Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Can browse the internet but cannot connect to online games [Solved]


  • This topic is locked This topic is locked

#31
CompCav

CompCav

    Member 5k

  • Expert
  • 12,448 posts
Chrome still has Babylon Search in it.

Unfortunately my tools do not allow me to change the Chrome search engine.. However, as the main files are now removed following the steps on this page should clear it. Let me know if it works
  • 0

Advertisements


#32
Modin

Modin

    Member

  • Topic Starter
  • Member
  • PipPip
  • 45 posts
I uninstalled Chrome as I don't use it anyway. After the second restart since the problem was gone it seems to reappear.. atleast right now things look like it.
  • 0

#33
CompCav

CompCav

    Member 5k

  • Expert
  • 12,448 posts
Please do the following steps:

Step 1.

Download the adwCleaner

  • Run the Tool
    Windows Vista and Windows 7 users:
    Right click in the adwCleaner.exe and select the option
    Posted Image
  • Select the Delete button.
  • When the scan completes, it will open a notepad windows.
  • Please, copy the content of this file in your next reply.


Step 2.

  • Download RogueKiller and save it on your desktop.
  • Quit all programs
  • Start RogueKiller.exe.
  • Wait until Prescan has finished ...
  • Click on Scan
  • Note: If RogueKiller will not run please try it several times, if it still does not run rename it winlogon.com and try it several times.
Posted Image
  • Wait for the end of the scan.
  • The report has been created on the desktop.
  • Click on the Delete button.
Posted Image
  • The report has been created on the desktop.

  • Next click on ShortcutsFix

    Posted Image
  • The report has been created on the desktop.

Please post:

All RKreport.txt text files located on your desktop.


Step 3.

Update MalwareBytes' and do a Quickscan and delete anything found.


Step 4.

Please post:

adwCleaner log
All RKReport.txt logs
MalwareBytes' log

Update me on computer issues.
  • 0

#34
Modin

Modin

    Member

  • Topic Starter
  • Member
  • PipPip
  • 45 posts
adwCleaner log
# AdwCleaner v1.703 - Logfile created 07/24/2012 at 17:45:47
# Updated 20/07/2012 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Mörtl - MARTIN
# Running from : D:\Downloads\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****

Key Deleted : HKLM\SOFTWARE\DT Soft

***** [Registre - GUID] *****


***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

*************************

AdwCleaner[S1].txt - [5341 octets] - [20/07/2012 19:17:11]
AdwCleaner[S2].txt - [611 octets] - [24/07/2012 17:45:47]

########## EOF - C:\AdwCleaner[S2].txt - [738 octets] ##########

Rogue Killers:

RogueKiller V7.6.4 [07/17/2012] durch Tigzy
mail: tigzyRK<at>gmail<dot>com
Kommentare: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Betriebssystem: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Gestartet in: Normal Modus
Benutzer: Mörtl [Admin Rechte]
Funktion: Scannen --Datum: 07/24/2012 17:51:34

¤¤¤ Böswillige Prozesse: 0 ¤¤¤

¤¤¤ Registry-Einträge: 1 ¤¤¤
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Bestimmte Dateien / Ordner: ¤¤¤

