Trojan.Agent/Gen-Nullo and Rootkit.ITGRDEngine removed, still have problems

I recently removed these two infections using SuperAntiSpyware. My computer is still acting odd, including some services (DHCP, Wireless Zero Config and Themes) not starting automatically as they are set to do. Those two scans are attached.

I have also already run OTL and those logs are attached also.

I was running GMER but I started getting a bunch of errors including delayed write errors, a blue screen flashed up (all of this happened very quickly) and then my system rebooted. I noticed in another post that you had the user uncheck IAT/EAT, Drives/Partitions other than SystemDrive and Show All, but I had not done that.

I should also add that new tabs are being spawned in Firefox without me clicking on anything. Clearly I am still infected by something.

Thank you for your assistance.

Tim

Edited by theshem, 12 June 2010 - 02:50 PM.

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting.

We need to create an OTL report,

• Please download OTL from this link.
• Save it to your desktop.
• Double click on the icon on your desktop.
• Click the "Scan All Users" checkbox.
• Under the Custom Scan box paste this in:
  
  netsvcs
  msconfig
  activex
  drivers32
  %systemroot%\system32\*.dll /lockedfiles
  %systemroot%\Tasks\*.job /lockedfiles
  %SYSTEMDRIVE%\*.exe
  /md5start
  eventlog.dll
  scecli.dll
  netlogon.dll
  cngaudit.dll
  sceclt.dll
  ntelogon.dll
  logevent.dll
  iaStor.sys
  nvstor.sys
  atapi.sys
  IdeChnDr.sys
  viasraid.sys
  AGP440.sys
  vaxscsi.sys
  nvatabus.sys
  viamraid.sys
  nvata.sys
  nvgts.sys
  iastorv.sys
  ViPrt.sys
  eNetHook.dll
  ahcix86.sys
  KR10N.sys
  nvstor32
  ahcix86s.sys
  nvrd32.sys
  /md5stop
  %systemroot%\*. /mp /s
  CREATERESTOREPOINT
  
  
• Click the Quick Scan button.
• The scan should take a few minutes.
• Please copy and paste both logs in your reply.

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new OTL log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log

In your reply, please post both OTL logs and the GMER log.

Since you're having issues with GMER< please try GMER in safe mode. If that doesn't work, try in safe mode, but uncheck 'devices'. If all else fails, try in safe mode and only check 'files' and 'sections'

Thanks for your reply.

Okay, the problems I am still having include general slowness of the computer, including startup, services not starting at boot time (including DHCP, Themes and Wireless Zero Config...I'm sure there are others I'm not aware of), some browser (Firefox) search redirects, and new tabs opening up on their own claiming to be search results or "you are a winner!!"

I ran OTL, but it only generated one log this time, which is attached.

I was able to finally run GMER in safe mode, and that log is attached as well.

I currently have CA Security Suite running full time, including the firewall.

Edited by theshem, 17 June 2010 - 03:59 PM.

Hello, theshem.
Backdoor Warning
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you do decide to proceed, please continue with the fix below.









Next, please download ComboFix from one of these locations:

• Bleepingcomputer
  
• ForoSpyware

* IMPORTANT !!! Save ComboFix.exe to your Desktop as theshemCF.exe

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  
• Double click on theshemCF.exe & follow the prompts.
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply, along with any symptoms that are present after it runs.

etavares

Thank you. That's what I feared. I will still go ahead and clean the computer, and schedule with our tech support to do a full restore to original condition.

I will post my log as soon as I'm done with the ComboFix.

When I try to run theshemCF.exe, I get the following error message:

"Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."

The title portion of the error message window says:

"32788R22FWJFW\n.pif"

Hello, theshem.

OK, let's try another tack. First, delete your copy of combofix and redownload it. Did it run? IF not try in safe mode.

If that fails, please do this:

You must first verify that you can logon to the Windows Recovery Console.
To do so, you must have the Recovery Console installed or use the Windows XP installation cd.

How to install and use the Windows XP Recovery Console


Next, please download maxlook, saving the file to your desktop.
Double click maxlook.exe to run it. Note - you must run it only once!
As instructed when the tool runs, restart the computer and logon to the Recovery Console.
Execute the following bolded command at the x:\windows> prompt <--- the red x represents your operating system drive letter, usually C

batch look.bat




You will see 1 file copied many times then return to the x:\windows> prompt.
Type Exit to restart your computer then logon in normal mode.
Please run maxlook.exe again now. Note - you must run it only once!
It will produce looklog.txt on the desktop and open it.
Please post the results here.

etavares

Ran ComboFix in Safe Mode. I didn't already have the recovery console, so it installed it for me. CF discovered rootkit activity and required a reboot. Rebooted. ComboFix resumed operation. Got an error message that said "PEV.cfxxe has encountered a problem and needs to close. We are sorry for the inconvenience." CF as a whole did not quit. Scans complete, files and a folder deleted...rebooting. It is now preparing the log report. I will switch over to that computer and upload the report when it is finished.

Edited by theshem, 21 June 2010 - 12:38 AM.

OK, sounds like it made it OK. Try running CF in Step 1 in normal mode...if not, run again in Safe Mode.

Hello, theshem.


Step 1

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:



Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



Step 2

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

c:\windows\system32\drivers\pibucggd.sys
c:\windows\system32\MpEngineStore\MpKsl300d05b3.sys

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

etavares

Okay, I reran ComboFix according to the above directions, in safe mode. At the end, I saw that it was deleting three files again. The log is attached. I then moved on to Step 2. I could not locate the two files listed in Step 2 at all.

can you please double-check the contents of C:\combofix.txt? It looks like the log was cut off. Please post that log, or let me know if it is only a few lines like the one you posted.

It was exactly like the one posted. It was not at C://combofix.txt, though. It was at C://cftheshem/combofix.txt. I've also noted on a couple restarts since running CF that last time that a window briefly pops up, blue background and title bar of ComboFix...like maybe it didn't finish on reboot and is still trying to.

Please post an OTL log as before. It could be your antivirus blocking it from running.

Hello there.

I'm Extremeboy (or EB for short) and I will continue to help your log here.

Etavares as mentioned in his Signature that he will be away from the 1st of July to the 11th and so I will help him take over for the time being.

--
Please follow instructions as mentioned in his last post and follow me up with any updates etc... and we will continue from there. If you have any questions etc... feel free to ask.

Thanks.

With Regards,
Extremeboy

Thanks EB!

Okay, ran OTL...here is the log it generated.

 OTL.Txt   133.04KB   2 downloads