Virtumonde trogen, rootkit, keyloggers, and something that just won't go away

Ray661 · 02-03-2009, 08:23 AM

My shorthands:
SB=Spybot search and destroy
AVG= AVG 8.0 Free Edition
SRR= Some random rootkit scanner a fellow tech in training suggested.
XP= Windows XP Home Service Pack 3
A!= Avast!
TH=Trogen horse, namely the Virtumonde trogen
RK= The bad rootkit the SRR picked up.
RC= Registry Change, picked up by SB.
DL= Download
DL'd= Downloaded

I am not on my home computer with this thread, but it does have internet access.

Ok, so I'm IM'ing with a friend, and she wanted me to look at her new pictures she just put up. I knew it wasn't a bot, because of the conversation we were having. So she gives me 5 links, and i open every one, loading them all up on GC. The second link was triggered by GC as a bad web site. GC falsely triggered under facebook before, so since the website was something similar to facebook, i went in anyway.

All the sudden, my CPU gauge went way up, and then dropped, and jumped up again. AVG triggered a virus, which i deleted, but SB started getting all kinds of changes, each i denied, but they kept happening over and over and over. Looking closer at the registry changes, i saw something (this was a week or so ago, so my memory is shady), about a keygen, and a more common (this is still happening every 5 seconds) registry change (can give more details later if needed). Then something popped up talking about MS-2009, which needed to be DL'd to keep my computer safe, i didn't do anything about it because i suspected a keylogger at this point has been loaded into my system, and it asked for my credit, and i wouldn't want it anyway, seemed very suspicious.

I scanned with AVG, which only found three things, each deleted, and spybot found 10 threats, each the TH and it's variations.

I ran this scan probably a hundred times, and each time, the TH was still present.

So, at this point, I decided to ask some friends for ideas. I tried downloading A! and scanned with it. As soon as i installed it, it triggered for a virus, and never stopped. The virus can not be moved and renamed, it can't be moved into the vault, and it can not be the third button (forgot what it was :P), it can only be deleted or left alone. Then someone decided to suggest the SRR, so i DL'd it, and scanned, and well, it found the problem.

So you'd think the problems solved right? Wrong, it, like the TH, keeps becoming recreated.

Now at this point, i can't do anything without getting A! triggered with a virus, or SB finding a change in the registry.

I've tried to fix this myself, but I'm out of ideas, short of formatting the HDD. I'm also worried that my mothers computer (although we are not networked together) has caught the same bug as me.

Thanks for you time :)

Edit: by networked together i mean, we don't share files or of the such, and work independant from each other, but are connected physically by a switch.

Ray661 · 02-03-2009, 09:12 AM

the rootkit scanner was made by Sophos.

**amateur** · 02-03-2009, 09:57 AM

Hello and welcome to TSF.

We want all our members to perform the steps outlined in the link given below, before posting for assistance. There's a sticky at the top of this forum, and a

Quote:

Having problems with spyware and pop-ups? First Steps

link at the top of each page.

Please follow our pre-posting process outlined here:

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help

After running through all the steps, you shall have a proper set of logs. Please post them in a new topic, as this one shall be closed.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.

02-03-2009, 08:23 AM	#1 (permalink)
Ray661 Registered User Join Date: Feb 2009 Posts: 2 OS: XP Home SP 3, soon upgrading to Vista Ultimate	Virtumonde trogen, rootkit, keyloggers, and something that just won't go away My shorthands: SB=Spybot search and destroy AVG= AVG 8.0 Free Edition SRR= Some random rootkit scanner a fellow tech in training suggested. XP= Windows XP Home Service Pack 3 A!= Avast! TH=Trogen horse, namely the Virtumonde trogen RK= The bad rootkit the SRR picked up. RC= Registry Change, picked up by SB. DL= Download DL'd= Downloaded I am not on my home computer with this thread, but it does have internet access. Ok, so I'm IM'ing with a friend, and she wanted me to look at her new pictures she just put up. I knew it wasn't a bot, because of the conversation we were having. So she gives me 5 links, and i open every one, loading them all up on GC. The second link was triggered by GC as a bad web site. GC falsely triggered under facebook before, so since the website was something similar to facebook, i went in anyway. All the sudden, my CPU gauge went way up, and then dropped, and jumped up again. AVG triggered a virus, which i deleted, but SB started getting all kinds of changes, each i denied, but they kept happening over and over and over. Looking closer at the registry changes, i saw something (this was a week or so ago, so my memory is shady), about a keygen, and a more common (this is still happening every 5 seconds) registry change (can give more details later if needed). Then something popped up talking about MS-2009, which needed to be DL'd to keep my computer safe, i didn't do anything about it because i suspected a keylogger at this point has been loaded into my system, and it asked for my credit, and i wouldn't want it anyway, seemed very suspicious. I scanned with AVG, which only found three things, each deleted, and spybot found 10 threats, each the TH and it's variations. I ran this scan probably a hundred times, and each time, the TH was still present. So, at this point, I decided to ask some friends for ideas. I tried downloading A! and scanned with it. As soon as i installed it, it triggered for a virus, and never stopped. The virus can not be moved and renamed, it can't be moved into the vault, and it can not be the third button (forgot what it was :P), it can only be deleted or left alone. Then someone decided to suggest the SRR, so i DL'd it, and scanned, and well, it found the problem. So you'd think the problems solved right? Wrong, it, like the TH, keeps becoming recreated. Now at this point, i can't do anything without getting A! triggered with a virus, or SB finding a change in the registry. I've tried to fix this myself, but I'm out of ideas, short of formatting the HDD. I'm also worried that my mothers computer (although we are not networked together) has caught the same bug as me. Thanks for you time :) Edit: by networked together i mean, we don't share files or of the such, and work independant from each other, but are connected physically by a switch. Last edited by Ray661; 02-03-2009 at 08:25 AM.

02-03-2009, 09:12 AM	#2 (permalink)
Ray661 Registered User Join Date: Feb 2009 Posts: 2 OS: XP Home SP 3, soon upgrading to Vista Ultimate	Re: Virtumonde trogen, rootkit, keyloggers, and something that just won't go away the rootkit scanner was made by Sophos.