
Solved BIT1.tmp appears consistently at temp folder

Discussion in 'Malware and Virus Removal Archive' started by Jose Pinho, 2009/04/25.

  1. 2009/04/25
    Jose Pinho


    Hello again,

    Three weeks ago, I was helped to get rid of the BIT138.tmp file. It is back again. It appears at C:\Documents and Settings\JCP\Local Configurations\temp every time I connect to the internet, though I have Sygate firewall and free Avast antivirus. Size is 35542 k. Initial verification indicated I had hidec.exe in the System32 folder. I removed it, deactivated System Restore and reactivated it. It did not solve the problem.
    Here are the DDS scanning result reports.

    1. DDS.txt

    DDS (Ver_09-03-16.01) - NTFSx86
    Run by JCP at 10:21:04,84 on sáb 25/04/2009
    Internet Explorer: 6.0.2900.5512
    Microsoft Windows XP Professional 5.1.2600.3.1252.55.1046.18.1015.647 [GMT -3:00]

    AV: avast! antivirus 4.8.1335 [VPS 090425-0] *On-access scanning enabled* (Updated)
    FW: Sygate Personal Firewall Pro *enabled*

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
    C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\Explorer.EXE
    C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
    C:\Arquivos de programas\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\wbem\wmiapsrv.exe
    C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
    C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
    C:\Arquivos de programas\Sygate\SPF\smc.exe
    C:\Documents and Settings\JCP\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.estadao.com.br/
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\arquivos de programas\arquivos comuns\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\arquivos de programas\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\arquivos de programas\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: {8B79EE88-E62D-4AA8-B530-CC357BA112B7} - No File
    mRun: [SmcService] c:\arquiv~1\sygate\spf\smc.exe -startgui
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [avast!] c:\arquiv~1\alwils~1\avast4\ashDisp.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRunOnce: [Malwarebytes' Anti-Malware] c:\arquivos de programas\malwarebytes' anti-malware\mbamgui.exe /install /silent
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    IE: E&xportar para o Microsoft Excel - c:\arquiv~1\micros~2\office11\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\arquivos de programas\messenger\msmsgs.exe
    IE: {88CFA58B-A63F-4A94-9C54-0C7A58E3333E} - {17A84966-F1E9-4645-AA9E-5E771EE1C859} - c:\arquiv~1\nuclea~1\videoget\plugins\VIDEOG~1.DLL
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\arquiv~1\micros~2\office11\REFIEBAR.DLL
    DPF: Microsoft XML Parser for Java
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://javadl.sun.com/webapps/download/AutoDL?BundleId=29223
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    TCP: {AADAB204-BDFF-4544-90D4-6DCD473BA6F5} = 208.67.222.222,208.67.220.220
    Notify: igfxcui - igfxdev.dll

    ============= SERVICES / DRIVERS ===============

    R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-5-23 114768]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-5-23 20560]
    R2 avast! Antivirus;avast! Antivirus;c:\arquivos de programas\alwil software\avast4\ashServ.exe [2008-5-23 138680]
    R3 AtcL002;NDIS Miniport Driver for Atheros L2 Fast Ethernet Controller;c:\windows\system32\drivers\l251x86.sys [2008-5-23 29696]
    R3 avast! Mail Scanner;avast! Mail Scanner;c:\arquivos de programas\alwil software\avast4\ashMaiSv.exe [2008-5-23 254040]
    R3 avast! Web Scanner;avast! Web Scanner;c:\arquivos de programas\alwil software\avast4\ashWebSv.exe [2008-5-23 352920]
    R3 DCamUSBTP10;iP2937 USB Camera;c:\windows\system32\drivers\iP293x.SYS [2008-6-22 232320]
    S4 vsdatant;vsdatant; [x]

    =============== Created Last 30 ================

    2009-04-25 09:58 <DIR> --d----- c:\docume~1\jcp\dadosd~1\Malwarebytes
    2009-04-25 09:58 <DIR> --d----- c:\docume~1\alluse~1\dadosd~1\Malwarebytes
    2009-04-25 09:58 <DIR> --d----- c:\arquivos de programas\Malwarebytes' Anti-Malware
    2009-04-16 20:12 1,670 a------- c:\windows\system32\PerfStringBackup.TMP
    2009-04-08 19:29 <DIR> a-dshr-- C:\cmdcons
    2009-04-07 19:44 <DIR> --d----- c:\windows\system32\pt-br
    2009-04-07 19:44 <DIR> --d----- c:\windows\system32\bits
    2009-04-07 19:44 <DIR> --d----- c:\windows\l2schemas
    2009-04-07 19:42 <DIR> --d----- c:\windows\ServicePackFiles
    2009-04-07 19:41 <DIR> --d----- c:\windows\network diagnostic
    2009-04-07 19:29 64,352 -------- c:\windows\system32\drivers\ativmc20.cod
    2009-04-05 10:03 <DIR> --d----- c:\arquivos de programas\VITSOFT
    2009-04-03 23:19 <DIR> --d----- c:\windows\system32\PreInstall
    2009-04-03 23:15 <DIR> --d----- c:\windows\system32\SoftwareDistribution
    2009-04-03 02:26 60 a------- c:\windows\wininit.ini
    2009-04-03 00:12 8,576 a------- c:\windows\system32\drivers\qkudbhriohqs.sys
    2009-04-01 10:42 8,576 a------- c:\windows\system32\drivers\fwpapbrnyuxh.sys
    2009-03-31 11:21 8,576 a------- c:\windows\system32\drivers\usgqslpkoslh.sys
    2009-03-29 21:33 73,728 a------- c:\windows\system32\javacpl.cpl
    2009-03-28 09:14 <DIR> --d----- c:\arquivos de programas\VDOWNLOADER

    ==================== Find3M ====================

    2009-04-16 20:12 344,724 a------- c:\windows\system32\perfh016.dat
    2009-04-16 20:12 48,744 a------- c:\windows\system32\perfc016.dat
    2009-03-29 21:33 410,984 a------- c:\windows\system32\deploytk.dll
    2008-12-08 15:02 23 a--sh--- c:\windows\system32\dadaaaa0_x.dll

    ============= FINISH: 10:21:13,70 ===============

    2. Attach.txt

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-03-16.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 23/5/2008 16:45:15
    System Uptime: 25/4/2009 09:13:04 (1 hours ago)

    Motherboard: ASUSTeK Computer INC. | | P5GC-MX/1333
    Processor: Intel(R) Pentium(R) Dual CPU E2180 @ 2.00GHz | LGA 775 | 1999/200mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 149 GiB total, 143,867 GiB free.
    D: is FIXED (NTFS) - 75 GiB total, 73,31 GiB free.
    E: is CDROM ()

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    No restore point in system.

    ==== Installed Programs ======================

    Adobe Flash Player 10 ActiveX
    Adobe Reader 9 Lite
    Adobe Shockwave Player
    Arquivo do WinRAR
    Atheros Communications Inc.(R) L2 Fast Ethernet Driver
    µTorrent
    Atualização de Segurança para Windows XP (KB958644)
    avast! Antivirus
    Babylon
    Dic Michaelis - UOL
    ffdshow [rev 2460] [2008-12-09]
    FineCount 2.0
    High Definition Audio Driver Package - KB888111
    Intel(R) Graphics Media Accelerator Driver
    iPassion PC Camera Driver
    Java(TM) 6 Update 13
    Kaspersky Online Scanner
    Microsoft Office Professional Edição 2003
    Nero 7 Essentials
    Pacote de Driver do Windows - iPassion iP293x PC-Camera Driver (01/01/2007 6.0.0.1)
    PDF to Word
    PDFZilla V1.0.7
    Real Alternative 1.8.2
    Realtek High Definition Audio Driver
    Skype™ 4.0
    SMPlayer 0.6.7
    Some PDF Image Extractr 1.1
    Some PDF to Word Converter 1.2
    Sygate Personal Firewall Pro
    VDownloader 0.81
    VideoGet
    Vit Registry Fix 9.5 (remove only)
    WebFldrs XP
    Windows Live Messenger
    Windows Media Format Runtime
    Windows XP Service Pack 3
     
  2. 2009/04/25
    Admin.

    I see you have P2P software ( Limewire, BitTorrent uTorrent etc… ) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

    Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares and their infections.

    References for the risk of these programs are here, here and here.

    I would strongly recommend that you uninstall them; however, that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

    Note: Please be advised that continued use of these programs after being warned of the danger of infections from them may result in the discontinued help of future cleaning of your system here at Windowsbbs Virus and Spyware removal.
     


  4. 2009/04/25
    Jose Pinho

    Based on your comments and those in the linked pages (the second one leads to an article that is no longer available, according to the site), I have uninstalled uTorrent, VDownloader and VideoGet. As additional information, I have not used these applications since March 24th. All appearances of BIT.tmp occurrences are dated April 7th and April 24th.
    I have checked the temp folder and BIT1.tmp is no longer there.
    Do you think we should follow with the application of other tools?
     
  5. 2009/04/30
    Jose Pinho

    Despite the deletion of the P2P programs, yesterday the BIT.tmp file reappeared, this time under the name BIT30.tmp. Removing it was simple: I just right-clicked it and deleted it. No more occurrences until now.
     
  6. 2009/04/30
    Juliet

    Hi Jose, sorry for the delay.

    BITS (Background Intelligent Transfer Service).
    One of your programs might be creating those BIT*.tmp files. Can you upload one or two of them to http://virusscan.jotti.org and see what it reports back?

    I know we previously had the files below scanned; they still look malicious to me.
    Could you please upload each again and post the report?

    c:\windows\system32\drivers\qkudbhriohqs.sys

    c:\windows\system32\drivers\fwpapbrnyuxh.sys

    c:\windows\system32\drivers\usgqslpkoslh.sys

    I see MBAM on your computer, was the last scan clean?
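    The BITS explanation above, as an added example that is not part of the thread: a PowerShell triage script (assumes Windows 7 or later with PowerShell 3+, the BitsTransfer module and an elevated shell) that lists BIT*.tmp files in the temp folders, tests whether each is still locked, and matches them to the BITS jobs targeting that folder so the owning account and download URL can be identified.

```powershell
# Added example, not code from the thread: correlate BIT*.tmp files in temp
# folders with the BITS jobs that create them.
# Assumptions: Windows 7 or later with PowerShell 3+ and the BitsTransfer
# module; run elevated so -AllUsers can see jobs owned by SYSTEM and other
# accounts. On Windows XP the nearest equivalent is
#   bitsadmin /list /allusers /verbose

Import-Module BitsTransfer

function Test-FileLocked {
    # BITS keeps its temp file open while the job is active or suspended, which
    # is why a first delete attempt fails with "in use by another user".
    param([string]$Path)
    try {
        $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'None')
        $fs.Close()
        return $false
    } catch [System.IO.IOException] {
        return $true
    }
}

function Get-BitsTempFiles {
    # BITS downloads into BIT<hex>.tmp in the directory of the job's LocalName
    # and renames it on completion, so a BIT*.tmp sits beside its final target.
    # Look in the current user's temp, the system temp and every profile temp.
    $roots = @($env:TEMP, "$env:SystemRoot\Temp") +
             @(Get-ChildItem "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
               ForEach-Object { Join-Path $_.FullName 'AppData\Local\Temp' })
    foreach ($root in ($roots | Where-Object { $_ -and (Test-Path $_) } | Sort-Object -Unique)) {
        Get-ChildItem -Path $root -Filter 'BIT*.tmp' -File -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Path    = $_.FullName
                    SizeMB  = [math]::Round($_.Length / 1MB, 1)
                    Created = $_.CreationTime
                    Locked  = Test-FileLocked $_.FullName
                }
            }
    }
}

function Get-BitsJobReport {
    # One row per file in each BITS job: owner, state, source URL and the
    # destination the finished file will be renamed to.
    Get-BitsTransfer -AllUsers -ErrorAction SilentlyContinue | ForEach-Object {
        $job = $_
        foreach ($f in $job.FileList) {
            [pscustomobject]@{
                JobName   = $job.DisplayName
                Owner     = $job.OwnerAccount
                State     = $job.JobState
                Created   = $job.CreationTime
                RemoteUrl = $f.RemoteName
                LocalName = $f.LocalName
                Progress  = '{0}/{1} bytes' -f $f.BytesTransferred, $f.BytesTotal
            }
        }
    }
}

$tempFiles = @(Get-BitsTempFiles)
$jobs      = @(Get-BitsJobReport)

'== BIT*.tmp files =='
$tempFiles | Format-Table -AutoSize

'== BITS jobs (all users) =='
$jobs | Format-Table -AutoSize

# A temp file whose folder matches a job's destination folder belongs to that
# job; its owner account and RemoteUrl name the program doing the download.
# A BIT*.tmp with no matching job and not locked is a leftover from a job that
# finished, was cancelled, or whose owning process has exited.
'== Correlation =='
foreach ($t in $tempFiles) {
    $dir    = Split-Path $t.Path -Parent
    $owners = @($jobs | Where-Object { (Split-Path $_.LocalName -Parent) -ieq $dir })
    if ($owners.Count -gt 0) {
        $desc = ($owners | ForEach-Object { "$($_.JobName) [$($_.Owner)] $($_.RemoteUrl)" }) -join '; '
    } else {
        $desc = 'no current BITS job targets this folder'
    }
    '{0} ({1} MB, locked={2}) <- {3}' -f $t.Path, $t.SizeMB, $t.Locked, $desc
}
```

    A file that is large, locked and tied to a job owned by a known updater account is ordinary BITS traffic; an unlocked leftover with no job, or a job whose RemoteUrl is unexpected, is what merits the multi-engine scan the thread goes on to request.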
     
  7. 2009/05/03
    Jose Pinho

    For fw......uxh.sys, nothing was found. See below.

    Scan taken on 03 May 2009 20:11:44 (GMT)
    A-Squared Found nothing
    AntiVir Found nothing
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found nothing
    BitDefender Found nothing
    ClamAV Found nothing
    CPsecure Found nothing
    Dr.Web Found nothing
    F-Prot Antivirus Found nothing
    F-Secure Anti-Virus Found nothing
    Ikarus Found nothing
    Kaspersky Anti-Virus Found nothing
    NOD32 Found nothing
    Norman Virus Control Found nothing
    Panda Antivirus Found nothing
    Quick Heal Found nothing
    Sophos Antivirus Found nothing
    VirusBuster Found nothing
    VBA32 Found nothing

    For qku ......hqs.sys, nothing found. See below.

    Scan taken on 03 May 2009 20:15:06 (GMT)
    A-Squared Found nothing
    AntiVir Found nothing
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found nothing
    BitDefender Found nothing
    ClamAV Found nothing
    CPsecure Found nothing
    Dr.Web Found nothing
    F-Prot Antivirus Found nothing
    F-Secure Anti-Virus Found nothing
    Ikarus Found nothing
    Kaspersky Anti-Virus Found nothing
    NOD32 Found nothing
    Norman Virus Control Found nothing
    Panda Antivirus Found nothing
    Quick Heal Found nothing
    Sophos Antivirus Found nothing
    VirusBuster Found nothing

    For usg......slh.sys, nothing was found either. See below.

    Scan taken on 03 May 2009 20:18:03 (GMT)
    A-Squared Found nothing
    AntiVir Found nothing
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found nothing
    BitDefender Found nothing
    ClamAV Found nothing
    CPsecure Found nothing
    Dr.Web Found nothing
    F-Prot Antivirus Found nothing
    F-Secure Anti-Virus Found nothing
    Ikarus Found nothing
    Kaspersky Anti-Virus Found nothing
    NOD32 Found nothing
    Norman Virus Control Found nothing
    Panda Antivirus Found nothing
    Quick Heal Found nothing
    Sophos Antivirus Found nothing
    VirusBuster Found nothing
    VBA32 Found nothing

    Last MBAM scan was clean. I will run it again, and post the results here.
     
  8. 2009/05/03
    Jose Pinho

    Hi Juliet,
    No need to be sorry, you are helping me and a bunch of other people. So I, like everybody else, have to wait in line for my turn. Sorry for the delay, this last Friday was a holiday (Labour Day).
    I have also run MBAM, in Complete scan mode, but got a clean report. The only thing reported was that Windows Security is OFF, and I keep it that way because I prefer Sygate for firewall services and Avast for antivirus. I presume the Windows applications for these services are not updated frequently.
     
  9. 2009/05/04
    Juliet

    I do the same.

    Please give me an update on how the computer is at the moment.
     
  10. 2009/05/04
    Jose Pinho

    I am still seeing instances of BIT1.tmp from time to time. I am able to remove the file, most of the time only on the second try. The first try returns the information that the file cannot be removed because it is being used by another user. At this very moment the file is not seen in C:\Documents and Settings\JCP\Local Configurations\temp.
    I have considered scanning BIT1.tmp, but its size (always 34.7 MB) does not allow me to send it to Virscan.org (maximum size is 10 MB).
    Note: Anyway, I do not notice any abnormal behavior of the system. My concern is whether this is doing some type of stealth activity or is part of an application (I found the file too big for this).
     
  11. 2009/05/04
    Juliet

    Wish I had the magic answer.......

    Let's try ComboFix one more time and see if we get any hits.

    Download ComboFix from any of the links below.
    Save it to your desktop.

    Link 1
    Link 2
    Link 3

    -------------------------------
    Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
    (Click on this link to see a list of programs that should be disabled.)
    http://www.bleepingcomputer.com/forums/topic114351.html

    Double click on Combo-Fix.exe & follow the prompts.

    ** Please Note:
    At times ComboFix may appear to stall, please be patient.
    • When finished, it will produce a report for you.
    • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.

    Please only run the tool once, ty.

    You may need several replies to post the requested logs, otherwise they might get cut off.
     
  12. 2009/05/04
    Jose Pinho

    Here is the ComboFix log:

    ComboFix 09-04-25.A1 - JCP 04/05/2009 10:36.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.55.1046.18.1015.683 [GMT -3:00]
    Executando de: c:\documents and settings\JCP\Desktop\ComboFix.exe
    AV: avast! antivirus 4.8.1335 [VPS 090504-0] *On-access scanning disabled* (Updated)
    FW: Sygate Personal Firewall Pro *disabled*
    * Criado um novo ponto de restauro
    .
    - MODO DE FUNCIONALIDADE REDUZIDA -
    .

    (((((((((((((((( Arquivos/Ficheiros criados de 2009-06-04 to 2009-5-4 ))))))))))))))))))))))))))))
    .

    2009-04-26 15:23 . 2009-04-27 18:51 -------- d---a-w c:\documents and settings\All Users\Dados de aplicativos\TEMP
    2009-04-25 12:58 . 2009-04-25 12:58 -------- d-----w c:\documents and settings\JCP\Dados de aplicativos\Malwarebytes
    2009-04-07 22:44 . 2009-04-07 22:44 -------- d-----w c:\windows\system32\pt-br
    2009-04-07 22:44 . 2009-04-07 22:44 -------- d-----w c:\windows\system32\bits
    2009-04-07 22:44 . 2009-04-07 22:44 -------- d-----w c:\windows\l2schemas
    2009-04-07 22:42 . 2009-04-07 22:44 -------- d-----w c:\windows\ServicePackFiles
    2009-04-07 22:29 . 2004-07-17 14:36 64352 ------w c:\windows\system32\drivers\ativmc20.cod

    .
    ((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-05-03 23:39 . 2009-03-17 12:22 -------- d-----w c:\documents and settings\JCP\Dados de aplicativos\Skype
    2009-04-30 00:42 . 2001-09-28 12:00 48744 ----a-w c:\windows\system32\perfc016.dat
    2009-04-30 00:42 . 2001-09-28 12:00 344724 ----a-w c:\windows\system32\perfh016.dat
    2009-04-14 17:37 . 2008-05-23 21:00 -------- d-----w c:\arquivos de programas\MSN Messenger
    2009-04-08 23:23 . 2008-05-23 19:48 18240 ----a-w c:\documents and settings\JCP\Configurações locais\Dados de aplicativos\GDIPFONTCACHEV1.DAT
    2009-04-07 22:40 . 2004-08-04 01:59 251696 --sha-r C:\ntldr
    2009-04-05 13:03 . 2009-04-05 13:03 -------- d-----w c:\arquivos de programas\VITSOFT
    2009-04-03 03:39 . 2009-01-18 00:47 -------- d-----w c:\documents and settings\JCP\Dados de aplicativos\uTorrent
    2009-04-03 03:12 . 2009-04-03 03:12 8576 ----a-w c:\windows\system32\drivers\qkudbhriohqs.sys
    2009-04-02 23:30 . 2009-01-13 20:52 -------- d-----w c:\arquivos de programas\PDFZilla
    2009-04-01 13:41 . 2009-04-01 13:42 8576 ----a-w c:\windows\system32\drivers\fwpapbrnyuxh.sys
    2009-03-31 14:19 . 2009-03-31 14:21 8576 ----a-w c:\windows\system32\drivers\usgqslpkoslh.sys
    2009-03-30 00:33 . 2008-12-14 19:58 410984 ----a-w c:\windows\system32\deploytk.dll
    2009-03-30 00:33 . 2009-03-30 00:33 -------- d-----w c:\arquivos de programas\Java
    2009-03-21 11:18 . 2009-03-21 11:18 -------- d-----w c:\arquivos de programas\SMPlayer
    2009-03-17 12:22 . 2009-03-17 12:22 -------- d-----r c:\arquivos de programas\Skype
    2009-03-17 12:22 . 2009-03-17 12:22 -------- d-----w c:\documents and settings\All Users\Dados de aplicativos\Skype
    2008-12-08 18:02 . 2008-12-08 18:02 23 --sha-w c:\windows\system32\dadaaaa0_x.dll
    .

    (((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
    .
    .
    *Nota* entradas vazias e legítimas por defeito não são mostradas.
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SmcService "= "c:\arquiv~1\Sygate\SPF\smc.exe" [2005-06-06 2614496]
    "IgfxTray "= "c:\windows\system32\igfxtray.exe" [2006-10-05 98304]
    "HotKeysCmds "= "c:\windows\system32\hkcmd.exe" [2006-10-05 114688]
    "avast! "= "c:\arquiv~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
    "Persistence "= "c:\windows\system32\igfxpers.exe" [2006-10-05 94208]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE "= "c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify "=dword:00000001
    "UpdatesDisableNotify "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe "=
    "c:\\Arquivos de programas\\MSN Messenger\\livecall.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Arquivos de programas\\Skype\\Phone\\Skype.exe "=

    S1 aswSP;avast! Self Protection; [x]
    S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
    S3 AtcL002;NDIS Miniport Driver for Atheros L2 Fast Ethernet Controller;c:\windows\system32\DRIVERS\l251x86.sys [2007-07-03 29696]
    S3 DCamUSBTP10;iP2937 USB Camera;c:\windows\system32\Drivers\iP293x.sys [2007-10-26 232320]

    .
    .
    ------- Scan Suplementar -------
    .
    uStart Page = hxxp://www.estadao.com.br/
    IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    TCP: {AADAB204-BDFF-4544-90D4-6DCD473BA6F5} = 208.67.222.222,208.67.220.220
    DPF: Microsoft XML Parser for Java
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-05-04 10:36
    Windows 5.1.2600 Service Pack 3 NTFS

    Procurando processos ocultos ...

    Procurando entradas auto inicializáveis ocultas ...

    Procurando ficheiros/arquivos ocultos ...

    Varredura completada com sucesso
    arquivos/ficheiros ocultos: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
    "ImagePath "=" "
    .
    Tempo para conclusão: 2009-05-04 10:37
    ComboFix-quarantined-files.txt 2009-05-04 13:37

    Pré-execução: 13 pasta(s) 154.242.752.512 bytes disponíveis
    Pós execução: 12 pasta(s) 154.234.093.568 bytes disponíveis

    94

    And this is the HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:46:25, on 4/5/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
    C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
    C:\Arquivos de programas\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wbem\wmiapsrv.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
    C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
    C:\Arquivos de programas\Sygate\SPF\smc.exe
    D:\UTILITÁRIOS\HijackThis\HiJackThis.exe
    C:\Arquivos de programas\internet explorer\iexplore.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.estadao.com.br/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: (no name) - {8B79EE88-E62D-4AA8-B530-CC357BA112B7} - (no file)
    O4 - HKLM\..\Run: [SmcService] C:\ARQUIV~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
    O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=29223
    O17 - HKLM\System\CCS\Services\Tcpip\..\{AADAB204-BDFF-4544-90D4-6DCD473BA6F5}: NameServer = 208.67.222.222,208.67.220.220
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe
    O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe
    O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Arquivos de programas\Sygate\SPF\smc.exe

    --
    End of file - 5058 bytes
     
  13. 2009/05/04
    Juliet

    The only other questionable file I can see is
    c:\windows\system32\dadaaaa0_x.dll

    If you will, run that through VirusTotal as well.


    I don't think your bits-temp files are malicious.
    ComboFix searches for bad files and will report them if found.


    Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows and browsers except HijackThis and press fix checked.

    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O3 - Toolbar: (no name) - {8B79EE88-E62D-4AA8-B530-CC357BA112B7} - (no file)

    Reboot to set the registry.


    Post back and please give me an update.
     
  14. 2009/05/04
    Jose Pinho

    Here is the Virus Total report. No malicious code found.
    I now will run HJT and remove both registry entries. I will then send a comment on current status of BIT1.tmp file.

    Arquivo dadaaaa0_x.dll recebido em 2009.05.04 17:53:53 (CET)


    Resultado: 0/40 (0%)


    Antivírus Versão Última Atualização Resultado
    a-squared 4.0.0.101 2009.05.04 -
    AhnLab-V3 5.0.0.2 2009.05.04 -
    AntiVir 7.9.0.160 2009.05.04 -
    Antiy-AVL 2.0.3.1 2009.04.30 -
    Authentium 5.1.2.4 2009.05.04 -
    Avast 4.8.1335.0 2009.05.04 -
    AVG 8.5.0.327 2009.05.04 -
    BitDefender 7.2 2009.05.04 -
    CAT-QuickHeal 10.00 2009.05.04 -
    ClamAV 0.94.1 2009.05.04 -
    Comodo 1149 2009.05.03 -
    DrWeb 4.44.0.09170 2009.05.04 -
    eSafe 7.0.17.0 2009.05.03 -
    eTrust-Vet 31.6.6488 2009.05.04 -
    F-Prot 4.4.4.56 2009.05.04 -
    F-Secure 8.0.14470.0 2009.05.04 -
    Fortinet 3.117.0.0 2009.05.04 -
    GData 19 2009.05.04 -
    Ikarus T3.1.1.49.0 2009.05.04 -
    K7AntiVirus 7.10.723 2009.05.04 -
    Kaspersky 7.0.0.125 2009.05.04 -
    McAfee 5604 2009.05.03 -
    McAfee+Artemis 5604 2009.05.03 -
    McAfee-GW-Edition 6.7.6 2009.05.04 -
    Microsoft 1.4602 2009.05.04 -
    NOD32 4052 2009.05.04 -
    Norman 6.01.05 2009.05.04 -
    nProtect 2009.1.8.0 2009.05.04 -
    Panda 10.0.0.14 2009.05.03 -
    PCTools 4.4.2.0 2009.05.03 -
    Prevx1 3.0 2009.05.04 -
    Rising 21.28.04.00 2009.05.04 -
    Sophos 4.41.0 2009.05.04 -
    Sunbelt 3.2.1858.2 2009.05.03 -
    Symantec 1.4.4.12 2009.05.04 -
    TheHacker 6.3.4.1.318 2009.05.03 -
    TrendMicro 8.950.0.1092 2009.05.04 -
    VBA32 3.12.10.4 2009.05.04 -
    ViRobot 2009.5.4.1719 2009.05.04 -
    VirusBuster 4.6.5.0 2009.05.04 -
    Additional information
    File size: 23 bytes
    MD5...: 9202cc0c2a60dfa102fe112fbc3a842b
    SHA1..: 9c5aea0ffb059040efbeee52951ffaabda423b80
    SHA256: af9b392ae5da8d92638e2d6f2e06b475bfec70f762d1747fc2215dcdfed343bc
    SHA512: 01ae25302a26ebdac95f92ffb4af5ff405fb7226fafcff8a19c90a06c818d9db52d24b2eca8fa0f179889dac7409836be84a35ae3f00749b2148bad4931b5e7a
    ssdeep: 3:gbTiR8Xeom:gyR8G

    PEiD..: -
    TrID..: File type identification
    Unknown!
    PEInfo: -
    PDFiD.: -
    RDS...: NSRL Reference Data Set
     
  15. 2009/05/04
    Jose Pinho

    I have run HJT, did the Fix Checked process, rebooted the machine and ran HJT again, confirming by its log that both entries have been removed.
    Please see the post-Fix Checked and reboot HJT log.
    Still no sign of BIT1.tmp.
    Let's see if it comes back in the next hours or days, unless you have any other action you consider appropriate to take.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 13:12:13, on 4/5/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
    C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
    C:\Arquivos de programas\Java\jre6\bin\jqs.exe
    C:\Arquivos de programas\Sygate\SPF\smc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
    C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\wbem\wmiapsrv.exe
    C:\WINDOWS\system32\wuauclt.exe
    D:\UTILITÁRIOS\HijackThis\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.estadao.com.br/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [SmcService] C:\ARQUIV~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
    O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=29223
    O17 - HKLM\System\CCS\Services\Tcpip\..\{AADAB204-BDFF-4544-90D4-6DCD473BA6F5}: NameServer = 208.67.222.222,208.67.220.220
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe
    O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe
    O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Arquivos de programas\Sygate\SPF\smc.exe

    --
    End of file - 4849 bytes
     
  16. 2009/05/04
    Juliet

    Jose

    Only other thing that comes to mind is to run an online scan.



    Please download ATF Cleaner by Atribune From Here and save it to your Desktop.
    Follow the instructions for the browser you use.
    Read the instructions about the cookies. Delete what you do not need.

    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:
    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Java Cache

    The rest are optional - if you want to remove the lot, check "Select All".
    Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.
    If you use the Firefox or Opera browsers, you can use this program
    as a quick way to tidy those up as well.
    When you have finished, click on the Exit button in the Main menu.
    ========================



    NEXT
    I'd like for you to run this next online scan to check for remnants or anything that might be hidden.
    The below scan can take up to an hour or longer, please be patient.

    *Note
    It is recommended to disable the onboard antivirus and antispyware programs while performing scans, to avoid conflicts and to speed up scan time.
    Please don't go surfing while your resident protection is disabled!
    Once the scan is finished, remember to re-enable resident antivirus protection along with whatever antispyware app you use.


    Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

    Other available link (Kaspersky Online Scanner):
    http://www.kaspersky.com/virusscanner

    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

    Click on the Accept button and install any components it needs.

    • The program will install and then begin downloading the latest definition files.
    • After the files have been downloaded, on the left side of the page in the Scan section select My Computer.
    • This will start the program and scan your system.
    • The scan will take a while, so be patient and let it run. (At times it may appear to stall.)
    • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
    • Once the scan is complete, it will display whether your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
    • Once the scan is complete, click on View scan report. To obtain the report:
      - Click on: Save Report As
      - In the Save as prompt, Save in area, select: Desktop
      - In the File name area, use KScan or something similar
      - In Save as type, click the drop arrow and select: Text file [*.txt]
      - Then click: Save
    • Please post the Kaspersky Online Scanner Report in your reply.

    Animated tutorial
    http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif

    (Note for Internet Explorer 7 users:
    If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.)
    Or use Firefox with the IE-Tab plugin:
    https://addons.mozilla.org/en-US/firefox/addon/1419


    In your next reply post:
    Kaspersky log
    New HJT log taken after the above scans have run


    You may need several replies to post the requested logs, otherwise they might get cut off.
     
  17. 2009/05/04
    Jose Pinho

    After running ATF Cleaner, this is the Kaspersky Online Scanner report:

    KASPERSKY ONLINE SCANNER 7.0 REPORT
    Monday, May 4, 2009
    Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Program database last update: Monday, May 04, 2009 17:42:47
    Records in database: 2129449


    Scan settings
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes

    Scan area: My Computer
    A:\
    C:\
    D:\
    E:\

    Scan statistics
    Files scanned: 22708
    Threat name: 0
    Infected objects: 0
    Suspicious objects: 0
    Duration of the scan: 00:20:02

    No malware has been detected. The scan area is clean.
    The selected area was scanned.

    And the one that follows, is the HJT logfile:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 14:58:55, on 4/5/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
    C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
    C:\Arquivos de programas\Java\jre6\bin\jqs.exe
    C:\Arquivos de programas\Sygate\SPF\smc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wbem\wmiapsrv.exe
    C:\Arquivos de programas\internet explorer\iexplore.exe
    C:\Arquivos de programas\Java\jre6\bin\java.exe
    C:\Arquivos de programas\internet explorer\iexplore.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Arquivos de programas\Outlook Express\msimn.exe
    D:\UTILITÁRIOS\HijackThis\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.estadao.com.br/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [SmcService] C:\ARQUIV~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
    O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=29223
    O17 - HKLM\System\CCS\Services\Tcpip\..\{AADAB204-BDFF-4544-90D4-6DCD473BA6F5}: NameServer = 208.67.222.222,208.67.220.220
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe
    O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe
    O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Arquivos de programas\Sygate\SPF\smc.exe

    --
    End of file - 4942 bytes
     
  18. 2009/05/04
    Juliet

    Hi Jose

    At the moment it appears to be OK.

    Like I mentioned earlier it's possible an application on the machine is causing the temp files.
    I know I don't have anything to verify this but it's my gut feeling.

    We'll leave the topic open for a few days and see how it goes from here.


    Don't miss or skip this next step, this will remove malicious files from quarantine and set a clean restore point.

    • Click START then RUN
    • Now type Combofix /u in the runbox and click OK. Note the space between the x and the /u, it needs to be there.
     
  19. 2009/05/04
    Jose Pinho

    All right. Combofix removed and a brand new Restore point created.
     
  20. 2009/05/04
    Juliet

    Good deal, we'll watch it over the next few days and if anything suspicious happens let me know.
     
  21. 2009/05/13
    Jose Pinho

    Hi Juliet.

    It seems we have a strong candidate for creating BITx.tmp (where x is a number or letter) files.
    It seems to be related to Windows Live Update.
    I have deactivated the Windows Update service, and have not seen the file since then.
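The two findings in this thread that a practitioner would want to check mechanically are the 0/40 VirusTotal result on a 23-byte "dadaaaa0_x.dll" (post 14) and the conclusion that the BITx.tmp files come from Windows Update (post 21). The script below is an added example, not code from the forum or from any tool used in the thread. It tests a file name against the GetTempFileName() scheme Windows uses for the "BIT" prefix (BIT plus one to four hex digits plus .tmp, which is how BITS, the download service behind Windows Update, names an in-progress download), and it checks whether a file's bytes carry DOS/PE headers at all, which is what a 0/40 verdict on a 23-byte ".dll" really tells you: scanners had no code to analyse. The sample bytes are constructed for the example; the real content of the thread's files is not on the page, so the digests printed will not match the VirusTotal report.

```python
"""Offline triage of a stray temp-folder file (added example, not from the thread).

Checks:
  1. Does the file name follow GetTempFileName()'s scheme for a "BIT" prefix?
     BITS (which Windows Update downloads through) names in-progress files
     BIT<hex>.tmp in the user's temp folder.
  2. Do the bytes carry DOS/PE headers?  A 23-byte ".dll" cannot be a PE image,
     so a clean scanner verdict on it says "nothing analysable", not "benign".
"""
import hashlib
import re
import struct

# GetTempFileName(path, "BIT", ...) yields BIT<uuuu>.tmp, uuuu = up to four hex digits.
BITS_TEMP_NAME = re.compile(r"^BIT[0-9A-F]{1,4}\.tmp$", re.IGNORECASE)


def is_bits_style_temp_name(name: str) -> bool:
    """True if `name` matches the temp-file naming scheme used for BITS downloads."""
    return BITS_TEMP_NAME.match(name) is not None


def digests(data: bytes) -> dict:
    """Size and hashes in the form VirusTotal prints under 'Additional information'."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def pe_header_check(data: bytes) -> str:
    """Classify bytes by their headers: 'pe', 'mz-only' or 'not-pe'.

    A DOS header is 0x40 bytes and starts with 'MZ'; e_lfanew at offset 0x3C
    points at the 'PE\\0\\0' signature.  Anything shorter cannot be a PE image.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not-pe"
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
        return "pe"
    return "mz-only"


def triage(name: str, data: bytes) -> dict:
    """Combine the name check and the header check into one record for a sample."""
    record = digests(data)
    record["name"] = name
    record["bits_style_name"] = is_bits_style_temp_name(name)
    record["pe_check"] = pe_header_check(data)
    claims_code = name.lower().endswith((".dll", ".exe", ".sys"))
    # A code extension on something with no PE headers deserves a closer look
    # regardless of the scanner verdict; a BITS-style name points at a download
    # in progress, so the next check is whether BITS/Windows Update is active.
    if claims_code and record["pe_check"] != "pe":
        record["note"] = "extension claims code but no PE headers; scanners had nothing to analyse"
    elif record["bits_style_name"]:
        record["note"] = "BITS-style temp name; check whether BITS/Windows Update is active"
    else:
        record["note"] = "no flag from name or headers"
    return record


# Constructed samples (hypothetical content, not the thread's real files).
JUNK_23_BYTES = b"dadaaaa0_x placeholder!"  # 23 bytes of text, not a PE image
MINIMAL_PE = (
    b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # 0x40-byte DOS header, e_lfanew = 0x40
    + b"PE\0\0" + b"\0" * 20                         # PE signature + empty COFF header
)

if __name__ == "__main__":
    for sample_name, sample in [("dadaaaa0_x.dll", JUNK_23_BYTES), ("BIT1.tmp", MINIMAL_PE)]:
        for key, value in triage(sample_name, sample).items():
            print(f"{key:16}: {value}")
        print()
```

Run it against a real file with `triage(path.name, open(path, "rb").read())`. The name test on its own only says the file is named the way BITS names downloads; the confirming step on the live machine is whether the file appears only while the BITS or Windows Update service is running, which is what post 21 observed by stopping the service.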
     