malware issues : trojan horse agent_rxj

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by plasmablade, Feb 21, 2011.

  1. plasmablade

    plasmablade Private E-2

Hi, I'm new here and not the most savvy with computers, but I did read all the rules and am good at following instructions, so hopefully someone can help me. I am having severe problems with explorer.exe and svchost.exe causing issues with Vista. I used AVR antivirus and it located trojan horse agent_r.xj but is unable to remove it. I downloaded all the tools the READ ME specified, but I am having problems getting things to work normally; safe mode is fine, though. I saw a few other posts about this particular virus/malware and tried using tdsskiller, but it doesn't seem to help. If anyone can tell me what I need to do to fix it, I would really appreciate it.
    I guess I'll leave my PC's specs to start. Vista Home Premium Service Pack 1, 32-bit; Acer Aspire M5640, 3 GB RAM, Intel dual core 1.8 GHz. I will also attach logs for SuperAntiSpyware, MalwareBytes, Combofix, and RootRepeal. Had problems getting MGtools to work/post a log. Also, these scans were all done in SAFE MODE.
     

    Attached Files:

  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You mean AVG?

    Give me the exact file and file path of the threat it is detecting.

    Go to TDSSKiller and Download TDSSKiller.zip to your Desktop

• Extract its contents to your Desktop so that you have TDSSKiller.exe directly on your Desktop and not in any subfolder of the Desktop.
    • Now double click the TDSSKiller.exe file to run it (if using Vista or Windows 7, do not double click on it but rather right click and select Run As Administrator).
    • Allow the application to run and a window will open showing that it is TDSSKiller from Kaspersky.
    • Click Start scan.
    • It will run rather quickly and will notify you of whether anything is found or not.
    • Follow the instructions to delete/quarantine if it asks you what to do when it finds something.
    Whether an infection is found or not, a log file should be created on your C: drive (or whatever drive you boot from) in the root folder, named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt, which is based on the program version # and the date and time run. Please attach this log to your next reply. (See: HOW TO: Attach Items To Your Post)

    Please also download MBRCheck to your desktop

• Double click MBRCheck.exe to run it (Vista and Win 7: right click and select Run as Administrator).
    • It will show a black screen with some data on it.
    • Right click on the screen and select > Select All.
    • Press Control+C.
    • Open Notepad and press Control+V.
    • Now please ATTACH that report to this thread.


    Download OTL to your desktop.

• Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
    • Vista and Windows 7 users: right-click OTL and choose Run as Administrator.
    • When the window appears, underneath Output at the top, change it to Minimal Output.
    • Check the boxes beside LOP Check and Purity Check.
    • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

    When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

    Attach both of these logs into your next reply.
     
    Last edited: Feb 21, 2011
  3. plasmablade

    plasmablade Private E-2

Thank you for replying rather quickly. Yes, I did mean AVG; I apologize for the typo. Well, I downloaded the programs you linked in the reply and have posted the scan logs as attachments for you. Once again, everything is still being run from SAFE MODE. Also, one other thing:
    MBRCheck seemed to have an issue. "Found non-standard or infected MBR."
    This is shown at the bottom of the log. I did not know how to proceed, so I exited at that point and saved the log.
     

    Attached Files:

  4. plasmablade

    plasmablade Private E-2

I had to reinstall AVG in normal startup because MGTools would not work with it installed. I rescanned the whole hard drive and did a rootkit scan with AVG, and the threat no longer appeared. I'm sure the trojan was located in an .explore file, but I don't have the exact path/file. Anyway, it seems to be gone now, but the system is still running slow. I am going to surf around a bit and see if anything odd occurs and will report any findings back. I also have System Mechanic but am reluctant to run it until I'm sure all the malware is gone.
     
  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You have an MBR infection. You will need to boot to the Recovery Console to remove this infection.

    Do you have your Vista install disc? If not:

    Vista and Win7 Recovery disc

You will need to change the boot order in the BIOS to make the CD-ROM the first boot device.


    To run the Bootrec.exe tool, you must start Windows RE. To do this, follow these steps:

    1. Put the Windows Vista or Windows 7 installation disc in the disc drive, and then start the computer.
    2. Press a key when you are prompted.
    3. Select a language, a time, a currency, a keyboard or an input method, and then click Next.
    4. Click Repair your computer.
    5. Click the operating system that you want to repair, and then click Next.
    6. In the System Recovery Options dialog box, click Command Prompt.
7. Type Bootrec.exe /fixmbr, and then press ENTER. (There is a space between the .exe and the /.)

    Then boot back into normal mode.

    Now re-run MBRCheck and attach the new log.
     
    Last edited by a moderator: Feb 21, 2011
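The "Found non-standard or infected MBR" message above comes from a check on the first sector of the boot disk: the 446 bytes of boot code, the four 16-byte partition-table entries and the 0x55AA boot signature. The following script is an added example, not MBRCheck's code or anything posted in this thread; it builds a constructed 512-byte sample sector, parses it, hashes the boot code and compares that hash against a caller-supplied known-good set (the real tool ships its own database of known Windows boot-code hashes; here the "known-good" set is just the hash of our sample baseline). The `read_first_sector` helper and the path it opens are assumptions for running the same logic against a disk image or raw device.

```python
"""Parse and sanity-check a 512-byte Master Boot Record (added example)."""
import hashlib
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446      # boot code occupies bytes 0..445
PARTITION_ENTRY_SIZE = 16         # four entries follow the boot code
BOOT_SIGNATURE = b"\x55\xAA"      # bytes 510..511 of a valid MBR
ENTRY_FMT = "<B3sB3sII"           # status, CHS start, type, CHS end, LBA start, sector count

# Constructed stand-in for boot code (first bytes resemble a classic MBR stub,
# the rest is zero padding). Not real Windows boot code.
SAMPLE_BOOT_CODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C\xFB\x50\x07\x50\x1F\xFC"


def build_sample_mbr(boot_code, partitions):
    """Assemble a constructed MBR: boot code, partition table, signature.

    partitions: list of (status, type, lba_start, sector_count) tuples.
    """
    code = boot_code.ljust(PARTITION_TABLE_OFFSET, b"\x00")[:PARTITION_TABLE_OFFSET]
    table = b"".join(
        struct.pack(ENTRY_FMT, status, b"\x00\x00\x00", ptype, b"\x00\x00\x00", lba, count)
        for status, ptype, lba, count in partitions
    )
    table = table.ljust(4 * PARTITION_ENTRY_SIZE, b"\x00")
    return code + table + BOOT_SIGNATURE


def parse_mbr(sector):
    """Split a sector into boot-code hash, partition entries and signature status."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    boot_code = sector[:PARTITION_TABLE_OFFSET]
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype == 0:            # type 0 means the slot is unused
            continue
        partitions.append({
            "index": i,
            "bootable": status == 0x80,   # 0x80 = active/bootable flag
            "type": ptype,
            "lba_start": lba,
            "sectors": count,
        })
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
        "partitions": partitions,
    }


def assess_mbr(sector, known_good_hashes):
    """Return the parsed MBR plus a list of findings and a verdict string."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] not in known_good_hashes:
        findings.append("boot code hash not in known-good set")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} partitions flagged bootable (expected 1)")
    info["findings"] = findings
    info["verdict"] = "standard" if not findings else "non-standard"
    return info


def read_first_sector(path):
    """Read sector 0 from a disk image file or raw device (assumed usage;
    on Windows a raw device path such as r'\\\\.\\PhysicalDrive0' needs admin rights)."""
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)


if __name__ == "__main__":
    layout = [(0x80, 0x07, 2048, 204800)]            # one active NTFS-type partition
    baseline = build_sample_mbr(SAMPLE_BOOT_CODE, layout)
    known_good = {parse_mbr(baseline)["boot_code_sha256"]}
    # Same partition table, but the boot code has been altered by 8 bytes.
    altered = build_sample_mbr(b"\x00" * 8 + SAMPLE_BOOT_CODE, layout)
    for name, sector in (("baseline", baseline), ("altered", altered)):
        result = assess_mbr(sector, known_good)
        print(name, result["verdict"], result["findings"])
```

The verdict logic is deliberately conservative: an unknown boot-code hash is reported as non-standard rather than infected, because a legitimate third-party boot manager also produces an unrecognised hash, which is why the forum's next step is to restore the standard code with `Bootrec.exe /fixmbr` and re-run the check rather than to act on the hash alone.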
  6. plasmablade

    plasmablade Private E-2

Ah, thank you. Now I can't access the BIOS because it's password protected. I ran the eRecovery tool built in to my Acer a few weeks back when all this started, and it seemed to reset the password back to default? Is there any way to find the default password? Or, if I recall, is there not a BIOS jumper pin that resets the BIOS and removes this password? Once I get in there I will run the Recovery Console and post the new MBRCheck log.
     
  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

  8. plasmablade

    plasmablade Private E-2

Thank you for all your help, but more obstacles continue to impede progress...
    Switched the jumper pin, which reset the BIOS. I have an old Vista installation disk matching my version. Got to the point where I am supposed to select an OS to repair, and none appeared in the list. What do I do now?
     
  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    This is beyond the scope of the malware forum. Please post in the software forum for further assistance. Then once you get this issue resolved, come back to this thread.
     
