Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Is it malware? c:\windows\system32\userinit.exe


  • This topic is locked This topic is locked
11 replies to this topic

#1 nembo

nembo

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Italy
  • Local time:07:25 PM

Posted 21 June 2013 - 04:11 PM

Hello

 

I've used Hijackthis to see if I can speed up the boot of my computer and I've found the following entry:

 

F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe

 

I think I've never seen it before in the hijackthis list (but I'm not really sure).

 

Could it be malware?

 

Thank you for your attention.

 

Nembo

 

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.25.2
Run by Administrator at 23:00:48 on 2013-06-21
Microsoft Windows XP Professional  5.1.2600.3.1252.39.1040.18.2043.935 [GMT 2:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Avira Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ================
.
C:\Programmi\File comuni\COMODO\launcher_service.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programmi\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
c:\Programmi\ActivIdentity\ActivClient\acevents.exe
C:\Programmi\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\AccelerometerSt.Exe
C:\Programmi\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Programmi\ActivIdentity\ActivClient\accrdsub.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\Programmi\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Programmi\File comuni\Java\Java Update\jusched.exe
C:\Programmi\Avira\AntiVir Desktop\avgnt.exe
C:\Programmi\On Hand\OnHand.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\WIDCOMM\Bluetooth Software\BTTray.exe
c:\Programmi\ActivIdentity\ActivClient\acevents.exe
C:\Programmi\ElephantDrive\ElephantDrive\ElephantDrive.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Programmi\MemoRex\MemoRex.exe
C:\Programmi\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Programmi\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\msdtc.exe
C:\Programmi\ABBYY Screenshot Reader\NetworkLicenseServer.exe
c:\Programmi\ActivIdentity\ActivClient\accoca.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Programmi\Avira\AntiVir Desktop\avguard.exe
C:\Programmi\COMODO\COMMON\COSService.exe
C:\Programmi\File comuni\COMODO\GeekBuddyRSP.exe
C:\Programmi\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Programmi\File comuni\InterVideo\RegMgr\iviRegMgr.exe
C:\Programmi\Java\jre7\bin\jqs.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmi\Telecom Italia\WanMiniport1st\srvany.exe
C:\Programmi\Telecom Italia\WanMiniport1st\WanMiniport1st_srv.exe
C:\Programmi\PDF Complete\pdfsvc.exe
C:\Programmi\SOS PC Self\clientBase\bin\ATAService.exe
C:\Programmi\COMODO\COMMON\SynchronizationService.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Programmi\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Programmi\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\alg.exe
C:\Programmi\Hewlett-Packard\Shared\HpqToaster.exe
C:\Programmi\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Programmi\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Programmi\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uSearch Bar = hxxp://www.google.com/ie
uProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
dURLSearchHooks: {A3BC75A2-1F87-4686-AA43-5347D756017C} - <orphaned>
mWinlogon: Userinit = c:\windows\system32\userinit.exe
BHO: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - c:\programmi\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\programmi\java\jre7\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\programmi\java\jre7\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - c:\programmi\hp\digital imaging\smart web printing\hpswp_BHO.dll
EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - c:\programmi\hp\digital imaging\smart web printing\hpswp_bho.dll
EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - c:\programmi\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [On Hand] "c:\programmi\on hand\OnHand.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ABBYY Screenshot Reader Retail] <no file>
mRun: [MsmqIntCert] regsvr32 /s mqrt.dll
mRun: [AccelerometerSysTrayApplet] c:\windows\system32\AccelerometerSt.Exe
mRun: [IAAnotif] c:\programmi\intel\intel matrix storage manager\iaanotif.exe
mRun: [accrdsub] "c:\programmi\actividentity\activclient\accrdsub.exe"
mRun: [SynTPEnh] c:\programmi\synaptics\syntp\SynTPEnh.exe
mRun: [hpWirelessAssistant] c:\programmi\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [StartCCC] "c:\programmi\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [SoundMAX] c:\programmi\analog devices\soundmax\Smax4.exe /tray
mRun: [PDF Complete] c:\programmi\pdf complete\pdfsty.exe
mRun: [MemoREX] "c:\programmi\memorex\MemoRexStart.exe"
mRun: [SunJavaUpdateSched] "c:\programmi\file comuni\java\java update\jusched.exe"
mRun: [avgnt] "c:\programmi\avira\antivir desktop\avgnt.exe" /min
mRun: [WatchDog] c:\programmi\intervideo\dvd check\DVDCheck.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\menuav~1\progra~1\esecuz~1\bttray.lnk - c:\programmi\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\menuav~1\progra~1\esecuz~1\dvdche~1.lnk - c:\programmi\intervideo\dvd check\DVDCheck.exe
StartupFolder: c:\docume~1\alluse~1\menuav~1\progra~1\esecuz~1\shortc~1.lnk - c:\programmi\elephantdrive\elephantdrive\ElephantDrive.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
   If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1343479617937
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{9C16EA18-3503-4F5F-A90F-276315E28ACA} : DHCPNameServer = 192.168.1.1
Notify: ackpbsc - c:\windows\system32\ackpbsc.dll
Notify: acunlock - c:\programmi\actividentity\activclient\acunlock.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1    www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\dati applicazioni\mozilla\firefox\profiles\5pjqwg36.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2653012&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - prefs.js: keyword.URL - hxxp://safesearchr.lavasoft.com/?source=3336ca5f&tbp=url&toolbarid=adawaretb&u=FB42149BC56D33DFC78F7750C49480FA&q=
FF - component: c:\documents and settings\administrator\dati applicazioni\mozilla\firefox\profiles\5pjqwg36.default\extensions\engine@conduit.com\components\RadioWMPCoreGecko19.dll
FF - component: c:\programmi\avg\avg10\firefox4\components\avgssff4.dll
FF - component: c:\programmi\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\programmi\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\programmi\avg\avg10\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\programmi\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\programmi\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\programmi\google\update\1.3.21.145\npGoogleUpdate3.dll
FF - plugin: c:\programmi\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\programmi\microsoft silverlight\5.1.20125.0\npctrlui.dll
FF - plugin: c:\windows\system32\adobe\director\np32dsw_1202122.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_7_700_224.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
FF - ExtSQL: !HIDDEN! 2009-09-02 13:32; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - ExtSQL: !HIDDEN! 2010-02-18 13:52; smartwebprinting@hp.com; c:\programmi\hp\digital imaging\smart web printing\MozillaAddOn3
.
============= SERVICES / DRIVERS ===============
.
R0 bdisk;COMODO Disk Raw Access Filter;c:\windows\system32\drivers\bdisk.sys [2013-1-14 79816]
R0 CBUfs;CBUFS;c:\windows\system32\drivers\cbufs.sys [2013-1-14 268544]
R0 cbvd;COMODO Encrypted Virtual Disk;c:\windows\system32\drivers\CBVD.sys [2013-1-14 495424]
R0 gfibto;gfibto;c:\windows\system32\drivers\gfibto.sys [2012-11-28 13560]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-6-17 64288]
R0 reparse;Reparse;c:\windows\system32\drivers\cbreparse.sys [2013-1-14 512160]
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [2008-3-28 24064]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2013-6-18 37352]
R1 CFRMD;CFRMD;c:\windows\system32\drivers\CFRMD.sys [2012-9-3 36112]
R2 ABBYY.Licensing.FineReader.ScreenshotReader.9.0;ABBYY.Licensing.FineReader.ScreenshotReader.9.0;c:\programmi\abbyy screenshot reader\NetworkLicenseServer.exe [2009-5-15 759048]
