
Trojan.Agent/Gen-Nullo and Rootkit.ITGRDEngine removed, still have problems


This topic is locked. 16 replies to this topic.

#1 theshem

  • Members
  • 12 posts

Posted 12 June 2010 - 10:17 AM

I recently removed these two infections using SuperAntiSpyware. My computer is still acting odd, including some services (DHCP, Wireless Zero Config and Themes) not starting automatically as they are set to do. Those two scans are attached.

I have also already run OTL and those logs are attached also.

I was running GMER but I started getting a bunch of errors including delayed write errors, a blue screen flashed up (all of this happened very quickly) and then my system rebooted. I noticed in another post that you had the user uncheck IAT/EAT, Drives/Partitions other than SystemDrive and Show All, but I had not done that.

I should also add that new tabs are being spawned in Firefox without me clicking on anything. Clearly I am still infected by something.

Thank you for your assistance.

Tim

Edited by theshem, 12 June 2010 - 02:50 PM.



#2 etavares

  • Bleepin' Remover
  • Malware Response Team
  • 15,514 posts

Posted 16 June 2010 - 05:36 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting.

We need to create an OTL report:
  • Please download OTL from this link.
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in:

    netsvcs
    msconfig
    activex
    drivers32
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32
    ahcix86s.sys
    nvrd32.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT

  • Click the Quick Scan button.
  • The scan should take a few minutes.
  • Please copy and paste both logs in your reply.

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new OTL log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


In your reply, please post both OTL logs and the GMER log.

Since you're having issues with GMER, please try GMER in safe mode. If that doesn't work, try in safe mode, but uncheck 'devices'. If all else fails, try in safe mode and only check 'files' and 'sections'.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators


#3 theshem

  • Topic Starter
  • Members
  • 12 posts

Posted 17 June 2010 - 03:59 PM

Thanks for your reply.

Okay, the problems I am still having include general slowness of the computer, including startup, services not starting at boot time (including DHCP, Themes and Wireless Zero Config...I'm sure there are others I'm not aware of), some browser (Firefox) search redirects, and new tabs opening up on their own claiming to be search results or "you are a winner!!"

I ran OTL, but it only generated one log this time, which is attached.

I was able to finally run GMER in safe mode, and that log is attached as well.

I currently have CA Security Suite running full time, including the firewall.

Attached Files

  • Attached File  OTL.Txt   130.22KB   1 downloads
  • Attached File  gmer.log   1.82KB   3 downloads

Edited by theshem, 17 June 2010 - 03:59 PM.


#4 etavares

  • Bleepin' Remover
  • Malware Response Team
  • 15,514 posts

Posted 17 June 2010 - 05:43 PM

Hello, theshem.
Backdoor Warning
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you do decide to proceed, please continue with the fix below.

Next, please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop as theshemCF.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on theshemCF.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply, along with any symptoms that are present after it runs.

etavares




#5 theshem

  • Topic Starter
  • Members
  • 12 posts

Posted 17 June 2010 - 07:05 PM

Thank you. That's what I feared. I will still go ahead and clean the computer, and schedule with our tech support to do a full restore to original condition.

I will post my log as soon as I'm done with the ComboFix.

#6 theshem

  • Topic Starter
  • Members
  • 12 posts

Posted 17 June 2010 - 07:15 PM

When I try to run theshemCF.exe, I get the following error message:

"Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."

The title portion of the error message window says:

"32788R22FWJFW\n.pif"

#7 etavares

  • Bleepin' Remover
  • Malware Response Team
  • 15,514 posts

Posted 18 June 2010 - 04:48 PM

Hello, theshem.

OK, let's try another tack. First, delete your copy of ComboFix and redownload it. Did it run? If not, try in safe mode.

If that fails, please do this:

You must first verify that you can logon to the Windows Recovery Console.
To do so, you must have the Recovery Console installed or use the Windows XP installation cd.

How to install and use the Windows XP Recovery Console


Next, please download maxlook, saving the file to your desktop.
Double click maxlook.exe to run it. Note - you must run it only once!
As instructed when the tool runs, restart the computer and logon to the Recovery Console.
Execute the following bolded command at the x:\windows> prompt <--- the red x represents your operating system drive letter, usually C

batch look.bat




You will see 1 file copied many times then return to the x:\windows> prompt.
Type Exit to restart your computer then logon in normal mode.
Please run maxlook.exe again now. Note - you must run it only once!
It will produce looklog.txt on the desktop and open it.
Please post the results here.

etavares




#8 theshem

  • Topic Starter
  • Members
  • 12 posts

Posted 21 June 2010 - 12:16 AM

Ran ComboFix in Safe Mode. I didn't already have the recovery console, so it installed it for me. CF discovered rootkit activity and required a reboot. Rebooted. ComboFix resumed operation. Got an error message that said "PEV.cfxxe has encountered a problem and needs to close. We are sorry for the inconvenience." CF as a whole did not quit. Scans complete, files and a folder deleted...rebooting. It is now preparing the log report. I will switch over to that computer and upload the report when it is finished.

Edited by theshem, 21 June 2010 - 12:38 AM.


#9 etavares

  • Bleepin' Remover
  • Malware Response Team
  • 15,514 posts

Posted 21 June 2010 - 05:14 PM

OK, sounds like it made it OK. Try running CF in Step 1 in normal mode...if not, run again in Safe Mode.

Hello, theshem.


Step 1

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
File::
C:\Documents and Settings\tschemme\Local Settings\Application Data\PqC8sw32avv
C:\Documents and Settings\All Users\Application Data\PqC8sw32avv
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000000
Driver::
cdrmkaun


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



Step 2

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

c:\windows\system32\drivers\pibucggd.sys
c:\windows\system32\MpEngineStore\MpKsl300d05b3.sys


Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

etavares


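The CFScript in Step 1 is a small declarative format: a section header such as File::, Registry:: or Driver:: followed by the items it applies to, with the Registry section written in .reg syntax. As an added example (not from this thread or from ComboFix itself), here is a Python parser for that format, which lets a helper or a user review exactly which paths, keys, values and drivers a posted script touches before it is run; the embedded sample is constructed from the values in this post, and handling only dword, quoted-string and "-" (delete) values is my assumption about the format.

```python
import re

# Constructed sample CFScript, built from the values in the post above.
# Note that DisableMonitoring=0 re-enables Security Center monitoring
# that the infection had switched off.
SAMPLE_CFSCRIPT = r"""File::
C:\Documents and Settings\tschemme\Local Settings\Application Data\PqC8sw32avv
C:\Documents and Settings\All Users\Application Data\PqC8sw32avv
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000000
Driver::
cdrmkaun
"""

# "Name::" on a line of its own opens a section.
SECTION_RE = re.compile(r"^([A-Za-z]+)::$")
# Registry lines use .reg syntax: [key] followed by "name"=value lines.
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(dword:[0-9a-fA-F]{8}|"[^"]*"|-)$')


def parse_cfscript(text):
    """Return {"File": [paths], "Driver": [names],
    "Registry": [(key, [(name, value), ...]), ...]}; other sections
    are kept as plain line lists so nothing is silently dropped."""
    sections, current, current_key = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            current_key = None
            continue
        if current is None:
            raise ValueError("line before any section header: %r" % line)
        if current == "Registry":
            km = KEY_RE.match(line)
            if km:
                current_key = (km.group(1), [])
                sections[current].append(current_key)
                continue
            vm = VALUE_RE.match(line)
            if vm and current_key is not None:
                current_key[1].append((vm.group(1), vm.group(2)))
                continue
            raise ValueError("unparsed Registry line: %r" % line)
        sections[current].append(line)
    return sections
```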


#10 theshem

  • Topic Starter
  • Members
  • 12 posts

Posted 21 June 2010 - 09:50 PM

Okay, I reran ComboFix according to the above directions, in safe mode. At the end, I saw that it was deleting three files again. The log is attached. I then moved on to Step 2. I could not locate the two files listed in Step 2 at all.


#11 etavares

  • Bleepin' Remover
  • Malware Response Team
  • 15,514 posts

Posted 23 June 2010 - 05:45 PM

Can you please double-check the contents of C:\combofix.txt? It looks like the log was cut off. Please post that log, or let me know if it is only a few lines like the one you posted.




#12 theshem

  • Topic Starter
  • Members
  • 12 posts

Posted 24 June 2010 - 10:02 PM

It was exactly like the one posted. It was not at C://combofix.txt, though. It was at C://cftheshem/combofix.txt. I've also noted on a couple restarts since running CF that last time that a window briefly pops up, blue background and title bar of ComboFix...like maybe it didn't finish on reboot and is still trying to.

#13 etavares

  • Bleepin' Remover
  • Malware Response Team
  • 15,514 posts

Posted 26 June 2010 - 06:34 AM

Please post an OTL log as before. It could be your antivirus blocking it from running.




#14 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 29 June 2010 - 09:09 PM

Hello there.

I'm Extremeboy (or EB for short) and I will continue to help with your log here.

Etavares has mentioned in his signature that he will be away from the 1st of July to the 11th, so I will take over for him for the time being.

--
Please follow instructions as mentioned in his last post and follow me up with any updates etc... and we will continue from there. If you have any questions etc... feel free to ask.

Thanks.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.


#15 theshem

  • Topic Starter
  • Members
  • 12 posts

Posted 30 June 2010 - 12:21 AM

Thanks EB!

Okay, ran OTL...here is the log it generated.

Attached File  OTL.Txt   133.04KB   2 downloads