Topic: Trojan connects to several ip how to remove?

livre1

  • Guest
Trojan connects to several ip how to remove?
« on: July 08, 2009, 05:58:40 AM »
I have malware on my computer that is downloading more malware; I used an application to find which IPs my computer is being connected to.

Could the avast team check whether these IP numbers are infected?

The IPs are:

201.69.155.186

201.69.21.16

I remember that avast detects several malware items; after I connect to the internet again, several other malware items appear.

livre1

  • Guest
Re: Trojan connects to several ip how to remove?
« Reply #1 on: July 08, 2009, 06:43:13 AM »
This image contains several IPs that the application detects as suspicious.
Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3694
  • If at first you don’t succeed; call it version 1.0
Re: Trojan connects to several ip how to remove?
« Reply #2 on: July 08, 2009, 08:58:16 AM »
You realize that Threatfire is reporting system activity here; there is nothing to indicate that the activity is suspicious.
Why do you think it is suspicious?
Windows 10,Windows Firewall,Firefox w/Adblock.

livre1

  • Guest
Re: Trojan connects to several ip how to remove?
« Reply #3 on: July 08, 2009, 09:57:08 AM »
For several reasons:

Because my computer has a trojan that avast does not detect.

Every day I delete malware, and when I connect to the internet again, more appears.

And because these IP numbers did not appear when I was not infected.

Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3694
  • If at first you don’t succeed; call it version 1.0
Re: Trojan connects to several ip how to remove?
« Reply #4 on: July 08, 2009, 10:30:12 AM »
I suggest you download MBAM and install it, update it, and run a scan.
This is a very good on-demand scanner (resident in the paid-for version) that might well find and remove the trojan.
A scan report would be good to see, afterwards.
Windows 10,Windows Firewall,Firefox w/Adblock.

livre1

  • Guest
Re: Trojan connects to several ip how to remove?
« Reply #5 on: July 08, 2009, 10:46:10 AM »
I already used Malwarebytes and it has not found anything.

I used several tools; they no longer detect anything.

The problem must be from these IP numbers.

Offline .: L' arc :.

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1780
  • Thinking with Portals
Re: Trojan connects to several ip how to remove?
« Reply #6 on: July 08, 2009, 11:58:59 AM »
-= try installing Trend Micro Hijack This & post your log here in this topic.. Attaching it on your next post would be better..
Windows 7 (64-bit) Home Premium SP1
avast! 9 RC1

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89141
  • No support PMs thanks
Re: Trojan connects to several ip how to remove?
« Reply #7 on: July 08, 2009, 04:16:01 PM »
What is your firewall, as that should be blocking unauthorised internet connections?
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

livre1

  • Guest
Re: Trojan connects to several ip how to remove?
« Reply #8 on: July 09, 2009, 07:23:04 AM »
I do not use firewall.


The log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:17:06, on 9/7/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\Arquivos de programas\Java\jre6\bin\jusched.exe
C:\Arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Arquivos de programas\ThreatFire\TFTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\slserv.exe
C:\Arquivos de programas\Spyware Terminator\sp_rsser.exe
C:\Arquivos de programas\ThreatFire\TFService.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Arquivos de programas\Discador itelefonica\DiscadorCompitelefonica.exe
C:\WINDOWS\system32\slrundll.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Usuario\Desktop\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.baixaki.com.br/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ThreatFire] C:\Arquivos de programas\ThreatFire\TFTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O17 - HKLM\System\CCS\Services\Tcpip\..\{925148F4-231D-4E87-8124-05E90B5172A6}: NameServer = 200.204.0.138 200.204.0.10
O20 - Winlogon Notify: !SASWinLogon - C:\Arquivos de programas\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Arquivos de programas\Spyware Terminator\sp_rsser.exe
O23 - Service: ThreatFire - PC Tools - C:\Arquivos de programas\ThreatFire\TFService.exe

--
End of file - 5940 bytes

Offline .: L' arc :.

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1780
  • Thinking with Portals
Re: Trojan connects to several ip how to remove?
« Reply #9 on: July 09, 2009, 02:39:21 PM »
-= So far, what I found:

(1) Firewall
       You are either using Windows XP Firewall or none at all.. XP's firewall does not have Outbound protection.. Enhance your protection by installing a firewall with Outbound Protection.. Examples are: PCTools, Agnitum Outpost, Online Armor

(2) Keys

C:\Arquivos de programas\Discador itelefonica\DiscadorCompitelefonica.exe
       -= I cannot assure the harmlessness of this one.. You may try sending DiscadorCompitelefonica.exe to VirusTotal..
           Reference

O17 - HKLM\System\CCS\Services\Tcpip\..\{925148F4-231D-4E87-8124-05E90B5172A6}: NameServer = 200.204.0.138 200.204.0.10
       -= Do you know this IP/domain..? If not, or it suddenly appeared, consider fixing it..
Windows 7 (64-bit) Home Premium SP1
avast! 9 RC1

YoKenny

  • Guest
Re: Trojan connects to several ip how to remove?
« Reply #10 on: July 09, 2009, 03:06:10 PM »
-= So far, what I found:

(1) Firewall
       You are either using Windows XP Firewall or none at all.. XP's firewall does not have Outbound protection.. Enhance your protection by installing a firewall with Outbound Protection.. Examples are: PCTools, Agnitum Outpost, Online Armor

(2) Keys

C:\Arquivos de programas\Discador itelefonica\DiscadorCompitelefonica.exe
       -= I cannot assure the harmlessness of this one.. You may try sending DiscadorCompitelefonica.exe to VirusTotal..
           Reference

O17 - HKLM\System\CCS\Services\Tcpip\..\{925148F4-231D-4E87-8124-05E90B5172A6}: NameServer = 200.204.0.138 200.204.0.10
       -= Do you know this IP/domain..? If not, or it suddenly appeared, consider fixing it..


1. They are running Threatfire lessening the need for a software firewall

2. That is probably part of their ISP software.

3.  200.204.0.138 200.204.0.10 is Brasil and probably part of their ISP software

Running HijackThis from the Desktop is not recommended:
C:\Documents and Settings\Usuario\Desktop\HijackThis.exe

Install HijackThis to its default Folder:
C:\Program Files\Trend Micro
« Last Edit: July 09, 2009, 03:08:08 PM by YoKenny »
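The two checks .: L' arc :. and YoKenny made by eye on the posted HijackThis log (whether the O17 NameServer entries are the ISP's own resolvers, and whether a running executable lives outside the system directories, such as a copy on the Desktop) can be scripted. The following is an added example, not code from the thread or from HijackThis; the log excerpt is constructed from the posted log, and the set of expected ISP resolvers is an assumption the reader supplies from their own ISP's documentation.

```python
import re
from ipaddress import ip_address

# Constructed excerpt in HijackThis 2.0.2 log format; the paths and the O17 entry
# are copied from the log posted in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Discador itelefonica\DiscadorCompitelefonica.exe
C:\Documents and Settings\Usuario\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [ThreatFire] C:\Arquivos de programas\ThreatFire\TFTray.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{925148F4-231D-4E87-8124-05E90B5172A6}: NameServer = 200.204.0.138 200.204.0.10
O23 - Service: ThreatFire - PC Tools - C:\Arquivos de programas\ThreatFire\TFService.exe
"""

# Directories software is normally expected to run from. "Arquivos de programas"
# is the Portuguese Windows XP name for Program Files, as seen in the posted log.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\arquivos de programas\\", "c:\\program files\\")

O17_RE = re.compile(r"^O17 - .*NameServer = (?P<ips>.+)$", re.MULTILINE)

def nameservers(log: str) -> list:
    """Every DNS server IP listed in O17 (TCP/IP NameServer) entries, in log order."""
    found = []
    for m in O17_RE.finditer(log):
        for token in m.group("ips").replace(",", " ").split():
            try:
                found.append(str(ip_address(token)))
            except ValueError:
                pass  # O17 may also carry a domain suffix; only IPs are of interest
    return found

def unexpected_nameservers(log: str, expected_isp_dns: set) -> list:
    """O17 resolvers that are not the ISP's known ones: the DNS-hijack check."""
    return [ip for ip in nameservers(log) if ip not in expected_isp_dns]

def running_processes(log: str) -> list:
    """Paths listed under 'Running processes:' up to the first blank line."""
    parts = log.split("Running processes:\n", 1)
    if len(parts) < 2:
        return []
    body = parts[1].split("\n\n", 1)[0]
    return [line.strip() for line in body.splitlines() if line.strip()]

def processes_outside_trusted_dirs(log: str) -> list:
    """Running executables outside Windows/Program Files, e.g. one run from the Desktop."""
    return [p for p in running_processes(log) if not p.lower().startswith(TRUSTED_DIRS)]
```

With the resolvers the ISP publishes passed as `expected_isp_dns`, an empty result from `unexpected_nameservers` is the confirmation YoKenny gave by hand; the Desktop path is the only running process the second check reports on the sample.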

spg SCOTT

  • Guest
Re: Trojan connects to several ip how to remove?
« Reply #11 on: July 09, 2009, 03:18:54 PM »
3.  200.204.0.138 200.204.0.10 is Brasil and probably part of their ISP software

Both these IPs and the IPs in the first post are linked to 'telesp', an ISP in Brazil.

So are you saying that malware is connecting to your ISP?

-Scott-

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
The best things in life are free.

livre1

  • Guest
Re: Trojan connects to several ip how to remove?
« Reply #13 on: July 10, 2009, 05:35:06 AM »
I use dialup internet.

Telesp is the Internet provider; the file you asked me to send is necessary to connect to the internet.

Brazil Telesp and Telefonica are also ground.

How do I know which company an IP belongs to?

I think there is a company in Spain which is called land of Telesp and Telefonica.

The company "vivo" is "live" in English.