
Thread: Trojan.Agent & Virtumonde.prx, won't go away

  1. #1 (Junior Member, joined Jul 2008, 3 posts)

    Trojan.Agent & Virtumonde.prx, won't go away

    I am working on my cousin's computer, and it is INFECTED with Trojan.Agent & Virtumonde.prx and I can't seem to get it off his computer.

    I've scanned the computer multiple times (in both normal-mode and safe-mode) using the latest versions of the following programs:
    1. SpyBot S&D (of course)
    2. Malwarebytes' Anti-Malware
    3. AVG 8.0 Anti-Virus
    4. VundoFix (didn't find anything)
    5. VirtumundoBeGone (also didn't find anything)


    Here is a screenshot of SpyBot S&D results:

    And now for the logs:

    Malwarebytes' Anti-Malware
    Code:
    Malwarebytes' Anti-Malware 1.30
    Database version: 1450
    Windows 5.1.2600 Service Pack 2
    
    12/3/2008 2:01:48 AM
    mbam-log-2008-12-03 (02-01-26).txt
    
    Scan type: Full Scan (C:\|E:\|)
    Objects scanned: 98270
    Time elapsed: 8 minute(s), 25 second(s)
    
    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0
    
    Memory Processes Infected:
    (No malicious items detected)
    
    Memory Modules Infected:
    (No malicious items detected)
    
    Registry Keys Infected:
    (No malicious items detected)
    
    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lutezibaji (Trojan.Agent) -> No action taken.
    
    Registry Data Items Infected:
    (No malicious items detected)
    
    Folders Infected:
    (No malicious items detected)
    
    Files Infected:
    (No malicious items detected)

    VirtumundoBeGone v1.5
    Code:
    [12/03/2008, 0:26:58] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Cheyne\Desktop\VirtumundoBeGone.exe" )
    [12/03/2008, 0:27:05] - Detected System Information:
    [12/03/2008, 0:27:05] -  Windows Version: 5.1.2600, Service Pack 2
    [12/03/2008, 0:27:05] -  Current Username: Cousin (Admin)
    [12/03/2008, 0:27:05] -  Windows is in NORMAL mode.
    [12/03/2008, 0:27:05] - Searching for Browser Helper Objects:
    [12/03/2008, 0:27:05] -  BHO 1: {f8a5ef5d-157c-4f30-b303-01ba2970a47d} ()
    [12/03/2008, 0:27:05] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [12/03/2008, 0:27:05] -  Checking for HKLM\...\Winlogon\Notify\welatili
    [12/03/2008, 0:27:05] -  Key not found: HKLM\...\Winlogon\Notify\welatili, continuing.
    [12/03/2008, 0:27:05] - Finished Searching Browser Helper Objects
    [12/03/2008, 0:27:05] - Finishing up...
    [12/03/2008, 0:27:05] - Nothing found! Exiting...

    HijackThis v2.0.2
    Code:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:22:06 AM, on 12/3/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Safe mode with network support
    
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\Program Files\LogMeIn\x86\LMIGuardian.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\Program Files\LogMeIn\x86\LMIGuardian.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com
    O2 - BHO: (no name) - {f8a5ef5d-157c-4f30-b303-01ba2970a47d} - C:\WINDOWS\system32\welatili.dll (file missing)
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
    O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
    O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [OpenDNS Update] "C:\Program Files\OpenDNS Updater\OpenDNS Updater.exe"
    O4 - HKLM\..\Run: [lutezibaji] Rundll32.exe "C:\WINDOWS\system32\rilihoki.dll",s
    O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
    O4 - HKUS\S-1-5-19\..\Run: [lutezibaji] Rundll32.exe "C:\WINDOWS\system32\rilihoki.dll",s (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [lutezibaji] Rundll32.exe "C:\WINDOWS\system32\rilihoki.dll",s (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-21-1671511615-2231150215-3758753009-1008\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler (User 'LogMeInRemoteUser')
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{33B0502F-2B59-4CFE-84C7-82CDA9B9BC40}: NameServer = 208.67.222.222,208.67.220.220
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - AppInit_DLLs: C:\WINDOWS\system32\gujayiwo.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
    O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    
    --
    End of file - 4181 bytes

    Thanks in advance for any/all assistance,
    -BassKozz

  2. #2 (Junior Member, joined Jul 2008, 3 posts)

    Forgot to add AVG log

    Update:

    AVG 8.0 LOG:

    Code:
    AVG 8.0 Anti-Virus command line scanner
    Copyright (c) 1992 - 2008 AVG Technologies
    Program version 8.0.145, engine 8.0.0
    Virus Database: Version 270.9.13/1825  2008-12-02
    
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Locked file. Not tested. 
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Locked file. Not tested. 
    C:\Documents and Settings\Administrator\NTUSER.DAT Locked file. Not tested. 
    C:\Documents and Settings\Administrator\ntuser.dat.LOG Locked file. Not tested. 
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Locked file. Not tested. 
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Locked file. Not tested. 
    C:\Documents and Settings\LocalService\NTUSER.DAT Locked file. Not tested. 
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Locked file. Not tested. 
    C:\Documents and Settings\LogMeInRemoteUser\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Locked file. Not tested. 
    C:\Documents and Settings\LogMeInRemoteUser\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Locked file. Not tested. 
    C:\Documents and Settings\LogMeInRemoteUser\NTUSER.DAT Locked file. Not tested. 
    C:\Documents and Settings\LogMeInRemoteUser\ntuser.dat.LOG Locked file. Not tested. 
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Locked file. Not tested. 
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Locked file. Not tested. 
    C:\Documents and Settings\NetworkService\NTUSER.DAT Locked file. Not tested. 
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Locked file. Not tested. 
    C:\pagefile.sys Locked file. Not tested. 
    C:\System Volume Information\ Locked file. Not tested. 
    C:\WINDOWS\system32\busulupa.dll.tmp Trojan horse SHeur2.BNC Object was moved to Virus Vault.
    C:\WINDOWS\system32\config\DEFAULT Locked file. Not tested. 
    C:\WINDOWS\system32\config\default.LOG Locked file. Not tested. 
    C:\WINDOWS\system32\config\SAM Locked file. Not tested. 
    C:\WINDOWS\system32\config\SAM.LOG Locked file. Not tested. 
    C:\WINDOWS\system32\config\SECURITY Locked file. Not tested. 
    C:\WINDOWS\system32\config\SECURITY.LOG Locked file. Not tested. 
    C:\WINDOWS\system32\config\SOFTWARE Locked file. Not tested. 
    C:\WINDOWS\system32\config\software.LOG Locked file. Not tested. 
    C:\WINDOWS\system32\config\SYSTEM Locked file. Not tested. 
    C:\WINDOWS\system32\config\system.LOG Locked file. Not tested. 
    C:\WINDOWS\system32\gepimana.dll.tmp Trojan horse SHeur2.BNC Object was moved to Virus Vault.
    C:\WINDOWS\system32\lenokome.dll.tmp Trojan horse SHeur2.BNC Object was moved to Virus Vault.
    
    ------------------------------------------------------------
    Objects scanned     : 374488
    Found infections    :    3
    Found PUPs          :    0
    Healed infections   :    3
    Healed PUPs         :    0
    Warnings            :    0
    ------------------------------------------------------------
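Added example, not part of the thread and not code from SpyBot, Malwarebytes, AVG, HijackThis or VundoFix: a small Python triage script that reads excerpts of the HijackThis log from post #1 and the AVG log from post #2 (the log lines are copied from the posts above, not constructed) and does the cross-check a responder would do by hand. It flags the three persistence patterns visible in the HijackThis log (a Run value that starts a DLL through rundll32, an AppInit_DLLs entry, and a BHO whose DLL is missing), verifies that AVG's footer counts match its per-file detection lines, and then lists the DLLs those start-up entries point at that never appear in AVG's detections. The function names, regexes and the `.tmp`-suffix matching are this example's own assumptions about the two log formats, tuned to the lines shown here.

```python
import re

# Excerpt of the HijackThis log posted in #1 above (page data, trimmed to the
# lines relevant to start-up persistence; nothing here is constructed).
HJT_LOG = r'''
O2 - BHO: (no name) - {f8a5ef5d-157c-4f30-b303-01ba2970a47d} - C:\WINDOWS\system32\welatili.dll (file missing)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [lutezibaji] Rundll32.exe "C:\WINDOWS\system32\rilihoki.dll",s
O4 - HKUS\S-1-5-19\..\Run: [lutezibaji] Rundll32.exe "C:\WINDOWS\system32\rilihoki.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [lutezibaji] Rundll32.exe "C:\WINDOWS\system32\rilihoki.dll",s (User 'NETWORK SERVICE')
O20 - AppInit_DLLs: C:\WINDOWS\system32\gujayiwo.dll
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
'''

# Excerpt of the AVG 8.0 command-line log posted in #2 above (page data, trimmed).
AVG_LOG = r'''
C:\Documents and Settings\Administrator\NTUSER.DAT Locked file. Not tested.
C:\pagefile.sys Locked file. Not tested.
C:\System Volume Information\ Locked file. Not tested.
C:\WINDOWS\system32\busulupa.dll.tmp Trojan horse SHeur2.BNC Object was moved to Virus Vault.
C:\WINDOWS\system32\config\SAM Locked file. Not tested.
C:\WINDOWS\system32\gepimana.dll.tmp Trojan horse SHeur2.BNC Object was moved to Virus Vault.
C:\WINDOWS\system32\lenokome.dll.tmp Trojan horse SHeur2.BNC Object was moved to Virus Vault.
------------------------------------------------------------
Objects scanned     : 374488
Found infections    :    3
Healed infections   :    3
'''

# Format assumptions (this example's own, derived from the lines above).
HJT_LINE = re.compile(r'^(O\d+|R\d)\s+-\s+(.*)$')
DLL_PATH = re.compile(r'([A-Za-z]:\\.*?\.dll)\b', re.IGNORECASE)
RUNDLL_LOADER = re.compile(r'rundll32(?:\.exe)?\s+"?[^"]*\.dll"?,', re.IGNORECASE)
AVG_DETECT = re.compile(r'^(.+?)\s+(\S.*?)\s+Object was moved to Virus Vault\.$')
AVG_SUMMARY = re.compile(r'^(Objects scanned|Found infections|Healed infections)\s*:\s*(\d+)$')
AVG_LOCKED = "Locked file. Not tested."


def parse_hjt(log):
    """Split a HijackThis log into (section, body, [dll paths]) records."""
    entries = []
    for line in log.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            section, body = m.groups()
            entries.append((section, body, [d.lower() for d in DLL_PATH.findall(body)]))
    return entries


def triage(entries):
    """Flag the persistence patterns a responder checks first; returns (reason, body)."""
    findings = []
    for section, body, _dlls in entries:
        if section == "O2" and "(file missing)" in body:
            findings.append(("orphaned BHO registration (DLL gone, CLSID still registered)", body))
        elif section == "O4" and RUNDLL_LOADER.search(body):
            findings.append(("Run value starts a DLL through rundll32", body))
        elif section == "O20":
            findings.append(("AppInit_DLLs loads this DLL into every process that links user32", body))
    return findings


def parse_avg(log):
    """Return (detections, locked_paths, summary_counts) from an AVG 8 CLI log."""
    detections, locked, summary = [], [], {}
    for raw in log.splitlines():
        line = raw.strip()
        if line.endswith(AVG_LOCKED):          # registry hives, pagefile: never scanned
            locked.append(line[:-len(AVG_LOCKED)].strip())
            continue
        m = AVG_DETECT.match(line)
        if m:
            detections.append((m.group(1), m.group(2)))   # (path, verdict)
            continue
        m = AVG_SUMMARY.match(line)
        if m:
            summary[m.group(1)] = int(m.group(2))
    return detections, locked, summary


def summary_consistent(log):
    """Cross-check: the counts in AVG's footer match the per-file lines above it."""
    detections, _locked, summary = parse_avg(log)
    return summary.get("Found infections") == len(detections) == summary.get("Healed infections")


def still_referenced(findings, detections):
    """DLLs named by suspicious start-up entries that AVG did not quarantine.
    AVG vaulted *.dll.tmp copies, so each vaulted path is also credited with
    the same name minus the .tmp suffix before comparing."""
    vaulted = {path.lower() for path, _verdict in detections}
    vaulted |= {p[:-4] for p in vaulted if p.endswith(".tmp")}
    referenced = set()
    for _reason, body in findings:
        if "(file missing)" in body:
            continue                            # nothing on disk left to load
        referenced.update(d.lower() for d in DLL_PATH.findall(body))
    return sorted(referenced - vaulted)


if __name__ == "__main__":
    findings = triage(parse_hjt(HJT_LOG))
    for reason, body in findings:
        print(f"[{reason}] {body}")
    detections, locked, summary = parse_avg(AVG_LOG)
    print("AVG footer matches detections:", summary_consistent(AVG_LOG))
    print("Files AVG could not open:", len(locked))
    print("Referenced loaders AVG never touched:", still_referenced(findings, detections))
```

Run as-is, the script reports that AVG's three healed items are all `.dll.tmp` copies, while the DLLs the Run value and AppInit_DLLs entry actually name (rilihoki.dll and gujayiwo.dll) are absent from AVG's detections. That gap between what the scanners removed and what the start-up entries still reference is the first thing to reconcile when a cleanup keeps coming back; it also shows why the locked hives and pagefile listed as "Not tested" matter when judging what a normal-mode scan has and has not covered.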
