INFECTED Trojan.Agent & Virtumonde.prx


I am working on my cousin's computer, and it is INFECTED with Trojan.Agent & Virtumonde.prx and I can't seem to get it off his computer.

I've scanned the computer multiple times (in both normal-mode and safe-mode) using the latest versions of the following programs:

  1. SpyBot S&D
  2. Malwarebytes' Anti-Malware (of course :huh: )
  3. AVG 8.0 Anti-Virus
  4. VundoFix (didn't find anything)
  5. VirtumundoBeGone (also didn't find anything)

Here is a screenshot of SpyBotS&D results:

[Screenshot: th_SBSD-scan-Virtumondeprx.jpg]

And now for the logs:

Malwarebytes' Anti-Malware

Malwarebytes' Anti-Malware 1.30
Database version: 1450
Windows 5.1.2600 Service Pack 2

12/3/2008 2:01:48 AM
mbam-log-2008-12-03 (02-01-26).txt

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 98270
Time elapsed: 8 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lutezibaji (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

VirtumundoBeGone v1.5

[12/03/2008, 0:26:58] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Cheyne\Desktop\VirtumundoBeGone.exe" )
[12/03/2008, 0:27:05] - Detected System Information:
[12/03/2008, 0:27:05] -  Windows Version: 5.1.2600, Service Pack 2
[12/03/2008, 0:27:05] -  Current Username: Cousin (Admin)
[12/03/2008, 0:27:05] -  Windows is in NORMAL mode.
[12/03/2008, 0:27:05] - Searching for Browser Helper Objects:
[12/03/2008, 0:27:05] -  BHO 1: {f8a5ef5d-157c-4f30-b303-01ba2970a47d} ()
[12/03/2008, 0:27:05] - WARNING: BHO has no default name. Checking for Winlogon reference.
[12/03/2008, 0:27:05] -  Checking for HKLM\...\Winlogon\Notify\welatili
[12/03/2008, 0:27:05] -  Key not found: HKLM\...\Winlogon\Notify\welatili, continuing.
[12/03/2008, 0:27:05] - Finished Searching Browser Helper Objects
[12/03/2008, 0:27:05] - Finishing up...
[12/03/2008, 0:27:05] - Nothing found! Exiting...

HijackThis v2.0.2

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:22:06 AM, on 12/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com
O2 - BHO: (no name) - {f8a5ef5d-157c-4f30-b303-01ba2970a47d} - C:\WINDOWS\system32\welatili.dll (file missing)
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [OpenDNS Update] "C:\Program Files\OpenDNS Updater\OpenDNS Updater.exe"
O4 - HKLM\..\Run: [lutezibaji] Rundll32.exe "C:\WINDOWS\system32\rilihoki.dll",s
O4 - HKCU\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKUS\S-1-5-19\..\Run: [lutezibaji] Rundll32.exe "C:\WINDOWS\system32\rilihoki.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [lutezibaji] Rundll32.exe "C:\WINDOWS\system32\rilihoki.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1671511615-2231150215-3758753009-1008\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler (User 'LogMeInRemoteUser')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{33B0502F-2B59-4CFE-84C7-82CDA9B9BC40}: NameServer = 208.67.222.222,208.67.220.220
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\gujayiwo.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 4181 bytes

Thanks in advance for any/all assistance,

-BassKozz

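The HijackThis log in the post above carries the tell-tale Virtumonde pattern: Run values that launch a DLL with a pronounceable random name through rundll32, the same value copied into the LOCAL SERVICE and NETWORK SERVICE hives, an AppInit_DLLs entry pointing at another such DLL, and an unnamed BHO whose file is already gone. The script below is an added example, not something the poster or the helper wrote, that turns those observations into a small triage check over HijackThis-style lines. The consonant-vowel naming heuristic and the list of expected DNS resolvers are assumptions made for this example; the sample lines are copied from the log above, one entry per line.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample: lines copied verbatim from the HijackThis log in the post,
# one entry per line, mixing the suspicious entries with known-good ones for contrast.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {f8a5ef5d-157c-4f30-b303-01ba2970a47d} - C:\WINDOWS\system32\welatili.dll (file missing)
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [lutezibaji] Rundll32.exe "C:\WINDOWS\system32\rilihoki.dll",s
O4 - HKUS\S-1-5-19\..\Run: [lutezibaji] Rundll32.exe "C:\WINDOWS\system32\rilihoki.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [lutezibaji] Rundll32.exe "C:\WINDOWS\system32\rilihoki.dll",s (User 'NETWORK SERVICE')
O17 - HKLM\System\CCS\Services\Tcpip\..\{33B0502F-2B59-4CFE-84C7-82CDA9B9BC40}: NameServer = 208.67.222.222,208.67.220.220
O20 - AppInit_DLLs: C:\WINDOWS\system32\gujayiwo.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

# Heuristic (an assumption for this example, not a published signature): Vundo/Virtumonde-era
# droppers named their DLLs with pronounceable consonant-vowel strings such as rilihoki or
# gujayiwo. Three to six CV pairs and nothing else is a strong hint the name was generated.
CV_NAME = re.compile(r"^(?:[bcdfghjklmnpqrstvwxyz][aeiou]){3,6}$")
SYS32_DLL = re.compile(r"system32\\([A-Za-z0-9_]+)\.dll", re.IGNORECASE)
RUNDLL = re.compile(r"\brundll32(?:\.exe)?\b", re.IGNORECASE)
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

# Assumption: the resolvers this machine is expected to use. The log shows the OpenDNS
# Updater installed, so the two OpenDNS addresses from the O17 line are treated as expected.
EXPECTED_RESOLVERS = {"208.67.222.222", "208.67.220.220"}


def looks_generated(name: str) -> bool:
    """True if a file or value name fits the consonant-vowel pattern above."""
    return CV_NAME.match(name.lower()) is not None


def flag_entry(line: str) -> Optional[str]:
    """Return a reason if a single HijackThis entry deserves a closer look, else None."""
    line = line.strip()
    if not line:
        return None
    kind = line.split(" - ", 1)[0]          # "O2", "O4", "O17", "O20", ...
    m = SYS32_DLL.search(line)
    dll = m.group(1) if m else None

    if kind == "O20":
        # AppInit_DLLs is loaded into every process that loads user32.dll. A home PC almost
        # never has a legitimate value here; a generated-looking name makes it near-certain.
        suffix = " with generated-looking name" if dll and looks_generated(dll) else ""
        return "AppInit_DLLs injection" + suffix

    if kind == "O2" and "(no name)" in line and "(file missing)" in line:
        # A BHO registered without a name whose DLL is already gone: the CLSID is orphaned
        # but stays registered, so it is worth removing along with the rest.
        return "unnamed BHO pointing at a missing DLL"

    if kind == "O4" and dll and RUNDLL.search(line) and looks_generated(dll):
        reason = "Run value launches a generated-looking DLL through rundll32"
        if "HKUS\\S-1-5-19" in line or "HKUS\\S-1-5-20" in line:
            # LOCAL SERVICE / NETWORK SERVICE never log on interactively; a Run value in
            # their hives is the malware copying itself, not a user setting.
            reason += " (copied into a service-account hive)"
        return reason

    if kind == "O17":
        # DNS hijack check: any resolver not on the expected list is reported.
        unknown = sorted(set(IPV4.findall(line)) - EXPECTED_RESOLVERS)
        if unknown:
            return "NameServer points at unexpected resolver(s): " + ", ".join(unknown)

    return None


def flag_log(text: str) -> List[Tuple[str, str]]:
    """Run flag_entry over every line; return (entry, reason) pairs in log order."""
    hits = []
    for raw in text.splitlines():
        reason = flag_entry(raw)
        if reason:
            hits.append((raw.strip(), reason))
    return hits


if __name__ == "__main__":
    for entry, why in flag_log(SAMPLE_LOG):
        print(f"{why}\n    {entry}")
```

Run against the sample it reports five entries: the orphaned BHO, the three lutezibaji Run values (two of them marked as service-account copies) and the AppInit_DLLs line, while the Java, AVG and O23 service entries pass. The name heuristic is deliberately narrow so that legitimate names such as avgtray or jusched never match; it is a triage aid for reading a log, not a substitute for the cleanup tools the helper asks for.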

Update:

AVG 8.0 LOG:

AVG 8.0 Anti-Virus command line scanner
Copyright © 1992 - 2008 AVG Technologies
Program version 8.0.145, engine 8.0.0
Virus Database: Version 270.9.13/1825  2008-12-02

C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat  Locked file. Not tested.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG  Locked file. Not tested.
C:\Documents and Settings\Administrator\NTUSER.DAT  Locked file. Not tested.
C:\Documents and Settings\Administrator\ntuser.dat.LOG  Locked file. Not tested.
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat  Locked file. Not tested.
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG  Locked file. Not tested.
C:\Documents and Settings\LocalService\NTUSER.DAT  Locked file. Not tested.
C:\Documents and Settings\LocalService\ntuser.dat.LOG  Locked file. Not tested.
C:\Documents and Settings\LogMeInRemoteUser\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat  Locked file. Not tested.
C:\Documents and Settings\LogMeInRemoteUser\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG  Locked file. Not tested.
C:\Documents and Settings\LogMeInRemoteUser\NTUSER.DAT  Locked file. Not tested.
C:\Documents and Settings\LogMeInRemoteUser\ntuser.dat.LOG  Locked file. Not tested.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat  Locked file. Not tested.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG  Locked file. Not tested.
C:\Documents and Settings\NetworkService\NTUSER.DAT  Locked file. Not tested.
C:\Documents and Settings\NetworkService\ntuser.dat.LOG  Locked file. Not tested.
C:\pagefile.sys  Locked file. Not tested.
C:\System Volume Information\  Locked file. Not tested.
C:\WINDOWS\system32\busulupa.dll.tmp  Trojan horse SHeur2.BNC  Object was moved to Virus Vault.
C:\WINDOWS\system32\config\DEFAULT  Locked file. Not tested.
C:\WINDOWS\system32\config\default.LOG  Locked file. Not tested.
C:\WINDOWS\system32\config\SAM  Locked file. Not tested.
C:\WINDOWS\system32\config\SAM.LOG  Locked file. Not tested.
C:\WINDOWS\system32\config\SECURITY  Locked file. Not tested.
C:\WINDOWS\system32\config\SECURITY.LOG  Locked file. Not tested.
C:\WINDOWS\system32\config\SOFTWARE  Locked file. Not tested.
C:\WINDOWS\system32\config\software.LOG  Locked file. Not tested.
C:\WINDOWS\system32\config\SYSTEM  Locked file. Not tested.
C:\WINDOWS\system32\config\system.LOG  Locked file. Not tested.
C:\WINDOWS\system32\gepimana.dll.tmp  Trojan horse SHeur2.BNC  Object was moved to Virus Vault.
C:\WINDOWS\system32\lenokome.dll.tmp  Trojan horse SHeur2.BNC  Object was moved to Virus Vault.

------------------------------------------------------------
Objects scanned   : 374488
Found infections  : 3
Found PUPs        : 0
Healed infections : 3
Healed PUPs       : 0
Warnings          : 0
------------------------------------------------------------

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.

Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:

  1. Please Read All Instructions Carefully

  2. If you don't understand something, stop and ask! Don't keep going on.

  3. Please do not run any other tools or scans whilst I am helping you

  4. Please continue to respond until I give you the "All Clear"

    (Just because you can't see a problem doesn't mean it isn't there)

If you can do those few things, everything should go smoothly

Please Note, your security programs may give warnings for some of the tools I will ask you to use.

Be assured, any links I give are safe

----------------------------------------------------------------------------------------

I apologize for the delay in responding, but as you can probably see the forums are quite busy.

Unfortunately there are far more people needing help than there are helpers.

If you still require help please do the following

Download and Run RSIT

  • Please download Random's System Information Tool by random/random from here and save it to your desktop.

  • Double click on RSIT.exe to run RSIT.

  • Click Continue at the disclaimer screen.

  • Once it has finished, two logs will open:

    • log.txt will be opened maximized.

    • info.txt will be opened minimized.

  • Please post the contents of both log.txt and info.txt.
