
Thread: invalid security certificates everywhere I go

  1. #31
    Member
    Join Date
    Aug 2009
    Posts
    44

    Latest OTL scan

    I have been limiting use of my computer because I have not seen the "all appears clear" in your posts. I did not want to assume anything, so I figured I would clarify after you stopped having me run the scans. I appreciate your assistance and have put a lot of faith in you, and I want you to be sure before I am sure.


    recent OTL log:
    OTL logfile created on: 2/11/2013 4:00:43 PM - Run 3
    OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Owner\Desktop
    Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    1.12 Gb Total Physical Memory | 0.53 Gb Available Physical Memory | 46.97% Memory free
    1.98 Gb Paging File | 1.52 Gb Available in Paging File | 76.97% Paging File free
    Paging file location(s): C:\pagefile.sys 1000 1500 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 181.86 Gb Total Space | 144.04 Gb Free Space | 79.21% Space Free | Partition Type: NTFS
    Drive D: | 4.43 Gb Total Space | 2.71 Gb Free Space | 61.07% Space Free | Partition Type: FAT32

    Computer Name: YOUR-382F8BB83C | User Name: Owner | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
    PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
    PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe (Malwarebytes Corporation)
    PRC - C:\Program Files\Alwil Software\Avast5\AvastUI.exe (AVAST Software)
    PRC - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe (AVAST Software)
    PRC - C:\Documents and Settings\Owner\Desktop\OTL.exe (OldTimer Tools)
    PRC - C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
    PRC - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    PRC - C:\Program Files\EDIMAX\Common\RaUI.exe (Edimax Technology Co., Ltd)
    PRC - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS (New Boundary Technologies, Inc.)
    PRC - C:\Program Files\Digital Media Reader\readericon45G.exe (Alcor Micro, Corp.)
    PRC - C:\Program Files\HP\HP Software Update\hpwuSchd.exe (Hewlett-Packard)


    ========== Modules (No Company Name) ==========

    MOD - C:\Program Files\Alwil Software\Avast5\defs\13021100\algo.dll ()
    MOD - C:\Program Files\Yahoo!\Messenger\yui.dll ()
    MOD - C:\Program Files\EDIMAX\Common\acAuth.dll ()
    MOD - C:\WINDOWS\system32\hpotscl.dll ()


    ========== Services (SafeList) ==========

    SRV - (AppMgmt) -- %SystemRoot%\System32\appmgmts.dll File not found
    SRV - (a2free) -- E:\DIAG & REPAIR\ANTI SPYWARE\A-SQUARED FREE\a2service.exe File not found
    SRV - (AdobeFlashPlayerUpdateSvc) -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe Systems Incorporated)
    SRV - (MBAMService) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
    SRV - (MBAMScheduler) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe (Malwarebytes Corporation)
    SRV - (avast! Antivirus) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe (AVAST Software)
    SRV - (MozillaMaintenance) -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe (Mozilla Foundation)
    SRV - (YahooAUService) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)
    SRV - (PrismXL) -- C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS (New Boundary Technologies, Inc.)
    SRV - (Pml Driver HPZ12) -- C:\WINDOWS\system32\HPZipm12.exe (HP)


    ========== Driver Services (SafeList) ==========

    DRV - (WDICA) -- File not found
    DRV - (PDRFRAME) -- File not found
    DRV - (PDRELI) -- File not found
    DRV - (PDFRAME) -- File not found
    DRV - (PDCOMP) -- File not found
    DRV - (PCIDump) -- File not found
    DRV - (lbrtfdc) -- File not found
    DRV - (Lbd) -- system32\DRIVERS\Lbd.sys File not found
    DRV - (Changer) -- File not found
    DRV - (BW2NDIS5) -- System32\Drivers\BW2NDIS5.sys File not found
    DRV - (ADSFilter) -- system32\DRIVERS\ADSFilter.sys File not found
    DRV - (MBAMProtector) -- C:\WINDOWS\system32\drivers\mbam.sys (Malwarebytes Corporation)
    DRV - (aswSnx) -- C:\WINDOWS\System32\drivers\aswSnx.sys (AVAST Software)
    DRV - (aswSP) -- C:\WINDOWS\System32\drivers\aswSP.sys (AVAST Software)
    DRV - (aswTdi) -- C:\WINDOWS\System32\drivers\aswTdi.sys (AVAST Software)
    DRV - (aswRdr) -- C:\WINDOWS\System32\drivers\aswRdr.sys (AVAST Software)
    DRV - (aswMon2) -- C:\WINDOWS\System32\drivers\aswmon2.sys (AVAST Software)
    DRV - (Aavmker4) -- C:\WINDOWS\System32\drivers\aavmker4.sys (AVAST Software)
    DRV - (aswFsBlk) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys (AVAST Software)
    DRV - (RT61) -- C:\WINDOWS\system32\drivers\rt61.sys (Ralink Technology, Corp.)
    DRV - (ASCTRM) -- C:\WINDOWS\System32\drivers\asctrm.sys (Windows (R) 2000 DDK provider)
    DRV - (IntcAzAudAddService) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)
    DRV - (nvnetbus) -- C:\WINDOWS\system32\drivers\nvnetbus.sys (NVIDIA Corporation)
    DRV - (NVENETFD) -- C:\WINDOWS\system32\drivers\NVENETFD.sys (NVIDIA Corporation)
    DRV - (HSF_DPV) -- C:\WINDOWS\system32\drivers\HSF_DPV.sys (Conexant Systems, Inc.)
    DRV - (HSFHWBS2) -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys (Conexant Systems, Inc.)
    DRV - (winachsf) -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys (Conexant Systems, Inc.)
    DRV - (HdAudAddService) -- C:\WINDOWS\system32\drivers\Hdaudio.sys (Windows (R) Server 2003 DDK provider)
    DRV - (wanatw) -- C:\WINDOWS\system32\drivers\wanatw4.sys (America Online, Inc.)
    DRV - (mxnic) -- C:\WINDOWS\system32\drivers\mxnic.sys (Macronix International Co., Ltd. )


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search
    IE - HKLM\..\SearchScopes,DefaultScope =
    IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
    IE - HKLM\..\SearchScopes\{72CCA13A-4B37-4B53-8F96-03FBD1EEF699}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7

    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?fr=fp-yie8
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
    IE - HKCU\..\SearchScopes,DefaultScope = {43CE027F-977E-4A4F-88A3-9E71D72CB3EE}
    IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
    IE - HKCU\..\SearchScopes\{43CE027F-977E-4A4F-88A3-9E71D72CB3EE}: "URL" = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=chr-yie8
    IE - HKCU\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
    IE - HKCU\..\SearchScopes\{72CCA13A-4B37-4B53-8F96-03FBD1EEF699}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
    IE - HKCU\..\SearchScopes\{7A4490DC-927C-4758-9637-43CB97CFA63F}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=MS8TDF&pc=MS8TDF&src=IE-SearchBox
    IE - HKCU\..\SearchScopes\{A93C3295-EECD-4409-AB96-2B154D5C8D66}: "URL" = http://www.bing.com/search?q={searchTerms}&form=MS8TDF&pc=MS8TDF&src=IE-SearchBox
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    ========== FireFox ==========

    FF - prefs.js..browser.startup.homepage: "http://www.msn.com/"
    FF - prefs.js..extensions.enabledAddons: jqs@sun.com:1.0
    FF - prefs.js..extensions.enabledAddons: wrc@avast.com:7.0.1474
    FF - prefs.js..extensions.enabledItems: wrc@avast.com:7.0.1426
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}:6.0.26
    FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
    FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:2.4.2.20111006100951
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}:6.0.31
    FF - user.js - File not found

    FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_5_502_149.dll ()
    FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6: C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
    FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\wrc@avast.com: C:\Program Files\Alwil Software\Avast5\WebRep\FF [2012/11/14 05:37:00 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 12.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2013/02/10 10:01:25 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 12.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2013/02/10 10:01:25 | 000,000,000 | ---D | M]

    [2009/11/21 07:49:00 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions
    [2013/02/09 10:27:45 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\zxy704qm.default\extensions
    [2010/04/29 04:15:19 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\zxy704qm.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    [2012/05/12 06:03:11 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
    [2012/11/14 05:37:00 | 000,000,000 | ---D | M] (avast! WebRep) -- C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST5\WEBREP\FF
    [2012/02/16 15:04:09 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
    [2012/05/11 14:53:55 | 000,097,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
    [2012/02/16 15:04:08 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
    [2012/05/11 14:53:50 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
    [2012/05/11 14:53:50 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

    ========== Chrome ==========

    CHR - homepage: http://www.google.com/
    CHR - default_search_provider: Google (Enabled)
    CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding}
    CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms}&sugkey={google:suggestAPIKeyParameter}
    CHR - homepage: http://www.google.com/

    O1 HOSTS File: ([2009/08/30 06:37:55 | 000,326,901 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O1 - Hosts: 127.0.0.1 007guard.com
    O1 - Hosts: 127.0.0.1 www.007guard.com
    O1 - Hosts: 127.0.0.1 008i.com
    O1 - Hosts: 127.0.0.1 008k.com
    O1 - Hosts: 127.0.0.1 www.008k.com
    O1 - Hosts: 127.0.0.1 00hq.com
    O1 - Hosts: 127.0.0.1 www.00hq.com
    O1 - Hosts: 127.0.0.1 010402.com
    O1 - Hosts: 127.0.0.1 032439.com
    O1 - Hosts: 127.0.0.1 www.032439.com
    O1 - Hosts: 127.0.0.1 100888290cs.com
    O1 - Hosts: 127.0.0.1 www.100888290cs.com
    O1 - Hosts: 127.0.0.1 100sexlinks.com
    O1 - Hosts: 127.0.0.1 www.100sexlinks.com
    O1 - Hosts: 127.0.0.1 10sek.com
    O1 - Hosts: 127.0.0.1 www.10sek.com
    O1 - Hosts: 127.0.0.1 123topsearch.com
    O1 - Hosts: 127.0.0.1 www.123topsearch.com
    O1 - Hosts: 127.0.0.1 132.com
    O1 - Hosts: 127.0.0.1 www.132.com
    O1 - Hosts: 127.0.0.1 136136.net
    O1 - Hosts: 127.0.0.1 www.136136.net
    O1 - Hosts: 127.0.0.1 163ns.com
    O1 - Hosts: 127.0.0.1 www.163ns.com
    O1 - Hosts: 11184 more lines...
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
    O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
    O2 - BHO: (no name) - {656EC4B7-072B-4698-B504-2A414C1F0037} - No CLSID value found.
    O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
    O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll (AVAST Software)
    O2 - BHO: (no name) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - No CLSID value found.
    O2 - BHO: (no name) - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll (AVAST Software)
    O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\avastUI.exe (AVAST Software)
    O4 - HKLM..\Run: [CHotkey] C:\WINDOWS\zHotkey.exe ()
    O4 - HKLM..\Run: [High Definition Audio Property Page Shortcut] C:\WINDOWS\System32\HdAShCut.exe (Windows (R) Server 2003 DDK provider)
    O4 - HKLM..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd.exe (Hewlett-Packard)
    O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
    O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
    O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.dll (NVIDIA Corporation)
    O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
    O4 - HKLM..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe (Alcor Micro, Corp.)
    O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\Recguard.exe ()
    O4 - HKCU..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
    O4 - HKCU..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background File not found
    O4 - HKCU..\Run: [Power2GoExpress] File not found
    O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled [2006/08/07 14:55:02 | 000,000,000 | -H-D | M]
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe (Intuit Inc.)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE (Intuit)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Wireless Utility.lnk = C:\Program Files\EDIMAX\Common\RaUI.exe (Edimax Technology Co., Ltd)
    O4 - Startup: C:\Documents and Settings\Owner\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O8 - Extra context menu item: &Search - Reg Error: Value error. File not found
    O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
    O15 - HKCU\..Trusted Domains: //@install.mar@ ([]msni in My Computer)
    O15 - HKCU\..Trusted Domains: //@mail.mar@ ([]msni in Local intranet)
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} Reg Error: Value error. (Reg Error: Key error.)
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 8.8.8.8 8.8.4.4 209.55.27.13
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C353AE75-28E8-460E-8CBE-973FE3C5C2D8}: DhcpNameServer = 8.8.8.8 8.8.4.4 209.55.27.13
    O18 - Protocol\Handler\cetihpz {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2004/08/26 11:04:39 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.001 -- [ NTFS ]
    O32 - AutoRun File - [2007/11/11 19:59:21 | 000,000,029 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O32 - AutoRun File - [2004/09/13 12:15:24 | 000,000,053 | -HS- | M] () - D:\Autorun.inf -- [ FAT32 ]
    O32 - AutoRun File - [2003/08/08 17:24:26 | 000,000,045 | -HS- | M] () - D:\autorun.inf.aug.8 -- [ FAT32 ]
    O33 - MountPoints2\{7b245741-de65-11da-869a-806d6172696f}\Shell - "" = AutoRun
    O33 - MountPoints2\{7b245741-de65-11da-869a-806d6172696f}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{7b245741-de65-11da-869a-806d6172696f}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
    O33 - MountPoints2\{7f41a1aa-e21b-11df-b362-0016173f1d9c}\Shell - "" = AutoRun
    O33 - MountPoints2\{7f41a1aa-e21b-11df-b362-0016173f1d9c}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{7f41a1aa-e21b-11df-b362-0016173f1d9c}\Shell\AutoRun\command - "" = J:\LaunchU3.exe -a
    O34 - HKLM BootExecute: (autocheck autochk *)
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*
    O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
    O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

    ========== Files/Folders - Created Within 30 Days ==========

    [2013/02/09 11:17:02 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
    [2013/02/09 10:55:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2013/02/09 10:55:13 | 000,021,104 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
    [2013/02/09 10:55:13 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2009/01/03 10:11:00 | 054,157,776 | ---- | C] (AVG Technologies) -- C:\Program Files\avg_free_stf_en_8_176a1400.exe
    [2009/01/01 12:30:42 | 053,682,216 | ---- | C] (AVG Technologies) -- C:\Program Files\index.php
    [2008/10/18 05:54:06 | 007,857,600 | ---- | C] (Microsoft Corporation) -- C:\Program Files\windows-kb890830-x64-v2.3.exe
    [2008/01/27 10:07:28 | 007,467,056 | ---- | C] (Safer Networking Ltd. ) -- C:\Program Files\spybotsd15.exe
    [2007/12/30 19:40:28 | 001,386,736 | ---- | C] (Microsoft Corporation) -- C:\Program Files\WindowsXP-KB904706-v2-x86-ENU.exe
    [2007/02/17 20:40:21 | 000,288,616 | ---- | C] (Microsoft Corporation) -- C:\Program Files\dxwebsetup.exe

    ========== Files - Modified Within 30 Days ==========

    [2013/02/11 16:00:31 | 000,000,318 | -H-- | M] () -- C:\WINDOWS\tasks\avast! Emergency Update.job
    [2013/02/11 15:59:27 | 000,030,277 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
    [2013/02/11 15:59:08 | 000,001,170 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2013/02/11 15:57:14 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2013/02/11 15:57:12 | 1207,357,440 | -HS- | M] () -- C:\hiberfil.sys
    [2013/02/11 15:24:00 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
    [2013/02/10 17:26:18 | 000,000,422 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{1C01F64A-466A-4696-AA08-7A98BA326994}.job
    [2013/02/09 11:26:13 | 000,697,712 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
    [2013/02/09 11:26:13 | 000,074,096 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
    [2013/02/09 10:55:20 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
    [2013/01/27 12:04:00 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
    [2013/01/26 15:52:07 | 000,000,233 | ---- | M] () -- C:\WINDOWS\qwimp.ini
    [2013/01/26 15:45:47 | 000,001,372 | ---- | M] () -- C:\WINDOWS\QUICKEN.INI

    ========== Files Created - No Company Name ==========

    [2013/02/11 15:57:12 | 1207,357,440 | -HS- | C] () -- C:\hiberfil.sys
    [2013/02/09 10:55:20 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
    [2012/05/01 19:20:09 | 000,002,048 | ---- | C] () -- C:\WINDOWS\System32\rt73.bin
    [2012/02/16 05:13:00 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
    [2011/09/04 12:43:58 | 000,038,867 | ---- | C] () -- C:\WINDOWS\hpomdl03.dat
    [2011/09/04 12:43:58 | 000,029,134 | ---- | C] () -- C:\WINDOWS\hpoins03.dat
    [2011/07/26 11:38:45 | 000,072,080 | ---- | C] () -- C:\Documents and Settings\Owner\g2mdlhlpx.exe
    [2008/01/05 10:07:06 | 038,121,770 | ---- | C] () -- C:\Program Files\Office2003SP3-KB923618-FullFile-ENU.exe
    [2006/10/22 07:38:01 | 000,012,288 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2006/08/08 17:23:30 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\fusioncache.dat
    [2006/08/07 21:18:12 | 001,070,492 | ---- | C] () -- C:\Program Files\InstallICW.EXE

    ========== ZeroAccess Check ==========

    [2006/05/08 01:41:56 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

    [HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

    [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
    "" = %SystemRoot%\system32\shdocvw.dll -- [2008/04/13 17:12:05 | 001,499,136 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Apartment

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
    "" = C:\WINDOWS\system32\wbem\fastprox.dll -- [2009/02/09 05:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Free

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
    "" = C:\WINDOWS\system32\wbem\wbemess.dll -- [2008/04/13 17:12:08 | 000,273,920 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Both

    < End of report >

  2. #32
    Malware Team-Emeritus
    Join Date
    Sep 2012
    Location
    Florida, USA
    Posts
    1,161


    Hi djtchrroberts,

    We need to disable Spybot - Search & Destroy's TeaTimer. Please follow the instructions below.
    • Locate your copy of Spybot - Search & Destroy and open it.
    • In the menu bar at the top select "Mode", then select "Advanced".
    • In the left hand menu expand the "Tools" menu.
    • Select "Resident", then remove the check mark for "Resident Tea Timer"
    • Then exit the program by clicking "File" then select "Exit"
    Next

    Run OTL.exe
    • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

      Code:
      :OTL
      O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
      O2 - BHO: (no name) - {656EC4B7-072B-4698-B504-2A414C1F0037} - No CLSID value found.
      O2 - BHO: (no name) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - No CLSID value found.
      O2 - BHO: (no name) - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - No CLSID value found.
      
      :Commands
      [purity]
      [createrestorepoint]
      [emptytemp]
      [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot when it is done
    • Then post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )

    In your next post please provide the following:
    • OTL.txt
    • How is the computer running?
    OCD
    ----------
    Graduate of WTT Classroom
    Member of UNITE

    Threads will be closed if no response after 5 days
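
The fix script above is derived mechanically from the log in the previous post: each `O2 - BHO` line that OTL reports as "No CLSID value found" is an orphaned Browser Helper Object registration, and the fix simply hands those lines back to OTL. The following parser is an added example written for this page, not OTL's own code and not posted by anyone in the thread. It reimplements only the line patterns visible in the logs here (stale `SRV`/`DRV` entries, orphaned BHOs, the `O17` resolvers, the IE `ProxyEnable` flag and the `O20` Winlogon values, the settings a helper checks first when every site throws certificate warnings) and then renders the same `:OTL` / `:Commands` script the helper pasted. The sample log is constructed from the thread's format, the resolver allowlist is an assumption the reviewer supplies, and the "expected" Winlogon names are those of a stock Windows XP install.

```python
"""Pull the actionable entries out of an OTL log and render an OTL fix script.

Added example: only the line shapes visible in the thread's logs are handled
(OTL's own matching is not published), so this is a reviewer's aid, not OTL.
"""
import re
from pathlib import PureWindowsPath

# Constructed sample, copied in shape from the thread's log (not the full log).
SAMPLE_LOG = r"""
========== Services (SafeList) ==========

SRV - (AppMgmt) -- %SystemRoot%\System32\appmgmts.dll File not found
SRV - (MBAMService) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)

========== Driver Services (SafeList) ==========

DRV - (WDICA) -- File not found
DRV - (Lbd) -- system32\DRIVERS\Lbd.sys File not found
DRV - (aswSP) -- C:\WINDOWS\System32\drivers\aswSP.sys (AVAST Software)

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 8.8.8.8 8.8.4.4 209.55.27.13
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
"""

# The BHO name may itself contain parentheses ("Java(tm) ..."), so the name is
# greedy and the 36-character CLSID anchors the match.
BHO_RE = re.compile(r"^O2 - BHO: \((?P<name>.*)\) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<rest>.*)$")
MISSING_RE = re.compile(r"^(?P<kind>SRV|DRV) - \((?P<name>[^)]+)\) -- (?P<path>.*?)\s*File not found$")
DNS_RE = re.compile(r"^O17 - .*DhcpNameServer = (?P<servers>[\d. ]+)$")
PROXY_RE = re.compile(r'"ProxyEnable" = (?P<value>\d+)')
WINLOGON_RE = re.compile(r"^O20 - HKLM Winlogon: (?P<key>Shell|UserInit) - \((?P<value>[^)]*)\) - ")

# Stock Windows XP values (assumption); a different or appended executable deserves a look.
EXPECTED_WINLOGON = {"Shell": "explorer.exe", "UserInit": "userinit.exe"}


def parse_otl(text, known_dns=("8.8.8.8", "8.8.4.4")):
    """Return findings as plain data. known_dns is the reviewer's allowlist
    (public resolvers, the user's ISP); other resolvers land in unknown_dns for
    manual verification, since a hijacked resolver is a classic cause of
    site-wide certificate errors."""
    findings = {
        "orphan_bhos": [],   # (name, clsid) with no CLSID registration behind it
        "missing": [],       # (kind, name, path) for SRV/DRV entries whose file is gone
        "dns": [],           # every DhcpNameServer seen, in order, deduplicated
        "unknown_dns": [],   # subset of dns not in known_dns
        "proxy_enabled": False,
        "winlogon": {},      # key -> (list of executables, matches stock value)
    }
    for raw in text.splitlines():
        line = raw.strip()
        if (m := BHO_RE.match(line)):
            if m.group("rest").startswith("No CLSID value found"):
                findings["orphan_bhos"].append((m.group("name"), m.group("clsid")))
        elif (m := MISSING_RE.match(line)):
            findings["missing"].append((m.group("kind"), m.group("name"), m.group("path")))
        elif (m := DNS_RE.match(line)):
            for server in m.group("servers").split():
                if server not in findings["dns"]:
                    findings["dns"].append(server)
                    if server not in known_dns:
                        findings["unknown_dns"].append(server)
        elif (m := PROXY_RE.search(line)):
            findings["proxy_enabled"] = m.group("value") != "0"
        elif (m := WINLOGON_RE.match(line)):
            key = m.group("key")
            # UserInit is commonly hijacked by appending ",<path>" rather than replacing it.
            exes = [PureWindowsPath(p.strip()).name.lower()
                    for p in m.group("value").split(",") if p.strip()]
            findings["winlogon"][key] = (exes, exes == [EXPECTED_WINLOGON[key]])
    return findings


def build_otl_fix(findings, commands=("purity", "createrestorepoint", "emptytemp", "Reboot")):
    """Render the orphaned BHOs as an OTL Custom Scans/Fixes script in the
    :OTL / :Commands layout used in the thread. Returns "" when there is
    nothing to fix, so nobody pastes a script that only reboots the box."""
    if not findings["orphan_bhos"]:
        return ""
    lines = [":OTL"]
    lines += [f"O2 - BHO: ({name}) - {clsid} - No CLSID value found."
              for name, clsid in findings["orphan_bhos"]]
    lines += ["", ":Commands"] + [f"[{c}]" for c in commands]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = parse_otl(SAMPLE_LOG)
    for kind, name, path in found["missing"]:
        print(f"{kind} {name}: file missing ({path or 'no path recorded'})")
    print("resolvers to verify with the ISP:", found["unknown_dns"])
    print(build_otl_fix(found))
```

Run against the real log from the previous post, the `missing` list is long but harmless (stale service and driver registrations from uninstalled software), the four orphaned BHOs reproduce the helper's `:OTL` block, `ProxyEnable` is 0 and both Winlogon values are stock, which is why the helper moved straight to cleanup rather than chasing a proxy or shell hijack.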

  3. #33
    Member
    Join Date
    Aug 2009
    Posts
    44


    I started the last OTL scan with the custom scan code and again my computer froze up. I started it at 3:56, got busy on the phone, came back two hours later and my computer was still on 3:56.

  4. #34
    Malware Team-Emeritus
    Join Date
    Sep 2012
    Location
    Florida, USA
    Posts
    1,161


    Hi djtchrroberts,

    Let's try the Safe Mode route again.

    = = = = = = = = = =

    Reboot Windows XP in Safe Mode w/ Networking
    • Restart your computer.
    • When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
    • Select the option for Safe Mode w/ Networking using the arrow keys.
    • Then press enter on your keyboard to boot into Safe Mode w/ Networking.
    Next

    Run OTL.exe
    • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

      Code:
      :OTL
      O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
      O2 - BHO: (no name) - {656EC4B7-072B-4698-B504-2A414C1F0037} - No CLSID value found.
      O2 - BHO: (no name) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - No CLSID value found.
      O2 - BHO: (no name) - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - No CLSID value found.
      
      :Commands
      [purity]
      [emptytemp]
      [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot when it is done
    • Then post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )

    In your next post please provide the following:
    • OTL.txt
    • How is the computer running?
    OCD
    ----------
    Graduate of WTT Classroom
    Member of UNITE

    Threads will be closed if no response after 5 days

  5. #35
    Member
    Join Date
    Aug 2009
    Posts
    44

    OTL Log attached

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 66016 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Flash cache emptied: 0 bytes

    User: NetworkService
    ->Temp folder emptied: 2480 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: Owner
    ->Temp folder emptied: 13984257 bytes
    ->Temporary Internet Files folder emptied: 606502 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Google Chrome cache emptied: 0 bytes
    ->Flash cache emptied: 506 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 664 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 14.00 mb


    OTL by OldTimer - Version 3.2.69.0 log created on 02132013_152543

    Files\Folders moved on Reboot...

    PendingFileRenameOperations files...

    Registry entries deleted on Reboot...

  6. #36
    Member
    Join Date
    Aug 2009
    Posts
    44


    I am not sure what you are looking for when asking how my computer is running. I have not been getting the invalid security certificate warning for several days now, so I assume that the infection has been inactivated/quarantined. I will use my computer some tonight and if I run into concerns I will post another reply to let you know. Meanwhile, if you could be more specific about what you are looking for, that would help.

  7. #37
    Malware Team-Emeritus
    Join Date
    Sep 2012
    Location
    Florida, USA
    Posts
    1,161


    Hi djtchrroberts,

    Your log appears to be clean. We have a few items to take care of before we get to the All Clean Speech.

    Clean up with OTL:
    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL, as this step will require a reboot.
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.
    Next

    You can now delete any tools or logs remaining on your desktop.

    Next
    • Please go to Start > Control Panel > Add Remove Programs.
    • Locate the following programs:
      • Adobe Reader X (10.1.5)
      • Java™ 6 Update 31
    • Click Remove and allow Windows to completely remove each one in turn. Then reboot your computer to complete this part of the process.
    Next

    Adobe Reader: Go to http://get.adobe.com/reader/otherversions/
    • Use the drop-down menus to select your operating system
    • Select your language > Select The current version of Adobe Reader for your language
    • Remove the check mark from the box "Free! McAfee Security Scan Plus"
    • Click the Download button, and follow the onscreen directions to complete the installation.
    Please note, depending on your settings, you may have to temporarily disable your antivirus software for the Adobe Reader update.

    Next

    Even though I just had you update Java, this next step needs to be carried out.

    There is a vulnerability with regards to Java and web browsers. Therefore, we recommend disabling Java in web browsers.
    More information can be found here: http://www.techsupportforum.com/foru...rs-683721.html

    Disable Java in Web Browsers Windows XP

    • Click on the Start button and then click on the Control Panel option.
    • Double Click on the Java icon to open the Java Control Panel.
    Disable Java through the Java Control Panel

    • In the Java Control Panel, click on the Security tab.
    • Deselect the check box for Enable Java content in the browser. This will disable the Java plug-in in the browser.
    • Click Apply. When the Windows User Account Control (UAC) dialog appears, allow permissions to make the changes.
    • Click OK in the Java Plug-in confirmation window.
    • Restart the browser for changes to take effect.
    Next

    Create a System Restore Point in Windows XP
    • Click on Start > All Programs > Accessories > System Tools > and click on System Restore.
    • Click on the Create a Restore Point radio button and then click Next.
    • Give your restore point a description.
    • Next click the Create button and your restore point will be created.
    • Exit out of System Tools.
    Next

    Remove all old Restore Points except the most recent one.
    • Click Start, Run and type CLEANMGR and press Enter
    • Select the hard disk partition and press OK
    • At the top of the dialog, click the tab More Options
    • Under System Restore section, click the button "Clean up"
    Next

    We need to Enable Spybot - Search & Destroy's Tea Timer. Please follow the instruction below.
    • Locate your copy of Spybot - Search & Destroy and open it.
    • In the menu bar at the top select "Mode", then select "Advanced".
    • In the left hand menu expand the "Tools" menu.
    • Select "Resident", then place a check mark for "Resident Tea Timer"
    • Then exit the program by clicking "File" then select "Exit"
    = = = = = = = = = = = = = = = = = = = =

    With the above items taken care of let's move on to the All Clean part of the process.

    This infection appears to have been cleaned, but I cannot give you any absolute guarantees. As a precaution, I would go ahead and change all of your passwords, as this is especially important after an infection.

    Any of the logs that you created for use in the forums or remaining tools that have not yet been removed can be deleted so they aren't cluttering up your desktop.

    Here are some tips to reduce the potential for spyware infection in the future:

    Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialize and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub-frames across different domains to Prompt
    • When all these settings have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.

    Make your Mozilla Firefox more secure - This can be done by adding these add-ons:

    Use and update anti-virus software - I cannot overemphasize the need for you to use and update your anti-virus application on a regular basis. With the ever-increasing number of new variants of malware arriving on the scene daily, you become very susceptible to an attack without updated protection.

    Free Anti-Virus

    Firewall
    Using a third-party firewall will allow you to give/deny access for applications that want to go online. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a firewall in its default configuration can lower your risk greatly. A tutorial on firewalls can be found here. **There are firewalls listed in this tutorial that could be downloaded and used but I would personally only recommend using one of the following two below:
    Online Armor Free
    Agnitum Outpost Firewall Free

    Make sure you keep your Windows OS current. Windows XP users can visit Windows update regularly to download and install any critical updates and service packs. Windows Vista/7 users can open the Start menu > All Programs > Windows Update > Check for Updates (in left hand task pane) to update these systems. Without these you are leaving the back door open.

    Consider a custom hosts file such as MVPS HOSTS. This custom hosts file effectively blocks a wide range of unwanted ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers. For information on how to download and install, please read this tutorial by WinHelp2002
    Note: Be sure to follow the instructions to disable the DNS Client service before installing a custom hosts file.

    WOT (Web of Trust) As "Googling" is such an integral part of internet life, this free browser add-on warns you about risky websites that try to scam visitors, deliver malware or send spam. It is especially helpful when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites. WOT has an add-on available for Firefox, Internet Explorer as well as Google Chrome.

    Finally, I strongly recommend that you read TonyKlein's good advice So how did I get infected in the first place?

    Please reply to this thread once more if you are satisfied so that we can mark the problem as resolved.
    OCD
    ----------
    Graduate of WTT Classroom
    Member of UNITE

    Threads will be closed if no response after 5 days
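The Internet Explorer zone settings listed in the post above can be audited rather than clicked through by hand. The following is an added example, not code from the original thread: it parses a `reg export` of the Internet zone key (HKCU\...\Internet Settings\Zones\3) and reports every setting that differs from the values recommended above. The mapping of setting names to numeric registry value IDs is assumed from Microsoft's documentation of the zone settings, and the sample export is constructed.

```python
import re

# Recommended Internet-zone (Zones\3) settings from the post, keyed by the numeric
# action IDs Internet Explorer stores in the registry (ID mapping assumed from
# Microsoft's zone-setting documentation). Stored value: 0 = Enable, 1 = Prompt, 3 = Disable.
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", 1),
    "1004": ("Download unsigned ActiveX controls", 3),
    "1201": ("Initialize and script ActiveX controls not marked as safe", 3),
    "1800": ("Installation of desktop items", 1),
    "1804": ("Launching programs and files in an IFRAME", 1),
    "1607": ("Navigate sub-frames across different domains", 1),
}
NAMES = {0: "Enable", 1: "Prompt", 3: "Disable"}
ZONE_KEY = r"\Internet Settings\Zones\3]"  # tail of the Internet zone's key path

def parse_reg_export(text):
    """Return {value_name: int} for the Internet zone key in a .reg export."""
    values, in_zone = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):          # a new key header
            in_zone = line.endswith(ZONE_KEY)
            continue
        m = re.match(r'"(\d+)"=dword:([0-9a-fA-F]{8})$', line)
        if in_zone and m:                 # dword values are written as 8 hex digits
            values[m.group(1)] = int(m.group(2), 16)
    return values

def audit(values):
    """Return (id, description, current, recommended) for every deviating setting."""
    findings = []
    for vid, (desc, want) in RECOMMENDED.items():
        have = values.get(vid)            # None: value absent, zone default applies
        if have != want:
            findings.append((vid, desc, NAMES.get(have, have), NAMES[want]))
    return findings

# Constructed sample export: two settings still sit at "Enable".
SAMPLE_REG = """Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3]
"1001"=dword:00000001
"1004"=dword:00000000
"1201"=dword:00000003
"1800"=dword:00000001
"1804"=dword:00000000
"1607"=dword:00000001
"""
if __name__ == "__main__":
    for vid, desc, have, want in audit(parse_reg_export(SAMPLE_REG)):
        print(f"{vid} {desc}: is {have}, should be {want}")
```

On a real machine the input would come from `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" zone3.reg`.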

  8. #38
    Member
    Join Date
    Aug 2009
    Posts
    44

    Smile

    Ok, I have followed all of the above. Online Armor immediately detected a screen logger; never heard of a screen logger before! All the internet options were already set as you suggested. Start up is slower, but at this point, I have no concerns. Thank you very much for sharing your expertise and saving my computer from infestation. I have to say that with use of Avast and Spybot, that is only my second infection in 8 years. The Spybot forum has now saved my computer for a 2nd time. Thank you OCD and everyone who contributes that knowledge to help us computer idiots!

  9. #39
    Malware Team-Emeritus
    Join Date
    Sep 2012
    Location
    Florida, USA
    Posts
    1,161

    Default

    Hi djtchrroberts,

    1. Were you aware Screen Logger was installed on your computer?
    2. If so, did you install it yourself?

    "Screen Logger is like a handycam for your screen. It can record everything your computer monitor displays on the screen. The main feature of Screen Logger is to capture your screen and log it into log files for you to view at any time. This is very important feature if you need to keep backups for your work, do some troubleshooting on your computer, or even if you just want to know what happens to your computer while you're away. By capturing screens and log them into log files will give you a figure on what happens to your computer."

    Please run Online Armor again and see if it removes it.

    Post the results.
    OCD
    ----------
    Graduate of WTT Classroom
    Member of UNITE

    Threads will be closed if no response after 5 days

  10. #40
    Member
    Join Date
    Aug 2009
    Posts
    44

    Thumbs down

    No, I did not understand. All the pop-up boxes that Online Armor presents are giving me a headache, not understanding whether I should allow something or not. Start up is 3 times as long as previously and I almost double my surfing time. I am clearly finding it frustrating.