R2 accoca;ActivClient Middleware Service;c:\programmi\actividentity\activclient\accoca.exe [2007-5-15 182576]
R2 AntiVirSchedulerService;Avira Pianificatore;c:\programmi\avira\antivir desktop\sched.exe [2013-6-18 86752]
R2 AntiVirService;Avira Real-Time Protection;c:\programmi\avira\antivir desktop\avguard.exe [2013-6-18 110816]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2013-6-18 84744]
R2 CLPSLauncher;COMODO LPS Launcher;c:\programmi\file comuni\comodo\launcher_service.exe [2013-4-17 70344]
R2 COSService.exe;COMODO Online Storage Service;c:\programmi\comodo\common\COSService.exe [2013-1-14 3193032]
R2 GeekBuddyRSP;GeekBuddyRSP Service;c:\programmi\file comuni\comodo\GeekBuddyRSP.exe [2013-4-17 1851088]
R2 Network WanMiniport First Position;Network WanMiniport First Position;c:\programmi\telecom italia\wanminiport1st\srvany.exe [2009-6-4 8192]
R2 pdfcDispatcher;PDF Document Manager;c:\programmi\pdf complete\pdfsvc.exe [2009-5-22 576024]
R2 SOSPCService;SOSPCService;c:\programmi\sos pc self\clientbase\bin\ATAService.exe [2013-6-8 102400]
R2 SynchronizationService.exe;COMODO BackUp Service;c:\programmi\comodo\common\SynchronizationService.exe [2013-1-14 3996872]
R3 vdbus;Virtual Disk Bus Enumerator;c:\windows\system32\drivers\vdbus.sys [2013-1-14 647456]
S1 SBRE;SBRE;c:\windows\system32\drivers\sbredrv.sys --> c:\windows\system32\drivers\SBREDrv.sys [?]
S3 Com4QLBEx;Com4QLBEx;c:\programmi\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2008-6-29 193840]
S3 cpuz136;cpuz136;\??\c:\windows\temp\cpuz136\cpuz136_x32.sys --> c:\windows\temp\cpuz136\cpuz136_x32.sys [?]
S3 ElephantDrive-MappedDrive.exe;ElephantDrive-MappedDrive;c:\programmi\elephantdrive\elephantdrive\ElephantDrive-MappedDrive.exe [2012-8-13 125136]
S3 ElephantDrive-Service.exe;ElephantDrive-Service;c:\programmi\elephantdrive\elephantdrive\ElephantDrive-Service.exe [2012-8-13 125136]
S3 gfiark;gfiark;c:\windows\system32\drivers\gfiark.sys [2012-11-28 41584]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\programmi\lavasoft\ad-aware\kernexplorer.sys --> c:\programmi\lavasoft\ad-aware\KernExplorer.sys [?]
S3 RoxMediaDB10;RoxMediaDB10;c:\programmi\file comuni\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [2008-4-8 1112560]
.
=============== File Associations ===============
.
ShellExec: pdfvista.exe: Open="c:\programmi\pdf complete\pdfvista.exe"
ShellExec: pdfvista.exe: Read="c:\programmi\pdf complete\pdfvista.exe"
.
=============== Created Last 30 ================
.
2013-06-21 09:50:51    144896    ----a-w-    c:\windows\system32\javacpl.cpl
2013-06-21 09:50:48    94632    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2013-06-17 22:37:52    --------    d-----w-    c:\documents and settings\administrator\dati applicazioni\Avira
2013-06-17 22:25:17    84744    ----a-w-    c:\windows\system32\drivers\avgntflt.sys
2013-06-17 22:25:17    37352    ----a-w-    c:\windows\system32\drivers\avkmgr.sys
2013-06-17 22:25:16    --------    d-----w-    c:\programmi\Avira
2013-06-17 22:25:16    --------    d-----w-    c:\documents and settings\all users\dati applicazioni\Avira
2013-06-15 20:10:45    --------    d-sh--w-    c:\windows\system32\AI_RecycleBin
2013-06-15 20:09:49    --------    d-----w-    c:\programmi\Soluto
2013-06-15 20:08:52    --------    d-----w-    c:\documents and settings\all users\dati applicazioni\Soluto
2013-06-15 19:31:46    --------    d-----w-    c:\documents and settings\administrator\SyncFolder
2013-06-15 19:29:59    --------    d-----w-    c:\programmi\MyPC Backup
2013-06-14 12:59:26    --------    d-----w-    c:\programmi\Loescher
2013-06-13 10:36:45    --------    d-----w-    c:\documents and settings\administrator\dati applicazioni\loesch
2013-06-10 19:48:16    934161    ----a-w-    c:\windows\system32\drivers\sfi.dat
2013-06-10 19:43:56    --------    d-----w-    c:\programmi\file comuni\COMODO
2013-06-10 19:43:39    --------    d-----w-    c:\documents and settings\administrator\impostazioni locali\dati applicazioni\COMODO
2013-06-08 19:52:31    --------    d-----w-    c:\programmi\Celestia
2013-06-08 12:51:43    --------    d-----w-    c:\programmi\SOS PC Self
2013-06-08 11:52:30    --------    d-----w-    c:\documents and settings\administrator\impostazioni locali\dati applicazioni\Telecom Italia
2013-06-08 11:52:30    --------    d-----w-    c:\documents and settings\administrator\dati applicazioni\Telecom Italia
2013-06-07 19:09:18    --------    d-----w-    c:\documents and settings\administrator\impostazioni locali\dati applicazioni\stellarium
2013-06-07 19:09:16    --------    d-----w-    c:\documents and settings\administrator\dati applicazioni\Stellarium
2013-06-07 19:07:57    --------    d-----w-    c:\programmi\Stellarium
2013-06-01 22:42:40    --------    d-----w-    c:\documents and settings\administrator\impostazioni locali\dati applicazioni\Adobe
2013-06-01 22:40:11    --------    d-----w-    c:\documents and settings\administrator\impostazioni locali\dati applicazioni\Super Internet TV
2013-06-01 22:35:08    --------    d-----w-    c:\documents and settings\administrator\dati applicazioni\RevoluTV
2013-06-01 22:20:32    --------    d-----w-    c:\documents and settings\administrator\dati applicazioni\MMToolz
2013-05-30 19:02:26    --------    d-----w-    c:\documents and settings\administrator\dati applicazioni\ElephantDrive
2013-05-30 18:53:58    --------    d-s---w-    c:\documents and settings\administrator\My ElephantDrive
2013-05-30 18:50:41    --------    d-----w-    c:\programmi\ElephantDrive
2013-05-26 15:57:17    --------    d-----w-    c:\programmi\cygdrive
2013-05-26 15:56:15    --------    d-----w-    c:\windows\system32\IBCOMMON
2013-05-26 15:56:07    --------    d-----w-    c:\programmi\IDriveWindows
2013-05-25 11:57:55    --------    d-----w-    c:\documents and settings\administrator\impostazioni locali\dati applicazioni\ABBYY
2013-05-25 11:49:46    --------    d-----w-    c:\programmi\ABBYY Screenshot Reader
2013-05-25 11:49:46    --------    d-----w-    c:\documents and settings\all users\dati applicazioni\ABBYY
2013-05-25 11:48:36    --------    d-----w-    C:\Temp
2013-05-24 11:44:59    74136    ----a-w-    c:\programmi\mozilla firefox\breakpadinjector.dll
2013-05-24 11:44:59    19352    ----a-w-    c:\programmi\mozilla firefox\AccessibleMarshal.dll
2013-05-23 22:54:58    --------    d-----w-    c:\documents and settings\administrator\impostazioni locali\dati applicazioni\Microsoft_Research
2013-05-23 22:49:08    --------    d-----w-    c:\programmi\Microsoft Research
2013-05-23 22:32:32    --------    d-----w-    c:\documents and settings\administrator\impostazioni locali\dati applicazioni\FreeOCR
2013-05-23 22:25:28    2680320    ----a-w-    c:\windows\system32\ImageEnXLibrary.ocx
2013-05-23 22:25:25    --------    d-----w-    C:\FreeOCR
2013-05-23 22:24:40    --------    d-----w-    c:\programmi\Temp
2013-05-23 22:19:34    --------    d-----w-    c:\windows\tessdata
2013-05-23 18:37:44    162304    ----a-w-    C:\UNWISE.EXE
2013-05-22 21:03:38    --------    d-----w-    c:\programmi\IrfanView
.
==================== Find3M  ====================
.
2013-06-12 19:48:23    867240    ----a-w-    c:\windows\system32\npDeployJava1.dll
2013-06-12 19:48:17    789416    ----a-w-    c:\windows\system32\deployJava1.dll
2013-06-11 21:29:52    692104    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-06-11 21:29:51    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-21 20:00:57    466008    ----a-w-    c:\windows\system32\drivers\sptd.sys
2013-05-07 22:27:49    920064    ----a-w-    c:\windows\system32\wininet.dll
2013-05-07 22:27:49    43520    ----a-w-    c:\windows\system32\licmgr10.dll
2013-05-07 22:27:48    1469440    ----a-w-    c:\windows\system32\inetcpl.cpl
2013-05-07 21:53:29    385024    ----a-w-    c:\windows\system32\html.iec
2013-05-03 05:39:10    2153472    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-05-03 05:39:10    2032128    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2013-04-12 14:00:50    1876352    ----a-w-    c:\windows\system32\win32k.sys
2013-04-11 09:06:45    41584    ----a-w-    c:\windows\system32\drivers\gfiark.sys
2013-04-04 12:50:32    22856    ----a-w-    c:\windows\system32\drivers\mbam.sys
2013-03-27 14:29:45    13560    ----a-w-    c:\windows\system32\drivers\gfibto.sys
.
============= FINISH: 23.00.58,73 ===============
 