¤¤¤ Treiber: [GELADEN] ¤¤¤
SSDT[25] : NtClose @ 0x805BC538 -> HOOKED (Unknown @ 0xBA70E2B4)
SSDT[41] : NtCreateKey @ 0x80623FD6 -> HOOKED (Unknown @ 0xBA70E26E)
SSDT[50] : NtCreateSection @ 0x805AB3D0 -> HOOKED (Unknown @ 0xBA70E2BE)
SSDT[53] : NtCreateThread @ 0x805D1038 -> HOOKED (Unknown @ 0xBA70E264)
SSDT[63] : NtDeleteKey @ 0x80624472 -> HOOKED (Unknown @ 0xBA70E273)
SSDT[65] : NtDeleteValueKey @ 0x80624642 -> HOOKED (Unknown @ 0xBA70E27D)
SSDT[68] : NtDuplicateObject @ 0x805BE010 -> HOOKED (Unknown @ 0xBA70E2AF)
SSDT[98] : NtLoadKey @ 0x806261FA -> HOOKED (Unknown @ 0xBA70E282)
SSDT[122] : NtOpenProcess @ 0x805CB456 -> HOOKED (Unknown @ 0xBA70E250)
SSDT[128] : NtOpenThread @ 0x805CB6E2 -> HOOKED (Unknown @ 0xBA70E255)
SSDT[177] : NtQueryValueKey @ 0x806221FA -> HOOKED (Unknown @ 0xBA70E2D7)
SSDT[193] : NtReplaceKey @ 0x806260AA -> HOOKED (Unknown @ 0xBA70E28C)
SSDT[200] : NtRequestWaitReplyPort @ 0x805A2D7E -> HOOKED (Unknown @ 0xBA70E2C8)
SSDT[204] : NtRestoreKey @ 0x806259B6 -> HOOKED (Unknown @ 0xBA70E287)
SSDT[213] : NtSetContextThread @ 0x805D2C1A -> HOOKED (Unknown @ 0xBA70E2C3)
SSDT[237] : NtSetSecurityObject @ 0x805C0636 -> HOOKED (Unknown @ 0xBA70E2CD)
SSDT[247] : NtSetValueKey @ 0x80622548 -> HOOKED (Unknown @ 0xBA70E278)
SSDT[255] : NtSystemDebugControl @ 0x80617FAA -> HOOKED (Unknown @ 0xBA70E2D2)
SSDT[257] : NtTerminateProcess @ 0x805D22D8 -> HOOKED (Unknown @ 0xBA70E25F)
S_SSDT[549] : Unknown -> HOOKED (Unknown @ 0xBA70E2E6)
S_SSDT[552] : Unknown -> HOOKED (Unknown @ 0xBA70E2EB)
IRP[IRP_MJ_CREATE] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xB9DF8B40)
IRP[IRP_MJ_CLOSE] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xB9DF8B40)
IRP[IRP_MJ_DEVICE_CONTROL] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xB9DF8B40)
IRP[IRP_MJ_INTERNAL_DEVICE_CONTROL] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xB9DF8B40)
IRP[IRP_MJ_SYSTEM_CONTROL] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xB9DF8B40)
IRP[IRP_MJ_DEVICE_CHANGE] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xB9DF8B40)

¤¤¤ Infektion : ¤¤¤

¤¤¤ Hosts-Datei: ¤¤¤
ÿþ1

¤¤¤ MBR überprüfen: ¤¤¤

+++++ PhysicalDrive0: SAMSUNG HD322HJ +++++
--- User ---
[MBR] f1714bba2d463ce1e28d1ebb4e190fb9
[BSP] b9350b8c34272f7aecbb01901c371540 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 29996 Mo
1 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 61432560 | Size: 101065 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Abgeschlossen : << RKreport[1].txt >>
RKreport[1].txt



RogueKiller V7.6.4 [07/17/2012] durch Tigzy
mail: tigzyRK<at>gmail<dot>com
Kommentare: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Betriebssystem: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Gestartet in: Normal Modus
Benutzer: Mörtl [Admin Rechte]
Funktion: Entfernen --Datum: 07/24/2012 17:52:27

¤¤¤ Böswillige Prozesse: 0 ¤¤¤

¤¤¤ Registry-Einträge: 1 ¤¤¤
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Bestimmte Dateien / Ordner: ¤¤¤

¤¤¤ Treiber: [GELADEN] ¤¤¤
SSDT[25] : NtClose @ 0x805BC538 -> HOOKED (Unknown @ 0xBA70E2B4)
SSDT[41] : NtCreateKey @ 0x80623FD6 -> HOOKED (Unknown @ 0xBA70E26E)
SSDT[50] : NtCreateSection @ 0x805AB3D0 -> HOOKED (Unknown @ 0xBA70E2BE)
SSDT[53] : NtCreateThread @ 0x805D1038 -> HOOKED (Unknown @ 0xBA70E264)
SSDT[63] : NtDeleteKey @ 0x80624472 -> HOOKED (Unknown @ 0xBA70E273)
SSDT[65] : NtDeleteValueKey @ 0x80624642 -> HOOKED (Unknown @ 0xBA70E27D)
SSDT[68] : NtDuplicateObject @ 0x805BE010 -> HOOKED (Unknown @ 0xBA70E2AF)
SSDT[98] : NtLoadKey @ 0x806261FA -> HOOKED (Unknown @ 0xBA70E282)
SSDT[122] : NtOpenProcess @ 0x805CB456 -> HOOKED (Unknown @ 0xBA70E250)
SSDT[128] : NtOpenThread @ 0x805CB6E2 -> HOOKED (Unknown @ 0xBA70E255)
SSDT[177] : NtQueryValueKey @ 0x806221FA -> HOOKED (Unknown @ 0xBA70E2D7)
SSDT[193] : NtReplaceKey @ 0x806260AA -> HOOKED (Unknown @ 0xBA70E28C)
SSDT[200] : NtRequestWaitReplyPort @ 0x805A2D7E -> HOOKED (Unknown @ 0xBA70E2C8)
SSDT[204] : NtRestoreKey @ 0x806259B6 -> HOOKED (Unknown @ 0xBA70E287)
SSDT[213] : NtSetContextThread @ 0x805D2C1A -> HOOKED (Unknown @ 0xBA70E2C3)
SSDT[237] : NtSetSecurityObject @ 0x805C0636 -> HOOKED (Unknown @ 0xBA70E2CD)
SSDT[247] : NtSetValueKey @ 0x80622548 -> HOOKED (Unknown @ 0xBA70E278)
SSDT[255] : NtSystemDebugControl @ 0x80617FAA -> HOOKED (Unknown @ 0xBA70E2D2)
SSDT[257] : NtTerminateProcess @ 0x805D22D8 -> HOOKED (Unknown @ 0xBA70E25F)
S_SSDT[549] : Unknown -> HOOKED (Unknown @ 0xBA70E2E6)
S_SSDT[552] : Unknown -> HOOKED (Unknown @ 0xBA70E2EB)
IRP[IRP_MJ_CREATE] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xB9DF8B40)
IRP[IRP_MJ_CLOSE] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xB9DF8B40)
IRP[IRP_MJ_DEVICE_CONTROL] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xB9DF8B40)
IRP[IRP_MJ_INTERNAL_DEVICE_CONTROL] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xB9DF8B40)
IRP[IRP_MJ_SYSTEM_CONTROL] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xB9DF8B40)
IRP[IRP_MJ_DEVICE_CHANGE] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xB9DF8B40)

