[CompCav]

Chrome still has Babylon Search in it.

Unfortunately my tools do not allow me to change the Chrome search engine.. However, as the main files are now removed following the steps on this page should clear it. Let me know if it works

[Advertisements]

I uninstalled Chrome as I don't use it anyway. After the second restart since the problem was gone it seems to reappear.. atleast right now things look like it.

[Modin]

I uninstalled Chrome as I don't use it anyway. After the second restart since the problem was gone it seems to reappear.. atleast right now things look like it.

[CompCav]

Please do the following steps:

Step 1.

Download the adwCleaner

• Run the Tool
  Windows Vista and Windows 7 users:
  Right click in the adwCleaner.exe and select the option
• Select the Delete button.
• When the scan completes, it will open a notepad windows.
• Please, copy the content of this file in your next reply.

Step 2.

• Download RogueKiller and save it on your desktop.
• Quit all programs
• Start RogueKiller.exe.
• Wait until Prescan has finished ...
• Click on Scan
• Note: If RogueKiller will not run please try it several times, if it still does not run rename it winlogon.com and try it several times.

• Wait for the end of the scan.
• The report has been created on the desktop.
• Click on the Delete button.

• The report has been created on the desktop.

• Next click on ShortcutsFix
  
  
• The report has been created on the desktop.

Please post:

All RKreport.txt text files located on your desktop.


Step 3.

Update MalwareBytes' and do a Quickscan and delete anything found.


Step 4.

Please post:

adwCleaner log
All RKReport.txt logs
MalwareBytes' log

Update me on computer issues.

[Modin]

adwCleaner log
# AdwCleaner v1.703 - Logfile created 07/24/2012 at 17:45:47
# Updated 20/07/2012 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Mörtl - MARTIN
# Running from : D:\Downloads\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****

Key Deleted : HKLM\SOFTWARE\DT Soft

***** [Registre - GUID] *****


***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

*************************

AdwCleaner[S1].txt - [5341 octets] - [20/07/2012 19:17:11]
AdwCleaner[S2].txt - [611 octets] - [24/07/2012 17:45:47]

########## EOF - C:\AdwCleaner[S2].txt - [738 octets] ##########

Rogue Killers:

RogueKiller V7.6.4 [07/17/2012] durch Tigzy
mail: tigzyRK<at>gmail<dot>com
Kommentare: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Betriebssystem: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Gestartet in: Normal Modus
Benutzer: Mörtl [Admin Rechte]
Funktion: Scannen --Datum: 07/24/2012 17:51:34

¤¤¤ Böswillige Prozesse: 0 ¤¤¤

¤¤¤ Registry-Einträge: 1 ¤¤¤
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Bestimmte Dateien / Ordner: ¤¤¤

¤¤¤ Treiber: [GELADEN] ¤¤¤
SSDT[25] : NtClose @ 0x805BC538 -> HOOKED (Unknown @ 0xBA70E2B4)
SSDT[41] : NtCreateKey @ 0x80623FD6 -> HOOKED (Unknown @ 0xBA70E26E)
SSDT[50] : NtCreateSection @ 0x805AB3D0 -> HOOKED (Unknown @ 0xBA70E2BE)
SSDT[53] : NtCreateThread @ 0x805D1038 -> HOOKED (Unknown @ 0xBA70E264)
SSDT[63] : NtDeleteKey @ 0x80624472 -> HOOKED (Unknown @ 0xBA70E273)
SSDT[65] : NtDeleteValueKey @ 0x80624642 -> HOOKED (Unknown @ 0xBA70E27D)
SSDT[68] : NtDuplicateObject @ 0x805BE010 -> HOOKED (Unknown @ 0xBA70E2AF)
SSDT[98] : NtLoadKey @ 0x806261FA -> HOOKED (Unknown @ 0xBA70E282)
SSDT[122] : NtOpenProcess @ 0x805CB456 -> HOOKED (Unknown @ 0xBA70E250)
SSDT[128] : NtOpenThread @ 0x805CB6E2 -> HOOKED (Unknown @ 0xBA70E255)
SSDT[177] : NtQueryValueKey @ 0x806221FA -> HOOKED (Unknown @ 0xBA70E2D7)
SSDT[193] : NtReplaceKey @ 0x806260AA -> HOOKED (Unknown @ 0xBA70E28C)
SSDT[200] : NtRequestWaitReplyPort @ 0x805A2D7E -> HOOKED (Unknown @ 0xBA70E2C8)
SSDT[204] : NtRestoreKey @ 0x806259B6 -> HOOKED (Unknown @ 0xBA70E287)
SSDT[213] : NtSetContextThread @ 0x805D2C1A -> HOOKED (Unknown @ 0xBA70E2C3)
SSDT[237] : NtSetSecurityObject @ 0x805C0636 -> HOOKED (Unknown @ 0xBA70E2CD)
SSDT[247] : NtSetValueKey @ 0x80622548 -> HOOKED (Unknown @ 0xBA70E278)
SSDT[255] : NtSystemDebugControl @ 0x80617FAA -> HOOKED (Unknown @ 0xBA70E2D2)
SSDT[257] : NtTerminateProcess @ 0x805D22D8 -> HOOKED (Unknown @ 0xBA70E25F)
S_SSDT[549] : Unknown -> HOOKED (Unknown @ 0xBA70E2E6)
S_SSDT[552] : Unknown -> HOOKED (Unknown @ 0xBA70E2EB)
IRP[IRP_MJ_CREATE] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xB9DF8B40)
IRP[IRP_MJ_CLOSE] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xB9DF8B40)
IRP[IRP_MJ_DEVICE_CONTROL] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xB9DF8B40)
IRP[IRP_MJ_INTERNAL_DEVICE_CONTROL] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xB9DF8B40)
IRP[IRP_MJ_SYSTEM_CONTROL] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xB9DF8B40)
IRP[IRP_MJ_DEVICE_CHANGE] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xB9DF8B40)

¤¤¤ Infektion : ¤¤¤

¤¤¤ Hosts-Datei: ¤¤¤
ÿþ1

¤¤¤ MBR überprüfen: ¤¤¤

+++++ PhysicalDrive0: SAMSUNG HD322HJ +++++
--- User ---
[MBR] f1714bba2d463ce1e28d1ebb4e190fb9
[BSP] b9350b8c34272f7aecbb01901c371540 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 29996 Mo
1 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 61432560 | Size: 101065 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Abgeschlossen : << RKreport[1].txt >>
RKreport[1].txt



RogueKiller V7.6.4 [07/17/2012] durch Tigzy
mail: tigzyRK<at>gmail<dot>com
Kommentare: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Betriebssystem: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Gestartet in: Normal Modus
Benutzer: Mörtl [Admin Rechte]
Funktion: Entfernen --Datum: 07/24/2012 17:52:27

¤¤¤ Böswillige Prozesse: 0 ¤¤¤

¤¤¤ Registry-Einträge: 1 ¤¤¤
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Bestimmte Dateien / Ordner: ¤¤¤

¤¤¤ Treiber: [GELADEN] ¤¤¤
SSDT[25] : NtClose @ 0x805BC538 -> HOOKED (Unknown @ 0xBA70E2B4)
SSDT[41] : NtCreateKey @ 0x80623FD6 -> HOOKED (Unknown @ 0xBA70E26E)
SSDT[50] : NtCreateSection @ 0x805AB3D0 -> HOOKED (Unknown @ 0xBA70E2BE)
SSDT[53] : NtCreateThread @ 0x805D1038 -> HOOKED (Unknown @ 0xBA70E264)
SSDT[63] : NtDeleteKey @ 0x80624472 -> HOOKED (Unknown @ 0xBA70E273)
SSDT[65] : NtDeleteValueKey @ 0x80624642 -> HOOKED (Unknown @ 0xBA70E27D)
SSDT[68] : NtDuplicateObject @ 0x805BE010 -> HOOKED (Unknown @ 0xBA70E2AF)
SSDT[98] : NtLoadKey @ 0x806261FA -> HOOKED (Unknown @ 0xBA70E282)
SSDT[122] : NtOpenProcess @ 0x805CB456 -> HOOKED (Unknown @ 0xBA70E250)
SSDT[128] : NtOpenThread @ 0x805CB6E2 -> HOOKED (Unknown @ 0xBA70E255)
SSDT[177] : NtQueryValueKey @ 0x806221FA -> HOOKED (Unknown @ 0xBA70E2D7)
SSDT[193] : NtReplaceKey @ 0x806260AA -> HOOKED (Unknown @ 0xBA70E28C)
SSDT[200] : NtRequestWaitReplyPort @ 0x805A2D7E -> HOOKED (Unknown @ 0xBA70E2C8)
SSDT[204] : NtRestoreKey @ 0x806259B6 -> HOOKED (Unknown @ 0xBA70E287)
SSDT[213] : NtSetContextThread @ 0x805D2C1A -> HOOKED (Unknown @ 0xBA70E2C3)
SSDT[237] : NtSetSecurityObject @ 0x805C0636 -> HOOKED (Unknown @ 0xBA70E2CD)
SSDT[247] : NtSetValueKey @ 0x80622548 -> HOOKED (Unknown @ 0xBA70E278)
SSDT[255] : NtSystemDebugControl @ 0x80617FAA -> HOOKED (Unknown @ 0xBA70E2D2)
SSDT[257] : NtTerminateProcess @ 0x805D22D8 -> HOOKED (Unknown @ 0xBA70E25F)
S_SSDT[549] : Unknown -> HOOKED (Unknown @ 0xBA70E2E6)
S_SSDT[552] : Unknown -> HOOKED (Unknown @ 0xBA70E2EB)
IRP[IRP_MJ_CREATE] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xB9DF8B40)
IRP[IRP_MJ_CLOSE] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xB9DF8B40)
IRP[IRP_MJ_DEVICE_CONTROL] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xB9DF8B40)
IRP[IRP_MJ_INTERNAL_DEVICE_CONTROL] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xB9DF8B40)
IRP[IRP_MJ_SYSTEM_CONTROL] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xB9DF8B40)
IRP[IRP_MJ_DEVICE_CHANGE] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xB9DF8B40)

¤¤¤ Infektion : ¤¤¤

¤¤¤ Hosts-Datei: ¤¤¤
ÿþ1

¤¤¤ MBR überprüfen: ¤¤¤

+++++ PhysicalDrive0: SAMSUNG HD322HJ +++++
--- User ---
[MBR] f1714bba2d463ce1e28d1ebb4e190fb9
[BSP] b9350b8c34272f7aecbb01901c371540 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 29996 Mo
1 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 61432560 | Size: 101065 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Abgeschlossen : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt



RogueKiller V7.6.4 [07/17/2012]durch Tigzy
mail: tigzyRK<at>gmail<dot>com
Kommentare: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Betriebssystem: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Gestartet in: Normal Modus
Benutzer: Mörtl [Admin Rechte]
Funktion: Reparierte Verknüpfungen --Datum: 07/24/2012 17:55:34

¤¤¤ Böswillige Prozesse: 0 ¤¤¤

¤¤¤ Treiber: [GELADEN] ¤¤¤

¤¤¤ Dateiattribute wiederhergestellt: ¤¤¤
Desktop: Success 3 / Fail 0
Schnellstart: Success 0 / Fail 0
Programme: Success 6 / Fail 0
Startmenü: Success 0 / Fail 0
Benutzer Ordner: Success 99 / Fail 0
Eigene Dateien: Success 4 / Fail 0
Mein Favoriten: Success 0 / Fail 0
Meine Bilder: Success 0 / Fail 0
Meine Musik: Success 0 / Fail 0
Meine Videos: Success 0 / Fail 0
Lokale Laufwerke: Success 907 / Fail 0
Sicherungskopie: [NOT FOUND]

Laufwerke:
[C:] \Device\HarddiskVolume1 -- 0x3 --> Restored
[D:] \Device\HarddiskVolume2 -- 0x3 --> Restored
[E:] \Device\CdRom1 -- 0x5 --> Skipped
[F:] \Device\Harddisk1\DP(1)0-0+7 -- 0x2 --> Restored
[G:] \Device\Harddisk2\DP(1)0-0+8 -- 0x2 --> Restored
[H:] \Device\Harddisk3\DP(1)0-0+9 -- 0x2 --> Restored
[I:] \Device\CdRom0 -- 0x5 --> Skipped
[J:] \Device\Harddisk4\DP(1)0-0+a -- 0x2 --> Restored

¤¤¤ Infektion : ¤¤¤

Abgeschlossen : << RKreport[3].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt


Malwarebytes:
Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Datenbank Version: v2012.07.20.04

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Mörtl :: MARTIN [Administrator]

24.07.2012 17:56:49
mbam-log-2012-07-24 (17-56-49).txt

Art des Suchlaufs: Quick-Scan
Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM
Deaktivierte Suchlaufeinstellungen: P2P
Durchsuchte Objekte: 199731
Laufzeit: 3 Minute(n), 46 Sekunde(n)

Infizierte Speicherprozesse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung: 0
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateien: 0
(Keine bösartigen Objekte gefunden)

(Ende)

The before experienced issues remain.

Edited by Modin, 24 July 2012 - 10:03 AM.

[CompCav]

Download and Install Combofix

Download ComboFix from one of the following locations:

Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop * IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. This infection will require a reboot to correct so make sure these are turned off and will not turn back on at reboot. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

• Double click on ComboFix.exe & follow the prompts.
• Accept the disclaimer and allow to update if it asks
  
  
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  
  **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
  
  
• Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
  
• Click on Yes, to continue scanning for malware.
  
• When finished, it will produce a report for you.
• Please post the "C:\ComboFix.txt" for further review.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions

[Modin]

I ran the program but didn't find any Combofix.txt only a "computer"-icon named ComboFix o.O

[CompCav]

Look on your hard drive in the root directory C:\

The file should be there C:\Combofix.txt

[Modin]

For better understandings I uploaded some pictures to describe the problem that occured or seemed to occur with combofix better:

I didn't find any ComboFix.txt file under C:\ but as you can see some weird icon appeared(not sure if it's part of the program's normal activity)

This is what happens if I open the file:


I hope that adds to your understanding.

[CompCav]

Step 1.

Delete the computer icon.

Remove ComboFix

• Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
• In the Run box, type in ComboFix /Uninstall
  (Notice the space between the "x" and "/")
  then click OK
  
  
  
• Follow the prompts on the screen
• A message should appear confirming that ComboFix was uninstalled

Step 2.

Download AVPTool from Here to your desktop

Run the program you have just downloaded to your desktop (it will be randomly named )

First we will run a virus scan

Click the cog in the upper right



Select down to and including your main drive, once done select the Automatic scan tab and press Start Scan



Allow AVP to delete all infections found
Once it has finished select report tab (last tab)
Select Detected threats report from the left and press Save button
Save it to your desktop and attach to your next post


Now the Analysis

Rerun AVP and select the Manual Disinfection tab and press Start Gathering System Information



On completion click the link to locate the zip file to upload and attach to your next post




Please post the log from the first scan and attach the zip file from the second.

[Modin]

While I am running the AVP scan I wanted to inform you that I didn't manage to uninstall ComboFixer and also didn't find it in the list of installed programs.

[CompCav]

OK just delete the icons. don't worry about uninstall.

[Modin]

The first scan didn't show any infected files which means that there was no detected threats report.

Attached Files

•  avptool_sysinfo.zip   35.32KB   197 downloads

[CompCav]

To use Virustotal go Here

• Click the Choose File button in the middle of the screen. This will open a File Upload window.
• In the File name box, type, or copy and paste the following and click Open: NOTE.. Only one file per scan
  
• C:\Windows\system32\drivers\6585364drv.sys
  
• This will put the file in the box on the Virustotal page.
• Click the Scan it! button and wait for the reply.
• Copy and paste the Virustotal link(s) (URL) in your next reply

[Modin]

the file couldn't be found the only file with numbers in it under C:\Windows\system32\drivers\ was 38104359

EDIT: I was able to find the file under a different direction:
C:\WINDOWS\LastGood\system32\DRIVERS\6585364drv.sys

here are the results on the scan: https://www.virustot...sis/1343229113/

Edited by Modin, 25 July 2012 - 09:13 AM.

[CompCav]

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run
To disable MBAM
Open the scanner and select the protection tab
Remove the tick from "Start with Windows"
Reboot and then run OTL

• Please reopen on your desktop.
• Copy and Paste the following code into the textbox.
  
  

  :OTL
  
  
  :files
  ipconfig /flushdns /c
  C:\Windows\system32\drivers\6585364drv.sys
  
  :reg
  
  
  :Commands
  [purity]
  [resethosts]
  [emptytemp]
  [createrestorepoint]

• Push
• OTL may ask to reboot the machine. Please do so if asked.
• Click the OK button.
• A report will open. Copy and Paste that report in your next reply.
• If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date and the time of the tool run.