Attached Files


Edited by nembo, 21 June 2013 - 04:13 PM.


BC AdBot (Login to Remove)

 


#2 Guest_White Warrior_*

Guest_White Warrior_*

  • Guests
  • OFFLINE
  •  

Posted 24 June 2013 - 11:18 PM

Hi  nembo

I will be handling your log to help you get cleaned up. Please give me some time to look it over and I will get back to you as soon as possible.

White Warrior
 



#3 Guest_White Warrior_*

Guest_White Warrior_*

  • Guests
  • OFFLINE
  •  

Posted 25 June 2013 - 10:07 AM

Hello nembo and welcome.

The userinit.exe file is a legitimate windows file. For information on it please go Here

I see in your log you are running 2 anti-virus programs. AVG and Avira

I do not recommend that you have more than one anti virus product installed and running on your computer at a time.  The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms".  It can also lead to a clash as both products fight for access to files which are opened again this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove programs in the control panel and remove either AVG or Avira.

Your log looks clean but let's run some scans to make sure there's nothing lurking out of sight.

  • Download Security Check by screen317 from here or  here.
    • Save it to your desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

    I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the esetonlinebtn.png button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the esetsmartinstaller_enu.png
      icon on your desktop.

  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology

  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the  save log button, save it to your desktop and post it in your next reply.

I need to see:

Security Check log
Eset log
AswMbr log

Are there any further problems?

White Warrior.
 



#4 nembo

nembo
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Italy

Posted 26 June 2013 - 04:48 PM

Ciao White Warrior

Thank you very much for your patience.

 

What you said about the 2 antivirus puzzled me because I had already uninstalled AVG from my computer before I installed Avira. There is no AVG entry in the control panel so I don't know what's going on.

