Trojan.Agent or not?

Since last evening, I’ve been hit by several Trojans.
Win32/Cryptor
PSW.Generic7.BSO
Downloader.Zlob_r.EX
Constructor.DER

I have been able to remove most of them but there is something still on my system that keeps returning. There is a .DLL file in my Windows root that has a dynamic name every time the infection comes back. It’s currently calling itself ilegarorohugewu.dll. This is related to a registry entry
O4 - HKLM\..\Run: [Rselixudumos] rundll32.exe "C:\WINDOWS\ilegarorohugewu.dll",e
Anyone have a clue what this is and how I can get rid of it.
Malwarebites is the only scanner that sees it but it always comes back after reboot. MB is calling it Trojan.Agent but I can’t find what is loading it back everytime.
I’m still getting an occasional search engine redirect

John

Edited by KoanYorel, 05 April 2009 - 05:51 PM.
Moved from HJT forum

Hello.

Let's see what we can do.

Please update MBAM and run it using a quick-scan.

Post the results once it's done.

With Regards,
Extremeboy

Hello
Here is the log file:

Malwarebytes' Anti-Malware 1.35
Database version: 1943
Windows 5.1.2600 Service Pack 2

4/5/2009 7:14:16 PM
mbam-log-2009-04-05 (19-14-16).txt

Scan type: Quick Scan
Objects scanned: 81660
Time elapsed: 3 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rselixudumos (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\abajunehohi.dll (Trojan.Agent) -> Delete on reboot.

Hello.

Seems MBAM got it. It was told to move on reboot so did you reboot? Failure to reboot will prevent MBAM to remove the infection.

Please reboot now if you haven't already and then update MBAM and this time run a Full Scan please.

Post the log once it's done.

It's getting late so I really need to go to bed now. I'll review it tomorrow.

With Regards,
Extremeboy

I ran the full scan and rebooted and it reloaded itself within 5 minutes. I was watching Process Explorer when rundll32.exe popped up.
Just so you know I’m no novice to removing malware, but I usually do it for other people. I’ve tried everything in my arsenal to remove this thing to no avail.
I’ve run MBAM several times, in normal and safe mode, always with tea timer off.
I’ve come here to ask for help because I am stumped. I will follow your instructions to the letter to get rid of this thing. I can tell you what I have already tried if you want to know.

Thanks,
John

Malwarebytes' Anti-Malware 1.35
Database version: 1943
Windows 5.1.2600 Service Pack 2

4/6/2009 7:00:06 AM
mbam-log-2009-04-06 (07-00-06).txt

Scan type: Full Scan (C:\|)
Objects scanned: 285530
Time elapsed: 1 hour(s), 6 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rselixudumos (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\uqexegeqelu.dll (Trojan.Agent) -> Delete on reboot.

Edited by jkenzie, 06 April 2009 - 09:38 AM.

Hello.

Seems something is causing it to come back.

Please run the following tool.

Download and Run Scan with GMER

We will use GMER to scan for rootkits.

• Download gmer.zip and save to your desktop.
  Alternate Download Site 1
  Alternate Download Site 2
  Alternate Download Site 3
  
• Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.
• When you have done this, disconnect from the Internet and close all running programs.
  There is a small chance this application may crash your computer so save any work you have open.

• Double-click on Gmer.exe to start the program.
• Allow the gmer.sys driver to load if asked.
  If it detects rootkit activity, you will receive a prompt to run a full scan. Click Yes..
• When it's done scanning, you may receive another notice. Click OK if prompted.
• Click on Save ... to save the log on your desktop.
  Save the log as GMER.txt when you save it on your desktop.
• Close Gmer and copy and paste the contents of GMER.txt in your next reply.

• If you receive no notice, click on the Scan button near the bottom.
• It will start scanning again like before.
• When it is done, Click on Save ... to save the log on your desktop.
  Save the log as GMER.txt when you save it on your desktop.
• Close Gmer and copy and paste the contents of GMER.txt in your next reply.If GMER doesn't work in Normal Mode try running it in Safe Mode

Note: Do Not run any program while GMER is running

Important!:Please do not select the Show all checkbox during the scan.

With Regards,
Extremeboy

FYI...I had exactly the same thing and the newest MBAM released 4/6 around 2pm PST fixed it.

GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-04-06 16:30:00
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwCreateKey [0x804D70A4]
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D70A4] ZwCreateKey [0x804D70A4]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwDeleteKey [0x804D70AE]
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D70AE] ZwDeleteKey [0x804D70AE]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwDeleteValueKey [0x804D709F]
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D709F] ZwDeleteValueKey [0x804D709F]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwEnumerateKey [0x804D70B3]
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D70B3] ZwEnumerateKey [0x804D70B3]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwEnumerateValueKey [0x804D70B8]
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D70B8] ZwEnumerateValueKey [0x804D70B8]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwOpenKey [0x804D70C7]
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D70C7] ZwOpenKey [0x804D70C7]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwQueryKey [0x804D70C2]
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D70C2] ZwQueryKey [0x804D70C2]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwQueryValueKey [0x804D70BD]
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D70BD] ZwQueryValueKey [0x804D70BD]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwSetValueKey [0x804D70A9]
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D70A9] ZwSetValueKey [0x804D70A9]

INT 0x03 \WINDOWS\system32\ntkrnlpa.exe[unknown section] 804D70D6

---- Kernel code sections - GMER 1.0.15 ----

? aojIj.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP110.SYS The system cannot find the file specified. !
? System32\kteproc.sys The system cannot find the path specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\Disk \Device\Harddisk0\DR0 aksfridge.sys (Ancillary Function Driver/Aladdin Knowledge Systems Ltd.)

AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

FYI...I had exactly the same thing and the newest MBAM released 4/6 around 2pm PST fixed it.

That seems to have done the trick. A well hidden Vundo.h trojan. Thanks for the heads up it's been a long weekend.
Extremeboy thanks for your help, I will keep you posted if it pops back up.
Just a word of note I seem to have gotten these infections from a what is increasingly becoming a problem. Major websites infected with malicious code.
Here is the MBAM log if anyone is interested.
Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 2

4/6/2009 4:45:22 PM
mbam-log-2009-04-06 (16-45-22).txt

Scan type: Quick Scan
Objects scanned: 79414
Time elapsed: 2 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rselixudumos (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: ipapr70.dll -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\ipapr70.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\iriquhet.dll (Trojan.Agent) -> Delete on reboot.

Hello.

I believe you fixed it then? Do you still need help or any confirmation that you want from me?
MBAM still detects it from that log you gave me though.

I'm currently running a full scan just to verify. It's seems MBAM was able to find the infection after the latest update and deleted the infected files after reboot. So far they have not returned.

Edited by jkenzie, 06 April 2009 - 07:23 PM.

Okay

Thanks for letting me know then. Reply back letting me know once it's done.

With Regards,
Extremeboy