
computer infected, malwarebytes doesn't show any problems



My computer is infected and I was phished about my ebay account and they had all my ebay information. I am getting repeated "Malwarebytes successfully blocked access to a potentially malicious website" messages, from Google Chrome. I have Malwarebytes Pro and have run it several times and each time it says there is no infection. I uninstalled Chrome, ran Malwarebytes, and reinstalled Chrome, but when I go to ebay the messages start appearing again.

Any help would be appreciated.

Thanks,

Steve

attach.txt

dds.txt


Hello Steve and :welcome:! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:

  • If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
  • I recommend that you keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.
  • Do not perform any kind of scanning and fixing without my instructions. If you want to proceed on your own, please let me know.

Step 1

  • Launch Malwarebytes' Anti-Malware
  • Go to Update tab and select Check for Updates. If an update is found, it will download and install the latest version.
  • Go to Scanner tab and select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Step 2

  • Download RogueKiller to the desktop
  • Quit all programs
  • Start RogueKiller.exe
  • Wait until Prescan has finished ...
  • Click on Scan. Click on Report and copy/paste the content of the notepad in your next reply.

In your next reply, post the following log files:

  • Malwarebytes' Anti-Malware log
  • RogueKiller log


Hi Maniac,

Thanks! Here are the log files:

Malwarebytes Anti-Malware (PRO) 1.75.0.1300

www.malwarebytes.org

Database version: v2013.04.19.02

Windows Vista Service Pack 2 x86 NTFS

Internet Explorer 9.0.8112.16421

Steve Gardner :: ACERQUAD [administrator]

Protection: Enabled

4/19/2013 4:36:06 AM

mbam-log-2013-04-19 (04-36-06).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 225326

Time elapsed: 4 minute(s), 30 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website : http://tigzy.geekstogo.com/roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version

Started in : Normal mode

User : Steve Gardner [Admin rights]

Mode : Scan -- Date : 04/19/2013 04:53:06

| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 17 ¤¤¤

[TASK][sUSP PATH] winupd : C:\Users\Steve Gardner\AppData\Local\Temp\winupd.exe [x] -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyDocs (0) -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowUser (0) -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowHelp (0) -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowRun (0) -> FOUND

[HJ DESK] HKCU\[...]\ClassicStartMenu : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK] HKCU\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

[HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

[WALLP] HKCU\[...]\Desktop : Wallpaper (C:\Windows\Web\Wallpaper\img24.jpg) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost

::1 localhost

127.0.0.1 www.007guard.com

127.0.0.1 007guard.com

127.0.0.1 008i.com

127.0.0.1 www.008k.com

127.0.0.1 008k.com

127.0.0.1 www.00hq.com

127.0.0.1 00hq.com

127.0.0.1 010402.com

127.0.0.1 www.032439.com

127.0.0.1 032439.com

127.0.0.1 www.0scan.com

127.0.0.1 0scan.com

127.0.0.1 1000gratisproben.com

127.0.0.1 www.1000gratisproben.com

127.0.0.1 1001namen.com

127.0.0.1 www.1001namen.com

127.0.0.1 100888290cs.com

127.0.0.1 www.100888290cs.com

[...]

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD5000AAJS-22YFA0 ATA Device +++++

--- User ---

[MBR] 12d5a9a081d3df7eae31f6bdd0205b84

[bSP] 7b83b149af7d32f4fed3aabb05ba8f57 : Acer MBR Code

Partition table:

0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 63 | Size: 9993 Mo

1 - [ACTIVE] FAT16 (0x06) [VISIBLE] Offset (sectors): 20467712 | Size: 233604 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 498888704 | Size: 233341 Mo

User = LL1 ... OK!

User = LL2 ... OK!

+++++ PhysicalDrive1: Seagate Desktop USB Device +++++

--- User ---

[MBR] 981ae81e39b5e16e3cffa377b1306204

[bSP] ef0a836ca1a68842e15e080b7177026b : Empty MBR Code

Partition table:

0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 1907726 Mo

User = LL1 ... OK!

Error reading LL2 MBR!

Finished : << RKreport[1]_S_04192013_02d0453.txt >>

RKreport[1]_S_04192013_02d0453.txt

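The RogueKiller report above prints the whole HOSTS file, and most of it is a long run of 127.0.0.1 entries. When reviewing such output it helps to separate loopback entries (which only block a name and are what hosts-based blocklists such as the one Spybot S&D installs produce) from entries that map a name to a routable address (which redirect traffic and are far more likely to be a hijack). The following Python is an added example written for this page, not part of RogueKiller or the thread; the hosts lines are taken from the report above except the final 203.0.113.5 line, which is constructed (a documentation address and a made-up host name) so that the redirect branch has something to report.

```python
import ipaddress

# Excerpt of the HOSTS file from the RogueKiller report above. The last line is
# constructed for this example (203.0.113.5 is a documentation-range address and
# www.example-bank.test is a made-up name); it is not from the original report.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
::1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 www.0scan.com
203.0.113.5 www.example-bank.test
"""


def classify_hosts(text):
    """Group hosts-file entries by what they do to the name they mention.

    loopback  - name resolves to 127.0.0.1/::1/0.0.0.0: traffic is blocked, not
                diverted; typical of anti-spyware "immunization" blocklists.
    redirects - name resolves to some other address: traffic is sent elsewhere,
                which is the pattern of a hosts-file hijack and deserves review.
    unparsed  - lines that are neither blank, comment, nor "address name" form.
    """
    loopback, redirects, unparsed = [], [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            unparsed.append(raw)
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            unparsed.append(raw)
            continue
        for host in parts[1:]:  # one address may carry several names
            if addr.is_loopback or addr.is_unspecified:
                loopback.append(host)
            else:
                redirects.append((host, str(addr)))
    return {"loopback": loopback, "redirects": redirects, "unparsed": unparsed}


if __name__ == "__main__":
    result = classify_hosts(SAMPLE_HOSTS)
    print(f"{len(result['loopback'])} loopback (blocking) entries")
    for host, addr in result["redirects"]:
        print(f"REVIEW: {host} is redirected to {addr}")
```

On a real machine the file lives at C:\Windows\System32\drivers\etc\hosts (the path RogueKiller prints); the loopback list is still worth a glance for names you actually use, since a blocklist that blocks a legitimate site is a nuisance, but the redirect list is where credential theft via a fake login page would show up.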

Note: Please do not run this tool without special supervision and instructions of someone authorized to do so. Otherwise, you could end up with serious problems. For more details, read this article: ComboFix usage, Questions, Help? - Look here

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Please post the C:\ComboFix.txt in your next reply for further review.

Note: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.


Hi Maniac,

Thanks again.

Here's the combofix log file:

ComboFix 13-04-19.01 - Steve Gardner 04/19/2013 11:46:31.1.4 - x86

Running from: d:\tests\combofix.exe

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\users\Steve Gardner\Taskmgr.exe

.

.

((((((((((((((((((((((((( Files Created from 2013-03-19 to 2013-04-19 )))))))))))))))))))))))))))))))

.

.

2013-04-19 18:53 . 2013-04-19 18:53 -------- d-----w- c:\users\Steve Gardner\AppData\Local\temp

2013-04-19 18:53 . 2013-04-19 18:53 -------- d-----w- c:\users\Default\AppData\Local\temp

2013-04-19 18:42 . 2013-04-19 18:42 -------- d-----w- c:\programdata\BrowserProtect

2013-04-19 18:42 . 2013-04-19 18:42 -------- d-----w- c:\users\Steve Gardner\AppData\Roaming\BabSolution

2013-04-19 18:42 . 2013-04-19 18:42 -------- d-----w- c:\program files\Delta

2013-04-19 18:42 . 2013-04-19 18:42 -------- d-----w- c:\users\Steve Gardner\AppData\Roaming\Delta

2013-04-19 18:42 . 2013-04-19 18:42 -------- d-----w- c:\program files\LessTabs

2013-04-19 18:42 . 2013-04-19 18:42 -------- d-----w- c:\users\Steve Gardner\AppData\Roaming\Babylon

2013-04-19 18:42 . 2013-04-19 18:42 -------- d-----w- c:\programdata\Babylon

2013-04-19 11:34 . 2013-04-10 03:08 6906960 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{80C84B2A-9BAD-44E6-B03A-95BCD8111364}\mpengine.dll

2013-04-19 02:45 . 2013-04-19 02:46 -------- dc----w- C:\dds malware logs

2013-04-17 03:26 . 2013-04-04 12:35 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll

2013-04-10 02:41 . 2013-03-03 19:07 1082232 ----a-w- c:\windows\system32\drivers\ntfs.sys

2013-04-10 02:41 . 2013-03-11 13:25 3603816 ----a-w- c:\windows\system32\ntkrnlpa.exe

2013-04-10 02:41 . 2013-03-11 13:25 3551080 ----a-w- c:\windows\system32\ntoskrnl.exe

2013-04-10 02:41 . 2013-03-09 03:45 49152 ----a-w- c:\windows\system32\csrsrv.dll

2013-04-10 02:41 . 2013-03-09 01:28 64000 ----a-w- c:\windows\system32\smss.exe

2013-04-10 02:41 . 2013-03-08 03:52 2067968 ----a-w- c:\windows\system32\mstscax.dll

2013-04-10 02:41 . 2013-03-08 03:53 376320 ----a-w- c:\windows\system32\winsrv.dll

2013-04-10 02:41 . 2013-03-05 01:40 2049024 ----a-w- c:\windows\system32\win32k.sys

2013-04-04 03:07 . 2013-04-05 02:20 -------- d-----w- c:\program files\Mozilla Thunderbird

2013-03-21 00:09 . 2013-02-12 01:57 15872 ----a-w- c:\windows\system32\drivers\usb8023.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-04-13 15:08 . 2012-05-26 20:26 691592 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2013-04-13 15:08 . 2012-01-10 20:11 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2013-04-04 21:50 . 2011-07-27 02:56 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2013-03-13 00:00 . 2012-07-14 22:24 861088 ----a-w- c:\windows\system32\npdeployJava1.dll

2013-03-13 00:00 . 2012-02-15 04:06 782240 ----a-w- c:\windows\system32\deployJava1.dll

2013-03-12 08:10 . 2012-01-05 01:27 237088 ------w- c:\windows\system32\MpSigStub.exe

2009-04-01 05:47 . 2013-04-13 19:30 324976 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\~\Browser Helper Objects\{3178A392-8963-471E-B7A2-969CB58D6496}]

2013-04-05 07:38 143896 ----a-w- c:\program files\LessTabs\IE32\LessTabsClientIE.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]

"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-04-23 39408]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-06 2260480]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]

"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-01-28 59720]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-04-06 641664]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-10-25 421888]

"BrStsMon00"="c:\program files\Browny02\Brother\BrStMonW.exe" [2011-10-18 2678784]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2013-02-20 152392]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\progra~2\browse~1\261125~1.80\{c16c1~1\browse~1.dll c:\progra~2\browse~1\261125~1.80\{c16c1~1\browserprotect.dll

"LoadAppInit_DLLs"=1 (0x1)

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfPf]

@="Driver"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfRd]

@="Driver"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]

@="Service"

.

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Empowering Technology Launcher.lnk]

path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Empowering Technology Launcher.lnk

backup=c:\windows\pss\Empowering Technology Launcher.lnk.CommonStartup

backupExtension=.CommonStartup

.

[HKLM\~\startupfolder\C:^Users^Steve Gardner^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]

path=c:\users\Steve Gardner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk

backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup

backupExtension=.Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Assist Launcher]

2007-02-02 18:05 1261568 ----a-w- c:\program files\Acer Assist\launcher.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Empowering Technology Monitor]

2007-06-15 23:48 326440 ----a-w- c:\acer\Empowering Technology\SysMonitor.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Product Registration]

2007-02-02 19:24 3383296 ----a-w- c:\program files\Acer Registration\ACE1.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]

2008-10-15 05:38 623992 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0EYTHM]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]

2011-03-21 18:56 1230704 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eDataSecurity Loader]

2007-04-25 23:33 457216 ----a-w- c:\acer\Empowering Technology\eDataSecurity\eDSLoader.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Location Finder]

2005-08-25 02:25 101080 ----a-w- c:\program files\Microsoft Location Finder\LocationFinder.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMMediaSharing]

2007-06-22 01:33 204908 ----a-w- c:\program files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\PCMMediaSharing.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlayMovie]

2007-07-14 05:41 178280 ------w- c:\program files\Acer Arcade Live\Acer PlayMovie\PMVService.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]

2007-06-20 08:56 4493312 ----a-w- c:\windows\RtHDVCpl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Seagate Dashboard]

2011-06-01 23:06 79112 ----a-w- c:\program files\Seagate\Seagate Dashboard\MemeoLauncher.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skytel]

2007-06-15 08:45 1826816 ----a-w- c:\windows\SkyTel.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]

2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]

"AntiVirusOverride"=dword:00000001

.

R4 Acer HomeMedia Connect Service;Acer HomeMedia Connect Service;c:\program files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe [x]

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

WindowsMobile REG_MULTI_SZ wcescomm rapimgr

LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr

bthsvcs REG_MULTI_SZ BthServ

LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

.

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]

2013-04-19 02:13 1642448 ----a-w- c:\program files\Google\Chrome\Application\26.0.1410.64\Installer\chrmstp.exe

.

Contents of the 'Scheduled Tasks' folder

.

2013-04-19 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-26 15:08]

.

2013-04-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-20 18:32]

.

2013-04-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-20 18:32]

.

2013-04-19 c:\windows\Tasks\Total PC Health Registration3.job

- c:\program files\Common Files\Total PC Health\UUS3\UUS3.dll [2010-11-02 18:09]

.

2013-04-03 c:\windows\Tasks\Total PC Health Update3.job

- c:\program files\Common Files\Total PC Health\UUS3\Update3.exe [2010-11-02 18:09]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www1.delta-search.com/?affID=119556&babsrc=HP_ss&mntrId=A8BD00192142E3BE

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

mStart Page = hxxp://en.us.acer.yahoo.com

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com

IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

Trusted Zone: internet

Trusted Zone: intuit.com\accounts

Trusted Zone: intuit.com\ttlc

Trusted Zone: mcafee.com

TCP: DhcpNameServer = 192.168.1.1

DPF: {5BDBA960-6534-11D3-97C7-00500422B550} - hxxps://epamailr812.epa.gov/download/dolcontrol.cab

DPF: {CEF002D2-5A9F-4656-AA41-85DA2534ACBD} - hxxps://epamailr812.epa.gov/dwa85W.cab

.

- - - - ORPHANS REMOVED - - - -

.

HKLM-Run-eRecoveryService - (no file)

MSConfigStartUp-Acer Tour Reminder - c:\acer\AcerTour\Reminder.exe

MSConfigStartUp-Apanel - c:\acersw\config\NewSetApanel.cmd

MSConfigStartUp-HotKeysCmds - c:\windows\system32\hkcmd.exe

MSConfigStartUp-IgfxTray - c:\windows\system32\igfxtray.exe

MSConfigStartUp-JavaNotifierNotifier - c:\programdata\JavaNotifierNotifier.dll

MSConfigStartUp-Persistence - c:\windows\system32\igfxpers.exe

MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe

AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2013-04-19 11:53

Windows 6.0.6002 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}]

"ImagePath"="\??\c:\program files\Acer Arcade Live\Acer PlayMovie\000.fcl"

.

Completion time: 2013-04-19 11:56:30

ComboFix-quarantined-files.txt 2013-04-19 18:56

.

Pre-Run: 135,603,683,328 bytes free

Post-Run: 136,014,544,896 bytes free

.

- - End Of File - - BAEF6EE311F68C7DE416A8FE2BC41EEA

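The ComboFix log above lists a great many registry loading points, and the items that actually matter are easy to miss among the legitimate Acer, Apple and Adobe entries. Three of them stand out: the AppInit_DLLs value under Windows NT\CurrentVersion\Windows (with LoadAppInit_DLLs set to 1, which makes those BrowserProtect DLLs load into every process that maps user32.dll), the Security Center DisableMonitoring/AntiVirusOverride values (which silence the "no antivirus" warnings), and any autostart whose executable lives in a user-writable directory. The Python below is an added example for this page, not ComboFix's own logic or anything from the thread; it parses the ComboFix "Reg Loading Points" layout and reports those three conditions. The sample lines are copied from the log above, except the "winupd" Run entry, which is constructed here (modelled on the [TASK][SUSP PATH] winupd.exe finding in the RogueKiller report) so that the user-writable-path check has something to flag.

```python
import re
from collections import defaultdict

# Excerpt of the ComboFix "Reg Loading Points" section posted above. The
# "winupd" Run entry is constructed for this example (modelled on the
# RogueKiller TASK finding) and is not in the original ComboFix log.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-06 2260480]
"winupd"="c:\users\Steve Gardner\AppData\Local\Temp\winupd.exe" [2013-04-19 51200]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~2\browse~1\261125~1.80\{c16c1~1\browse~1.dll c:\progra~2\browse~1\261125~1.80\{c16c1~1\browserprotect.dll
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")          # [HKEY_...\path]
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')  # "name"=data
PATH_RE = re.compile(r'^"(?P<path>[^"]+)"')             # leading quoted image path

# Directory fragments a standard user can write to; an autostart living here
# did not need administrator rights to be planted.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\",
                 "\\users\\public\\", "\\downloads\\")


def parse_reg_points(text):
    """Map each [key] block to its "name"=data lines, as ComboFix prints them."""
    entries = defaultdict(dict)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":       # ComboFix separates blocks with "."
            continue
        key_match = KEY_RE.match(line)
        if key_match:
            current = key_match.group("key").lower()
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current is not None:
            entries[current][value_match.group("name")] = value_match.group("data").strip()
    return dict(entries)


def _is_set(data):
    """True for a non-zero REG_DWORD ("dword:00000001") or literal ("1 (0x1)")."""
    if data.startswith("dword:"):
        return int(data[len("dword:"):], 16) != 0
    return bool(data) and data.split()[0] != "0"


def triage(entries):
    """Return (severity, reason, detail) tuples for the loading points that matter most."""
    findings = []
    for key, values in entries.items():
        if key.endswith("\\windows nt\\currentversion\\windows"):
            dlls = values.get("AppInit_DLLs", "")
            if dlls and _is_set(values.get("LoadAppInit_DLLs", "0")):
                for dll in dlls.split():  # 8.3 short names contain no spaces
                    findings.append(("HIGH", "AppInit_DLLs is loaded into every process that maps user32.dll", dll))
        elif "\\security center\\" in key:
            for name, data in values.items():
                if name in ("DisableMonitoring", "AntiVirusOverride") and _is_set(data):
                    findings.append(("MEDIUM", f"Security Center alerting suppressed via {name}", key))
        elif key.endswith("\\currentversion\\run"):
            for name, data in values.items():
                path_match = PATH_RE.match(data)
                if not path_match:
                    continue
                path = path_match.group("path").lower()
                if any(marker in path for marker in USER_WRITABLE):
                    findings.append(("MEDIUM", f"Run entry '{name}' starts from a user-writable location", path_match.group("path")))
    return findings


def triage_log(text):
    """Convenience wrapper: parse a ComboFix registry section and triage it."""
    return triage(parse_reg_points(text))


if __name__ == "__main__":
    for severity, reason, detail in triage_log(SAMPLE_LOG):
        print(f"[{severity}] {reason}: {detail}")
```

Run against the sample it reports the two BrowserProtect DLLs as HIGH, the two Security Center overrides and the constructed Temp autostart as MEDIUM, and says nothing about the Sidebar and Spybot entries under Program Files. The JRT log later in this thread shows the AppInit_DLLs value being repaired, which is exactly the HIGH item this check is built to catch.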

Step 1

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

Step 2

Please compress the following folder for me: C:\Qoobox\Quarantine and upload it somewhere, for example at www.mediafire.com and send me a download link via PM.

http://windows.microsoft.com/en-hk/windows-vista/compress-and-uncompress-files-zip-files


Hi Maniac,

By the way, the messages about Malwarebytes stopping Chrome from accessing malicious websites have stopped after running ComboFix. PM on the way about the Qoobox file.

Here's the JRT log:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Junkware Removal Tool (JRT) by Thisisu

Version: 4.8.6 (04.19.2013:1)

OS: Windows Vista Home Premium x86

Ran by Steve Gardner on Sat 04/20/2013 at 7:31:27.40

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Registry Values

Successfully repaired: [Registry Value] hkey_local_machine\software\microsoft\windows nt\currentversion\windows\\AppInit_DLLs

Successfully deleted: [Registry Value] hkey_current_user\software\microsoft\internet explorer\urlsearchhooks\\{ef99bd32-c1fb-11d2-892f-0090271d4f88}

Successfully repaired: [Registry Value] hkey_current_user\software\microsoft\internet explorer\main\\Start Page

Successfully repaired: [Registry Value] hkey_users\.default\software\microsoft\internet explorer\main\\Start Page

Successfully repaired: [Registry Value] hkey_users\s-1-5-18\software\microsoft\internet explorer\main\\Start Page

Successfully repaired: [Registry Value] hkey_users\s-1-5-19\software\microsoft\internet explorer\main\\Start Page

Successfully repaired: [Registry Value] hkey_users\s-1-5-20\software\microsoft\internet explorer\main\\Start Page

Successfully repaired: [Registry Value] hkey_users\S-1-5-21-47936402-1102721201-4054549719-1000\software\microsoft\internet explorer\main\\Start Page

~~~ Registry Keys

Successfully deleted: [Registry Key] hkey_local_machine\software\babylon

Successfully deleted: [Registry Key] hkey_current_user\software\babylontoolbar

Failed to delete: [Registry Key] hkey_current_user\software\datamngr_toolbar

Successfully deleted: [Registry Key] hkey_local_machine\software\classes\appid\escortlbr.dll

Successfully deleted: [Registry Key] hkey_local_machine\software\classes\prod.cap

Successfully deleted: [Registry Key] hkey_classes_root\clsid\{02478d38-c3f9-4efb-9b51-7695eca05670}

Successfully deleted: [Registry Key] hkey_current_user\software\microsoft\internet explorer\searchscopes\{0ecdf796-c2dc-4d79-a620-cce0c0a66cc9}

Successfully deleted: [Registry Key] hkey_current_user\software\microsoft\internet explorer\searchscopes\{3bd44f0e-0596-4008-aee0-45d47e3a8f0e}

Successfully deleted: [Registry Key] hkey_classes_root\clsid\{ef99bd32-c1fb-11d2-892f-0090271d4f88}

~~~ Files

~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\babylon"

Successfully deleted: [Folder] "C:\Users\Steve Gardner\AppData\Roaming\babsolution"

Successfully deleted: [Folder] "C:\Users\Steve Gardner\AppData\Roaming\babylon"

Successfully deleted: [Folder] "C:\Users\Steve Gardner\AppData\Roaming\drivercure"

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Scan was completed on Sat 04/20/2013 at 7:33:43.34

End of JRT log

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Good to know that! Thanks again! :)

Please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan

  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\ESET\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic


The log.txt file only has two lines:

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

The application window said it found one file and quarantined it, but it was ComboFix:

C:\Users\Steve Gardner\Desktop\ComboFix.exe a variant of MSIL/Solimba.I application cleaned by deleting - quarantined


They are already gone. :)

  • Download OTC to your desktop and run it
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.

Please uninstall ESET Online Scanner and manually delete Junkware Removal Tool.

Some malware prevention tips:

users.telenet.be/bluepatchy/miekiemoes/prevention.html

Safe surfing! :)


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