 

 

Here are the 3 logs you requested:

 

 

- Security Check log

 

 Results of screen317's Security Check version 0.99.68  
 Windows XP Service Pack 3 x86   
 Internet Explorer 8 Out of date!
``````````````Antivirus/Firewall Check:``````````````
AVG Anti-Virus Free Edition 2012   
Avira Desktop                      
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:`````````
 MVPS Hosts File  
 Panda Cloud Cleaner   
 Java 7 Update 25  
 Adobe Flash Player     11.7.700.224  
 Mozilla Firefox 21.0 Firefox out of Date!  
````````Process Check: objlist.exe by Laurent````````  
 Avira Antivir avgnt.exe
 Avira Antivir avguard.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:: 12% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````
 

 

 

- Esetscan

 

C:\Documents and Settings\Administrator\Documenti\setup\FFDictionaryToolbarInstaller_DIC3V5_tbr_1.5.0.0.exe    a variant of Win32/Bundled.Toolbar.Ask.A application    cleaned by deleting - quarantined
C:\Documents and Settings\Administrator\Documenti\setup\Pazera_Free_Audio_Extractor.exe    Win32/InstallMonetizer.AF application    cleaned by deleting - quarantined
C:\Documents and Settings\Administrator\Documenti\setup\PDFCreator-1_2_3_setup.exe    multiple threats    cleaned by deleting - quarantined
C:\Documents and Settings\Administrator\Documenti\setup\burner\Setup_FreeBurner.zip    Win32/Toolbar.Widgi application    deleted - quarantined
C:\Documents and Settings\Administrator\Impostazioni locali\Temp\AskSLib.dll    a variant of Win32/Bundled.Toolbar.Ask application    cleaned by deleting - quarantined
C:\Programmi\Avira\AntiVir Desktop\apnic.dll    a variant of Win32/Bundled.Toolbar.Ask application    cleaned by deleting (after the next restart) - quarantined
C:\Programmi\Avira\AntiVir Desktop\apntoolbarinstaller.exe    a variant of Win32/Bundled.Toolbar.Ask application    cleaned by deleting (after the next restart) - quarantined
C:\Programmi\PDFCreator\Toolbar\pdfforge Toolbar_setup.exe    Win32/Toolbar.Widgi application    cleaned by deleting - quarantined
C:\RECYCLER\S-1-5-21-1994444560-4096946527-1595469631-500\Dc270.exe    a variant of Win32/SoftonicDownloader.E application    cleaned by deleting - quarantined
C:\RECYCLER\S-1-5-21-1994444560-4096946527-1595469631-500\Dc271.exe    a variant of Win32/SoftonicDownloader.E application    cleaned by deleting - quarantined
 

 

- aswMBR

 

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-06-26 23:04:38
-----------------------------
23:04:38.171    OS Version: Windows 5.1.2600 Service Pack 3
23:04:38.171    Number of processors: 2 586 0xF0D
23:04:38.171    ComputerName: YOUR-2CBA8FC3CE  UserName: Administrator
23:04:38.796    Initialze error 0
23:05:18.421    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
23:05:18.421    Disk 0 Vendor: WDC_WD32 13.0 Size: 305245MB BusType: 3
23:05:18.453    Disk 0 MBR read successfully
23:05:18.468    Disk 0 MBR scan
23:05:18.468    Disk 0 unknown MBR code
23:05:18.468    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS       304207 MB offset 63
23:05:18.500    Disk 0 Partition 2 00     0C    FAT32 LBA MSDOS5.0     1027 MB offset 623032830
23:05:18.500    Disk 0 scanning sectors +625137345
23:05:18.515    Disk 0 scanning C:\WINDOWS\system32\drivers
23:05:18.515    Service scanning
23:05:19.359    Modules scanning
23:05:20.062    Disk 0 trace - called modules:
23:05:20.078    ntkrnlpa.exe CLASSPNP.SYS disk.sys hpdskflt.sys hal.dll ACPI.sys iaStor.sys sptd.sys
23:05:20.093    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a0715a0]
23:05:20.093    3 CLASSPNP.SYS[f74e7fd7] -> nt!IofCallDriver -> [0x8a071d58]
23:05:20.093    5 hpdskflt.sys[f77184e6] -> nt!IofCallDriver -> \Device\0000009f[0x8a099190]
23:05:20.109    7 ACPI.sys[f7247620] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x89ad7030]
23:05:20.109    Scan finished successfully
23:05:51.296    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\MBR.dat"
23:05:51.296    The log file has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\aswMBR.txt"

 

I've got a couple of very little problems.

There's an entry in control panel (TVAnts 1.0) that I'm not able to remove. Should I just leave it there?

When I change the volume using the key "fn" + f11 or f12, the volume level with the green rectangles no longer appears on the screen (but the volumes changes).

 

Could you give me your opinion on my protection level? Are Avira, Malwarebytes and Windows Firewall good enough?

Is the use of a registry cleaner advisable?

 

Have a nice day. Bye

 

Nembo



#5 Guest_White Warrior_*

Guest_White Warrior_*

  • Guests
  • OFFLINE
  •  

Posted 27 June 2013 - 10:58 PM

double post


Edited by White Warrior, 27 June 2013 - 11:01 PM.


#6 Guest_White Warrior_*

Guest_White Warrior_*

  • Guests
  • OFFLINE
  •  

Posted 27 June 2013 - 11:00 PM

Hi nembo.

It seems that there are leftovers of AVG on the computer and our tools are picking them up.
Please go here and download the AVG remover tool that suits your system.

I'll give you some protection advice after we get the computer clean.

Is the use of a registry cleaner advisable?

We do not recommend the use of registry cleaners. They seldom do any good and often corrupt the registry, stopping it from working correctly.

TVAnts is a P2P-based Internet audio and video broadcast program. I strongly advise you to remove it.
Download and install Revo Uninstaller (Freeware) from here.

Run the program and select TVAnts
Click Uninstall icon
Choose Advanced and follow the prompts.
Then click Select all (1.) and Delete (2.) to delete all registry items, folders and files listed by Revo and reboot your computer when the Revo Uninstaller is finished.

ESet picked up some malware so let's do more scans to make sure the computer is clean.

Please download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Everything that was found will be deleted.
  • Follow the prompts to reboot the computer. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

NOTE:
If you get a message that you must reboot the computer before starting deletion, please do so.
At reboot, only AdwCleaner will run and you can only click on the "Delete" button.
When the deletion is done, AdwCleaner will reboot the computer again and open the logfile.

Please download Malwarebytes Anti-Malware mbamicontw5.gif and save it to your desktop.
Malwarebytes may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet and double-click on the renamed file to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you cannot update Malwarebytes or use the Internet to download any files to the infected computer, manually update the database by following the instructions in FAQ Section A: 4. Issues.
    • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
    • Click on the Scan button.
    • When the scan is complete, click OK, then click the Show Results button to see a list of any malware that was found.
    • Make sure that everything is checked and then click Remove Selected.
    • When removal is completed, a log report will open in Notepad.
    • The log is automatically saved and can be viewed by clicking the Logs tab.
    • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
    • Exit Malwarebytes when done.
  • Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.

