Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trojan.Agent or not?


  • Please log in to reply
11 replies to this topic

#1 jkenzie

jkenzie

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:09:09 PM

Posted 05 April 2009 - 05:32 PM

Since last evening, I’ve been hit by several Trojans.
Win32/Cryptor
PSW.Generic7.BSO
Downloader.Zlob_r.EX
Constructor.DER

I have been able to remove most of them but there is something still on my system that keeps returning. There is a .DLL file in my Windows root that has a dynamic name every time the infection comes back. It’s currently calling itself ilegarorohugewu.dll. This is related to a registry entry
O4 - HKLM\..\Run: [Rselixudumos] rundll32.exe "C:\WINDOWS\ilegarorohugewu.dll",e
Anyone have a clue what this is and how I can get rid of it.
Malwarebites is the only scanner that sees it but it always comes back after reboot. MB is calling it Trojan.Agent but I can’t find what is loading it back everytime.
I’m still getting an occasional search engine redirect

John

Edited by KoanYorel, 05 April 2009 - 05:51 PM.
Moved from HJT forum


BC AdBot (Login to Remove)

 


#2 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:09 PM

Posted 05 April 2009 - 08:13 PM

Hello.

Let's see what we can do.

Please update MBAM and run it using a quick-scan.

Post the results once it's done.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 jkenzie

jkenzie
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:09:09 PM

Posted 05 April 2009 - 09:15 PM

Hello
Here is the log file:

Malwarebytes' Anti-Malware 1.35
Database version: 1943
Windows 5.1.2600 Service Pack 2

4/5/2009 7:14:16 PM
mbam-log-2009-04-05 (19-14-16).txt

Scan type: Quick Scan
Objects scanned: 81660
Time elapsed: 3 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rselixudumos (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\abajunehohi.dll (Trojan.Agent) -> Delete on reboot.

#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:09 PM

Posted 05 April 2009 - 09:20 PM

Hello.

Seems MBAM got it. It was told to move on reboot so did you reboot? Failure to reboot will prevent MBAM to remove the infection.

Please reboot now if you haven't already and then update MBAM and this time run a Full Scan please.

Post the log once it's done.

It's getting late so I really need to go to bed now. I'll review it tomorrow.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#5 jkenzie

jkenzie
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:09:09 PM

Posted 06 April 2009 - 09:24 AM

I ran the full scan and rebooted and it reloaded itself within 5 minutes. I was watching Process Explorer when rundll32.exe popped up.
Just so you know Im no novice to removing malware, but I usually do it for other people. Ive tried everything in my arsenal to remove this thing to no avail.
Ive run MBAM several times, in normal and safe mode, always with tea timer off.
Ive come here to ask for help because I am stumped. I will follow your instructions to the letter to get rid of this thing. I can tell you what I have already tried if you want to know.

Thanks,
John

Malwarebytes' Anti-Malware 1.35
Database version: 1943
Windows 5.1.2600 Service Pack 2

4/6/2009 7:00:06 AM
mbam-log-2009-04-06 (07-00-06).txt

Scan type: Full Scan (C:\|)
Objects scanned: 285530
Time elapsed: 1 hour(s), 6 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rselixudumos (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\uqexegeqelu.dll (Trojan.Agent) -> Delete on reboot.

Edited by jkenzie, 06 April 2009 - 09:38 AM.


#6 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:09 PM

Posted 06 April 2009 - 03:21 PM

Hello.

Seems something is causing it to come back.

Please run the following tool.

Download and Run Scan with GMER

We will use GMER to scan for rootkits.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
    If it detects rootkit activity, you will receive a prompt to run a full scan. Click Yes..
  • When it's done scanning, you may receive another notice. Click OK if prompted.
  • Click on Save ... to save the log on your desktop.
    Save the log as GMER.txt when you save it on your desktop.
  • Close Gmer and copy and paste the contents of GMER.txt in your next reply.
  • If you receive no notice, click on the Scan button near the bottom.
  • It will start scanning again like before.
  • When it is done, Click on Save ... to save the log on your desktop.
    Save the log as GMER.txt when you save it on your desktop.
  • Close Gmer and copy and paste the contents of GMER.txt in your next reply.If GMER doesn't work in Normal Mode try running it in Safe Mode
Note: Do Not run any program while GMER is running

Important!:Please do not select the Show all checkbox during the scan.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#7 justme_94306

justme_94306

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:07:09 PM

Posted 06 April 2009 - 06:11 PM

FYI...I had exactly the same thing and the newest MBAM released 4/6 around 2pm PST fixed it.

#8 jkenzie

jkenzie
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:09:09 PM

Posted 06 April 2009 - 06:59 PM

GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-04-06 16:30:00
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwCreateKey [0x804D70A4]
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D70A4] ZwCreateKey [0x804D70A4]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwDeleteKey [0x804D70AE]
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D70AE] ZwDeleteKey [0x804D70AE]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwDeleteValueKey [0x804D709F]
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D709F] ZwDeleteValueKey [0x804D709F]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwEnumerateKey [0x804D70B3]
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D70B3] ZwEnumerateKey [0x804D70B3]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwEnumerateValueKey [0x804D70B8]
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D70B8] ZwEnumerateValueKey [0x804D70B8]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwOpenKey [0x804D70C7]
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D70C7] ZwOpenKey [0x804D70C7]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwQueryKey [0x804D70C2]
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D70C2] ZwQueryKey [0x804D70C2]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwQueryValueKey [0x804D70BD]
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D70BD] ZwQueryValueKey [0x804D70BD]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwSetValueKey [0x804D70A9]
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D70A9] ZwSetValueKey [0x804D70A9]

INT 0x03 \WINDOWS\system32\ntkrnlpa.exe[unknown section] 804D70D6

---- Kernel code sections - GMER 1.0.15 ----

? aojIj.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP110.SYS The system cannot find the file specified. !
? System32\kteproc.sys The system cannot find the path specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\Disk \Device\Harddisk0\DR0 aksfridge.sys (Ancillary Function Driver/Aladdin Knowledge Systems Ltd.)

AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

#9 jkenzie

jkenzie
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:09:09 PM

Posted 06 April 2009 - 07:10 PM

FYI...I had exactly the same thing and the newest MBAM released 4/6 around 2pm PST fixed it.

That seems to have done the trick. :thumbsup: A well hidden Vundo.h trojan. Thanks for the heads up it's been a long weekend.
Extremeboy thanks for your help, I will keep you posted if it pops back up.
Just a word of note I seem to have gotten these infections from a what is increasingly becoming a problem. Major websites infected with malicious code.
Here is the MBAM log if anyone is interested.
Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 2

4/6/2009 4:45:22 PM
mbam-log-2009-04-06 (16-45-22).txt

Scan type: Quick Scan
Objects scanned: 79414
Time elapsed: 2 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rselixudumos (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: ipapr70.dll -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\ipapr70.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\iriquhet.dll (Trojan.Agent) -> Delete on reboot.

#10 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:09 PM

Posted 06 April 2009 - 07:18 PM

Hello.

I believe you fixed it then? Do you still need help or any confirmation that you want from me?
MBAM still detects it from that log you gave me though.
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#11 jkenzie

jkenzie
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:09:09 PM

Posted 06 April 2009 - 07:23 PM

I'm currently running a full scan just to verify. It's seems MBAM was able to find the infection after the latest update and deleted the infected files after reboot. So far they have not returned.

Edited by jkenzie, 06 April 2009 - 07:23 PM.


#12 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:09 PM

Posted 06 April 2009 - 07:40 PM

Okay :thumbsup:

Thanks for letting me know then. Reply back letting me know once it's done.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users