¤¤¤ Infektion : ¤¤¤

¤¤¤ Hosts-Datei: ¤¤¤
ÿþ1

¤¤¤ MBR überprüfen: ¤¤¤

+++++ PhysicalDrive0: SAMSUNG HD322HJ +++++
--- User ---
[MBR] f1714bba2d463ce1e28d1ebb4e190fb9
[BSP] b9350b8c34272f7aecbb01901c371540 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 29996 Mo
1 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 61432560 | Size: 101065 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Abgeschlossen : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt



RogueKiller V7.6.4 [07/17/2012]durch Tigzy
mail: tigzyRK<at>gmail<dot>com
Kommentare: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Betriebssystem: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Gestartet in: Normal Modus
Benutzer: Mörtl [Admin Rechte]
Funktion: Reparierte Verknüpfungen --Datum: 07/24/2012 17:55:34

¤¤¤ Böswillige Prozesse: 0 ¤¤¤

¤¤¤ Treiber: [GELADEN] ¤¤¤

¤¤¤ Dateiattribute wiederhergestellt: ¤¤¤
Desktop: Success 3 / Fail 0
Schnellstart: Success 0 / Fail 0
Programme: Success 6 / Fail 0
Startmenü: Success 0 / Fail 0
Benutzer Ordner: Success 99 / Fail 0
Eigene Dateien: Success 4 / Fail 0
Mein Favoriten: Success 0 / Fail 0
Meine Bilder: Success 0 / Fail 0
Meine Musik: Success 0 / Fail 0
Meine Videos: Success 0 / Fail 0
Lokale Laufwerke: Success 907 / Fail 0
Sicherungskopie: [NOT FOUND]

Laufwerke:
[C:] \Device\HarddiskVolume1 -- 0x3 --> Restored
[D:] \Device\HarddiskVolume2 -- 0x3 --> Restored
[E:] \Device\CdRom1 -- 0x5 --> Skipped
[F:] \Device\Harddisk1\DP(1)0-0+7 -- 0x2 --> Restored
[G:] \Device\Harddisk2\DP(1)0-0+8 -- 0x2 --> Restored
[H:] \Device\Harddisk3\DP(1)0-0+9 -- 0x2 --> Restored
[I:] \Device\CdRom0 -- 0x5 --> Skipped
[J:] \Device\Harddisk4\DP(1)0-0+a -- 0x2 --> Restored

¤¤¤ Infektion : ¤¤¤

Abgeschlossen : << RKreport[3].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt


Malwarebytes:
Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Datenbank Version: v2012.07.20.04

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Mörtl :: MARTIN [Administrator]

24.07.2012 17:56:49
mbam-log-2012-07-24 (17-56-49).txt

Art des Suchlaufs: Quick-Scan
Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM
Deaktivierte Suchlaufeinstellungen: P2P
Durchsuchte Objekte: 199731
Laufzeit: 3 Minute(n), 46 Sekunde(n)

Infizierte Speicherprozesse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung: 0
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateien: 0
(Keine bösartigen Objekte gefunden)

(Ende)

The before experienced issues remain.

Edited by Modin, 24 July 2012 - 10:03 AM.