    -- Some types of malware will target Malwarebytes and other security tools to keep them from running properly. If that's the case, use Malwarebytes Chameleon and follow the onscreen instructions. The Chameleon folder can be accessed by opening the program folder for Malwarebytes Anti-Malware (normally C:\Program Files\Malwarebytes' Anti-Malware or C:\Program Files (x86)\Malwarebytes' Anti-Malware).

I need to see:
AdwCleaner log
MBAM log

White Warrior
 

#7 nembo

nembo
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Italy

Posted 29 June 2013 - 02:30 PM

Hello White Warrior

 

I've used the specific software to uninstall the AVG leftovers and got rid of TvAnt with Revo.

 

I don't know if that's important but when I was uninstalling TvAnt the following message appeared:

 

"Could not open INSTALL.LOG file."

 

I just clicked OK, the process went on without any further problems and finally I did as you told me, selected everything and deleted it. Now TvAnt has disappeared from the control panel.

 

 

 

Here are the new logs (Malwarebytes was already installed on my computer and didn't find any malware):

 

 

 

# AdwCleaner v2.303 - Logfile creato il 29/06/2013 alle 15:34:21
# Aggiornamento 08/06/2013 by Xplode
# Sistema Operativo : Microsoft Windows XP Service Pack 3 (32 bits)
# Utente : Administrator - YOUR-2CBA8FC3CE
# Modalità Avvio : Modalità Normale
# Eseguito da : C:\Documents and Settings\Administrator\Documenti\Saee\adwcleaner.exe
# Opzioni [Elimina]


***** [Servizi] *****


***** [File / Cartelle] *****

Cartella Eliminato : C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\AskSearch
Cartella Eliminato : C:\Documents and Settings\Administrator\Dati applicazioni\blekko
Cartella Eliminato : C:\Documents and Settings\Administrator\Dati applicazioni\Mozilla\Firefox\Profiles\5pjqwg36.default\Conduit
Cartella Eliminato : C:\Documents and Settings\Administrator\Dati applicazioni\Mozilla\Firefox\Profiles\5pjqwg36.default\ConduitEngine
Cartella Eliminato : C:\Documents and Settings\Administrator\Dati applicazioni\pdfforge
Cartella Eliminato : C:\Documents and Settings\Administrator\Dati applicazioni\Wondershare
Cartella Eliminato : C:\Documents and Settings\Administrator\Impostazioni locali\Dati applicazioni\Wondershare
Cartella Eliminato : C:\Documents and Settings\All Users\Dati applicazioni\boost_interprocess
Cartella Eliminato : C:\Documents and Settings\All Users\Menu Avvio\Programmi\Wondershare
Cartella Eliminato : C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\AVG Security Toolbar
Cartella Eliminato : C:\Programmi\Wondershare
File Eliminato : C:\Documents and Settings\Administrator\Dati applicazioni\Mozilla\Firefox\Profiles\5pjqwg36.default\searchplugins\Conduit.xml
File Eliminato : C:\Programmi\Mozilla Firefox\searchplugins\adawaretb.xml

***** [Registro] *****

Chiave Eliminata : HKCU\Software\AppDataLow\Software\SmartBar
Chiave Eliminata : HKCU\Software\Conduit
Chiave Eliminata : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}
Chiave Eliminata : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Chiave Eliminata : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Chiave Eliminata : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\grusskartencenter.com
Chiave Eliminata : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\grusskartencenter.com
Chiave Eliminata : HKCU\Software\Softonic
Chiave Eliminata : HKCU\Software\YahooPartnerToolbar
Chiave Eliminata : HKLM\SOFTWARE\Classes\CLSID\{35B8892D-C3FB-4D88-990D-31DB2EBD72BD}
Chiave Eliminata : HKLM\SOFTWARE\Classes\Interface\{3F607E46-0D3C-4442-B1DE-DE7FA4768F5C}
Chiave Eliminata : HKLM\SOFTWARE\Classes\Interface\{FE0273D1-99DF-4AC0-87D5-1371C6271785}
Chiave Eliminata : HKLM\SOFTWARE\Classes\TypeLib\{93E3D79C-0786-48FF-9329-93BC9F6DC2B3}
Chiave Eliminata : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6C97A91E-4524-4019-86AF-2AA2D567BF5C}

***** [Browser Internet] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registro Pulito.

-\\ Mozilla Firefox v22.0 (it)

File : C:\Documents and Settings\LocalService\Dati applicazioni\Mozilla\Firefox\Profiles\yumsb3gl.default\prefs.js

Eliminata : user_pref("browser.search.selectedEngine", "blekko");
Eliminata : user_pref("browser.search.selectedEngine", "blekko");
Eliminata : user_pref("browser.search.selectedEngine", "blekko");

File : C:\Documents and Settings\Administrator\Dati applicazioni\Mozilla\Firefox\Profiles\5pjqwg36.default\prefs.js

