJump.J
CAT-QuickHeal 9.00 06.11.2007 Worm.RJump.a
ClamAV devel-20070416 06.12.2007 Worm.RJump-2
DrWeb 4.33 06.11.2007 Trojan.Iespy
eSafe 7.0.15.0 06.11.2007 Win32.RJump.a
eTrust-Vet 30.7.3713 06.12.2007 Win32/RJump.A
Ewido 4.0 06.11.2007  no virus found
FileAdvisor 1 06.12.2007  no virus found
Fortinet 2.85.0.0 06.12.2007 W32/RJump.A!worm
F-Prot 4.3.2.48 06.11.2007  no virus found
F-Secure 6.70.13030.0 06.12.2007 Worm.Win32.RJump.a
Ikarus T3.1.1.8 06.12.2007 Worm.Win32.RJump.a
Kaspersky 4.0.2.24 06.12.2007 Worm.Win32.RJump.a
McAfee 5050 06.11.2007 W32/RJump.worm
Microsoft 1.2503 06.12.2007  no virus found
NOD32v2 2323 06.11.2007 Win32/RJump.A
Norman 5.80.02 06.11.2007  no virus found
Panda 9.0.0.4 06.12.2007 Bck/Simut.A
Prevx1 V2 06.12.2007 Trojan.RavMonE
Sophos 4.18.0 06.12.2007 W32/RJump-H
Sunbelt 2.2.907.0 06.09.2007 VIPRE.Suspicious
Symantec 10 06.12.2007 W32.Rajump
TheHacker 6.1.6.132 06.11.2007 W32/RJump.a
VBA32 3.12.0.1 06.11.2007 Worm.Win32.RJump.a
VirusBuster 4.3.23:9 06.11.2007 Worm.RJump.A
Webwasher-Gateway 6.0.1 06.12.2007 Worm.Rjump.E

Jotti's report...

File:  RavMonE.exe 
Status:  INFECTED/MALWARE 
MD5  ff8f61f7d137155c3d3c1f0e28b9bff4 
Packers detected:  PY2EXE
 
Scanner results 
Scan taken on 12 Jun 2007 07:39:50 (GMT) 
A-Squared  Found nothing
AntiVir  Found WORM/Rjump.E 
ArcaVir  Found Worm.Rjump.A 
Avast  Found Win32:Rjump 
AVG Antivirus  Found Worm/Generic.RL 
BitDefender  Found Worm.RJump.J 
ClamAV  Found Worm.RJump-2 
Dr.Web  Found Trojan.Iespy 
F-Prot Antivirus  Found nothing
F-Secure Anti-Virus  Found Worm.Win32.RJump.a 
Fortinet  Found W32/RJump.A!worm 
Kaspersky Anti-Virus  Found Worm.Win32.RJump.a 
NOD32  Found Win32/RJump.A 
Norman Virus Control  Found nothing
Panda Antivirus  Found Bck/Simut.A 
Rising Antivirus  Found Worm.Snake.a 
VirusBuster  Found Worm.RJump.A 
VBA32  Found Worm.Win32.RJump.a 

As you can see Avast picks it up as RJUMP, our version of Avast is up-to-date in all aspects, but still does not detect it on access. I even copied it to my desktop without avast picking up on it.

What could possibly be wrong?
« Last Edit: June 12, 2007, 10:34:13 AM by QEHNick »
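The two reports above illustrate DavidR's earlier point: every engine uses its own naming scheme, so the result strings cannot be compared directly, but once the platform and type words ("Win32", "Worm", "Trojan") and the variant suffixes (".a", "-2", ".3515723") are stripped, most engines turn out to agree on a family. The script below is an added example, not code from the post or from Alwil; it parses the VirusTotal table exactly as pasted here and counts the family vote. The NON_FAMILY word list is an assumption for illustration, not a vendor-complete mapping.

```python
"""Normalise multi-engine scanner results to a family token and count the vote.

Added example for the VirusTotal report above (not the poster's or Alwil's
code). Input is the table as pasted: Antivirus, Version, Update, Result.
"""
import re
from collections import Counter
from typing import Dict, List, Optional

# One table row: engine, version, update date (MM.DD.YYYY), result text.
ROW_RE = re.compile(
    r"^(?P<engine>\S+)\s+(?P<version>\S+)\s+(?P<update>\d{2}\.\d{2}\.\d{4})\s+(?P<result>.+?)\s*$"
)

# Tokens naming a platform, a type or a heuristic verdict rather than a family.
# Assumption: illustrative list, not a complete per-vendor vocabulary.
NON_FAMILY = {"win", "win32", "w32", "worm", "trojan", "bck", "generic",
              "suspicious", "vipre", "heur"}

# The VirusTotal table from the post above, copied verbatim.
VT_TABLE = """
Antivirus Version Update Result
AhnLab-V3 2007.6.12.2 06.12.2007 Win-Trojan/Rajump.3515723
AntiVir 7.4.0.32 06.12.2007 Worm/Rjump.E
Authentium 4.93.8 06.12.2007  no virus found
Avast 4.7.997.0 06.09.2007 Win32:Rjump
AVG 7.5.0.467 06.11.2007 Worm/Generic.RL
BitDefender 7.2 06.12.2007 Worm.RJump.J
CAT-QuickHeal 9.00 06.11.2007 Worm.RJump.a
ClamAV devel-20070416 06.12.2007 Worm.RJump-2
DrWeb 4.33 06.11.2007 Trojan.Iespy
eSafe 7.0.15.0 06.11.2007 Win32.RJump.a
eTrust-Vet 30.7.3713 06.12.2007 Win32/RJump.A
Ewido 4.0 06.11.2007  no virus found
FileAdvisor 1 06.12.2007  no virus found
Fortinet 2.85.0.0 06.12.2007 W32/RJump.A!worm
F-Prot 4.3.2.48 06.11.2007  no virus found
F-Secure 6.70.13030.0 06.12.2007 Worm.Win32.RJump.a
Ikarus T3.1.1.8 06.12.2007 Worm.Win32.RJump.a
Kaspersky 4.0.2.24 06.12.2007 Worm.Win32.RJump.a
McAfee 5050 06.11.2007 W32/RJump.worm
Microsoft 1.2503 06.12.2007  no virus found
NOD32v2 2323 06.11.2007 Win32/RJump.A
Norman 5.80.02 06.11.2007  no virus found
Panda 9.0.0.4 06.12.2007 Bck/Simut.A
Prevx1 V2 06.12.2007 Trojan.RavMonE
Sophos 4.18.0 06.12.2007 W32/RJump-H
Sunbelt 2.2.907.0 06.09.2007 VIPRE.Suspicious
Symantec 10 06.12.2007 W32.Rajump
TheHacker 6.1.6.132 06.11.2007 W32/RJump.a
VBA32 3.12.0.1 06.11.2007 Worm.Win32.RJump.a
VirusBuster 4.3.23:9 06.11.2007 Worm.RJump.A
Webwasher-Gateway 6.0.1 06.12.2007 Worm.Rjump.E
"""


def parse_rows(table: str) -> List[Dict[str, str]]:
    """Return one dict per data row; the header line does not match ROW_RE."""
    rows = []
    for line in table.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def family_of(result: str) -> Optional[str]:
    """Lower-case family token, or None for clean or heuristic-only results."""
    if result.lower().startswith("no virus"):
        return None
    for tok in re.split(r"[/.:!\-_\s]+", result.lower()):
        # First alphabetic token of 3+ characters: single letters and digits
        # are variant markers, not families.
        if len(tok) >= 3 and tok.isalpha() and tok not in NON_FAMILY:
            return tok
    return None


def family_consensus(table: str) -> Dict[str, object]:
    """Count engines, detections and the family each detection maps to."""
    rows = parse_rows(table)
    detections = [r for r in rows if not r["result"].lower().startswith("no virus")]
    families = Counter(f for f in (family_of(r["result"]) for r in detections) if f)
    return {"engines": len(rows), "detections": len(detections), "families": families}


if __name__ == "__main__":
    summary = family_consensus(VT_TABLE)
    print(f"{summary['detections']} of {summary['engines']} engines detect the sample")
    for fam, n in summary["families"].most_common():
        print(f"  {fam:10s} {n}")
```

Engines that only return a generic or heuristic verdict (AVG's Worm/Generic.RL, Sunbelt's VIPRE.Suspicious) count as detections but contribute no family, which is the right reading of a multi-engine report: they confirm the file is bad without saying what it is.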

Offline Lisandro

  • Avast team
Re: Rjump issue
« Reply #18 on: June 12, 2007, 02:18:48 PM »
Quote from: QEHNick
As you can see Avast picks it up as RJUMP, our version of Avast is up-to-date in all aspects, but still does not detect it on access. I even copied it to my desktop without avast picking up on it.
What could possibly be wrong?
Which are your Standard Shield configurations at this time?
Are you scanning the opened/created/modified files?

Offline DavidR

  • Avast Überevangelist
Re: Rjump issue
« Reply #19 on: June 12, 2007, 02:37:45 PM »
Quote from: QEHNick
As you can see Avast picks it up as RJUMP, our version of Avast is up-to-date in all aspects, but still does not detect it on access. I even copied it to my desktop without avast picking up on it.

I'm as baffled as you are as to why this isn't being picked up on-access. You changed the sensitivity to High, and I presume that 'did' pick it up on access?

So why it shouldn't on Normal is strange, as the file type .exe should be scanned even on Normal.

Unfortunately, I don't think submitting the sample to the 'lab' will help you, as they would be looking to see if it is a virus and including it in the signatures (if it were a new variant), unless you specifically said in the submission what is happening (not detected on-access, but detected on-demand) and gave a link to this topic, not just submitting the sample in isolation.

It may be worth an email to support @ avast dot com explaining the problem, with a link to this topic, as under normal circumstances I would expect it to be scanned on-access (creation/modification) by the standard shield. As Tech mentions, if you customised these settings that could be why.

I would also suggest that you confirm that avast is scanning .exe files, etc. and detecting if infected: http://www.eicar.com/anti_virus_test_file.htm. Download any of the .exe or .com versions of the test file and see if the standard shield alerts. You would need to pause the web shield, or that is likely to alert; or download using the https: link, which doesn't get scanned by the web shield.

QEHNick

  • Guest
Re: Rjump issue
« Reply #20 on: June 12, 2007, 04:03:34 PM »
Quote from: Tech
Which are your Standard Shield configurations at this time?
Are you scanning the opened/created/modified files?

With Standard Shield set to High, Avast still does not detect RavMonE.exe. I can even execute RavMonE and it still does not detect it.

When I submitted my samples, I did indeed quote the forum link so they'd know what it was all about.

EICAR detection appears to be fine, although an EICAR text file did not get detected until I renamed it eicar.com.

Offline DavidR

  • Avast Überevangelist
Re: Rjump issue
« Reply #21 on: June 12, 2007, 05:42:46 PM »
Text (.txt) files aren't scanned by default on creation or modification, that is why I suggested downloading the com (or exe version, which I see isn't included in the samples on the site) of the test.

I think it would be worthwhile to email support on this and attack it from both directions; it is certainly weird.


Could it be that this is somehow being stealthed/protected in some way? avast usually hooks .exe files so they are scanned before they are executed. Check and ensure that standard .exe files are in fact scanned: enable 'Show detailed info on performed actions' in the standard shield and execute some normal exe files and see if they are scanned, or watch the Last scanned: in the standard shield detailed view.

You didn't mention your standard shield settings; check the Customise button, Scanner Advanced.
Quote from: Tech
Which are your Standard Shield configurations at this time?
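The EICAR exchange above (a .txt copy ignored, the .com copy caught) is the standard way to prove that on-access scanning works for a given extension without handling real malware. The script below is an added example, not code from the thread or from Alwil or EICAR: it writes the public EICAR test string under both extensions into a directory and reports which copies survive a short wait. Run it on the machine under test; on a host with a working on-access scanner eicar.com should disappear or be quarantined (and the shield should alert), while eicar.txt survives if text files are not scanned on create/modify. The three-second wait is an assumption; adjust it to the scanner's behaviour.

```python
"""Write the EICAR test file under two extensions to probe on-access scanning.

Added example (not the poster's, Alwil's or EICAR's code). The test string is
the published EICAR string; it is harmless but is detected by every
mainstream scanner, so it exercises the on-access path without live malware.
"""
import hashlib
import os
import tempfile
import time
from typing import Dict


def eicar_bytes() -> bytes:
    # Assembled from two halves so this source file is not itself detected.
    head = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
    tail = b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
    return head + tail


def eicar_md5() -> str:
    """MD5 of the 68-byte test string, useful to confirm the file was written intact."""
    return hashlib.md5(eicar_bytes()).hexdigest()


def probe_on_access(directory: str, wait_seconds: float = 3.0) -> Dict[str, bool]:
    """Create eicar.com and eicar.txt in `directory`, wait, report which still exist.

    Returns {filename: still_present}. False for eicar.com means the on-access
    scanner acted on it; True for eicar.txt alongside it is the
    extension-dependent behaviour described in the thread.
    """
    names = ("eicar.com", "eicar.txt")
    for name in names:
        path = os.path.join(directory, name)
        try:
            with open(path, "wb") as fh:
                fh.write(eicar_bytes())
        except OSError:
            # Some shields refuse the write outright; that counts as "acted on".
            pass
    time.sleep(wait_seconds)  # assumption: give the shield time to react
    return {name: os.path.exists(os.path.join(directory, name)) for name in names}


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print("EICAR md5:", eicar_md5())
        for name, present in probe_on_access(tmp).items():
            state = "still present" if present else "removed or blocked by scanner"
            print(f"{name}: {state}")
```

Download the file over plain HTTP if you want the web shield tested as well; writing it locally, as here, bypasses the web shield and isolates the standard shield, which is the component under suspicion in this thread.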

QEHNick

  • Guest
Re: Rjump issue
« Reply #22 on: June 13, 2007, 10:09:11 AM »
Scanner shield settings are default, haven't been changed since installed.

Here's a couple of screenshots so you can see what happens.

The first one is when I execute Ravmone.exe, Avast is set to show detailed...
http://i55.photobucket.com/albums/g136/101nick/ravmoneexecuting.jpg

and the second is the task list open so you can see it is actually running, and there's a ravmone.log file on the desktop too.
http://i55.photobucket.com/albums/g136/101nick/ravmonerunning.jpg


Ondrej dropped me a line this morning for some more info, what a hero he is!

mauserme

  • Guest
Re: Rjump issue
« Reply #23 on: June 13, 2007, 02:08:12 PM »
A Hijackthis log from one of the infected computers might shed a little more light on this:

Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Doubleclick on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

The log will be long - use multiple posts if you need to.

Offline DavidR

  • Avast Überevangelist
Re: Rjump issue
« Reply #24 on: June 13, 2007, 02:17:23 PM »
Quote from: QEHNick
Ondrej dropped me a line this morning for some more info, what a hero he is!

That is good news that you have been contacted; I had hoped for and tried to get some input from one of the Alwil team. Hopefully they will be able to get to the bottom of it, as it is beyond my limited knowledge of avast's inner workings.

QEHNick

  • Guest
Re: Rjump issue
« Reply #25 on: June 13, 2007, 02:28:10 PM »
Well, since I infected my PC several times... here's a HijackThis log from it.


Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 13:26:29, on 13/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\aswServ.exe
C:\Program Files\Alwil Software\Avast4\AvAgent.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Gemplus\GemSafe Libraries User\BIN\GCardSrvNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\Alwil Software\Avast4\aswWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\PROGRA~1\ALWILS~1\Avast4\aswDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Gemplus\GAC\GACService.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Gemplus\GemSafe Libraries User\BIN\GCardSrv.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Alwil Software\Management Tools\asaAdmin.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\qeh-xt\xt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\N.Castleton\Desktop\Root Kit Detection\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://zeus
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://zeus
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/rlidOfficeUpdate?clid=1033
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by QEH
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\aswDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [GACService] C:\Program Files\Gemplus\GAC\GACService.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME\TomTomHOME.exe" -s
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [RavAV] C:\WINDOWS\RavMonE.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://zeus
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.euro.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0470E62C-C97E-4317-81E5-0774D8CBF7B7} (EndPointScan Class) - http://www.endpointscan.com/EndPointScan.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://futuresoft.webex.com/client/T25L/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = xqehkl.nhs.uk
O17 - HKLM\Software\..\Telephony: DomainName = xqehkl.nhs.uk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = xqehkl.nhs.uk
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswServ.exe
O23 - Service: avast! NetAgent - ALWIL Software - C:\Program Files\Alwil Software\Avast4\AvAgent.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswWebSv.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GemSAFE Card Server - Gemplus - C:\Program Files\Gemplus\GemSafe Libraries User\BIN\GCardSrvNT.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

--
End of file - 9195 bytes
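The log above is long, and the entry that matters (O4 - HKLM\..\Run: [RavAV] C:\WINDOWS\RavMonE.exe) is easy to miss among the legitimate start-ups. Two cheap rules surface it: an autostart whose binary sits loose in the Windows directory rather than in system32 or Program Files, and an autostart with no absolute path (resolved via PATH). The script below is an added example, not HijackThis code or the poster's; it applies those rules to O4 lines copied from this log. The default XP install path C:\WINDOWS and one extra line for ADOBER.EXE (a second file name that comes up later in the thread) are assumptions, marked as such in the code.

```python
r"""Triage the O4 (autostart) entries of a HijackThis log.

Added example for the log above (not HijackThis code, not the poster's).
Flags autostart binaries that sit directly in the Windows directory or that
are given without an absolute path; everything else is left for manual review.
"""
import re
from typing import Dict, List, Optional

# "O4 - <registry key>: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\]\s+(?P<cmd>.*)$")

# Leading program of a command line: a quoted path, or an unquoted path that
# runs up to the first executable extension (HJT prints unquoted paths with
# spaces, so we cannot split on whitespace).
EXE_RE = re.compile(
    r'^(?:"(?P<quoted>[^"]+)"|(?P<bare>.+?\.(?:exe|com|scr|bat|cmd|pif)))(?=\s|$)',
    re.IGNORECASE,
)

WINDOWS_ROOT = r"c:\windows"  # assumption: default Windows XP install location


def executable_of(cmd: str) -> Optional[str]:
    """Return the program path at the start of an O4 command line, or None."""
    m = EXE_RE.match(cmd.strip())
    if not m:
        return None
    return m.group("quoted") or m.group("bare")


def triage_entry(line: str) -> Optional[Dict[str, object]]:
    """Parse one O4 line; None if it is not an 'O4 - key: [name] cmd' entry."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    exe = executable_of(m.group("cmd"))
    flags: List[str] = []
    if exe is None:
        flags.append("no executable recognised")
    else:
        folder = exe.lower().rsplit("\\", 1)[0] if "\\" in exe else ""
        if folder == "":
            flags.append("no absolute path (resolved via PATH)")
        elif folder == WINDOWS_ROOT:
            flags.append("executable directly in the Windows directory")
    return {"key": m.group("key"), "name": m.group("name"), "exe": exe, "flags": flags}


def flagged_entries(log: str) -> List[Dict[str, object]]:
    """All O4 entries in `log` that trip at least one rule, in log order."""
    out = []
    for line in log.splitlines():
        entry = triage_entry(line)
        if entry and entry["flags"]:
            out.append(entry)
    return out


# O4 lines copied from the HijackThis log above, plus one constructed line
# (the last one) for ADOBER.EXE, a second file name raised later in the thread.
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\aswDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [RavAV] C:\WINDOWS\RavMonE.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKLM\..\Run: [Adobe] C:\WINDOWS\ADOBER.EXE
"""

if __name__ == "__main__":
    for e in flagged_entries(SAMPLE_O4):
        print(f"{e['key']} [{e['name']}] -> {e['exe']}: {'; '.join(e['flags'])}")
```

The rundll32 entry is a legitimate XP Bluetooth start-up that trips the "no absolute path" rule; that is intentional, since an attacker can plant a same-named binary earlier on the PATH, so such entries deserve a look rather than automatic trust. The rules are a triage aid, not a verdict: as mauserme notes further down, nothing in this log is hidden, and the RavAV entry is simply sitting in the open.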

Spyros

  • Guest
Re: Rjump issue
« Reply #26 on: June 13, 2007, 04:36:33 PM »

I think this one: O4 - HKLM\..\Run: [RavAV] C:\WINDOWS\RavMonE.exe is connected to Rjump
---
These need further investigation:
C:\Program Files\Gemplus\GemSafe Libraries User\BIN\GCardSrvNT.exe
 C:\Program Files\Gemplus\GAC\GACService.exe
C:\Program Files\Gemplus\GemSafe Libraries User\BIN\GCardSrv.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [GACService] C:\Program Files\Gemplus\GAC\GACService.exe
DPF: {0470E62C-C97E-4317-81E5-0774D8CBF7B7} (EndPointScan Class) - http://www.endpointscan.com/EndPointScan.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = xqehkl.nhs.uk
O17 - HKLM\Software\..\Telephony: DomainName = xqehkl.nhs.uk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = xqehkl.nhs.uk
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: GemSAFE Card Server - Gemplus - C:\Program Files\Gemplus\GemSafe Libraries User\BIN\GCardSrvNT.exe

Offline DavidR

  • Avast Überevangelist
Re: Rjump issue
« Reply #27 on: June 13, 2007, 05:02:59 PM »
I suspect that QEHNick is aware of this O4 entry, as he has intimate knowledge of the RavMonE.exe file (see Reply #17).

QEHNick's problem is that although the file is detected by avast signatures on an on-demand scan, it isn't detected with the on-access scan and avast allows it to execute.

The O22 entries are fine; they appear in the latest Trend Micro HijackThis v2.0.0 (BETA) version but not in HJT 1.99.1. When they first appeared on my first use of the 2.0 version, I checked them out fully.

mauserme

  • Guest
Re: Rjump issue
« Reply #28 on: June 13, 2007, 08:21:48 PM »
Quote from: Spyros
I think this one: O4 - HKLM\..\Run: [RavAV] C:\WINDOWS\RavMonE.exe is connected to Rjump
For sure that's where ravmone.exe is loading. The problem is I was half expecting to see something stealthy here (or see no entry at all) to explain the avast! behavior, but it's just out in the open running as a start-up.

If you fix this line in HJT

O4 - HKLM\..\Run: [RavAV] C:\WINDOWS\RavMonE.exe

and delete these files

C:\WINDOWS\RavMonE.exe

C:\WINDOWS\ADOBER.EXE  (if present)

you will clean the individual computer, but the scanning mystery will remain and you will still need to prevent potential reinfection through the LAN or via USB drives.

Do you recognize the domain in these lines

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = xqehkl.nhs.uk
O17 - HKLM\Software\..\Telephony: DomainName = xqehkl.nhs.uk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = xqehkl.nhs.uk



EDIT: Had you already killed the ravmone.exe process before you ran HJT? Or was ravmone.exe running when you generated the log?


« Last Edit: June 13, 2007, 11:56:30 PM by mauserme »

QEHNick

  • Guest
Re: Rjump issue
« Reply #29 on: June 14, 2007, 10:15:34 AM »
The domains are legit.

Ravmone wasn't running, I was just too lazy to remove the reg entry.

We now have disabled auto-run on all PCs on the network. I'm running daily on-demand scans to try to keep it clean.

Still the mystery remains.