Trojan horse Agent_r.XJ + trouble starting up computer

Hello!

I first noticed that my ASUS Eee PC, running Windows 7, was infected about 4 days ago when all sorts of windows started popping up, mostly fake antivirus/malware windows, notably Antimalware Doctor. I was surfing with Firefox at the time, and had walked away from my computer, which was logged into my banking website (!!), for about ten minutes. Most of the popup windows were within Firefox, but it's possible that one or two were in Internet Explorer, which may have opened up on its own.
The popups had completely paralyzed my system, even the Task Manager, with error messages mentioning broken or inaccessible files (often system files). I forced the computer to shut down, and when I turned it on again it never got past the black screen with the cursor (the cursor blinked and "scrolled down" a few lines, then just went on blinking in place).
After shutting it down and restarting it a few times, I somehow managed to restart the system in safe mode ("Windows did not shut down properly"... if I remember correctly), and I ran system restore.
Windows seemed to work fine after that, so I backed up some important files to an external hard drive, downloaded AVG 2011 and Malwarebytes, both of which reported problems upon scanning. AVG reported 10 instances of the above-mentioned Trojan (Trojan horse Agent_r.XJ), 5 of which could not be removed ("Object is inaccessible").
Additionally, whenever I shut down my computer, I would get the same black-screen-and-cursor startup problem when I turned it on again ("restart" was fine).
And a few unwanted spammy popup windows.
(Both of these problems are still continuing, and AVG is still detecting the Trojan--but only one instance that it can't remove on latest scan.)
...
Following advice from another website, I downloaded and ran a program called "autoruns" and deleted some files which I was sure were either unnecessary or harmful--notably "asusservice.exe". I also uninstalled a bunch of useless programs.
...
I read the whole READ & RUN ME guide.

I tried running ComboFix about three times. Once, it gave me an error message stating I needed to uninstall, but another two times, my system crashed right before any of its processes startes--blue screen error message that disappeared on its own and then an option to restart in Safe Mode. For this reason, I chose not to try to run ComboFix again.

RootRepeal also failed to run. I got an error message about "failing to load drivers," preceded by other error messages that I'll attach here.

That's it, I think.

Thank you so much for helping!!!

-J

 

Here are all the log files + an error message from RootRepeal.

 

Another error message from RootRepeal...

And another Malwarebytes log from before I found your READ AND RUN. By the way, I reinstalled Malwarebytes as part of the READ & RUN instructions (renamed the .exe, etc), without first uninstalling the version I had before. I didn't even get a dialog box asking me if I wanted to replace anything...

And I forgot to say... the way that I get my system to start after I've shut it down is by pressing F2 and then ESC to exit without saving. (I have no idea why this works and I am curious to know...)

Thanks again!

 

C:\Users\Adrian\AppData\Local\{872DC470-8BD9-45E3-9EE1-721B014D2B3B} is gone--deleted by one of the programs I just ran.

C:\Users\Adrian\AppData\Roaming\9D26644D5BFFB38462FD9643D338FB18 remains and is still empty.

I ran TDSSKiller twice, because ComboFix alerted me to the fact that SuperAntiSpyware was still activated... so I ran it again after deactivating SAS. Somehow I have four TDSSK logs... here they are.

 

Here is MGlogs.

I am also attaching a screenshot of an error message I got after running the AVG uninstall tool and rebooting my computer.

I'm going to shut my computer down and turn it on again to see if the black screen thing happens again... I'll let you know.

 

Oops... I didn't even have time to turn the computer off; a popup ad just appeared in Firefox... So I guess I'm still infected?

 

Well! The computer started up normally, no empty black screen.
But I still don't know what to make of that last popup.
Should I run any scans again?
Here is ComboFix.txt, btw, in case you need it.

Please let me know when/if to re-enable UAC and toggle system restore!

Thanks again, and sorry for posting so many posts at once.

 

The computer is still starting up normally; thank you!

Can I enable cookies?

Should I turn on some kind of firewall/virus protection?