Eliminata : user_pref("CT2653012.AboutPrivacyUrl", "hxxp://www.conduit.com/privacy/Default.aspx");
Eliminata : user_pref("CT2653012.CTID", "CT2653012");
Eliminata : user_pref("CT2653012.CurrentServerDate", "18-9-2010");
Eliminata : user_pref("CT2653012.DialogsAlignMode", "LTR");
Eliminata : user_pref("CT2653012.DownloadReferralCookieData", "");
Eliminata : user_pref("CT2653012.FirstServerDate", "18-9-2010");
Eliminata : user_pref("CT2653012.FirstTime", true);
Eliminata : user_pref("CT2653012.FirstTimeFF3", true);
Eliminata : user_pref("CT2653012.FirstTimeSettingsDone", true);
Eliminata : user_pref("CT2653012.FixPageNotFoundErrors", true);
Eliminata : user_pref("CT2653012.GroupingServerCheckInterval", 1440);
Eliminata : user_pref("CT2653012.GroupingServiceUrl", "hxxp://grouping.services.conduit.com/");
Eliminata : user_pref("CT2653012.Initialize", true);
Eliminata : user_pref("CT2653012.InitializeCommonPrefs", true);
Eliminata : user_pref("CT2653012.InstallationAndCookieDataSentCount", 1);
Eliminata : user_pref("CT2653012.InstalledDate", "Sat Sep 18 2010 15:03:45 GMT+0200 (ora legale Europa occidenta[...]
Eliminata : user_pref("CT2653012.IsGrouping", false);
Eliminata : user_pref("CT2653012.IsMulticommunity", false);
Eliminata : user_pref("CT2653012.IsOpenThankYouPage", true);
Eliminata : user_pref("CT2653012.IsOpenUninstallPage", true);
Eliminata : user_pref("CT2653012.LanguagePackLastCheckTime", "Sat Sep 18 2010 15:03:45 GMT+0200 (ora legale Euro[...]
Eliminata : user_pref("CT2653012.LanguagePackReloadIntervalMM", 1440);
Eliminata : user_pref("CT2653012.LanguagePackServiceUrl", "hxxp://translation.users.conduit.com/Translation.ashx[...]
Eliminata : user_pref("CT2653012.LastLogin_2.7.1.3", "Sat Sep 18 2010 15:04:16 GMT+0200 (ora legale Europa occid[...]
Eliminata : user_pref("CT2653012.LatestVersion", "2.7.2.0");
Eliminata : user_pref("CT2653012.Locale", "en");
Eliminata : user_pref("CT2653012.LoginCache", 4);
Eliminata : user_pref("CT2653012.MCDetectTooltipHeight", "83");
Eliminata : user_pref("CT2653012.MCDetectTooltipUrl", "hxxp://@EB_INSTALL_LINK@/rank/tooltip/?version=1");
Eliminata : user_pref("CT2653012.MCDetectTooltipWidth", "295");
Eliminata : user_pref("CT2653012.SHRINK_TOOLBAR", 1);
Eliminata : user_pref("CT2653012.SearchEngine", "Search||hxxp://search.conduit.com/Results.aspx?q=UCM_SEARCH_TER[...]
Eliminata : user_pref("CT2653012.SearchFromAddressBarIsInit", true);
Eliminata : user_pref("CT2653012.SearchFromAddressBarUrl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT265[...]
Eliminata : user_pref("CT2653012.SearchInNewTabEnabled", true);
Eliminata : user_pref("CT2653012.SearchInNewTabIntervalMM", 1440);
Eliminata : user_pref("CT2653012.SearchInNewTabLastCheckTime", "Sat Sep 18 2010 15:04:16 GMT+0200 (ora legale Eu[...]
Eliminata : user_pref("CT2653012.SearchInNewTabServiceUrl", "hxxp://newtab.conduit-hosting.com/newtab/?ctid=EB_T[...]
Eliminata : user_pref("CT2653012.SearchInNewTabUsageUrl", "hxxp://Usage.Hosting.conduit-services.com/UsageServic[...]
Eliminata : user_pref("CT2653012.SettingsCheckIntervalMin", 120);
Eliminata : user_pref("CT2653012.SettingsLastCheckTime", "Sat Sep 18 2010 15:03:41 GMT+0200 (ora legale Europa o[...]
Eliminata : user_pref("CT2653012.SettingsLastUpdate", "1283697734");
Eliminata : user_pref("CT2653012.ThirdPartyComponentsInterval", 504);
Eliminata : user_pref("CT2653012.ThirdPartyComponentsLastCheck", "Sat Sep 18 2010 15:03:41 GMT+0200 (ora legale [...]
Eliminata : user_pref("CT2653012.ThirdPartyComponentsLastUpdate", "1246790578");
Eliminata : user_pref("CT2653012.TrusteLinkUrl", "hxxp://www.truste.org/pvr.php?page=validate&softwareProgramId=[...]
Eliminata : user_pref("CT2653012.UserID", "UN36720407730165283");
Eliminata : user_pref("CT2653012.ValidationData_Search", 0);
Eliminata : user_pref("CT2653012.ValidationData_Toolbar", 2);
Eliminata : user_pref("CT2653012.WeatherNetwork", "");
Eliminata : user_pref("CT2653012.WeatherPollDate", "Sat Sep 18 2010 15:05:05 GMT+0200 (ora legale Europa occiden[...]
Eliminata : user_pref("CT2653012.WeatherUnit", "C");
Eliminata : user_pref("CT2653012.alertChannelId", "1045667");
Eliminata : user_pref("CT2653012.clientLogIsEnabled", true);
Eliminata : user_pref("CT2653012.clientLogServiceUrl", "hxxp://clientlog.users.conduit.com/ClientDiagnostics.asm[...]
Eliminata : user_pref("CT2653012.components.1000234", true);
Eliminata : user_pref("CT2653012.myStuffEnabled", true);
Eliminata : user_pref("CT2653012.myStuffPublihserMinWidth", 400);
Eliminata : user_pref("CT2653012.myStuffSearchUrl", "hxxp://Apps.conduit.com/search?q=SEARCH_TERM&SearchSourceOr[...]
Eliminata : user_pref("CT2653012.myStuffServiceIntervalMM", 1440);
Eliminata : user_pref("CT2653012.myStuffServiceUrl", "hxxp://mystuff.conduit-services.com/MyStuffService.ashx?Co[...]
Eliminata : user_pref("CT2653012.uninstallLogServiceUrl", "hxxp://uninstall.users.conduit.com/Uninstall.asmx/Reg[...]
Eliminata : user_pref("CommunityToolbar.ETag.hxxp://alerts.conduit-services.com/root/1045667/1041378/IT", "\"0\"[...]
Eliminata : user_pref("CommunityToolbar.ETag.hxxp://alerts.conduit-services.com/root/909619/905414/IT", "\"0\"")[...]
Eliminata : user_pref("CommunityToolbar.ETag.hxxp://dynamicdialogs.alert.conduit-services.com/alert/dlg.pkg", "\[...]
Eliminata : user_pref("CommunityToolbar.ETag.hxxp://dynamicdialogs.engine.conduit-services.com/DLG.pkg?ver=3.3.3[...]
Eliminata : user_pref("CommunityToolbar.ETag.hxxp://settings.engine.conduit-services.com/?browser=FF&lut=0", "63[...]
Eliminata : user_pref("CommunityToolbar.ETag.hxxp://settings.engine.conduit-services.com/?browser=FF&lut=3/13/20[...]
Eliminata : user_pref("CommunityToolbar.EngineHiddenByUser", true);
Eliminata : user_pref("CommunityToolbar.EngineOwner", "ConduitEngine");
Eliminata : user_pref("CommunityToolbar.EngineOwnerGuid", "engine@conduit.com");
Eliminata : user_pref("CommunityToolbar.EngineOwnerToolbarId", "conduitengine");
Eliminata : user_pref("CommunityToolbar.IsEngineShown", false);
Eliminata : user_pref("CommunityToolbar.IsMyStuffImportedToEngine", true);
Eliminata : user_pref("CommunityToolbar.OriginalEngineOwner", "ConduitEngine");
Eliminata : user_pref("CommunityToolbar.OriginalEngineOwnerGuid", "engine@conduit.com");
Eliminata : user_pref("CommunityToolbar.OriginalEngineOwnerToolbarId", "conduitengine");
Eliminata : user_pref("CommunityToolbar.SearchFromAddressBarSavedUrl", "hxxp://it.yhs.search.yahoo.com/avg/searc[...]
Eliminata : user_pref("CommunityToolbar.ToolbarsList", "CT2653012,ConduitEngine");
Eliminata : user_pref("CommunityToolbar.ToolbarsList2", "CT2653012");
Eliminata : user_pref("CommunityToolbar.alert.alertDialogsGetterLastCheckTime", "Tue Jun 07 2011 23:35:30 GMT+02[...]
Eliminata : user_pref("CommunityToolbar.alert.alertInfoInterval", 1440);
Eliminata : user_pref("CommunityToolbar.alert.alertInfoLastCheckTime", "Fri Jun 24 2011 14:37:02 GMT+0200 (ora l[...]
Eliminata : user_pref("CommunityToolbar.alert.clientsServerUrl", "hxxp://alert.client.conduit.com");
Eliminata : user_pref("CommunityToolbar.alert.locale", "en");
Eliminata : user_pref("CommunityToolbar.alert.loginIntervalMin", 1440);
Eliminata : user_pref("CommunityToolbar.alert.loginLastCheckTime", "Sun Jun 26 2011 13:48:33 GMT+0200 (ora legal[...]
Eliminata : user_pref("CommunityToolbar.alert.loginLastUpdateTime", "1305622559");
Eliminata : user_pref("CommunityToolbar.alert.messageShowTimeSec", 20);
Eliminata : user_pref("CommunityToolbar.alert.servicesServerUrl", "hxxp://alert.services.conduit.com");
Eliminata : user_pref("CommunityToolbar.alert.showTrayIcon", false);
Eliminata : user_pref("CommunityToolbar.alert.userCloseIntervalMin", 300);
Eliminata : user_pref("CommunityToolbar.alert.userId", "{64589b3a-579e-460e-9832-fb5b23dd3f7e}");
Eliminata : user_pref("CommunityToolbar.isAlertUrlAddedToFeedItemTable", true);
Eliminata : user_pref("CommunityToolbar.isClickActionAddedToFeedItemTable", true);
Eliminata : user_pref("CommunityToolbar.keywordURLSelectedCTID", "CT2653012");
Eliminata : user_pref("ConduitEngine.AppTrackingLastCheckTime", "Thu Jun 16 2011 13:24:22 GMT+0200 (ora legale E[...]
Eliminata : user_pref("ConduitEngine.CTID", "ConduitEngine");
Eliminata : user_pref("ConduitEngine.DialogsGetterLastCheckTime", "Sun Mar 27 2011 22:55:01 GMT+0200 (ora legale[...]
Eliminata : user_pref("ConduitEngine.FirstServerDate", "01/20/2011 19");
Eliminata : user_pref("ConduitEngine.FirstTime", true);
Eliminata : user_pref("ConduitEngine.FirstTimeFF3", true);
Eliminata : user_pref("ConduitEngine.HasUserGlobalKeys", true);
Eliminata : user_pref("ConduitEngine.Initialize", true);
Eliminata : user_pref("ConduitEngine.InitializeCommonPrefs", true);
Eliminata : user_pref("ConduitEngine.InstalledDate", "Thu Jan 20 2011 17:26:57 GMT+0100 (ora solare Europa occid[...]
Eliminata : user_pref("ConduitEngine.IsMulticommunity", false);
Eliminata : user_pref("ConduitEngine.IsOpenThankYouPage", false);
Eliminata : user_pref("ConduitEngine.IsOpenUninstallPage", true);
Eliminata : user_pref("ConduitEngine.LanguagePackLastCheckTime", "Sun Mar 27 2011 22:55:00 GMT+0200 (ora legale [...]
Eliminata : user_pref("ConduitEngine.LastLogin_3.2.5.2", "Thu Jan 20 2011 17:26:42 GMT+0100 (ora solare Europa o[...]
Eliminata : user_pref("ConduitEngine.LastLogin_3.3.3.2", "Sun Mar 27 2011 22:55:00 GMT+0200 (ora legale Europa o[...]
Eliminata : user_pref("ConduitEngine.SearchFromAddressBarIsInit", true);
Eliminata : user_pref("ConduitEngine.SettingsLastCheckTime", "Sun Mar 27 2011 22:55:01 GMT+0200 (ora legale Euro[...]
Eliminata : user_pref("ConduitEngine.UserID", "UN10571986906337356");
Eliminata : user_pref("ConduitEngine.componentAlertEnabled", true);
Eliminata : user_pref("ConduitEngine.engineLocale", "it");
Eliminata : user_pref("ConduitEngine.enngineContextMenuLastCheckTime", "Sun Mar 27 2011 22:55:01 GMT+0200 (ora l[...]
Eliminata : user_pref("ConduitEngine.globalFirstTimeInfoLastCheckTime", "Sun Mar 27 2011 22:55:03 GMT+0200 (ora [...]
Eliminata : user_pref("ConduitEngine.initDone", true);
Eliminata : user_pref("ConduitEngine.isAppTrackingManagerOn", true);
Eliminata : user_pref("ConduitEngine.usagesFlag", 2);
Eliminata : user_pref("browser.search.defaultthis.engineName", "Veoh Web Player Customized Web Search");
Eliminata : user_pref("browser.search.defaulturl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2653012&Sea[...]

