Yay! TDSSKiller found nothing wrong. Then I disabled all other applications and ran ComboFix, which rebooted. Unfortunately I had forgotten to disable the “load at start” settings, so ComboFix tried to continue its magic but was cut short. Oh well, I disabled everything again and reran ComboFix. This time it did not reboot, but it finished!

TDSSKiller’s and ComboFix’s reports follow after my message. But, essexboy, I have to thank you: whatever it was, it has stopped now! Avast is giving me no more warnings! I am running Iexplore, TweetDeck, Skype is loaded, svchost has certainly done a lot of connecting… and no warnings have popped up since I last booted! All hail ComboFix!

After all was finished, a message remained, saying that an .exe file (sorry, I clicked OK before taking note of the name… it began with a D and finished with 2k) could not be found. But everything seems to be working fine.

(Anyway, whatever happened?)

Reports are attached. You may see that ComboFix’s is written in Portuguese, but I assume that you know where to find what you are looking for, much the same way we can tell where to click in a Windows “OK/Cancel” popup window even though it is in an exotic language…

Last but not least, there are files that attempted to run during boot (that occasion when ComboFix tried to run but I had not disabled the security applications). Spyware Terminator detected them, I denied access, and only later did I speculate that they might be ComboFix-related… So I disabled everything and ran ComboFix again, as I said. Now I found them listed in ComboFix’s quarantine report, which is this:

2011-06-19 20:23:08 . 2011-06-19 20:23:08 426 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-Receitanet.reg.dat
2011-06-19 20:22:56 . 2011-06-19 20:22:56 210 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM_ActiveSetup-ccc-core-static.reg.dat
2011-06-19 20:01:55 . 2002-10-16 12:56:50 36 ----a-w- C:\Qoobox\Quarantine\L\Autorun.inf.vir
2011-06-19 19:55:43 . 2011-06-19 19:55:43 1,112 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_NPF.reg.dat
2011-06-19 19:55:43 . 2011-06-19 19:55:43 1,046 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_NPF.reg.dat
2011-06-19 19:55:26 . 2011-06-19 20:19:46 3,863 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2011-06-19 19:49:27 . 2011-06-19 20:15:35 124 ----a-w- C:\Qoobox\Quarantine\catchme.log
2003-04-04 18:07:20 . 2003-04-04 18:07:20 30,336 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\drivers\npf.sys.vir
2003-04-04 18:03:00 . 2003-04-04 18:03:00 57,344 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\Packet.dll.vir
2003-04-04 17:54:48 . 2003-04-04 17:54:48 208,896 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\wpcap.dll.vir
2003-02-03 21:12:00 . 2003-02-03 21:12:00 53,299 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\pthreadVC.dll.vir

The application Receitanet is legitimate. It is meant to connect to Brazil’s treasury to report on tax.

By the way, after all was done, I could not open a certain eula.txt because it was “marked for deletion”. Presumably, ComboFix did it. I then deleted the eula.txt and everything is all right.
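An added example, not part of this post and not ComboFix’s own code: a small Python parser for the quarantine listing format shown above, so the entries can be sorted into registry backups, quarantined files (with their original location reconstructed) and other files. It assumes the two timestamps are the file’s creation and last-modified times, and that quarantined copies live under C:\Qoobox\Quarantine with the original drive letter folded into the first path component and a .vir suffix, which is how the lines above read.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed sample in the same layout as the quarantine report quoted in the
# post above; the paths are illustrative, not taken from a real machine.
SAMPLE_REPORT = """\
2011-06-19 20:23:08 . 2011-06-19 20:23:08 426 ----a-w- C:\\Qoobox\\Quarantine\\Registry_backups\\AddRemove-Receitanet.reg.dat
2011-06-19 20:01:55 . 2002-10-16 12:56:50 36 ----a-w- C:\\Qoobox\\Quarantine\\L\\Autorun.inf.vir
2011-06-19 19:49:27 . 2011-06-19 20:15:35 124 ----a-w- C:\\Qoobox\\Quarantine\\catchme.log
2003-04-04 18:07:20 . 2003-04-04 18:07:20 30,336 ----a-w- C:\\Qoobox\\Quarantine\\C\\Windows\\System32\\drivers\\npf.sys.vir
"""

QUARANTINE_ROOT = "C:\\Qoobox\\Quarantine\\"   # assumed root of the quarantine folder

# One report line: "<created> . <modified> <size> <attrs> <path>" (field names assumed)
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<size>[\d,]+) (?P<attrs>\S{8}) (?P<path>.+)$"
)


@dataclass
class Entry:
    created: datetime
    modified: datetime
    size: int
    attrs: str
    path: str
    kind: str                  # "registry_backup", "file" or "other"
    original: Optional[str]    # original location of a quarantined .vir file


def classify(path: str):
    """Decide what a quarantine path is and, for .vir files, where it came from."""
    rel = path[len(QUARANTINE_ROOT):] if path.startswith(QUARANTINE_ROOT) else path
    if rel.startswith("Registry_backups\\"):
        return "registry_backup", None
    if rel.endswith(".vir"):
        # "C\Windows\...\npf.sys.vir" -> "C:\Windows\...\npf.sys"
        drive, _, rest = rel[:-4].partition("\\")
        return "file", f"{drive}:\\{rest}"
    return "other", None


def parse_report(text: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue   # tolerate headers or blank lines around the listing
        kind, original = classify(m["path"])
        entries.append(Entry(
            datetime.strptime(m["created"], "%Y-%m-%d %H:%M:%S"),
            datetime.strptime(m["modified"], "%Y-%m-%d %H:%M:%S"),
            int(m["size"].replace(",", "")), m["attrs"], m["path"], kind, original))
    return entries
```

A modified time earlier than the created time (as on the Autorun.inf line) is what a copied file looks like, so the two timestamps together tell you whether an entry was moved with its original dates intact or freshly written.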