Re-enable UAC?

 

Okay, I installed AdBlock Plus (I had to go to AdBlock's website because it wouldn't download from the Firefox website) and uninstalled ComboFix.

Even with AdBlock, I'm still getting popups. All of them seem to start with a "results.googlesyndication.com" page, which redirects to a number of spam popups, one after another.

I want to remind you that I never ran RootRepeal successfully (and haven't tried running it since I uninstalled AVG)...

What should I do?

I am also curious what I should set my cookies, firewall, etc levels to at this point... and if it's safe to run programs like Skype...

 

Do you mean, am I connected to the internet through a wireless router? If so, yes, I am, and yes, there are other computers on the network, which are also having the same problem. I will try plugging directly into the modem.

 

Okay, I can do that. But it's not my router and I'm not in charge of the network. Would you mind telling me what I'd have to do to reset the connection, or telling me where to go to find out?

 

To reset the network, I mean... whatever I'd need to do so that we can all connect to the internet again.

 

The network was set up by my housemate (who just left). He said it was easy to set up, and he used all the default options; also something about choosing a password and being given another (long) password for the network which I've got on a piece of paper right here.
The IP on the back of the router is indeed 192.168.1.1, and I've got a default username and admin there too.
Is it safe for me to go ahead and reset the router?

Fyi, I just ran a malwarebytes quick scan and it didn't find anything.

 

Rrrrr... now my router doesn't work. I wasn't able to reset it.
I will try to deal with this & probably be back tomorrow.

 

After calling my router technical support lady in Japan, I was able to reset our connection.
The router password is the same as it was before. Should I change it?
I've also uninstalled and reinstalled Firefox (I didn't check the box to erase my preferences while uninstalling Firefox).
No popups yet, but I did notice that, even while refreshing this page, the bottom of the browser said it was loading things like "googleads.com" "googleads.g.doubleclick.net" and "intellitxt.com"...

I'm wondering what I can and what I definitely shouldn't do with my computer at this point... I'd really like to call my family with Skype, for example, and access my bank account, but I've been holding off from doing these things until this issue was fixed.

Anyway, I'm ready to hear what to do next.

 

From another read page I've read the suggestion that files on other computers might re-infect the router (or change its DNS settings). Is this true? Does that mean that every computer that's connected to this network should go through the cleanup process that I've been putting my computer through?
And, just so I'm clear, is this issue independent of the other issues (viruses, trouble starting up) my computer was having, or are the other issues just a consequence of this one?

 

MGLogs is here...

 

Okay, great!

Should I go ahead with the last steps of the Read & Run--or the ones outlined in your post of yesterday, 3:30pm?

What are the risks, if other folks on this network don't do the Read & Run procedures, both for my computer and for theirs?

How long could it take for my own computer (or for the router) to be re-infected? How would I know if this has happened?

Do I need to uninstall all the cleanup tools I installed, or would it be a good idea to keep some of them in case I have to clean my computer again?

Forgive me for asking so many questions...

Thank you!

 

Okay, I did everything, all the way up to toggling system restore.

I had a few issues that I'd like to ask about.

Defogger didn't ask me to reboot, as it said it would in the bleepingcomputer link. I got no message saying that Disk Emulation software had been re-enabled, only the Defogger main screen with the options to disable or re-enable. I'm not sure if this is an issue...

I couldn't find HijackThis.

• 
  
  Since I read and followed first your post and then the Read & Run, and because I'm running Windows 7 (not Vista), I ran MGClean before going to re-enable UAC. As a result, I have no EnableUAC.reg to run. I just re-enabled UAC in the Control Panel. Is that enough?
  
  Everything else went well.
  
  I'm also curious whether the other computers on the network can just start by running SAS and MBAM, and leave it at that if those programs don't find issues. I ask because all three machines are owned by different people who aren't fluent in English and who might not want to go through the whole procedure.
  
  Thank you so much. I really appreciate the time that you've put into helping me and answering my questions.