*************************

AdwCleaner[S1].txt - [14131 octets] - [29/06/2013 15:34:21]

########## EOF - C:\AdwCleaner[S1].txt - [14192 octets] ##########
 

 

 

 

 

 

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Versione database: v2013.06.29.03

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Administrator :: YOUR-2CBA8FC3CE [amministratore]

29/06/2013 15.57.16
mbam-log-2013-06-29 (15-57-16).txt

Tipo di scansione: Scansione veloce
Opzioni di scansione attive: Memoria | Esecuzione automatica | Registro | File di sistema | Euristica/Extra | Euristica/Shuriken | PUP | PUM
Opzioni di scansione disattivate: P2P
Elementi esaminati: 238022
Tempo impiegato: 12 minuti, 21 secondi

Processi rilevati in memoria: 0
(non sono stati rilevati elementi nocivi)

Moduli di memoria rilevati: 0
(non sono stati rilevati elementi nocivi)

Chiavi di registro rilevate: 0
(non sono stati rilevati elementi nocivi)

Valori di registro rilevati: 0
(non sono stati rilevati elementi nocivi)

Voci rilevate nei dati di registro: 0
(non sono stati rilevati elementi nocivi)

Cartelle rilevate: 0
(non sono stati rilevati elementi nocivi)

File rilevati: 0
(non sono stati rilevati elementi nocivi)

(fine)
 

 

 

Bye

 

Nembo


Edited by nembo, 29 June 2013 - 02:32 PM.


