Infected with Trojan Horse Agent_r.Xj and possibly more

Carver · May 2, 2011

Hi MajorGeeks!

My PC has been seriously infected, probably on last Saturday, but i can't be exactly sure.

The symptoms are: Google Chrome stopped working (just freeze every time it starts); Firefox icon needs to be clicked several times before it opens up (looks like it starts one or more processes called firefox.exe, which use much less memory than the "right" firefox.exe, the one that actually allows me to browse when it starts at the 2/3 attempt); sensibly longer startup times; Windows Update can't connect to Microsoft, as if there is a firewall blocking it; the pc it's unable to normally shut down...after the "Shutting down" screen appears, it crashes and a blue screen error it's showed, than the pc reset itself...if i want to shut it down i've to push the power switch.

A complete AVG scan revealed an Agent_r.XJ infection in explorer.exe but i can't be sure it's the only one.

I've done as it said in the "READ&RUN ME FIRST" thread, while doing so it detected a few other infection but it didn't solved my problems.

I couldn't execute ComboFix (blue screen crash when it starts, after the bar fills up) and Root Repeal (i'm attaching the 3 crashlogs it generates).

I'm attaching all the logs. I've really messed up my pc, if you can help me i would apreciate it immensly.

P.S. Apologies for my not perfect english.

EDIT:sorry, i forgot to add i'm running Windows7 32bit

Carver · May 2, 2011

here are the crashlogs i got from Root Repeal

Kestrel13! · May 2, 2011

Do you have your Windows 7 install disc? If not:

Vista and Win7 Recovery disc

For fixing the boot issues:
To run the Bootrec.exe tool, you must start Windows RE. To do this, follow these steps:

1. Put the Windows Vista or Windows 7 installation disc in the disc drive, and then start the computer.
2. Press a key when you are prompted.
3. Select a language, a time, a currency, a keyboard or an input method, and then click Next.
4. Click Repair your computer.
5. Click the operating system that you want to repair, and then click Next.
6. In the System Recovery Options dialog box, click Command Prompt.
7. Type Bootrec.exe, and then press ENTER.

Then you can do this:

Bootrec.exe /fixmbr

Now re run TDSSKiller and attach the log.

Carver · May 3, 2011

Here's the log...most of the symptoms are vanished, I haven't checked up with Chrome.

As you can see from the log name, i've updated TDSS Killer.

Kestrel13! · May 3, 2011

You missed out the running of Combofix. Please download it if you have not already and run it as per the instructions in the R&R. (Yes you will have to uninstall AVG first)

Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:50323 <--- Fix this if you did not deliberately set it yourself.

After clicking Fix exit HJT.

Use windows explorer to find and delete this file if you do not know what it is for.
C:\Users\Claudio\AppData\Roaming\0C2E.5A4

Run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

Carver · May 3, 2011

I've tried running Combofix earlier, but it crashed with a blue screen when i attempted. Now it has worked fine.

I had no problem with the procedure until i've ran GetLogs.bat. When i did so, a command prompt quickly opend then closed immediatly. I've tried rebooting and at that point i realized internet connection wasn't working.

I can't tell if it has never started back after running Combofix, as i didn't checked.

Anyway, i had to open control panel, then Netwrok Connections, right click on Local Area Connection, and select "execute diagnostics". (I've tried to translate, but probably the english version uses different terms, i hope you can understand anyway).

After that, internet went back and GetLogs worked fine. Here are the logs.

Everything seems to be fine, may i assume the infection it's gone?

Kestrel13! · May 3, 2011

If you are not having any other malware problems, it is time to do our final steps:

We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.

If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)

Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required

"%userprofile%\Desktop\combofix" /uninstall

Notes: The space between the combofix" and the /uninstall, it must be there.

This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

Go back to step 6 of the READ ME and renable your Disk Emulation software with Defogger if you had disabled it.

Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.

If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.

If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.

Go to add/remove programs and uninstall HijackThis.

Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
related to MGtools and some other items from our cleaning procedures.

If you are running Win 7, Vista, Windows XP or Windows ME, do the below:

Refer to the cleaning procedures pointed to by step 7 of the READ ME
for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.

Then reboot and Enable System Restore to create a new clean Restore Point.

After doing the above, you should work thru the below link:

How to Protect yourself from malware!

Carver · May 5, 2011

Thank you so much! I've followed all the procedures reccomanded, and now my pc look safer. I hope to not have to write in this section anymore!

Thanks for your time!

Kestrel13! · May 5, 2011

You are most welcome. Safe surfing.

Log in or Sign up

Infected with Trojan Horse Agent_r.Xj and possibly more

Carver Private E-2

Attached Files:

SASlog.txt

mbam-log-2011-05-02 (12-55-21).txt

MGlogs.zip

Carver Private E-2

Attached Files:

RootRepeal_crash_050211.132806.txt

RootRepeal_crash_050211.132808.txt

RootRepeal_crash_050211.132807.txt

Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

Carver Private E-2

Attached Files:

TDSSKiller.2.5.0.0_03.05.2011_10.12.14_log.txt

Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

Carver Private E-2

Attached Files:

MGlogs.zip

Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

Carver Private E-2

Kestrel13! Super Malware Fighter - Major Dilemma Staff Member