
Solved BIT138.tmp - Not detected by Antivirus

Discussion in 'Malware and Virus Removal Archive' started by Jose Pinho, 2009/04/03.

  1. 2009/04/03
    Jose Pinho

    [Resolved] BIT138.tmp - Not detected by Antivirus

    Good afternoon (I am in the GMT-3 time zone),

    Starting yesterday, April 2nd, I have seen file BIT138.tmp consistently appearing in C:\Documents and Settings\JCP\Local configurations\Temp. When trying to simply delete it, either it is removed immediately or I receive the message "cannot be removed. Being used by someone else". If I disconnect the internet service provider cable I am able to remove it, and as the PC is off the internet, no reinfestation occurs. It is just a matter of no more than seconds to 5 minutes to have it back once the internet connection is on. I do not even need to open Outlook or Internet Explorer.
    My PC is running Windows XP SP2 Professional (Brazilian Portuguese version).
    I have already tried the following: Avast Home edition, Kaspersky On Line Scan, Panda Active Scan (on line too), Malwarebytes Anti-Malware (MBAM) and Panda Anti-Rootkit. None of them pointed at anything.
    I have also found that there is a registry key named BITS, under HKLM\Software\Microsoft\Windows\Current Version.
    The file always has the same name and size (BIT138.tmp, 35542 K).
    Googling, I found that a user of this forum had a similar issue, back in December 2007, and that after going through HijackThis, SmitFraud and SDFix, ended up finding a solution using bitsadmin.exe from Microsoft. The user ID was rmon123.

    Do you recommend me to use bitsadmin, or had we better start with some other tool?
    If bitsadmin is the way to go, how do I set BITS to manual or stop it? I saw a comment on this in that thread (dated December 17th, 2007) at #17.
    Sorry if my English sounds weird. English is not my first language, but it is my second-best spoken and written language.

    Thanks in advance for any help.

    Jose Pinho
     
  2. 2009/04/03
    PeteC

    Welcome to WindowsBBS :)

    There is an announcement at the head of the forum .....

    *** READ THIS BEFORE POSTING IN THIS FORUM ***

    Please read and post the logs requested in this thread.
     


  4. 2009/04/03
    Jose Pinho

    Sorry Pete,

    I am still struggling with the process. Hope I am posting both logs in the right area.
    If I did something wrong, please let me know.

    Cheers.

    DDS (Ver_09-03-16.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 23/5/2008 16:45:15
    System Uptime: 4/3/2009 16:35:41 (720 hours ago)

    Motherboard: ASUSTeK Computer INC. | | P5GC-MX/1333
    Processor: Intel(R) Pentium(R) Dual CPU E2180 @ 2.00GHz | LGA 775 | 1999/200mhz
    Processor: Intel(R) Pentium(R) Dual CPU E2180 @ 2.00GHz | LGA 775 | 2000/200mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 149 GiB total, 144,559 GiB free.
    D: is FIXED (NTFS) - 75 GiB total, 72,788 GiB free.
    E: is CDROM ()

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP1: 3/4/2009 02:46:08 - Ponto de verificação do sistema

    ==== Installed Programs ======================

    Adobe Flash Player 10 ActiveX
    Adobe Reader 9 Lite
    Adobe Shockwave Player
    Arquivo do WinRAR
    Atheros Communications Inc.(R) L2 Fast Ethernet Driver
    µTorrent
    Atualização de Segurança para Windows XP (KB958644)
    avast! Antivirus
    Babylon
    Dic Michaelis - UOL
    ffdshow [rev 2460] [2008-12-09]
    FineCount 2.0
    High Definition Audio Driver Package - KB888111
    Hotfix para Windows XP (KB921411)
    Intel(R) Graphics Media Accelerator Driver
    iPassion PC Camera Driver
    Java(TM) 6 Update 13
    Kaspersky Online Scanner
    Microsoft Office Professional Edição 2003
    Nero 7 Essentials
    Pacote de Driver do Windows - iPassion iP293x PC-Camera Driver (01/01/2007 6.0.0.1)
    PDF to Word
    PDFZilla V1.0.7
    Real Alternative 1.8.2
    Realtek High Definition Audio Driver
    Skype™ 4.0
    SMPlayer 0.6.7
    Some PDF Image Extractr 1.1
    Some PDF to Word Converter 1.2
    Sygate Personal Firewall Pro
    VDownloader 0.81
    VideoGet
    Vit Registry Fix 9.5 (remove only)
    WebFldrs XP
    Windows Live Messenger
    Windows Media Format Runtime

    ==== End Of File ===========================

    DDS (Ver_09-03-16.01) - NTFSx86
    Run by JCP at 16:50:49,95 on sex 03/04/2009
    Internet Explorer: 6.0.2900.2180
    Microsoft Windows XP Professional 5.1.2600.2.1252.55.1046.18.1015.717 [GMT -3:00]

    AV: avast! antivirus 4.8.1335 [VPS 090403-0] *On-access scanning enabled* (Updated)
    FW: Sygate Personal Firewall Pro *enabled*

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
    C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\Explorer.EXE
    C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
    C:\Arquivos de programas\Java\jre6\bin\jqs.exe
    C:\Arquivos de programas\Sygate\SPF\smc.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
    C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
    C:\Arquivos de programas\Outlook Express\msimn.exe
    C:\WINDOWS\system32\wbem\wmiapsrv.exe
    C:\Arquivos de programas\Internet Explorer\iexplore.exe
    C:\Documents and Settings\JCP\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.estadao.com.br/
    uURLSearchHooks: Barra de Ferramentas do Yahoo!: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
    BHO: 1 (0x1): {02478d38-c3f9-4efb-9b51-7695eca05670} - &Yahoo! Toolbar Helper
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\arquivos de programas\arquivos comuns\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\arquivos de programas\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\arquivos de programas\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: {8B79EE88-E62D-4AA8-B530-CC357BA112B7} - No File
    TB: Barra de Ferramentas do Yahoo!: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
    mRun: [SmcService] c:\arquiv~1\sygate\spf\smc.exe -startgui
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [avast!] c:\arquiv~1\alwils~1\avast4\ashDisp.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    IE: E&xportar para o Microsoft Excel - c:\arquiv~1\micros~2\office11\EXCEL.EXE/3000
    IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
    IE: {88CFA58B-A63F-4A94-9C54-0C7A58E3333E} - {17A84966-F1E9-4645-AA9E-5E771EE1C859} - c:\arquiv~1\nuclea~1\videoget\plugins\VIDEOG~1.DLL
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\arquiv~1\micros~2\office11\REFIEBAR.DLL
    DPF: Microsoft XML Parser for Java
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://javadl.sun.com/webapps/download/AutoDL?BundleId=29223
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    Notify: igfxcui - igfxdev.dll

    ============= SERVICES / DRIVERS ===============

    R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-5-23 114768]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-5-23 20560]
    R2 avast! Antivirus;avast! Antivirus;c:\arquivos de programas\alwil software\avast4\ashServ.exe [2008-5-23 138680]
    R3 AtcL002;NDIS Miniport Driver for Atheros L2 Fast Ethernet Controller;c:\windows\system32\drivers\l251x86.sys [2008-5-23 29696]
    R3 avast! Mail Scanner;avast! Mail Scanner;c:\arquivos de programas\alwil software\avast4\ashMaiSv.exe [2008-5-23 254040]
    R3 avast! Web Scanner;avast! Web Scanner;c:\arquivos de programas\alwil software\avast4\ashWebSv.exe [2008-5-23 352920]
    R3 DCamUSBTP10;iP2937 USB Camera;c:\windows\system32\drivers\iP293x.SYS [2008-6-22 232320]
    S4 vsdatant;vsdatant; [x]

    =============== Created Last 30 ================

    2009-04-03 02:26 60 a------- c:\windows\wininit.ini
    2009-04-03 00:12 8,576 a------- c:\windows\system32\drivers\qkudbhriohqs.sys
    2009-04-01 10:42 8,576 a------- c:\windows\system32\drivers\fwpapbrnyuxh.sys
    2009-03-31 11:21 8,576 a------- c:\windows\system32\drivers\usgqslpkoslh.sys
    2009-03-29 21:33 73,728 a------- c:\windows\system32\javacpl.cpl
    2009-03-28 12:28 <DIR> --d----- c:\docume~1\jcp\dadosd~1\BITS
    2009-03-28 09:14 <DIR> --d----- c:\arquivos de programas\VDOWNLOADER
    2009-03-25 18:09 <DIR> --d-h--- c:\windows\$hf_mig$
    2009-03-25 08:55 <DIR> --d----- c:\arquivos de programas\Vitsoft
    2009-03-21 08:19 <DIR> --d----- c:\documents and settings\jcp\fontconfig
    2009-03-21 08:19 <DIR> --d----- c:\documents and settings\jcp\.smplayer
    2009-03-21 08:18 <DIR> --d----- c:\arquivos de programas\SMPlayer
    2009-03-17 09:22 <DIR> --d--r-- c:\arquivos de programas\Skype

    ==================== Find3M ====================

    2009-04-01 18:05 344,380 a------- c:\windows\system32\perfh016.dat
    2009-04-01 18:05 48,628 a------- c:\windows\system32\perfc016.dat
    2009-03-29 21:33 410,984 a------- c:\windows\system32\deploytk.dll
    2008-12-08 15:02 23 a--sh--- c:\windows\system32\dadaaaa0_x.dll

    ============= FINISH: 16:50:59,60 ===============
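    As an added example (not part of this thread and not a feature of DDS), the following Python script runs a first triage over the "Created Last 30" and Find3M lines of the DDS log above. It parses each line (date, time, size, attribute flags, path) and flags the properties an analyst would act on before sending anything to a multi-engine scanner: base names that look machine-generated, several files of identical size and extension created on different days, and hidden+system files under system32. The sample lines are the log's own lines re-typed as constructed input; the heuristics, thresholds and function names (parse_dds_lines, looks_random, triage) are this example's assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: lines re-typed from the DDS "Created Last 30" / Find3M
# sections above (format: date time size attributes path).
DDS_SAMPLE = [
    r"2009-04-03 02:26 60 a------- c:\windows\wininit.ini",
    r"2009-04-03 00:12 8,576 a------- c:\windows\system32\drivers\qkudbhriohqs.sys",
    r"2009-04-01 10:42 8,576 a------- c:\windows\system32\drivers\fwpapbrnyuxh.sys",
    r"2009-03-31 11:21 8,576 a------- c:\windows\system32\drivers\usgqslpkoslh.sys",
    r"2009-03-29 21:33 73,728 a------- c:\windows\system32\javacpl.cpl",
    r"2009-03-28 12:28 <DIR> --d----- c:\docume~1\jcp\dadosd~1\BITS",
    r"2008-12-08 15:02 23 a--sh--- c:\windows\system32\dadaaaa0_x.dll",
]

_LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>\S{8}) (?P<path>.+)$"
)
VOWELS = set("aeiou")


def parse_dds_lines(lines):
    """Parse DDS file-listing lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in lines:
        m = _LINE_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        path = m["path"].lower()
        entries.append({"date": m["date"], "size": size, "attrs": m["attrs"],
                        "path": path, "name": path.rsplit("\\", 1)[-1]})
    return entries


def looks_random(name):
    """Assumed heuristic: a long, all-letter stem with few vowels (e.g. 'qkudbhriohqs')."""
    stem = name.rsplit(".", 1)[0]
    if len(stem) < 10 or not stem.isascii() or not stem.isalpha():
        return False
    return sum(c in VOWELS for c in stem) / len(stem) <= 0.3


def triage(lines):
    """Return {path: [reasons]} for files worth submitting to a multi-engine scanner."""
    entries = [e for e in parse_dds_lines(lines) if e["size"] is not None]  # skip <DIR>
    flagged = defaultdict(list)

    # 1. Base names that look machine-generated rather than chosen by a vendor.
    for e in entries:
        if looks_random(e["name"]):
            flagged[e["path"]].append("random-looking name")

    # 2. Several files with identical size and extension created on different days:
    #    the same payload being written again under a fresh name.
    by_size_ext = defaultdict(list)
    for e in entries:
        by_size_ext[(e["size"], e["name"].rsplit(".", 1)[-1])].append(e)
    for group in by_size_ext.values():
        if len(group) >= 2 and len({e["date"] for e in group}) >= 2:
            for e in group:
                flagged[e["path"]].append(f"one of {len(group)} files of {e['size']} bytes")

    # 3. Hidden + system attributes on a file under system32; in the DDS attribute
    #    column the letters s and h stand for system and hidden.
    for e in entries:
        if "s" in e["attrs"] and "h" in e["attrs"] and "\\system32\\" in e["path"]:
            flagged[e["path"]].append("hidden+system attributes in system32")

    return dict(flagged)


if __name__ == "__main__":
    for path, reasons in triage(DDS_SAMPLE).items():
        print(path, "->", "; ".join(reasons))
```

    Run against the sample, the script flags exactly the four files the analyst asks to have scanned later in the thread (the three 8,576-byte drivers and dadaaaa0_x.dll) and leaves wininit.ini and javacpl.cpl alone. The thresholds are deliberately loose: the point is to shortlist candidates for hashing and scanning, not to declare anything malicious.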
     
  5. 2009/04/03
    PeteC

    Thanks :)

    One of our trained malware analysts will take a look at your logs ASAP, but it may be a day or so before you get a response as they are always very busy. All logs are dealt with in the order received.

    Thank you for your patience.
     
  6. 2009/04/04
    Jose Pinho

    No problem, Pete. Thanks for the update.
     
  7. 2009/04/04
    InfoNex

    Don't delete that BITS!!! If you research it, BITS is a part of Windows that allows it to transfer updates in the background. It stands for BACKGROUND INTELLIGENT TRANSFER SERVICE. Just please don't delete that one and you should be alright.
     
  8. 2009/04/04
    Jose Pinho

    BITS is safe with me. A funny / strange thing is happening. After running DDS, as part of my surveillance, I have noticed that 2 things happened in the Temp folder located at c:\docume~1\jcp\dadosd~1\Temp. I have 2 folders inside it. One is named _avast4_ and the other one, RarSFX0. The latter one is a WinRAR folder and contains DDS's Attach file. In other words, BIT138.tmp is no longer detected. It seems as if RarSFX0 has "taken over" BIT138's place, so to speak. What concerns me is: where is BIT138.tmp? I have tried to locate it, but no success. Either the site/computer/application/person that uses it is off, or taking a nap.
     
  9. 2009/04/04
    InfoNex

    Well, that file needs to be looked at by an expert if it's really suspect and no AVs are picking it up. It might be part of Conficker, but I assume that would have a signature attached to it. Then again, it might be part of your country's military's botnet.
     
  10. 2009/04/04
    Jose Pinho

    I will wait for the analysis, of course.
    But just as a piece of additional information: Microsoft's security fix KB958644 was installed on the computer back on March 25th, as a preventive action for the Fool's Day menace. I had also, as a preventive action, run the Symantec and Panda Conficker / Downadup detection tools.
    Anyway, I do not expect the file to go away just because I do not like it.
    Thanks again for all the support and patience.
     
  11. 2009/04/04
    PeteC

    InfoNex

    Only our trained malware analysts are permitted to post advice/guidance in this forum.
     
  12. 2009/04/08
    Jose Pinho

    Additional information, while the logs are being analyzed. From last Friday until today, Wednesday, I have seen other BITX.tmp files (X representing a number or letter; I have seen BIT7, BIT5, BIT10 and BITD), all in the same folder as the original BIT138.tmp, and with the same original size.
     
  13. 2009/04/08
    Juliet

    Hi and welcome

    Sorry for the delay.



    Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

    Link 1
    Link 2
    Link 3

    --------------------------------------------------------------------
    Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
    (Click on this link to see a list of programs that should be disabled.)
    http://www.bleepingcomputer.com/forums/topic114351.html


    Double click on Combo-Fix.exe & follow the prompts.

    Please allow ComboFix to install, if needed, Windows Recovery Console. It is a simple procedure that will only take a few moments of your time.

    No Validation is Required.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.



    ** Please Note:
    At times ComboFix may appear to stall, please be patient.
    • When finished, it will produce a report for you.
    • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.

    Please only run the tool once, ty.

    Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
    Don't select to run the Recovery Console as we don't need it.
    By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

    You may need several replies to post the requested logs, otherwise they might get cut off.
     
  14. 2009/04/08
    Jose Pinho

    Hi and thanks for the support you and team are supplying me with.
    ComboFix did ask to download the Windows Recovery Console, which I did. There was no request for rebooting the PC, so I ran HijackThis immediately and here are both logs.
    When this thread was started I had Windows XP Pro SP2; now the computer is running SP3.

    ComboFix 09-04-04.01 - JCP 2009-04-08 19:30:05.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1046.18.1015.686 [GMT -3:00]
    Executando de: c:\documents and settings\JCP\Desktop\123teste.exe
    AV: avast! antivirus 4.8.1335 [VPS 090408-0] *On-access scanning disabled* (Updated)
    FW: Sygate Personal Firewall Pro *disabled*
    * Criado um novo ponto de restauro
    .

    ((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\JCP\Dados de aplicativos\BITS
    c:\documents and settings\JCP\Dados de aplicativos\BITS\BITS.ini
    c:\documents and settings\JCP\Dados de aplicativos\BITS\DHTTable.dat
    c:\documents and settings\JCP\Dados de aplicativos\BITS\ProxyList.ini
    c:\windows\system32\_000110_.tmp.dll
    c:\windows\system32\bdbfbdef3_r.dll
    c:\windows\system32\ibestunz.dll

    .
    (((((((((((((((( Arquivos/Ficheiros criados de 2009-03-08 to 2009-04-08 ))))))))))))))))))))))))))))
    .

    2009-04-07 19:44 . 2009-04-07 19:44 <DIR> d-------- c:\windows\system32\pt-br
    2009-04-07 19:44 . 2009-04-07 19:44 <DIR> d-------- c:\windows\system32\bits
    2009-04-07 19:44 . 2009-04-07 19:44 <DIR> d-------- c:\windows\l2schemas
    2009-04-07 19:42 . 2009-04-07 19:44 <DIR> d-------- c:\windows\ServicePackFiles
    2009-04-07 19:29 . 2004-08-04 00:36 701,440 --------- c:\windows\system32\drivers\ati2mtag.sys
    2009-04-05 10:03 . 2009-04-05 10:03 <DIR> d-------- c:\arquivos de programas\VITSOFT
    2009-04-04 22:30 . 2009-04-04 22:30 <DIR> d-------- c:\documents and settings\JCP\Dados de aplicativos\Malwarebytes
    2009-04-03 02:26 . 2009-04-03 02:26 60 --a------ c:\windows\wininit.ini
    2009-04-03 00:12 . 2009-04-03 00:12 8,576 --a------ c:\windows\system32\drivers\qkudbhriohqs.sys
    2009-04-01 10:42 . 2009-04-01 10:41 8,576 --a------ c:\windows\system32\drivers\fwpapbrnyuxh.sys
    2009-03-31 11:21 . 2009-03-31 11:19 8,576 --a------ c:\windows\system32\drivers\usgqslpkoslh.sys
    2009-03-29 21:34 . 2009-03-29 21:34 <DIR> d-------- c:\windows\Sun
    2009-03-29 21:33 . 2009-03-29 21:33 <DIR> d-------- c:\arquivos de programas\Java
    2009-03-29 21:33 . 2009-03-29 21:33 73,728 --a------ c:\windows\system32\javacpl.cpl
    2009-03-28 10:15 . 2009-03-28 10:15 <DIR> dr------- c:\documents and settings\LocalService\Favoritos
    2009-03-28 09:14 . 2009-03-31 22:45 <DIR> d-------- c:\arquivos de programas\VDOWNLOADER
    2009-03-25 18:09 . 2009-04-03 23:19 <DIR> d--h----- c:\windows\$hf_mig$
    2009-03-25 18:09 . 2008-10-15 13:36 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
    2009-03-21 08:19 . 2009-03-21 08:19 <DIR> d-------- c:\documents and settings\JCP\fontconfig
    2009-03-21 08:19 . 2009-04-05 23:20 <DIR> d-------- c:\documents and settings\JCP\.smplayer
    2009-03-21 08:18 . 2009-03-21 08:18 <DIR> d-------- c:\arquivos de programas\SMPlayer
    2009-03-17 09:22 . 2009-04-08 17:09 <DIR> d-------- c:\documents and settings\JCP\Dados de aplicativos\Skype
    2009-03-17 09:22 . 2009-03-17 09:22 <DIR> d-------- c:\documents and settings\All Users\Dados de aplicativos\Skype
    2009-03-17 09:22 . 2009-03-17 09:22 <DIR> dr------- c:\arquivos de programas\Skype

    .
    ((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-04-03 03:39 --------- d-----w c:\documents and settings\JCP\Dados de aplicativos\uTorrent
    2009-04-02 23:30 --------- d-----w c:\arquivos de programas\PDFZilla
    2009-04-01 01:45 --------- d-----w c:\arquivos de programas\uTorrent
    2009-03-30 00:33 410,984 ----a-w c:\windows\system32\deploytk.dll
    2008-12-08 18:02 23 --sha-w c:\windows\system32\dadaaaa0_x.dll
    .

    (((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
    .
    .
    *Nota* entradas vazias e legítimas por defeito não são mostradas.
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SmcService "= "c:\arquiv~1\Sygate\SPF\smc.exe" [2005-06-06 2614496]
    "IgfxTray "= "c:\windows\system32\igfxtray.exe" [2006-10-05 98304]
    "HotKeysCmds "= "c:\windows\system32\hkcmd.exe" [2006-10-05 114688]
    "avast! "= "c:\arquiv~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
    "Persistence "= "c:\windows\system32\igfxpers.exe" [2006-10-05 94208]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE "= "c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify "=dword:00000001
    "UpdatesDisableNotify "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe "=
    "c:\\Arquivos de programas\\MSN Messenger\\livecall.exe "=
    "c:\\Arquivos de programas\\uTorrent\\uTorrent.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Arquivos de programas\\Skype\\Phone\\Skype.exe "=

    R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-05-23 114768]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-05-23 20560]
    R3 AtcL002;NDIS Miniport Driver for Atheros L2 Fast Ethernet Controller;c:\windows\system32\drivers\l251x86.sys [2008-05-23 29696]
    R3 DCamUSBTP10;iP2937 USB Camera;c:\windows\system32\drivers\iP293x.SYS [2008-06-22 232320]
    .
    .
    ------- Scan Suplementar -------
    .
    uStart Page = hxxp://www.estadao.com.br/
    IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: {{88CFA58B-A63F-4A94-9C54-0C7A58E3333E} - {17A84966-F1E9-4645-AA9E-5E771EE1C859} - c:\arquiv~1\NUCLEA~1\VideoGet\Plugins\VIDEOG~1.DLL
    DPF: Microsoft XML Parser for Java
    .

    **************************************************************************

    catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-04-08 19:30:52
    Windows 5.1.2600 Service Pack 3 NTFS

    Procurando processos ocultos ...

    Procurando entradas auto inicializáveis ocultas ...

    Procurando ficheiros/arquivos ocultos ...

    Varredura completada com sucesso
    arquivos/ficheiros ocultos: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
    "ImagePath "=" "
    .
    Tempo para conclusão: 2009-04-08 19:31:45
    ComboFix-quarantined-files.txt 2009-04-08 22:31:43

    Pré-execução: 13 pasta(s) 153.161.019.392 bytes disponíveis
    Pós execução: 12 pasta(s) 153,186,877,440 bytes disponíveis

    WindowsXP-KB310994-SP2-Pro-BootDisk-PTG.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT= "Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS= "Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    114

    And now the HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 19:37:31, on 8/4/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
    C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
    C:\Arquivos de programas\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wbem\wmiapsrv.exe
    C:\Arquivos de programas\MSN Messenger\usnsvc.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    D:\UTILITÁRIOS\HijackThis\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.estadao.com.br/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: (no name) - {8B79EE88-E62D-4AA8-B530-CC357BA112B7} - (no file)
    O4 - HKLM\..\Run: [SmcService] C:\ARQUIV~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Add to VideoGet - {88CFA58B-A63F-4A94-9C54-0C7A58E3333E} - C:\ARQUIV~1\NUCLEA~1\VideoGet\Plugins\VIDEOG~1.DLL
    O9 - Extra 'Tools' menuitem: Add to &VideoGet - {88CFA58B-A63F-4A94-9C54-0C7A58E3333E} - C:\ARQUIV~1\NUCLEA~1\VideoGet\Plugins\VIDEOG~1.DLL
    O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
    O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=29223
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe
    O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe
    O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Arquivos de programas\Sygate\SPF\smc.exe

    --
    End of file - 5065 bytes
     
  15. 2009/04/08
    Juliet

    Welcome back


    You have suspicious files on your computer we need to have scanned.


    Go to My Computer->Tools->Folder Options->View tab:
    • Under the Hidden files and folders heading:
    • Select - Show hidden files and folders.
    • Uncheck- Hide protected operating system files (recommended) option.
    • Also, make sure there is no checkmark beside Hide file extensions for known file types.
    • Click OK. (Remember to Hide files and folders once done)

    Please go to: VirusTotal




    • Click the Browse button and search for the following file: c:\windows\system32\drivers\qkudbhriohqs.sys
    • Click Open
    • Then click Send File
    • Please be patient while the file is scanned.
    • Once the scan results appear, please provide them in your next reply.
    If it says already scanned, click "reanalyze now".

    Also please have the next files scanned.
    c:\windows\system32\drivers\fwpapbrnyuxh.sys
    c:\windows\system32\drivers\usgqslpkoslh.sys
    c:\windows\system32\dadaaaa0_x.dll
     
  16. 2009/04/08
    Jose Pinho

    Hi Juliet,
    Sorry for the delay. My internet service provider had a signal problem for about 30 minutes.
    Anyway, here are the 4 logs.

    Arquivo qkudbhriohqs.sys recebido em 2009.04.09 01:21:07 (CET)
    Andamento: terminado
    Resultado: 0/40 (0%)
    Modo compacto



    Antivírus Versão Última Atualização Resultado
    a-squared 4.0.0.101 2009.04.09 -
    AhnLab-V3 5.0.0.2 2009.04.08 -
    AntiVir 7.9.0.138 2009.04.08 -
    Antiy-AVL 2.0.3.1 2009.04.08 -
    Authentium 5.1.2.4 2009.04.08 -
    Avast 4.8.1335.0 2009.04.08 -
    AVG 8.5.0.285 2009.04.08 -
    BitDefender 7.2 2009.04.08 -
    CAT-QuickHeal 10.00 2009.04.08 -
    ClamAV 0.94.1 2009.04.09 -
    Comodo 1105 2009.04.08 -
    DrWeb 4.44.0.09170 2009.04.09 -
    eSafe 7.0.17.0 2009.04.07 -
    eTrust-Vet 31.6.6446 2009.04.08 -
    F-Prot 4.4.4.56 2009.04.08 -
    F-Secure 8.0.14470.0 2009.04.08 -
    Fortinet 3.117.0.0 2009.04.08 -
    GData 19 2009.04.08 -
    Ikarus T3.1.1.49.0 2009.04.08 -
    K7AntiVirus 7.10.697 2009.04.08 -
    Kaspersky 7.0.0.125 2009.04.09 -
    McAfee 5578 2009.04.08 -
    McAfee+Artemis 5578 2009.04.08 -
    McAfee-GW-Edition 6.7.6 2009.04.08 -
    Microsoft 1.4502 2009.04.08 -
    NOD32 3995 2009.04.08 -
    Norman 6.00.06 2009.04.08 -
    nProtect 2009.1.8.0 2009.04.08 -
    Panda 10.0.0.14 2009.04.08 -
    PCTools 4.4.2.0 2009.04.08 -
    Prevx1 V2 2009.04.09 -
    Rising 21.24.22.00 2009.04.08 -
    Sophos 4.40.0 2009.04.08 -
    Sunbelt 3.2.1858.2 2009.04.09 -
    Symantec 1.4.4.12 2009.04.09 -
    TheHacker 6.3.4.0.303 2009.04.08 -
    TrendMicro 8.700.0.1004 2009.04.08 -
    VBA32 3.12.10.2 2009.04.09 -
    ViRobot 2009.4.7.1684 2009.04.08 -
    VirusBuster 4.6.5.0 2009.04.08 -
    Informações adicionais
    File size: 8576 bytes
    MD5...: d7dbfbc453b645111e6d21142305e80b
    SHA1..: e134b78030cfca8dbfd0af144193fc445db86572
    SHA256: 0365a5d0d05ebd882978100f0f0f755b43ba256464e335b2f8a2b0dcc4f84487
    SHA512: 80d26ec9e58f5f1a7314546e5776bcd1687f6dde63b0c798c2c611e083faf191
    4f9518f7873b825192c4b5b4a9e2ec0ac92c51b10571dc51e5dd9ae075d8c9f0
    ssdeep: 192:gyg/ycpyDnwYS8McuH8auaRMGW+I929iD0nu5:gZ/VpyDnYH/uWeuh
    PEiD..: -
    TrID..: File type identification
    Clipper DOS Executable (33.3%)
    Generic Win/DOS Executable (33.0%)
    DOS Executable Generic (33.0%)
    VXD Driver (0.5%)
    Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0xe56
    timedatestamp.....: 0x466916f2 (Fri Jun 08 08:44:34 2007)
    machinetype.......: 0x14c (I386)

    ( 6 sections )
    name viradd virsiz rawdsiz ntrpy md5
    .text 0x480 0x1050 0x1080 6.31 4d29dbd0afe43be0a601f147ff2baee6
    .rdata 0x1500 0x194 0x200 3.12 7e40ffb0e0a2a150c0869a11af5513c7
    .data 0x1700 0x225 0x280 2.01 9456ca564508fe29132d6fd3865aaec0
    INIT 0x1980 0x20a 0x280 4.39 b30759fccbe2d047557b63d5c8ef4835
    .rsrc 0x1c00 0x390 0x400 2.99 87241b17bb1235a94f602c2c4984a980
    .reloc 0x2000 0x122 0x180 4.57 363ca49c5554f4652b1bfcef2bed3a67

    ( 1 imports )
    > ntoskrnl.exe: IoDeleteDevice, IofCompleteRequest, PsLookupProcessByProcessId, ObfDereferenceObject, ObOpenObjectByPointer, PsProcessType, SeDeleteAccessState, PsLookupProcessThreadByCid, SeCreateAccessState, _except_handler3, MmGetSystemRoutineAddress, RtlInitUnicodeString, PsGetVersion, MmIsAddressValid, PsThreadType, _local_unwind2, IoCreateDevice, wcsncat, wcsncpy

    ( 0 exports )
    RDS...: NSRL Reference Data Set

    Arquivo dadaaaa0_x.dll recebido em 2009.04.09 02:20:31 (CET)
    Andamento: terminado
    Resultado: 0/40 (0%)
    Modo compacto


    Antivírus Versão Última Atualização Resultado
    a-squared 4.0.0.101 2009.04.09 -
    AhnLab-V3 5.0.0.2 2009.04.08 -
    AntiVir 7.9.0.138 2009.04.08 -
    Antiy-AVL 2.0.3.1 2009.04.08 -
    Authentium 5.1.2.4 2009.04.08 -
    Avast 4.8.1335.0 2009.04.08 -
    AVG 8.5.0.285 2009.04.08 -
    BitDefender 7.2 2009.04.09 -
    CAT-QuickHeal 10.00 2009.04.08 -
    ClamAV 0.94.1 2009.04.09 -
    Comodo 1105 2009.04.08 -
    DrWeb 4.44.0.09170 2009.04.09 -
    eSafe 7.0.17.0 2009.04.07 -
    eTrust-Vet 31.6.6446 2009.04.08 -
    F-Prot 4.4.4.56 2009.04.08 -
    F-Secure 8.0.14470.0 2009.04.08 -
    Fortinet 3.117.0.0 2009.04.08 -
    GData 19 2009.04.09 -
    Ikarus T3.1.1.49.0 2009.04.09 -
    K7AntiVirus 7.10.697 2009.04.08 -
    Kaspersky 7.0.0.125 2009.04.09 -
    McAfee 5578 2009.04.08 -
    McAfee+Artemis 5578 2009.04.08 -
    McAfee-GW-Edition 6.7.6 2009.04.08 -
    Microsoft 1.4502 2009.04.08 -
    NOD32 3995 2009.04.08 -
    Norman 6.00.06 2009.04.08 -
    nProtect 2009.1.8.0 2009.04.08 -
    Panda 10.0.0.14 2009.04.08 -
    PCTools 4.4.2.0 2009.04.08 -
    Prevx1 V2 2009.04.09 -
    Rising 21.24.22.00 2009.04.08 -
    Sophos 4.40.0 2009.04.08 -
    Sunbelt 3.2.1858.2 2009.04.09 -
    Symantec 1.4.4.12 2009.04.09 -
    TheHacker 6.3.4.0.303 2009.04.08 -
    TrendMicro 8.700.0.1004 2009.04.08 -
    VBA32 3.12.10.2 2009.04.09 -
    ViRobot 2009.4.7.1684 2009.04.08 -
    VirusBuster 4.6.5.0 2009.04.08 -
    Informações adicionais
    File size: 23 bytes
    MD5...: 9202cc0c2a60dfa102fe112fbc3a842b
    SHA1..: 9c5aea0ffb059040efbeee52951ffaabda423b80
    SHA256: af9b392ae5da8d92638e2d6f2e06b475bfec70f762d1747fc2215dcdfed343bc
    SHA512: 01ae25302a26ebdac95f92ffb4af5ff405fb7226fafcff8a19c90a06c818d9db
    52d24b2eca8fa0f179889dac7409836be84a35ae3f00749b2148bad4931b5e7a
    ssdeep: 3:gbTiR8Xeom:gyR8G
    PEiD..: -
    TrID..: File type identification
    Unknown!
    PEInfo: -
    RDS...: NSRL Reference Data Set

    Arquivo fwpapbrnyuxh.sys recebido em 2009.04.09 01:25:47 (CET)
    Andamento: terminado
    Resultado: 0/40 (0%)
    Modo compacto



    Antivírus Versão Última Atualização Resultado
    a-squared 4.0.0.101 2009.04.09 -
    AhnLab-V3 5.0.0.2 2009.04.08 -
    AntiVir 7.9.0.138 2009.04.08 -
    Antiy-AVL 2.0.3.1 2009.04.08 -
    Authentium 5.1.2.4 2009.04.08 -
    Avast 4.8.1335.0 2009.04.08 -
    AVG 8.5.0.285 2009.04.08 -
    BitDefender 7.2 2009.04.08 -
    CAT-QuickHeal 10.00 2009.04.08 -
    ClamAV 0.94.1 2009.04.09 -
    Comodo 1105 2009.04.08 -
    DrWeb 4.44.0.09170 2009.04.09 -
    eSafe 7.0.17.0 2009.04.07 -
    eTrust-Vet 31.6.6446 2009.04.08 -
    F-Prot 4.4.4.56 2009.04.08 -
    F-Secure 8.0.14470.0 2009.04.08 -
    Fortinet 3.117.0.0 2009.04.08 -
    GData 19 2009.04.08 -
    Ikarus T3.1.1.49.0 2009.04.08 -
    K7AntiVirus 7.10.697 2009.04.08 -
    Kaspersky 7.0.0.125 2009.04.09 -
    McAfee 5578 2009.04.08 -
    McAfee+Artemis 5578 2009.04.08 -
    McAfee-GW-Edition 6.7.6 2009.04.08 -
    Microsoft 1.4502 2009.04.08 -
    NOD32 3995 2009.04.08 -
    Norman 6.00.06 2009.04.08 -
    nProtect 2009.1.8.0 2009.04.08 -
    Panda 10.0.0.14 2009.04.08 -
    PCTools 4.4.2.0 2009.04.08 -
    Prevx1 V2 2009.04.09 -
    Rising 21.24.22.00 2009.04.08 -
    Sophos 4.40.0 2009.04.08 -
    Sunbelt 3.2.1858.2 2009.04.09 -
    Symantec 1.4.4.12 2009.04.09 -
    TheHacker 6.3.4.0.303 2009.04.08 -
    TrendMicro 8.700.0.1004 2009.04.08 -
    VBA32 3.12.10.2 2009.04.09 -
    ViRobot 2009.4.7.1684 2009.04.08 -
    VirusBuster 4.6.5.0 2009.04.08 -
    Informações adicionais
    File size: 8576 bytes
    MD5...: d7dbfbc453b645111e6d21142305e80b
    SHA1..: e134b78030cfca8dbfd0af144193fc445db86572
    SHA256: 0365a5d0d05ebd882978100f0f0f755b43ba256464e335b2f8a2b0dcc4f84487
    SHA512: 80d26ec9e58f5f1a7314546e5776bcd1687f6dde63b0c798c2c611e083faf191
    4f9518f7873b825192c4b5b4a9e2ec0ac92c51b10571dc51e5dd9ae075d8c9f0
    ssdeep: 192:gyg/ycpyDnwYS8McuH8auaRMGW+I929iD0nu5:gZ/VpyDnYH/uWeuh
    PEiD..: -
    TrID..: File type identification
    Clipper DOS Executable (33.3%)
    Generic Win/DOS Executable (33.0%)
    DOS Executable Generic (33.0%)
    VXD Driver (0.5%)
    Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0xe56
    timedatestamp.....: 0x466916f2 (Fri Jun 08 08:44:34 2007)
    machinetype.......: 0x14c (I386)

    ( 6 sections )
    name viradd virsiz rawdsiz ntrpy md5
    .text 0x480 0x1050 0x1080 6.31 4d29dbd0afe43be0a601f147ff2baee6
    .rdata 0x1500 0x194 0x200 3.12 7e40ffb0e0a2a150c0869a11af5513c7
    .data 0x1700 0x225 0x280 2.01 9456ca564508fe29132d6fd3865aaec0
    INIT 0x1980 0x20a 0x280 4.39 b30759fccbe2d047557b63d5c8ef4835
    .rsrc 0x1c00 0x390 0x400 2.99 87241b17bb1235a94f602c2c4984a980
    .reloc 0x2000 0x122 0x180 4.57 363ca49c5554f4652b1bfcef2bed3a67

    ( 1 imports )
    > ntoskrnl.exe: IoDeleteDevice, IofCompleteRequest, PsLookupProcessByProcessId, ObfDereferenceObject, ObOpenObjectByPointer, PsProcessType, SeDeleteAccessState, PsLookupProcessThreadByCid, SeCreateAccessState, _except_handler3, MmGetSystemRoutineAddress, RtlInitUnicodeString, PsGetVersion, MmIsAddressValid, PsThreadType, _local_unwind2, IoCreateDevice, wcsncat, wcsncpy

    ( 0 exports )
    RDS...: NSRL Reference Data Set

    Arquivo usgqslpkoslh.sys recebido em 2009.04.09 01:29:01 (CET)
    Andamento: terminado
    Resultado: 0/40 (0%)
    Modo compacto



    Antivírus Versão Última Atualização Resultado
    a-squared 4.0.0.101 2009.04.09 -
    AhnLab-V3 5.0.0.2 2009.04.08 -
    AntiVir 7.9.0.138 2009.04.08 -
    Antiy-AVL 2.0.3.1 2009.04.08 -
    Authentium 5.1.2.4 2009.04.08 -
    Avast 4.8.1335.0 2009.04.08 -
    AVG 8.5.0.285 2009.04.08 -
    BitDefender 7.2 2009.04.08 -
    CAT-QuickHeal 10.00 2009.04.08 -
    ClamAV 0.94.1 2009.04.09 -
    Comodo 1105 2009.04.08 -
    DrWeb 4.44.0.09170 2009.04.09 -
    eSafe 7.0.17.0 2009.04.07 -
    eTrust-Vet 31.6.6446 2009.04.08 -
    F-Prot 4.4.4.56 2009.04.08 -
    F-Secure 8.0.14470.0 2009.04.08 -
    Fortinet 3.117.0.0 2009.04.08 -
    GData 19 2009.04.08 -
    Ikarus T3.1.1.49.0 2009.04.08 -
    K7AntiVirus 7.10.697 2009.04.08 -
    Kaspersky 7.0.0.125 2009.04.09 -
    McAfee 5578 2009.04.08 -
    McAfee+Artemis 5578 2009.04.08 -
    McAfee-GW-Edition 6.7.6 2009.04.08 -
    Microsoft 1.4502 2009.04.08 -
    NOD32 3995 2009.04.08 -
    Norman 6.00.06 2009.04.08 -
    nProtect 2009.1.8.0 2009.04.08 -
    Panda 10.0.0.14 2009.04.08 -
    PCTools 4.4.2.0 2009.04.08 -
    Prevx1 V2 2009.04.09 -
    Rising 21.24.22.00 2009.04.08 -
    Sophos 4.40.0 2009.04.08 -
    Sunbelt 3.2.1858.2 2009.04.09 -
    Symantec 1.4.4.12 2009.04.09 -
    TheHacker 6.3.4.0.303 2009.04.08 -
    TrendMicro 8.700.0.1004 2009.04.08 -
    VBA32 3.12.10.2 2009.04.09 -
    ViRobot 2009.4.7.1684 2009.04.08 -
    VirusBuster 4.6.5.0 2009.04.08 -
    Informações adicionais
    File size: 8576 bytes
    MD5...: d7dbfbc453b645111e6d21142305e80b
    SHA1..: e134b78030cfca8dbfd0af144193fc445db86572
    SHA256: 0365a5d0d05ebd882978100f0f0f755b43ba256464e335b2f8a2b0dcc4f84487
    SHA512: 80d26ec9e58f5f1a7314546e5776bcd1687f6dde63b0c798c2c611e083faf191
    4f9518f7873b825192c4b5b4a9e2ec0ac92c51b10571dc51e5dd9ae075d8c9f0
    ssdeep: 192:gyg/ycpyDnwYS8McuH8auaRMGW+I929iD0nu5:gZ/VpyDnYH/uWeuh
    PEiD..: -
    TrID..: File type identification
    Clipper DOS Executable (33.3%)
    Generic Win/DOS Executable (33.0%)
    DOS Executable Generic (33.0%)
    VXD Driver (0.5%)
    Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0xe56
    timedatestamp.....: 0x466916f2 (Fri Jun 08 08:44:34 2007)
    machinetype.......: 0x14c (I386)

    ( 6 sections )
    name viradd virsiz rawdsiz ntrpy md5
    .text 0x480 0x1050 0x1080 6.31 4d29dbd0afe43be0a601f147ff2baee6
    .rdata 0x1500 0x194 0x200 3.12 7e40ffb0e0a2a150c0869a11af5513c7
    .data 0x1700 0x225 0x280 2.01 9456ca564508fe29132d6fd3865aaec0
    INIT 0x1980 0x20a 0x280 4.39 b30759fccbe2d047557b63d5c8ef4835
    .rsrc 0x1c00 0x390 0x400 2.99 87241b17bb1235a94f602c2c4984a980
    .reloc 0x2000 0x122 0x180 4.57 363ca49c5554f4652b1bfcef2bed3a67

    ( 1 imports )
    > ntoskrnl.exe: IoDeleteDevice, IofCompleteRequest, PsLookupProcessByProcessId, ObfDereferenceObject, ObOpenObjectByPointer, PsProcessType, SeDeleteAccessState, PsLookupProcessThreadByCid, SeCreateAccessState, _except_handler3, MmGetSystemRoutineAddress, RtlInitUnicodeString, PsGetVersion, MmIsAddressValid, PsThreadType, _local_unwind2, IoCreateDevice, wcsncat, wcsncpy

    ( 0 exports )
    RDS...: NSRL Reference Data Set
     
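    The four VirusTotal results above are worth reading together rather than one at a time: the three randomly named drivers carry the same MD5 (one file, three names), all score 0/40, and all import the ntoskrnl routines a driver uses to look up and open other processes. The following script is an added example (not code from the forum, the user, or VirusTotal) that parses pasted results in this Portuguese-labelled layout and reports those cross-file observations. Its sample input is condensed from the four results above (same names, sizes, hashes and import list; unused detail rows dropped); the "random name" test is a vowel-ratio heuristic and the import list is a triage hint, both labelled as such in the code.

```python
import re
from collections import defaultdict

# Sample input condensed from the four VirusTotal results pasted above (same file
# names, sizes, hashes and ntoskrnl import list; rows the checks do not use were dropped).
SAMPLE_REPORTS = """\
Arquivo qkudbhriohqs.sys recebido em 2009.04.09 01:21:07 (CET)
Resultado: 0/40 (0%)
File size: 8576 bytes
MD5...: d7dbfbc453b645111e6d21142305e80b
( 1 imports )
> ntoskrnl.exe: IoDeleteDevice, IofCompleteRequest, PsLookupProcessByProcessId, ObfDereferenceObject, ObOpenObjectByPointer, PsProcessType, SeDeleteAccessState, PsLookupProcessThreadByCid, SeCreateAccessState, _except_handler3, MmGetSystemRoutineAddress, RtlInitUnicodeString, PsGetVersion, MmIsAddressValid, PsThreadType, _local_unwind2, IoCreateDevice, wcsncat, wcsncpy
Arquivo dadaaaa0_x.dll recebido em 2009.04.09 02:20:31 (CET)
Resultado: 0/40 (0%)
File size: 23 bytes
MD5...: 9202cc0c2a60dfa102fe112fbc3a842b
PEInfo: -
Arquivo fwpapbrnyuxh.sys recebido em 2009.04.09 01:25:47 (CET)
Resultado: 0/40 (0%)
File size: 8576 bytes
MD5...: d7dbfbc453b645111e6d21142305e80b
( 1 imports )
> ntoskrnl.exe: IoDeleteDevice, IofCompleteRequest, PsLookupProcessByProcessId, ObfDereferenceObject, ObOpenObjectByPointer, PsProcessType, SeDeleteAccessState, PsLookupProcessThreadByCid, SeCreateAccessState, _except_handler3, MmGetSystemRoutineAddress, RtlInitUnicodeString, PsGetVersion, MmIsAddressValid, PsThreadType, _local_unwind2, IoCreateDevice, wcsncat, wcsncpy
Arquivo usgqslpkoslh.sys recebido em 2009.04.09 01:29:01 (CET)
Resultado: 0/40 (0%)
File size: 8576 bytes
MD5...: d7dbfbc453b645111e6d21142305e80b
( 1 imports )
> ntoskrnl.exe: IoDeleteDevice, IofCompleteRequest, PsLookupProcessByProcessId, ObfDereferenceObject, ObOpenObjectByPointer, PsProcessType, SeDeleteAccessState, PsLookupProcessThreadByCid, SeCreateAccessState, _except_handler3, MmGetSystemRoutineAddress, RtlInitUnicodeString, PsGetVersion, MmIsAddressValid, PsThreadType, _local_unwind2, IoCreateDevice, wcsncat, wcsncpy
"""

# Kernel routines that let a driver find and open other processes or threads.
# Legitimate security drivers use them too, so a match is a triage hint, not a verdict.
PROCESS_INSPECTION_IMPORTS = {
    "PsLookupProcessByProcessId", "PsLookupProcessThreadByCid",
    "ObOpenObjectByPointer", "MmIsAddressValid", "MmGetSystemRoutineAddress",
}

VOWELS = set("aeiou")


def parse_reports(text):
    """Split pasted VirusTotal text (Portuguese 'Arquivo ... recebido em' header) into one dict per file."""
    reports = []
    for block in re.split(r"(?m)^Arquivo\s+", text)[1:]:
        name = block.split(" recebido", 1)[0].strip()
        result = re.search(r"Resultado:\s*(\d+)/(\d+)", block)
        size = re.search(r"File size:\s*(\d+)", block)
        md5 = re.search(r"MD5\.*:\s*([0-9a-fA-F]{32})", block)
        imports = []
        for line in block.splitlines():
            if line.startswith("> ") and ":" in line:          # "> ntoskrnl.exe: A, B, C"
                imports.extend(s.strip() for s in line.split(":", 1)[1].split(",") if s.strip())
        reports.append({
            "name": name,
            "detections": int(result.group(1)) if result else None,
            "engines": int(result.group(2)) if result else None,
            "size": int(size.group(1)) if size else None,
            "md5": md5.group(1).lower() if md5 else None,
            "imports": imports,
        })
    return reports


def looks_random(filename, min_len=10, max_vowel_ratio=0.3):
    """Heuristic (assumption, not a rule): a long all-letter stem with very few vowels."""
    stem = filename.rsplit(".", 1)[0]
    if len(stem) < min_len or not re.fullmatch(r"[a-z]+", stem):
        return False
    return sum(c in VOWELS for c in stem) / len(stem) < max_vowel_ratio


def triage(reports):
    """Cross-file observations a reviewer would want before accepting a 0/N score as clean."""
    by_md5 = defaultdict(list)
    for r in reports:
        if r["md5"]:
            by_md5[r["md5"]].append(r["name"])
    return {
        # One binary under several names: the three drivers above share a hash
        "duplicate_hashes": {h: names for h, names in by_md5.items() if len(names) > 1},
        "random_names": [r["name"] for r in reports if looks_random(r["name"])],
        "undetected_drivers": [r["name"] for r in reports
                               if r["name"].lower().endswith(".sys") and r["detections"] == 0],
        "process_inspection": {r["name"]: sorted(PROCESS_INSPECTION_IMPORTS & set(r["imports"]))
                               for r in reports if PROCESS_INSPECTION_IMPORTS & set(r["imports"])},
    }


if __name__ == "__main__":
    for key, value in triage(parse_reports(SAMPLE_REPORTS)).items():
        print(f"{key}: {value}")
```

Run as-is, it reports the single shared MD5 with its three file names, lists all three drivers as randomly named and undetected, and shows the process-inspection imports each one carries; the 23-byte DLL, which has no PE structure, triggers none of the checks. A zero detection count on a multi-engine scan says only that no signature matched on that date; identical content under several random names in the drivers directory is the kind of context the count alone does not convey.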
  17. 2009/04/08
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Welcome back

    Can you translate this for me?
    Atualização Resultado

    It appears those files came back clean.



    Please download ATF Cleaner by Atribune From Here and save it to your Desktop.
    Follow the instructions for the browser you use.
    Read the instructions about the cookies. Delete what you do not need.

    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:
    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Java Cache

    The rest are optional - if you want to remove the lot, check "Select All ".
    Finally click Empty Selected. When you get the "Done Cleaning " message, click OK.
    If you use the Firefox or Opera browsers, you can use this program
    as a quick way to tidy those up as well.
    When you have finished, click on the Exit button in the Main menu.
    ========================



    NEXT**
    I'd like for you to run this next online scan to check for remnants or anything that might be hidden.
    The below scan can take up to an hour or longer, please be patient.

    *Note
    It is recommended to disable onboard antivirus and antispyware programs while performing scans so there are no conflicts and to speed up scan time.
    Please don't go surfing while your resident protection is disabled!
    Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.


    Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

    Other available links
    Kaspersky Online Scanner or from here
    http://www.kaspersky.com/virusscanner

    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

    Click on the Accept button and install any components it needs.

    • The program will install and then begin downloading the latest definition files.
    • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
    • This will start the program and scan your system.
    • The scan will take a while, so be patient and let it run. (At times it may appear to stall)
      * Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
      * Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
      * Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
    • Once the scan is complete, click on View scan report To obtain the report:
    Click on: Save Report As
    Next, in the Save as prompt, Save in area, select: Desktop
    In the File name area, use KScan, or something similar. In Save as type, click the drop arrow and select:
    Text file [*.txt]
    Then, click: Save
    Please post the Kaspersky Online Scanner Report in
    your reply.

    Animated tutorial
    http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif

    (Note for Internet Explorer 7 users:
    If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.)
    Or use Firefox with IE-Tab plugin
    https://addons.mozilla.org/en-US/firefox/addon/1419


    In your next reply post:
    Kaspersky log
    New HJT log taken after the above scans have run


    You may need several replies to post the requested logs, otherwise they might get cut off.
     
  18. 2009/04/08
    Jose Pinho

    Jose Pinho Inactive Thread Starter

    Joined:
    2009/04/03
    Messages:
    27
    Likes Received:
    0
    Juliet,

    I have run ATF and the Kaspersky Online Scan (my favorite online scanner) and the report says the PC is clean. But it also said that before I asked for support from this forum.
    Here is the Scan Report.
    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7 REPORT
    Wednesday, April 8, 2009
    Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Thursday, April 09, 2009 02:11:18
    Records in database: 2025305
    --------------------------------------------------------------------------------

    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes

    Scan area - My Computer:
    A:\
    C:\
    D:\
    E:\

    Scan statistics:
    Files scanned: 25637
    Threat name: 0
    Infected objects: 0
    Suspicious objects: 0
    Duration of the scan: 00:19:32

    No malware has been detected. The scan area is clean.

    The selected area was scanned.
     
  19. 2009/04/08
    Jose Pinho

    Jose Pinho Inactive Thread Starter

    Joined:
    2009/04/03
    Messages:
    27
    Likes Received:
    0
    Oops! I forgot to answer your question about (Última) Atualização and Resultado. It seems the report layout changes when copied/pasted in here. (Última) Atualização means (Latest) Update, and Resultado means Results (and the symbol -, I guess, means no problem detected). It seems applications read the OS language file and put some information in the user's OS language. Sorry about that.
     
  20. 2009/04/09
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Welcome back


    How's the computer now?
     
  21. 2009/04/09
    Jose Pinho

    Jose Pinho Inactive Thread Starter

    Joined:
    2009/04/03
    Messages:
    27
    Likes Received:
    0
    It seems fine, except for four points I'd like to ask you how to handle:

    1. I have not gone back to the default setup for
    a) Hidden files and folders
    b) Hide protected operating system files
    c) Hide files extensions for known ...
    Should I return those to their default conditions now, or am I already behind schedule?

    2. Is there any thing we should do with quarantined files and folders?

    3. If we are done with the malware that was managing my PC, how do I uninstall the programs used for cleaning it up? (ComboFix, Windows Recovery Console, HijackThis, and ATF)
    4. When accessing my bank's site this morning, although I could enter its web page, when I typed the agency number and account number and then OK, after about 3 seconds I got a dialog box from Internet Explorer asking me to type those numbers again. So I did not even have access to the screen that asks for the password. Any possible effect of so hard a cleaning of the registry and files?
     