#8 Guest_White Warrior_*

Guest_White Warrior_*

  • Guests
  • OFFLINE
  •  

Posted 01 July 2013 - 07:56 PM

Hi nembo.

The TVant file that is left won't cause any problems.

The good news is your logs look clean.
So now we need to do some updates, some clean up and you should be good to go.

Your version of Internet Explorer is outdated.


Firefox is out of date. Please go here and download the latest version.
 
Install and use a firewall with outbound protection
While the firewall built into Windows XP is adequate to protect you from incoming attacks, it will not be much help in alerting you to programs already on your PC attempting to connect to remote servers
I therefore strongly recommend that you install one of the following free firewalls: Comodo Firewall (remember to uncheck Install Comodo Antivirus) or Private Firewall
See Bleepingcomputer's excellent tutorial to help using and understanding a firewall here
Note: You should only have one firewall installed at a time. Having more than one firewall program installed at once is likely to cause conflicts and may well decrease your overall protection as well as seriously impairing the performance of your PC.

  • Double click on AdwCleaner.exe to run the tool.
  • Click on Uninstall
  • Confirm with yes

I suggest you keep MBAM and use it to scan your computer on a regular basis.

Purging System Restore Points
Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.  

To do this:
On the Desktop, right-click My Computer > click Properties > click the System Restore tab.
Check Turn off System Restore.
Click Apply > a window will pop up and ask if you really want to turn it off > click Yes.
Please wait a few moments to let it clear.
Now please remove the check from Turn off System Restore.
Click Apply, and then click OK.

System Restore will be working again and will have a new Restore Point.

Let me know if there are any problems left.

White Warrior
 



#9 nembo

nembo
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Italy
  • Local time:07:25 PM

Posted 04 July 2013 - 03:37 PM

Hi White Warrior

 

 

I opened the link to download Internet Explorer but I didn't see any version compatible with Windows XP. What's more, since I never use it (I always use Firefox) is it really necessary to keep it updated?

 

I tried to update Firefox from the Help menu but it said it was already updated. Then I downloaded it and installed it from the link you showed me but the version is quite the same (version 22.0). So I don't know why one of the logs said it was out of date.

 

Should I always use Revo when I unistall something or is it only for difficult situations?

 

When I clicked on Adwcleaner.exe there was no "Unistall" button. A message popped up saying it was outdated, so I clicked OK and it opened an Internet page. Now it has disappeared from the folder (I don't know how). I made a search keying "adwcleaner" and the only entry is "ADWCLEANER.EXE-288C0996.pf" in C\WINDOWS\Prefetch.

 

Comodo Firewall stopped my computer working (the desktop was empty and I couldn't open anything) but Private Firewall is OK.

I have only deactivated Windows Firewall, I haven't unistalled it. Is that enough to avoid problems while I use another firewall?

 

As for System Restore, I've understood from your words that I should do the operation you described whenever my antivirus or antimalware finds some threats and deletes them. Am I right?

 

 

I've made a quick scan with MBAM today and it's found something. Here is the log:

 

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Versione database: v2013.07.04.08

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Administrator :: YOUR-2CBA8FC3CE [amministratore]

04/07/2013 21.06.17
mbam-log-2013-07-04 (21-06-17).txt

Tipo di scansione: Scansione veloce
Opzioni di scansione attive: Memoria | Esecuzione automatica | Registro | File di sistema | Euristica/Extra | Euristica/Shuriken | PUP | PUM
Opzioni di scansione disattivate: P2P
Elementi esaminati: 239728
Tempo impiegato: 14 minuti, 19 secondi

Processi rilevati in memoria: 0
(non sono stati rilevati elementi nocivi)

Moduli di memoria rilevati: 0
(non sono stati rilevati elementi nocivi)

Chiavi di registro rilevate: 0
(non sono stati rilevati elementi nocivi)

Valori di registro rilevati: 0
(non sono stati rilevati elementi nocivi)

Voci rilevate nei dati di registro: 0
(non sono stati rilevati elementi nocivi)

Cartelle rilevate: 0
(non sono stati rilevati elementi nocivi)

File rilevati: 1
C:\RECYCLER\S-1-5-21-1994444560-4096946527-1595469631-500\Dc298.zip (Trojan.Genpack.SRE) -> Spostato in quarantena ed eliminato con successo.

(fine)

 

 

 

 

Have a good day

 

Nembo
 


Edited by nembo, 04 July 2013 - 03:37 PM.


#10 Guest_White Warrior_*

Guest_White Warrior_*

  • Guests
  • OFFLINE
  •  

Posted 05 July 2013 - 11:35 PM

Hi nembo.

Sorry about Internet Explorer. It is up to date. Version 8 is the latest version for XP.

It is up to you if you use revo all the time or not. By using Revo you can be sure that everything has been deleted from the computer.

Don't worry about AdwCleaner it should be ok.

Deactivate the windows firewall is fine. You can't uninstall it as it is part of windows.

You can clean system restore whenever you get infected, that would make sure there is no malware in any old restore points.
But note: Important  This should only be done after successful cleaning of the malware.

The entry in MBAM is nothing to worry about as it was in the recycle bin.

Now some preventative steps to ensure you don't get infected again:

It is important that you visit http://www.windowsupdate.com regularly.  This will ensure your computer has always the latest security updates available installed on your computer.  If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

You can check your system for out of date software manually, or by using automated tools such as Secunia's Personal Software Inspector. This goes doubly for security applications such as antivirus and other antimalware products based on definition lists, where out of date lists mean no detection of newer malware.

Finally, read this tutorial and follow each of the steps:
http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/

Happy Surfing.

White Warrior.

 



#11 nembo

nembo
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Italy

Posted 07 July 2013 - 02:48 PM

Thank you very much for your assistance and your advice, it was very kind of you.

Ciao White Warrior :)


Edited by nembo, 07 July 2013 - 02:48 PM.


#12 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,774 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home

Posted 08 July 2013 - 03:49 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users