Trojans at my gate

Discussion in 'Malware Help (A Specialist Will Reply)' started by equus007, Apr 2, 2010.

  1. equus007

    equus007 Private E-2

    Did a no-no and opened an exe without scanning it and got several trojans including XP Defender. Ran through the READ ME FIRST instructions without using ComboFix (used it before and could never get rid of it, so was leery). Thought I got it, so went on and soon found out I was wrong.

    Ran through the list again...here are the logs.

    Haven't been using it since then so don't know whether or not I got it.
    Any suggestions?
     

    Attached Files:

  2. equus007

    equus007 Private E-2

    still getting a redirect when using google
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    You need to attach the requested log from MGtools.

    Also run the below.


    Go to TDSSKiller and Download TDSSKiller.zip to your Desktop
    • Extract its contents to your Desktop so that you have TDSSKiller.exe directly on your Desktop and not in any subfolder of the Desktop.
    • Click Start > Run and copy/paste the following bold command into Run box and hit Enter.
    "%userprofile%\Desktop\TDSSKiller.exe" -v
    • Follow the instructions to type in "delete" when it asks you what to do when it finds something.
    • When done, a log file should be created on your C: drive named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run. Please attach this log to your next reply. (See: HOW TO: Attach Items To Your Post )
     
  4. equus007

    equus007 Private E-2

    Here's the MGlog I think you asked about.
    will run other tool and up log
     

    Attached Files:

  5. equus007

    equus007 Private E-2

    Sorry this is the one. The previous post was the first run through.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay TDSSkiller found and removed part of your problem.

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.


    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

    Now attach the below log:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  7. equus007

    equus007 Private E-2

    Here they are. Had some issues with disabling AVG9.0(grrrrrrr) but it seems to have worked

    Thanks again
    BTW my favorite binary number is 2

    running tests on redirect issue but it is still persisting
     

    Attached Files:

  8. equus007

    equus007 Private E-2

    I'm also getting a windows message that reads:

    "Generic Host Process for Win32 Services has encountered a problem and needs to close..."


    then my taskbar reverts to gray and some of the icons get fudged
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I misread your TDSSKiller log earlier. It actually said it could not fix the problem since there is no backup of the infected file available. Do you have a CD that came with your PC that contains the below Nvidia Optical Driver SATA?

    C:\WINDOWS\system32\DRIVERS\nvgts.sys

    You need to replace this file with a clean one and there are no replacements on your hard disk. This file will have to be replaced either from the Windows Recovery Console or using special tools, but first you need to find a valid clean copy.
     
  10. equus007

    equus007 Private E-2

    yeah I noticed that TDSS found but could not remove/fix it. Have been searching some and saw a method on nvidia's board about a way to script this in(?) but wanted to pass this by y'all first.

    Is there a way to replace this file without the disk?
    Right now I have peerblocker stopping most of the redirects but it is annoying.

    This is an OEM install and I never had the disks. The drive was in a XPS running my OEM from DEll and then was moved to another system when the processor crashed. I think the tech that built the new box trashed the old chasis with the key sticker on it and then installed his own OEM copy on it. Since I don't have the key I don't know how to check this.

    It was at least a valid copy. I did verify the new copy when I got the new system ~2 months ago.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need a good/uninfected copy of the file and then it can possibly be replaced using TDSSkiller, ComboFix, Avenger, or the Windows Recovery Console

    It may be possible that downloading and installing updated drivers from Nvidia could even repair it, but I don't know that for sure. The infection could potentially block the update.
     
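Before a suspect driver is swapped for a "clean copy", a practitioner wants two checks that the thread only implies: that the candidate actually differs from the installed file, and that the candidate at least carries an Authenticode certificate table (a TDSS-patched driver typically has had its signature stripped or invalidated). The script below is an added example written for this page, not a tool posted in the thread; `build_pe()` constructs two minimal PE32 images in memory so it runs offline, and the 0x400/0x800 directory values are made-up placeholders. It detects whether a certificate table is present, not whether the signature is valid; validity has to be checked with Authenticode chain verification (for example `signtool verify` on a Windows machine).

```python
import hashlib
import struct
import sys

# IMAGE_DIRECTORY_ENTRY_SECURITY is data directory index 4; each entry is (VirtualAddress, Size).
SECURITY_DIR_INDEX = 4
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def build_pe(security_size):
    """Construct a minimal, non-executable PE32 header (example data, not a real driver).

    security_size > 0 fakes the presence of an Authenticode certificate table.
    """
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                      # e_lfanew -> PE signature at offset 64
    # COFF header: Machine=i386, 0 sections, timestamp, symtab ptr, nsyms, SizeOfOptionalHeader=224, flags
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 92, 16)                        # NumberOfRvaAndSizes
    # placeholder file offset 0x400 for the certificate blob (assumption, not a real layout)
    struct.pack_into("<II", opt, 96 + SECURITY_DIR_INDEX * 8,
                     0x400 if security_size else 0, security_size)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def security_directory(data):
    """Return (offset, size) of the certificate table, or (0, 0) if the file carries none."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt_off = e_lfanew + 4 + 20                                 # skip signature + COFF header
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == PE32_MAGIC:
        count_off, dir_base = opt_off + 92, opt_off + 96
    elif magic == PE32PLUS_MAGIC:
        count_off, dir_base = opt_off + 108, opt_off + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if struct.unpack_from("<I", data, count_off)[0] <= SECURITY_DIR_INDEX:
        return (0, 0)
    return struct.unpack_from("<II", data, dir_base + SECURITY_DIR_INDEX * 8)


def assess(installed, candidate):
    """Compare the installed driver bytes with the proposed replacement."""
    same = hashlib.sha256(installed).digest() == hashlib.sha256(candidate).digest()
    inst_signed = security_directory(installed)[1] > 0
    cand_signed = security_directory(candidate)[1] > 0
    if same:
        verdict = "identical: the 'clean copy' is the same file, replacing it changes nothing"
    elif cand_signed and not inst_signed:
        verdict = "installed copy lost its certificate table; candidate is a plausible replacement"
    elif not cand_signed:
        verdict = "candidate carries no certificate table; do not trust it as a clean copy"
    else:
        verdict = "both carry certificate tables but differ; verify signatures before swapping"
    return {"same_hash": same, "installed_signed": inst_signed,
            "candidate_signed": cand_signed, "verdict": verdict}


if __name__ == "__main__":
    if len(sys.argv) == 3:                                      # real files: installed, candidate
        with open(sys.argv[1], "rb") as a, open(sys.argv[2], "rb") as b:
            print(assess(a.read(), b.read()))
    else:                                                       # offline demo on constructed images
        print(assess(build_pe(0), build_pe(0x800)))
```

Run with the two paths from the thread (`python check_driver.py C:\WINDOWS\system32\drivers\nvgts.sys D:\...\sata_ide\nvgts.sys`) to get the verdict before touching the Recovery Console; with no arguments it runs the constructed demo.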
  12. equus007

    equus007 Private E-2

    I now have a clean copy of nvgts.sys. What next?
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Tell me exactly where the file is located.
     
  14. equus007

    equus007 Private E-2

    original = c:\windows\system32\drivers

    clean copy = D:\Drivers\Chipset\1526_XP32\IDE\WinXP\sata_ide
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay then make sure that drive D is currently accessible before doing the below.




    Now we need to use ComboFix to copy the file to a few locations and make another backup.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    After reboot, immediately run TDSSkiller again just like previously run.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  16. equus007

    equus007 Private E-2

    here you go.
     

    Attached Files:

  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Why did you install HitmanPro?

    Why did you run TDSSKiller 3 times (twice before running ComboFix and once after)?

    And what else have you been doing? You have a whole bunch of new infections!! Yes new. They are not related to what we have been trying to fix.
     
  18. equus007

    equus007 Private E-2

    grrrrrrr......because I am not the only one using this system.
    BRB have to go beat someone.
     
  19. equus007

    equus007 Private E-2

    Should I just start fresh with the list and new installs of all the programs?



    sorry just very angry at the moment:

    what I have been doing: going to work and spending the nights doing this and flipping around on reddit
    what she has been doing: listening to a friend on facebook about how to fix the problem and most likely downloading more stupid hidden object games.
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Nothing else but what we are asking you to do should be done on this PC. It will only make our work more difficult. Once we are either finished removing all malware ( or we give up which is rare ) you can then do what you want.


    Please follow the instructions in the below to disable CD Emulation:
    I will post another fix in a few minutes. Just do the above while I'm working on this.
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you use anything like the below
    I see this file in your log which is why I'm asking. I want to be sure it is valid.
     
  22. equus007

    equus007 Private E-2

    Does not sound familiar.
    I do have several adobe products on this system but did not personally install them.
     
  23. equus007

    equus007 Private E-2

    Defogger is done
    and BTW thank you. You are very patient.
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is it a legit copy? Right now it is infected and this could mean it needs to be uninstalled to clean it properly.

    The nvgts.sys file may not really be infected. It could be a problem that occurs due to using Daemon Tools which is why I just had you run Defogger.



    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below code box into it:
    Code:
    KILLALL::
     
    Atjob::
    Renv::
    c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl .exe
    c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray .exe
    c:\program files\ATT-SST\McciTrayApp .exe
    c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
    c:\program files\CyberLink\PowerDVD\PDVDServ .exe
    c:\program files\Microsoft Office\Office12\GrooveMonitor .exe
     
     
    DirLook::
    C:\Program Files\Common Files\System\ado
    C:\Program Files\Common Files\System\msadc
    C:\Program Files\Common Files\System\Ole DB
     
    FileLook::
    c:\windows\system32\acaptuser32.dll
     
    File::
    c:\windows\Fonts\e2nV5.com
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\8cq4r
    C:\Documents and Settings\All Users\Application Data\rq8O7YiY.dat
    C:\TDSSKiller.2.2.8.1_03.04.2010_19.01.05_log.txt
    C:\TDSSKiller.2.2.8.1_05.04.2010_17.29.05_log.txt
    C:\TDSSKiller.2.2.8.1_03.04.2010_18.45.41_log.txt
    C:\TDSSKiller.2.2.8.1_05.04.2010_17.23.28_log.txt
    C:\TDSSKiller.2.2.8.1_05.04.2010_23.29.24_log.txt
    C:\TDSSKiller.2.2.8.1_03.04.2010_18.10.35_log.txt
    C:\TDSSKiller.2.2.8.1_03.04.2010_16.14.29_log.txt
    C:\TDSSKiller.2.2.8.1_03.04.2010_00.07.24_log.txt
    C:\TDSSKiller.2.2.8.1_03.04.2010_00.08.10_log.txt
    C:\TDSSKiller.2.2.8.1_03.04.2010_00.14.20_log.txt
    C:\TDSSKiller.2.2.8.1_03.04.2010_04.39.41_log.txt
    C:\MGlogs.zip
    C:\Documents and Settings\Administrator\Local Settings\temp\bck7.tmp
     
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AtiPTA"=-
    "RemoteControl"=-
    "ATT-SST_McciTrayApp"=-
    "Adobe Acrobat Speed Launcher"=- [2009-12-22 38840]
    "Acrobat Assistant 8.0"=- [2009-12-21 640440]
    "GrooveMonitor"=-
    "Adobe ARM"=-
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "SUPERAntiSpyware"=-
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\AdobeUpdater]
    
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now rerun TDSSKiller ( only once ).

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  25. equus007

    equus007 Private E-2

    I don't know if they are legit. Should I uninstall before using combo fix? Do you know which program the .dll links to?
     
  26. equus007

    equus007 Private E-2

    After thinking about it the only things I can for sure verify as legit on this system are my music files and my OS. In short I will (gladly) do away with just about anything that looks questionable.
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    For now, just follow my last instructions. If we run into problems, we will consider uninstalling some software.
     
  28. equus007

    equus007 Private E-2

    Here is what I have been able to figure out that had happened before I ran combofix.

    Several games uninstalled.
    AVG9 settings messed with*
    TDSSKiller run twice
    HitmanPro run possibly more than once
    "some sort of reg.cleaner"run
    !!!!!clicked a "do you really want to navigate away from this page" prompt on a redirect!!!!!

    *here is where you may begin to hate me if it caused any problems...I could no longer disable scans in AVG9. I have no idea how this was done but I had to uninstall it in order to run Combofix. At this point if the clean-up doesn't work I will probably just wipe the drive as I will be losing very little.
     

    Attached Files:

  29. equus007

    equus007 Private E-2

    quick question you may know the answer to as well.
    If I leave defogger on will it prevent new emulators from working as well? I do not use them and would like to find a way to prevent them from showing up without banning my daughter from the internet entirely.
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not necessarily.

    You can just uninstall Daemon Tools if you don't want the emulation on your PC but your daughter probably uses it to play games without putting in the CD.

    Defogger either did not defog, or TDSSKiller is having a false detection, or something else is in play that is causing the nvgts.sys to keep appearing as infected when we have replaced it with a clean copy using ComboFix.

    Let's shift gears a little. I'm going to assume you have some kind of router that you use. It is not uncommon for routers to get infected. If you have a router hooked up then you need to follow the instructions for your hardware and reset it to factory default settings. Normally there is a recessed push button type switch that needs to be held down for some number of seconds to do this. After resetting to factory defaults on your router, you will need to reconfigure the router for your network if you have made any changes to the default network setup.

    Then reboot your PC and see if you still have problems with redirections.
     
  31. equus007

    equus007 Private E-2

    Done however still getting redirect. NAV catching it now but doing a google search for malware always gets a hit (see attached)

    In the past few days it began locking up every once in a while and then stopped starting. I finally got it started and immediately began uninstalling everything I did not personally install (I have to have this system at least functional so I can work). I also installed Norton which seems to catch some of the redirects and am now getting a different message which says msdvdr.pif ( http://www.bleepingcomputer.com/startups/msdvdr.pif-19708.html )
    can no longer run. It starts fine now. I'm assuming this is a good thing.

    The issue with the other file seems to have been cleared up and the task bar no longer grays out however that was intermittent and probably too soon to tell.

    Things Removed:

    CS3
    Illustrator
    Office 97
    A few movies
    Nexus(Game)
    Peerblocker
    Daemon Tools (ran defogger first and reactivated before uninstall)


    Will be running full NAV scan tonight.

    If you have any further ideas let me know. I will only be using this system for web browsing until I either fix this issue or reinstall OS.

    Thank you
     
  32. equus007

    equus007 Private E-2

    addendum:

    NAV removed msdvdr.pif
    system restarted and NAV detected something else and forced another restart. The log only shows the msdvdr.pif and a bunch of blocked intrusions. Still getting intrusions.
     
  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    When you say intrusions, I assume you are referring to incoming detections by your firewall. Is that the case? If so, that is why you are supposed to have a software firewall. ;)

    Okay now that all of that software has been uninstalled, let's see how logs look.

    Please download and run the current version of: combofix.exe

    Then rerun TDSSKiller like I previously had you run.


    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )



    Now attach the below log:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited: Apr 9, 2010
  34. equus007

    equus007 Private E-2

    Firefox now wanting to send report whenever I shut it down but otherwise functioning normally.

    Something tried to open fubar but NAV stopped it half-way while I was reading the last post. Went ahead and uninstalled it (fubar) as well before starting with combofix.

    All fresh installs of removal tools.

    edit: yes the intrusions were spotted by NAV and are coming from 2 ip's however there is at least one that is still getting through as far as I've been able to tell. I think my daughter turned off AVG9 while attempting to apply a no-cd hack which is what started all of this.
     

    Attached Files:

  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member


    We are going to be uninstalling your old version of FireFox and installing the new version. So do the below to save bookmarks:
    • Run FireFox and click Bookmarks.
    • Then select Organize Bookmarks.
    • Then on the next window click File and then select Export. Save the bookmarks.html file to your Desktop for later use in importing.
    Now download and save the installer for the current version of FireFox but DO NOT install it yet. Get it here: Mozilla FireFox

    You will need to exit FireFox now and use Internet Explorer to continue with the below until we reinstall FireFox.

    Start by uninstalling FireFox and then reboot. Do not skip the reboot.
    After reboot, delete the below folders:
    C:\Program Files\Mozilla Firefox
    C:\documents and settings\UserAccount\Application Data\Mozilla

    where UserAccount is the actual user account name being used.

    Now reinstall FireFox from the file previously downloaded.
    Import your bookmarks file. (similar process to exporting).


    What IPs?


    Let's cleanup a bunch of left overs from Adobe and a few other things.

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (file missing)
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O2 - BHO: Internet Explorer Plugin - {F4F5B58A-D3A6-4F85-B3EF-5642E8937E6F} - nsfwj2.dll (file missing)
    O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
    O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    O20 - AppInit_DLLs: C:\WINDOWS\system32\acaptuser32.dll
    O20 - Winlogon Notify: gport_ - C:\WINDOWS\SYSTEM32\gport_.dll

    After clicking Fix, exit HJT.

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

    Now attach the below log:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited: Apr 9, 2010
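The HijackThis lines above mix harmless Adobe leftovers with the entries that matter: modules flagged "(file missing)", a BHO registered by bare filename (`nsfwj2.dll`, resolved through the DLL search path rather than a fixed location), and O20 AppInit_DLLs / Winlogon Notify entries, which load a DLL into every process or at logon without a visible program. The triage below is an added example for this page, not part of the thread or of HijackThis itself; the sample lines are the ones quoted in the post and the reason codes are made up for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the HijackThis entries quoted in the post above, not a full log.
SAMPLE_HJT_LINES = r"""
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (file missing)
O2 - BHO: Internet Explorer Plugin - {F4F5B58A-D3A6-4F85-B3EF-5642E8937E6F} - nsfwj2.dll (file missing)
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O20 - AppInit_DLLs: C:\WINDOWS\system32\acaptuser32.dll
O20 - Winlogon Notify: gport_ - C:\WINDOWS\SYSTEM32\gport_.dll
"""

# O20 (AppInit_DLLs, Winlogon Notify) and O21 (ShellServiceObjectDelayLoad) inject a DLL
# into other processes; any entry there deserves a look regardless of the path.
HIGH_RISK_SECTIONS = {"O20", "O21"}
LINE_RE = re.compile(r"^(O\d+) - (.*)$")
LABEL_RE = re.compile(r"^\w[\w .]*: (.+)$")          # "AppInit_DLLs: C:\..." -> "C:\..."
QUOTED_RE = re.compile(r'"([^"]+)"')                  # O4 Run entries quote the command


@dataclass
class Finding:
    section: str
    path: str
    reasons: list = field(default_factory=list)


def module_path(section, detail):
    """Pull the file path (or bare filename) out of one HijackThis entry."""
    detail = detail.replace("(file missing)", "").strip()
    if section == "O4":
        m = QUOTED_RE.search(detail)
        return m.group(1) if m else detail.split("] ", 1)[-1]
    last = detail.split(" - ")[-1].strip()
    m = LABEL_RE.match(last)
    return m.group(1).strip() if m else last


def triage(log_text):
    """Return only the entries with a reason to look closer, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        section, detail = m.groups()
        path = module_path(section, detail)
        reasons = []
        if section in HIGH_RISK_SECTIONS:
            reasons.append("high-risk-section")   # code injected into other processes / logon
        if "(file missing)" in detail:
            reasons.append("file-missing")        # orphaned registration or loader already removed
        if "\\" not in path and "/" not in path:
            reasons.append("bare-filename")       # loaded via search path, trivially hijackable
        if reasons:
            findings.append(Finding(section, path, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LINES):
        print(f"{f.section:4} {', '.join(f.reasons):30} {f.path}")
```

Point it at a saved HijackThis log instead of the embedded sample and the Adobe O2/O4/O8 lines drop out of the output, leaving the four entries worth investigating; a clean `(file missing)` hit is still worth removing, since an orphaned BHO or Notify entry that later gets its DLL back is a persistence slot left open.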
  36. equus007

    equus007 Private E-2

    neither combofix nor mgtools seems to be working. Control panel shows cscript.cfxxe running and it started after CFscript.txt was dropped on it but blue menu screen never came up.

    MGtools came up but never began scan for reg.keys

    ip's:
    112.121.181.26
    213.163.89.106

    NAv has also removed 3 instances of Backdoor.Hack.Defender

    Still getting error report at end of Firefox session.

    I have left both MGtools.exe and CScript.cfxxe running as I know comboscript at least can really mess with a system if it goes wrong.
     
  37. equus007

    equus007 Private E-2

    System eventually froze and had to restart. Does not seem to be any damage done. Only thing that I think worked was CCleaner.

    another intrusion from:
    873hgf7xx60.com(112.121.181.26, 443)

    try same process again?
     
  38. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Warnings from your firewall about blocked intrusions are not problems. They are normal. Especially after originally having a PC with infections since some hackers may know of your end address.

    Please download and use the current versions of both programs and see if they run. Make sure you shutdown Symantec or it will likely just get in the way of execution.


    Uninstall. Reboot. And then reinstall.

    MGtools should not be run until after ComboFix has finished running. They should never be run at the same time.
     
  39. equus007

    equus007 Private E-2

    Combofix and Mgtools worked.

    Was not sure if you wanted me to run the CFscript on combotools or not so I ran combofix as normal.

    Thanks
     

    Attached Files:

  40. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes please run the previous fix with the new version of ComboFix. Also run the new version of MGtools. Attach new logs.


    Also please run this: GMER - running with a random name and attach the log from GMER.
     
  41. equus007

    equus007 Private E-2

    all went well except system seriously slowed after gmer. Seems fine after restart.

    Mgtools did detect ip6fw(?) which it has always said was missing in the previous scans

    FF still messed up but I think it may just be the shortcut I am using...will test this next.

    Still getting redirect to Dell XPS survey give away losers

    Thanks
     

    Attached Files:

  42. equus007

    equus007 Private E-2

    combofix.txt too big for single file upload so I broke it up into 5 files
     

    Attached Files:

  43. equus007

    equus007 Private E-2

    ok make that 6 files

    lots of adobe help files deleted
     

    Attached Files:

  44. equus007

    equus007 Private E-2

    sorry bout the mess
    edit function timed out while I was trying to cut up combofix.txt

    5a.txt - 5d.txt come between combofix4.txt and combofix6.txt

    the bulk of all theses are deleted help files from Acrobat
     

    Attached Files:

    • 5a.txt
    • 5b.txt
    • 5c.txt
    • 5d.txt
  45. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it. (If you are using Vista, please right-click and select Run as administrator.)
    • A blank Windows shall open with the title "SystemLook v1.0-by Jpshortstuff".
    • Copy and Paste the content of the following codebox into the main textfield under "File":
    Code:
    :filefind
    atapi.sys
    nvgts.sys 
     
    
    
    • Please Confirm everything is copied and Pasted as I have provided above
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. You can close this notepad window as the log will already be saved as SystemLook.txt on your Desktop ( if you downloaded and ran SystemLook to your Desktop as requested ).
    • Please attach this log in your next reply.
    Note: The scan may take a while from several seconds to a minute or more depending on the number of files you have and how fast your computer can perform the task.
     
  46. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The ComboFix log was so large because I had it deleting stuff from Adobe which I thought were leftovers. I thought you said you uninstalled all of it earlier. Perhaps that was a misunderstanding. At any rate, your installation of Adobe Acrobat 9 Pro Extended - English, Français, Deutsch was broken via the last ComboFix step and will likely need to be reinstalled, but it would be best not to do this yet until we can fix your malware. The nvgts.sys file is likely the root of your problem and we will have to replace it with a good copy, and this will have to be done by booting to the Recovery Console that you installed using ComboFix. We will get to this after I get the log from SystemLook.
     
  47. equus007

    equus007 Private E-2

    Norton detected Trojan.FakeAV as well ( quarantined )
     

    Attached Files:

  48. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay the nvgts.sys file is definitely the source of the problem and we will have to fix this by using the Windows Recovery Console that you installed when installing ComboFix. However before we can do this, I need you to do the below.

    First you need to make a copy of your backup which is here:
    d:\drivers\Chipset\1526_XP32\IDE\WinXP\sata_ide\nvgts.sys

    and put the copy so that it is located here c:\nvgts.sys

    We need to make sure this is completed properly before we can proceed so I will be asking for a new MGtools log a little further down to verify you have completed this properly.


    Now we also need to create a batch file to run from the Windows Recovery Console ( henceforth just called the RC ) which will make steps easier for you when we do get to using the RC.
    • Open notepad
    • Copy the contents of the Code Box below into the notepad window.
    • Click File -> Save As...
    • In the File name: field, type C:\grfix.txt, then click Save.
    • Close notepad
    Code:
    ren c:\windows\system32\drivers\nvgts.sys nvgts.old
    copy c:\nvgts.sys c:\windows\system32\drivers\nvgts.sys
    Now double check the C:\grfix.txt file by double clicking on it and make absolutely sure that it looks exactly like I gave above noting to maintain spacing which is why my instructions stated to copy ( typing could lead to mistakes ;) ). If it looks okay, just let me know that you have this grfix.txt file created properly.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\MGlogs.zip
     
  49. equus007

    equus007 Private E-2

    Accidentally ran MGtools.exe before GetLogs.bat; they seem to do the same thing. MGlogs1.zip was from the MGtools.exe run and MGlogs.zip was from running GetLogs.bat.

    Hope this doesn't mess it up.

    grfix.txt good to go
     

    Attached Files:

  50. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now we will boot into the Windows XP Recovery Console. You should print these to have on hand while offline. Also read thru all of them now to be sure you understand before starting them.
    • Restart your computer.
    • Shortly after restart and way before Windows loads, you will be prompted to choose which Operating System to start. Pay attention it flashes fast and you will only have about 1 or 2 seconds to hit a key!
    • Use the up and down arrow key to select Microsoft Windows Recovery Console that was installed with Combofix and hit enter after selecting.
    • Later you will be asked to enter which Windows installation to log onto. Type 1 and press 'Enter'.
    • At the C:\Windows prompt, type the following bolded entries, and press 'Enter' (note the space after the word batch):
    batch C:\grfix.txt

    After the above runs ( it should be quick), type in Exit and press enter and your computer shall reboot. Reboot back in to Normal Mode and run Combofix once more.

    Now also run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • the new c:\combofix.txt log
    • C:\MGlogs.zip
     
