Trojan.Agent & Virtumonde.prx, won't go away



BassKozz
2008-12-03, 08:37
I am working on my cousin's computer, and it is INFECTED with Trojan.Agent & Virtumonde.prx and I can't seem to get it off his computer.

I've scanned the computer multiple times (in both normal-mode and safe-mode) using the latest versions of the following programs:

SpyBot S&D (of course :p: )
Malwarebytes' Anti-Malware
AVG 8.0 Anti-Virus
VundoFix (didn't find anything)
VirtumundoBeGone (also didn't find anything)


Here is a screenshot of the SpyBot S&D results:
http://i4.photobucket.com/albums/y105/basskozz/geeksquad/CK/th_SBSD-scan-Virtumondeprx.jpg (http://i4.photobucket.com/albums/y105/basskozz/geeksquad/CK/SBSD-scan-Virtumondeprx.jpg) <---Click to see larger

And now for the logs:

Malwarebytes' Anti-Malware

Malwarebytes' Anti-Malware 1.30
Database version: 1450
Windows 5.1.2600 Service Pack 2

12/3/2008 2:01:48 AM
mbam-log-2008-12-03 (02-01-26).txt

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 98270
Time elapsed: 8 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lutezibaji (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


VirtumundoBeGone v1.5


[12/03/2008, 0:26:58] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Cheyne\Desktop\VirtumundoBeGone.exe" )
[12/03/2008, 0:27:05] - Detected System Information:
[12/03/2008, 0:27:05] - Windows Version: 5.1.2600, Service Pack 2
[12/03/2008, 0:27:05] - Current Username: Cousin (Admin)
[12/03/2008, 0:27:05] - Windows is in NORMAL mode.
[12/03/2008, 0:27:05] - Searching for Browser Helper Objects:
[12/03/2008, 0:27:05] - BHO 1: {f8a5ef5d-157c-4f30-b303-01ba2970a47d} ()
[12/03/2008, 0:27:05] - WARNING: BHO has no default name. Checking for Winlogon reference.
[12/03/2008, 0:27:05] - Checking for HKLM\...\Winlogon\Notify\welatili
[12/03/2008, 0:27:05] - Key not found: HKLM\...\Winlogon\Notify\welatili, continuing.
[12/03/2008, 0:27:05] - Finished Searching Browser Helper Objects
[12/03/2008, 0:27:05] - Finishing up...
[12/03/2008, 0:27:05] - Nothing found! Exiting...

HijackThis v2.0.2


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:22:06 AM, on 12/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com
O2 - BHO: (no name) - {f8a5ef5d-157c-4f30-b303-01ba2970a47d} - C:\WINDOWS\system32\welatili.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [OpenDNS Update] "C:\Program Files\OpenDNS Updater\OpenDNS Updater.exe"
O4 - HKLM\..\Run: [lutezibaji] Rundll32.exe "C:\WINDOWS\system32\rilihoki.dll",s
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKUS\S-1-5-19\..\Run: [lutezibaji] Rundll32.exe "C:\WINDOWS\system32\rilihoki.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [lutezibaji] Rundll32.exe "C:\WINDOWS\system32\rilihoki.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1671511615-2231150215-3758753009-1008\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler (User 'LogMeInRemoteUser')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{33B0502F-2B59-4CFE-84C7-82CDA9B9BC40}: NameServer = 208.67.222.222,208.67.220.220
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\gujayiwo.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 4181 bytes

:thud:
:bow:Thanks in advance for any/all assistance,:bow:
-BassKozz
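As an added example (not part of the original post and not code from any tool named in it): a small Python triage script that parses a constructed sample of the HijackThis lines quoted above and flags the three persistence patterns visible in that log (an unnamed BHO whose DLL is already gone, Rundll32 Run entries loading random-named DLLs from system32, and a non-empty AppInit_DLLs value), then collects the Run value names so the MBAM hit on lutezibaji can be matched against the O4 entries. The eight-lowercase-letter DLL heuristic is an assumption taken from this log, not a published rule.

```python
import re

# Constructed sample: a few lines copied from the HijackThis log in the post above.
SAMPLE_HJT_LOG = r"""
O2 - BHO: (no name) - {f8a5ef5d-157c-4f30-b303-01ba2970a47d} - C:\WINDOWS\system32\welatili.dll (file missing)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [lutezibaji] Rundll32.exe "C:\WINDOWS\system32\rilihoki.dll",s
O4 - HKUS\S-1-5-19\..\Run: [lutezibaji] Rundll32.exe "C:\WINDOWS\system32\rilihoki.dll",s (User 'LOCAL SERVICE')
O20 - AppInit_DLLs: C:\WINDOWS\system32\gujayiwo.dll
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
"""

# HijackThis entry lines look like "O4 - <body>" or "R1 - <body>".
HJT_LINE = re.compile(r"^(O\d+|R\d) - (.*)$")
# Assumed heuristic: Vundo-style DLL names in this log are eight lowercase letters in system32.
RANDOM_DLL = re.compile(r"\\system32\\([a-z]{8})\.dll", re.IGNORECASE)


def parse_hjt(text):
    """Return a list of (section, body) tuples for every HijackThis entry line."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def flag_entries(entries):
    """Return (section, reason, body) for entries matching the persistence heuristics."""
    flagged = []
    for section, body in entries:
        if section == "O2" and "(no name)" in body and "(file missing)" in body:
            flagged.append((section, "unnamed BHO whose DLL is already gone", body))
        elif section == "O4" and "rundll32" in body.lower() and RANDOM_DLL.search(body):
            flagged.append((section, "Rundll32 autorun loading a random-named system32 DLL", body))
        elif section == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
            flagged.append((section, "non-empty AppInit_DLLs (loaded into every user32 process)", body))
    return flagged


def run_value_names(entries):
    """Collect the [name] of each O4 Run entry so scanner hits can be matched against the log."""
    names = set()
    for section, body in entries:
        if section == "O4":
            m = re.search(r"\[([^\]]+)\]", body)
            if m:
                names.add(m.group(1))
    return names
```

Running `flag_entries(parse_hjt(SAMPLE_HJT_LOG))` on the sample flags the O2, both O4 lutezibaji lines and the O20 entry, while the AVG tray and LogMeIn entries pass through untouched.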

BassKozz
2008-12-03, 08:47
Update:

AVG 8.0 LOG:

AVG 8.0 Anti-Virus command line scanner
Copyright (c) 1992 - 2008 AVG Technologies
Program version 8.0.145, engine 8.0.0
Virus Database: Version 270.9.13/1825 2008-12-02

C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Locked file. Not tested.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Locked file. Not tested.
C:\Documents and Settings\Administrator\NTUSER.DAT Locked file. Not tested.
C:\Documents and Settings\Administrator\ntuser.dat.LOG Locked file. Not tested.
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Locked file. Not tested.
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Locked file. Not tested.
C:\Documents and Settings\LocalService\NTUSER.DAT Locked file. Not tested.
C:\Documents and Settings\LocalService\ntuser.dat.LOG Locked file. Not tested.
C:\Documents and Settings\LogMeInRemoteUser\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Locked file. Not tested.
C:\Documents and Settings\LogMeInRemoteUser\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Locked file. Not tested.
C:\Documents and Settings\LogMeInRemoteUser\NTUSER.DAT Locked file. Not tested.
C:\Documents and Settings\LogMeInRemoteUser\ntuser.dat.LOG Locked file. Not tested.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Locked file. Not tested.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Locked file. Not tested.
C:\Documents and Settings\NetworkService\NTUSER.DAT Locked file. Not tested.
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Locked file. Not tested.
C:\pagefile.sys Locked file. Not tested.
C:\System Volume Information\ Locked file. Not tested.
C:\WINDOWS\system32\busulupa.dll.tmp Trojan horse SHeur2.BNC Object was moved to Virus Vault.
C:\WINDOWS\system32\config\DEFAULT Locked file. Not tested.
C:\WINDOWS\system32\config\default.LOG Locked file. Not tested.
C:\WINDOWS\system32\config\SAM Locked file. Not tested.
C:\WINDOWS\system32\config\SAM.LOG Locked file. Not tested.
C:\WINDOWS\system32\config\SECURITY Locked file. Not tested.
C:\WINDOWS\system32\config\SECURITY.LOG Locked file. Not tested.
C:\WINDOWS\system32\config\SOFTWARE Locked file. Not tested.
C:\WINDOWS\system32\config\software.LOG Locked file. Not tested.
C:\WINDOWS\system32\config\SYSTEM Locked file. Not tested.
C:\WINDOWS\system32\config\system.LOG Locked file. Not tested.
C:\WINDOWS\system32\gepimana.dll.tmp Trojan horse SHeur2.BNC Object was moved to Virus Vault.
C:\WINDOWS\system32\lenokome.dll.tmp Trojan horse SHeur2.BNC Object was moved to Virus Vault.

------------------------------------------------------------
Objects scanned : 374488
Found infections : 3
Found PUPs : 0
Healed infections : 3
Healed PUPs : 0
Warnings : 0
------------------------------------------------------------