  • 0

#35
CompCav

CompCav

    Member 5k

  • Expert
  • 12,448 posts
Download and Install Combofix

Download ComboFix from one of the following locations:

Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop * IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. This infection will require a reboot to correct so make sure these are turned off and will not turn back on at reboot. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks

    Posted Image
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
    Posted Image
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    Posted Image
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" for further review.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions

  • 0

#36
Modin

Modin

    Member

  • Topic Starter
  • Member
  • PipPip
  • 45 posts
I ran the program but didn't find any Combofix.txt only a "computer"-icon named ComboFix o.O
  • 0

#37
CompCav

CompCav

    Member 5k

  • Expert
  • 12,448 posts
Look on your hard drive in the root directory C:\

The file should be there C:\Combofix.txt
  • 0

#38
Modin

Modin

    Member

  • Topic Starter
  • Member
  • PipPip
  • 45 posts
For better understandings I uploaded some pictures to describe the problem that occured or seemed to occur with combofix better:
Posted Image
I didn't find any ComboFix.txt file under C:\ but as you can see some weird icon appeared(not sure if it's part of the program's normal activity)

This is what happens if I open the file:
Posted Image

I hope that adds to your understanding.
  • 0

#39
CompCav

CompCav

    Member 5k

  • Expert
  • 12,448 posts
Step 1.

Delete the computer icon.

Remove ComboFix
  • Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
  • In the Run box, type in ComboFix /Uninstall
    (Notice the space between the "x" and "/")
    then click OK

    Posted Image
  • Follow the prompts on the screen
  • A message should appear confirming that ComboFix was uninstalled


Step 2.

Download AVPTool from Here to your desktop

Run the program you have just downloaded to your desktop (it will be randomly named )

First we will run a virus scan

Click the cog in the upper right
Posted Image


Select down to and including your main drive, once done select the Automatic scan tab and press Start Scan

Posted Image

Allow AVP to delete all infections found
Once it has finished select report tab (last tab)
Select Detected threats report from the left and press Save button
Save it to your desktop and attach to your next post


Now the Analysis

Rerun AVP and select the Manual Disinfection tab and press Start Gathering System Information

Posted Image

On completion click the link to locate the zip file to upload and attach to your next post

Posted Image


Please post the log from the first scan and attach the zip file from the second.
  • 0

#40
Modin

Modin

    Member

  • Topic Starter
  • Member
  • PipPip
  • 45 posts
While I am running the AVP scan I wanted to inform you that I didn't manage to uninstall ComboFixer and also didn't find it in the list of installed programs.
  • 0

Advertisements


#41
CompCav

CompCav

    Member 5k

  • Expert
  • 12,448 posts
OK just delete the icons. don't worry about uninstall.
  • 0

#42
Modin

Modin

    Member

  • Topic Starter
  • Member
  • PipPip
  • 45 posts
The first scan didn't show any infected files which means that there was no detected threats report.

Attached Files


  • 0

#43
CompCav

CompCav

    Member 5k

  • Expert
  • 12,448 posts
To use Virustotal go Here
Posted Image

  • Click the Choose File button in the middle of the screen. This will open a File Upload window.
  • In the File name box, type, or copy and paste the following and click Open: NOTE.. Only one file per scan
  • C:\Windows\system32\drivers\6585364drv.sys
  • This will put the file in the box on the Virustotal page.
  • Click the Scan it! button and wait for the reply.
  • Copy and paste the Virustotal link(s) (URL) in your next reply

  • 0

#44
Modin

Modin

    Member

  • Topic Starter
  • Member
  • PipPip
  • 45 posts
the file couldn't be found the only file with numbers in it under C:\Windows\system32\drivers\ was 38104359

EDIT: I was able to find the file under a different direction:
C:\WINDOWS\LastGood\system32\DRIVERS\6585364drv.sys

here are the results on the scan: https://www.virustot...sis/1343229113/

Edited by Modin, 25 July 2012 - 09:13 AM.

  • 0

#45
CompCav

CompCav

    Member 5k

  • Expert
  • 12,448 posts
If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run
To disable MBAM
Open the scanner and select the protection tab
Remove the tick from "Start with Windows"
Reboot and then run OTL
Posted Image




  • Please reopen Posted Image on your desktop.
  • Copy and Paste the following code into the Posted Image textbox.

    :OTL
    
    
    :files
    ipconfig /flushdns /c
    C:\Windows\system32\drivers\6585364drv.sys
    
    :reg
    
    
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [createrestorepoint]
  • Push Posted Image
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click the OK button.
  • A report will open. Copy and Paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date and the time of the tool run.

  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP