Want to be sure it's clean, had trojan

Discussion in 'Malware Help (A Specialist Will Reply)' started by MichaelEmmerik, May 18, 2012.

  1. MichaelEmmerik

    MichaelEmmerik Private E-2

    Hi, I've been having some weird messages from Microsoft Security Essentials for a while. I usually scan every few days, and when I scan today, tomorrow I will get the message that I have not scanned in a while, which is weird. I always keep it up to date too.

    Also my laptop got a bit slow and reluctant to run certain things sometimes.

    On top of that, I was experimenting with getting rid of the DDR barrier a while back (had 4 GB installed, only 3 was used by my computer). I regretted it, but couldn't delete it. Now when I start up my laptop I get the option to boot "ohne DDR sphere". I want to delete that option. And in my add/remove menu, there are a few programs that can't be deleted:

    - Rhabot (no idea what it is, it doesn't exist according to add/remove)
    - Age of Empires III (2 files, same as Rhabot, doesn't exist?)
    - Overlord (same as above, doesn't exist).

    Also yesterday I went to a website and somehow got a keylogger from that installed on my computer, because I was hacked at a site. I decided this was time to call for the help of majorgeeks.

    Btw. I couldn't get RootRepeal to run. I am on a 32-bit Windows. I tried running it as admin, I tried disabling my firewall and anti-virus. Nothing changed. I will attach those logs too.

    It would be great to have my laptop running again without problems.

    Thank you in advance for your help!

    Yours,

    Michael Emmerik
     
  2. MichaelEmmerik

    MichaelEmmerik Private E-2

    Forgot the files.
     

    Attached Files:

  3. MichaelEmmerik

    MichaelEmmerik Private E-2

    Also I am unable to locate MGlogs.zip. I ran the MG thingy twice. I kept looking. There simply is no file. So sorry for that.
     

    Attached Files:

  4. MichaelEmmerik

    MichaelEmmerik Private E-2

    Sorry, forgot the ComboFix file as well.
     

    Attached Files:

  5. thisisu

    thisisu Malware Consultant

    Hello Michael :)

    This can be caused by running CCleaner. I think there is an option in the Application tab of CCleaner to turn off cleaning items from MSE.

    Try these scans:

    http://img196.imageshack.us/img196/3557/tdsskiller.gif I want you to read and follow these instructions: TDSSKiller - How to run


    http://img684.imageshack.us/img684/6489/aswmbr.gif Please download aswMBR to your desktop.
    • Double-click aswMBR.exe to run (Vista/7 right-click and select Run as Administrator)
    • Select No when asked "Would you like to download latest Avast! virus definitions?"
    • Click the [Scan] button.
    • On completion of the scan click [Save log], save it to your desktop and attach this log to your next message. (How to attach)
    http://img205.imageshack.us/img205/1894/otl.gif Please download OTL by OldTimer.

    • Save it to your desktop.
    • Right mouse click on the OTL icon on your desktop and select Run as Administrator
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.
      Code:
      activex
      netsvcs
      /md5start
      afd.sys
      i8042prt.sys
      netbt.sys
      nsiproxy.sys
      svchost.exe
      tcpip.sys
      tdx.sys
      /md5stop
      %windir%\$ntuninstallkb*. /120
      %windir%\system32\drivers\*.sys /lockedfiles
      %systemdrive%\mgtools\*.*
      
    • Now click the http://img171.imageshack.us/img171/2405/runscanotl.png button.
    • Two reports will be created:
      • OTL.txt <-- Will be opened
      • Extras.txt <-- Will be minimized
    • Attach OTL.txt and Extras.txt to your next message. (How to attach)
     
  6. MichaelEmmerik

    MichaelEmmerik Private E-2

    I really appreciate it that you responded so quickly! Thanks for that.

    The first scan showed some threats already, so this means I am still infected. Glad I made this topic=]

    Files are attached.
     

    Attached Files:

  7. thisisu

    thisisu Malware Consultant

    These are just drivers that have not been digitally signed/approved by Microsoft. Your logs are pretty clean but let's do this one fix and I think you'll be good to go.

    http://img205.imageshack.us/img205/1894/otl.gif Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.
    Code:
    :otl
    SRV - File not found [Auto | Stopped] --  -- (FsUsbExService)
    DRV - File not found [Kernel | On_Demand | Stopped] -- System32\drivers\rdvgkmd.sys -- (VGPU)
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\drivers\tsusbhub.sys -- (tsusbhub)
    DRV - File not found [Kernel | On_Demand | Stopped] -- System32\drivers\synth3dvsc.sys -- (Synth3dVsc)
    DRV - File not found [Kernel | Disabled | Stopped] -- C:\Windows\\SystemRoot\System32\Drivers\sptd.sys -- (sptd)
    DRV - File not found [Kernel | On_Demand | Unknown] -- C:\ComboFix\mbr.sys -- (mbr)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (FsUsbExDisk)
    DRV - File not found [Kernel | On_Demand | Stopped] -- System32\drivers\dgderdrv.sys -- (dgderdrv)
    DRV - File not found [Kernel | On_Demand | Unknown] -- C:\Users\Michael\AppData\Local\Temp\catchme.sys -- (catchme)
    DRV - File not found [Kernel | On_Demand | Unknown] -- C:\Users\Michael\AppData\Local\Temp\aswMBR.sys -- (aswMBR)
    IE - HKLM\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2938961
    IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
    IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
    IE - HKU\S-1-5-21-999692125-268758735-1371737598-1000\..\SearchScopes\x-osid:1:search:Yahoo%21: "URL" = http://nl.yhs.search.yahoo.com/avg/search?fr=yhs-avg-chrome&type=yahoo_avg_hs2-tb-web_chrome_nl&p={searchTerms}
    O3 - HKU\S-1-5-21-999692125-268758735-1371737598-1000\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
    @Alternate Data Stream - 383 bytes -> C:\ProgramData\TEMP:6BE50C2B
    @Alternate Data Stream - 290 bytes -> C:\ProgramData\TEMP:E41EAF13
    @Alternate Data Stream - 162 bytes -> C:\ProgramData\TEMP:E0888117
    @Alternate Data Stream - 135 bytes -> C:\ProgramData\TEMP:D95ACC7D
    @Alternate Data Stream - 130 bytes -> C:\ProgramData\TEMP:0FF263E8
    @Alternate Data Stream - 120 bytes -> C:\ProgramData\TEMP:0574215C
    :files
    type C:\mgtools\newfiles.txt /c
    type C:\mgtools\runkeys.txt /c
    :commands
    [clearallrestorepoints]
    [emptytemp]
    
    Now click the http://img3.imageshack.us/img3/407/otlrunfix.png button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    are not actually malicious though.
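    As an added example (not from this thread, and not OTL's own code), the PowerShell script below is a read-only audit of the same kinds of leftovers the OTL fix above removes: service and driver registry keys whose ImagePath file is gone, alternate data streams on C:\ProgramData\TEMP, drivers whose Authenticode signature does not verify, and IE SearchScopes entries. It assumes it is run as Administrator on Windows with PowerShell 3 or later, and the path-normalising rules in the first function are a heuristic, not OTL's method.

```powershell
# Added audit script: lists candidates for review, deletes nothing. Run as Administrator.

# 1. Service/driver keys whose ImagePath is empty or points at a missing file
#    ("SRV/DRV - File not found" lines). Keys with no Type value are config-only and skipped.
function Get-OrphanedServiceEntry {
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $props = Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue
        if ($null -eq $props -or $null -eq $props.Type) { return }
        $raw  = [string]$props.ImagePath
        $path = [Environment]::ExpandEnvironmentVariables($raw)
        $path = $path -replace '^\\\?\?\\', ''                    # \??\C:\x.sys -> C:\x.sys
        $path = $path -replace '^"([^"]+)".*', '$1'               # "C:\a b\x.exe" args -> C:\a b\x.exe
        $path = $path -replace '^\\SystemRoot', $env:SystemRoot   # \SystemRoot\... -> C:\Windows\...
        $path = ($path -split ' -')[0]                            # heuristic: drop "-k netsvcs" style args
        if ($path -and $path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $env:SystemRoot $path }
        if (-not $path -or -not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Name = $_.PSChildName; ImagePath = $raw }
        }
    }
}

# 2. Alternate data streams on C:\ProgramData\TEMP ("@Alternate Data Stream" lines).
function Get-AlternateStream {
    param([string]$Path = 'C:\ProgramData\TEMP')
    if (-not (Test-Path -LiteralPath $Path)) { return }
    Get-Item -LiteralPath $Path -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Select-Object FileName, Stream, Length
}

# 3. Drivers whose Authenticode signature does not validate (the "not digitally signed" point).
#    On Windows 7, in-box drivers are catalog-signed and show as NotSigned here: review, don't delete.
function Get-UnverifiedDriver {
    Get-ChildItem "$env:SystemRoot\System32\drivers\*.sys" |
        ForEach-Object { Get-AuthenticodeSignature -FilePath $_.FullName } |
        Where-Object { $_.Status -ne 'Valid' } |
        Select-Object Path, Status
}

# 4. IE search providers registered under HKLM (the SearchScopes entry the fix removes).
function Get-SearchScope {
    $key = 'HKLM:\Software\Microsoft\Internet Explorer\SearchScopes'
    if (-not (Test-Path $key)) { return }
    Get-ChildItem $key | ForEach-Object {
        [pscustomobject]@{ Scope = $_.PSChildName; URL = (Get-ItemProperty -LiteralPath $_.PSPath).URL }
    }
}

foreach ($f in 'Get-OrphanedServiceEntry', 'Get-AlternateStream', 'Get-UnverifiedDriver', 'Get-SearchScope') {
    & $f | Format-Table -AutoSize
}
```

    Every line it prints is a candidate to compare against a known-good machine before anything is removed; a signed-but-stale driver entry or a vendor search provider can appear in the same lists.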
     
  8. MichaelEmmerik

    MichaelEmmerik Private E-2

    Thanks for your reply and explanation.

    Also just before you posted, I got the MGlogs.zip by simply running MGtools as admin. I'll add the file to this post.

    The OTL went fine, I had to reboot and got a log file after. But I can't add it to this post, it's too big? I'll try again..
    Edit: Nvm, I found a way to upload it. I made it a .7z file, and changed it to .zip, else I couldn't upload it here.

    Also I was wondering if you know a way to delete certain entries from the add/remove.

    These I want to get rid of but can't:
    "Age of Empires III - The Asian Dynasties"
    "Age of Empires III - The WarChiefs"
    "Overlord"
    "Overlord II"
    "Rhabot"

    Whenever I try, it fails.

    And finally, I still have the startup option of "windows 7 ohne DDR sphere" that I want to get rid of but don't know how.

    Thank you for your response.

    Yours,

    Michael
     

    Attached Files:

    Last edited: May 18, 2012
  9. thisisu

    thisisu Malware Consultant

    You're welcome, Michael.

    http://img205.imageshack.us/img205/1894/otl.gif Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.
    Code:
    :reg
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]
    
    Now click the http://img3.imageshack.us/img3/407/otlrunfix.png button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    __

    For the other problems you are experiencing, it would be best to create a thread in the Software forum as they are not malware related.

    __

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis if it is present.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
    Be safe :)
     
  10. MichaelEmmerik

    MichaelEmmerik Private E-2

    Thanks for your help. Although it seems I deleted the log of OTL before I could add it to this post; that happened through the removal procedure. Sorry!

    Is this a problem?

    Also I will go to the software section and ask there.

    Thanks for your help once again=]
     
  11. thisisu

    thisisu Malware Consultant

    No problem, Michael :)
     
